sa_8001/dsk-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ansible Script 추가

Browse Source
This commit is contained in:
ByeonJungHun
2023-12-19 13:36:16 +09:00
parent 0273450ff6
commit 05cb8d9269
2610 changed files with 281893 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
ansible/00_old/agent_cluster_install.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
- hosts: cluster
become: true
gather_facts: true
environment:
KUBECONFIG: /root/.kube/ansible_config
roles:
- role: agent_os_setting

23
ansible/00_old/agent_datasaker.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- hosts: agent
become: true
roles:
- role: dsk_bot.datasaker
vars:
datasaker_api_key: "XQOt9G3oAtsOQyd3U25JwOu3/sE+zj/m3kRKL/d0OUAQn30jVlrBKN/gJp9cJ4C9CHU1D1vSEPRxaCk8NuwZh6+v48TiaingDy6F74YGySRvnH0gqdmfxLSGisD/g8/JqBlIwhhyMSVCVfAkcNysLnwLi4xLnZMlvVi2Lzo3MiekSfJS5adR3hAv6pCaCFe2rNW24pYS5PBYkP/kxp/cfYAN/UhVEs5J+h4/iQ5vozQgvWuskBpOjlUeEYZnMZ6Al91gAUmSRoxtzLc+QOdfp7+uDXpwXPm80bQz9bR20Elcr4+rNqLcc2ONwJwrSveDSvJn4xjB6n95hEYbaDHUpA=="
datasaker_agents: ["dsk-node-agent","dsk-log-agent"]
datagate_trace_url: 10.10.43.111
datagate_manifest_url: 10.10.43.111
datagate_metric_url: 10.10.43.111
datagate_plan_url: 10.10.43.111
datagate_loggate_url: 10.10.43.111
datasaker_api_url: 10.10.43.111:31501
logs:
- collect:
type: file
file:
paths: ["/var/log/*.log","/datasaker/log/*.log"]
#uninstall: True
#datasaker_clean: True

9
ansible/00_old/api_cluster_install.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
- hosts: cluster
become: true
gather_facts: true
environment:
KUBECONFIG: /root/.kube/ansible_config
roles:
- role: api_os_setting

11
ansible/00_old/authorized_keys.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- hosts: cluster
remote_user: root
tasks:
- name: key add
authorized_key:
user: root
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
manage_dir: False

95
ansible/00_old/bastion.yml Normal file
View File

@@ -0,0 +1,95 @@
---
- hosts: bastion
become: true
gather_facts: true
roles:
- role: bastion
vars:
- sshmainport: 2222
admin_users:
- name: "minchulahn"
ip: "10.20.142.22"
description: "안민철"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKDxtkcfx2ITlT2Yh7ZCT79do/25YQ2vROz38m8veAuBhOw+75oZJ4nN//zOWaaMvpC3Z7NIzOR+3UeukhnLZ591q8AaHcKjV8JEJMo2pvpH1vdLcTL9baLqWrxzgRimnZUNf5n5HNr+AKoXuPp//aVSJSoeznb66r04/rJSetT0QGDC8Kj5Q+MNvdd0/3U/nu7JxW9LIEaLoeiX6mVb4PpV7kl3rI3Vut/GnWakOhbS4yNvIFdR6d8rv305/BXJOz/aWy+0j7qK+NBzbSsI/l0vVUHfeD3whYGePCpWmj73ZsMTMjIjrC8DpRQlOJlAZ0GVpQnd/ayIWi4+V8VjvFcd6vSqrhhsNoOyo0Y/6cyO6iyvKqohMK6+HF1w6aXoaGCFFSl/3gw63saNAsdZPArnwf5yZ6GfPa/9bRn2k9g5xfp97Itpo6Iqq+PuRcZOes0EiIQe2hOoYQEIHIRhf8CZ+Xf6W1+XZB+WxEzUe4GCCwgUdTB6RIr4ThDxwCBV0="
- name: "havelight"
ip: "10.20.142.21"
description: "정재희"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUAppqxDLltrMsYMwIxGi0FA5STA/R+H6oy7myfiJP2Lt4woCogMi3ELVKEhFkeJx4i8y9G80lynEYCHRH1kAQ/7YaJEVFrPXTvBw+OVxYdVS/gLl0rL89ky+n0dv6A9mancrvUOMacI5aN7/W+EhoLohRjRbWlsPGNnvAmO0AZnt595aMUjFkdhusGyBVunDUFSitj9TFkjxDhr6cx8Bi0FLpvdsoAvfqiw/MVKW2pMgj56AT5UCT0wvtSHSNY/C731jP/RKrxP0fnVhIkVys/XmLV/6SVEqL1XwqMTvRfi5+Q8cPsXrnPuUFHiNN4e/MGJkYi0lg7XbX8jDXv3ybdxZ7lGiUDebxjTKBCCghFae3eAwpJADEDfrzb8DHJZFwJVVdKGXvStTWTibcs14ilRPcB4SWIBx/cFCzwOBK/iw8CfEfsbVe6WQbDc4T4LrgL8cUzHPOO8CQcC4DV/O3BuoqQExu6xTmU8rhLT9kgatIdX0K5jgGbuqz7c2lelU="
- name: "sa_8001"
ip: "10.20.142.50"
description: "변정훈"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgvFtLP7A1bR2ANxHiyTalgaI2pvxnCAzsqTAAh/+egIOi2vUIC2jRWGQXyoiTlupdNWQli2D93tEJBvG3VO5LOVocOHsFnFcV8RsiR4QGhqMeXRfMBWbf7Prby0qWv/VQ00gNWEgEjZUhOfBQeJsozGTd3dS4AgRnQkQmnvCT6TWD7+GwMg1SDlu/23y5aKLmpLkVT9kEG3yxZ3rWQfepjAubt+/saZPtyhkmc9+qhe2K+6PCZU2MCh6TYoKrcRUhVaJLvWqS35/Cv/9oxLg7lZwsasHFO9ANXWV9gBelCXLpYosN5hylUvl4JmSN+/qiOH3hpEbOtTCY/ZU0o1/xXLr0pmbYpZoT6zMKZ5fkweW7xidrg/bI1s/4+DVf4c/NJehw4PL3sqRmVdJsriFUifywh05Up5j1NQANiFlFngwEWy81cWRyvSL5q/plJHSvpd6g+WbsyC/QqYNAhxjnEosOb52QGZmLL7GqaC1hdKDOlJYZK63EBQ8YpHqGHo0="
allow_users:
- name: "wkd1994"
ip: "10.20.142.28"
description: "김동우"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDtmuAhVVyVJ87+t2xVtiS3bvTxxn0dmD7t4D2iSvSErIjRsXRCPLdc/yGWiezj+oVZtRPLJ2mjKToGUerdkcW8oqiQeL0+x/CjdlS2rQXvQa2HXCjB+MejwZyJ2bl7VDtIMdLianJBn7+XVc48+bIf7yait8yVH1aVWcS/AXOSo9LwX/uNW5VCL5BeXSGwXdwkuhjeJurR4WIVSBXuh1ql5Vy6BdSxcmLMihNlIL/DyuzfPLuQZbuSeaJ7eJKiHu63/SwBA1cPzj9tgI7zNvguapIHKXvoK8n5gNUXVRDGnD4J6xbzUQB3DbU8kaz7pDClxzgpkf3MnvP9QvnTyqV+aftYlb02as0PrwIxlTlW/sBxyEGdFe+JwoTctHkrSfp0lYRpyCv3eXJcdDu2l3dTJXAHlpcJuQRH2j9herURxML0w6re1iKJ8MAjOqUvh+B3A1U3x116zEGdsCNCRcfwehEir7fmGKaPvrmOiDOTlNswdL/OJ1RHKFuEZJPlUr8="
- name: "djkim"
ip: "10.20.142.36"
description: "김득진"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9Go9pLADJUQtq+ptTAcSIpi+VYv5/Kik0lBuV8xEc++vNtix5kwi+XSsNShHM3MVeiE8J27rYfyNn79r5pVKMuasMRyP3mTDZtRKr7/piM8MXuGSu1jCsVrTBZX0Sf4wuOA1tSkG9QgjBMZfvE9jOSYozA1K85mVE28m2rTihPnL5zYsDKnx+xIcwUBTpkOCoHiAfAX9b5ADAfScJigSZDjFLvexJ1aapPV2Iajh8huIhWvCUhrqUv/ldUm+b1iiOT7GXdrM/cam3FnLZ0b5KI9CQb7084+4l0BlmtPkuFcIlTDm1K6YO7+Mewd+F9uQZwvxGuElBPg8NVgFLD7+nrf2VlJYYCAeChyDV5+ZD70pSTcvHpJbmLKMtRFGov73ZPJ3vld9XCGUCajaoZz5Kz+ANmSC9nl3FpxnYgvFWfS7iwyC+VkGRKUg96/crXz4D8fW/wIskt+3cVrW9Z66psH41ll979mC8xly0ITWwbQZv7rvbdWSDVKVRgbXQOSc="
- name: "sanghee1357"
ip: "10.20.142.40"
description: "김상희"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC45maYW137cwvdS8AE9UzNHq9AMYrkEJtoNDAOVkUXtpVQITqvBCc4B4FfR5JK2h+imnBDng5fu728YAB7q31BE3Wub8I+QWhnQgv+kH1yMWj2s329tkHvcyNWIHSBqw4z1N74Zba+7mojKioju27HdcRcN1L7tpXSCHrq5bU6++CMShpZ7a3wo20RfikFWd563Y15mE3uDqlbkcuzE0KGSNrdY6Gy9aiE3/poVQRLaCmXnUKNw9wM3UGN9DanJi6iosXrlZRkpwhV+tHh2x+BWCbyY8jj94RDJgMwoKw71tzlEp+B1k6a7g+lEo3KFP//3PQxc9fdKBdg1YzSAKGKjsqATEVclmQHVskk6wZQC/wcjFxrSOreSp6knswX9AhIvGhMtoVo9iMy9cm+F4AauzjjfszCMO484983hIYwsh321VB14Wg7NroCYMUh7krATeKmNWhK0YicYCXINVMphBAcXFhuJduPejz19ZN356t+F/LDqlCxW7kO9QfYUy0="
- name: "jinbekim"
ip: "10.10.142.48"
description: "김진범"
- name: "bypark"
ip: "10.20.142.26"
description: "박병욱"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZig/9xMWR3QhwHPbkvY2b9nmHiWkJHgnztGfIyxVTmkcsr9QViIvNUINlRBlE2+I5j7R2+0qI5GkAYndJsQoZiZ3iPqxnM5KdB9bEbWS5Tv7pbGyHyzaYPMUS3g6ZRMKnbJlAmhOLuq4TNYaUSESvaiYbCbaZK2JdsfPtSC99Gez6+HNoapILeg6xkxLnMsgUG6QzGaZyRABlPRbctGfx2U7cYe/7b7T+/yNtMU2FKrAJqcy0S1IUzc/dK2m5SQ3Y2GMohuGkv8mfs16i0wi3LfgEIatsmj2KB7Y7lIYW/GEZA2I+K2uH9Pu+F/kmGvAu5jNd1ztSo9MgElyu2NMXYhM3f/eDD+PdHKjUvOtE5twNBHQooPjBpp/mja4hnxLKepTqgP1t6azncPB8m6jC6MTbkhOHpgSNXurhx0kCurLA+l9KaySidhc0mFNJZGRKAhQoMIDFgXlzkZ4GmmtbfOJ/J1k7QqHZya5x6M4mOfvlPECFKVF24vzJVEulY3E="
- name: "joonsoopark"
ip: "10.20.142.33"
description: "박준수"
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeOzKeL4ZUXw0lEHDZoBsp7M3oobrBI0sWBHdpk0X0T"
- name: "baekchan1024"
ip: "10.20.142.39"
description: "백승찬"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaqqy9YVwxh37xOU0nytBPd6GEJe30e1L/K5UXDZToteNebyfQrtFogxB6MpMNaAzAk6qbyPuZA3rgP8Y+qXgRlx88cxje5P5yOCsMW2o3xD5PiJ7lluWQ9tlS5ti4B9EWurJOsGF27XKKuSHN+dx9ZIb4sDqLYzmycPNwFaEtH6GQ2vjqpPMfjmKAuYmKD4L7mdA8lXTiRS2uYDkUxwQ+6PU+axTauD9qsXuGDAnGkVHKNE0o9OCf1uoyOhy6EB2sDz5Pymr7fbRJauWNxuSJdYPKY33GdDKpioP/1nRLSLtr1nvLHVrG/5CSNO1x20WYXFEGoMTzW4T5nYSS61apHkQ/0Csv0LBeHPc9gsMPobNJpIYlvGwdODQ+fpgxyB4SAQJKtQR1YB4w5OVtXVZAMvZZKI9gQQHZ8wQ4Zk0erGxKeyLxnDrKKNHLRPyUrjkL7H2a0i8BGpdk8sxW9NVrJJGgmQQiPbJx0yvIi1n55mUq+ZVjiF5qPvxtc5D133k="
- name: "jungry"
ip: "10.20.142.44"
description: "서정우"
- name: "ose"
ip: "10.20.142.34"
description: "오승은"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAlYSGJZpOOEPZqIa1/CXxiaUNj1wsgkp0kEyD2SX8r7ovwmSAWCS24v/IOSgsUTFRpL64vIeCtcZ8sj4Hwzd3F2h+carQP0v+leCkzPpQ7aP/BoPS27+fSCzaOZv/QJ+eIcXWHIbWkXf6MYQ35PykDeJIO61OMOlWhpNV425VSwfZoB72xZmEH+rIZjXHHs8vYtIG2sXZE22BLiVw6PEL/C4QB2khBT5ZAjX2xGEzUoSknzva/8Uu20adQBalFTIdyLV7V6CxkIPkSgfmZh/fqXfbfPsxHLPK2o2ueGbx3fcN3kAqFrqpJgjEIZmNj6qhVPtbN5TSUyIjtoPhC4JR0heqckz1qLah+8lSiUfHSblGW89QuUcedHdwHp/RiZW6HQO0cqS/QPNcgPLTiv68voBapS9rav+j0tt1RynNY+AdhCOoo4BbGW0pXqi0vaHzbbfbzxp78kx/7/KXmUHkzGSkmlXVbKqzDm5k/kRn0q4pimDun42b+MjNYu3gZz0="
- name: "gurwns1540"
ip: "10.20.142.35"
description: "윤혁준"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1+kC8LzDxwc4gfiGzUQH+CeKGf+elX3oKciMmLQJmpddlcWuRthq1pszufHjypT/FfC/XVLZkGvjMDJUWro/Pen3RcdTcENteVZO/nzQ89nmS/D3tbg6nVWxiast6bDdSEdPF8CKSUAlA+8hTgSCWou7TtOuWGCKj+6HSHctBA41WFLpYInYHWTnC+LY1nwOurjG4qjmgdEzBXMhLWvuZDVE21oIUMEXbjW1dXhHNMKfyn/mUqSSG9zoXZSK0KB8OHhBsbxzFqu5cXC1TTpJOyX05730LUdwF9MevreUS3ws5NY8h0C6EVAOMQqeH5gkwVTHsyXQHtXB9nGI1g7sMIjEzJHkOygK17nAfapWhGFahhaaq42qdo7N3Pj8IjrY3S9EDXnPtQODROj3JVzo3Sgd2FUKDcAIWwJHMAwkaFqciPGIrj4ib81NbOoWn7oCjbIyDxgoxSp1vpW7C25rL22LtrCHyMWPbhV19FJIZqtg7f94JptzLND1pHDnsnfeNAxz9d6oKdcJW5bXUDeDCQxBio1RBF6nNzSRoiD0+FD29of9wNWRd2cBkR8uJV7P9XfXMzMK5q7Wqte/DABs3wJ3v/cth6kPrRV7j2h+4DGbEj5Mpz8XAFnGkZFmd/UiSbNqRBLKmp0lPpyxZrRU00xuqJ51pYB2wMwkQgOIVuw=="
- name: "yyeun"
ip: "10.20.142.45"
description: "이예은"
- name: "sujung"
ip: "10.20.142.27"
description: "정성락"
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbI5DjRkABz65NnREzf5HKKIMPrIA4DrnDDXTrjnRH8"
- name: "antcho"
ip: "10.20.142.46"
description: "조혜수"
- name: "stdhsw"
ip: "10.20.142.32"
description: "한승우"
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANTMTgqbTtIKKRsZU9An9D3La9Fh1bUtiLE/Y0nL4CZ"
- name: "seungjinjeong"
ip: "10.20.142.41"
description: "정승진"
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDi8funYVM0eRmfplW5EdnfJOFEVDEMMw08VRn6FD9x9VuNWCEkY3iErzekBY2SRat8g6q0VXRyu7b/bhm/kD+BtI79fmz9FKxslTZCeKKN1KWfoZoXSRnvjOX1Y6NDnY2X5M+3kN40ek9ku6abN6lOtInTXJ1QOJIISa8l6vrB/j1xVVZghTYY5MBMc89cRZESGdBZWld0CtmoM+mnjh5vWCCA3VJTcDbj5LKtWllA6t58KwtGBikr8iaOpi83dQ91eXWzxTttl/LCe9bfgSxYlmvZILn0UZMu1WiWBhlIBzC6RlxorkDVRXcSRjguEt+/ys2rv6UTSkm150O4PgjgxlZPmTJt1m5y/St57LELUVbV6XGSq6+eZNTZOYBxxRkKcV0uByCBjxjsVlMmoEZoxedhSVT1Z8/AiMnjPBjXx2ease04EvtZs6rpDRd0puzcx1TKoCkyak60ymxc91X9lQg3kUl0av/G5kMKJQqW6v31GA1Vnh4K9haCVF/Ki/M="

11
ansible/00_old/cmoa_install.yaml Normal file
View File

@@ -0,0 +1,11 @@
---
- hosts: cluster
become: true
gather_facts: true
environment:
KUBECONFIG: /root/.kube/ansible_config
roles:
- role: cmoa_os_setting
- role: cmoa_install
delegate_to: 127.0.0.1

33
ansible/00_old/datasaker.yml Normal file
View File

@@ -0,0 +1,33 @@
- hosts: servers
become: true
roles:
- role: dsk_bot.datasaker
#- role: agent-ansible
vars:
datasaker_api_key: "1VL7/mhddWkQaS/vf/VjjwjnwaUhtZnLL++ih9LxYSB7HVkPpZw1Duy/4gxLN/73Vga00bD79mVd6N4dP0BVxmGqLnR6xItnSLlO3M6LmOMuM8bLaBuxxOvxST3lxpvtI0B2ilyjqTLh5y+NJWFV7Awq4zpqnPnTZ5dryp3yc4zc3C7Vxu0f2CL7/oGT0LRj/1l7gchuUxw2TVDLFFRylb+cFt6/NNylBxIb1wKGILd7N6NGgnsdRcrv4ZvTEPusrDqxO3IRYF6z9ZNbkQ1BPeDINtVFTgwhqFZjxg6erd8oqscB9n1DHOi6+tJ8VSHi2w5hYxHq93EV4cxBfzXAug=="
datasaker_docker_agents:
- "dsk-docker-node-agent"
- "dsk-docker-trace-agent"
- "dsk-docker-log-agent"
- "dsk-docker-postgres-agent"
postgres_user_name: sample
postgres_user_password: 1q2w3e4r
postgres_database_address: 0.0.0.0
postgres_database_port: 5432
plan_postgres_user_name: sample
plan_postgres_user_password: 1q2w3e4r
plan_postgres_database_address: 0.0.0.0
plan_postgres_database_name: sample
plan_postgres_database_port: 5432
logs:
- collect:
type: file
file:
paths:
- /var/log/*.log
- /var/lib/docker/containers/*/*.log
custom_log_volume:
- /var/log/
- /var/lib/docker/containers
#uninstall: True
#datasaker_clean: True

50
ansible/00_old/dev_datasaker.yml Normal file
View File

@@ -0,0 +1,50 @@
---
- hosts: agent
become: true
roles:
- role: dsk_bot.datasaker
vars:
datasaker_api_key: "XQOt9G3oAtsOQyd3U25JwOu3/sE+zj/m3kRKL/d0OUAQn30jVlrBKN/gJp9cJ4C9CHU1D1vSEPRxaCk8NuwZh6+v48TiaingDy6F74YGySRvnH0gqdmfxLSGisD/g8/JqBlIwhhyMSVCVfAkcNysLnwLi4xLnZMlvVi2Lzo3MiekSfJS5adR3hAv6pCaCFe2rNW24pYS5PBYkP/kxp/cfYAN/UhVEs5J+h4/iQ5vozQgvWuskBpOjlUeEYZnMZ6Al91gAUmSRoxtzLc+QOdfp7+uDXpwXPm80bQz9bR20Elcr4+rNqLcc2ONwJwrSveDSvJn4xjB6n95hEYbaDHUpA=="
datasaker_agents: ["dsk-node-agent","dsk-log-agent"]
#datasaker_api_key: "eO58wEYK/2HThAV+5jgv7Or/qW3zJknBQF0FJt5Xo4kSZ9YH2/CJgfNUwKbGwlbzmihG9dVsSmmS40szOuvRVZJO0vPga98sJNI32AJdWaYX8oCNFouI0lYG+r9Y4vahrS7+FVwntyfkjETotqBDvoQ5HjGjvW0wviPagW/alNbI5pvpWwBHtgz9D83Y8DSvCvO64G4xhyIYZPSML11EqWUO8prYT8LfdD4n2oBp0QJ3cXKdvJAUc4w5LKbTASb8x8UTpVU3JH3Wnwe79PKftJ8YdxOtb5jjzXeOEEM2GD8xz4pbB7scCx5oJCWQLF1js6a2uFLENBgW+ztHRf1j2Q=="
#datasaker_api_key: "1VL7/mhddWkQaS/vf/VjjwjnwaUhtZnLL++ih9LxYSB7HVkPpZw1Duy/4gxLN/73Vga00bD79mVd6N4dP0BVxmGqLnR6xItnSLlO3M6LmOMuM8bLaBuxxOvxST3lxpvtI0B2ilyjqTLh5y+NJWFV7Awq4zpqnPnTZ5dryp3yc4zc3C7Vxu0f2CL7/oGT0LRj/1l7gchuUxw2TVDLFFRylb+cFt6/NNylBxIb1wKGILd7N6NGgnsdRcrv4ZvTEPusrDqxO3IRYF6z9ZNbkQ1BPeDINtVFTgwhqFZjxg6erd8oqscB9n1DHOi6+tJ8VSHi2w5hYxHq93EV4cxBfzXAug=="
datasaker_agents: ["dsk-node-agent","dsk-log-agent"]
#datasaker_docker_agents: ["dsk-docker-log-agent"]
#postgres_user_name: jhjung
#postgres_user_password: 1q2w3e4r
#postgres_database_address: 0.0.0.0
#postgres_database_port: 5432
#plan_postgres_user_name: jhjung
#plan_postgres_user_password: 1q2w3e4r
#plan_postgres_database_address: 0.0.0.0
#plan_postgres_database_port: 5432
#plan_postgres_database_name: test
datagate_trace_url: 10.10.43.111
datagate_trace_port: 31300
datagate_trace_timeout: 5s
datagate_manifest_url: 10.10.43.111
datagate_manifest_port: 31301
datagate_manifest_timeout: 5s
datagate_metric_url: 10.10.43.111
datagate_metric_port: 31302
datagate_metric_timeout: 5s
datagate_plan_url: 10.10.43.111
datagate_plan_port: 31303
datagate_plan_timeout: 5s
datagate_loggate_url: 10.10.43.111
datagate_loggate_port: 31304
datagate_loggate_timeout: 5s
datasaker_api_url: 10.10.43.111:31501
datasaker_api_send_interval: 1m
#uninstall: True
#datasaker_clean: True
logs:
- collect:
type: file
file:
paths: ["/var/log/*.log","/datasaker/log/*.log","/var/log/secure"]

