From be26babbde6d17a48e6e39eb2c8d23b8aa5bf1b3 Mon Sep 17 00:00:00 2001 From: Jonathan Baecker Date: Mon, 22 Jun 2020 14:05:28 +0200 Subject: [PATCH] add centos support --- docs/ffplayout-api.service | 4 +- docs/ffplayout.conf | 4 +- install.sh | 140 ++++++++++++++++++++++++++++++------- 3 files changed, 120 insertions(+), 28 deletions(-) diff --git a/docs/ffplayout-api.service b/docs/ffplayout-api.service index 6dc5f369..015fca80 100644 --- a/docs/ffplayout-api.service +++ b/docs/ffplayout-api.service @@ -7,8 +7,8 @@ WorkingDirectory=/var/www/ffplayout/ffplayout Environment=DJANGO_SETTINGS_MODULE=ffplayout.settings.production ExecStart=/var/www/ffplayout/venv/bin/gunicorn --workers 4 --worker-class=gevent --timeout 10800 --log-level=info --log-file=- --access-logfile=- --bind 127.0.0.1:8001 ffplayout.wsgi:application KillMode=process -User=www-data -Group=www-data +User=root +Group=root [Install] WantedBy=multi-user.target diff --git a/docs/ffplayout.conf b/docs/ffplayout.conf index b023a230..97f61525 100644 --- a/docs/ffplayout.conf +++ b/docs/ffplayout.conf @@ -22,7 +22,9 @@ server { add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - location / { + expires $expires; + + location / { if ($http_origin ~ '^https?://(localhost|ffplayout\.local|ffplayout)') { add_header 'Access-Control-Allow-Origin' "$http_origin" always; add_header 'Access-Control-Allow-Credentials' 'true' always; diff --git a/install.sh b/install.sh index 127eb6e4..a19a6eef 100755 --- a/install.sh +++ b/install.sh @@ -5,11 +5,6 @@ if [[ $(whoami) != 'root' ]]; then exit 1 fi -if [ ! "$(grep -Ei 'debian|buntu|mint' /etc/*release)" ]; then - echo "This script must run under debian/ubuntu/mint!" - exit 1 -fi - echo "" echo "-----------------------------------------------------------------------------------------------------" echo "compile and install (nonfree) ffmpeg:" @@ -69,23 +64,55 @@ echo "-------------------------------------------------------------------------- echo "install main packages" echo "-----------------------------------------------------------------------------------------------------" -apt install -y sudo curl wget net-tools git python3-dev build-essential virtualenv python3-virtualenv mediainfo +if [[ "$(grep -Ei 'debian|buntu|mint' /etc/*release)" ]]; then + apt install -y sudo curl wget net-tools git python3-dev build-essential python3-virtualenv mediainfo autoconf automake libtool pkg-config yasm cmake mercurial gperf + curl -sL https://deb.nodesource.com/setup_12.x | bash - -curl -sL https://deb.nodesource.com/setup_12.x | bash - + apt install -y nodejs -apt install -y nodejs + if [[ $installNginx == 'y' ]]; then + apt install -y nginx + fi -if [[ $installNginx == 'y' ]]; then - apt install -y nginx + serviceUser="www-data" + nginxConfig="/etc/nginx/sites-available/" +elif [[ "$(grep -Ei 'centos|fedora' /etc/*release)" ]]; then + dnf -y install epel-release + dnf repolist epel -v + dnf -y config-manager --enable PowerTools + dnf -y group install "Development Tools" + dnf -y --enablerepo=PowerTools install libmediainfo mediainfo + dnf -y install libstdc++-static yasm mercurial libtool cmake net-tools git python3 python36-devel wget python3-virtualenv gperf nano + dnf -y install policycoreutils-{python3,devel} + + curl -sL https://rpm.nodesource.com/setup_12.x | sudo -E bash - + + dnf -y install nodejs + + if [[ $installNginx == 'y' ]]; then + dnf -y install nginx + systemctl enable nginx + systemctl start nginx + firewall-cmd --permanent --add-service=http + firewall-cmd --permanent --zone=public --add-service=https + firewall-cmd --reload + mkdir /var/www + chcon -vR system_u:object_r:httpd_sys_content_t:s0 /var/www + fi + + alternatives --set python /usr/bin/python3 + + serviceUser="nginx" + nginxConfig="/etc/nginx/conf.d/" fi + + if [[ $compileFFmpeg == 'y' ]]; then echo "" echo "-----------------------------------------------------------------------------------------------------" echo "compile and install ffmpeg" echo "-----------------------------------------------------------------------------------------------------" - apt install -y autoconf automake libtool pkg-config texi2html yasm cmake mercurial gperf - cd /opt/ git clone https://github.com/jb-alvarado/compile-ffmpeg-osx-linux.git ffmpeg-build @@ -139,8 +166,8 @@ if [[ $installSRS == 'y' ]]; then cd srs/trunk/ ./configure - ./make - ./make install + make + make install mkdir -p "/var/www/srs/live" mkdir "/etc/srs" @@ -207,7 +234,6 @@ RestartSec=3 [Install] WantedBy=multi-user.target - EOF systemctl enable srs.service @@ -232,12 +258,12 @@ mkdir /etc/ffplayout mkdir /var/log/ffplayout cp ffplayout.yml /etc/ffplayout/ -chown -R www-data. /etc/ffplayout -chown www-data. /var/log/ffplayout +chown -R $serviceUser. /etc/ffplayout +chown $serviceUser. /var/log/ffplayout cp docs/ffplayout-engine.service /etc/systemd/system/ -sed -i "s/User=root/User=www-data/g" /etc/systemd/system/ffplayout-engine.service -sed -i "s/Group=root/Group=www-data/g" /etc/systemd/system/ffplayout-engine.service +sed -i "s/User=root/User=$serviceUser/g" /etc/systemd/system/ffplayout-engine.service +sed -i "s/Group=root/Group=$serviceUser/g" /etc/systemd/system/ffplayout-engine.service systemctl enable ffplayout-engine.service @@ -270,17 +296,81 @@ python manage.py createsuperuser deactivate -chown www-data. -R /var/www/ffplayout +chown $serviceUser. -R /var/www/ffplayout cd .. cp docs/ffplayout-api.service /etc/systemd/system/ + +sed -i "s/User=root/User=$serviceUser/g" /etc/systemd/system/ffplayout-api.service +sed -i "s/Group=root/Group=$serviceUser/g" /etc/systemd/system/ffplayout-api.service + systemctl enable ffplayout-api.service && systemctl start ffplayout-api.service -cp docs/ffplayout.conf /etc/nginx/sites-available/ -ln -s /etc/nginx/sites-available/ffplayout.conf /etc/nginx/sites-enabled/ +if [[ "$(grep -Ei 'debian|buntu|mint' /etc/*release)" ]]; then + cp docs/ffplayout.conf "$nginxConfig" + ln -s $nginxConfig/ffplayout.conf /etc/nginx/sites-enabled/ +elif [[ "$(grep -Ei 'centos|fedora' /etc/*release)" ]]; then + cp docs/ffplayout.conf "$nginxConfig" -echo 'www-data ALL = NOPASSWD: /bin/systemctl start ffplayout-engine.service, /bin/systemctl stop ffplayout-engine.service, /bin/systemctl reload ffplayout-engine.service, /bin/systemctl restart ffplayout-engine.service, /bin/systemctl status ffplayout-engine.service, /bin/systemctl is-active ffplayout-engine.service, /bin/journalctl -n 1000 -u ffplayout-engine.service' >> /etc/sudoers + setsebool httpd_can_network_connect on -P + semanage port -a -t http_port_t -p tcp 8001 + +cat < gunicorn.te +module gunicorn 1.0; + +require { + type init_t; + type httpd_sys_content_t; + type etc_t; + type sudo_exec_t; + class file { create execute execute_no_trans getattr ioctl lock map open read unlink write }; + class lnk_file { getattr read }; +} + +#============= init_t ============== + +#!!!! This avc is allowed in the current policy +allow init_t etc_t:file write; + +#!!!! This avc is allowed in the current policy +#!!!! This av rule may have been overridden by an extended permission av rule +allow init_t httpd_sys_content_t:file { create execute execute_no_trans getattr ioctl lock map open read unlink write }; + +#!!!! This avc is allowed in the current policy +allow init_t httpd_sys_content_t:lnk_file { getattr read }; + +#!!!! This avc is allowed in the current policy +allow init_t sudo_exec_t:file { execute execute_no_trans map open read }; +EOF + + checkmodule -M -m -o gunicorn.mod gunicorn.te + semodule_package -o gunicorn.pp -m gunicorn.mod + semodule -i gunicorn.pp + +cat < conf.te +module conf 1.0; + +require { + type init_t; + type httpd_sys_content_t; + class file { create lock unlink write }; +} + +#============= init_t ============== +allow init_t httpd_sys_content_t:file unlink; + +#!!!! This avc is allowed in the current policy +allow init_t httpd_sys_content_t:file { create lock write }; +EOF + + checkmodule -M -m -o conf.mod conf.te + semodule_package -o conf.pp -m conf.mod + semodule -i conf.pp +fi + + +echo "$serviceUser ALL = NOPASSWD: /bin/systemctl start ffplayout-engine.service, /bin/systemctl stop ffplayout-engine.service, /bin/systemctl reload ffplayout-engine.service, /bin/systemctl restart ffplayout-engine.service, /bin/systemctl status ffplayout-engine.service, /bin/systemctl is-active ffplayout-engine.service, /bin/journalctl -n 1000 -u ffplayout-engine.service" >> /etc/sudoers cd /var/www/ffplayout/ffplayout/frontend @@ -301,7 +391,7 @@ echo "-------------------------------------------------------------------------- echo "please edit /var/www/ffplayout/ffplayout/ffplayout/settings/production.py" echo "and set ALLOWED_HOSTS and CORS_ORIGIN_WHITELIST" echo "" -echo "edit /etc/nginx/sites-available/ffplayout.conf" +echo "edit $nginxConfig/ffplayout.conf" echo "set server_name and http_origin" echo "" -echo "add your ssl config!" +echo "add your ssl config, reboot and login to the webapp"