update ab-openldap scripts

This commit is contained in:
Asif Bacchus 2020-03-13 02:28:00 -06:00
parent 220f0bdd23
commit ffd336e218
3 changed files with 815 additions and 47 deletions

View File

@ -24,18 +24,23 @@ yellow=$(tput setaf 3)
### parameter defaults
clean=false
restore=false
container_name="ab-openldap"
volume_data="ab-openldap_data"
volume_ldif="ab-openldap_ldif"
backup_dir="$(pwd)/restore"
remove=0
shell=false
tag=latest
scriptHelp () {
printf "\n${magenta}%80s\n" | tr " " "-"
printf "${norm}This is a simple helper script so you can avoid lengthy typing when working\n"
printf "\n%s%80s\n" "$magenta" | tr " " "-"
printf "%sThis is a simple helper script so you can avoid lengthy typing when working\n" "$norm"
printf "with the openLDAP container. The script reads the contents of 'ab-openldap.params'\n"
printf "and constructs various 'docker run' commands based on that file. The biggest\n"
printf "timesaver is working with certificates. If they are specified in the '.params',\n"
printf "the script will automatically bind-mount them so openLDAP starts in 'TLS\n"
printf "file, the script will automatically bind-mount them so openLDAP starts in 'TLS\n"
printf "required' mode.\n\n"
printf "If you run the script with no parameters, it will execute the container\n"
printf "'normally': Run in detached mode with openLDAP automatically launched and\n"
@ -45,29 +50,50 @@ scriptHelp () {
printf "Containers run in SHELL mode are ALWAYS removed upon exit as they are meant for\n"
printf "testing only. By default, containers run without '--rm' will be restarted\n"
printf "automatically unless they are manually stopped via 'docker stop...'\n\n"
printf "${magenta}The script has the following parameters:\n"
printf "${cyan}(parameter in cyan) ${yellow}(default in yellow)${norm}\n\n"
printf "${cyan}-n|--name${norm}\n"
printf "%sThe script has the following parameters:\n" "$magenta"
printf "%s(parameter in cyan) %s(default in yellow)%s\n\n" \
"$cyan" "$yellow" "$norm"
printf "%s-t|--tag%s\n" "$cyan" "$norm"
printf "Change the version of the container downloaded by specifying a particular tag.\n"
printf "This can be useful when testing new versions or if you have to roll back to a\n"
printf "previous container version.\n"
printf "%s(latest)%s\n\n" "$yellow" "$norm"
printf "%s-n|--name%s\n" "$cyan" "$norm"
printf "Change the name of the container. This is cosmetic and does not affect\n"
printf "operation in any way.\n"
printf "${yellow}(ab-openldap)${norm}\n\n"
printf "${cyan}--rm|--remove${norm}\n"
printf "%s(ab-openldap)%s\n\n" "$yellow" "$norm"
printf "%s--data%s\n" "$cyan" "$norm"
printf "Change the name of the docker volume used to persist data.\n"
printf "%s(ab-openldap_data)%s\n\n" "$yellow" "$norm"
printf "%s--ldif%s\n" "$cyan" "$norm"
printf "Change the name of the docker volume used to persist LDIFs.\n"
printf "%s(ab-openldap_ldif)%s\n\n" "$yellow" "$norm"
printf "%s--rm|--remove%s\n" "$cyan" "$norm"
printf "Automatically remove the container and volume (unless data is written) after it\n"
printf "is exited.\n"
printf "${yellow}(off: do not destroy container when stopped)${norm}\n\n"
printf "${cyan}-s|--shell${norm}\n"
printf "%s(off: do not destroy container when stopped)%s\n\n" \
"$yellow" "$norm"
printf "%s-s|--shell%s\n" "$cyan" "$norm"
printf "Enter the container using an interactive POSIX shell. This happens after\n"
printf "startup operations but *before* openLDAP (slapd) is actually started. This is\n"
printf "a great way to see configuration changes possibly stopping openLDAP from\n"
printf "starting. You can combine this with '--rm' for easy configuration checks.\n"
printf "${yellow}(off: run in detached mode)${norm}\n\n"
printf "${cyan}--clean${norm}\n"
printf "%s(off: run in detached mode)%s\n\n" "$yellow" "$norm"
printf "%s--clean%s\n" "$cyan" "$norm"
printf "This option will stop ALL running openLDAP containers *AND DESTROY ALL\n"
printf "VOLUMES*. This is meant to give you a 'clean start' if you've made\n"
printf "configuration changes, etc.\n\n"
printf "${yellow}More information can be found at:\n"
printf "%s--restore%s\n" "$cyan" "$norm"
printf "Restore a 'slapcat' backup to the data and ldif volume in preparation for\n"
printf "mounting them in a normal container.\n"
printf "It is strongly recommended you review your '-t' '--data' and '--ldif' settings\n"
printf "before proceeding with this option.\n\n"
printf "%s--backupdir%s\n" "$cyan" "$norm"
printf "Location of the 'slapcat' backup files which you want to restore.\n"
printf "%s(./restore)%s\n\n" "$yellow" "$norm"
printf "%sMore information can be found at:\n" "$yellow"
printf "https://git.asifbacchus.app/ab-docker/openldap/wiki\n"
printf "${magenta}%80s\n\n" | tr " " "-"
printf "%s%80s\n\n" "$magenta" | tr " " "-"
