--- doc/install/linux/install.pl 2024/06/30 20:10:29 1.45.2.19 +++ doc/install/linux/install.pl 2024/08/01 12:57:23 1.45.2.22 @@ -76,7 +76,7 @@ if (!open(LOG,">>loncapa_install.log")) &mt('Stopping execution.')."\n"; exit; } else { - print LOG '$Id: install.pl,v 1.45.2.19 2024/06/30 20:10:29 raeburn Exp $'."\n"; + print LOG '$Id: install.pl,v 1.45.2.22 2024/08/01 12:57:23 raeburn Exp $'."\n"; } # @@ -373,7 +373,7 @@ sub check_prerequisites { sub check_locale { my ($distro) = @_; - my ($fh,$langvar,$command,$earlyout); + my ($fh,$langvar,$command,$langcmd,$earlyout,$default); $langvar = 'LANG'; if ($distro =~ /^(ubuntu|debian)/) { if (!open($fh,"; chomp(@data); + close($fh); foreach my $item (@data) { if ($item =~ /^\Q$langvar\E=\"?([^\"]*)\"?/) { - my $default = $1; + $default = $1; if ($default ne 'en_US.UTF-8') { if ($distro =~ /^debian/) { $command = 'locale-gen en_US.UTF-8'."\n". @@ -453,8 +454,72 @@ sub check_locale { last; } } - close($fh); - return $command; +# Check for locales + if ($default ne 'en_US.UTF-8') { + my ($has_us_english,$has_other_code,$has_other_lang); + if (open(PIPE,"locale -a 2>/dev/null |")) { + while () { + chomp(); + next if (/^(C(|\.utf8)|POSIX)$/i); + if (/^en_US\.utf8/i) { + $has_us_english = 1; + } elsif (/^[A-Za-z]{2}_[A-Za-z]{2}/) { + $has_other_code = 1; + } elsif (/^[A-Za-z]{3,}/) { + $has_other_lang = 1; + } + } + close(PIPE); + if (!$has_us_english) { + if ($has_other_code || $has_other_lang) { + if ($distro =~ /^ubuntu/) { + $langcmd = "sudo apt-get install language-pack-en\n"; + } elsif ($distro =~ /^debian/) { + $langcmd = "apt-get install language-pack-en\n"; + } elsif ($distro =~ /^(suse|sles)/) { + $langcmd = &mt('Use yast: System > Language > Primary Language = English')."\n"; + } elsif ($distro =~ /^fedora(\d+)$/) { + if ($1 > 23) { + $langcmd = "dnf install glibc-langpack-en\n"; + } else { + $langcmd = "yum install glibc-common\n"; + } + } elsif ($distro =~ /^(?:rhes|centos|scientific|oracle|rocky|alma)(\d+)/) { + if ($1 > 7) { + $langcmd = "dnf install glibc-langpack-en\n"; + } else { + $langcmd = "yum install glibc-common\n"; + } + } + } else { + if ($distro =~ /^ubuntu/) { + $langcmd = "sudo apt-get install language-pack-en\n"; + } elsif ($distro =~ /^debian/) { + $langcmd = "apt-get install language-pack-en\n"; + } elsif ($distro =~ /^(suse|sles)/) { + $langcmd = &mt('Use yast: System > Language > Primary Language = English')."\n"; + } elsif ($distro =~ /^fedora(\d+)$/) { + if ($1 > 23) { + $langcmd = &mt('Either install all languages[_1]or install English only[_2]', + ":\ndnf install glibc-all-langpacks\n\n", + ":\ndnf install glibc-langpack-en\n"); + } else { + $langcmd = "yum install glibc-common\n"; + } + } elsif ($distro =~ /^(?:rhes|centos|scientific|oracle|rocky|alma)(\d+)/) { + if ($1 > 7) { + $langcmd = &mt('Either install all languages[_1]or install English only[_2]', + ":\ndnf install glibc-all-langpacks\n\n", + ":\ndnf install glibc-langpack-en\n"); + } else { + $langcmd = "yum install glibc-common\n"; + } + } + } + } + } + } + return ($command,$langcmd); } sub check_required { @@ -465,11 +530,11 @@ sub check_required { } my $gotprereqs = &check_prerequisites($packagecmd,$distro); if ($gotprereqs eq '') { - return ($distro,$gotprereqs,'',$packagecmd,$updatecmd); + return ($distro,$gotprereqs,'','',$packagecmd,$updatecmd); } - my $localecmd = &check_locale($distro); + my ($localecmd,$langcmd) = &check_locale($distro); unless ($localecmd eq '') { - return ($distro,$gotprereqs,$localecmd); + return ($distro,$gotprereqs,$localecmd,$langcmd); } my ($mysqlon,$mysqlsetup,$mysqlrestart,$dbh,$has_pass,$mysql_unix_socket,$has_lcdb, %recommended,$downloadstatus,$filetouse,$production,$testing,$apachefw, @@ -492,7 +557,7 @@ sub check_required { $mysqlrestart = 'sudo '; } $mysqlrestart .