harden(desudo): convert monitoring subsystem + global log-append idiom
- Global uniform pass: the $logs_dir/$docker_log_file log-append idiom (always /docker/logs, data-plane) -> runFileWrite -a across runtime files (check_success.sh logging backbone + several app scripts). - monitoring.sh fully converted: containers_dir/docker_dir file ops (sqlite3/sed/mkdir/cp/rm/chmod/find, grafana tee-heredocs) -> runFileOp/ runFileWrite; prometheus/grafana docker ps/kill/restart -> dockerCommandRun. Behaviour is byte-identical in rooted mode (all helpers reduce to sudo there). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
03d7a7b969
commit
a8248ccf7f
@ -60,10 +60,10 @@ installAuthelia()
dockerComposeSetupFile $app_name;
local result=$(copyResource "$app_name" "configuration.yml" "config" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "configuration.yml" "config" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying configuration.yml to $containers_dir$app_name/config"
local result=$(copyResource "$app_name" "users_database.yml" "config" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "users_database.yml" "config" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying users_database.yml to $containers_dir$app_name/config"
local authelia_config_file="$containers_dir$app_name/config/configuration.yml"
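Review bot: The pipeline `copyResource "$app_name" "configuration.yml" "config" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1` exits with the writer's status, so a failed copyResource is invisible to the following checkSuccess unless `set -o pipefail` is enabled somewhere outside this hunk, and the trailing `2>&1` redirects only runFileWrite's stderr, not copyResource's, so the copy's own error text never reaches the log. Because the whole pipeline also sits inside `local result=$(...)`, neither its exit status nor PIPESTATUS survives to the caller (SC2155). Moving the redirection to the producer, `copyResource "$app_name" "configuration.yml" "config" 2>&1 | runFileWrite -a "$logs_dir/$docker_log_file"`, and assigning `result` on a separate line from the `local` declaration would let the first stage's status be checked. installAuthelia starts before this hunk and continues after it.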
@ -54,7 +54,7 @@ installHeadscale()
local result=$(createFolders "loud" $docker_install_user $containers_dir$app_name/config)
checkSuccess "Create config folder"
local result=$(copyResource "$app_name" "config.yaml" "config" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "config.yaml" "config" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying config.yaml to config folder."
configSetupFileWithData $app_name "config.yaml" "config";
@ -57,7 +57,7 @@ installPrometheus()
local result=$(createTouch "$containers_dir$app_name/$app_name/$app_name.yml" $docker_install_user)
checkSuccess "Created $app_name.yml file for $app_name"
local result=$(copyResource "$app_name" "$app_name.yml" "$app_name" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "$app_name.yml" "$app_name" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying $app_name.yml to containers folder."
((menu_number++))
@ -53,7 +53,7 @@ installUnbound()
monitoringToggleAppConfig "$app_name" "docker-compose.yml";
local result=$(copyResource "$app_name" "unbound.conf" "etc" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "unbound.conf" "etc" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying unbound.conf to containers folder."
monitoringToggleAppConfig "$app_name" "etc/unbound.conf";
@ -40,7 +40,7 @@ dockerComposeSetupFile()
isError "The source file '$source_file' does not exist."
fi
copyFile "loud" "$source_file" "$target_file" $docker_install_user | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
copyFile "loud" "$source_file" "$target_file" $docker_install_user | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1
if [ $? -ne 0 ]; then
isError "Failed to copy the source file to '$target_path'. Check '$docker_log_file' for more details."
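Review bot: The `if [ $? -ne 0 ]` after `copyFile ... | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1` tests the status of runFileWrite, the last pipeline stage, not of copyFile, so a failed copy still falls through as success unless `set -o pipefail` is active somewhere outside this hunk. The `2>&1` at the end of the line also only captures the writer's stderr, so the copy's own diagnostics never reach the log the error message points the user at. Checking the producer explicitly fixes both: `copyFile "loud" "$source_file" "$target_file" $docker_install_user 2>&1 | runFileWrite -a "$logs_dir/$docker_log_file"` followed by `if [ "${PIPESTATUS[0]}" -ne 0 ]; then`. dockerComposeSetupFile starts before this hunk and continues after it.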
@ -5,7 +5,7 @@ function checkSuccess()
if [ $? -eq 0 ]; then
isSuccessful "$1"
if [ -f "$logs_dir/$docker_log_file" ]; then
echo "✓ Success $1" | sudo tee -a "$logs_dir/$docker_log_file" >/dev/null
echo "✓ Success $1" | runFileWrite -a "$logs_dir/$docker_log_file" >/dev/null
fi
else
isError "$1"
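Review bot: `if [ $? -eq 0 ]` at the top of checkSuccess evaluates the status of whatever the caller ran last, and every call site touched by this commit runs `local result=$(...)` immediately before it; the status of that statement is `local`'s own (0) regardless of what the command substitution returned (SC2155), so those sites always take the success branch and log "✓ Success" even when the underlying copy or docker command failed. Letting callers hand in a status explicitly, with `local rc=${2:-$?}` as the first statement and `if [ "$rc" -eq 0 ]; then`, keeps existing one-argument callers working and gives the converted sites a way to report real failures. The `function checkSuccess()` line itself is outside this hunk.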
@ -14,8 +14,8 @@ function checkSuccess()
# blocking on read.
if [[ "$LIBREPORTAL_NONINTERACTIVE" == "1" ]] || [ ! -t 0 ]; then
if [ -f "$logs_dir/$docker_log_file" ]; then
isError " $1" | sudo tee -a "$logs_dir/$docker_log_file" >/dev/null
echo "===================================" | sudo tee -a "$logs_dir/$docker_log_file" >/dev/null
isError " $1" | runFileWrite -a "$logs_dir/$docker_log_file" >/dev/null
echo "===================================" | runFileWrite -a "$logs_dir/$docker_log_file" >/dev/null
fi
isNotice "Non-interactive mode: aborting on error."
exit 1
@ -36,15 +36,15 @@ function checkSuccess()
if [[ "$error_occurred" == [xX] ]]; then
# Log the error output to the log file
isError " $1" | sudo tee -a "$logs_dir/$docker_log_file"
echo "===================================" | sudo tee -a "$logs_dir/$docker_log_file"
isError " $1" | runFileWrite -a "$logs_dir/$docker_log_file"
echo "===================================" | runFileWrite -a "$logs_dir/$docker_log_file"
exit 1 # Exit the script with a non-zero status to stop the current action
fi
if [[ "$error_occurred" == [mM] ]]; then
# Log the error output to the log file
isError " $1" | sudo tee -a "$logs_dir/$docker_log_file"
echo "===================================" | sudo tee -a "$logs_dir/$docker_log_file"
isError " $1" | runFileWrite -a "$logs_dir/$docker_log_file"
echo "===================================" | runFileWrite -a "$logs_dir/$docker_log_file"
if [[ "$initial_command2" == "terminal" ]]; then
resetToMenu;
fi
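Review bot: The appends in the `[xX]` and `[mM]` branches run without the `[ -f "$logs_dir/$docker_log_file" ]` guard and without the `>/dev/null` that the other branches of this function use, so the same error text is shown twice on the terminal (once by the earlier isError, once mirrored by the writer) and, when the log file does not exist yet, the append creates it — in rooted mode presumably as root, if runFileWrite reduces to `sudo tee` as the commit message says. Bringing these two branches in line with the guarded form, `isError " $1" | runFileWrite -a "$logs_dir/$docker_log_file" >/dev/null` inside the same `-f` test, removes both inconsistencies. checkSuccess starts before this hunk and continues after it.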
@ -8,7 +8,7 @@ tailscaleInstallToContainer()
local result=$(createFolders "loud" $docker_install_user $containers_dir$app_name/tailscale)
checkSuccess "Creating Tailscale folder"
copyFile "loud" "${install_scripts_dir}tailscale.sh" "$containers_dir$app_name/tailscale/tailscale.sh" $docker_install_user | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
copyFile "loud" "${install_scripts_dir}tailscale.sh" "$containers_dir$app_name/tailscale/tailscale.sh" $docker_install_user | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1
if [[ "$type" != "install" ]]; then
dockerComposeRestart $app_name;
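Review bot: The status of `copyFile ... tailscale.sh ... | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1` is not examined at all here, unlike the folder creation two lines above; the function proceeds to dockerComposeRestart with a possibly missing or stale tailscale.sh, and even a `checkSuccess` added after it would only see runFileWrite's status, not copyFile's. A minimal guard is `[ "${PIPESTATUS[0]}" -eq 0 ] || { isError "Failed to copy tailscale.sh to $containers_dir$app_name/tailscale"; return 1; }` on the line after the copy, with the `2>&1` moved onto the copyFile stage so its stderr lands in the log. tailscaleInstallToContainer starts before this hunk and continues after it.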
@ -17,7 +17,7 @@
monitoringInstalledApps()
{
[[ -f "$docker_dir/$db_file" ]] || return 0
sudo sqlite3 "$docker_dir/$db_file" \
runFileOp sqlite3 "$docker_dir/$db_file" \
"SELECT name FROM apps WHERE status = 1 ORDER BY name;" 2>/dev/null
}
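Review bot: The `2>/dev/null` on the `runFileOp sqlite3` query hides every failure mode the desudo introduces — a DB file that exists (so the `-f` test passes) but is no longer readable by the invoking user, or a locked database — and turns it into an empty app list, since the callers visible below consume this function via `$(monitoringInstalledApps)` and never look at its exit status. In monitoringRefreshGrafana that empty list arrives after the `find ... -delete`, so a transient query error would wipe every provisioned dashboard. Keeping stderr visible, or at least surfacing the failure with `... 2>/dev/null || isError "Could not read apps from $docker_dir/$db_file"`, would make the condition diagnosable instead of silent.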
@ -26,7 +26,7 @@ monitoringIsInstalled()
{
[[ -f "$docker_dir/$db_file" ]] || return 1
local n
n="$(sudo sqlite3 "$docker_dir/$db_file" \
n="$(runFileOp sqlite3 "$docker_dir/$db_file" \
"SELECT COUNT(*) FROM apps WHERE name = '$1' AND status = 1;" 2>/dev/null)"
[[ -n "$n" && "$n" -gt 0 ]]
}
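Review bot: `"SELECT COUNT(*) FROM apps WHERE name = '$1' AND status = 1;"` splices the app name straight into an SQL string literal, so a value containing a single quote breaks the query or changes its meaning; the names presumably come from the project's own app list, so this is defence in depth rather than a live injection, but it costs one line. Escaping the literal, `local q=${1//\'/\'\'}` before the query and `name = '$q'` inside it, is the conventional fix when sqlite3's CLI is driven from shell. monitoringIsInstalled's opening line is outside this hunk.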
@ -62,13 +62,13 @@ monitoringToggleAppConfig()
if monitoringAppEnabled "$app_name"; then
# Uncomment: strip the leading # from every non-marker line in range.
sudo sed -i '/# >>> libreportal-monitoring >>>/,/# <<< libreportal-monitoring <<</ {
runFileOp sed -i '/# >>> libreportal-monitoring >>>/,/# <<< libreportal-monitoring <<</ {
/libreportal-monitoring/! s/^\([[:space:]]*\)#/\1/
}' "$file"
isSuccessful "Monitoring config enabled in $rel_path"
else
# Comment: prefix # to every non-marker line in range not already so.
sudo sed -i '/# >>> libreportal-monitoring >>>/,/# <<< libreportal-monitoring <<</ {
runFileOp sed -i '/# >>> libreportal-monitoring >>>/,/# <<< libreportal-monitoring <<</ {
/libreportal-monitoring/! { /^[[:space:]]*#/! s/^\([[:space:]]*\)/\1#/ }
}' "$file"
isNotice "Monitoring config left disabled in $rel_path (CFG_${app_name^^}_MONITORING not true)."
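Review bot: Both sed programs use the address range `/# >>> libreportal-monitoring >>>/,/# <<< libreportal-monitoring <<</`, and in sed a range whose end address never matches runs to end of file; a docker-compose.yml or unbound.conf with the start marker but a missing or mistyped end marker would therefore have every remaining line commented out (or uncommented) in place by the `-i` edit. A check before the sed, `grep -q '# <<< libreportal-monitoring <<<' "$file" || { isError "Missing monitoring end marker in $rel_path"; return 1; }` (through runFileOp if the file is not readable by the invoking user in the desudo case), makes the edit refuse to run on a malformed block. monitoringToggleAppConfig starts before this hunk and continues after it.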
@ -123,24 +123,24 @@ monitoringRefreshPrometheus()
fi
local scrape_dir="${containers_dir}prometheus/prometheus/scrape.d"
sudo mkdir -p "$scrape_dir"
runFileOp mkdir -p "$scrape_dir"
local count=0 app_name fragment
for app_name in $(monitoringInstalledApps); do
fragment="${containers_dir}${app_name}/resources/monitoring/prometheus-scrape.yml"
if monitoringAppEnabled "$app_name" && [[ -f "$fragment" ]]; then
sudo cp "$fragment" "$scrape_dir/${app_name}.yml"
runFileOp cp "$fragment" "$scrape_dir/${app_name}.yml"
monitoringResolveScrapeTags "$scrape_dir/${app_name}.yml" "${containers_dir}${app_name}/docker-compose.yml" "$app_name"
count=$((count + 1))
else
sudo rm -f "$scrape_dir/${app_name}.yml"
runFileOp rm -f "$scrape_dir/${app_name}.yml"
fi
done
sudo chmod -R a+rX "$scrape_dir" 2>/dev/null
runFileOp chmod -R a+rX "$scrape_dir" 2>/dev/null
if sudo docker ps --format '{{.Names}}' 2>/dev/null | grep -q '^prometheus-service$'; then
local result=$(sudo docker kill --signal=HUP prometheus-service 2>&1)
if dockerCommandRun "docker ps --format '{{.Names}}'" "sudo" 2>/dev/null | grep -q '^prometheus-service$'; then
local result=$(dockerCommandRun "docker kill --signal=HUP prometheus-service" "sudo" 2>&1)
checkSuccess "Reloaded Prometheus ($count monitored app(s))"
else
isNotice "Prometheus container not running — scrape.d updated, applied on next start ($count app(s))."
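Review bot: `$app_name`, read back from the apps table by monitoringInstalledApps, is used unvalidated to build both the source path `${containers_dir}${app_name}/resources/monitoring/prometheus-scrape.yml` and the destination `$scrape_dir/${app_name}.yml` that `runFileOp cp` and `runFileOp rm -f` now act on with whatever privilege the helper carries (sudo in rooted mode per the commit message); a name containing `/` or `..` would read or delete outside scrape.d. One guard line at the top of the loop body, `[[ "$app_name" =~ ^[A-Za-z0-9_-]+$ ]] || continue`, closes that. Separately, `runFileOp chmod -R a+rX "$scrape_dir"` makes every scrape fragment world-readable; if any fragment ever carries `basic_auth` or `bearer_token` material that is a credential leak, so it would be worth a comment stating that fragments must not contain secrets, or narrowing the mode to the uid the prometheus container runs as. monitoringRefreshPrometheus starts before this hunk and continues after it.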
@ -160,11 +160,11 @@ monitoringRefreshGrafana()
local ds_dir="$prov/datasources"
local dash_provider_dir="$prov/dashboards"
local dash_dir="$prov/dashboards/libreportal"
sudo mkdir -p "$ds_dir" "$dash_dir"
runFileOp mkdir -p "$ds_dir" "$dash_dir"
# Prometheus datasource — reachable from the grafana container by the
# prometheus service name on the shared libreportal docker network.
sudo tee "$ds_dir/libreportal-prometheus.yml" >/dev/null <<'EOF'
runFileWrite "$ds_dir/libreportal-prometheus.yml" <<'EOF'
apiVersion: 1
datasources:
- name: Prometheus
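Review bot: The conversion of `sudo tee "$ds_dir/libreportal-prometheus.yml" >/dev/null <<'EOF'` drops the `>/dev/null`; every other converted call site in this commit keeps it, which suggests runFileWrite mirrors its input to stdout the way tee does, in which case the whole datasource YAML is now printed to the terminal on every Grafana refresh. If that is the case the line should read `runFileWrite "$ds_dir/libreportal-prometheus.yml" >/dev/null <<'EOF'`; if runFileWrite is silent in non-append mode, a one-line comment saying so next to the heredoc would stop the next reader from re-adding the redirect. monitoringRefreshGrafana starts before this hunk and continues after it.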
@ -176,7 +176,7 @@ datasources:
EOF
# Dashboard provider — points Grafana at the gathered dashboards dir.
sudo tee "$dash_provider_dir/libreportal.yml" >/dev/null <<'EOF'
runFileWrite "$dash_provider_dir/libreportal.yml" <<'EOF'
apiVersion: 1
providers:
- name: LibrePortal
@ -192,23 +192,23 @@ EOF
# Gather each monitoring-enabled app's dashboard JSONs (prefixed with the
# app name to avoid filename clashes). Clear stale ones first.
sudo find "$dash_dir" -type f -name '*.json' -delete 2>/dev/null
runFileOp find "$dash_dir" -type f -name '*.json' -delete 2>/dev/null
local count=0 app_name app_dash f
for app_name in $(monitoringInstalledApps); do
app_dash="${containers_dir}${app_name}/resources/monitoring/grafana-dashboards"
if monitoringAppEnabled "$app_name" && [[ -d "$app_dash" ]]; then
for f in "$app_dash"/*.json; do
[[ -f "$f" ]] || continue
sudo cp "$f" "$dash_dir/${app_name}-$(basename "$f")"
runFileOp cp "$f" "$dash_dir/${app_name}-$(basename "$f")"
count=$((count + 1))
done
fi
done
sudo chmod -R a+rX "$prov" 2>/dev/null
runFileOp chmod -R a+rX "$prov" 2>/dev/null
if sudo docker ps --format '{{.Names}}' 2>/dev/null | grep -q '^grafana-service$'; then
local result=$(sudo docker restart grafana-service 2>&1)
if dockerCommandRun "docker ps --format '{{.Names}}'" "sudo" 2>/dev/null | grep -q '^grafana-service$'; then
local result=$(dockerCommandRun "docker restart grafana-service" "sudo" 2>&1)
checkSuccess "Restarted Grafana ($count dashboard(s) provisioned)"
else
isNotice "Grafana container not running — provisioning updated, applied on next start ($count dashboard(s))."
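Review bot: `dockerCommandRun "docker ps --format '{{.Names}}'" "sudo"` and `dockerCommandRun "docker restart grafana-service" "sudo"` hand the command line over as a single string, and the nested quoting around `'{{.Names}}'` only works if the helper re-parses that string with the shell; with the literal container name used here that is harmless, but the same idiom becomes a command-injection point the moment a name derived from `$app_name` or another variable is interpolated into the string. Worth a comment at the first call site, `# dockerCommandRun re-parses its first argument as shell: literal commands only, never interpolate variables into it`, or an argv-style variant of the helper for the docker calls. Note also that `local result=$(dockerCommandRun "docker restart grafana-service" "sudo" 2>&1)` leaves the following checkSuccess looking at `local`'s status rather than the restart's, so "Restarted Grafana" is reported even when the restart fails. monitoringRefreshGrafana starts before this hunk and continues after it.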