[LON-CAPA-cvs] cvs: doc /install/linux install.pl

raeburn raeburn@source.lon-capa.org
Wed, 23 Mar 2011 15:01:35 -0000



raeburn		Wed Mar 23 15:01:35 2011 EDT

  Modified files:              
    /doc/install/linux	install.pl 
  Log:
  - Add ntp to services for which runlevel check is made.
  - More informative feedback on how to configure the firewall.
  - For debian5, ufw is unavailable, so provide a script to set up
    iptables for ssh, http and https.
  
  

Index: doc/install/linux/install.pl
diff -u doc/install/linux/install.pl:1.4 doc/install/linux/install.pl:1.5
--- doc/install/linux/install.pl:1.4	Mon Mar 21 13:32:44 2011
+++ doc/install/linux/install.pl	Wed Mar 23 15:01:34 2011
@@ -72,7 +72,7 @@
           &mt('Stopping execution.')."\n";
     exit;
 } else {
-    print LOG '$Id: install.pl,v 1.4 2011/03/21 13:32:44 raeburn Exp $'."\n";
+    print LOG '$Id: install.pl,v 1.5 2011/03/23 15:01:34 raeburn Exp $'."\n";
 }
 
 #
@@ -316,7 +316,7 @@
         return ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow);
     }
     my ($mysqlon,$mysqlsetup,$dbh,$has_pass,$has_lcdb,%recommended,$downloadstatus,
-        $filetouse,$production,$testing);
+        $filetouse,$production,$testing,$apachefw,$tostop);
     my $wwwuid = &uid_of_www();
     my $wwwgid = getgrnam('www');
     if (($wwwuid eq '') || ($wwwgid eq '')) {
@@ -344,8 +344,7 @@
             $recommended{'mysql'} = 1;
         }
     }
-    my $tostop;
-    $recommended{'firewall'} = &chkfirewall($distro); 
+    ($recommended{'firewall'},$apachefw) = &chkfirewall($distro);
     ($recommended{'runlevels'},$tostop) = &chkconfig($distro);
     $recommended{'apache'} = &chkapache($distro,$instdir);
     $recommended{'stopsrvcs'} = &chksrvcs($distro,$tostop);
@@ -353,7 +352,7 @@
         = &need_download();
     return ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow,
             \%recommended,$dbh,$has_pass,$has_lcdb,$downloadstatus,
-            $filetouse,$production,$testing);
+            $filetouse,$production,$testing,$apachefw);
 }
 
 sub check_mysql_running {
@@ -400,6 +399,7 @@
     my $mysqldaemon ='mysqld';
     my $webserver = 'httpd';
     my $cupsdaemon = 'cups';
+    my $ntpdaemon = 'ntpd';
     my @runlevels = qw/3 4 5/;
     my @norunlevels = qw/0 1 6/;
     if ($distro =~ /^(suse|sles)/) {
@@ -416,6 +416,7 @@
         $checker_bin = '/usr/sbin/sysv-rc-conf';
         $mysqldaemon = 'mysql';
         $webserver = 'apache2';
+        $ntpdaemon = 'ntp';
     }
     if (! -x $checker_bin) {
         print &mt('Could not check runlevel status for MySQL or Apache.')."\n";
@@ -423,7 +424,7 @@
     }
     my $rlstr = join('',@runlevels);
     my $nrlstr = join('',@norunlevels);
-    foreach my $type ('apache','mysql','cups') {
+    foreach my $type ('apache','mysql','ntp','cups') {
         my $service;
         if ($type eq 'apache') {
             $service = $webserver;
@@ -431,6 +432,8 @@
             $service = $mysqldaemon; 
         } elsif ($type eq 'cups') {
             $service = $cupsdaemon;
+        } elsif ($type eq 'ntp') {
+            $service = $ntpdaemon;
         }
         my $command = $checker_bin.' --list '.$service;
         my $results = `$command`;
@@ -448,7 +451,7 @@
             for (my $rl=0; $rl<=6; $rl++) {
                 if ($results =~ /$rl:on/) { $curr_runlevels{$rl}++; }
             }
-            if (($type eq 'apache') || ($type eq 'mysql')) {
+            if (($type eq 'apache') || ($type eq 'mysql') || ($type eq 'ntp')) {
                 my $warning;
                 foreach my $rl (@runlevels) {
                     if (!exists($curr_runlevels{$rl})) {
@@ -464,7 +467,7 @@
         }
         if ($tofix) {
             $needfix{$type} = $tofix;
-        }    
+        }
     }
     if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
         my $name = $1;
@@ -483,19 +486,20 @@
 }
 
 sub chkfirewall {
+    my ($distro) = @_;
     my $configfirewall = 1;
     my %ports = (
                     http  =>  80,
                     https => 443,
                 );
+    my %activefw;
     if (&firewall_is_active()) {
         my $iptables = &get_pathto_iptables();
         if ($iptables eq '') {
             print &mt('Firewall not checked as path to iptables not determined.')."\n";
         } else {
-            my @fwchains = &get_fw_chains($iptables);
+            my @fwchains = &get_fw_chains($iptables,$distro);
             if (@fwchains) {
-                my %activefw;
                 foreach my $service ('http','https') {
                     foreach my $fwchain (@fwchains) {
                         if (&firewall_is_port_open($iptables,$fwchain,$ports{$service})) {
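Review bot: `chkfirewall` now takes `$distro` and returns a two-element list, but neither the parameter nor the new return shape is documented, and the callers unpack it positionally. A header comment before `sub chkfirewall {` would make the contract visible, e.g. `# chkfirewall($distro): returns ($configfirewall, \%activefw) -- a flag for whether the firewall still needs configuring, and a hash keyed by 'http'/'https' for ports found open in an inspected chain (presumably set to a true value; the loop body that fills it is outside this hunk).` The sub's body continues past the end of this hunk.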
@@ -514,7 +518,7 @@
     } else {
         print &mt('Firewall not enabled.')."\n";
     }
-    return $configfirewall;
+    return ($configfirewall,\%activefw);
 }
 
 sub chkapache {
@@ -561,7 +565,6 @@
                 my $diffres = <PIPE>;
                 close(PIPE);
                 chomp($diffres);
-                print "Diff is ||$diffres||\n";
                 unless ($diffres) {
                     $fixapache = 0;
                 }
@@ -774,7 +777,7 @@
 }
 
 sub get_fw_chains {
-    my ($iptables) = @_;
+    my ($iptables,$distro) = @_;
     my @fw_chains;
     my $suse_config = "/etc/sysconfig/SuSEfirewall2";
     my $ubuntu_config = "/etc/ufw/ufw.conf";
@@ -784,6 +787,8 @@
         my @posschains;
         if (-e $ubuntu_config) {
             @posschains = ('ufw-user-input','INPUT');
+        } elsif ($distro =~ /^debian5/) {
+            @posschains = ('INPUT');
         } else {
             @posschains = ('RH-Firewall-1-INPUT','INPUT');
             if (!-e '/etc/sysconfig/iptables') {
@@ -978,7 +983,7 @@
 my $dsn = "DBI:mysql:database=mysql";
 my ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow,$recommended,
     $dbh,$has_pass,$has_lcdb,$downloadstatus,$filetouse,$production,
-    $testing) = &check_required($instdir,$dsn); 
+    $testing,$apachefw) = &check_required($instdir,$dsn);
 if ($distro eq '') {
     print "\n".&mt('Linux distribution could not be verified as a supported distribution.')."\n".
           &mt('The following are supported: [_1].',
@@ -1008,7 +1013,8 @@
                 } else {
                     ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow,
                      $recommended,$dbh,$has_pass,$has_lcdb,$downloadstatus,
-                     $filetouse) = &check_required($instdir,$dsn);
+                     $filetouse,$production,$testing,$apachefw) = 
+                     &check_required($instdir,$dsn);
                 }
             } else {
                 print &mt('Failed to run command to install LONCAPA-prequisites')."\n";
@@ -1166,22 +1172,38 @@
 
 if ($callsub{'firewall'}) {
     if ($distro =~ /^(suse|sles)/) {
-        print &mt('Use [_1].','yast')."\n";
-    } elsif ($distro =~ /^(debian|ubuntu)/) {
-        print &mt('Use [_1].','ufw')."\n";
+        print &mt('Use [_1] to configure the firewall to allow access for [_2].',
+                  'yast -- Security and Users -> Firewall -> Interfaces',
+                   'ssh, http, https')."\n";
+    } elsif ($distro =~ /^(debian|ubuntu)(\d+)/) {
+        if (($1 eq 'ubuntu') || ($2 > 5)) {
+            print &mt('Use [_1] to configure the firewall to allow access for [_2].',
+                      'ufw','ssh, http, https')."\n";
+        } else {
+            my $fwadded = &get_iptables_rules($distro,$instdir,$apachefw);
+            if ($fwadded) {
+                print &mt('Enable firewall? ~[Y/n~]');
+                my $enable_iptables = &get_user_selection(1);
+                if ($enable_iptables) {
+                    system('/etc/network/if-pre-up.d/iptables');
+                    print &mt('Firewall enabled using rules defined in [_1].',
+                              '/etc/iptables.loncapa.rules'); 
+                }
+            }
+        }
     } else {
-        print &mt('Use [_1].','setup')."\n";
+        print &mt('Use [_1] to configure the firewall to allow access for [_2].',
+                  'setup -- Firewall confiuration -> Customize',
+                  'ssh, http, https')."\n";
     }
 } else {
-    if ($distro =~ /^(suse|sles)/) {
-        &print_and_log(&mt('Skipping Firewall configuration.')."\n");
-    }
+    &print_and_log(&mt('Skipping Firewall configuration.')."\n");
 }
 
 if ($callsub{'stopsrvcs'}) {
     &kill_extra_services($distro,$recommended->{'stopsrvcs'});
 } else {
-    &print_and_log(&mt('Skipping stopping unnecessary services ([_1] and [_2] daemons).',"'cups'","'sendmail'")."\n");
+    &print_and_log(&mt('Skipping stopping unnecessary service ([_1] daemon).',"'cups'")."\n");
 }
 
 my ($have_tarball,$updateshown);
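Review bot: The `system('/etc/network/if-pre-up.d/iptables')` call is unchecked, so 'Firewall enabled using rules defined in ...' is printed even when the script fails, and that `print` also lacks the trailing `"\n"` the neighbouring messages carry. Checking the exit status and reporting failure keeps the user from believing the rules are loaded when they are not. Separately, the new `/^(debian|ubuntu)(\d+)/` requires a version number where the old pattern did not; if `$distro` can ever be a bare 'debian' or 'ubuntu' it now falls through to the 'setup' message, whose string also has a typo, `confiuration`. The enclosing `if ($callsub{'firewall'})` block is complete within the hunk.
```perl
                if ($enable_iptables) {
                    # Report failure instead of claiming success unconditionally.
                    if (system('/etc/network/if-pre-up.d/iptables') == 0) {
                        print &mt('Firewall enabled using rules defined in [_1].',
                                  '/etc/iptables.loncapa.rules')."\n";
                    } else {
                        print &mt('Failed to enable firewall with [_1].',
                                  '/etc/network/if-pre-up.d/iptables')."\n";
                    }
                }
```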
@@ -1345,7 +1367,7 @@
             # Install patched pwauth
             print_and_log(&mt('Copying pwauth to [_1]',' /usr/local/sbin')."\n");
             if (copy "$dir/pwauth","/usr/local/sbin/pwauth") {
-                if (chmod (06755, "/usr/local/sbin/pwauth")) {
+                if (chmod(06755, "/usr/local/sbin/pwauth")) {
                     print_and_log(&mt('[_1] copied successfully',"'pwauth'").
                                   "\n");
                 } else {
@@ -1536,7 +1558,7 @@
                   "'/etc/httpd/conf/httpd.conf'")."\n");
     copy "/etc/httpd/conf/httpd.conf","/etc/httpd/conf/httpd.conf.original";
     copy "$instdir/httpd.conf","/etc/httpd/conf/httpd.conf";
-    chmod 0444,"/etc/httpd/conf/httpd.conf";
+    chmod(0444,"/etc/httpd/conf/httpd.conf");
     print_and_log("\n");
 }
 
@@ -1581,7 +1603,7 @@
         copy "/etc/apache2/default-server.conf","/etc/apache2/default-server.conf.original";
     }
     copy "$instdir/default-server.conf","/etc/apache2/default-server.conf";
-    chmod 0444,"/etc/apache2/default-server.conf";
+    chmod(0444,"/etc/apache2/default-server.conf");
     # Make symlink for conf directory (included in loncapa_apache.conf)
     my $can_symlink = (eval { symlink('/etc/apache2','/srv/www/conf'); }, $@ eq '');
     if ($can_symlink) {
@@ -1608,7 +1630,7 @@
         copy "/etc/apache2/uid.conf","/etc/apache2/uid.conf.original";
     }
     copy "$instdir/uid.conf","/etc/apache2/uid.conf";
-    chmod 0444,"/etc/apache2/uid.conf";
+    chmod(0444,"/etc/apache2/uid.conf");
 }
 
 ###############################################
@@ -1623,7 +1645,7 @@
         copy "/etc/sysconfig/apache2","/etc/sysconfig/apache2.original";
     }
     copy "$instdir/sysconfig_apache2","/etc/sysconfig/apache2";
-    chmod 0444,"/etc/sysconfig/apache2";
+    chmod(0444,"/etc/sysconfig/apache2");
 }
 
 ###############################################
@@ -1646,7 +1668,68 @@
         copy "/etc/insserv/overrides/SuSEfirewall2_setup","/etc/insserv/overrides/SuSEfirewall2_setup.original"
     }
     copy "$instdir/SuSEfirewall2_setup","/etc/insserv/overrides/SuSEfirewall2_setup";
-    chmod 0444,"/etc/insserv/overrides/SuSEfirewall2_setup";
+    chmod(0444,"/etc/insserv/overrides/SuSEfirewall2_setup");
+}
+
+sub get_iptables_rules {
+    my ($distro,$instdir,$apachefw) = @_;
+    my (@fwchains,@ports);
+    if (&firewall_is_active()) {
+        my $iptables = &get_pathto_iptables();
+        if ($iptables ne '') {
+            @fwchains = &get_fw_chains($iptables,$distro);
+        }
+    }
+    if (ref($apachefw) eq 'HASH') {
+        foreach my $service ('http','https') {
+            unless ($apachefw->{$service}) {
+                push (@ports,$service); 
+            }
+        }
+    } else {
+        @ports = ('http','https');
+    }
+    if (@ports == 0) {
+        return;
+    }
+    my $ask_to_enable;
+    if (-e "/etc/iptables.loncapa.rules") {
+        if (open(PIPE, "diff --brief $instdir/debian/iptables.loncapa.rules /etc/iptables.loncapa.rules |")) {
+            my $diffres = <PIPE>;
+            close(PIPE);
+            chomp($diffres);
+            if ($diffres) {
+                print &mt('Warning: [_1] exists but differs from LON-CAPA supplied file.','/etc/iptables.loncapa.rules')."\n";
+            }
+        } else {
+            print &mt('Error: unable to open [_1] to compare contents with LON-CAPA supplied file.','/etc/iptables.loncapa.rules')."\n";
+        }
+    } else {
+        if (-e "$instdir/debian/iptables.loncapa.rules") {
+            copy "$instdir/debian/iptables.loncapa.rules","/etc/iptables.loncapa.rules";
+            chmod(0600,"/etc/iptables.loncapa.rules");
+        }
+    }
+    if (-e "/etc/iptables.loncapa.rules") {
+        if (-e "/etc/network/if-pre-up.d/iptables") {
+            if (open(PIPE, "diff --brief $instdir/debian/iptables /etc/network/if-pre-up/iptables |")) {
+                my $diffres = <PIPE>;
+                close(PIPE);
+                chomp($diffres);
+                if ($diffres) {
+                    print &mt('Warning: [_1] exists but differs from LON-CAPA supplied file.','/etc/network/if-pre-up.d/iptables')."\n";
+                }
+            } else {
+                print &mt('Error: unable to open [_1] to compare contents with LON-CAPA supplied file.','/etc/network/if-pre-up.d/iptables')."\n";
+            }
+        } else {
+            copy "$instdir/debian/iptables","/etc/network/if-pre-up.d/iptables";
+            chmod(0755,"/etc/network/if-pre-up.d/iptables");
+            print_and_log(&mt('Installed script "[_1]" to add iptables rules to block all ports except 22, 80, and 443 when network is enabled during boot.','/etc/network/if-pre-up.d/iptables'));
+            $ask_to_enable = 1;
+        }
+    }
+    return $ask_to_enable;
 }
 
 sub download_loncapa {
