def create_site_base(name, folder, username):
"""
Create an empty Plone site installation and corresponding UNIX user.
Each sites has its own subfolder /srv/plone/xxx.
"""
check_known_environment()
base_folder = os.path.dirname(folder)
create_base(base_folder)
create_plone_unix_user(username)
# Enable friendly
give_user_ztanesh(username)
with sudo:
print "Creating a Plone site %s folder %s for UNIX user %s" % (name, folder, username)
install("-d", folder)
reset_permissions(username, folder)
create_site_initd_script(name, folder, username)
print "Site base (re)created: %s" % folder
def main():
args = parse_args()
if args.outdir == KEY_DIR:
sh.install("-m", "700", "-d", KEY_DIR)
mrenclave_path = os.path.join(args.outdir, "mrenclave")
with open(args.MANIFEST_SIGNATURE_FILE, "rb") as f:
mrenclave = f.read()[MRENCLAVE_OFFSET:MRENCLAVE_OFFSET +
MRENCLAVE_SIZE]
with open(mrenclave_path, "w+") as f:
f.write(mrenclave.hex())
def main():
args = parse_args()
if args.outdir == KEY_DIR:
sh.install("-m", "700", "-d", KEY_DIR)
pubkey_path = os.path.join(args.outdir, "challenger_public.key")
privkey_path = os.path.join(args.outdir, "challenger_private.key")
if os.path.exists(pubkey_path):
raise FileExistsError("File %r already exists" % pubkey_path)
if os.path.exists(privkey_path):
raise FileExistsError("File %r already exists" % privkey_path)
public_key, private_key = crypto.generate_ecdh_key_pair()
with open(pubkey_path, "w+") as pubkey_file:
pubkey_file.write(public_key.hex())
with open(privkey_path, "w+") as privkey_file:
privkey_file.write(private_key.hex())
def create_base(folder):
"""
Create multisite Plone hosting infrastructure on a server..
Host sites at /srv/plone or chosen cache_folder
Each folder has a file called buildout.cfg which is the production buildout file
for this site. This might not be a real file, but a symlink to a version controlled
file under /srv/plone/xxx/src/yoursitecustomization.policy/production.cfg.
Log rotate is performed using a global UNIX log rotate script:
http://opensourcehacker.com/2012/08/30/autodiscovering-log-files-for-logrotate/
:param folder: Base installation folder for all the sites e.g. /srv/plone
"""
from sh import apt_get
with sudo:
# Return software we are going to need in any case
# Assumes Ubuntu / Debian
# More info: https://github.com/miohtama/ztanesh
if (not which("zsh")) or (not which("git")) or (not which("gcc")):
# Which returs zero on success
print "Installing OS packages"
apt_get("update")
apt_get("install", "-y", *PACKAGES)
# Create base folder
if not os.path.exists(folder):
print "Creating installation base %s" % folder
install(folder, "-d")
# Create nightly restart cron job
if os.path.exists("/etc/cron.d"):
print "(Re)setting all sites nightly restart cron job"
echo(CRON_TEMPLATE, _out=CRON_JOB)
create_python_env(folder)
def copy_site_files(source, target):
"""
Rsync all non-regeneratable Plone files.
We also *must* not copy some files as they would mess up
running the buildout on the new target.
http://plone.org/documentation/kb/copying-a-plone-site
"""
# Make sure we can SSH into to the box without interaction
ssh_handshake(source)
