Update for 3.1.0 release

Author: sfmwilson

LICENSE.txt

@@ -1 +1 @@
-3.0.5
+3.1.0

VERSION

@@ -42,15 +42,6 @@ cat << "__EOF__"
                        UUU         UUU         UUU
 __EOF__
 
-RAM_TOTAL=$(free -m | grep Mem | awk '{print $2}')
-if [ $RAM_TOTAL -lt 7200 ]; then
-    echo
-    echo "*** ERROR: Sandfly Server requires 8GB or more of RAM. Please increase"
-    echo "           this system's RAM and log in again to start the Sandfly Server"
-    echo "           installation process."
-    exit 1
-fi
-
 echo
 echo "******************************************************************************"
 echo "***** Sandfly Automated Single-VM Setup **************************************"
@@ -134,14 +125,14 @@ done
 echo
 echo "******************************************************************************"
 echo "Waiting for Sandfly Server to configure and start. This will take about"
-echo "60 seconds."
+echo "20 seconds."
 echo "******************************************************************************"
 echo
 $SUDO ./start_server.sh >/dev/null 2>&1
 # Wait a maximum of 2 minutes, double what we should need
 TIMER=120
 while true; do
-    docker logs sandfly-server 2>&1 | grep "started and is ready" > /dev/null
+    docker logs sandfly-server 2>&1 | grep "Starting Sandfly API service version" > /dev/null
     if [ $? -eq 0 ]; then
         echo
         break
@@ -189,7 +180,7 @@ echo "** SANDFLY INSTALLATION COMPLETE
 echo "**                                                                          **"
 echo "** Use the URL and login information printed below to log in to your        **"
 echo "** server. The initial admin password is stored on this server in           **"
-echo "** the setup_data directory; we recommend you change your intial            **"
+echo "** the setup_data directory; we recommend you change your initial           **"
 echo "** password after logging in.                                               **"
 echo "**                                                                          **"
 echo "******************************************************************************"

setup/auto_install_allinone.sh

@@ -4,7 +4,7 @@
 
 # This script will install the Sandfly server. By default, it will run
 # through an interactive setup process that is appropriate for users wishing
-# to control the location of Elasticsearch, Rabbit, etc.
+# to control the location of Rabbit, etc.
 #
 # The script is also capable of performing a non-interactive automated all-
 # in-one single-system setup. To perform the automated setup, set the
@@ -19,10 +19,11 @@
 
 # Make sure we run from the correct directory so relative paths work
 cd "$( dirname "${BASH_SOURCE[0]}" )"
+SETUP_DATA_DIR=./setup_data
 
 VERSION=${SANDFLY_SETUP_VERSION:-$(cat ../VERSION)}
 DOCKER_BASE=${SANDFLY_SETUP_DOCKER_BASE:-quay.io/sandfly}
-export SANDFLY_MGMT_DOCKER_IMAGE="$DOCKER_BASE/sandfly-server-mgmt:$VERSION"
+export SANDFLY_MGMT_DOCKER_IMAGE="$DOCKER_BASE/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
 
 # Is this an automated install?
 [ -n "$SANDFLY_SETUP_AUTO_HOSTNAME" ] && export SANDFLY_AUTO=YES
@@ -49,63 +50,15 @@ Sandfly Management Image: $SANDFLY_MGMT_DOCKER_IMAGE
 
