From 2db535f99a566d5d4433e1d9fb78e79427cd7918 Mon Sep 17 00:00:00 2001
From: Alex Farrant
Date: Sun, 29 Jan 2023 13:49:59 +0000
Subject: [PATCH] PG15, IP for CN, Smarter mem alloc
---
CoreConfig.xml | 2 +-
docker/amd64/Dockerfile.takserver-db | 4 ++--
docker/arm64/Dockerfile.takserver-db | 6 +++---
scripts/certDP.sh | 14 +++++++-------
scripts/cleanup.sh | 4 ++++
scripts/configureInDocker1.sh | 9 +++++----
scripts/setup.sh | 17 +++++++++++++++--
scripts/takserver-setup-db-1.sh | 6 +++---
8 files changed, 40 insertions(+), 22 deletions(-)
diff --git a/CoreConfig.xml b/CoreConfig.xml
index 80e8ca3..a64aa9e 100644
--- a/CoreConfig.xml
+++ b/CoreConfig.xml
@@ -17,7 +17,7 @@ - +
diff --git a/docker/amd64/Dockerfile.takserver-db b/docker/amd64/Dockerfile.takserver-db
index b50a38b..02ee596 100644
--- a/docker/amd64/Dockerfile.takserver-db
+++ b/docker/amd64/Dockerfile.takserver-db
@@ -1,8 +1,8 @@
-FROM postgres:14.4
+FROM postgres:15
# this is slow - updates all packages
-RUN apt-get update && apt install -y postgresql-14-postgis-3
+RUN apt-get update && apt install -y postgresql-15-postgis-3
ENTRYPOINT ["/bin/bash", "-c", "/opt/tak/db-utils/configureInDocker.sh"]
diff --git a/docker/arm64/Dockerfile.takserver-db b/docker/arm64/Dockerfile.takserver-db
index cdefedd..ac54d18 100644
--- a/docker/arm64/Dockerfile.takserver-db
+++ b/docker/arm64/Dockerfile.takserver-db
@@ -1,6 +1,6 @@
-FROM postgres:14.4
+FROM postgres:15
# this is slow - updates all packages
-RUN apt-get update && apt install -y postgresql-14-postgis-3
+RUN apt-get update && apt install -y postgresql-15-postgis-3
-ENTRYPOINT ["/opt/tak/db-utils/configureInDocker.sh"]
\ No newline at end of file
+ENTRYPOINT ["/opt/tak/db-utils/configureInDocker.sh"]
diff --git a/scripts/certDP.sh b/scripts/certDP.sh
index 5dd4c3b..4dad342 100755
--- a/scripts/certDP.sh
+++ b/scripts/certDP.sh
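Review bot: `FROM postgres:15` replaces the pinned `postgres:14.4` with a floating major tag, so the base image (and the PostgreSQL minor the `postgresql-15-postgis-3` package ends up running against) can change between two builds with no change in this repository; docker/arm64/Dockerfile.takserver-db has the same line. Pinning an explicit 15.x tag or a `@sha256:` digest keeps the build reproducible and turns upgrades into a visible diff. The `RUN` line also mixes `apt-get update` with the interactive-oriented `apt install`; `apt-get install -y --no-install-recommends postgresql-15-postgis-3 && rm -rf /var/lib/apt/lists/*` is the usual scripted form and keeps the layer smaller.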
@@ -15,13 +15,13 @@ echo "" > server.pref
echo "" >> server.pref
echo " " >> server.pref
echo " 1" >> server.pref
-echo " TAK Server (https://github.com/Cloud-RF/tak-server)" >> server.pref
+echo " TAK Server" >> server.pref
echo " true" >> server.pref
echo " $IP:8089:ssl" >> server.pref
echo " " >> server.pref
echo " " >> server.pref
echo " true" >> server.pref
-echo " cert/takserver.p12" >> server.pref
+echo " cert/$IP.p12" >> server.pref
echo " atakatak" >> server.pref
echo " atakatak" >> server.pref
echo " cert/$USER.p12" >> server.pref
@@ -38,12 +38,12 @@ echo " " >> manifest.xml
echo " " >> manifest.xml
echo " " >> manifest.xml
echo " " >> manifest.xml
-echo " " >> manifest.xml
-echo " " >> manifest.xml
-echo " " >> manifest.xml
+echo " " >> manifest.xml
+echo " " >> manifest.xml
+echo " " >> manifest.xml
echo " " >> manifest.xml
echo "" >> manifest.xml
-zip -j tak/certs/files/$USER-$IP.dp.zip manifest.xml server.pref tak/certs/files/takserver.p12 tak/certs/files/$USER.p12
+zip -j tak/certs/files/$USER-$IP.dp.zip manifest.xml server.pref tak/certs/files/$IP.p12 tak/certs/files/$USER.p12
echo "-------------------------------------------------------------"
-echo "Created certificate data package for $USER @ $IP as tak/certs/files/$USER-$IP.dp.zip"
\ No newline at end of file
+echo "Created certificate data package for $USER @ $IP as tak/certs/files/$USER-$IP.dp.zip"
diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh
index f86e17c..cdba101 100755
--- a/scripts/cleanup.sh
+++ b/scripts/cleanup.sh
@@ -12,3 +12,7 @@ $DOCKER_COMPOSE down
docker volume rm --force tak-server_db_data
rm -rf tak
rm -rf /tmp/takserver
+
+# Comment me out to save yourself rebuilding........
+docker image rm tak-server_db --force
+docker image rm tak-server_tak --force
diff --git a/scripts/configureInDocker1.sh b/scripts/configureInDocker1.sh
index 4f0b650..4811aef 100755
--- a/scripts/configureInDocker1.sh
+++ b/scripts/configureInDocker1.sh
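Review bot: The rewritten `zip -j` line never checks that `tak/certs/files/$IP.p12` exists, so on an install whose server certificate was generated under the old `takserver` name the data package is still built, its server.pref (first hunk) points at a `cert/$IP.p12` member it does not contain, and the script still prints the "Created certificate data package" line. A check before the zip, `[ -f "tak/certs/files/$IP.p12" ] || { echo "missing tak/certs/files/$IP.p12" >&2; exit 1; }`, fails loudly instead, and the expansions in the zip arguments should be quoted while the line is being touched: `zip -j "tak/certs/files/$USER-$IP.dp.zip" manifest.xml server.pref "tak/certs/files/$IP.p12" "tak/certs/files/$USER.p12"`. Since the address is now baked into the server.pref entry and the filenames, a one-line comment noting that the package is tied to the IP detected at setup time would save the next reader a trip through setup.sh.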
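Review bot: The two added `docker image rm --force` lines make image deletion the default of cleanup.sh, with editing the script as the only opt-out per the comment above them. A guard such as `[ -n "${KEEP_IMAGES:-}" ] || docker image rm --force tak-server_db tak-server_tak` (KEEP_IMAGES being a suggested name) keeps the same default but lets a user skip the rebuild without modifying a tracked file, and collapses the two calls into one. The comment could then read `# Set KEEP_IMAGES=1 to keep the built images and save a rebuild`.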
@@ -3,7 +3,8 @@
# Added for 4.7 REL 18 where they broke DB auth with TCP/IP hardening
# Commented out when they relaxed it in REL 4.7 20 because folks docker systems stopped working..
# Re-added for 4.8 REL 31 because they got hard again. I can do this all day.
-sed -i 's/127.0.0.1\/32/0.0.0.0\/0/g' /opt/tak/db-utils/pg_hba.conf
+# Now using a flexible docker /8 range
+sed -i 's/127.0.0.1\/32/172.0.0.0\/8/g' /opt/tak/db-utils/pg_hba.conf
# Removed inline options because these belong in postgres.conf
if [ -f "/var/lib/postgresql/data/postgresql.conf" ];
@@ -12,15 +13,15 @@ then
rm -f /var/lib/postgresql/data/postmaster.pid
echo "listen_addresses='*'" >> /var/lib/postgresql/data/postgresql.conf
cp /opt/tak/db-utils/pg_hba.conf /var/lib/postgresql/data/pg_hba.conf
- su - postgres -c "/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data -l logfile start"
+ su - postgres -c "/usr/lib/postgresql/15/bin/pg_ctl -D /var/lib/postgresql/data -l logfile start"
else
echo "-------NO DB-------"
chown postgres:postgres /var/lib/postgresql/data
- su - postgres -c '/usr/lib/postgresql/14/bin/pg_ctl initdb -D /var/lib/postgresql/data'
+ su - postgres -c '/usr/lib/postgresql/15/bin/pg_ctl initdb -D /var/lib/postgresql/data'
cp /opt/tak/db-utils/pg_hba.conf /var/lib/postgresql/data/pg_hba.conf
- su - postgres -c "/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data -l logfile start"
+ su - postgres -c "/usr/lib/postgresql/15/bin/pg_ctl -D /var/lib/postgresql/data -l logfile start"
cd /opt/tak/db-utils
./configure.sh
diff --git a/scripts/setup.sh b/scripts/setup.sh
index 341f64e..14a1240 100755
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
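Review bot: `172.0.0.0/8` is not a Docker range: Docker's default bridge and compose networks are allocated from `172.16.0.0/12`, and the rest of the /8 (172.0.0.0–172.15.255.255 and 172.32.0.0 upward) is publicly routable address space, so the new comment `Now using a flexible docker /8 range` overstates what the mask buys. Combined with `listen_addresses='*'`, appended in the next hunk, any host in that public space that can reach the database port (if it is published outside the compose network, which this diff does not show) is matched by the pg_hba entry and only the entry's auth method stands between it and the server. The tightest mask that still covers default Docker networks is the RFC 1918 block: `sed -i 's/127.0.0.1\/32/172.16.0.0\/12/g' /opt/tak/db-utils/pg_hba.conf`, with the comment updated to name it; tighter still is the compose network's actual subnet, or not publishing the port at all. Note also that the substitution is a no-op if the shipped pg_hba.conf stops carrying a `127.0.0.1/32` line, which nothing here detects.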
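Review bot: The PostgreSQL major is now hard-coded into three `su - postgres -c` lines in this hunk, plus the two paths in scripts/takserver-setup-db-1.sh and the two Dockerfiles, so the next upgrade again needs seven coordinated edits. The official postgres image exports `PG_MAJOR`; a single `PG_BIN="/usr/lib/postgresql/${PG_MAJOR:-15}/bin"` near the top of this script, used as `"$PG_BIN/pg_ctl ..."` on these lines, leaves one place to change (the initdb line is single-quoted and would need double quotes for the expansion to happen before `su` runs it). The enclosing `if` block starts above this hunk and ends below it.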
@@ -214,6 +214,8 @@ chown -R $USER:$USER tak
cp ./scripts/configureInDocker1.sh ./tak/db-utils/configureInDocker.sh
cp ./postgresql1.conf ./tak/postgresql.conf
cp ./scripts/takserver-setup-db-1.sh ./tak/db-utils/takserver-setup-db.sh
+
+# This config uses a docker alias of postgresql://tak-database:5432/
cp ./CoreConfig.xml ./tak/CoreConfig.xml
## Set admin username and password and ensure it meets validation criteria
@@ -231,8 +233,18 @@ IP=$(ip addr show $NIC | grep -m 1 "inet " | awk '{print $2}' | cut -d "/" -f1)
printf $info "\nProceeding with IP address: $IP\n"
sed -i "s/password=\".*\"/password=\"${pgpassword}\"/" tak/CoreConfig.xml
+# Replaces HOSTIP for rate limiter and Fed server. Database URL is a docker alias of tak-database
sed -i "s/HOSTIP/$IP/g" tak/CoreConfig.xml
+# Replaces takserver.jks with $IP.jks
+sed -i "s/takserver.jks/$IP.jks/g" tak/CoreConfig.xml
+
+# Better memory allocation:
+# By default TAK server allocates memory based upon the *total* on a machine.
+# In the real world, people not on a gov budget use a server for more than one thing.
+# Instead we allocate memory based upon the available memory so this still scales, but you can run it on a smaller budget
+sed -i "s/MemTotal/MemFree/g" tak/setenv.sh
+
## Set variables for generating CA and client certs
printf $warning "SSL setup. Hit enter (x3) to accept the defaults:\n"
read -p "State (for cert generation). Default [state] :" state
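Review bot: `sed -i "s/MemTotal/MemFree/g" tak/setenv.sh` does not implement what the comment block above it describes: on Linux the `MemFree` field of /proc/meminfo counts only pages the kernel has handed to nothing at all, page cache included, so on a host that has been up for a while it is routinely a small fraction of what a new process can actually obtain and the resulting heap would be far smaller than intended. `MemAvailable` is the kernel's estimate of memory a new workload can use without swapping and is the quantity the comment means: `sed -i "s/MemTotal/MemAvailable/g" tak/setenv.sh` — assuming setenv.sh reads the value by key from /proc/meminfo, whose format is identical for both fields; that file is not in this diff, so confirm. Either field is presumably sampled when the server starts rather than at setup, so the heap size now varies between restarts with whatever else is running on the host; one sentence in the comment block saying so would set expectations. The `s/takserver.jks/$IP.jks/g` line just above is fine for an IPv4 value but, like the `HOSTIP` line, silently writes an empty string if `$IP` is empty (see the note on the certificate hunk below).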
@@ -276,10 +288,10 @@ while :
do
sleep 10 # let the PG stderr messages conclude...
printf $warning "------------CERTIFICATE GENERATION--------------\n"
- $DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeRootCa.sh --ca-name LOL"
+ $DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeRootCa.sh --ca-name CRFtakserver"
if [ $? -eq 0 ];
then
- $DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeCert.sh server takserver"
+ $DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeCert.sh server $IP"
if [ $? -eq 0 ];
then
$DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeCert.sh client $user"
@@ -305,6 +317,7 @@ cd tak/certs
./makeCert.sh client user1
./makeCert.sh client user2
+ # Make 2 data packages
cd ../../
./scripts/certDP.sh $IP user1
diff --git a/scripts/takserver-setup-db-1.sh b/scripts/takserver-setup-db-1.sh
index 64322e4..ebbd31b 100755
--- a/scripts/takserver-setup-db-1.sh
+++ b/scripts/takserver-setup-db-1.sh
@@ -17,7 +17,7 @@
# if [ "x$DB_EXISTS" != "x" ]; then
# sed -i 's/127.0.0.1\/32/0.0.0.0\/0/g' /opt/tak/db-utils/pg_hba.conf
# cp /opt/tak/db-utils/pg_hba.conf /var/lib/postgresql/data/pg_hba.conf
-# su - postgres -c "/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data -l logfile restart -o '-c max_connections=2100 -c shared_buffers=2560MB'"
+# su - postgres -c "/usr/lib/postgresql/15/bin/pg_ctl -D /var/lib/postgresql/data -l logfile restart -o '-c max_connections=2100 -c shared_buffers=2560MB'"
# exit 0
# fi
@@ -52,8 +52,8 @@ fi
DB_INIT=""
# Ensure PostgreSQL is initialized.
-if [ -x /usr/lib/postgresql/14/bin/pg_ctl ]; then
- DB_INIT="/usr/lib/postgresql/14/bin/pg_ctl initdb"
+if [ -x /usr/lib/postgresql/15/bin/pg_ctl ]; then
+ DB_INIT="/usr/lib/postgresql/15/bin/pg_ctl initdb"
elif [ -x /usr/bin/postgresql-setup ]; then
DB_INIT="/usr/bin/postgresql-setup initdb"
else
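Review bot: `./makeCert.sh server $IP` names the server certificate after the address the `ip addr` pipeline detected at setup time, and the same value is written into CoreConfig.xml (`$IP.jks`), server.pref and the data-package filenames, so if that address later changes the certificate, the keystore reference and every issued package must be regenerated together; nothing in the script records this dependency. If `$IP` is empty because `$NIC` carried no IPv4 address, this line runs `makeCert.sh server` with no name argument and the earlier `sed` substitutions have already written empty values into CoreConfig.xml, and the existing `$?` checks would only catch it if makeCert.sh rejects a missing name. A guard immediately after the `IP=` assignment, `: "${IP:?no IPv4 address found on $NIC}"`, fails early with a readable message instead. The `while :` loop and both `if` blocks around this hunk start above it and end below it.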