[LON-CAPA-cvs] cvs: doc /install/linux install.pl
raeburn
raeburn@source.lon-capa.org
Wed, 23 Mar 2011 15:01:35 -0000
raeburn Wed Mar 23 15:01:35 2011 EDT
Modified files:
/doc/install/linux install.pl
Log:
- Add ntp to services for which runlevel check is made.
- More informative feedback on how to configure firewall.
- For debian5, ufw is unavailable, so provide a script for use in
setting up iptables for ssh, http and https.
Content-Disposition: attachment; filename="raeburn-20110323150135.txt"
Index: doc/install/linux/install.pl
diff -u doc/install/linux/install.pl:1.4 doc/install/linux/install.pl:1.5
--- doc/install/linux/install.pl:1.4 Mon Mar 21 13:32:44 2011
+++ doc/install/linux/install.pl Wed Mar 23 15:01:34 2011
@@ -72,7 +72,7 @@
&mt('Stopping execution.')."\n";
exit;
} else {
- print LOG '$Id: install.pl,v 1.4 2011/03/21 13:32:44 raeburn Exp $'."\n";
+ print LOG '$Id: install.pl,v 1.5 2011/03/23 15:01:34 raeburn Exp $'."\n";
}
#
@@ -316,7 +316,7 @@
return ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow);
}
my ($mysqlon,$mysqlsetup,$dbh,$has_pass,$has_lcdb,%recommended,$downloadstatus,
- $filetouse,$production,$testing);
+ $filetouse,$production,$testing,$apachefw,$tostop);
my $wwwuid = &uid_of_www();
my $wwwgid = getgrnam('www');
if (($wwwuid eq '') || ($wwwgid eq '')) {
@@ -344,8 +344,7 @@
$recommended{'mysql'} = 1;
}
}
- my $tostop;
- $recommended{'firewall'} = &chkfirewall($distro);
+ ($recommended{'firewall'},$apachefw) = &chkfirewall($distro);
($recommended{'runlevels'},$tostop) = &chkconfig($distro);
$recommended{'apache'} = &chkapache($distro,$instdir);
$recommended{'stopsrvcs'} = &chksrvcs($distro,$tostop);
@@ -353,7 +352,7 @@
= &need_download();
return ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow,
\%recommended,$dbh,$has_pass,$has_lcdb,$downloadstatus,
- $filetouse,$production,$testing);
+ $filetouse,$production,$testing,$apachefw);
}
sub check_mysql_running {
@@ -400,6 +399,7 @@
my $mysqldaemon ='mysqld';
my $webserver = 'httpd';
my $cupsdaemon = 'cups';
+ my $ntpdaemon = 'ntpd';
my @runlevels = qw/3 4 5/;
my @norunlevels = qw/0 1 6/;
if ($distro =~ /^(suse|sles)/) {
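Review bot: `my $ntpdaemon = 'ntpd';` is the default for every distribution, and the only override visible in this commit (`$ntpdaemon = 'ntp';` in the @@ -416 hunk) sits in the branch that also sets `apache2`/`mysql`, which looks like the Debian/Ubuntu branch; the SUSE/SLES branch that opens on the last line of this hunk, with its body outside it, keeps `ntpd`. On SUSE-family systems the sysv init script has historically been `ntp` rather than `ntpd`, so `--list ntpd` there would likely report the service as absent and the runlevel check would be skipped or misreported — worth confirming against a SLES host. If that holds, add `$ntpdaemon = 'ntp';` alongside the other suse-specific daemon names in that branch.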
@@ -416,6 +416,7 @@
$checker_bin = '/usr/sbin/sysv-rc-conf';
$mysqldaemon = 'mysql';
$webserver = 'apache2';
+ $ntpdaemon = 'ntp';
}
if (! -x $checker_bin) {
print &mt('Could not check runlevel status for MySQL or Apache.')."\n";
@@ -423,7 +424,7 @@
}
my $rlstr = join('',@runlevels);
my $nrlstr = join('',@norunlevels);
- foreach my $type ('apache','mysql','cups') {
+ foreach my $type ('apache','mysql','ntp','cups') {
my $service;
if ($type eq 'apache') {
$service = $webserver;
@@ -431,6 +432,8 @@
$service = $mysqldaemon;
} elsif ($type eq 'cups') {
$service = $cupsdaemon;
+ } elsif ($type eq 'ntp') {
+ $service = $ntpdaemon;
}
my $command = $checker_bin.' --list '.$service;
my $results = `$command`;
@@ -448,7 +451,7 @@
for (my $rl=0; $rl<=6; $rl++) {
if ($results =~ /$rl:on/) { $curr_runlevels{$rl}++; }
}
- if (($type eq 'apache') || ($type eq 'mysql')) {
+ if (($type eq 'apache') || ($type eq 'mysql') || ($type eq 'ntp')) {
my $warning;
foreach my $rl (@runlevels) {
if (!exists($curr_runlevels{$rl})) {
@@ -464,7 +467,7 @@
}
if ($tofix) {
$needfix{$type} = $tofix;
- }
+ }
}
if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
my $name = $1;
@@ -483,19 +486,20 @@
}
sub chkfirewall {
+ my ($distro) = @_;
my $configfirewall = 1;
my %ports = (
http => 80,
https => 443,
);
+ my %activefw;
if (&firewall_is_active()) {
my $iptables = &get_pathto_iptables();
if ($iptables eq '') {
print &mt('Firewall not checked as path to iptables not determined.')."\n";
} else {
- my @fwchains = &get_fw_chains($iptables);
+ my @fwchains = &get_fw_chains($iptables,$distro);
if (@fwchains) {
- my %activefw;
foreach my $service ('http','https') {
foreach my $fwchain (@fwchains) {
if (&firewall_is_port_open($iptables,$fwchain,$ports{$service})) {
@@ -514,7 +518,7 @@
} else {
print &mt('Firewall not enabled.')."\n";
}
- return $configfirewall;
+ return ($configfirewall,\%activefw);
}
sub chkapache {
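Review bot: The new second return value at `return ($configfirewall,\%activefw);` has no stated contract, and its meaning is ambiguous: `%activefw` is declared before the `firewall_is_active()` test (previous hunk) and appears to be filled only inside the branch where iptables was located and chains were listed, so an empty hash can mean "no http/https port open" or "not inspected at all" (firewall inactive, iptables path unknown, no chains). The caller `get_iptables_rules` treats both cases as "every port needs a rule", which is the safe default, but that should be written down next to the return. Suggested comment: `# %activefw: service => true for each of http/https found open in an iptables chain; left empty when the firewall was inactive or could not be inspected — callers treat empty as "nothing open".` The head of chkfirewall, where `%activefw` is declared, is in the preceding hunk.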
@@ -561,7 +565,6 @@
my $diffres = <PIPE>;
close(PIPE);
chomp($diffres);
- print "Diff is ||$diffres||\n";
unless ($diffres) {
$fixapache = 0;
}
@@ -774,7 +777,7 @@
}
sub get_fw_chains {
- my ($iptables) = @_;
+ my ($iptables,$distro) = @_;
my @fw_chains;
my $suse_config = "/etc/sysconfig/SuSEfirewall2";
my $ubuntu_config = "/etc/ufw/ufw.conf";
@@ -784,6 +787,8 @@
my @posschains;
if (-e $ubuntu_config) {
@posschains = ('ufw-user-input','INPUT');
+ } elsif ($distro =~ /^debian5/) {
+ @posschains = ('INPUT');
} else {
@posschains = ('RH-Firewall-1-INPUT','INPUT');
if (!-e '/etc/sysconfig/iptables') {
@@ -978,7 +983,7 @@
my $dsn = "DBI:mysql:database=mysql";
my ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow,$recommended,
$dbh,$has_pass,$has_lcdb,$downloadstatus,$filetouse,$production,
- $testing) = &check_required($instdir,$dsn);
+ $testing,$apachefw) = &check_required($instdir,$dsn);
if ($distro eq '') {
print "\n".&mt('Linux distribution could not be verified as a supported distribution.')."\n".
&mt('The following are supported: [_1].',
@@ -1008,7 +1013,8 @@
} else {
($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow,
$recommended,$dbh,$has_pass,$has_lcdb,$downloadstatus,
- $filetouse) = &check_required($instdir,$dsn);
+ $filetouse,$production,$testing,$apachefw) =
+ &check_required($instdir,$dsn);
}
} else {
print &mt('Failed to run command to install LONCAPA-prequisites')."\n";
@@ -1166,22 +1172,38 @@
if ($callsub{'firewall'}) {
if ($distro =~ /^(suse|sles)/) {
- print &mt('Use [_1].','yast')."\n";
- } elsif ($distro =~ /^(debian|ubuntu)/) {
- print &mt('Use [_1].','ufw')."\n";
+ print &mt('Use [_1] to configure the firewall to allow access for [_2].',
+ 'yast -- Security and Users -> Firewall -> Interfaces',
+ 'ssh, http, https')."\n";
+ } elsif ($distro =~ /^(debian|ubuntu)(\d+)/) {
+ if (($1 eq 'ubuntu') || ($2 > 5)) {
+ print &mt('Use [_1] to configure the firewall to allow access for [_2].',
+ 'ufw','ssh, http, https')."\n";
+ } else {
+ my $fwadded = &get_iptables_rules($distro,$instdir,$apachefw);
+ if ($fwadded) {
+ print &mt('Enable firewall? ~[Y/n~]');
+ my $enable_iptables = &get_user_selection(1);
+ if ($enable_iptables) {
+ system('/etc/network/if-pre-up.d/iptables');
+ print &mt('Firewall enabled using rules defined in [_1].',
+ '/etc/iptables.loncapa.rules');
+ }
+ }
+ }
} else {
- print &mt('Use [_1].','setup')."\n";
+ print &mt('Use [_1] to configure the firewall to allow access for [_2].',
+ 'setup -- Firewall confiuration -> Customize',
+ 'ssh, http, https')."\n";
}
} else {
- if ($distro =~ /^(suse|sles)/) {
- &print_and_log(&mt('Skipping Firewall configuration.')."\n");
- }
+ &print_and_log(&mt('Skipping Firewall configuration.')."\n");
}
if ($callsub{'stopsrvcs'}) {
&kill_extra_services($distro,$recommended->{'stopsrvcs'});
} else {
- &print_and_log(&mt('Skipping stopping unnecessary services ([_1] and [_2] daemons).',"'cups'","'sendmail'")."\n");
+ &print_and_log(&mt('Skipping stopping unnecessary service ([_1] daemon).',"'cups'")."\n");
}
my ($have_tarball,$updateshown);
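Review bot: The return value of `system('/etc/network/if-pre-up.d/iptables');` is not checked, so `Firewall enabled using rules defined in …` is printed even when the script fails or was never installed; guard it with `if (system('/etc/network/if-pre-up.d/iptables') == 0) { … } else { print_and_log(&mt('Failed to enable firewall using [_1].','/etc/network/if-pre-up.d/iptables')."\n"); }`, and note that this message is also the only one in the branch without a trailing `"\n"`. The user-facing string `'setup -- Firewall confiuration -> Customize'` has a typo: `confiuration` → `configuration`. The distro test was tightened from `/^(debian|ubuntu)/` to `/^(debian|ubuntu)(\d+)/`, so a `$distro` value without a version suffix would now fall through to the `setup` advice intended for Red Hat-style systems; whether such a value can occur depends on how `$distro` is built, which is outside this hunk.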
@@ -1345,7 +1367,7 @@
# Install patched pwauth
print_and_log(&mt('Copying pwauth to [_1]',' /usr/local/sbin')."\n");
if (copy "$dir/pwauth","/usr/local/sbin/pwauth") {
- if (chmod (06755, "/usr/local/sbin/pwauth")) {
+ if (chmod(06755, "/usr/local/sbin/pwauth")) {
print_and_log(&mt('[_1] copied successfully',"'pwauth'").
"\n");
} else {
@@ -1536,7 +1558,7 @@
"'/etc/httpd/conf/httpd.conf'")."\n");
copy "/etc/httpd/conf/httpd.conf","/etc/httpd/conf/httpd.conf.original";
copy "$instdir/httpd.conf","/etc/httpd/conf/httpd.conf";
- chmod 0444,"/etc/httpd/conf/httpd.conf";
+ chmod(0444,"/etc/httpd/conf/httpd.conf");
print_and_log("\n");
}
@@ -1581,7 +1603,7 @@
copy "/etc/apache2/default-server.conf","/etc/apache2/default-server.conf.original";
}
copy "$instdir/default-server.conf","/etc/apache2/default-server.conf";
- chmod 0444,"/etc/apache2/default-server.conf";
+ chmod(0444,"/etc/apache2/default-server.conf");
# Make symlink for conf directory (included in loncapa_apache.conf)
my $can_symlink = (eval { symlink('/etc/apache2','/srv/www/conf'); }, $@ eq '');
if ($can_symlink) {
@@ -1608,7 +1630,7 @@
copy "/etc/apache2/uid.conf","/etc/apache2/uid.conf.original";
}
copy "$instdir/uid.conf","/etc/apache2/uid.conf";
- chmod 0444,"/etc/apache2/uid.conf";
+ chmod(0444,"/etc/apache2/uid.conf");
}
###############################################
@@ -1623,7 +1645,7 @@
copy "/etc/sysconfig/apache2","/etc/sysconfig/apache2.original";
}
copy "$instdir/sysconfig_apache2","/etc/sysconfig/apache2";
- chmod 0444,"/etc/sysconfig/apache2";
+ chmod(0444,"/etc/sysconfig/apache2");
}
###############################################
@@ -1646,7 +1668,68 @@
copy "/etc/insserv/overrides/SuSEfirewall2_setup","/etc/insserv/overrides/SuSEfirewall2_setup.original"
}
copy "$instdir/SuSEfirewall2_setup","/etc/insserv/overrides/SuSEfirewall2_setup";
- chmod 0444,"/etc/insserv/overrides/SuSEfirewall2_setup";
+ chmod(0444,"/etc/insserv/overrides/SuSEfirewall2_setup");
+}
+
+sub get_iptables_rules {
+ my ($distro,$instdir,$apachefw) = @_;
+ my (@fwchains,@ports);
+ if (&firewall_is_active()) {
+ my $iptables = &get_pathto_iptables();
+ if ($iptables ne '') {
+ @fwchains = &get_fw_chains($iptables,$distro);
+ }
+ }
+ if (ref($apachefw) eq 'HASH') {
+ foreach my $service ('http','https') {
+ unless ($apachefw->{$service}) {
+ push (@ports,$service);
+ }
+ }
+ } else {
+ @ports = ('http','https');
+ }
+ if (@ports == 0) {
+ return;
+ }
+ my $ask_to_enable;
+ if (-e "/etc/iptables.loncapa.rules") {
+ if (open(PIPE, "diff --brief $instdir/debian/iptables.loncapa.rules /etc/iptables.loncapa.rules |")) {
+ my $diffres = <PIPE>;
+ close(PIPE);
+ chomp($diffres);
+ if ($diffres) {
+ print &mt('Warning: [_1] exists but differs from LON-CAPA supplied file.','/etc/iptables.loncapa.rules')."\n";
+ }
+ } else {
+ print &mt('Error: unable to open [_1] to compare contents with LON-CAPA supplied file.','/etc/iptables.loncapa.rules')."\n";
+ }
+ } else {
+ if (-e "$instdir/debian/iptables.loncapa.rules") {
+ copy "$instdir/debian/iptables.loncapa.rules","/etc/iptables.loncapa.rules";
+ chmod(0600,"/etc/iptables.loncapa.rules");
+ }
+ }
+ if (-e "/etc/iptables.loncapa.rules") {
+ if (-e "/etc/network/if-pre-up.d/iptables") {
+ if (open(PIPE, "diff --brief $instdir/debian/iptables /etc/network/if-pre-up/iptables |")) {
+ my $diffres = <PIPE>;
+ close(PIPE);
+ chomp($diffres);
+ if ($diffres) {
+ print &mt('Warning: [_1] exists but differs from LON-CAPA supplied file.','/etc/network/if-pre-up.d/iptables')."\n";
+ }
+ } else {
+ print &mt('Error: unable to open [_1] to compare contents with LON-CAPA supplied file.','/etc/network/if-pre-up.d/iptables')."\n";
+ }
+ } else {
+ copy "$instdir/debian/iptables","/etc/network/if-pre-up.d/iptables";
+ chmod(0755,"/etc/network/if-pre-up.d/iptables");
+ print_and_log(&mt('Installed script "[_1]" to add iptables rules to block all ports except 22, 80, and 443 when network is enabled during boot.','/etc/network/if-pre-up.d/iptables'));
+ $ask_to_enable = 1;
+ }
+ }
+ return $ask_to_enable;
}
sub download_loncapa {
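Review bot: The second comparison, `diff --brief $instdir/debian/iptables /etc/network/if-pre-up/iptables |`, is missing the `.d` in the directory name, while the `-e` test just above and the warning text both use `/etc/network/if-pre-up.d/iptables`; diff will report a missing file on stderr, `$diffres` stays empty, and a modified pre-up script is never flagged. Both `copy` calls (the rules file and the pre-up script) ignore File::Copy's return value, so the `Installed script …` message is logged and `$ask_to_enable` is set even when nothing was copied, after which the caller will try to run a script that does not exist. The two `open(PIPE, "diff --brief … |")` calls also pass `$instdir` through a shell with a bareword handle; the list form `open(my $pipe, '-|', 'diff', '--brief', "$instdir/debian/iptables", '/etc/network/if-pre-up.d/iptables')` avoids both, and the same applies to the comparison of the rules file earlier in the sub. The pre-up-script block with those changes:
```perl
    if (-e "/etc/network/if-pre-up.d/iptables") {
        if (open(my $pipe, '-|', 'diff', '--brief', "$instdir/debian/iptables", '/etc/network/if-pre-up.d/iptables')) {
            my $diffres = <$pipe>;
            close($pipe);
            # … unchanged: chomp and "exists but differs" warning …
        } else {
            # … unchanged: "unable to open" error message …
        }
    } elsif (copy("$instdir/debian/iptables", "/etc/network/if-pre-up.d/iptables")) {
        chmod(0755, "/etc/network/if-pre-up.d/iptables");
        # … unchanged: "Installed script" print_and_log …
        $ask_to_enable = 1;
    } else {
        print &mt('Error: unable to copy [_1] to [_2].', "$instdir/debian/iptables", '/etc/network/if-pre-up.d/iptables')."\n";
    }
```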