 EOF
 
-if [ -z "$SANDFLY_AUTO" ]; then
-  cat << EOF
-
-******************************************************************************
-Elasticsearch Database Setup
-
-If you want to use an external Elasticsearch cluster, please fill in the field
-below with the URL. Otherwise, just hit enter and we'll use the default URL.
-
-The default URL is internally routed only with the Sandfly server and is not
-reachable over the network.
-
-External Elasticsearch clusters will need to be secured according to your
-network policies. If you are using a username/password and SSL for an external
-Elasticsearch cluster then the URL should be the format:
-
-https://username:password@elastic.example.com:9200
-
-Where username is the username for Elasticsearch (default "elastic") and
-password is the password for the login you configured.
-
-After setup is completed, you can copy over a certificate for the SSL
-connection for the Elasticsearch cluster. Please see the documentation for
-more details on how to do this.
-******************************************************************************
-
-EOF
-
-  read -p "Optional Elasticsearch URL (Default: http://elasticsearch:9200): " ELASTIC_SERVER_URL
-fi
-
-if [[ ! "$ELASTIC_SERVER_URL" ]]; then
-    echo "No Elasticsearch URL provided. Using default."
-else
-    echo "Setting Elasticsearch URL to: $ELASTIC_SERVER_URL"
-    export ELASTIC_SERVER_URL
-fi
-
 docker network create sandfly-net 2>/dev/null
 docker rm sandfly-server-mgmt 2>/dev/null
 
-# Use standard Elasticsearch image unless overriden.
-if [[ -z "${ELASTIC_SERVER_URL}" ]]
-then
-  echo "Starting default Elasticsearch database. Please wait a bit."
-  ../start_scripts/start_elastic.sh
-  temp_cnt=30
-  while [[ ${temp_cnt} -gt 0 ]];
-  do
-      printf "\rWaiting %2d second(s) for Elasticsearch to start and settle down." ${temp_cnt}
-      sleep 1
-      ((temp_cnt--))
-  done
-else
-  echo "Using remote Elasticsearch URL for database: $ELASTIC_SERVER_URL"
-fi
-
+# The first time we start Postgres, we need to assign a superuser password.
+POSTGRES_ADMIN_PASSWORD=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c40)
+echo "$POSTGRES_ADMIN_PASSWORD" > $SETUP_DATA_DIR/postgres.admin.password.txt
+echo "Starting Postgres database."
+../start_scripts/start_postgres.sh
+sleep 5
 
 ./setup_scripts/setup_server.sh
 if [[ $? -eq 1 ]]
@@ -169,7 +122,7 @@ server:
 
 ./start_sandfly.sh
 
-Your randomly generated password for the admin account is is located under:
+Your randomly generated password for the admin account is located under:
 
 $PWD/setup_data/admin.password.txt
 ******************************************************************************

setup/install.sh

@@ -1,4 +1,5 @@
 {
+	"config_version": 2,
 	"server": {
 		"keys": {
 			"server": {
@@ -7,12 +8,12 @@
 			},
 			"node": {
 				"public_key": "server_keys_node_public_key_b64"
-			}
+			},
+			"jwt": "server_keys_jwt"
 		},
 		"ssl": {
 			"server": {
 				"cacert": "server_ssl_server_cacert_b64",
-				"dhparam": "server_ssl_server_dhparam_b64",
 				"cert": "server_ssl_server_cert_b64",
 				"cert_signed": "server_ssl_server_cert_signed_b64",
 				"private_key": "server_ssl_server_key_b64",
@@ -32,15 +33,10 @@
 			"password": "api_password"
 		},
 		"db": {
-			"elastic": {
-				"main": {
-					"url": "db_elastic_main_url",
-					"cacert": "db_elastic_main_cacert_b64"
-				},
-				"replication": {
-					"url": "db_elastic_replication_url",
-					"cacert": "db_elastic_replication_cacert_b64"
-				}
+			"postgres": {
+				"connstr": "db_postgres_connstr",
+				"postgres_password": "db_postgres_postgres_password",
+				"sandfly_password": "db_postgres_sandfly_password"
 			}
 		},
 		"options": {

setup/setup_data/templates/config.server.template.json

@@ -20,7 +20,7 @@ EOF
 # Use standard docker image unless overriden.
 if [[ -z "${SANDFLY_MGMT_DOCKER_IMAGE}" ]]; then
   VERSION=$(cat ../VERSION)
-  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt:$VERSION"
+  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
 fi
 
 docker network create sandfly-net 2>/dev/null

setup/setup_scripts/setup_config_json.sh

@@ -11,7 +11,7 @@ docker version >/dev/null 2>&1 || { echo "This script must be run as root or as
 # Use standard docker image unless overriden.
 if [[ -z "${SANDFLY_MGMT_DOCKER_IMAGE}" ]]; then
   VERSION=$(cat ../VERSION)
-  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt:$VERSION"
+  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
 fi
 
