コード例 #1
0
ファイル: fabfile.py プロジェクト: rootart/woven
def test_server_state():
    set_server_state('example',delete=True)
    set_server_state('example')
    print 'Server State:%s:'% str(server_state('example'))
    assert server_state('example') == True
    set_server_state('example',content='something')
    assert server_state('example') == 'something'
    assert server_state('example')
コード例 #2
0
ファイル: ubuntu.py プロジェクト: rootart/woven
def restrict_ssh(rollback=False):
    """
    Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd
    UseDNS no #prevents dns spoofing sshd defaults to yes
    X11Forwarding no # defaults to no
    AuthorizedKeysFile  %h/.ssh/authorized_keys

    uncomments PasswordAuthentication no and restarts sshd
    """

    if not rollback:
        if server_state('ssh_restricted'):
            print env.host, 'Warning: sshd_config has already been modified. Skipping..'
            return False

        sshd_config = '/etc/ssh/sshd_config'
        if env.verbosity:
            print env.host, "RESTRICTING SSH with "+sshd_config
        filename = 'sshd_config'
        if not exists('/home/%s/.ssh/authorized_keys'% env.user): #do not pass go do not collect $200
            print env.host, 'You need to upload_ssh_key first.'
            return False
        backup_file(sshd_config)
        context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
        
        upload_template('woven/ssh/sshd_config','/etc/ssh/sshd_config',context=context,use_sudo=True)
        # Restart sshd
        sudo('/etc/init.d/ssh restart')
        
        # The user can modify the sshd_config file directly but we save
        if env.INTERACTIVE and contains('#PasswordAuthentication no','/etc/ssh/sshd_config',use_sudo=True):
            c_text = 'Woven will now remove password login from ssh, and use only your ssh key. \n'
            c_text = c_text + 'CAUTION: please confirm that you can ssh %s@%s -p%s from a terminal without requiring a password before continuing.\n'% (env.user, env.host, env.port)
            c_text += 'If you cannot login, press enter to rollback your sshd_config file'
            proceed = confirm(c_text,default=False)
    
        if not env.INTERACTIVE or proceed:
            #uncomments PasswordAuthentication no and restarts
            uncomment(sshd_config,'#(\s?)PasswordAuthentication(\s*)no',use_sudo=True)
            sudo('/etc/init.d/ssh restart')
        else: #rollback
            print env.host, 'Rolling back sshd_config to default and proceeding without passwordless login'
            restore_file('/etc/ssh/sshd_config', delete_backup=False)
            sed('/etc/ssh/sshd_config','Port '+ str(env.DEFAULT_SSH_PORT),'Port '+str(env.HOST_SSH_PORT),use_sudo=True)
            
            sudo('/etc/init.d/ssh restart')
            return False
        set_server_state('ssh_restricted')
        return True
    else: #Full rollback
        restore_file('/etc/ssh/sshd_config')
        if server_state('ssh_port_changed'):
            sed('/etc/ssh/sshd_config','Port '+ str(env.DEFAULT_SSH_PORT),'Port '+str(env.HOST_SSH_PORT),use_sudo=True)
            sudo('/etc/init.d/ssh restart')
        sudo('/etc/init.d/ssh restart')
        set_server_state('ssh_restricted', delete=True)
        return True
コード例 #3
0
ファイル: ubuntu.py プロジェクト: rootart/woven
def setup_ufw(rollback=False):
    """
    Setup ufw and apply rules from settings UFW_RULES
    You can add rules and re-run setup_ufw but cannot delete rules or reset by script
    since deleting or reseting requires user interaction
    