645
ansible/00_old/get-docker.sh Normal file
View File

@@ -0,0 +1,645 @@
#!/bin/sh
set -e
# Docker CE for Linux installation script
#
# See https://docs.docker.com/engine/install/ for the installation steps.
#
# This script is meant for quick & easy install via:
# $ curl -fsSL https://get.docker.com -o get-docker.sh
# $ sh get-docker.sh
#
# For test builds (ie. release candidates):
# $ curl -fsSL https://test.docker.com -o test-docker.sh
# $ sh test-docker.sh
#
# NOTE: Make sure to verify the contents of the script
# you downloaded matches the contents of install.sh
# located at https://github.com/docker/docker-install
# before executing.
#
# Git commit from https://github.com/docker/docker-install when
# the script was uploaded (Should only be modified by upload job):
SCRIPT_COMMIT_SHA="66474034547a96caa0a25be56051ff8b726a1b28"
# strip "v" prefix if present
VERSION="${VERSION#v}"
# The channel to install from:
# * nightly
# * test
# * stable
# * edge (deprecated)
DEFAULT_CHANNEL_VALUE="stable"
if [ -z "$CHANNEL" ]; then
CHANNEL=$DEFAULT_CHANNEL_VALUE
fi
DEFAULT_DOWNLOAD_URL="https://download.docker.com"
if [ -z "$DOWNLOAD_URL" ]; then
DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL
fi
DEFAULT_REPO_FILE="docker-ce.repo"
if [ -z "$REPO_FILE" ]; then
REPO_FILE="$DEFAULT_REPO_FILE"
fi
mirror=''
DRY_RUN=${DRY_RUN:-}
while [ $# -gt 0 ]; do
case "$1" in
--mirror)
mirror="$2"
shift
;;
--dry-run)
DRY_RUN=1
;;
--*)
echo "Illegal option $1"
;;
esac
shift $(( $# > 0 ? 1 : 0 ))
done
case "$mirror" in
Aliyun)
DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
;;
AzureChinaCloud)
DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
;;
esac
command_exists() {
command -v "$@" > /dev/null 2>&1
}
# version_gte checks if the version specified in $VERSION is at least
# the given CalVer (YY.MM) version. returns 0 (success) if $VERSION is either
# unset (=latest) or newer or equal than the specified version. Returns 1 (fail)
# otherwise.
#
# examples:
#
# VERSION=20.10
# version_gte 20.10 // 0 (success)
# version_gte 19.03 // 0 (success)
# version_gte 21.10 // 1 (fail)
version_gte() {
if [ -z "$VERSION" ]; then
return 0
fi
eval calver_compare "$VERSION" "$1"
}
# calver_compare compares two CalVer (YY.MM) version strings. returns 0 (success)
# if version A is newer or equal than version B, or 1 (fail) otherwise. Patch
# releases and pre-release (-alpha/-beta) are not taken into account
#
# examples:
#
# calver_compare 20.10 19.03 // 0 (success)
# calver_compare 20.10 20.10 // 0 (success)
# calver_compare 19.03 20.10 // 1 (fail)
calver_compare() (
set +x
yy_a="$(echo "$1" | cut -d'.' -f1)"
yy_b="$(echo "$2" | cut -d'.' -f1)"
if [ "$yy_a" -lt "$yy_b" ]; then
return 1
fi
if [ "$yy_a" -gt "$yy_b" ]; then
return 0
fi
mm_a="$(echo "$1" | cut -d'.' -f2)"
mm_b="$(echo "$2" | cut -d'.' -f2)"
if [ "${mm_a#0}" -lt "${mm_b#0}" ]; then
return 1
fi
return 0
)
is_dry_run() {
if [ -z "$DRY_RUN" ]; then
return 1
else
return 0
fi
}
is_wsl() {
case "$(uname -r)" in
*microsoft* ) true ;; # WSL 2
*Microsoft* ) true ;; # WSL 1
* ) false;;
esac
}
is_darwin() {
case "$(uname -s)" in
*darwin* ) true ;;
*Darwin* ) true ;;
* ) false;;
esac
}
deprecation_notice() {
distro=$1
distro_version=$2
echo
printf "\033[91;1mDEPRECATION WARNING\033[0m\n"
printf " This Linux distribution (\033[1m%s %s\033[0m) reached end-of-life and is no longer supported by this script.\n" "$distro" "$distro_version"
echo " No updates or security fixes will be released for this distribution, and users are recommended"
echo " to upgrade to a currently maintained version of $distro."
echo
printf "Press \033[1mCtrl+C\033[0m now to abort this script, or wait for the installation to continue."
echo
sleep 10
}
get_distribution() {
lsb_dist=""
# Every system that we officially support has /etc/os-release
if [ -r /etc/os-release ]; then
lsb_dist="$(. /etc/os-release && echo "$ID")"
fi
# Returning an empty string here should be alright since the
# case statements don't act unless you provide an actual value
echo "$lsb_dist"
}
echo_docker_as_nonroot() {
if is_dry_run; then
return
fi
if command_exists docker && [ -e /var/run/docker.sock ]; then
(
set -x
$sh_c 'docker version'
) || true
fi
# intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
echo
echo "================================================================================"
echo
if version_gte "20.10"; then
echo "To run Docker as a non-privileged user, consider setting up the"
echo "Docker daemon in rootless mode for your user:"
echo
echo " dockerd-rootless-setuptool.sh install"
echo
echo "Visit https://docs.docker.com/go/rootless/ to learn about rootless mode."
echo
fi
echo
echo "To run the Docker daemon as a fully privileged service, but granting non-root"
echo "users access, refer to https://docs.docker.com/go/daemon-access/"
echo
echo "WARNING: Access to the remote API on a privileged Docker daemon is equivalent"
echo " to root access on the host. Refer to the 'Docker daemon attack surface'"
echo " documentation for details: https://docs.docker.com/go/attack-surface/"
echo
echo "================================================================================"
echo
}
# Check if this is a forked Linux distro
check_forked() {
# Check for lsb_release command existence, it usually exists in forked distros
if command_exists lsb_release; then
# Check if the `-u` option is supported
set +e
lsb_release -a -u > /dev/null 2>&1
lsb_release_exit_code=$?
set -e
# Check if the command has exited successfully, it means we're in a forked distro
if [ "$lsb_release_exit_code" = "0" ]; then
# Print info about current distro
cat <<-EOF
You're using '$lsb_dist' version '$dist_version'.
EOF
# Get the upstream release info
lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
# Print info about upstream distro
cat <<-EOF
Upstream release is '$lsb_dist' version '$dist_version'.
EOF
else
if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
if [ "$lsb_dist" = "osmc" ]; then
# OSMC runs Raspbian
lsb_dist=raspbian
else
# We're Debian and don't even know it!
lsb_dist=debian
fi
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
11)
dist_version="bullseye"
;;
10)
dist_version="buster"
;;
9)
dist_version="stretch"
;;
8)
dist_version="jessie"
;;
esac
fi
fi
fi
}
do_install() {
echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
if command_exists docker; then
cat >&2 <<-'EOF'
Warning: the "docker" command appears to already exist on this system.
If you already have Docker installed, this script can cause trouble, which is
why we're displaying this warning and provide the opportunity to cancel the
installation.
If you installed the current Docker package using this script and are using it
again to update Docker, you can safely ignore this message.
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 20 )
fi
user="$(id -un 2>/dev/null || true)"
sh_c='sh -c'
if [ "$user" != 'root' ]; then
if command_exists sudo; then
sh_c='sudo -E sh -c'
elif command_exists su; then
sh_c='su -c'
else
cat >&2 <<-'EOF'
Error: this installer needs the ability to run commands as root.
We are unable to find either "sudo" or "su" available to make this happen.
EOF
exit 1
fi
fi
if is_dry_run; then
sh_c="echo"
fi
# perform some very rudimentary platform detection
lsb_dist=$( get_distribution )
lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
if is_wsl; then
echo
echo "WSL DETECTED: We recommend using Docker Desktop for Windows."
echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
echo
cat >&2 <<-'EOF'
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 20 )
fi
case "$lsb_dist" in
ubuntu)
if command_exists lsb_release; then
dist_version="$(lsb_release --codename | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
fi
;;
debian|raspbian)
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
11)
dist_version="bullseye"
;;
10)
dist_version="buster"
;;
9)
dist_version="stretch"
;;
8)
dist_version="jessie"
;;
esac
;;
centos|rhel|sles)
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
*)
if command_exists lsb_release; then
dist_version="$(lsb_release --release | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
esac
# Check if this is a forked Linux distro
check_forked
# Print deprecation warnings for distro versions that recently reached EOL,
# but may still be commonly used (especially LTS versions).
case "$lsb_dist.$dist_version" in
debian.stretch|debian.jessie)
deprecation_notice "$lsb_dist" "$dist_version"
;;
raspbian.stretch|raspbian.jessie)
deprecation_notice "$lsb_dist" "$dist_version"
;;
ubuntu.xenial|ubuntu.trusty)
deprecation_notice "$lsb_dist" "$dist_version"
;;
fedora.*)
if [ "$dist_version" -lt 33 ]; then
deprecation_notice "$lsb_dist" "$dist_version"
fi
;;
esac
# Run setup for each distro accordingly
case "$lsb_dist" in
ubuntu|debian|raspbian)
pre_reqs="apt-transport-https ca-certificates curl"
if ! command -v gpg > /dev/null; then
pre_reqs="$pre_reqs gnupg"
fi
apt_repo="deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
(
if ! is_dry_run; then
set -x
fi
$sh_c 'apt-get update -qq >/dev/null'
$sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null"
$sh_c 'mkdir -p /etc/apt/keyrings && chmod -R 0755 /etc/apt/keyrings'
$sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg"
$sh_c "chmod a+r /etc/apt/keyrings/docker.gpg"
$sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
$sh_c 'apt-get update -qq >/dev/null'
)
pkg_version=""
if [ -n "$VERSION" ]; then
if is_dry_run; then
echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
else
# Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel
pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g")"
search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
pkg_version="$($sh_c "$search_command")"
echo "INFO: Searching repository for VERSION '$VERSION'"
echo "INFO: $search_command"
if [ -z "$pkg_version" ]; then
echo
echo "ERROR: '$VERSION' not found amongst apt-cache madison results"
echo
exit 1
fi
if version_gte "18.09"; then
search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
echo "INFO: $search_command"
cli_pkg_version="=$($sh_c "$search_command")"
fi
pkg_version="=$pkg_version"
fi
fi
(
pkgs="docker-ce${pkg_version%=}"
if version_gte "18.09"; then
# older versions didn't ship the cli and containerd as separate packages
pkgs="$pkgs docker-ce-cli${cli_pkg_version%=} containerd.io"
fi
if version_gte "20.10" && [ "$(uname -m)" = "x86_64" ]; then
# also install the latest version of the "docker scan" cli-plugin (only supported on x86 currently)
pkgs="$pkgs docker-scan-plugin"
fi
if version_gte "20.10"; then
pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version"
fi
if version_gte "23.0"; then
pkgs="$pkgs docker-buildx-plugin"
fi
if ! is_dry_run; then
set -x
fi
$sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pkgs >/dev/null"
)
echo_docker_as_nonroot
exit 0
;;
centos|fedora|rhel)
if [ "$(uname -m)" != "s390x" ] && [ "$lsb_dist" = "rhel" ]; then
echo "Packages for RHEL are currently only available for s390x."
exit 1
fi
if [ "$lsb_dist" = "fedora" ]; then
pkg_manager="dnf"
config_manager="dnf config-manager"
enable_channel_flag="--set-enabled"
disable_channel_flag="--set-disabled"
pre_reqs="dnf-plugins-core"
pkg_suffix="fc$dist_version"
else
pkg_manager="yum"
config_manager="yum-config-manager"
enable_channel_flag="--enable"
disable_channel_flag="--disable"
pre_reqs="yum-utils"
pkg_suffix="el"
fi
repo_file_url="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
(
if ! is_dry_run; then
set -x
fi
$sh_c "$pkg_manager install -y -q $pre_reqs"
$sh_c "$config_manager --add-repo $repo_file_url"
if [ "$CHANNEL" != "stable" ]; then
$sh_c "$config_manager $disable_channel_flag docker-ce-*"
$sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL"
fi
$sh_c "$pkg_manager makecache"
)
pkg_version=""
if [ -n "$VERSION" ]; then
if is_dry_run; then
echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
else
pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix"
search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
pkg_version="$($sh_c "$search_command")"
echo "INFO: Searching repository for VERSION '$VERSION'"
echo "INFO: $search_command"
if [ -z "$pkg_version" ]; then
echo
echo "ERROR: '$VERSION' not found amongst $pkg_manager list results"
echo
exit 1
fi
if version_gte "18.09"; then
# older versions don't support a cli package
search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)"
fi
# Cut out the epoch and prefix with a '-'
pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)"
fi
fi
(
pkgs="docker-ce$pkg_version"
if version_gte "18.09"; then
# older versions didn't ship the cli and containerd as separate packages
if [ -n "$cli_pkg_version" ]; then
pkgs="$pkgs docker-ce-cli-$cli_pkg_version containerd.io"
else
pkgs="$pkgs docker-ce-cli containerd.io"
fi
fi
if version_gte "20.10" && [ "$(uname -m)" = "x86_64" ]; then
# also install the latest version of the "docker scan" cli-plugin (only supported on x86 currently)
pkgs="$pkgs docker-scan-plugin"
fi
if version_gte "20.10"; then
pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version"
fi
if version_gte "23.0"; then
pkgs="$pkgs docker-buildx-plugin"
fi
if ! is_dry_run; then
set -x
fi
$sh_c "$pkg_manager install -y -q $pkgs"
)
echo_docker_as_nonroot
exit 0
;;
sles)
if [ "$(uname -m)" != "s390x" ]; then
echo "Packages for SLES are currently only available for s390x"
exit 1
fi
if [ "$dist_version" = "15.3" ]; then
sles_version="SLE_15_SP3"
else
sles_minor_version="${dist_version##*.}"
sles_version="15.$sles_minor_version"
fi
opensuse_repo="https://download.opensuse.org/repositories/security:SELinux/$sles_version/security:SELinux.repo"
repo_file_url="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
pre_reqs="ca-certificates curl libseccomp2 awk"
(
if ! is_dry_run; then
set -x
fi
$sh_c "zypper install -y $pre_reqs"
$sh_c "zypper addrepo $repo_file_url"
if ! is_dry_run; then
cat >&2 <<-'EOF'
WARNING!!
openSUSE repository (https://download.opensuse.org/repositories/security:SELinux) will be enabled now.
Do you wish to continue?
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 30 )
fi
$sh_c "zypper addrepo $opensuse_repo"
$sh_c "zypper --gpg-auto-import-keys refresh"
$sh_c "zypper lr -d"
)
pkg_version=""
if [ -n "$VERSION" ]; then
if is_dry_run; then
echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
else
pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g")"
search_command="zypper search -s --match-exact 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$6}'"
pkg_version="$($sh_c "$search_command")"
echo "INFO: Searching repository for VERSION '$VERSION'"
echo "INFO: $search_command"
if [ -z "$pkg_version" ]; then
echo
echo "ERROR: '$VERSION' not found amongst zypper list results"
echo
exit 1
fi
search_command="zypper search -s --match-exact 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$6}'"
# It's okay for cli_pkg_version to be blank, since older versions don't support a cli package
cli_pkg_version="$($sh_c "$search_command")"
pkg_version="-$pkg_version"
fi
fi
(
pkgs="docker-ce$pkg_version"
if version_gte "18.09"; then
if [ -n "$cli_pkg_version" ]; then
# older versions didn't ship the cli and containerd as separate packages
pkgs="$pkgs docker-ce-cli-$cli_pkg_version containerd.io"
else
pkgs="$pkgs docker-ce-cli containerd.io"
fi
fi
if version_gte "20.10"; then
pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version"
fi
if version_gte "23.0"; then
pkgs="$pkgs docker-buildx-plugin"
fi
if ! is_dry_run; then
set -x
fi
$sh_c "zypper -q install -y $pkgs"
)
echo_docker_as_nonroot
exit 0
;;
*)
if [ -z "$lsb_dist" ]; then
if is_darwin; then
echo
echo "ERROR: Unsupported operating system 'macOS'"
echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
echo
exit 1
fi
fi
echo
echo "ERROR: Unsupported distribution '$lsb_dist'"
echo
exit 1
;;
esac
exit 1
}
# wrapped up in a function so that we have some protection against only getting
# half the file during "curl | sh"
do_install

18
ansible/00_old/health_check.yml Normal file
View File

@@ -0,0 +1,18 @@
---
- name: Check the health of all servers
hosts: all
tasks:
- name: Check if server is reachable
ping:
register: result
ignore_errors: true
- name: Print result
debug:
var: result
when: result is defined
- name: Print error message
debug:
msg: "Server {{ inventory_hostname }} could not be reached."
when: result.ping is undefined