 CONFIG_JSON=$(cat setup_data/config.server.json) \

setup/setup_scripts/setup_demo_license.sh

@@ -20,7 +20,7 @@ EOF
 # Use standard docker image unless overriden.
 if [[ -z "${SANDFLY_MGMT_DOCKER_IMAGE}" ]]; then
   VERSION=$(cat ../VERSION)
-  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt:$VERSION"
+  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
 fi
 
 # Sets up PGP keys pair for server and node.

setup/setup_scripts/setup_keys.sh

@@ -20,7 +20,7 @@ EOF
 # Use standard docker image unless overriden.
 if [[ -z "${SANDFLY_MGMT_DOCKER_IMAGE}" ]]; then
   VERSION=$(cat ../VERSION)
-  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt:$VERSION"
+  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
 fi
 
 docker network create sandfly-net 2>/dev/null
@@ -33,6 +33,5 @@ docker run -v /dev/urandom:/dev/random:ro \
 -v $PWD/setup_data:/usr/local/sandfly/install/setup_data \
 --name sandfly-server-mgmt \
 --network sandfly-net \
--e ELASTIC_SERVER_URL \
 -e SANDFLY_SETUP_AUTO_HOSTNAME \
 $DOCKER_INTERACTIVE $SANDFLY_MGMT_DOCKER_IMAGE /usr/local/sandfly/install/install_server.sh

setup/setup_scripts/setup_server.sh

@@ -20,7 +20,7 @@ EOF
 # Use standard docker image unless overriden.
 if [[ -z "${SANDFLY_MGMT_DOCKER_IMAGE}" ]]; then
   VERSION=$(cat ../VERSION)
-  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt:$VERSION"
+  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
 fi
 
 # Generates initial SSL keys for the Sandfly Server.

setup/setup_scripts/setup_ssl.sh

@@ -21,7 +21,7 @@ EOF
 # Use standard docker image unless overriden.
 if [[ -z "${SANDFLY_MGMT_DOCKER_IMAGE}" ]]; then
   VERSION=$(cat ../VERSION)
-  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt:$VERSION"
+  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
 fi
 
 # Calls EFF Certbot to get a signed key for the Sandfly Server.

setup/setup_scripts/setup_ssl_renew_cert.sh

@@ -29,7 +29,7 @@ EOF
 # Use standard docker image unless overriden.
 if [[ -z "${SANDFLY_MGMT_DOCKER_IMAGE}" ]]; then
   VERSION=$(cat ../VERSION)
-  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt:$VERSION"
+  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
 fi
 
 # Calls EFF Certbot to get a signed key for the Sandfly Server.

setup/setup_scripts/setup_ssl_signed.sh

@@ -66,7 +66,7 @@ fi
 # Use standard docker image unless overriden.
 if [[ -z "${SANDFLY_MGMT_DOCKER_IMAGE}" ]]; then
   VERSION=$(cat ../VERSION)
-  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt:$VERSION"
+  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
 fi
 
