def servers(self):
"""
Return a dict of the servers defined in the ini file.
Each server is a list of parameters provided for it.
Parameter lists are lists of key,value tuples.
"""
c = iniparse.RawConfigParser()
c.read(self.inipath)
servers = c.sections()
servers = filter(
lambda s: s.lower().startswith("server ") and s.lower() !=
"server defaults", servers)
results = {}
for server in servers:
name = server.split(None, 1)[1]
if results.has_key(name):
raise ValueError("Server %s defined more than once" % (name))
items = []
results[name] = items
self._sectsDone.clear()
try:
self._includeItems(items, "server defaults", c)
except (iniparse.NoSectionError, iniparse.NoOptionError):
pass
self._includeItems(items, server, c)
self._sectsDone.clear()
return results
def cleanup():
config = iniparse.RawConfigParser()
config.readfp(FakeSection(file(sys.argv[2])))
dbpath = config.get(FAKE_SECTION, 'dbpath')
dblock = os.path.join(dbpath, 'mongod.lock')
if os.path.exists(dblock) and os.path.getsize(dblock) > 0:
try:
print >> sys.stderr, myname, "let's try to read what's in the lockfile"
# Here we get an exception if the file is currently locked by a process
junk = file(dblock, 'rU').read()
print >> sys.stderr, myname, "OK, let's remove the lock"
os.remove(dblock)
time.sleep(2)
except Exception as e:
return False
output = ''
try:
print >> sys.stderr, myname, "let's attempt to repair the database"
output = subprocess.check_output(
[sys.argv[1], '--config', sys.argv[2], '--repair'])
except subprocess.CalledProcessError as cpe:
print >> sys.stderr, "ERROR when running --repair"
return True
return False
print "Copying buildout skeleton"
shutil.copytree(os.path.join(opt.uidir, 'base_skeleton'), opt.instance_home)
# remove OS X and svn detritus (this is mainly helpful for installer development)
doCommand('find %s -name "._*" -exec rm {} \; > /dev/null' % opt.instance_home)
doCommand('find %s -name ".svn" | xargs rm -rf' % opt.instance_home)
##########################################################
# buildout.cfg customizations
#
CLIENTS = int(opt.clients)
template = opt.template
if not '.cfg' in template:
template += ".cfg"
buildout = iniparse.RawConfigParser()
buildout.read(os.path.join(opt.uidir, 'buildout_templates', template))
# set the parts list
parts = buildout.get('buildout', 'parts').split('\n')
if opt.itype == 'standalone':
parts.remove('client1')
parts.remove('zeoserver')
else:
parts.remove('instance')
parts.remove('repozo')
client_index = parts.index('client1')
for client in range(1, CLIENTS):
parts.insert(client_index + client, 'client%d' % (client + 1))
if not opt.root_install:
parts.remove('setpermissions')
def main():
# TODO : check debian / ubuntu / centos / redhat version
if postconf.yesno("Do you want to launch post configuration tool ?"
) != postconf.DIALOG_OK:
print "canceling wapt postconfiguration"
sys.exit(1)
# TODO : check if it a new install or an upgrade (upgrade from mongodb to postgresql)
if type_redhat():
if re.match('^SELinux status:.*enabled',
subprocess.check_output('sestatus')):
postconf.msgbox('SELinux detected, tweaking httpd permissions.')
