fix(docker): fix ca entrypoint logic and healthcheck

With this commit, it is advised to `rm ./data/root_ca.crt ./data/*.pem`, as new certificates and a root CA will be generated while utilizing the step volume. Closes #367 Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2022-08-13 23:17:53 -07:00 · 2022-08-13 23:17:53 -07:00 · d63615a994
commit d63615a994
parent 6f7ac33166
3 changed files with 34 additions and 40 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,8 +31,10 @@ services:
    entrypoint: /docker/ca-entrypoint.sh
    command: /docker/scripts/run-ca.sh
    healthcheck:
-      test: "bash /docker/health/run-ca.sh"
+      test: "bash /docker/health/ca.sh"
-      interval: 2s
+      interval: 3s
    volumes:
      - step:/root/.step
  memcached:
    image: aurweb:latest
@ -40,7 +42,7 @@ services:
    command: /docker/scripts/run-memcached.sh
    healthcheck:
      test: "bash /docker/health/memcached.sh"
-      interval: 2s
+      interval: 3s
  redis:
    image: aurweb:latest
@ -49,7 +51,7 @@ services:
    command: /docker/scripts/run-redis.sh
    healthcheck:
      test: "bash /docker/health/redis.sh"
-      interval: 2s
+      interval: 3s
    ports:
      - "127.0.0.1:16379:6379"
@ -67,7 +69,7 @@ services:
      - mariadb_data:/var/lib/mysql
    healthcheck:
      test: "bash /docker/health/mariadb.sh"
-      interval: 2s
+      interval: 3s
  mariadb_init:
    image: aurweb:latest
@ -98,7 +100,7 @@ services:
      - mariadb_test_run:/var/run/mysqld # Bind socket in this volume.
    healthcheck:
      test: "bash /docker/health/mariadb.sh"
-      interval: 2s
+      interval: 3s
  git:
    image: aurweb:latest
@ -113,7 +115,7 @@ services:
      - "2222:2222"
    healthcheck:
      test: "bash /docker/health/sshd.sh"
-      interval: 2s
+      interval: 3s
    depends_on:
      mariadb_init:
        condition: service_started
@ -129,7 +131,7 @@ services:
    command: /docker/scripts/run-smartgit.sh
    healthcheck:
      test: "bash /docker/health/smartgit.sh"
-      interval: 2s
+      interval: 3s
  cgit-php:
    image: aurweb:latest
@ -142,7 +144,7 @@ services:
    command: /docker/scripts/run-cgit.sh 3000
    healthcheck:
      test: "bash /docker/health/cgit.sh 3000"
-      interval: 2s
+      interval: 3s
    depends_on:
      git:
        condition: service_healthy
@ -162,7 +164,7 @@ services:
    command: /docker/scripts/run-cgit.sh 3000
    healthcheck:
      test: "bash /docker/health/cgit.sh 3000"
-      interval: 2s
+      interval: 3s
    depends_on:
      git:
        condition: service_healthy
@ -199,7 +201,7 @@ services:
    command: /docker/scripts/run-php.sh
    healthcheck:
      test: "bash /docker/health/php.sh"
-      interval: 2s
+      interval: 3s
    depends_on:
      git:
        condition: service_healthy
@ -228,7 +230,7 @@ services:
    command: /docker/scripts/run-fastapi.sh "${FASTAPI_BACKEND}"
    healthcheck:
      test: "bash /docker/health/fastapi.sh ${FASTAPI_BACKEND}"
-      interval: 2s
+      interval: 3s
    depends_on:
      git:
        condition: service_healthy
@ -254,10 +256,10 @@ services:
      - "127.0.0.1:8444:8444" # FastAPI
    healthcheck:
      test: "bash /docker/health/nginx.sh"
-      interval: 2s
+      interval: 3s
    depends_on:
      ca:
-        condition: service_started
+        condition: service_healthy
      cgit-php:
        condition: service_healthy
      cgit-fastapi:
--- a/docker/ca-entrypoint.sh
+++ b/docker/ca-entrypoint.sh
@ -89,34 +89,26 @@ step_cert_request() {
    chmod 666 /data/${1}.*.pem
 }
-if [ ! -f $DATA_ROOT_CA ]; then
+if [ ! -d /root/.step/config ]; then
    # Remove existing certs.
    rm -vf /data/localhost.{cert,key}.pem /data/root_ca.crt
    setup_step_ca
    install_step_ca
    start_step_ca
    for host in $DATA_CERT_HOSTS; do
        step_cert_request $host /data/${host}.cert.pem /data/${host}.key.pem
    done
    kill_step_ca
    echo -n "WARN: Your certificates are being regenerated to resolve "
    echo -n "an inconsistent step-ca state. You will need to re-import "
    echo "the root CA certificate into your browser."
 else
    exec "$@"
 fi
 # For all hosts separated by spaces in $DATA_CERT_HOSTS, perform a check
 # for their existence in /data and react accordingly.
 for host in $DATA_CERT_HOSTS; do
    if [ -f /data/${host}.cert.pem ] && [ -f /data/${host}.key.pem ]; then
        # Found an override. Move on to running the service after
        # printing a notification to the user.
        echo "Found '${host}.{cert,key}.pem' override, skipping..."
        echo -n "Note: If you need to regenerate certificates, run "
        echo '`rm -f data/*.{cert,key}.pem` before starting this service.'
        exec "$@"
    else
        # Otherwise, we had a missing cert or key, so remove both.
        rm -f /data/${host}.cert.pem
        rm -f /data/${host}.key.pem
    fi
 done
 start_step_ca
 for host in $DATA_CERT_HOSTS; do
    step_cert_request $host /data/${host}.cert.pem /data/${host}.key.pem
 done
 kill_step_ca
 # Set permissions to /data to rwx for everybody.
 chmod 777 /data
--- a/docker/health/ca.sh
+++ b/docker/health/ca.sh
@ -1,2 +1,2 @@
-
+#!/bin/bash
-exec printf "" 2>>/dev/null >>/dev/tcp/127.0.0.1/8443
+exec curl -qkiI 'https://localhost:8443/'
`@ -1,2 +1,2 @@`
		`#!/bin/bash`
	`exec printf "" 2>>/dev/null >>/dev/tcp/127.0.0.1/8443`	`exec curl -qkiI 'https://localhost:8443/'`