From 438c34fef9dc6283a1de3850d68779e642d2bc76 Mon Sep 17 00:00:00 2001 From: Giacomo Sanchietti Date: Thu, 23 Jan 2025 16:42:15 +0100 Subject: [PATCH] feat: add tmce plugin Include the jar plugin as encrypted file inside the webapp container image. Add an entrypoint script that decrypts the jar when the container is started. Subscribe also to subscription-change event to adapt the environment.
---
build-images.sh | 12 ++++++++++++ .../actions/configure-module/30subscription | 19 +++++++++++++++++++ .../subscription-changed/30subscription | 1 + .../events/subscription-changed/70restart | 8 ++++++++ imageroot/systemd/user/webapp.service | 1 + webapp/entrypoint.sh | 14 ++++++++++++++ 6 files changed, 55 insertions(+) create mode 100755 imageroot/actions/configure-module/30subscription create mode 120000 imageroot/events/subscription-changed/30subscription create mode 100755 imageroot/events/subscription-changed/70restart create mode 100755 webapp/entrypoint.sh
diff --git a/build-images.sh b/build-images.sh
index 076aa428..938effc5 100644
--- a/build-images.sh
+++ b/build-images.sh
@@ -63,9 +63,19 @@ pecbridge_tmp_dir=$(mktemp -d)
 cleanup_list+=("${pecbridge_tmp_dir}")
 tar -C "${pecbridge_tmp_dir}" -x -v -z -f pecbridge-*.tar.gz
+# Download tmce plugin jar: plugin is encrypted with GPG, the password is 'subscription'
+tmce_jar_url="https://distfeed.nethserver.org/webtop/webtop-tmceplugins-6.3.1.0.jar.gpg"
+tmce_jar_path="${PWD}/webtop-tmceplugins-6.3.1.0.jar.gpg"
+echo "Downloading encrypted tmce plugin jar from ${tmce_jar_url}..."
+curl --fail -L -o "${tmce_jar_path}" "${tmce_jar_url}"
+
 #Create webtop-webapp container
 reponame="webtop-webapp"
 container=$(buildah from docker.io/library/tomcat:8-jre8)
+buildah run ${container} apt-get update
+buildah run ${container} apt-get install -y gpg
+buildah run ${container} apt-get clean
+buildah run ${container} rm -rf /var/lib/apt/lists/*
 buildah add ${container} ${webapp_tmp_dir}/webtop /usr/local/tomcat/webapps/webtop/
 buildah add ${container} ${PWD}/webtop5-build/webtop-login/ /usr/local/tomcat/webapps/webtop/WEB-INF/classes/
 buildah add ${container} ${jcharset_tmp_dir}/jcharset-2.0.jar /usr/local/tomcat/webapps/webtop/lib/
@@ -75,6 +85,8 @@ buildah add ${container} ${PWD}/zfaker/wrappers/php /usr/share/webtop/bin/php
 buildah add ${container} ${PWD}/zfaker/wrappers/z-push-admin-wapper /usr/share/webtop/bin/z-push-admin-wrapper
 buildah add ${container} ${pecbridge_tmp_dir}/pecbridge /usr/share/pecbridge
 buildah add ${container} ${PWD}/webapp/ /
+buildah add ${container} "${tmce_jar_path}" /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar.gpg
+buildah config --entrypoint=/entrypoint.sh ${container}
 # Commit the image
 buildah commit --rm "${container}" "${repobase}/${reponame}"
diff --git a/imageroot/actions/configure-module/30subscription b/imageroot/actions/configure-module/30subscription
new file mode 100755
index 00000000..e7012d4f
--- /dev/null
+++ b/imageroot/actions/configure-module/30subscription
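Review bot: The encrypted jar fetched by `curl --fail -L` in the first hunk is added to the image without any integrity check, so whatever the feed (or a redirect target) returns at build time ends up in `WEB-INF/lib`. Pin the expected digest next to `tmce_jar_url` and verify it before `buildah add`, e.g. `echo "${tmce_jar_sha256}  ${tmce_jar_path}" | sha256sum -c -`, where `tmce_jar_sha256` is a variable you add holding the known-good SHA-256. The symmetric passphrase is published in this comment and in `webapp/entrypoint.sh`, so the encryption is obfuscation only and gives no authenticity; the comment should say so. The download also lands in `${PWD}` and is not appended to `cleanup_list` like the temporary directories above it.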
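Review bot: `buildah config --entrypoint=/entrypoint.sh` in the second hunk passes the entrypoint as a plain string, which buildah, like the Dockerfile shell form, presumably stores as a `/bin/sh -c` wrapper, so the image command would not reach the script as arguments. The exec form, `buildah config --entrypoint='["/entrypoint.sh"]' ${container}`, lets the script receive the command and hand over to it. `${container}` is unquoted on the added lines, matching the surrounding file, but `"${container}"` as used in the `buildah commit` line would be the safer habit.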
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import agent
+
+rdb = agent.redis_connect(privileged=False)
+
+subscription = rdb.hgetall('cluster/subscription')
+
+with open('subscription.env', 'w') as env:
+ if subscription:
+ env.write(f'VALID_SUBSCRIPTION=true\n')
+ else:
+ env.write(f'VALID_SUBSCRIPTION=false\n')
+
diff --git a/imageroot/events/subscription-changed/30subscription b/imageroot/events/subscription-changed/30subscription
new file mode 120000
index 00000000..e0e147df
--- /dev/null
+++ b/imageroot/events/subscription-changed/30subscription
@@ -0,0 +1 @@
+../../actions/configure-module/30subscription
\ No newline at end of file
diff --git a/imageroot/events/subscription-changed/70restart b/imageroot/events/subscription-changed/70restart
new file mode 100755
index 00000000..93739a25
--- /dev/null
+++ b/imageroot/events/subscription-changed/70restart
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+systemctl --user restart webapp
diff --git a/imageroot/systemd/user/webapp.service b/imageroot/systemd/user/webapp.service
index 301f1712..1e2898a4 100644
--- a/imageroot/systemd/user/webapp.service
+++ b/imageroot/systemd/user/webapp.service
@@ -22,6 +22,7 @@ ExecStart=/usr/bin/podman run \
 -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true \
 -Dmail.mime.address.strict=false -Dwebtop.etc.dir=/etc/webtop \
 -Duser.timezone=${WEBTOP_TIMEZONE}" \
+ --env-file=%S/state/subscription.env \
 --volume=webtop-home:/var/lib/nethserver/webtop \
 --volume=./webtop.properties:/etc/webtop/webtop.properties:z \
 --pod=webtop \
diff --git a/webapp/entrypoint.sh b/webapp/entrypoint.sh
new file mode 100755
index 00000000..0a14900f
--- /dev/null
+++ b/webapp/entrypoint.sh
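Review bot: The check `if subscription:` in `configure-module/30subscription` treats any non-empty `cluster/subscription` hash as a valid subscription, so a stale or partially filled hash would still write `VALID_SUBSCRIPTION=true`; if the hash carries a status or expiry field (its schema is not visible here), test that field explicitly. The two `env.write(f'...')` calls are f-strings without placeholders and can collapse to `env.write('VALID_SUBSCRIPTION=' + ('true' if subscription else 'false') + '\n')`. A short comment stating that `subscription.env` is written to the working directory and later consumed by webapp.service through `--env-file=%S/state/subscription.env` would tie the two files together for the next reader.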
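Review bot: `systemctl --user restart webapp` in `subscription-changed/70restart` also starts the unit when it is stopped, so a subscription-changed event reaching a module that is not configured yet, or one that was stopped on purpose, would bring the webapp up. `systemctl --user try-restart webapp` restarts only a unit that is already running. A one-line comment saying the restart exists so the container re-reads `subscription.env` would explain why this handler is ordered after `30subscription`.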
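Review bot: The added `--env-file=%S/state/subscription.env` makes the unit depend on a file that only the new configure-module step and the subscription-changed handler create, and podman refuses to start a container when an env file is missing. An instance updated to this image without re-running configure-module would therefore presumably fail to start, unless an update hook outside this patch writes the file. Consider creating it in the update path, or in an `ExecStartPre` that writes `VALID_SUBSCRIPTION=false` when the file is absent. The ExecStart command begins and ends outside this hunk, so an existing guard may not be visible here.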
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+# Enable tmce plugin only if subscription is enabled
+
+# Decrypt tmce plugins jar if subscription is enabled
+if [ "VALID_SUBSCRIPTION=true" ]; then
+ gpg --batch --yes --passphrase 'subscription' -d -o /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar \
+ /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar.gpg
+fi
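Review bot: The test `[ "VALID_SUBSCRIPTION=true" ]` checks a non-empty literal rather than the variable, so it is always true and the jar is decrypted whether or not the subscription is valid; it should read `if [ "${VALID_SUBSCRIPTION:-false}" = "true" ]; then`. The script also ends at `fi` without handing over to the server process, so as the image entrypoint it would exit after the gpg call unless the podman command in webapp.service supplies its own entrypoint, which is not visible here; a final `exec "$@"` (with the entrypoint configured in exec form so the image command arrives as arguments) keeps Tomcat as the container's main process. The gpg exit status is ignored, so a failed decryption goes unnoticed; log it, or stop there if the plugin is required when the subscription is valid.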