def setup_mail_notification(admin_mail, sender_domain, relay):
"""Setup postfix as satellite system to send root mails to the admin"""
# TODO more tests, so far tested on 14.04 only
if not utils.is_installed('postfix'):
sudo('debconf-set-selections <<< "postfix postfix/main_mailer_type '
'string Satellite system"')
sudo('debconf-set-selections <<< "postfix postfix/relayhost '
'string {relay}"'.format(relay=relay))
sudo('debconf-set-selections <<< "postfix postfix/mailname '
'string {mailname}"'.format(mailname=sender_domain))
utils.apt_get_update()
sudo('apt-get install postfix -y')
else:
sudo('echo "{mailname}" > /etc/mailname'.format(mailname=sender_domain))
sed('/etc/postfix/main.cf', '^relayhost.*',
'relayhost = {relay}'.format(relay=relay), use_sudo=True)
sudo('service postfix restart')
for line in open(os.path.join(LUCHIZZ_DIR,
'files/aliases')).read().split('\n'):
try:
if line.split()[0] == 'root:':
line = line.format(admin_mail=admin_mail)
sed('/etc/aliases', 'root:.*', line, use_sudo=True)
if not contains('/etc/aliases', line.split()[0]):
append('/etc/aliases', line, use_sudo=True)
except IndexError:
pass
sudo('newaliases')
def deploy_production_web():
def _sudo(command, *args, **kwargs):
command = 'source %svirtualenv/bin/activate && %s' % (REMOTE_PROJECT_PATH, command)
sudo(command, user='******', *args, **kwargs)
def manage_py(command):
_sudo('python %smanage.py %s' % (REMOTE_PROJECT_PATH, command))
# stop services
run('supervisorctl stop mindmaptornado')
run('supervisorctl stop uwsgi')
# backup
_sudo('%sdeployment/db_backup.sh' % (REMOTE_PROJECT_PATH))
_sudo('cd %s; git reset --hard production && git pull' % (REMOTE_PROJECT_PATH))
# install python modules
_sudo('cd %s; source virtualenv/bin/activate; pip install -r REQUIREMENTS' % (REMOTE_PROJECT_PATH))
_sudo('rm -rf %sassets/static/' % (REMOTE_PROJECT_PATH))
manage_py('collectstatic --noinput')
# run missing migrations
manage_py('migrate')
# force DEBUG = False
files.sed('%ssettings.py' % (REMOTE_PROJECT_PATH), '^DEBUG\s*=\s*True$', 'DEBUG = False')
# rm pyc files
manage_py('clean_pyc')
# start services
run('supervisorctl start mindmaptornado')
run('supervisorctl start uwsgi')
def sys_ssh_set_port(port=22):
""" Set ssh port - Ex: (cmd:[port])"""
sshd_config = '/etc/ssh/sshd_config'
files.sed(sshd_config, before='\s*#\s*Port\s*[0-9]*', after='Port {0}'.format(port), use_sudo=True)
files.sed(sshd_config, before='\s*Port\s*[0-9]*', after='Port {0}'.format(port), use_sudo=True)
sudo('service ssh reload')
sys_etc_git_commit('Configured ssh (Port={0})'.format(port))
def setup_cifs_connector(volume_name, devid, supervisor_host):
"""
Deploy an sfused cifs connector and SOFS accompanying volume.
:param volume_name: the name of the SOFS volume to create and
expose over cifs
:type volume_name: string
:param devid: device id to associate with the volume
:type devid: int
:param supervisor_host: hostname or ip of the supervisor for registration
of connector and volume
:type supervisor_host: string
"""
setup_connector('cifs', volume_name, devid, supervisor_host)
install_packages('scality-cifs')
conf_path = abspath('assets/connector/etc/samba/smb.conf')
put(conf_path, '/etc/samba', use_sudo=True)
sed(
filename='/etc/default/sernet-samba',
before='SAMBA_START_MODE="none"',
after='SAMBA_START_MODE="classic"',
use_sudo=True,
)
sudo('mkdir -p /var/run/samba')
sudo('testparm -s')
# The sernet-samba-smbd init script is flaky: if the parent exits
# to quickly, the smbd process does not have time to daemonize.
sudo('/etc/init.d/sernet-samba-smbd start && sleep 5')
def dse_prepare():
node = get_node_info()
vars = load_vars()
broadcast_rpc_address_line = 'broadcast_rpc_address: %s' % node['host']
cluster_name = 'NODE'
if 'cluster_name' in vars['dse']:
cluster_name = vars['dse']['cluster_name']
opscenter_cluster_config_name = '/etc/opscenter/clusters/%s.conf' % cluster_name
cluster_name_line = '%s CLUSTER' % cluster_name
if ('solr' in vars['dse']) and vars['dse']['solr']:
sed('/etc/default/dse',before='SOLR_ENABLED=0',after='SOLR_ENABLED=1',use_sudo=True, backup='')
if ('spark' in vars['dse']) and vars['dse']['spark']:
sed('/etc/default/dse',before='SPARK_ENABLED=0',after='SPARK_ENABLED=1',use_sudo=True, backup='')
sed('/etc/dse/cassandra/cassandra.yaml',before="Test Cluster",after=cluster_name_line,use_sudo=True, backup='')
sed('/etc/dse/cassandra/cassandra.yaml',before="rpc_address: localhost",after="rpc_address: 0.0.0.0",use_sudo=True, backup='')
sed('/etc/dse/cassandra/cassandra.yaml',before="# broadcast_rpc_address: 1.2.3.4",after=broadcast_rpc_address_line,use_sudo=True, backup='')
append('/var/lib/datastax-agent/conf/address.yaml','stomp_interface: 127.0.0.1',True)
if not exists(opscenter_cluster_config_name,True):
sudo('mkdir /etc/opscenter/clusters')
append(opscenter_cluster_config_name,default_opscenter_cluster_config,True)
time.sleep(8)
def installConfigureChrony():
msg='installing chrony on %s'% env.host
sudo('yum -y install chrony')
var1=run('rpm -qa |grep chrony ')
printMessage("good", msg)
logging.info(msg +" version "+ var1)
if env.host == 'controller':
sed ('/etc/chrony.conf',
'server 0.centos.pool.ntp.org iburst',
'server time1.srv.ualberta.ca iburst')
sed ('/etc/chrony.conf',
'server 1.centos.pool.ntp.org iburst',
'server time2.srv.ualberta.ca iburst')
sed ('/etc/chrony.conf',
'server 2.centos.pool.ntp.org iburst',
'server time3.srv.ualberta.ca iburst')
sed ('/etc/chrony.conf',
'server 3.centos.pool.ntp.org iburst',
'')
sed("/etc/chrony.conf","#allow 192.168/16","allow 192.168/16")
else:
run('echo "server controller iburst" > /etc/chrony.conf')
run('systemctl restart chronyd.service')
result=run('systemctl status chronyd.service')
if result.failed:
logging.info(" starting Chrony on " +env.host)
run('systemctl start chronyd.service')
run('systemctl enable chronyd.service')
else:
logging.info(" restarting Chrony on " +env.host)
run('systemctl restart chronyd.service')
printMessage("good",msg)
var1=run('systemctl status chronyd.service |grep Active')
logging.info(env.host +" Chrony is "+ var1)
def sys_easy_sudo(remote_configuration=None):
""" Allow sudo to run without password for @sudo members. """
LOGGER.info("Installing sys_easy_sudo()…")
if remote_configuration.is_osx:
# GNU sed is needed for fabric `sed` command to succeed.
pkg.brew_add("gnu-sed")
symlink("/usr/local/bin/gsed", "/usr/local/bin/sed")
sudoers = "/private/etc/sudoers"
group = "admin"
else:
# Debian / Ubuntu
sudoers = "/etc/sudoers"
group = "sudo"
with settings(hide("warnings", "running", "stdout", "stderr"), warn_only=True):
sed(
sudoers,
"%%%s\s+ALL\s*=\s*\(ALL(:ALL)?\)\s+ALL" % group,
"%%%s ALL = (ALL:ALL) NOPASSWD: ALL" % group,
use_sudo=True,
backup=".bak",
)
def set_deployed_version(tag):
with cd(app_base):
run("rm -f {0}".format(currently_deployed_dir))
run("ln -s {0}/{1} {2}".format(deployments_dir, tag,
currently_deployed_dir))
# Write version file which will get loaded by the application.
sed(version_file, "development", tag)
def setup():
"Set up and bootstrap a new web server."
# Install needed packages
run('aptitude -y install git-core python-dev postgresql-dev postgresql-client build-essential libpq-dev apache2 libapache2-mod-wsgi')
# Make the code directories, and go get the code
run('mkdir -p %s' % os.path.join(env.web_root, "static"))
with cd(env.web_root):
run('git clone git://github.com/jacobian/django-deployment-workshop.git')
# Bootstrap and buildout
with cd(env.buildout_root):
run('python bootstrap.py')
run('./bin/buildout')
# In the real world, the settings file would already contain the correct
# DATABASE_HOST. Since this is a demo, we'll do something somewhat
# hackish -- but cool -- and swap in the correct DATABASE_HOST at
# bootstrap time.
dbip = prompt("What's the private IP for DB1?")
files.sed(os.path.join(env.buildout_root, "fski", "settings.py"),
before = r"^DATABASE_HOST.*$",
after = r'DATABASE_HOST = "%s"' % dbip.strip())
# Install the Apache conf
with cd("/etc/apache2"):
run('rm -rf apache2.conf conf.d/ httpd.conf magic mods-* sites-* ports.conf ')
run('ln -s /home/web/django-deployment-workshop/apache/apache2.conf .')
# Make the Python eggs directory.
run('mkdir -m777 -p /var/www/.python-eggs')
# Done - where! Now restart Apache.
run('invoke-rc.d apache2 restart')
def config_exim():
"""Set exim configuration type if defined by the user."""
if hasattr(conf, "EXIM_CONFIG_TYPE"):
files.sed('/etc/exim4/update-exim4.conf.conf', 'local',
conf.EXIM_CONFIG_TYPE or "local",
limit="dc_eximconfig_configtype=", use_sudo=True)
sudo("/etc/init.d/exim4 restart")
def config_apticron():
"""
Adds sysadmin emails to the apticron config.
"""
emails = ' '.join(v['email'] for k,v in conf.SYSADMINS.items())
files.sed('/etc/apticron/apticron.conf', '"root"', '"%s"' % emails,
limit="EMAIL=", use_sudo=True)
def harden_sshd():
"""Security harden sshd.
"""
# Disable password authentication
sed("/etc/ssh/sshd_config", "#PasswordAuthentication yes", "PasswordAuthentication no", use_sudo=True)
# Deny root login
sed("/etc/ssh/sshd_config", "PermitRootLogin yes", "PermitRootLogin no", use_sudo=True)
def config_sshd():
"""Disables password-based and root logins. Make sure that you have some
users created with ssh keys before running this."""
sshd_config = '/etc/ssh/sshd_config'
files.sed(sshd_config, 'yes', 'no', limit='PermitRootLogin', use_sudo=True)
files.sed(sshd_config, '#PasswordAuthentication yes', 'PasswordAuthentication no', use_sudo=True)
sudo('/etc/init.d/ssh restart')
def _deployWhyQAScripts(w):
workers = eval(env["workers"]["workers"])
worker = workers[w]
deploypath = env["deploy"]["deploy.path"] + "/"
run("mkdir -p {0}/{1}".format(deploypath, env["whyqapassage"]["whyqapassage.rootpath"]))
with cd(deploypath):
run("{0}".format(env["whyqapassage"]["whyqapassage.deploycmd"]))
run(
"sed -e 's#\\(INDEX=\\)\\(.*\\)#\\1{0}#g' ./{1} > ./{1}.work".format(
env["whyqapassage"]["whyqapassage.index"], env["whyqapassage"]["whyqapassage.startsh"]
)
)
run("cp ./{0}.work ./{0} && chmod u+x,g+x ./{0}".format(env["whyqapassage"]["whyqapassage.startsh"]))
run("{0}".format(env["whyqapassage"]["rasc.deploycmd"]))
if env["whyqapassage"].has_key("tinysvm.deploycmd") == True:
run("{0}".format(env["whyqapassage"]["tinysvm.deploycmd"]))
sedfiles = eval(env["whyqapassage"]["rasc.sedfiles"])
for s in sedfiles:
print s["file"]
for reg in s["regex"]:
print reg["before"]
print reg["after"]
sed(s["file"], reg["before"], reg["after"])
# sed(env['whyqapassage']['whyqapassage.sed.file'],
# before=env['whyqapassage']['whyqapassage.sed.before'], after=env['whyqapassage']['whyqapassage.sed.after'] , backup='')
# run('cp {0} {1}'.format(env['whyqapassage']['rasc.servcexml.src'],env['whyqapassage']['rasc.servcexml.dst']))
run("chmod u+x,g+x {0}".format(env["whyqapassage"]["rasc.startsh"]))
run("chmod u+x,g+x {0}".format(env["whyqapassage"]["rasc.stopsh"]))
run("chmod u+x,g+x {0}".format(env["whyqapassage"]["whyqapassage.stopsh"]))
def initialise_qgis_plugin_repo():
"""Initialise a QGIS plugin repo where we host test builds."""