subprocess.check_call(
['setsebool', '-P', 'httpd_can_network_connect', '1'])
postconf.msgbox(
'SELinux correctly configured for Apache reverse proxy')
if not os.path.isfile('/opt/wapt/conf/waptserver.ini'):
shutil.copyfile('/opt/wapt/waptserver/waptserver.ini.template',
'/opt/wapt/conf/waptserver.ini')
waptserver_ini = iniparse.RawConfigParser()
waptserver_ini.readfp(file('/opt/wapt/conf/waptserver.ini', 'rU'))
# add user db and password in ini file
ensure_postgresql_db()
print("create database schema")
subprocess.check_output(
""" sudo -u wapt python /opt/wapt/waptserver/waptserver_model.py init_db """,
shell=True)
mongo_update_status = check_mongo2pgsql_upgrade_needed(waptserver_ini)
if mongo_update_status == 0:
print("already running postgresql, nothing to do")
elif mongo_update_status == 1:
print(
"need to upgrade from mongodb to postgres, please launch python /opt/wapt/waptserver/waptserver_model.py upgrade2postgres"
)
sys.exit(1)
elif mongo_update_status == 2:
print("something not normal please check your installation first")
sys.exit(1)
# no trailing slash
if type_debian():
wapt_folder = '/var/www/wapt'
elif type_redhat():
wapt_folder = '/var/www/html/wapt'
waptserver_ini.set('uwsgi', 'gid', 'httpd')
else:
print('distrib not supported')
sys.exit(1)
if os.path.isdir(wapt_folder):
waptserver_ini.set('options', 'wapt_folder', wapt_folder)
else:
# for install on windows
# keep in sync with waptserver.py
wapt_folder = os.path.join(wapt_root_dir, 'waptserver', 'repository',
'wapt')
if os.path.exists(os.path.join(wapt_root_dir, 'waptserver', 'wsus.py')):
waptserver_ini.set(
'uwsgi', 'attach-daemon',
'/usr/bin/python /opt/wapt/waptserver/wapthuey.py wsus.huey')
if not waptserver_ini.has_option('options', 'wapt_password') or \
not waptserver_ini.get('options', 'wapt_password') or \
postconf.yesno("Do you want to reset admin password ?",yes_label='skip',no_label='reset') != postconf.DIALOG_OK:
wapt_password_ok = False
while not wapt_password_ok:
wapt_password = ''
wapt_password_check = ''
while wapt_password == '':
(code, wapt_password) = postconf.passwordbox(
"Please enter the wapt server password: "******"Please enter the wapt server password again: ",
insecure=True)
if code != postconf.DIALOG_OK:
exit(0)
if wapt_password != wapt_password_check:
postconf.msgbox('Password mismatch!')
else:
wapt_password_ok = True
password = hashlib.sha1(wapt_password).hexdigest()
waptserver_ini.set('options', 'wapt_password', password)
if not waptserver_ini.has_option('options', 'server_uuid'):
waptserver_ini.set('options', 'server_uuid', str(uuid.uuid1()))
with open('/opt/wapt/conf/waptserver.ini', 'w') as inifile:
subprocess.check_output("/bin/chmod 640 /opt/wapt/conf/waptserver.ini",
shell=True)
subprocess.check_output(
"/bin/chown wapt /opt/wapt/conf/waptserver.ini", shell=True)
waptserver_ini.write(inifile)
final_msg = [
'Postconfiguration completed.',
]
enable_waptserver()
start_waptserver()
reply = postconf.yesno("Do you want to configure apache?")
if reply == postconf.DIALOG_OK:
try:
fqdn = socket.getfqdn()
if not fqdn:
fqdn = 'wapt'
if '.' not in fqdn:
fqdn += '.lan'
msg = 'FQDN for the WAPT server (eg. wapt.acme.com)'
(code, reply) = postconf.inputbox(text=msg,
width=len(msg) + 4,
init=fqdn)
if code != postconf.DIALOG_OK:
exit(1)
else:
fqdn = reply
# cleanup of old naming convention for the wapt vhost definition
if type_debian():
if os.path.exists('/etc/apache2/sites-enabled/wapt'):
try:
os.unlink('/etc/apache2/sites-enabled/wapt')
except Exception:
pass
if os.path.exists('/etc/apache2/sites-available/wapt'):
try:
os.unlink('/etc/apache2/sites-available/wapt')
except Exception:
pass
# TODO : check first if fqdn is dns resolvable
make_httpd_config(wapt_folder, '/opt/wapt/waptserver', fqdn)
final_msg.append('Please connect to https://' + fqdn +
'/ to access the server.')
if type_debian():
enable_debian_vhost()
elif type_redhat():
enable_redhat_vhost()
reply = postconf.yesno(
"The Apache config has been reloaded. Do you want to force-restart Apache?"
)
if reply == postconf.DIALOG_OK:
start_apache()
enable_apache()
start_apache()
setup_firewall()
except subprocess.CalledProcessError as cpe:
final_msg += [
'Error while trying to configure Apache!',
'errno = ' + str(cpe.returncode) + ', output: ' + cpe.output
]
except Exception as e:
import traceback
final_msg += [
'Error while trying to configure Apache!',
traceback.format_exc()
]
width = 4 + max(10, len(max(final_msg, key=len)))
height = 2 + max(20, len(final_msg))
postconf.msgbox('\n'.join(final_msg), height=height, width=width)
def main():
global wapt_folder, MONGO_SVC, APACHE_SVC, NGINX_GID
parser = OptionParser(usage=usage, version='waptserver.py ' + __version__)
parser.add_option(
"-k",
"--use-kerberos",
dest="use_kerberos",
default=False,
action='store_true',
help="Use kerberos for host registration (default: False)")
parser.add_option(
"-s",
"--force-https",
dest="force_https",
default=False,
action='store_true',
help=
"Use https only, http is 301 redirected to https (default: False). Requires a proper DNS name"
)
(options, args) = parser.parse_args()
if postconf.yesno("Do you want to launch post configuration tool ?"
