netdata/packaging/makeself/install-or-update.sh

#!/usr/bin/env bash

# SPDX-License-Identifier: GPL-3.0-or-later

# shellcheck source=./packaging/makeself/functions.sh
. "$(dirname "${0}")"/functions.sh

export LC_ALL=C
umask 002

# Be nice on production environments
renice 19 $$ > /dev/null 2> /dev/null

NETDATA_PREFIX="/opt/netdata"
NETDATA_USER_CONFIG_DIR="${NETDATA_PREFIX}/etc/netdata"

# -----------------------------------------------------------------------------
if [ -d /opt/netdata/etc/netdata.old ]; then
  progress "Found old etc/netdata directory, reinstating this"
  [ -d /opt/netdata/etc/netdata.new ] && rm -rf /opt/netdata/etc/netdata.new
  mv -f /opt/netdata/etc/netdata /opt/netdata/etc/netdata.new
  mv -f /opt/netdata/etc/netdata.old /opt/netdata/etc/netdata

  progress "Trigger stock config clean up"
  rm -f /opt/netdata/etc/netdata/.installer-cleanup-of-stock-configs-done
fi

STARTIT=1
REINSTALL_OPTIONS=""
NETDATA_CERT_MODE="${NETDATA_CERT_MODE:-auto}"
NETDATA_CERT_TEST_URL="${NETDATA_CERT_TEST_URL:-https://app.netdata.cloud}"
RELEASE_CHANNEL="nightly"

while [ "${1}" ]; do
  case "${1}" in
    "--dont-start-it")
      STARTIT=0
      REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
      ;;
    "--auto-update" | "-u") ;;
    "--stable-channel")
      RELEASE_CHANNEL="stable"
      REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
      ;;
    "--nightly-channel")
      RELEASE_CHANNEL="nightly"
      REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
      ;;
    "--disable-telemetry")
      NETDATA_DISABLE_TELEMETRY=1
      REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
      ;;
    "--certificates")
      case "${2}" in
        auto|system) NETDATA_CERT_MODE="auto" ;;
        check) NETDATA_CERT_MODE="check" ;;
        bundled) NETDATA_CERT_MODE="bundled" ;;
        *) run_failed "Unknown certificate handling mode '${2}'. Supported modes are auto, check, system, and bundled."; exit 1 ;;
      esac
      shift 1
      ;;
    "--certificate-test-url")
      NETDATA_CERT_TEST_URL="${2}"
      shift 1
      ;;

    *) echo >&2 "Unknown option '${1}'. Ignoring it." ;;
  esac
  shift 1
done

if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
  [ -n "$DISABLE_TELEMETRY" ] ||
  [ ! "${DO_NOT_TRACK:-0}" -eq 0 ] ||
  [ -n "$DO_NOT_TRACK" ]; then
  NETDATA_DISABLE_TELEMETRY=1
  REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --disable-telemetry"
fi

if [ -n "${NETDATA_CERT_MODE}" ]; then
  REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificates ${NETDATA_CERT_MODE}"
fi

if [ -n "${NETDATA_CERT_TEST_URL}" ]; then
  REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificate-test-url ${NETDATA_CERT_TEST_URL}"
fi

# -----------------------------------------------------------------------------
progress "Attempt to create user/group netdata/netadata"

NETDATA_WANTED_GROUPS="docker nginx varnish haproxy adm nsd proxy squid ceph nobody I2C"
NETDATA_ADDED_TO_GROUPS=""
# Default user/group
NETDATA_USER="root"
NETDATA_GROUP="root"

if portable_add_group netdata; then
  if portable_add_user netdata "/opt/netdata"; then
    progress "Add user netdata to required user groups"
    for g in ${NETDATA_WANTED_GROUPS}; do
      # shellcheck disable=SC2086
      if portable_add_user_to_group ${g} netdata; then
        NETDATA_ADDED_TO_GROUPS="${NETDATA_ADDED_TO_GROUPS} ${g}"
      else
        run_failed "Failed to add netdata user to secondary groups"
      fi
    done
    # Netdata must be able to read /etc/pve/qemu-server/* and /etc/pve/lxc/*
    # for reading VMs/containers names, CPU and memory limits on Proxmox.
    if [ -d "/etc/pve" ]; then
      portable_add_user_to_group "www-data" netdata && NETDATA_ADDED_TO_GROUPS="${NETDATA_ADDED_TO_GROUPS} www-data"
    fi
    NETDATA_USER="netdata"
    NETDATA_GROUP="netdata"
  else
    run_failed "I could not add user netdata, will be using root"
  fi
else
  run_failed "I could not add group netdata, so no user netdata will be created as well. Netdata run as root:root"
fi

# -----------------------------------------------------------------------------
progress "Install logrotate configuration for netdata"

install_netdata_logrotate || run_failed "Cannot install logrotate file for netdata."

progress "Install journald configuration for netdata"

install_netdata_journald_conf || run_failed "Cannot install journald file for netdata."

