diff --git a/scripts/deploy.sh b/scripts/deploy.sh index 518e445..6cdde8d 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh @@ -8,6 +8,12 @@ # # Nginx is configured by hand on 186 (out of scope for this script). # Run scripts/build.sh first. +# +# Sudo: the user password and the sudo password are assumed to be the +# same on both VMs. Every sudo call uses `sudo -S -p ''` and reads the +# password from a per-VM here-string. If your sudo password differs +# from the login password, switch to a NOPASSWD rule in +# /etc/sudoers.d/sdp-deploy and remove the piping. set -euo pipefail cd "$(dirname "$0")/.." @@ -24,35 +30,72 @@ if ! command -v sshpass >/dev/null 2>&1; then exit 1 fi -SSH_92="sshpass -p $PASS_92 ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR" +# -tt forces a TTY so sudo -S works without a "no tty" error. +SSH_92="sshpass -p $PASS_92 ssh -tt -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR" SCP_92="sshpass -p $PASS_92 scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR" -SSH_186="sshpass -p $PASS_186 ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR" +SSH_186="sshpass -p $PASS_186 ssh -tt -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR" SCP_186="sshpass -p $PASS_186 scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR" +# Wraps a command in `sudo -S -p ''` and pipes the password. The +# leading -S makes sudo read the password from stdin; -p '' suppresses +# the "[sudo] password for ..." prompt so it doesn't end up in the +# remote PTY output and confuse downstream parsing. +sudo_run() { + local pw="$1"; shift + printf '%s\n' "$pw" | sudo -S -p '' "$@" +} + +# run_remote_sudo +# Runs `cmd` on the remote host, with the wrapped command preceded +# by sudo_run. Used so the rest of the script can stay readable. +run_remote_sudo() { + local ssh_prefix="$1" + local pw="$2" + shift 2 + # Build the inner shell command: pipe pw to sudo -S -p '' "cmd". + # We pre-marshal the command into a single string the SSH side can + # `eval` safely (single-quote the arguments). + local inner="" + for a in "$@"; do + inner+=" '"$(printf %s "$a" | sed "s/'/'\\\\''/g")"'" + done + $ssh_prefix "printf '%s\n' '$pw' | sudo -S -p '' sh -c '$inner'" +} + # ponytail: Wipe-and-replace. The deploys are stateful on the VM only via # SQLite + .log files in ~/SDP/data — we keep that. Binaries, dashboard, # and unit files in /etc/systemd/system are replaced cleanly. REMOTE_RESET='rm -rf ~/SDP/bin ~/SDP/dashboard && mkdir -p ~/SDP/bin ~/SDP/dashboard' -# install_unit -# stops the old unit (if any), copies the file from /tmp/ (already -# scp'd there), reloads systemd, and re-enables on next boot. +# install_unit install_unit() { - local ssh_prefix="$1" # e.g. "sshpass -p ... ssh -o ... administrator@host" + local ssh_prefix="$1" local unit="$2" - $ssh_prefix "sudo systemctl stop $unit 2>/dev/null || true" - $ssh_prefix "sudo install -m 644 -o root -g root /tmp/$unit /etc/systemd/system/$unit" - $ssh_prefix "sudo systemctl daemon-reload" - $ssh_prefix "sudo systemctl enable $unit" + local pw="$3" + run_remote_sudo "$ssh_prefix" "$pw" "systemctl stop $unit || true" + run_remote_sudo "$ssh_prefix" "$pw" "install -m 644 -o root -g root /tmp/$unit /etc/systemd/system/$unit" + run_remote_sudo "$ssh_prefix" "$pw" "systemctl daemon-reload" + run_remote_sudo "$ssh_prefix" "$pw" "systemctl enable $unit" } -# status_block -# prints a short status + last 10 journal lines. +# status_block +# Prints a short status + last 10 journal lines. Uses sudo -S for +# journalctl (always root-only) but `systemctl status` works for +# the administrator's own services without sudo on most distros. status_block() { local ssh_prefix="$1" local unit="$2" - $ssh_prefix "echo ' status:'; sudo systemctl --no-pager --full status $unit | head -3" - $ssh_prefix "echo ' journal (last 10):'; sudo journalctl -u $unit -n 10 --no-pager" + local pw="$3" + $ssh_prefix "echo ' status:'; systemctl --no-pager --full status $unit 2>/dev/null | head -3" + $ssh_prefix "echo ' journal (last 10):'; printf '%s\n' '$pw' | sudo -S -p '' journalctl -u $unit -n 10 --no-pager" +} + +# restart_unit +restart_unit() { + local ssh_prefix="$1" + local unit="$2" + local pw="$3" + run_remote_sudo "$ssh_prefix" "$pw" "systemctl restart $unit" } echo "==> 92: $HOST_92" @@ -60,9 +103,9 @@ $SSH_92 "$HOST_92" "$REMOTE_RESET" $SCP_92 "$REPO_ROOT/bin/agent-micro" "$HOST_92:~/SDP/bin/agent-micro" $SCP_92 "$REPO_ROOT/systemd/sdp-agent-micro.service" "$HOST_92:/tmp/sdp-agent-micro.service" $SSH_92 "$HOST_92" "chmod +x ~/SDP/bin/agent-micro" -install_unit "$SSH_92 $HOST_92" sdp-agent-micro.service -$SSH_92 "$HOST_92" "sudo systemctl restart sdp-agent-micro" -status_block "$SSH_92 $HOST_92" sdp-agent-micro +install_unit "$SSH_92 $HOST_92" sdp-agent-micro.service "$PASS_92" +restart_unit "$SSH_92 $HOST_92" sdp-agent-micro "$PASS_92" +status_block "$SSH_92 $HOST_92" sdp-agent-micro "$PASS_92" echo " agent-micro installed" echo @@ -75,14 +118,14 @@ $SCP_186 "$REPO_ROOT/systemd/sdp-control-plane.service" "$HOST_186:/tmp/sdp-cont $SCP_186 "$REPO_ROOT/systemd/sdp-agent-gateway.service" "$HOST_186:/tmp/sdp-agent-gateway.service" $SSH_186 "$HOST_186" "chmod +x ~/SDP/bin/control-plane ~/SDP/bin/agent-gateway" -# Control plane first so the gateway agent's -cp URL has something to dial. -install_unit "$SSH_186 $HOST_186" sdp-control-plane.service -$SSH_186 "$HOST_186" "sudo systemctl restart sdp-control-plane" -status_block "$SSH_186 $HOST_186" sdp-control-plane +# Control plane first so the gateway agent has something to dial. +install_unit "$SSH_186 $HOST_186" sdp-control-plane.service "$PASS_186" +restart_unit "$SSH_186 $HOST_186" sdp-control-plane "$PASS_186" +status_block "$SSH_186 $HOST_186" sdp-control-plane "$PASS_186" -install_unit "$SSH_186 $HOST_186" sdp-agent-gateway.service -$SSH_186 "$HOST_186" "sudo systemctl restart sdp-agent-gateway" -status_block "$SSH_186 $HOST_186" sdp-agent-gateway +install_unit "$SSH_186 $HOST_186" sdp-agent-gateway.service "$PASS_186" +restart_unit "$SSH_186 $HOST_186" sdp-agent-gateway "$PASS_186" +status_block "$SSH_186 $HOST_186" sdp-agent-gateway "$PASS_186" echo " control-plane, agent-gateway, dashboard installed"