_all()
fabtools.require.deb.package('libapache2-mod-wsgi')
code_path = os.path.join(env.repo_path, env.repo_alias)
local_path = '%s/scripts/test-build-repo' % code_path
if not exists(env.plugin_repo_path):
sudo('mkdir -p %s' % env.plugin_repo_path)
sudo('chown %s.%s %s' % (env.user, env.user, env.plugin_repo_path))
run('cp %s/plugin* %s' % (local_path, env.plugin_repo_path))
run('cp %s/icon* %s' % (code_path, env.plugin_repo_path))
run('cp %(local_path)s/inasafe-test.conf.templ '
'%(local_path)s/inasafe-test.conf' % {'local_path': local_path})
sed('%s/inasafe-test.conf' % local_path,
'inasafe-test.linfiniti.com',
env.repo_site_name)
with cd('/etc/apache2/sites-available/'):
if exists('inasafe-test.conf'):
sudo('a2dissite inasafe-test.conf')
fastprint('Removing old apache2 conf', False)
sudo('rm inasafe-test.conf')
sudo('ln -s %s/inasafe-test.conf .' % local_path)
# Add a hosts entry for local testing - only really useful for localhost
hosts = '/etc/hosts'
if not contains(hosts, 'inasafe-test'):
append(hosts, '127.0.0.1 %s' % env.repo_site_name, use_sudo=True)
sudo('a2ensite inasafe-test.conf')
sudo('service apache2 reload')
def rewrite_base_enable(path, base=None):
"""Change the RewriteBase variable on a Drupal site
Args:
parent: Path to the website base
base: RewriteBase string to add to the .htaccess file (default: None)
Usage:
$ fab -H localhost rewrite_base_enable:'/path/to/web/dir/site-name','site-name'
Will modify the .htaccess file at /path/to/web/dir/site-name/.htaccess
adding this RewriteBase directive:
RewriteBase /site-name
$ fab -H localhost rewrite_base_enable:'/path/to/web/dir'
Will modify the .htaccess file at /path/to/web/dir/.htaccess
adding this RewriteBase directive:
RewriteBase /
"""
htaccess = path + '/.htaccess'
if htaccess_exists(path):
if not rewrite_base_enabled(path):
# sed the RewriteBase rule
sed(htaccess, "^.*# RewriteBase /$", " RewriteBase " + base)
def install_jenkins(*args, **kwargs):
home = run('echo $HOME')
version = kwargs.get('version', 'latest')
init = os.path.join(home,'init')
jenkins_base_dir = os.path.join(home, 'jenkins')
jenkins_init = os.path.join(init, 'jenkins')
port = kwargs.get('port')
if not exists(jenkins_base_dir):
run('mkdir ' + jenkins_base_dir)
if not exists(os.path.join(jenkins_base_dir, 'jenkins.war')):
with hide('output'):
run('wget http://mirrors.jenkins-ci.org/war/%s/jenkins.war -O ~/jenkins/jenkins.war' % version)
if not exists(os.path.join(jenkins_base_dir, 'org.jenkinsci.main.modules.sshd.SSHD.xml')):
with hide('output'):
run('wget https://templates.wservices.ch/jenkins/org.jenkinsci.main.modules.sshd.SSHD.xml -O ~/jenkins/org.jenkinsci.main.modules.sshd.SSHD.xml')
if not exists(init):
run('mkdir ~/init')
if not exists(jenkins_init):
with hide('output'):
run('wget https://templates.wservices.ch/jenkins/jenkins.init -O ~/init/jenkins')
run('chmod 750 ~/init/jenkins')
sed(jenkins_init, 'PORT=HTTP_PORT', 'PORT=%s' % port)
run('~/init/jenkins start')
else:
run('~/init/jenkins restart')
def sys_ssh_enable_root_login():
""" Enable root login - Ex: (cmd)"""
sshd_config = '/etc/ssh/sshd_config'
files.sed(sshd_config, before='\s*#\s*\PermitRootLogin\s*(yes|no)', after='PermitRootLogin yes',use_sudo=True)
files.sed(sshd_config, before='\s*PermitRootLogin\s*no', after='PermitRootLogin yes',use_sudo=True)
sudo('service ssh reload')
sys_etc_git_commit('Endabled root login')
def install(java_version=None):
"""
Install dependencies (curl and unzip) and Install GVM
::
import fabtools
# Install GVM
fabtools.gvm.install()
"""
res = run('gvm help', quiet=True)
if res.failed:
family = distrib_family()
packages = ['curl', 'unzip']
if family == 'debian':
require_deb_packages(packages)
elif family == 'redhat':
require_rpm_packages(packages)
elif family == 'sun':
require_pkg_packages(packages)
else:
raise UnsupportedFamily(supported=['debian', 'redhat', 'sun'])
if java_version is None:
java()
else:
java(version=java_version)
run('curl -s get.gvmtool.net | bash')
user = run('whoami')
run('source "/home/%s/.gvm/bin/gvm-init.sh"' % user)
configFile = "/home/%s/.gvm/etc/config" % user
sed(configFile, 'gvm_auto_answer=false', 'gvm_auto_answer=true')
def deploy():
install_deps()
sudo('test -e /var/lib/pgsql/data/pg_hba.conf || postgresql-setup initdb')
enable_services(['memcached', 'postgresql'])
with settings(warn_only=True, sudo_user='******'):
sudo('createuser {0}'.format(env.user))
sudo('createdb --owner={0} vmdb_development'.format(env.user))
run('type bundle 2>/dev/null || gem install bundler -v "~>1.3"')
run('test -d manageiq || git clone https://github.com/ManageIQ/manageiq')
with cd('manageiq/vmdb'):
run('bundle install --without qpid')
with cd('manageiq'):
run('vmdb/bin/rake build:shared_objects')
with cd('manageiq/vmdb'):
run('bundle install --without qpid')
run('cp config/database.pg.yml config/database.yml')
sed('config/database.yml',
'username: root', 'username: {0}'.format(env.user))
run('bin/rake db:migrate')
enable_tcp_ports([3000])
def set_hostname(hostname):
# TODO: reload MTA
if not hostname or hostname == 'None':
hostname = env.host
need_sudo = am_not_root()
with settings(warn_only=True):
hosts_entry = run('grep "^127\.0\.1\.1 " /etc/hosts')
line_to_append = '127.0.1.1 %s' % hostname
if hosts_entry == line_to_append:
pass
elif not hosts_entry:
# TODO: this should be placed right under the line ^127.0.0.1
append('/etc/hosts', '127.0.1.1 %s' % hostname, use_sudo=need_sudo)
else:
sed('/etc/hosts', '^(127\.0\.1\.1) (.*)$', '\\1 %s \\2' % hostname, use_sudo=need_sudo)
if distro_flavour() == 'redhat':
sed('/etc/sysconfig/network', '^HOSTNAME=.*', 'HOSTNAME=%s' % hostname, use_sudo=need_sudo)
_run('hostname %s' % hostname, use_sudo=need_sudo)
else:
_run('echo %s > /etc/hostname' % hostname, use_sudo=need_sudo)
_run('hostname -F /etc/hostname', use_sudo=need_sudo)
if exists('/etc/mailname'):
_run('echo %s > /etc/mailname' % hostname, use_sudo=need_sudo)
# Restart logging service
servicename = 'rsyslog'
if exists('/etc/init.d/%s' % servicename):
_run('service %s restart' % servicename, use_sudo=need_sudo)
else:
# CentOS<6 and old Ubuntus and some Debians might not use 'rsyslog'
print 'WARN: Could not identify syslogging service. Please restart manually.'