) != postconf.DIALOG_OK:
print "canceling wapt postconfiguration"
sys.exit(1)
# TODO : check if it a new install or an upgrade (upgrade from mongodb to postgresql)
if type_redhat():
if re.match('^SELinux status:.*enabled',
subprocess.check_output('sestatus')):
postconf.msgbox('SELinux detected, tweaking httpd permissions.')
run('setsebool -P httpd_can_network_connect 1')
run('setsebool -P httpd_setrlimit on')
for sepath in ('wapt', 'wapt-host', 'wapt-hostref'):
run('semanage fcontext -a -t httpd_sys_content_t "/var/www/html/%s(/.*)?"'
% sepath)
run('restorecon -R -v /var/www/html/%s' % sepath)
postconf.msgbox(
'SELinux correctly configured for Nginx reverse proxy')
if not os.path.isfile('/opt/wapt/conf/waptserver.ini'):
shutil.copyfile('/opt/wapt/waptserver/waptserver.ini.template',
'/opt/wapt/conf/waptserver.ini')
else:
print('making a backup copy of the configuration file')
datetime_now = datetime.datetime.now()
shutil.copyfile(
'/opt/wapt/conf/waptserver.ini',
'/opt/wapt/conf/waptserver.ini.bck_%s' % datetime_now.isoformat())
waptserver_ini = iniparse.RawConfigParser()
waptserver_ini.readfp(file('/opt/wapt/conf/waptserver.ini', 'rU'))
if waptserver_ini.has_section('uwsgi'):
print('Remove uwsgi options, not used anymore')
waptserver_ini.remove_section('uwsgi')
# add secret key initialisation string (for session token)
if not waptserver_ini.has_option('options', 'secret_key'):
waptserver_ini.set(
'options', 'secret_key', ''.join(
random.SystemRandom().choice(string.letters + string.digits)
for _ in range(64)))
# add user db and password in ini file
ensure_postgresql_db()
print("create database schema")
run(" sudo -u wapt python /opt/wapt/waptserver/waptserver_model.py init_db "
)
mongo_update_status = check_mongo2pgsql_upgrade_needed(waptserver_ini)
if mongo_update_status == 0:
print("already running postgresql, trying to upgrade structure")
run("sudo -u wapt python /opt/wapt/waptserver/waptserver_upgrade.py upgrade_structure"
)
elif mongo_update_status == 1:
print(
"need to upgrade from mongodb to postgres, please launch python /opt/wapt/waptserver/waptserver_upgrade.py upgrade2postgres"
)
sys.exit(1)
elif mongo_update_status == 2:
print("something not normal please check your installation first")
sys.exit(1)
if os.path.isdir(wapt_folder):
waptserver_ini.set('options', 'wapt_folder', wapt_folder)
else:
# for install on windows
# keep in sync with waptserver.py
wapt_folder = os.path.join(wapt_root_dir, 'waptserver', 'repository',
'wapt')
# if os.path.exists(os.path.join(wapt_root_dir, 'waptserver', 'wsus.py')):
# waptserver_ini.set('uwsgi', 'attach-daemon', '/usr/bin/python /opt/wapt/waptserver/wapthuey.py wsus.huey')
if not waptserver_ini.has_option('options', 'wapt_password') or \
not waptserver_ini.get('options', 'wapt_password') or \
postconf.yesno("Do you want to reset admin password ?",yes_label='skip',no_label='reset') != postconf.DIALOG_OK:
wapt_password_ok = False
while not wapt_password_ok:
wapt_password = ''
wapt_password_check = ''
while wapt_password == '':
(code, wapt_password) = postconf.passwordbox(
"Please enter the wapt server password: "******"Please enter the wapt server password again: ",
insecure=True)
if code != postconf.DIALOG_OK:
exit(0)
if wapt_password != wapt_password_check:
postconf.msgbox('Password mismatch!')