995
ansible/00_old/install-centos-node.sh Normal file
View File

@@ -0,0 +1,995 @@
#!/bin/bash
set -euo pipefail
SCRIPT_NAME="teleport-installer"
# default values
ALIVE_CHECK_DELAY=3
CONNECTIVITY_TEST_METHOD=""
COPY_COMMAND="cp"
DISTRO_TYPE=""
IGNORE_CONNECTIVITY_CHECK="${TELEPORT_IGNORE_CONNECTIVITY_CHECK:-false}"
LAUNCHD_CONFIG_PATH="/Library/LaunchDaemons"
LOG_FILENAME="$(mktemp -t ${SCRIPT_NAME}.log.XXXXXXXXXX)"
MACOS_STDERR_LOG="/var/log/teleport-stderr.log"
MACOS_STDOUT_LOG="/var/log/teleport-stdout.log"
SYSTEMD_UNIT_PATH="/lib/systemd/system/teleport.service"
TARGET_PORT_DEFAULT=443
TELEPORT_ARCHIVE_PATH='teleport'
TELEPORT_BINARY_DIR="/usr/local/bin"
TELEPORT_BINARY_LIST="teleport tctl tsh"
TELEPORT_CONFIG_PATH="/etc/teleport.yaml"
TELEPORT_DATA_DIR="/var/lib/teleport"
TELEPORT_DOCS_URL="https://goteleport.com/docs/"
TELEPORT_FORMAT=""
# initialise variables (because set -u disallows unbound variables)
f=""
l=""
DISABLE_TLS_VERIFICATION=false
NODENAME=$(hostname)
IGNORE_CHECKS=false
OVERRIDE_FORMAT=""
QUIET=false
APP_INSTALL_DECISION=""
INTERACTIVE=false
# the default value of each variable is a templatable Go value so that it can
# optionally be replaced by the server before the script is served up
TELEPORT_VERSION='13.3.4'
TELEPORT_PACKAGE_NAME='teleport'
REPO_CHANNEL=''
TARGET_HOSTNAME='teleport.access.datasaker.io'
TARGET_PORT='443'
JOIN_TOKEN='d5bef76d6d1d2038dbf96a221e429d5e'
JOIN_METHOD=''
JOIN_METHOD_FLAG=""
[ -n "$JOIN_METHOD" ] && JOIN_METHOD_FLAG="--join-method ${JOIN_METHOD}"
# inject labels into the configuration
LABELS='teleport.internal/resource-id=9182aa69-a343-4111-a587-1efe5b1daa1c'
LABELS_FLAG=()
[ -n "$LABELS" ] && LABELS_FLAG=(--labels "${LABELS}")
# When all stanza generators have been updated to use the new
# `teleport <service> configure` commands CA_PIN_HASHES can be removed along
# with the script passing it in in `join_tokens.go`.
CA_PIN_HASHES='sha256:941164dbcfedbe05de067f5ce14d4c4e6a0523c070f0bdb3959b01ba452b15f8'
CA_PINS='sha256:941164dbcfedbe05de067f5ce14d4c4e6a0523c070f0bdb3959b01ba452b15f8'
ARG_CA_PIN_HASHES=""
APP_INSTALL_MODE='false'
APP_NAME=''
APP_URI=''
DB_INSTALL_MODE='false'
# usage message
# shellcheck disable=SC2086
usage() { echo "Usage: $(basename $0) [-v teleport_version] [-h target_hostname] [-p target_port] [-j join_token] [-c ca_pin_hash]... [-q] [-l log_filename] [-a app_name] [-u app_uri] " 1>&2; exit 1; }
while getopts ":v:h:p:j:c:f:ql:ika:u:" o; do
case "${o}" in
v) TELEPORT_VERSION=${OPTARG};;
h) TARGET_HOSTNAME=${OPTARG};;
p) TARGET_PORT=${OPTARG};;
j) JOIN_TOKEN=${OPTARG};;
c) ARG_CA_PIN_HASHES="${ARG_CA_PIN_HASHES} ${OPTARG}";;
f) f=${OPTARG}; if [[ ${f} != "tarball" && ${f} != "deb" && ${f} != "rpm" ]]; then usage; fi;;
q) QUIET=true;;
l) l=${OPTARG};;
i) IGNORE_CHECKS=true; COPY_COMMAND="cp -f";;
k) DISABLE_TLS_VERIFICATION=true;;
a) APP_INSTALL_MODE=true && APP_NAME=${OPTARG};;
u) APP_INSTALL_MODE=true && APP_URI=${OPTARG};;
*) usage;;
esac
done
shift $((OPTIND-1))
if [[ "${ARG_CA_PIN_HASHES}" != "" ]]; then
CA_PIN_HASHES="${ARG_CA_PIN_HASHES}"
fi
# function to construct a go template variable
# go's template parser is a bit finicky, so we dynamically build the value one character at a time
construct_go_template() {
OUTPUT="{"
OUTPUT+="{"
OUTPUT+="."
OUTPUT+="${1}"
OUTPUT+="}"
OUTPUT+="}"
echo "${OUTPUT}"
}
# check whether we are root, exit if not
assert_running_as_root() {
if ! [ "$(id -u)" = 0 ]; then
echo "This script must be run as root." 1>&2
exit 1
fi
}
# function to check whether variables are either blank or set to the default go template value
# (because they haven't been set by the go script generator or a command line argument)
# returns 1 if the variable is set to a default/zero value
# returns 0 otherwise (i.e. it needs to be set interactively)
check_variable() {
VARIABLE_VALUE="${!1}"
GO_TEMPLATE_NAME=$(construct_go_template "${2}")
if [[ "${VARIABLE_VALUE}" == "" ]] || [[ "${VARIABLE_VALUE}" == "${GO_TEMPLATE_NAME}" ]]; then
return 1
fi
return 0
}
# function to check whether a provided value is "truthy" i.e. it looks like you're trying to say "yes"
is_truthy() {
declare -a TRUTHY_VALUES
TRUTHY_VALUES=("y" "Y" "yes" "YES" "ye" "YE" "yep" "YEP" "ya" "YA")
CHECK_VALUE="$1"
for ARRAY_VALUE in "${TRUTHY_VALUES[@]}"; do [[ "${CHECK_VALUE}" == "${ARRAY_VALUE}" ]] && return 0; done
return 1
}
# function to read input until the value you get is non-empty
read_nonblank_input() {
INPUT=""
VARIABLE_TO_ASSIGN="$1"
shift
PROMPT="$*"
until [[ "${INPUT}" != "" ]]; do
echo -n "${PROMPT}"
read -r INPUT
done
printf -v "${VARIABLE_TO_ASSIGN}" '%s' "${INPUT}"
}
# error if we're not root
assert_running_as_root
# set/read values interactively if not provided
# users will be prompted to enter their own value if all the following are true:
# - the current value is blank, or equal to the default Go template value
# - the value has not been provided by command line argument
! check_variable TELEPORT_VERSION version && INTERACTIVE=true && read_nonblank_input TELEPORT_VERSION "Enter Teleport version to install (without v): "
! check_variable TARGET_HOSTNAME hostname && INTERACTIVE=true && read_nonblank_input TARGET_HOSTNAME "Enter target hostname to connect to: "
! check_variable TARGET_PORT port && INTERACTIVE=true && { echo -n "Enter target port to connect to [${TARGET_PORT_DEFAULT}]: "; read -r TARGET_PORT; }
! check_variable JOIN_TOKEN token && INTERACTIVE=true && read_nonblank_input JOIN_TOKEN "Enter Teleport join token as provided: "
! check_variable CA_PIN_HASHES caPins && INTERACTIVE=true && read_nonblank_input CA_PIN_HASHES "Enter CA pin hash (separate multiple hashes with spaces): "
[ -n "${f}" ] && OVERRIDE_FORMAT=${f}
[ -n "${l}" ] && LOG_FILENAME=${l}
# if app service mode is not set (or is the default value) and we are running interactively (i.e. the user has provided some input already),
# prompt the user to choose whether to enable app_service
if [[ "${INTERACTIVE}" == "true" ]]; then
if ! check_variable APP_INSTALL_MODE appInstallMode; then
APP_INSTALL_MODE="false"
echo -n "Would you like to enable and configure Teleport's app_service, to use Teleport as a reverse proxy for a web application? [y/n, default: n] "
read -r APP_INSTALL_DECISION
if is_truthy "${APP_INSTALL_DECISION}"; then
APP_INSTALL_MODE="true"
fi
fi
fi
# prompt for extra needed values if we're running in app service mode
if [[ "${APP_INSTALL_MODE}" == "true" ]]; then
! check_variable APP_NAME appName && read_nonblank_input APP_NAME "Enter app name to install (must be DNS-compatible; less than 63 characters, no spaces, only - or _ as punctuation): "
! check_variable APP_URI appURI && read_nonblank_input APP_URI "Enter app URI (the host running the Teleport app service must be able to connect to this): "
# generate app public addr by concatenating values
APP_PUBLIC_ADDR="${APP_NAME}.${TARGET_HOSTNAME}"
fi
# set default target port if value not provided
if [[ "${TARGET_PORT}" == "" ]]; then
TARGET_PORT=${TARGET_PORT_DEFAULT}
fi
# clear log file if provided
if [[ "${LOG_FILENAME}" != "" ]]; then
if [ -f "${LOG_FILENAME}" ]; then
echo -n "" > "${LOG_FILENAME}"
fi
fi
# log functions
log_date() { echo -n "$(date '+%Y-%m-%d %H:%M:%S %Z')"; }
log() {
LOG_LINE="$(log_date) [${SCRIPT_NAME}] $*"
if [[ ${QUIET} != "true" ]]; then
echo "${LOG_LINE}"
fi
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
# writes a line with no timestamp or starting data, always prints
log_only() {
LOG_LINE="$*"
echo "${LOG_LINE}"
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
# writes a line by itself as a header
log_header() {
LOG_LINE="$*"
echo ""
echo "${LOG_LINE}"
echo ""
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
# important log lines, print even when -q (quiet) is passed
log_important() {
LOG_LINE="$(log_date) [${SCRIPT_NAME}] ---> $*"
echo "${LOG_LINE}"
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
log_cleanup_message() {
log_only "This script does not overwrite any existing settings or Teleport installations."
log_only "Please clean up by running any of the following steps as necessary:"
log_only "- stop any running Teleport processes"
log_only " - pkill -f teleport"
log_only "- remove any data under ${TELEPORT_DATA_DIR}, along with the directory itself"
log_only " - rm -rf ${TELEPORT_DATA_DIR}"
log_only "- remove any configuration at ${TELEPORT_CONFIG_PATH}"
log_only " - rm -f ${TELEPORT_CONFIG_PATH}"
log_only "- remove any Teleport binaries (${TELEPORT_BINARY_LIST}) installed under ${TELEPORT_BINARY_DIR}"
for BINARY in ${TELEPORT_BINARY_LIST}; do EXAMPLE_DELETE_COMMAND+="${TELEPORT_BINARY_DIR}/${BINARY} "; done
log_only " - rm -f ${EXAMPLE_DELETE_COMMAND}"
log_only "Run this installer again when done."
log_only
}
# other functions
# check whether a named program exists
check_exists() { NAME=$1; if type "${NAME}" >/dev/null 2>&1; then return 0; else return 1; fi; }
# checks for the existence of a list of named binaries and exits with error if any of them don't exist
check_exists_fatal() {
for TOOL in "$@"; do
if ! check_exists "${TOOL}"; then
log_important "Error: cannot find ${TOOL} - it needs to be installed"
exit 1
fi
done
}
# check connectivity to the given host/port and make a request to see if Teleport is listening
# uses the global variable CONNECTIVITY_TEST_METHOD to return the name of the checker, as return
# values aren't really a thing that exists in bash
check_connectivity() {
HOST=$1
PORT=$2
# check with nc
if check_exists nc; then
CONNECTIVITY_TEST_METHOD="nc"
if nc -z -w3 "${HOST}" "${PORT}" >/dev/null 2>&1; then return 0; else return 1; fi
# if there's no nc, check with telnet
elif check_exists telnet; then
CONNECTIVITY_TEST_METHOD="telnet"
if echo -e '\x1dclose\x0d' | telnet "${HOST}" "${PORT}" >/dev/null 2>&1; then return 0; else return 1; fi
# if there's no nc or telnet, try and use /dev/tcp
elif [ -f /dev/tcp ]; then
CONNECTIVITY_TEST_METHOD="/dev/tcp"
if (head -1 < "/dev/tcp/${HOST}/${PORT}") >/dev/null 2>&1; then return 0; else return 1; fi
else
return 255
fi
}
# check whether a teleport DEB is already installed and exit with error if so
check_deb_not_already_installed() {
check_exists_fatal dpkg awk
DEB_INSTALLED=$(dpkg -l | awk '{print $2}' | grep -E ^teleport || true)
if [[ ${DEB_INSTALLED} != "" ]]; then
log_important "It looks like there is already a Teleport DEB package installed (name: ${DEB_INSTALLED})."
log_important "You will need to remove that package before using this script."
exit 1
fi
}
# check whether a teleport RPM is already installed and exit with error if so
check_rpm_not_already_installed() {
check_exists_fatal rpm
RPM_INSTALLED=$(rpm -qa | grep -E ^teleport || true)
if [[ ${RPM_INSTALLED} != "" ]]; then
log_important "It looks like there is already a Teleport RPM package installed (name: ${RPM_INSTALLED})."
log_important "You will need to remove that package before using this script."
exit 1
fi
}
# function to check if given variable is set
check_set() {
CHECK_KEY=${1} || true
CHECK_VALUE=${!1} || true
if [[ "${CHECK_VALUE}" == "" ]]; then
log "Required variable ${CHECK_KEY} is not set"
exit 1
else
log "${CHECK_KEY}: ${CHECK_VALUE}"
fi
}
# checks that teleport binary can be found in path and runs 'teleport version'
check_teleport_binary() {
FOUND_TELEPORT_VERSION=$(${TELEPORT_BINARY_DIR}/teleport version)
if [[ "${FOUND_TELEPORT_VERSION}" == "" ]]; then
log "Cannot find Teleport binary"
return 1
else
log "Found: ${FOUND_TELEPORT_VERSION}";
return 0
fi
}
# wrapper to download with curl
download() {
URL=$1
OUTPUT_PATH=$2
CURL_COMMAND="curl -fsSL --retry 5 --retry-delay 5"
# optionally allow disabling of TLS verification (can be useful on older distros
# which often have an out-of-date set of CA certificate bundle which won't validate)
if [[ ${DISABLE_TLS_VERIFICATION} == "true" ]]; then
CURL_COMMAND+=" -k"
fi
log "Running ${CURL_COMMAND} ${URL}"
log "Downloading to ${OUTPUT_PATH}"
# handle errors with curl
if ! ${CURL_COMMAND} -o "${OUTPUT_PATH}" "${URL}"; then
log_important "curl error downloading ${URL}"
log "On an older OS, this may be related to the CA certificate bundle being too old."
log "You can pass the hidden -k flag to this script to disable TLS verification - this is not recommended!"
exit 1
fi
# check that the file has a non-zero size as an extra validation
check_exists_fatal wc xargs
FILE_SIZE="$(wc -c <"${OUTPUT_PATH}" | xargs)"
if [ "${FILE_SIZE}" -eq 0 ]; then
log_important "The downloaded file has a size of 0 bytes, which means an error occurred. Cannot continue."
exit 1
else
log "Downloaded file size: ${FILE_SIZE} bytes"
fi
# if we have a hashing utility installed, also download and validate the checksum
SHA_COMMAND=""
# shasum is installed by default on MacOS and some distros
if check_exists shasum; then
SHA_COMMAND="shasum -a 256"
# sha256sum is installed by default in some other distros
elif check_exists sha256sum; then
SHA_COMMAND="sha256sum"
fi
if [[ "${SHA_COMMAND}" != "" ]]; then
log "Will use ${SHA_COMMAND} to validate the checksum of the downloaded file"
SHA_URL="${URL}.sha256"
SHA_PATH="${OUTPUT_PATH}.sha256"
${CURL_COMMAND} -o "${SHA_PATH}" "${SHA_URL}"
if ${SHA_COMMAND} --status -c "${SHA_PATH}"; then
log "The downloaded file's checksum validated correctly"
else
SHA_EXPECTED=$(cat "${SHA_PATH}")
SHA_ACTUAL=$(${SHA_COMMAND} "${OUTPUT_PATH}")
if check_exists awk; then
SHA_EXPECTED=$(echo "${SHA_EXPECTED}" | awk '{print $1}')
SHA_ACTUAL=$(echo "${SHA_ACTUAL}" | awk '{print $1}')
fi
log_important "Checksum of the downloaded file did not validate correctly"
log_important "Expected: ${SHA_EXPECTED}"
log_important "Got: ${SHA_ACTUAL}"
log_important "Try rerunning this script from the start. If the issue persists, contact Teleport support."
exit 1
fi
else
log "shasum/sha256sum utilities not found, will skip checksum validation"
fi
}
# gets the filename from a full path (https://target.site/path/to/file.tar.gz -> file.tar.gz)
get_download_filename() { echo "${1##*/}"; }
# gets the pid of any running teleport process (and converts newlines to spaces)
get_teleport_pid() {
check_exists_fatal pgrep xargs
pgrep teleport | xargs echo
}
# returns a command which will start teleport using the config
get_teleport_start_command() {
echo "${TELEPORT_BINARY_DIR}/teleport start --config=${TELEPORT_CONFIG_PATH}"
}
# installs the teleport-provided launchd config
install_launchd_config() {
log "Installing Teleport launchd config to ${LAUNCHD_CONFIG_PATH}"
${COPY_COMMAND} ./${TELEPORT_ARCHIVE_PATH}/examples/launchd/com.goteleport.teleport.plist ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist
}
# installs the teleport-provided systemd unit
install_systemd_unit() {
log "Installing Teleport systemd unit to ${SYSTEMD_UNIT_PATH}"
${COPY_COMMAND} ./${TELEPORT_ARCHIVE_PATH}/examples/systemd/teleport.service ${SYSTEMD_UNIT_PATH}
log "Reloading unit files (systemctl daemon-reload)"
systemctl daemon-reload
}
# formats the arguments as a yaml list
get_yaml_list() {
name="${1}"
list="${2}"
indentation="${3}"
echo "${indentation}${name}:"
for item in ${list}; do
echo "${indentation}- ${item}"
done
}
# installs the provided teleport config (for app service)
install_teleport_app_config() {
log "Writing Teleport app service config to ${TELEPORT_CONFIG_PATH}"
CA_PINS_CONFIG=$(get_yaml_list "ca_pin" "${CA_PIN_HASHES}" " ")
cat << EOF > ${TELEPORT_CONFIG_PATH}
version: v3
teleport:
nodename: ${NODENAME}
auth_token: ${JOIN_TOKEN}
${CA_PINS_CONFIG}
proxy_server: ${TARGET_HOSTNAME}:${TARGET_PORT}
log:
output: stderr
severity: INFO
auth_service:
enabled: no
ssh_service:
enabled: no
proxy_service:
enabled: no
app_service:
enabled: yes
apps:
- name: "${APP_NAME}"
uri: "${APP_URI}"
public_addr: ${APP_PUBLIC_ADDR}
EOF
}
# installs the provided teleport config (for database service)
install_teleport_database_config() {
log "Writing Teleport database service config to ${TELEPORT_CONFIG_PATH}"
CA_PINS_CONFIG=$(get_yaml_list "ca_pin" "${CA_PIN_HASHES}" " ")
# This file is processed by `shellschek` as part of the lint step
# It detects an issue because of un-set variables - $index and $line. This check is called SC2154.
# However, that's not an issue, because those variables are replaced when we run go's text/template engine over it.
# When executing the script, those are no long variables but actual values.
# shellcheck disable=SC2154
cat << EOF > ${TELEPORT_CONFIG_PATH}
version: v3
teleport:
nodename: ${NODENAME}
auth_token: ${JOIN_TOKEN}
${CA_PINS_CONFIG}
proxy_server: ${TARGET_HOSTNAME}:${TARGET_PORT}
log:
output: stderr
severity: INFO
auth_service:
enabled: no
ssh_service:
enabled: no
proxy_service:
enabled: no
db_service:
enabled: "yes"
resources:
- labels:
EOF
}
# installs the provided teleport config (for node service)
install_teleport_node_config() {
log "Writing Teleport node service config to ${TELEPORT_CONFIG_PATH}"
${TELEPORT_BINARY_DIR}/teleport node configure \
--token ${JOIN_TOKEN} \
${JOIN_METHOD_FLAG} \
--ca-pin ${CA_PINS} \
--proxy ${TARGET_HOSTNAME}:${TARGET_PORT} \
"${LABELS_FLAG[@]}" \
--output ${TELEPORT_CONFIG_PATH}
}
# checks whether the given host is running MacOS
is_macos_host() { if [[ ${OSTYPE} == "darwin"* ]]; then return 0; else return 1; fi }
# checks whether teleport is already running on the host
is_running_teleport() {
check_exists_fatal pgrep
TELEPORT_PID=$(get_teleport_pid)
if [[ "${TELEPORT_PID}" != "" ]]; then return 0; else return 1; fi
}
# checks whether the given host is running systemd as its init system
is_using_systemd() { if [ -d /run/systemd/system ]; then return 0; else return 1; fi }
# prints a warning if the host isn't running systemd
no_systemd_warning() {
log_important "This host is not running systemd, so Teleport cannot be started automatically when it exits."
log_important "Please investigate an alternative way to keep Teleport running."
log_important "You can find information in our documentation: ${TELEPORT_DOCS_URL}"
log_important "For now, Teleport will be started in the foreground - you can press Ctrl+C to exit."
log_only
log_only "Run this command to start Teleport in future:"
log_only "$(get_teleport_start_command)"
log_only
log_only "------------------------------------------------------------------------"
log_only "| IMPORTANT: TELEPORT WILL STOP RUNNING AFTER YOU CLOSE THIS TERMINAL! |"
log_only "| YOU MUST CONFIGURE A SERVICE MANAGER TO MAKE IT RUN ON STARTUP! |"
log_only "------------------------------------------------------------------------"
log_only
}
# print a message giving the name of the node and a link to the docs
# gives some debugging instructions if the service didn't start successfully
print_welcome_message() {
log_only ""
if is_running_teleport; then
log_only "Teleport has been started."
log_only ""
if is_using_systemd; then
log_only "View its status with 'sudo systemctl status teleport.service'"
log_only "View Teleport logs using 'sudo journalctl -u teleport.service'"
log_only "To stop Teleport, run 'sudo systemctl stop teleport.service'"
log_only "To start Teleport again if you stop it, run 'sudo systemctl start teleport.service'"
elif is_macos_host; then
log_only "View Teleport logs in '${MACOS_STDERR_LOG}' and '${MACOS_STDOUT_LOG}'"
log_only "To stop Teleport, run 'sudo launchctl unload ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist'"
log_only "To start Teleport again if you stop it, run 'sudo launchctl load ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist'"
fi
log_only ""
log_only "You can see this node connected in the Teleport web UI or 'tsh ls' with the name '${NODENAME}'"
log_only "Find more details on how to use Teleport here: https://goteleport.com/docs/user-manual/"
else
log_important "The Teleport service was installed, but it does not appear to have started successfully."
if is_using_systemd; then
log_important "Check the Teleport service's status with 'systemctl status teleport.service'"
log_important "View Teleport logs with 'journalctl -u teleport.service'"
elif is_macos_host; then
log_important "Check Teleport logs in '${MACOS_STDERR_LOG}' and '${MACOS_STDOUT_LOG}'"
fi
log_important "Contact Teleport support for further assistance."
fi
log_only ""
}
# start teleport in foreground (when there's no systemd)
start_teleport_foreground() {
log "Starting Teleport in the foreground"
# shellcheck disable=SC2091
$(get_teleport_start_command)
}
# start teleport via launchd (after installing config)
start_teleport_launchd() {
log "Starting Teleport via launchctl. It will automatically be started whenever the system reboots."
launchctl load ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist
sleep ${ALIVE_CHECK_DELAY}
}
# start teleport via systemd (after installing unit)
start_teleport_systemd() {
log "Starting Teleport via systemd. It will automatically be started whenever the system reboots."
systemctl enable teleport.service
systemctl start teleport.service
sleep ${ALIVE_CHECK_DELAY}
}
# checks whether teleport binaries exist on the host
teleport_binaries_exist() {
for BINARY_NAME in teleport tctl tsh; do
if [ -f ${TELEPORT_BINARY_DIR}/${BINARY_NAME} ]; then return 0; else return 1; fi
done
}
# checks whether a teleport config exists on the host
teleport_config_exists() { if [ -f ${TELEPORT_CONFIG_PATH} ]; then return 0; else return 1; fi; }
# checks whether a teleport data dir exists on the host
teleport_datadir_exists() { if [ -d ${TELEPORT_DATA_DIR} ]; then return 0; else return 1; fi; }
# error out if any required values are not set
check_set TELEPORT_VERSION
check_set TARGET_HOSTNAME
check_set TARGET_PORT
check_set JOIN_TOKEN
check_set CA_PIN_HASHES
if [[ "${APP_INSTALL_MODE}" == "true" ]]; then
check_set APP_NAME
check_set APP_URI
check_set APP_PUBLIC_ADDR
fi
###
# main script starts here
###
# check connectivity to teleport server/port
if [[ "${IGNORE_CONNECTIVITY_CHECK}" == "true" ]]; then
log "TELEPORT_IGNORE_CONNECTIVITY_CHECK=true, not running connectivity check"
else
log "Checking TCP connectivity to Teleport server (${TARGET_HOSTNAME}:${TARGET_PORT})"
if ! check_connectivity "${TARGET_HOSTNAME}" "${TARGET_PORT}"; then
# if we don't have a connectivity test method assigned, we know we couldn't run the test
if [[ ${CONNECTIVITY_TEST_METHOD} == "" ]]; then
log "Couldn't find nc, telnet or /dev/tcp to do a connection test"
log "Going to blindly continue without testing connectivity"
else
log_important "Couldn't open a connection to the Teleport server (${TARGET_HOSTNAME}:${TARGET_PORT}) via ${CONNECTIVITY_TEST_METHOD}"
log_important "This issue will need to be fixed before the script can continue."
log_important "If you think this is an error, add 'export TELEPORT_IGNORE_CONNECTIVITY_CHECK=true && ' before the curl command which runs the script."
exit 1
fi
else
log "Connectivity to Teleport server (via ${CONNECTIVITY_TEST_METHOD}) looks good"
fi
fi
# use OSTYPE variable to figure out host type/arch
if [[ "${OSTYPE}" == "linux-gnu"* ]]; then
# linux host, now detect arch
TELEPORT_BINARY_TYPE="linux"
ARCH=$(uname -m)
log "Detected host: ${OSTYPE}, using Teleport binary type ${TELEPORT_BINARY_TYPE}"
if [[ ${ARCH} == "armv7l" ]]; then
TELEPORT_ARCH="arm"
elif [[ ${ARCH} == "aarch64" ]]; then
TELEPORT_ARCH="arm64"
elif [[ ${ARCH} == "x86_64" ]]; then
TELEPORT_ARCH="amd64"
elif [[ ${ARCH} == "i686" ]]; then
TELEPORT_ARCH="386"
else
log_important "Error: cannot detect architecture from uname -m: ${ARCH}"
exit 1
fi
log "Detected arch: ${ARCH}, using Teleport arch ${TELEPORT_ARCH}"
# if the download format is already set, we have no need to detect distro
if [[ ${TELEPORT_FORMAT} == "" ]]; then
# detect distro
# if /etc/os-release doesn't exist, we need to use some other logic
if [ ! -f /etc/os-release ]; then
if [ -f /etc/centos-release ]; then
if grep -q 'CentOS release 6' /etc/centos-release; then
log_important "Detected host type: CentOS 6 [$(cat /etc/centos-release)]"
log_important "Teleport will not work on CentOS 6 -based servers due to the glibc version being too low."
exit 1
fi
elif [ -f /etc/redhat-release ]; then
if grep -q 'Red Hat Enterprise Linux Server release 5' /etc/redhat-release; then
log_important "Detected host type: RHEL5 [$(cat /etc/redhat-release)]"
log_important "Teleport will not work on RHEL5-based servers due to the glibc version being too low."
exit 1
elif grep -q 'Red Hat Enterprise Linux Server release 6' /etc/redhat-release; then
log_important "Detected host type: RHEL6 [$(cat /etc/redhat-release)]"
log_important "Teleport will not work on RHEL6-based servers due to the glibc version being too low."
exit 1
fi
fi
# use ID_LIKE value from /etc/os-release (if set)
# this is 'debian' on ubuntu/raspbian, 'centos rhel fedora' on amazon linux etc
else
check_exists_fatal cut
DISTRO_TYPE=$(grep ID_LIKE /etc/os-release | cut -d= -f2) || true
if [[ ${DISTRO_TYPE} == "" ]]; then
# use exact ID value from /etc/os-release if ID_LIKE is not set
DISTRO_TYPE=$(grep -w ID /etc/os-release | cut -d= -f2)
fi
if [[ ${DISTRO_TYPE} =~ "debian" ]]; then
TELEPORT_FORMAT="deb"
elif [[ "$DISTRO_TYPE" =~ "amzn"* ]] || [[ ${DISTRO_TYPE} =~ "centos"* ]] || [[ ${DISTRO_TYPE} =~ "rhel" ]] || [[ ${DISTRO_TYPE} =~ "fedora"* ]]; then
TELEPORT_FORMAT="rpm"
else
log "Couldn't match a distro type using /etc/os-release, falling back to tarball installer"
TELEPORT_FORMAT="tarball"
fi
fi
log "Detected distro type: ${DISTRO_TYPE}"
#suse, also identified as sles, uses a different path for its systemd then other distro types like ubuntu
if [[ ${DISTRO_TYPE} =~ "suse"* ]] || [[ ${DISTRO_TYPE} =~ "sles"* ]]; then
SYSTEMD_UNIT_PATH="/etc/systemd/system/teleport.service"
fi
fi
elif [[ "${OSTYPE}" == "darwin"* ]]; then
# macos host, now detect arch
TELEPORT_BINARY_TYPE="darwin"
ARCH=$(uname -m)
log "Detected host: ${OSTYPE}, using Teleport binary type ${TELEPORT_BINARY_TYPE}"
if [[ ${ARCH} == "arm64" ]]; then
TELEPORT_ARCH="arm64"
elif [[ ${ARCH} == "x86_64" ]]; then
TELEPORT_ARCH="amd64"
else
log_important "Error: unsupported architecture from uname -m: ${ARCH}"
exit 1
fi
log "Detected MacOS ${ARCH} architecture, using Teleport arch ${TELEPORT_ARCH}"
TELEPORT_FORMAT="tarball"
else
log_important "Error - unsupported platform: ${OSTYPE}"
exit 1
fi
log "Using Teleport distribution: ${TELEPORT_FORMAT}"
# create temporary directory and exit cleanup logic
TEMP_DIR=$(mktemp -d -t teleport-XXXXXXXXXX)
log "Created temp dir ${TEMP_DIR}"
pushd "${TEMP_DIR}" >/dev/null 2>&1
finish() {
popd >/dev/null 2>&1
rm -rf "${TEMP_DIR}"
}
trap finish EXIT
# optional format override (mostly for testing)
if [[ ${OVERRIDE_FORMAT} != "" ]]; then
TELEPORT_FORMAT="${OVERRIDE_FORMAT}"
log "Overriding TELEPORT_FORMAT to ${OVERRIDE_FORMAT}"
fi
# check whether teleport is running already
# if it is, we exit gracefully with an error
if is_running_teleport; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
TELEPORT_PID=$(get_teleport_pid)
log_header "Warning: Teleport appears to already be running on this host (pid: ${TELEPORT_PID})"
log_cleanup_message
exit 1
else
log "Ignoring is_running_teleport as requested"
fi
fi
# check for existing config file
if teleport_config_exists; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
log_header "Warning: There is already a Teleport config file present at ${TELEPORT_CONFIG_PATH}."
log_cleanup_message
exit 1
else
log "Ignoring teleport_config_exists as requested"
fi
fi
# check for existing data directory
if teleport_datadir_exists; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
log_header "Warning: Found existing Teleport data directory (${TELEPORT_DATA_DIR})."
log_cleanup_message
exit 1
else
log "Ignoring teleport_datadir_exists as requested"
fi
fi
# check for existing binaries
if teleport_binaries_exist; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
log_header "Warning: Found existing Teleport binaries under ${TELEPORT_BINARY_DIR}."
log_cleanup_message
exit 1
else
log "Ignoring teleport_binaries_exist as requested"
fi
fi
install_from_file() {
# select correct URL/installation method based on distro
if [[ ${TELEPORT_FORMAT} == "tarball" ]]; then
URL="https://get.gravitational.com/${TELEPORT_PACKAGE_NAME}-v${TELEPORT_VERSION}-${TELEPORT_BINARY_TYPE}-${TELEPORT_ARCH}-bin.tar.gz"
# check that needed tools are installed
check_exists_fatal curl tar
# download tarball
log "Downloading Teleport ${TELEPORT_FORMAT} release ${TELEPORT_VERSION}"
DOWNLOAD_FILENAME=$(get_download_filename "${URL}")
download "${URL}" "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# extract tarball
tar -xzf "${TEMP_DIR}/${DOWNLOAD_FILENAME}" -C "${TEMP_DIR}"
# install binaries to /usr/local/bin
for BINARY in ${TELEPORT_BINARY_LIST}; do
${COPY_COMMAND} "${TELEPORT_ARCHIVE_PATH}/${BINARY}" "${TELEPORT_BINARY_DIR}/"
done
elif [[ ${TELEPORT_FORMAT} == "deb" ]]; then
# convert teleport arch to deb arch
if [[ ${TELEPORT_ARCH} == "amd64" ]]; then
DEB_ARCH="amd64"
elif [[ ${TELEPORT_ARCH} == "386" ]]; then
DEB_ARCH="i386"
elif [[ ${TELEPORT_ARCH} == "arm" ]]; then
DEB_ARCH="arm"
elif [[ ${TELEPORT_ARCH} == "arm64" ]]; then
DEB_ARCH="arm64"
fi
URL="https://get.gravitational.com/${TELEPORT_PACKAGE_NAME}_${TELEPORT_VERSION}_${DEB_ARCH}.deb"
check_deb_not_already_installed
# check that needed tools are installed
check_exists_fatal curl dpkg
# download deb and register cleanup operation
log "Downloading Teleport ${TELEPORT_FORMAT} release ${TELEPORT_VERSION}"
DOWNLOAD_FILENAME=$(get_download_filename "${URL}")
download "${URL}" "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# install deb
log "Using dpkg to install ${TEMP_DIR}/${DOWNLOAD_FILENAME}"
dpkg -i "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
elif [[ ${TELEPORT_FORMAT} == "rpm" ]]; then
# convert teleport arch to rpm arch
if [[ ${TELEPORT_ARCH} == "amd64" ]]; then
RPM_ARCH="x86_64"
elif [[ ${TELEPORT_ARCH} == "386" ]]; then
RPM_ARCH="i386"
elif [[ ${TELEPORT_ARCH} == "arm" ]]; then
RPM_ARCH="arm"
elif [[ ${TELEPORT_ARCH} == "arm64" ]]; then
RPM_ARCH="arm64"
fi
URL="https://get.gravitational.com/${TELEPORT_PACKAGE_NAME}-${TELEPORT_VERSION}-1.${RPM_ARCH}.rpm"
check_rpm_not_already_installed
# check for package managers
if check_exists dnf; then
log "Found 'dnf' package manager, using it"
PACKAGE_MANAGER_COMMAND="dnf -y install"
elif check_exists yum; then
log "Found 'yum' package manager, using it"
PACKAGE_MANAGER_COMMAND="yum -y localinstall"
else
PACKAGE_MANAGER_COMMAND=""
log "Cannot find 'yum' or 'dnf' package manager commands, will try installing the rpm manually instead"
fi
# check that needed tools are installed
check_exists_fatal curl
log "Downloading Teleport ${TELEPORT_FORMAT} release ${TELEPORT_VERSION}"
DOWNLOAD_FILENAME=$(get_download_filename "${URL}")
download "${URL}" "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# install with package manager if available
if [[ ${PACKAGE_MANAGER_COMMAND} != "" ]]; then
log "Installing Teleport release from ${TEMP_DIR}/${DOWNLOAD_FILENAME} using ${PACKAGE_MANAGER_COMMAND}"
# install rpm with package manager
${PACKAGE_MANAGER_COMMAND} "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# use rpm if we couldn't find a package manager
else
# install RPM (in upgrade mode)
log "Using rpm to install ${TEMP_DIR}/${DOWNLOAD_FILENAME}"
rpm -Uvh "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
fi
else
log_important "Can't figure out what Teleport format to use"
exit 1
fi
}
install_from_repo() {
if [[ "${REPO_CHANNEL}" == "" ]]; then
# By default, use the current version's channel.
REPO_CHANNEL=stable/v"${TELEPORT_VERSION//.*/}"
fi
# Populate $ID, $VERSION_ID, $VERSION_CODENAME and other env vars identifying the OS.
# shellcheck disable=SC1091
. /etc/os-release
PACKAGE_LIST=$(package_list)
if [ "$ID" == "debian" ] || [ "$ID" == "ubuntu" ]; then
# old versions of ubuntu require that keys get added by `apt-key add`, without
# adding the key apt shows a key signing error when installing teleport.
if [[
($ID == "ubuntu" && $VERSION_ID == "16.04") || \
($ID == "debian" && $VERSION_ID == "9" )
]]; then
apt install apt-transport-https gnupg -y
curl -fsSL https://apt.releases.teleport.dev/gpg | apt-key add -
echo "deb https://apt.releases.teleport.dev/${ID} ${VERSION_CODENAME} ${REPO_CHANNEL}" > /etc/apt/sources.list.d/teleport.list
else
curl -fsSL https://apt.releases.teleport.dev/gpg \
-o /usr/share/keyrings/teleport-archive-keyring.asc
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
https://apt.releases.teleport.dev/${ID} ${VERSION_CODENAME} ${REPO_CHANNEL}" > /etc/apt/sources.list.d/teleport.list
fi
apt-get update
apt-get install -y ${PACKAGE_LIST}
elif [ "$ID" = "amzn" ] || [ "$ID" = "rhel" ] || [ "$ID" = "centos" ] ; then
if [ "$ID" = "rhel" ]; then
VERSION_ID="${VERSION_ID//.*/}" # convert version numbers like '7.2' to only include the major version
fi
yum install -y yum-utils
yum-config-manager --add-repo \
"$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/${REPO_CHANNEL}/teleport.repo")"
# Remove metadata cache to prevent cache from other channel (eg, prior version)
# See: https://github.com/gravitational/teleport/issues/22581
yum --disablerepo="*" --enablerepo="teleport" clean metadata
yum install -y ${PACKAGE_LIST}
else
echo "Unsupported distro: $ID"
exit 1
fi
}
# package_list returns the list of packages to install.
# The list of packages can be fed into yum or apt because they already have the expected format when pinning versions.
package_list() {
TELEPORT_PACKAGE_PIN_VERSION=${TELEPORT_PACKAGE_NAME}
TELEPORT_UPDATER_PIN_VERSION="${TELEPORT_PACKAGE_NAME}-updater"
if [[ "${TELEPORT_FORMAT}" == "deb" ]]; then
TELEPORT_PACKAGE_PIN_VERSION+="=${TELEPORT_VERSION}"
TELEPORT_UPDATER_PIN_VERSION+="=${TELEPORT_VERSION}"
elif [[ "${TELEPORT_FORMAT}" == "rpm" ]]; then
TELEPORT_YUM_VERSION="${TELEPORT_VERSION//-/_}"
TELEPORT_PACKAGE_PIN_VERSION+="-${TELEPORT_YUM_VERSION}"
TELEPORT_UPDATER_PIN_VERSION+="-${TELEPORT_YUM_VERSION}"
fi
PACKAGE_LIST=${TELEPORT_PACKAGE_PIN_VERSION}
# (warning): This expression is constant. Did you forget the $ on a variable?
# Disabling the warning above because expression is templated.
# shellcheck disable=SC2050
if is_using_systemd && [[ "false" == "true" ]]; then
# Teleport Updater requires systemd.
PACKAGE_LIST+=" ${TELEPORT_UPDATER_PIN_VERSION}"
fi
echo ${PACKAGE_LIST}
}
is_repo_available() {
if [[ "${OSTYPE}" != "linux-gnu" ]]; then
return 1
fi
# Populate $ID, $VERSION_ID and other env vars identifying the OS.
# shellcheck disable=SC1091
. /etc/os-release
# The following distros+version have a Teleport repository to install from.
case "${ID}-${VERSION_ID}" in
ubuntu-16.04* | ubuntu-18.04* | ubuntu-20.04* | ubuntu-22.04* | \
debian-9* | debian-10* | debian-11* | \
rhel-7* | rhel-8* | rhel-9* | \
centos-7* | centos-8* | centos-9* | \
amzn-2 | amzn-2023)
return 0;;
esac
return 1
}
if is_repo_available; then
log "Installing repo for distro $ID."
install_from_repo
else
log "Installing from binary file."
install_from_file
fi
# check that teleport binary can be found and runs
if ! check_teleport_binary; then
log_important "The Teleport binary could not be found at ${TELEPORT_BINARY_DIR} as expected."
log_important "This usually means that there was an error during installation."
log_important "Check this log for obvious signs of error and contact Teleport support"
log_important "for further assistance."
exit 1
fi
# install teleport config
# check the mode and write the appropriate config type
if [[ "${APP_INSTALL_MODE}" == "true" ]]; then
install_teleport_app_config
elif [[ "${DB_INSTALL_MODE}" == "true" ]]; then
install_teleport_database_config
else
install_teleport_node_config
fi
# Used to track whether a Teleport agent was installed using this method.
export TELEPORT_INSTALL_METHOD_NODE_SCRIPT="true"
# install systemd unit if applicable (linux hosts)
if is_using_systemd; then
log "Host is using systemd"
# we only need to manually install the systemd config if teleport was installed via tarball
# all other packages will deploy it automatically
if [[ ${TELEPORT_FORMAT} == "tarball" ]]; then
install_systemd_unit
fi
start_teleport_systemd
print_welcome_message
# install launchd config on MacOS hosts
elif is_macos_host; then
log "Host is running MacOS"
install_launchd_config
start_teleport_launchd
print_welcome_message
# not a MacOS host and no systemd available, print a warning
# and temporarily start Teleport in the foreground
else
log "Host does not appear to be using systemd"
no_systemd_warning
start_teleport_foreground
fi