def host(ipaddress, hostnames, use_sudo=False):
"""
Add a ipadress and hostname(s) in /etc/hosts file
Example::
from fabtools import require
require.network.host('127.0.0.1','hostname-a hostname-b')
"""
res = run_as_root('cat /etc/hosts | egrep "^%(ipaddress)s"' % locals())
if res.succeeded:
m = re.match('^%(ipaddress)s (.*)' % locals(), res)
# If ipadress allready exists
if m:
toadd = list()
hostnames = hostnames.split(' ')
inthehosts = m.group(1).split(' ')
for h in hostnames:
if h not in inthehosts:
toadd.append(h)
if len(toadd) > 0:
print "ADD: %s" % toadd
print res
hostline = "%s %s" % (res, ' '.join(toadd))
with hide('stdout', 'warnings'):
sed('/etc/hosts', res, hostline, use_sudo=use_sudo)
else:
hostline = "%s %s" % (res, hostnames)
append('/etc/hosts', hostline, use_sudo=use_sudo)
def set_locale():
sed(
'/etc/sysconfig/i18n',
'LANG=.*',
'LANG="ja_JP.UTF-8"',
use_sudo = True
)
def super():
init_directory()
with cd(env.CIHEUL_DIR):
#sudo("x=$(echo `pwd`/start_django.sh | sed \"s/\//\\\//g\"); sed -i \"s/{{command}}/$x/g\" /etc/supervisor/conf.d/ciheul.conf")
#x = run("echo `pwd`/start_django.sh | sed \"s/\//\\\//g\"")
x = run("echo `pwd`/start_django.sh")
sed("/etc/supervisor/conf.d/ciheul.conf", "replace_cmd_path", x, use_sudo=True)
def oracle():
""" compile and install oracle drivers
"""
setup_env_for_user(env.user)
run('mkdir -p %(admin_home_dir)s/~build' % env)
with cd(env.base):
run('rm -fr oracle*')
run('mkdir -p oracle')
with cd('oracle'):
arch = run('uname -i')
if arch == 'x86_64':
run('find %(packages_cache)s -name "instantclient*86-64*" -exec unzip "{}" \;' % env)
elif arch == 'i386':
run('find %(packages_cache)s -name "instantclient*" -name "*86-64*" -exec unzip "{}" \;' % env)
with cd('instantclient_*'):
run('ln -sf libclntsh.so.11.1 libclntsh.so')
env.oracle_home = run('find $PWD -type d -iname "instant*"' % env)
sed("~/.bash_profile", "export LD_LIBRARY_PATH=.*", "export LD_LIBRARY_PATH=$SITE_ENV/lib:%(oracle_home)s:" % env)
sed("~/bin/activate", "export ORACLE_HOME=.*", "export ORACLE_HOME=%(oracle_home)s:" % env)
assert exists('%(oracle_home)s/libclntsh.so' % env)
run('pip install cx_Oracle')
run('mkdir -p ~/logs/oracle')
run('ln -s ~/logs/oracle %(base)s/oracle/instantclient_11_2/log' % env)
# test
out = run('python -c "import cx_Oracle;print(222)"')
assert out.startswith("222")
def install_rkhunter(email=None):
"""
Install and configure RootKit Hunter
Default section: admin
:param email: Email to send reports
:type email: str
"""
opts = dict(
email=email
or get_envvar('email',section='admin')
or err('Email must be set'),
)
# install RKHunter
apt_get('rkhunter')
# send emails on warnings
uncomment('/etc/rkhunter.conf', '#MAIL-ON-WARNING=me@mydomain root@mydomain', use_sudo=True)
sed('/etc/rkhunter.conf', 'me@mydomain root@mydomain', opts['email'], use_sudo=True)
# ignore some Ubuntu specific files
uncomment('/etc/rkhunter.conf', '#ALLOWHIDDENDIR=\/dev\/.udev', use_sudo=True)
uncomment('/etc/rkhunter.conf', '#ALLOWHIDDENDIR=\/dev\/.static', use_sudo=True)
uncomment('/etc/rkhunter.conf', '#ALLOWHIDDENDIR=\/dev\/.initramfs', use_sudo=True)
def disable_password_authentication():
""" Disables password authentication. """
configuration_file = '/etc/ssh/sshd_config'
# ensure pubkey authentication is enabled
if not contains(configuration_file, '^PubkeyAuthentication yes',
escape=False):
# patterns
before = '^#?PubkeyAuthentication.*$'
after = 'PubkeyAuthentication yes'
sed(configuration_file, before, after, use_sudo=True)
print(green('Pubkey authentication enabled.'))
else:
print(green('Pubkey authentication already enabled.'))
