--- doc/install/linux/install.pl 2021/03/11 20:59:34 1.69 +++ doc/install/linux/install.pl 2024/07/27 18:39:10 1.91 @@ -29,6 +29,7 @@ use Term::ReadKey; use Socket; use Sys::Hostname::FQDN(); use DBI; +use File::Spec; use Cwd(); use File::Basename(); use lib File::Basename::dirname(Cwd::abs_path($0)); @@ -77,7 +78,7 @@ if (!open(LOG,">>loncapa_install.log")) &mt('Stopping execution.')."\n"; exit; } else { - print LOG '$Id: install.pl,v 1.69 2021/03/11 20:59:34 raeburn Exp $'."\n"; + print LOG '$Id: install.pl,v 1.91 2024/07/27 18:39:10 raeburn Exp $'."\n"; } # @@ -211,8 +212,11 @@ sub get_distro { $distro = 'rhes'.$1; $updatecmd = 'dnf install LONCAPA-prerequisites'; $installnow = 'dnf -y install LONCAPA-prerequisites'; - } elsif ($versionstring =~ /CentOS(?:| Linux) release (\d+)/) { - $distro = 'centos'.$1; + } elsif ($versionstring =~ /CentOS(| Linux| Stream) release (\d+)/) { + $distro = 'centos'.$2; + if ($1 eq ' Stream') { + $distro .= '-stream'; + } $updatecmd = 'yum install LONCAPA-prerequisites'; $installnow = 'yum -y install LONCAPA-prerequisites'; } elsif ($versionstring =~ /Scientific Linux (?:SL )?release ([\d.]+) /) { @@ -221,6 +225,18 @@ sub get_distro { $distro = 'scientific'.$ver; $updatecmd = 'yum install LONCAPA-prerequisites'; $installnow = 'yum -y install LONCAPA-prerequisites'; + } elsif ($versionstring =~ /Rocky Linux release ([\d.]+)/) { + my $ver = $1; + $ver =~ s/\.\d+$//; + $distro = 'rocky'.$ver; + $updatecmd = 'dnf install LONCAPA-prerequisites'; + $installnow = 'dnf -y install LONCAPA-prerequisites'; + } elsif ($versionstring =~ /AlmaLinux release ([\d.]+) /) { + my $ver = $1; + $ver =~ s/\.\d+$//; + $distro = 'alma'.$ver; + $updatecmd = 'dnf install LONCAPA-prerequisites'; + $installnow = 'dnf -y install LONCAPA-prerequisites'; } else { print &mt('Unable to interpret [_1] to determine system type.', '/etc/redhat-release')."\n"; @@ -456,7 +472,7 @@ sub check_locale { '/etc/sysconfig/i18n'); $earlyout = 1; } - } elsif ($distro =~ /^(?:rhes|centos|scientific|oracle)(\d+)/) { + } elsif ($distro =~ /^(?:rhes|centos|scientific|oracle|rocky|alma)(\d+)/) { if ($1 >= 7) { if (!open($fh,"{'apache'})) { + $recommended{'systemd'} = &check_systemd_security($distro); + } $recommended{'apache'} = &chkapache($distro,$instdir); ($recommended{'apachessl'},$sslhostsfilesref,$has_std,$has_int,$rewritenum, $nochgstd,$nochgint) = &chkapachessl($distro,$instdir,$hostname,$hostip); $recommended{'stopsrvcs'} = &chksrvcs($distro,$tostop); ($recommended{'download'},$downloadstatus,$filetouse,$production,$testing) - = &need_download(); + = &need_download($distro,$instdir); return ($distro,$gotprereqs,$localecmd,$packagecmd,$updatecmd,$installnow, $mysqlrestart,\%recommended,$dbh,$has_pass,$mysql_unix_socket, $has_lcdb,$downloadstatus,$filetouse,$production,$testing,$apachefw, @@ -607,6 +625,20 @@ sub check_mysql_running { $process = 'mysqld'; $proc_owner = 'mysql'; } + if ($1 >= 16) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^debian(\w+)/) { + if ($1 >= 10) { + $process = 'mysql'; + $proc_owner = 'mysql'; + } + if ($1 >= 11) { + $mysqldaemon = 'mariadb'; + } + if ($1 >= 9) { + $use_systemctl = 1; + } } elsif ($distro =~ /^fedora(\d+)/) { if ($1 >= 16) { $process = 'mysqld'; @@ -616,13 +648,19 @@ sub check_mysql_running { if ($1 >= 19) { $mysqldaemon ='mariadb'; } - } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle)(\d+)/) { + if ($1 >= 34) { + $process = 'mariadb'; + } + } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { if ($1 >= 7) { $mysqldaemon ='mariadb'; $process = 'mysqld'; $proc_owner = 'mysql'; $use_systemctl = 1; } + if ($1 >= 9) { + $process = 'mariadb'; + } } elsif ($distro =~ /^sles(\d+)/) { if ($1 >= 12) { $use_systemctl = 1; @@ -743,9 +781,13 @@ sub chkconfig { if (($distro =~ /^ubuntu/) && ($version <= 8)) { $daemon{'cups'} = 'cupsys'; } - if (($distro =~ /^ubuntu/) && ($version >= 18)) { + if ((($distro =~ /^ubuntu/) && ($version >= 18)) || + (($distro =~ /^debian/) && ($version >= 10))) { $daemon{'ntp'} = 'chrony'; } + if (($distro =~ /^debian/) && ($version >= 11)) { + $daemon{'mysql'} = 'mariadb'; + } } elsif ($distro =~ /^fedora(\d+)/) { my $version = $1; if ($version >= 15) { @@ -763,7 +805,7 @@ sub chkconfig { if ($version >= 26) { $daemon{'ntp'} = 'chronyd'; } - } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle)(\d+)/) { + } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { my $version = $1; if ($version >= 7) { $uses_systemctl{'ntp'} = 1; @@ -868,6 +910,26 @@ sub chkconfig { return (\%needfix,\%tostop,\%uses_systemctl); } +sub check_systemd_security { + my ($distro) = @_; + my $service = 'httpd.service'; + if ($distro =~ /^(suse|sles|ubuntu|debian)/) { + $service = 'apache2.service'; + } + system("systemctl daemon-reload"); + if (open(PIPE,"systemctl show $service --property=ProtectHome 2>/dev/null |")) { + my $protection = ; + close(PIPE); + chomp($protection); + if ($protection =~ /^ProtectHome=(read-only|yes)$/i) { + return 1; + } + } else { + print &mt('Could not check systemctl configuration for Apache')."