diff --git a/scripts/st2bootstrap-deb.sh b/scripts/st2bootstrap-deb.sh
index d6d9b36c..5b7796c9 100644
--- a/scripts/st2bootstrap-deb.sh
+++ b/scripts/st2bootstrap-deb.sh
@@ -105,6 +105,11 @@ setup_args() {
 echo "Press \"ENTER\" to continue or \"CTRL+C\" to exit/abort"
 read -e -p "Admin username: " -i "st2admin" USERNAME
 read -e -s -p "Password: " PASSWORD
+
+ if [ "${PASSWORD}" = '' ]; then
+ echo "Password cannot be empty."
+ exit 1
+ fi
 fi
 }
@@ -173,6 +178,12 @@ check_st2_host_dependencies() {
 fi
 }
+generate_random_passwords() {
+ # Generate random password used for MongoDB and PostgreSQL user authentication
+ ST2_MONGODB_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+ ST2_POSTGRESQL_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+}
+
 install_st2_dependencies() {
 sudo apt-get update
@@ -180,7 +191,20 @@ install_st2_dependencies() {
 sudo apt-get install -y gnupg-curl
 sudo apt-get install -y curl
 sudo apt-get install -y rabbitmq-server
+
+ # Configure RabbitMQ to listen on localhost only
+ sudo sh -c 'echo "RABBITMQ_NODE_IP_ADDRESS=127.0.0.1" >> /etc/rabbitmq/rabbitmq-env.conf'
+
+ if [[ "$SUBTYPE" == 'xenial' ]]; then
+ sudo systemctl restart rabbitmq-server
+ else
+ sudo service rabbitmq-server restart
+ fi
+
+ # Various other dependencies needed by st2 and installer script
+ sudo apt-get install -y crudini
 }
+
 install_mongodb() {
 # Add key and repo for the latest stable MongoDB (3.2)
 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
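Review bot: The new empty-password guard prints its message to stdout and then calls `exit 1`, and this script installs `trap 'fail' EXIT` before `setup_args` runs (visible further down in this diff), so a user who simply presses Enter gets the generic failure handler on top of the message; send the message to stderr with `echo "Password cannot be empty." >&2` and consider a dedicated message so the EXIT trap's output is not mistaken for an install failure. The check also only rejects the empty string — a whitespace-only password passes — and it lives in the interactive branch ending at the `fi` below it, so any non-interactive password path (outside this hunk, if one exists) is not covered. The enclosing setup_args function starts outside the hunk.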
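Review bot: `tr -dc A-Za-z0-9` is locale-dependent — in a non-C locale the ranges can admit characters outside ASCII alphanumerics — and the trailing `; echo ''` masks every failure in the pipeline, so if `head /dev/urandom` ever yields fewer than 24 usable characters (unlikely, but the `echo ''` also hides the SIGPIPE status under pipefail) the result is a short or empty password that the later crudini and psql steps write into the configs without complaint. Pin the locale and assert the length: `ST2_MONGODB_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24; echo '')` followed by `[[ ${#ST2_MONGODB_PASSWORD} -eq 24 ]] || { echo "password generation failed" >&2; exit 1; }`, and the same pair for the PostgreSQL value. The alphanumeric-only alphabet is load-bearing — the value is later interpolated unquoted into a psql heredoc and unencoded into a postgresql:// DSN — so the function comment should say `# keep the alphabet to [A-Za-z0-9]: the values are embedded raw in SQL and in a DSN URL`.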
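Review bot: `RABBITMQ_NODE_IP_ADDRESS=127.0.0.1` binds only the AMQP listener; as far as I know epmd (4369) and the Erlang distribution port are unaffected and still bind all interfaces, so the comment `# Configure RabbitMQ to listen on localhost only` overstates the hardening and a host firewall is still needed — reword it to `# Bind the AMQP listener to localhost (epmd/Erlang distribution ports are not affected; firewall them separately)`. The `>>` append is also not idempotent: every re-run of the installer adds another `RABBITMQ_NODE_IP_ADDRESS` line to rabbitmq-env.conf, so guard it with `grep -q '^RABBITMQ_NODE_IP_ADDRESS=' /etc/rabbitmq/rabbitmq-env.conf || sudo sh -c '…'`. The same applies to the el6 and el7 copies of this block elsewhere in the diff.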
@@ -189,11 +213,55 @@ install_mongodb() {
 sudo apt-get update
 sudo apt-get install -y mongodb-org
+ # Configure MongoDB to listen on localhost only
+ sudo sed -i -e "s#bindIp:.*#bindIp: 127.0.0.1#g" /etc/mongod.conf
+
 if [[ "$SUBTYPE" == 'xenial' ]]; then
 sudo systemctl enable mongod
 sudo systemctl start mongod
+ else
+ sudo service mongod restart
 fi
+
+ sleep 5
+
+ # Create admin user and user used by StackStorm (MongoDB needs to be running)
+ mongo <> /etc/mongod.conf'
+
+ # MongoDB needs to be restarted after enabling auth
+ if [[ "$SUBTYPE" == 'xenial' ]]; then
+ sudo systemctl restart mongod
+ else
+ sudo service mongod restart
+ fi
+
 }
+
 get_full_pkg_versions() {
 if [ "$VERSION" != '' ]; then
@@ -255,7 +323,11 @@ install_st2() {
 sudo apt-get install -yf
 rm ${PACKAGE_FILENAME}
 fi
-
+
+ # Configure [database] section in st2.conf (username password for MongoDB access)
+ sudo crudini --set /etc/st2/st2.conf database username "stackstorm"
+ sudo crudini --set /etc/st2/st2.conf database password "${ST2_MONGODB_PASSWORD}"
+
 sudo st2ctl start
 sleep 5
 sudo st2ctl reload --register-all
@@ -290,8 +362,8 @@ configure_st2_user () {
 }
 configure_st2_authentication() {
- # Install htpasswd and tool for editing ini files
- sudo apt-get install -y apache2-utils crudini
+ # Install htpasswd tool for editing ini files
+ sudo apt-get install -y apache2-utils
 # Create a user record in a password file.
 sudo echo "${PASSWORD}" | sudo htpasswd -i /etc/st2/htpasswd $USERNAME
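Review bot: The fixed `sleep 5` between starting mongod and running the `mongo` shell is a race — on a slow host, or on first start where mongod 3.2 preallocates journal files, the user-creation step can run before the server accepts connections, and this rendering has garbled the heredoc (`mongo <> /etc/mongod.conf'`), so neither the created users/roles nor whether a connection failure aborts the script can be reviewed here. Replace the sleep with a readiness loop, e.g. `for _ in $(seq 1 30); do mongo --quiet --eval 'db.runCommand({ping:1}).ok' >/dev/null 2>&1 && break; sleep 1; done`, and make the `sudo sh -c '… >> /etc/mongod.conf'` append idempotent (grep for the key it adds before appending), since a second run of the installer would duplicate the YAML key and may make mongod refuse to start. Note also that the new non-xenial `else` branch only restarts mongod and never enables it at boot — presumably the Debian package does that, but worth confirming.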
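Review bot: `sudo crudini --set /etc/st2/st2.conf database password "${ST2_MONGODB_PASSWORD}"` puts the MongoDB credential on a sudo command line, so it is visible in `ps` while crudini runs and — with sudo's default command logging — recorded in the auth log or journal on the host; the same applies to the mistral DSN written later in this diff. If this crudini version cannot take the value from stdin, at least ensure the file it lands in is not world-readable, e.g. `sudo chmod 640 /etc/st2/st2.conf` right after these lines (drop it if the st2 package already sets restrictive ownership, which I cannot see from here), and add `# NOTE: the password is passed on the sudo command line and may be logged by sudo` so the trade-off is recorded.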
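Review bot: The updated comment `# Install htpasswd tool for editing ini files` is now wrong — crudini, the ini editor, was removed from this line and moved to install_st2_dependencies, and htpasswd does not edit ini files; the el6 and el7 scripts in this same change say `# Install htpasswd tool`. Use `# Install htpasswd (apache2-utils) to create the st2 auth password file` so the comment matches what the line installs. Unrelated to the change but on the last line of the hunk, the `sudo` in `sudo echo "${PASSWORD}"` does nothing useful and `printf '%s\n' "${PASSWORD}" | sudo htpasswd -i …` is the more robust form.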
@@ -371,8 +443,13 @@ generate_symmetric_crypto_key_for_datastore() {
 install_st2mistral_depdendencies() {
 sudo apt-get install -y postgresql
+ # Configure service only listens on localhost
+ sudo crudini --set /etc/postgresql/*/main/postgresql.conf '' listen_addresses "'127.0.0.1'"
+
+ sudo service postgresql restart
+
 cat << EHD | sudo -u postgres psql
-CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD 'StackStorm';
+CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD '${ST2_POSTGRESQL_PASSWORD}';
 CREATE DATABASE mistral OWNER mistral;
 EHD
 }
@@ -391,8 +468,12 @@ install_st2mistral() {
 rm ${PACKAGE_FILENAME}
 fi
+ # Configure database settings
+ sudo crudini --set /etc/mistral/mistral.conf database connection "postgresql://mistral:${ST2_POSTGRESQL_PASSWORD}@127.0.0.1/mistral"
+
 # Setup Mistral DB tables, etc.
 /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head
+
 # Register mistral actions
 /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf populate
@@ -527,6 +608,7 @@ ok_message() {
 trap 'fail' EXIT
 STEP="Setup args" && setup_args $@
 STEP="Check TCP ports and MongoDB storage requirements" && check_st2_host_dependencies
+STEP="Generate random password" && generate_random_passwords
 STEP="Install st2 dependencies" && install_st2_dependencies
 STEP="Install st2 dependencies (MongoDB)" && install_mongodb
 STEP="Install st2" && install_st2
diff --git a/scripts/st2bootstrap-el6.sh b/scripts/st2bootstrap-el6.sh
index 641ff079..5f661ec2 100644
--- a/scripts/st2bootstrap-el6.sh
+++ b/scripts/st2bootstrap-el6.sh
@@ -95,6 +95,11 @@ setup_args() {
 echo "Press \"ENTER\" to continue or \"CTRL+C\" to exit/abort"
 read -e -p "Admin username: " -i "st2admin" USERNAME
 read -e -s -p "Password: " PASSWORD
+
+ if [ "${PASSWORD}" = '' ]; then
+ echo "Password cannot be empty."
+ exit 1
+ fi
 fi
 }
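Review bot: `/etc/postgresql/*/main/postgresql.conf` is expanded by the calling shell before sudo runs, so with more than one PostgreSQL major version installed crudini receives two config paths and its positional arguments shift (the second path becomes the section, `''` the param), silently misconfiguring listen_addresses; with no match it receives the literal glob. Iterate instead: `for conf in /etc/postgresql/*/main/postgresql.conf; do sudo crudini --set "$conf" '' listen_addresses "'127.0.0.1'"; done`. A short comment that the role password is safe to splice into the heredoc only because generate_random_passwords restricts it to alphanumerics would also help, since the `'${ST2_POSTGRESQL_PASSWORD}'` literal has no other quoting.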
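Review bot: The connection string embeds ST2_POSTGRESQL_PASSWORD raw into a postgresql:// URL; that is only correct because generate_random_passwords restricts it to [A-Za-z0-9] — any future widening of the alphabet (a `/`, `@`, `#` or `%`) would corrupt or redirect the DSN without an error. Record the constraint next to the line, e.g. `# password is embedded unencoded in the DSN: generate_random_passwords must keep it URL-safe (alphanumeric)`, and confirm /etc/mistral/mistral.conf is not world-readable now that the DB credential lives there in clear text (the package's file mode is not visible from here). As with st2.conf, the value also passes through a sudo command line and may be logged by sudo.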
@@ -258,14 +263,27 @@ check_st2_host_dependencies() {
 fi
 }
+generate_random_passwords() {
+ # Generate random password used for MongoDB and PostgreSQL user authentication
+ ST2_MONGODB_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+ ST2_POSTGRESQL_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+}
+
 install_st2_dependencies() {
 is_epel_installed=$(rpm -qa | grep epel-release || true)
 if [[ -z "$is_epel_installed" ]]; then
 sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
 fi
 sudo yum -y install curl rabbitmq-server
+
+ # Configure RabbitMQ to listen on localhost only
+ sudo sh -c 'echo "RABBITMQ_NODE_IP_ADDRESS=127.0.0.1" >> /etc/rabbitmq/rabbitmq-env.conf'
+
 sudo service rabbitmq-server start
 sudo chkconfig rabbitmq-server on
+
+ # Various other dependencies needed by st2 and installer script
+ sudo yum -y install crudini
 }
 install_mongodb() {
@@ -281,8 +299,45 @@ gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc
 EOT"
 sudo yum -y install mongodb-org
+
+ # Configure MongoDB to listen on localhost only
+ sudo sed -i -e "s#bindIp:.*#bindIp: 127.0.0.1#g" /etc/mongod.conf
+
 sudo service mongod start
 sudo chkconfig mongod on
+
+ sleep 5
+
+ # Create admin user and user used by StackStorm (MongoDB needs to be running)
+ mongo <> /etc/mongod.conf'
+
+ # MongoDB needs to be restarted after enabling auth
+ sudo service mongod restart
 }
 install_st2() {
@@ -297,6 +352,10 @@ install_st2() {
 sudo yum -y install ${PACKAGE_URL}
 fi
+ # Configure [database] section in st2.conf (username password for MongoDB access)
+ sudo crudini --set /etc/st2/st2.conf database username "stackstorm"
+ sudo crudini --set /etc/st2/st2.conf database password "${ST2_MONGODB_PASSWORD}"
+
 sudo st2ctl start
 sleep 5
 sudo st2ctl reload --register-all
@@ -328,8 +387,8 @@ configure_st2_user() {
 }
 configure_st2_authentication() {
- # Install htpasswd and tool for editing ini files
- sudo yum -y install httpd-tools crudini
+ # Install htpasswd tool
+ sudo yum -y install httpd-tools
 # Create a user record in a password file.
 sudo htpasswd -bs /etc/st2/htpasswd $USERNAME $PASSWORD
@@ -444,6 +503,9 @@ install_st2mistral_depdendencies() {
 # Setup postgresql at a first time
 sudo service postgresql-9.4 initdb
+ # Configure service only listens on localhost
+ sudo sh -c "echo \"listen_addresses = '127.0.0.1'\" >> /var/lib/pgsql/9.4/data/postgresql.conf"
+
 # Make localhost connections to use an MD5-encrypted password for authentication
 sudo sed -i "s/\(host.*all.*all.*127.0.0.1\/32.*\)ident/\1md5/" /var/lib/pgsql/9.4/data/pg_hba.conf
 sudo sed -i "s/\(host.*all.*all.*::1\/128.*\)ident/\1md5/" /var/lib/pgsql/9.4/data/pg_hba.conf
@@ -453,7 +515,7 @@ install_st2mistral_depdendencies() {
 sudo chkconfig postgresql-9.4 on
 cat << EHD | sudo -u postgres psql
-CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD 'StackStorm';
+CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD '${ST2_POSTGRESQL_PASSWORD}';
 CREATE DATABASE mistral OWNER mistral;
 EHD
 }
@@ -468,8 +530,12 @@ install_st2mistral() {
 sudo yum -y install ${PACKAGE_URL}
 fi
+ # Configure database settings
+ sudo crudini --set /etc/mistral/mistral.conf database connection "postgresql://mistral:${ST2_POSTGRESQL_PASSWORD}@127.0.0.1/mistral"
+
 # Setup Mistral DB tables, etc.
 /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head
+
 # Register mistral actions
 /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf populate
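Review bot: The unchanged line right after the new install command, `sudo htpasswd -bs /etc/st2/htpasswd $USERNAME $PASSWORD`, passes the admin password as a command-line argument, so it is visible in `ps` and recorded in sudo's command log — unlike the deb and el7 scripts in this same change, which pipe it through `htpasswd -i`, and the hunk also leaves `$USERNAME` and `$PASSWORD` unquoted. If the httpd-tools build on EL6 supports `-i` (it is a 2.4-era option, which may be why `-b` was chosen here), switch to `printf '%s\n' "${PASSWORD}" | sudo htpasswd -is /etc/st2/htpasswd "${USERNAME}"`; otherwise add `# NOTE: -b exposes the password in ps and the sudo log; EL6 httpd-tools lacks -i` so the trade-off is explicit. The enclosing function continues past the hunk.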
@@ -580,6 +646,7 @@ STEP="Check TCP ports and MongoDB storage requirements" && check_st2_host_depend
 STEP='Check libffi-devel availability' && check_libffi_devel
 STEP='Adjust SELinux policies' && adjust_selinux_policies
 STEP='Install repoquery tool' && install_yum_utils
+STEP="Generate random password" && generate_random_passwords
 STEP="Install st2 dependencies" && install_st2_dependencies
 STEP="Install st2 dependencies (MongoDB)" && install_mongodb
diff --git a/scripts/st2bootstrap-el7.sh b/scripts/st2bootstrap-el7.sh
index d2e1c117..90bdc73f 100644
--- a/scripts/st2bootstrap-el7.sh
+++ b/scripts/st2bootstrap-el7.sh
@@ -95,6 +95,11 @@ setup_args() {
 echo "Press \"ENTER\" to continue or \"CTRL+C\" to exit/abort"
 read -e -p "Admin username: " -i "st2admin" USERNAME
 read -e -s -p "Password: " PASSWORD
+
+ if [ "${PASSWORD}" = '' ]; then
+ echo "Password cannot be empty."
+ exit 1
+ fi
 fi
 }
@@ -241,14 +246,27 @@ check_st2_host_dependencies() {
 fi
 }
+generate_random_passwords() {
+ # Generate random password used for MongoDB and PostgreSQL user authentication
+ ST2_MONGODB_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+ ST2_POSTGRESQL_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+}
+
 install_st2_dependencies() {
 is_epel_installed=$(rpm -qa | grep epel-release || true)
 if [[ -z "$is_epel_installed" ]]; then
 sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
 fi
 sudo yum -y install curl rabbitmq-server
+
+ # Configure RabbitMQ to listen on localhost only
+ sudo sh -c 'echo "RABBITMQ_NODE_IP_ADDRESS=127.0.0.1" >> /etc/rabbitmq/rabbitmq-env.conf'
+
 sudo systemctl start rabbitmq-server
 sudo systemctl enable rabbitmq-server
+
+ # Various other dependencies needed by st2 and installer script
+ sudo yum -y install crudini
 }
 install_mongodb() {
@@ -264,13 +282,50 @@ gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc
 EOT"
 sudo yum -y install mongodb-org
+
+ # Configure MongoDB to listen on localhost only
+ sudo sed -i -e "s#bindIp:.*#bindIp: 127.0.0.1#g" /etc/mongod.conf
+
 sudo systemctl start mongod
 sudo systemctl enable mongod
+
+ sleep 5
+
+ # Create admin user and user used by StackStorm (MongoDB needs to be running)
+ mongo <> /etc/mongod.conf'
+
+ # MongoDB needs to be restarted after enabling auth
+ sudo systemctl restart mongod
 }
 install_st2() {
 curl -s https://packagecloud.io/install/repositories/StackStorm/${REPO_PREFIX}${RELEASE}/script.rpm.sh | sudo bash -
+
 if [ "$DEV_BUILD" = '' ]; then
 STEP="Get package versions" && get_full_pkg_versions && STEP="Install st2"
 sudo yum -y install ${ST2_PKG}
@@ -280,6 +335,10 @@ install_st2() {
 sudo yum -y install ${PACKAGE_URL}
 fi
+ # Configure [database] section in st2.conf (username password for MongoDB access)
+ sudo crudini --set /etc/st2/st2.conf database username "stackstorm"
+ sudo crudini --set /etc/st2/st2.conf database password "${ST2_MONGODB_PASSWORD}"
+
 sudo st2ctl start
 sleep 5
 sudo st2ctl reload --register-all
@@ -311,8 +370,8 @@ configure_st2_user() {
 }
 configure_st2_authentication() {
- # Install htpasswd and tool for editing ini files
- sudo yum -y install httpd-tools crudini
+ # Install htpasswd tool
+ sudo yum -y install httpd-tools
 # Create a user record in a password file.
 echo $PASSWORD | sudo htpasswd -i /etc/st2/htpasswd $USERNAME
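Review bot: On the unchanged last line of this hunk, `echo $PASSWORD | sudo htpasswd -i …` leaves `$PASSWORD` unquoted, so a password containing spaces or glob characters is word-split and globbed before it reaches echo, and one beginning with `-n` or `-e` is consumed as an echo option — the stored hash then differs from what the user typed at the prompt; the deb script in this same change at least quotes it (`sudo echo "${PASSWORD}"`). Use `printf '%s\n' "${PASSWORD}" | sudo htpasswd -i /etc/st2/htpasswd "${USERNAME}"` here and mirror it in the deb script, where the `sudo` on `echo` is a no-op. The enclosing function continues past the hunk.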
@@ -418,6 +477,9 @@ install_st2mistral_depdendencies() {
 # Setup postgresql at a first time
 sudo postgresql-setup initdb
+ # Configure service only listens on localhost
+ sudo sh -c "echo \"listen_addresses = '127.0.0.1'\" >> /var/lib/pgsql/data/postgresql.conf"
+
 # Make localhost connections to use an MD5-encrypted password for authentication
 sudo sed -i "s/\(host.*all.*all.*127.0.0.1\/32.*\)ident/\1md5/" /var/lib/pgsql/data/pg_hba.conf
 sudo sed -i "s/\(host.*all.*all.*::1\/128.*\)ident/\1md5/" /var/lib/pgsql/data/pg_hba.conf
@@ -427,7 +489,7 @@ install_st2mistral_depdendencies() {
 sudo systemctl enable postgresql
 cat << EHD | sudo -u postgres psql
-CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD 'StackStorm';
+CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD '${ST2_POSTGRESQL_PASSWORD}';
 CREATE DATABASE mistral OWNER mistral;
 EHD
 }
@@ -442,8 +504,12 @@ install_st2mistral() {
 sudo yum -y install ${PACKAGE_URL}
 fi
+ # Configure database settings
+ sudo crudini --set /etc/mistral/mistral.conf database connection "postgresql://mistral:${ST2_POSTGRESQL_PASSWORD}@127.0.0.1/mistral"
+
 # Setup Mistral DB tables, etc.
 /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head
+
 # Register mistral actions
 /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf populate
@@ -554,6 +620,7 @@ STEP='Parse arguments' && setup_args $@
 STEP="Check TCP ports and MongoDB storage requirements" && check_st2_host_dependencies
 STEP='Adjust SELinux policies' && adjust_selinux_policies
 STEP='Install repoquery tool' && install_yum_utils
+STEP="Generate random password" && generate_random_passwords
 STEP="Install st2 dependencies" && install_st2_dependencies
 STEP="Install st2 dependencies (MongoDB)" && install_mongodb