# disable password authentication
if not contains(configuration_file, '^PasswordAuthentication no',
escape=False):
# patterns
before = '^#?PasswordAuthentication.*$'
after = 'PasswordAuthentication no'
sed(configuration_file, before, after, use_sudo=True)
print(green('Password authentication disabled.'))
else:
print(green('Password authentication already disabled.'))
def build_statics(env, version):
code_path = get_code_path(env, version)
# build player skin
with cd(code_path):
for subsite in SUBSITES:
loc = subsite.location
def getPath(path):
return "{project}/{subsite}/static/{path}".format(project=PROJECTNAME, subsite=loc, path=path)
style = subsite.styles
if not files.exists(getPath("css")):
run("mkdir -p {}".format(getPath("css")))
if style.hasBuster:
files.sed(getPath("less/cachebuster.less"), "CACHEBUSTTOKEN", '"{}"'.format(getShortToken(version)))
for stylesheet in style.list:
run("~/node_modules/less/bin/lessc {project}/{subsite}/static/less/{stylesheet} --yui-compress {project}/{subsite}/static/css/{outname}.min.css".format(project=PROJECTNAME, subsite=loc, stylesheet=stylesheet, outname = stylesheet.rsplit(".")[0]))
for subsite in SUBSITES:
if subsite.scripts:
if not files.exists("{project}/{subsite}/static/scripts/build/".format(project=PROJECTNAME, subsite=subsite.location)):
run("mkdir -p {project}/{subsite}/static/scripts/build/".format(project=PROJECTNAME, subsite=subsite.location))
customs = " ".join(["{project}/{subsite}/static/scripts/{script}".format(project=PROJECTNAME, subsite=subsite.location, script = script) for script in subsite.scripts])
run("java -jar ~/resources/compiler.jar --compilation_level SIMPLE_OPTIMIZATIONS \
--js {customs} \
--warning_level QUIET --js_output_file {project}/{subsite}/static/scripts/build/site.js".format(project=PROJECTNAME, subsite=subsite.location, customs = customs))
run("echo {} > ./VERSION_TOKEN".format(getShortToken(version)))
def ensure_hostname(self, hostname):
"""
Ensure a fixed hostname
<em>Parameters</em>
hostname - Hostname to be created
<em>Sample usage</em>
class MySampleRole(Role):
def provision(self):
with self.using(HostNameRole) as role:
role.ensure_hostname('rabbit')
"""
path = "/etc/sysconfig/network"
file = self.read_remote_file(path)
hostname_line = "HOSTNAME={0}".format(hostname)
if hostname == self.execute("hostname"):
return False
self.log("Setting up hostname")
if "HOSTNAME" not in file:
self.ensure_line(hostname_line, stdout=False, sudo=True)
else:
with settings(hide("warnings", "running", "stdout")):
sed(path, "HOSTNAME=.*", hostname_line, use_sudo=True)
self.execute('hostname "{0}"'.format(hostname), stdout=False, sudo=True)
self.log("Hostname %s added" % hostname)
return True
def sys_ssh_disable_password_authentication():
""" Diable password authentication - Ex: (cmd)"""
sshd_config = '/etc/ssh/sshd_config'
files.sed(sshd_config, before='\s*#\s*\sPasswordAuthentication\s*(yes|no)', after='PasswordAuthentication no',use_sudo=True)
files.sed(sshd_config, before='\s*PasswordAuthentication\s*yes', after='PasswordAuthentication no',use_sudo=True)
sudo('service ssh reload')
sys_etc_git_commit('Disable password authentication')
def _update_settings(source_folder, site_name):
settings_path = source_folder + '/superlists/settings.py'
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(settings_path, 'ALLOWED_HOSTS =.+$',
'ALLOWED_HOSTS = ["%s"]' % (site_name, ))
secret_key_file = source_folder + '/superlists/secret_key.py'
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, "SECRET_KEY = '%s'" % (key, ))
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
def _update_settings(source_folder, site_name):
settings_path = source_folder + '/tutorial/settings.py'
sed(settings_path, 'DEBUG = True', 'DEBUG = False')
sed(settings_path, 'ALLOWED_HOSTS =.+$',
f'ALLOWED_HOSTS = ["{site_name}"]')
secret_key_file = source_folder + '/tutorial/secret_key.py'
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, f'SECRET_KEY = "{key}"')
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
def _update_settings(source_folder, site_name):
"""обновить настройки"""
settings_path = source_folder + "/superlists/settings.py"
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(settings_path, "ALLOWED_HOSTS = .+$",
f"ALLOWED_HOSTS = [\"{site_name}\"]")
secret_key_file = source_folder + "/superlists/secret_key.py"
if not exists(secret_key_file):
chars = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
key = "".join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, f"SECRET_KEY = \"{key}\"")
append(settings_path, "\nfrom .secret_key import SECRET_KEY")
def _update_settings(mconf):
src_dir = '%s/source' % (mconf['app_path'])
settings_path = '%s/%s/settings.py' % (src_dir, mconf['module_name'])
sed(settings_path, 'DEBUG = True', 'DEBUG = False')
sed(settings_path, 'ALLOWED_HOSTS =.+$',
'ALLOWED_HOSTS = ["%s"]' % (mconf['site_name'], ))
secret_key_file = '%s/%s/secret_key.py' % (src_dir, mconf['module_name'])
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, "SECRET_KEY = '%s'" % (key, ))
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
def fix_plugins_1():
"""run some fix plugins"""
# copie des plugins corriges
put('/srv/awl_bfi_fabric/data/checktool/l_pci_clamav.sh',
'/usr/lib/checktoolV2/plugins/l_pci_clamav.sh',
use_sudo=True,
mode=0755)
put('/srv/awl_bfi_fabric/data/checktool/l_pci_yumupdate.sh',
'/usr/lib/checktoolV2/plugins/l_pci_yumupdate.sh',
use_sudo=True,
mode=0755)
put('/srv/awl_bfi_fabric/data/checktool/l_pci_rsyslog.sh',
'/usr/lib/checktoolV2/plugins/l_pci_rsyslog.sh',
use_sudo=True,
mode=0755)
put('/srv/awl_bfi_fabric/data/checktool/l_pci_ssh_access.sh',
'/usr/lib/checktoolV2/plugins/l_pci_ssh_access.sh',
use_sudo=True,
mode=0755)
put('/srv/awl_bfi_fabric/data/checktool/l_pci_auditd.sh',
'/usr/lib/checktoolV2/plugins/l_pci_auditd.sh',
use_sudo=True,
mode=0755)
# Application des droits pour les plugins corriges
sudo('chown root:root /usr/lib/checktoolV2/plugins/l_pci_clamav.sh')
sudo('chown root:root /usr/lib/checktoolV2/plugins/l_pci_yumupdate.sh')
sudo('chown root:root /usr/lib/checktoolV2/plugins/l_pci_rsyslog.sh')
sudo('chown root:root /usr/lib/checktoolV2/plugins/l_pci_ssh_access.sh')
sudo('chown root:root /usr/lib/checktoolV2/plugins/l_pci_auditd.sh')
sed('/etc/nagios/nrpe.cfg',
before='dont_blame_nrpe=1',
after='dont_blame_nrpe=0',
use_sudo=True,
backup='.bak',
flags='',
shell=False)
# relance du service nrpe
if sudo('''cat /etc/redhat-release | grep 'release 7' ''', quiet=True):
x = sudo("systemctl restart nrpe.service")
if x.succeeded:
print 'NRPE service restarted'
else:
print 'NRPE service failed'
else:
x = sudo("service nrpe reload")
if x.succeeded:
print 'NRPE service reloaded'
else:
print 'NRPE service failed'
def _update_settings(source_folder, site_name):
settings_path = source_folder + '/superlists/settings.py'
sed(settings_path, 'DEBUG = True',
'DEBUG = False')
sed(settings_path, 'ALLOWED_HOSTS =.+$',
'ALLOWED_HOSTS = ["%s"]' % site_name)