exit 0
}
@ -76,14 +102,14 @@ scriptHelp () {
# is user root or in the docker group?
if [ ! "$( id -u )" -eq 0 ]; then
if ! id -Gn | grep docker > /dev/null; then
printf "${err}\nYou must either be root or in the 'docker' group to run this script since you must be able to actually start the container! Exiting.\n${norm}"
printf "%s\nYou must either be root or in the 'docker' group to run this script since you must be able to actually start the container! Exiting.\n%s" "$err" "$norm"
exit 2
fi
fi
# does the params file exist?
if [ ! -f "./ab-openldap.params" ]; then
printf "${err}\nCannot find 'ab-openldap.params' file in the same directory as this script. Exiting.\n${norm}"
printf "%s\nCannot find 'ab-openldap.params' file in the same directory as this script. Exiting.\n%s" "$err" "$norm"
exit 3
fi
@ -93,15 +119,18 @@ fi
# check for certs if using TLS
if [ "$TLS_CERT" ]; then
if [ ! -f "$TLS_CERT" ]; then
printf "${err}\nCannot find specified TLS certificate file. Exiting.${norm}\n"
printf "%s\nCannot find specified TLS certificate file. Exiting.%s\n" \
"$err" "$norm"
exit 5
fi
if [ ! -f "$TLS_KEY" ]; then
printf "${err}\nCannot find specified TLS private key file. Exiting.${norm}\n"
printf "%s\nCannot find specified TLS private key file. Exiting.%s\n" \
"$err" "$norm"
exit 5
fi
if [ ! -f "$TLS_CHAIN" ]; then
printf "${err}\nCannot find specified TLS certificate chain file. Exiting.${norm}\n"
printf "%s\nCannot find specified TLS certificate chain file. Exiting.%s\n" \
"$err" "$norm"
exit 5
fi
fi
@ -126,18 +155,63 @@ while [ $# -gt 0 ]; do
# stop if necessary, delete volumes
clean=true
;;
--restore)
# restore backup
restore=true
;;
-n|--name)
# container name
if [ -z "$2" ]; then
printf "${err}\nNo container name specified. Exiting.\n${norm}"
printf "%s\nNo container name specified. Exiting.\n%s" \
"$err" "$norm"
exit 1
fi
container_name="$2"
shift
;;
--data)
# data volume name
if [ -z "$2" ]; then
printf "%s\nNo name specified for data volume. Exiting.\n%s" \
"$err" "$norm"
exit 1
fi
volume_data="$2"
shift
;;
--ldif)
# ldif volume name
if [ -z "$2" ]; then
printf "%s\nNo name specified for LDIF volume. Exiting.\n%s" \
"$err" "$norm"
exit 1
fi
volume_ldif="$2"
shift
;;
--backupdir)
# location of backup files to restore
if [ -z "$2" ]; then
printf "%s\nLocation of your backup files not provided. Exiting.\n%s" \
"$err" "$norm"
exit 1
fi
backup_dir="$2"
shift
;;
-t|--tag)
# specify container tag
if [ -z "$2" ]; then
printf "%s\nNo tag specified. Exiting.\n%s" \
"$err" "$norm"
exit 1
fi
tag="$2"
shift
;;
*)
printf "${err}\nUnknown option: %s\n" "$1"
printf "Use '--help' for valid options.\n\n${norm}"
printf "%s\nUnknown option: %s\n" "$err" "$1"
printf "Use '--help' for valid options.\n\n%s" "$norm"
exit 1
;;
esac
@ -145,13 +219,39 @@ while [ $# -gt 0 ]; do
done
# cleanup any running containers and volumes
# cleanup containers and volumes
if [ $clean = true ]; then
# display warning and confirm user's intentions
printf "\nThis will stop and remove all ab-openldap containers %sAND REMOVE ALL PERSISTENT DATA VOLUMES%s. Please ensure you have a backup and understand how to restore your data.\n" \
"$red" "$norm"
printf "%sThis action CANNOT be undone!%s\n\n" \
"$red" "$norm"
# confirmation loop
while true; do
printf "%sAre you sure you want to continue? (yes/no)%s " \
"$cyan" "$norm"
read -r yn
case "$yn" in
[Yy]*)
break
;;
[Nn]*)
printf "\n"
exit 0
;;
*)
printf "Please answer 'y' or 'n'.\n"
;;
esac
done
# get all ab-openldap containers
containers=$(docker ps -a --no-trunc --filter "label=org.label-schema.name=ab-openldap" --format "{{ .Names }}")
# check for null value -- no containers to remove
if [ -z "$containers" ]; then
printf "${err}No openldap containers to remove. Exiting.${norm}\n\n"
printf "%sNo openldap containers to remove. Exiting.%s\n\n" \
"$err" "$norm"
exit 0
fi
@ -159,66 +259,125 @@ if [ $clean = true ]; then
set -- dummy $containers
shift
for container; do
printf "\n${cyan}Found %s -- processing:${norm}\n" ${container}
volume=$(docker inspect --format '{{ range .Mounts }}{{ if eq .Destination "/var/openldap/data" }}{{ .Name }}{{ end }}{{ end }}' ${container})
printf "\t${red}Stopping container...${norm}\n"
printf "\n%sFound %s -- processing:%s\n" \
"$cyan" "$container" "$norm"
# stop container
printf "\t%sStopping container...%s\n" "$red" "$norm"
docker stop ${container} > /dev/null 2>&1