\n"; + } + return 0; +} + sub uses_firewalld { my ($distro) = @_; my ($inuse,$checkfirewalld,$zone); @@ -879,20 +941,20 @@ sub uses_firewalld { if ($1 >= 18) { $checkfirewalld = 1; } - } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle)(\d+)/) { + } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { if ($1 >= 7) { $checkfirewalld = 1; } } if ($checkfirewalld) { my ($loaded,$active); - if (open(PIPE,"systemctl status firewalld |")) { + if (open(PIPE,"systemctl status firewalld 2>/dev/null |")) { while () { chomp(); if (/^\s*Loaded:\s+(\w+)/) { $loaded = $1; } - if (/^\s*Active\s+(\w+)/) { + if (/^\s*Active:\s+(\w+)/) { $active = $1; } } @@ -971,7 +1033,8 @@ sub chkapache { my $distname = $1; my $version = $2; my ($stdconf,$stdsite); - if (($distname eq 'ubuntu') && ($version > 12)) { + if ((($distname eq 'ubuntu') && ($version > 12)) || + (($distname eq 'debian') && ($version >= 10))) { $stdconf = "$instdir/debian-ubuntu/ubuntu14/loncapa_conf"; $stdsite = "$instdir/debian-ubuntu/ubuntu14/loncapa_sites"; } else { @@ -982,7 +1045,8 @@ sub chkapache { print &mt('Warning: No LON-CAPA Apache configuration file found for installation check.')."\n"; } else { my ($configfile,$sitefile); - if (($distname eq 'ubuntu') && ($version > 12)) { + if ((($distname eq 'ubuntu') && ($version > 12)) || + (($distname eq 'debian') && ($version >= 10))) { $sitefile = '/etc/apache2/sites-available/loncapa.conf'; $configfile = '/etc/apache2/conf-available/loncapa.conf'; } else { @@ -998,13 +1062,16 @@ sub chkapache { } } } - if ((!$fixapache) && ($distname eq 'ubuntu') && ($version > 12)) { + if ((!$fixapache) && ((($distname eq 'ubuntu') && ($version > 12)) || + (($distname eq 'debian') && ($version >= 10)))) { if (($sitefile ne '') && (-e $sitefile) && (-e $stdsite)) { if (open(PIPE, "diff --brief $stdsite $sitefile |")) { my $diffres = ; close(PIPE); chomp($diffres); - unless ($diffres) { + if ($diffres) { + $fixapache = 1; + } else { $fixapache = 0; } } @@ -1018,7 +1085,7 @@ sub chkapache { } } } - if ((!$fixapache) && ($distname eq 'ubuntu')) { + if ((!$fixapache) && (($distname eq 'ubuntu') || ($distname eq 'debian'))) { my $sitestatus = "/etc/apache2/mods-available/status.conf"; my $stdstatus = "$instdir/debian-ubuntu/status.conf"; if ((-e $stdstatus) && (-e $sitestatus)) { @@ -1072,7 +1139,7 @@ sub chkapache { } else { my $configfile = 'httpd.conf'; my $mpmfile = 'mpm.conf'; - if ($distro =~ /^(?:centos|rhes|scientific|oracle)(\d+)$/) { + if ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { if ($1 >= 7) { $configfile = 'apache2.4/httpd.conf'; } elsif ($1 > 5) { @@ -1369,7 +1436,11 @@ sub chkapachessl { foreach my $file (sort(keys(%{$sslfiles{$key}}))) { unless ((-l "$enabled_dir/$file") && (readlink("$enabled_dir/$file") eq "$ssldir/$file")) { - print_and_log(&mt("Warning, use: 'sudo a2ensite $file' to activate LON-CAPA SSL Apache config\n")); + if ($distro =~ /^debian(\d+)$/) { + print_and_log(&mt("Warning, use: 'a2ensite $file' to activate LON-CAPA SSL Apache config\n")); + } elsif ($distro =~ /^ubuntu(\d+)$/) { + print_and_log(&mt("Warning, use: 'sudo a2ensite $file' to activate LON-CAPA SSL Apache config\n")); + } } } } @@ -1440,12 +1511,12 @@ sub chksrvcs { } sub need_download { + my ($distro,$instdir) = @_; my $needs_download = 1; my ($production,$testing,$stdsizes) = &download_versionslist(); - my ($rootdir,$localcurrent,$localtesting,%tarball,%localsize,%bymodtime, + my ($localcurrent,$localtesting,%tarball,%localsize,%bymodtime, %bysize,$filetouse,$downloadstatus); - $rootdir = '/root'; - if (opendir(my $dir,"$rootdir")) { + if (opendir(my $dir,$instdir)) { my (@lcdownloads,$version); foreach my $file (readdir($dir)) { if ($file =~ /^loncapa\-([\w\-.]+)\.tar\.gz$/) { @@ -1455,14 +1526,14 @@ sub need_download { } if (ref($stdsizes) eq 'HASH') { if ($version eq 'current') { - my @stats = stat("$rootdir/$file"); + my @stats = stat("$instdir/$file"); $localcurrent = $stats[7]; if ($localcurrent == $stdsizes->{$production}) { $needs_download = 0; $filetouse = $file; } } elsif ($version eq 'testing') { - my @stats = stat("$rootdir/$file"); + my @stats = stat("$instdir/$file"); $localtesting = $stats[7]; if ($localtesting == $stdsizes->{$testing}) { $needs_download = 0; @@ -1476,7 +1547,7 @@ sub need_download { if ($needs_download) { if (@lcdownloads > 0) { foreach my $version (@lcdownloads) { - my @stats = stat("$rootdir/$tarball{$version}"); + my @stats = stat("$instdir/$tarball{$version}"); my $mtime = $stats[9]; $localsize{$version} = $stats[7]; if ($mtime) { @@ -1509,31 +1580,31 @@ sub need_download { my $newest = $sorted[0]; if (ref($bymodtime{$newest}) eq 'ARRAY') { $downloadstatus = - "Latest LON-CAPA source download in $rootdir is: ". + "Latest LON-CAPA source download in $instdir is: ". join(',',@{$bymodtime{$newest}})." (downloaded ". localtime($newest).")