= 'service mysql restart'; - return ($distro,$gotprereqs,$localecmd,$packagecmd,$updatecmd,$installnow,$mysqlrestart); + return ($distro,$gotprereqs,$localecmd,$langcmd,$packagecmd,$updatecmd,$installnow,$mysqlrestart); } else { if ($mysqlsetup eq 'noroot') { $recommended{'mysqlperms'} = 1; @@ -511,11 +576,14 @@ sub check_required { } ($recommended{'firewall'},$apachefw) = &chkfirewall($distro); ($recommended{'runlevels'},$tostop,$uses_systemctl) = &chkconfig($distro,$instdir); + if ((ref($uses_systemctl) eq 'HASH') && ($uses_systemctl->{'apache'})) { + $recommended{'systemd'} = &check_systemd_security($distro); + } $recommended{'apache'} = &chkapache($distro,$instdir); $recommended{'stopsrvcs'} = &chksrvcs($distro,$tostop); ($recommended{'download'},$downloadstatus,$filetouse,$production,$testing) = &need_download($distro,$instdir); - return ($distro,$gotprereqs,$localecmd,$packagecmd,$updatecmd,$installnow, + return ($distro,$gotprereqs,$localecmd,$langcmd,$packagecmd,$updatecmd,$installnow, $mysqlrestart,\%recommended,$dbh,$has_pass,$mysql_unix_socket, $has_lcdb,$downloadstatus,$filetouse,$production,$testing,$apachefw, $uses_systemctl); @@ -535,6 +603,9 @@ sub check_mysql_running { $process = 'mysqld'; $proc_owner = 'mysql'; } + if ($1 >= 16) { + $use_systemctl = 1; + } } elsif ($distro =~ /^debian(\w+)/) { if ($1 >= 10) { $process = 'mysql'; @@ -543,6 +614,9 @@ sub check_mysql_running { if ($1 >= 11) { $mysqldaemon = 'mariadb'; } + if ($1 >= 9) { + $use_systemctl = 1; + } } elsif ($distro =~ /^fedora(\d+)/) { if ($1 >= 16) { $process = 'mysqld'; @@ -814,6 +888,26 @@ sub chkconfig { return (\%needfix,\%tostop,\%uses_systemctl); } +sub check_systemd_security { + my ($distro) = @_; + my $service = 'httpd.service'; + if ($distro =~ /^(suse|sles|ubuntu|debian)/) { + $service = 'apache2.service'; + } + system("systemctl daemon-reload"); + if (open(PIPE,"systemctl show $service --property=ProtectHome 2>/dev/null |")) { + my $protection = ; + close(PIPE); + chomp($protection); + if ($protection =~ /^ProtectHome=(read-only|yes)$/i) { + return 1; + } + } else { + print &mt('Could not check systemctl configuration for Apache')."\n"; + } + return 0; +} + sub uses_firewalld { my ($distro) = @_; my ($inuse,$checkfirewalld,$zone); @@ -953,7 +1047,9 @@ sub chkapache { my $diffres = ; close(PIPE); chomp($diffres); - unless ($diffres) { + if ($diffres) { + $fixapache = 1; + } else { $fixapache = 0; } } @@ -1525,11 +1621,12 @@ print " ".&mt('3.')." ".&mt('Set-up the MySQL database.')." ".&mt('4.')." ".&mt('Set-up MySQL permissions.')." ".&mt('5.')." ".&mt('Configure Apache web server.')." -".&mt('6.')." ".&mt('Configure start-up of services.')." -".&mt('7.')." ".&mt('Check firewall settings.')." -".&mt('8.')." ".&mt('Stop services not used by LON-CAPA,')." +".&mt('6.')." ".&mt('Configure systemd security settings for Apache web server.')." +".&mt('7.')." ".&mt('Configure start-up of services.')." +".&mt('8.')." ".&mt('Check firewall settings.')." +".&mt('9.')." ".&mt('Stop services not used by LON-CAPA,')." ".