initial github release commit

Author: Steve Brunton

LICENSE

@@ -0,0 +1,30 @@
+BSD 3-Clause License
+
+Copyright (c) 2019, sbrunton at gmail dot com
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

README.md

@@ -0,0 +1,87 @@
+### OCI Metadata Script Handler
+
+#### Overview
+
+The intent of this is to make it easy to be able to run a startup or shutdown script on an instance for purposes such 
+as configuration, ping back announcements or anything else one may want to do during these lifecycle steps.
+
+Scripts are defined in the instance metadata as being either of `startup` or `shutdown` and can be sourced from 
+either local storage, metadata value, remote url or
+[Object Storage](https://docs.cloud.oracle.com/iaas/Content/Object/Concepts/objectstorageoverview.htm). If more
+than one source is supplied both will be executed with remote being run first.
+
+`startup-script` Examples :
+
+```
+"startup-script" : "/opt/service/start/bootstrap.py"
+```
+
+```
+"startup-script" : "IyEvdXNyL2Jpbi9lbnYgYmFzaAoKZWNobyAibXkgYXdlc29tZSBzdGFydHVwIHNjcmlwdCIK"
+```
+
+The first will execute the script that is contained locally on the host instance. It will be copied into a
+temporary location before execution.
+
+The second is the actual script data base64 encoded and supplied in the instance metadata. It will be base64 decoded
+into a temporary location under a temporary filename and then executed.
+
+`startup-script-url` Examples:
+
+```
+"startup-script-url" : "oci://bucket@namespace/bootstrap.py"
+```
+
+```
+"startup-script-url" : "https://trusted-remote-server.io/boot/bootstrap.py"
+```
+
+The first will fetch the script from an Object Storage bucket in the namespace, store in a temporary working
+directory and then execute it. It is the responsibility of the owner to make sure that the instances have access to
+the bucket.
+
+The second will make a request to the specified location, download to a temporary directory and execute the
+payload. Be warned that this should be a trusted known site and that egress to the remote location is allowed.
+
+#### Object Storage Example
+
+If Object storage will be the source for the scripts a
+[policy](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policygetstarted.htm)
+will need to be applied such that the instances
+can easily have read-only access to the buckets in the namespace to retrieve the scripts from. A definition for
+[Dynamic Groups](https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingdynamicgroups.htm) is also helpful
+for being able to allow instances in this group to have the policy for read-only access to the buckets. Using
+[Terraform](https://www.terraform.io/) it could be something like :
+
+
+```
+resource "oci_identity_dynamic_group" "ro_script_buckets" {
+  compartment_id = "${var.tenancy_ocid}"
+  name           = "ro-script-buckets"
+  description    = "dynamic group for reading startup/shutdown script buckets"
+  matching_rule  = <<EOF
+Any {instance.compartment.id = 'ocid1.compartment.oc1..aaaaaxutgua',
+instance.compartment.id = 'ocid1.compartment.oc1..aaaaallwh6mv7avuozfsus4yaia',
+instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaaszz2v4gyfza'}
+EOF
+}
+```
+
+Where the `instance.compartment.id` values are those of compartments where instances will be created in and will
+require access to the startup or shutdown scripts buckets.
+
+```
+resource "oci_identity_policy" "script_buckets_read" {
+    depends_on = ["oci_identity_dynamic_group.ro_script_buckets"]
+    compartment_id = "${var.tenancy_ocid}"
+    name = "script-buckets-read"
+    description = "read only policy for scripts buckets"
+    statements = [
+        "allow dynamic-group ro-script-buckets to read buckets in compartment Bucket_Compartment where any {target.bucket.name='startup-scripts', target.bucket.name='shutdown-scripts'}",
+        "allow dynamic-group ro-script-buckets to read objects in compartment Bucket_Compartment where any {target.bucket.name='startup-scripts', target.bucket.name='shutdown-scripts'}"
+    ]
+}
+```
+
+This will allow the instances in the dynamic group created above to access the buckets with the names `startup-scripts`
+and `shutdown-scripts`.

VERSION

@@ -0,0 +1 @@
+1.0.2

executor.go

@@ -0,0 +1,45 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"os/exec"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const defaultShell = "/bin/bash"
+
+func (sm *ScriptManager) RunScript(sn string) error {
+
+	s := fmt.Sprintf("%s/%s", sm.WorkDir, sn)
+
+	log.Debugf("about to run : %s", s)
+
+	cmd := exec.Command(defaultShell, s)
+
+	cmdReader, err := cmd.StdoutPipe()
+	if err != nil {
+		return fmt.Errorf("error creating stdout pipe for '%s' : %s", s, err)
+	}
+
+	scanner := bufio.NewScanner(cmdReader)
+
+	go func() {
+		for scanner.Scan() {
+			log.Infof("%s | %s", sn, scanner.Text())
+		}
+	}()
+
+	err = cmd.Start()
+	if err != nil {
+		return fmt.Errorf("error starting command '%s' : %s", s, err)
+	}
+
+	err = cmd.Wait()
+	if err != nil {
+		return fmt.Errorf("error waiting for command '%s': %s", s, err)
+	}
+
+	return nil
+}

go.mod

@@ -0,0 +1,11 @@
+module oci-metadata-scripts
+
+go 1.12
+
+require (
+	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
+	github.com/oracle/oci-go-sdk v5.4.0+incompatible
+	github.com/sirupsen/logrus v1.4.1
+	github.com/stretchr/objx v0.2.0 // indirect
+	golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a // indirect
+)

