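#!/bin/bash
#
# Copyright 2017, 2018 Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################
#
# Package post-install script: tools/packaging/postinst.sh
# (istio.io/istio@v0.0.0-20240520182934-d79c90f27776).
#
# Creates the istio-proxy account, the directories under /var/lib/istio,
# /var/log/istio and /etc/certs, hands them to istio-proxy, and sets the mode
# bits (including setgid) on /usr/local/bin/envoy and /usr/local/bin/pilot-agent.
set -e

# New files come out 0644 and new directories 0755, whatever umask the package
# manager was started with.
umask 022

if ! getent passwd istio-proxy >/dev/null; then
  if command -v useradd >/dev/null; then
    # The user can be missing while the group is already there (for example
    # after an interrupted install); groupadd would then fail and, under
    # set -e, abort the script before the user is created.
    if ! getent group istio-proxy >/dev/null; then
      groupadd --system istio-proxy
    fi
    useradd --system --gid istio-proxy --home-dir /var/lib/istio istio-proxy
  else
    addgroup --system istio-proxy
    adduser --system --group --home /var/lib/istio istio-proxy
  fi
fi

# Backward compat.
# "-e" follows symlinks, so a dangling /etc/istio link looks absent to it and
# "ln -s" would then fail with "File exists"; the -L test covers that case.
if [ ! -e /etc/istio ] && [ ! -L /etc/istio ]; then
  ln -s /var/lib/istio /etc/istio
fi

mkdir -p \
  /var/lib/istio/envoy \
  /var/lib/istio/proxy \
  /var/lib/istio/config \
  /var/log/istio

touch /var/lib/istio/config/mesh

# NOTE(review): when this script creates /etc/certs it is 0755 (umask 022), so
# the directory is world-readable; any private key placed in it has to carry
# its own restrictive mode.
mkdir -p /etc/certs

# "owner:group" is the POSIX separator; the "owner.group" form is a deprecated
# GNU extension.
chown istio-proxy:istio-proxy /etc/certs
chown istio-proxy:istio-proxy \
  /var/lib/istio/envoy \
  /var/lib/istio/config \
  /var/log/istio \
  /var/lib/istio/config/mesh \
  /var/lib/istio/proxy

# The final mode of both binaries is the one set by "chmod 2755" below.
chmod o+rx /usr/local/bin/{envoy,pilot-agent}

# pilot-agent and envoy may run with effective uid 0 in order to run envoy with
# CAP_NET_ADMIN, so any iptables rule matching on "-m owner --uid-owner
# istio-proxy" will not match connections from those processes anymore.
# Instead, rely on the process's effective gid being istio-proxy and create a
# "-m owner --gid-owner istio-proxy" iptables rule in istio-iptables.
#
# NOTE(review): setgid gives the process the group that owns the *file*, and
# nothing in this script sets the group of the two binaries. This presumably
# relies on the package installing them with group istio-proxy - confirm
# against the package manifest, otherwise the gid-owner rule will not match.
chmod 2755 /usr/local/bin/{envoy,pilot-agent}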