print "Syncing site files from old site %s" % source
from sh import rsync
# XXX: --progress here is too verbose, rsync having multiple file transfer indicator?
rsync("-a", "--compress-level=9", "--inplace",
"--exclude", "*.lock", # Data.fs.lock, instance.lock
"--exclude", "*.pid",
"--exclude", "*.log", # A lot of text data we probably don't need on the new server
"--exclude", "var/log/*", # Old rotated log files
"--exclude", "eggs",
"--exclude", "downloads", # Redownload
"--exclude", "parts", # Buildout always regenerates this folder
"--exclude", "bin", # old bin/ scripts may not regenereate, point to Py interpreter on the old server
"--exclude", ".installed.cfg", # Otherwise does not regenerate zeoserver
"--exclude", ".mr.developer.cfg",
"--exclude", "*.old", # Data.fs.old
"%s/*" % source, target,
_out=_unbuffered_stdout,
_err=_unbuffered_stdout,
_out_bufsize=0).wait()
# Rercreate regeneratable folders
install("-d", "%s/eggs" % target)
install("-d", "%s/parts" % target)
install("-d", "%s/downloads" % target)
install("-d", "%s/bin" % target)
# Link graphene's pal launcher to /usr/bin/graphene-pal
pal = "/usr/bin/graphene-pal"
if not os.path.islink(pal):
subprocess.check_call(
["ln", "-s",
os.path.join(GRAPHENE_DIR, "Runtime/pal-Linux-SGX"), pal])
# Create sgx group (if it doesn't exist)
try:
sh.groupadd(config.GROUP)
except sh.ErrorReturnCode_9:
pass
# Create the config directory
sh.install("-m", "750", "-g", config.GROUP, "-d", config.CONFIG_DIR)
# Create the data directory
sh.install("-m", "770", "-g", config.GROUP, "-d", config.DATA_DIR)
# Create the sealed directory
sh.install("-m", "770", "-g", config.GROUP, "-d", config.SEALED_DIR)
# Copy sgx-ra-manager to `/usr/local/bin/`.
# We don't include sgx-ra-manager in the `scripts` argument to setup(), because setup() creates a script
# which uses run_script() to execute the actual script, thereby ignoring our custom shebang to run python3-sgx.
sh.cp("scripts/sgx-ra-manager", "/usr/local/bin/")
# Copy sealing manifest to config directory
sh.cp("config/sealing", config.CONFIG_DIR)
def install_plone(name, folder, unix_user, python, version, mode, port):
"""
Installs a new Plone site using best practices.
"""
from sh import git, bash, install, touch, rm
if os.path.exists(folder) and not os.path.exists(os.path.join(folder, "buildout.cfg")):
sys.exit("%s exists, but seems to lack buildout.cfg. Please remove first." % folder)
# Create buildout structure using create_instance.py
if not os.path.exists(os.path.join(folder, "buildout.cfg")):
# Resolve the latest version
if version == "latest":
version = get_plone_versions()[0]
# Checkout installer files from the Github
temp_folder = tempfile.mkdtemp()
installer_folder = os.path.join(temp_folder, "plone-unified-installer-%s" % version)
plone_home = os.path.join(temp_folder, "plone-fake-home")
print "Getting Plone installer"
if not os.path.exists(installer_folder):
git("clone", "git://github.com/plone/Installers-UnifiedInstaller.git", installer_folder)
print "Checking out Plone installer version from Git %s" % version
bash("-c", "cd %(installer_folder)s && git checkout %(version)s" % locals())
# The following is needed to satisfy create_instance.py Distribute egg look-up
# It assumes distribute and zc.buildout eggs in a predefined location.
# We spoof these eggs as they are not going to be used in real.
cache_folder = os.path.join(plone_home, "buildout-cache", "eggs")
install("-d", cache_folder)
touch(os.path.join(cache_folder, "zc.buildout-dummy.egg"))
touch(os.path.join(cache_folder, "distribute-dummy.egg"))
python = Command(python)
# Run installer
python( \
os.path.join(installer_folder, "helper_scripts", "create_instance.py"),
"--uidir", installer_folder,
"--plone_home", plone_home,
"--instance_home", folder,
"--daemon_user", unix_user,
"--buildout_user", unix_user,
"--run_buildout", "0",
"--itype", mode,
'--install_lxml', "no",
_out=_unbuffered_stdout,
_err=_unbuffered_stdout
).wait()
# Delete our Github installer checkout and messy files
rm("-rf", temp_folder)
# Integrate with LSB
create_site_base(name, folder, unix_user)
# Restrict FS access over what unified installer did for us
reset_permissions(unix_user, folder)
# Run buildout... we should be able to resume from errors
with sudo(H=True, i=True, u=unix_user, _with=True):
fix_buildout(folder)
set_buildout_port(os.path.join(folder, "buildout.cfg"), mode, port)
# We mod the buildout to disable shared cache,
# as we don't want to share ../buildout-cache/egs with other UNIX users
# on this server
rebootstrap_site(name, folder, python)
# Check we got it up an running Plone installation
check_startup(name, folder, unix_user)