go.sum

@@ -0,0 +1,19 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/oracle/oci-go-sdk v5.4.0+incompatible h1:fM4QtmPTmmrzcyvBQP1/deOodn1/zJSszrQmHotAb3Q=
+github.com/oracle/oci-go-sdk v5.4.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a h1:XCr/YX7O0uxRkLq2k1ApNQMims9eCioF9UpzIPBDmuo=
+golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

instancemeta/instance_metadata.go

@@ -0,0 +1,78 @@
+// Copyright 2017 Oracle and/or its affiliates. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package instancemeta
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+)
+
+const (
+	baseURL          = "http://169.254.169.254"
+	metadataEndpoint = "/opc/v1/instance/"
+)
+
+// InstanceMetadata holds the subset of the instance metadata retrieved from the
+// local OCI instance metadata API endpoint.
+// https://docs.us-phoenix-1.oraclecloud.com/Content/Compute/Tasks/gettingmetadata.htm
+type InstanceMetadata struct {
+	CompartmentOCID string            `json:"compartmentId"`
+	Region          string            `json:"region"`
+	Metadata        map[string]string `json:"metadata"`
+}
+
+// Interface defines how consumers access OCI instance metadata.
+type Interface interface {
+	Get() (*InstanceMetadata, error)
+}
+
+type metadataGetter struct {
+	baseURL string
+	client  *http.Client
+}
+
+// New returns the instance metadata for the host on which the code is being
+// executed.
+func New() Interface {
+	return &metadataGetter{client: http.DefaultClient, baseURL: baseURL}
+}
+
+// Get either returns the cached metadata for the current instance or queries
+// the instance metadata API, populates the cache, and returns the result.
+func (m *metadataGetter) Get() (*InstanceMetadata, error) {
+	req, err := http.NewRequest("GET", m.baseURL+metadataEndpoint, nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := m.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get instance metadata: %v", err)
+
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("metadata endpoint returned status %d; expected 200 OK", resp.StatusCode)
+	}
+
+	md := &InstanceMetadata{}
+	err = json.NewDecoder(resp.Body).Decode(md)
+	if err != nil {
+		return nil, err
+	}
+
+	return md, nil
+}

instancemeta/instance_metadata_mock.go

@@ -0,0 +1,28 @@
+// Copyright 2017 Oracle and/or its affiliates. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package instancemeta
+
+type mockMetadataGetter struct {
+	metadata *InstanceMetadata
+}
+
+// NewMock returns a new mock OCI instance metadata getter.
+func NewMock(metadata *InstanceMetadata) Interface {
+	return &mockMetadataGetter{metadata: metadata}
+}
+
+func (m *mockMetadataGetter) Get() (*InstanceMetadata, error) {
+	return m.metadata, nil
+}

instancemeta/instance_metadata_test.go

@@ -0,0 +1,65 @@
+// Copyright 2017 Oracle and/or its affiliates. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package instancemeta
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"reflect"
+	"testing"
+)
+
+const exampleResponse = `{
+  "availabilityDomain" : "NWuj:PHX-AD-1",
+  "compartmentId" : "ocid1.compartment.oc1..aaaaaaaa3um2atybwhder4qttfhgon4j3hcxgmsvnyvx4flfjyewkkwfzwnq",
+  "displayName" : "trjl-kb8s-master",
+  "id" : "ocid1.instance.oc1.phx.abyhqljtj775udgtbu7nddt6j2hqgxdsgrnpweepogvvsmqfppefewile5zq",
+  "image" : "ocid1.image.oc1.phx.aaaaaaaaamx6ta37uxltor6n5lxfgd5lkb3lwmoqurlpn2x4dz5ockekiuea",
+  "metadata" : {
+    "ssh_authorized_keys" : "ssh-rsa some-key-data tlangfor@tlangfor-mac\n",
+	"startup-script" : "/usr/local/bin/baas-bootstrap.py",
+    "startup-script-url" : "oci://bucket@namespace/baas-bootstrap.py"
+  },
+  "region" : "phx",
+  "shape" : "VM.Standard1.1",
+  "state" : "Provisioning",
+  "timeCreated" : 1496415602152
+}`
+
+func TestGetMetadata(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, exampleResponse)
+	}))
+	defer ts.Close()
+	getter := metadataGetter{client: ts.Client(), baseURL: ts.URL}
+	meta, err := getter.Get()
+	if err != nil {
+		t.Fatalf("Uexpected error calling Get(): %v", err)
+	}
+
+	expected := &InstanceMetadata{
+		CompartmentOCID: "ocid1.compartment.oc1..aaaaaaaa3um2atybwhder4qttfhgon4j3hcxgmsvnyvx4flfjyewkkwfzwnq",
+		Region:          "phx",
+		Metadata: map[string]string{
+			"ssh_authorized_keys": "ssh-rsa some-key-data tlangfor@tlangfor-mac\n",
+			"startup-script":      "/usr/local/bin/baas-bootstrap.py",
+			"startup-script-url":  "oci://bucket@namespace/baas-bootstrap.py",
+		},
+	}
+	if !reflect.DeepEqual(meta, expected) {
+		t.Errorf("Get() => %+v, want %+v", meta, expected)
+	}
+}