 docker network create sandfly-net 2>/dev/null

setup/setup_scripts/setup_ssl_signed_aio.sh

@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+# Sandfly Security LTD www.sandflysecurity.com
+# Copyright (c) 2016-2021 Sandfly Security LTD, All Rights Reserved.
+
+# Make sure we run from the correct directory so relative paths work
+cd "$( dirname "${BASH_SOURCE[0]}" )"
+
+SETUP_DATA=../setup/setup_data
+VERSION=${SANDFLY_VERSION:-$(cat ../VERSION)}
+IMAGE_BASE=${SANDFLY_IMAGE_BASE:-quay.io/sandfly}
+
+# Use standard docker image unless overriden.
+if [[ -z "${SANDFLY_MGMT_DOCKER_IMAGE}" ]]; then
+  SANDFLY_MGMT_DOCKER_IMAGE="quay.io/sandfly/sandfly-server-mgmt${IMAGE_SUFFIX}:$VERSION"
+fi
+
+
+# See if we can run Docker
+which docker >/dev/null 2>&1 || { echo "Unable to locate docker binary; please install Docker."; exit 1; }
+docker version >/dev/null 2>&1 || { echo "This script must be run as root or as a user with access to the Docker daemon."; exit 1; }
+
+docker network create sandfly-net 2>/dev/null
+docker rm sandfly-server-mgmt 2>/dev/null
+
+# We can only upgrade if Sandfly is already installed and configured.
+if [ ! -f $SETUP_DATA/config.server.json ]; then
+    echo ""
+    echo "********************************** ERROR **********************************"
+    echo "*                                                                         *"
+    echo "* Sandfly does not appear to be configured. Please use install.sh to      *"
+    echo "* install Sandfly on this host, not upgrade.sh.                           *"
+    echo "*                                                                         *"
+    echo "********************************** ERROR **********************************"
+    echo ""
+    exit 1
+fi
+
+# Don't upgrade if currently running
+server_result=$(docker inspect --format="{{.State.Running}}" sandfly-server 2> /dev/null)
+rabbit_result=$(docker inspect --format="{{.State.Running}}" sandfly-rabbit 2> /dev/null)
+if [ "${server_result}z" == "truez" -o "${rabbit_result}z" == "truez" ]; then
+    echo ""
+    echo "********************************** ERROR **********************************"
+    echo "*                                                                         *"
+    echo "* Sandfly is currently running, so cannot be upgraded. Please stop all    *"
+    echo "* Sandfly containers (e.g. \`docker ls\` to get list, then for each name,   *"
+    echo "* \`docker stop <name>\`).                                                  *"
+    echo "*                                                                         *"
+    echo "********************************** ERROR **********************************"
+    echo ""
+    exit 1
+fi
+
+# jq might not be available on the outer Docker host, so we'll do a simple grep
+# to make sure the config version isn't set yet (and thus needs to be upgraded)
+grep -q \"config_version\":\ 2, $SETUP_DATA/config.server.json
+if [ $? == 0 ]; then
+    echo ""
+    echo "********************************** ERROR **********************************"
+    echo "*                                                                         *"
+    echo "* Sandfly appears to already be upgraded to the correct version.          *"
+    echo "*                                                                         *"
+    echo "********************************** ERROR **********************************"
+    echo ""
+    exit 1
+fi
+
+# Get the old configuration.
+CONFIG_JSON=$(cat $SETUP_DATA/config.server.json)
+export CONFIG_JSON
+
+# Back up the old config
+mkdir -p $SETUP_DATA/backup
+cp $SETUP_DATA/*.json $SETUP_DATA/backup
+
+# Start the Postgres server
+# The first time we start Postgres, we need to assign a superuser password.
+if [ ! -f $SETUP_DATA_DIR/postgres.admin.password.txt ]; then
+    POSTGRES_ADMIN_PASSWORD=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c40)
+    echo "$POSTGRES_ADMIN_PASSWORD" > $SETUP_DATA/postgres.admin.password.txt
+fi
+echo "*** Starting Postgres database."
+../start_scripts/start_postgres.sh
+if [ $? -ne 0 ]; then
+    echo "*** ERROR: Error starting Postgres container; cannot proceed."
+    exit 1
+fi
+sleep 5
+
+### Start ElasticSearch if not already running
+esresult=$(docker inspect --format="{{.State.Running}}" elasticsearch 2> /dev/null)
+if [ "${esresult}z" != "truez" ]; then
+    echo "*** Starting ElasticSearch."
+    ../start_scripts/start_elastic.sh
+    if [ $? -ne 0 ]; then
+        echo "*** ERROR: Error starting ElasticSearch container; cannot proceed."
+        exit 2
+    fi
+    temp_cnt=30
+    while [[ ${temp_cnt} -gt 0 ]];
+    do
+        printf "\rWaiting %2d second(s) for Elasticsearch to start and settle down." ${temp_cnt}
+        sleep 1
+        ((temp_cnt--))
+    done
+    echo ""
+else
+    echo "*** ElasticSearch container already running."
+fi
+
+docker run \
+-v $PWD/setup_data:/usr/local/sandfly/install/setup_data \
+--name sandfly-server-mgmt \
+--network sandfly-net \
+$SANDFLY_MGMT_DOCKER_IMAGE /usr/local/sandfly/install/upgrade.sh
+
+if [ $? != 0 ]; then
+    echo "*** ERROR: Upgrade process failed. See above messages for details."
+    exit 1
+fi
+
+echo "Stopping Elasticsearch"
+docker stop elasticsearch
+docker rm elasticsearch
+
+echo ""
+echo "*********************************** INFO ***********************************"
+echo "*                                                                          *"
+echo "* The upgrade to Sandfly 3.1 is complete. Users, credentials, hosts,       *"
+echo "* schedules, and other configuration data has been migrated to the 3.1     *"
+echo "* Postgres database. You will need to run new scans (or wait for scheduled *"
+echo "* scans) for results to start re-populating.                               *"
+echo "*                                                                          *"
+echo "* Sandfly no longer uses Elasticsearch for local data storage. When        *"
+echo "* starting Sandfly 3.1, use the start_postgres.sh start script instead of  *"
+echo "* the old start_elastic.sh start script. (Or use the start_sandfly.sh      *"
+echo "* script which starts all necessary server components automatically.)      *"
+echo "*                                                                          *"
+echo "* Your Sandfly 3.0 Elasticsearch database Docker volume is still available *"
+echo "* if you need to roll back the upgrade. The Sandfly 3.0 configuration      *"
+echo "* files have been backed up to the setup_data/backup directory.            *"
+echo "*                                                                          *"
+echo "* When you are satisfied with the Sandfly 3.1 upgrade, you may permanently *"
+echo "* delete your Sandfly 3.0 Elasticsearch database with the command:         *"
+echo "*    docker volume rm sandfly-elastic-db-vol                               *"
+echo "*                                                                          *"
+echo "* Sandfly support is available at https://support.sandflysecurity.com/     *"
+echo "*                                                                          *"
+echo "*********************************** INFO ***********************************"
+echo ""