printf "\t${red}Removing container...${norm}\n"
# find volumes
volumes=$(docker inspect --format '{{ range .Mounts }}{{ println .Name }}{{ end }}' ${container})
# remove container
printf "\t%sRemoving container...%s\n" "$red" "$norm"
docker rm ${container} > /dev/null 2>&1
printf "\t${red}Removing volume...${norm}\n"
docker volume rm ${volume} > /dev/null 2>&1
printf "${cyan}...done${norm}\n"
# pause to allow write flushing
sleep 3
# iterate volumes
set -- dummy2 $volumes
shift
for volume; do
printf "\t%sRemoving volume '%s'...%s\n" "$red" "$volume" "$norm"
docker volume rm ${volume} > /dev/null 2>&1
done
printf "%s...done%s\n" "$cyan" "$norm"
done
elif [ $restore = true ]; then
# restore backup
printf "%s\n*** Restoring Backup ***\n\n%s" "$magenta" "$norm"
printf "To avoid errors due to existing files, this script will delete any volumes that have the following names:\n"
printf "\t%s\n\t%s\n" "$volume_data" "$volume_ldif"
# confirmation loop
while true; do
printf "%sDo you want to continue? (yes/no)%s " \
"$cyan" "$norm"
read -r yn
case "$yn" in
[Yy]*)
break
;;
[Nn]*)
printf "\n"
exit 0
;;
*)
printf "Please answer 'y' or 'n'.\n"
;;
esac
done
# delete any conflicting volumes
docker volume rm ${volume_data} > /dev/null 2>&1
docker volume rm ${volume_ldif} > /dev/null 2>&1
# run temporary container to merge backup data into volumes
docker run --rm \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$backup_dir":/restore \
docker.asifbacchus.app/ldap/ab-openldap:${tag} \
cat /var/openldap/data/restore.log
printf "\nPlease review the log output on your screen to determine if the restore was successful or what errors need to be corrected. If everything was successful, your data volumes can be used in a new container started normally.\n"
# run without TLS
elif [ -z "$TLS_CERT" ]; then
if [ $shell = true ]; then
# exec shell
printf "${cyan}\nRunning SHELL on %s...${norm}\n" "$container_name"
printf "%s\nRunning SHELL on %s...%s\n" \
"$cyan" "$container_name" "$norm"
if [ -d "$MY_LDIF" ]; then
# bind-mount custom LDIFs if specified
docker run --rm -it --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$MY_LDIF":/etc/openldap/customLDIF \
-p 389:389 -p 636:636 \
docker.asifbacchus.app/ldap/ab-openldap:latest /bin/sh
docker.asifbacchus.app/ldap/ab-openldap:${tag} /bin/sh
else
docker run --rm -it --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-p 389:389 -p 636:636 \
docker.asifbacchus.app/ldap/ab-openldap:latest /bin/sh
docker.asifbacchus.app/ldap/ab-openldap:${tag} /bin/sh
fi
else
# exec normally
printf "${cyan}\nRunning OPENLDAP on %s...${norm}\n" "$container_name"
printf "%s\nRunning OPENLDAP on %s...%s\n" \
"$cyan" "$container_name" "$norm"
if [ "$remove" -eq 1 ]; then
if [ -d "$MY_LDIF" ]; then
# bind-mount custom LDIFs if specified
docker run --rm -d --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$MY_LDIF":/etc/openldap/customLDIF \
-p 389:389 -p 636:636 \
docker.asifbacchus.app/ldap/ab-openldap:latest
docker.asifbacchus.app/ldap/ab-openldap:${tag}
else
docker run --rm -d --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-p 389:389 -p 636:636 \
docker.asifbacchus.app/ldap/ab-openldap:latest
docker.asifbacchus.app/ldap/ab-openldap:${tag}
fi
else
if [ -d "$MY_LDIF" ]; then
# bind-mount custom LDIFs if specified
docker run -d --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$MY_LDIF":/etc/openldap/customLDIF \
-p 389:389 -p 636:636 \
--restart unless-stopped \
docker.asifbacchus.app/ldap/ab-openldap:latest
docker.asifbacchus.app/ldap/ab-openldap:${tag}
else
docker run -d --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-p 389:389 -p 636:636 \
--restart unless-stopped \
docker.asifbacchus.app/ldap/ab-openldap:latest
docker.asifbacchus.app/ldap/ab-openldap:${tag}
fi
fi
fi
@ -226,70 +385,84 @@ elif [ -z "$TLS_CERT" ]; then
elif [ "$TLS_CERT" ] && [ "$TLS_KEY" ] && [ "$TLS_CHAIN" ]; then
if [ $shell = true ]; then
# exec shell
printf "${cyan}\nRunning SHELL on %s (TLS)...${norm}\n" "$container_name"
printf "%s\nRunning SHELL on %s (TLS)...%s\n" \
"$cyan" "$container_name" "$norm"
if [ -d "$MY_LDIF" ]; then
# bind-mount custom LDIFs if specified
docker run --rm -it --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$MY_LDIF":/etc/openldap/customLDIF \
-v "$TLS_CERT":/certs/fullchain.pem:ro \
-v "$TLS_KEY":/certs/privkey.pem:ro \
