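#!/bin/bash
# Run this script as an admin user (having 'sudo' privileges)
# = 'admin' on debian, 'ubuntu' on ubuntu
#
# Usage: as-admin.sh [OPENTREE_HOST [OPENTREE_USER]]
#   OPENTREE_HOST  host name stowed in the opentree user's ~/hostname
#                  (optional; nothing is written when empty)
#   OPENTREE_USER  unprivileged account to create (default: opentree)
#
# Depending on how the target host is set up, a password might be
# required in order to perform some of these functions. We try to
# ensure that even if a password is needed the first time around, it
# won't be needed the second and following times.
#
# Both arguments end up inside commands executed via sudo (useradd,
# chown, the hostname file), so they are restricted to a conservative
# character set before anything else runs.
#
# -e: stop on the first failing command.  -u: unset variables are bugs.
# -o pipefail is deliberately NOT set: the 'apt-cache policy apache2 |
# grep -q' tests below rely on grep's status alone (grep -q may close
# the pipe before apt-cache finishes writing).
set -eu
# Current directory = home dir for admin user
OPENTREE_HOST=${1-}
OPENTREE_USER=${2:-opentree}
# Same shape as the usual debian NAME_REGEX: lowercase, digits, '_' and '-'.
if [[ ! $OPENTREE_USER =~ ^[a-z_][a-z0-9_-]*$ ]]; then
  printf 'as-admin.sh: invalid user name %q\n' "$OPENTREE_USER" >&2
  exit 2
fi
# Host names: letters, digits, dots, '_' and '-'.
if [[ -n $OPENTREE_HOST && ! $OPENTREE_HOST =~ ^[A-Za-z0-9._-]+$ ]]; then
  printf 'as-admin.sh: invalid host name %q\n' "$OPENTREE_HOST" >&2
  exit 2
fi
# Command prefix used by apt_get_install; -q/--assume-yes keep every
# install non-interactive, --no-install-recommends keeps it minimal.
# It is expanded unquoted on purpose so the options split into words.
APTGET="sudo apt-get -q --assume-yes --no-install-recommends"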
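#######################################
# Install packages with apt-get, refreshing the package index once.
# Globals:   APTGET (read) - apt-get command prefix, expanded unquoted
# Arguments: package names, passed straight through to 'apt-get install'
# Side effects: creates ./.updated after the first 'apt-get update'
# Returns:   status of the last apt-get invocation
#######################################
apt_get_install() {
  # The marker lives in the cwd (the admin's home), so it also suppresses
  # 'apt-get update' on later runs of this script; delete .updated to force
  # a fresh index.
  if [[ ! -r .updated ]]; then
    # shellcheck disable=SC2086 -- APTGET is a deliberately word-split command line
    $APTGET update
    touch .updated
  fi
  # "$@" hands each package name over as one argument; the former $* re-split them.
  # shellcheck disable=SC2086
  $APTGET install "$@"
}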
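# ---------- BASIC TOOLS ----------
# 'command -v' replaces the `which foo`x = x trick: it is a builtin, its
# exit status is reliable, and it needs no string comparison.
if ! command -v dialog >/dev/null; then
  # I was hoping this would help with apache2's configure step, but it doesn't
  apt_get_install dialog
fi
# ---------- RSYNC ----------
if ! command -v rsync >/dev/null; then
  apt_get_install rsync
fi
# ---------- GCC (for some python packages) ----------
if ! command -v gcc >/dev/null; then
  apt_get_install gcc
fi
# ---------- G++ and make (for NCL, the nexus/newick converter used by the curation tool's import) ----------
if ! command -v g++ >/dev/null; then
  apt_get_install g++
fi
if ! command -v make >/dev/null; then
  apt_get_install make
fi
# ---------- autoconf and automake for NCL (curation dependency) ----------
# NOTE(review): the 'autotools-dev' package does not seem to ship an
# 'autoconf' executable, so this test probably fires on every run (harmless,
# apt-get install is idempotent); the 'autoconf' package may be what was
# meant - confirm on a target host.
if ! command -v autoconf >/dev/null; then
  apt_get_install autotools-dev
fi
if ! command -v automake >/dev/null; then
  apt_get_install automake
fi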
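# ---------- PYTHON-DEV (for some python packages) ----------
# compgen -G expands the glob and fails when nothing matches. The former
# '[ ! -r /usr/include/*/Python.h ]' errors out ("too many arguments")
# as soon as more than one python include directory is present.
if ! compgen -G "/usr/include/*/Python.h" >/dev/null; then
  apt_get_install python-dev
fi
# (The g++ / autoconf / automake checks that used to follow here were exact
# duplicates of the ones earlier in this file and have been dropped.)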
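# ---------- APACHE ----------
if [[ ! -r /etc/init.d/apache2 ]]; then
  echo Installing apache httpd
  # Prompts "do you want to continue?"
  apt_get_install apache2
  echo Done
fi
# Enable the apache proxy module
if [[ ! -r /etc/apache2/mods-enabled/proxy.load ]]; then
  sudo a2enmod proxy
fi
if [[ ! -r /etc/apache2/mods-enabled/proxy_http.load ]]; then
  sudo a2enmod proxy_http
fi
# Rewrite module
if [[ ! -r /etc/apache2/mods-enabled/rewrite.load ]]; then
  sudo a2enmod rewrite
fi
# Enable the apache ssl module. Doesn't get used unless a cert is present
if [[ ! -r /etc/apache2/mods-enabled/ssl.load ]]; then
  sudo a2enmod ssl
fi
# Protect against POODLE vulnerability in SSLv3; see https://zmap.io/sslv3/servers.html#apache
# Only the 2.2 series is touched; 2.4 installs are left with their own ssl.conf.
if apt-cache policy apache2 | grep -E -q "Installed: 2.2"; then
  # NOTE(review): 'SSLProtocol TLSv1' pins the server to TLS 1.0, which is
  # itself deprecated (RFC 8996). On a 2.2.23+ build (TLS 1.1/1.2 aware) the
  # commented form below keeps the newer versions enabled - check the
  # installed version before relying on this line.
  # The pattern is anchored at column 0, so an indented SSLProtocol line in
  # ssl.conf would not be rewritten; verify the file after the run.
  sudo sed -i -e "s+^SSLProtocol.*+SSLProtocol TLSv1+" /etc/apache2/mods-available/ssl.conf
  # N.B. httpd version 2.2.23+ will need this change instead:
  #sudo sed -i -e "s+^SSLProtocol.*+SSLProtocol ALL -SSLv2 -SSLv3+" /etc/apache2/mods-available/ssl.conf
fi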
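# ---------- UNZIP ----------
# unzip is needed for unpacking web2py. 'command -v' is used instead of
# 'which' because the latter's exit status could not be trusted here.
if ! command -v unzip >/dev/null; then
  apt_get_install unzip
fi
# ---------- PIP ----------
if ! command -v pip >/dev/null; then
  apt_get_install python-pip
fi
# ---------- LIBCURL + PYCURL ----------
# oti no longer uses this; the block is kept disabled for reference.
if false; then
  # only needed on debian, may cause problems on ubuntu
  # used by oti indexing script (make sure we have SSL support)
  if ! command -v curl >/dev/null || ! curl-config --feature | grep -q SSL; then
    # sudo apt-cache search libcurl-dev
    apt_get_install libcurl4-openssl-dev
    # NOTE that we'll pip-install pycurl inside our venv (in index-doc-store.sh)
  fi
fi
# ---------- GIT ----------
# Get git (so we can clone the opentree repo)
if ! command -v git >/dev/null; then
  apt_get_install git
fi
# ---------- WSGI ----------
# Get wsgi (apache / web2py communication)
if [[ ! -r /etc/apache2/mods-enabled/wsgi.load ]]; then
  apt_get_install libapache2-mod-wsgi
fi
# AWS has python 2.7.3 built in, no need to install it.
# ---------- PYTHON VIRTUALENV ----------
if ! command -v virtualenv >/dev/null; then
  apt_get_install python-virtualenv
fi
# ---------- JAVA ----------
# javac is the probe, so a JRE-only host still gets the JDK installed.
if ! command -v javac >/dev/null; then
  apt_get_install openjdk-7-jre
  apt_get_install openjdk-7-jdk
fi
# ---------- MAVEN 3 ----------
if ! command -v mvn >/dev/null; then
  apt_get_install maven
fi
# ---------- LSOF ----------
# neo4j needs this
if ! command -v lsof >/dev/null; then
  apt_get_install lsof
fi
# ---------- NTP ----------
if [[ ! -r /etc/ntp.conf ]]; then
  apt_get_install ntp
fi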
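# ---------- APACHE VHOST ----------
# Set up apache so that web2py takes over the vhost
# How the apache config (the one found in the deployment setup
# directory) was created: we copied the apache default vhost config
# (000-default) from a fresh EC2 (woody) instance, then modified it to make
# web2py work, per instructions found on the web. See
# /etc/apache2/sites-available/default .
#
# After adding a second VirtualHost file for HTTPS, we moved all common
# configuration to a third file '{apache|opentree}-config-shared', which is
# used in both vhosts via the Include directive.
# The purpose of clobbering the default vhost is to avoid
# having to know all of our own vhost names. Instead we make opentree
# the default 'vhost'. The opentree vhost config files get put into
# place later on in the setup sequence (restart-apache.sh).
SITES=/etc/apache2/sites-enabled
SSL_CERT=/etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem
SSL_KEY=/etc/ssl/private/opentreeoflife.org.key
# The symlinks are created relative to sites-enabled; 'cd ... &&' makes sure
# ln never runs in the admin's home if the directory is missing.
if apt-cache policy apache2 | grep -E -q "Installed: 2.2"; then
  # Keep old script transiently; flush this after full transition to 2.4+
  if [[ -r $SITES/000-default ]]; then
    sudo rm -f "$SITES/000-default"
  fi
  if [[ ! -r $SITES/000-opentree ]]; then
    (cd "$SITES" && sudo ln -sf ../sites-available/opentree ./000-opentree)
  fi
  # Enable the HTTPS site only if our SSL certs are found; else disable it
  if [[ -r $SSL_CERT ]]; then
    if [[ ! -r $SITES/001-opentree-ssl ]]; then
      (cd "$SITES" && sudo ln -sf ../sites-available/opentree-ssl ./001-opentree-ssl)
    fi
  else
    sudo rm -f "$SITES/001-opentree-ssl"
  fi
else
  # 2.4 wants the '.conf' suffix; clear out any 2.2-style names first.
  sudo rm -f "$SITES"/000-default*
  sudo rm -f "$SITES/000-opentree"
  sudo rm -f "$SITES/001-opentree-ssl"
  if [[ ! -e $SITES/000-opentree.conf ]]; then
    (cd "$SITES" && sudo ln -sf ../sites-available/opentree.conf ./000-opentree.conf)
  fi
  # Enable the HTTPS site only if our SSL certs are found; else disable it
  if [[ -r $SSL_CERT ]]; then
    if [[ ! -r $SITES/001-opentree-ssl.conf ]]; then
      (cd "$SITES" && sudo ln -sf ../sites-available/opentree-ssl.conf ./001-opentree-ssl.conf)
    fi
  else
    sudo rm -f "$SITES/001-opentree-ssl.conf"
  fi
fi
# Apache 2.4 is finicky about protection of the key file.
# Nobody outside the owner and the ssl-cert group (assigned below when the
# group exists) has any business with the private key, so all 'other' bits
# are cleared - not just read, as before.
if sudo test -e "$SSL_KEY"; then
  sudo chmod o-rwx "$SSL_KEY"
  if getent group ssl-cert >/dev/null; then
    sudo chgrp ssl-cert "$SSL_KEY"
  fi
fi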
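# ---------- UNPRIVILEGED USER ----------
# Home directory of an account from the passwd database; prints nothing
# for an unknown account. This replaces the 'bash <<< "echo ~$USER"' trick,
# which executed the user name as shell source.
home_of() {
  getent passwd "$1" | cut -d: -f6
}
OTHOME=$(home_of "$OPENTREE_USER")
if [[ -z $OTHOME || ! -e $OTHOME ]]; then
  sudo useradd "$OPENTREE_USER"
  OTHOME=$(home_of "$OPENTREE_USER")
  # useradd without -m leaves the home missing; the skeleton copy creates it.
  sudo cp -pr /etc/skel "$OTHOME"
  sudo chown -R "$OPENTREE_USER:$OPENTREE_USER" "$OTHOME"
  # NOTE(review): sshd's StrictModes check refuses authorized_keys when the
  # home directory is group-writable; confirm key login for this account
  # works on a real host, or drop the 'w' here.
  sudo chmod g+sw "$OTHOME"
  sudo chsh -s /bin/bash "$OPENTREE_USER"
fi
if [[ ! -e $OTHOME/.ssh ]]; then
  sudo mkdir "$OTHOME/.ssh"
  # Seeds the new account with the admin's own keys (cwd is the admin's home);
  # -p keeps the file mode, which sshd also checks.
  sudo cp -p .ssh/authorized_keys "$OTHOME/.ssh/"
  sudo chmod 700 "$OTHOME/.ssh/"
  sudo chown -R "$OPENTREE_USER:$OPENTREE_USER" "$OTHOME"
fi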
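# Ideally stowing the hostname would be done every time, but we
# want to avoid unsatisfiable sudo prompt demands, so let's assume it
# stays the same.
# TBD: this code ought to be done by the 'opentree' user, not in this file.
if [[ -n $OPENTREE_HOST && ! -r $OTHOME/hostname ]]; then
  HOSTFILE=$OTHOME/hostname
  # Still a single sudo call, but the host name, path and user travel as
  # positional arguments of a fixed script. The former
  # 'cat <<EOF | sudo bash' spliced them into shell source run as root.
  sudo sh -c 'printf "%s\n" "$1" >"$2" && chmod go+r "$2" && chown "$3" "$2"' \
    sh "$OPENTREE_HOST" "$HOSTFILE" "$OPENTREE_USER"
fi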