diff --git a/client/container_preparation/entrypoint.sh b/client/container_preparation/entrypoint.sh index 3173f76..ff7e813 100755 --- a/client/container_preparation/entrypoint.sh +++ b/client/container_preparation/entrypoint.sh @@ -8,7 +8,7 @@ docker_path="/var/run/docker.sock" # Argument parser, arguments for both container preparation and key shipping should be handled here. parse_args() { - while [[ "$#" -gt 0 ]]; do + while [ "${#}" -gt 0 ]; do case "$1" in --config) config="$2" @@ -69,7 +69,7 @@ parse_args() { done # Check for required arguments - if [ -z "$config" ] || [ -z "$base_oci_image" ] || [ -z "$sif_path" ] || [ -z "$data_path" ] || [ -z "$data_path_at_rest" ] || ([ -z "$users" ] && [ -z "$groups" ]) || [ -z "$compute_nodes" ]; then + if [ -z "$config" ] || [ -z "$base_oci_image" ] || [ -z "$sif_path" ] || [ -z "$data_path" ] || [ -z "$data_path_at_rest" ] || { [ -z "$users" ] && [ -z "$groups" ]; } || [ -z "$compute_nodes" ]; then echo echo "Please provides options for both of these programs : " python3 ./prepare_container.py --help python3 ./utils/ship_a_key.py --help @@ -79,7 +79,7 @@ parse_args() { # Cleanup spire-agent generated files end_entrypoint() { - if ! [ -n "$encrypted" ]; then + if [ -z "$encrypted" ]; then echo "No encryption, nothing to clean" else echo "Cleaning everything before leaving ..." 
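Review bot: The rewritten loop header `while [ "${#}" -gt 0 ]; do` spells the positional count with braces, while the parallel change in client/data_preparation/entrypoint.sh in this same commit writes `while [ "$#" -gt 0 ]; do`; the two parsers are otherwise line-for-line copies, so use one spelling in both (`"$#"` is the conventional form). parse_args and end_entrypoint both continue outside these hunks, so nothing more can be said about their bodies here.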
@@ -100,21 +100,21 @@ NC='\033[0m' # No Color # Parse arguments from cli parse_args "$@" -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Entering entrypoint" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Entering entrypoint" # ## [RUN] Perform node attestation (spawn agent, register it's and it's workload's spiffeID) # if [ -n "$encrypted" ]; then - echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is on. Registering and running SPIRE Agent" + printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is on. Registering and running SPIRE Agent" - python3 ./utils/spawn_agent.py --config $config >/dev/null 2>/dev/null & + python3 ./utils/spawn_agent.py --config "$config" >/dev/null 2>/dev/null & spire_agent_pid=$! fi -ps $spire_agent_pid >/dev/null || ( +ps "$spire_agent_pid" >/dev/null || ( echo "spire agent died, aborting" end_entrypoint "$spire_agent_pid" 1 ) @@ -123,7 +123,7 @@ ps $spire_agent_pid >/dev/null || ( ## [END] Perform node attestation # -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Run container preparation" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Run container preparation" # ## [RUN] Run container preparation (Preparation of new image, build of new image, build of Apptainer/Singularity image) @@ -139,7 +139,7 @@ fi ## [END] Run container preparation # -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Container preparation ended" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Container preparation ended" # ## [RUN] Ship private key to the vault (Creation of workload identity to give access to the key, writing key to the vault) 
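Review bot: Quoting `ps "$spire_agent_pid"` changes what happens when `--encrypted` is not given: spire_agent_pid is then never assigned, so the script now runs `ps ""` (an explicit empty argument) instead of plain `ps`, and whether that succeeds depends on the ps implementation; guard the check instead, `[ -z "$spire_agent_pid" ] || ps "$spire_agent_pid" >/dev/null || {`, and close the fallback with `}` rather than `)`, because inside the `( ... )` subshell an exit performed by end_entrypoint (its body is outside this hunk) only ends the subshell and the script carries on after "spire agent died, aborting" — the @@ -69 hunk already made this subshell-to-group change for the argument check. Separately, every `echo -e` replaced by `printf "%b" "..."` in this hunk, in @@ -123, @@ -139 and @@ -150 of this file, in all hunks of client/data_preparation/entrypoint.sh and in server/entrypoint.sh loses the trailing newline that echo printed, so consecutive status lines now run together; use `printf '%b\n' "..."`. For the two messages that embed `$spiffeID`, `%b` also interprets backslash sequences inside the value fetched from the agent; pass it as data instead, e.g. `printf '%b%s\n' "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is on, writing key to the vault, using spiffeID " "$spiffeID"`.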
@@ -150,29 +150,29 @@ if [ -n "$encrypted" ]; then fi if [ -z "$encrypted" ]; then - echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is off, nothing to do" + printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is off, nothing to do" else - echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is on, writing key to the vault, using spiffeID $spiffeID" + printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is on, writing key to the vault, using spiffeID $spiffeID" if [ -z "$users" ]; then # If the user provided only groups - python3 ./utils/ship_a_key.py --config $config --username "$username" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 + python3 ./utils/ship_a_key.py --config "$config" --username "$username" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 elif [ -z "$groups" ]; then # If the user provided only users - python3 ./utils/ship_a_key.py --config $config --username "$username" -u "$users" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 + python3 ./utils/ship_a_key.py --config "$config" --username "$username" -u "$users" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 else # If the user provided both - python3 ./utils/ship_a_key.py --config $config --username "$username" -u "$users" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 + python3 ./utils/ship_a_key.py --config "$config" --username "$username" -u "$users" -g "$groups" -c 
"$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 fi - echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Key written to the vault" + printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Key written to the vault" fi # ## [END] Ship private key to the vault # -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Leaving entrypoint" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Leaving entrypoint" end_entrypoint "$spire_agent_pid" 0 diff --git a/client/container_preparation/input_logic/run.sh b/client/container_preparation/input_logic/run.sh index 86a1a34..579c073 100755 --- a/client/container_preparation/input_logic/run.sh +++ b/client/container_preparation/input_logic/run.sh 
@@ -7,10 +7,12 @@ PATH="$PATH:/sd-container/tools/input_logic/" echo "[SD-Container][Input-Logic] : Getting data decryption key from vault" # Get token via vault login. The data_login environment variable need to be exported from calling script -data_token=$(curl -s --request POST --data "$data_login" $vault/v1/auth/jwt/login | jq '.auth.client_token' -r) || exit 1 +# shellcheck disable=SC2154 # data_login and vault are actually environment variables someone at some point decided to use lower case letters for <- TODO: fix this +data_token=$(curl -s --request POST --data "$data_login" "$vault/v1/auth/jwt/login" | jq '.auth.client_token' -r) || exit 1 # Use the token to access the key. The data_path environment variable needs to be exported from calling script -data_key=$(curl -s -H "X-Vault-Token: $data_token" $vault/v1/kv/data/${data_path} | jq '.data.data.key' -r) || exit 1 +# shellcheck disable=SC2154 # data_path and vault are actually environment variables someone at some point decided to use lower case letters for <- TODO: fix this +data_key=$(curl -s -H "X-Vault-Token: $data_token" "$vault/v1/kv/data/${data_path}" | jq '.data.data.key' -r) || exit 1 # Write the key in an encrypted volume echo "$data_key" >/sd-container/encrypted/decryption_key @@ -26,7 +28,7 @@ rm /sd-container/encrypted/decryption_key echo "[SD-Container][Input-Logic] : Data decrypted" # Untar the not anymore encrypted archive -cd /sd-container/encrypted +cd /sd-container/encrypted || exit 1 tar xvf /sd-container/encrypted/decrypted_data.tgz || exit 1 echo "[SD-Container][Input-Logic] : Data untared" diff --git a/client/data_preparation/entrypoint.sh b/client/data_preparation/entrypoint.sh index 6118bd2..cce9441 100755 --- a/client/data_preparation/entrypoint.sh +++ b/client/data_preparation/entrypoint.sh 
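Review bot: The `|| exit 1` on the new data_token and data_key lines only reflects jq's exit status, so a rejected vault login (curl -s returns the JSON error body with status 0 and jq prints `null`) is not caught; the script then sends `X-Vault-Token: null`, and the later context line writes the literal `null` to /sd-container/encrypted/decryption_key, and unless the file sets `set -o pipefail` above this hunk (not visible here) even a curl failure is masked. Add `-f` (or `-sSf`) to both curl calls and validate each value before using it, e.g. `[ -n "$data_token" ] && [ "$data_token" != null ] || exit 1` after the first line and the same for data_key. The login JWT in `--data "$data_login"` and the token in `-H "X-Vault-Token: $data_token"` are also passed on curl's argv, where any other process in the container can read them via ps or /proc; `--data @-` reads the body from stdin, and `-H @file` (curl 7.55+) does the same for the header if a mktemp file is acceptable here.
```shell
# shellcheck disable=SC2154 # data_login and vault are actually environment variables someone at some point decided to use lower case letters for <- TODO: fix this
data_token=$(printf '%s' "$data_login" | curl -sSf --request POST --data @- "$vault/v1/auth/jwt/login" | jq '.auth.client_token' -r) || exit 1
[ -n "$data_token" ] && [ "$data_token" != null ] || exit 1

# … unchanged: comment on data_path / shellcheck disable …
data_key=$(curl -sSf -H "X-Vault-Token: $data_token" "$vault/v1/kv/data/${data_path}" | jq '.data.data.key' -r) || exit 1
[ -n "$data_key" ] && [ "$data_key" != null ] || exit 1
```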
@@ -5,7 +5,7 @@ # Argument parser, arguments for both Data preparation and key shipping should be handled here. parse_args() { - while [[ "$#" -gt 0 ]]; do + while [ "$#" -gt 0 ]; do case "$1" in --config) config="$2" @@ -58,7 +58,7 @@ parse_args() { done # Check for required arguments - if [ -z "$config" ] || [ -z "$input_data" ] || [ -z "$output_data" ] || [ -z "$data_path" ] || [ -z "$data_path_at_rest" ] || [ -z "$username" ] || ([ -z "$users" ] && [ -z "$groups" ]) || [ -z "$compute_nodes" ]; then + if [ -z "$config" ] || [ -z "$input_data" ] || [ -z "$output_data" ] || [ -z "$data_path" ] || [ -z "$data_path_at_rest" ] || [ -z "$username" ] || { [ -z "$users" ] && [ -z "$groups" ]; } || [ -z "$compute_nodes" ]; then echo echo "Please provides options for both of these programs : " python3 ./prepare_data.py --help python3 ./utils/ship_a_key.py --help 
@@ -86,21 +86,21 @@ NC='\033[0m' # No Color # Parse arguments from cli parse_args "$@" -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Entering entrypoint" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Entering entrypoint" # ## [RUN] Perform node attestation (spawn agent, register it's and it's workload's spiffeID) # -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Registering and running SPIRE Agent" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Registering and running SPIRE Agent" -python3 ./utils/spawn_agent.py --config $config >/dev/null 2>/dev/null & +python3 ./utils/spawn_agent.py --config "$config" >/dev/null 2>/dev/null & spire_agent_pid=$! until [ -e /tmp/agent.sock ]; do - echo -e "${RED}[LUMI-SD][Data preparation] Spire workload api socket doesn't exist, waiting 10 seconds ${NC}" + printf "%b" "${RED}[LUMI-SD][Data preparation] Spire workload api socket doesn't exist, waiting 10 seconds ${NC}" sleep 10 - if ! ps | grep $spire_agent_pid >/dev/null; then + if pgrep -q -f "$spire_agent_pid"; then echo "spire agent died, aborting" end_entrypoint "$spire_agent_pid" 1 fi @@ -110,7 +110,7 @@ done ## [END] Perform node attestation # -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Run Data preparation" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Run Data preparation" # ## [RUN] Run Data preparation (Encryption of input data) @@ -122,7 +122,7 @@ python3 ./prepare_data.py -i "$input_data" -o "$output_data" || end_entrypoint " ## [END] Run Data preparation # -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Data preparation ended" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Data preparation ended" # ## [RUN] Ship private key to the vault (Creation of workload identity to give access to the key, writing key to the vault) 
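Review bot: The new liveness test inside the `until` loop is inverted: the removed line aborted when `ps | grep` found no match, whereas `if pgrep -q -f "$spire_agent_pid"; then` aborts when a match is found. It is also not a PID check at all — `-f` treats the digits as a regex against every process's command line, so the outcome has no reliable relation to whether the agent is alive — and `-q` is a BSD pgrep flag whose availability on the image's pgrep is uncertain. Checking the PID directly avoids all three problems: `if ! kill -0 "$spire_agent_pid" 2>/dev/null; then`.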
@@ -130,26 +130,26 @@ echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Data preparation spiffeID=$(spire-agent api fetch --output json -socketPath /tmp/agent.sock | jq '.svids[0].spiffe_id' -r) -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Writing key to the vault, using spiffeID $spiffeID" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Writing key to the vault, using spiffeID $spiffeID" # Handle different cases of user provided compute nodes / user / groups if [ -z "$users" ]; then # If the user provided only groups - python3 ./utils/ship_a_key.py --config $config --username "$username" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 + python3 ./utils/ship_a_key.py --config "$config" --username "$username" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 elif [ -z "$groups" ]; then # If the user provided only users - python3 ./utils/ship_a_key.py --config $config --username "$username" -u "$users" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 + python3 ./utils/ship_a_key.py --config "$config" --username "$username" -u "$users" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 else # If the user provided both - python3 ./utils/ship_a_key.py --config $config --username "$username" -u "$users" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1 + python3 ./utils/ship_a_key.py --config "$config" --username "$username" -u "$users" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i 
"$spiffeID" || end_entrypoint "$spire_agent_pid" 1 fi -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Key written to the vault" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Key written to the vault" # ## [END] Ship private key to the vault # -echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Leaving entrypoint" +printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Leaving entrypoint" end_entrypoint "$spire_agent_pid" 0 diff --git a/server/entrypoint.sh b/server/entrypoint.sh index 5aac004..49025f3 100755 --- a/server/entrypoint.sh +++ b/server/entrypoint.sh @@ -21,11 +21,14 @@ rm -rf /tmp/data spire-agent run -config /tmp/agent.conf || end_entrypoint 0 1 & spire_agent_pid=$! -agent_socket_path=$(cat /tmp/agent.conf | grep "socket_path" | cut -d "=" -f2 | cut -d '"' -f1) +agent_socket_path=$(grep "socket_path" /tmp/agent.conf | cut -d "=" -f2 | cut -d '"' -f1) + +RED='\033[0;31m' +NC='\033[0m' sleep 10 -until [ -e $agent_socket_path ]; do - echo -e "${RED}[LUMI-SD][Data preparation] Spire workload api socket doesn't exist, waiting 10 seconds ${NC}" +until [ -e "${agent_socket_path}" ]; do + printf "%b[LUMI-SD][Data preparation] Spire workload api socket doesn't exist, waiting 10 seconds %b" "${RED}" "${NC}" sleep 10 done
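Review bot: The `spiffeID=$(spire-agent api fetch --output json -socketPath /tmp/agent.sock | jq '.svids[0].spiffe_id' -r)` line at the top of this hunk has no failure handling: if the fetch fails or returns no SVID, jq yields an empty string or `null`, and every ship_a_key call in the hunk then passes that as `-i`, which per the section comment is the identity granted access to the key. Abort before shipping: append `|| end_entrypoint "$spire_agent_pid" 1` to that assignment and follow it with `[ -n "$spiffeID" ] && [ "$spiffeID" != null ] || end_entrypoint "$spire_agent_pid" 1`. Without `set -o pipefail` (not visible in this hunk) the first `||` only reflects jq's status, so the second check is the one that actually catches a failed fetch.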
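Review bot: `cut -d '"' -f1` in the new agent_socket_path line selects the text before the first double quote; if /tmp/agent.conf uses the usual `socket_path = "/path"` form (the file is not visible here) that is whitespace rather than the path, and `-f2` is what selects the quoted value. This would surface only now: the old unquoted `[ -e $agent_socket_path ]` collapsed to `[ -e ]`, which is true, so the loop ended at once, whereas the quoted `until [ -e "${agent_socket_path}" ]` can never become true with that value. The loop also has no exit path if the agent started by `spire-agent run ... &` dies, unlike the data_preparation entrypoint's loop; adding `kill -0 "$spire_agent_pid" 2>/dev/null || end_entrypoint 0 1` inside the loop bounds the wait.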