-v "$TLS_CHAIN":/certs/chain.pem:ro \
-p 389:389 -p 636:636 \
docker.asifbacchus.app/ldap/ab-openldap:latest /bin/sh
docker.asifbacchus.app/ldap/ab-openldap:${tag} /bin/sh
else
docker run --rm -it --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$TLS_CERT":/certs/fullchain.pem:ro \
-v "$TLS_KEY":/certs/privkey.pem:ro \
-v "$TLS_CHAIN":/certs/chain.pem:ro \
-p 389:389 -p 636:636 \
docker.asifbacchus.app/ldap/ab-openldap:latest /bin/sh
docker.asifbacchus.app/ldap/ab-openldap:${tag} /bin/sh
fi
else
# exec normally
printf "${cyan}\nRunning OPENLDAP on %s (TLS)...${norm}\n" "$container_name"
printf "%s\nRunning OPENLDAP on %s (TLS)...%s\n" \
"$cyan" "$container_name" "$norm"
if [ "$remove" -eq 1 ]; then
if [ -d "$MY_LDIF" ]; then
# bind-mount custom LDIFs if specified
docker run --rm -d --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$MY_LDIF":/etc/openldap/customLDIF \
-v "$TLS_CERT":/certs/fullchain.pem:ro \
-v "$TLS_KEY":/certs/privkey.pem:ro \
-v "$TLS_CHAIN":/certs/chain.pem:ro \
-p 389:389 -p 636:636 \
docker.asifbacchus.app/ldap/ab-openldap:latest
docker.asifbacchus.app/ldap/ab-openldap:${tag}
else
docker run --rm -d --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$TLS_CERT":/certs/fullchain.pem:ro \
-v "$TLS_KEY":/certs/privkey.pem:ro \
-v "$TLS_CHAIN":/certs/chain.pem:ro \
-p 389:389 -p 636:636 \
docker.asifbacchus.app/ldap/ab-openldap:latest
docker.asifbacchus.app/ldap/ab-openldap:${tag}
fi
else
if [ -d "$MY_LDIF" ]; then
# bind-mount custom LDIFs if specified
docker run -d --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$MY_LDIF":/etc/openldap/customLDIF \
-v "$TLS_CERT":/certs/fullchain.pem:ro \
-v "$TLS_KEY":/certs/privkey.pem:ro \
-v "$TLS_CHAIN":/certs/chain.pem:ro \
-p 389:389 -p 636:636 \
--restart unless-stopped \
docker.asifbacchus.app/ldap/ab-openldap:latest
docker.asifbacchus.app/ldap/ab-openldap:${tag}
else
docker run -d --name ${container_name} \
--env-file ab-openldap.params \
-v "$volume_data":/var/openldap/data \
-v "$volume_ldif":/etc/openldap/ldif \
-v "$TLS_CERT":/certs/fullchain.pem:ro \
-v "$TLS_KEY":/certs/privkey.pem:ro \
-v "$TLS_CHAIN":/certs/chain.pem:ro \
-p 389:389 -p 636:636 \
--restart unless-stopped \
docker.asifbacchus.app/ldap/ab-openldap:latest
docker.asifbacchus.app/ldap/ab-openldap:${tag}
fi
fi
fi

27
backup.params.template Normal file
View File

@ -0,0 +1,27 @@
#######
### openLDAP backup script parameters file
#######
### This file should be protected since it contains the password used to
### encrypt your backup files!
### recommend at least:
### chown root:root backup.parameters
### chmod 600 backup.parameters
# password used to encrypt backup
password='myPassword'
### encryption options
# encryption cipher
# use 'openssl enc --ciphers' to see which ciphers are supported by your
# openSSL installation
encryptionCipher='aes-256-cbc'
# number of iterations used to derive the private key, higher is better but
# more CPU intensive - minimum of 20000 recommended
encryptionIterations=25000
#EOF

568
backup.sh Executable file
View File

@ -0,0 +1,568 @@
#!/bin/sh
#
### backup openLDAP configuration and frontend database(s)
#
# error code reference:
# 0: exited normally, no errors
# 1: parameter or permissions error
# 2: unsupported number of containers (0 or more than 1)
# 3: could not create/remove temporary directory/files
# 4: problem exporting database(s)
# 5: problem compressing/encrypting tar.gz archive
# 6: problem copying encrypted archive to host
# 7: problem creating target subdirectory in outputLocation
# 8: problem extracting gzipped tarball file
# 99: dependencies not installed (tar, gzip)
### text formatting presets
# set colours for various log message types
bold=$(tput bold)
err=$(tput bold)$(tput setaf 1)
info=$(tput sgr0)
norm=$(tput sgr0)
ok=$(tput setaf 2)
# define other colours used
cyan=$(tput bold)$(tput setaf 6)
magenta=$(tput sgr0)$(tput setaf 5)
yellow=$(tput sgr0)$(tput setaf 3)
### parameter defaults
width=$(tput cols)
scriptPath="$( CDPATH='' cd -- "$( dirname -- "$0" )" && pwd -P )"
scriptName="$( basename "$0" )"
# logfile default: same location and name as this script, with '.log' extension
logfile="$scriptPath/${scriptName%.*}.log"
# encryption parameters file default: same location and name as this script,
# with '.params' extension
encParams="$scriptPath/${scriptName%.*}.params"
