0ab1bf552d
By default, all sudo commands are logged to auth.log with their full command line. Previously, Shipyard scripts called 'sudo docker' with -e OS_PASSWORD=foo, resulting in the password value appearing in auth.log in plaintext. This change adds -E to the sudo command to pass the user's environment through, and removes the value from -e OS_PASSWORD which tells Docker to use the environment value directly. This prevents the password value from being logged. Change-Id: Ifcf7f6525876144a609ff42be42da57a3f7f6f60
64 lines
2.5 KiB
Bash
Executable File
64 lines
2.5 KiB
Bash
Executable File
#!/bin/bash
|
|
# Copyright 2018 AT&T Intellectual Property. All other rights reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
set -e
|
|
|
|
# User can run the script as they would execute the Shipyard CLI.
|
|
# For instance, to run the 'shipyard get actions' command, user can execute
|
|
# the following command after setting up the required environment variables:
|
|
#
|
|
# $ ./tools/shipyard.sh get actions
|
|
#
|
|
|
|
# NOTE: If user is executing the script from outside the cluster, e.g. from
|
|
# a remote jump server, then he/she will need to ensure that the DNS server
|
|
# is able to resolve the FQDN of the Shipyard and Keystone public URL (both
|
|
# will be pointing to the IP of the Ingress Controller). If the DNS resolution
|
|
# is not available, the user will need to ensure that the /etc/hosts file is
|
|
# properly updated before running the script.
|
|
|
|
# Commands requiring files as input utilize the pwd mounted into the container
|
|
# as the /target directory, e.g.:
|
|
#
|
|
# $ ./tools/shipyard.sh create configdocs design --filename=/target/afile.yaml
|
|
|
|
# Get the path of the directory where the script is located
|
|
# Source Base Docker Command
|
|
SHIPYARD_HOSTPATH=${SHIPYARD_HOSTPATH:-"/target"}
|
|
NAMESPACE="${NAMESPACE:-ucp}"
|
|
SHIPYARD_IMAGE="${SHIPYARD_IMAGE:-quay.io/airshipit/shipyard:master}"
|
|
# set default value for OS_PASSWORD if it's not set
|
|
# this doesn't actually get exported to environment
|
|
# unless the script is sourced
|
|
export OS_PASSWORD=${OS_PASSWORD:-password}
|
|
|
|
# Define Base Docker Command
|
|
base_docker_command=$(cat << EndOfCommand
|
|
sudo -E docker run -t --rm --net=host
|
|
-e http_proxy=${HTTP_PROXY}
|
|
-e https_proxy=${HTTPS_PROXY}
|
|
-e no_proxy=${NO_PROXY:-127.0.0.1,localhost,.svc.cluster.local}
|
|
-e OS_AUTH_URL=${OS_AUTH_URL:-http://keystone.${NAMESPACE}.svc.cluster.local:80/v3}
|
|
-e OS_USERNAME=${OS_USERNAME:-shipyard}
|
|
-e OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-default}
|
|
-e OS_PASSWORD
|
|
-e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
|
|
-e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
|
|
EndOfCommand
|
|
)
|
|
|
|
# Execute Shipyard CLI
|
|
${base_docker_command} -v "$(pwd)":"${SHIPYARD_HOSTPATH}" "${SHIPYARD_IMAGE}" $@
|