&mt('i.e., services for a print server: [_1] daemon.',"'cups'")." -".&mt('9.')." ".&mt('Download LON-CAPA source code in readiness for installation.')." +".&mt('10.')." ".&mt('Download LON-CAPA source code in readiness for installation.')." ".&mt('Typically, you will run this script only once, when you first install LON-CAPA.')." @@ -1558,7 +1655,7 @@ my $instdir = `pwd`; chomp($instdir); my %callsub; -my @actions = ('wwwuser','pwauth','mysql','mysqlperms','apache', +my @actions = ('wwwuser','pwauth','mysql','mysqlperms','apache','systemd', 'runlevels','firewall','stopsrvcs','download'); my %prompts = &texthash( wwwuser => "Create the 'www' user?", @@ -1566,6 +1663,7 @@ my %prompts = &texthash( mysql => 'Set-up the MySQL database?', mysqlperms => 'Set-up MySQL permissions?', apache => 'Configure Apache web server?', + systemd => 'Configure systemd security settings for Apache web server?', runlevels => 'Set overrides for start-up order of services?', firewall => 'Configure firewall settings for Apache', stopsrvcs => 'Stop extra services not required on a LON-CAPA server?', @@ -1575,7 +1673,7 @@ my %prompts = &texthash( print "\n".&mt('Checking system status ...')."\n"; my $dsn = "DBI:mysql:database=mysql"; -my ($distro,$gotprereqs,$localecmd,$packagecmd,$updatecmd,$installnow,$mysqlrestart, +my ($distro,$gotprereqs,$localecmd,$langcmd,$packagecmd,$updatecmd,$installnow,$mysqlrestart, $recommended,$dbh,$has_pass,$mysql_unix_socket,$has_lcdb,$downloadstatus, $filetouse,$production,$testing,$apachefw,$uses_systemctl) = &check_required($instdir,$dsn); if ($distro eq '') { @@ -1594,8 +1692,12 @@ if ($mysqlrestart) { exit; } if ($localecmd ne '') { - print "\n".&mt('Although the LON-CAPA application itself is localized for a number of different languages, the default locale language for the Linux OS on which it runs should be US English.')."\n"; - print "\n".&mt('Run the following command from the command line to set the default language for your OS, and then run this LON-CAPA installation set-up script again.')."\n\n". + print "\n".&mt('Although the LON-CAPA application itself is localized for a number of different languages,[_1]the default locale language for the Linux OS on which it runs should be US English.',"\n")."\n\n"; + if ($langcmd ne '') { + print &mt('Use the following command(s) or action(s) to install a required language package.')."\n\n". + "$langcmd\n"; + } + print &mt('Run the following command from the command line to set the default language for your OS,[_1]and then run this LON-CAPA installation set-up script again.',"\n")."\n\n". $localecmd."\n\n". &mt('Stopping execution.')."\n"; exit; @@ -1619,7 +1721,7 @@ if (!$gotprereqs) { &mt('Stopping execution.')."\n"; exit; } else { - ($distro,$gotprereqs,$localecmd,$packagecmd,$updatecmd,$installnow, + ($distro,$gotprereqs,$localecmd,$langcmd,$packagecmd,$updatecmd,$installnow, $mysqlrestart,$recommended,$dbh,$has_pass,$mysql_unix_socket, $has_lcdb,$downloadstatus,$filetouse,$production,$testing,$apachefw, $uses_systemctl) = &check_required($instdir,$dsn); @@ -1772,6 +1874,12 @@ if ($callsub{'apache'}) { print_and_log(&mt('Skipping configuration of Apache web server.')."\n"); } +if ($callsub{'systemd'}) { + &check_systemd_update($distro); +} else { + print_and_log('Skipping systemd configuration update for web server'); +} + if ($callsub{'runlevels'}) { my $count = 0; if (ref($recommended) eq 'HASH') { @@ -1957,6 +2065,10 @@ if ($have_tarball && !