else:
wapt_password_ok = True
password = pbkdf2_sha256.hash(wapt_password.encode('utf8'))
waptserver_ini.set('options', 'wapt_password', password)
if not waptserver_ini.has_option('options', 'server_uuid'):
waptserver_ini.set('options', 'server_uuid', str(uuid.uuid1()))
if options.use_kerberos:
waptserver_ini.set('options', 'use_kerberos', 'True')
else:
waptserver_ini.set('options', 'use_kerberos', 'False')
with open('/opt/wapt/conf/waptserver.ini', 'w') as inifile:
run("/bin/chmod 640 /opt/wapt/conf/waptserver.ini")
run("/bin/chown wapt /opt/wapt/conf/waptserver.ini")
waptserver_ini.write(inifile)
# TODO : remove mongodb lines that are commented out
run('python /opt/wapt/wapt-scanpackages.py %s ' % wapt_folder)
final_msg = [
'Postconfiguration completed.',
]
postconf.msgbox("Press ok to start waptserver")
enable_waptserver()
start_waptserver()
# In this new version Apache is replaced with Nginx? Proceed to disable Apache. After migration one can remove Apache install altogether
try:
print(
subprocess.check_output('systemctl stop %s' % APACHE_SVC,
shell=True))
except:
pass
try:
print(
subprocess.check_output('systemctl disable %s' % APACHE_SVC,
shell=True))
except:
pass
reply = postconf.yesno("Do you want to configure nginx?")
if reply == postconf.DIALOG_OK:
try:
fqdn = socket.getfqdn()
if not fqdn:
fqdn = 'wapt'
if '.' not in fqdn:
fqdn += '.lan'
msg = 'FQDN for the WAPT server (eg. wapt.acme.com)'
(code, reply) = postconf.inputbox(text=msg,
width=len(msg) + 4,
init=fqdn)
if code != postconf.DIALOG_OK:
exit(1)
else:
fqdn = reply
dh_filename = '/etc/ssl/certs/dhparam.pem'
if not os.path.exists(dh_filename):
print(
subprocess.check_output('openssl dhparam -out %s 2048' %
dh_filename,
shell=True))
os.chown(dh_filename, 0, NGINX_GID)
os.chmod(dh_filename, 0o640)
# cleanup of nginx.conf file
with open('/etc/nginx/nginx.conf', 'r') as read_conf:
nginx_conf = nginxparser.load(read_conf)
nginx_conf = nginx_set_worker_limit(nginx_conf)
nginx_conf = nginx_clean_default_vhost(nginx_conf)
with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file:
nginx_conf_file.write(nginxparser.dumps(nginx_conf))
if options.use_kerberos:
if type_debian():
if not check_if_deb_installed(
'libnginx-mod-http-auth-spnego'):
print(
'missing dependency libnginx-mod-http-auth-spnego, please install first before configuring kerberos'
)
sys.exit(1)
elif type_redhat():
import yum
yb = yum.YumBase()
yb.conf.cache = os.geteuid() != 1
pkgs = yb.rpmdb.returnPackages()
found = False
for pkg in pkgs:
if pkg.name == 'nginx-mod-http-auth-spnego':
found = True
if found == False:
print(
'missing dependency nginx-mod-http-auth-spnego, please install first before configuring kerberos'
)
sys.exit(1)
make_httpd_config(wapt_folder, '/opt/wapt/waptserver', fqdn,
options.use_kerberos, options.force_https)
final_msg.append('Please connect to https://' + fqdn +
'/ to access the server.')
postconf.msgbox(
"The Nginx config is done. We need to restart Nginx?")
print(subprocess.check_output('systemctl enable nginx',
shell=True))
print(
subprocess.check_output('systemctl restart nginx', shell=True))
setup_firewall()
except subprocess.CalledProcessError as cpe:
final_msg += [
'Error while trying to configure Nginx!',
'errno = ' + str(cpe.returncode) + ', output: ' + cpe.output
]
except Exception as e:
import traceback
final_msg += [
'Error while trying to configure Nginx!',
traceback.format_exc()
]
width = 4 + max(10, len(max(final_msg, key=len)))
height = 2 + max(20, len(final_msg))
postconf.msgbox('\n'.join(final_msg), height=height, width=width)
db_host=127.0.0.1
waptserver_port={{waptserver_port}}
"""
if __name__ == '__main__':
lst = []
sport = 8080
ports = []
for instance in lst:
ini_fn = '/opt/wapt/conf/%s.ini' % instance
ini = iniparse.RawConfigParser()
if os.path.isfile(ini_fn):
ini.read(ini_fn)
waptserver_port = ini.get('options', 'waptserver_port',
'%s' % sport)
application_root = ini.get('options', 'application_root', instance)
del ini
else:
while sport in ports:
sport += 1
ports.append(sport)
application_root = instance
secret_key = ''.join(random.SystemRandom().choice(string.letters +
string.digits)
for _ in range(64))