setup/upgrade.sh

@@ -41,7 +41,7 @@ fi
 
 echo "Pulling custom sandfly data from: $HOSTNAME"
 
-ACCESS_TOKEN=$(curl -s -k --request POST --header "Content-Type: application/json" --url https://"$HOSTNAME"/v3/auth/login \
+ACCESS_TOKEN=$(curl -s -k --request POST --header "Content-Type: application/json" --url https://"$HOSTNAME"/v4/auth/login \
 --data "{\"username\":\"admin\",\"password\":\"$PASSWORD\"}" |  jq -r ".access_token")
 if [[ "$ACCESS_TOKEN" == "null" ]]; then
   echo "Couldn't get access token for REST API. Check hostname and credentials and try again."
@@ -50,7 +50,7 @@ fi
 echo "Password OK. Dumping custom sandfly data."
 
 SANDFLY_JSON=$(curl -s -k --request GET --header "Content-Type: application/json" --header "Authorization: Bearer $ACCESS_TOKEN" \
---url https://"$HOSTNAME"/v3/sandflies/custom/backup | jq ".")
+--url https://"$HOSTNAME"/v4/sandflies/backup | jq ".")
 if [[ "$SANDFLY_JSON" == "null" ]]; then
   echo "Custom sandfly list appears empty. Nothing to dump."
   exit 1

setup/util_scripts/dump_custom_sandflies.sh

@@ -43,7 +43,7 @@ fi
 
 echo "Pulling host data from: $HOSTNAME"
 
-ACCESS_TOKEN=$(curl -s -k --request POST --header "Content-Type: application/json" --url https://"$HOSTNAME"/v3/auth/login \
+ACCESS_TOKEN=$(curl -s -k --request POST --header "Content-Type: application/json" --url https://"$HOSTNAME"/v4/auth/login \
 --data "{\"username\":\"admin\",\"password\":\"$PASSWORD\"}" |  jq -r ".access_token")
 
 if [[ "$ACCESS_TOKEN" == "null" ]]; then
@@ -53,7 +53,7 @@ fi
 echo "Password OK. Dumping hosts."
 