995
ansible/00_old/install-node-ubuntu.sh Normal file
View File

@@ -0,0 +1,995 @@
#!/bin/bash
set -euo pipefail
SCRIPT_NAME="teleport-installer"
# default values
ALIVE_CHECK_DELAY=3
CONNECTIVITY_TEST_METHOD=""
COPY_COMMAND="cp"
DISTRO_TYPE=""
IGNORE_CONNECTIVITY_CHECK="${TELEPORT_IGNORE_CONNECTIVITY_CHECK:-false}"
LAUNCHD_CONFIG_PATH="/Library/LaunchDaemons"
LOG_FILENAME="$(mktemp -t ${SCRIPT_NAME}.log.XXXXXXXXXX)"
MACOS_STDERR_LOG="/var/log/teleport-stderr.log"
MACOS_STDOUT_LOG="/var/log/teleport-stdout.log"
SYSTEMD_UNIT_PATH="/lib/systemd/system/teleport.service"
TARGET_PORT_DEFAULT=443
TELEPORT_ARCHIVE_PATH='teleport'
TELEPORT_BINARY_DIR="/usr/local/bin"
TELEPORT_BINARY_LIST="teleport tctl tsh"
TELEPORT_CONFIG_PATH="/etc/teleport.yaml"
TELEPORT_DATA_DIR="/var/lib/teleport"
TELEPORT_DOCS_URL="https://goteleport.com/docs/"
TELEPORT_FORMAT=""
# initialise variables (because set -u disallows unbound variables)
f=""
l=""
DISABLE_TLS_VERIFICATION=false
NODENAME=$(hostname)
IGNORE_CHECKS=false
OVERRIDE_FORMAT=""
QUIET=false
APP_INSTALL_DECISION=""
INTERACTIVE=false
# the default value of each variable is a templatable Go value so that it can
# optionally be replaced by the server before the script is served up
TELEPORT_VERSION='13.3.4'
TELEPORT_PACKAGE_NAME='teleport'
REPO_CHANNEL=''
TARGET_HOSTNAME='teleport.access.datasaker.io'
TARGET_PORT='443'
JOIN_TOKEN='b0a997e4c3c200b8152a3f3025548189'
JOIN_METHOD=''
JOIN_METHOD_FLAG=""
[ -n "$JOIN_METHOD" ] && JOIN_METHOD_FLAG="--join-method ${JOIN_METHOD}"
# inject labels into the configuration
LABELS='teleport.internal/resource-id=89a1a61b-54f4-4e42-94d9-7ab2b1c1c847'
LABELS_FLAG=()
[ -n "$LABELS" ] && LABELS_FLAG=(--labels "${LABELS}")
# When all stanza generators have been updated to use the new
# `teleport <service> configure` commands CA_PIN_HASHES can be removed along
# with the script passing it in in `join_tokens.go`.
CA_PIN_HASHES='sha256:941164dbcfedbe05de067f5ce14d4c4e6a0523c070f0bdb3959b01ba452b15f8'
CA_PINS='sha256:941164dbcfedbe05de067f5ce14d4c4e6a0523c070f0bdb3959b01ba452b15f8'
ARG_CA_PIN_HASHES=""
APP_INSTALL_MODE='false'
APP_NAME=''
APP_URI=''
DB_INSTALL_MODE='false'
# usage message
# shellcheck disable=SC2086
usage() { echo "Usage: $(basename $0) [-v teleport_version] [-h target_hostname] [-p target_port] [-j join_token] [-c ca_pin_hash]... [-q] [-l log_filename] [-a app_name] [-u app_uri] " 1>&2; exit 1; }
while getopts ":v:h:p:j:c:f:ql:ika:u:" o; do
case "${o}" in
v) TELEPORT_VERSION=${OPTARG};;
h) TARGET_HOSTNAME=${OPTARG};;
p) TARGET_PORT=${OPTARG};;
j) JOIN_TOKEN=${OPTARG};;
c) ARG_CA_PIN_HASHES="${ARG_CA_PIN_HASHES} ${OPTARG}";;
f) f=${OPTARG}; if [[ ${f} != "tarball" && ${f} != "deb" && ${f} != "rpm" ]]; then usage; fi;;
q) QUIET=true;;
l) l=${OPTARG};;
i) IGNORE_CHECKS=true; COPY_COMMAND="cp -f";;
k) DISABLE_TLS_VERIFICATION=true;;
a) APP_INSTALL_MODE=true && APP_NAME=${OPTARG};;
u) APP_INSTALL_MODE=true && APP_URI=${OPTARG};;
*) usage;;
esac
done
shift $((OPTIND-1))
if [[ "${ARG_CA_PIN_HASHES}" != "" ]]; then
CA_PIN_HASHES="${ARG_CA_PIN_HASHES}"
fi
# function to construct a go template variable
# go's template parser is a bit finicky, so we dynamically build the value one character at a time
construct_go_template() {
OUTPUT="{"
OUTPUT+="{"
OUTPUT+="."
OUTPUT+="${1}"
OUTPUT+="}"
OUTPUT+="}"
echo "${OUTPUT}"
}
# check whether we are root, exit if not
assert_running_as_root() {
if ! [ "$(id -u)" = 0 ]; then
echo "This script must be run as root." 1>&2
exit 1
fi
}
# function to check whether variables are either blank or set to the default go template value
# (because they haven't been set by the go script generator or a command line argument)
# returns 1 if the variable is set to a default/zero value
# returns 0 otherwise (i.e. it needs to be set interactively)
check_variable() {
VARIABLE_VALUE="${!1}"
GO_TEMPLATE_NAME=$(construct_go_template "${2}")
if [[ "${VARIABLE_VALUE}" == "" ]] || [[ "${VARIABLE_VALUE}" == "${GO_TEMPLATE_NAME}" ]]; then
return 1
fi
return 0
}
# function to check whether a provided value is "truthy" i.e. it looks like you're trying to say "yes"
is_truthy() {
declare -a TRUTHY_VALUES
TRUTHY_VALUES=("y" "Y" "yes" "YES" "ye" "YE" "yep" "YEP" "ya" "YA")
CHECK_VALUE="$1"
for ARRAY_VALUE in "${TRUTHY_VALUES[@]}"; do [[ "${CHECK_VALUE}" == "${ARRAY_VALUE}" ]] && return 0; done
return 1
}
# function to read input until the value you get is non-empty
read_nonblank_input() {
INPUT=""
VARIABLE_TO_ASSIGN="$1"
shift
PROMPT="$*"
until [[ "${INPUT}" != "" ]]; do
echo -n "${PROMPT}"
read -r INPUT
done
printf -v "${VARIABLE_TO_ASSIGN}" '%s' "${INPUT}"
}
# error if we're not root
assert_running_as_root
# set/read values interactively if not provided
# users will be prompted to enter their own value if all the following are true:
# - the current value is blank, or equal to the default Go template value
# - the value has not been provided by command line argument
! check_variable TELEPORT_VERSION version && INTERACTIVE=true && read_nonblank_input TELEPORT_VERSION "Enter Teleport version to install (without v): "
! check_variable TARGET_HOSTNAME hostname && INTERACTIVE=true && read_nonblank_input TARGET_HOSTNAME "Enter target hostname to connect to: "
! check_variable TARGET_PORT port && INTERACTIVE=true && { echo -n "Enter target port to connect to [${TARGET_PORT_DEFAULT}]: "; read -r TARGET_PORT; }
! check_variable JOIN_TOKEN token && INTERACTIVE=true && read_nonblank_input JOIN_TOKEN "Enter Teleport join token as provided: "
! check_variable CA_PIN_HASHES caPins && INTERACTIVE=true && read_nonblank_input CA_PIN_HASHES "Enter CA pin hash (separate multiple hashes with spaces): "
[ -n "${f}" ] && OVERRIDE_FORMAT=${f}
[ -n "${l}" ] && LOG_FILENAME=${l}
# if app service mode is not set (or is the default value) and we are running interactively (i.e. the user has provided some input already),
# prompt the user to choose whether to enable app_service
if [[ "${INTERACTIVE}" == "true" ]]; then
if ! check_variable APP_INSTALL_MODE appInstallMode; then
APP_INSTALL_MODE="false"
echo -n "Would you like to enable and configure Teleport's app_service, to use Teleport as a reverse proxy for a web application? [y/n, default: n] "
read -r APP_INSTALL_DECISION
if is_truthy "${APP_INSTALL_DECISION}"; then
APP_INSTALL_MODE="true"
fi
fi
fi
# prompt for extra needed values if we're running in app service mode
if [[ "${APP_INSTALL_MODE}" == "true" ]]; then
! check_variable APP_NAME appName && read_nonblank_input APP_NAME "Enter app name to install (must be DNS-compatible; less than 63 characters, no spaces, only - or _ as punctuation): "
! check_variable APP_URI appURI && read_nonblank_input APP_URI "Enter app URI (the host running the Teleport app service must be able to connect to this): "
# generate app public addr by concatenating values
APP_PUBLIC_ADDR="${APP_NAME}.${TARGET_HOSTNAME}"
fi
# set default target port if value not provided
if [[ "${TARGET_PORT}" == "" ]]; then
TARGET_PORT=${TARGET_PORT_DEFAULT}
fi
# clear log file if provided
if [[ "${LOG_FILENAME}" != "" ]]; then
if [ -f "${LOG_FILENAME}" ]; then
echo -n "" > "${LOG_FILENAME}"
fi
fi
# log functions
log_date() { echo -n "$(date '+%Y-%m-%d %H:%M:%S %Z')"; }
log() {
LOG_LINE="$(log_date) [${SCRIPT_NAME}] $*"
if [[ ${QUIET} != "true" ]]; then
echo "${LOG_LINE}"
fi
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
# writes a line with no timestamp or starting data, always prints
log_only() {
LOG_LINE="$*"
echo "${LOG_LINE}"
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
# writes a line by itself as a header
log_header() {
LOG_LINE="$*"
echo ""
echo "${LOG_LINE}"
echo ""
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
# important log lines, print even when -q (quiet) is passed
log_important() {
LOG_LINE="$(log_date) [${SCRIPT_NAME}] ---> $*"
echo "${LOG_LINE}"
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
log_cleanup_message() {
log_only "This script does not overwrite any existing settings or Teleport installations."
log_only "Please clean up by running any of the following steps as necessary:"
log_only "- stop any running Teleport processes"
log_only " - pkill -f teleport"
log_only "- remove any data under ${TELEPORT_DATA_DIR}, along with the directory itself"
log_only " - rm -rf ${TELEPORT_DATA_DIR}"
log_only "- remove any configuration at ${TELEPORT_CONFIG_PATH}"
log_only " - rm -f ${TELEPORT_CONFIG_PATH}"
log_only "- remove any Teleport binaries (${TELEPORT_BINARY_LIST}) installed under ${TELEPORT_BINARY_DIR}"
for BINARY in ${TELEPORT_BINARY_LIST}; do EXAMPLE_DELETE_COMMAND+="${TELEPORT_BINARY_DIR}/${BINARY} "; done
log_only " - rm -f ${EXAMPLE_DELETE_COMMAND}"
log_only "Run this installer again when done."
log_only
}
# other functions
# check whether a named program exists
check_exists() { NAME=$1; if type "${NAME}" >/dev/null 2>&1; then return 0; else return 1; fi; }
# checks for the existence of a list of named binaries and exits with error if any of them don't exist
check_exists_fatal() {
for TOOL in "$@"; do
if ! check_exists "${TOOL}"; then
log_important "Error: cannot find ${TOOL} - it needs to be installed"
exit 1
fi
done
}
# check connectivity to the given host/port and make a request to see if Teleport is listening
# uses the global variable CONNECTIVITY_TEST_METHOD to return the name of the checker, as return
# values aren't really a thing that exists in bash
check_connectivity() {
HOST=$1
PORT=$2
# check with nc
if check_exists nc; then
CONNECTIVITY_TEST_METHOD="nc"
if nc -z -w3 "${HOST}" "${PORT}" >/dev/null 2>&1; then return 0; else return 1; fi
# if there's no nc, check with telnet
elif check_exists telnet; then
CONNECTIVITY_TEST_METHOD="telnet"
if echo -e '\x1dclose\x0d' | telnet "${HOST}" "${PORT}" >/dev/null 2>&1; then return 0; else return 1; fi
# if there's no nc or telnet, try and use /dev/tcp
elif [ -f /dev/tcp ]; then
CONNECTIVITY_TEST_METHOD="/dev/tcp"
if (head -1 < "/dev/tcp/${HOST}/${PORT}") >/dev/null 2>&1; then return 0; else return 1; fi
else
return 255
fi
}
# check whether a teleport DEB is already installed and exit with error if so
check_deb_not_already_installed() {
check_exists_fatal dpkg awk
DEB_INSTALLED=$(dpkg -l | awk '{print $2}' | grep -E ^teleport || true)
if [[ ${DEB_INSTALLED} != "" ]]; then
log_important "It looks like there is already a Teleport DEB package installed (name: ${DEB_INSTALLED})."
log_important "You will need to remove that package before using this script."
exit 1
fi
}
# check whether a teleport RPM is already installed and exit with error if so
check_rpm_not_already_installed() {
check_exists_fatal rpm
RPM_INSTALLED=$(rpm -qa | grep -E ^teleport || true)
if [[ ${RPM_INSTALLED} != "" ]]; then
log_important "It looks like there is already a Teleport RPM package installed (name: ${RPM_INSTALLED})."
log_important "You will need to remove that package before using this script."
exit 1
fi
}
# function to check if given variable is set
check_set() {
CHECK_KEY=${1} || true
CHECK_VALUE=${!1} || true
if [[ "${CHECK_VALUE}" == "" ]]; then
log "Required variable ${CHECK_KEY} is not set"
exit 1
else
log "${CHECK_KEY}: ${CHECK_VALUE}"
fi
}
# checks that teleport binary can be found in path and runs 'teleport version'
check_teleport_binary() {
FOUND_TELEPORT_VERSION=$(${TELEPORT_BINARY_DIR}/teleport version)
if [[ "${FOUND_TELEPORT_VERSION}" == "" ]]; then
log "Cannot find Teleport binary"
return 1
else
log "Found: ${FOUND_TELEPORT_VERSION}";
return 0
fi
}
# wrapper to download with curl
download() {
URL=$1
OUTPUT_PATH=$2
CURL_COMMAND="curl -fsSL --retry 5 --retry-delay 5"
# optionally allow disabling of TLS verification (can be useful on older distros
# which often have an out-of-date set of CA certificate bundle which won't validate)
if [[ ${DISABLE_TLS_VERIFICATION} == "true" ]]; then
CURL_COMMAND+=" -k"
fi
log "Running ${CURL_COMMAND} ${URL}"
log "Downloading to ${OUTPUT_PATH}"
# handle errors with curl
if ! ${CURL_COMMAND} -o "${OUTPUT_PATH}" "${URL}"; then
log_important "curl error downloading ${URL}"
log "On an older OS, this may be related to the CA certificate bundle being too old."
log "You can pass the hidden -k flag to this script to disable TLS verification - this is not recommended!"
exit 1
fi
# check that the file has a non-zero size as an extra validation
check_exists_fatal wc xargs
FILE_SIZE="$(wc -c <"${OUTPUT_PATH}" | xargs)"
if [ "${FILE_SIZE}" -eq 0 ]; then
log_important "The downloaded file has a size of 0 bytes, which means an error occurred. Cannot continue."
exit 1
else
log "Downloaded file size: ${FILE_SIZE} bytes"
fi
# if we have a hashing utility installed, also download and validate the checksum
SHA_COMMAND=""
# shasum is installed by default on MacOS and some distros
if check_exists shasum; then
SHA_COMMAND="shasum -a 256"
# sha256sum is installed by default in some other distros
elif check_exists sha256sum; then
SHA_COMMAND="sha256sum"
fi
if [[ "${SHA_COMMAND}" != "" ]]; then
log "Will use ${SHA_COMMAND} to validate the checksum of the downloaded file"
SHA_URL="${URL}.sha256"
SHA_PATH="${OUTPUT_PATH}.sha256"
${CURL_COMMAND} -o "${SHA_PATH}" "${SHA_URL}"
if ${SHA_COMMAND} --status -c "${SHA_PATH}"; then
log "The downloaded file's checksum validated correctly"
else
SHA_EXPECTED=$(cat "${SHA_PATH}")
SHA_ACTUAL=$(${SHA_COMMAND} "${OUTPUT_PATH}")
if check_exists awk; then
SHA_EXPECTED=$(echo "${SHA_EXPECTED}" | awk '{print $1}')
SHA_ACTUAL=$(echo "${SHA_ACTUAL}" | awk '{print $1}')
fi
log_important "Checksum of the downloaded file did not validate correctly"
log_important "Expected: ${SHA_EXPECTED}"
log_important "Got: ${SHA_ACTUAL}"
log_important "Try rerunning this script from the start. If the issue persists, contact Teleport support."
exit 1
fi
else
log "shasum/sha256sum utilities not found, will skip checksum validation"
fi
}
# gets the filename from a full path (https://target.site/path/to/file.tar.gz -> file.tar.gz)
get_download_filename() { echo "${1##*/}"; }
# gets the pid of any running teleport process (and converts newlines to spaces)
get_teleport_pid() {
check_exists_fatal pgrep xargs
pgrep teleport | xargs echo
}
# returns a command which will start teleport using the config
get_teleport_start_command() {
echo "${TELEPORT_BINARY_DIR}/teleport start --config=${TELEPORT_CONFIG_PATH}"
}
# installs the teleport-provided launchd config
install_launchd_config() {
log "Installing Teleport launchd config to ${LAUNCHD_CONFIG_PATH}"
${COPY_COMMAND} ./${TELEPORT_ARCHIVE_PATH}/examples/launchd/com.goteleport.teleport.plist ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist
}
# installs the teleport-provided systemd unit
install_systemd_unit() {
log "Installing Teleport systemd unit to ${SYSTEMD_UNIT_PATH}"
${COPY_COMMAND} ./${TELEPORT_ARCHIVE_PATH}/examples/systemd/teleport.service ${SYSTEMD_UNIT_PATH}
log "Reloading unit files (systemctl daemon-reload)"
systemctl daemon-reload
}
# formats the arguments as a yaml list
get_yaml_list() {
name="${1}"
list="${2}"
indentation="${3}"
echo "${indentation}${name}:"
for item in ${list}; do
echo "${indentation}- ${item}"
done
}
# installs the provided teleport config (for app service)
install_teleport_app_config() {
log "Writing Teleport app service config to ${TELEPORT_CONFIG_PATH}"
CA_PINS_CONFIG=$(get_yaml_list "ca_pin" "${CA_PIN_HASHES}" " ")
cat << EOF > ${TELEPORT_CONFIG_PATH}
version: v3
teleport:
nodename: ${NODENAME}
auth_token: ${JOIN_TOKEN}
${CA_PINS_CONFIG}
proxy_server: ${TARGET_HOSTNAME}:${TARGET_PORT}
log:
output: stderr
severity: INFO
auth_service:
enabled: no
ssh_service:
enabled: no
proxy_service:
enabled: no
app_service:
enabled: yes
apps:
- name: "${APP_NAME}"
uri: "${APP_URI}"
public_addr: ${APP_PUBLIC_ADDR}
EOF
}
# installs the provided teleport config (for database service)
install_teleport_database_config() {
log "Writing Teleport database service config to ${TELEPORT_CONFIG_PATH}"
CA_PINS_CONFIG=$(get_yaml_list "ca_pin" "${CA_PIN_HASHES}" " ")
# This file is processed by `shellschek` as part of the lint step
# It detects an issue because of un-set variables - $index and $line. This check is called SC2154.
# However, that's not an issue, because those variables are replaced when we run go's text/template engine over it.
# When executing the script, those are no long variables but actual values.
# shellcheck disable=SC2154
cat << EOF > ${TELEPORT_CONFIG_PATH}
version: v3
teleport:
nodename: ${NODENAME}
auth_token: ${JOIN_TOKEN}
${CA_PINS_CONFIG}
proxy_server: ${TARGET_HOSTNAME}:${TARGET_PORT}
log:
output: stderr
severity: INFO
auth_service:
enabled: no
ssh_service:
enabled: no
proxy_service:
enabled: no
db_service:
enabled: "yes"
resources:
- labels:
EOF
}
# installs the provided teleport config (for node service)
install_teleport_node_config() {
log "Writing Teleport node service config to ${TELEPORT_CONFIG_PATH}"
${TELEPORT_BINARY_DIR}/teleport node configure \
--token ${JOIN_TOKEN} \
${JOIN_METHOD_FLAG} \
--ca-pin ${CA_PINS} \
--proxy ${TARGET_HOSTNAME}:${TARGET_PORT} \
"${LABELS_FLAG[@]}" \
--output ${TELEPORT_CONFIG_PATH}
}
# checks whether the given host is running MacOS
is_macos_host() { if [[ ${OSTYPE} == "darwin"* ]]; then return 0; else return 1; fi }
# checks whether teleport is already running on the host
is_running_teleport() {
check_exists_fatal pgrep
TELEPORT_PID=$(get_teleport_pid)
if [[ "${TELEPORT_PID}" != "" ]]; then return 0; else return 1; fi
}
# checks whether the given host is running systemd as its init system
is_using_systemd() { if [ -d /run/systemd/system ]; then return 0; else return 1; fi }
# prints a warning if the host isn't running systemd
no_systemd_warning() {
log_important "This host is not running systemd, so Teleport cannot be started automatically when it exits."
log_important "Please investigate an alternative way to keep Teleport running."
log_important "You can find information in our documentation: ${TELEPORT_DOCS_URL}"
log_important "For now, Teleport will be started in the foreground - you can press Ctrl+C to exit."
log_only
log_only "Run this command to start Teleport in future:"
log_only "$(get_teleport_start_command)"
log_only
log_only "------------------------------------------------------------------------"