\n"; } } else { $downloadstatus = - "The $rootdir directory already contains the latest LON-CAPA version:". + "The $instdir directory already contains the latest LON-CAPA version:". "\n".$filetouse."\n"."which can be used for installation.\n"; } } else { - $downloadstatus = "The $rootdir directory does not appear to contain any downloaded LON-CAPA source code files which can be used for installation.\n"; + $downloadstatus = "The $instdir directory does not appear to contain any downloaded LON-CAPA source code files which can be used for installation.\n"; } } } else { - $downloadstatus = "Could not open $rootdir directory to look for existing downloads of LON-CAPA source code.\n"; + $downloadstatus = "Could not open $instdir directory to look for existing downloads of LON-CAPA source code.\n"; } return ($needs_download,$downloadstatus,$filetouse,$production,$testing); } sub check_mysql_setup { - my ($instdir,$dsn,$distro,$mysql_has_wwwuser) = @_; - my ($mysqlsetup,$has_pass,$mysql_unix_socket); + my ($instdir,$dsn,$distro) = @_; + my ($mysqlsetup,$has_pass,$mysql_unix_socket,$mysql_has_wwwuser); my $dbh = DBI->connect($dsn,'root','',{'PrintError'=>0}); - my ($mysqlversion,$mysqlsubver,$mysqlname) = &get_mysql_version(); - if (($mysqlname =~ /^MariaDB/i) && ($mysqlversion >= 10.4)) { + my ($mysqlversion,$mysqlminorversion,$mysqlsubver,$mysqlname) = &get_mysql_version(); + if (($mysqlname =~ /^MariaDB/i) && (($mysqlversion == 10 && $mysqlminorversion >= 4) || ($mysqlversion >= 11))) { if ($dbh) { my $sth = $dbh->prepare("SELECT Priv FROM mysql.global_priv WHERE (User = 'root' AND Host ='localhost')"); $sth->execute(); @@ -1547,16 +1618,30 @@ sub check_mysql_setup { if ($mysql_unix_socket) { print_and_log(&mt('MariaDB using unix_socket for root access from localhost.')."\n"); $mysqlsetup = 'rootok'; - $mysql_unix_socket = 1; - unless ($mysql_has_wwwuser) { - $mysql_has_wwwuser = &check_mysql_wwwuser(); - } + $mysql_has_wwwuser = &check_mysql_wwwuser($dbh); return ($mysqlsetup,$has_pass,$dbh,$mysql_has_wwwuser,$mysql_unix_socket); } } } if ($dbh) { - $mysqlsetup = 'noroot'; + $mysqlsetup = 'noroot'; + if (($mysqlname !~ /^MariaDB/i) && (($mysqlversion == 5 && $mysqlminorversion >= 7) || ($mysqlversion >= 6))) { + my $sth = $dbh->prepare("SELECT plugin from mysql.user where User='root'"); + $sth->execute(); + while (my $priv = $sth->fetchrow_array) { + if ($priv =~ /auth_socket/) { + $mysql_unix_socket = 1; + last; + } + } + $sth->finish(); + if ($mysql_unix_socket) { + print_and_log(&mt('MySQL using unix_socket for root access from localhost.')."\n"); + $mysqlsetup = 'rootok'; + $mysql_has_wwwuser = &check_mysql_wwwuser($dbh); + return ($mysqlsetup,$has_pass,$dbh,$mysql_has_wwwuser,$mysql_unix_socket); + } + } } elsif ($DBI::err =~ /1045/) { $has_pass = 1; } elsif ($distro =~ /^ubuntu(\d+)$/) { @@ -1569,16 +1654,15 @@ sub check_mysql_setup { } close(PIPE); } - unless ($mysql_has_wwwuser) { - $mysql_has_wwwuser = &check_mysql_wwwuser(); - } $dbh = DBI->connect($dsn,'root','',{'PrintError'=>0}); if ($dbh) { $mysqlsetup = 'noroot'; + $mysql_has_wwwuser = &check_mysql_wwwuser($dbh); } elsif ($DBI::err =~ /1045/) { $has_pass = 1; } else { $mysqlsetup = 'needsrestart'; + $mysql_has_wwwuser = &check_mysql_wwwuser(); return ($mysqlsetup,$has_pass,$dbh,$mysql_has_wwwuser); } } @@ -1590,6 +1674,7 @@ sub check_mysql_setup { if ($dbh) { $mysqlsetup = 'rootok'; print_and_log(&mt('Password accepted.')."\n"); + $mysql_has_wwwuser = &check_mysql_wwwuser($dbh); } else { $mysqlsetup = 'rootfail'; print_and_log(&mt('Problem accessing MySQL.')."\n"); @@ -1601,27 +1686,35 @@ sub check_mysql_setup { if ($dbh) { $mysqlsetup = 'rootok'; print_and_log(&mt('Password accepted.')."\n"); + $mysql_has_wwwuser = &check_mysql_wwwuser($dbh); } else { if ($DBI::err =~ /1045/) { print_and_log(&mt('Incorrect password.')."\n"); } + $mysql_has_wwwuser = &check_mysql_wwwuser(); } } } } elsif ($mysqlsetup ne 'noroot') { print_and_log(&mt('Problem accessing MySQL.')."