    See Ubuntu Server documentation for more about UFW.
    """
    if not rollback:
        #TODO - Optimize to store & compare existing rules to stop unecessary reloads
        #Should be able to do something with the ufw status command to store the rules
        #ufw_rules = sudo("ufw status | awk '/tcp|udp/ {print $1,$2,$3}'").split('\n')
        ufw = run("dpkg -l | grep '%s' | awk '{print $2}'").strip()
        #It would be nice to handle an existing installation but until ufw can easily
        #predefine rules in a conf we'll need to just mark it if woven installs it
        if not ufw:
            if env.verbosity:
                print env.host, "INSTALLING & ENABLING FIREWALL ufw"
            apt_get_install('ufw')
            set_server_state('ufw_installed')
        sudo('ufw allow %s/tcp'% env.port) #ssh port
        for rule in env.UFW_RULES:
            if rule:
                if env.verbosity:
                    print ' *',rule
                sudo('ufw '+rule)
        backup_file('/etc/ufw/ufw.conf')
        sed('/etc/ufw/ufw.conf','ENABLED=no','ENABLED=yes',use_sudo=True)
        sudo('ufw reload')
    else:
        #if it was installed by woven remove it else leave it the hell alone
        if server_state('ufw_installed'): 
            sudo('ufw disable')
            apt_get_purge('ufw')
            set_server_state('ufw_installed',delete=True)
コード例 #4
0
ファイル: ubuntu.py プロジェクト: rootart/woven
def change_ssh_port(rollback=False):
    """
    This would be the first function to be run to setup a server.
    By changing the ssh port first we can test it to see if it has been
    changed, and thus can reasonably assume that root has also been disabled
    in a previous setupserver execution
    
    Returns success or failure
    """

    if not rollback:
        after = env.port
        before = str(env.DEFAULT_SSH_PORT)
    else:
        after = str(env.DEFAULT_SSH_PORT)
        before = env.port
    host = normalize(env.host_string)[1]
    host_string=join_host_strings('root',host,before)

    with settings(host_string=host_string, user='******', password=env.ROOT_PASSWORD):
        if env.verbosity:
            print env.host, "CHANGING SSH PORT TO: "+str(after)
        if not rollback:
                try:
                    #Both test the port and also the ubuntu version.
                    distribution, version = ubuntu_version()
                    #    print env.host, distribution, version
                    if version < 9.10:
                        print env.host, 'Woven is only compatible with Ubuntu versions 9.10 and greater'
                        sys.exit(1)
                except KeyboardInterrupt:
                    if env.verbosity:
                        print >> sys.stderr, "\nStopped."
                    sys.exit(1)
                except: #No way to catch the failing connection without catchall? 
                    print env.host, "Warning: Default port not responding. Setupnode may alredy have been run or the host is down. Skipping.."
                    return False
                sed('/etc/ssh/sshd_config','Port '+ str(before),'Port '+str(after),use_sudo=True)
                if env.verbosity:
                    print env.host, "RESTARTING SSH on",after
                sudo('/etc/init.d/ssh restart')
                set_server_state('ssh_port_changed',content=str(before))
                return True
        else:
            port = server_state('ssh_port_changed')
            if port:
                sed('/etc/ssh/sshd_config','Port '+ str(before),'Port '+str(after),use_sudo=True)
                set_server_state('ssh_port_changed',delete=True)
                sudo('/etc/init.d/ssh restart')
                return True
            return False
コード例 #5
0
ファイル: webservers.py プロジェクト: rootart/woven
    def deploy(self,patch=False):
        with cd(self.deploy_root):

            log_dir = env.deployment_root+'log'
            if not exists(log_dir):
                run("mkdir -p %s"% log_dir)
                sudo("chown -R www-data:sudo %s" % log_dir)
                sudo("chmod -R ug+w %s"% log_dir)
            u_domain = self.domain.replace('.','_')

            filename = u_domain + '-'+self.version+'.conf'
            context = {"project_name": env.project_name,
                        "u_domain":u_domain,
                        "domain":self.domain,
                        "root_domain":env.root_domain,
                        "user":env.user,
                        "host_ip":env.host,
                        "media_url":self.media_url,
                        "static_url":self.static_url,
                        }
                