# backup mode by default
unset backupFile
extract=false
decrypt=false
# encryption enabled by default
noEncryption=0
tempDir="$(date '+%s')"
fileDate="$(date '+%F_%T')"
outputLocation="$scriptPath/"
# frontend starts at '1', so this number should always be the number of
# frontend databases + 1 -- default to only 1 frontend db
numFrontEnd=2
### functions
cleanup () {
logInfo 'task' 'Cleaning up'
if ! docker exec "$container" rm -rf "$tempDir" \
>> "$logfile" 2>&1; then
logInfo 'err'
exitError 3 'Unable to remove temporary files in container.' 'nc'
fi
logInfo 'done'
}
consoleError () {
printf "%s\n%s\n" "$err" "$2"
printf "Exiting.\n\n%s" "$norm"
exit "$1"
}
decryptionNote () {
printf "\n"
textblock "${bold}${magenta}Decrypting your backup archive:${norm}"
printf "\n"
textblock 'To decrypt and extract your backup file, you need the following information:'
textblock '1. The password used to encrypt the file'
textblock '2. The encryption cipher used (default: AES-256-CBC)'
textblock '3. The number of iterations used to create the private key (default: 25000)'
printf "\n"
textblock "Run the following command, replacing the ${cyan}[cyan stuff in square brackets]${norm} with values appropriate to your environment."
printf "\n"
textblock "openssl enc -d -${cyan}[cipher-here]${norm} -iter +${cyan}[iterations]${norm} -k ${cyan}[password]${norm} -in ${cyan}[backup_archive.tar.gz]${norm} | tar -xz -C ${cyan}[destinationDirectory]${norm}"
printf "\n"
textblock 'NOTE: The output directory must already exist or tar will throw an error.'
printf "\n"
textblock "${magenta}Example:${norm}"
textblock "openssl enc -d -${cyan}aes-256-cbc${norm} -iter +${cyan}25000${norm} -k ${cyan}mypassword${norm} -in ${cyan}~/ldap-2020-03-10_17:31:34.tar.gz${norm} | tar -xz -C ${cyan}~/ldapRestore${norm}"
printf "\n"
textblock 'Note: Using this script with the --decrypt option handles this for you and can create target directories automatically.'
printf "\n\n"
exit 0
}
exitError () {
# cleanup temp directory unless 'nc' passed
if [ ! "$3" = "nc" ]; then cleanup; fi
# log error
printf "%s[%s] -- [ERROR] code %s: %s --%s\n" \
"$err" "$(stamp)" "$1" "$2" "$norm" >> "$logfile"
printf "%s[%s] --- %s terminated with errors ---\n%s" \
"$err" "$(stamp)" "$scriptName" "$norm" >> "$logfile"
# exit with proper error code
exit "$1"
}
logInfo () {
if [ "$1" = 'task' ]; then
printf "%s[%s] -- [INFO] %s... " \
"$info" "$(stamp)" "$2" >> "$logfile"
elif [ "$1" = 'done' ]; then
if [ -z "$2" ]; then
printf "%sdone%s --%s\n" \
"$ok" "$info" "$norm" >> "$logfile"
else
printf "%s%s%s --%s\n" \
"$ok" "$2" "$info" "$norm" >> "$logfile"
fi
elif [ "$1" = 'err' ]; then
printf "%serror%s --%s\n" \
"$err" "$info" "$norm" >> "$logfile"
else
printf "%s[%s] -- [INFO] %s --%s\n" \
"$info" "$(stamp)" "$1" "$norm" >> "$logfile"
fi
}
logSuccess () {
printf "%s[%s] -- [SUCCESS] %s --%s\n" \
"$ok" "$(stamp)" "$1" "$norm" >> "$logfile"
}
scriptHelp () {
printf "\n"
textblock "${bold}${magenta}Usage: ${scriptName} [parameters]${norm}"
printf "\n"
textblock "${cyan}Parameters ${yellow}(default value):${norm}"
textblock "There are NO mandatory parameters. By default the script will run in 'backup' mode and save an encrypted backup archive to the current directory. If a parameter is not supplied, it's default value will be used. In the case of a switch parameter, it will remain deactivated if not specified."
printf "\n"
textblock "${bold}*** Common parameters ***${norm}"
printf "\n"
textblock "${cyan}-l, --log ${yellow}(scriptPath/scriptName.log)${norm}"
textblock "FULL path to write log file. If you supply a path ending with a slash ('/') it will be assumed you mean a directory and the log file will be written to that directory using the format 'path/scriptname.log'. If you supply only a filename (no slashes anywhere), it will assumed you want to save the log using that name in the script directory. The script will attempt to create any provided paths/directories if they do not exist."
printf "\n"
textblock "${cyan}-o, --output ${yellow}(scriptPath/)${norm}"
textblock "Location where the output files should be saved on this machine. You should only specify a *directory* here (trailing slash optional). File names are automatic and cannot be changed via this script. All restore operations will create a 'restore' subdirectory in this specified directory."
