From d1728dcd6de36778e6ec0bb99ea9e37ac2f56645 Mon Sep 17 00:00:00 2001 From: Pamela Dragosh Date: Tue, 14 Feb 2017 19:57:17 -0500 Subject: Initial OpenECOMP policy/docker commit Change-Id: Ib37c3693614ee21a78f838e63eb40319cc85bdc6 
Signed-off-by: Pamela Dragosh --- .gitreview | 4 + LICENSE.txt | 16 + README.md | 16 + config/drools/base.conf | 55 +++ config/drools/drools-tweaks.sh | 30 ++ config/drools/policy-keystore | Bin 0 -> 5640 bytes config/drools/policy-management.conf | 5 + config/pe/base.conf | 20 + config/pe/brmsgw-tweaks.sh | 2 + config/pe/brmsgw.conf | 43 ++ config/pe/console.conf | 135 ++++++ config/pe/mysql.conf | 5 + config/pe/pap-tweaks.sh | 15 + config/pe/pap.conf | 55 +++ config/pe/paplp.conf | 12 + config/pe/pdp-tweaks.sh | 2 + config/pe/pdp.conf | 36 ++ config/pe/pdplp.conf | 12 + config/pe/push-policies.sh | 75 +++ config/pe/pypdp-tweaks.sh | 3 + config/pe/pypdp.conf | 25 + docker-compose.yml | 80 ++++ policy-base/Dockerfile | 12 + policy-db/Dockerfile | 17 + policy-db/dbinit.sh | 38 ++ policy-db/do-start.sh | 12 + policy-drools/Dockerfile | 11 + policy-drools/do-start.sh | 49 ++ policy-drools/docker-install.sh | 851 +++++++++++++++++++++++++++++++++++ policy-drools/wait-for-port.sh | 18 + policy-nexus/Dockerfile | 19 + policy-os/Dockerfile | 12 + policy-pe/Dockerfile | 13 + policy-pe/do-start.sh | 97 ++++ policy-pe/docker-install.sh | 674 +++++++++++++++++++++++++++ policy-pe/wait-for-port.sh | 18 + pom.xml | 109 +++++ 37 files changed, 2596 insertions(+) create mode 100644 .gitreview create mode 100644 LICENSE.txt create mode 100644 README.md create mode 100644 config/drools/base.conf create mode 100755 config/drools/drools-tweaks.sh create mode 100644 config/drools/policy-keystore create mode 100644 config/drools/policy-management.conf create mode 100644 config/pe/base.conf create mode 100755 config/pe/brmsgw-tweaks.sh create mode 100644 config/pe/brmsgw.conf create mode 100644 config/pe/console.conf create mode 100644 config/pe/mysql.conf create mode 100755 config/pe/pap-tweaks.sh create mode 100644 config/pe/pap.conf create mode 100644 config/pe/paplp.conf create mode 100755 config/pe/pdp-tweaks.sh create mode 100644 config/pe/pdp.conf create mode 100644 
config/pe/pdplp.conf create mode 100644 config/pe/push-policies.sh create mode 100755 config/pe/pypdp-tweaks.sh create mode 100644 config/pe/pypdp.conf create mode 100644 docker-compose.yml create mode 100644 policy-base/Dockerfile create mode 100644 policy-db/Dockerfile create mode 100644 policy-db/dbinit.sh create mode 100755 policy-db/do-start.sh create mode 100644 policy-drools/Dockerfile create mode 100644 policy-drools/do-start.sh create mode 100644 policy-drools/docker-install.sh create mode 100644 policy-drools/wait-for-port.sh create mode 100644 policy-nexus/Dockerfile create mode 100644 policy-os/Dockerfile create mode 100644 policy-pe/Dockerfile create mode 100644 policy-pe/do-start.sh create mode 100644 policy-pe/docker-install.sh create mode 100644 policy-pe/wait-for-port.sh create mode 100644 pom.xml diff --git a/.gitreview b/.gitreview new file mode 100644 index 00000000..245a0e4a --- /dev/null +++ b/.gitreview @@ -0,0 +1,4 @@ +[gerrit] +host=gerrit.openecomp.org +port=29418 +project=policy/docker.git diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 00000000..3ce0584e --- /dev/null +++ b/LICENSE.txt @@ -0,0 +1,16 @@ +Copyright © 2017 AT&T Intellectual Property. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may +not use this file except in compliance with the License. + +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations +under the License. + +ECOMP and OpenECOMP are trademarks and service marks of AT&T Intellectual Property. diff --git a/README.md b/README.md new file mode 100644 index 00000000..3a4b4cd2 --- /dev/null +++ b/README.md 
@@ -0,0 +1,16 @@ +This source repository contains the files for building the OpenECOMP Policy Engine Docker images. + +To build it using Maven 3, first build 'policy-common-modules', 'policy-engine', 'policy-drools-pdp', and 'policy-drools-applications' repositories, and then run: mvn prepare-package. This will pull the installation zip files needed for building the policy-pe and policy-drools Docker images into the target directory. It will not actually build the docker images; the following additional steps are needed to accomplish this: + +- Copy the files under policy-pe to target/policy-pe +- Copy the files under policy-drools to target/policy-drools +- Run the 'docker build' command on the following directories, in order: + policy-os + policy-db + policy-nexus + policy-base + target/policy-pe + target/policy-drools + +In addition, the 'config' dirctory contains configuration files that are read during the startup of the containers; this directory is referenced by the docker-compose.yml file. + diff --git a/config/drools/base.conf b/config/drools/base.conf new file mode 100644 index 00000000..f6c9519f --- /dev/null +++ b/config/drools/base.conf 
@@ -0,0 +1,55 @@ +POLICY_HOME=/opt/app/policy +JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64 +KEYSTORE_PASSWD=PolicyR0ck$ + +ENGINE_MANAGEMENT_PORT=9696 +ENGINE_MANAGEMENT_HOST=localhost +ENGINE_MANAGEMENT_USER=@1b3rt +ENGINE_MANAGEMENT_PASSWORD=31nst@1n + +JDBC_DRIVER=org.mariadb.jdbc.Driver +JDBC_URL=jdbc:mysql://mariadb:3306/ecomp_sdk +JDBC_DROOLS_URL=jdbc:mysql://mariadb:3306/drools +JDBC_USER=policy_user +JDBC_PASSWORD=policy_user + +# Integrity Monitor properties +site_name=site_1 +fp_monitor_interval=30 +failed_counter_threshold=3 +test_trans_interval=20 +write_fpc_interval=5 +max_fpc_update_interval=60 +test_via_jmx=false +jmx_fqdn= +node_type=pdp_drools +# Dependency groups are groups of resources upon which a node operational state is dependent upon. +# Each group is a comma-separated list of resource names and groups are separated by a semicolon. +dependency_groups= +resource_name=pdpd_1 + +# The (optional) period of time in seconds between executions of the integrity audit. +# Value < 0 : Audit does not run (default value if property is not present = -1) +# Value = 0 : Audit runs continuously +# Value > 0 : The period of time in seconds between execution of the audit on a particular node +integrity_audit_period_seconds=-1 + +host_port=0.0.0.0:9981 + +# To use a Nexus repository for rules artifacts, +# following properties must be uncommented and set: +snapshotRepositoryID=policy-nexus-snapshots +snapshotRepositoryUrl=http://nexus:8081/nexus/content/repositories/snapshots/ +releaseRepositoryID=policy-nexus-releases +releaseRepositoryUrl=http://nexus:8081/nexus/content/repositories/releases/ +repositoryUsername=admin +repositoryPassword=admin123 + +PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION +PDPD_CONFIGURATION_SERVERS=vm1.mr.simpledemo.openecomp.org +PDPD_CONFIGURATION_API_KEY= +PDPD_CONFIGURATION_API_SECRET= +PDPD_CONFIGURATION_CONSUMER_GROUP= +PDPD_CONFIGURATION_CONSUMER_INSTANCE= +PDPD_CONFIGURATION_PARTITION_KEY= + 
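Review bot: Every credential this file needs is committed in clear text — `KEYSTORE_PASSWD=PolicyR0ck$`, `ENGINE_MANAGEMENT_USER=@1b3rt`/`ENGINE_MANAGEMENT_PASSWORD=31nst@1n`, `JDBC_PASSWORD=policy_user` and the Nexus pair `repositoryUsername=admin`/`repositoryPassword=admin123` — and nothing on the page marks them as demo defaults, so they are what a fresh deployment runs with until someone notices. The same applies to config/pe/base.conf, brmsgw.conf, console.conf, pdp.conf and pypdp.conf in this commit, which repeat `alpha123`, `policy_user` and `admin123`. Since policy-drools/do-start.sh copies `config/*.conf` from the mounted volume at start, a one-line header here would at least make the intent explicit: `# Demo values only: every password below is in source control; supply a site-specific config/ directory before any non-local deployment.` Separately, `JDBC_URL=jdbc:mysql://mariadb:3306/ecomp_sdk` is paired with `JDBC_DRIVER=org.mariadb.jdbc.Driver` while config/pe/base.conf uses the `jdbc:mariadb://` scheme for the same driver; whether the driver accepts both schemes is not shown here, so the two files should agree or the difference should be commented.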
diff --git a/config/drools/drools-tweaks.sh b/config/drools/drools-tweaks.sh
new file mode 100755
index 00000000..edf5e9d5
--- /dev/null
+++ b/config/drools/drools-tweaks.sh
@@ -0,0 +1,30 @@
+#! /bin/bash
+
+# changes for health check
+options enable policy-healthcheck
+sedArgs=("-i")
+while read var value ; do
+ if [[ "${var}" == "" ]] ; then
+ continue
+ fi
+ sedArgs+=("-e" "s@\${{${var}}}@${value}@g")
+done <<-EOF
+ PAP_HOST pap
+ PAP_USERNAME testpap
+ PAP_PASSWORD alpha123
+ PDP_HOST pdp
+ PDP_USERNAME testpdp
+ PDP_PASSWORD alpha123
+EOF
+
+# convert file
+sed "${sedArgs[@]}" ${POLICY_HOME}/config/*health*
+
+cat >>${POLICY_HOME}/config/*health* <<-'EOF'
+ http.server.services.HEALTHCHECK.userName=healthcheck
+ http.server.services.HEALTHCHECK.password=zb!XztG34
+EOF
+
+sed -i -e 's/DCAE-CL-EVENT/unauthenticated.TCA_EVENT_OUTPUT/' \
+ -e '/TCA_EVENT_OUTPUT\.servers/s/servers=.*$/servers=10.0.4.102/' \
+ $POLICY_HOME/config/v*-controller.properties
diff --git a/config/drools/policy-keystore b/config/drools/policy-keystore
new file mode 100644
index 00000000..ab25c3a3
Binary files /dev/null and b/config/drools/policy-keystore differ
diff --git a/config/drools/policy-management.conf b/config/drools/policy-management.conf
new file mode 100644
index 00000000..843b832e
--- /dev/null
+++ b/config/drools/policy-management.conf
@@ -0,0 +1,5 @@
+CONTROLLER_ARTIFACT_ID=policy-management
+CONTROLLER_NAME=policy-management-controller
+CONTROLLER_PORT=9696
+RULES_ARTIFACT=not-used:not-used:1.0.0-SNAPSHOT
+UEB_TOPIC=policyengine-develop
diff --git a/config/pe/base.conf b/config/pe/base.conf
new file mode 100644
index 00000000..e798a40d
--- /dev/null
+++ b/config/pe/base.conf
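Review bot: The append `cat >>${POLICY_HOME}/config/*health* <<-'EOF'` uses a glob as a redirection target: bash raises "ambiguous redirect" if it matches more than one file, and if it matches nothing it creates a file literally named `*health*`, so the healthcheck credentials are silently written to the wrong place and the preceding `sed` edit on the same glob is a no-op. Resolve the path once and check it, e.g. `hc=("${POLICY_HOME}"/config/*health*)` followed by `[[ ${#hc[@]} -eq 1 && -f ${hc[0]} ]] || { echo "healthcheck config not found" >&2; exit 1; }`, then use `"${hc[0]}"` in both commands. The script has no `set -e` and neither `options enable policy-healthcheck` nor either `sed` has its status checked, so a failure here does not stop do-start.sh from launching. The values fed through the here-doc (`PAP_PASSWORD alpha123`, `PDP_PASSWORD alpha123`, `HEALTHCHECK.password=zb!XztG34`) and the literal `servers=10.0.4.102` are environment-specific and belong in the mounted config rather than in this script; a comment saying so would help the next reader.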
@@ -0,0 +1,20 @@ +JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64 +POLICY_HOME=/opt/app/policy +KEYSTORE_PASSWD=PolicyR0ck$ + +JDBC_DRIVER=org.mariadb.jdbc.Driver +JDBC_URL=jdbc:mariadb://mariadb:3306/ecomp_sdk +JDBC_LOG_URL=jdbc:mariadb://mariadb:3306/log +JDBC_USER=policy_user +JDBC_PASSWORD=policy_user + +site_name=site_1 +fp_monitor_interval=30 +failed_counter_threshold=3 +test_trans_interval=20 +write_fpc_interval=5 +max_fpc_update_interval=60 +test_via_jmx=false +jmx_fqdn= + +ENVIRONMENT=TEST diff --git a/config/pe/brmsgw-tweaks.sh b/config/pe/brmsgw-tweaks.sh new file mode 100755 index 00000000..f6825363 --- /dev/null +++ b/config/pe/brmsgw-tweaks.sh @@ -0,0 +1,2 @@ +#! /bin/bash + diff --git a/config/pe/brmsgw.conf b/config/pe/brmsgw.conf new file mode 100644 index 00000000..da2cd0a4 --- /dev/null +++ b/config/pe/brmsgw.conf 
@@ -0,0 +1,43 @@ +# BRMSpep component installation configuration parameters +BRMSGW_JMX_PORT=9989 + +COMPONENT_X_MX_MB=1024 +COMPONENT_X_MS_MB=1024 + +REST_PAP_URL=http://pap:9091/pap/ +REST_PDP_ID=http://pdp:8081/pdp/ + +PDP_HTTP_USER_ID=testpdp +PDP_HTTP_PASSWORD=alpha123 +PDP_PAP_PDP_HTTP_USER_ID=testpap +PDP_PAP_PDP_HTTP_PASSWORD=alpha123 + +M2_HOME=/usr/share/maven +snapshotRepositoryID=policy-nexus-snapshots +snapshotRepositoryName=Snapshots +snapshotRepositoryURL=http://nexus:8081/nexus/content/repositories/snapshots +releaseRepositoryID=policy-nexus-releases +releaseRepositoryName=Releases +releaseRepositoryURL=http://nexus:8081/nexus/content/repositories/releases +repositoryUsername=admin +repositoryPassword=admin123 +UEB_URL=vm1.mr.simpledemo.openecomp.org +UEB_TOPIC=PDPD-CONFIGURATION +UEB_API_KEY= +UEB_API_SECRET= + +groupID=org.openecomp.policy-engine +artifactID=drlPDPGroup +VFW_GROUP_ID=org.openecomp.policy-engine.drools.vFW +VFW_ARTIFACT_ID=policy-vFW-rules +VDNS_GROUP_ID=org.openecomp.policy-engine.drools.vDNS +VDNS_ARTIFACT_ID=policy-vDNS-rules + + +# the java property is RESOURCE_NAME (uppercase), but the conf parameter is lowercase +resource_name=brmsgw_1 +node_type=brms_gateway + +CLIENT_ID=PyPDPServer +CLIENT_KEY=test +ENVIRONMENT=TEST diff --git a/config/pe/console.conf b/config/pe/console.conf new file mode 100644 index 00000000..6606addb --- /dev/null +++ b/config/pe/console.conf 
@@ -0,0 +1,135 @@ +# configs component installation configuration parameters + +# tomcat specific parameters + +TOMCAT_JMX_PORT=9993 +TOMCAT_SHUTDOWN_PORT=8090 +SSL_HTTP_CONNECTOR_PORT=8443 +SSL_HTTP_CONNECTOR_REDIRECT_PORT=8443 +SSL_AJP_CONNECTOR_PORT=8383 +SSL_AJP_CONNECTOR_REDIRECT_PORT=8443 + +TOMCAT_X_MS_MB=2048 +TOMCAT_X_MX_MB=2048 + +# ------------------ console properties --------------------------- + +# +# Authorization Policy + +ROOT_POLICIES=admin +ADMIN_FILE=Policy-Admin.xml + + +# Set your domain here: + +REST_ADMIN_DOMAIN=com + +# +# Location where the GIT repository is located +# +REST_ADMIN_REPOSITORY=repository + +# +# Location where all the user workspaces are located. +# +REST_ADMIN_WORKSPACE=${{POLICY_HOME}}/servers/console/bin/workspace + +# +# These can be set so the Admin Console knows who is logged on. Ideally, you can run the console in a J2EE +# container and setup authentication as you please. Setting HttpSession attribute values will override these +# values set in the properties files. +# +# ((HttpServletRequest) request).getSession().setAttribute("xacml.rest.admin.user.name", "Homer"); +# +# The default policy: Policy-Admin.xml is extremely simple. +# +# You can test authorization within the Admin Console by changing the user id. +# There are 3 supported user ids: +# guest - Read only access +# editor - Read/Write access +# admin - Read/Write/Admin access +# +# An empty or null value for xacml.rest.admin.user.id results in no access to the application at all. +# +# This is for development/demonstration purposes only. A production environment should provide authentication which is +# outside the scope of this application. This application can be used to develop a XACML policy for user authorization +# within this application. +# + +REST_ADMIN_USER_NAME=Administrator +REST_ADMIN_USER_ID=super-admin + +# +# +# Property to declare the max time frame for logs. 
+# +LOG_TIMEFRAME=30 + +# Property to declare the number of visible rows for users in MicroService Policy +COLUMN_COUNT=3 + +# Dashboard refresh rate in miliseconds +REFRESH_RATE=40000 + +# +# URL location for the PAP servlet. +# + + +REST_PAP_URL=http://pap:9091/pap/ + +# +# Config/Action Properties location. +# + +REST_CONFIG_HOME=${{POLICY_HOME}}/servers/pap/webapps/Config/ +REST_ACTION_HOME=${{POLICY_HOME}}/servers/pap/webapps/Action/ +REST_CONFIG_URL=http://pap:9091/ +REST_CONFIG_WEBAPPS=${{POLICY_HOME}}/servers/pap/webapps/ + +# PAP account information +CONSOLE_PAP_HTTP_USER_ID=testpap +CONSOLE_PAP_HTTP_PASSWORD=alpha123 + + +node_type=pap_admin +resource_name=console_1 + +# The (optional) period of time in seconds between executions of the integrity audit. +# Value < 0 : Audit does not run (default value if property is not present = -1) +# Value = 0 : Audit runs continuously +# Value > 0 : The period of time in seconds between execution of the audit on a particular node +integrity_audit_period_seconds=-1 + +#Automatic Policy Distribution +automatic_push=false + +#Diff of policies for Firewall feature +FW_GETURL= +FW_AUTHOURL= +FW_PROXY= +FW_PORT= + +#SMTP Server Details for Java Mail +ecomp_smtp_host= +ecomp_smtp_port=25 +ecomp_smtp_userName= +ecomp_smtp_password= +ecomp_application_name= + +#-----------------------ECOMP-PORTAL-Properties---------------------- + +ECOMP_REDIRECT_URL=http://portal.api.simpledemo.openecomp.org:8989/ECOMPPORTAL/login.htm +ECOMP_REST_URL= +ECOMP_UEB_URL_LIST= +ECOMP_PORTAL_INBOX_NAME= +ECOMP_UEB_APP_KEY= +ECOMP_UEB_APP_SECRET= +ECOMP_UEB_APP_MAILBOX_NAME= +APP_DISPLAY_NAME=OpenECOMP Policy +ECOMP_SHARED_CONTEXT_REST_URL=http://portal.api.simpledemo.openecomp.org:8989/ECOMPPORTAL/context + +#Add the Rest PAP url and pap auth password on adding delimiter @Auth@ + +REST_PAPURL_WITH_AUTH_PASSWORD=http://policy.api.simpledemo.openecomp.org:9091/pap/@Auth@dGVzdHBhcDphbHBoYTEyMw== 
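Review bot: `REST_PAPURL_WITH_AUTH_PASSWORD=http://policy.api.simpledemo.openecomp.org:9091/pap/@Auth@dGVzdHBhcDphbHBoYTEyMw==` embeds the Basic-auth encoding of the `CONSOLE_PAP_HTTP_USER_ID`/`CONSOLE_PAP_HTTP_PASSWORD` pair declared earlier in this file, so it is a reversible copy of that password rather than a separate secret, and it must be regenerated by hand whenever the pair changes. The comment above it ("Add the Rest PAP url and pap auth password on adding delimiter @Auth@") does not say this; `# base64("<user>:<password>") of CONSOLE_PAP_HTTP_USER_ID/CONSOLE_PAP_HTTP_PASSWORD above - keep in sync` would. It is also the only value in the file that names the external host `policy.api.simpledemo.openecomp.org` instead of the compose hostname `pap`, which is why config/pe/pap-tweaks.sh has to patch it afterwards; deriving the whole value at start-up from the two properties would remove both the duplication and the patch. The console's own comment block already states that `REST_ADMIN_USER_ID=super-admin` with no authentication is for development only, which is consistent with the demo credentials elsewhere in this commit.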
diff --git a/config/pe/mysql.conf b/config/pe/mysql.conf new file mode 100644 index 00000000..28b9e3ca --- /dev/null +++ b/config/pe/mysql.conf @@ -0,0 +1,5 @@ +# mysql scripts component installation configuration parameters + +# Path to mysql bin +MYSQL_BIN=/usr/local/mysql/bin + diff --git a/config/pe/pap-tweaks.sh b/config/pe/pap-tweaks.sh new file mode 100755 index 00000000..be8a905a --- /dev/null +++ b/config/pe/pap-tweaks.sh @@ -0,0 +1,15 @@ +#! /bin/bash + +# config directory may contain an ip_addr.txt file that specifies +# the VM IP address. Substitute this value in the URL in the +# config.json file, overriding the hostname that came from the +# REST_PAPURL_WITH_AUTH_PASSWORD property in console.conf. This is +# to avoid hardcoding an IP address in console.conf that can change +# from one VM instance to the next. + +if [[ -f config/ip_addr.txt ]]; then + vm_ip=$( 0 : The period of time in seconds between execution of the audit on a particular node +integrity_audit_period_seconds=-1 diff --git a/config/pe/paplp.conf b/config/pe/paplp.conf new file mode 100644 index 00000000..9fdd643b --- /dev/null +++ b/config/pe/paplp.conf @@ -0,0 +1,12 @@ +# JVM specific parameters +LOGPARSER_JMX_PORT=9996 +LOGPARSER_X_MS_MB=1024 +LOGPARSER_X_MX_MB=1024 + +SERVER=http://pap:9091/pap/ +LOGPATH=${{POLICY_HOME}}/servers/pap/logs/pap-rest.log +PARSERLOGPATH=IntegrityMonitor.log + +node_type=logparser +# the java property is RESOURCE_NAME (uppercase), but the conf parameter is lowercase +resource_name=paplp_1 diff --git a/config/pe/pdp-tweaks.sh b/config/pe/pdp-tweaks.sh new file mode 100755 index 00000000..f6825363 --- /dev/null +++ b/config/pe/pdp-tweaks.sh @@ -0,0 +1,2 @@ +#! /bin/bash + diff --git a/config/pe/pdp.conf b/config/pe/pdp.conf new file mode 100644 index 00000000..363fdcb3 --- /dev/null +++ b/config/pe/pdp.conf 
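Review bot: In config/pe/pap-tweaks.sh the value read from `config/ip_addr.txt` is used, per the script's own comment, to rewrite the URL in config.json, but nothing visible checks that the file holds a single address-like token before it is substituted; the substitution lines themselves are not legible in this rendering (the text after `vm_ip=$(` up to the pap.conf audit comment appears to have been swallowed), so this is inferred from the comment. A guard such as `[[ $vm_ip =~ ^[0-9]+(\.[0-9]+){3}$ ]] || { echo "bad ip_addr.txt" >&2; exit 1; }` before the rewrite would keep a stray newline or a non-address string out of the JSON. Because config/ is a volume mounted from the host in docker-compose.yml, this file is an input to the container rather than part of the image, which is worth stating in the header comment.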
@@ -0,0 +1,36 @@ +# pdp component installation configuration parameters + +# tomcat specific parameters + +TOMCAT_JMX_PORT=9991 +TOMCAT_SHUTDOWN_PORT=8087 +SSL_HTTP_CONNECTOR_PORT=8081 +SSL_AJP_CONNECTOR_PORT=8381 +SSL_AJP_CONNECTOR_REDIRECT_PORT=8443 + +TOMCAT_X_MS_MB=1024 +TOMCAT_X_MX_MB=1024 + +# pdp properties + +UEB_CLUSTER=vm1.mr.simpledemo.openecomp.org + +REST_PAP_URL=http://pap:9091/pap/ +REST_PDP_ID=http://pdp:8081/pdp/ +REST_PDP_CONFIG=${{POLICY_HOME}}/servers/pdp/bin/config +REST_PDP_WEBAPPS=${{POLICY_HOME}}/servers/pdp/webapps +REST_PDP_REGISTER=true +REST_PDP_REGISTER_SLEEP=15 +REST_PDP_REGISTER_RETRIES=-1 +REST_PDP_MAXCONTENT=999999999 + +# PDP related properties +PDP_HTTP_USER_ID=testpdp +PDP_HTTP_PASSWORD=alpha123 +PDP_PAP_PDP_HTTP_USER_ID=testpap +PDP_PAP_PDP_HTTP_PASSWORD=alpha123 + +node_type=pdp_xacml +resource_name=pdp_1 +dependency_groups=pdplp_1;pypdp_1;brmsgw_1 +test_via_jmx=true diff --git a/config/pe/pdplp.conf b/config/pe/pdplp.conf new file mode 100644 index 00000000..789d2b01 --- /dev/null +++ b/config/pe/pdplp.conf @@ -0,0 +1,12 @@ +# JVM specific parameters +LOGPARSER_JMX_PORT=9997 +LOGPARSER_X_MS_MB=1024 +LOGPARSER_X_MX_MB=1024 + +SERVER=http://pdp:8081/pdp/ +LOGPATH=${{POLICY_HOME}}/servers/pdp/logs/pdp-rest.log +PARSERLOGPATH=IntegrityMonitor.log + +node_type=logparser +# the java property is RESOURCE_NAME (uppercase), but the conf parameter is lowercase +resource_name=pdplp_1 diff --git a/config/pe/push-policies.sh b/config/pe/push-policies.sh new file mode 100644 index 00000000..957156ed --- /dev/null +++ b/config/pe/push-policies.sh 
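Review bot: `REST_PDP_MAXCONTENT=999999999` sets the accepted request size to roughly a gigabyte with no comment on why, and together with `REST_PDP_REGISTER_RETRIES=-1` (retry forever) the file has two unbounded limits that a reader cannot tell apart from typos. A short comment on each would settle it, e.g. `# max request body in bytes accepted by the PDP REST endpoint` and `# -1 = retry registration with the PAP indefinitely`. The connector is configured under `SSL_HTTP_CONNECTOR_PORT=8081` while `REST_PDP_ID=http://pdp:8081/pdp/` and every other URL in this commit use plain `http://`; whether the installer actually enables TLS on that port is not shown here, so the name and the scheme should be reconciled or the difference commented. The same `SSL_`-prefix-with-`http://`-URL pattern appears in config/pe/pypdp.conf and console.conf.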
@@ -0,0 +1,75 @@ +#! /bin/bash + + +echo "Pushing default policies" + +# Sometimes brmsgw gets an error when trying to retrieve the policies on initial push, +# so for the BRMS policies we will do a push, then delete from the pdp group, then push again. +# Second push should be successful. + +curl -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz' --header 'Environment: TEST' -d '{ + "pdpGroup": "default", + "policyName": "vFirewall", + "policyScope": "com", + "policyType": "MicroService" +}' 'http://pypdp:8480/PyPDPServer/pushPolicy' + +sleep 2 + +curl -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz' --header 'Environment: TEST' -d '{ + "pdpGroup": "default", + "policyName": "vLoadBalancer", + "policyScope": "com", + "policyType": "MicroService" +}' 'http://pypdp:8480/PyPDPServer/pushPolicy' + +sleep 2 +curl -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz' --header 'Environment: TEST' -d '{ + "pdpGroup": "default", + "policyName": "BRMSParamvLBDemoPolicy", + "policyScope": "com", + "policyType": "BRMS_Param" +}' 'http://pypdp:8480/PyPDPServer/pushPolicy' + +sleep 2 + +curl -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz' --header 'Environment: TEST' -d '{ + "pdpGroup": "default", + "policyName": "BRMSParamvFWDemoPolicy", + "policyScope": "com", + "policyType": "BRMS_Param" +}' 'http://pypdp:8480/PyPDPServer/pushPolicy' + +sleep 2 + +curl -X DELETE --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 
'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz' --header 'Environment: TEST' -d '{ +"pdpGroup": "default", +"policyComponent": "PDP", +"policyName": "com.Config_BRMS_Param_BRMSParamvFWDemoPolicy.1.xml" +}' 'http://pypdp:8480/PyPDPServer/deletePolicy' + + + +curl -X DELETE --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz' --header 'Environment: TEST' -d '{ +"pdpGroup": "default", +"policyComponent": "PDP", +"policyName": "com.Config_BRMS_Param_BRMSParamvLBDemoPolicy.1.xml" +}' 'http://pypdp:8480/PyPDPServer/deletePolicy' + +sleep 2 +curl -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz' --header 'Environment: TEST' -d '{ + "pdpGroup": "default", + "policyName": "BRMSParamvLBDemoPolicy", + "policyScope": "com", + "policyType": "BRMS_Param" +}' 'http://pypdp:8480/PyPDPServer/pushPolicy' + +sleep 2 + +curl -X PUT --header 'Content-Type: application/json' --header 'Accept: text/plain' --header 'ClientAuth: cHl0aG9uOnRlc3Q=' --header 'Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz' --header 'Environment: TEST' -d '{ + "pdpGroup": "default", + "policyName": "BRMSParamvFWDemoPolicy", + "policyScope": "com", + "policyType": "BRMS_Param" +}' 'http://pypdp:8480/PyPDPServer/pushPolicy' + diff --git a/config/pe/pypdp-tweaks.sh b/config/pe/pypdp-tweaks.sh new file mode 100755 index 00000000..5d899bd1 --- /dev/null +++ b/config/pe/pypdp-tweaks.sh @@ -0,0 +1,3 @@ +#! /bin/bash + + diff --git a/config/pe/pypdp.conf b/config/pe/pypdp.conf new file mode 100644 index 00000000..4a792b47 --- /dev/null +++ b/config/pe/pypdp.conf 
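Review bot: None of the eight `curl` calls checks its result — there is no `--fail`, no `set -e`, and the exit status is never examined — so a 4xx/5xx from `pypdp:8480` is printed as a body and the script still reports "Pushing default policies" as if it had succeeded; the same `ClientAuth`/`Authorization` header block is also repeated verbatim in every call. The `Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz` literal is the Basic encoding of the `PYPDP_ID`/`PYPDP_PASSWORD` pair committed in config/pe/pypdp.conf, so committing it in encoded form protects nothing and means two places must be changed together. Folding the headers into one array and the PUT/DELETE bodies into two helpers makes each failure visible and leaves one place to build the header from the conf values at run time. If the first BRMS push is genuinely expected to return an HTTP error (the comment says brmsgw "gets an error" on the initial push), that single call can use a non-fatal variant; the rest should abort. The fixed `sleep 2` between calls is a timing assumption worth a comment, since wait-for-port.sh already exists for readiness checks.
```shell
# headers shared by every call, declared once instead of per command
hdrs=(--header 'Content-Type: application/json' --header 'Accept: text/plain'
      --header 'ClientAuth: cHl0aG9uOnRlc3Q='
      --header 'Authorization: Basic dGVzdHJlc3Q6M2MwbXBVI2gwMUBOMWMz'
      --header 'Environment: TEST')
pypdp='http://pypdp:8480/PyPDPServer'

# push_policy NAME TYPE: PUT to pushPolicy; --fail turns an HTTP error into
# a non-zero status so the script stops instead of continuing silently.
push_policy() {
  curl -sS --fail -X PUT "${hdrs[@]}" -d "{
  \"pdpGroup\": \"default\",
  \"policyName\": \"$1\",
  \"policyScope\": \"com\",
  \"policyType\": \"$2\"
}" "${pypdp}/pushPolicy" || { echo "push of $1 failed" >&2; exit 1; }
}

# delete_policy FILE: remove FILE from the default PDP group; warn only,
# because the delete is part of the brmsgw retry workaround.
delete_policy() {
  curl -sS --fail -X DELETE "${hdrs[@]}" -d "{
\"pdpGroup\": \"default\",
\"policyComponent\": \"PDP\",
\"policyName\": \"$1\"
}" "${pypdp}/deletePolicy" || echo "warning: delete of $1 failed" >&2
}

push_policy vFirewall MicroService
sleep 2
push_policy vLoadBalancer MicroService
sleep 2
# … unchanged: BRMS_Param push, delete, re-push sequence, now via the helpers …
```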
@@ -0,0 +1,25 @@ +# pypdp component installation configuration parameters + +# tomcat specific parameters + +TOMCAT_JMX_PORT=9994 +TOMCAT_SHUTDOWN_PORT=8405 +SSL_HTTP_CONNECTOR_PORT=8480 +SSL_AJP_CONNECTOR_PORT=8384 +SSL_AJP_CONNECTOR_REDIRECT_PORT=8443 + +TOMCAT_X_MS_MB=1024 +TOMCAT_X_MX_MB=1024 + +# pypdp parameters + +PDP_URL=http://pdp:8081/pdp/,testpdp,alpha123 +PAP_URL=http://pap:9091/pap/,testpap,alpha123 +PYPDP_ID=testrest +PYPDP_PASSWORD=3c0mpU#h01@N1c3 + +node_type=pypdp +# the java property is RESOURCE_NAME (uppercase), but the conf parameter is lowercase +resource_name=pypdp_1 + +CLIENT_FILE=client.properties diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 00000000..f4e73213 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,80 @@ +version: '2' +services: + mariadb: + image: ecomp-nexus:51220/policy/policy-db +# build: +# context: ./policy-db + container_name: mariadb + hostname: mariadb + ports: + - "3306:3306" + nexus: + image: ecomp-nexus:51220/policy/policy-nexus +# build: +# context: ./policy-nexus + container_name: nexus + hostname: nexus + pap: + image: ecomp-nexus:51220/policy/policy-pe +# build: +# context: ./policy-pe + container_name: pap + depends_on: + - mariadb + hostname: pap + ports: + - "8443:8443" + - "9091:9091" + command: pap + volumes: + - ./config/pe:/tmp/policy-install/config + pdp: + image: ecomp-nexus:51220/policy/policy-pe +# build: +# context: ./policy-pe + container_name: pdp + depends_on: + - pap + hostname: pdp + ports: + - "10.0.6.1:8081:8081" + command: pdp + volumes: + - ./config/pe:/tmp/policy-install/config + pypdp: + image: ecomp-nexus:51220/policy/policy-pe +# build: +# context: ./policy-pe + container_name: pypdp + depends_on: + - pap + hostname: pypdp + ports: + - "8480:8480" + command: pypdp + volumes: + - ./config/pe:/tmp/policy-install/config + brmsgw: + image: ecomp-nexus:51220/policy/policy-pe +# build: +# context: ./policy-pe + container_name: brmsgw + depends_on: + - pap + hostname: brmsgw + command: brmsgw + volumes: + - ./config/pe:/tmp/policy-install/config + drools: + image: ecomp-nexus:51220/policy/policy-drools +# build: +# context: ./policy-drools + container_name: drools + depends_on: + - mariadb + - nexus + hostname: drools + ports: + - "6969:6969" + volumes: + - ./config/drools:/tmp/policy-install/config diff --git a/policy-base/Dockerfile b/policy-base/Dockerfile new file mode 100644 index 00000000..943d3362 --- /dev/null +++ b/policy-base/Dockerfile 
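Review bot: `ports: - "3306:3306"` under `mariadb` publishes the database on every host interface, and the only accounts it has are the fixed `root`/`secret` and `policy_user`/`policy_user` pairs from policy-db/dbinit.sh; the other services reach it by the compose hostname `mariadb` on the internal network, so the publish is not needed for them. Binding it to loopback, `- "127.0.0.1:3306:3306"`, keeps host-side tooling working without exposing it to the host's network, and the same consideration applies to `8480` on `pypdp`, whose push endpoint is driven by the committed credentials in push-policies.sh. The `pdp` entry is the only one that binds a specific address, `"10.0.6.1:8081:8081"`; that ties the file to one VM's addressing and will fail on any host without that interface, so it should either follow the others or be commented as deliberate. The commented-out `build:` blocks suggest the images are meant to come from `ecomp-nexus:51220`; a note saying when to uncomment them would help a first-time reader.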
@@ -0,0 +1,12 @@
+FROM ecomp-nexus:51220/policy/policy-os
+
+
+# install MariaDB client
+RUN \
+ apt-get install -y apt-transport-https && \
+ apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db && \
+ add-apt-repository 'deb [arch=amd64,i386,ppc64el] https://mirrors.evowise.com/mariadb/repo/10.1/ubuntu trusty main' && \
+ apt-get update && \
+ apt-get install -y mariadb-client
+
+
diff --git a/policy-db/Dockerfile b/policy-db/Dockerfile
new file mode 100644
index 00000000..3f8ed0b7
--- /dev/null
+++ b/policy-db/Dockerfile
@@ -0,0 +1,17 @@
+FROM ecomp-nexus:51220/policy/policy-os
+
+RUN \
+ apt-get install -y apt-transport-https && \
+ apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db && \
+ add-apt-repository 'deb [arch=amd64,i386,ppc64el] https://mirrors.evowise.com/mariadb/repo/10.1/ubuntu trusty main' && \
+ apt-get update && \
+ apt-get install -y mariadb-server && \
+ touch /var/lib/mysql/firstrun
+
+COPY dbinit.sh do-start.sh /tmp/
+RUN bash /tmp/dbinit.sh
+
+# mount volumes to persist the data
+VOLUME /etc/mysql /var/lib/mysql
+
+CMD exec bash /tmp/do-start.sh
diff --git a/policy-db/dbinit.sh b/policy-db/dbinit.sh
new file mode 100644
index 00000000..19f4a5bd
--- /dev/null
+++ b/policy-db/dbinit.sh
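Review bot: `apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db` fetches the MariaDB repository signing key over an unauthenticated HKP connection and identifies it only by a 64-bit key ID, so the trust root for every package installed from `mirrors.evowise.com` afterwards rests on whatever the keyserver returns for that ID; the same line appears in policy-db/Dockerfile in this commit. Using the `hkps://` endpoint and the key's full fingerprint, `apt-key adv --recv-keys --keyserver hkps://keyserver.ubuntu.com <FULL-FINGERPRINT>` (placeholder — take the fingerprint from MariaDB's published documentation), or shipping the key file in the build context, makes the layer reproducible and the trust explicit. `touch /var/lib/mysql/firstrun` in the policy-db image has no consumer visible on this page; a comment saying what reads it, or removing it, would avoid the next maintainer guessing. Adding `rm -rf /var/lib/apt/lists/*` to the same `RUN` chain is the usual way to keep the apt cache out of the image layer.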
@@ -0,0 +1,38 @@
+#sed -i '/^bind-address/s/127\.0\.0\.1/0.0.0.0/' /etc/mysql/my.cnf
+cat >/etc/mysql/conf.d/policy.cnf <<-'EOF'
+ [mysqld]
+ lower_case_table_names = 1
+ bind-address = 0.0.0.0
+EOF
+
+echo "Starting mysqld"
+service mysql start
+
+echo "Run mysql_secure_installation"
+/usr/bin/mysql_secure_installation <<-EOF
+
+ y
+ secret
+ secret
+ y
+ y
+ y
+ y
+EOF
+
+echo "Creating db schemas and user"
+mysql -uroot -psecret <<-EOF
+ create database xacml;
+ create database log;
+ create database support;
+ create table support.db_version(the_key varchar(20) not null, version varchar(20), primary key(the_key));
+ insert into support.db_version values('VERSION', '00');
+ insert into support.db_version values('DROOLS_VERSION', '00');
+ create user 'policy_user'@'localhost' identified by 'policy_user';
+ grant all privileges on *.* to 'policy_user'@'localhost' with grant option;
+ flush privileges;
+ select * from support.db_version;
+EOF
+
+echo "Stopping mysqld"
+service mysql stop
diff --git a/policy-db/do-start.sh b/policy-db/do-start.sh
new file mode 100755
index 00000000..49dbe0fe
--- /dev/null
+++ b/policy-db/do-start.sh
@@ -0,0 +1,12 @@
+#! /bin/bash
+
+# determine IP pattern associated with 'eth0' (assume net mask = 255.255.0.0)
+ipPattern=$(ifconfig eth0|sed -n -e 's/^.*inet addr:\([^\.]*.[^\.]*\)\..*$/\1.%.%/p')
+
+# start MySQL, and grant all privileges to the local network
+# (it doesn't hurt to do the 'grant' multiple times)
+service mysql start
+mysql -uroot -psecret \
+ -e "grant all privileges on *.* to 'policy_user'@'${ipPattern}' identified by 'policy_user' with grant option;"
+
+exec sleep 1000d
diff --git a/policy-drools/Dockerfile b/policy-drools/Dockerfile
new file mode 100644
index 00000000..40d8809d
--- /dev/null
+++ b/policy-drools/Dockerfile
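Review bot: The root password `secret` is set inside the image build (policy-db/Dockerfile runs `RUN bash /tmp/dbinit.sh`), so it is identical for every container created from the image and is recoverable from the image layer; it is then passed on the command line as `-psecret`, where it shows up in process listings. Setting the password at first container start from an environment variable (the `firstrun` marker the Dockerfile creates looks intended for exactly that) and passing it via `MYSQL_PWD` or a `--defaults-extra-file` would keep it out of both the layer and `ps`. `grant all privileges on *.* to 'policy_user'@'localhost' with grant option` lets the application account hand out privileges; if the upgrade scripts need to create the `ecomp_sdk`/`drools` databases named in the conf files, keep the `*.*` grant but drop `with grant option`. The script has no `set -e` and `service mysql start` is not checked, so a failed start still lets the heredoc run against nothing; `service mysql start || exit 1` is enough.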
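Review bot: `ipPattern` is interpolated into the `grant` statement without checking it is non-empty: if `ifconfig eth0` fails or prints a format the `inet addr:` regex does not match (newer net-tools prints `inet 10.0.0.1`), the grant becomes `'policy_user'@''`, which is not the intended /16 and whose meaning is left to the server. Guard it with `[[ -n "$ipPattern" ]] || { echo "cannot determine eth0 address" >&2; exit 1; }` before `service mysql start`. The `-psecret` literal repeats the image-build password from dbinit.sh on the command line, and `exec sleep 1000d` means the container stays up after mysqld itself exits, so a crashed database is invisible to `docker ps` and to the `depends_on` ordering in docker-compose.yml; running `mysqld` in the foreground would give the orchestrator the real lifecycle.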
@@ -0,0 +1,11 @@
+FROM ecomp-nexus:51220/policy/policy-base
+
+RUN mkdir -p /opt/app/policy /tmp/policy-install && chown policy /opt/app/policy /tmp/policy-install
+WORKDIR /tmp/policy-install
+
+COPY install-drools.zip apps.zip docker-install.sh do-start.sh wait-for-port.sh ./
+
+RUN unzip install-drools.zip && unzip apps.zip && rm install-drools.zip apps.zip && chown -R policy * && chmod +x *.sh
+
+USER policy
+CMD ./do-start.sh
diff --git a/policy-drools/do-start.sh b/policy-drools/do-start.sh
new file mode 100644
index 00000000..0d57d834
--- /dev/null
+++ b/policy-drools/do-start.sh
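Review bot: `CMD ./do-start.sh` is the shell form, so PID 1 is `/bin/sh -c` and the `SIGTERM` from `docker stop` is delivered to that shell rather than to do-start.sh and the `policy.sh start` processes it launches, which then get killed on the timeout instead of shutting down. The exec form `CMD ["./do-start.sh"]` makes the script PID 1; the script itself ends in `sleep 1000d`, so it would additionally need a `trap` to forward the signal, which is a change for do-start.sh. Running the install as `USER policy` and unpacking with `chown -R policy *` is the right direction; the `policy` account is assumed to exist in the `policy-base`/`policy-os` images, which are not on this page, so a comment naming where it is created would help.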
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# skip installation if build.info file is present (restarting an existing container)
+if [[ -f /opt/app/policy/etc/build.info ]]; then
+ echo "Found existing installation, will not reinstall"
+ . /opt/app/policy/etc/profile.d/env.sh
+else
+ # replace conf files from installer with environment-specific files
+ # mounted from the hosting VM
+ if [[ -d config ]]; then
+ cp config/*.conf .
+ fi
+
+ # wait for nexus up before installing, since installation
+ # needs to deploy some artifacts to the repo
+ ./wait-for-port.sh nexus 8081
+
+ ./docker-install.sh
+
+ . /opt/app/policy/etc/profile.d/env.sh
+
+ # install policy keystore
+ mkdir -p $POLICY_HOME/etc/ssl
+ cp config/policy-keystore $POLICY_HOME/etc/ssl
+
+ # this should probably be done by install.sh
+ mvn install:install-file archetype:crawl -Dfile="archetype-closedloop-demo-rules-1.0.0-SNAPSHOT.jar" -DgroupId=org.openecomp.policy.archetype -DartifactId=archetype-closedloop-demo-rules -Dversion="1.0.0-SNAPSHOT" -Dpackaging=jar -DgeneratePom=true -DupdateReleaseInfo=true
+
+ if [[ -x config/drools-tweaks.sh ]] ; then
+ echo "Executing tweaks"
+ # file may not be executable; running it as an
+ # argument to bash avoids needing execute perms.
+ bash config/drools-tweaks.sh
+ fi
+
+ # wait for DB up
+ ./wait-for-port.sh mariadb 3306
+ # now that DB is up, invoke database upgrade
+ # (which does nothing if the db is already up-to-date)
+ dbuser=$(echo $(grep '^JDBC_USER=' base.conf | cut -f2 -d=))
+ dbpw=$(echo $(grep '^JDBC_PASSWORD=' base.conf | cut -f2 -d=))
+ db_upgrade_droolspdp_remote.sh $dbuser $dbpw mariadb
+fi
+
+echo "Starting processes"
+
+policy.sh start
+
+sleep 1000d
diff --git a/policy-drools/docker-install.sh b/policy-drools/docker-install.sh
new file mode 100644
index 00000000..fd920648
--- /dev/null
+++ b/policy-drools/docker-install.sh
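Review bot: The guard `if [[ -x config/drools-tweaks.sh ]] ; then` contradicts the comment two lines below it ("file may not be executable; running it as an argument to bash avoids needing execute perms"): `-x` requires the execute bit, so a tweaks file mounted without it is silently skipped, and the healthcheck credentials it writes never land. Test for existence instead, `if [[ -f config/drools-tweaks.sh ]] ; then`, which matches the comment and the `bash config/drools-tweaks.sh` invocation. `db_upgrade_droolspdp_remote.sh $dbuser $dbpw mariadb` passes the database password as an argv word, visible in `ps` for as long as the upgrade runs, and unquoted; the upgrade script is not on this page, so whether it can take the password from the environment or a file is unknown, but the `$(echo $(grep ... | cut -f2 -d=))` pair is also an odd way to trim whitespace that would mangle a value containing spaces. There is no `set -e`, so a failed `./docker-install.sh` or `cp config/policy-keystore` still falls through to `policy.sh start`; `./docker-install.sh || exit 1` on the install step is the minimum.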
@@ -0,0 +1,851 @@ +#!/bin/bash + +### +# ============LICENSE_START======================================================= +# Installation Package +# ================================================================================ +# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +### + + +function JAVA_HOME() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + if [[ -z ${JAVA_HOME} ]]; then + echo "error: aborting installation: JAVA_HOME variable must be present in base.conf" + exit 1; + fi + + echo "JAVA_HOME is ${JAVA_HOME}" +} + +function POLICY_HOME() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + if [[ -z ${POLICY_HOME} ]]; then + echo "error: aborting installation: the installation directory POLICY_HOME must be set" + exit 1 + fi + + POLICY_HOME_ABS=$(readlink -f "${POLICY_HOME}") + if [[ -n ${POLICY_HOME_ABS} ]]; then + export POLICY_HOME=${POLICY_HOME_ABS} + fi + + echo "POLICY_HOME is ${POLICY_HOME}" + + # Do not allow installations from within POLICY_HOME dir or sub-dirs + if [[ "$(pwd)/" == ${POLICY_HOME}/* ]]; then + echo "error: aborting installation: cannot be executed from '${POLICY_HOME}' or sub-directories. 
" + exit 1 + fi +} + +function check_java() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + TARGET_JAVA_VERSION=$1 + + if [[ -z ${JAVA_HOME} ]]; then + echo "error: ${JAVA_HOME} is not set" + return 1 + fi + + if ! check_x_file "${JAVA_HOME}/bin/java"; then + echo "error: ${JAVA_HOME}/bin/java is not accessible" + return 1 + fi + + INSTALLED_JAVA_VERSION=$("${JAVA_HOME}/bin/java" -version 2>&1 | awk -F '"' '/version/ {print $2}') + if [[ -z $INSTALLED_JAVA_VERSION ]]; then + echo "error: ${JAVA_HOME}/bin/java is invalid" + return 1 + fi + + if [[ "${INSTALLED_JAVA_VERSION}" != ${TARGET_JAVA_VERSION}* ]]; then + echo "error: java version (${INSTALLED_JAVA_VERSION}) does not"\ + "march desired version ${TARGET_JAVA_VERSION}" + return 1 + fi + + echo "OK: java ${INSTALLED_JAVA_VERSION} installed" + + if ! type -p "${JAVA_HOME}/bin/keytool" > /dev/null 2>&1; then + echo "error: {JAVA_HOME}/bin/keytool is not installed" + return 1 + fi +} + +function process_configuration() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + CONF_FILE=$1 + while read line || [ -n "${line}" ]; do + if [[ -n ${line} ]] && [[ ${line} != *#* ]]; then + name=$(echo "${line%%=*}") + value=$(echo "${line#*=}") + # escape ampersand so that sed does not replace it with the search string + value=${value//&/\\&} + if [[ -z ${name} ]] || [[ -z $value ]]; then + echo "WARNING: ${line} missing name or value" + fi + export ${name}="${value}" + eval "${name}" "${value}" 2> /dev/null + fi + done < "${CONF_FILE}" + return 0 +} + +function component_preinstall() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + /bin/sed -i -e 's!${{POLICY_HOME}}!'"${POLICY_HOME}!g" \ + -e 's!${{FQDN}}!'"${FQDN}!g" \ + *.conf > /dev/null 2>&1 +} + +function configure_component() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + CONF_FILE=$1 + COMPONENT_ROOT_DIR=$2 + + SED_LINE="sed -i" + 
SED_LINE+=" -e 's!\${{POLICY_HOME}}!${POLICY_HOME}!g' " + SED_LINE+=" -e 's!\${{POLICY_USER}}!${POLICY_USER}!g' " + SED_LINE+=" -e 's!\${{POLICY_GROUP}}!${POLICY_GROUP}!g' " + SED_LINE+=" -e 's!\${{KEYSTORE_PASSWD}}!${KEYSTORE_PASSWD}!g' " + SED_LINE+=" -e 's!\${{JAVA_HOME}}!${JAVA_HOME}!g' " + + while read line || [ -n "${line}" ]; do + if [[ -n $line ]] && [[ $line != *#* ]]; then + name=$(echo "${line%%=*}") + value=$(echo "${line#*=}") + # escape ampersand so that sed does not replace it with the search string + value=${value//&/\\&} + if [[ -z ${name} ]] || [[ -z ${value} ]]; then + echo "WARNING: ${line} missing name or value" + fi + SED_LINE+=" -e 's!\${{${name}}}!${value}!g' " + + fi + done < "$CONF_FILE" + + SED_FILES="" + for sed_file in $(find "${COMPONENT_ROOT_DIR}" -path ${COMPONENT_ROOT_DIR}/backup -prune -o -name '*.xml' -o -name '*.sh' -o -name '*.properties' -o -name '*.json' -o -name '*.conf' -o -name '*.cfg' -o -name '*.template' -o -name '*.conf' -o -name '*.cron'); do + if fgrep -l '${{' ${sed_file} > /dev/null 2>&1; then + SED_FILES+="${sed_file} " + fi + done + + if [[ -z ${SED_FILES} ]]; then + echo "WARNING: no xml, sh, properties, or conf files to perform configuration expansion" + else + SED_LINE+=${SED_FILES} + eval "${SED_LINE}" + fi +} + +function configure_settings() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + # The goal is to have repositories for both 'release' and 'snapshot' + # artifacts. These may either be remote (e.g. Nexus) repositories, or + # a local file-based repository. + local fileRepoID=file-repository + local fileRepoUrl=file:$HOME_M2/file-repository + mkdir -p "${fileRepoUrl#file:}" + + # The following parameters are also used outside of this function. 
+ # if snapshotRepositoryUrl and/or releaseRepositoryUrl is defined, + # the corresponding ID and url will be updated below + releaseRepoID=${fileRepoID} + releaseRepoUrl=${fileRepoUrl} + snapshotRepoID=${fileRepoID} + snapshotRepoUrl=${fileRepoUrl} + + # if both snapshotRepositoryUrl and releaseRepositoryUrl are null, + # use standalone-settings.xml that just defines the file-based repo. + # if only one of them is specified, use file-based repo for the other. + if [[ -z "$snapshotRepositoryUrl" && -z $releaseRepositoryUrl ]]; then + echo "snapshotRepositoryUrl and releaseRepositoryUrl properties not set, configuring settings.xml for standalone operation" + mv $HOME_M2/standalone-settings.xml $HOME_M2/settings.xml + else + rm $HOME_M2/standalone-settings.xml + + if [[ -n "${snapshotRepositoryUrl}" ]] ; then + snapshotRepoID=${snapshotRepositoryID} + snapshotRepoUrl=${snapshotRepositoryUrl} + fi + if [[ -n "${releaseRepositoryUrl}" ]] ; then + releaseRepoID=${releaseRepositoryID} + releaseRepoUrl=${releaseRepositoryUrl} + fi + fi + + SED_LINE="sed -i" + SED_LINE+=" -e 's!\${{snapshotRepositoryID}}!${snapshotRepoID}!g' " + SED_LINE+=" -e 's!\${{snapshotRepositoryUrl}}!${snapshotRepoUrl}!g' " + SED_LINE+=" -e 's!\${{releaseRepositoryID}}!${releaseRepoID}!g' " + SED_LINE+=" -e 's!\${{releaseRepositoryUrl}}!${releaseRepoUrl}!g' " + SED_LINE+=" -e 's!\${{repositoryUsername}}!${repositoryUsername}!g' " + SED_LINE+=" -e 's!\${{repositoryPassword}}!${repositoryPassword}!g' " + SED_LINE+=" -e 's!\${{fileRepoID}}!${fileRepoID}!g' " + SED_LINE+=" -e 's!\${{fileRepoUrl}}!${fileRepoUrl}!g' " + + SED_LINE+="$HOME_M2/settings.xml" + eval "${SED_LINE}" + +} + + +function check_r_file() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + FILE=$1 + if [[ ! -f ${FILE} || ! -r ${FILE} ]]; then + return 1 + fi + + return 0 +} + +function check_x_file() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + FILE=$1 + if [[ ! 
-f ${FILE} || ! -x ${FILE} ]]; then + return 1 + fi + + return 0 +} + +function install_prereqs() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + CONF_FILE=$1 + + if ! check_r_file "${CONF_FILE}"; then + echo "error: aborting ${COMPONENT_TYPE} installation: ${CONF_FILE} is not accessible" + exit 1 + fi + + if ! process_configuration "${CONF_FILE}"; then + echo "error: aborting ${COMPONENT_TYPE} installation: cannot process configuration ${CONF_FILE}" + exit 1 + fi + + if ! check_java "1.8"; then + echo "error: aborting ${COMPONENT_TYPE} installation: invalid java version" + exit 1 + fi + + + if [[ -z ${POLICY_HOME} ]]; then + echo "error: aborting ${COMPONENT_TYPE} installation: ${POLICY_HOME} is not set" + exit 1 + fi + + HOME_OWNER=$(ls -ld "${POLICY_HOME}" | awk '{print $3}') + if [[ ${HOME_OWNER} != ${POLICY_USER} ]]; then + echo "error: aborting ${COMPONENT_TYPE} installation: ${POLICY_USER} does not own ${POLICY_HOME} directory" + exit 1 + fi + + echo -n "Starting ${OPERATION} of ${COMPONENT_TYPE} under ${POLICY_USER}:${POLICY_GROUP} " + echo "ownership with umask $(umask)." +} + +function configure_base() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + # check if fqdn is set in base.conf and use that value if set + if [[ -z ${INSTALL_FQDN} ]] + then + echo "FQDN not set in config...using the default FQDN ${FQDN}" + else + echo "Using FQDN ${INSTALL_FQDN} from config" + FQDN=${INSTALL_FQDN} + fi + + configure_component "${BASE_CONF}" "${POLICY_HOME}" + + configure_settings + + BASH_PROFILE_LINE=". ${POLICY_HOME}/etc/profile.d/env.sh" + PROFILE_LINE="ps -p \$\$ | grep -q bash || . ${POLICY_HOME}/etc/profile.d/env.sh" + + # Note: adding to .bashrc instead of .bash_profile + if ! fgrep -x "${BASH_PROFILE_LINE}" "${HOME}/.bashrc" >/dev/null 2>&1; then + echo "${BASH_PROFILE_LINE}" >> "${HOME}/.bashrc" + fi + + if ! 
fgrep -x "${PROFILE_LINE}" "${HOME}/.profile" >/dev/null 2>&1; then + echo "${PROFILE_LINE}" >> "${HOME}/.profile" + fi + + + . "${POLICY_HOME}/etc/profile.d/env.sh" + + cat "${POLICY_HOME}"/etc/cron.d/* | crontab +} + +function install_base() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + install_prereqs "${BASE_CONF}" + + # following properties must be set: + # POLICY_HOME - installation directory, must exist and be writable + + # test that all required properties are set + for var in POLICY_HOME JAVA_HOME + do + if [[ -z $(eval echo \$$var) ]]; then + echo "ERROR: $var must be set in $BASE_CONF" + exit 1 + fi + done + + if [[ ! ( -d "$POLICY_HOME" && -w "$POLICY_HOME" ) ]]; then + echo "ERROR: Installation directory $POLICY_HOME does not exist or not writable" + exit 1 + fi + + if ! /bin/rm -fr "${POLICY_HOME}"/* > /dev/null 2>&1; then + echo "error: aborting base installation: cannot delete the underlying ${POLICY_HOME} files" + exit 1 + fi + + POLICY_HOME_CONTENTS=$(ls -A "${POLICY_HOME}" 2> /dev/null) + if [[ -n ${POLICY_HOME_CONTENTS} ]]; then + echo "error: aborting base installation: ${POLICY_HOME} directory is not empty" + exit 1 + fi + + if ! /bin/mkdir -p "${POLICY_HOME}/logs/" > /dev/null 2>&1; then + echo "error: aborting base installation: cannot create ${POLICY_HOME}/logs/" + exit 1 + fi + + BASE_TGZ=$(ls base-*.tar.gz) + if [ ! -r ${BASE_TGZ} ]; then + echo "error: aborting: base package is not accessible" + exit 1 + fi + + tar -tzf ${BASE_TGZ} > /dev/null 2>&1 + if [[ $? != 0 ]]; then + echo >&2 "error: aborting installation: invalid base package file: ${BASE_TGZ}" + exit 1 + fi + + BASEX_TGZ=$(ls basex-*.tar.gz) + if [ ! -r ${BASEX_TGZ} ]; then + echo "warning: basex package is not accessible" + BASEX_TGZ= + else + tar -tzf ${BASEX_TGZ} > /dev/null 2>&1 + if [[ $? 
!= 0 ]]; then + echo >&2 "warning: invalid basex package tar file: ${BASEX_TGZ}" + BASEX_TGZ= + fi + fi + + + # Undo any changes in the $HOME directory if any + + BASH_PROFILE_LINE=". ${POLICY_HOME}/etc/profile.d/env.sh" +# PROFILE_LINE="ps -p \$\$ | grep -q bash || . ${POLICY_HOME}/etc/profile.d/env.sh" + + # Note: using .bashrc instead of .bash_profile + if [[ -f ${HOME}/.bashrc ]]; then + /bin/sed -i.bak "\:${BASH_PROFILE_LINE}:d" "${HOME}/.bashrc" + fi + +# if [[ -f ${HOME}/.profile ]]; then +# /bin/sed -i.bak "\:${PROFILE_LINE}:d" "${HOME}/.profile" +# fi + + tar -C ${POLICY_HOME} -xf ${BASE_TGZ} --no-same-owner + if [[ $? != 0 ]]; then + # this should not happened + echo "error: aborting base installation: base package cannot be unpacked: ${BASE_TGZ}" + exit 1 + fi + + if [ ! -z ${BASEX_TGZ} ]; then + tar -C ${POLICY_HOME} -xf ${BASEX_TGZ} --no-same-owner + if [[ $? != 0 ]]; then + # this should not happened + echo "warning: basex package cannot be unpacked: ${BASEX_TGZ}" + fi + fi + +# /bin/mkdir -p ${POLICY_HOME}/etc/ssl > /dev/null 2>&1 +# /bin/mkdir -p ${POLICY_HOME}/etc/init.d > /dev/null 2>&1 +# /bin/mkdir -p ${POLICY_HOME}/nagios/tmp > /dev/null 2>&1 +# /bin/mkdir -p ${POLICY_HOME}/tmp > /dev/null 2>&1 +# /bin/mkdir -p ${POLICY_HOME}/var > /dev/null 2>&1 + +# chmod -R 755 ${POLICY_HOME}/nagios > /dev/null 2>&1 + + HOME_M2=$HOME/.m2 + if [[ -d $HOME_M2 ]]; then + echo "Renaming existing $HOME_M2 to $HOME/m2.$TIMESTAMP" + mv $HOME_M2 $HOME/m2.$TIMESTAMP + if [[ $? != 0 ]]; then + echo "WARNING: Failed to rename $HOME_M2 directory; will use old directory" + fi + fi + if [[ ! -d $HOME_M2 ]]; then + echo "Moving m2 directory to $HOME_M2" + mv $POLICY_HOME/m2 $HOME_M2 + if [[ $? != 0 ]]; then + echo "ERROR: Error in moving m2 directory" + exit 1 + fi + fi + + configure_base + +# if ! 
create_keystore; then +# echo "error: aborting base installation: creating keystore" +# exit 1 +# fi + +# list_unexpanded_files ${POLICY_HOME} + +} + +function install_controller() +{ + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + if [[ -f "${HOME}/.bashrc" ]]; then + source "${HOME}/.bashrc" + fi + + if [[ -z ${POLICY_HOME} ]]; then + echo "error: aborting installation: POLICY_HOME environment variable is not set." + exit 1 + fi + + if ! check_r_file ${POLICY_HOME}/etc/profile.d/env.sh; then + echo "error: aborting installation: ${POLICY_HOME}/etc/profile.d/env.sh is not accessible" + exit 1 + fi + + CONTROLLER_CONF=$COMPONENT_TYPE.conf + install_prereqs "${CONTROLLER_CONF}" + + # following properties must be set in conf file: + # CONTROLLER_ARTIFACT_ID - Maven artifactId for controller + # CONTROLLER_NAME - directory name for the controller; controller will be installed to + # $POLICY_HOME/controllers/$CONTROLLER_NAME + # CONTROLLER_PORT - port number for the controller REST interface + # RULES_ARTIFACT - rules artifact specifier: groupId:artifactId:version + + # test that all required properties are set + for var in CONTROLLER_ARTIFACT_ID CONTROLLER_NAME CONTROLLER_PORT RULES_ARTIFACT UEB_TOPIC + do + if [[ -z $(eval echo \$$var) ]]; then + echo "ERROR: $var must be set in $CONTROLLER_CONF" + exit 1 + fi + done + + CONTROLLER_ZIP=$(ls $CONTROLLER_ARTIFACT_ID*.zip 2>&-) + if [[ -z $CONTROLLER_ZIP ]]; then + echo "ERROR: Cannot find controller zip file ($CONTROLLER_ARTIFACT_ID*.zip)" + exit 1 + fi + + if [[ ! "$CONTROLLER_NAME" =~ ^[A-Za-z0-9_-]+$ ]]; then + echo "ERROR: CONTROLLER_NAME may only contain alphanumeric, underscore, and dash characters" + exit 1 + fi + + if [[ ! 
"$CONTROLLER_PORT" =~ ^[0-9]+$ ]]; then + echo "ERROR: CONTROLLER_PORT is not a valid integer" + exit 1 + fi + + # split artifact string into parts + IFS=: read RULES_GROUPID RULES_ARTIFACTID RULES_VERSION <<<$RULES_ARTIFACT + if [[ -z $RULES_GROUPID || -z $RULES_ARTIFACTID || -z $RULES_VERSION ]]; then + echo "ERROR: Invalid setting for RULES_ARTIFACT property" + exit 1 + fi + + #RULES_JAR=$RULES_ARTIFACTID-$RULES_VERSION.jar + RULES_JAR=$(echo ${RULES_ARTIFACTID}-*.jar) + if ! check_r_file $RULES_JAR; then + echo "WARNING: Rules jar file $RULES_JAR not found in installer package, must be installed manually" + RULES_JAR= + fi + + + SOURCE_DIR=$PWD + CONTROLLER_DIR=$POLICY_HOME + + cd $CONTROLLER_DIR + + echo "Unpacking controller zip file" + # use jar command in case unzip not present on system + jar xf $SOURCE_DIR/$CONTROLLER_ZIP + if [[ $? != 0 ]]; then + echo "ERROR: unpack of controller zip file failed, install aborted" + exit 1 + fi + + chmod +x bin/* + + # Perform base variable replacement in controller config file + configure_component "${SOURCE_DIR}/${BASE_CONF}" "${CONTROLLER_DIR}" + + # Perform variable replacements in config files. + # config files may contain the following strings that need to be replaced with + # real values: + # AAAA - artifactId + # BBBB - Substring of AAAA after first dash (stripping initial "ncomp-" or "policy-") + # PORT - Port number for REST server + + echo "Performing variable replacement in config files" + AAAA=$CONTROLLER_ARTIFACT_ID + BBBB=${AAAA#[a-z]*-} + PORT=$CONTROLLER_PORT + UTOPIC=${UEB_TOPIC} + + for file in config/* + do + sed -i -e "s/AAAA/$AAAA/" -e "s/BBBB/$BBBB/" -e "s/PORT/$PORT/" -e "s!\${{UEB_TOPIC}}!${UTOPIC}!" $file + if [[ $? != 0 ]]; then + echo "ERROR: variable replacement failed for file $file, install aborted" + exit 1 + fi + done + + mv config/makefile . 
+ + # append properties for rules artifact to server properties + cat >>config/server.properties <> ${POLICY_HOME}/etc/monitor/monitor.cfg + fi + + + echo "${NAME}=off" >> ${POLICY_HOME}/etc/monitor/monitor.cfg + fi + else + echo "WARNING: ${POLICY_HOME}/etc/monitor/monitor.cfg does not exist. No monitoring enabled." + fi +} + +# Usage: getPomAttributes ... +# +# This function performs simplistic parsing of a 'pom.xml' file, extracting +# the specified attributes (e.g. 'groupId', 'artifactId', 'version'). The +# attributes are returned as environment variables with the associated name. + +function getPomAttributes +{ + local tab=$'\t' + local rval=0 + local file="$1" + local attr + local value + shift + for attr in "$@" ; do + # Try to fetch the parameter associated with the 'pom.xml' file. + # Initially, the 'parent' element is excluded. If the desired + # parameter is not found, the 'parent' element is included in the + # second attempt. + value=$(sed -n \ + -e '//,/<\/parent>/d' \ + -e '//,/<\/dependencies>/d' \ + -e '//,/<\/build>/d' \ + -e "/^[ ${tab}]*<${attr}>\([^<]*\)<\/${attr}>.*/{s//\1/p;}" \ + <"${file}") + + if [[ "${value}" == "" ]] ; then + # need to check parent for parameter + value=$(sed -n \ + -e '//,/<\/dependencies>/d' \ + -e '//,/<\/build>/d' \ + -e "/^[ ${tab}]*<${attr}>\([^<]*\)<\/${attr}>.*/{s//\1/p;}" \ + <"${file}") + if [[ "${value}" == "" ]] ; then + echo "${file}: Can't determine ${attr}" >&2 + rval=1 + fi + fi + # the following sets an environment variable with the name referred + # to by ${attr} + read ${attr} <<<"${value}" + done + return ${rval} +} + + +# Usage: installPom +# +# This function installs a 'pom.xml' file in the local repository + +function installPom +{ + # need to extract attributes from POM file + if getPomAttributes "${1}" artifactId groupId version ; then + local repoID repoUrl + if [[ "${version}" =~ SNAPSHOT ]] ; then + repoID=${snapshotRepoID} + repoUrl=${snapshotRepoUrl} + else + repoID=${releaseRepoID} + 
repoUrl=${releaseRepoUrl} + fi + echo "${1}: Deploying POM artifact to remote repository" + mvn deploy:deploy-file -Dfile="$1" \ + -Dpackaging=pom -DgeneratePom=false \ + -DgroupId=${groupId} \ + -DartifactId=${artifactId} \ + -Dversion=${version} \ + -DrepositoryId=${repoID} -Durl=${repoUrl} \ + -DupdateReleaseInfo=true + else + echo "${1}: Can't install pom due to missing attributes" >&2 + return 1 + fi +} + +# Usage: installJar +# +# This function installs a JAR file in the local repository, as well as +# the 'pom.xml' member it contains. + +function installJar +{ + local dir=$(mktemp -d) + local jar="${1##*/}" + cp -p "${1}" "${dir}/${jar}" + + ( + local rval=0 + cd "${dir}" + # determine name of 'pom' file within JAR + local pom=$(jar tf ${jar} META-INF | grep '/pom\.xml$' | head -1) + if [[ "${pom}" ]] ; then + # extract pom file + jar xf ${jar} "${pom}" + + # determine version from pom file + if getPomAttributes "${pom}" version ; then + local repoID repoUrl + if [[ "${version}" =~ SNAPSHOT ]] ; then + repoID=${snapshotRepoID} + repoUrl=${snapshotRepoUrl} + else + repoID=${releaseRepoID} + repoUrl=${releaseRepoUrl} + fi + echo "${1}: Deploying JAR artifact to remote repository" + mvn deploy:deploy-file \ + -Dfile=${jar} \ + -Dversion=${version} \ + -Dpackaging=jar -DgeneratePom=false -DpomFile=${pom} \ + -DrepositoryId=${repoID} -Durl=${repoUrl} \ + -DupdateReleaseInfo=true + else + echo "${1}: Can't determine version from 'pom.xml'" >&2 + rval=1 + fi + else + echo "${1}: Can't find 'pom.xml'" >&2 + rval=1 + fi + rm -rf ${dir} + return ${rval} + ) +} + +# Unzip the 'artifacts-*.zip' file, and install all of the associated +# artifacts into the local repository. 
+
+function installArtifacts
+{
+ local file
+ if [[ -f $(echo artifacts-*.zip) ]] ; then
+ # use jar command in case unzip not present on system
+ jar xf artifacts-*.zip
+ for file in artifacts/* ; do
+ case "${file}" in
+ *pom.xml|*.pom) installPom "${file}";;
+ *.jar) installJar "${file}";;
+ *) echo "${file}: Don't know how to install artifact" >&2;;
+ esac
+ done
+ fi
+}
+
+function do_install()
+{
+ if [[ $DEBUG == y ]]; then
+ echo "-- ${FUNCNAME[0]} $@ --"
+ set -x
+ fi
+
+ echo "Starting installation at $(date)"
+ echo
+
+ COMPONENT_TYPE=base
+ BASE_CONF=base.conf
+ install_base
+ component_preinstall
+
+ COMPONENT_TYPE=policy-management
+ install_controller
+
+ # install features
+ SOURCE_DIR=$PWD
+ cd $POLICY_HOME
+ jar xf ${SOURCE_DIR}/policy-persistence-*.zip
+ jar xf ${SOURCE_DIR}/policy-healthcheck-*.zip
+ cd ${SOURCE_DIR}
+
+ installArtifacts
+
+ echo
+ echo "Installation complete"
+ echo "Please logoff and login again to update shell environment"
+
+}
+
+DEBUG=n
+export POLICY_USER=$(/usr/bin/id -un)
+export POLICY_GROUP=$POLICY_USER
+
+FQDN=$(hostname -f 2> /dev/null)
+if [[ $? != 0 || -z ${FQDN} ]]; then
+ echo "error: cannot determine the FQDN for this host $(hostname)."
+ exit 1
+fi
+
+TIMESTAMP=$(date "+%Y%m%d-%H%M%S")
+LOGFILE=$PWD/install.log.$TIMESTAMP
+
+OPERATION=install
+BASE_CONF=base.conf
+
+do_install 2>&1 | tee $LOGFILE
diff --git a/policy-drools/wait-for-port.sh b/policy-drools/wait-for-port.sh
new file mode 100644
index 00000000..10f08ded
--- /dev/null
+++ b/policy-drools/wait-for-port.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [[ $# -ne 2 ]]; then
+ echo "Usage: wait-for-port hostname port" >&2
+ exit 1
+fi
+
+host=$1
+port=$2
+
+echo "Waiting for $host port $port open"
+until telnet $host $port /dev/null | grep -q '^Connected'; do
+ sleep 1
+done
+
+echo "$host port $port is open"
+
+exit 0
diff --git a/policy-nexus/Dockerfile b/policy-nexus/Dockerfile
new file mode 100644
index 00000000..68ee9178
--- /dev/null
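Review bot: In process_configuration the line `eval "${name}" "${value}" 2> /dev/null` runs each configuration key as a command with its value as the argument, immediately after `export ${name}="${value}"` has already set the variable; it contributes nothing, and any key that happens to name a program on PATH (from a base.conf mounted in from the host) gets executed, so the line should simply be removed. The comment filter just above it, `[[ ${line} != *#* ]]`, also discards any line that contains `#` anywhere, including a KEYSTORE_PASSWD or repositoryPassword value with that character, whereas the policy-pe copy of this function in the same commit uses `\#*` to skip only leading-comment lines. configure_component and configure_settings splice those same values into a `sed` program string and `eval` it, so a value containing `'` or `!` breaks the command or changes its meaning; a comment stating that conf values are trusted and may not contain those characters would at least make the constraint visible. The DEBUG branch's `set -x` would additionally trace those passwords into install.log through the `tee $LOGFILE` at the bottom. install_controller also carries its DEBUG block twice.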
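Review bot: The `until telnet $host $port ... | grep -q '^Connected'` loop has no upper bound, so if the named host never comes up, or `telnet` is missing from the image, the container sits in this loop indefinitely with only the single "Waiting for" line as a diagnostic. A bounded wait, e.g. `tries=0` before the loop and `(( ++tries > 300 )) && { echo "timed out waiting for $host:$port" >&2; exit 1; }` inside it, would surface the failure through the exit status; note that the callers in both do-start.sh scripts do not currently check it. The redirection after `$port` reads as `/dev/null` here, presumably `</dev/null` with the `<` lost in rendering — worth confirming against the actual file.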
+++ b/policy-nexus/Dockerfile
@@ -0,0 +1,19 @@
+FROM ecomp-nexus:51220/policy/policy-os
+
+
+# note that in following command sequence, wget exit status is 1 even on success,
+# so can't use && for conditional execution of next command
+RUN \
+ cd /tmp && \
+ wget https://sonatype-download.global.ssl.fastly.net/nexus/oss/nexus-2.14.2-01-bundle.tar.gz ; \
+ mkdir /opt/nexus && cd /opt/nexus && \
+ tar xfz /tmp/nexus-2.14.2-01-bundle.tar.gz && \
+ useradd --create-home --shell /bin/bash nexus && \
+ chown -R nexus *
+
+# make the sonatype-work directory persistent
+VOLUME /opt/nexus/sonatype-work
+
+USER nexus
+CMD bash -c "/opt/nexus/nexus-2.14.2-01/bin/nexus start && sleep 1000d"
+
diff --git a/policy-os/Dockerfile b/policy-os/Dockerfile
new file mode 100644
index 00000000..7acbf825
--- /dev/null
+++ b/policy-os/Dockerfile
@@ -0,0 +1,12 @@
+FROM ubuntu:14.04
+
+#RUN add-apt-repository ppa:openjdk-r/ppa
+RUN \
+ apt-get update && \
+ apt-get install -y zip unzip curl wget ssh telnet maven && \
+ apt-get install -y software-properties-common && \
+ add-apt-repository ppa:openjdk-r/ppa && \
+ apt-get update && \
+ apt-get install -y openjdk-8-jdk
+
+RUN useradd --create-home --shell /bin/bash policy
diff --git a/policy-pe/Dockerfile b/policy-pe/Dockerfile
new file mode 100644
index 00000000..cce1de1b
--- /dev/null
+++ b/policy-pe/Dockerfile
@@ -0,0 +1,13 @@
+FROM ecomp-nexus:51220/policy/policy-base
+
+RUN mkdir -p /opt/app/policy /tmp/policy-install && chown policy /opt/app/policy /tmp/policy-install
+
+WORKDIR /tmp/policy-install
+
+COPY install.zip docker-install.sh do-start.sh wait-for-port.sh ./
+RUN unzip install.zip && rm install.zip && chown policy * && chmod +x *.sh
+
+USER policy
+
+ENTRYPOINT [ "bash", "./do-start.sh" ]
+
diff --git a/policy-pe/do-start.sh b/policy-pe/do-start.sh
new file mode 100644
index 00000000..8bdb8bc9
--- /dev/null
+++ b/policy-pe/do-start.sh
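Review bot: The `wget https://sonatype-download.../nexus-2.14.2-01-bundle.tar.gz ; \` step downloads the Nexus bundle without verifying a checksum or signature, and the `;` (chosen, per the comment, because wget reports status 1 even on success) means a failed or truncated download is only noticed when `tar xfz` fails. Writing to a fixed path with `wget -O /tmp/nexus-2.14.2-01-bundle.tar.gz ...` and following it with `echo "<EXPECTED_SHA256>  /tmp/nexus-2.14.2-01-bundle.tar.gz" | sha256sum -c - && \` (digest placeholder to be filled from the vendor's published checksum) would pin the artifact and make the failure explicit. The claim that wget exits 1 on a successful fetch is unusual; if it is really a redirect or certificate problem, fixing that would be preferable to ignoring the status.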
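Review bot: The RUN chain ending in `apt-get install -y openjdk-8-jdk` never removes the package lists, so `/var/lib/apt/lists/*` is baked into this base layer and inherited by every policy image; appending `&& rm -rf /var/lib/apt/lists/*` is the usual fix. The same chain installs `ssh` alongside `telnet`; telnet is used by wait-for-port.sh, but nothing visible in this commit uses ssh, so a comment naming the consumer (or dropping the package) would keep the base image's footprint explainable.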
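Review bot: `chown policy *` in the RUN step is not recursive, unlike `chown -R policy *` in policy-drools/Dockerfile; if install.zip unpacks any subdirectory, its contents remain root-owned and the later `USER policy` steps, which move and edit files under the install tree via docker-install.sh, may fail with permission errors. Using `chown -R policy *` here would match the drools image. Whether install.zip actually contains subdirectories cannot be told from this commit.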
@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# Script to configure and start the Policy components that are to run in the designated container,
+# It is intended to be used as the entrypoint in the Dockerfile, so the last statement of the
+# script just goes into a long sleep so that the script does not exit (which would cause the
+# container to be torn down).
+
+container=$1
+
+case $container in
+pap)
+ comps="base pap paplp console mysql"
+ ;;
+pdp)
+ comps="base pdp pdplp"
+ ;;
+pypdp)
+ comps="base pypdp"
+ ;;
+brmsgw)
+ comps="base brmsgw"
+ ;;
+*)
+ echo "Usage: do-start.sh pap|pdp|pypdp|brmsgw" >&2
+ exit 1
+esac
+
+
+# skip installation if build.info file is present (restarting an existing container)
+if [[ -f /opt/app/policy/etc/build.info ]]; then
+ echo "Found existing installation, will not reinstall"
+ . /opt/app/policy/etc/profile.d/env.sh
+
+else
+ if [[ -d config ]]; then
+ cp config/*.conf .
+ fi
+
+ for comp in $comps; do
+ echo "Installing component: $comp"
+ ./docker-install.sh --install $comp
+ done
+ for comp in $comps; do
+ echo "Configuring component: $comp"
+ ./docker-install.sh --configure $comp
+ done
+
+ . /opt/app/policy/etc/profile.d/env.sh
+
+ # install keystore
+ #changed to use http instead of http, so keystore no longer needed
+ #cp config/policy-keystore.jks $POLICY_HOME/etc/ssl/policy-keystore
+
+ if [[ -f config/$container-tweaks.sh ]] ; then
+ # file may not be executable; running it as an
+ # argument to bash avoids needing execute perms.
+ bash config/$container-tweaks.sh
+ fi
+
+ if [[ $container == pap ]]; then
+ # wait for DB up
+ ./wait-for-port.sh mariadb 3306
+ # now that DB is up, invoke database upgrade
+ # (which does nothing if the db is already up-to-date)
+ dbuser=$(echo $(grep '^JDBC_USER=' base.conf | cut -f2 -d=))
+ dbpw=$(echo $(grep '^JDBC_PASSWORD=' base.conf | cut -f2 -d=))
+ db_upgrade_remote.sh $dbuser $dbpw mariadb
+ fi
+
+fi
+
+# pap needs to wait for mariadb up before starting;
+# others need to wait for pap up (in case it had to do db upgrade)
+if [[ $container == pap ]]; then
+ # we may have already done this above, but doesn't hurt to repeat
+ ./wait-for-port.sh mariadb 3306
+else
+ ./wait-for-port.sh pap 9091
+fi
+
+policy.sh start
+
+# on pap, wait for pap, pdp, pypdp, brmsgw, and nexus up,
+# then push the initial default policies
+if [[ $container == pap ]]; then
+ ./wait-for-port.sh pap 9091
+ ./wait-for-port.sh pdp 8081
+ ./wait-for-port.sh pypdp 8480
+ # brmsgw doesn't have a REST API, so check for JMX port instead
+ ./wait-for-port.sh brmsgw 9989
+ ./wait-for-port.sh nexus 8081
+ # wait addional 1 minute for all processes to get fully initialized and synched up
+ sleep 60
+ bash config/push-policies.sh
+fi
+
+sleep 1000d
diff --git a/policy-pe/docker-install.sh b/policy-pe/docker-install.sh
new file mode 100644
index 00000000..d85e3592
--- /dev/null
+++ b/policy-pe/docker-install.sh
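Review bot: The install loop `./docker-install.sh --install $comp` and the configure loop after it ignore the installer's exit status, so a failed component install is logged but the script still sources env.sh, runs `policy.sh start` and, on pap, pushes policies against a partially installed tree. `./docker-install.sh --install "$comp" || exit 1` (and the same for `--configure`) would stop the container at the failing step, which is far easier to spot in `docker ps` than a running container with a broken service. The comment `#changed to use http instead of http, so keystore no longer needed` reads as a typo for "https instead of http" and, taken literally, documents the opposite of what it means; `addional` in the sleep comment is also misspelled.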
@@ -0,0 +1,674 @@ +#!/bin/bash + +######################################################################### +## +## Functions +## +######################################################################### + +function usage() { + echo -n "syntax: $(basename $0) " + echo -n "--debug (" + echo -n "[--install base|pap|pdp|pypdp|console|mysql|brmsgw|paplp|pdplp] | " + echo -n "[--configure base|pap|pdp|pypdp|console|mysql|brmsgw|paplp|pdplp] | " +} + +function check_java() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + TARGET_JAVA_VERSION=$1 + + if [[ -z ${JAVA_HOME} ]]; then + echo "error: ${JAVA_HOME} is not set" + return 1 + fi + + if ! check_x_file "${JAVA_HOME}/bin/java"; then + echo "error: ${JAVA_HOME}/bin/java is not accessible" + return 1 + fi + + INSTALLED_JAVA_VERSION=$("${JAVA_HOME}/bin/java" -version 2>&1 | awk -F '"' '/version/ {print $2}') + if [[ -z $INSTALLED_JAVA_VERSION ]]; then + echo "error: ${JAVA_HOME}/bin/java is invalid" + return 1 + fi + + if [[ "${INSTALLED_JAVA_VERSION}" != ${TARGET_JAVA_VERSION}* ]]; then + echo "error: java version (${INSTALLED_JAVA_VERSION}) does not"\ + "march desired version ${TARGET_JAVA_VERSION}" + return 1 + fi + + echo "OK: java ${INSTALLED_JAVA_VERSION} installed" + +} + +function process_configuration() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + CONF_FILE=$1 + while read line || [ -n "${line}" ]; do + if [[ -n ${line} ]] && [[ ${line} != \#* ]]; then + name=$(echo "${line%%=*}") + value=$(echo "${line#*=}") + # escape ampersand so that sed does not replace it with the search string + value=${value//&/\\&} + if [[ -z ${name} ]] || [[ -z $value ]]; then + echo "WARNING: ${line} missing name or value" + fi + export ${name}="${value}" + eval "${name}" "${value}" 2> /dev/null + fi + done < "${CONF_FILE}" + return 0 +} + +function component_preconfigure() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + /bin/sed -i 
-e 's!${{POLICY_HOME}}!'"${POLICY_HOME}!g" \ + -e 's!${{FQDN}}!'"${FQDN}!g" \ + *.conf > /dev/null 2>&1 +} + +function tomcat_component() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + TOMCAT_TARGET_INSTALL_DIR=${POLICY_HOME}/servers/${COMPONENT_TYPE} + if [[ -d ${TOMCAT_TARGET_INSTALL_DIR} ]]; then + echo "error: ${TOMCAT_TARGET_INSTALL_DIR} exists." + return 1 + fi + + TOMCAT_INSTALL_DIR=${POLICY_HOME}/install/3rdparty/${TOMCAT_PACKAGE_NAME}/ + if [[ -d ${TOMCAT_INSTALL_DIR} ]]; then + echo "error: ${TOMCAT_INSTALL_DIR} exists." + return 1 + fi + + tar -C "${POLICY_HOME}/servers" -xf "${POLICY_HOME}/install/3rdparty/${TOMCAT_PACKAGE_NAME}.tar.gz" + + mv "${POLICY_HOME}/servers/${TOMCAT_PACKAGE_NAME}" "${POLICY_HOME}/servers/${COMPONENT_TYPE}/" + /bin/cp "${POLICY_HOME}"/install/servers/common/tomcat/bin/* "${POLICY_HOME}/servers/${COMPONENT_TYPE}/bin" + /bin/cp "${POLICY_HOME}"/install/servers/common/tomcat/conf/* "${POLICY_HOME}/servers/${COMPONENT_TYPE}/conf" + + /bin/cp "${POLICY_HOME}/install/servers/common/tomcat/init.d/tomcatd" "${POLICY_HOME}/etc/init.d/${COMPONENT_TYPE}" + /bin/sed -i -e "s!\${{COMPONENT_TYPE}}!${COMPONENT_TYPE}!g" "${POLICY_HOME}/etc/init.d/${COMPONENT_TYPE}" >/dev/null 2>&1 + + + /bin/cp -fr "${POLICY_HOME}"/install/servers/${COMPONENT_TYPE}/webapps/* "${POLICY_HOME}/servers/${COMPONENT_TYPE}/webapps" + /bin/cp -fr "${POLICY_HOME}"/install/servers/${COMPONENT_TYPE}/bin/* "${POLICY_HOME}/servers/${COMPONENT_TYPE}/bin" >/dev/null 2>&1 + /bin/cp -fr "${POLICY_HOME}"/install/servers/${COMPONENT_TYPE}/conf/* "${POLICY_HOME}/servers/${COMPONENT_TYPE}/conf" >/dev/null 2>&1 + + /bin/rm -fr "${POLICY_HOME}/servers/${COMPONENT_TYPE}/webapps/docs" \ + "${POLICY_HOME}/servers/${COMPONENT_TYPE}/webapps/examples" \ + "${POLICY_HOME}/servers/${COMPONENT_TYPE}/webapps/ROOT" \ + "${POLICY_HOME}/servers/${COMPONENT_TYPE}/webapps/manager" \ + "${POLICY_HOME}/servers/${COMPONENT_TYPE}/webapps/host-manager" + + if [[ 
${COMPONENT_TYPE} == console ]]; then + install_ecomp_portal_settings + fi + + return 0 +} + +function configure_tomcat_component() { + configure_component "${COMPONENT_TYPE}.conf" "${POLICY_HOME}/servers/${COMPONENT_TYPE}/" +} + +function configure_component() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + if ! process_configuration "${COMPONENT_TYPE}.conf"; then + echo "error: aborting ${COMPONENT_TYPE} installation: cannot process configuration ${COMPONENT_TYPE}.conf" + exit 1 + fi + + CONF_FILE=$1 + COMPONENT_ROOT_DIR=$2 + + SED_LINE="sed -i" + SED_LINE+=" -e 's!\${{POLICY_HOME}}!${POLICY_HOME}!g' " + SED_LINE+=" -e 's!\${{POLICY_USER}}!${POLICY_USER}!g' " + SED_LINE+=" -e 's!\${{POLICY_GROUP}}!${POLICY_GROUP}!g' " + SED_LINE+=" -e 's!\${{KEYSTORE_PASSWD}}!${KEYSTORE_PASSWD}!g' " + SED_LINE+=" -e 's!\${{JAVA_HOME}}!${JAVA_HOME}!g' " + SED_LINE+=" -e 's!\${{COMPONENT_TYPE}}!${COMPONENT_TYPE}!g' " + + while read line || [ -n "${line}" ]; do + if [[ -n $line ]] && [[ $line != \#* ]]; then + name=$(echo "${line%%=*}") + value=$(echo "${line#*=}") + # escape ampersand so that sed does not replace it with the search string + value=${value//&/\\&} + if [[ -z ${name} ]] || [[ -z ${value} ]]; then + echo "WARNING: ${line} missing name or value" + fi + SED_LINE+=" -e 's!\${{${name}}}!${value}!g' " + + fi + done < "$CONF_FILE" + + SED_FILES="" + for sed_file in $(find "${COMPONENT_ROOT_DIR}" -name '*.xml' -o -name '*.sh' -o -name '*.properties' -o -name '*.conf' -o -name '*.cfg' -o -name '*.template' -o -name '*.conf' -o -name '*.cron' -o -name '*.json' | grep -v /backup/); do + if fgrep -l '${{' ${sed_file} > /dev/null 2>&1; then + SED_FILES+="${sed_file} " + fi + done + + if [[ -f $HOME/.m2/settings.xml ]]; then + SED_FILES+="$HOME/.m2/settings.xml " + fi + + + if [[ -z ${SED_FILES} ]]; then + echo "WARNING: no xml, sh, properties, or conf files to perform configuration expansion" + else + SED_LINE+=${SED_FILES} + eval "${SED_LINE}" + 
fi + + list_unexpanded_files ${POLICY_HOME} +} + +function install_ecomp_portal_settings() { + echo "Install ecomp portal settings" + + # unpack ecomp war file + mkdir -p "${POLICY_HOME}"/servers/console/webapps/ecomp + cd "${POLICY_HOME}"/servers/console/webapps/ecomp + unzip -q ../ecomp.war + cd ${INSTALL_DIR} + + # copy over the configured settings + /bin/cp -fr "${POLICY_HOME}"/install/servers/ecomp/* "${POLICY_HOME}/servers/console/webapps/ecomp" +} + +function check_r_file() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + FILE=$1 + if [[ ! -f ${FILE} || ! -r ${FILE} ]]; then + return 1 + fi + + return 0 +} + +function check_x_file() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + FILE=$1 + if [[ ! -f ${FILE} || ! -x ${FILE} ]]; then + return 1 + fi + + return 0 +} + +function install_prereqs() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + CONF_FILE=$1 + + if ! check_r_file "${CONF_FILE}"; then + echo "error: aborting ${COMPONENT_TYPE} installation: ${CONF_FILE} is not accessible" + exit 1 + fi + + if ! process_configuration "${CONF_FILE}"; then + echo "error: aborting ${COMPONENT_TYPE} installation: cannot process configuration ${CONF_FILE}" + exit 1 + fi + +# if ! check_java "1.8"; then +# echo "error: aborting ${COMPONENT_TYPE} installation: invalid java version" +# exit 1 +# fi + + if [[ -z ${POLICY_HOME} ]]; then + echo "error: aborting ${COMPONENT_TYPE} installation: ${POLICY_HOME} is not set" + exit 1 + fi + + HOME_OWNER=$(ls -ld "${POLICY_HOME}" | awk '{print $3}') + if [[ ${HOME_OWNER} != ${POLICY_USER} ]]; then + echo "error: aborting ${COMPONENT_TYPE} installation: ${POLICY_USER} does not own ${POLICY_HOME} directory" + exit 1 + fi + + echo -n "Starting ${OPERATION} of ${COMPONENT_TYPE} under ${POLICY_USER}:${POLICY_GROUP} " + echo "ownership with umask $(umask)." 
+} + +function list_unexpanded_files() { + ROOT_DIR=$1 + SEARCH_LIST=$(find ${ROOT_DIR} -type f -name '*.properties' -o -name '*.sh' -o -name '*.conf' -o -name '*.yml' -o -name '*.template' -o -name '*.xml' -o -name '*.cfg' -o -name '*.json' -o -path "${ROOT_DIR}/etc/init.d/*" | egrep -v '/m2/|/install/|/logs/') + NOT_EXPANDED_BASE_FILES=$(grep -l '${{' ${SEARCH_LIST} 2> /dev/null) + if [[ -n ${NOT_EXPANDED_BASE_FILES} ]]; then + echo "error: component installation has completed but some base files have not been expanded:" + echo "${NOT_EXPANDED_BASE_FILES}" + return 1 + fi + return 0 +} + +function install_base() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + install_prereqs "${BASE_CONF}" + + if [[ -z ${POLICY_HOME} ]]; then + echo "error: ${POLICY_HOME} is not set" + exit 1 + fi + + POLICY_HOME_CONTENTS=$(ls -A "${POLICY_HOME}" 2> /dev/null) + if [[ -n ${POLICY_HOME_CONTENTS} ]]; then + echo "error: aborting base installation: ${POLICY_HOME} directory is not empty" + exit 1 + fi + + if [[ ! -d ${POLICY_HOME} ]]; then + echo "error: aborting base installation: ${POLICY_HOME} is not a directory." + exit 1 + fi + + if ! /bin/mkdir -p "${POLICY_HOME}/servers/" > /dev/null 2>&1; then + echo "error: aborting base installation: cannot create ${POLICY_HOME}/servers/" + exit 1 + fi + + if ! /bin/mkdir -p "${POLICY_HOME}/logs/" > /dev/null 2>&1; then + echo "error: aborting base installation: cannot create ${POLICY_HOME}/logs/" + exit 1 + fi + + BASE_TGZ=$(ls base-*.tar.gz) + if [ ! -r ${BASE_TGZ} ]; then + echo "error: aborting base installation: ${POLICY_USER} cannot access tar file: ${BASE_TGZ}" + exit 1 + fi + + tar -tzf ${BASE_TGZ} > /dev/null 2>&1 + if [[ $? != 0 ]]; then + echo >&2 "error: aborting base installation: invalid base package tar file: ${BASE_TGZ}" + exit 1 + fi + + BASH_PROFILE_LINE=". ${POLICY_HOME}/etc/profile.d/env.sh" + PROFILE_LINE="ps -p \$\$ | grep -q bash || . 
${POLICY_HOME}/etc/profile.d/env.sh" + + tar -C ${POLICY_HOME} -xf ${BASE_TGZ} --no-same-owner + if [[ $? != 0 ]]; then + # this should not happened + echo "error: aborting base installation: base package cannot be unpacked: ${BASE_TGZ}" + exit 1 + fi + + /bin/mkdir -p ${POLICY_HOME}/etc/ssl > /dev/null 2>&1 + /bin/mkdir -p ${POLICY_HOME}/etc/init.d > /dev/null 2>&1 + /bin/mkdir -p ${POLICY_HOME}/tmp > /dev/null 2>&1 + /bin/mkdir -p ${POLICY_HOME}/var > /dev/null 2>&1 + + #list_unexpanded_files ${POLICY_HOME} +} + + +function configure_base() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + # check if fqdn is set in base.conf and use that value if set + if [[ -z ${INSTALL_FQDN} ]] + then + echo "FQDN not set in config...using the default FQDN ${FQDN}" + else + echo "Using FQDN ${INSTALL_FQDN} from config" + FQDN=${INSTALL_FQDN} + fi + + configure_component "${BASE_CONF}" "${POLICY_HOME}" + + BASH_PROFILE_LINE=". ${POLICY_HOME}/etc/profile.d/env.sh" + PROFILE_LINE="ps -p \$\$ | grep -q bash || . ${POLICY_HOME}/etc/profile.d/env.sh" + + if ! fgrep -x "${BASH_PROFILE_LINE}" "${HOME}/.bash_profile" >/dev/null 2>&1; then + echo "${BASH_PROFILE_LINE}" >> "${HOME}/.bash_profile" + fi + + if ! fgrep -x "${PROFILE_LINE}" "${HOME}/.profile" >/dev/null 2>&1; then + echo "${PROFILE_LINE}" >> "${HOME}/.profile" + fi +} + +function install_tomcat_component() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + install_prereqs "${BASE_CONF}" + + if ! process_configuration "${COMPONENT_TYPE}.conf"; then + echo "error: aborting ${COMPONENT_TYPE} installation: cannot process configuration ${COMPONENT_TYPE}.conf" + exit 1 + fi + + if ! tomcat_component; then + echo "error: aborting ${COMPONENT_TYPE} installation: tomcat installation failed." + exit 1 + fi + +} + +# This function installs mysql related shell scripts and sql files in the proper locations +# under $POLICY_HOME. 
It also adds the MySQL client bin to the PATH based on configuration. +# +function install_mysql() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + install_prereqs "${BASE_CONF}" + + if ! process_configuration "${COMPONENT_TYPE}.conf"; then + echo "error: aborting ${COMPONENT_TYPE} installation: cannot process configuration ${COMPONENT_TYPE}.conf" + exit 1 + fi + + MYSQL_DATA_PATH=${POLICY_HOME}/data/mysql + /bin/mkdir -p ${MYSQL_DATA_PATH} > /dev/null 2>&1 + + /bin/cp -f "${POLICY_HOME}"/install/mysql/data/* "${MYSQL_DATA_PATH}" + /bin/chmod 555 "${MYSQL_DATA_PATH}"/* + + MYSQL_BIN_SOURCE=${POLICY_HOME}/install/mysql/bin + /bin/mkdir -p ${POLICY_HOME}/bin > /dev/null 2>&1 + for script in $(/bin/ls "${MYSQL_BIN_SOURCE}"); do + /bin/cp ${MYSQL_BIN_SOURCE}/${script} ${POLICY_HOME}/bin + /bin/chmod 555 "${POLICY_HOME}/bin/${script}" + done +} + +function configure_mysql() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + # nothing to do +} + +# This function installs brmsgw related shell scripts and config files in the proper +# locations under $POLICY_HOME. +# + +function install_brmsgw() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + install_prereqs "${BASE_CONF}" + + if ! process_configuration "${COMPONENT_TYPE}.conf"; then + echo "error: aborting ${COMPONENT_TYPE} installation: cannot process configuration ${COMPONENT_TYPE}.conf" + exit 1 + fi + + if [ -z "$M2_HOME" ]; then + echo "error: aborting ${COMPONENT_TYPE} installation: M2_HOME must be set in brmsgw.conf" + exit 1 + fi + + echo "export M2_HOME=$M2_HOME" >>$POLICY_HOME/etc/profile.d/env.sh + + /bin/cp -f "${POLICY_HOME}/install/servers/brmsgw/init.d/brmsgw" "${POLICY_HOME}/etc/init.d/brmsgw" + + if ! 
/bin/mkdir -p "${POLICY_HOME}/servers/${COMPONENT_TYPE}" > /dev/null 2>&1; then + echo "error: aborting base installation: cannot create ${POLICY_HOME}/servers/${COMPONENT_TYPE}" + exit 1 + fi + + /bin/cp -fr "${POLICY_HOME}"/install/servers/${COMPONENT_TYPE}/BRMSGateway.jar "${POLICY_HOME}/servers/${COMPONENT_TYPE}" + /bin/cp -fr "${POLICY_HOME}"/install/servers/${COMPONENT_TYPE}/*.properties "${POLICY_HOME}/servers/${COMPONENT_TYPE}" + /bin/cp -fr "${POLICY_HOME}"/install/servers/${COMPONENT_TYPE}/config "${POLICY_HOME}/servers/${COMPONENT_TYPE}" + + /bin/mv $POLICY_HOME/m2 $HOME/.m2 + + return 0 +} + + +function install_logparser() { + if [[ $DEBUG == y ]]; then + echo "-- ${FUNCNAME[0]} $@ --" + set -x + fi + + install_prereqs "${BASE_CONF}" + + if ! process_configuration "${COMPONENT_TYPE}.conf"; then + echo "error: aborting ${COMPONENT_TYPE} installation: cannot process configuration ${COMPONENT_TYPE}.conf" + exit 1 + fi + + LP_TARGET_DIR=${POLICY_HOME}/servers/${COMPONENT_TYPE} + /bin/mkdir -p ${LP_TARGET_DIR}/bin > /dev/null 2>&1 + /bin/mkdir -p ${LP_TARGET_DIR}/logs > /dev/null 2>&1 + + # copy binaries, initialization script and configuration + /bin/cp "${POLICY_HOME}"/install/servers/common/logparser/bin/*jar "${LP_TARGET_DIR}/bin" + /bin/cp "${POLICY_HOME}/install/servers/common/logparser/init.d/logparserd" "${POLICY_HOME}/etc/init.d/${COMPONENT_TYPE}" + /bin/cp "${POLICY_HOME}/install/servers/${COMPONENT_TYPE}/bin/parserlog.properties" "${LP_TARGET_DIR}/bin" + /bin/cp -fr "${POLICY_HOME}"/install/servers/${COMPONENT_TYPE}/bin/config "${POLICY_HOME}/servers/${COMPONENT_TYPE}/bin" + +} + +######################################################################### +## +## script execution body +## +######################################################################### + + +OPERATION=none +COMPONENT_TYPE=none +DEBUG=n + +BASE_CONF=base.conf + +TOMCAT_PACKAGE_NAME=apache-tomcat-8.0.23 + +INSTALL_DIR="$(pwd)" + +export POLICY_USER=$(/usr/bin/id -un) + +# 
command line options parsing +until [[ -z "$1" ]]; do + case $1 in + -d|--debug) DEBUG=y + set -x + ;; + -i|--install) OPERATION=install + shift + COMPONENT_TYPE=$1 + ;; + -c|--configure) OPERATION=configure + shift + COMPONENT_TYPE=$1 + ;; + *) usage + exit 1 + ;; + esac + shift +done + +# component-type validation +case $COMPONENT_TYPE in + base) ;; + pypdp) ;; + pdp) ;; + pap) ;; + console) ;; + mysql) ;; + brmsgw) ;; + paplp) ;; + pdplp) ;; + skip) ;; + *) echo "invalid component type (${COMPONENT_TYPE}): must be in {base|pypdp|pdp|pap|console|mysql|brmsgw|paplp|pdplp}"; + usage + exit 1 + ;; +esac + +# operation validation +case $OPERATION in + install|configure) ;; + *) echo "invalid operation (${OPERATION}): must be in {install|configure}"; + usage + exit 1 + ;; +esac + +if [[ -n ${POLICY_GROUP} ]]; then + groups=$(groups) + if ! echo ${groups} | grep -qP "\b${POLICY_GROUP}"; then + echo "error: ${POLICY_GROUP} is not a valid group for account ${POLICY_USER}" + exit 1 + fi +fi + +if [[ -z ${POLICY_GROUP} ]]; then + numGroups=$(groups | sed "s/^.*: *//g" | wc -w) + if [ ${numGroups} -eq 1 ]; then + export POLICY_GROUP=$(groups ${POLICY_USER} | sed "s/^.*: *//g") + else + echo "error: ${POLICY_USER} belongs to multiple groups, one group \ + must be provided for the installation" + usage + exit 1 + fi +fi + +if [[ -z ${POLICY_GROUP} ]]; then + echo "error: installation of root section must not provide the \ + installation group owner argument." + usage + exit 1 +fi + +FQDN=$(hostname -f 2> /dev/null) +if [[ $? != 0 || -z ${FQDN} ]]; then + echo "error: cannot determine the FQDN for this host $(hostname)." 
+ exit 1 +fi + +if [[ ${OPERATION} == install ]]; then + case $COMPONENT_TYPE in + base) + install_base + ;; + pypdp) + install_tomcat_component + ;; + pdp) + install_tomcat_component + ;; + pap) + install_tomcat_component + ;; + console) + install_tomcat_component + ;; + mysql) + install_mysql + ;; + brmsgw) + install_brmsgw + ;; + paplp|pdplp) + install_logparser + ;; + *) + echo "invalid component type (${COMPONENT_TYPE}): must be in {base|pypdp|pdp|pap|console|mysql|brmsgw|paplp|pdplp}"; + usage + exit 1 + ;; + esac +fi +if [[ ${OPERATION} == configure ]]; then + + install_prereqs "${BASE_CONF}" + + case $COMPONENT_TYPE in + base) + configure_base + component_preconfigure + ;; + pypdp) + configure_component "${COMPONENT_TYPE}.conf" "${POLICY_HOME}/servers/${COMPONENT_TYPE}/" + ;; + pdp) + configure_component "${COMPONENT_TYPE}.conf" "${POLICY_HOME}/servers/${COMPONENT_TYPE}/" + ;; + pap) + configure_component "${COMPONENT_TYPE}.conf" "${POLICY_HOME}/servers/${COMPONENT_TYPE}/" + ;; + console) + configure_component "${COMPONENT_TYPE}.conf" "${POLICY_HOME}/servers/${COMPONENT_TYPE}/" + ;; + mysql) + configure_mysql + ;; + brmsgw) + configure_component "${COMPONENT_TYPE}.conf" "${POLICY_HOME}/servers/${COMPONENT_TYPE}/" + ;; + paplp|pdplp) + configure_component "${COMPONENT_TYPE}.conf" "${POLICY_HOME}/servers/${COMPONENT_TYPE}/" + ;; + *) + echo "invalid component type (${COMPONENT_TYPE}): must be in {base|pypdp|pdp|pap|console|mysql|brmsgw|paplp|pdplp}"; + usage + exit 1 + ;; + esac +fi + + +echo -n "Successful ${OPERATION} of ${COMPONENT_TYPE} under ${POLICY_USER}:${POLICY_GROUP} " +echo "ownership with umask $(umask)." diff --git a/policy-pe/wait-for-port.sh b/policy-pe/wait-for-port.sh new file mode 100644 index 00000000..10f08ded --- /dev/null +++ b/policy-pe/wait-for-port.sh 
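Review bot: `eval "${name}" "${value}" 2> /dev/null` in process_configuration runs every configuration key as a command with its value as the argument and hides the resulting error, so any shell syntax that reaches a `.conf` file is executed; the `export ${name}="${value}"` on the line above already does the intended assignment, so the `eval` line should simply be removed. The same file-derived values are later spliced into `SED_LINE` and run through `eval "${SED_LINE}"` in configure_component, where a value containing `'` or `!` breaks out of the single-quoted sed expression; collecting the expressions in an array (`sed_args+=(-e "s!\${{${name}}}!${value}!g")`, then `sed -i "${sed_args[@]}" "${sed_files[@]}"`) removes the eval and the quoting problem together. Note also that `--debug` enables `set -x` before any configuration is read, so the traced `export` lines print `KEYSTORE_PASSWD` and `JDBC_PASSWORD` values to the log; wrap process_configuration in `set +x`/`set -x` or mask those names. Separately, `grep -qP "\b${POLICY_GROUP}"` in the group validation only anchors the start of the name, so a group that merely begins with the configured value passes; `grep -qw -- "${POLICY_GROUP}"` checks the whole word. All of the functions named here are fully contained in this hunk.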
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [[ $# -ne 2 ]]; then
+ echo "Usage: wait-for-port hostname port" >&2
+ exit 1
+fi
+
+host=$1
+port=$2
+
+echo "Waiting for $host port $port open"
+until telnet $host $port /dev/null | grep -q '^Connected'; do
+ sleep 1
+done
+
+echo "$host port $port is open"
+
+exit 0
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 00000000..d04d0c64
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,109 @@
+ + + + 4.0.0 + + + org.openecomp.policy.docker + docker + 1.0.0-SNAPSHOT + pom + Docker build + OpenECOMP Policy Docker Build + + + + + org.apache.maven.plugins + maven-dependency-plugin + + + copy-pe-zip + prepare-package + + copy + + + ${project.build.directory}/policy-pe + false + true + + + org.openecomp.policy.engine + install + ${project.version} + zip + install.zip + + + + + + copy-drools-zip + prepare-package + + copy + + + ${project.build.directory}/policy-drools + false + true + + + org.openecomp.policy.drools-pdp + install-drools + ${project.version} + zip + install-drools.zip + + + + + + copy-apps-zip + prepare-package + + copy + + + ${project.build.directory}/policy-drools + false + true + + + org.openecomp.policy.drools-applications + apps + ${project.version} + zip + apps.zip + + + + + + + + + + + -- cgit 1.2.3-korg
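Review bot: The `until telnet ... | grep -q '^Connected'` loop has no upper bound, so a peer that never comes up — or a `telnet` binary missing from the image, which fails the pipeline in exactly the same way — leaves the entrypoint waiting forever with no diagnostic; a counter such as `(( ++tries > ${MAX_TRIES:-300} )) && { echo "timeout waiting for $host:$port" >&2; exit 1; }` inside the loop body turns that into a visible failure. As rendered, `telnet $host $port /dev/null` appears to have lost a stdin redirect (`</dev/null`), which is worth confirming against the committed file since without it telnet may block on the terminal. `"$host"` and `"$port"` should be quoted so an empty or space-containing argument does not silently change the command.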