feat: 根据新模板更新脚本文件

This commit is contained in:
2023-09-16 10:20:05 +08:00
parent cf70d38535
commit ccae24f68c
8 changed files with 475 additions and 428 deletions
+46 -63
@@ -1,9 +1,8 @@
# Ver: 1.9 by Endial Fang (endial@126.com)
# Ver: 1.11 by Endial Fang (endial@126.com)
#
# 默认变量 ========================================================================
# 系统默认变量 ====================================================================
# 该部分变量为系统根据编译命令默认设置
# `TARGETPLATFORM`:构建后的目标平台信息。如 `linux/amd64``linux/arm/v7``windows/amd64`
# `TARGETOS`:目标平台信息(TARGETPLATFORM)中的操作系统部分,如:`linux`、`windows`
# `TARGETARCH`:目标平台信息(TARGETPLATFORM)中的平台架构部分,如:`amd64`、`arm`
@@ -16,18 +15,11 @@
# 可变参数 ========================================================================
# 该部分变量,在编译命令中通过 `--build-arg` 传入;如果未设置,则使用下面对应的默认值
# 设置当前应用名称及版本
ARG APP_NAME=openldap
ARG APP_VER=2.4.59
# 设置默认仓库地址,默认为本地仓库;定义时需要包含末尾的`/`
ARG REGISTRY_URL="docker.colovu.com/"
# 设置 apt-get 源:default / ustc / aliyun
ARG APT_SOURCE=aliyun
# 编译镜像时指定用于加速的本地软件包存储服务器地址
ARG LOCAL_URL="http://local.colovu.com/dist"
ARG APP_NAME=openldap # 设置当前应用名称
ARG APP_VER=2.4.59 # 设置当前应用版本
ARG REGISTRY_URL="docker.colovu.com/" # 设置默认仓库地址,默认为本地仓库;定义时需要包含末尾的`/`
ARG APT_SOURCE=aliyun # 设置 apt-get 源:default / ustc / aliyun
ARG LOCAL_URL="http://local.colovu.com/dist" # 编译镜像时指定用于加速的本地软件包存储服务器地址
# 0. 预处理 ======================================================================
FROM --platform=${TARGETPLATFORM:-linux/amd64} ${REGISTRY_URL}colovu/dbuilder:12 as builder
@@ -38,17 +30,14 @@ ARG APP_VER
ARG APT_SOURCE
ARG LOCAL_URL
# 选择软件包源(Optional),以加速后续软件包安装
# 选择软件包源加速后续软件包安装
RUN select_source ${APT_SOURCE};
# 安装依赖的软件包及库(Optional)
# 安装依赖的软件包及库
# 官方推荐包:Cyrus SASL 2.1.27+、OpenSSL 1.1.1+、libevent 2.1.8+、libsodiumgroff
RUN install_pkg libperl-dev libcrypto++-dev libsasl2-dev libevent-dev libdb5.3-dev groff groff-base
# dbuilder已安装: libtool libltdl7 libltdl-dev libssl1.1 libssl-dev
# 设置工作目录
WORKDIR /tmp
# 参考文档:
# 编译: https://www.cnblogs.com/si-jie/p/8214206.html
# seolim解决(groff): http://www.emreakkas.com/linux-tips/ubuntu-solve-bin-sh-soelim-not-found
@@ -56,7 +45,7 @@ WORKDIR /tmp
# 下载并解压软件包(OpenLDAP 2.4.59)
RUN set -eux; \
appName=${APP_NAME}-${APP_VER}.tgz; \
[ ! -z ${LOCAL_URL} ] && localURL=${LOCAL_URL}/${APP_NAME}; \
[ -n ${LOCAL_URL} ] && localURL=${LOCAL_URL}/${APP_NAME}; \
appUrls="${localURL:-} \
https://www.openldap.org/software/download/OpenLDAP/openldap-release \
"; \
@@ -65,11 +54,13 @@ RUN set -eux; \
# 源码编译(OpenLDAP)
# --enable-overlays 会安装所有模块到 slapd 中,比如 memberof 属性,不需要单独添加该模块,但需要配置文件中增加:`overlay memberof`来开启
RUN set -eux; \
APP_ARCH=`arch` \
APP_SRC="/tmp/${APP_NAME}-${APP_VER}"; \
cd ${APP_SRC}; \
LDFLAGS="-L/usr/local/lib -L/usr/lib/${APP_ARCH}-linux-gnu" \
CPPFLAGS="-I/usr/local/include -D_GNU_SOURCE" \
./configure \
--prefix=/usr/local/${APP_NAME} \
CPPFLAGS="-I/usr/local/include -D_GNU_SOURCE" LDFLAGS="-L/usr/local/lib" \
--enable-dynamic \
--enable-slapd --enable-cleartext --enable-crypt --enable-spasswd --enable-modules \
--enable-bdb --enable-mdb --enable-ndb=no --enable-sql=no \
@@ -88,30 +79,25 @@ RUN set -eux; \
# 检测并生成依赖文件记录
RUN set -eux; \
find /usr/local/${APP_NAME} -type f -executable -exec ldd '{}' ';' | \
awk '/=>/ { print $(NF-1) }' | \
sort -u | \
xargs -r readlink -f | \
xargs -r dpkg-query --search 2>/dev/null | \
cut -d: -f1 | \
sort -u >>/usr/local/${APP_NAME}/runDeps;
awk '/=>/ { print $(NF-1) }' | xargs -r basename -a | sort -u | \
xargs -r dpkg-query --search 2>/dev/null | cut -d: -f1 | sort -u \
>>/usr/local/${APP_NAME}/runDeps;
# 1. 生成镜像 =====================================================================
FROM --platform=${TARGETPLATFORM:-linux/amd64} ${REGISTRY_URL}colovu/debian:12
# 声明需要使用的全局可变参数
# 声明需要使用的全局可变参数ARG声明的变量仅编译打包阶段有效)
ARG APP_NAME
ARG APP_VER
ARG APT_SOURCE
# 镜像所包含应用的基础信息,定义环境变量,供后续脚本使用
# 定义应用的基础信息变量(ENV声明的变量实例化后容器内有效)
ENV APP_NAME=${APP_NAME} \
APP_VER=${APP_VER} \
APP_EXEC=slapd \
APP_HOME_DIR=/usr/local/${APP_NAME} \
APP_DEF_DIR=/etc/${APP_NAME}
ENV PATH="${APP_HOME_DIR}/sbin:${APP_HOME_DIR}/bin:${APP_HOME_DIR}/libexec:${PATH}" \
LD_LIBRARY_PATH="${APP_HOME_DIR}/lib"
APP_USER=${APP_NAME} \
LD_LIBRARY_PATH="/usr/local/${APP_NAME}/lib" \
PATH="${PATH}:/usr/local/${APP_NAME}/sbin:/usr/local/${APP_NAME}/bin:/usr/local/${APP_NAME}/libexec"
LABEL \
"Version"="v${APP_VER}" \
@@ -119,47 +105,44 @@ LABEL \
"Github"="https://github.com/colovu/docker-${APP_NAME}" \
"Vendor"="Endial Fang (endial@126.com)"
# 从预处理过程中拷贝软件包(Optional),可以使用阶段编号或阶段命名定义来源
COPY --from=0 /usr/local/${APP_NAME} /usr/local/${APP_NAME}
# 拷贝应用使用的客制化脚本
# 拷贝多阶段构建结果输出及客制化脚本
COPY --from=builder /usr/local/${APP_NAME} /usr/local/${APP_NAME}
COPY customer /
RUN set -eux; \
\
# 创建对应的用户及数据存储目录
prepare_env; \
useradd -U -u 996 -d /srv/${APP_NAME} -s /usr/sbin/nologin -r ${APP_USER}; \
mkdir -p /var/log/${APP_NAME} /var/run/${APP_NAME} /var/cache/${APP_NAME}; \
mkdir -p /srv/${APP_NAME}/conf /srv/${APP_NAME}/data /srv/${APP_NAME}/cert /srv/${APP_NAME}/log; \
chown -R ${APP_USER}:${APP_USER} /var/log/${APP_NAME} /var/run/${APP_NAME} /var/cache/${APP_NAME}; \
chown -R ${APP_USER}:${APP_USER} /usr/local/${APP_NAME} /srv/${APP_NAME}; \
\
/bin/bash -c "ln -sf /usr/local/${APP_NAME}/etc/${APP_NAME} /etc/"; \
\
# 选择软件包源(Optional),以加速后续软件包安装
# 选择软件包源,以加速后续软件包安装
select_source ${APT_SOURCE}; \
\
# 安装依赖的软件包及库(Optional)
install_pkg `cat /usr/local/${APP_NAME}/runDeps`; \
# 安装应用依赖的软件包及库
install_pkg pwgen; \
install_pkg `cat /usr/local/${APP_NAME}/runDeps`; \
\
# 执行处理脚本,并验证安装的软件包
override_file="/usr/local/overrides/overrides-${APP_VER}.sh"; \
[ -e "${override_file}" ] && /bin/bash "${override_file}"; \
${APP_EXEC} -V | :;
# 执行处理脚本
overrideShell="/usr/local/overrides/overrides-${APP_VER}.sh"; \
[ -e "${overrideShell}" ] && /bin/bash "${overrideShell}"; \
\
# 验证安装的应用
${APP_EXEC} -VV;
# 默认提供的数据卷
VOLUME ["/srv/conf", "/srv/data", "/srv/datalog", "/srv/cert", "/var/log"]
# 默认使用gosu切换为新建用户启动,必须保证端口在1024之上
# 配置容器的数据卷、工作目录及服务端口(必须保证端口在1024之上)
VOLUME ["/srv/${APP_NAME}/conf", "/srv/${APP_NAME}/data", "/srv/${APP_NAME}/cert", "/srv/${APP_NAME}/log"]
WORKDIR /srv/${APP_NAME}/data
EXPOSE 8389 8636
# 关闭基础镜像的健康检查
#HEALTHCHECK NONE
# 应用健康状态检查
HEALTHCHECK --interval=10s --timeout=10s --retries=3 \
CMD netstat -ltun | grep 8389
#HEALTHCHECK --interval=30s --timeout=30s --retries=3 CMD curl -fs http://localhost:8080/ || exit 1
#HEALTHCHECK --interval=10s --timeout=10s --retries=3 CMD netstat -ltun | grep 8389
# 使用 non-root 用户运行后续的命令
USER 1001
# 容器初始化命令
ENTRYPOINT ["/usr/local/bin/entry.sh"]
# 应用程序的启动命令,必须使用非守护进程方式运行
CMD ["/usr/local/bin/run.sh"]
# 使用 dumb-init 启动入口 Shell,确保容器可以接收控制信号;并使用前台方式启动应用程序
ENTRYPOINT ["dumb-init", "entry.sh"]
CMD ["run.sh"]
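Review bot: `chown -R ${APP_USER}:${APP_USER} /usr/local/${APP_NAME} /srv/${APP_NAME}` in the new RUN hands the whole install prefix — `sbin/slapd`, `lib/*.so`, the `libexec` module directory and the `etc/` tree that the `ln -sf` in the same RUN exposes as `/etc/${APP_NAME}` — to the service account, so a compromised slapd can rewrite its own binary and loadable modules and they will be trusted on the next start. The exposure is wider than slapd itself: this section appears to drop `USER 1001` (consistent with entry.sh's `id -u == 0` check), and `LD_LIBRARY_PATH=/usr/local/${APP_NAME}/lib` is set image-wide, so any root-run step in the entrypoint chain that links against a library present there would load it from a directory the unprivileged user can write to. Only the data tree needs to be writable; change the line to `chown -R ${APP_USER}:${APP_USER} /srv/${APP_NAME};` and leave `/usr/local/${APP_NAME}` root-owned. If some runtime step really does write under the prefix (nothing visible here does — slapd.d and the LDIFs go under `/srv/${APP_NAME}/conf`), chown that subdirectory alone rather than the whole tree.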
+331 -269
@@ -1,81 +1,133 @@
#!/bin/bash
# Ver: 1.2 by Endial Fang (endial@126.com)
# Ver: 1.4 by Endial Fang (endial@126.com)
#
# 应用通用业务处理函数
# {0}config
# {-1}frontend
# {1}hdb
# {2}monitor
# 加载依赖脚本
. /colovu/lib/libcommon.sh # 通用函数库
. /colovu/lib/libos.sh
. /colovu/lib/libfile.sh
. /colovu/lib/libfs.sh
. /colovu/lib/liblog.sh
. /colovu/lib/libos.sh
. /colovu/lib/libservice.sh
. /colovu/lib/libvalidations.sh
# 函数列表
# 检测应用相应的配置文件是否存在,如果不存在,则从默认配置文件目录拷贝一份
# 默认配置文件路径:/etc/${APP_NAME}
# 目标配置文件路径:/srv/conf/${APP_NAME}
# 参数:
# $1 - 目标路径
# $2 - 源路径
# $* - 基础路径下的文件及目录列表,以" "分割
# 例子:
# ensure_config_file_exist /etc/${APP_NAME} conf.d server.conf
app_ensure_config_file_exist() {
local -r dist_path="${1:?dist paths is missing}"
local -r base_path="${2:?source paths is missing}"
local f=""
shift 2
LOG_D "List to check in ${base_path}: $@"
while [ "$#" -gt 0 ]; do
f="${1}"
LOG_D " Process \"${f}\""
if [ -d "${base_path}/${f}" ]; then
[[ ! -d "${dist_path}/${f}" ]] && LOG_D " Create directory: ${dist_path}/${f}" && mkdir -p "${dist_path}/${f}"
[[ ! -z $(ls -A "${base_path}/${f}") ]] && app_ensure_config_file_exist "${dist_path}/${f}" "${base_path}/${f}" $(ls -A "${base_path}/${f}")
else
[[ ! -e "${dist_path}/${f}" ]] && LOG_D " Copy: ${base_path}/${f} to ${dist_path}" && cp "${base_path}/${f}" "${dist_path}"
fi
shift
done
}
# 使用环境变量中配置,更新配置文件
openldap_update_conf() {
app_update_conf() {
LOG_I "Update configure files..."
}
# 生成RootDN用户信息
openldap_root_credentials() {
app_root_credentials() {
# 根据容器参数,设置配置文件
LOG_I "Configure LDAP credentials for RootDN"
LOG_I "Update RootDN"
cat > "${APP_CONF_DIR}/rootdn.ldif" << EOF
cat > "${APP_CONF_DIR}/default_rootdn.ldif" << EOF
# RootDN configration
dn: olcDatabase={2}hdb,cn=config
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $LDAP_ROOT
dn: olcDatabase={2}hdb,cn=config
changetype: modify
-
replace: olcRootDN
olcRootDN: $LDAP_ROOT_DN
dn: olcDatabase={2}hdb,cn=config
-
add: olcRootPW
olcRootPW: $LDAP_ENCRYPTED_ROOT_PASSWORD
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=$(id -u),cn=peercred,cn=external, cn=auth" read
by dn.base="${LDAP_ADMIN_DN}" read
by * none
EOF
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/rootdn.ldif"
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/default_rootdn.ldif"
}
openldap_add_default_policy() {
app_add_default_policy() {
# 根据容器参数,设置配置文件
LOG_I "Add default global access control policy"
cat > "${APP_CONF_DIR}/default_policy.ldif" << EOF
# Add default global access control policy
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs="userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire"
by dn.base="gidNumber=0+uidNumber=$(id -u),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by anonymous auth
by self write
by * none
olcAccess: {0}to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" read
by * none
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by * none
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by * none
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to *
by dn.base="gidNumber=0+uidNumber=$(id -u),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by anonymous auth
by self write
by * none
olcAccess: {0}to attrs="userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire"
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by anonymous auth
by self write
by * none
olcAccess: {1}to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by anonymous auth
by self write
by * none
EOF
@@ -83,23 +135,23 @@ EOF
}
# 生成Admin账户用户信息
openldap_create_tree() {
app_create_tree() {
# 根据容器参数,设置配置文件
LOG_I "Configure LDAP credentials for admin user"
LOG_I "Add manager account"
cat > "${APP_CONF_DIR}/admin.ldif" << EOF
# RootDN creation
cat > "${APP_CONF_DIR}/default_manager.ldif" << EOF
# Root object creation
dn: $LDAP_ROOT
objectClass: dcObject
objectClass: organization
o: $LDAP_ORGNIZATION_NAME
# Mnanger OU creation
# Mnanger OU object creation
dn: ou=Manager,$LDAP_ROOT
objectClass: organizationalUnit
ou: Manager
# User Admin creation
# User Admin object creation
dn: uid=$LDAP_ADMIN_UID,ou=Manager,$LDAP_ROOT
objectClass: inetOrgPerson
cn: $LDAP_ADMIN_GIVEN_NAME $LDAP_ADMIN_SURNAME
@@ -108,26 +160,27 @@ uid: $LDAP_ADMIN_UID
userPassword: $LDAP_ENCRYPTED_ADMIN_PASSWORD
mail: $LDAP_ADMIN_MAIL
# User Binder creation
# User Binder object creation
dn: uid=$LDAP_BIND_UID,ou=Manager,$LDAP_ROOT
objectClass: inetOrgPerson
cn: $LDAP_BIND_GIVEN_NAME $LDAP_BIND_SURNAME
sn: $LDAP_BIND_SURNAME
uid: $LDAP_BIND_UID
userPassword: $LDAP_ENCRYPTED_BIND_PASSWORD
EOF
debug_execute ldapadd -f "${APP_CONF_DIR}/admin.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD"
debug_execute ldapadd -f "${APP_CONF_DIR}/default_manager.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD"
openldap_add_default_policy
app_add_default_policy
}
# 生成自定义账户用户信息
openldap_create_users() {
app_create_users() {
# 根据容器参数,设置配置文件
LOG_I "Configure LDAP credentials for admin user"
LOG_I "Add defined user"
cat > "${APP_CONF_DIR}/users.ldif" << EOF
cat > "${APP_CONF_DIR}/default_users.ldif" << EOF
# User OU creation
dn: ${LDAP_USER_OU/#/ou=},$LDAP_ROOT
objectClass: organizationalUnit
@@ -140,7 +193,8 @@ EOF
local index=0
for user in "${users[@]}"; do
cat >> "${APP_CONF_DIR}/users.ldif" << EOF
LOG_D " Add user: ${user}"
cat >> "${APP_CONF_DIR}/default_users.ldif" << EOF
# User $user creation
dn: ${user/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT}
cn: User$((index + 1 ))
@@ -158,7 +212,8 @@ EOF
index=$((index + 1 ))
done
cat >> "${APP_CONF_DIR}/users.ldif" << EOF
LOG_D " Add group: ${LDAP_USER_GROUP}"
cat >> "${APP_CONF_DIR}/default_users.ldif" << EOF
# Group creation
dn: ${LDAP_USER_GROUP/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT}
cn: $LDAP_USER_GROUP
@@ -167,28 +222,27 @@ objectClass: groupOfNames
EOF
for user in "${users[@]}"; do
cat >> "${APP_CONF_DIR}/users.ldif" << EOF
cat >> "${APP_CONF_DIR}/default_users.ldif" << EOF
member: ${user/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT}
EOF
done
debug_execute ldapadd -f "${APP_CONF_DIR}/users.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD"
debug_execute ldapadd -f "${APP_CONF_DIR}/default_users.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD"
}
# 生成默认配置文件
openldap_generate_conf() {
app_generate_conf() {
# 根据容器参数,设置配置文件
LOG_I "Creating LDAP online configuration"
! is_root && replace_in_file "${APP_CONF_DIR}/slapd.ldif" "uidNumber=0" "uidNumber=$(id -u)"
debug_execute slapadd -F "$LDAP_ONLINE_CONF_DIR" -n 0 -l "${APP_CONF_DIR}/slapd.ldif"
debug_execute slapadd -n 0 -F "$LDAP_ONLINE_CONF_DIR" -l "${APP_CONF_DIR}/slapd.ldif"
}
# 生成LTS配置文件
openldap_generate_lts_conf() {
app_generate_lts_conf() {
LOG_I "Configuring TLS"
cat > "${APP_CONF_DIR}/certs.ldif" << EOF
cat > "${APP_CONF_DIR}/default_certs.ldif" << EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
@@ -202,21 +256,21 @@ olcTLSCertificateKeyFile: $LDAP_TLS_KEY_FILE
EOF
if [[ -f "$LDAP_TLS_DH_PARAMS_FILE" ]]; then
cat >> "${APP_CONF_DIR}/certs.ldif" << EOF
cat >> "${APP_CONF_DIR}/default_certs.ldif" << EOF
-
replace: olcTLSDHParamFile
olcTLSDHParamFile: $LDAP_TLS_DH_PARAMS_FILE
EOF
fi
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/certs.ldif"
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/default_certs.ldif"
}
# 检测用户参数信息是否满足条件; 针对部分权限过于开放情况,打印提示信息
openldap_verify_minimum_env() {
app_verify_minimum_env() {
local error_code=0
LOG_D "Validating settings in APP_* env vars..."
LOG_D "Validating settings in ENV vars..."
print_validation_error() {
LOG_E "$1"
@@ -274,55 +328,56 @@ openldap_verify_minimum_env() {
}
# 以后台方式启动应用服务,并等待启动就绪
openldap_start_server_bg() {
local -a flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:/// " "-F" "${APP_CONF_DIR}/slapd.d")
app_start_server_bg() {
app_is_server_running && return
local -a flags=("-h" "ldapi:///" "-F" "${APP_CONF_DIR}/slapd.d")
local -r command="$(command -v slapd)"
LOG_I "Starting ${APP_NAME} in background..."
LOG_D "${command} ${flags[@]}"
if openldap_is_server_not_running; then
ulimit -n "${LDAP_ULIMIT_NOFILES}"
LOG_I "Starting ${APP_NAME} in background..."
LOG_D "${command} ${flags[@]}"
ulimit -n "$LDAP_ULIMIT_NOFILES"
is_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")
debug_execute ${command} "${flags[@]}"
debug_execute ${command} "${flags[@]}"
# 通过命令或特定端口检测应用是否就绪
LOG_D "Checking ${APP_NAME} ready status..."
# wait-for-port --timeout 60 "$ZOO_PORT_NUMBER"
LOG_I "${APP_NAME} is ready for service..."
fi
LOG_D "Checking ${APP_NAME} ready status..."
local counter=10
while ! app_is_server_running ; do
LOG_D "Waiting for ${APP_NAME} to ready ... $counter"
if [[ "$counter" -ne 0 ]]; then
break
fi
sleep 1;
counter=$((counter - 1))
done
}
# 停止应用服务
openldap_stop_server() {
local -r retries="${1:-10}"
local -r sleep_time="${2:-1}"
if openldap_is_server_running ; then
app_stop_server() {
if app_is_server_running ; then
LOG_I "Stopping ${APP_NAME}..."
# 使用 PID 文件 kill 进程
stop_service_using_pid "$LDAP_PID_FILE"
# 检测停止是否完成
while [[ "$retries" -ne 0 ]] && openldap_is_server_running; do
LOG_D "Waiting for ${APP_NAME} to stop..."
sleep ${sleep_time}
retries=$((retries - 1))
LOG_D "Checking ${APP_NAME} running status..."
local counter=10
while [[ "$counter" -ne 0 ]] && app_is_server_running; do
LOG_D "Waiting for ${APP_NAME} to stop ... $counter"
sleep 1
counter=$((counter - 1))
done
else
LOG_D "${APP_NAME} stopped..."
fi
fi
}
# 检测应用服务是否在后台运行中
openldap_is_server_running() {
app_is_server_running() {
LOG_D "Check if ${APP_NAME} is running..."
local pid
pid="$(get_pid_from_file "${LDAP_PID_FILE}")"
pid="$(get_pid_from_file '${LDAP_PID_FILE}')"
LOG_D "${APP_NAME} PID: ${pid}"
if [[ -n "${pid}" ]]; then
@@ -332,33 +387,193 @@ openldap_is_server_running() {
fi
}
openldap_is_server_not_running() {
! openldap_is_server_running
app_is_server_not_running() {
if [[ app_is_server_running == false ]]; then
true
else
flse
fi
}
# 增加 schema 文件
openldap_add_modules() {
LOG_I "Adding LDAP extra modules"
# 清理初始化应用时生成的临时文件
app_clean_tmp_file() {
LOG_D "Clean ${APP_NAME} tmp files for init..."
local -r -a files=(
"${LDAP_PID_FILE}"
)
#read -r -a modules <<< "$(tr ',;' ' ' <<< "${LDAP_EXTRA_MODULES}")"
modules=($(echo "${LDAP_EXTRA_MODULES[*]} accesslog" | tr ',;' ' ' | sed 's/ /\n/g' | sort | uniq) )
cat > "${APP_CONF_DIR}/modules.ldif" << EOF
dn: cn=module{0},cn=config
add: olcModuleLoad
EOF
for module in "${modules[@]}"; do
LOG_D "Add module: ${module}.la"
cat >> "${APP_CONF_DIR}/modules.ldif" << EOF
olcModuleLoad: ${module}.la
EOF
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/modules.ldif"
for file in ${files[@]}; do
if [[ -f "$file" ]]; then
LOG_D " Remove $file"
rm "$file"
fi
done
}
# 用户自定义的前置初始化操作,依次执行目录 preinitdb.d 中的初始化脚本
# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_preinit_flag
app_custom_preinit() {
LOG_I "Process pre-init for ${APP_NAME}..."
# 检测用户配置文件目录是否存在 preinitdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本
if [ -d "${APP_CONF_DIR}/preinitdb.d" ]; then
# 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作
if [[ -n $(find "${APP_CONF_DIR}/preinitdb.d/" -type f -regex ".*\.\(sh\)") ]] && \
[[ ! -f "${APP_DATA_DIR}/.custom_preinit_flag" ]]; then
LOG_I "Process custom pre-init scripts from /srv/conf/${APP_NAME}/preinitdb.d..."
# 检索所有可执行脚本,排序后执行
find "${APP_CONF_DIR}/preinitdb.d/" -type f -regex ".*\.\(sh\)" | sort | process_init_files
touch "${APP_DATA_DIR}/.custom_preinit_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_preinit_flag"
LOG_I "Custom preinit for ${APP_NAME} complete."
else
LOG_I "Custom preinit for ${APP_NAME} already done before, skipping initialization."
fi
fi
}
# 应用默认初始化操作
# 执行完毕后,生成文件 ${APP_CONF_DIR}/.app_init_flag 及 ${APP_DATA_DIR}/.data_init_flag 文件
app_default_init() {
LOG_I "Process default init for ${APP_NAME}..."
# 检测配置文件是否存在
if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then
LOG_I "No injected configuration file found, creating default config files..."
app_generate_conf
touch "${APP_CONF_DIR}/.app_init_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag"
else
LOG_I "User injected custom configuration detected!"
LOG_D "Update configure files from environment..."
app_update_conf
fi
if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then
LOG_I "Deploying ${APP_NAME} from scratch..."
# 启动后台服务
app_start_server_bg
app_root_credentials
if is_boolean_yes "$LDAP_ENABLE_TLS"; then
app_generate_lts_conf
fi
if is_boolean_yes "$LDAP_SKIP_DEFAULT_TREE"; then
LOG_I "Skipping default schemas/tree structure"
else
# 使用相应的 schemas/tree 初始化 OpenLDAP
app_add_modules
app_add_schemas
if ! is_dir_empty "$LDAP_CUSTOM_SCHEMA_DIR"; then
app_add_custom_schema
fi
if ! is_dir_empty "$LDAP_CUSTOM_LDIF_DIR"; then
app_add_custom_ldifs
else
app_create_tree
app_create_users
fi
fi
touch ${APP_DATA_DIR}/.data_init_flag
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag
app_is_server_running && app_stop_server
else
LOG_I "Deploying ${APP_NAME} with persisted data..."
fi
}
# 用户自定义的应用初始化操作,依次执行目录initdb.d中的初始化脚本
# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_init_flag
app_custom_init() {
LOG_I "Process customer init ${APP_NAME}..."
# 检测用户配置文件目录是否存在 initdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本
if [ -d "${APP_CONF_DIR}/initdb.d" ]; then
# 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作
if [[ -n $(find "${APP_CONF_DIR}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)") ]] && \
[[ ! -f "${APP_DATA_DIR}/.custom_init_flag" ]]; then
LOG_I "Process custom init scripts from ${APP_CONF_DIR}/initdb.d..."
# 启动后台服务
app_start_server_bg
# 检索所有可执行脚本,排序后执行
find "${APP_CONF_DIR}/initdb.d/" -type f -regex ".*\.\(sh\|ldif\|ldif.gz\)" | sort | while read -r f; do
case "$f" in
*.sh)
if [[ -x "$f" ]]; then
LOG_D "Executing $f"; "$f"
else
LOG_D "Sourcing $f"; . "$f"
fi
;;
*.ldif)
LOG_D "Executing $f";
postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" < "$f"
;;
*.ldif.gz)
LOG_D "Executing $f";
gunzip -c "$f" | postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}"
;;
*)
LOG_D "Ignoring $f" ;;
esac
done
touch "${APP_DATA_DIR}/.custom_init_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_init_flag"
LOG_I "Custom init for ${APP_NAME} complete."
# 检测服务是否运行中;如果运行,则停止后台服务
app_is_server_running && app_stop_server
app_clean_tmp_file
else
LOG_I "Custom init for ${APP_NAME} already done before, skipping initialization."
fi
fi
}
# 增加 schema 文件
openldap_add_schemas() {
LOG_I "Adding LDAP extra schemas"
app_add_modules() {
local flag_first=true
LOG_I "Add extra modules"
#read -r -a modules <<< "$(tr ',;' ' ' <<< "${LDAP_EXTRA_MODULES}")"
modules=($(echo "${LDAP_EXTRA_MODULES[*]} accesslog" | tr ',;' ' ' | sed 's/ /\n/g' | sort | uniq) )
cat > "${APP_CONF_DIR}/default_modules.ldif" << EOF
dn: cn=module{0},cn=config
changetype: modify
EOF
for module in "${modules[@]}"; do
LOG_D " Add module: ${module}.la"
cat >> "${APP_CONF_DIR}/default_modules.ldif" << EOF
add: olcModuleLoad
olcModuleLoad: ${module}.la
EOF
[[ ! $flag_first ]] && echo "-" >> "${APP_CONF_DIR}/default_modules.ldif"
flag_first=false
done
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/default_modules.ldif"
}
# 增加 schema 文件
app_add_schemas() {
LOG_I "Add extra schemas"
#read -r -a schemas <<< "$(tr ',;' ' ' <<< "${LDAP_EXTRA_SCHEMAS}")"
schemas=($(echo "${LDAP_EXTRA_SCHEMAS[*]} cosine inetorgperson nis samba" | tr ',;' ' ' | sed 's/ /\n/g' | sort | uniq) )
@@ -369,7 +584,7 @@ openldap_add_schemas() {
}
# 增加个性化 schema 文件
openldap_add_custom_schema() {
app_add_custom_schema() {
LOG_I "Adding custom Schema in $LDAP_CUSTOM_SCHEMA_DIR ..."
#find "$LDAP_CUSTOM_SCHEMA_DIR" -maxdepth 1 \( -type f -o -type l \) -iname '*.ldif' -print0 | sort -z | xargs --null -I{} bash -c ". /usr/local/scripts/libos.sh && debug_execute debug_execute slapadd -F "$LDAP_ONLINE_CONF_DIR" -n 0 -l {} "
@@ -378,13 +593,13 @@ openldap_add_custom_schema() {
debug_execute debug_execute slapadd -F "$LDAP_ONLINE_CONF_DIR" -n 0 -l $f
done
openldap_stop_server
#while openldap_is_server_running; do sleep 1; done
openldap_start_server_bg
app_stop_server
#while app_is_server_running; do sleep 1; done
app_start_server_bg
}
# 导入 ldif 文件定义的数据
openldap_add_custom_ldifs() {
app_add_custom_ldifs() {
LOG_I "Loading custom LDIF files..."
LOG_W "Ignoring LDAP_USERS, LDAP_PASSWORDS, LDAP_USER_OU and LDAP_USER_GROUP environment variables..."
@@ -395,157 +610,4 @@ openldap_add_custom_ldifs() {
done
}
# 清理初始化应用时生成的临时文件
openldap_clean_tmp_file() {
LOG_D "Clean ${APP_NAME} tmp files for init..."
}
# 在重新启动容器时,删除标志文件及必须删除的临时文件 (容器重新启动)
openldap_clean_from_restart() {
LOG_D "Clean ${APP_NAME} tmp files for restart..."
local -r -a files=(
"/var/run/${APP_NAME}/${APP_NAME}.pid"
)
for file in ${files[@]}; do
if [[ -f "$file" ]]; then
LOG_I "Cleaning stale $file file"
rm "$file"
fi
done
}
# 应用默认初始化操作
# 执行完毕后,生成文件 ${APP_CONF_DIR}/.app_init_flag 及 ${APP_DATA_DIR}/.data_init_flag 文件
openldap_default_init() {
openldap_clean_from_restart
LOG_D "Check init status of ${APP_NAME}..."
# 检测配置文件是否存在
if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then
LOG_I "No injected configuration file found, creating default config files..."
openldap_generate_conf
touch "${APP_CONF_DIR}/.app_init_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag"
else
LOG_I "User injected custom configuration detected!"
LOG_D "Update configure files from environment..."
openldap_update_conf
fi
if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then
LOG_I "Deploying ${APP_NAME} from scratch..."
[[ ! -e ${APP_DATA_DIR}/DB_CONFIG ]] && cp ${APP_CONF_DIR}/DB_CONFIG.example ${APP_DATA_DIR}/DB_CONFIG
# 启动后台服务
openldap_start_server_bg
openldap_root_credentials
if is_boolean_yes "$LDAP_ENABLE_TLS"; then
openldap_generate_lts_conf
fi
if is_boolean_yes "$LDAP_SKIP_DEFAULT_TREE"; then
LOG_I "Skipping default schemas/tree structure"
else
# 使用相应的 schemas/tree 初始化 OpenLDAP
openldap_add_modules
openldap_add_schemas
if ! is_dir_empty "$LDAP_CUSTOM_SCHEMA_DIR"; then
openldap_add_custom_schema
fi
if ! is_dir_empty "$LDAP_CUSTOM_LDIF_DIR"; then
openldap_add_custom_ldifs
else
openldap_create_tree
openldap_create_users
fi
fi
touch ${APP_DATA_DIR}/.data_init_flag
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag
else
LOG_I "Deploying ${APP_NAME} with persisted data..."
fi
}
# 用户自定义的前置初始化操作,依次执行目录 preinitdb.d 中的初始化脚本
# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_preinit_flag
openldap_custom_preinit() {
LOG_I "Check custom pre-init status of ${APP_NAME}..."
# 检测用户配置文件目录是否存在 preinitdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本
if [ -d "/srv/conf/${APP_NAME}/preinitdb.d" ]; then
# 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作
if [[ -n $(find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)") ]] && \
[[ ! -f "${APP_DATA_DIR}/.custom_preinit_flag" ]]; then
LOG_I "Process custom pre-init scripts from /srv/conf/${APP_NAME}/preinitdb.d..."
# 检索所有可执行脚本,排序后执行
find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)" | sort | process_init_files
touch "${APP_DATA_DIR}/.custom_preinit_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_preinit_flag"
LOG_I "Custom preinit for ${APP_NAME} complete."
else
LOG_I "Custom preinit for ${APP_NAME} already done before, skipping initialization."
fi
fi
# 检测依赖的服务是否就绪
#for i in ${SERVICE_PRECONDITION[@]}; do
# openldap_wait_service "${i}"
#done
}
# 用户自定义的应用初始化操作,依次执行目录initdb.d中的初始化脚本
# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_init_flag
openldap_custom_init() {
LOG_I "Check custom initdb status of ${APP_NAME}..."
# 检测用户配置文件目录是否存在 initdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本
if [ -d "/srv/conf/${APP_NAME}/initdb.d" ]; then
# 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作
if [[ -n $(find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)") ]] && \
[[ ! -f "${APP_DATA_DIR}/.custom_init_flag" ]]; then
LOG_I "Process custom init scripts from /srv/conf/${APP_NAME}/initdb.d..."
# 启动后台服务
openldap_start_server_bg
# 检索所有可执行脚本,排序后执行
find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)" | sort | while read -r f; do
case "$f" in
*.sh)
if [[ -x "$f" ]]; then
LOG_D "Executing $f"; "$f"
else
LOG_D "Sourcing $f"; . "$f"
fi
;;
*.ldif)
LOG_D "Executing $f";
postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" < "$f"
;;
*)
LOG_D "Ignoring $f" ;;
esac
done
touch "${APP_DATA_DIR}/.custom_init_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_init_flag"
LOG_I "Custom init for ${APP_NAME} complete."
else
LOG_I "Custom init for ${APP_NAME} already done before, skipping initialization."
fi
fi
}
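Review bot: The new `olcDatabase={1}hdb` rule in `app_add_default_policy` — `olcAccess: {0}to * … by dn.base="${LDAP_BIND_DN}" read … by * none` — changes who can authenticate and who can read password hashes. slapd appends the frontend's ACLs after a database's own ACLs, and this `to *` rule matches every entry under `$LDAP_ROOT`, so the frontend's `by anonymous auth` / `by self write` clauses never reach the hdb suffix: ordinary users cannot simple-bind (a bind needs `auth` on `userPassword`) or change their own password, while the service bind account is granted `read` on every attribute, `userPassword` hashes included. The same hunk also gives `${LDAP_BIND_DN}` read on `olcDatabase={0}config`, which exposes `olcRootPW` and the TLS key path to that low-privilege account; that clause should simply be removed. For hdb, put a password-attribute rule before the catch-all (reusing the attribute list the frontend rule already uses), keep the bind account out of it, and restore `self write` / `anonymous auth`:

```shell
# … unchanged: {2}monitor entry …
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs="userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire"
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
 by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
 by dn.base="${LDAP_ADMIN_DN}" write
 by self write
 by anonymous auth
 by * none
olcAccess: {1}to *
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
 by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
 by dn.base="${LDAP_BIND_DN}" read
 by dn.base="${LDAP_ADMIN_DN}" write
 by * none
# … unchanged: {0}config entry (without the ${LDAP_BIND_DN} clause) and {-1}frontend entry …
```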
+22 -14
@@ -1,29 +1,37 @@
#!/bin/bash
# Ver: 1.3 by Endial Fang (endial@126.com)
#!/usr/bin/dumb-init /bin/bash
# Ver: 1.5 by Endial Fang (endial@126.com)
#
# 容器入口脚本
# 容器入口脚本;当前脚本执行完毕时,使用默认用户执行镜像 CMD 定义的命令(默认为'/usr/local/bin/run.sh'
# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
# -e: 命令执行错误则报错(errexit); -u: 变量未定义则报错(nounset); -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
set -eu
set -o pipefail
set -euo pipefail
. /colovu/lib/libcommon.sh # 加载通用函数库
. /colovu/lib/libcommon.sh # 加载通用函数库
. /usr/local/bin/environment.sh # 设置环境变量
LOG_I "** Processing entry.sh **"
if [[ "$*" = "/usr/local/bin/run.sh" ]]; then
print_image_welcome
# 优先处理'-'开始的版本信息、帮助信息显示命令,如果是该类命令,处理后退出容器
[[ "${1:0:1}" == '-' ]] && set -- "${APP_EXEC:-/bin/bash}" "$@" && print_command_help "$@"
LOG_I "** Starting ${APP_NAME} setup **"
# 处理 root 用户**且**使用默认启动脚本时的初始化
if [[ "$(id -u)" == '0' ]] && [[ "$1" == "run.sh" ]]; then
print_welcome_info
/usr/local/bin/setup.sh
/usr/local/bin/init.sh
LOG_I "** ${APP_NAME} setup finished! **"
gosu "${APP_USER}" /usr/local/bin/init.sh
# 执行应用启动脚本并替换当前进程
exec gosu "${APP_USER}" "$@"
fi
# 检测是否仅打印帮助信息
[ "${1:0:1}" = '-' ] && set -- "${APP_EXEC:-/bin/bash}" "$@"
print_command_help "$@"
# 处理 root 用户**且**使用init.sh脚本时的初始化
if [[ "$(id -u)" == '0' ]] && [[ "$1" == "init.sh" ]]; then
/usr/local/bin/setup.sh
gosu "${APP_USER}" /usr/local/bin/init.sh
fi
# 处理非以上情形的自定义命令
LOG_I "Start container with command: $@"
exec "$@"
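Review bot: The closing `exec "$@"` runs any command other than `run.sh`/`init.sh` with the caller's identity, and since the Dockerfile in this commit no longer sets `USER`, that identity is root; the `-` shortcut two blocks above makes this the normal path for `docker run … -d 256`-style invocations, which now rewrite `$1` to `${APP_EXEC}` and start slapd as root instead of `${APP_USER}`. Only the two `gosu` branches drop privileges. Either drop privileges for the rewritten case too, e.g. `[[ "$(id -u)" == '0' && "$1" == "${APP_EXEC:-}" ]] && exec gosu "${APP_USER}" "$@"` just before the final exec, or state in the header comment that arbitrary commands intentionally run as root for debugging. Also, under the new `set -euo pipefail`, an invocation with no arguments makes `${1:0:1}` abort on an unbound variable; `${1:-}` in that test avoids it.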
+20 -18
@@ -1,16 +1,17 @@
#!/bin/bash
# Ver: 1.0 by Endial Fang (endial@126.com)
# Ver: 1.2 by Endial Fang (endial@126.com)
#
# 应用环境变量定义及初始化
# 通用设置
export ENV_DEBUG=${ENV_DEBUG:-false}
export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}"
export ALLOW_ANONYMOUS="${ALLOW_ANONYMOUS:-no}"
# 通过读取变量名对应的 *_FILE 文件,获取变量值;如果对应文件存在,则通过传入参数设置的变量值会被文件中对应的值覆盖
# 通过读取变量名对应的`*_FILE`文件,获取变量值
# 变量优先级: *_FILE > 传入变量 > 默认值
app_env_file_lists=(
APP_PASSWORD
LDAP_ROOT_PASSWORD
LDAP_BIND_PASSWORD
LDAP_ADMIN_PASSWORD
)
for env_var in "${app_env_file_lists[@]}"; do
file_env_var="${env_var}_FILE"
@@ -21,16 +22,20 @@ for env_var in "${app_env_file_lists[@]}"; do
done
unset app_env_file_lists
# 应用路径参数
export APP_HOME_DIR="/usr/local"
export APP_DEF_DIR="/etc/${APP_NAME}"
export APP_CONF_DIR="/srv/conf/${APP_NAME}"
export APP_DATA_DIR="/srv/data/${APP_NAME}"
export APP_DATA_LOG_DIR="/srv/datalog/${APP_NAME}"
# 应用路径参数Dockerfile 已定义:APP_NAME、APP_VER,可能定义 APP_USER、APP_EXEC
export APP_EXEC="${APP_EXEC:-${APP_NAME}}"
export APP_USER="${APP_USER:-${APP_NAME}}"
export APP_GROUP="${APP_USER:-${APP_NAME}}"
export APP_HOME="${APP_HOME:-/srv/${APP_NAME}}"
export APP_BASE="${APP_BASE:-/usr/local/${APP_NAME}}"
export APP_DEF_DIR="${APP_BASE}/etc/${APP_NAME}"
export APP_CONF_DIR="/srv/${APP_NAME}/conf"
export APP_DATA_DIR="/srv/${APP_NAME}/data"
export APP_CERT_DIR="/srv/${APP_NAME}/cert"
export APP_LOG_DIR="/srv/${APP_NAME}/log"
export APP_CACHE_DIR="/var/cache/${APP_NAME}"
export APP_RUN_DIR="/var/run/${APP_NAME}"
export APP_LOG_DIR="/var/log/${APP_NAME}"
export APP_CERT_DIR="/srv/cert/${APP_NAME}"
# 应用配置参数
export LDAP_PORT_NUMBER="${LDAP_PORT_NUMBER:-8389}"
@@ -53,8 +58,8 @@ export LDAP_TLS_DH_PARAMS_FILE="${LDAP_TLS_DH_PARAMS_FILE:-}"
export LDAP_ROOT="${LDAP_ROOT:-dc=example,dc=org}"
export LDAP_ORGNIZATION_NAME="${LDAP_ORGNIZATION_NAME:-Colovu Lab}"
export LDAP_ROOT_USERNAME="${LDAP_ROOT_USERNAME:-root}"
export LDAP_ROOT_DN="${LDAP_ROOT_USERNAME/#/cn=},${LDAP_ROOT}"
export LDAP_ROOT_UID="${LDAP_ROOT_UID:-root}"
export LDAP_ROOT_DN="${LDAP_ROOT_UID/#/cn=},${LDAP_ROOT}"
export LDAP_ROOT_PASSWORD="${LDAP_ROOT_PASSWORD:-rootpassword}"
export LDAP_BIND_GIVEN_NAME="${LDAP_BIND_GIVEN_NAME:-Binder}"
@@ -82,9 +87,6 @@ export LDAP_ONLINE_CONF_DIR="${APP_CONF_DIR}/slapd.d"
export LDAP_PID_FILE="${APP_RUN_DIR}/slapd.pid"
export LDAP_ARGS_FILE="${APP_RUN_DIR}/slapd.args"
export LDAP_DAEMON_USER="slapd"
export LDAP_DAEMON_GROUP="slapd"
#export LDAP_ENCRYPTED_ROOT_PASSWORD="$(echo -n $LDAP_ROOT_PASSWORD | slappasswd -n -T /dev/stdin)"
#export LDAP_ENCRYPTED_BIND_PASSWORD="$(echo -n $LDAP_BIND_PASSWORD | slappasswd -n -T /dev/stdin)"
#export LDAP_ENCRYPTED_ADMIN_PASSWORD="$(echo -n $LDAP_ADMIN_PASSWORD | slappasswd -n -T /dev/stdin)"
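Review bot: `export APP_GROUP="${APP_USER:-${APP_NAME}}"` derives the group from APP_USER instead of from an APP_GROUP override, so a caller who sets APP_GROUP has it silently ignored and user and group can never differ; if it is meant to follow the pattern of the neighbouring lines it should read `export APP_GROUP="${APP_GROUP:-${APP_NAME}}"`. The new `LDAP_ROOT_DN="${LDAP_ROOT_UID/#/cn=},${LDAP_ROOT}"` is now fed from LDAP_ROOT_UID while `LDAP_ROOT_USERNAME` two lines above is still exported, leaving two near-identical knobs of which only one affects the root DN; if nothing else consumes LDAP_ROOT_USERNAME, drop it or add a comment saying which variable scripts should use. The other files of this commit are not visible here, so I cannot confirm whether LDAP_ROOT_USERNAME is still referenced.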
+7 -11
@@ -5,25 +5,21 @@
# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
set -eu
set -o pipefail
set -euo pipefail
. /usr/local/bin/common.sh # 应用专用函数库
. /usr/local/bin/environment.sh # 设置环境变量
. /usr/local/bin/common.sh # 应用专用函数库
LOG_I "** Processing init.sh **"
trap "app_stop_server" EXIT
trap "${APP_NAME}_stop_server" EXIT
${APP_NAME}_verify_minimum_env
app_verify_minimum_env
# 执行应用预初始化操作
${APP_NAME}_custom_preinit
app_custom_preinit
# 执行应用初始化操作
${APP_NAME}_default_init
app_default_init
# 执行用户自定义初始化脚本
${APP_NAME}_custom_init
LOG_I "** Processing init.sh finished! **"
app_custom_init
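Review bot: The new `${APP_NAME}_verify_minimum_env`, `${APP_NAME}_custom_preinit`, `${APP_NAME}_default_init`, `${APP_NAME}_custom_init` calls and `trap "${APP_NAME}_stop_server" EXIT` resolve function names from a build-time ARG at run time, so a mismatch between APP_NAME and the prefix used in common.sh only shows up as `command not found` part-way through initialisation, and for the trap only at exit. A guard right after the `.` lines makes that failure explicit and early: `declare -F "${APP_NAME}_default_init" >/dev/null || { echo "common.sh defines no ${APP_NAME}_* functions" >&2; exit 1; }`. The sourcing order of environment.sh and common.sh also changes in this hunk; if common.sh reads APP_* variables when sourced, a short comment on why environment.sh must come first would save the next reader from re-deriving it under `set -u`.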
+15 -17
@@ -1,14 +1,15 @@
#!/bin/bash
# Ver: 1.3 by Endial Fang (endial@126.com)
# Ver: 1.5 by Endial Fang (endial@126.com)
#
# 应用启动脚本
# 应用启动脚本;组合默认的配置参数及容器启动时传入的 CMD 参数,启动应用
# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
# -e: 命令执行错误则报错(errexit); -u: 变量未定义则报错(nounset); -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
set -eu
set -o pipefail
set -euo pipefail
. /colovu/lib/liblog.sh # 日志输出函数库
. /colovu/lib/libvalidations.sh # 数据校验
. /usr/local/bin/common.sh # 应用专用函数库
. /usr/local/bin/environment.sh # 设置环境变量
LOG_I "** Processing run.sh **"
@@ -17,22 +18,19 @@ LOG_I "** Processing run.sh **"
# https://github.com/docker/docker/issues/8231
ulimit -n "$LDAP_ULIMIT_NOFILES"
readonly START_COMMAND="$(command -v ${APP_EXEC})"
readonly START_COMMAND="$(command -v ${APP_EXEC:-${APP_NAME}})"
flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:///")
# 配置默认启动参数(应用配置文件、前台方式启动)
flags=("-h" "ldapi:/// ldap://:${LDAP_PORT_NUMBER}/")
# 如果启用 TLS, 增加 LDAPS 服务
is_boolean_yes "$LDAP_ENABLE_TLS" && flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldaps://:${LDAP_LDAPS_PORT_NUMBER}/ ldapi:///")
is_boolean_yes "$LDAP_ENABLE_TLS" && flags=("-h" '"ldapi:/// ldap://:'${LDAP_PORT_NUMBER}'/ ldaps://:'${LDAP_LDAPS_PORT_NUMBER}'/"')
# 确保应用运行在前台
flags=("-d" "stats" "${flags[@]}")
flags=("-F" "${APP_CONF_DIR}/slapd.d" "${flags[@]}")
flags+=("-d" "stats")
[[ -z "${APP_EXTRA_FLAGS:-}" ]] || flags=("${flags[@]}" "${APP_EXTRA_FLAGS[@]}")
# 增加 "@" 以使用用户在命令行添加的扩展标识
flags=("${flags[@]}" "$@")
[[ -n "${APP_CONF_DIR:-}" ]] && flags+=("-F" "${APP_CONF_DIR}/slapd.d")
[[ -n "${APP_EXTRA_FLAGS:-}" ]] && flags+=("${APP_EXTRA_FLAGS[@]}")
flags+=("$@")
LOG_I "** Starting ${APP_NAME} **"
is_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")
LOG_I "Command: ${START_COMMAND[@]} ${flags[@]}"
LOG_I "Start ${APP_NAME} with command: ${START_COMMAND[@]} ${flags[@]}"
exec "${START_COMMAND[@]}" "${flags[@]}"
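Review bot: The TLS branch `flags=("-h" '"ldapi:/// ldap://:'${LDAP_PORT_NUMBER}'/ ldaps://:'${LDAP_LDAPS_PORT_NUMBER}'/"')` embeds literal double-quote characters inside the array element; since the command is exec'd straight from the array with no further shell parsing, slapd receives `"ldapi:///` as its first URL and will refuse to start precisely when LDAP_ENABLE_TLS is on. Build it the same way as the non-TLS line just above: `flags=("-h" "ldapi:/// ldap://:${LDAP_PORT_NUMBER}/ ldaps://:${LDAP_LDAPS_PORT_NUMBER}/")`. Separately, `is_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")` still relies on the slapd account existing, while the `ensure_user_exists "$LDAP_DAEMON_USER"` line in setup.sh appears only on the old side of this commit; unless the Dockerfile now creates that user, privilege drop will fail whenever the container is started as root.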
+16 -16
@@ -1,35 +1,35 @@
#!/bin/bash
# Ver: 1.2 by Endial Fang (endial@126.com)
# Ver: 1.3 by Endial Fang (endial@126.com)
#
# 应用环境及依赖文件设置脚本
# 应用环境及依赖文件设置脚本;当前脚本以‘root’用户执行
# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
# -e: 命令执行错误则报错(errexit); -u: 变量未定义则报错(nounset); -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
set -eu
set -o pipefail
set -euo pipefail
. /colovu/lib/libcommon.sh # 通用函数库
. /colovu/lib/libos.sh
. /colovu/lib/libcommon.sh # 加载通用函数库
. /colovu/lib/libfs.sh # 加载文件操作函数库
. /colovu/lib/libos.sh # 加载系统管理函数库
. /usr/local/bin/environment.sh # 设置环境变量
. /usr/local/bin/common.sh # 应用专用函数库
LOG_I "** Processing setup.sh **"
APP_DIRS="${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_DATA_LOG_DIR:-}"
APP_DIRS=(/var/log/${APP_NAME} /var/run/${APP_NAME} /var/cache/${APP_NAME} ${APP_HOME})
APP_DIRS+=(${APP_HOME}/conf ${APP_HOME}/data ${APP_HOME}/cert ${APP_HOME}/log ${LDAP_ONLINE_CONF_DIR})
APP_DIRS="${APP_DIRS} ${LDAP_ONLINE_CONF_DIR}"
LOG_I "Ensure directory exists: ${APP_DIRS}"
for dir in ${APP_DIRS}; do
LOG_I "Ensure directory exists: ${APP_DIRS[@]}"
for dir in ${APP_DIRS[@]}; do
ensure_dir_exists ${dir}
done
# 检测指定文件是否在配置文件存储目录存在,如果不存在则拷贝(新挂载数据卷、手动删除都会导致不存在)
LOG_I "Check config files in: ${APP_CONF_DIR}"
if [[ ! -z "$(ls -A "${APP_DEF_DIR}")" ]]; then
ensure_config_file_exist "${APP_DEF_DIR}" $(ls -A "${APP_DEF_DIR}")
if [[ -z "$(ls -A "${APP_CONF_DIR}")" ]]; then
app_ensure_config_file_exist "${APP_CONF_DIR}" "${APP_DEF_DIR}" $(ls -A "${APP_DEF_DIR}")
fi
is_root && ensure_user_exists "$LDAP_DAEMON_USER" -g "$LDAP_DAEMON_GROUP"
LOG_I "** Processing setup.sh finished! **"
# 解决使用non-root后,[emerg] open() "/dev/stdout" failed (13: Permission denied)
LOG_D "Change permissions of stdout/stderr to 0662"
chmod 0662 /dev/stdout /dev/stderr
@@ -41,7 +41,7 @@ dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///srv/conf/openldap/schema/core.ldif
include: file:///srv/openldap/conf/schema/core.ldif
#
# Frontend settings, olcDatabase: -1
@@ -50,7 +50,7 @@ dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcAccess: to * by * manage
#
# Configuration database, olcDatabase: 0
@@ -58,18 +58,10 @@ olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=a
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcAccess: to * by * manage
#
# Server status monitoring, olcDatabase: 1
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none
#
# Backend database definitions, olcDatabase: 2
# Backend database definitions, olcDatabase: 1
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
@@ -77,14 +69,23 @@ objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=root,dc=example,dc=com
olcDbDirectory: /srv/data/openldap
olcDbDirectory: /srv/openldap/data
olcDbIndex: objectClass eq,pres
olcDbIndex: uid,ou,cn,mail,surname,givenname eq,pres,sub
olcAccess: to * by * manage
#
# Add memberof overlay and refint
# Server status monitoring, olcDatabase: 2
#
dn: olcOverlay=memberof,olcDatabase={2}hdb,cn=config
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by * manage
#
# Add overlay
#
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
@@ -96,7 +97,7 @@ olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
dn: olcOverlay=refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
@@ -104,10 +105,7 @@ objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember owner
#
# Add ppolicy overlay and syncprov
#
#dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
#dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
#objectClass: olcConfig
#objectClass: olcOverlayConfig
#objectClass: olcPPolicyConfig