printf "\n"
textblock "${cyan}-p, --params ${yellow}(scriptPath/scriptName.params)${norm}"
textblock "Location of the encryption parameters file. This file contains the password and encryption options that should be used. By default, the script looks in the script directory for a file named the same as the script but with a '.params' extension."
printf "\n"
textblock "${cyan}-h, -? | -??, --help${norm}"
textblock "Quick-help screen. | This (detailed) help screen."
printf "\n"
textblock "${bold}*** Encryption parameters ***${norm}"
printf "\n"
textblock "${cyan}-n, --num, --frontend ${yellow}(1)${norm}"
textblock "Number of frontend databases to backup. If you specify a number here greater than actually exist, openLDAP will generate an error and your backup will fail."
printf "\n"
textblock "${cyan}--no-encryption${norm}"
textblock "Switch parameter. Specify this if you DO NOT want the backup archive tar.gz file encrypted. Careful!"
printf "\n"
textblock "${bold}*** Decryption/Extraction parameters ***${norm}"
printf "\n"
textblock "${cyan}-b, --backupfile${norm}"
textblock "FULL path of the backup file you want to decrypt/extract. MUST be supplied if using the --decrypt or --extract switches."
printf "\n"
textblock "${cyan}-d, --decrypt ${yellow}(implies --extract)${norm}"
textblock "Switch parameter. Decrypt and extract your backup file (MUST be supplied using the --backupfile parameter) to the 'restore' subdirectory of the current directory or as specified using the '--output' parameter. This switch will log error code 8 if you try to decrypt an unencrypted backup archive."
printf "\n"
textblock "${cyan}-e, --extract${norm}"
textblock "Switch parameter. Extract your backup file (MUST be supplied using the --backupfile parameter) to the 'restore' subdirectory of the current directory or as specified using the '--output' parameter. This switch will log error code 8 if you try to extract an encrypted backup archive. In that case, use --decrypt instead."
printf "\n"
textblock "${cyan}--manualdecryption${norm}"
textblock "Display instructions on how to manually decrypt and extract your backup archive."
printf "\n\n"
textblock "More details and examples of script usage can be found in the repo wiki at ${magenta}https://git.asifbacchus.app/ab-docker/openldap/wiki${norm}"
printf "\n"
}
stamp () {
(date +%F' '%T)
}
textblock () {
printf "%s\n" "$1" | fold -w "$width" -s
}
quickHelp () {
textblock "${bold}${magenta}Usage: ${scriptName} [parameters]${norm}"
printf "\n"
textblock "${cyan}Parameters ${yellow}(default value):${norm}"
printf "\n"
textblock "${bold}*** Common parameters ***${norm}"
textblock "${cyan}-l, --log ${yellow}(scriptPath/scriptName.log)${norm}"
textblock "FULL path to write log file. Path ending with '/' will be treated as a directory. Filename only will be saved in script directory."
textblock "${cyan}-o, --output ${yellow}(scriptPath/)${norm}"
textblock "Directory to save output files on this machine."
textblock "${cyan}-p, --params ${yellow}(scriptPath/scriptName.params)${norm}"
textblock "Location of the encryption parameters file."
textblock "${cyan}-h, -? | -??, --help${norm}"
textblock "This help screen. | Detailed help."
printf "\n"
textblock "${bold}*** Encryption parameters ***${norm}"
textblock "${cyan}-n, --num, --frontend ${yellow}(1)${norm}"
textblock "Number of frontend databases to backup."
textblock "${cyan}--no-encryption${norm}"
textblock "Switch: DO NOT encrypt backup tar.gz."
printf "\n"
textblock "${bold}*** Decryption/Extraction parameters ***${norm}"
textblock "${cyan}-b, --backupfile${norm}"
textblock "FULL path of the backup file to be decrypted/extracted."
textblock "${cyan}-d, --decrypt ${yellow}(implies --extract)${norm}"
textblock "Decrypt and extract specified backup file to 'restore' subdirectory of current path/specified path (--output parameter)."
textblock "${cyan}-e, --extract${norm}"
textblock "Extract specified backup file to 'restore' subdirectory of current path/specified path (--output parameter)."
textblock "${cyan}--manualdecryption${norm}"
textblock "Display instructions on manually decrypting and extracting your backup archive."
printf "\n"
textblock "Run script with '-?? or --help' for detailed help. More details and examples of script usage can be found in the repo wiki at:"
printf "%s\thttps://git.asifbacchus.app/ab-docker/openldap/wiki%s\n\n" \
"$magenta" "$norm"
}
### pre-requisite checks
# is user root or in the docker group?
if [ ! "$( id -u )" -eq 0 ]; then
if ! id -Gn | grep docker > /dev/null; then
consoleError '1' "You must either be root or in the 'docker' group to run this script since you must be able to run 'docker exec' commands against the container!"
fi
fi
# is tar installed?
if ! command -v tar > /dev/null; then
consoleError '99' 'It appears that tar is not installed. This script requires tar in order to package and process backup files.'
fi
# is gzip installed?
if ! command -v gzip > /dev/null ; then
consoleError '99' 'It appears that gzip is not installed. This script requires gzip in order to compress/decompress backup tarball files.'
fi
# process startup parameters
while [ $# -gt 0 ]; do
case "$1" in
-b|--backupfile)
# name of backup file to decrypt/extract
if [ -z "$2" ]; then
consoleError '1' 'Backup file name cannot be null.'
elif [ ! -f "$2" ]; then
consoleError '1' "Specified backup file does not exist ($2)."
fi
backupFile="$2"
shift
;;
-d|--decrypt)
# decrypt and extract backup file (implies '-e')
decrypt=true
extract=true
;;
-e|--extract)
# extract gzipped tarball
extract=true
;;
-h|-\?)
