diff --git a/README.md b/README.md index 3ac4526..5e66f46 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ [![Docker Stars](https://img.shields.io/docker/stars/tiredofit/openldap.svg)](https://hub.docker.com/r/tiredofit/openldap) [![Docker Layers](https://images.microbadger.com/badges/image/tiredofit/openldap.svg)](https://microbadger.com/images/tiredofit/openldap) -# Introduction +### Introduction This as a Dockerfile to build a [OpenLDAP](https://openldap.org) server for maintaining a directory. Upon starting this image it will give you a ready to run server with many configurable options. 
@@ -24,43 +24,46 @@ Upon starting this image it will give you a ready to run server with many config * This Container uses a [customized Alpine Linux base](https://hub.docker.com/r/tiredofit/alpine) which includes [s6 overlay](https://github.com/just-containers/s6-overlay) enabled for PID 1 Init capabilities, [zabbix-agent](https://zabbix.org) for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, mariadb-client, nano, vim) for easier management. It also supports sending to external SMTP servers.. - [Changelog](CHANGELOG.md) -# Authors +### Authors - [Dave Conroy](dave@tiredofit.ca) -# Table of Contents +### Table of Contents + -- [Introduction](#introduction) - - [Changelog](CHANGELOG.md) - [Prerequisites](#prerequisites) -- [Dependencies](#dependendcies) - [Installation](#installation) -- [Quick Start](#quick-start) + - [Quick Start](#quick-start) - [Configuration](#configuration) - - [Data Volumes](#data-volumes) - - [Database](#database) - - [Environment Variables](#environmentvariables) - - [Networking](#networking) + - [Data-Volumes](#data-volumes) + - [Environment Varables](#environment-varables) + - [Required for new setup](#required-for-new-setup) + - [Logging Options](#logging-options) + - [Backup Options:](#backup-options) + - [Backing Up to S3 Compatible Services](#backing-up-to-s3-compatible-services) + - [Password Policy Options](#password-policy-options) + - [TLS options](#tls-options) + - [Replication options](#replication-options) + - [Other environment variables](#other-environment-variables) + - [Networking](#networking) - [Maintenance](#maintenance) - - [Shell Access](#shell-access) -- [References](#references) + - [Shell Access](#shell-access) + - [References](#references) +## Prerequisites -# Prerequisites - -This image has the capability to take advantage of getting TLS certificates autogenerated via the -[jwilder/nginx-proxy](https://github.com/jwilder/nginx-proxy) and the [Let's Encrypt 
Proxy Companion @ -https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion). +This image has the capability to take advantage of getting TLS certificates autogenerated via the +[jwilder/nginx-proxy](https://github.com/jwilder/nginx-proxy) and the [Let's Encrypt Proxy Companion @ +https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion). However, it will run just fine on it's own without it. # Dependencies None. -# Installation +## Installation Automated builds of the image are available on [Docker Hub](https://hub.docker.com/r/tiredofit/openldap) and is the recommended method of installation. @@ -68,7 +71,7 @@ Automated builds of the image are available on [Docker Hub](https://hub.docker.c docker pull tiredofit/openldap ``` -# Quick Start +### Quick Start * The quickest way to get started is using [docker-compose](https://docs.docker.com/compose/). See the examples folder for a working [docker-compose.yml](examples/docker-compose.yml) that can be modified for development or production use. 
@@ -81,132 +84,167 @@ Start openldap using: ```bash docker-compose up ``` + __NOTE__: Please allow up to 2 minutes for the application to start for the first time if you are generating self signed TLS certificates. -## Data-Volumes +## Configuration +### Data-Volumes The following directories are used for configuration and can be mapped for persistent storage. -| Directory | Description | -|-----------|-------------| -| `/var/lib/openldap` | Data Directory | -| `/etc/openldap/slapd.d` | Configuration Directory | -| `/assets/custom-scripts/` | If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base) -| `/assets/slapd/certs/` | Drop TLS Certificates here (or use your own path) | -| `/data/backup` | Backup Directory | -| `/www/html` | If you want to put a landing page if using Nginx for LetsEncrypt SSL Place it here | - -## Environment Variables -Along with the Environment Variables from the [Base image](https://hub.docker.com/r/tiredofit/alpine), below is the complete list of -available options that can be used to customize your installation. - -Required and used for new ldap server only: - -| Variable | Description | -|-----------|-------------| -| `DOMAIN` | LDAP domain. Default `example.org` | -| `BASE_DN` | LDAP base DN. If empty automatically set from `DOMAIN` value. Default (empty) | -| `ADMIN_PASS` | Ldap Admin password. Default `admin` | -| `CONFIG_PASS` | Ldap Config password. Default `config` | -| `ORGANIZATION` | Organization Name Default: `Example Organization` | -| `ENABLE_READONLY_USER` | Add a read only user. Default`false` | -| `READONLY_USER_USER` | Read only user username. Default `readonly` | -| `READONLY_USER_PASS` | Read only user password. Default `readonly` | -| `SCHEMA_TYPE` | Use `nis` or `rfc2307bis` core schema. 
Default `nis` | +| Directory | Description | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------ | +| `/var/lib/openldap` | Data Directory | +| `/etc/openldap/slapd.d` | Configuration Directory | +| `/assets/custom-scripts/` | If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base) | +| `/certs/` | Drop TLS Certificates here (or use your own path) | +| `/data/backup` | Backup Directory | +| `/www/html` | If you want to put a landing page if using Nginx for LetsEncrypt SSL Place it here | +### Environment Varables -| Variable | Description | -|-----------|-------------| -| `BACKEND` | Ldap backend. `bdb` `hdb` `mdb` and others. Default `mdb` | -| `LOG_LEVEL` | Set LDAP Log Level - Default `256` -| `ULIMIT_N` | Set Open File Descriptor Limit - Default `1024` | - -Backup Options: - -| Variable | Description | -|-----------|-------------| -| `BACKUP_CONFIG_CRON_PERIOD` | Cron expression to schedule OpenLDAP config backup. Defaults `0 4 * * *` Every day at 4am. | -| `BACKUP_DATA_CRON_PERIOD` | Cron expression to schedule OpenLDAP data backup. Defaults `0 4 * * *` Every day at 4am. | -| `BACKUP_TTL ` | Automatically cleanup backup after how many days. Default `15` | +Along with the Environment Variables from the [Base image](https://hub.docker.com/r/tiredofit/alpine), below is the complete list of +available options that can be used to customize your installation. -Password Policy Options: +#### Required for new setup + +| Variable | Description | Default | +| ---------------------- | ------------------------------------------------------------- | ---------------------- | +| `DOMAIN` | LDAP domain. | `example.org` | +| `BASE_DN` | LDAP base DN. If empty automatically set from `DOMAIN` value. | (empty) | +| `ADMIN_PASS` | Ldap Admin password. | `admin` | +| `CONFIG_PASS` | Ldap Config password. 
| `config` | +| `ORGANIZATION` | Organization Name | `Example Organization` | +| `ENABLE_READONLY_USER` | Add a read only/Simple Security Object/DSA | `false` | +| `READONLY_USER_USER` | Read only user username. | `readonly` | +| `READONLY_USER_PASS` | Read only user password. | `readonly` | +| `SCHEMA_TYPE` | Use `nis` or `rfc2307bis` core schema. | `nis` | + +#### Logging Options +| Variable | Description | Default | +| ----------- | ----------------------------- | -------------- | +| `LOG_FILE` | Filename for logging | `openldap.log` | +| `LOG_LEVEL` | Set LDAP Log Level | `256` | +| `LOG_PATH` | Path for Logs | `/logs/` | +| `LOG_TYPE` | Output to `CONSOLE` or `FILE` | `CONSOLE` | + +#### Backup Options: + + +| Parameter | Description | +| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `ENABLE_BACKUP` | Enable Backup System | `TRUE` | +| `BACKUP_LOCATION` | Backup to `FILESYSTEM` or `S3` compatible services like S3, Minio, Wasabi | `FILESYSTEM` | +| `BACKUP_COMPRESSION` | Use either Gzip `GZ`, Bzip2 `BZ`, XZip `XZ`, ZSTD `ZSTD` or none `NONE` | `GZ` | +| `BACKUP_COMPRESSION_LEVEL` | Numberical value of what level of compression to use, most allow `1` to `9` except for `ZSTD` which allows for `1` to `19` | `3` | +| `BACKUP_INTERVAL` | How often to do a dump, in minutes. Defaults to 1440 minutes, or once per day. | +| `BACKUP_BEGIN` | What time to do the first dump. Defaults to immediate. Must be in one of two formats | +| | Absolute HHMM, e.g. `2330` or `0415` | +| | Relative +MM, i.e. how many minutes after starting the container, e.g. `+0` (immediate), `+10` (in 10 minutes), or `+90` in an hour and a half | +| `BACKUP_RETENTION` | Value in minutes to delete old backups (only fired when dump freqency fires). 1440 would delete anything above 1 day old. 
You don't need to set this variable if you want to hold onto everything. | +| `BACKUP_MD5` | Generate MD5 Sum in Directory, `TRUE` or `FALSE` | `TRUE` | +| `BACKUP_PARALLEL_COMPRESSION` | Use multiple cores when compressing backups `TRUE` or `FALSE` | `TRUE` | +| `BACKUP_PATH` | Filesystem path on where to place backups | `/data/backup` | + +##### Backing Up to S3 Compatible Services + +If `BACKUP_LOCATION` = `S3` then the following options are used. + +| Parameter | Description | +| ---------------------- | --------------------------------------------------------------------------------------- | +| `BACKUP_S3_BUCKET` | S3 Bucket name e.g. 'mybucket' | +| `BACKUP_S3_HOSTNAME` | Hostname of S3 Server e.g "s3.amazonaws.com" - You can also include a port if necessary | +| `BACKUP_S3_KEY_ID` | S3 Key ID | +| `BACKUP_S3_KEY_SECRET` | S3 Key Secret | +| `BACKUP_S3_PATH` | S3 Pathname to save to e.g. '`backup`' | +| `BACKUP_S3_PROTOCOL` | Use either `http` or `https` to access service | `https` | +| `BACKUP_S3_URI_STYLE` | Choose either `VIRTUALHOST` or `PATH` style | `VIRTUALHOST` | + +#### Password Policy Options If you already have a check_password.conf or ppm.conf in /etc/openldap/ the following environment variables will not be applied -| Variable | Description | -|-----------|-------------| -| `PPOLICY_CHECK_RDN` | Check RDN Parameter (ppm.so) - Default `0` | -| `PPOLICY_FORBIDDEN_CHARACTERS` | Forbidden Characters (ppm.so) - Default `` | -| `PPOLICY_MAX_CONSEC`| Maximum Consective Character Pattern - Default `0` | -| `PPOLICY_MIN_DIGIT` | Minimum Digit Characters - Default `0` | -| `PPOLICY_MIN_LOWER` | Minimum Lowercase Characters - Default `0` | -| `PPOLICY_MIN_POINTS`| Minimum Points required to pass checker - Default `3` | -| `PPOLICY_MIN_PUNCT` | Minimum Punctuation Characters - Default `0` | -| `PPOLICY_MIN_UPPER` | Minimum Uppercase Characters - Default `0` | -| `PPOLICY_USE_CRACKLIB` | Use Cracklib for verifying words (ppm.so) - Default `1` | - -TLS 
options: - -| Variable | Description | -|-----------|-------------| -| `ENABLE_TLS` | Add TLS capabilities. Can't be removed once set to `true`. Defaults `true` | -| `TLS_CA_CRT_FILENAME` | TLS CA certificate filename. Default `ca.pem` | -| `TLS_CA_CRT_PATH` | TLS CA certificate path. Default `/assets/slapd/certs` | -| `TLS_CIPHER_SUITE` | TLS cipher suite. Default `ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA` | -| `TLS_CRT_FILENAME` | TLS certificate filename. Default `cert.pem` | -| `TLS_CRT_PATH` | TLS certificate path. Default `/assets/slapd/certs` | -| `TLS_DH_PARAM_FILENAME` | TLS DHParam Filename. Default `dhparam.pem` | -| `TLS_DH_PARAM_KEYSIZE` | TLS DHParam Keysize. Default `2048` | -| `TLS_DH_PARAM_PATH` | TLS DHParam path. Default `/assets/slapd/certs` | -| `TLS_ENFORCE` | Enforce TLS. Can't be disabled once set to `true`. Defaults `false` | -| `TLS_KEY_FILENAME` | TLS certificate private key filename. Default `key.pem` | -| `TLS_KEY_PATH` | TLS certificate private key path. Default `/assets/slapd/certs` | -| `TLS_RESET_PERMISSIONS` | Change ownership and reset permissions on Certificates on startup. Default `TRUE` | -| `TLS_VERIFY_CLIENT` | TLS verify client. 
Default `try` +| Variable | Description | Default | +| ------------------------------ | ----------------------------------------- | ------- | +| `ENABLE_PPOLICY` | Enable PPolicy Module utilization | `TRUE` | +| `PPOLICY_CHECK_RDN` | Check RDN Parameter (ppm.so) | `0` | +| `PPOLICY_FORBIDDEN_CHARACTERS` | Forbidden Characters (ppm.so) | `` | +| `PPOLICY_MAX_CONSEC` | Maximum Consective Character Pattern | `0` | +| `PPOLICY_MIN_DIGIT` | Minimum Digit Characters | `0` | +| `PPOLICY_MIN_LOWER` | Minimum Lowercase Characters | `0` | +| `PPOLICY_MIN_POINTS` | Minimum Points required to pass checker | `3` | +| `PPOLICY_MIN_PUNCT` | Minimum Punctuation Characters | `0` | +| `PPOLICY_MIN_UPPER` | Minimum Uppercase Characters | `0` | +| `PPOLICY_USE_CRACKLIB` | Use Cracklib for verifying words (ppm.so) | `1` | + +#### TLS options + +| Variable | Description | Default | +| ----------------------- | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------- | +| `ENABLE_TLS` | Add TLS capabilities. Can't be removed once set to `TRUE`. 
| `true` | +| `TLS_CA_NAME` | Selfsigned CA Name | `ldap-selfsigned-ca` | +| `TLS_CA_SUBJECT` | Selfsigned CA Subject | `/C=XX/ST=LDAP/L=LDAP/O=LDAP/CN=` | +| `TLS_CA_CRT_SUBJECT` | SelfSigned CA Cert Sujbject | `${TLS_CA_SUBJECT}${TLS_CA_NAME}` | +| `TLS_CA_CRT_FILENAME` | CA Cert filename | `${TLS_CA_AME}.crt` | +| `TLS_CA_KEY_FILENAME` | CA Key filename | `${TLS_CA_NAME}.key` | +| `TLS_CA_CRT_PATH` | CA Certificates path | `/certs/${TLS_CA_NAME}/` | +| `TLS_CIPHER_SUITE` | Cipher Suite to use | `ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA` | +| `TLS_CREATE_CA` | Automatically create CA when generating certificates | `TRUE` | +| `TLS_CRT_FILENAME` | TLS cert filename | `cert.pem` | +| `TLS_CRT_PATH` | TLS cert path | `/certs/` | +| `TLS_DH_PARAM_FILENAME` | DH Param filename | `dhparam.pem` | +| `TLS_DH_PARAM_KEYSIZE` | Keysize for DH Param | `2048` | +| `TLS_DH_PARAM_PATH` | DH Param path | `/certs/` | +| `TLS_ENFORCE` | Enforce TLS Usage | `FALSE` | +| `TLS_KEY_FILENAME` | TLS Key filename | `key.pem` | +| `TLS_KEY_PATH` | TLS Key path | `/certs/` | +| `TLS_RESET_PERMISSIONS` | Change permissions on certificate directories for OpenLDAP to read | `TRUE` | +| `TLS_VERIFY_CLIENT` | TLS verify client. | `try` | Help: http://www.openldap.org/doc/admin24/tls.html -Replication options: +#### Replication options -| Variable | Description | -|-----------|-------------| -| `ENABLE_REPLICATION` | Add replication capabilities. Multimaster only at present. Default `false` -| `REPLICATION_CONFIG_SYNCPROV` | olcSyncRepl options used for the config database. Without rid and provider which are automatically added based on `REPLICATION_HOSTS`. Default `binddn="cn=admin,cn=config" bindmethod=simple credentials=$CONFIG_PASS searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical` | -| `REPLICATION_DB_SYNCPROV` | olcSyncRepl options used for the database. 
Without rid and provider which are automatically added based on `REPLICATION_HOSTS`. Default `binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$ADMIN_PASS searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical` | -| `REPLICATION_HOSTS` | list of replication hosts seperated by a space, must contain the current container hostname set by --hostname on docker run command. If replicating all hosts must be set in the same order. Example - `ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com` +| Variable | Description | Default | +| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `ENABLE_REPLICATION` | Add replication capabilities. Multimaster only at present. | `false` | +| `REPLICATION_CONFIG_SYNCPROV` | olcSyncRepl options used for the config database. Without rid and provider which are automatically added based on `REPLICATION_HOSTS`. | `binddn="cn=admin,cn=config" bindmethod=simple credentials=$CONFIG_PASS searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical` | +| `REPLICATION_DB_SYNCPROV` | olcSyncRepl options used for the database. Without rid and provider which are automatically added based on `REPLICATION_HOSTS`. 
| `binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$ADMIN_PASS searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical` | +| `REPLICATION_HOSTS` | list of replication hosts seperated by a space, must contain the current container hostname set by --hostname on docker run command. If replicating all hosts must be set in the same order. Example - `ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com` | + #### Other environment variables - Other environment variables: +| Variable | Description | Default | +| --------------------------- | ----------------------------------------------------------------------------------------- | ---------------------------------------------- | +| `CONFIG_PATH` | Configuration files path | `/etc/openldap` | +| `DB_PATH` | Data Files path | `/var/lib/openldap` | +| `ENABLE_NGINX` | If you want to use automatic LetsEncrypt certificates for your server, set this to `true` | `FALSE` | +| `REMOVE_CONFIG_AFTER_SETUP` | Delete config folder after setup. | `true` | +| `SLAPD_ARGS` | If you want to override slapd runtime arguments place here . Default (null) | | +| `SLAPD_HOSTS` | Allow overriding the default listen parameters | `ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///` | +| `ULIMIT_N` | Set Open File Descriptor Limit | `1024` | -| Variable | Description | -|-----------|-------------| -| `ENABLE_NGINX` | If you want to use automatic LetsEncrypt certificates for your server, set this to `true` -| `REMOVE_CONFIG_AFTER_SETUP` | Delete config folder after setup. Default `true` | -| `SLAPD_ARGS` | If you want to override slapd runtime arguments place here . Default (null) -| `SLAPD_HOSTS` | Allow overriding the default listen parameters - Default `ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///` -| `SSL_HELPER_PREFIX` | Ssl-helper environment variables prefix. Default `ldap`, ssl-helper first search config from `SSL_HELPER_*` variables, before `SSL_HELPER_*` variables. 
| - - -## Networking +### Networking The following ports are exposed and available to public interfaces -| Port | Description | -|-----------|-------------| -| `80` | Nginx - For Automatic LetsEncrypt Certficates | -| `389` | Unecrypted LDAP | -| `636` | TLS Encrypted LDAP | +| Port | Description | +| ----- | --------------------------------------------- | +| `80` | Nginx - For Automatic LetsEncrypt Certficates | +| `389` | Unecrypted LDAP | +| `636` | TLS Encrypted LDAP | ## Maintenance -#### Shell Access -For debugging and maintenance purposes you may want access the containers shell. +### Shell Access + +For debugging and maintenance purposes you may want access the containers shell. ```bash docker exec -it openldap bash ``` -# References +### References -* https://openldap.org +* diff --git a/install/assets/slapd/config/bootstrap/README.md b/install/assets/slapd/config/bootstrap/README.md index 57f02ae..20a77ca 100644 --- a/install/assets/slapd/config/bootstrap/README.md +++ b/install/assets/slapd/config/bootstrap/README.md @@ -1 +1 @@ -Bootstrap config, for a container started without an existing ldap config. +# Bootstrap config, for a container started without an existing ldap config. diff --git a/install/etc/services.available/20-openldap-backup/run b/install/etc/services.available/20-openldap-backup/run index 53c0574..6d3204c 100755 --- a/install/etc/services.available/20-openldap-backup/run +++ b/install/etc/services.available/20-openldap-backup/run @@ -14,7 +14,7 @@ fi tmpdir=/tmp/backups -if [ "BACKUP_TYPE" = "S3" ] || [ "BACKUP_TYPE" = "s3" ] || [ "BACKUP_TYPE" = "MINIO" ] || [ "BACKUP_TYPE" = "minio" ] ; then +if [ "$BACKUP_TYPE" = "S3" ] || [ "$BACKUP_TYPE" = "s3" ] || [ "$BACKUP_TYPE" = "MINIO" ] || [ "$BACKUP_TYPE" = "minio" ] ; then S3_PROTOCOL=${S3_PROTOCOL:-"https"} sanity_var S3_HOST "S3 Host" sanity_var S3_BUCKET "S3 Bucket" 
@@ -32,7 +32,7 @@ if [ "$1" = "NOW" ]; then fi ### Set Compression Options -if var_true $BACKUP_PARALLEL_COMPRESSION ; then +if var_true "$BACKUP_PARALLEL_COMPRESSION" ; then bzip="pbzip2 -${BACKUP_COMPRESSION_LEVEL}" gzip="pigz -${BACKUP_COMPRESSION_LEVEL}" xzip="pixz -${BACKUP_COMPRESSION_LEVEL}" @@ -49,14 +49,14 @@ backup_openldap() { print_notice "Backing up configuration schemas" target=${now}_openldap_config compression - /usr/sbin/slapcat -F ${CONFIG_PATH}slapd.d -n 0 | $dumpoutput > ${tmpdir}/${target} + /usr/sbin/slapcat -F "${CONFIG_PATH}"slapd.d -n 0 | $dumpoutput > ${tmpdir}/"${target}" generate_md5 move_backup # Data print_notice "Backing up user data" target=${now}_openldap_data compression - /usr/sbin/slapcat -F ${CONFIG_PATH}slapd.d -n 1 | $dumpoutput > ${tmpdir}/${target} + /usr/sbin/slapcat -F "${CONFIG_PATH}"slapd.d -n 1 | $dumpoutput > ${tmpdir}/"${target}" generate_md5 move_backup } @@ -90,11 +90,11 @@ compression() { } generate_md5() { -if var_true $BACKUP_MD5 ; then +if var_true "$BACKUP_MD5" ; then print_notice "Generating MD5 for ${target}" cd $tmpdir - md5sum ${target} > ${target}.md5 - MD5VALUE=$(md5sum ${target} | awk '{ print $1}') + md5sum "${target}" > "${target}".md5 + MD5VALUE=$(md5sum "${target}" | awk '{ print $1}') fi } 
@@ -118,27 +118,27 @@ move_backup() { FILESIZE=$(du -h "${tmpdir}/${target}" | awk '{ print $1}') print_notice "Backup of ${target} created with the size of ${FILESIZE}" fi - + case "${BACKUP_TYPE}" in "FILE" | "file" | "filesystem" | "FILESYSTEM" ) - mkdir -p ${BACKUP_PATH} - mv ${tmpdir}/*.md5 ${BACKUP_PATH}/ - mv ${tmpdir}/${target} ${BACKUP_PATH}/${target} + mkdir -p "${BACKUP_PATH}" + mv ${tmpdir}/*.md5 "${BACKUP_PATH}"/ + mv ${tmpdir}/"${target}" "${BACKUP_PATH}"/"${target}" ;; "S3" | "s3" | "MINIO" | "minio" ) s3_content_type="application/octet-stream" - if [ "$S3_URI_STYLE" = "VIRTUALHOST" ] || [ "$S3_URI_STYLE" = "VHOST" ] [ "$S3_URI_STYLE" = "virtualhost" ] [ "$S3_URI_STYLE" = "vhost" ] ; then + if [ "$S3_URI_STYLE" = "VIRTUALHOST" ] || [ "$S3_URI_STYLE" = "VHOST" ] || [ "$S3_URI_STYLE" = "virtualhost" ] || [ "$S3_URI_STYLE" = "vhost" ] ; then s3_url="${S3_BUCKET}.${S3_HOST}" else s3_url="${S3_HOST}/${S3_BUCKET}" fi - - if var_true $BACKUP_MD5 ; then + + if var_true "$BACKUP_MD5" ; then s3_date="$(LC_ALL=C date -u +"%a, %d %b %Y %X %z")" s3_md5="$(libressl md5 -binary < "${tmpdir}/${target}.md5" | base64)" sig="$(printf "PUT\n$s3_md5\n${s3_content_type}\n$s3_date\n/$S3_BUCKET/$S3_PATH/${target}.md5" | libressl sha1 -binary -hmac "${S3_KEY_SECRET}" | base64)" print_debug "Uploading ${target}.md5 to S3" - curl -T "${tmpdir}/${target}.md5" ${S3_PROTOCOL}://${s3_url}/${S3_PATH}/${target}.md5 \ + curl -T "${tmpdir}/${target}.md5" "${S3_PROTOCOL}"://"${s3_url}"/"${S3_PATH}"/"${target}".md5 \ -H "Date: $date" \ -H "Authorization: AWS ${S3_KEY_ID}:$sig" \ -H "Content-Type: ${s3_content_type}" \ 
@@ -149,21 +149,21 @@ move_backup() { s3_md5="$(libressl md5 -binary < "${tmpdir}/${target}" | base64)" sig="$(printf "PUT\n$s3_md5\n${s3_content_type}\n$s3_date\n/$S3_BUCKET/$S3_PATH/${target}" | libressl sha1 -binary -hmac "${S3_KEY_SECRET}" | base64)" print_debug "Uploading ${target} to S3" - curl -T ${tmpdir}/${target} ${S3_PROTOCOL}://${s3_url}/${S3_PATH}/${target} \ + curl -T ${tmpdir}/"${target}" "${S3_PROTOCOL}"://"${s3_url}"/"${S3_PATH}"/"${target}" \ -H "Date: $s3_date" \ -H "Authorization: AWS ${S3_KEY_ID}:$sig" \ -H "Content-Type: ${s3_content_type}" \ -H "Content-MD5: ${s3_md5}" rm -rf ${tmpdir}/*.md5 - rm -rf ${tmpdir}/${target} + rm -rf ${tmpdir}/"${target}" ;; esac } ### ### Container Startup -print_debug "Backup routines Initialized on `date`" +print_debug "Backup routines Initialized on $(date)" ### Wait for Next time to start backup current_time=$(date +"%s") @@ -178,8 +178,8 @@ print_debug "Backup routines Initialized on `date`" fi waittime=$(($target_time - $current_time)) fi - - print_notice "Next Backup at `date -d @${target_time} +"%Y-%m-%d %T %Z"`" + + print_notice "Next Backup at $(date -d @${target_time} +"%Y-%m-%d %T %Z")" sleep $waittime ### Commence Backup 
@@ -192,16 +192,16 @@ print_debug "Backup routines Initialized on `date`" backup_openldap ### Zabbix - if var_true $ENABLE_ZABBIX ; then + if var_true "$ENABLE_ZABBIX" ; then print_notice "Sending Backup Statistics to Zabbix" - silent zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k dbbackup.size -o `stat -c%s ${BACKUP_PATH}/${target}` - silent zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k dbbackup.datetime -o `date -r ${BACKUP_PATH}/${target} +'%s'` + silent zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k dbbackup.size -o $(stat -c%s "${BACKUP_PATH}"/"${target}") + silent zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k dbbackup.datetime -o $(date -r "${BACKUP_PATH}"/"${target}" +'%s') fi ### Automatic Cleanup if [[ -n "$BACKUP_RETENTION" ]]; then print_notice "Cleaning up old backups" - find $BACKUP_PATH/ -mmin +$BACKUP_RETENTION -iname "*" -exec rm {} \; + find "$BACKUP_PATH"/ -mmin +"$BACKUP_RETENTION" -iname "*" -exec rm {} \; fi ### Post Backup Custom Script Support @@ -209,11 +209,11 @@ print_debug "Backup routines Initialized on `date`" print_notice "Found Custom Scripts to Execute" for f in $(find /assets/custom-scripts/ -name \*.sh -type f); do print_notice "Running Script ${f}" - ## script DATE TIME BACKUP_FILENAME FILESIZE MD5_VALUE - chmod +x ${f} + ## script DATE TIME BACKUP_FILENAME FILESIZE MD5_VALUE + chmod +x "${f}" ${f} "${now_date}" "${now_time}" "${target}" "${FILESIZE}" "${MD5VALUE}" done - fi + fi ### Go back to Sleep until next Backup time if var_true $MANUAL ; then
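Review bot: in the README hunk `@@ -5,7 +5,7 @@`, demoting `# Introduction` to `### Introduction` while `Prerequisites` and `Installation` become `##` later in this patch leaves the first section one level below its siblings; use `## Introduction` so the heading hierarchy stays monotonic. The unchanged context line still reads "This as a Dockerfile", which should be "This is a Dockerfile" while the heading is being touched anyway.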
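Review bot: in `@@ -24,43 +24,46 @@` the new table-of-contents entry `[Environment Varables](#environment-varables)` carries a spelling error that is repeated in the `### Environment Varables` heading further down; fix both together (`Environment Variables` / `#environment-variables`), since the anchor is derived from the heading text. Same hunk: `[Backup Options:](#backup-options)` keeps a stray colon, the `Dependencies` entry is dropped from the TOC while the `# Dependencies` section itself remains (and is the only heading still at h1), and `## Prerequisites` is inserted directly after the last TOC item `- [References](#references)` with no blank line between them.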
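Review bot: in `@@ -81,132 +84,167 @@` the Backup Options tables document `BACKUP_LOCATION`, `BACKUP_S3_BUCKET`, `BACKUP_S3_HOSTNAME`, `BACKUP_S3_KEY_ID`, `BACKUP_S3_KEY_SECRET`, `BACKUP_S3_PATH`, `BACKUP_S3_PROTOCOL` and `BACKUP_S3_URI_STYLE`, but the `20-openldap-backup/run` hunks in this same patch read `BACKUP_TYPE`, `S3_BUCKET`, `S3_HOST`, `S3_KEY_ID`, `S3_KEY_SECRET`, `S3_PATH`, `S3_PROTOCOL` and `S3_URI_STYLE`; one side has to change, or a user following the README gets a filesystem backup with their S3 settings silently ignored. Also in this hunk: the `Backup Options` and `Backing Up to S3` tables declare two header columns (`| Parameter | Description |`) while most rows carry a third default cell and the `BACKUP_INTERVAL` / `BACKUP_BEGIN` rows carry none, so add a `| Default |` header and fill the gaps; `TLS_CA_CRT_FILENAME` defaults to `${TLS_CA_AME}.crt`, which should read `${TLS_CA_NAME}.crt`; `References` now ends in an empty `*` bullet after `https://openldap.org` was removed; boolean defaults mix `TRUE`/`true`/`FALSE`/`false` across tables; and the typos `Numberical`, `freqency`, `Consective`, `Sujbject`, `Certficates`, `Unecrypted` and `seperated` are carried into the rewritten rows. With a dedicated Default column now present, it is also the natural place to mark `ADMIN_PASS` (`admin`), `CONFIG_PASS` (`config`) and `READONLY_USER_PASS` (`readonly`) as values that must be overridden, and to cross-reference `TLS_ENFORCE` (`FALSE`) with the `389 | Unecrypted LDAP` row in Networking.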
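Review bot: in the `install/assets/slapd/config/bootstrap/README.md` hunk the whole sentence becomes an h1 (`# Bootstrap config, for a container started without an existing ldap config.`); a heading should be a short title such as `# Bootstrap config`, with the explanatory sentence kept as body text beneath it.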
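Review bot: in `@@ -14,7 +14,7 @@` of `20-openldap-backup/run` the added `$` fixes a real defect: `[ "BACKUP_TYPE" = "S3" ]` compared the literal string `BACKUP_TYPE` and could never be true, so the S3 branch was unreachable whatever the configuration. Rather than enumerating four spellings here and again in `move_backup`, normalise once, e.g. `case "$(echo "${BACKUP_TYPE}" | tr '[:upper:]' '[:lower:]')" in s3|minio) ... ;; esac`, so that `Minio` or `Filesystem` are also accepted and the two lists cannot drift apart.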
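Review bot: in `@@ -49,14 +49,14 @@` the quoting change keeps `-F "${CONFIG_PATH}"slapd.d`, which concatenates with no separator; with the README's documented `CONFIG_PATH` default of `/etc/openldap` this yields `/etc/openldapslapd.d`, so either use `-F "${CONFIG_PATH}/slapd.d"` (and tolerate a trailing slash) or document the default with its trailing `/`. Quote the redirection target as a whole, `"${tmpdir}/${target}"`, rather than `${tmpdir}/"${target}"`. Worth noting for the `-n 0` dump: the cn=config export contains `olcRootPW` hashes and, with the documented `REPLICATION_*_SYNCPROV` defaults, the syncrepl `credentials=` value in clear, so the files in `${tmpdir}` should be created under a restrictive umask (e.g. `umask 077` at the start of `backup_openldap`) before they are moved or uploaded.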
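Review bot: in `@@ -90,11 +90,11 @@` `cd $tmpdir` stays unquoted and unchecked while the lines around it gain quotes; if the `cd` fails, `md5sum "${target}"` runs in whatever the current directory happens to be and writes the `.md5` file there. Use `cd "$tmpdir" || return 1`, or better give `md5sum` the full `"${tmpdir}/${target}"` path and drop the `cd`, which also avoids changing the caller's working directory for the rest of the run.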
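Review bot: in `@@ -118,27 +118,27 @@` the `.md5` upload sends `-H "Date: $date"` while its signature is computed over `$s3_date`; `$date` is never assigned in this script, so the Date header is empty and the signature cannot verify (the data-file upload in the next hunk correctly uses `-H "Date: $s3_date"`). The added `||` operators in the `S3_URI_STYLE` test fix a genuine syntax error (`[ ... ] [ ... ]` fails with `too many arguments`). `mv ${tmpdir}/*.md5 "${BACKUP_PATH}"/` runs even when `BACKUP_MD5` is false, where the unmatched glob makes `mv` fail on the literal name; guard it with `var_true "$BACKUP_MD5"` as `generate_md5` does. Two caveats for anyone pointing this at AWS rather than Minio: `-hmac "${S3_KEY_SECRET}"` places the secret on the `libressl` command line, visible in the container's process list for the duration of the call, and `Authorization: AWS ...` with HMAC-SHA1 is the legacy Signature Version 2 scheme, which Amazon S3 does not accept in newer regions.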
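Review bot: in `@@ -149,21 +149,21 @@` the `curl -T` result is never checked before `rm -rf ${tmpdir}/*.md5` and `rm -rf ${tmpdir}/"${target}"` run, so a rejected upload (bad signature, wrong bucket, network error) silently destroys the only copy of the dump. Add `--fail --silent --show-error` to `curl` and delete the temporary files only when it exits 0, reporting the failure through `print_notice` otherwise; the single-file removals should be `rm -f`, and `${tmpdir}` is still unquoted in the `curl -T` and `rm` arguments while `${target}` next to it is quoted. The backtick to `$(date)` replacement is fine.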
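Review bot: in `@@ -192,16 +192,16 @@` the cleanup `find "$BACKUP_PATH"/ -mmin +"$BACKUP_RETENTION" -iname "*" -exec rm {} \;` has no guard on `BACKUP_PATH` being set: with it empty the quoted form expands to `find / -mmin ...` and removes every file on the container filesystem older than the retention window. Require it with the script's `sanity_var BACKUP_PATH "Backup Path"` (the helper used for the S3 variables at the top of the file) before this block, drop the no-op `-iname "*"`, and restrict the match to files this script produces, e.g. `-maxdepth 1 -type f -name "*_openldap_*"`, matching the `target=${now}_openldap_config` / `_data` naming in `backup_openldap`. The Zabbix lines `stat -c%s "${BACKUP_PATH}"/"${target}"` and `date -r "${BACKUP_PATH}"/"${target}"` assume the file landed in `BACKUP_PATH`, which is false for the S3 branch of `move_backup` (the temp copy is deleted after upload), so they should be skipped or fed from `FILESIZE` when `BACKUP_TYPE` is S3.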
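Review bot: in `@@ -209,11 +209,11 @@` `chmod +x "${f}"` is now quoted but the invocation on the next line, `${f} "${now_date}" ...`, is not, and the enclosing `for f in $(find ...)` word-splits on whitespace in paths; quote `"${f}"` as well and iterate with `find ... -exec` or a `while IFS= read -r f` loop. The `- fi` / `+ fi` and comment changes differ only in trailing whitespace and add noise to the diff, and the unchanged `if var_true $MANUAL` just below is the one `var_true` argument left unquoted after this patch's quoting pass.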