PG15, IP for CN, Smarter mem alloc

Author: FarrantAlex

CoreConfig.xml

@@ -17,7 +17,7 @@
     <submission ignoreStaleMessages="false" validateXml="false"/>
     <subscription reloadPersistent="false"/>
     <repository enable="true" numDbConnections="16" connectionPoolAutoSize="true" primaryKeyBatchSize="500" insertionBatchSize="500" archive="false">
-        <connection url="jdbc:postgresql://HOSTIP:5432/cot" username="martiuser" password="A4qs6s5MsZ06VasUmE!"/>
+        <connection url="jdbc:postgresql://tak-database:5432/cot" username="martiuser" password="A4qs6s5MsZ06VasUmE!"/>
     </repository>
     <repeater enable="true" periodMillis="3000" staleDelayMillis="15000">
         <repeatableType initiate-test="/event/detail/emergency[@type='911 Alert']" cancel-test="/event/detail/emergency[@cancel='true']" _name="911"/>

docker/amd64/Dockerfile.takserver-db

@@ -1,8 +1,8 @@
-FROM postgres:14.4
+FROM postgres:15
 
 # this is slow - updates all packages
 
-RUN apt-get update && apt install -y postgresql-14-postgis-3
+RUN apt-get update && apt install -y postgresql-15-postgis-3
 
 
 ENTRYPOINT ["/bin/bash", "-c", "/opt/tak/db-utils/configureInDocker.sh"]

docker/arm64/Dockerfile.takserver-db

@@ -1,6 +1,6 @@
-FROM postgres:14.4
+FROM postgres:15
 # this is slow - updates all packages
 
-RUN apt-get update && apt install -y postgresql-14-postgis-3
+RUN apt-get update && apt install -y postgresql-15-postgis-3
 
-ENTRYPOINT ["/opt/tak/db-utils/configureInDocker.sh"]
+ENTRYPOINT ["/opt/tak/db-utils/configureInDocker.sh"]

scripts/certDP.sh

@@ -15,13 +15,13 @@ echo "<?xml version='1.0' encoding='ASCII' standalone='yes'?>" > server.pref
 echo "<preferences>" >> server.pref
 echo "  <preference version=\"1\" name=\"cot_streams\">" >> server.pref
 echo "    <entry key=\"count\" class=\"class java.lang.Integer\">1</entry>" >> server.pref
-echo "    <entry key=\"description0\" class=\"class java.lang.String\">TAK Server (https://github.com/Cloud-RF/tak-server)</entry>" >> server.pref
+echo "    <entry key=\"description0\" class=\"class java.lang.String\">TAK Server</entry>" >> server.pref
 echo "    <entry key=\"enabled0\" class=\"class java.lang.Boolean\">true</entry>" >> server.pref
 echo "    <entry key=\"connectString0\" class=\"class java.lang.String\">$IP:8089:ssl</entry>" >> server.pref
 echo "  </preference>" >> server.pref
 echo "  <preference version=\"1\" name=\"com.atakmap.app_preferences\">" >> server.pref
 echo "    <entry key=\"displayServerConnectionWidget\" class=\"class java.lang.Boolean\">true</entry>" >> server.pref
-echo "    <entry key=\"caLocation\" class=\"class java.lang.String\">cert/takserver.p12</entry>" >> server.pref
+echo "    <entry key=\"caLocation\" class=\"class java.lang.String\">cert/$IP.p12</entry>" >> server.pref
 echo "    <entry key=\"caPassword\" class=\"class java.lang.String\">atakatak</entry>" >> server.pref
 echo "    <entry key=\"clientPassword\" class=\"class java.lang.String\">atakatak</entry>" >> server.pref
 echo "    <entry key=\"certificateLocation\" class=\"class java.lang.String\">cert/$USER.p12</entry>" >> server.pref
@@ -38,12 +38,12 @@ echo "    <Parameter name=\"name\" value=\"$USER DP\"/>" >> manifest.xml
 echo "    <Parameter name=\"onReceiveDelete\" value=\"true\"/>" >> manifest.xml
 echo "  </Configuration>" >> manifest.xml
 echo "  <Contents>" >> manifest.xml
-echo "    <Content ignore=\"false\" zipEntry=\"certs\server.pref\"/>" >> manifest.xml
-echo "    <Content ignore=\"false\" zipEntry=\"certs\takserver.p12\"/>" >> manifest.xml
-echo "    <Content ignore=\"false\" zipEntry=\"certs\\$USER.p12\"/>" >> manifest.xml
+echo "    <Content ignore=\"false\" zipEntry=\"server.pref\"/>" >> manifest.xml
+echo "    <Content ignore=\"false\" zipEntry=\"$IP.p12\"/>" >> manifest.xml
+echo "    <Content ignore=\"false\" zipEntry=\"$USER.p12\"/>" >> manifest.xml
 echo "  </Contents>" >> manifest.xml
 echo "</MissionPackageManifest>" >> manifest.xml
 