# display brief help
quickHelp
exit 0
;;
-\?\?|--help)
# display full help
scriptHelp
exit 0
;;
-l|--log)
# location of log file
if [ -z "$2" ]; then
consoleError '1' 'Log file path cannot be null. Leave unspecified to save log in the same directory as this script.'
fi
logfile="$2"
shift
;;
--manualdecryption)
decryptionNote
exit 0
;;
-n|--num|--frontend)
# number of frontend databases
if [ -z "$2" ]; then
consoleError '1' 'Number of frontend databases cannot be null.'
fi
numFrontEnd=$(($2+1))
shift
;;
--no-encryption)
# disable encryption, switch parameter
noEncryption=1
# switches do not require an internal 'shift'
;;
-o|--output)
# directory on host to save output files
if [ -z "$2" ]; then
consoleError '1' 'Output destination location cannot be null.'
fi
outputLocation="$2"
shift
;;
-p|--params)
# path to encryption parameters file
if [ -z "$2" ]; then
consoleError '1' 'Path to encryption parameters file cannot be null.'
fi
encParams="$2"
shift
;;
*)
printf "%s\nUnknown option: %s\n" "$err" "$1"
printf "Use '--help' for valid options.\n\n%s" "$norm"
exit 1
;;
esac
shift
done
### start logging
# logfile checks
if ! printf "%s" "$logfile" | grep -o / > /dev/null; then
# filename provided, save in scriptdir
logfile="$scriptPath/$logfile"
elif [ "$( printf "%s" "$logfile" | tail -c 1 )" = '/' ]; then
# directory provided, does it exist?
if [ -d "$logfile" ]; then
logfile="${logfile}${scriptName%.*}.log"
else
if ! mkdir -p "$logfile" > /dev/null 2>&1; then
consoleError '1' 'Unable to make specified log file directory.'
fi
logfile="${logfile}${scriptName%.*}.log"
fi
else
# full path provided, does the parent directory exist?
if [ ! -d "${logfile%/*}" ]; then
# make parent path
if ! mkdir -p "${logfile%/*}" > /dev/null 2>&1; then
consoleError '1' 'Unable to make specified log file path.'
fi
fi
fi
# write initial log entries for script run
if ! printf "%s[%s] --- Start %s execution ---%s\n" \
"$magenta" "$(stamp)" "$scriptName" "$norm" >> "$logfile"; then
consoleError '1' "Unable to write to log file ($logfile)"
fi
logInfo "Log located at $logfile"
### process output directory
if [ -d "$outputLocation" ]; then
# touch test to ensure we can write here
if ! touch "${outputLocation%/}/test.touch" > /dev/null 2>&1; then
exitError '1' "Unable to write to output location: $outputLocation" 'nc'
else
logInfo "Writing output to: $outputLocation"
rm -f "${outputLocation%/}/test.touch" > /dev/null 2>&1
fi
else
# create directory
if ! mkdir -p "$outputLocation" > /dev/null 2>&1; then
exitError '1' "Unable to create output path: $outputLocation" 'nc'
else
logInfo "Writing output to: $outputLocation"
fi
fi
### source encryption parameters file
# check if file exists (unless encryption disabled), otherwise exit
if [ $noEncryption = 1 ]; then
logInfo 'Backup archive will NOT be encrypted!'
