From 1059fb89c62d476b9d2d2e394a1f61a2633422db Mon Sep 17 00:00:00 2001
From: Justin Ludwig
Date: Wed, 20 Sep 2023 13:19:53 -0700
Subject: [PATCH] installer script updates

* fix SELinux label for conf files
* check if libsodium can be installed by package manager (which it can't on Amazon Linux)
* install Python with packages needed to build PyNaCl wheel on Arch Linux, Debian (and derivatives), and Fedora (and derivatives)
* check for broken virtualenv (due to distribution upgrade)
* upgrade pip and setuptools packages in virtualenv
---
 install.sh | 110 ++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 91 insertions(+), 19 deletions(-)

diff --git a/install.sh b/install.sh
index 5b5478f..65f8bcd 100755
--- a/install.sh
+++ b/install.sh
@@ -19,7 +19,7 @@ python_bin="${INSTALL_PYTHON:-python3}"
 # minimum required python version number
 python_minimum_version="3.8"
 # other versions of python to try
-python_alt_bins="python3.10 python3.9 python3.8"
+python_alt_bins="python3.11 python3.10 python3.9 python3.8"
 # python packages required to create virtualenv
 python_venv_packages="ensurepip venv"
 # path to broker virtualenv
@@ -451,7 +451,7 @@ delete_user() {
 #
 # Examples
 #
-# > fix_file_mode /etc/procustodibu/brokers/broker.conf 640
+# > fix_file_mode /etc/procustodibus/brokers/broker.conf 640
 # OK will fix mode
 # fixed mode
 fix_file_mode() {
@@ -470,7 +470,7 @@ fix_file_mode() {
 #
 # Examples
 #
-# > fix_file_mode /etc/procustodibu/brokers/broker.conf procustodibus-broker
+# > fix_file_mode /etc/procustodibus/brokers/broker.conf procustodibus-broker
 # OK will fix owner
 # fixed owner
 fix_file_owner() {
@@ -489,7 +489,7 @@ fix_file_owner() {
 #
 # Examples
 #
-# > fix_file_mode /etc/procustodibu/brokers/broker.conf procustodibus-broker
+# > fix_file_mode /etc/procustodibus/brokers/broker.conf procustodibus-broker
 # OK will fix group
 # fixed group
 fix_file_group() {
@@ -499,6 +499,24 @@ fix_file_group() {
 log_info "fixed group"
 }
 
+# Restores the specified file's default SELinx context label (unless in "dryrun" mode).
+ #
+ # Logs message indicating label was fixed.
+ #
+ # $1 - File path.
+ #
+ # Examples
+ #
+ # > fix_file_label /etc/procustodibus/brokers/broker.conf procustodibus-broker
+ # OK will fix label
+ # fixed label
+fix_file_label() {
+ log_info "OK will fix label"
+ test ! "$dryrun" || return 0
+ restorecon -F "$1"
+ log_info "fixed label"
+}
+
 # Prompts to fix the mode of the specified base config dir.
 #
 # Logs messages indicating the existing state, and any fixes made.
@@ -539,7 +557,7 @@ set_base_cnf_dir_permissions() {
 #
 # Examples
 #
-# > set_cnf_file_permissions /etc/procustodibus/broker/broker.conf '-r?-??-?--' 644
+# > set_cnf_file_permissions /etc/procustodibus/broker/broker.conf 644
 # WARNING /etc/procustodibus/broker/broker.conf mode should be 644
 # fix mode? ([y]es, [n]no): _
 # OK will fix mode
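Review bot: The example in the new fix_file_label comment passes a second argument (`procustodibus-broker`) that the function never reads, and the first line misspells SELinux as "SELinx"; both look copied from the fix_file_owner/fix_file_group blocks above. I would change the example to `# > fix_file_label /etc/procustodibus/brokers/broker.conf` and the summary to `# Restores the specified file's default SELinux context label (unless in "dryrun" mode).`. Separately, `restorecon -F "$1"` is followed by `log_info "fixed label"` regardless of its exit status, so a relabel that fails (no policy entry for the path, command error) is still reported as fixed unless the script runs under `set -e`, which is not visible here; `restorecon -F "$1" || { log_error "could not relabel $1"; return 1; }` keeps the log honest.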
@@ -552,20 +570,28 @@ set_base_cnf_dir_permissions() {
 # fix owner? ([y]es, [n]no): _
 # OK will fix group
 # fixed group
+# WARNING SELinux Would relabel /etc/procustodibus/broker/broker.conf from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:etc_t:s0
+# fix SELinux context label? ([y]es, [n]o): _
+# OK will fix label
+# fixed label
 set_cnf_file_permissions() {
 local file_path="$1"
- local mode_mask="$2"
- local mode_to_set="$3"
+ local expected_mode="$2"
 local mode=$(ls -ld "$file_path" | awk '{ print $1 }')
 local owner=$(ls -ld "$file_path" | awk '{ print $3 }')
 local group=$(ls -ld "$file_path" | awk '{ print $4 }')
+ local label=$(ls -dZ "$file_path" 2>/dev/null | awk '/^-/ { print $4 } !/^-/ { print $1 }')
 
- if [ ! "${mode##$mode_mask}" ]; then
+ if [ "$expected_mode" = 644 -a ! "${mode##-r?-??-?--*}" ]; then
+ log_info "$file_path mode ok ($mode)"
+ elif [ "$expected_mode" = 640 -a ! "${mode##-rw-??----*}" ]; then
+ log_info "$file_path mode ok ($mode)"
+ elif [ "$expected_mode" = 755 -a ! "${mode##drwx????-?*}" ]; then
 log_info "$file_path mode ok ($mode)"
 else
- log_warn "$file_path mode should be $mode_to_set"
+ log_warn "$file_path mode should be $expected_mode"
 case $(prompt "fix mode?" yes no) in
- y*) fix_file_mode "$file_path" $mode_to_set ;;
+ y*) fix_file_mode "$file_path" $expected_mode ;;
 n*) ;;
 esac
 fi
@@ -589,6 +615,19 @@ set_cnf_file_permissions() {
 n*) ;;
 esac
 fi
+
+ if [ ! "${label##\?}" ]; then :
+ elif [ ! "${label##system_u:object_r:etc_t:s0}" ]; then
+ log_info "$file_path SELinux context label ok ($label)"
+ elif [ "$(whichis restorecon)" ]; then
+ log_warn "SELinux $(restorecon -Fnv "$file_path")"
+ case $(prompt "fix SELinux context label?" yes no) in
+ y*) fix_file_label "$file_path" ;;
+ n*) ;;
+ esac
+ else
+ log_error "$file_path SELinux context label should be system_u:object_r:etc_t:s0"
+ fi
 }
 
 # Prompts to fix the mode, group, and owner of cnf and credential files.
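Review bot: The mode check now recognizes exactly three values, so any `$2` other than 644, 640 or 755 (the three the callers in set_cnf_permissions pass) always falls into the warn-and-prompt branch even when the file's mode is already right; the function's header comment, which sits above the hunk, should say `# $2 - Expected mode: one of 644, 640 or 755.` so a future caller is not surprised. The `[ … -a … ]` form is the POSIX-obsolescent one; `if [ "$expected_mode" = 644 ] && [ ! "${mode##-r?-??-?--*}" ]; then` (and likewise for the two `elif`s) avoids the parsing ambiguity of `-a`. The awk in the new `label=` line takes field 4 only for lines starting with `-`, which I read as handling an older long-format `ls -Z` next to the two-column GNU `ls -dZ` output, but on that long format a directory line starts with `d` and field 1 (its mode string) would be stored as the label — a comment such as `# GNU ls -dZ prints "label path"; older long-format ls -Z puts the label in field 4` would record the assumption. set_cnf_file_permissions continues past this hunk.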
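Review bot: The second hunk treats only the literal `system_u:object_r:etc_t:s0` as a correct label, but the warning and the fix are driven by `restorecon`, which relabels according to the policy's file contexts for the actual path; if the config dir is not under /etc (the examples use /etc/procustodibus) or the policy maps it to another type, `restorecon -Fnv` prints nothing, the user sees an empty `SELinux ` warning and is prompted to fix a label that fix_file_label will leave unchanged. Capturing the dry-run output and treating empty output as "ok" makes the warning and the fix agree, while the exact-match branch and the `log_error` fallback for hosts without restorecon stay as they are. `whichis` is the script's own helper and is kept. set_cnf_file_permissions starts before this hunk.
```shell
  # … unchanged: "?" (no SELinux) and exact-match branches …
  elif [ "$(whichis restorecon)" ]; then
    local relabel=$(restorecon -Fnv "$file_path")
    if [ ! "$relabel" ]; then
      log_info "$file_path SELinux context label ok ($label)"
    else
      log_warn "SELinux $relabel"
      case $(prompt "fix SELinux context label?" yes no) in
        y*) fix_file_label "$file_path" ;;
        n*) ;;
      esac
    fi
  # … unchanged: else / log_error fallback …
```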
@@ -621,16 +660,16 @@ set_cnf_permissions() {
 if [ -d $cnf_dir ]; then
 set_base_cnf_dir_permissions $(dirname $cnf_dir)
- set_cnf_file_permissions $cnf_dir 'drwx????-?' 755
+ set_cnf_file_permissions $cnf_dir 755
 if [ -f $base_path.conf ]; then
- set_cnf_file_permissions $base_path.conf '-r?-??-?--' 644
+ set_cnf_file_permissions $base_path.conf 644
 fi
 if [ -f $base_path-credentials.conf ]; then
- set_cnf_file_permissions $base_path-credentials.conf '-rw-??----' 640
+ set_cnf_file_permissions $base_path-credentials.conf 640
 fi
 if [ -f $base_path-setup.conf ]; then
- set_cnf_file_permissions $base_path-setup.conf '-rw-??----' 640
+ set_cnf_file_permissions $base_path-setup.conf 640
 fi
 fi
 }
@@ -847,6 +886,23 @@ must_add_redhat_epel_to_install_libsodium() {
 echo "yes"
 }
 
+# Outputs yes if libsodium can be installed via package manager.
+#
+# Ouputs blank if libsodium cannot be installed.
+#
+# Examples
+#
+# > can_install_libsodium
+# yes
+can_install_libsodium() {
+ test "$(get_package_manager)" || return 0
+ case "$(get_distro_name)/$(get_distro_version)" in
+ amzn/2022) return 0 ;;
+ amzn/2023) return 0 ;;
+ *) echo "yes" ;;
+ esac
+}
+
 # Outputs path to libsodium, or blank.
 #
 # Examples
@@ -910,7 +966,7 @@ install_libsodium() {
 y*) do_add_redhat_epel_repo; do_install_libsodium ;;
 q*) bye 1 QUIT ;;
 esac
- elif [ "$(get_package_manager)" ]; then
+ elif [ "$(can_install_libsodium)" ]; then
 case $(prompt "install libsodium?" yes quit) in
 y*) do_install_libsodium ;;
 q*) bye 1 QUIT ;;
@@ -945,7 +1001,7 @@ get_python_version() {
 # > get_alt_python
 # /usr/bin/python3.8
 get_alt_python() {
- whichof python3.11 python3.10 python3.9 python3.8
+ whichof $python_alt_bins
 }
 
 # Updates global `python_bin` variable if it points to a version of python
@@ -978,7 +1034,7 @@ try_alt_python() {
 get_redhat_python_package() {
 case "$(get_redhat_major_version)" in
 8) echo python3.8 ;;
- *) echo python3 ;;
+ *) echo findutils gcc libffi-devel make python3-devel ;;
 esac
 }
 
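Review bot: can_install_libsodium's header has a typo (`# Ouputs blank` → `# Outputs blank`) and does not say which distributions are excluded, which is the function's whole purpose; I would add `# Currently blank only on Amazon Linux 2022/2023, which ship no libsodium package.` beneath it, so the next Amazon release is reviewed deliberately rather than silently getting "yes". The two Amazon arms can be one pattern, `amzn/2022|amzn/2023) return 0 ;;`. The "no" result is a bare `return 0` with no output while "yes" is `echo "yes"`, mirroring must_add_redhat_epel_to_install_libsodium above, so callers must test the output rather than the exit status — the updated call in install_libsodium does (`[ "$(can_install_libsodium)" ]`), which is worth keeping in mind for any future caller.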
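Review bot: get_redhat_python_package now returns five packages for the non-8 case but still a lone `python3.8` for major version 8, so the toolchain the commit message says the PyNaCl wheel build needs (gcc, libffi-devel, make, a python -devel package) is not installed there; if that is intentional because a binary wheel is available on 8, a comment on the `8)` arm saying so would prevent a later "fix", and if not, the arm needs the matching packages for that python, which I cannot confirm from here. The function's name and its header comment above the hunk still describe a single package; `# Outputs the space-separated list of packages to install (callers rely on word splitting)` would also explain why `$(get_redhat_python_package)` is deliberately unquoted in do_install_python.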
@@ -1002,9 +1058,9 @@ do_install_python() {
 
 case "$(get_package_manager)" in
 apk) apk add gcc libffi-dev make musl-dev python3-dev ;;
- apt-get) apt-get install -y python3-venv ;;
+ apt-get) apt-get install -y gcc libffi-dev make python3-dev python3-venv ;;
 dnf) dnf install -y $(get_redhat_python_package) ;;
- pacman) pacman --noconfirm -Sy python-virtualenv ;;
+ pacman) pacman --noconfirm -Sy gcc libffi make python-virtualenv ;;
 pkg) pkg install -y python3 ;;
 yum) yum install -y $(get_redhat_python_package) ;;
 zypper) zypper install -y python3-virtualenv ;;
@@ -1155,6 +1211,14 @@ do_delete_venv() {
 # create virtualenv? ([y]es, [q]uit): _
 # OK will create virtualenv
 # created virtualenv
+#
+# > create_venv
+# WARNING python virtualenv broken at /opt/venv/procustodibus-broker
+# recreate virtualenv? ([y]es, [q]uit): _
+# OK will delete virtualenv
+# deleted virtualenv
+# OK will create virtualenv
+# created virtualenv
 create_venv() {
 if [ ! -f "$venv_path/bin/activate" ]; then
 log_warn "python virtualenv not found at $venv_path"
@@ -1162,6 +1226,12 @@ create_venv() {
 y*) do_create_venv ;;
 q*) bye 1 QUIT ;;
 esac
+ elif ! $venv_path/bin/pip --version >/dev/null 2>&1; then
+ log_warn "python virtualenv broken at $venv_path"
+ case $(prompt "recreate virtualenv?" yes quit) in
+ y*) do_delete_venv; do_create_venv ;;
+ q*) bye 1 QUIT ;;
+ esac
 else
 log_info "python virtualenv found at $venv_path"
 fi
@@ -1219,6 +1289,7 @@ do_install_broker_package() {
 test ! "$dryrun" || return 0
 . "$venv_path/bin/activate"
+ pip install --upgrade pip setuptools
 pip install $opts "$target"
 if [ $action = upgrade ]; then
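Review bot: The new broken-venv probe in create_venv runs `$venv_path/bin/pip` unquoted while the neighbouring lines quote `"$venv_path/bin/activate"`, so a venv path containing whitespace word-splits here; it should read `elif ! "$venv_path/bin/pip" --version >/dev/null 2>&1; then`. The probe also treats any failure of `pip --version` as "broken": that matches a distribution upgrade that removed the interpreter the venv symlinks to, but it equally flags a venv that simply has no pip, and the warning does not say what was tested — `log_warn "python virtualenv broken at $venv_path (pip does not run)"` would tell the operator what to look at before agreeing to delete it. create_venv starts before this hunk.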
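Review bot: `pip install --upgrade pip setuptools` in do_install_broker_package has no version bound and no status check, so every run pulls whatever the index currently serves, and unless the script runs under `set -e` (not visible here) a failed upgrade is ignored and the following `pip install $opts "$target"` fails with a less obvious error. A comment recording why the upgrade is needed would help the next reader, e.g. `# newer pip/setuptools are needed to build the PyNaCl wheel where no binary wheel exists` if that is the motivation behind this commit, and `pip install --upgrade pip setuptools || log_warn "could not upgrade pip/setuptools"` at least surfaces the failure. do_install_broker_package continues outside the hunk.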
@@ -1632,6 +1703,7 @@ do_checkfns() {
 echo get_redhat_major_version: $(get_redhat_major_version)
 echo get_redhat_epel_installed: $(get_redhat_epel_installed)
 echo must_add_redhat_epel_to_install_libsodium: $(must_add_redhat_epel_to_install_libsodium)
+ echo can_install_libsodium: $(can_install_libsodium)
 echo get_libsodium_path: $(get_libsodium_path)
 echo python_bin: $python_bin
 echo get_python_version: $(get_python_version)
-- 
2.45.2