log_only "| IMPORTANT: TELEPORT WILL STOP RUNNING AFTER YOU CLOSE THIS TERMINAL! |"
log_only "| YOU MUST CONFIGURE A SERVICE MANAGER TO MAKE IT RUN ON STARTUP! |"
log_only "------------------------------------------------------------------------"
log_only
}
# print a message giving the name of the node and a link to the docs
# gives some debugging instructions if the service didn't start successfully
print_welcome_message() {
log_only ""
if is_running_teleport; then
log_only "Teleport has been started."
log_only ""
if is_using_systemd; then
log_only "View its status with 'sudo systemctl status teleport.service'"
log_only "View Teleport logs using 'sudo journalctl -u teleport.service'"
log_only "To stop Teleport, run 'sudo systemctl stop teleport.service'"
log_only "To start Teleport again if you stop it, run 'sudo systemctl start teleport.service'"
elif is_macos_host; then
log_only "View Teleport logs in '${MACOS_STDERR_LOG}' and '${MACOS_STDOUT_LOG}'"
log_only "To stop Teleport, run 'sudo launchctl unload ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist'"
log_only "To start Teleport again if you stop it, run 'sudo launchctl load ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist'"
fi
log_only ""
log_only "You can see this node connected in the Teleport web UI or 'tsh ls' with the name '${NODENAME}'"
log_only "Find more details on how to use Teleport here: https://goteleport.com/docs/user-manual/"
else
log_important "The Teleport service was installed, but it does not appear to have started successfully."
if is_using_systemd; then
log_important "Check the Teleport service's status with 'systemctl status teleport.service'"
log_important "View Teleport logs with 'journalctl -u teleport.service'"
elif is_macos_host; then
log_important "Check Teleport logs in '${MACOS_STDERR_LOG}' and '${MACOS_STDOUT_LOG}'"
fi
log_important "Contact Teleport support for further assistance."
fi
log_only ""
}
# start teleport in foreground (when there's no systemd)
start_teleport_foreground() {
log "Starting Teleport in the foreground"
# shellcheck disable=SC2091
$(get_teleport_start_command)
}
# start teleport via launchd (after installing config)
start_teleport_launchd() {
log "Starting Teleport via launchctl. It will automatically be started whenever the system reboots."
launchctl load ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist
sleep ${ALIVE_CHECK_DELAY}
}
# start teleport via systemd (after installing unit)
start_teleport_systemd() {
log "Starting Teleport via systemd. It will automatically be started whenever the system reboots."
systemctl enable teleport.service
systemctl start teleport.service
sleep ${ALIVE_CHECK_DELAY}
}
# checks whether teleport binaries exist on the host
teleport_binaries_exist() {
for BINARY_NAME in teleport tctl tsh; do
if [ -f ${TELEPORT_BINARY_DIR}/${BINARY_NAME} ]; then return 0; else return 1; fi
done
}
# checks whether a teleport config exists on the host
teleport_config_exists() { if [ -f ${TELEPORT_CONFIG_PATH} ]; then return 0; else return 1; fi; }
# checks whether a teleport data dir exists on the host
teleport_datadir_exists() { if [ -d ${TELEPORT_DATA_DIR} ]; then return 0; else return 1; fi; }
# error out if any required values are not set
check_set TELEPORT_VERSION
check_set TARGET_HOSTNAME
check_set TARGET_PORT
check_set JOIN_TOKEN
check_set CA_PIN_HASHES
if [[ "${APP_INSTALL_MODE}" == "true" ]]; then
check_set APP_NAME
check_set APP_URI
check_set APP_PUBLIC_ADDR
fi
###
# main script starts here
###
# check connectivity to teleport server/port
if [[ "${IGNORE_CONNECTIVITY_CHECK}" == "true" ]]; then
log "TELEPORT_IGNORE_CONNECTIVITY_CHECK=true, not running connectivity check"
else
log "Checking TCP connectivity to Teleport server (${TARGET_HOSTNAME}:${TARGET_PORT})"
if ! check_connectivity "${TARGET_HOSTNAME}" "${TARGET_PORT}"; then
# if we don't have a connectivity test method assigned, we know we couldn't run the test
if [[ ${CONNECTIVITY_TEST_METHOD} == "" ]]; then
log "Couldn't find nc, telnet or /dev/tcp to do a connection test"
log "Going to blindly continue without testing connectivity"
else
log_important "Couldn't open a connection to the Teleport server (${TARGET_HOSTNAME}:${TARGET_PORT}) via ${CONNECTIVITY_TEST_METHOD}"
log_important "This issue will need to be fixed before the script can continue."
log_important "If you think this is an error, add 'export TELEPORT_IGNORE_CONNECTIVITY_CHECK=true && ' before the curl command which runs the script."
exit 1
fi
else
log "Connectivity to Teleport server (via ${CONNECTIVITY_TEST_METHOD}) looks good"
fi
fi
# use OSTYPE variable to figure out host type/arch
if [[ "${OSTYPE}" == "linux-gnu"* ]]; then
# linux host, now detect arch
TELEPORT_BINARY_TYPE="linux"
ARCH=$(uname -m)
log "Detected host: ${OSTYPE}, using Teleport binary type ${TELEPORT_BINARY_TYPE}"
if [[ ${ARCH} == "armv7l" ]]; then
TELEPORT_ARCH="arm"
elif [[ ${ARCH} == "aarch64" ]]; then
TELEPORT_ARCH="arm64"
elif [[ ${ARCH} == "x86_64" ]]; then
TELEPORT_ARCH="amd64"
elif [[ ${ARCH} == "i686" ]]; then
TELEPORT_ARCH="386"
else
log_important "Error: cannot detect architecture from uname -m: ${ARCH}"
exit 1
fi
log "Detected arch: ${ARCH}, using Teleport arch ${TELEPORT_ARCH}"
# if the download format is already set, we have no need to detect distro
if [[ ${TELEPORT_FORMAT} == "" ]]; then
# detect distro
# if /etc/os-release doesn't exist, we need to use some other logic
if [ ! -f /etc/os-release ]; then
if [ -f /etc/centos-release ]; then
if grep -q 'CentOS release 6' /etc/centos-release; then
log_important "Detected host type: CentOS 6 [$(cat /etc/centos-release)]"
log_important "Teleport will not work on CentOS 6 -based servers due to the glibc version being too low."
exit 1
fi
elif [ -f /etc/redhat-release ]; then
if grep -q 'Red Hat Enterprise Linux Server release 5' /etc/redhat-release; then
log_important "Detected host type: RHEL5 [$(cat /etc/redhat-release)]"
log_important "Teleport will not work on RHEL5-based servers due to the glibc version being too low."
exit 1
elif grep -q 'Red Hat Enterprise Linux Server release 6' /etc/redhat-release; then
log_important "Detected host type: RHEL6 [$(cat /etc/redhat-release)]"
log_important "Teleport will not work on RHEL6-based servers due to the glibc version being too low."
exit 1
fi
fi
# use ID_LIKE value from /etc/os-release (if set)
# this is 'debian' on ubuntu/raspbian, 'centos rhel fedora' on amazon linux etc
else
check_exists_fatal cut
DISTRO_TYPE=$(grep ID_LIKE /etc/os-release | cut -d= -f2) || true
if [[ ${DISTRO_TYPE} == "" ]]; then
# use exact ID value from /etc/os-release if ID_LIKE is not set
DISTRO_TYPE=$(grep -w ID /etc/os-release | cut -d= -f2)
fi
if [[ ${DISTRO_TYPE} =~ "debian" ]]; then
TELEPORT_FORMAT="deb"
elif [[ "$DISTRO_TYPE" =~ "amzn"* ]] || [[ ${DISTRO_TYPE} =~ "centos"* ]] || [[ ${DISTRO_TYPE} =~ "rhel" ]] || [[ ${DISTRO_TYPE} =~ "fedora"* ]]; then
TELEPORT_FORMAT="rpm"
else
log "Couldn't match a distro type using /etc/os-release, falling back to tarball installer"
TELEPORT_FORMAT="tarball"
fi
fi
log "Detected distro type: ${DISTRO_TYPE}"
#suse, also identified as sles, uses a different path for its systemd then other distro types like ubuntu
if [[ ${DISTRO_TYPE} =~ "suse"* ]] || [[ ${DISTRO_TYPE} =~ "sles"* ]]; then
SYSTEMD_UNIT_PATH="/etc/systemd/system/teleport.service"
fi
fi
elif [[ "${OSTYPE}" == "darwin"* ]]; then
# macos host, now detect arch
TELEPORT_BINARY_TYPE="darwin"
ARCH=$(uname -m)
log "Detected host: ${OSTYPE}, using Teleport binary type ${TELEPORT_BINARY_TYPE}"
if [[ ${ARCH} == "arm64" ]]; then
TELEPORT_ARCH="arm64"
elif [[ ${ARCH} == "x86_64" ]]; then
TELEPORT_ARCH="amd64"
else
log_important "Error: unsupported architecture from uname -m: ${ARCH}"
exit 1
fi
log "Detected MacOS ${ARCH} architecture, using Teleport arch ${TELEPORT_ARCH}"
TELEPORT_FORMAT="tarball"
else
log_important "Error - unsupported platform: ${OSTYPE}"
exit 1
fi
log "Using Teleport distribution: ${TELEPORT_FORMAT}"
# create temporary directory and exit cleanup logic
TEMP_DIR=$(mktemp -d -t teleport-XXXXXXXXXX)
log "Created temp dir ${TEMP_DIR}"
pushd "${TEMP_DIR}" >/dev/null 2>&1
finish() {
popd >/dev/null 2>&1
rm -rf "${TEMP_DIR}"
}
trap finish EXIT
# optional format override (mostly for testing)
if [[ ${OVERRIDE_FORMAT} != "" ]]; then
TELEPORT_FORMAT="${OVERRIDE_FORMAT}"
log "Overriding TELEPORT_FORMAT to ${OVERRIDE_FORMAT}"
fi
# check whether teleport is running already
# if it is, we exit gracefully with an error
if is_running_teleport; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
TELEPORT_PID=$(get_teleport_pid)
log_header "Warning: Teleport appears to already be running on this host (pid: ${TELEPORT_PID})"
log_cleanup_message
exit 1
else
log "Ignoring is_running_teleport as requested"
fi
fi
# check for existing config file
if teleport_config_exists; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
log_header "Warning: There is already a Teleport config file present at ${TELEPORT_CONFIG_PATH}."
log_cleanup_message
exit 1
else
log "Ignoring teleport_config_exists as requested"
fi
fi
# check for existing data directory
if teleport_datadir_exists; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
log_header "Warning: Found existing Teleport data directory (${TELEPORT_DATA_DIR})."
log_cleanup_message
exit 1
else
log "Ignoring teleport_datadir_exists as requested"
fi
fi
# check for existing binaries
if teleport_binaries_exist; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
log_header "Warning: Found existing Teleport binaries under ${TELEPORT_BINARY_DIR}."
log_cleanup_message
exit 1
else
log "Ignoring teleport_binaries_exist as requested"
fi
fi
install_from_file() {
# select correct URL/installation method based on distro
if [[ ${TELEPORT_FORMAT} == "tarball" ]]; then
URL="https://get.gravitational.com/${TELEPORT_PACKAGE_NAME}-v${TELEPORT_VERSION}-${TELEPORT_BINARY_TYPE}-${TELEPORT_ARCH}-bin.tar.gz"
# check that needed tools are installed
check_exists_fatal curl tar
# download tarball
log "Downloading Teleport ${TELEPORT_FORMAT} release ${TELEPORT_VERSION}"
DOWNLOAD_FILENAME=$(get_download_filename "${URL}")
download "${URL}" "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# extract tarball
tar -xzf "${TEMP_DIR}/${DOWNLOAD_FILENAME}" -C "${TEMP_DIR}"
# install binaries to /usr/local/bin
for BINARY in ${TELEPORT_BINARY_LIST}; do
${COPY_COMMAND} "${TELEPORT_ARCHIVE_PATH}/${BINARY}" "${TELEPORT_BINARY_DIR}/"
done
elif [[ ${TELEPORT_FORMAT} == "deb" ]]; then
# convert teleport arch to deb arch
if [[ ${TELEPORT_ARCH} == "amd64" ]]; then
DEB_ARCH="amd64"
elif [[ ${TELEPORT_ARCH} == "386" ]]; then
DEB_ARCH="i386"
elif [[ ${TELEPORT_ARCH} == "arm" ]]; then
DEB_ARCH="arm"
elif [[ ${TELEPORT_ARCH} == "arm64" ]]; then
DEB_ARCH="arm64"
fi
URL="https://get.gravitational.com/${TELEPORT_PACKAGE_NAME}_${TELEPORT_VERSION}_${DEB_ARCH}.deb"
check_deb_not_already_installed
# check that needed tools are installed
check_exists_fatal curl dpkg
# download deb and register cleanup operation
log "Downloading Teleport ${TELEPORT_FORMAT} release ${TELEPORT_VERSION}"
DOWNLOAD_FILENAME=$(get_download_filename "${URL}")
download "${URL}" "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# install deb
log "Using dpkg to install ${TEMP_DIR}/${DOWNLOAD_FILENAME}"
dpkg -i "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
elif [[ ${TELEPORT_FORMAT} == "rpm" ]]; then
# convert teleport arch to rpm arch
if [[ ${TELEPORT_ARCH} == "amd64" ]]; then
RPM_ARCH="x86_64"
elif [[ ${TELEPORT_ARCH} == "386" ]]; then
RPM_ARCH="i386"
elif [[ ${TELEPORT_ARCH} == "arm" ]]; then
RPM_ARCH="arm"
elif [[ ${TELEPORT_ARCH} == "arm64" ]]; then
RPM_ARCH="arm64"
fi
URL="https://get.gravitational.com/${TELEPORT_PACKAGE_NAME}-${TELEPORT_VERSION}-1.${RPM_ARCH}.rpm"
check_rpm_not_already_installed
# check for package managers
if check_exists dnf; then
log "Found 'dnf' package manager, using it"
PACKAGE_MANAGER_COMMAND="dnf -y install"
elif check_exists yum; then
log "Found 'yum' package manager, using it"
PACKAGE_MANAGER_COMMAND="yum -y localinstall"
else
PACKAGE_MANAGER_COMMAND=""
log "Cannot find 'yum' or 'dnf' package manager commands, will try installing the rpm manually instead"
fi
# check that needed tools are installed
check_exists_fatal curl
log "Downloading Teleport ${TELEPORT_FORMAT} release ${TELEPORT_VERSION}"
DOWNLOAD_FILENAME=$(get_download_filename "${URL}")
download "${URL}" "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# install with package manager if available
if [[ ${PACKAGE_MANAGER_COMMAND} != "" ]]; then
log "Installing Teleport release from ${TEMP_DIR}/${DOWNLOAD_FILENAME} using ${PACKAGE_MANAGER_COMMAND}"
# install rpm with package manager
${PACKAGE_MANAGER_COMMAND} "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# use rpm if we couldn't find a package manager
else
# install RPM (in upgrade mode)
log "Using rpm to install ${TEMP_DIR}/${DOWNLOAD_FILENAME}"
rpm -Uvh "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
fi
else
log_important "Can't figure out what Teleport format to use"
exit 1
fi
}
install_from_repo() {
if [[ "${REPO_CHANNEL}" == "" ]]; then
# By default, use the current version's channel.
REPO_CHANNEL=stable/v"${TELEPORT_VERSION//.*/}"
fi
# Populate $ID, $VERSION_ID, $VERSION_CODENAME and other env vars identifying the OS.
# shellcheck disable=SC1091
. /etc/os-release
PACKAGE_LIST=$(package_list)
if [ "$ID" == "debian" ] || [ "$ID" == "ubuntu" ]; then
# old versions of ubuntu require that keys get added by `apt-key add`, without
# adding the key apt shows a key signing error when installing teleport.
if [[
($ID == "ubuntu" && $VERSION_ID == "16.04") || \
($ID == "debian" && $VERSION_ID == "9" )
]]; then
apt install apt-transport-https gnupg -y
curl -fsSL https://apt.releases.teleport.dev/gpg | apt-key add -
echo "deb https://apt.releases.teleport.dev/${ID} ${VERSION_CODENAME} ${REPO_CHANNEL}" > /etc/apt/sources.list.d/teleport.list
else
curl -fsSL https://apt.releases.teleport.dev/gpg \
-o /usr/share/keyrings/teleport-archive-keyring.asc
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
https://apt.releases.teleport.dev/${ID} ${VERSION_CODENAME} ${REPO_CHANNEL}" > /etc/apt/sources.list.d/teleport.list
fi
apt-get update
apt-get install -y ${PACKAGE_LIST}
elif [ "$ID" = "amzn" ] || [ "$ID" = "rhel" ] || [ "$ID" = "centos" ] ; then
if [ "$ID" = "rhel" ]; then
VERSION_ID="${VERSION_ID//.*/}" # convert version numbers like '7.2' to only include the major version
fi
yum install -y yum-utils
yum-config-manager --add-repo \
"$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/${REPO_CHANNEL}/teleport.repo")"
# Remove metadata cache to prevent cache from other channel (eg, prior version)
# See: https://github.com/gravitational/teleport/issues/22581
yum --disablerepo="*" --enablerepo="teleport" clean metadata
yum install -y ${PACKAGE_LIST}
else
echo "Unsupported distro: $ID"
exit 1
fi
}
# package_list returns the list of packages to install.
# The list of packages can be fed into yum or apt because they already have the expected format when pinning versions.
package_list() {
TELEPORT_PACKAGE_PIN_VERSION=${TELEPORT_PACKAGE_NAME}
TELEPORT_UPDATER_PIN_VERSION="${TELEPORT_PACKAGE_NAME}-updater"
if [[ "${TELEPORT_FORMAT}" == "deb" ]]; then
TELEPORT_PACKAGE_PIN_VERSION+="=${TELEPORT_VERSION}"
TELEPORT_UPDATER_PIN_VERSION+="=${TELEPORT_VERSION}"
elif [[ "${TELEPORT_FORMAT}" == "rpm" ]]; then
TELEPORT_YUM_VERSION="${TELEPORT_VERSION//-/_}"
TELEPORT_PACKAGE_PIN_VERSION+="-${TELEPORT_YUM_VERSION}"
TELEPORT_UPDATER_PIN_VERSION+="-${TELEPORT_YUM_VERSION}"
fi
PACKAGE_LIST=${TELEPORT_PACKAGE_PIN_VERSION}
# (warning): This expression is constant. Did you forget the $ on a variable?
# Disabling the warning above because expression is templated.
# shellcheck disable=SC2050
if is_using_systemd && [[ "false" == "true" ]]; then
# Teleport Updater requires systemd.
PACKAGE_LIST+=" ${TELEPORT_UPDATER_PIN_VERSION}"
fi
echo ${PACKAGE_LIST}
}
is_repo_available() {
if [[ "${OSTYPE}" != "linux-gnu" ]]; then
return 1
fi
# Populate $ID, $VERSION_ID and other env vars identifying the OS.
# shellcheck disable=SC1091
. /etc/os-release
# The following distros+version have a Teleport repository to install from.
case "${ID}-${VERSION_ID}" in
ubuntu-16.04* | ubuntu-18.04* | ubuntu-20.04* | ubuntu-22.04* | \
debian-9* | debian-10* | debian-11* | \
rhel-7* | rhel-8* | rhel-9* | \
centos-7* | centos-8* | centos-9* | \
amzn-2 | amzn-2023)
return 0;;
esac
return 1
}
if is_repo_available; then
log "Installing repo for distro $ID."
install_from_repo
else
log "Installing from binary file."
install_from_file
fi
# check that teleport binary can be found and runs
if ! check_teleport_binary; then
log_important "The Teleport binary could not be found at ${TELEPORT_BINARY_DIR} as expected."
log_important "This usually means that there was an error during installation."
log_important "Check this log for obvious signs of error and contact Teleport support"
log_important "for further assistance."
exit 1
fi
# install teleport config
# check the mode and write the appropriate config type
if [[ "${APP_INSTALL_MODE}" == "true" ]]; then
install_teleport_app_config
elif [[ "${DB_INSTALL_MODE}" == "true" ]]; then
install_teleport_database_config
else
install_teleport_node_config
fi
# Used to track whether a Teleport agent was installed using this method.
export TELEPORT_INSTALL_METHOD_NODE_SCRIPT="true"
# install systemd unit if applicable (linux hosts)
if is_using_systemd; then
log "Host is using systemd"
# we only need to manually install the systemd config if teleport was installed via tarball
# all other packages will deploy it automatically
if [[ ${TELEPORT_FORMAT} == "tarball" ]]; then
install_systemd_unit
fi
start_teleport_systemd
print_welcome_message
# install launchd config on MacOS hosts
elif is_macos_host; then
log "Host is running MacOS"
install_launchd_config
start_teleport_launchd
print_welcome_message
# not a MacOS host and no systemd available, print a warning
# and temporarily start Teleport in the foreground
else
log "Host does not appear to be using systemd"
no_systemd_warning
start_teleport_foreground
fi