# -----------------------------------------------------------------------------
progress "Telemetry configuration"

# Opt-out from telemetry program
if [ -n "${NETDATA_DISABLE_TELEMETRY}" ]; then
  run touch "${NETDATA_USER_CONFIG_DIR}/.opt-out-from-anonymous-statistics"
else
  printf "You can opt out from anonymous statistics via the --disable-telemetry option, or by creating an empty file %s \n\n" "${NETDATA_USER_CONFIG_DIR}/.opt-out-from-anonymous-statistics"
fi

# -----------------------------------------------------------------------------
progress "Install netdata at system init"

install_netdata_service || run_failed "Cannot install netdata init service."

set_netdata_updater_channel || run_failed "Cannot set netdata updater tool release channel to '${RELEASE_CHANNEL}'"

# -----------------------------------------------------------------------------
progress "Install (but not enable) netdata updater tool"
install_netdata_updater || run_failed "Cannot install netdata updater tool."

# -----------------------------------------------------------------------------
progress "creating quick links"

dir_should_be_link() {
  local p="${1}" t="${2}" d="${3}" old

  old="${PWD}"
  cd "${p}" || return 0

  if [ -e "${d}" ]; then
    if [ -h "${d}" ]; then
      run rm "${d}"
    else
      run mv -f "${d}" "${d}.old.$$"
    fi
  fi

  run ln -s "${t}" "${d}"
  cd "${old}" || true
}

dir_should_be_link . bin sbin
dir_should_be_link usr ../bin bin
dir_should_be_link usr ../bin sbin
dir_should_be_link usr . local

dir_should_be_link . etc/netdata netdata-configs
dir_should_be_link . usr/share/netdata/web netdata-web-files
dir_should_be_link . usr/libexec/netdata netdata-plugins
dir_should_be_link . var/lib/netdata netdata-dbs
dir_should_be_link . var/cache/netdata netdata-metrics
dir_should_be_link . var/log/netdata netdata-logs

dir_should_be_link etc/netdata ../../usr/lib/netdata/conf.d orig

# -----------------------------------------------------------------------------
progress "fix permissions"

run chmod g+rx,o+rx /opt
run find /opt/netdata -type d -exec chmod go+rx '{}' \+
run chown -R ${NETDATA_USER}:${NETDATA_GROUP} /opt/netdata/var

if [ -d /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.d ]; then
  run chown -R root:${NETDATA_GROUP} /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.d
fi

# -----------------------------------------------------------------------------

progress "changing plugins ownership and permissions"

for x in ndsudo apps.plugin perf.plugin slabinfo.plugin debugfs.plugin freeipmi.plugin ioping cgroup-network local-listeners network-viewer.plugin ebpf.plugin nfacct.plugin xenstat.plugin python.d.plugin charts.d.plugin go.d.plugin ioping.plugin cgroup-network-helper.sh; do
  f="usr/libexec/netdata/plugins.d/${x}"
  if [ -f "${f}" ]; then
    run chown root:${NETDATA_GROUP} "${f}"
  fi
done

if command -v setcap >/dev/null 2>&1; then
  if ! run setcap "cap_dac_read_search,cap_sys_ptrace=ep" "usr/libexec/netdata/plugins.d/apps.plugin"; then
    run chmod 4750 "usr/libexec/netdata/plugins.d/apps.plugin"
  fi
  if ! run setcap "cap_dac_read_search=ep" "usr/libexec/netdata/plugins.d/slabinfo.plugin"; then
    run chmod 4750 "usr/libexec/netdata/plugins.d/slabinfo.plugin"
  fi
  if ! run setcap "cap_dac_read_search=ep" "usr/libexec/netdata/plugins.d/debugfs.plugin"; then
    run chmod 4750 "usr/libexec/netdata/plugins.d/debugfs.plugin"
  fi
  if ! run setcap "cap_dac_read_search+epi cap_net_admin+epi cap_net_raw=eip" "usr/libexec/netdata/plugins.d/go.d.plugin"; then
    run chmod 4750 "usr/libexec/netdata/plugins.d/go.d.plugin"
  fi

