[LON-CAPA-cvs] cvs: doc(version_2_11_X) /install/linux install.pl
raeburn
raeburn at source.lon-capa.org
Sat Jul 27 14:40:15 EDT 2024
raeburn Sat Jul 27 18:40:15 2024 EDT
Modified files: (Branch: version_2_11_X)
/doc/install/linux install.pl
Log:
- For 2.11
Backport 1.91
-------------- next part --------------
Index: doc/install/linux/install.pl
diff -u doc/install/linux/install.pl:1.45.2.19 doc/install/linux/install.pl:1.45.2.20
--- doc/install/linux/install.pl:1.45.2.19 Sun Jun 30 20:10:29 2024
+++ doc/install/linux/install.pl Sat Jul 27 18:40:15 2024
@@ -76,7 +76,7 @@
&mt('Stopping execution.')."\n";
exit;
} else {
- print LOG '$Id: install.pl,v 1.45.2.19 2024/06/30 20:10:29 raeburn Exp $'."\n";
+ print LOG '$Id: install.pl,v 1.45.2.20 2024/07/27 18:40:15 raeburn Exp $'."\n";
}
#
@@ -511,6 +511,9 @@
}
($recommended{'firewall'},$apachefw) = &chkfirewall($distro);
($recommended{'runlevels'},$tostop,$uses_systemctl) = &chkconfig($distro,$instdir);
+ if ((ref($uses_systemctl) eq 'HASH') && ($uses_systemctl->{'apache'})) {
+ $recommended{'systemd'} = &check_systemd_security($distro);
+ }
$recommended{'apache'} = &chkapache($distro,$instdir);
$recommended{'stopsrvcs'} = &chksrvcs($distro,$tostop);
($recommended{'download'},$downloadstatus,$filetouse,$production,$testing)
@@ -535,6 +538,9 @@
$process = 'mysqld';
$proc_owner = 'mysql';
}
+ if ($1 >= 16) {
+ $use_systemctl = 1;
+ }
} elsif ($distro =~ /^debian(\w+)/) {
if ($1 >= 10) {
$process = 'mysql';
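Review bot: The thresholds that set `$use_systemctl` here (`$1 >= 16`, and `$1 >= 9` in the next hunk) are repeated in check_systemd_update, added later in this commit, so the two lists can drift apart when a distro is added. A small shared helper that maps `$distro` to a systemctl flag would keep them in step. Both new tests also read `$1` several statements after the match on the branch's `elsif` line, and the debian pattern captures `(\w+)`, which is not guaranteed to be numeric. Copying the capture first, e.g. `my $version = $1;`, would make the comparison independent of any later match. The enclosing function starts and ends outside the hunk.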
@@ -543,6 +549,9 @@
if ($1 >= 11) {
$mysqldaemon = 'mariadb';
}
+ if ($1 >= 9) {
+ $use_systemctl = 1;
+ }
} elsif ($distro =~ /^fedora(\d+)/) {
if ($1 >= 16) {
$process = 'mysqld';
@@ -814,6 +823,26 @@
return (\%needfix,\%tostop,\%uses_systemctl);
}
+sub check_systemd_security {
+ my ($distro) = @_;
+ my $service = 'httpd.service';
+ if ($distro =~ /^(suse|sles|ubuntu|debian)/) {
+ $service = 'apache2.service';
+ }
+ system("systemctl daemon-reload");
+ if (open(PIPE,"systemctl show $service --property=ProtectHome 2>/dev/null |")) {
+ my $protection = <PIPE>;
+ close(PIPE);
+ chomp($protection);
+ if ($protection =~ /^ProtectHome=(read-only|yes)$/i) {
+ return 1;
+ }
+ } else {
+ print &mt('Could not check systemctl configuration for Apache')."\n";
+ }
+ return 0;
+}
+
sub uses_firewalld {
my ($distro) = @_;
my ($inuse,$checkfirewalld,$zone);
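Review bot: In check_systemd_security the `else` branch that prints 'Could not check systemctl configuration for Apache' will almost never run, because a piped open() through the shell succeeds whenever the fork does. A missing or failing systemctl instead shows up as an empty read and a non-zero `$?` after `close(PIPE)`, so `$protection` can be undef when it reaches chomp() and the match, and the function returns 0 with no message. Wrapping the chomp and match in `if (defined($protection) && $? == 0) {` and printing the message on the other path would cover that case; the result of `system("systemctl daemon-reload")` is likewise not checked. The sub would also benefit from a header comment stating that a return of 1 means ProtectHome is currently `yes` or `read-only`, which is the state the installer then offers to relax. The pattern does not cover the `tmpfs` value that systemd also accepts for ProtectHome.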
@@ -953,7 +982,9 @@
my $diffres = <PIPE>;
close(PIPE);
chomp($diffres);
- unless ($diffres) {
+ if ($diffres) {
+ $fixapache = 1;
+ } else {
$fixapache = 0;
}
}
@@ -1525,11 +1556,12 @@
".&mt('3.')." ".&mt('Set-up the MySQL database.')."
".&mt('4.')." ".&mt('Set-up MySQL permissions.')."
".&mt('5.')." ".&mt('Configure Apache web server.')."
-".&mt('6.')." ".&mt('Configure start-up of services.')."
-".&mt('7.')." ".&mt('Check firewall settings.')."
-".&mt('8.')." ".&mt('Stop services not used by LON-CAPA,')."
+".&mt('6.')." ".&mt('Configure systemd security settings for Apache web server.')."
+".&mt('7.')." ".&mt('Configure start-up of services.')."
+".&mt('8.')." ".&mt('Check firewall settings.')."
+".&mt('9.')." ".&mt('Stop services not used by LON-CAPA,')."
".&mt('i.e., services for a print server: [_1] daemon.',"'cups'")."
-".&mt('9.')." ".&mt('Download LON-CAPA source code in readiness for installation.')."
+".&mt('10.')." ".&mt('Download LON-CAPA source code in readiness for installation.')."
".&mt('Typically, you will run this script only once, when you first install LON-CAPA.')."
@@ -1558,7 +1590,7 @@
chomp($instdir);
my %callsub;
-my @actions = ('wwwuser','pwauth','mysql','mysqlperms','apache',
+my @actions = ('wwwuser','pwauth','mysql','mysqlperms','apache','systemd',
'runlevels','firewall','stopsrvcs','download');
my %prompts = &texthash(
wwwuser => "Create the 'www' user?",
@@ -1566,6 +1598,7 @@
mysql => 'Set-up the MySQL database?',
mysqlperms => 'Set-up MySQL permissions?',
apache => 'Configure Apache web server?',
+ systemd => 'Configure systemd security settings for Apache web server?',
runlevels => 'Set overrides for start-up order of services?',
firewall => 'Configure firewall settings for Apache',
stopsrvcs => 'Stop extra services not required on a LON-CAPA server?',
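Review bot: The new prompt `Configure systemd security settings for Apache web server?` does not tell the administrator that answering yes relaxes a sandbox setting: check_systemd_update, added in this commit, writes `ProtectHome=no` into the Apache unit's override.conf. Wording such as `Disable systemd ProtectHome for the Apache web server (writes ProtectHome=no to override.conf)?` would let the operator make an informed choice. The same applies to step 6 of the help text changed earlier in this commit. The texthash call starts and ends outside the hunk, and a changed key will presumably need matching translation entries.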
@@ -1772,6 +1805,12 @@
print_and_log(&mt('Skipping configuration of Apache web server.')."\n");
}
+if ($callsub{'systemd'}) {
+ &check_systemd_update($distro);
+} else {
+ print_and_log('Skipping systemd configuration update for web server');
+}
+
if ($callsub{'runlevels'}) {
my $count = 0;
if (ref($recommended) eq 'HASH') {
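Review bot: The skip message on the new `else` branch is passed to print_and_log() as a bare string, while the Apache skip message directly above it goes through `&mt()` and ends with a full stop and `"\n"`. For consistency it could read `print_and_log(&mt('Skipping systemd configuration update for web server.')."\n");`. Whether print_and_log() appends a newline itself is not visible here; if it does not, this message will run into the next line of output. The messages inside check_systemd_update follow the same untranslated pattern.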
@@ -1957,6 +1996,10 @@
if ($1 > 12) {
$lc_uses_systemctl = 1;
}
+ } elsif ($distro =~ /^fedora(\d+)$/) {
+ if ($1 > 25) {
+ $lc_uses_systemctl = 1;
+ }
}
if (!-e '/etc/loncapa-release') {
print &mt('If you are now ready to install LON-CAPA, enter the following commands:')."\n\n";
@@ -2401,6 +2444,116 @@
return ($version,$minorversion,$subversion,$name);
}
+sub check_systemd_update {
+ my ($distro) = @_;
+ my ($use_systemctl,$service);
+ $service = 'apache2.service';
+ if ($distro =~ /^ubuntu(\w+)/) {
+ if ($1 >= 16) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^debian(\w+)/) {
+ if ($1 >= 9) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^fedora(\d+)/) {
+ $service = 'httpd.service';
+ if ($1 >= 16) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) {
+ $service = 'httpd.service';
+ if ($1 >= 7) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^sles(\d+)/) {
+ if ($1 >= 12) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^suse(\d+)/) {
+ if ($1 >= 13) {
+ $use_systemctl = 1;
+ }
+ }
+ if ($use_systemctl) {
+ my $needsupdate = &check_systemd_security($distro);
+ if ($needsupdate) {
+ if (!-d '/etc/systemd/system/'.$service.'.d') {
+ mkdir '/etc/systemd/system/'.$service.'.d', 0755;
+ }
+ if (-d '/etc/systemd/system/'.$service.'.d') {
+ if (-e '/etc/systemd/system/'.$service.'.d/override.conf') {
+ if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) {
+ my ($inservice,$addservice,$protectoff,$linenum,$change, at lines);
+ while (my $entry = <$fh>) {
+ $linenum ++;
+ chomp($entry);
+ if ($entry eq '[Service]') {
+ if (!$protectoff) {
+ $inservice = $linenum;
+ push(@lines,$entry);
+ } else {
+ $addservice = 1;
+ next;
+ }
+ }
+ if ($entry =~ /^ProtectHome\s*=\s*([\w-]+)\s*$/) {
+ my $value = $1;
+ if ($protectoff) {
+ next;
+ if (lc($value) eq 'no') {
+ $protectoff = $linenum;
+ push(@lines,$entry);
+ } else {
+ if ($protectoff) {
+ next;
+ } else {
+ push(@lines,'ProtectHome=no');
+ $protectoff = $linenum;
+ $change = $linenum;
+ }
+ }
+ }
+ }
+ }
+ close($fh);
+ if ($addservice || $change || !$protectoff) {
+ if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
+ if ($addservice) {
+ print $fh "[Service]\n";
+ }
+ foreach my $entry (@lines) {
+ print $fh "$entry\n";
+ }
+ close($fh);
+ print_and_log('Updated /etc/systemd/system/'.$service.'.d/override.conf');
+ } else {
+ print_and_log('Could not open /etc/systemd/system/'.$service.'.d/override.conf for writing.');
+ }
+ } else {
+ print_and_log('No change needed in /etc/systemd/system/'.$service.'.d/override.conf');
+ }
+ } else {
+ print_and_log('Could not open /etc/systemd/system/'.$service.'.d/override.conf for reading.');
+ }
+ } else {
+ if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
+ print $fh '[Service]'."\n".'ProtectHome=no'."\n";
+ close($fh);
+ print_and_log('Created /etc/systemd/system/'.$service.'.d/override.conf');
+ }
+ }
+ } else {
+ print_and_log('No /etc/systemd/system/'.$service.'.d directory exists and creating one failed,');
+ }
+ } else {
+ print_and_log('No update needed to systemd security settings for Apache web server.');
+ }
+ } else {
+ print_and_log('No update needed to systemd, as this Linux distro does not use systemctl');
+ }
+}
+
###########################################################
##
## RHEL/CentOS/Fedora/Scientific Linux
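Review bot: The read loop for an existing override.conf in check_systemd_update cannot produce the intended file: everything after the `next;` inside `if ($protectoff) {` is unreachable, so a `ProtectHome` line is never kept or rewritten, and lines other than `[Service]` are never pushed onto the list that is written back. As written, the rewrite therefore discards any other directives an administrator already had in the drop-in and still does not contain `ProtectHome=no`, yet it logs 'Updated'. The fence below keeps every existing line, rewrites the first `ProtectHome` line, and appends a `[Service]` section when none was found (systemd merges repeated sections, which is worth confirming on the oldest supported release). Nothing visible here runs `systemctl daemon-reload` or restarts Apache after the write, and the branch that creates a new override.conf has no `else` for a failed open. The `at lines` in the `my (...)` declaration looks like archive mangling of `@lines`.

```perl
my ($protectoff,$change,@lines);
while (my $entry = <$fh>) {
    chomp($entry);
    if ($entry =~ /^ProtectHome\s*=\s*([\w-]+)\s*$/) {
        # Keep only the first ProtectHome line, rewritten if it is not 'no'.
        next if ($protectoff);
        $protectoff = 1;
        if (lc($1) ne 'no') {
            $entry = 'ProtectHome=no';
            $change = 1;
        }
    }
    # Preserve every other line so existing overrides survive the rewrite.
    push(@lines,$entry);
}
close($fh);
if (!$protectoff) {
    # No ProtectHome line found: add one in its own [Service] section.
    push(@lines,'[Service]','ProtectHome=no');
    $change = 1;
}
if ($change) {
    # … unchanged: open override.conf for writing, print each entry of @lines,
    #   log the result (the $addservice branch is no longer needed) …
}
# … unchanged: 'No change needed' and 'Could not open … for reading' branches …
```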