elif [ $noEncryption = 0 ] && [ ! -f "$encParams" ]; then
exitError 1 'Encryption parameters file does not exist.' 'nc'
else
# import encryption parameters file
case "${encParams}" in
/*)
# absolute path, no need to rewrite
. "${encParams}"
;;
*)
# relative path, need to rewrite assuming current directory
. "./${encParams}"
;;
esac
logInfo "Imported: '$encParams'"
# verify import
logInfo 'task' 'Verify encryption password'
if [ -z "$password" ]; then
logInfo 'err'
exitError 1 "Imported null value for encryption 'password'." 'nc'
else
logInfo 'done'
fi
logInfo 'task' 'Verify encryption cipher'
if [ -z "$encryptionCipher" ]; then
logInfo 'err'
exitError 1 "Imported null value for 'encryptionCipher'." 'nc'
else
logInfo 'done' "$encryptionCipher"
fi
logInfo 'task' 'Verify encryption key iterations'
if [ -z "$encryptionIterations" ]; then
logInfo 'err'
exitError 1 "Imported null value for 'encryptionIterations'." 'nc'
else
logInfo 'done' "$encryptionIterations"
fi
fi
if [ $extract = 'true' ]; then
# ensure backupFile has been specifed
if [ -z "$backupFile" ]; then
exitError '1' 'backupFile (-b|--backupFile) must be specified when using script in Extract mode.' 'nc'
fi
# extract backupFile to outputLocation
logInfo "Extracting backup file ($backupFile)"
# create extraction target directory
if [ ! -d "${outputLocation%/}/restore" ]; then
# create subdirectory for restored files
if ! mkdir "${outputLocation%/}/restore" > /dev/null 2>&1; then
exitError '7' 'Could not create target subdirectory in output location.' 'nc'
else
logInfo "Extracted files will be written to '${outputLocation%/}/restore/'"
fi
else
# ensure we can write to subdirectory for restored files
if ! touch "${outputLocation%/}/restore/test.touch" > /dev/null 2>&1; then
exitError '1' "Unable to write to output location: ${outputLocation%/}/restore/" 'nc'
else
rm -f "${outputLocation%/}/restore/test.touch" > /dev/null 2>&1
fi
fi
# extract/decrypt backup file
if [ "$decrypt" = 'true' ]; then
logInfo 'Decrypting backup file before extraction'
if ! openssl enc -d -"${encryptionCipher}" -iter +"${encryptionIterations}" -k "${password}" -in "${backupFile}" 2>> "$logfile" | tar --overwrite -xz -C "${outputLocation%/}/restore/" 2>> "$logfile"; then
exitError '8' 'There was a problem extracting the backup file. Perhaps the file is NOT encrypted? If so, please run with the --extract flag instead of the --decrypt flag.' 'nc'
else
logSuccess "Backup extracted to '${outputLocation%/}/restore/'"
fi
else
if ! tar --overwrite -xzf "$backupFile" -C "${outputLocation%/}/restore/" 2>> "$logfile"; then
exitError '8' 'There was a problem extracting the backup file. Perhaps it is encrypted? If so, please run with --decrypt flag.' 'nc'
else
logSuccess "Backup extracted to '${outputLocation%/}/restore/'"
fi
fi
elif [ $extract = 'false' ]; then
### process backup operations
## find ab-openldap container
container=$(docker ps -a --no-trunc --filter "label=org.label-schema.name=ab-openldap" --format "{{ .Names }}")
# check for null value -- cannot find container
if [ -z "$container" ]; then
exitError 2 'Cannot find ab-openldap container. Exiting.' 'nc'
fi
# check for multiple containers, exit if that's the case
# N.B. do NOT quote $container or this loop will NOT work!!!
set -- dummy $container
shift
containerCount=0
for c; do
containerCount=$((containerCount+1))
logInfo "Found container($containerCount): $c"
done
if [ "$containerCount" -gt 1 ]; then
exitError 2 'Multiple containers found. Exiting.' 'nc'
fi
## backup databases to ldif
# create temp working directory
if ! docker exec "$container" mkdir "/$tempDir" >> "$logfile" 2>&1; then
exitError 3 'Could not create temporary working directory.' 'nc'
fi
# backend to ldif
logInfo 'task' 'Backup configuration database'
if ! docker exec "$container" sh -c \
"slapcat -F /etc/openldap/ldif -n 0 -l ${tempDir}/config-${fileDate}.ldif" \
>> "$logfile" 2>&1; then
logInfo 'err'
exitError 4 'Could not backup configuration database.'
fi
logInfo 'done'
# iterate frontend databases and export to ldif
i=1
while [ "$i" -ne "$numFrontEnd" ]; do
logInfo 'task' "Backup frontend database $i"
if ! docker exec "$container" sh -c \
"slapcat -F /etc/openldap/ldif -n ${i} -l ${tempDir}/mdb${i}-${fileDate}.ldif" \
>> "$logfile" 2>&1; then
logInfo 'err'
exitError 4 "Could not backup frontend database $i."
else
logInfo 'done'
fi
i=$((i+1))
done
# compress and encrypt exported ldif files
if [ $noEncryption = 0 ]; then
logInfo 'task' 'Compressing and encrypting backup'
if ! docker exec -w "/$tempDir" "$container" sh -c \
"tar -czf - * | openssl enc -e -${encryptionCipher} -iter +${encryptionIterations} -k ${password} -out ./ldap-${fileDate}.tar.gz" \
>> "$logfile" 2>&1; then
logInfo 'err'
exitError 5 'Could not securely archive backup files.'
fi
logInfo 'done'
elif [ $noEncryption = 1 ]; then
logInfo 'task' 'Compressing backup'
if ! docker exec -w "/$tempDir" "$container" sh -c \
"tar -czf ldap-${fileDate}.tar.gz *" \
>> "$logfile" 2>&1; then
logInfo 'err'
exitError 5 'Could not archive backup files.'
fi
logInfo 'done'
fi
## copy file to output location on host
logInfo 'task' 'Copying archive from docker container to host'
if ! docker cp "$container:/$tempDir/ldap-${fileDate}.tar.gz" "$outputLocation/" \
>> "$logfile" 2>&1; then
logInfo 'err'
exitError 6 'Unable to copy backup archive from container to host.'
fi
logInfo 'done'
logInfo "Backup file: $outputLocation/ldap-${fileDate}.tar.gz"
## cleanup and log success
cleanup
logSuccess 'Backup completed successfully.'
fi
### exit gracefully
logSuccess 'All processes completed'
printf "%s[%s] --- %s execution completed ---\n%s" \
"$magenta" "$(stamp)" "$scriptName" "$norm" >> "$logfile"
exit 0