$updateshown) { if ($1 > 12) { $lc_uses_systemctl = 1; } + } elsif ($distro =~ /^fedora(\d+)$/) { + if ($1 > 25) { + $lc_uses_systemctl = 1; + } } if (!-e '/etc/loncapa-release') { print &mt('If you are now ready to install LON-CAPA, enter the following commands:')."\n\n"; @@ -2401,6 +2513,118 @@ sub get_mysql_version { return ($version,$minorversion,$subversion,$name); } +sub check_systemd_update { + my ($distro) = @_; + my ($use_systemctl,$service); + $service = 'apache2.service'; + if ($distro =~ /^ubuntu(\w+)/) { + if ($1 >= 16) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^debian(\w+)/) { + if ($1 >= 9) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^fedora(\d+)/) { + $service = 'httpd.service'; + if ($1 >= 16) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { + $service = 'httpd.service'; + if ($1 >= 7) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^sles(\d+)/) { + if ($1 >= 12) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^suse(\d+)/) { + if ($1 >= 13) { + $use_systemctl = 1; + } + } + if ($use_systemctl) { + my $needsupdate = &check_systemd_security($distro); + if ($needsupdate) { + if (!-d '/etc/systemd/system/'.$service.'.d') { + mkdir '/etc/systemd/system/'.$service.'.d', 0755; + } + if (-d '/etc/systemd/system/'.$service.'.d') { + if (-e '/etc/systemd/system/'.$service.'.d/override.conf') { + if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) { + my ($inservice,$addservice,$protectoff,$linenum,$change,@lines); + while (my $entry = <$fh>) { + $linenum ++; + chomp($entry); + if ($entry eq '[Service]') { + if (!$protectoff) { + $inservice = $linenum; + push(@lines,$entry); + } else { + $addservice = 1; + next; + } + } + if ($entry =~ /^ProtectHome\s*=\s*([\w-]+)\s*$/) { + my $value = $1; + if ($protectoff) { + next; + if (lc($value) eq 'no') { + $protectoff = $linenum; + push(@lines,$entry); + } else { + if ($protectoff) { + next; + } else { + push(@lines,'ProtectHome=no'); + $protectoff = $linenum; + $change = $linenum; + } + } + } + } + } + close($fh); + if ($addservice || $change || !$protectoff) { + if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { + if ($addservice) { + print $fh "[Service]\n"; + } + foreach my $entry (@lines) { + print $fh "$entry\n"; + } + close($fh); + print_and_log('Updated /etc/systemd/system/'.$service.'.d/override.conf'); + system('systemctl daemon-reload'); + } else { + print_and_log('Could not open /etc/systemd/system/'.$service.'.d/override.conf for writing.'); + } + } else { + print_and_log('No change needed in /etc/systemd/system/'.$service.'.d/override.conf'); + } + } else { + print_and_log('Could not open /etc/systemd/system/'.$service.'.d/override.conf for reading.'); + } + } else { + if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { + print $fh '[Service]'."\n".'ProtectHome=no'."\n"; + close($fh); + print_and_log('Created /etc/systemd/system/'.$service.'.d/override.conf'); + system('systemctl daemon-reload'); + } + } + } else { + print_and_log('No /etc/systemd/system/'.$service.'.d directory exists and creating one failed,'); + } + } else { + print_and_log('No update needed to systemd security settings for Apache web server.'); + } + } else { + print_and_log('No update needed to systemd, as this Linux distro does not use systemctl'); + } +} + ########################################################### ## ## RHEL/CentOS/Fedora/Scientific Linux