# I'm not convinced about this key generating files.
secret_key_file = source_folder + '/superlists/secret_key.py'
if not exists(secret_key_file):
chars = 'arbitrary_chars_for_randomness'
key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, "SECRET_KEY = '%s'" % key)
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
def deploy_project(project):
# Put apps....change settings to get project apps automagically
put(project,PYLIBS,use_sudo=True)
with fab_settings(warn_only=True):
for projdir in filter(os.path.isdir,glob.glob('*')):
if projdir != 'shared' and projdir != 'data':
put(projdir,PYLIBS,use_sudo=True)
put('requirements.txt',GEONODEDIR,use_sudo=True)
with cd(GEONODEDIR), prefix(ACT):
sudo('pip install -r requirements.txt')
sudo('rm requirements.txt')
put('%s/%s.apache' % (project,project),'/etc/apache2/sites-available/%s' % project, use_sudo=True)
sed('/etc/apache2/sites-available/%s' % project, 'REPLACE_WITH_SITEDIR', PYLIBS, use_sudo=True)
def _update_settings(site_name):
settings_path = 'abiesmerger/settings.py'
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(settings_path,
'ALLOWED_HOSTS =.+$',
f'ALLOWED_HOSTS = ["{site_name}"]'
)
secret_key_file = 'abiesmerger/secret_key.py'
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choices(chars, k=50))
append(secret_key_file, f'SECRET_KEY = "{key}"')
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
def update_settings(self):
settings_path = self.superlists_folder + "/superlists/settings.py"
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(settings_path, "DOMAIN = \"localhost\"",
"DOMAIN = \"%s\"" % self.host)
secret_key_file = self.superlists_folder + "/superlists/secret_key.py"
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choice(chars)
for _ in range(50))
append(secret_key_file, "SECRET_KEY = '%s'" % key)
append(settings_path, "\nfrom .secret_key import SECRET_KEY")
def _update_settings(source_folder, host, project_name):
settings_file = f'{source_folder}/{project_name}/settings/production.py'
# sed(settings_file, 'DEBUG = True', 'DEBUG = False')
sed(settings_file,
'ALLOWED_HOSTS = .+$',
f'ALLOWED_HOSTS = ["{host}"]'
)
# Secret key
secret_key_file = f'{source_folder}/{project_name}/settings/secret_key.py'
if not exists(secret_key_file):
chars = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
secret_key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, f'SECRET_KEY = "{secret_key}"')
def _update_settings(source_folder, site_name):
settings_path = source_folder + '/superlists/settings.py'
static_folder = f'/home/{env.user}/sites/{env.host}/static/'
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(settings_path, 'ALLOWED_HOSTS = .+$',
f'ALLOWED_HOSTS = ["{site_name}"]')
secret_key_file = source_folder + '/superlists/secret_key.py'
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, f'SECRET_KEY = "{key}"')
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
append(settings_path, f'STATIC_ROOT = "{static_folder}"')
def deploy(revision=None):
if revision is not None and env.name != 'production':
sudo(
'curl -sL 169.254.169.254/latest/user-data | egrep -v \'chef-run|apt-get|pip|opscode.com\' | sudo bash'
)
sed('/tmp/node.json',
'("revision":)[^\,]*(\,)?',
'\\1 "%s"\\2' % revision,
use_sudo=True)
sudo('chef-solo -c /tmp/solo.rb | tee /tmp/chef-run.log')
else:
run('curl -sL 169.254.169.254/latest/user-data | egrep -v \'apt-get|pip|opscode.com\' | sudo bash'
)
def harden_sshd():
"""Security harden sshd.
"""
# Disable password authentication
sed('/etc/ssh/sshd_config',
'#PasswordAuthentication yes',
'PasswordAuthentication no',
use_sudo=True)
# Deny root login
sed('/etc/ssh/sshd_config',
'PermitRootLogin yes',
'PermitRootLogin no',
use_sudo=True)
def _update_settings():
settings_path = project_folder + '/{}/settings.py'.format(PROJECT_NAME)
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(settings_path,
'ALLOWED_HOSTS = .+$',
'ALLOWED_HOSTS = ["%s"]' % (REMOTE_HOST,)
)
secret_key_file = project_folder + '/{}/secret_key.py'.format(PROJECT_NAME)
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, "SECRET_KEY = '%s'" % (key,))
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
def masquerade():
"""Set up masquerading so that a box with two NICs can act as a router.
"""