 HOST_JSON=$(curl -s -k --request GET --header "Content-Type: application/json" --header "Authorization: Bearer $ACCESS_TOKEN" \
---url https://"$HOSTNAME"/v3/hosts | jq ".")
+--url https://"$HOSTNAME"/v4/hosts | jq ".")
 if [[ "$HOST_JSON" == "null" ]]; then
   echo "Host list appears empty. Nothing to dump."
   exit 1
@@ -63,6 +63,6 @@ echo "Saving host JSON to ./sandfly.hosts.json"
 echo "$HOST_JSON" > sandfly.hosts.json
 
 echo "Saving hostname and credential ID to ./sandfly.hosts.csv"
-echo $HOST_JSON | jq -r '.hits.hits[]._source | "\(.hostname), \(.credentials_id)"' > sandfly.hosts.csv
+echo $HOST_JSON | jq -r '.data[] | "\(.hostname), \(.credentials_id)"' > sandfly.hosts.csv
 
 echo "Done!"

setup/util_scripts/dump_hosts.sh

@@ -11,7 +11,7 @@ VERSION=${SANDFLY_VERSION:-$(cat ../../VERSION)}
 IMAGE_BASE=${SANDFLY_IMAGE_BASE:-quay.io/sandfly}
 
 # Populate env variables.
-CONFIG_JSON=$(cat $SETUP_DATA/config.node.json)
+CONFIG_JSON=$(cat $SETUP_DATA/config.server.json)
 export CONFIG_JSON
 
 
@@ -21,5 +21,5 @@ docker rm sandfly-server-mgmt
 docker run --name sandfly-server-mgmt \
 --network sandfly-net \
 -e CONFIG_JSON \
--it $IMAGE_BASE/sandfly-server-mgmt:"$VERSION" /usr/local/sandfly/utils/reset_admin_password.sh
+-it $IMAGE_BASE/sandfly-server-mgmt${IMAGE_SUFFIX}:"$VERSION" /usr/local/sandfly/utils/reset_admin_password.sh
 

setup/util_scripts/reset_admin_password.sh

@@ -14,7 +14,7 @@ VERSION=${SANDFLY_VERSION:-$(cat ../../VERSION)}
 IMAGE_BASE=${SANDFLY_IMAGE_BASE:-quay.io/sandfly}
 
 # Populate env variables.
-CONFIG_JSON=$(cat $SETUP_DATA/config.node.json)
+CONFIG_JSON=$(cat $SETUP_DATA/config.server.json)
 export CONFIG_JSON
 
 docker network create sandfly-net 2>/dev/null
@@ -23,7 +23,7 @@ docker rm sandfly-server-mgmt
 docker run --name sandfly-server-mgmt \
 --network sandfly-net \
 -e CONFIG_JSON \
--it $IMAGE_BASE/sandfly-server-mgmt:"$VERSION" /usr/local/sandfly/utils/init_data_db.sh
+-it $IMAGE_BASE/sandfly-server-mgmt${IMAGE_SUFFIX}:"$VERSION" /usr/local/sandfly/utils/init_data_db.sh
 
 
 

setup/util_scripts/reset_db_data.sh

@@ -13,7 +13,7 @@ VERSION=${SANDFLY_VERSION:-$(cat ../../VERSION)}
 IMAGE_BASE=${SANDFLY_IMAGE_BASE:-quay.io/sandfly}
 
