From 4fff75b1ecbae19ca1dd9babd292f9e8b0cbd0f6 Mon Sep 17 00:00:00 2001 From: SkyperTHC Date: Mon, 1 Aug 2022 13:38:28 +0100 Subject: [PATCH] nginx-delay --- docker-compose.yml | 47 +++++++++++++++++---------------- encfs/mount.sh | 19 ++++++++++--- gsnc/sf-gsnc.sh | 8 +++--- host/fs-root/bin/docker_sshd.sh | 14 +++++----- host/fs-root/bin/segfaultsh | 1 + provision/init-ubuntu.sh | 2 +- 6 files changed, 52 insertions(+), 39 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 7b47b28..1dd589c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,5 +1,26 @@ version: "3.7" services: + # EncFS for /onion and /everyone + sf-encfs: + build: encfs + image: sf-encfs + restart: ${SF_RESTART:-on-failure} + cap_add: + - SYS_ADMIN + security_opt: + - apparmor:unconfined + environment: + - SF_SEED + - SF_DEBUG + command: ["/mount.sh", "server"] + network_mode: none + devices: + - "/dev/fuse:/dev/fuse" + volumes: + - "${SF_BASEDIR:-.}/config/etc/seed:/config/etc/seed" + - "${SF_BASEDIR:-.}/data/sf:/encfs/raw" + - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/encfs/sec:shared" + dns-doh: image: crazymax/cloudflared restart: ${SF_RESTART:-on-failure} @@ -117,7 +138,7 @@ services: - SF_SEED volumes: - "${SF_SHMDIR:-/dev/shm/sf}/run/gsnc:/sf/run/gsnc" - - "${SF_BASEDIR:-.}/config/etc/seed:/config/seed" + - "${SF_BASEDIR:-.}/config/etc/seed:/config/etc/seed" entrypoint: ["/sf-gsnc.sh", "172.20.0.110"] segfault: 
@@ -151,36 +172,16 @@ services: volumes: - "${SF_BASEDIR:-.}/config/etc/ssh:/config/etc/ssh" - "${SF_BASEDIR:-.}/config/db:/config/db" - - "${SF_BASEDIR:-.}/config/etc/seed:/config/seed" + - "${SF_BASEDIR:-.}/config/etc/seed:/config/etc/seed" - "${SF_BASEDIR:-.}/config/etc/info:/config/etc/info:ro" - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/sec:slave" - "/var/run/docker.sock:/var/run/docker.sock" - # EncFS for /onion and /everyone - sf-encfs: - build: encfs - image: sf-encfs - restart: ${SF_RESTART:-on-failure} - cap_add: - - SYS_ADMIN - security_opt: - - apparmor:unconfined - environment: - - SF_SEED - - SF_DEBUG - command: ["/mount.sh", "server"] - network_mode: none - devices: - - "/dev/fuse:/dev/fuse" - volumes: - - "${SF_BASEDIR:-.}/config/etc/seed:/config/seed" - - "${SF_BASEDIR:-.}/data/sf:/encfs/raw" - - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/encfs/sec:shared" - nginx: image: nginx restart: ${SF_RESTART:-on-failure} depends_on: + - dnsmasq # FIXME: This delays nginx until SHMDIR/encfs-sec/sf/onion-www is available - sf-encfs dns: 255.255.255.255 networks: diff --git a/encfs/mount.sh b/encfs/mount.sh index 220e671..a1a1981 100755 --- a/encfs/mount.sh +++ b/encfs/mount.sh @@ -22,10 +22,10 @@ _term() create_load_seed() { [[ -n $SF_SEED ]] && return - [[ ! -f "/config/seed/seed.txt" ]] && { - head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; } + [[ ! -f "/config/etc/seed/seed.txt" ]] && { + head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; } } - SF_SEED="$(cat /config/seed/seed.txt)" + SF_SEED="$(cat /config/etc/seed/seed.txt)" [[ -z $SF_SEED ]] && { echo -e >&2 "mount.sh: Failed to generated SF_SEED="; exit 254; } } 
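Review bot: `depends_on` only orders container start; it does not wait for sf-encfs to have its FUSE mount in place, so adding `dnsmasq` as an extra dependency (the FIXME line) buys a timing-dependent delay, and moving `sf-encfs` to the top of the file in the first hunk has, as far as I know, no effect on start order either. mount.sh in this same commit creates `/encfs/sec/IS-ENCRYPTED.txt` only once the mount is verified, which is exactly what a healthcheck can probe; nginx can then use the long `depends_on` form below (this needs the Compose Specification / `docker compose` v2, since the legacy `docker-compose` 3.7 schema only accepts the list form, so the `version:` line would need revisiting too). Independently, nginx's bind of `${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf` must carry `:slave` propagation as the segfault service's does in this hunk, otherwise a mount made after the container started stays invisible; nginx's `volumes:` are outside the hunk, so I cannot confirm it.
```yaml
  sf-encfs:
    # … unchanged: build/image/restart/cap_add/security_opt/environment/command/volumes …
    healthcheck:
      # mount.sh creates this marker only after the FUSE mount has been verified
      test: ["CMD", "test", "-e", "/encfs/sec/IS-ENCRYPTED.txt"]
      interval: 2s
      retries: 30

  nginx:
    # … unchanged: image/restart/dns/networks …
    depends_on:
      sf-encfs:
        condition: service_healthy
```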
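Review bot: `create_load_seed` here, and its copies in the sf-gsnc.sh and docker_sshd.sh hunks, each create `/config/etc/seed/seed.txt` when it is missing, yet all three containers are started together by compose and share that bind mount, so two of them can race and one ends up with a seed that the other immediately overwrites; because `ENCFS_SERVER_PASS` is derived from `SF_SEED` (visible in the next hunk of this file), the losing container initialises or mounts EncFS under a password nobody can recompute later. Since provisioning already creates the master seed (`# Create Master-SEED` in the init-ubuntu.sh hunk), the safer fallback is to refuse to start, e.g. `[[ ! -f /config/etc/seed/seed.txt ]] && { echo >&2 "Missing /config/etc/seed/seed.txt - run the provisioner first"; exit 255; }`. If on-the-fly creation is kept, the `>` redirect inherits the shell's umask, so this key material is probably world-readable on the host side; put `umask 077` before it or add `chmod 600 /config/etc/seed/seed.txt` right after. The function starts at the `create_load_seed()` line at the top of the hunk; the surrounding script is outside it.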
@@ -39,6 +39,10 @@ sf_server_init() ENCFS_SERVER_PASS=$(echo -n "EncFS-SERVER-PASS-${SF_SEED}" | sha512sum | base64 | tr -dc '[:alpha:]' | head -c 24) } +# The server needs to be initialized differently. All instances are started +# from docker compose. Some are started before EncFS can mount the directory. +# NgingX is a good example. Thus Nginx needs to check unti IS-ENCRYPTED.TXT +# appears and exit otherwise. sf_server() { sf_server_init @@ -46,7 +50,14 @@ sf_server() echo "THIS-IS-NOT-ENCRYPTED *** DO NOT USE *** " >/encfs/sec/IS-NOT-ENCRYPTED.txt encfs --standard -o nonempty -o allow_other -f --extpass="echo \"${ENCFS_SERVER_PASS}\"" "/encfs/raw" "/encfs/sec" -- -o noexec,noatime & cpid=$! - wait $cpid # SIGTERM will wake us + + # Give it 5 seconds and check if it is encrypted. + sleep 5 + [[ ! -e /encfs/sec/IS-NOT-ENCRYPTED.txt ]] && { + # We are encrypted! + touch /encfs/sec/IS-ENCRYPTED.txt + wait $cpid # SIGTERM will wake us + } # SIGTERM or wrong SF_SEED echo -e "${CR}[$cpid] EncFS EXITED with $?..." diff --git a/gsnc/sf-gsnc.sh b/gsnc/sf-gsnc.sh index 202ca8e..0b2111e 100755 --- a/gsnc/sf-gsnc.sh +++ b/gsnc/sf-gsnc.sh 
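Review bot: The new comment block has two typos, `NgingX` and `unti`, and names the marker as `IS-ENCRYPTED.TXT` while the next hunk creates `/encfs/sec/IS-ENCRYPTED.txt` (case matters on the FUSE mount). Suggest `# Nginx is a good example. Thus nginx needs to wait until IS-ENCRYPTED.txt` / `# appears and exit otherwise.` for the last two lines.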
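Review bot: The fixed `sleep 5` followed by a single test of `/encfs/sec/IS-NOT-ENCRYPTED.txt` conflates "wrong SF_SEED" with "mount not ready yet": on a slow host the marker is still visible after five seconds, the `&& { … }` group is skipped, `$?` on the `EncFS EXITED with $?` line below is the `1` from `[[ ]]` rather than encfs's status, and the encfs child is left running detached while the script carries on (what follows the echo is outside the hunk, so I cannot tell whether it exits). A bounded poll that also stops as soon as the child is gone, plus an explicit kill of the child on failure and capturing the wait status into a variable, makes both outcomes deterministic; the echo line would then print `$ret` instead of `$?`. The function `sf_server` starts above the hunk and continues past it.
```sh
cpid=$!

# Poll instead of a fixed sleep: the raw-side marker disappears once the FUSE
# mount is overlaid. Give up after 30s, or as soon as encfs itself has exited.
for ((i = 0; i < 30; i++)); do
    [[ -e /encfs/sec/IS-NOT-ENCRYPTED.txt ]] || break
    kill -0 "$cpid" 2>/dev/null || break
    sleep 1
done

if [[ ! -e /encfs/sec/IS-NOT-ENCRYPTED.txt ]]; then
    # We are encrypted!
    touch /encfs/sec/IS-ENCRYPTED.txt
    wait "$cpid" # SIGTERM will wake us
else
    # Not mounted (wrong SF_SEED or too slow): do not leave encfs running detached.
    kill "$cpid" 2>/dev/null
    wait "$cpid"
fi
ret=$?
# … unchanged: "SIGTERM or wrong SF_SEED" message — report "$ret" there instead of "$?" …
```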
@@ -3,15 +3,15 @@ create_load_seed() { [[ -n $SF_SEED ]] && return - [[ ! -f "/config/seed/seed.txt" ]] && { - head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; } + [[ ! -f "/config/etc/seed/seed.txt" ]] && { + head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; } } - SF_SEED="$(cat /config/seed/seed.txt)" + SF_SEED="$(cat /config/etc/seed/seed.txt)" [[ -z $SF_SEED ]] && { echo >&2 "Failed to generated SF_SEED="; exit 254; } } [[ ! -d /sf/run/gsnc ]] && { echo >&2 "Forgot -v \${SF_SHMDIR:-/dev/shm/sf}/run/gsnc:/sf/run/gsnc?"; sleep 5; exit 253; } -[[ ! -d /config/seed ]] && { echo >&2 "Forgot -v config/etc/seed:/config/seed?"; sleep 5; exit 252; } +[[ ! -d /config/etc/seed ]] && { echo >&2 "Forgot -v config/etc/seed:/config/etc/seed?"; sleep 5; exit 252; } create_load_seed diff --git a/host/fs-root/bin/docker_sshd.sh b/host/fs-root/bin/docker_sshd.sh index 5826dbc..9817d26 100755 --- a/host/fs-root/bin/docker_sshd.sh +++ b/host/fs-root/bin/docker_sshd.sh @@ -6,7 +6,7 @@ CR="\e[1;31m" # red CN="\e[0m" # none -ERREXIT() +SLEEPEXIT() { local s local code @@ -25,10 +25,10 @@ create_load_seed() { [[ -n $SF_SEED ]] && return [[ ! -f "/config/etc/seed/seed.txt" ]] && { - head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; } + head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; } } SF_SEED="$(cat /config/etc/seed/seed.txt)" - [[ -z $SF_SEED ]] && ERREXIT 254 "Failed to generated SF_SEED=" + [[ -z $SF_SEED ]] && SLEEPEXIT 254 5 "Failed to generated SF_SEED=" } setup_sshd() 
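Review bot: The added `head -c 32 >/config/seed/seed.txt` line still writes the freshly generated seed to `/config/seed/`, while the `[[ ! -f … ]]` test above it and the `cat` two lines below read `/config/etc/seed/seed.txt`, and this commit moves the compose bind mount to `/config/etc/seed`. On a fresh install the redirect either fails because `/config/seed` no longer exists (exiting 255 with the misleading "Can't create" message) or writes the seed where nothing reads it, after which the script exits 254. Change it to `head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { … }`, matching the mount.sh and sf-gsnc.sh hunks. The hunk is the body of `create_load_seed` (its `create_load_seed()` line is the hunk context) and ends at the following `setup_sshd()` header.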
@@ -54,7 +54,7 @@ setup_sshd() done } -[[ -d /config/db ]] || ERREXIT 255 5 "${CR}Not found: /config/db${CN}. Try -v \${SF_BASEDIR}/config:/config,ro -v \${SF_BASEDIR}/config/db:/config/db" +[[ -d /config/db ]] || SLEEPEXIT 255 5 "${CR}Not found: /config/db${CN}. Try -v \${SF_BASEDIR}/config:/config,ro -v \${SF_BASEDIR}/config/db:/config/db" create_load_seed @@ -63,15 +63,15 @@ setup_sshd # This is the entry point for SF-HOST (e.g. host/Dockerfile) # Fix ownership if mounted from within vbox [[ -e /config/etc/ssh/ssh_host_rsa_key ]] || { - [[ ! -d "/config/etc/ssh" ]] && { mkdir -p "/config/etc/ssh" || ERREXIT 255 5; } + [[ ! -d "/config/etc/ssh" ]] && { mkdir -p "/config/etc/ssh" || SLEEPEXIT 255 5; } ssh-keygen -A -f "/config" 2>&1 # Always return 0, even on failure. - [[ ! -f "/config/etc/ssh/ssh_host_rsa_key" ]] && ERREXIT 255 5 + [[ ! -f "/config/etc/ssh/ssh_host_rsa_key" ]] && SLEEPEXIT 255 5 } [[ -e /config/etc/ssh/id_ed25519 ]] || { ssh-keygen -q -t ed25519 -C "" -N "" -f /config/etc/ssh/id_ed25519 2>&1 - [[ ! -f "/config/etc/ssh/id_ed25519" ]] && ERREXIT 255 5 + [[ ! -f "/config/etc/ssh/id_ed25519" ]] && SLEEPEXIT 255 5 } chmod 644 /config/etc/ssh/id_ed25519 diff --git a/host/fs-root/bin/segfaultsh b/host/fs-root/bin/segfaultsh index 68bbc62..82eb7f6 100755 --- a/host/fs-root/bin/segfaultsh +++ b/host/fs-root/bin/segfaultsh @@ -247,6 +247,7 @@ if [[ "$(exec_errnull docker container inspect "encfs-${LID}" -f '{{.State.Statu --cpu-shares=256 \ --blkio-weight=10 \ --oom-score-adj=500 \ + --rm \ --name "encfs-${LID}" \ --cap-add SYS_ADMIN \ --device /dev/fuse \ diff --git a/provision/init-ubuntu.sh b/provision/init-ubuntu.sh index 506b4c3..dd3ee75 100755 --- a/provision/init-ubuntu.sh +++ b/provision/init-ubuntu.sh 
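Review bot: `chmod 644 /config/etc/ssh/id_ed25519` on the last line of the hunk leaves a private key world-readable on the host-side bind mount; the commit does not change it, but since the key is generated unattended with `-N ""` right above, it deserves an explicit decision. If other uids inside the containers genuinely need to read it, record that in a comment, e.g. `# deliberately 0644: read by unprivileged container users - TODO confirm`; otherwise `chmod 600` (and consider whether the public half is what those readers actually need). The two `[[ -e … ]] || { … }` blocks are complete within the hunk; the rest of the script continues past it.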
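Review bot: With `--rm`, a per-user `encfs-${LID}` container whose mount fails (bad key material, FUSE error) is deleted together with its logs the moment encfs exits, so the `docker container inspect "encfs-${LID}" -f '{{.State.Status}}'` test on the `if` line will see "no such container" rather than "exited", and nothing is left to `docker logs` when a user reports a broken secure directory. If the inspect branch relies on distinguishing a stopped container from an absent one (the rest of the condition and the remaining `docker run` options are outside the hunk), revisit it; otherwise keep some failure evidence, for example by sending the container's output to the host's logging via `--log-driver` or by capturing `docker run`'s exit status and stderr before the container vanishes.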
@@ -112,7 +112,7 @@ init_config_run() [[ ! -d "${SF_BASEDIR}/config/etc/tc" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/tc\" \"${SF_BASEDIR}/config/etc\"" # Copy info directory - [[ ! -d "${SF_BASEDIR}/config/etc/info" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/info\" \"${SF_BASEDIR}/config/info\"" + [[ ! -d "${SF_BASEDIR}/config/etc/info" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/info\" \"${SF_BASEDIR}/config/etc\"" # Create Master-SEED if [[ -z $SF_SEED ]]; then