-zip -j tak/certs/files/$USER-$IP.dp.zip manifest.xml server.pref tak/certs/files/takserver.p12 tak/certs/files/$USER.p12
+zip -j tak/certs/files/$USER-$IP.dp.zip manifest.xml server.pref tak/certs/files/$IP.p12 tak/certs/files/$USER.p12
 echo "-------------------------------------------------------------"
-echo "Created certificate data package for $USER @ $IP as tak/certs/files/$USER-$IP.dp.zip"
+echo "Created certificate data package for $USER @ $IP as tak/certs/files/$USER-$IP.dp.zip"

scripts/cleanup.sh

@@ -12,3 +12,7 @@ $DOCKER_COMPOSE down
 docker volume rm --force tak-server_db_data
 rm -rf tak
 rm -rf /tmp/takserver
+
+# Comment me out to save yourself rebuilding........
+docker image rm tak-server_db --force
+docker image rm tak-server_tak --force

scripts/configureInDocker1.sh

@@ -3,7 +3,8 @@
 # Added for 4.7 REL 18 where they broke DB auth with TCP/IP hardening
 # Commented out when they relaxed it in REL 4.7 20 because folks docker systems stopped working..
 # Re-added for 4.8 REL 31 because they got hard again. I can do this all day.
-sed -i 's/127.0.0.1\/32/0.0.0.0\/0/g' /opt/tak/db-utils/pg_hba.conf
+# Now using a flexible docker /8 range
+sed -i 's/127.0.0.1\/32/172.0.0.0\/8/g' /opt/tak/db-utils/pg_hba.conf
 
 # Removed inline options because these belong in postgres.conf
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ];
@@ -12,15 +13,15 @@ then
 	rm -f /var/lib/postgresql/data/postmaster.pid
 	echo "listen_addresses='*'" >> /var/lib/postgresql/data/postgresql.conf
 	cp /opt/tak/db-utils/pg_hba.conf /var/lib/postgresql/data/pg_hba.conf
-	su - postgres -c "/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data -l logfile start"
+	su - postgres -c "/usr/lib/postgresql/15/bin/pg_ctl -D /var/lib/postgresql/data -l logfile start"
 
 else
 
 	echo "-------NO DB-------"
 	chown postgres:postgres /var/lib/postgresql/data
-	su - postgres -c '/usr/lib/postgresql/14/bin/pg_ctl initdb -D /var/lib/postgresql/data'
+	su - postgres -c '/usr/lib/postgresql/15/bin/pg_ctl initdb -D /var/lib/postgresql/data'
 	cp /opt/tak/db-utils/pg_hba.conf /var/lib/postgresql/data/pg_hba.conf
-	su - postgres -c "/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data -l logfile start"	
+	su - postgres -c "/usr/lib/postgresql/15/bin/pg_ctl -D /var/lib/postgresql/data -l logfile start"	
 
 	cd /opt/tak/db-utils
 	./configure.sh

scripts/setup.sh

@@ -214,6 +214,8 @@ chown -R $USER:$USER tak
 cp ./scripts/configureInDocker1.sh ./tak/db-utils/configureInDocker.sh
 cp ./postgresql1.conf ./tak/postgresql.conf
 cp ./scripts/takserver-setup-db-1.sh ./tak/db-utils/takserver-setup-db.sh
+
+# This config uses a docker alias of postgresql://tak-database:5432/
 cp ./CoreConfig.xml ./tak/CoreConfig.xml
 
