Supporting setup into a docker container

private/config.default

@@ -44,3 +44,10 @@ UseSavedCerts="y"
 # Likewise, if either an RSA key pair (ssh_host_rsa and ssh_host_rsa.pub) or an
 # ED25519 key pair (ssh_host_ed25519 and ssh_host_ed25519.pub) is found in private,
 # they will replace the pre-generated host keys in /etc/ssh.
+
+# This option should be left turned off ("n"). If it's turned on ("y") certificates
+# and selinux configuration will be skipped during setup. This is useful for running
+# an offline copy of TryItOnline in a docker image (which does no support selinux)
+# Exposing an installation in offline mode to internet is a big security risk and should 
+# never be done.
+OfflineMode="n"

stage/010-createsymlinks

@@ -2,10 +2,16 @@
 
 err=0
 trap 'err=1' ERR
+source private/config
 
-mkdir -p /usr/local/lib/systemd/system
-ln -fst /usr/local/bin /srv/bin/*
-ln -fst /usr/local/lib/systemd/system /srv/lib/systemd/*
-ln -fst /usr/local/sbin /srv/sbin/* /opt/TioSetup/misc/*
+if [[ "$OfflineMode" != "y" ]]; then
+  mkdir -p /usr/local/lib/systemd/system
+  ln -fst /usr/local/bin /srv/bin/*
+  ln -fst /usr/local/lib/systemd/system /srv/lib/systemd/*
+  ln -fst /usr/local/sbin /srv/sbin/* /opt/TioSetup/misc/*
+else
+  ln -fst /usr/local/bin /srv/bin/*
+  ln -fst /usr/local/sbin /srv/sbin/*
+fi
 
 exit "$err"

stage/015-turnoffjournald

@@ -3,7 +3,10 @@
 err=0
 trap 'err=1' ERR
 
-systemctl mask systemd-journald{,{,-audit,-dev-log}.socket}
-systemctl stop systemd-journald{,{,-audit,-dev-log}.socket}
+source private/config
+if [[ "$OfflineMode" != "y" ]]; then
+  systemctl mask systemd-journald{,{,-audit,-dev-log}.socket}
+  systemctl stop systemd-journald{,{,-audit,-dev-log}.socket}
+fi
 
 exit "$err"

stage/040-installselinuxtools

@@ -3,6 +3,9 @@
 err=0
 trap 'err=1' ERR
 
-dnf install psmisc selinux-policy-sandbox policycoreutils-sandbox selinux-policy-devel -y
+source private/config
+if [[ "$OfflineMode" != "y" ]]; then
+  dnf install psmisc selinux-policy-sandbox policycoreutils-sandbox selinux-policy-devel -y
+fi
 
 exit "$err"

stage/060-addselinuxpolicies

@@ -3,9 +3,12 @@
 err=0
 trap 'err=1' ERR
 
-cp files/selinux/tryitonline.te ./tryitonline.te
-make -f /usr/share/selinux/devel/Makefile tryitonline.pp
-semodule -i tryitonline.pp
-rm -f tryitonline.*
+source private/config
+if [[ "$OfflineMode" != "y" ]]; then
+  cp files/selinux/tryitonline.te ./tryitonline.te
+  make -f /usr/share/selinux/devel/Makefile tryitonline.pp
+  semodule -i tryitonline.pp
+  rm -f tryitonline.*
+fi
 
 exit "$err"

stage/500-configureselinux

@@ -3,32 +3,36 @@
 err=0
 trap "err=1" ERR
 
-semanage fcontext -a -t bin_t '/opt/(.*/)?bin(/.*)?'
-semanage fcontext -a -t httpd_sys_rw_content_t '/srv/cache(/.*)?'
-semanage fcontext -a -t httpd_sys_rw_content_t '/srv/store(/.*)?'
-semanage fcontext -a -t httpd_sys_content_t '/srv/tio.run(/.*)?'
-semanage fcontext -a -t httpd_sys_script_exec_t '/srv/tio.run/cgi-bin(/.*)?'
-semanage fcontext -a -t httpd_sys_rw_content_t '/srv/tmp(/.*)?'
-semanage fcontext -a -t httpd_sys_content_t '/srv/tryitonline.net(/.*)?'
-semanage fcontext -a -t bin_t '/srv/bin(/.*)?'
-semanage fcontext -a -t etc_t '/srv/etc(/.*)?'
-semanage fcontext -a -t lib_t '/srv/lib(/.*)?'
-semanage fcontext -a -t systemd_unit_file_t '/srv/lib/systemd(/.*)?'
-semanage fcontext -a -t bin_t '/srv/sbin(/.*)?'
-semanage fcontext -a -t bin_t '/srv/wrappers(/.*)?'
+source private/config
+if [[ "$OfflineMode" != "y" ]]; then
 
