Merge branch 'release/v0.5.0'

CHANGELOG.md

@@ -3,7 +3,24 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/passbolt_install_scripts/compare/v0.3.1...HEAD)
+## [Unreleased](https://github.com/passbolt/passbolt_install_scripts/compare/v0.4.0...HEAD)
+
+## [0.5.0](https://github.com/passbolt/passbolt_install_scripts/compare/v0.5.0..v0.4.0) - 2020-04-20
+
+This release adds support to configure firewalls on centos platform to open passbolt necessary ports
+and it also introduces EXPERIMENTAL support for Red Hat Enterprise Linux.
+
+### Added
+
+- Open ports 80 and 443 on centos firewalls [#6](Centos: Firewall left unconfigured blocking access to passbolt interface.)
+- Experimental support for RHEL installations from version 7.0
+    * Use of software collections:
+       1. rhel-server-rhscl-7-rpms
+       2. rhel-7-server-extras-rpms
+       3. rhel-7-server-optional-rpms
+    * Use of Epel-release repository
+    * Setup firewall to open ports 80 and 443
+    * Support for certbot for lets encrypt
 
 ## [0.4.0](https://github.com/passbolt/passbolt_install_scripts/compare/v0.4.0..v0.3.2) - 2019-08-07
 

build_scripts.sh

@@ -16,7 +16,7 @@ help_message() {
 
   OPTIONS:
     -h                    This help message
-    -d DISTRIBUTION_NAME  Builds for a specific distribution. Supported values centos/debian/ubuntu
+    -d DISTRIBUTION_NAME  Builds for a specific distribution. Supported values centos/debian/redhat/ubuntu
 EOF
 }
 
@@ -44,7 +44,7 @@ build() {
   local os=$1
   local output=dist/"$os"/passbolt_ce_"$os"_installer.sh
 
-  if ! [[ "$os" =~ ^(debian|ubuntu|centos)$ ]]; then
+  if ! [[ "$os" =~ ^(debian|ubuntu|centos|redhat)$ ]]; then
     error "Distribution not supported"
   fi
 
@@ -71,7 +71,7 @@ build() {
     cat "$initializer" >> "$output";
   done
 
-  if [ "$os" == "centos" ]; then
+  if [ "$os" == "centos" ] || [ "$os" == "redhat" ]; then
     for helper in lib/helpers/"$os"/*.sh; do
       cat "$helper" >> "$output";
     done
@@ -94,6 +94,11 @@ build() {
   cp conf/nginx/*.conf "dist/$os/conf/nginx"
   cp conf/php/*.conf "dist/$os/conf/php"
   cp "conf/$os/packages.txt" "dist/$os/conf/packages.txt"
+
+  if [ "$os" == "redhat" ]; then
+    sed -i s:-euo:-eo: "$output"
+    sed -i s:/etc/nginx:/etc/opt/rh/rh-nginx116/nginx: "$output"
+  fi
 }
 
 while getopts "chd:" opt; do
@@ -112,6 +117,7 @@ while getopts "chd:" opt; do
       checksum centos 7
       compress ubuntu 18.04
       checksum ubuntu 18.04
+      compress redhat EXPERIMENTAL
       ;;
     *)
       error "No such build option"

conf/constants_common.sh

@@ -5,7 +5,8 @@ readonly PROGNAME="$0"
 readonly PASSBOLT_BASE_DIR="/var/www/passbolt"
 readonly PASSBOLT_REPO="https://github.com/passbolt/passbolt_api"
 readonly PASSBOLT_BRANCH="master"
-readonly NGINX_SITE_DIR='/etc/nginx/conf.d'
+readonly NGINX_BASE='/etc/nginx'
+readonly NGINX_SITE_DIR="$NGINX_BASE/conf.d"
 readonly SSL_CERT_PATH='/etc/ssl/certs/passbolt_certificate.crt'
 readonly SSL_KEY_PATH='/etc/ssl/certs/passbolt_private.key'
 readonly LETSENCRYPT_LIVE_DIR='/etc/letsencrypt/live'

conf/redhat/constants.sh

@@ -0,0 +1,10 @@
+readonly OS='redhat'
+readonly OS_SUPPORTED_VERSION="7.0"
+readonly OS_VERSION_FILE="/etc/redhat-release"
+readonly FPM_WWW_POOL="/etc/opt/rh/rh-php73/php-fpm.d/www.conf"
+readonly FPM_SERVICE="rh-php73-php-fpm"
+readonly WWW_USER="nginx"
+readonly WWW_USER_HOME="/var/opt/rh/rh-nginx116/lib/nginx"
+readonly GNUPG_HOME='/var/lib/nginx/.gnupg'
+readonly CRONTAB_DIR='/var/spool/cron/'
+readonly PHP_EXT_DIR='/etc/opt/rh/rh-php73/php.d'

conf/redhat/packages.txt

@@ -0,0 +1,18 @@
+rh-php73-php-intl
+rh-php73-php-gd
+rh-php73-php-mysqlnd
+rh-php73-php-pdo
+rh-php73-php-pear
+rh-php73-php-devel
+rh-php73-php-mbstring
+rh-php73-php-fpm
+rh-php73-php-ldap
+rh-nginx116-nginx
+gcc
+git
+policycoreutils-python
+unzip
+wget
+python2-certbot-nginx
+scl-utils
+gpgme-devel

lib/helpers/centos/setup_firewall.sh

@@ -0,0 +1,11 @@
+setup_firewall() {
+  local zone=public
+  local services=(http https)
+  banner "Opening ports 80 and 443 on firewall"
+
+  for i in "${services[@]}"; do
+    firewall-cmd --permanent --zone="$zone" --add-service="$i"
+  done
+
+  enable_service firewalld
+}

lib/helpers/centos/setup_software_collections.sh

@@ -0,0 +1,9 @@
+activate_scl() {
+  source /opt/rh/rh-php73/enable
+  source /opt/rh/rh-nginx116/enable
+  cat <<EOF > /etc/profile.d/passbolt_scl.sh
+#!/bin/bash
+source scl_source enable rh-php73
+source scl_source enable rh-nginx116
+EOF
+}

lib/helpers/centos/setup_yum.sh

@@ -1,7 +1,27 @@
 setup_yum() {
-  install_packages yum-utils epel-release
-  if ! yum list installed | grep remi-release; then
-    yum -y install "$REMI_PHP_URL"
-  fi
-  yum-config-manager --enable "$REMI_PHP_VERSION"
+  local os="${1:-centos}"
+  case $os in
+    centos)
+      install_packages "yum-utils epel-release $REMI_PHP_URL"
+      yum-config-manager --enable "$REMI_PHP_VERSION"
+      ;;
+    redhat)
+      enable_repos
+      if ! yum list installed | grep epel-release; then
+        install_packages "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
+      fi
+  esac
+}
+
+
+enable_repos() {
+  local repos=(rhel-server-rhscl-7-rpms rhel-7-server-extras-rpms rhel-7-server-optional-rpms)
+  local enabled_repos=""
+
+  enabled_repos="$(subscription-manager repos --list-enabled | grep 'Repo ID' | awk '{print $3}')"
+  for repo in "${repos[@]}"; do
+    if ! [[ "$enabled_repos" == *"$repo"* ]]; then
+      subscription-manager repos --enable "$repo"
+    fi
+  done
 }

lib/helpers/mysql_setup.sh

@@ -4,10 +4,13 @@
 # require service_enabler.sh
 # require package_installer.sh
 mysql_setup() {
+  local mariadb_package="${1:-mariadb-server}"
+  local mariadb_service="${2:-mariadb}"
+
   if [[ "$(__config_get 'mariadb_local_installation')" == true ]]; then
     banner 'Installing mariadb...'
-    install_packages 'mariadb-server'
-    enable_service 'mariadb'
+    install_packages "$mariadb_package"
+    enable_service "$mariadb_service"
     __install_db 'mariadb_root_password' 'mariadb_user' 'mariadb_passbolt_password' 'mariadb_name'
   else
     banner 'Using remote or custom database installation'

lib/helpers/package_installer.sh

@@ -7,6 +7,9 @@ __installer_command() {
     'centos')
       _installer=yum
       ;;
+    'redhat')
+      _installer=yum
+      ;;
     *)
       die "Unsupported OS"
       ;;

lib/helpers/redhat

@@ -0,0 +1 @@
+centos

lib/helpers/setup_nginx.sh

@@ -6,10 +6,10 @@ __nginx_config(){
   local nginx_config_file="$2"
   local _config_passbolt_host="$3"
 
-  if grep -q "^[[:space:]]*server_names_hash_bucket_size[[:space:]]*64;" /etc/nginx/nginx.conf; then
+  if grep -q "^[[:space:]]*server_names_hash_bucket_size[[:space:]]*64;" "$NGINX_BASE/nginx.conf"; then
     echo "Server names hash bucket is 64"
   else
-    sed -i '/^http {/ a\\tserver_names_hash_bucket_size 64;' /etc/nginx/nginx.conf
+    sed -i '/^http {/ a\\tserver_names_hash_bucket_size 64;' "$NGINX_BASE/nginx.conf"
   fi
 
   if [ ! -f "$nginx_config_file" ]; then
@@ -25,20 +25,21 @@ __ssl_substitutions(){
 
 setup_nginx(){
   local passbolt_domain
+  local nginx_service="${1:-nginx}"
 
   passbolt_domain=$(__config_get 'passbolt_hostname')
   banner "Setting up nginx..."
 
   __nginx_config "$script_directory/conf/nginx/passbolt.conf" "$NGINX_SITE_DIR/passbolt.conf" 'passbolt_hostname'
-  enable_service 'nginx'
+  enable_service "$nginx_service"
 
   if [[ "$(__config_get 'ssl_auto')" == 'true' ]]; then
     if __setup_letsencrypt 'passbolt_hostname' 'letsencrypt_email'; then
       __nginx_config "$script_directory/conf/nginx/passbolt_ssl.conf" "$NGINX_SITE_DIR/passbolt_ssl.conf" 'passbolt_hostname'
       ln -s "$LETSENCRYPT_LIVE_DIR/$passbolt_domain/cert.pem" "$SSL_CERT_PATH"
       ln -s "$LETSENCRYPT_LIVE_DIR/$passbolt_domain/privkey.pem" "$SSL_KEY_PATH"
       __ssl_substitutions
-      enable_service 'nginx'
+      enable_service "$nginx_service"
     else
       banner "WARNING: Unable to setup SSL using lets encrypt. Please check the install.log"
     fi
@@ -48,6 +49,6 @@ setup_nginx(){
     __nginx_config "$script_directory/conf/nginx/passbolt_ssl.conf" "$NGINX_SITE_DIR/passbolt_ssl.conf" 'passbolt_hostname'
     __copy_ssl_certs 'ssl_certificate' 'ssl_privkey'
     __ssl_substitutions
-    enable_service 'nginx'
+    enable_service "$nginx_service"
   fi
 }

lib/helpers/utils/messages.sh

@@ -33,7 +33,7 @@ disclaimer() {
        /_/    \__,_/____/____/_,___/\____/_/\__/
 
       The open source password manager for teams
-      (c) 2018 Passbolt SARL
+      (c) 2020 Passbolt SA
       https://www.passbolt.com
 ================================================================
 IMPORTANT NOTE: This installation scripts are for use only

lib/main/centos/main.sh

@@ -12,10 +12,11 @@ main(){
   setup_fpm
   setup_gpg_keyring
   passbolt_install
+  setup_firewall
+  setup_selinux
   setup_nginx
   setup_entropy
   cron_job
-  setup_selinux
   installation_complete
 }
 

lib/main/redhat/main.sh

@@ -0,0 +1,24 @@
+main(){
+  init_config
+  get_options "$@"
+  validate_os 'redhat'
+  disclaimer
+  interactive_prompter
+  banner 'Installing os dependencies...'
+  setup_yum 'redhat'
+  install_packages "$(cat "$script_directory/conf/packages.txt")"
+  activate_scl
+  mysql_setup
+  install_gpg_extension
+  setup_fpm 'rh-php73-php-fpm'
+  setup_gpg_keyring
+  passbolt_install
+  setup_firewall
+  setup_selinux
+  setup_nginx 'rh-nginx116-nginx'
+  setup_entropy
+  cron_job
+  installation_complete
+}
+
+main "$@" 2>&1 | tee -a install.log

templates/header.in

@@ -10,7 +10,7 @@ set -euo pipefail
 # This script must be executed with root permissions        #
 #                                                           #
 # Passbolt, the open source password manager for teams      #
-# (c) 2018 Passbolt SARL                                    #
+# (c) 2020 Passbolt SA                                    #
 # https://www.passbolt.com                                  #
 #                                                           #
 #############################################################