\n"); $mysqlsetup = 'rootfail'; + $mysql_has_wwwuser = &check_mysql_wwwuser(); } return ($mysqlsetup,$has_pass,$dbh,$mysql_has_wwwuser); } sub check_mysql_wwwuser { + my ($dbh) = @_; my $mysql_wwwuser; - my $dbhn = DBI->connect("DBI:mysql:database=information_schema",'www','localhostkey', - {PrintError => +0}) || return; - if ($dbhn) { - $mysql_wwwuser = 1; - $dbhn->disconnect; + if ($dbh) { + $mysql_wwwuser = $dbh->selectrow_array("SELECT COUNT(User) FROM mysql.user WHERE (User = 'www' AND Host ='localhost')"); + } else { + my $dbhn = DBI->connect("DBI:mysql:database=information_schema",'www','localhostkey', + {PrintError => +0}) || return; + if ($dbhn) { + $mysql_wwwuser = 1; + $dbhn->disconnect; + } } return $mysql_wwwuser; } @@ -1657,14 +1750,30 @@ sub get_pathto_iptables { sub firewall_is_active { if (-e '/proc/net/ip_tables_names') { + my $status; if (open(PIPE,'cat /proc/net/ip_tables_names |grep filter |')) { - my $status = ; + $status = ; close(PIPE); chomp($status); if ($status eq 'filter') { return 1; } } + unless ($status) { + if (open(PIPE,'nft list tables |')) { + while() { + chomp(); + if (/filter$/) { + $status = 1; + last; + } + } + close(PIPE); + if ($status) { + return 1; + } + } + } } return 0; } @@ -1826,12 +1935,13 @@ print " ".&mt('3.')." ".&mt('Set-up the MySQL database.')." ".&mt('4.')." ".&mt('Set-up MySQL permissions.')." ".&mt('5.')." ".&mt('Configure Apache web server.')." -".&mt('6.')." ".&mt('Configure SSL for Apache web server.')." -".&mt('7.')." ".&mt('Configure start-up of services.')." -".&mt('8.')." ".&mt('Check firewall settings.')." -".&mt('9.')." ".&mt('Stop services not used by LON-CAPA,')." +".&mt('6.')." ".&mt('Configure systemd security settings for Apache web server.')." +".&mt('7.')." ".&mt('Configure SSL for Apache web server.')." +".&mt('8.')." ".&mt('Configure start-up of services.')." +".&mt('9.')." ".&mt('Check firewall settings.')." +".&mt('10.')." ".&mt('Stop services not used by LON-CAPA,')." ".&mt('i.e., services for a print server: [_1] daemon.',"'cups'")." -".&mt('10.')." ".&mt('Download LON-CAPA source code in readiness for installation.')." +".&mt('11.')." ".&mt('Download LON-CAPA source code in readiness for installation.')." ".&mt('Typically, you will run this script only once, when you first install LON-CAPA.')." @@ -1860,7 +1970,7 @@ my $instdir = `pwd`; chomp($instdir); my %callsub; -my @actions = ('wwwuser','pwauth','mysql','mysqlperms','apache', +my @actions = ('wwwuser','pwauth','mysql','mysqlperms','apache','systemd', 'apachessl','runlevels','firewall','stopsrvcs','download'); my %prompts = &texthash( wwwuser => "Create the 'www' user?", @@ -1868,7 +1978,8 @@ my %prompts = &texthash( mysql => 'Set-up the MySQL database?', mysqlperms => 'Set-up MySQL permissions?', apache => 'Configure Apache web server?', - apachessl => 'Configure SSL for Apache web server?', + systemd => 'Configure systemd security settings for Apache web server?', + apachessl => 'Configure SSL for Apache web server?', runlevels => 'Set overrides for start-up order of services?', firewall => 'Configure firewall settings for Apache', stopsrvcs => 'Stop extra services not required on a LON-CAPA server?', @@ -1910,6 +2021,7 @@ if (!$gotprereqs) { &mt('The following command can be used to install the package (and dependencies):')."\n\n". $updatecmd."\n\n"; if ($installnow eq '') { + print &mt('Stopping execution.')."\n"; exit; } else { print &mt('Run command? ~[Y/n~]'); @@ -1981,26 +2093,41 @@ my $lctarball = 'loncapa-current.tar.gz' my $sourcetarball = $lctarball; if ($callsub{'download'}) { my ($production,$testing,$sizes) = &download_versionslist(); + my $homedir = '/root'; + if ($distro =~ /^ubuntu/) { + if ($instdir ne $homedir) { + ($homedir) = ($instdir =~ m{^(.*)/[^/]+$}); + } + } if ($production && $testing) { if ($production ne $testing) { print &mt('Two recent LON-CAPA releases are available: ')."\n". &mt('1.').' '.&mt('A production release - version: [_1].',$production)."\n". &mt('2.').' '.&mt('A testing release - version: [_1].',$testing)."\n\n". - &mt('Download the production release? ~[Y/n~]'); + &mt("After download, the tar.gz file will be extracted into $homedir")."\n\n". + &mt("Download the production release into $instdir? ~[Y/n~]"); if (&get_user_selection(1)) { $sourcetarball = 'loncapa-'.$production.'.tar.gz'; + print "$sourcetarball will be downloaded into $instdir\n"; } else { print "\n".&mt('Download the testing release? ~[Y/n~]'); if (&get_user_selection(1)) { $sourcetarball = 'loncapa-'.$testing.'.tar.gz'; + print "$sourcetarball will be downloaded into $instdir\n"; + } else { + $callsub{'download'} = 0; } } } } elsif ($production) { print &mt('The most recent LON-CAPA release is version: [_1].',$production)."\n". - &mt('Download the production release? ~[Y/n~]'); + &mt("After download, the tar.gz file will be extracted into $homedir")."\n\n". + &mt("Download the production release into $instdir? ~[Y/n~]"); if (&get_user_selection(1)) { $sourcetarball = 'loncapa-'.$production.'