-restorecon -Rv /srv
+  semanage fcontext -a -t bin_t '/opt/(.*/)?bin(/.*)?'
+  semanage fcontext -a -t httpd_sys_rw_content_t '/srv/cache(/.*)?'
+  semanage fcontext -a -t httpd_sys_rw_content_t '/srv/store(/.*)?'
+  semanage fcontext -a -t httpd_sys_content_t '/srv/tio.run(/.*)?'
+  semanage fcontext -a -t httpd_sys_script_exec_t '/srv/tio.run/cgi-bin(/.*)?'
+  semanage fcontext -a -t httpd_sys_rw_content_t '/srv/tmp(/.*)?'
+  semanage fcontext -a -t httpd_sys_content_t '/srv/tryitonline.net(/.*)?'
+  semanage fcontext -a -t bin_t '/srv/bin(/.*)?'
+  semanage fcontext -a -t etc_t '/srv/etc(/.*)?'
+  semanage fcontext -a -t lib_t '/srv/lib(/.*)?'
+  semanage fcontext -a -t systemd_unit_file_t '/srv/lib/systemd(/.*)?'
+  semanage fcontext -a -t bin_t '/srv/sbin(/.*)?'
+  semanage fcontext -a -t bin_t '/srv/wrappers(/.*)?'
 
-semanage fcontext -a -t bin_t '/usr/lib(64)?/swipl-.*/bin/x86_64-linux(/.*)?'
-semanage fcontext -a -t bin_t '/usr/lib(64)?/node_modules/coffee-script/bin(/.*)?'
-semanage fcontext -a -t bin_t '/usr/lib(64)?/golang/bin(/.*)?'
-semanage fcontext -a -t bin_t '/usr/lib(64)?/node_modules/babel-cli/bin(/.*)?'
-semanage fcontext -a -t bin_t '/usr/lib(64)?/pypy-.*/bin(/.*)?'
-semanage fcontext -a -t bin_t '/usr/lib/node_modules/cheddar-lang/dist/cli(/.*)?'
-semanage fcontext -a -t bin_t '/usr/lib(64)?/clisp-.*/base(/.*)?'
-semanage fcontext -a -t bin_t '/usr/lib(64)?/maxima/.*/binary-sbcl(/.*)?'
-semanage fcontext -a -t bin_t '/usr/lib/golang/pkg/tool/linux_amd64(/.*)?'
-semanage fcontext -a -t bin_t '/usr/lib/ceylon/.*/bin(/ceylon)?'
-semanage fcontext -a -t bin_t '/usr/local/haskell/.*/bin(/.*)?'
+  restorecon -Rv /srv
+
+  semanage fcontext -a -t bin_t '/usr/lib(64)?/swipl-.*/bin/x86_64-linux(/.*)?'
+  semanage fcontext -a -t bin_t '/usr/lib(64)?/node_modules/coffee-script/bin(/.*)?'
+  semanage fcontext -a -t bin_t '/usr/lib(64)?/golang/bin(/.*)?'
+  semanage fcontext -a -t bin_t '/usr/lib(64)?/node_modules/babel-cli/bin(/.*)?'
+  semanage fcontext -a -t bin_t '/usr/lib(64)?/pypy-.*/bin(/.*)?'
+  semanage fcontext -a -t bin_t '/usr/lib/node_modules/cheddar-lang/dist/cli(/.*)?'
+  semanage fcontext -a -t bin_t '/usr/lib(64)?/clisp-.*/base(/.*)?'
+  semanage fcontext -a -t bin_t '/usr/lib(64)?/maxima/.*/binary-sbcl(/.*)?'
+  semanage fcontext -a -t bin_t '/usr/lib/golang/pkg/tool/linux_amd64(/.*)?'
+  semanage fcontext -a -t bin_t '/usr/lib/ceylon/.*/bin(/ceylon)?'
+  semanage fcontext -a -t bin_t '/usr/local/haskell/.*/bin(/.*)?'
+fi
 
 exit "$err"

stage/510-enablezram

@@ -3,7 +3,10 @@
 err=0
 trap 'err=1' ERR
 
-systemctl enable tio-ram
-systemctl start tio-ram
+source private/config
+if [[ "$OfflineMode" != "y" ]]; then
+  systemctl enable tio-ram
+  systemctl start tio-ram
+fi
 
 exit "$err"

stage/540-configuretryitonline

@@ -35,6 +35,10 @@ mkdir -p /srv/cache/{0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f}{0,1,2,3,4,5,6,7,8,9,a,b,c,
 chown -R apache:apache /srv/cache
 mkdir -p /srv/store
 chown apache:apache /srv/store
-restorecon -Rv /srv
+if [[ "$OfflineMode" != "y" ]]; then
+  restorecon -Rv /srv
+else
+  sed -i 's/^\(no_selinux=\).*/\1true/' etc/run
+fi
 
 exit "$err"

stage/570-configurehttpd

@@ -76,7 +76,8 @@ $LD	RewriteRule "" https://$TIORUN/nexus/%1 [R=301]
 .
 