995
ansible/00_old/install-node.sh Normal file
View File

@@ -0,0 +1,995 @@
#!/bin/bash
set -euo pipefail
SCRIPT_NAME="teleport-installer"
# default values
ALIVE_CHECK_DELAY=3
CONNECTIVITY_TEST_METHOD=""
COPY_COMMAND="cp"
DISTRO_TYPE=""
IGNORE_CONNECTIVITY_CHECK="${TELEPORT_IGNORE_CONNECTIVITY_CHECK:-false}"
LAUNCHD_CONFIG_PATH="/Library/LaunchDaemons"
LOG_FILENAME="$(mktemp -t ${SCRIPT_NAME}.log.XXXXXXXXXX)"
MACOS_STDERR_LOG="/var/log/teleport-stderr.log"
MACOS_STDOUT_LOG="/var/log/teleport-stdout.log"
SYSTEMD_UNIT_PATH="/lib/systemd/system/teleport.service"
TARGET_PORT_DEFAULT=443
TELEPORT_ARCHIVE_PATH='teleport'
TELEPORT_BINARY_DIR="/usr/local/bin"
TELEPORT_BINARY_LIST="teleport tctl tsh"
TELEPORT_CONFIG_PATH="/etc/teleport.yaml"
TELEPORT_DATA_DIR="/var/lib/teleport"
TELEPORT_DOCS_URL="https://goteleport.com/docs/"
TELEPORT_FORMAT=""
# initialise variables (because set -u disallows unbound variables)
f=""
l=""
DISABLE_TLS_VERIFICATION=false
NODENAME=$(hostname)
IGNORE_CHECKS=false
OVERRIDE_FORMAT=""
QUIET=false
APP_INSTALL_DECISION=""
INTERACTIVE=false
# the default value of each variable is a templatable Go value so that it can
# optionally be replaced by the server before the script is served up
TELEPORT_VERSION='13.3.4'
TELEPORT_PACKAGE_NAME='teleport'
REPO_CHANNEL=''
TARGET_HOSTNAME='teleport.datasaker.io'
TARGET_PORT='443'
JOIN_TOKEN='2df40c1ac8f47d7b155a92c134a77a84'
JOIN_METHOD=''
JOIN_METHOD_FLAG=""
[ -n "$JOIN_METHOD" ] && JOIN_METHOD_FLAG="--join-method ${JOIN_METHOD}"
# inject labels into the configuration
LABELS='teleport.internal/resource-id=0ec993a8-b1ec-4fa6-8fc5-4e73e3e5306e'
LABELS_FLAG=()
[ -n "$LABELS" ] && LABELS_FLAG=(--labels "${LABELS}")
# When all stanza generators have been updated to use the new
# `teleport <service> configure` commands CA_PIN_HASHES can be removed along
# with the script passing it in in `join_tokens.go`.
CA_PIN_HASHES='sha256:fcd4bcd57c9a2a7bd68c4140c2c46c0131cd31567c3e0c87e6b12258aa190836'
CA_PINS='sha256:fcd4bcd57c9a2a7bd68c4140c2c46c0131cd31567c3e0c87e6b12258aa190836'
ARG_CA_PIN_HASHES=""
APP_INSTALL_MODE='false'
APP_NAME=''
APP_URI=''
DB_INSTALL_MODE='false'
# usage message
# shellcheck disable=SC2086
usage() { echo "Usage: $(basename $0) [-v teleport_version] [-h target_hostname] [-p target_port] [-j join_token] [-c ca_pin_hash]... [-q] [-l log_filename] [-a app_name] [-u app_uri] " 1>&2; exit 1; }
while getopts ":v:h:p:j:c:f:ql:ika:u:" o; do
case "${o}" in
v) TELEPORT_VERSION=${OPTARG};;
h) TARGET_HOSTNAME=${OPTARG};;
p) TARGET_PORT=${OPTARG};;
j) JOIN_TOKEN=${OPTARG};;
c) ARG_CA_PIN_HASHES="${ARG_CA_PIN_HASHES} ${OPTARG}";;
f) f=${OPTARG}; if [[ ${f} != "tarball" && ${f} != "deb" && ${f} != "rpm" ]]; then usage; fi;;
q) QUIET=true;;
l) l=${OPTARG};;
i) IGNORE_CHECKS=true; COPY_COMMAND="cp -f";;
k) DISABLE_TLS_VERIFICATION=true;;
a) APP_INSTALL_MODE=true && APP_NAME=${OPTARG};;
u) APP_INSTALL_MODE=true && APP_URI=${OPTARG};;
*) usage;;
esac
done
shift $((OPTIND-1))
if [[ "${ARG_CA_PIN_HASHES}" != "" ]]; then
CA_PIN_HASHES="${ARG_CA_PIN_HASHES}"
fi
# function to construct a go template variable
# go's template parser is a bit finicky, so we dynamically build the value one character at a time
construct_go_template() {
OUTPUT="{"
OUTPUT+="{"
OUTPUT+="."
OUTPUT+="${1}"
OUTPUT+="}"
OUTPUT+="}"
echo "${OUTPUT}"
}
# check whether we are root, exit if not
assert_running_as_root() {
if ! [ "$(id -u)" = 0 ]; then
echo "This script must be run as root." 1>&2
exit 1
fi
}
# function to check whether variables are either blank or set to the default go template value
# (because they haven't been set by the go script generator or a command line argument)
# returns 1 if the variable is set to a default/zero value
# returns 0 otherwise (i.e. it needs to be set interactively)
check_variable() {
VARIABLE_VALUE="${!1}"
GO_TEMPLATE_NAME=$(construct_go_template "${2}")
if [[ "${VARIABLE_VALUE}" == "" ]] || [[ "${VARIABLE_VALUE}" == "${GO_TEMPLATE_NAME}" ]]; then
return 1
fi
return 0
}
# function to check whether a provided value is "truthy" i.e. it looks like you're trying to say "yes"
is_truthy() {
declare -a TRUTHY_VALUES
TRUTHY_VALUES=("y" "Y" "yes" "YES" "ye" "YE" "yep" "YEP" "ya" "YA")
CHECK_VALUE="$1"
for ARRAY_VALUE in "${TRUTHY_VALUES[@]}"; do [[ "${CHECK_VALUE}" == "${ARRAY_VALUE}" ]] && return 0; done
return 1
}
# function to read input until the value you get is non-empty
read_nonblank_input() {
INPUT=""
VARIABLE_TO_ASSIGN="$1"
shift
PROMPT="$*"
until [[ "${INPUT}" != "" ]]; do
echo -n "${PROMPT}"
read -r INPUT
done
printf -v "${VARIABLE_TO_ASSIGN}" '%s' "${INPUT}"
}
# error if we're not root
assert_running_as_root
# set/read values interactively if not provided
# users will be prompted to enter their own value if all the following are true:
# - the current value is blank, or equal to the default Go template value
# - the value has not been provided by command line argument
! check_variable TELEPORT_VERSION version && INTERACTIVE=true && read_nonblank_input TELEPORT_VERSION "Enter Teleport version to install (without v): "
! check_variable TARGET_HOSTNAME hostname && INTERACTIVE=true && read_nonblank_input TARGET_HOSTNAME "Enter target hostname to connect to: "
! check_variable TARGET_PORT port && INTERACTIVE=true && { echo -n "Enter target port to connect to [${TARGET_PORT_DEFAULT}]: "; read -r TARGET_PORT; }
! check_variable JOIN_TOKEN token && INTERACTIVE=true && read_nonblank_input JOIN_TOKEN "Enter Teleport join token as provided: "
! check_variable CA_PIN_HASHES caPins && INTERACTIVE=true && read_nonblank_input CA_PIN_HASHES "Enter CA pin hash (separate multiple hashes with spaces): "
[ -n "${f}" ] && OVERRIDE_FORMAT=${f}
[ -n "${l}" ] && LOG_FILENAME=${l}
# if app service mode is not set (or is the default value) and we are running interactively (i.e. the user has provided some input already),
# prompt the user to choose whether to enable app_service
if [[ "${INTERACTIVE}" == "true" ]]; then
if ! check_variable APP_INSTALL_MODE appInstallMode; then
APP_INSTALL_MODE="false"
echo -n "Would you like to enable and configure Teleport's app_service, to use Teleport as a reverse proxy for a web application? [y/n, default: n] "
read -r APP_INSTALL_DECISION
if is_truthy "${APP_INSTALL_DECISION}"; then
APP_INSTALL_MODE="true"
fi
fi
fi
# prompt for extra needed values if we're running in app service mode
if [[ "${APP_INSTALL_MODE}" == "true" ]]; then
! check_variable APP_NAME appName && read_nonblank_input APP_NAME "Enter app name to install (must be DNS-compatible; less than 63 characters, no spaces, only - or _ as punctuation): "
! check_variable APP_URI appURI && read_nonblank_input APP_URI "Enter app URI (the host running the Teleport app service must be able to connect to this): "
# generate app public addr by concatenating values
APP_PUBLIC_ADDR="${APP_NAME}.${TARGET_HOSTNAME}"
fi
# set default target port if value not provided
if [[ "${TARGET_PORT}" == "" ]]; then
TARGET_PORT=${TARGET_PORT_DEFAULT}
fi
# clear log file if provided
if [[ "${LOG_FILENAME}" != "" ]]; then
if [ -f "${LOG_FILENAME}" ]; then
echo -n "" > "${LOG_FILENAME}"
fi
fi
# log functions
log_date() { echo -n "$(date '+%Y-%m-%d %H:%M:%S %Z')"; }
log() {
LOG_LINE="$(log_date) [${SCRIPT_NAME}] $*"
if [[ ${QUIET} != "true" ]]; then
echo "${LOG_LINE}"
fi
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
# writes a line with no timestamp or starting data, always prints
log_only() {
LOG_LINE="$*"
echo "${LOG_LINE}"
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
# writes a line by itself as a header
log_header() {
LOG_LINE="$*"
echo ""
echo "${LOG_LINE}"
echo ""
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
# important log lines, print even when -q (quiet) is passed
log_important() {
LOG_LINE="$(log_date) [${SCRIPT_NAME}] ---> $*"
echo "${LOG_LINE}"
if [[ "${LOG_FILENAME}" != "" ]]; then
echo "${LOG_LINE}" >> "${LOG_FILENAME}"
fi
}
log_cleanup_message() {
log_only "This script does not overwrite any existing settings or Teleport installations."
log_only "Please clean up by running any of the following steps as necessary:"
log_only "- stop any running Teleport processes"
log_only " - pkill -f teleport"
log_only "- remove any data under ${TELEPORT_DATA_DIR}, along with the directory itself"
log_only " - rm -rf ${TELEPORT_DATA_DIR}"
log_only "- remove any configuration at ${TELEPORT_CONFIG_PATH}"
log_only " - rm -f ${TELEPORT_CONFIG_PATH}"
log_only "- remove any Teleport binaries (${TELEPORT_BINARY_LIST}) installed under ${TELEPORT_BINARY_DIR}"
for BINARY in ${TELEPORT_BINARY_LIST}; do EXAMPLE_DELETE_COMMAND+="${TELEPORT_BINARY_DIR}/${BINARY} "; done
log_only " - rm -f ${EXAMPLE_DELETE_COMMAND}"
log_only "Run this installer again when done."
log_only
}
# other functions
# check whether a named program exists
check_exists() { NAME=$1; if type "${NAME}" >/dev/null 2>&1; then return 0; else return 1; fi; }
# checks for the existence of a list of named binaries and exits with error if any of them don't exist
check_exists_fatal() {
for TOOL in "$@"; do
if ! check_exists "${TOOL}"; then
log_important "Error: cannot find ${TOOL} - it needs to be installed"
exit 1
fi
done
}
# check connectivity to the given host/port and make a request to see if Teleport is listening
# uses the global variable CONNECTIVITY_TEST_METHOD to return the name of the checker, as return
# values aren't really a thing that exists in bash
check_connectivity() {
HOST=$1
PORT=$2
# check with nc
if check_exists nc; then
CONNECTIVITY_TEST_METHOD="nc"
if nc -z -w3 "${HOST}" "${PORT}" >/dev/null 2>&1; then return 0; else return 1; fi
# if there's no nc, check with telnet
elif check_exists telnet; then
CONNECTIVITY_TEST_METHOD="telnet"
if echo -e '\x1dclose\x0d' | telnet "${HOST}" "${PORT}" >/dev/null 2>&1; then return 0; else return 1; fi
# if there's no nc or telnet, try and use /dev/tcp
elif [ -f /dev/tcp ]; then
CONNECTIVITY_TEST_METHOD="/dev/tcp"
if (head -1 < "/dev/tcp/${HOST}/${PORT}") >/dev/null 2>&1; then return 0; else return 1; fi
else
return 255
fi
}
# check whether a teleport DEB is already installed and exit with error if so
check_deb_not_already_installed() {
check_exists_fatal dpkg awk
DEB_INSTALLED=$(dpkg -l | awk '{print $2}' | grep -E ^teleport || true)
if [[ ${DEB_INSTALLED} != "" ]]; then
log_important "It looks like there is already a Teleport DEB package installed (name: ${DEB_INSTALLED})."
log_important "You will need to remove that package before using this script."
exit 1
fi
}
# check whether a teleport RPM is already installed and exit with error if so
check_rpm_not_already_installed() {
check_exists_fatal rpm
RPM_INSTALLED=$(rpm -qa | grep -E ^teleport || true)
if [[ ${RPM_INSTALLED} != "" ]]; then
log_important "It looks like there is already a Teleport RPM package installed (name: ${RPM_INSTALLED})."
log_important "You will need to remove that package before using this script."
exit 1
fi
}
# function to check if given variable is set
check_set() {
CHECK_KEY=${1} || true
CHECK_VALUE=${!1} || true
if [[ "${CHECK_VALUE}" == "" ]]; then
log "Required variable ${CHECK_KEY} is not set"
exit 1
else
log "${CHECK_KEY}: ${CHECK_VALUE}"
fi
}
# checks that teleport binary can be found in path and runs 'teleport version'
check_teleport_binary() {
FOUND_TELEPORT_VERSION=$(${TELEPORT_BINARY_DIR}/teleport version)
if [[ "${FOUND_TELEPORT_VERSION}" == "" ]]; then
log "Cannot find Teleport binary"
return 1
else
log "Found: ${FOUND_TELEPORT_VERSION}";
return 0
fi
}
# wrapper to download with curl
download() {
URL=$1
OUTPUT_PATH=$2
CURL_COMMAND="curl -fsSL --retry 5 --retry-delay 5"
# optionally allow disabling of TLS verification (can be useful on older distros
# which often have an out-of-date set of CA certificate bundle which won't validate)
if [[ ${DISABLE_TLS_VERIFICATION} == "true" ]]; then
CURL_COMMAND+=" -k"
fi
log "Running ${CURL_COMMAND} ${URL}"
log "Downloading to ${OUTPUT_PATH}"
# handle errors with curl
if ! ${CURL_COMMAND} -o "${OUTPUT_PATH}" "${URL}"; then
log_important "curl error downloading ${URL}"
log "On an older OS, this may be related to the CA certificate bundle being too old."
log "You can pass the hidden -k flag to this script to disable TLS verification - this is not recommended!"
exit 1
fi
# check that the file has a non-zero size as an extra validation
check_exists_fatal wc xargs
FILE_SIZE="$(wc -c <"${OUTPUT_PATH}" | xargs)"
if [ "${FILE_SIZE}" -eq 0 ]; then
log_important "The downloaded file has a size of 0 bytes, which means an error occurred. Cannot continue."
exit 1
else
log "Downloaded file size: ${FILE_SIZE} bytes"
fi
# if we have a hashing utility installed, also download and validate the checksum
SHA_COMMAND=""
# shasum is installed by default on MacOS and some distros
if check_exists shasum; then
SHA_COMMAND="shasum -a 256"
# sha256sum is installed by default in some other distros
elif check_exists sha256sum; then
SHA_COMMAND="sha256sum"
fi
if [[ "${SHA_COMMAND}" != "" ]]; then
log "Will use ${SHA_COMMAND} to validate the checksum of the downloaded file"
SHA_URL="${URL}.sha256"
SHA_PATH="${OUTPUT_PATH}.sha256"
${CURL_COMMAND} -o "${SHA_PATH}" "${SHA_URL}"
if ${SHA_COMMAND} --status -c "${SHA_PATH}"; then
log "The downloaded file's checksum validated correctly"
else
SHA_EXPECTED=$(cat "${SHA_PATH}")
SHA_ACTUAL=$(${SHA_COMMAND} "${OUTPUT_PATH}")
if check_exists awk; then
SHA_EXPECTED=$(echo "${SHA_EXPECTED}" | awk '{print $1}')
SHA_ACTUAL=$(echo "${SHA_ACTUAL}" | awk '{print $1}')
fi
log_important "Checksum of the downloaded file did not validate correctly"
log_important "Expected: ${SHA_EXPECTED}"
log_important "Got: ${SHA_ACTUAL}"
log_important "Try rerunning this script from the start. If the issue persists, contact Teleport support."
exit 1
fi
else
log "shasum/sha256sum utilities not found, will skip checksum validation"
fi
}
# gets the filename from a full path (https://target.site/path/to/file.tar.gz -> file.tar.gz)
get_download_filename() { echo "${1##*/}"; }
# gets the pid of any running teleport process (and converts newlines to spaces)
get_teleport_pid() {
check_exists_fatal pgrep xargs
pgrep teleport | xargs echo
}
# returns a command which will start teleport using the config
get_teleport_start_command() {
echo "${TELEPORT_BINARY_DIR}/teleport start --config=${TELEPORT_CONFIG_PATH}"
}
# installs the teleport-provided launchd config
install_launchd_config() {
log "Installing Teleport launchd config to ${LAUNCHD_CONFIG_PATH}"
${COPY_COMMAND} ./${TELEPORT_ARCHIVE_PATH}/examples/launchd/com.goteleport.teleport.plist ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist
}
# installs the teleport-provided systemd unit
install_systemd_unit() {
log "Installing Teleport systemd unit to ${SYSTEMD_UNIT_PATH}"
${COPY_COMMAND} ./${TELEPORT_ARCHIVE_PATH}/examples/systemd/teleport.service ${SYSTEMD_UNIT_PATH}
log "Reloading unit files (systemctl daemon-reload)"
systemctl daemon-reload
}
# formats the arguments as a yaml list
get_yaml_list() {
name="${1}"
list="${2}"
indentation="${3}"
echo "${indentation}${name}:"
for item in ${list}; do
echo "${indentation}- ${item}"
done
}
# installs the provided teleport config (for app service)
install_teleport_app_config() {
log "Writing Teleport app service config to ${TELEPORT_CONFIG_PATH}"
CA_PINS_CONFIG=$(get_yaml_list "ca_pin" "${CA_PIN_HASHES}" " ")
cat << EOF > ${TELEPORT_CONFIG_PATH}
version: v3
teleport:
nodename: ${NODENAME}
auth_token: ${JOIN_TOKEN}
${CA_PINS_CONFIG}
proxy_server: ${TARGET_HOSTNAME}:${TARGET_PORT}
log:
output: stderr
severity: INFO
auth_service:
enabled: no
ssh_service:
enabled: no
proxy_service:
enabled: no
app_service:
enabled: yes
apps:
- name: "${APP_NAME}"
uri: "${APP_URI}"
public_addr: ${APP_PUBLIC_ADDR}
EOF
}
# installs the provided teleport config (for database service)
install_teleport_database_config() {
log "Writing Teleport database service config to ${TELEPORT_CONFIG_PATH}"
CA_PINS_CONFIG=$(get_yaml_list "ca_pin" "${CA_PIN_HASHES}" " ")
# This file is processed by `shellschek` as part of the lint step
# It detects an issue because of un-set variables - $index and $line. This check is called SC2154.
# However, that's not an issue, because those variables are replaced when we run go's text/template engine over it.
# When executing the script, those are no long variables but actual values.
# shellcheck disable=SC2154
cat << EOF > ${TELEPORT_CONFIG_PATH}
version: v3
teleport:
nodename: ${NODENAME}
auth_token: ${JOIN_TOKEN}
${CA_PINS_CONFIG}
proxy_server: ${TARGET_HOSTNAME}:${TARGET_PORT}
log:
output: stderr
severity: INFO
auth_service:
enabled: no
ssh_service:
enabled: no
proxy_service:
enabled: no
db_service:
enabled: "yes"
resources:
- labels:
EOF
}
# installs the provided teleport config (for node service)
install_teleport_node_config() {
log "Writing Teleport node service config to ${TELEPORT_CONFIG_PATH}"
${TELEPORT_BINARY_DIR}/teleport node configure \
--token ${JOIN_TOKEN} \
${JOIN_METHOD_FLAG} \
--ca-pin ${CA_PINS} \
--proxy ${TARGET_HOSTNAME}:${TARGET_PORT} \
"${LABELS_FLAG[@]}" \
--output ${TELEPORT_CONFIG_PATH}
}
# checks whether the given host is running MacOS
is_macos_host() { if [[ ${OSTYPE} == "darwin"* ]]; then return 0; else return 1; fi }
# checks whether teleport is already running on the host
is_running_teleport() {
check_exists_fatal pgrep
TELEPORT_PID=$(get_teleport_pid)
if [[ "${TELEPORT_PID}" != "" ]]; then return 0; else return 1; fi
}
# checks whether the given host is running systemd as its init system
is_using_systemd() { if [ -d /run/systemd/system ]; then return 0; else return 1; fi }
# prints a warning if the host isn't running systemd
no_systemd_warning() {
log_important "This host is not running systemd, so Teleport cannot be started automatically when it exits."
log_important "Please investigate an alternative way to keep Teleport running."
log_important "You can find information in our documentation: ${TELEPORT_DOCS_URL}"
log_important "For now, Teleport will be started in the foreground - you can press Ctrl+C to exit."
log_only
log_only "Run this command to start Teleport in future:"
log_only "$(get_teleport_start_command)"
log_only
log_only "------------------------------------------------------------------------"