# Set up masquerade so that one host can act as a NAT gateway for a network
# of hosts.
#http://forums.fedoraforum.org/archive/index.php/t-178224.html
rc_file = '/etc/rc.local'
rule_1 = '/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'
rule_2 = 'echo 1 > /proc/sys/net/ipv4/ip_forward'
if not contains(rc_file, rule_1):
sed(rc_file, '^exit 0', '#exit 0', use_sudo=True)
append(rc_file, rule_1, use_sudo=True)
append(rc_file, rule_2, use_sudo=True)
def _update_settings(source_folder, site_name):
settings_path = source_folder + '/superlists/settings.py'
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(settings_path, 'ALLOWED_HOSTS = .+$',
f'ALLOWED_HOSTS = ["{site_name}"]')
secret_key_file = source_folder + '/superlists/secret_key.py'
if not exists(secret_key_file):
chars = string.ascii_lowercase + string.digits + '!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, f'SECRET_KEY = "{key}"')
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
def _update_settings(site_name):
settings_path = 'superlists/settings.py'
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(settings_path, 'ALLOWED_HOSTS =.+$',
f'ALLOWED_HOSTS = ["{site_name}"]')
secret_key_file = 'superlists/secret_key.py'
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choices(chars, k=50))
append(secret_key_file, f'SECRET_KEY = "{key}"')
append(
settings_path, '\nfrom .secret_key import SECRET_KEY'
) # append - adds a line to the end of a file (won't do that if the line is already there)
def run_services(
host,
settings_dict,
envs=None,
verbose=None,
):
"""
Install OS with COI on control and compute servers
:param conf: configuration of lab boxes
:param settings_dict: settings dictionary for Fabric
:param envs: environment variables to inject when executing job
:param verbose: if to hide all output or print everything
"""
envs = envs or {}
verbose = verbose or []
if settings_dict['user'] != 'root':
run_func = sudo
use_sudo_flag = True
else:
run_func = run
use_sudo_flag = False
print >> sys.stderr, "FABRIC connecting to", settings_dict["host_string"],
with settings(**settings_dict), hide(*verbose), shell_env(**envs):
with cd("/root/"):
update_time(run_func)
run_func("apt-get update")
run_func('DEBIAN_FRONTEND=noninteractive apt-get -y '
'-o Dpkg::Options::="--force-confdef" -o '
'Dpkg::Options::="--force-confold" dist-upgrade')
run_func("apt-get install -y git")
run_func(
"git clone -b icehouse https://github.com/CiscoSystems/puppet_openstack_builder"
)
## run the latest, not i.0 release
sed("/root/puppet_openstack_builder/install-scripts/cisco.install.sh",
"icehouse/snapshots/i.0",
"icehouse-proposed",
use_sudo=use_sudo_flag)
sed("/root/puppet_openstack_builder/data/hiera_data/vendor/cisco_coi_common.yaml",
"/snapshots/i.0",
"-proposed",
use_sudo=use_sudo_flag)
with cd("/root/puppet_openstack_builder/install-scripts"):
warn_if_fail(run_func("./setup.sh"))
warn_if_fail(run_func('puppet agent --enable'))
warn_if_fail(
run_func(
"puppet agent -td --server=build-server.domain.name --pluginsync"
))
collect_logs(run_func=run_func, hostname=host["hostname"])
def _install_nginx(env):
"""Nginx open source web server.
http://www.nginx.org/
"""
version = "1.2.0"
url = "http://nginx.org/download/nginx-%s.tar.gz" % version
install_dir = os.path.join(env.install_dir, "nginx")
remote_conf_dir = os.path.join(install_dir, "conf")
# Skip install if already present
if exists(remote_conf_dir) and contains(os.path.join(remote_conf_dir, "nginx.conf"), "/cloud"):
env.logger.debug("Nginx already installed; not installing it again.")
return
with _make_tmp_dir() as work_dir:
with contextlib.nested(cd(work_dir), settings(hide('stdout'))):
modules = _get_nginx_modules(env)
module_flags = " ".join(["--add-module=../%s" % x for x in modules])
run("wget %s" % url)
run("tar xvzf %s" % os.path.split(url)[1])
with cd("nginx-%s" % version):
run("./configure --prefix=%s --with-ipv6 %s "
"--user=galaxy --group=galaxy --with-debug "
"--with-http_ssl_module --with-http_gzip_static_module" %
(install_dir, module_flags))
sed("objs/Makefile", "-Werror", "")
run("make")
sudo("make install")
sudo("cd %s; stow nginx" % env.install_dir)
defaults = {"galaxy_home": "/mnt/galaxyTools/galaxy-central"}
_setup_conf_file(env, os.path.join(remote_conf_dir, "nginx.conf"), "nginx.conf", defaults=defaults)
nginx_errdoc_file = 'nginx_errdoc.tar.gz'
url = os.path.join(REPO_ROOT_URL, nginx_errdoc_file)
remote_errdoc_dir = os.path.join(install_dir, "html")
with cd(remote_errdoc_dir):
sudo("wget --output-document=%s/%s %s" % (remote_errdoc_dir, nginx_errdoc_file, url))
sudo('tar xvzf %s' % nginx_errdoc_file)
sudo("mkdir -p %s" % env.install_dir)
if not exists("%s/nginx" % env.install_dir):
sudo("ln -s %s/sbin/nginx %s/nginx" % (install_dir, env.install_dir))
# If the guessed symlinking did not work, force it now
cloudman_default_dir = "/opt/galaxy/sbin"
if not exists(cloudman_default_dir):
sudo("mkdir -p %s" % cloudman_default_dir)
if not exists(os.path.join(cloudman_default_dir, "nginx")):
sudo("ln -s %s/sbin/nginx %s/nginx" % (install_dir, cloudman_default_dir))
env.logger.debug("Nginx {0} installed to {1}".format(version, install_dir))
def install_postgresql(ver=None):
"""
Install PostgreSQL server
"""
# simple settings helper http://pgtune.leopard.in.ua/
assert ver in SUPPORT_POSTGRESQL_VERSIONS or ver is None
check_sudo()
check_os()
if not confirm('Do you want to install PostreSQL{}?'.format(
' {}'.format(ver) if ver else '')):
return
allow_versions = ', '.join(SUPPORT_POSTGRESQL_VERSIONS)
while ver not in SUPPORT_POSTGRESQL_VERSIONS:
ver = prompt(
'Write PostgreSQL version you need ({}):'.format(allow_versions),
default=SUPPORT_POSTGRESQL_VERSIONS[-1])
print_green('INFO: Install PostreSQL {}...'.format(ver))
set_apt_repositories(POSTGRESQL_REPOSITORIES,
POSTGRESQL_REPOS_INSTALL_KEYS_COMMANDS,
subconf_name='postgres')
apt_update()
apt_install(
'postgresql-{ver} postgresql-server-dev-{ver} libpq-dev'.format(
ver=ver),
noconfirm=True)
set_postgresql_user_password(
'postgres', password_prompt('Set password to superuser postgres'))
la = prompt(
'Set listen_addresses (hostname or ip, comma separated; set * for all)',
default='localhost',
validate='[\w\.\-\*]+').strip()
t = BytesIO()
postgresql_conf = '/etc/postgresql/{}/main/postgresql.conf'.format(ver)
get(postgresql_conf, local_path=t, use_sudo=True)
t = BytesIO(
re.sub(br"#listen_addresses = 'localhost'",
r"listen_addresses = '{}'".format(la).encode(), t.getvalue()))
put(t, postgresql_conf, use_sudo=True)
sudo('chown postgres:postgres {}'.format(postgresql_conf))
sudo('chmod 644 {}'.format(postgresql_conf))
hba = '/etc/postgresql/{}/main/pg_hba.conf'.format(ver)
sed(hba, r'(local\s+all\s+all\s+)peer', r'\1md5', use_sudo=True)
if confirm('Do you want to allow connect to PostgreSQL from out?'):
append(
hba,
'host all all 0.0.0.0/0 md5',
use_sudo=True)
install_postgis(postgres_ver=ver)
if confirm('Do you want to restart PostgreSQL?'):
service_restart('postgresql')
print_green('INFO: Install PostreSQL {}... OK'.format(ver))
def _update_settings(source_folder, site_domain):
settings_path = source_folder + '/' + APP_NAME + '/settings.py'
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(
settings_path,
'ALLOWED_HOSTS =.+$',
# 'ALLOWED_HOSTS = ["{}"]'.format("*")
'ALLOWED_HOSTS = ["{}"]'.format(site_domain))
secret_key_file = source_folder + '/' + APP_NAME + '/secret_key.py'
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, "SECRET_KEY = '{}'".format(key))
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
def _update_settings(source_folder, site_name):
"""
Update django settings for allowed hosts, debug mode and secret key.