 echo 'http_server=httpd' > /srv/etc/tio-web
-systemctl enable tio-web
-systemctl start tio-web
-
+if [[ "$OfflineMode" != "y" ]]; then
+  systemctl enable tio-web
+  systemctl start tio-web
+fi
 exit "$err"

stage/580-configurecerts

@@ -4,13 +4,14 @@ err=0
 trap "err=1" ERR
 
 source private/config
-
-if [[ "$UseSavedCerts" != "y" ]]; then
+if [[ "$OfflineMode" != "y" ]]; then
+  if [[ "$UseSavedCerts" != "y" ]]; then
     certbot --non-interactive --agree-tos --email $EMAIL --apache --domains $TRYITONLINENET,$TIORUN --redirect
-else
+  else
     certbot --staging --non-interactive --agree-tos --email $EMAIL --apache --domains $TRYITONLINENET,$TIORUN --redirect
     tar xvf private/letsencrypt.tar.gz -C /
-    systemctl restart httpd
+    systemctl restart tio-web
+  fi
 fi
 
 exit "$err"

stage/720-setuprunner

@@ -3,12 +3,14 @@
 err=0
 trap 'err=1' ERR
 
+source private/config
 id -u runner &> /dev/null || useradd runner
 mkdir -p ~runner/.ssh
 cat ~apache/.ssh/id_*.pub >> ~runner/.ssh/authorized_keys
 chmod 700 ~runner/.ssh
 chmod 640 ~runner/.ssh/authorized_keys
-chown -R runner: ~runner
-chattr +i ~runner
+if [[ "$OfflineMode" != "y" ]]; then
+  chown -R runner: ~runner
+fi
 
 exit "$err"

stage/830-installdotnet

@@ -24,6 +24,10 @@ pushd /opt/microsoft/home/csharp
 cp "$saveddir/files/dotnet/project.csproj" ./project.csproj
 mkdir -p /opt/microsoft/tmp
 HOME=/opt/microsoft/home TMPDIR=/opt/microsoft/tmp dotnet restore
+source private/config
+if [[ "$OfflineMode" == "y" ]]; then
+  ln -fs /opt/microsoft/home/.nuget /home/runner/
+fi
 rm -rf /opt/microsoft/tmp
 popd
 cd ..

stage/850-installdyalogapl

@@ -3,20 +3,22 @@
 err=0
 trap 'err=1' ERR
 
-pushd /opt
+source private/config
+if [[ "$OfflineMode" != "y" ]]; then
+  pushd /opt
 
-sync && echo 3 > /proc/sys/vm/drop_caches
-for dyalogzip in linux_64_*_*.zip; do
+  for dyalogzip in linux_64_*_*.zip; do
     dyalogrpm=${dyalogzip%.zip}.x86_64.rpm
     rm -f $dyalogrpm
     if unzip $dyalogzip $dyalogrpm; then
-        dnf install -y $dyalogrpm
-        rm -f $dyalogzip $dyalogrpm
+      dnf install -y $dyalogrpm
+      rm -f $dyalogzip $dyalogrpm
     else
-            err=1
+      err=1
     fi
-done
+  done
 
-popd
+  popd
+fi
 
 exit "$err"

stage/870-setlimits

@@ -3,10 +3,13 @@
 err=0
 trap 'err=1' ERR
 
-rm -f /etc/security/limits.d/99-tio.conf
-cp files/system/ulimits.conf /etc/security/limits.d/99-tio.conf
-
-rm -f /etc/sysctl.d/99-tio.conf
-cp files/system/sysctl.d.conf /etc/sysctl.d/99-tio.conf
+source private/config
+if [[ "$OfflineMode" != "y" ]]; then
+  rm -f /etc/security/limits.d/99-tio.conf
+  cp files/system/ulimits.conf /etc/security/limits.d/99-tio.conf
+
+  rm -f /etc/sysctl.d/99-tio.conf
+  cp files/system/sysctl.d.conf /etc/sysctl.d/99-tio.conf
+fi
 
 exit "$err"

stage/890-clonetests

@@ -3,13 +3,16 @@
 err=0
 trap "err=1" ERR
 
-rm -rf /opt/TioTests
-git clone https://github.com/TryItOnline/TioTests.git /opt/TioTests
-pushd /opt/TioTests
-mkdir -p /opt/microsoft/tmp
-HOME=/root TMPDIR=/opt/microsoft/tmp dotnet restore
-HOME=/root dotnet build
-rm -rf /opt/microsoft/tmp
-popd
+source private/config
+if [[ "$OfflineMode" != "y" ]]; then
+  rm -rf /opt/TioTests
+  git clone https://github.com/TryItOnline/TioTests.git /opt/TioTests
+  pushd /opt/TioTests
+  mkdir -p /opt/microsoft/tmp
+  HOME=/root TMPDIR=/opt/microsoft/tmp dotnet restore
+  HOME=/root dotnet build
+  rm -rf /opt/microsoft/tmp
+  popd
+fi
 
 exit "$err"

stage/900-restoreselinuxcontext

@@ -3,7 +3,10 @@
 err=0
 trap "err=1" ERR
 
-restorecon -Rv ~runner /opt /srv /usr
+source private/config
+if [[ "$OfflineMode" != "y" ]]; then
+  restorecon -Rv ~runner /opt /srv /usr
+fi
 chown -R root: /opt
 
 exit "$err"