From 14b1b43345025618b27b2971b62cdbed2ecfee10 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Wed, 25 Sep 2019 22:50:53 +0200
Subject: [PATCH] Give up with migrations
---
 Dockerfile | 3 +-
 encrypted-dns.toml.in | 6 +--
 entrypoint.sh | 94 +++++++------------------------------------
 3 files changed, 20 insertions(+), 83 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2c12ad6..146c5c8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,7 @@ ENV SERIAL 1
 ENV CFLAGS=-Ofast
 ENV BUILD_DEPS curl make build-essential git libevent-dev libexpat1-dev autoconf file libssl-dev byacc
-ENV RUNTIME_DEPS bash util-linux coreutils findutils grep libssl1.1 ldnsutils libevent-2.1 expat ca-certificates runit runit-helper
+ENV RUNTIME_DEPS bash util-linux coreutils findutils grep libssl1.1 ldnsutils libevent-2.1 expat ca-certificates runit runit-helper jed
 RUN apt-get update; apt-get -qy dist-upgrade; apt-get -qy clean && \
 apt-get install -qy --no-install-recommends $RUNTIME_DEPS && \
@@ -41,6 +41,7 @@ RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS &&
 cargo install encrypted-dns && \
 mkdir -p /opt/encrypted-dns/sbin && \
 mkdir -p /opt/encrypted-dns/etc/keys && \
+ mkdir -p /opt/encrypted-dns/etc/keys/state && \
 mv ~/.cargo/bin/encrypted-dns /opt/encrypted-dns/sbin/ && \
 strip --strip-all /opt/encrypted-dns/sbin/encrypted-dns && \
 groupadd _encrypted-dns && \
diff --git a/encrypted-dns.toml.in b/encrypted-dns.toml.in
index d6afa67..ae1bb9a 100644
--- a/encrypted-dns.toml.in
+++ b/encrypted-dns.toml.in
@@ -27,7 +27,7 @@ upstream_addr = "127.0.0.1:53"
 ## File name to save the state to
-state_file = "/opt/encrypted-dns/etc/keys/encrypted-dns.state"
+state_file = "/opt/encrypted-dns/etc/keys/state/encrypted-dns.state"
 ## UDP timeout in seconds
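Review bot: The `+ENV RUNTIME_DEPS ... jed` line installs an interactive text editor into the production image, where nothing in the entrypoint or the daemon uses it; it only adds image size and packages to keep patched. If it is wanted for debugging, keep it out of the default build, for example behind a build argument or in a separate debug image, and leave `ENV RUNTIME_DEPS` at the previous list. Note also that the second Dockerfile hunk creates `/opt/encrypted-dns/etc/keys/state` at build time with the default mode, which matters for the `mkdir -p -m 700` in the entrypoint change.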
@@ -93,12 +93,12 @@ daemonize = false
 ## User name to drop privileges to, when started as root.
-user = "_encrypted-dns"
+# user = "_encrypted-dns"
 ## Group name to drop privileges to, when started as root.
-group = "_encrypted-dns"
+# group = "_encrypted-dns"
 ## Path to chroot() to, when started as root.
diff --git a/entrypoint.sh b/entrypoint.sh
index c727137..5596de1 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -7,6 +7,7 @@ action="$1"
 LEGACY_KEYS_DIR="/opt/dnscrypt-wrapper/etc/keys"
 LEGACY_LISTS_DIR="/opt/dnscrypt-wrapper/etc/lists"
 KEYS_DIR="/opt/encrypted-dns/etc/keys"
+STATE_DIR="${KEYS_DIR}/state"
 LISTS_DIR="/opt/encrypted-dns/etc/lists"
 CONF_DIR="/opt/encrypted-dns/etc"
 CONFIG_FILE="${CONF_DIR}/encrypted-dns.toml"
@@ -15,7 +16,7 @@ CONFIG_FILE_TEMPLATE="${CONF_DIR}/encrypted-dns.toml.in"
 # -N provider-name -E external-ip-address:port
 init() {
- if [ "$(is_initialized 2>/dev/null)" = yes ]; then
+ if [ "$(is_initialized)" = yes ]; then
 start
 exit $?
 fi
@@ -67,6 +68,17 @@ init() {
 -e "s#@DOMAIN_BLACKLIST_CONFIGURATION@#${domain_blacklist_configuration}#" \
 "$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE"
+ mkdir -p -m 700 "${STATE_DIR}"
+ chown _encrypted-dns:_encrypted-dns "${STATE_DIR}"
+
+ if [ -f "${KEYS_DIR}/secret.key" ]; then
+ echo "Importing the previous secret key [${KEYS_DIR}/secret.key]"
+ /opt/encrypted-dns/sbin/encrypted-dns \
+ --config "$CONFIG_FILE" \
+ --import-from-dnscrypt-wrapper "${KEYS_DIR}/secret.key" \
+ --dry-run >/dev/null || exit 1
+ fi
+
 /opt/encrypted-dns/sbin/encrypted-dns \
 --config "$CONFIG_FILE" --dry-run | tee "${KEYS_DIR}/provider-info.txt"
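Review bot: Commenting out the two keys on the `+# user = "_encrypted-dns"` and `+# group = "_encrypted-dns"` lines disables the privilege drop that the surrounding comments describe ("drop privileges to, when started as root"), so the daemon keeps running as root when the container starts it as root. That is inconsistent with the entrypoint change in the same commit, which creates the state directory with mode 700 and chowns it to `_encrypted-dns:_encrypted-dns`, something that only matters if the daemon actually runs as that user. If the goal was to let the daemon write its state file, keep `user = "_encrypted-dns"` and `group = "_encrypted-dns"` and fix ownership of the state directory instead; if root is genuinely required, a comment next to the disabled keys should say why. The chroot setting that follows is outside the hunk, so I cannot tell whether it is still in effect.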
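Review bot: `mkdir -p -m 700 "${STATE_DIR}"` applies the mode only when it creates the directory, and the Dockerfile hunk in this commit already creates `/opt/encrypted-dns/etc/keys/state` at build time, so when the directory is image-local the 700 mode is silently not applied; follow it with an explicit `chmod 700 "${STATE_DIR}"`, and check the `chown` with `|| exit 1` the way the import call is checked. The removed `dnscrypt_wrapper_compat` finished its import with `chmod 600` on the secret key, while the new import block has no equivalent for `${KEYS_DIR}/secret.key`, so the private key keeps whatever mode the mounted volume gives it. The `echo "Importing the previous secret key ..."` goes to stdout whereas the other diagnostics in this file go to `>&2`; `>&2` would keep stdout for the provider-info output. `init` continues outside the hunk.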
@@ -86,85 +98,9 @@ provider_info() {
 echo
 }
-dnscrypt_wrapper_compat() {
- if [ ! -d "$LEGACY_KEYS_DIR" ]; then
- echo "Neither [${KEYS_DIR}] doesn't seem to contain the required DNS provider information, and a [${LEGACY_KEYS_DIR}] directory wasn't found either" >&2
- return 1
- fi
- echo "Legacy [$LEGACY_KEYS_DIR] directory found" >&2
- if [ -d "${KEYS_DIR}/provider_name" ]; then
- echo "Both [${LEGACY_KEYS_DIR}] and [${KEYS_DIR}] are present and not empty - This is not expected." >&2
- return 1
- fi
- if [ ! -f "${LEGACY_KEYS_DIR}/secret.key" ]; then
- echo "No secret key in [${LEGACY_KEYS_DIR}/secret.key], this is not expected." >&2
- echo >&2
- echo "If you are migrating from a container previously running dnscrypt-wrapper," >&2
- echo "make sure that the [${LEGACY_KEYS_DIR}] directory is mounted." >&2
- echo >&2
- echo "If you are setting up a brand new server, maybe you've been following" >&2
- echo "an outdated tutorial." >&2
- echo >&2
- echo "The key directory should be mounted as [${KEYS_DIR}] and not [$LEGACY_KEYS_DIR]." >&2
- return 1
- fi
- echo "...and this is fine! You can keep using it, no need to change anything to your Docker volumes." >&2
- echo "We'll just copy a few things to [${KEYS_DIR}] internally" >&2
- find "$KEYS_DIR" -type f -print -exec cp -afv {} "$LEGACY_KEYS_DIR/" \;
- chmod 700 "$LEGACY_KEYS_DIR"
- chown -R _encrypted-dns:_encrypted-dns "$LEGACY_KEYS_DIR"
- echo "...and update the configuration file" >&2
- sed -e "s#${KEYS_DIR}#${LEGACY_KEYS_DIR}#g" <"$CONFIG_FILE_TEMPLATE" >"${CONFIG_FILE_TEMPLATE}.tmp" &&
- mv -f "${CONFIG_FILE_TEMPLATE}.tmp" "$CONFIG_FILE_TEMPLATE" || exit 1
- provider_name=$(cat "${LEGACY_KEYS_DIR}/provider_name")
- if [ -f "${LEGACY_KEYS_DIR}/provider-info.txt" ]; then
- ext_address=$(grep -F -- "--resolver-address=" "${LEGACY_KEYS_DIR}/provider-info.txt" 2>/dev/null | cut -d'=' -f2 | sed 's/ //g')
- fi
- if [ -z "$ext_address" ]; then
- echo "(we were not able to find the previous external IP address, the printed stamp will be wrong, but the previous stamp will keep working)" >&2
- ext_address="0.0.0.0:443"
- fi
-
- tls_proxy_configuration=""
- domain_blacklist_file="${LISTS_DIR}/blacklist.txt"
- domain_blacklist_configuration=""
- if [ -s "$domain_blacklist_file" ]; then
- domain_blacklist_configuration="domain_blacklist = \"${domain_blacklist_file}\""
- fi
- sed \
- -e "s#@PROVIDER_NAME@#${provider_name}#" \
- -e "s#@EXTERNAL_IPV4@#${ext_address}#" \
- -e "s#@TLS_PROXY_CONFIGURATION@#${tls_proxy_configuration}#" \
- -e "s#@DOMAIN_BLACKLIST_CONFIGURATION@#${domain_blacklist_configuration}#" \
- "$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE"
- echo "...and check that everything's fine..." >&2
- /opt/encrypted-dns/sbin/encrypted-dns \
- --config "$CONFIG_FILE" \
- --import-from-dnscrypt-wrapper "${LEGACY_KEYS_DIR}/secret.key" \
- --dry-run >/dev/null || exit 1
- chmod 600 "${LEGACY_KEYS_DIR}/secret.key"
- echo "Done!" >&2
- echo >&2
-
- if [ -s "${LEGACY_LISTS_DIR}/blacklist.txt" ]; then
- echo "Your blacklist [${LEGACY_LISTS_DIR}/blacklist.txt] will be loaded as well." >&2
- fi
-
- export KEYS_DIR="$LEGACY_KEYS_DIR"
- export LISTS_DIR="$LEGACY_LISTS_DIR"
-}
-
 is_initialized() {
- if [ ! -f "${KEYS_DIR}/encrypted-dns.state" ] || [ ! -f "${KEYS_DIR}/provider-info.txt" ] || [ ! -f "${KEYS_DIR}/provider_name" ]; then
- if dnscrypt_wrapper_compat; then
- if [ ! -f "${KEYS_DIR}/encrypted-dns.state" ] || [ ! -f "${KEYS_DIR}/provider_name" ]; then
- echo no
- else
- echo yes
- fi
- else
- echo no
- fi
+ if [ ! -f "$CONFIG_FILE" ] || [ ! -f "${STATE_DIR}/encrypted-dns.state" ] || [ ! -f "${KEYS_DIR}/provider-info.txt" ] || [ ! -f "${KEYS_DIR}/provider_name" ]; then
+ echo no
 else
 echo yes
 fi
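Review bot: The new test on the `+ if [ ! -f "$CONFIG_FILE" ] || [ ! -f "${STATE_DIR}/encrypted-dns.state" ] ...` line accepts a zero-length state file, so a state file left truncated by an interrupted or failed write would make `is_initialized` print `yes` and `init` would skip straight to `start` instead of regenerating it; `[ ! -s "${STATE_DIR}/encrypted-dns.state" ]` would send such a container back through initialization. The four-way condition on one line is also hard to read; one `[ ! -f ... ]` test per line joined with `||` and a continuation would keep the same logic. The function has no header comment although its stdout is parsed by `init`; a comment such as `# Prints "yes" when the generated config, the state file, provider-info.txt and provider_name all exist, "no" otherwise` would document that contract. The closing brace of `is_initialized` is outside the hunk.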