 # Populate env variables.
-CONFIG_JSON=$(cat $SETUP_DATA/config.node.json)
+CONFIG_JSON=$(cat $SETUP_DATA/config.server.json)
 export CONFIG_JSON
 
 docker network create sandfly-net 2>/dev/null
@@ -22,6 +22,6 @@ docker rm sandfly-server-mgmt
 docker run --name sandfly-server-mgmt \
 --network sandfly-net \
 -e CONFIG_JSON \
--it $IMAGE_BASE/sandfly-server-mgmt:"$VERSION" /usr/local/sandfly/utils/reset_system_password.sh
+-it $IMAGE_BASE/sandfly-server-mgmt${IMAGE_SUFFIX}:"$VERSION" /usr/local/sandfly/utils/reset_system_password.sh
 
 

setup/util_scripts/reset_system_password.sh

@@ -29,4 +29,4 @@ docker run -v /dev/urandom:/dev/random:ro \
 --disable-content-trust \
 --restart on-failure:5 \
 --security-opt="no-new-privileges:true" \
--d $IMAGE_BASE/sandfly-node:"$VERSION" /usr/local/sandfly/start_node.sh
+-d $IMAGE_BASE/sandfly-node${IMAGE_SUFFIX}:"$VERSION" /usr/local/sandfly/start_node.sh

start_scripts/start_elastic.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Sandfly Security LTD www.sandflysecurity.com
+# Copyright (c) 2021 Sandfly Security LTD, All Rights Reserved.
+
+# Make sure we run from the correct directory so relative paths work
+cd "$( dirname "${BASH_SOURCE[0]}" )"
+
+# After the first time Postgres starts, the admin password will be set in the
+# database in the Docker volume we use, and setting the password through the
+# docker run command will have no effect (e.g. it doesn't try to change it if
+# a database already exists). If this is an initial install, the password we
+# want to use should be in setup_data courtesy of the install.sh script.
+POSTGRES_ADMIN_PASSWORD="unknown"
+if [ -f ../setup/setup_data/postgres.admin.password.txt ]; then
+    POSTGRES_ADMIN_PASSWORD=$(cat ../setup/setup_data/postgres.admin.password.txt)
+fi
+
+docker network create sandfly-net 2>/dev/null
+docker rm sandfly-postgres 2>/dev/null
+
+docker run \
+--mount source=sandfly-pg14-db-vol,target=/var/lib/postgresql/data/pgdata \
+-d \
+-e POSTGRES_PASSWORD="$POSTGRES_ADMIN_PASSWORD" \
+-e PGDATA=/var/lib/postgresql/data/pgdata \
+--shm-size=1g \
+--restart on-failure:5 \
+--security-opt="no-new-privileges:true" \
+--network sandfly-net \
+--name sandfly-postgres \
+-t \
+postgres:14.0 \
+-c shared_buffers=375MB \
+-c effective_cache_size=1125MB \
+-c maintenance_work_mem=96000kB \
+-c checkpoint_completion_target=0.9 \
+-c wal_buffers=11520kB \
+-c default_statistics_target=100 \
+-c random_page_cost=1.1 \
+-c effective_io_concurrency=200 \
+-c work_mem=4800kB \
+-c min_wal_size=1GB \
+-c max_wal_size=4GB \
+-c max_worker_processes=2 \
+-c max_parallel_workers_per_gather=1 \
+-c max_parallel_workers=2 \
+-c max_parallel_maintenance_workers=1

start_scripts/start_node.sh

@@ -27,4 +27,4 @@ docker run -v /dev/urandom:/dev/random:ro \
 --name sandfly-rabbit \
 --security-opt="no-new-privileges:true" \
 --publish 5673:5673 \
--t $IMAGE_BASE/sandfly-rabbit:"$VERSION"
+-t $IMAGE_BASE/sandfly-rabbit${IMAGE_SUFFIX}:"$VERSION"

