install_boundary.sh
#!/bin/bash
# Abort as soon as a command outside a condition exits non-zero, so a failed
# install step stops the script instead of continuing with a partial setup.
set -e
# Print an informational message on stdout.
# Arguments: the words of the message; they follow the "[INFO] ->" prefix,
#            separated by single spaces.
info() {
  printf '%s' '[INFO] ->'
  [ "$#" -eq 0 ] || printf ' %s' "$@"
  printf '\n'
}
# Print an error message prefixed with "[ERROR] ->" and terminate the script
# with exit status 1.
# Arguments: the words of the message, joined with single spaces.
# NOTE(review): the message is written to stdout, not stderr; callers that
# separate the two streams will find errors mixed into normal output.
fatal() {
  printf '%s' '[ERROR] ->'
  [ "$#" -eq 0 ] || printf ' %s' "$@"
  printf '\n'
  exit 1
}
# Stop the installation unless /run/systemd exists, which this script takes as
# the sign that systemd is available to supervise the Boundary service.
verify_system() {
  [ -d /run/systemd ] ||
    fatal 'Can not find systemd to use as a process supervisor for Boundary'
}
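# Decide how privileged commands are run and set the install locations.
# Globals:   SUDO_PASS (read, optional) - password fed to sudo on stdin
#            SUDO (written) - "sudo" for a non-root caller, empty for root
#            BOUNDARY_DATA_DIR, BOUNDARY_CONFIG_DIR, BOUNDARY_SERVICE_FILE,
#            BIN_DIR (written) - fixed install paths
#            PRE_INSTALL_HASHES (written) - output of get_installed_hashes
#            taken before anything is changed
setup_env() {
  SUDO=sudo
  if [ "$(id -u)" -eq 0 ]; then
    # Already root: privileged commands run directly.
    SUDO=
  elif [ -n "$SUDO_PASS" ]; then
    # Hand the password to sudo on stdin (-S). The expansion is quoted and
    # written with printf so that a password containing spaces, glob
    # characters or a leading dash reaches sudo unchanged; printf is a shell
    # builtin, so the secret is not placed on another process's command line.
    # NOTE(review): later "$SUDO ..." calls presumably rely on sudo caching
    # this authentication; confirm against the host's sudoers settings.
    printf '%s\n' "$SUDO_PASS" | sudo -S true
    # Blank line, presumably to end the line sudo's prompt leaves open.
    echo ""
  fi
  BOUNDARY_DATA_DIR=/opt/boundary
  BOUNDARY_CONFIG_DIR=/etc/boundary.d
  BOUNDARY_SERVICE_FILE=/etc/systemd/system/boundary.service
  BIN_DIR=/usr/local/bin
  # Snapshot taken now so systemd_enable_and_start can tell whether the
  # install changed anything.
  PRE_INSTALL_HASHES=$(get_installed_hashes)
}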
# --- set arch and suffix, fatal if architecture not supported ---
# Globals:   ARCH (read; filled from `uname -m` when empty)
#            SUFFIX (written) - amd64, arm64 or arm; used in the release
#            archive name
setup_verify_arch() {
  [ -n "$ARCH" ] || ARCH=$(uname -m)
  case $ARCH in
    amd64 | x86_64)
      SUFFIX=amd64
      ;;
    arm64 | aarch64)
      SUFFIX=arm64
      ;;
    arm*)
      # Any remaining name starting with "arm"; the 64-bit spellings were
      # already matched above.
      SUFFIX=arm
      ;;
    *)
      fatal "Unsupported architecture $ARCH"
      ;;
  esac
}
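# --- get hashes of the current boundary bin and service files
# Globals:   SUDO, BIN_DIR, BOUNDARY_CONFIG_DIR, BOUNDARY_SERVICE_FILE (read)
# Outputs:   sha256sum output for the binary, every file in the config
#            directory and the unit file
# Returns:   always 0
get_installed_hashes() {
  # Paths are quoted so a location containing whitespace is hashed as one
  # file; the glob stays outside the quotes so it still expands. $SUDO is left
  # unquoted on purpose: it is empty when the script already runs as root.
  # stderr is folded into the output and failures are ignored, so a file that
  # does not exist yet shows up as an error line in the captured text rather
  # than aborting the script.
  $SUDO sha256sum "${BIN_DIR}/boundary" "${BOUNDARY_CONFIG_DIR}"/* "${BOUNDARY_SERVICE_FILE}" 2>&1 || true
}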
# Succeed when a command named yum can be resolved by the shell.
# Prints nothing; only the exit status carries the answer.
has_yum() {
  command -v yum >/dev/null 2>&1
}
# Succeed when a command named apt-get can be resolved by the shell.
# Prints nothing; only the exit status carries the answer.
has_apt_get() {
  command -v apt-get >/dev/null 2>&1
}
# Install curl and unzip through apt-get or yum when either tool is missing.
# Globals:   TMP_DIR, SUDO (read)
# Nothing is installed when ${TMP_DIR}/boundary is already an executable file.
# NOTE(review): download_and_install looks for ${TMP_DIR}/boundary.zip, not
# ${TMP_DIR}/boundary; confirm which artifact the uploader places in TMP_DIR,
# since unpacking an uploaded archive still needs unzip.
install_dependencies() {
  if [ -x "${TMP_DIR}/boundary" ]; then
    return 0
  fi
  # Both tools present: nothing to do.
  if [ -x "$(command -v unzip)" ] && [ -x "$(command -v curl)" ]; then
    return 0
  fi
  if has_apt_get; then
    $SUDO apt-get install -y curl unzip
  elif has_yum; then
    $SUDO yum install -y curl unzip
  else
    fatal "Could not find apt-get or yum. Cannot install dependencies on this OS"
  fi
}
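# Install the boundary binary into BIN_DIR, either from an uploaded archive or
# from releases.hashicorp.com.
# Globals:   TMP_DIR, BIN_DIR, BOUNDARY_VERSION, SUFFIX, SUDO (read)
# Outputs:   progress messages via info
# Returns:   exits through fatal when a download fails, the checksum list has
#            no entry for the archive, or the archive's SHA-256 differs
#
# NOTE(review): the checksum list is fetched from the same server as the
# archive, so the comparison catches a corrupted or truncated download but not
# a release replaced at the source. HashiCorp also publishes a detached
# signature for the checksum list; verifying it against a pinned release key
# would cover that case.
download_and_install() {
  local release_url zip_name sums_name expected actual sum name

  # An archive uploaded into TMP_DIR takes precedence over a download.
  # NOTE(review): this path unpacks the archive as-is, with no integrity
  # check; its trustworthiness rests on whoever placed it in TMP_DIR.
  if [ -f "${TMP_DIR}/boundary.zip" ]; then
    info "Installing uploaded Boundary package"
    $SUDO unzip -qq -o "$TMP_DIR/boundary.zip" -d "$BIN_DIR"
    return
  fi

  # Skip the download when the installed binary already reports the wanted
  # version.
  if [ -x "${BIN_DIR}/boundary" ] && [ "$("${BIN_DIR}/boundary" version | grep "Version Number" | tr -s ' ' | cut -d' ' -f4)" = "${BOUNDARY_VERSION}" ]; then
    info "Boundary binary already installed in ${BIN_DIR}, skipping downloading and installing binary"
    return
  fi

  zip_name="boundary_${BOUNDARY_VERSION}_linux_${SUFFIX}.zip"
  sums_name="boundary_${BOUNDARY_VERSION}_SHA256SUMS"
  release_url="https://releases.hashicorp.com/boundary/${BOUNDARY_VERSION}"

  # --proto/--proto-redir keep the transfer on HTTPS even when -L follows a
  # redirect. Failures are reported explicitly instead of relying on set -e.
  info "Downloading ${zip_name}"
  curl --proto '=https' --proto-redir '=https' -o "$TMP_DIR/${zip_name}" -sfL "${release_url}/${zip_name}" ||
    fatal "Failed to download ${zip_name}"
  info "Downloading ${sums_name}"
  curl --proto '=https' --proto-redir '=https' -o "$TMP_DIR/${sums_name}" -sfL "${release_url}/${sums_name}" ||
    fatal "Failed to download ${sums_name}"

  info "Verifying downloaded ${zip_name}"
  # Pick the published hash by exact file name (a leading "*" marks binary
  # mode in sha256sum lists). Matching literally avoids treating the name as
  # a pattern.
  expected=
  while read -r sum name || [ -n "$sum" ]; do
    if [ "${name#\*}" = "$zip_name" ]; then
      expected=$sum
      break
    fi
  done <"$TMP_DIR/${sums_name}"
  # Fail closed: a list without an entry for this archive verifies nothing.
  [ -n "$expected" ] || fatal "No checksum entry for ${zip_name} in ${sums_name}"

  # Hash the archive by its full path so the check does not depend on the
  # current working directory.
  actual=$(sha256sum "$TMP_DIR/${zip_name}") || fatal "Could not compute checksum of ${zip_name}"
  actual=${actual%% *}
  [ "$actual" = "$expected" ] || fatal "Checksum mismatch for ${zip_name}"

  info "Unpacking ${zip_name}"
  $SUDO unzip -qq -o "$TMP_DIR/${zip_name}" -d "$BIN_DIR"
}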
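# Create the "boundary" system account if needed, create the data and config
# directories, copy the uploaded configuration and hand both trees to the
# service account.
# Globals:   SUDO, TMP_DIR, BOUNDARY_DATA_DIR, BOUNDARY_CONFIG_DIR (read)
#
# NOTE(review): no file mode is set on the copied configuration, and the
# recursive chown makes the service account the owner of its own config. If
# those files hold secrets, confirm the resulting permissions are not wider
# than intended and whether the service needs write access to them.
create_user_and_config() {
  if id boundary >/dev/null 2>&1; then
    info "User 'boundary' already exists, will not create again"
  else
    info "Creating user named 'boundary'"
    # System account with no login shell; its home is the config directory.
    $SUDO useradd --system --home "${BOUNDARY_CONFIG_DIR}" --shell /bin/false boundary
  fi
  $SUDO mkdir --parents "${BOUNDARY_DATA_DIR}"
  $SUDO mkdir --parents "${BOUNDARY_CONFIG_DIR}"
  # TMP_DIR is quoted so an upload directory containing whitespace still
  # works; the glob stays outside the quotes so it expands.
  $SUDO cp "${TMP_DIR}/config"/* "${BOUNDARY_CONFIG_DIR}"
  # Use the same variables the directories were created from, rather than
  # repeating the literal paths.
  $SUDO chown --recursive boundary:boundary "${BOUNDARY_DATA_DIR}"
  $SUDO chown --recursive boundary:boundary "${BOUNDARY_CONFIG_DIR}"
}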
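# --- write systemd service file ---
# Globals:   SUDO, BIN_DIR, BOUNDARY_CONFIG_DIR, BOUNDARY_SERVICE_FILE (read)
# Writes a unit that runs "boundary server" as user and group "boundary" with
# the configuration file ${BOUNDARY_CONFIG_DIR}/boundary.hcl.
#
# NOTE(review): "Capabilities=" is not among the directives current systemd
# releases document, so it is likely ignored there with a warning; confirm
# against the systemd version in use whether CAP_IPC_LOCK is still granted as
# intended. The unit also sets no sandboxing options (for example
# NoNewPrivileges= or ProtectSystem=); worth considering for a service that
# brokers access.
create_systemd_service_file() {
  info "Adding system service file ${BOUNDARY_SERVICE_FILE}"
  # tee runs under $SUDO because the redirection of an ordinary ">" would be
  # performed by the unprivileged shell. The path is quoted so it is always
  # treated as a single file name.
  $SUDO tee "${BOUNDARY_SERVICE_FILE}" >/dev/null <<EOF
[Unit]
Description=Boundary
Documentation=https://boundaryproject.io/docs/
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=${BIN_DIR}/boundary server -config ${BOUNDARY_CONFIG_DIR}/boundary.hcl
User=boundary
Group=boundary
LimitMEMLOCK=infinity
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
[Install]
WantedBy=multi-user.target
EOF
}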
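# --- startup systemd service ---
# Globals:   SKIP_ENABLE, SKIP_START, SUDO, BOUNDARY_SERVICE_FILE,
#            PRE_INSTALL_HASHES (read); POST_INSTALL_HASHES (written)
# Returns:   0
# SKIP_ENABLE=true returns before anything is done, so it also skips the
# start. SKIP_START=true enables the unit but does not (re)start it.
systemd_enable_and_start() {
  if [ "${SKIP_ENABLE}" = true ]; then
    return 0
  fi
  info "Enabling systemd service"
  # The unit is enabled by path; quoting keeps the path a single argument.
  $SUDO systemctl enable "${BOUNDARY_SERVICE_FILE}" >/dev/null
  $SUDO systemctl daemon-reload >/dev/null
  if [ "${SKIP_START}" = true ]; then
    return 0
  fi
  # Compare against the snapshot taken before the install: the service is
  # restarted only when the binary, a config file or the unit file changed.
  # NOTE(review): with unchanged hashes the service is left alone even if it
  # is not currently running; confirm that is the intended behaviour.
  POST_INSTALL_HASHES=$(get_installed_hashes)
  if [ "${PRE_INSTALL_HASHES}" = "${POST_INSTALL_HASHES}" ]; then
    info "No change detected so skipping service start"
    return 0
  fi
  info "Starting systemd service"
  $SUDO systemctl restart boundary
  return 0
}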
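# Run the installation steps in order from inside the upload directory.
# TMP_DIR must be set: a bare `cd` with an empty argument list would move to
# $HOME, and every "${TMP_DIR}/..." path used by the steps would then resolve
# against the filesystem root (for example /boundary.zip and /config/*), which
# the script would go on to install with elevated privileges.
cd -- "${TMP_DIR:?TMP_DIR must be set to the directory holding the uploaded files}"
setup_env
setup_verify_arch
verify_system
install_dependencies
create_user_and_config
download_and_install
create_systemd_service_file
systemd_enable_and_start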