ru:bayzrcibyhands [2017/11/18 00:24]
skoree
ru:bayzrcibyhands [2017/11/18 00:53] (текущий)
skoree
Строка 942: Строка 942:
   * mysql -e "GRANT ALL ON bayzr.* TO '​bayzr'​@'​localhost'​ IDENTIFIED BY '​PASSWD';"​   * mysql -e "GRANT ALL ON bayzr.* TO '​bayzr'​@'​localhost'​ IDENTIFIED BY '​PASSWD';"​
   * mysql -e "FLUSH PRIVILEGES;"​   * mysql -e "FLUSH PRIVILEGES;"​
 +  * curl --data "​login=admin&​password=admin"​ -H "​Content-Type:​ application/​x-www-form-urlencoded"​ -X POST http://​127.0.0.1:​9000
 +  * curl --user admin:admin --data "​key=genericcoverage"​ -H "​Content-Type:​ application/​x-www-form-urlencoded"​ -X POST http://​127.0.0.1:​9000/​api/​plugins/​install
 +  * curl --user admin:admin --data "​key=l10nru"​ -H "​Content-Type:​ application/​x-www-form-urlencoded"​ -X POST http://​127.0.0.1:​9000/​api/​plugins/​install
 +  * curl --user admin:admin --data "​key=widgetlab"​ -H "​Content-Type:​ application/​x-www-form-urlencoded"​ -X POST http://​127.0.0.1:​9000/​api/​plugins/​install
 +  * curl --user admin:admin --data "​key=scmgit"​ -H "​Content-Type:​ application/​x-www-form-urlencoded"​ -X POST http://​127.0.0.1:​9000/​api/​plugins/​install
 +  * curl --user admin:admin --data "​key=csharp"​ -H "​Content-Type:​ application/​x-www-form-urlencoded"​ -X POST http://​127.0.0.1:​9000/​api/​plugins/​install
 +  * curl --user admin:admin --data "​key=java"​ -H "​Content-Type:​ application/​x-www-form-urlencoded"​ -X POST http://​127.0.0.1:​9000/​api/​plugins/​install
 +  * curl --user admin:admin --data "​key=javascript"​ -H "​Content-Type:​ application/​x-www-form-urlencoded"​ -X POST http://​127.0.0.1:​9000/​api/​plugins/​install
 +  * yum -y install pylint
 +  * service sonar stop
 +  * service sonar start
 +  * curl --user admin:admin --data "​id=sonar.bayzr.pass&​value=PASSWD"​ -H "​Content-Type:​ application/​x-www-form-urlencoded"​ -X POST http://​127.0.0.1:​9000/​api/​plugins/​install
 +  * yum install -y squid
 +  * systemctl enable squid
 +  * touch /​etc/​squid/​squid.conf с содержимым:​
 +
 +<​Code:​bash linenums:1 |/​etc/​squid/​squid.conf>​
 +#
 +# Recommended minimum configuration:​
 +#
 +
 +# Example rule allowing access from your local networks.
 +# Adapt to list your (internal) IP networks from where browsing
 +# should be allowed
 +acl localnet src 10.0.0.0/​8 #​ RFC1918 possible internal network
 +acl localnet src 172.16.0.0/​12 #​ RFC1918 possible internal network
 +acl localnet src 192.168.0.0/​16 #​ RFC1918 possible internal network
 +acl localnet src fc00::/​7 ​      # RFC 4193 local private network range
 +acl localnet src fe80::/​10 ​     # RFC 4291 link-local (directly plugged) machines
 +
 +acl SSL_ports port 443
 +acl Safe_ports port 80 # http
 +acl Safe_ports port 21 # ftp
 +acl Safe_ports port 443 # https
 +acl Safe_ports port 70 # gopher
 +acl Safe_ports port 210 # wais
 +acl Safe_ports port 1025-65535 #​ unregistered ports
 +acl Safe_ports port 280 # http-mgmt
 +acl Safe_ports port 488 # gss-http
 +acl Safe_ports port 591 # filemaker
 +acl Safe_ports port 777 # multiling http
 +acl CONNECT method CONNECT
 +
 +#
 +# Recommended minimum Access Permission configuration:​
 +#
 +# Deny requests to certain unsafe ports
 +http_access deny !Safe_ports
 +
 +# Deny CONNECT to other than secure SSL ports
 +http_access deny CONNECT !SSL_ports
 +
 +# Only allow cachemgr access from localhost
 +http_access allow localhost manager
 +http_access deny manager
 +
 +# We strongly recommend the following be uncommented to protect innocent
 +# web applications running on the proxy server who think the only
 +# one who can access services on "​localhost"​ is a local user
 +#​http_access deny to_localhost
 +
 +#
 +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 +#
 +
 +# Example rule allowing access from your local networks.
 +# Adapt localnet in the ACL section to list your (internal) IP networks
 +# from where browsing should be allowed
 +http_access allow localnet
 +http_access allow localhost
 +
 +# And finally deny all other access to this proxy
 +http_access deny all
 +
 +# Squid normally listens to port 3128
 +http_port 3128
 +
 +# Uncomment and adjust the following to add a disk cache directory.
 +cache_dir ufs /​var/​spool/​squid 2048 16 256
 +
 +# Leave coredumps in the first cache dir
 +coredump_dir /​var/​spool/​squid
 +
 +#
 +# Add any of your own refresh_pattern entries above these.
 +#
 +refresh_pattern ^ftp:​ 1440 20% 10080
 +refresh_pattern ^gopher:​ 1440 0% 1440
 +refresh_pattern -i (/​cgi-bin/​|\?​) 0 0% 0
 +refresh_pattern . 0 20% 4320
 +
 +maximum_object_size 300000000
 +</​Code>​
 +
 +  * chmod 640 /​etc/​squid/​squid.conf
 +  * systemctl start squid
 +  * touch /​etc/​yumbootstrap/​suites/​centos-7-mod.suite с содержимым:​
 +
 +<​Code:​bash linenums:1 |/​etc/​yumbootstrap/​suites/​centos-7-mod.suite>​
 +name = CentOS
 +release = 7
 +
 +gpg_key =  gpg/​RPM-GPG-KEY-CentOS-7
 +gpg_key ?= gpg/​RPM-GPG-KEY-CentOS-Security-7
 +gpg_key ?= gpg/​repomd.xml.key
 +
 +packages = packages/​${suite}.list
 +
 +[main]
 +cachedir=/​yumbootstrap/​cache
 +logfile=/​yumbootstrap/​log/​yum.log
 +keepcache=0
 +debuglevel=2
 +exactarch=1
 +obsoletes=1
 +installonly_limit=5
 +proxy=http://​127.0.0.1:​3128
 +
 +[post_install]
 +finalize = scripts/​addbayzr.py
 +finalize = scripts/​fix_rpmdb.py
 +finalize = scripts/​clean_yumbootstrap.py
 +
 +[repositories]
 +centos ​        = http://​mirror.centos.org/​centos/​7/​os/​$basearch/​
 +centos-updates = http://​mirror.centos.org/​centos/​7/​updates/​$basearch/​
 +home_repo ​     = http://​download.opensuse.org/​repositories/​home:/​bayrepo/​CentOS_7/​
 +centos-extras ​ = http://​mirror.centos.org/​centos/​7/​extras/​$basearch/​
 +
 +
 +[environment]
 +HOME=/root
 +TERM="​$TERM" ​
 +PS1='​\u:​\w\$ ' ​
 +PATH=/​bin:/​usr/​bin:/​sbin:/​usr/​sbin
 +OUT_USER=checker
 +
 +[cache]
 +cache_dir = /​usr/​share/​yumbotstrapcache
 +cache_expire = 2592000
 +
 +# vim:​ft=dosini
 +
 +</​Code>​
 +
 +  * chmod 644 /​etc/​yumbootstrap/​suites/​centos-7-mod.suite
 +  * touch /​etc/​yumbootstrap/​suites/​packages/​centos-7-mod.list с содержимым:​
 +
 +<​Code:​bash linenums:1 |/​etc/​yumbootstrap/​suites/​packages/​centos-7-mod.list>​
 +# subset from @Core
 +coreutils
 +bash
 +grep
 +gawk
 +basesystem
 +rpm
 +initscripts
 +iproute
 +sudo
 +shadow-utils
 +
 +# subset from @Base
 +less
 +make
 +mktemp
 +vim-minimal
 +yum
 +which
 +#authconfig
 +#dhclient
 +chkconfig
 +# graphical boot helper (used by initscripts)
 +plymouth
 +# ~root/.*
 +rootfiles
 +
 +#utils
 +bayzr
 +pylint
 +java-1.8.0-openjdk
 +~/​usr/​local/​sonar-scanner
 +~/​etc/​resolv.conf
 +~/​usr/​bin/​shellcheck
 +gcc
 +gcc-c++
 +make
 +cmake
 +git
 +bay-gcc61
 +clang
 +clang-analyzer
 +cppcheck
 +oclint
 +rats
 +splint
 +pylint
 +rpmlint
 +frama-c
 ++/​var/​lib/​mysql
 ++/​usr/​local/​sonar
 ++/dev
 ++/proc
 +
 +# redhat-release
 +centos-release
 +
 +# required to fix RPM DB
 +/​usr/​bin/​db_load
 +
 +</​Code>​
 +
 +  * chmod 644 /​etc/​yumbootstrap/​suites/​packages/​centos-7-mod.list
 +  * touch /​etc/​yumbootstrap/​suites/​gpg/​repomd.xml.key с содержимым:​
 +
 +<​Code:​bash linenums:1 |/​etc/​yumbootstrap/​suites/​gpg/​repomd.xml.key>​
 +-----BEGIN PGP PUBLIC KEY BLOCK-----
 +Version: GnuPG v2.0.15 (GNU/Linux)
 +
 +mQENBFcngrQBCACohw+37Sk3pxTVWwM+vz6zMImQjOXO6nPA+X2/​I996oR2/​RDil
 +l3iGzsBw37p2/​BZb6CO+4w157KfSzhGTEexcjl5rJ9ZPs96Zsizweh4KdBjZRqyE
 +7qb81ZXudItVXDb7Da7z164EwiLkEdUIFGoQuWMZlJ2/​UANg652SOxUaNIIVOWSx
 +rT/​o7NaaUx2H9KtAikaHth+29wWmoQkgD0Tr5YBvtufQw+gy7lBdQlcy5HNx6weW
 +WwE+YhUYgc9AOyhPA3HLP6m5YsvK0O9g2d893N7JLypEjtjm3EPhw94cstfAiHLC
 +OJU8/​9MDXAeTX2NZtoTqlb/​vbqADHO/​5UpRPABEBAAG0OmhvbWU6YmF5cmVwbyBP
 +QlMgUHJvamVjdCA8aG9tZTpiYXlyZXBvQGJ1aWxkLm9wZW5zdXNlLm9yZz6JAT4E
 +EwECACgFAlcngrQCGwMFCQQesAAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
 +EAOb5ANUCoMaezUH/​1UAcLos3tAdYkAzOmFDIrGr8a01ss9mT6uR9orGcawJds67
 +ZsRFqzGu2P+bTvzflDyk6QFYQyYjSbXoYPPXXEVidskEL1iuF4kXk6yxvo83xfCk
 +DOTIt8O88pRkWOm8Rv5pTMqvtp9TMR/​Vkyl9ABvTugLiH1sdHhNpEGdR90Bu7sLl
 +djJvlZePp/​KamOGnKlj/​UjMMYQro78kji+JpNnD0r85WcuBgfdITm6p0GmWmPvgk
 +MzayyRZ7uqHXRSpxNN1TMuoS4Nk4pNjiBpw5WvxpVroi/​SMIL22t69UqdH/​ZUPFc
 +/​eND1LeQZl0KxIyeNPpKnkS+Am790FY9uGiA5SyIRgQTEQIABgUCVyeCtAAKCRA7
 +MBG3a51lI89EAJ9gMmRlng9I8bXyRDOe/​pkMTCs+cACeMLfrf2STae8ktJvxqoHY
 +SaaQsrM=
 +=H2m6
 +-----END PGP PUBLIC KEY BLOCK-----
 +
 +</​Code>​
 +
 +  * chmod 644 /​etc/​yumbootstrap/​suites/​gpg/​repomd.xml.key
 +  * touch /​etc/​yumbootstrap/​suites/​scripts/​addbayzr.py с содержимым:​
 +
 +<​Code:​bash linenums:1 |/​etc/​yumbootstrap/​suites/​scripts/​addbayzr.py>​
 +#​!/​usr/​bin/​python
 +
 +import os
 +import time
 +import logging
 +import pwd
 +import grp
 +import yumbootstrap.yum
 +import yumbootstrap.log
 +from shutil import copyfile
 +
 +def createUser(username,​uid,​gid):​
 +    os.system("/​usr/​sbin/​groupadd " + username + " -g " + str(gid))
 +    return ​ os.system("/​usr/​sbin/​useradd -s " + "/​bin/​bash "+ "-d "+ "/​home/"​ + username + " -m " + username + " -u " + str(uid) + " -g " + str(gid))
 +
 +#​-----------------------------------------------------------------------------
 +
 +logger = logging.getLogger()
 +logger.addHandler(yumbootstrap.log.ProgressHandler())
 +if os.environ['​VERBOSE'​] == '​true':​
 +  logger.setLevel(logging.INFO)
 +#​-----------------------------------------------------------------------------
 +
 +out_user = os.environ['​OUT_USER'​]
 +uid = pwd.getpwnam(out_user).pw_uid
 +gid = grp.getgrnam(out_user).gr_gid
 +
 +if uid != os.getuid():​
 +    print "​Prepare chroot for non root user"
 +    os.chown(os.environ['​TARGET'​],​ uid, gid)
 +    real_root = os.open("/",​ os.O_RDONLY)
 +    os.chroot(os.environ['​TARGET'​])
 +    createUser(out_user,​ uid, gid)
 +    with open("/​etc/​sudoers",​ "​a"​) as myfile:
 +        myfile.write("​%s ALL = NOPASSWD : /​usr/​bin/​yum,​ /​usr/​bin/​rpm,​ /​home/​checker/​pre_execute\n"​ % out_user)
 +    os.fchdir(real_root)
 +    os.chroot("​."​)
 +    os.mkdir( os.environ['​TARGET'​] + "/​home/"​ + out_user + "/​.ssh/",​ 0700 );
 +    copyfile("/​root/​config",​ os.environ['​TARGET'​] + "/​home/"​ + out_user + "/​.ssh/​config"​)
 +    os.chown(os.environ['​TARGET'​] + "/​home/"​ + out_user + "/​.ssh/",​ uid, gid)
 +    os.chown(os.environ['​TARGET'​] + "/​home/"​ + out_user + "/​.ssh/​config",​ uid, gid)
 +    # Back to old root
 +    os.close(real_root)
 +
 +</​Code>​
 +
 +  * chmod 755 /​etc/​yumbootstrap/​suites/​scripts/​addbayzr.py
 +  * yum install -y yum-utils
 +  * rpm -ihv https://​dl.fedoraproject.org/​pub/​epel/​epel-release-latest-7.noarch.rpm
 +  * /​usr/​bin/​yum-config-manager --enablerepo=epel-testing
 +  * yum install -y patch cabal-install cabal-dev cabal-rpm ghc-Cabal ghc-Cabal-devel ghc-rpm-macros ghc-containers-devel ghc-directory-devel ghc-json-devel ghc-mtl-devel ghc-parsec-devel ghc-regex-compat-devel ghc-QuickCheck-devel cpphs hscolour chrpath pandoc
 +  * cabal update
 +  * wget https://​github.com/​koalaman/​shellcheck/​archive/​v0.4.4.zip
 +  * unzip v0.4.4.zip
 +  * cd shellcheck-0.4.4"​
 +  * cabal update
 +  * cabal install --force-reinstalls
 +  * mv /​root/​.cabal/​bin/​shellcheck /usr/bin/
 +  * rpm -e epel-release
 +  * systemctl enable citool
 +  * touch /​etc/​sudoers с содержимым:​
 +
 +<​Code:​bash linenums:1 |/​etc/​sudoers>​
 +## Sudoers allows particular users to run various commands as
 +## the root user, without needing the root password.
 +##
 +## Examples are provided at the bottom of the file for collections
 +## of related commands, which can then be delegated out to particular
 +## users or groups.
 +## 
 +## This file must be edited with the '​visudo'​ command.
 +
 +## Host Aliases
 +## Groups of machines. You may prefer to use hostnames (perhaps using 
 +## wildcards for entire domains) or IP addresses instead.
 +# Host_Alias ​    ​FILESERVERS = fs1, fs2
 +# Host_Alias ​    ​MAILSERVERS = smtp, smtp2
 +
 +## User Aliases
 +## These aren't often necessary, as you can use regular groups
 +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ​
 +## rather than USERALIAS
 +# User_Alias ADMINS = jsmith, mikem
 +
 +
 +## Command Aliases
 +## These are groups of related commands...
 +
 +## Networking
 +# Cmnd_Alias NETWORKING = /​sbin/​route,​ /​sbin/​ifconfig,​ /bin/ping, /​sbin/​dhclient,​ /​usr/​bin/​net,​ /​sbin/​iptables,​ /​usr/​bin/​rfcomm,​ /​usr/​bin/​wvdial,​ /​sbin/​iwconfig,​ /​sbin/​mii-tool
 +
 +## Installation and management of software
 +# Cmnd_Alias SOFTWARE = /bin/rpm, /​usr/​bin/​up2date,​ /​usr/​bin/​yum
 +
 +## Services
 +# Cmnd_Alias SERVICES = /​sbin/​service,​ /​sbin/​chkconfig,​ /​usr/​bin/​systemctl start, /​usr/​bin/​systemctl stop, /​usr/​bin/​systemctl reload, /​usr/​bin/​systemctl restart, /​usr/​bin/​systemctl status, /​usr/​bin/​systemctl enable, /​usr/​bin/​systemctl disable
 +
 +## Updating the locate database
 +# Cmnd_Alias LOCATE = /​usr/​bin/​updatedb
 +
 +## Storage
 +# Cmnd_Alias STORAGE = /​sbin/​fdisk,​ /​sbin/​sfdisk,​ /​sbin/​parted,​ /​sbin/​partprobe,​ /bin/mount, /bin/umount
 +
 +## Delegating permissions
 +# Cmnd_Alias DELEGATING = /​usr/​sbin/​visudo,​ /bin/chown, /bin/chmod, /​bin/​chgrp ​
 +
 +## Processes
 +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /​usr/​bin/​kill,​ /​usr/​bin/​killall
 +
 +## Drivers
 +# Cmnd_Alias DRIVERS = /​sbin/​modprobe
 +
 +# Defaults specification
 +
 +#
 +# Disable "ssh hostname sudo <​cmd>",​ because it will show the password in clear. ​
 +#         You have to run "ssh -t hostname sudo <​cmd>"​.
 +#
 +Defaults ​   requiretty
 +
 +#
 +# Refuse to run if unable to disable echo on the tty. This setting should also be
 +# changed in order to be able to use sudo without a tty. See requiretty above.
 +#
 +Defaults ​  ​!visiblepw
 +
 +#
 +# Preserving HOME has security implications since many programs
 +# use it when searching for configuration files. Note that HOME
 +# is already set when the the env_reset option is enabled, so
 +# this option is only effective for configurations where either
 +# env_reset is disabled or HOME is present in the env_keep list.
 +#
 +Defaults ​   always_set_home
 +
 +Defaults ​   env_reset
 +Defaults ​   env_keep =  "​COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"​
 +Defaults ​   env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"​
 +Defaults ​   env_keep += "​LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"​
 +Defaults ​   env_keep += "​LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"​
 +Defaults ​   env_keep += "​LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"​
 +
 +#
 +# Adding HOME to env_keep may enable a user to run unrestricted
 +# commands via sudo.
 +#
 +# Defaults ​  ​env_keep += "​HOME"​
 +
 +Defaults ​   secure_path = /​sbin:/​bin:/​usr/​sbin:/​usr/​bin
 +
 +## Next comes the main part: which users can run what software on 
 +## which machines (the sudoers file can be shared between multiple
 +## systems).
 +## Syntax:
 +##
 +## user MACHINE=COMMANDS
 +##
 +## The COMMANDS section may have other options added to it.
 +##
 +## Allow root to run any commands anywhere ​
 +root ALL=(ALL) ALL
 +
 +## Allows members of the '​sys'​ group to run networking, software, ​
 +## service management apps and more.
 +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
 +
 +## Allows people in group wheel to run all commands
 +%wheel ALL=(ALL) ALL
 +
 +## Same thing without a password
 +# %wheel ALL=(ALL) NOPASSWD:​ ALL
 +
 +## Allows members of the users group to mount and unmount the 
 +## cdrom as root
 +# %users ​ ALL=/​sbin/​mount /mnt/cdrom, /​sbin/​umount /mnt/cdrom
 +
 +## Allows members of the users group to shutdown this system
 +# %users ​ localhost=/​sbin/​shutdown -h now
 +
 +## Read drop-in files from /​etc/​sudoers.d (the # here does not mean a comment)
 +#includedir /​etc/​sudoers.d
 +
 +checker ALL = NOPASSWD : /​usr/​sbin/​yumbootstrap,​ /​home/​checker/​pre_execute,​ /​usr/​bin/​yum
 +
 +
 +</​Code>​
 +
 +  * chmod 440 /​etc/​sudoers
 +  * setcap cap_sys_chroot+ep /​usr/​sbin/​chroot
 +  * setcap cap_sys_chroot+ep /​usr/​sbin/​citool
 +  * touch /​etc/​citool.ini с содержимым:​
 +
 +<​Code:​bash linenums:1 |/​etc/​citool.ini>​
 +[mysql]
 +connect=bayzr:​PASSSWD@tcp(127.0.0.1:​3306)/​bayzr?​charset=utf8
 +clean=10
 +timetoclean=59 59 23 * * *
 +
 +[server]
 +workers=10
 +wait=30
 +</​Code>​
 +
 +  * chmod 644 /​etc/​citool.ini
 +  * systemctl start citool
 +  * /​usr/​bin/​chown checker:​checker /​etc/​citool.ini
 +  * touch /​root/​config с содержимым:​
 +
 +<​Code:​bash linenums:1 |/​root/​config>​
 +Host *
 +    StrictHostKeyChecking no
 +
 +</​Code>​
 +
 +  * chmod 400 /​root/​config
   *    *
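Review bot: The sudoers rule `checker ALL = NOPASSWD : /usr/sbin/yumbootstrap, /home/checker/pre_execute, /usr/bin/yum` at the end of the `/etc/sudoers` listing (and the equivalent line `addbayzr.py` appends inside every chroot) is root-equivalent for `checker`: a NOPASSWD command that lives under the caller's own home directory can simply be overwritten by that user, so `pre_execute` should live in a root-owned, non-writable path such as `/usr/local/sbin/pre_execute`, and unrestricted `yum`/`rpm` (e.g. `yum shell`, arbitrary package installs) should be constrained to specific subcommands or dropped. The bayzr database password is also exposed to every local account: `/etc/citool.ini` is created with `chmod 644` and then `chown checker:checker`, leaving the `connect=bayzr:...` line world-readable, so use `chmod 640` (or `600`) before `systemctl start citool`; note that it spells the password `PASSSWD` while the `GRANT` statement and the SonarQube setting use `PASSWD`, which looks like a typo. The `/root/config` copied into each chroot's `~/.ssh/config` sets `StrictHostKeyChecking no` for `Host *`, disabling host-key verification for all outbound SSH from the build environments; if the target hosts are known, ship a pinned `known_hosts` instead. Smaller points: the `curl` call posting `id=sonar.bayzr.pass&value=PASSWD` is sent to `/api/plugins/install` rather than a settings endpoint and so presumably sets nothing (verify against the SonarQube version in use), the default `admin:admin` SonarQube credentials are never rotated, and `cd shellcheck-0.4.4"` carries a stray quote.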