            conf_exists = exists(os.path.join(self.enabled_path,filename), use_sudo=True)
            state = server_state(self.state+env.project_fullname)

            if not conf_exists and patch:
                if env.verbosity:
                    print env.host,"Cannot patch %s conf %s. This version does not exist on %s. Skipping"% (self.deploy_type, filename, env.host)
                return False
            elif state and not patch: #active version
                print "%s conf %s already exists on the host %s. Skipping"% (self.deploy_type, filename, env.host)
                return False
            else:
                enabled_sites = _ls_sites(self.enabled_path)
                if not patch:
                    for site in enabled_sites:
                        if env.verbosity:
                            print env.host,'Disabling', site, filename
                        sudo("rm %s%s"% (self.enabled_path,site))

                upload_template('woven/'+self.template,
                                filename,
                                context,
                                use_sudo=True)
                if not patch:
                    #enable this site
                    sudo("chmod 644 %s" % filename)
                    if not exists(self.enabled_path+ filename):
                        sudo("ln -s %s%s %s%s"% (self.deploy_root,filename,self.enabled_path,filename))
        set_server_state(self.state + self.fullname)
        if env.verbosity:
            print env.host,'DEPLOYED',self.deploy_type
コード例 #6
0
ファイル: fabfile.py プロジェクト: rootart/woven
def test_deploy_static():
    change_version('0.2','0.1')
    run('rm -rf /home/woven/example.com')
    set_server_state('deployed_static_example_project-0.1',delete=True)
    
    #Test simple with no app media
    deploy_static()
    
    #Test with just admin_media
    env.INSTALLED_APPS += ['django.contrib.admin']
    deploy_static()
    assert exists('/home/woven/example.com/env/example_project-0.1/static/static/admin-media/css')
    
    #Teardown
    s = Static()
    s.delete()
    assert not server_state('deployed_static_example_project-0.1')    
コード例 #7
0
ファイル: fabfile.py プロジェクト: rootart/woven
def test_deploy_public():
    run('rm -rf /home/woven/example.com')
    run('rm -f dist/django-pony1.jpg')
    set_server_state('deployed_public_example_project-0.1',delete=True)
    env.MEDIA_ROOT =''
    #Test simple with no media_root - fails
    deploy_public()
    
    #Test with a real media directory
    env.MEDIA_ROOT = os.path.join(setup_dir,'media_root','')
    print env.MEDIA_ROOT
    env.MEDIA_URL = '/media/'
    deploy_public()
    assert exists('/home/woven/example.com/public/media/django-pony.jpg')
    
    #Test with no files - skips
    deploy_public()
    
    #Teardown
    p = Public()
    p.delete()
    assert not server_state('deployed_public_example_project-0.1') 
コード例 #8
0
ファイル: fabfile.py プロジェクト: rootart/woven
def test_virtualenv():
    #Ensure we're cleared out
    set_server_state('created_virtualenv_example_project-0.1', delete=True)
    set_server_state('created_virtualenv_example_project-0.2', delete=True)
    v = mkvirtualenv()
    #Returns True if it is created
    assert v
    assert exists('/home/woven/example.com/env/example_project-0.1/bin/python')
    
    v = mkvirtualenv()
    #Returns False if not created.
    assert not v
    
    #test updating the version no#
    v = mkvirtualenv('0.2')
    
    #teardown
    assert exists('/home/woven/example.com/env/example_project-0.2/bin/python')
    rmvirtualenv('0.2')
    assert not exists('/home/woven/example.com/env/example_project-0.2/bin/python')
    assert exists('/home/woven/example.com/env/example_project-0.1/bin/python')
    rmvirtualenv()
    assert not exists('/home/woven/example.com')
    assert not server_state('created_virtualenv_example_project-0.2')
コード例 #9
0
ファイル: ubuntu.py プロジェクト: rootart/woven
def disable_root(rollback=False):
    """
    Disables root and creates a new sudo user as specified by HOST_USER in your
    settings or your host_string
    