 ## Set admin username and password and ensure it meets validation criteria
@@ -231,8 +233,18 @@ IP=$(ip addr show $NIC | grep -m 1 "inet " | awk '{print $2}' | cut -d "/" -f1)
 
 printf $info "\nProceeding with IP address: $IP\n"
 sed -i "s/password=\".*\"/password=\"${pgpassword}\"/" tak/CoreConfig.xml
+# Replaces HOSTIP for rate limiter and Fed server. Database URL is a docker alias of tak-database
 sed -i "s/HOSTIP/$IP/g" tak/CoreConfig.xml
 
+# Replaces takserver.jks with $IP.jks
+sed -i "s/takserver.jks/$IP.jks/g" tak/CoreConfig.xml
+
+# Better memory allocation:
+# By default TAK server allocates memory based upon the *total* on a machine. 
+# In the real world, people not on a gov budget use a server for more than one thing.
+# Instead we allocate memory based upon the available memory so this still scales, but you can run it on a smaller budget
+sed -i "s/MemTotal/MemFree/g" tak/setenv.sh
+
 ## Set variables for generating CA and client certs
 printf $warning "SSL setup. Hit enter (x3) to accept the defaults:\n"
 read -p "State (for cert generation). Default [state] :" state
@@ -276,10 +288,10 @@ while :
 do
 	sleep 10 # let the PG stderr messages conclude...
 	printf $warning "------------CERTIFICATE GENERATION--------------\n"
-	$DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeRootCa.sh --ca-name LOL"
+	$DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeRootCa.sh --ca-name CRFtakserver"
 	if [ $? -eq 0 ];
 	then
-		$DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeCert.sh server takserver"
+		$DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeCert.sh server $IP"
 		if [ $? -eq 0 ];
 		then
 			$DOCKER_COMPOSE exec tak bash -c "cd /opt/tak/certs && ./makeCert.sh client $user"	
@@ -305,6 +317,7 @@ cd tak/certs
 ./makeCert.sh client user1
 ./makeCert.sh client user2
 
+
 # Make 2 data packages
 cd ../../
 ./scripts/certDP.sh $IP user1

scripts/takserver-setup-db-1.sh

@@ -17,7 +17,7 @@
 # if [ "x$DB_EXISTS" != "x" ]; then
 #   sed -i 's/127.0.0.1\/32/0.0.0.0\/0/g' /opt/tak/db-utils/pg_hba.conf
 #   cp /opt/tak/db-utils/pg_hba.conf /var/lib/postgresql/data/pg_hba.conf
-#   su - postgres -c "/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data -l logfile restart -o '-c max_connections=2100 -c shared_buffers=2560MB'"
+#   su - postgres -c "/usr/lib/postgresql/15/bin/pg_ctl -D /var/lib/postgresql/data -l logfile restart -o '-c max_connections=2100 -c shared_buffers=2560MB'"
 #   exit 0
 # fi
 
@@ -52,8 +52,8 @@ fi
 DB_INIT=""
 # Ensure PostgreSQL is initialized.
 
-if [ -x /usr/lib/postgresql/14/bin/pg_ctl ]; then
-    DB_INIT="/usr/lib/postgresql/14/bin/pg_ctl initdb"
+if [ -x /usr/lib/postgresql/15/bin/pg_ctl ]; then
+    DB_INIT="/usr/lib/postgresql/15/bin/pg_ctl initdb"
 elif [ -x /usr/bin/postgresql-setup ]; then
     DB_INIT="/usr/bin/postgresql-setup initdb"
 else