.tar.gz'; + print "$sourcetarball will be downloaded into $instdir\n"; + } else { + $callsub{'download'} = 0; } } } elsif ($filetouse ne '') { @@ -2025,7 +2152,7 @@ if ($callsub{'pwauth'}) { if ($callsub{'mysql'}) { if ($dbh) { &setup_mysql($callsub{'mysqlperms'},$dbh,$has_pass, - $mysql_unix_socket,$has_lcdb); + $mysql_unix_socket,$has_lcdb,$distro); } else { print &mt('Unable to configure MySQL because access is denied.')."\n"; } @@ -2062,6 +2189,12 @@ if ($callsub{'apache'}) { print_and_log(&mt('Skipping configuration of Apache web server.')."\n"); } +if ($callsub{'systemd'}) { + &check_systemd_update($distro); +} else { + print_and_log('Skipping systemd configuration update for web server'); +} + if ($callsub{'apachessl'}) { my $targetdir = '/etc/httpd/conf.d'; if ($distro =~ /^(suse|sles)/) { @@ -2148,14 +2281,16 @@ if ($callsub{'firewall'}) { if (keys(%added) > 0) { print &mt('Firewall configured to allow access for: [_1].', join(', ',sort(keys(%added))))."\n"; + system('firewall-cmd --reload'); } if ($current{'http'} || $current{'https'}) { print &mt('Firewall already configured to allow access for:[_1].', (($current{'http'})? ' http':'').(($current{'https'})? ' https':''))."\n"; } unless ($current{'ssh'}) { - print &mt('If you would the like to allow access to ssh from outside, use the command[_1].', - "firewall-cmd --permanent --zone=$zone --add-service=ssh")."\n"; + print &mt('If you would like to allow access to ssh from outside, use the commands:')."\n". + "firewall-cmd --permanent --zone=$zone --add-service=ssh\n". + "firewall-cmd --reload\n"; } } elsif ($distro =~ /^(suse|sles)/) { print &mt('Use [_1] to configure the firewall to allow access for [_2].', @@ -2183,7 +2318,7 @@ if ($callsub{'firewall'}) { 'ssh, http')."\n"; } else { my $version; - if ($distro =~ /^(redhat|centos)(\d+)$/) { + if ($distro =~ /^(redhat|centos|rocky|alma)(\d+)/) { $version = $1; } if ($version > 5) { @@ -2214,10 +2349,11 @@ if ($callsub{'download'}) { print &mt('LON-CAPA is available for download from: [_1]', 'http://install.loncapa.org/')."\n"; if (!-e '/etc/loncapa-release') { - &print_and_log(&mt('LON-CAPA is not yet installed on your system.'). - "\n\n". - &mt('You may retrieve the source for LON-CAPA by executing:')."\n". - "wget http://install.loncapa.org/versions/$lctarball\n"); + &print_and_log(&mt('LON-CAPA is not yet installed on your system.')."\n\n"); + unless ($filetouse) { + &print_and_log(&mt('You may retrieve the source for LON-CAPA by executing:')."\n". + "wget http://install.loncapa.org/versions/$lctarball\n"); + } } else { my $currentversion; if (open(my $fh," 6) { + $lc_uses_systemctl = 1; + } + } elsif ($distro =~ /^(?:rhes|centos|rocky|alma)(\d+)/) { + if ($1 > 7) { + $lc_uses_systemctl = 1; + } + } elsif ($distro =~ /^ubuntu(\d+)$/) { + if ($1 > 16) { + $lc_uses_systemctl = 1; + } + $uses_sudo = 1; + } elsif ($distro =~ /^debian(\d+)$/) { + if ($1 >= 10) { + $lc_uses_systemctl = 1; + } + } elsif ($distro =~ /^sles(\d+)$/) { + if ($1 > 12) { + $lc_uses_systemctl = 1; + } + } elsif ($distro =~ /^fedora(\d+)$/) { + if ($1 > 25) { + $lc_uses_systemctl = 1; } - print "/etc/init.d/$apachename stop\n"; } - print "cd /root\n". - "tar zxf $sourcetarball\n". - "cd $lcdir\n". - "./UPDATE\n"; + if (!-e '/etc/loncapa-release') { + print &mt('If you are now ready to install LON-CAPA, enter the following commands:')."\n\n"; + } else { + my $lcstop = '/etc/init.d/loncontrol stop'; + if ($lc_uses_systemctl) { + $lcstop = 'systemctl stop loncontrol'; + } + my $apachestop = "/etc/init.d/$apachename stop"; + if ($uses_systemctl) { + $apachestop = "systemctl stop $apachename"; + } + if ($uses_sudo) { + $lcstop = 'sudo '.$lcstop; + $apachestop = 'sudo '.$apachestop; + } + print &mt('If you are now ready to update LON-CAPA, enter the following commands:'). + "\n\n$lcstop\n$apachestop\n"; + } + my ($extract,$update); + my $homedir = '/root'; + if ($uses_sudo) { + $extract = 'sudo '; + $update = 'sudo '; + if ($instdir ne $homedir) { + ($homedir) = ($instdir =~ m{^(.*)/[^/]+$}); + } + } + $extract .= "tar zxf $sourcetarball --directory $homedir"; + $update .= './UPDATE'; + print "$extract\n". + "cd $homedir/$lcdir\n". + "$update\n"; if (-e '/etc/loncapa-release') { - print "/etc/init.d/loncontrol start\n"; - print "/etc/init.d/$apachename start\n"; + my $lcstart = '/etc/init.d/loncontrol start'; + if ($lc_uses_systemctl) { + $lcstart = '/home/httpd/perl/loncontrol start'; + } + my $apachestart = "/etc/init.d/$apachename start"; + if ($uses_systemctl) { + $apachestart = "systemctl start $apachename"; + } + if ($uses_sudo) { + $lcstart = 'sudo '.$lcstart; + $apachestart = 'sudo '.$apachestart; + } + print "$lcstart\n"; + print "$apachestart\n"; } } exit; @@ -2338,6 +2536,29 @@ sub build_and_install_mod_auth_external > #define SERVER_UIDS $num /* user "www" */ ENDPATCH + my $patch_code = <<"ENDPATCH"; +127a128 +> #include +214a216 +> #include +566c568 +< check_fails() +--- +> int check_fails() +589c591 +< log_failure() +--- +> void log_failure() +629c631 +< snooze(int seconds) +--- +> void snooze(int seconds) +653c655 +< main(int argc, char **argv) +--- +> int main(int argc, char **argv) +ENDPATCH + if (! -e "/usr/bin/patch") { print_and_log(&mt('You must install the software development tools package: [_1], when installing Linux.',"'patch'")."\n"); print_and_log(&mt('Authentication installation not completed.')."\n"); @@ -2348,9 +2569,17 @@ ENDPATCH return; } my $dir = "/tmp/pwauth-2.2.8"; + my $patchedok; if (open(PATCH,"| patch $dir/config.h")) { print PATCH $patch; close(PATCH); + if (open(PATCH,"| patch $dir/pwauth.c")) { + print PATCH $patch_code; + close(PATCH); + $patchedok = 1; + } + } + if ($patchedok) { print_and_log("\n"); ## ## Compile patched pwauth @@ -2421,7 +2650,8 @@ sub kill_extra_services { &print_and_log(&mt('Removing [_1] from startup.',$service)."\n"); if ($distro =~ /^(?:debian|ubuntu)(\d+)/) { my $version = $1; - if (($distro =~ /^ubuntu/) && ($version > 16)) { + if ((($distro =~ /^ubuntu/) && ($version > 16)) || + (($distro =~ /^debian/) && ($version >= 10))) { if (ref($uses_systemctl) eq 'HASH') { if ($uses_systemctl->{$service}) { if (`systemctl is-enabled $service`) { @@ -2453,10 +2683,20 @@ sub kill_extra_services { } sub setup_mysql { - my ($setup_mysql_permissions,$dbh,$has_pass,$mysql_unix_socket,$has_lcdb) = @_; + my ($setup_mysql_permissions,$dbh,$has_pass,$mysql_unix_socket,$has_lcdb,$distro) = @_; my @mysql_lc_commands; unless ($has_lcdb) { - push(@mysql_lc_commands,"CREATE DATABASE loncapa"); + my $createcmd = 'CREATE DATABASE loncapa'; + if ($distro =~ /^sles(\d+)/) { + if ($1 > 11) { + $createcmd .= ' CHARACTER SET utf8 COLLATE utf8_general_ci'; + } + } elsif ($distro =~ /^ubuntu(\d+)/) { + if ($1 > 16) { + $createcmd .= ' CHARACTER SET latin1 COLLATE latin1_swedish_ci'; + } + } + push(@mysql_lc_commands,$createcmd); } push(@mysql_lc_commands,"USE loncapa"); push(@mysql_lc_commands,qq{ @@ -2481,28 +2721,31 @@ CREATE TABLE IF NOT EXISTS metadata (tit sub setup_mysql_permissions { my ($dbh,$has_pass,$mysql_unix_socket,@mysql_lc_commands) = @_; - my ($mysqlversion,$mysqlsubver,$mysqlname) = &get_mysql_version(); + my ($mysqlversion,$mysqlminorversion,$mysqlsubver,$mysqlname) = &get_mysql_version(); my ($usescreate,$usesauth,$is_mariadb,$hasauthcol,@mysql_commands); if ($mysqlname =~ /^MariaDB/i) { $is_mariadb = 1; - if ($mysqlversion >= 10.4) { + if ((($mysqlversion == 10) && ($mysqlminorversion >= 4)) || ($mysqlversion >= 11)) { $usescreate = 1; - } elsif ($mysqlversion >= 10.2) { + } elsif (($mysqlversion == 10) && ($mysqlminorversion >= 2)) { $usesauth = 1; - } elsif ($mysqlversion >= 5.5) { + } elsif (($mysqlversion == 5) && ($mysqlminorversion >= 5)) { $hasauthcol = 1; } } else { - if (($mysqlversion > 5.7) || (($mysqlversion == 5.7) && ($mysqlsubver > 5))) { + if (($mysqlversion > 5) || (($mysqlminorversion == 5) && ($mysqlminorversion > 7)) || + (($mysqlversion == 5) && ($mysqlminorversion == 7) && ($mysqlsubver > 5))) { $usesauth = 1; - } elsif (($mysqlversion >= 5.6) || (($mysqlversion == 5.5) && ($mysqlsubver >= 7))) { + } elsif (($mysqlversion == 5) && + (($mysqlminorversion >= 6) || (($mysqlminorversion == 5) && ($mysqlsubver >= 7)))) { $hasauthcol = 1; } } if ($usescreate) { @mysql_commands = ("CREATE USER 'www'\@'localhost' IDENTIFIED BY 'localhostkey'"); } elsif ($usesauth) { - @mysql_commands = ("INSERT user (Host, User, ssl_cipher, x509_issuer, x509_subject, authentication_string) VALUES('localhost','www','','','','')"); + @mysql_commands = ("INSERT user (Host, User, ssl_cipher, x509_issuer, x509_subject, authentication_string) VALUES('localhost','www','','','','')", + "FLUSH PRIVILEGES"); if ($is_mariadb) { push(@mysql_commands,"ALTER USER 'www'\@'localhost' IDENTIFIED BY 'localhostkey'"); } else { @@ -2608,17 +2851,127 @@ sub new_mysql_rootpasswd { } sub get_mysql_version { - my ($version,$subversion,$name); + my ($version,$minorversion,$subversion,$name); if (open(PIPE," mysql -V |")) { my $info = ; chomp($info); close(PIPE); - ($version,$subversion,$name) = ($info =~ /(\d+\.\d+)\.(\d+)(?:\-?(\w*),|)/); + ($version,$minorversion,$subversion,$name) = ($info =~ /(\d+)\.(\d+)\.(\d+)(?:\-?(\w*),|)/); } else { print &mt('Could not determine which version of MySQL is installed.'). "\n"; } - return ($version,$subversion,$name); + return ($version,$minorversion,$subversion,$name); +} + +sub check_systemd_update { + my ($distro) = @_; + my ($use_systemctl,$service); + $service = 'apache2.service'; + if ($distro =~ /^ubuntu(\w+)/) { + if ($1 >= 16) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^debian(\w+)/) { + if ($1 >= 9) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^fedora(\d+)/) { + $service = 'httpd.service'; + if ($1 >= 16) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { + $service = 'httpd.service'; + if ($1 >= 7) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^sles(\d+)/) { + if ($1 >= 12) { + $use_systemctl = 1; + } + } elsif ($distro =~ /^suse(\d+)/) { + if ($1 >= 13) { + $use_systemctl = 1; + } + } + if ($use_systemctl) { + my $needsupdate = &check_systemd_security($distro); + if ($needsupdate) { + if (!-d '/etc/systemd/system/'.$service.'.d') { + mkdir '/etc/systemd/system/'.$service.'.d', 0755; + } + if (-d '/etc/systemd/system/'.$service.'.d') { + if (-e '/etc/systemd/system/'.$service.'.d/override.conf') { + if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) { + my ($inservice,$addservice,$protectoff,$linenum,$change,@lines); + while (my $entry = <$fh>) { + $linenum ++; + chomp($entry); + if ($entry eq '[Service]') { + if (!$protectoff) { + $inservice = $linenum; + push(@lines,$entry); + } else { + $addservice = 1; + next; + } + } + if ($entry =~ /^ProtectHome\s*=\s*([\w-]+)\s*$/) { + my $value = $1; + if ($protectoff) { + next; + if (lc($value) eq 'no') { + $protectoff = $linenum; + push(@lines,$entry); + } else { + if ($protectoff) { + next; + } else { + push(@lines,'ProtectHome=no'); + $protectoff = $linenum; + $change = $linenum; + } + } + } + } + } + close($fh); + if ($addservice || $change || !$protectoff) { + if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { + if ($addservice) { + print $fh "[Service]\n"; + } + foreach my $entry (@lines) { + print $fh "$entry\n"; + } + close($fh); + print_and_log('Updated /etc/systemd/system/'.$service.'.d/override.conf'); + } else { + print_and_log('Could not open /etc/systemd/system/'.$service.'.d/override.conf for writing.'); + } + } else { + print_and_log('No change needed in /etc/systemd/system/'.$service.'.d/override.conf'); + } + } else { + print_and_log('Could not open /etc/systemd/system/'.$service.'.d/override.conf for reading.'); + } + } else { + if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { + print $fh '[Service]'."\n".'ProtectHome=no'."\n"; + close($fh); + print_and_log('Created /etc/systemd/system/'.$service.'.d/override.conf'); + } + } + } else { + print_and_log('No /etc/systemd/system/'.$service.'.d directory exists and creating one failed,'); + } + } else { + print_and_log('No update needed to systemd security settings for Apache web server.'); + } + } else { + print_and_log('No update needed to systemd, as this Linux distro does not use systemctl'); + } } ########################################################### @@ -2631,7 +2984,7 @@ sub get_mysql_version { sub copy_httpd_conf { my ($instdir,$distro,$hostname) = @_; my $configfile = 'httpd.conf'; - if ($distro =~ /^(?:centos|rhes|scientific|oracle)(\d+)$/) { + if ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { if ($1 >= 7) { $configfile = 'apache2.4/httpd.conf'; } elsif ($1 > 5) { @@ -2678,7 +3031,7 @@ sub copy_mpm_conf { print_and_log("\n"); } else { my $logfail; - if ($distro =~ /^(?:centos|rhes|scientific|oracle)(\d+)$/) { + if ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { if ($1 > 7) { $logfail = 1; } @@ -3199,11 +3552,13 @@ sub copy_apache2_debconf { $distname = $1; $version = $2; } - if (($distname eq 'ubuntu') && ($version > 12)) { + if ((($distname eq 'ubuntu') && ($version > 12)) || + (($distname eq 'debian') && ($version >= 10))) { $defaultconfig = "$apache2_sites_enabled_dir/000-default.conf"; } my ($skipconf,$skipsite,$skipstatus); - if (($distname eq 'ubuntu') && ($version > 12)) { + if ((($distname eq 'ubuntu') && ($version > 12)) || + (($distname eq 'debian') && ($version >= 10))) { my $apache2_conf_enabled_dir = '/etc/apache2/conf-enabled'; my $apache2_conf_available_dir = '/etc/apache2/conf-available'; my $defaultconf = $apache2_conf_enabled_dir.'/loncapa.conf'; @@ -3216,10 +3571,15 @@ sub copy_apache2_debconf { copy("$apache2_conf_available_dir/loncapa","$apache2_conf_available_dir/loncapa.conf.original"); } else { copy("$apache2_conf_available_dir/loncapa","$apache2_conf_available_dir/loncapa.conf"); - symlink("$apache2_conf_available_dir/loncapa.conf","$defaultconf"); + chdir($apache2_conf_enabled_dir); + symlink('../conf-available/loncapa.conf','loncapa.conf'); + chdir($instdir); } if (-l $defaultconf) { my $linkfname = readlink($defaultconf); + if ($linkfname ne '') { + $linkfname = Cwd::abs_path(File::Spec->rel2abs($linkfname,$apache2_conf_enabled_dir)); + } if ($linkfname eq "$apache2_conf_available_dir/loncapa") { unlink($defaultconf); } @@ -3237,6 +3597,9 @@ sub copy_apache2_debconf { } if (-l $defaultconf) { my $linkfname = readlink($defaultconf); + if ($linkfname ne '') { + $linkfname = Cwd::abs_path(File::Spec->rel2abs($linkfname,$apache2_conf_enabled_dir)); + } if ($linkfname eq "$apache2_conf_available_dir/loncapa.conf") { unless ($diffres) { $skipconf = 1; @@ -3252,7 +3615,9 @@ sub copy_apache2_debconf { if (-l $defaultconf) { unlink($defaultconf); } - symlink("$apache2_conf_available_dir/loncapa.conf","$defaultconf"); + chdir($apache2_conf_enabled_dir); + symlink('../conf-available/loncapa.conf','loncapa.conf'); + chdir($instdir); } my $stdsite = "$instdir/debian-ubuntu/ubuntu14/loncapa_site"; if ((-e $stdsite) && (-e "$apache2_sites_available_dir/loncapa")) { @@ -3267,6 +3632,9 @@ sub copy_apache2_debconf { } if (-l $defaultconfig) { my $linkfname = readlink($defaultconfig); + if ($linkfname ne '') { + $linkfname = Cwd::abs_path(File::Spec->rel2abs($linkfname,$apache2_sites_enabled_dir)); + } if ($linkfname eq "$apache2_sites_available_dir/loncapa") { unlink($defaultconfig); } @@ -3284,7 +3652,10 @@ sub copy_apache2_debconf { } if (-l $defaultsite) { my $linkfname = readlink($defaultsite); - if ($linkfname eq "$apache2_conf_available_dir/loncapa.conf") { + if ($linkfname ne '') { + $linkfname = Cwd::abs_path(File::Spec->rel2abs($linkfname,$apache2_sites_enabled_dir)); + } + if ($linkfname eq "$apache2_sites_available_dir/loncapa.conf") { unless ($diffres) { $skipsite = 1; } @@ -3296,11 +3667,16 @@ sub copy_apache2_debconf { print_and_log(&mt('Copying loncapa [_1] site file to [_2] and pointing [_3] to it from sites-enabled.',"'apache2'","'/etc/apache2/sites-available'","'loncapa.conf symlink'")."\n"); copy("$instdir/debian-ubuntu/ubuntu14/loncapa_site","$apache2_sites_available_dir/loncapa.conf"); chmod(0444,"$apache2_sites_available_dir/loncapa.conf"); - symlink("$apache2_sites_available_dir/loncapa.conf","$defaultsite"); + chdir($apache2_sites_enabled_dir); + symlink('../sites-available/loncapa.conf','loncapa.conf'); + chdir($instdir); } - if (-l defaultconfig) { + if (-l $defaultconfig) { my $linkfname = readlink($defaultconfig); - if ($linkfname eq "$apache2_sites_available_dir/000-default") { + if ($linkfname ne '') { + $linkfname = Cwd::abs_path(File::Spec->rel2abs($linkfname,$apache2_sites_enabled_dir)); + } + if ($linkfname eq "$apache2_sites_available_dir/000-default.conf") { unlink($defaultconfig); } } @@ -3335,7 +3711,7 @@ sub copy_apache2_debconf { } } } - if ($distname eq 'ubuntu') { + if (($distname eq 'ubuntu') || ($distname eq 'debian')) { my $sitestatus = "$apache2_mods_available_dir/status.conf"; my $stdstatus = "$instdir/debian-ubuntu/status.conf"; if ((-e $sitestatus) && (-e $stdstatus)) { @@ -3536,31 +3912,47 @@ sub download_loncapa { print_and_log(" ------------------------------------------------------------------------ -".&mt('You seem to have a version of loncapa-current.tar.gz in [_1]',$instdir)."\n". +".&mt('You seem to have a version of [_1] in [_2]',$lctarball,$instdir)."\n". &mt('This copy will be used and a new version will NOT be downloaded.')."\n". &mt('If you wish, you may download a new version by executing:')." -wget http://install.loncapa.org/versions/loncapa-current.tar.gz +wget http://install.loncapa.org/versions/$lctarball ------------------------------------------------------------------------ "); } ## - ## untar loncapa.tar.gz + ## untar loncapa-X.Y.Z.tar.gz ## if ($have_tarball) { + my $homedir = '/root'; + my ($targetdir,$chdircmd,$updatecmd); + if (($distro =~ /^ubuntu/) && ($instdir ne $homedir)) { + ($homedir) = ($instdir =~ m{^(.*)/[^/]+$}); + $updatecmd = 'sudo ./UPDATE'; + } else { + $updatecmd = './UPDATE'; + } print_and_log(&mt('Extracting LON-CAPA source files')."\n"); - writelog(`cd ~root; tar zxf $instdir/$lctarball`); + if (-e $homedir) { + writelog(`tar zxf $instdir/$lctarball --directory $homedir`); + $targetdir = $homedir; + } else { + writelog(`tar zxf $instdir/$lctarball`); + $targetdir = $instdir; + } + if ($lctarball =~ /^loncapa\-(\d+\.\d+\.\d+(?:|[^.]+))\.tar\.gz$/) { + $chdircmd = "cd $targetdir/loncapa-".$1; + } else { + $chdircmd = "cd $targetdir/loncapa-X.Y.Z (X.Y.Z should correspond to a version number like '2.11.3')"; + } print_and_log("\n"); print &mt('LON-CAPA source files extracted.')."\n". - &mt('It remains for you to execute the following commands:')." - -cd /root/loncapa-X.Y.Z (X.Y.Z should correspond to a version number like '2.11.3') -./UPDATE - -".&mt('If you have any trouble, please see [_1] and [_2]', - 'http://install.loncapa.org/','http://help.loncapa.org/')."\n"; + &mt('It remains for you to execute the following commands:'). + "\n$chdircmd\n$updatecmd\n". + &mt('If you have any trouble, please see [_1] and [_2]', + 'http://install.loncapa.org/','http://help.loncapa.org/')."\n"; $updateshown = 1; } return ($have_tarball,$updateshown);