    The normal pattern for hosting is to get a root account which is then disabled.
    If root is disabled as it is in the default ubuntu install then set
    ROOT_DISABLED:True in your settings
    
    returns True on success
    """
    def enter_password():
        password1 = prompt('Enter the password for %s:'% original_username)
        password2 = prompt('Re-enter the password:'******'The password was not the same'
            enter_password()
        return password1
    if not rollback:
        #TODO write a test in paramiko to see whether root has already been disabled
        #Fabric doesn't have a way of detecting a login fail which would be the best way
        #that we could assume that root has been disabled
        #print env.host, 'settings:', env.host_string, env.user, env.port
        original_username = env.user
        original_password = env.get('HOST_PASSWORD','')
        (olduser,host,port) = normalize(env.host_string)
        host_string=join_host_strings('root',host,str(port))
        with settings(host_string=host_string,  password=env.ROOT_PASSWORD):
            if not contains('sudo','/etc/group',use_sudo=True):
                sudo('groupadd sudo')
                set_server_state('sudo-added')
            home_path = '/home/%s'% original_username
            if not exists(home_path, use_sudo=True):
                if env.verbosity:
                    print env.host, 'CREATING A NEW ACCOUNT: %s'% original_username
                
                if not original_password:

                    original_password = enter_password()
                
                add_user(username=original_username, password=original_password,group='sudo')
                
                #add user to /etc/sudoers
                if not exists('/etc/sudoers.wovenbak',use_sudo=True):
                    sudo('cp -f /etc/sudoers /etc/sudoers.wovenbak')
                sudo('cp -f /etc/sudoers /tmp/sudoers.tmp')
                append("# Members of the sudo group may gain root privileges", '/tmp/sudoers.tmp', use_sudo=True)
                append("%sudo ALL=(ALL) ALL", '/tmp/sudoers.tmp', use_sudo=True)
                sudo('visudo -c -f /tmp/sudoers.tmp')
                sudo('cp -f /tmp/sudoers.tmp /etc/sudoers')
                sudo('rm -rf /tmp/sudoers.tmp')
            #Add existing user to sudo group
            else:
                sudo('adduser %s sudo'% original_username)
        env.password = original_password
        #finally disable root
        if env.verbosity:
            print env.host, 'DISABLING ROOT'
        sudo("usermod -L %s"% 'root')
        return True
    else: #rollback to root
        if not env.ROOT_PASSWORD:
            env.ROOT_PASSWORD = enter_password()
        run('echo %s:%s > /tmp/root_user.txt'% ('root',env.ROOT_PASSWORD))
        sudo('chpasswd < /tmp/root_user.txt')
        sudo('rm -rf /tmp/root_user.txt')
        print "Closing connection %s"% env.host_string
        connections[env.host_string].close()
        original_username = env.user
        (olduser,host,port) = normalize(env.host_string)
        host_string=join_host_strings('root',host,str(env.port))
        with settings(host_string=host_string,  password=env.ROOT_PASSWORD):
            if env.INTERACTIVE:
                c_text = 'CAUTION: Woven will now delete the user %s and the home directory. \n'% original_username
                c_text = 'Please ensure you can login as root before continuing.\n'
                c_text += 'Do you wish to continue:'
                proceed = confirm(c_text,default=False)
            if not env.INTERACTIVE or proceed:
                sudo('deluser --remove-home '+original_username)
                if server_state('sudo-added'): #never true on default installation
                    sudo('groupdel sudo')
                    set_server_state('sudo-added',delete=True)
コード例 #10
0
ファイル: ubuntu.py プロジェクト: rootart/woven
def install_packages(rollback = False,overwrite=False):
    """
    Install a set of baseline packages on Ubuntu Server
    and configure where necessary
    
    overwrite will allow existing configurations to be overwritten
    """
    u = env.HOST_BASE_PACKAGES + env.HOST_EXTRA_PACKAGES
    if not rollback:
        if env.verbosity:
            print env.host, "INSTALLING & CONFIGURING HOST PACKAGES:"
            #print ','.join(u)
        #Remove apparmor - TODO we may enable this later
        sudo('/etc/init.d/apparmor stop')
        sudo('update-rc.d -f apparmor remove')
        #Get a list of installed packages
        p = run("dpkg -l | awk '/ii/ {print $2}'").split('\n')
    