log_only "| IMPORTANT: TELEPORT WILL STOP RUNNING AFTER YOU CLOSE THIS TERMINAL! |"
log_only "| YOU MUST CONFIGURE A SERVICE MANAGER TO MAKE IT RUN ON STARTUP! |"
log_only "------------------------------------------------------------------------"
log_only
}
# print a message giving the name of the node and a link to the docs
# gives some debugging instructions if the service didn't start successfully
print_welcome_message() {
log_only ""
if is_running_teleport; then
log_only "Teleport has been started."
log_only ""
if is_using_systemd; then
log_only "View its status with 'sudo systemctl status teleport.service'"
log_only "View Teleport logs using 'sudo journalctl -u teleport.service'"
log_only "To stop Teleport, run 'sudo systemctl stop teleport.service'"
log_only "To start Teleport again if you stop it, run 'sudo systemctl start teleport.service'"
elif is_macos_host; then
log_only "View Teleport logs in '${MACOS_STDERR_LOG}' and '${MACOS_STDOUT_LOG}'"
log_only "To stop Teleport, run 'sudo launchctl unload ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist'"
log_only "To start Teleport again if you stop it, run 'sudo launchctl load ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist'"
fi
log_only ""
log_only "You can see this node connected in the Teleport web UI or 'tsh ls' with the name '${NODENAME}'"
log_only "Find more details on how to use Teleport here: https://goteleport.com/docs/user-manual/"
else
log_important "The Teleport service was installed, but it does not appear to have started successfully."
if is_using_systemd; then
log_important "Check the Teleport service's status with 'systemctl status teleport.service'"
log_important "View Teleport logs with 'journalctl -u teleport.service'"
elif is_macos_host; then
log_important "Check Teleport logs in '${MACOS_STDERR_LOG}' and '${MACOS_STDOUT_LOG}'"
fi
log_important "Contact Teleport support for further assistance."
fi
log_only ""
}
# start teleport in foreground (when there's no systemd)
start_teleport_foreground() {
log "Starting Teleport in the foreground"
# shellcheck disable=SC2091
$(get_teleport_start_command)
}
# start teleport via launchd (after installing config)
start_teleport_launchd() {
log "Starting Teleport via launchctl. It will automatically be started whenever the system reboots."
launchctl load ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist
sleep ${ALIVE_CHECK_DELAY}
}
# start teleport via systemd (after installing unit)
start_teleport_systemd() {
log "Starting Teleport via systemd. It will automatically be started whenever the system reboots."
systemctl enable teleport.service
systemctl start teleport.service
sleep ${ALIVE_CHECK_DELAY}
}
# checks whether teleport binaries exist on the host
teleport_binaries_exist() {
for BINARY_NAME in teleport tctl tsh; do
if [ -f ${TELEPORT_BINARY_DIR}/${BINARY_NAME} ]; then return 0; else return 1; fi
done
}
# checks whether a teleport config exists on the host
teleport_config_exists() { if [ -f ${TELEPORT_CONFIG_PATH} ]; then return 0; else return 1; fi; }
# checks whether a teleport data dir exists on the host
teleport_datadir_exists() { if [ -d ${TELEPORT_DATA_DIR} ]; then return 0; else return 1; fi; }
# error out if any required values are not set
check_set TELEPORT_VERSION
check_set TARGET_HOSTNAME
check_set TARGET_PORT
check_set JOIN_TOKEN
check_set CA_PIN_HASHES
if [[ "${APP_INSTALL_MODE}" == "true" ]]; then
check_set APP_NAME
check_set APP_URI
check_set APP_PUBLIC_ADDR
fi
###
# main script starts here
###
# check connectivity to teleport server/port
if [[ "${IGNORE_CONNECTIVITY_CHECK}" == "true" ]]; then
log "TELEPORT_IGNORE_CONNECTIVITY_CHECK=true, not running connectivity check"
else
log "Checking TCP connectivity to Teleport server (${TARGET_HOSTNAME}:${TARGET_PORT})"
if ! check_connectivity "${TARGET_HOSTNAME}" "${TARGET_PORT}"; then
# if we don't have a connectivity test method assigned, we know we couldn't run the test
if [[ ${CONNECTIVITY_TEST_METHOD} == "" ]]; then
log "Couldn't find nc, telnet or /dev/tcp to do a connection test"
log "Going to blindly continue without testing connectivity"
else
log_important "Couldn't open a connection to the Teleport server (${TARGET_HOSTNAME}:${TARGET_PORT}) via ${CONNECTIVITY_TEST_METHOD}"
log_important "This issue will need to be fixed before the script can continue."
log_important "If you think this is an error, add 'export TELEPORT_IGNORE_CONNECTIVITY_CHECK=true && ' before the curl command which runs the script."
exit 1
fi
else
log "Connectivity to Teleport server (via ${CONNECTIVITY_TEST_METHOD}) looks good"
fi
fi
# use OSTYPE variable to figure out host type/arch
if [[ "${OSTYPE}" == "linux-gnu"* ]]; then
# linux host, now detect arch
TELEPORT_BINARY_TYPE="linux"
ARCH=$(uname -m)
log "Detected host: ${OSTYPE}, using Teleport binary type ${TELEPORT_BINARY_TYPE}"
if [[ ${ARCH} == "armv7l" ]]; then
TELEPORT_ARCH="arm"
elif [[ ${ARCH} == "aarch64" ]]; then
TELEPORT_ARCH="arm64"
elif [[ ${ARCH} == "x86_64" ]]; then
TELEPORT_ARCH="amd64"
elif [[ ${ARCH} == "i686" ]]; then
TELEPORT_ARCH="386"
else
log_important "Error: cannot detect architecture from uname -m: ${ARCH}"
exit 1
fi
log "Detected arch: ${ARCH}, using Teleport arch ${TELEPORT_ARCH}"
# if the download format is already set, we have no need to detect distro
if [[ ${TELEPORT_FORMAT} == "" ]]; then
# detect distro
# if /etc/os-release doesn't exist, we need to use some other logic
if [ ! -f /etc/os-release ]; then
if [ -f /etc/centos-release ]; then
if grep -q 'CentOS release 6' /etc/centos-release; then
log_important "Detected host type: CentOS 6 [$(cat /etc/centos-release)]"
log_important "Teleport will not work on CentOS 6 -based servers due to the glibc version being too low."
exit 1
fi
elif [ -f /etc/redhat-release ]; then
if grep -q 'Red Hat Enterprise Linux Server release 5' /etc/redhat-release; then
log_important "Detected host type: RHEL5 [$(cat /etc/redhat-release)]"
log_important "Teleport will not work on RHEL5-based servers due to the glibc version being too low."
exit 1
elif grep -q 'Red Hat Enterprise Linux Server release 6' /etc/redhat-release; then
log_important "Detected host type: RHEL6 [$(cat /etc/redhat-release)]"
log_important "Teleport will not work on RHEL6-based servers due to the glibc version being too low."
exit 1
fi
fi
# use ID_LIKE value from /etc/os-release (if set)
# this is 'debian' on ubuntu/raspbian, 'centos rhel fedora' on amazon linux etc
else
check_exists_fatal cut
DISTRO_TYPE=$(grep ID_LIKE /etc/os-release | cut -d= -f2) || true
if [[ ${DISTRO_TYPE} == "" ]]; then
# use exact ID value from /etc/os-release if ID_LIKE is not set
DISTRO_TYPE=$(grep -w ID /etc/os-release | cut -d= -f2)
fi
if [[ ${DISTRO_TYPE} =~ "debian" ]]; then
TELEPORT_FORMAT="deb"
elif [[ "$DISTRO_TYPE" =~ "amzn"* ]] || [[ ${DISTRO_TYPE} =~ "centos"* ]] || [[ ${DISTRO_TYPE} =~ "rhel" ]] || [[ ${DISTRO_TYPE} =~ "fedora"* ]]; then
TELEPORT_FORMAT="rpm"
else
log "Couldn't match a distro type using /etc/os-release, falling back to tarball installer"
TELEPORT_FORMAT="tarball"
fi
fi
log "Detected distro type: ${DISTRO_TYPE}"
#suse, also identified as sles, uses a different path for its systemd then other distro types like ubuntu
if [[ ${DISTRO_TYPE} =~ "suse"* ]] || [[ ${DISTRO_TYPE} =~ "sles"* ]]; then
SYSTEMD_UNIT_PATH="/etc/systemd/system/teleport.service"
fi
fi
elif [[ "${OSTYPE}" == "darwin"* ]]; then
# macos host, now detect arch
TELEPORT_BINARY_TYPE="darwin"
ARCH=$(uname -m)
log "Detected host: ${OSTYPE}, using Teleport binary type ${TELEPORT_BINARY_TYPE}"
if [[ ${ARCH} == "arm64" ]]; then
TELEPORT_ARCH="arm64"
elif [[ ${ARCH} == "x86_64" ]]; then
TELEPORT_ARCH="amd64"
else
log_important "Error: unsupported architecture from uname -m: ${ARCH}"
exit 1
fi
log "Detected MacOS ${ARCH} architecture, using Teleport arch ${TELEPORT_ARCH}"
TELEPORT_FORMAT="tarball"
else
log_important "Error - unsupported platform: ${OSTYPE}"
exit 1
fi
log "Using Teleport distribution: ${TELEPORT_FORMAT}"
# create temporary directory and exit cleanup logic
TEMP_DIR=$(mktemp -d -t teleport-XXXXXXXXXX)
log "Created temp dir ${TEMP_DIR}"
pushd "${TEMP_DIR}" >/dev/null 2>&1
finish() {
popd >/dev/null 2>&1
rm -rf "${TEMP_DIR}"
}
trap finish EXIT
# optional format override (mostly for testing)
if [[ ${OVERRIDE_FORMAT} != "" ]]; then
TELEPORT_FORMAT="${OVERRIDE_FORMAT}"
log "Overriding TELEPORT_FORMAT to ${OVERRIDE_FORMAT}"
fi
# check whether teleport is running already
# if it is, we exit gracefully with an error
if is_running_teleport; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
TELEPORT_PID=$(get_teleport_pid)
log_header "Warning: Teleport appears to already be running on this host (pid: ${TELEPORT_PID})"
log_cleanup_message
exit 1
else
log "Ignoring is_running_teleport as requested"
fi
fi
# check for existing config file
if teleport_config_exists; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
log_header "Warning: There is already a Teleport config file present at ${TELEPORT_CONFIG_PATH}."
log_cleanup_message
exit 1
else
log "Ignoring teleport_config_exists as requested"
fi
fi
# check for existing data directory
if teleport_datadir_exists; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
log_header "Warning: Found existing Teleport data directory (${TELEPORT_DATA_DIR})."
log_cleanup_message
exit 1
else
log "Ignoring teleport_datadir_exists as requested"
fi
fi
# check for existing binaries
if teleport_binaries_exist; then
if [[ ${IGNORE_CHECKS} != "true" ]]; then
log_header "Warning: Found existing Teleport binaries under ${TELEPORT_BINARY_DIR}."
log_cleanup_message
exit 1
else
log "Ignoring teleport_binaries_exist as requested"
fi
fi
install_from_file() {
# select correct URL/installation method based on distro
if [[ ${TELEPORT_FORMAT} == "tarball" ]]; then
URL="https://get.gravitational.com/${TELEPORT_PACKAGE_NAME}-v${TELEPORT_VERSION}-${TELEPORT_BINARY_TYPE}-${TELEPORT_ARCH}-bin.tar.gz"
# check that needed tools are installed
check_exists_fatal curl tar
# download tarball
log "Downloading Teleport ${TELEPORT_FORMAT} release ${TELEPORT_VERSION}"
DOWNLOAD_FILENAME=$(get_download_filename "${URL}")
download "${URL}" "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# extract tarball
tar -xzf "${TEMP_DIR}/${DOWNLOAD_FILENAME}" -C "${TEMP_DIR}"
# install binaries to /usr/local/bin
for BINARY in ${TELEPORT_BINARY_LIST}; do
${COPY_COMMAND} "${TELEPORT_ARCHIVE_PATH}/${BINARY}" "${TELEPORT_BINARY_DIR}/"
done
elif [[ ${TELEPORT_FORMAT} == "deb" ]]; then
# convert teleport arch to deb arch
if [[ ${TELEPORT_ARCH} == "amd64" ]]; then
DEB_ARCH="amd64"
elif [[ ${TELEPORT_ARCH} == "386" ]]; then
DEB_ARCH="i386"
elif [[ ${TELEPORT_ARCH} == "arm" ]]; then
DEB_ARCH="arm"
elif [[ ${TELEPORT_ARCH} == "arm64" ]]; then
DEB_ARCH="arm64"
fi
URL="https://get.gravitational.com/${TELEPORT_PACKAGE_NAME}_${TELEPORT_VERSION}_${DEB_ARCH}.deb"
check_deb_not_already_installed
# check that needed tools are installed
check_exists_fatal curl dpkg
# download deb and register cleanup operation
log "Downloading Teleport ${TELEPORT_FORMAT} release ${TELEPORT_VERSION}"
DOWNLOAD_FILENAME=$(get_download_filename "${URL}")
download "${URL}" "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# install deb
log "Using dpkg to install ${TEMP_DIR}/${DOWNLOAD_FILENAME}"
dpkg -i "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
elif [[ ${TELEPORT_FORMAT} == "rpm" ]]; then
# convert teleport arch to rpm arch
if [[ ${TELEPORT_ARCH} == "amd64" ]]; then
RPM_ARCH="x86_64"
elif [[ ${TELEPORT_ARCH} == "386" ]]; then
RPM_ARCH="i386"
elif [[ ${TELEPORT_ARCH} == "arm" ]]; then
RPM_ARCH="arm"
elif [[ ${TELEPORT_ARCH} == "arm64" ]]; then
RPM_ARCH="arm64"
fi
URL="https://get.gravitational.com/${TELEPORT_PACKAGE_NAME}-${TELEPORT_VERSION}-1.${RPM_ARCH}.rpm"
check_rpm_not_already_installed
# check for package managers
if check_exists dnf; then
log "Found 'dnf' package manager, using it"
PACKAGE_MANAGER_COMMAND="dnf -y install"
elif check_exists yum; then
log "Found 'yum' package manager, using it"
PACKAGE_MANAGER_COMMAND="yum -y localinstall"
else
PACKAGE_MANAGER_COMMAND=""
log "Cannot find 'yum' or 'dnf' package manager commands, will try installing the rpm manually instead"
fi
# check that needed tools are installed
check_exists_fatal curl
log "Downloading Teleport ${TELEPORT_FORMAT} release ${TELEPORT_VERSION}"
DOWNLOAD_FILENAME=$(get_download_filename "${URL}")
download "${URL}" "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# install with package manager if available
if [[ ${PACKAGE_MANAGER_COMMAND} != "" ]]; then
log "Installing Teleport release from ${TEMP_DIR}/${DOWNLOAD_FILENAME} using ${PACKAGE_MANAGER_COMMAND}"
# install rpm with package manager
${PACKAGE_MANAGER_COMMAND} "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
# use rpm if we couldn't find a package manager
else
# install RPM (in upgrade mode)
log "Using rpm to install ${TEMP_DIR}/${DOWNLOAD_FILENAME}"
rpm -Uvh "${TEMP_DIR}/${DOWNLOAD_FILENAME}"
fi
else
log_important "Can't figure out what Teleport format to use"
exit 1
fi
}
install_from_repo() {
if [[ "${REPO_CHANNEL}" == "" ]]; then
# By default, use the current version's channel.
REPO_CHANNEL=stable/v"${TELEPORT_VERSION//.*/}"
fi
# Populate $ID, $VERSION_ID, $VERSION_CODENAME and other env vars identifying the OS.
# shellcheck disable=SC1091
. /etc/os-release
PACKAGE_LIST=$(package_list)
if [ "$ID" == "debian" ] || [ "$ID" == "ubuntu" ]; then
# old versions of ubuntu require that keys get added by `apt-key add`, without
# adding the key apt shows a key signing error when installing teleport.
if [[
($ID == "ubuntu" && $VERSION_ID == "16.04") || \
($ID == "debian" && $VERSION_ID == "9" )
]]; then
apt install apt-transport-https gnupg -y
curl -fsSL https://apt.releases.teleport.dev/gpg | apt-key add -
echo "deb https://apt.releases.teleport.dev/${ID} ${VERSION_CODENAME} ${REPO_CHANNEL}" > /etc/apt/sources.list.d/teleport.list
else
curl -fsSL https://apt.releases.teleport.dev/gpg \
-o /usr/share/keyrings/teleport-archive-keyring.asc
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
https://apt.releases.teleport.dev/${ID} ${VERSION_CODENAME} ${REPO_CHANNEL}" > /etc/apt/sources.list.d/teleport.list
fi
apt-get update
apt-get install -y ${PACKAGE_LIST}
elif [ "$ID" = "amzn" ] || [ "$ID" = "rhel" ] || [ "$ID" = "centos" ] ; then
if [ "$ID" = "rhel" ]; then
VERSION_ID="${VERSION_ID//.*/}" # convert version numbers like '7.2' to only include the major version
fi
yum install -y yum-utils
yum-config-manager --add-repo \
"$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/${REPO_CHANNEL}/teleport.repo")"
# Remove metadata cache to prevent cache from other channel (eg, prior version)
# See: https://github.com/gravitational/teleport/issues/22581
yum --disablerepo="*" --enablerepo="teleport" clean metadata
yum install -y ${PACKAGE_LIST}
else
echo "Unsupported distro: $ID"
exit 1
fi
}
# package_list returns the list of packages to install.
# The list of packages can be fed into yum or apt because they already have the expected format when pinning versions.
package_list() {
TELEPORT_PACKAGE_PIN_VERSION=${TELEPORT_PACKAGE_NAME}
TELEPORT_UPDATER_PIN_VERSION="${TELEPORT_PACKAGE_NAME}-updater"
if [[ "${TELEPORT_FORMAT}" == "deb" ]]; then
TELEPORT_PACKAGE_PIN_VERSION+="=${TELEPORT_VERSION}"
TELEPORT_UPDATER_PIN_VERSION+="=${TELEPORT_VERSION}"
elif [[ "${TELEPORT_FORMAT}" == "rpm" ]]; then
TELEPORT_YUM_VERSION="${TELEPORT_VERSION//-/_}"
TELEPORT_PACKAGE_PIN_VERSION+="-${TELEPORT_YUM_VERSION}"
TELEPORT_UPDATER_PIN_VERSION+="-${TELEPORT_YUM_VERSION}"
fi
PACKAGE_LIST=${TELEPORT_PACKAGE_PIN_VERSION}
# (warning): This expression is constant. Did you forget the $ on a variable?
# Disabling the warning above because expression is templated.
# shellcheck disable=SC2050
if is_using_systemd && [[ "false" == "true" ]]; then
# Teleport Updater requires systemd.
PACKAGE_LIST+=" ${TELEPORT_UPDATER_PIN_VERSION}"
fi
echo ${PACKAGE_LIST}
}
is_repo_available() {
if [[ "${OSTYPE}" != "linux-gnu" ]]; then
return 1
fi
# Populate $ID, $VERSION_ID and other env vars identifying the OS.
# shellcheck disable=SC1091
. /etc/os-release
# The following distros+version have a Teleport repository to install from.
case "${ID}-${VERSION_ID}" in
ubuntu-16.04* | ubuntu-18.04* | ubuntu-20.04* | ubuntu-22.04* | \
debian-9* | debian-10* | debian-11* | \
rhel-7* | rhel-8* | rhel-9* | \
centos-7* | centos-8* | centos-9* | \
amzn-2 | amzn-2023)
return 0;;
esac
return 1
}
if is_repo_available; then
log "Installing repo for distro $ID."
install_from_repo
else
log "Installing from binary file."
install_from_file
fi
# check that teleport binary can be found and runs
if ! check_teleport_binary; then
log_important "The Teleport binary could not be found at ${TELEPORT_BINARY_DIR} as expected."
log_important "This usually means that there was an error during installation."
log_important "Check this log for obvious signs of error and contact Teleport support"
log_important "for further assistance."
exit 1
fi
# install teleport config
# check the mode and write the appropriate config type
if [[ "${APP_INSTALL_MODE}" == "true" ]]; then
install_teleport_app_config
elif [[ "${DB_INSTALL_MODE}" == "true" ]]; then
install_teleport_database_config
else
install_teleport_node_config
fi
# Used to track whether a Teleport agent was installed using this method.
export TELEPORT_INSTALL_METHOD_NODE_SCRIPT="true"
# install systemd unit if applicable (linux hosts)
if is_using_systemd; then
log "Host is using systemd"
# we only need to manually install the systemd config if teleport was installed via tarball
# all other packages will deploy it automatically
if [[ ${TELEPORT_FORMAT} == "tarball" ]]; then
install_systemd_unit
fi
start_teleport_systemd
print_welcome_message
# install launchd config on MacOS hosts
elif is_macos_host; then
log "Host is running MacOS"
install_launchd_config
start_teleport_launchd
print_welcome_message
# not a MacOS host and no systemd available, print a warning
# and temporarily start Teleport in the foreground
else
log "Host does not appear to be using systemd"
no_systemd_warning
start_teleport_foreground
fi