  perf_caps="cap_sys_admin=ep"
  if command -v capsh >/dev/null 2>&1 && capsh --supports=cap_perfmon 2>/dev/null; then
    perf_caps="cap_perfmon=ep"
  fi

  if ! run setcap "${perf_caps}" "usr/libexec/netdata/plugins.d/perf.plugin"; then
    run chmod 4750 "usr/libexec/netdata/plugins.d/perf.plugin"
  fi
else
  for x in apps.plugin perf.plugin slabinfo.plugin debugfs.plugin; do
    f="usr/libexec/netdata/plugins.d/${x}"
    run chmod 4750 "${f}"
  done
fi

for x in ndsudo freeipmi.plugin ioping cgroup-network local-listeners network-viewer.plugin ebpf.plugin nfacct.plugin xenstat.plugin; do
  f="usr/libexec/netdata/plugins.d/${x}"

  if [ -f "${f}" ]; then
    run chmod 4750 "${f}"
  fi
done

# -----------------------------------------------------------------------------

replace_symlink() {
    target="${1}"
    name="${2}"
    rm -f "${name}"
    ln -s "${target}" "${name}"
}

select_system_certs() {
  if [ -d /etc/pki/tls ] ; then
    echo "${1} /etc/pki/tls for TLS configuration and certificates"
    replace_symlink /etc/pki/tls /opt/netdata/etc/ssl
  elif [ -d /etc/ssl ] ; then
    echo "${1} /etc/ssl for TLS configuration and certificates"
    replace_symlink /etc/ssl /opt/netdata/etc/ssl
  fi
}

select_internal_certs() {
  echo "Using bundled TLS configuration and certificates"
  replace_symlink /opt/netdata/share/ssl /opt/netdata/etc/ssl
}

certs_selected() {
  [ -L /opt/netdata/etc/ssl ] || return 1
}

test_certs() {
  /opt/netdata/bin/curl --fail --max-time 300 --silent --output /dev/null "${NETDATA_CERT_TEST_URL}"

  case "$?" in
    35|77) echo "Failed to load certificate files for test." ; return 1 ;;
    60|82|83) echo "Certificates cannot be used to connect to ${NETDATA_CERT_TEST_URL}" ; return 1 ;;
    53|54|66) echo "Unable to use OpenSSL configuration associated with certificates" ; return 1 ;;
    0) echo "Successfully connected to ${NETDATA_CERT_TEST_URL} using certificates" ;;
    *) echo "Unable to test certificates due to networking problems, blindly assuming they work" ;;
  esac
}

# If the user has manually set up certificates, don’t mess with it.
if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then
  echo "Preserving existing user configuration for TLS"
else
  echo "Configure TLS certificate paths (mode: ${NETDATA_CERT_MODE})"
  case "${NETDATA_CERT_MODE}" in
    check)
      select_system_certs "Testing"
      if certs_selected && test_certs; then
        select_system_certs "Using"
      else
        select_internal_certs
      fi
      ;;
    bundled) select_internal_certs ;;
    *)
      select_system_certs "Using"
      if ! certs_selected; then
        select_internal_certs
      fi
      ;;
  esac
fi

# -----------------------------------------------------------------------------

echo "Save install options"
grep -qv 'IS_NETDATA_STATIC_BINARY="yes"' "${NETDATA_PREFIX}/etc/netdata/.environment" || echo IS_NETDATA_STATIC_BINARY=\"yes\" >> "${NETDATA_PREFIX}/etc/netdata/.environment"
REINSTALL_OPTIONS="$(echo "${REINSTALL_OPTIONS}" | awk '{gsub("/", "\\/"); print}')"
sed -i "s/REINSTALL_OPTIONS=\".*\"/REINSTALL_OPTIONS=\"${REINSTALL_OPTIONS}\"/" "${NETDATA_PREFIX}/etc/netdata/.environment"

# -----------------------------------------------------------------------------
if [ ${STARTIT} -eq 0 ]; then
  create_netdata_conf "${NETDATA_PREFIX}/etc/netdata/netdata.conf"
  netdata_banner "is installed now!"
else
  progress "starting netdata"

  if ! restart_netdata "${NETDATA_PREFIX}/bin/netdata"; then
    create_netdata_conf "${NETDATA_PREFIX}/etc/netdata/netdata.conf"
    netdata_banner "is installed and running now!"
  else
    create_netdata_conf "${NETDATA_PREFIX}/etc/netdata/netdata.conf" "http://localhost:19999/netdata.conf"
    netdata_banner "is installed now!"
  fi
fi
run chmod 0644 "${NETDATA_PREFIX}/etc/netdata/netdata.conf"