"""
settings_path = source_folder + '/superlists/settings.py'
sed(settings_path, "DEBUG = True", "DEBUG = False")
sed(settings_path, 'ALLOWED_HOSTS = .+$',
f'ALLOWED_HOSTS = ["{site_name}"]')
secret_key_file = source_folder + '/superlists/secret_key.py'
if not exists(secret_key_file):
chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
key = ''.join(random.SystemRandom().choice(chars) for _ in range(50))
append(secret_key_file, f'SECRET_KEY = "{key}"')
append(settings_path, '\nfrom .secret_key import SECRET_KEY')
def configure_ssh():
"""
Change sshd_config defaults:
Change default port
Disable root login
Disable password login
Restrict to only login group
"""
ssh_config = u'/etc/ssh/sshd_config'
files.sed(ssh_config, u"Port 22$", u"Port %s" % env.ssh_port, use_sudo=True)
files.sed(ssh_config, u"PermitRootLogin yes", u"PermitRootLogin no", use_sudo=True)
files.append(ssh_config, u"AllowGroups login", use_sudo=True)
files.append(ssh_config, u"PasswordAuthentication no", use_sudo=True)
service_command(u'ssh', u'reload')
def nginx_config(projectID='2345',
template='McGraw-Demo',
domain='mydemo.com'):
env.user = env.not_root
env.password = env.not_root_passwd
virtualenv_path = '/home/%s/virtualenvs/%s' % (env.user, projectID)
project_path = os.path.join(virtualenv_path, template)
nginx_conf_path = os.path.join('/etc/nginx/sites-available', projectID)
upload_template(os.path.join(env.local_template_dir, 'nginx_site_config'),
nginx_conf_path,
use_sudo=True)
sed(nginx_conf_path, '\$\{domain\}', domain, use_sudo=True)
sed(nginx_conf_path, '\$\{projectID\}', projectID, use_sudo=True)
sed(nginx_conf_path,
'\$\{virtualenv_path\}',
virtualenv_path,
use_sudo=True)
sed(nginx_conf_path, '\$\{project_path\}', project_path, use_sudo=True)
sudo('rm %s.bak' % (nginx_conf_path))
sudo('ln -s /etc/nginx/sites-available/%s /etc/nginx/sites-enabled/%s' %
(projectID, projectID))
sudo('/etc/init.d/nginx stop')
sudo('/etc/init.d/nginx start')
def disable_root_login():
""" Disables root login authentication over SSH. """
configuration_file = '/etc/ssh/sshd_config'
if not contains(configuration_file, '^PermitRootLogin no', escape=False):
# patterns
before = '^#?PermitRootLogin.*$'
after = 'PermitRootLogin no'
sed(configuration_file, before, after, use_sudo=True)
print(green('Root login disabled.'))
else:
print(green('Root login already disabled.'))
def userSetup():
_new_user(env.not_root, env.not_root_passwd)
env.user = env.not_root
env.password = env.not_root_passwd
append(
"~/.bashrc", "export WORKON_HOME=$HOME/virtualenvs\n\
export PROJECT_HOME=$HOME/projects\n\
source /usr/local/bin/virtualenvwrapper.sh")
with cd("/home/%s" % (env.user)):
upload_template('/home/kevin/McGraw/templates/bashprofile_template',
'.bash_profile')
sed('.bash_profile', '\{\{!USER!\}\}', env.user)
run("source .bashrc")
def _agentip(config):
''' Use this task to control what IP is used for opscenter '''
src_file = "configs/{}/address.yaml".format(config)
dest_file = "/var/lib/datastax-agent/conf/address.yaml"
put(src_file, dest_file, use_sudo=True)
aftertext = 'hosts: ["{}"]'.format(env.host_string)
sed(dest_file,
before='hosts: \["\$HOST"\]',
after=aftertext,
use_sudo=True,
backup='')
def create_redirects():
remote = '%(basepath)s/releases/%(release)s/redirects.conf' % env
remoteblog = '%(basepath)s/releases/%(release)s/blogredirects.conf' % env
if os.access("redirects.txt", os.R_OK):
put("redirects.txt", remote)
sed(remote, '^(.*[^;]);?$', 'rewrite \\1 redirect;')
else:
warn(yellow(">>> File redirects.txt not found -- removing all redirections"))
run('touch %s' % remote)
put("blogredirects.txt", remoteblog)
sed(remoteblog, '^(.*[^;]);?$', '\\1;')
def _expand_template(self, fp, use_sudo=False, flags='i', **mappings):
fmappings = {
'<usr>': self.ctx.user,
'<host>': self.ctx.host,
'<site>': self.ctx.site,
'<project>': self.ctx.project
}
fmappings.update(mappings)
for before, after in fmappings.items():
files.sed(fp,
before,
after,
use_sudo=use_sudo or False,
flags=flags or 'i')
def remove(option):
"""
Remove option line from remote settings.ini
"""
option = option.lower()
before = '%s = .*' % option
after = ''
if contains(env.PROJECT.settings, before):
sed(env.PROJECT.settings, before, after, backup='')
# sanity check
assert not contains(env.PROJECT.settings, '%s.*' % option), 'Config found: "%s"' % option
