Added DE and DEM init/setup scripts

Author: mambelli

package/rpm/decisionengine-init.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2017 Fermi Research Alliance, LLC
+# SPDX-License-Identifier: Apache-2.0
+
+# Initialization script for Decision Engine and its modules
+# It will run all the executable files in DE_INIT_DIR
+# Assuming that all scripts do only persistent changes on the file system and are idempotent
+DE_INIT_DIR=/etc/decisionengine/init.d
+DE_INIT_LAST="$DE_INIT_DIR"/.lastrun
+
+# Emulate function library.
+success() {
+    echo -en "\033[60G[OK]"
+    return 0
+}
+
+failure() {
+    echo -en "\033[60G[FAILED]"
+    return 1
+}
+
+log_debug() {
+  [[ -z "$DECISIONENGINE_DEBUG" ]] || echo "$@"
+}
+
+if [[ -d "$DE_INIT_DIR" ]]; then
+  # Check if the init scripts changed from the last execution
+  # if [ -f $TSTF ] && find ./start -newer $TSTF -print -exec false {} + -quit; then echo "NO new"; else echo GO; touch $TSTF; fi
+  if [[ -f "$DE_INIT_LAST" ]] && find "$DE_INIT_DIR" -newer "$DE_INIT_LAST" -exec false {} + -quit; then
+    log_debug "No new Decision Engine init file"
+    exit 0
+  fi
+  touch "$DE_INIT_LAST"
+
+  # Running the scripts
+  pushd "$DE_INIT_DIR" || exit 1
+  for i in *; do
+    [[ -x "$i" ]] || continue
+    log_debug -n "Running '$i':"
+    if ./"$i"; then
+      log_debug OK
+    else
+      log_debug FAILED
+    fi
+  done
+  popd || exit 1
+fi

package/rpm/decisionengine-wrapper.sh

@@ -12,6 +12,12 @@ DE_USER=decisionengine
 DE_CMD=$(basename "$0")
 DE_HOME=$(getent passwd "$DE_USER" | cut -d: -f6 )
 
+# DECISIONENGINE_DEBUG - debug enabled if not empty (debug flags possible in the future)
+if echo "$*" | grep "--debug"; then
+  DECISIONENGINE_DEBUG=true
+  export DECISIONENGINE_DEBUG
+fi
+
 # Check if decisionengine Python code is installed
 # Library ~$DE_USER/.local/lib/python3.9/site-packages/decisionengine
 DE_EXPECTED="$DE_HOME/.local/bin/decisionengine"
@@ -20,10 +26,11 @@ if [ ! -f "$DE_EXPECTED" ]; then
     echo "WARNING. decisionengine command not found in $DE_EXPECTED."
     echo "The command will likely fail. Was the Python code installed? Use decisionengine-install-python"
 fi
-# Run the command, with su if needed
-if [ "$UID" -eq 0 ]; then
+# Run the command, with su if needed. NOTE that decisionengine-init can run only as root
+if [ "$(id -u)" -eq 0 ]; then
+    decisionengine-init.sh
     # su -s /bin/bash -l $DE_USER -c "export PATH=\"\$HOME/.local/bin:\$PATH\"; echo \$PATH; command -v \"$DE_CMD\"; \"$DE_CMD\" $(for i in "$@"; do echo -n "\"$i\" "; done;); echo \"Test END\""
-    su -s /bin/bash -l -c "export PATH=\"\$HOME/.local/bin:\$PATH\"; \"$DE_CMD\" $(for i in "$@"; do echo -n "\"$i\" "; done;)" $DE_USER
+    su -s /bin/bash -l -c "export PATH=\"\$HOME/.local/bin:\$PATH\"; \"$DE_CMD\" $(for i in "$@"; do printf "%s" "\"$i\" "; done;)" $DE_USER
 elif [ "$(whoami)" = "$DE_USER" ]; then
     export PATH="$HOME/.local/bin:$PATH"
     "$DE_CMD" "$@"

package/rpm/decisionengine.spec

@@ -164,10 +164,13 @@ install -d $RPM_BUILD_ROOT%{decisionengine_home}/passwords.d
 install -d $RPM_BUILD_ROOT%{decisionengine_home}/tokens.d
 install -d $RPM_BUILD_ROOT%{_sysconfdir}/decisionengine
 install -d $RPM_BUILD_ROOT%{_sysconfdir}/decisionengine/config.d
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/decisionengine/init.d
 install -d $RPM_BUILD_ROOT%{_localstatedir}/log/decisionengine
 install -m 0644 %{src_de_base}/config/decision_engine.jsonnet $RPM_BUILD_ROOT%{_sysconfdir}/decisionengine/
 install -D -m 0644 %{src_de_package}/systemd/decisionengine.service $RPM_BUILD_ROOT%{_unitdir}/decisionengine.service
 install -D -m 0644 %{src_de_package}/systemd/decisionengine_sysconfig $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/decisionengine
+install -D -m 0755 %{src_de_package}/rpm/decisionengine-init.sh $RPM_BUILD_ROOT%{_bindir}/decisionengine-init.sh
+install -D -m 0755 %{src_de_package}/rpm/dem_glideinwms.sh $RPM_BUILD_ROOT%{_sysconfdir}/init.d/dem_glideinwms.sh
 install -D -m 0755 %{src_de_package}/rpm/decisionengine-wrapper.sh $RPM_BUILD_ROOT%{_bindir}/decisionengine-wrapper.sh
 install -D -m 0755 %{src_de_package}/rpm/decisionengine-install-python.sh $RPM_BUILD_ROOT%{_bindir}/decisionengine-install-python
 # Add links to the wrapper script for all decisionengine binaries
@@ -224,6 +227,7 @@ systemctl daemon-reload || true
 %dir %attr(700, decisionengine, decisionengine) %{decisionengine_home}/tokens.d
 %dir %{_sysconfdir}/decisionengine
 %dir %{_sysconfdir}/decisionengine/config.d
+%dir %{_sysconfdir}/decisionengine/init.d
 %config(noreplace) %{_sysconfdir}/decisionengine/decision_engine.jsonnet
 %attr(-, root, root) %{_unitdir}/decisionengine.service
 %attr(-, root, root) %config(noreplace) %{_sysconfdir}/sysconfig/decisionengine
@@ -239,6 +243,7 @@ systemctl daemon-reload || true
 %attr(-, decisionengine, decisionengine) %dir %{_localstatedir}/log/decisionengine
 
 %files modules-deps
+%config(noreplace) %{_sysconfdir}/decisionengine/init.d/dem_glideinwms.sh
 
 %files standalone
 

package/rpm/dem_glideinwms.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2017 Fermi Research Alliance, LLC
+# SPDX-License-Identifier: Apache-2.0
+
+# Initialization script for the GlideinWMS module in Decision Engine Modules
+# This should run before running Decision Engine with the GlideinWMS module
+
+DE_USER=decisionengine
+DE_PASS_NAME=${DE_USER^^}
+DE_HOME=$(getent passwd "$DE_USER" | cut -d: -f6 )
+
+check_idtoken_password() {
+    # Make sure that the IDTOKEN password exists
+    local de_password="$DE_HOME"/passwords.d/$DE_PASS_NAME
+    if [ ! -f "$de_password" ]; then
+        local htc_password=/etc/condor/passwords.d/$DE_PASS_NAME
+        if [ ! -f "$htc_password" ]; then
+            openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "$DE_USER@$(hostname -f)" -f "$htc_password" add > /dev/null 2>&1
+        fi
+        if [ ! -f "$htc_password" ]; then
+            echo 'Cannot create IDTOKENs password! Check if HTCondor is installed correctly'
+            exit 1
+        fi
+        /bin/cp "$htc_password" "$de_password"
+        chown $DE_USER: "$de_password"
+        # The permission of $DE_HOME/passwords.d/${pass_fname} should be 0600
+        if [ ! -f "$de_password" ]; then
+            echo 'Cannot create IDTOKENs password! Check if HTCondor is installed correctly'
+            exit 1
+        fi
+    fi
+}
+
+check_idtoken_password
+
+# TODO: this is changing another RPM's files. A better solution is desired
+# Make sure the decisionengine user ($DE_USER) is in the glidein group
+if [[ -d /etc/gwms-frontend ]]; then
+  chown -R $DE_USER: /etc/gwms-frontend
+else
+  echo '/etc/gwms-frontend is missing! Was the GlideinWMS Frontend installed?'
+  exit 1
+fi

package/systemd/decisionengine.service

@@ -10,11 +10,16 @@ After = network.target
 [Service]
 Type = simple
 EnvironmentFile = -/etc/sysconfig/decisionengine
-User = decisionengine
-Group = decisionengine
 PrivateTmp = true
+
+# + in ExecStartPre/ExecStart should allow o run as root (process is executed with full privileges)
+# But it seems not to work, at least in the systemctl emulation, so running as root and switching in the script wrapper
+# User = decisionengine
+# Group = decisionengine
+# ExecStartPre = +/usr/bin/decisionengine-init.sh
 ExecStart = /usr/bin/decisionengine "$DE_OPTS"
-ExecStop = /usr/bin/echo "Running /usr/bin/de-client --stop" >&2
+# The specified command should be a synchronous operation, not an asynchronous one
+# Only one command allowed: ExecStop = /usr/bin/echo "Running /usr/bin/de-client --stop" >&2
 ExecStop = /usr/bin/de-client --stop
 # ExecReload=/usr/sbin/decsionengine reload  $MAINPID