Fix letsencrypt permission error and optimize the ownership commands in scheduler

2022-12-14 15:46:09 +01:00 · 2022-12-14 15:46:09 +01:00 · c5d3e77c17
parent 8304116fdd
commit c5d3e77c17
3 changed files with 21 additions and 32 deletions
--- a/src/common/core/letsencrypt/jobs/certbot-deploy.py
+++ b/src/common/core/letsencrypt/jobs/certbot-deploy.py
@ -1,8 +1,9 @@
 #!/usr/bin/python3

 from io import BytesIO
-from os import chmod, chown, getenv, walk
+from os import chmod, getenv, walk
 from os.path import exists, join
+from shutil import chown
 from subprocess import run, DEVNULL, STDOUT
 from sys import exit as sys_exit, path as sys_path
 from tarfile import open as tar_open
@ -44,6 +45,13 @@ try:
    if bw_integration in ("Docker", "Swarm", "Kubernetes", "Autoconf"):
        # Create tarball of /data/cache/letsencrypt
        tgz = BytesIO()
+
+        # Fix permissions for the certificates
+        for root, dirs, files in walk("/data/cache/letsencrypt", topdown=False):
+            for name in files + dirs:
+                chown(join(root, name), "root", 101)
+                chmod(join(root, name), 0o770)
+
        with tar_open(mode="w:gz", fileobj=tgz) as tf:
            tf.add("/data/cache/letsencrypt", arcname=".")
        tgz.seek(0, 0)
@ -54,12 +62,6 @@ try:
            host = instance["server_name"]
            api = API(endpoint, host=host)

-            # Fix permissions for the certificates
-            for root, dirs, files in walk("/lets-encrypt/certificates", topdown=False):
-                for name in files + dirs:
-                    chown(join(root, name), 101, 101)
-                    chmod(join(root, name), 0o770)
-
            sent, err, status, resp = api.request(
                "POST", "/lets-encrypt/certificates", files=files
            )
--- a/src/scheduler/Dockerfile
+++ b/src/scheduler/Dockerfile
@ -57,6 +57,10 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
  mkdir /etc/nginx && \
  chown -R scheduler:scheduler /etc/nginx && \
  chmod -R 770 /etc/nginx && \
+  mkdir /var/log/letsencrypt /var/lib/letsencrypt && \
+  chown root:scheduler /var/log/letsencrypt /var/lib/letsencrypt && \
+  chmod 770 /var/log/letsencrypt /var/lib/letsencrypt && \
+  ln -s /proc/1/fd/1 /var/log/letsencrypt/letsencrypt.log && \
  chmod 660 /usr/share/bunkerweb/INTEGRATION

 # Fix CVEs
--- a/src/scheduler/main.py
+++ b/src/scheduler/main.py
@ -6,7 +6,6 @@ from glob import glob
 from os import (
    _exit,
    chmod,
-    chown,
    getenv,
    getpid,
    listdir,
@ -17,7 +16,7 @@ from os import (
    walk,
 )
 from os.path import dirname, exists, isdir, isfile, islink, join
-from shutil import copy, rmtree
+from shutil import chown, copy, rmtree
 from signal import SIGINT, SIGTERM, signal, SIGHUP
 from subprocess import run as subprocess_run, DEVNULL, STDOUT
 from sys import path as sys_path
@ -55,12 +54,6 @@ signal(SIGINT, handle_stop)
 signal(SIGTERM, handle_stop)


-def imerge(a, b):
-    for i, j in zip(a, b):
-        yield i
-        yield j
-
-
 # Function to catch SIGHUP and reload the scheduler
 def handle_reload(signum, frame):
    global reloading, run, scheduler
@ -111,12 +104,8 @@ def generate_custom_configs(
    # Fix permissions for the custom configs folder
    for root, dirs, files in walk("/data/configs", topdown=False):
        for name in files + dirs:
-            chown(join(root, name), 101, 101)
-
-            if isdir(join(root, name)):
-                chmod(join(root, name), 0o750)
-            if isfile(join(root, name)):
-                chmod(join(root, name), 0o740)
+            chown(join(root, name), "root", 101)
+            chmod(join(root, name), 0o770)

    if integration != "Linux":
        logger.info("Sending custom configs to BunkerWeb")
@ -340,7 +329,7 @@ if __name__ == "__main__":
                    # Fix permissions for the nginx folder
                    for root, dirs, files in walk("/etc/nginx", topdown=False):
                        for name in files + dirs:
-                            chown(join(root, name), 101, 101)
+                            chown(join(root, name), "root", 101)
                            chmod(join(root, name), 0o770)

                    copy("/etc/nginx/variables.env", "/var/tmp/bunkerweb/variables.env")
@ -354,17 +343,11 @@ if __name__ == "__main__":
                                "Sending nginx configs failed, configuration will not work as expected...",
                            )

-            # Fix permissions for the cache and the custom configs folders
-            for root, dirs, files in imerge(
-                walk("/data/cache", topdown=False), walk("/data/configs", topdown=False)
-            ):
+            # Fix permissions for the cache folders
+            for root, dirs, files in walk("/data/cache", topdown=False):
                for name in files + dirs:
-                    chown(join(root, name), 101, 101)
-
-                    if isdir(join(root, name)):
-                        chmod(join(root, name), 0o750)
-                    if isfile(join(root, name)):
-                        chmod(join(root, name), 0o740)
+                    chown(join(root, name), "root", 101)
+                    chmod(join(root, name), 0o770)

            try:
                if len(api_caller._get_apis()) > 0: