diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7ebb3d0..4f6c3f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,24 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
-## [Unreleased](https://github.com/passbolt/passbolt_install_scripts/compare/v0.3.1...HEAD)
+## [Unreleased](https://github.com/passbolt/passbolt_install_scripts/compare/v0.4.0...HEAD)
+
+## [0.5.0](https://github.com/passbolt/passbolt_install_scripts/compare/v0.5.0..v0.4.0) - 2020-04-20
+
+This release adds support to configure firewalls on centos platform to open passbolt necessary ports
+and it also introduces EXPERIMENTAL support for Red Hat Enterprise Linux.
+
+### Added
+
+- Open ports 80 and 443 on centos firewalls [#6](Centos: Firewall left unconfigured blocking access to passbolt interface.)
+- Experimental support for RHEL installations from version 7.0
+ * Use of software collections:
+ 1. rhel-server-rhscl-7-rpms
+ 2. rhel-7-server-extras-rpms
+ 3. rhel-7-server-optional-rpms
+ * Use of Epel-release repository
+ * Setup firewall to open ports 80 and 443
+ * Support for certbot for lets encrypt
 ## [0.4.0](https://github.com/passbolt/passbolt_install_scripts/compare/v0.4.0..v0.3.2) - 2019-08-07
diff --git a/build_scripts.sh b/build_scripts.sh
index 62f18a5..60bf2be 100755
--- a/build_scripts.sh
+++ b/build_scripts.sh
@@ -16,7 +16,7 @@ help_message() {
 OPTIONS:
 -h This help message
- -d DISTRIBUTION_NAME Builds for a specific distribution. Supported values centos/debian/ubuntu
+ -d DISTRIBUTION_NAME Builds for a specific distribution. Supported values centos/debian/redhat/ubuntu
 EOF
 }
@@ -44,7 +44,7 @@ build() {
 local os=$1
 local output=dist/"$os"/passbolt_ce_"$os"_installer.sh
- if ! [[ "$os" =~ ^(debian|ubuntu|centos)$ ]]; then
+ if ! [[ "$os" =~ ^(debian|ubuntu|centos|redhat)$ ]]; then
 error "Distribution not supported"
 fi
@@ -71,7 +71,7 @@ build() {
 cat "$initializer" >> "$output";
 done
- if [ "$os" == "centos" ]; then
+ if [ "$os" == "centos" ] || [ "$os" == "redhat" ]; then
 for helper in lib/helpers/"$os"/*.sh; do
 cat "$helper" >> "$output";
 done
@@ -94,6 +94,11 @@ build() {
 cp conf/nginx/*.conf "dist/$os/conf/nginx"
 cp conf/php/*.conf "dist/$os/conf/php"
 cp "conf/$os/packages.txt" "dist/$os/conf/packages.txt"
+
+ if [ "$os" == "redhat" ]; then
+ sed -i s:-euo:-eo: "$output"
+ sed -i s:/etc/nginx:/etc/opt/rh/rh-nginx116/nginx: "$output"
+ fi
 }
 while getopts "chd:" opt; do
@@ -112,6 +117,7 @@ while getopts "chd:" opt; do
 checksum centos 7
 compress ubuntu 18.04
 checksum ubuntu 18.04
+ compress redhat EXPERIMENTAL
 ;;
 *)
 error "No such build option"
diff --git a/conf/constants_common.sh b/conf/constants_common.sh
index 6206242..e42e564 100644
--- a/conf/constants_common.sh
+++ b/conf/constants_common.sh
@@ -5,7 +5,8 @@ readonly PROGNAME="$0"
 readonly PASSBOLT_BASE_DIR="/var/www/passbolt"
 readonly PASSBOLT_REPO="https://github.com/passbolt/passbolt_api"
 readonly PASSBOLT_BRANCH="master"
-readonly NGINX_SITE_DIR='/etc/nginx/conf.d'
+readonly NGINX_BASE='/etc/nginx'
+readonly NGINX_SITE_DIR="$NGINX_BASE/conf.d"
 readonly SSL_CERT_PATH='/etc/ssl/certs/passbolt_certificate.crt'
 readonly SSL_KEY_PATH='/etc/ssl/certs/passbolt_private.key'
 readonly LETSENCRYPT_LIVE_DIR='/etc/letsencrypt/live'
diff --git a/conf/redhat/constants.sh b/conf/redhat/constants.sh
new file mode 100644
index 0000000..5aa096c
--- /dev/null
+++ b/conf/redhat/constants.sh
@@ -0,0 +1,10 @@
+readonly OS='redhat'
+readonly OS_SUPPORTED_VERSION="7.0"
+readonly OS_VERSION_FILE="/etc/redhat-release"
+readonly FPM_WWW_POOL="/etc/opt/rh/rh-php73/php-fpm.d/www.conf"
+readonly FPM_SERVICE="rh-php73-php-fpm"
+readonly WWW_USER="nginx"
+readonly WWW_USER_HOME="/var/opt/rh/rh-nginx116/lib/nginx"
+readonly GNUPG_HOME='/var/lib/nginx/.gnupg'
+readonly CRONTAB_DIR='/var/spool/cron/'
+readonly PHP_EXT_DIR='/etc/opt/rh/rh-php73/php.d'
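Review bot: `sed -i s:-euo:-eo: "$output"` strips nounset (`set -u`) from the entire generated RHEL installer, so any unset variable in a root-run script silently expands to empty — a path like `"$NGINX_BASE/nginx.conf"` or `"$WWW_USER_HOME/.gnupg"` would become `/nginx.conf` or `/.gnupg` instead of aborting. The usual reason for this is that the SCL `enable` scripts sourced by `activate_scl` reference unset variables; if that is the case here, disable nounset only around those two `source` lines (`set +u` / `set -u`) and drop this sed. The second sed rewrites every `/etc/nginx` occurrence in the built script as a post-build patch; now that `NGINX_BASE` is a named constant, setting it per distribution in `conf/redhat/constants.sh` with `constants_common.sh` honouring a pre-set value (`readonly NGINX_BASE="${NGINX_BASE:-/etc/nginx}"`) keeps the RHEL paths visible in the sources, assuming the per-OS constants are concatenated before the common ones. `build()` starts before this hunk.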
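Review bot: `GNUPG_HOME='/var/lib/nginx/.gnupg'` does not agree with `WWW_USER_HOME="/var/opt/rh/rh-nginx116/lib/nginx"` on the line above it, so the server keyring — which holds the passbolt server's private OpenPGP key — ends up outside the SCL nginx user's home, in a directory the `rh-nginx116-nginx` package presumably neither creates nor labels. Unless `setup_gpg_keyring` (not in this diff) creates, chowns and labels that path itself, derive it from the home: `readonly GNUPG_HOME="$WWW_USER_HOME/.gnupg"`, and confirm `setup_selinux` applies a context the SCL nginx can read. A short comment above `FPM_WWW_POOL` noting that these paths are the rh-php73/rh-nginx116 software-collection layout would help the next person who bumps the collection versions.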
diff --git a/conf/redhat/packages.txt b/conf/redhat/packages.txt
new file mode 100644
index 0000000..3bb0a27
--- /dev/null
+++ b/conf/redhat/packages.txt
@@ -0,0 +1,18 @@
+rh-php73-php-intl
+rh-php73-php-gd
+rh-php73-php-mysqlnd
+rh-php73-php-pdo
+rh-php73-php-pear
+rh-php73-php-devel
+rh-php73-php-mbstring
+rh-php73-php-fpm
+rh-php73-php-ldap
+rh-nginx116-nginx
+gcc
+git
+policycoreutils-python
+unzip
+wget
+python2-certbot-nginx
+scl-utils
+gpgme-devel
diff --git a/lib/helpers/centos/setup_firewall.sh b/lib/helpers/centos/setup_firewall.sh
new file mode 100644
index 0000000..7cbcb8b
--- /dev/null
+++ b/lib/helpers/centos/setup_firewall.sh
@@ -0,0 +1,11 @@
+setup_firewall() {
+ local zone=public
+ local services=(http https)
+ banner "Opening ports 80 and 443 on firewall"
+
+ for i in "${services[@]}"; do
+ firewall-cmd --permanent --zone="$zone" --add-service="$i"
+ done
+
+ enable_service firewalld
+}
diff --git a/lib/helpers/centos/setup_software_collections.sh b/lib/helpers/centos/setup_software_collections.sh
new file mode 100644
index 0000000..18953f0
--- /dev/null
+++ b/lib/helpers/centos/setup_software_collections.sh
@@ -0,0 +1,9 @@
+activate_scl() {
+ source /opt/rh/rh-php73/enable
+ source /opt/rh/rh-nginx116/enable
+ cat < /etc/profile.d/passbolt_scl.sh
+#!/bin/bash
+source scl_source enable rh-php73
+source scl_source enable rh-nginx116
+EOF
+}
diff --git a/lib/helpers/centos/setup_yum.sh b/lib/helpers/centos/setup_yum.sh
index 3203784..835db58 100644
--- a/lib/helpers/centos/setup_yum.sh
+++ b/lib/helpers/centos/setup_yum.sh
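Review bot: `gcc`, `rh-php73-php-devel` and `gpgme-devel` are build-time dependencies (presumably for the PECL gnupg extension that `install_gpg_extension` compiles), but nothing in the installer removes them afterwards, so a production password-manager host keeps a compiler and headers permanently. Consider splitting the list into runtime and build packages and removing the build set once the extension is built (`yum -y remove gcc rh-php73-php-devel gpgme-devel`), or at least documenting that operators should. `python2-certbot-nginx` comes from EPEL rather than a Red Hat channel, so the TLS automation on RHEL depends on a third-party repository being trusted; that is worth a line in the README for RHEL users.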
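Review bot: `firewall-cmd --permanent --zone="$zone" --add-service="$i"` only writes the saved configuration; on a host where firewalld is already running the live rule set is untouched until the daemon reloads, and `enable_service firewalld` (defined outside this diff) may not restart an already-running daemon, so ports 80/443 can stay closed until the next reboot. Add `firewall-cmd --reload` after `enable_service firewalld`. Hard-coding `zone=public` also misses hosts whose interface is in a different zone; `zone="$(firewall-cmd --get-default-zone)"` with `public` as the fallback follows the host's actual configuration. `firewalld` is not listed in `conf/redhat/packages.txt`, so under `set -e` a minimal install without it aborts here, after passbolt is already installed — add it to the package list or guard with `command -v firewall-cmd >/dev/null`.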
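Review bot: `cat < /etc/profile.d/passbolt_scl.sh` as shown reads that file instead of writing the heredoc to it; this looks like a `<<EOF >` lost in rendering, but if the committed line really reads this way the profile script is never created and the run aborts under `set -e` — please confirm the line is `cat <<EOF > /etc/profile.d/passbolt_scl.sh`. Sourcing `/opt/rh/rh-php73/enable` and `/opt/rh/rh-nginx116/enable` affects only this shell and, via profile.d, future login shells; it presumably does nothing for the crontab that `cron_job` installs, so any crontab entry calling a bare `php` will not find the SCL binary — use `/opt/rh/rh-php73/root/usr/bin/php` or `scl enable rh-php73 -- php` there. The SCL `enable` scripts are a common reason installers drop `set -u`; wrapping these two `source` lines in `set +u` / `set -u` keeps nounset for the rest of the installer instead of patching it out at build time.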
@@ -1,7 +1,27 @@
 setup_yum() {
- install_packages yum-utils epel-release
- if ! yum list installed | grep remi-release; then
- yum -y install "$REMI_PHP_URL"
- fi
- yum-config-manager --enable "$REMI_PHP_VERSION"
+ local os="${1:-centos}"
+ case $os in
+ centos)
+ install_packages "yum-utils epel-release $REMI_PHP_URL"
+ yum-config-manager --enable "$REMI_PHP_VERSION"
+ ;;
+ redhat)
+ enable_repos
+ if ! yum list installed | grep epel-release; then
+ install_packages "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
+ fi
+ esac
+}
+
+
+enable_repos() {
+ local repos=(rhel-server-rhscl-7-rpms rhel-7-server-extras-rpms rhel-7-server-optional-rpms)
+ local enabled_repos=""
+
+ enabled_repos="$(subscription-manager repos --list-enabled | grep 'Repo ID' | awk '{print $3}')"
+ for repo in "${repos[@]}"; do
+ if ! [[ "$enabled_repos" == *"$repo"* ]]; then
+ subscription-manager repos --enable "$repo"
+ fi
+ done
 }
diff --git a/lib/helpers/mysql_setup.sh b/lib/helpers/mysql_setup.sh
index 864ebd5..f7f84af 100644
--- a/lib/helpers/mysql_setup.sh
+++ b/lib/helpers/mysql_setup.sh
@@ -4,10 +4,13 @@ # require service_enabler.sh
 # require package_installer.sh
 mysql_setup() {
+ local mariadb_package="${1:-mariadb-server}"
+ local mariadb_service="${2:-mariadb}"
+
 if [[ "$(__config_get 'mariadb_local_installation')" == true ]]; then
 banner 'Installing mariadb...'
- install_packages 'mariadb-server'
- enable_service 'mariadb'
+ install_packages "$mariadb_package"
+ enable_service "$mariadb_service"
 __install_db 'mariadb_root_password' 'mariadb_user' 'mariadb_passbolt_password' 'mariadb_name'
 else
 banner 'Using remote or custom database installation'
diff --git a/lib/helpers/package_installer.sh b/lib/helpers/package_installer.sh
index 3db165b..33f7dd2 100644
--- a/lib/helpers/package_installer.sh
+++ b/lib/helpers/package_installer.sh
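Review bot: `install_packages "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"` bootstraps EPEL from a URL, and yum does not signature-check a package given by URL unless `localpkg_gpgcheck=1` is set, so the only protection on this root-installed RPM is the TLS connection; import the EPEL key first (`rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7`) and install with the check enabled (`yum -y --setopt=localpkg_gpgcheck=1 install <url>`), or install `epel-release` from the Red Hat extras channel enabled just above if it is provided there. In `enable_repos`, `enabled_repos="$(subscription-manager repos --list-enabled | grep 'Repo ID' | awk '{print $3}')"` aborts the installer under `set -e`/`pipefail` with an opaque error when the host is unregistered or has no enabled repositories, because `grep` exits 1 on no match — check `subscription-manager status` first and fail with an explicit message, or append `|| true` so the loop can go on to enable the repositories. `yum list installed | grep epel-release` also matches any package whose name contains that string; `rpm -q epel-release >/dev/null` is the exact test.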
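Review bot: The two new positional parameters `$1`/`$2` are not mentioned in the file's `# require` header block, so a caller has to read the body to learn that `mysql_setup 'mariadb-server' 'mariadb'` is the shape. Add above `mysql_setup() {`: `# Arguments: $1 package to install (default mariadb-server), $2 service to enable (default mariadb)`. The RHEL entry point in this release calls `mysql_setup` with no arguments, so RHEL gets the base `mariadb-server`, not an SCL MariaDB — presumably intended, but worth saying in that comment. `mysql_setup` continues past the end of this hunk.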
@@ -7,6 +7,9 @@ __installer_command() {
 'centos')
 _installer=yum
 ;;
+ 'redhat')
+ _installer=yum
+ ;;
 *)
 die "Unsupported OS"
 ;;
diff --git a/lib/helpers/redhat b/lib/helpers/redhat
new file mode 120000
index 0000000..95e1895
--- /dev/null
+++ b/lib/helpers/redhat
@@ -0,0 +1 @@
+centos
\ No newline at end of file
diff --git a/lib/helpers/setup_nginx.sh b/lib/helpers/setup_nginx.sh
index 8570e44..df43a68 100644
--- a/lib/helpers/setup_nginx.sh
+++ b/lib/helpers/setup_nginx.sh
@@ -6,10 +6,10 @@ __nginx_config(){
 local nginx_config_file="$2"
 local _config_passbolt_host="$3"
- if grep -q "^[[:space:]]*server_names_hash_bucket_size[[:space:]]*64;" /etc/nginx/nginx.conf; then
+ if grep -q "^[[:space:]]*server_names_hash_bucket_size[[:space:]]*64;" "$NGINX_BASE/nginx.conf"; then
 echo "Server names hash bucket is 64"
 else
- sed -i '/^http {/ a\\tserver_names_hash_bucket_size 64;' /etc/nginx/nginx.conf
+ sed -i '/^http {/ a\\tserver_names_hash_bucket_size 64;' "$NGINX_BASE/nginx.conf"
 fi
 if [ ! -f "$nginx_config_file" ]; then
@@ -25,12 +25,13 @@ __ssl_substitutions(){
 setup_nginx(){
 local passbolt_domain
+ local nginx_service="${1:-nginx}"
 passbolt_domain=$(__config_get 'passbolt_hostname')
 banner "Setting up nginx..."
 __nginx_config "$script_directory/conf/nginx/passbolt.conf" "$NGINX_SITE_DIR/passbolt.conf" 'passbolt_hostname'
- enable_service 'nginx'
+ enable_service "$nginx_service"
 if [[ "$(__config_get 'ssl_auto')" == 'true' ]]; then
 if __setup_letsencrypt 'passbolt_hostname' 'letsencrypt_email'; then
@@ -38,7 +39,7 @@ setup_nginx(){
 ln -s "$LETSENCRYPT_LIVE_DIR/$passbolt_domain/cert.pem" "$SSL_CERT_PATH"
 ln -s "$LETSENCRYPT_LIVE_DIR/$passbolt_domain/privkey.pem" "$SSL_KEY_PATH"
 __ssl_substitutions
- enable_service 'nginx'
+ enable_service "$nginx_service"
 else
 banner "WARNING: Unable to setup SSL using lets encrypt. Please check the install.log"
 fi
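Review bot: `local nginx_service="${1:-nginx}"` introduces an undocumented positional parameter on `setup_nginx`, used by each of the `enable_service "$nginx_service"` calls, so a one-line header above `setup_nginx(){` would help: `# Arguments: $1 nginx systemd service name (default nginx; rh-nginx116-nginx on RHEL)`. Unrelated to this change but visible in the context lines, `ln -s ... privkey.pem "$SSL_KEY_PATH"` places the Let's Encrypt private key under `/etc/ssl/certs/`, a directory normally holding public material; whoever next touches `SSL_KEY_PATH` in `constants_common.sh` should consider `/etc/ssl/private/` with mode 0600. `setup_nginx` continues beyond this hunk.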
@@ -48,6 +49,6 @@ setup_nginx(){
 __nginx_config "$script_directory/conf/nginx/passbolt_ssl.conf" "$NGINX_SITE_DIR/passbolt_ssl.conf" 'passbolt_hostname'
 __copy_ssl_certs 'ssl_certificate' 'ssl_privkey'
 __ssl_substitutions
- enable_service 'nginx'
+ enable_service "$nginx_service"
 fi
 }
diff --git a/lib/helpers/utils/messages.sh b/lib/helpers/utils/messages.sh
index 8731304..b4b33ee 100644
--- a/lib/helpers/utils/messages.sh
+++ b/lib/helpers/utils/messages.sh
@@ -33,7 +33,7 @@ disclaimer() {
 /_/ \__,_/____/____/_,___/\____/_/\__/
 The open source password manager for teams
- (c) 2018 Passbolt SARL
+ (c) 2020 Passbolt SA
 https://www.passbolt.com
 ================================================================
 IMPORTANT NOTE: This installation scripts are for use only
diff --git a/lib/main/centos/main.sh b/lib/main/centos/main.sh
index 7e13d33..0f79bdb 100644
--- a/lib/main/centos/main.sh
+++ b/lib/main/centos/main.sh
@@ -12,10 +12,11 @@ main(){
 setup_fpm
 setup_gpg_keyring
 passbolt_install
+ setup_firewall
+ setup_selinux
 setup_nginx
 setup_entropy
 cron_job
- setup_selinux
 installation_complete
 }
diff --git a/lib/main/redhat/main.sh b/lib/main/redhat/main.sh
new file mode 100644
index 0000000..e19c87a
--- /dev/null
+++ b/lib/main/redhat/main.sh
@@ -0,0 +1,24 @@
+main(){
+ init_config
+ get_options "$@"
+ validate_os 'redhat'
+ disclaimer
+ interactive_prompter
+ banner 'Installing os dependencies...'
+ setup_yum 'redhat'
+ install_packages "$(cat "$script_directory/conf/packages.txt")"
+ activate_scl
+ mysql_setup
+ install_gpg_extension
+ setup_fpm 'rh-php73-php-fpm'
+ setup_gpg_keyring
+ passbolt_install
+ setup_firewall
+ setup_selinux
+ setup_nginx 'rh-nginx116-nginx'
+ setup_entropy
+ cron_job
+ installation_complete
+}
+
+main "$@" 2>&1 | tee -a install.log
diff --git a/templates/header.in b/templates/header.in
index f9c2533..3ed125c 100644
--- a/templates/header.in
+++ b/templates/header.in
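Review bot: `main "$@" 2>&1 | tee -a install.log` appends stdout and stderr to `install.log` in the caller's working directory with the default umask, so if `interactive_prompter` or `__install_db` ever echo the MariaDB root/passbolt passwords or the GPG passphrase collected just before `mysql_setup`, those secrets land in a typically world-readable file; create the log with restrictive permissions before the pipeline, e.g. `umask 077` or `install -m 600 /dev/null install.log`. `setup_selinux` runs before `setup_nginx` creates the site config and certificate symlinks — fine if it only sets booleans and fcontext rules, a problem if it runs `restorecon` over already-present files; the helper is outside this diff, so please confirm which it is. `validate_os 'redhat'` is checked against `OS_SUPPORTED_VERSION="7.0"`, but RHEL 8 ships neither `rh-nginx116` nor `rh-php73`, so if `validate_os` is a minimum-version comparison it should reject major versions other than 7 rather than only versions below 7.0.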
@@ -10,7 +10,7 @@ set -euo pipefail
 # This script must be executed with root permissions #
 # #
 # Passbolt, the open source password manager for teams #
-# (c) 2018 Passbolt SARL #
+# (c) 2020 Passbolt SA #
 # https://www.passbolt.com #
 # #
 #############################################################