28
ansible/00_old/installer.sh Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/sh
apt_trusted_d_keyring="/etc/apt/trusted.gpg.d/datasaker-archive-keyring.gpg"
apt_usr_share_keyring="/usr/share/keyrings/datasaker-archive-keyring.gpg"
# init keyring
if ! [ -f ${apt_usr_share_keyring} ]; then
echo "create archive-keyring.gpg"
sudo touch ${apt_usr_share_keyring}
sudo chmod a+r ${apt_usr_share_keyring}
fi
# download keyring then add key to keyring
curl -fsSL -o /tmp/datasaker.gpg.key https://dsk-agent-s3.s3.ap-northeast-2.amazonaws.com/dsk-agent-s3/public/public.gpg.key
cat /tmp/datasaker.gpg.key | sudo gpg --import --batch --no-default-keyring --keyring "${apt_usr_share_keyring}"
# copy keyring to trusted keyring
if ! [ -f ${apt_trusted_d_keyring} ]; then
sudo cp -a ${apt_usr_share_keyring} ${apt_trusted_d_keyring}
fi
# add apt source list
if ! [ -f /etc/apt/sources.list.d/datasaker.list ]; then
echo "deb [signed-by=${apt_usr_share_keyring}] https://nexus.exem-oss.org/repository/debian-repos/ ubuntu main" | sudo tee /etc/apt/sources.list.d/datasaker.list > /dev/null
fi
sudo apt update
sudo apt install $1

5
ansible/00_old/key_test.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/usr/bin/expect -f
spawn ssh-copy-id root@$argv
expect "password:"
send "saasadmin1234\n"
expect eof

53
ansible/00_old/local_datasaker.yml Normal file
View File

@@ -0,0 +1,53 @@
---
- hosts: local
become: true
roles:
- role: dsk_bot.datasaker
vars:
datasaker_api_key: "XQOt9G3oAtsOQyd3U25JwOu3/sE+zj/m3kRKL/d0OUAQn30jVlrBKN/gJp9cJ4C9CHU1D1vSEPRxaCk8NuwZh6+v48TiaingDy6F74YGySRvnH0gqdmfxLSGisD/g8/JqBlIwhhyMSVCVfAkcNysLnwLi4xLnZMlvVi2Lzo3MiekSfJS5adR3hAv6pCaCFe2rNW24pYS5PBYkP/kxp/cfYAN/UhVEs5J+h4/iQ5vozQgvWuskBpOjlUeEYZnMZ6Al91gAUmSRoxtzLc+QOdfp7+uDXpwXPm80bQz9bR20Elcr4+rNqLcc2ONwJwrSveDSvJn4xjB6n95hEYbaDHUpA=="
datasaker_agents: ["dsk-node-agent","dsk-log-agent"]
#datasaker_api_key: "eO58wEYK/2HThAV+5jgv7Or/qW3zJknBQF0FJt5Xo4kSZ9YH2/CJgfNUwKbGwlbzmihG9dVsSmmS40szOuvRVZJO0vPga98sJNI32AJdWaYX8oCNFouI0lYG+r9Y4vahrS7+FVwntyfkjETotqBDvoQ5HjGjvW0wviPagW/alNbI5pvpWwBHtgz9D83Y8DSvCvO64G4xhyIYZPSML11EqWUO8prYT8LfdD4n2oBp0QJ3cXKdvJAUc4w5LKbTASb8x8UTpVU3JH3Wnwe79PKftJ8YdxOtb5jjzXeOEEM2GD8xz4pbB7scCx5oJCWQLF1js6a2uFLENBgW+ztHRf1j2Q=="
#datasaker_api_key: "1VL7/mhddWkQaS/vf/VjjwjnwaUhtZnLL++ih9LxYSB7HVkPpZw1Duy/4gxLN/73Vga00bD79mVd6N4dP0BVxmGqLnR6xItnSLlO3M6LmOMuM8bLaBuxxOvxST3lxpvtI0B2ilyjqTLh5y+NJWFV7Awq4zpqnPnTZ5dryp3yc4zc3C7Vxu0f2CL7/oGT0LRj/1l7gchuUxw2TVDLFFRylb+cFt6/NNylBxIb1wKGILd7N6NGgnsdRcrv4ZvTEPusrDqxO3IRYF6z9ZNbkQ1BPeDINtVFTgwhqFZjxg6erd8oqscB9n1DHOi6+tJ8VSHi2w5hYxHq93EV4cxBfzXAug=="
#datasaker_agents: ["dsk-node-agent","dsk-log-agent"]
datasaker_docker_agents: ["dsk-docker-node-agent","dsk-docker-log-agent"]
#datasaker_docker_agents: ["dsk-docker-log-agent"]
#postgres_user_name: jhjung
#postgres_user_password: 1q2w3e4r
#postgres_database_address: 0.0.0.0
#postgres_database_port: 5432
#plan_postgres_user_name: jhjung
#plan_postgres_user_password: 1q2w3e4r
#plan_postgres_database_address: 0.0.0.0
#plan_postgres_database_port: 5432
#plan_postgres_database_name: test
datagate_trace_url: 10.10.43.111
datagate_trace_port: 31300
datagate_trace_timeout: 5s
datagate_manifest_url: 10.10.43.111
datagate_manifest_port: 31301
datagate_manifest_timeout: 5s
datagate_metric_url: 10.10.43.111
datagate_metric_port: 31302
datagate_metric_timeout: 5s
datagate_plan_url: 10.10.43.111
datagate_plan_port: 31303
datagate_plan_timeout: 5s
datagate_loggate_url: 10.10.43.111
datagate_loggate_port: 31304
datagate_loggate_timeout: 5s
datasaker_api_url: 10.10.43.111:31501
datasaker_api_send_interval: 1m
#uninstall: True
#datasaker_clean: True
app_name: test
custom_log_volume:
- /var/lib/docker
- /var/docker
logs:
- collect:
type: driver

9
ansible/00_old/node_role.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
- hosts: agent
become: true
roles:
- teleport
vars:
# remove: True
# custom_labels: 'user=havelight,company=exem'
update: True

27
ansible/00_old/roles.yaml Executable file
View File

@@ -0,0 +1,27 @@
---
- hosts: test
# become: true
# gather_facts: true
roles:
- role: datasaker
vars:
- datasaker_api_key: yCWIqbipuRMULli6qs4vWs8GfV9rQo8gciSKPvAozxiy05HcPru9LChyNQMtVk0xlmz7UqTj/s6682tiHa9wir/1hOxlLDYipWHPgHXZ1WEJDVvXD/z5Pw8G6IMcNwmgXwXfRZuRvWsSlHva28opykqE/oDHMcwnsABYljd+/VG8UEik08rRpI1t48We0HceZSuJ0aO+9FvoCcjPSHjrj17KCX1beS0UO3iHrRkQOFKOFfHK/fZ3G27YoZgs8ySH+90kLUP65AoAne5TFgXRVJJUCZgr5o2ajEyTi4bkwdt7v1X6/3fIO9kkElfQPZoCQ1u5S9eJfIkkmTEpWSLtuQ==
- datasaker_agents: ['dsk-node-agent','dsk-trace-agent','dsk-log-agent','dsk-plan-postgres-agent']
# vars:
# - datagate_trace_url: test
# - datagate_trace_port: test
# - datagate_trace_timeout: test
# - datagate_manifes_url: test
# - datagate_manifest_port: test
# - datagate_manifest_timeout: test
# - datagate_metric_url: test
# - datagate_metric_port: test
# - datagate_metric_timeout: test
# - datagate_plan_url: test
# - datagate_plan_port: test
# - datagate_plan_timeout: test
# - datagate_loggate_url: test
# - datagate_loggate_port: test
# - datagate_loggate_timeout: test
# - datasaker_api_url: test
# - datasaker_api_send_interval: test

18
ansible/00_old/test.yml Normal file
View File

@@ -0,0 +1,18 @@
---
- hosts: all
vars:
test_check: {}
tasks:
- name: test
set_fact:
test_check: "{{ test_check | default({}, true) }}"
- name: mapping
assert:
that:
- test_check is mapping
- name: test
debug:
msg:
- "{{ test_check }}"

10
ansible/00_old/vault_test.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
- hosts: all
tasks:
- name: Get password from Vault
ansible.builtin.debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hostname2 token=hvs.CAESIOy5Troiesm65BQYj_QhF996yilil8whnWP5FWHp3eE8Gh4KHGh2cy40OTBCT09SdTl1c3FRNmFXenFBUmxVSkE url=http://vault.vault:8200') }}"
register: vault_result
- name: Use password from Vault
ansible.builtin.command: echo "{{ vault_result.msg }}"