        #The principle we will use is to only install configurations and packages
        #if they do not already exist (ie manually installed or other method)
        
        for package in u:
            if not package in p:
                preinstalled = False
                apt_get_install(package)
                sudo("echo '%s' >> /var/local/woven/packages_installed.txt"% package)
                if package == 'apache2':
                    sudo("a2dissite 000-default")
                elif package == 'nginx':
                    sudo('rm -f /etc/nginx/sites-enabled/default')
                if env.verbosity:
                    print ' * installed '+package
            else:
                preinstalled = True

            if package == 'apache2' and (overwrite or not preinstalled):
                if env.verbosity:
                    print "Uploading Apache2 template /etc/apache2/ports.conf"
                context = {'host_ip':env.host}
                upload_template('woven/apache2/ports.conf','/etc/apache2/ports.conf',context=context, use_sudo=True)
                #Turn keep alive off on apache
                sed('/etc/apache2/apache2.conf',before='KeepAlive On',after='KeepAlive Off',use_sudo=True)
                with settings(warn_only=True):
                    sudo("apache2ctl stop")
            elif package == 'nginx' and (overwrite or not preinstalled):
                if env.verbosity:
                    print "Uploading Nginx templates /etc/nginx/nginx.conf /etc/nginx/proxy.conf"
                upload_template('woven/nginx/nginx.conf','/etc/nginx/nginx.conf',use_sudo=True)
                #Upload a default proxy
                upload_template('woven/nginx/proxy.conf','/etc/nginx/proxy.conf',use_sudo=True)
                with settings(warn_only=True):
                    sudo("/etc/init.d/nginx stop")

        #Set unattended-updates configuration
        unattended_config = '/etc/apt/apt.conf.d/10periodic'
        if not exists(unattended_config, use_sudo=True):
            if env.verbosity:
                "Configuring unattended-updates /etc/apt/apt.conf.d/10periodic"
            sudo('touch '+unattended_config)
            #in theory append() should intelligently ignore lines if they already exist
            #in practice this doesn't work as expected for this particular list.
            #possibly some characters it is not matching correctly hence if the
            #file already exists we'll skip this
            append([
                'APT::Periodic::Update-Package-Lists "1";',
                'APT::Periodic::Download-Upgradeable-Packages "1";',
                'APT::Periodic::AutocleanInterval "7";',
                'APT::Periodic::Unattended-Upgrade "1";',
            ], filename=' /etc/apt/apt.conf.d/10periodic',use_sudo=True)
            set_server_state('unattended_config_created')
        
        #Install base python packages
        #We'll use easy_install at this stage since it doesn't download if the package
        #is current whereas pip always downloads.
        #Once both these packages mature we'll move to using the standard Ubuntu packages

        sudo("easy_install -U virtualenv")
        sudo("easy_install -U pip")

    
        #cleanup after easy_install
        sudo("rm -rf build")
    else: #rollback
        p = sudo('cat /var/local/woven/packages_installed.txt').split('\n')
        for package in u:
            if package in p:
                apt_get_purge(package)
                p.remove(package)
    
        #Finally write back the list of packages
        sudo('rm -f /var/local/woven/packages_installed.txt')
        for package in p:
            sudo("echo '%s' >> /var/local/woven/packages_installed.txt"% package)
        
        #Rollback unattended updates
        if server_state('unattended_config_created'):
            sudo('rm -rf /etc/apt/apt.conf.d/10periodic')
            set_server_state('unattended_config_created',delete=True)
        #Finally remove any unneeded packages
        sudo('apt-get autoremove -qqy')