start_scripts/start_postgres.sh

@@ -14,25 +14,17 @@ if [ $(id -u) -ne 0 ]; then
     fi
 fi
 
-### Start ElasticSearch if not already running
-esresult=$($SUDO docker inspect --format="{{.State.Running}}" elasticsearch 2> /dev/null)
+### Start Postgres if not already running
+esresult=$($SUDO docker inspect --format="{{.State.Running}}" sandfly-postgres 2> /dev/null)
 if [ "${esresult}z" != "truez" ]; then
-    echo "*** Starting ElasticSearch."
-    $SUDO ./start_elastic.sh
+    echo "*** Starting Postgres."
+    $SUDO ./start_postgres.sh
     if [ $? -ne 0 ]; then
-        echo "*** ERROR: Error starting ElasticSearch container; cannot proceed."
+        echo "*** ERROR: Error starting Postgres container; cannot proceed."
         exit 2
     fi
-    temp_cnt=30
-    while [[ ${temp_cnt} -gt 0 ]];
-    do
-        printf "\rWaiting %2d second(s) for Elasticsearch to start and settle down." ${temp_cnt}
-        sleep 1
-        ((temp_cnt--))
-    done
-    echo ""
 else
-    echo "*** ElasticSearch container already running."
+    echo "*** Postgres container already running."
 fi
 
 ### Start RabbitMQ if not already running

start_scripts/start_rabbit.sh

@@ -14,22 +14,42 @@ if [ -e $SETUP_DATA/allinone ]; then
 fi
 
 if [ -f $SETUP_DATA/config.node.json -a "$IGNORE_NODE_DATA_WARNING" != "YES" ]; then
-    echo "********* WARNING ***********"
     echo ""
-    echo "The node config data ($SETUP_DATA/config.node.json) is present on the server."
-    echo "This file must be deleted from the server to fully protect the SSH keys stored"
-    echo "in the database. It should only be on the nodes."
-    echo ""
-    echo "********* WARNING ***********"
+    echo "********************************* WARNING *********************************"
+    echo "*                                                                         *"
+    echo "* The node config data file at:                                           *"
+    printf "*     %-67s *\n" "$SETUP_DATA/config.node.json"
+    echo "* is present on the server.                                               *"
+    echo "*                                                                         *"
+    echo "* This file must be deleted from the server to fully protect the SSH keys *"
+    echo "* stored in the database. It should only be on the nodes.                 *"
+    echo "*                                                                         *"
+    echo "********************************* WARNING *********************************"
     echo ""
     echo "Are you sure you want to start the server with the node config data present?"
-    read -p "Type YES if you're sure. (NO): " RESPONSE
+    read -p "Type YES if you're sure. [NO]: " RESPONSE
     if [ "$RESPONSE" != "YES" ]; then
         echo "Halting server start."
         exit 1
     fi
 fi
 
+# jq might not be available on the outer Docker host, so we'll do a simple grep
+# to make sure the config version is correct for this server version.
+grep -q \"config_version\":\ 2, $SETUP_DATA/config.server.json
+if [ $? != 0 ]; then
+    echo ""
+    echo "****************************** ERROR ******************************"
+    echo "*                                                                 *"
+    echo "* The version of the server configuration file does not match     *"
+    echo "* this version of the Sandfly server. Please perform the upgrade  *"
+    echo "* procedure before starting Sandfly.                              *"
+    echo "*                                                                 *"
+    echo "*******************************************************************"
+    echo ""
+    exit 1
+fi
+
 # Populate env variables.
 CONFIG_JSON=$(cat $SETUP_DATA/config.server.json)
 export CONFIG_JSON
@@ -39,12 +59,11 @@ docker rm sandfly-server 2>/dev/null
 
 docker run -v /dev/urandom:/dev/random:ro \
 -e CONFIG_JSON \
---sysctl net.core.somaxconn=15000 \
 --disable-content-trust \
 --restart on-failure:5 \
 --security-opt="no-new-privileges:true" \
 --network sandfly-net \
 --name sandfly-server \
 --publish 443:8443 \
 --publish 80:8000 \
--d $IMAGE_BASE/sandfly-server:"$VERSION" /usr/local/sandfly/start_api.sh
+-d $IMAGE_BASE/sandfly-server${IMAGE_SUFFIX}:"$VERSION" /opt/sandfly/start_api.sh