Posts Tagged ‘centos’

A script to allow non-admin users to install security updates on CentOS

Thursday, September 27th, 2018

At work, I needed to come up with a script that allows non-admin users to install security updates on CentOS servers.

The only real dependency is yum-utils (because the script uses its needs-restarting binary to check the status of things), but you should also create a folder to store the script and, of course, a sudo command for the users to run.

Please also note the creative accumulation of several copied scripts to create the multiple choice menus…. I patched together some code samples found on the usual websites where coding is discussed.

HTH someone out there…

#!/bin/bash

######################################
## only root can run this (or sudo) ##
######################################

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run using sudo (\"sudo /opt/yumcleanup/restartsetupscript\") or as root. Exiting..." 1>&2
    exit 1
fi

###############
## functions ##
###############

display_help () {
    echo "The script can be run without interaction using the following"
    echo "command line option: --non-interactive"
    echo "This will silently install security updates only and restart"
    echo "affected services."
    echo " "
    echo "Calling the script with --help will also display this help text"
    echo "as does calling the script with an unknown option."
    exit
}

set_exports () {
    export http_proxy="http://my.proxy.server.local:11111"
    export https_proxy="http://my.proxy.server.local:11111"
    export proxy="http://my.proxy.server.local:11111"
}

unset_exports () {
    unset http_proxy
    unset https_proxy
    unset proxy
}

# (Re)create the file that holds the list of services to restart.
# This runs as root in /tmp: noclobber makes the create fail instead of
# following a file or symlink another user planted after the rm.
outputs_preparation () {
    rm -f "$outputs"
    ( umask 077; set -o noclobber; : > "$outputs" ) || exit 1
}

# Same for the file that holds the reboot hint
outputr_preparation () {
    rm -f "$outputr"
    ( umask 077; set -o noclobber; : > "$outputr" ) || exit 1
}

# needs-restarting -s lists the services that need a restart
outputs_filling () {
    "$mybin" -s >> "$outputs"
}

# needs-restarting -r reports whether a reboot is required
outputr_filling () {
    "$mybin" -r >> "$outputr"
}

services_restart () {
    while read -r line
    do
        # Restarting $line
        /bin/systemctl stop "$line"
        /bin/systemctl start "$line"
    done < "$outputs"
}

#################
## getopt test ##
#################

getopt --test > /dev/null
if [[ $? -ne 4 ]]; then
    echo "I'm sorry, 'getopt --test' failed in this environment."
    exit 1
fi

#######################
## setting variables ##
#######################

outputs=/tmp/myoutputs
outputr=/tmp/myoutputr
mybin=/bin/needs-restarting

# no short options, only the two long ones
OPTIONS=""
LONGOPTIONS=non-interactive,help

PARSED=$(getopt --options="$OPTIONS" --longoptions="$LONGOPTIONS" --name "$0" -- "$@")
if [[ $? -ne 0 ]]; then
    # e.g. $? == 1
    # then getopt has complained about wrong arguments to stdout
    echo "something wrong, showing help instead in one second"
    display_help
    exit 2
fi

# echo "$PARSED"

# read getopt's output this way to handle the quoting right:
eval set -- "$PARSED"

# now enjoy the options in order and nicely split until we see --
while true; do
    case "$1" in
        --non-interactive)
            n=y
            # echo "doing silent stuff now... TODO: disable this line"
            # should do these steps: (probably better to put this in its own function)
            set_exports
            # run yum directly; wrapping it in backticks would execute its output as a command
            yum -y -d0 --security update
            outputs_preparation
            outputs_filling
            services_restart
            unset_exports
            exit
            shift
            ;;
        --help)
            h=y
            # echo "displaying help in two seconds"
            display_help
            shift
            ;;
        --)
            #echo "instead of -- showing help in three seconds"
            #display_help
            shift
            break
            ;;
        *)
            echo "Programming error"
            echo "displaying help instead in four seconds"
            display_help
            exit 3
            ;;
    esac
done

set_exports
#export http_proxy="http://my.proxy.server.local:11111"
#export https_proxy="http://my.proxy.server.local:11111"
#export proxy="http://my.proxy.server.local:11111"

# cleanup before we do anything
#rm -f $outputs
#rm -f $outputr

# install updates, ask user which type of updating he wants to do
echo ""
echo "Please select the type of updates you want to install: "
echo ""
PS3='Enter your choice: '
options=("All updates (will most certainly require a reboot)" "Security updates only (reboot probably not required)" "All updates except kernel and kernel-related packages (reboot might be required)" "Quit (you will need to run the script again later)")
select opt in "${options[@]}"
do
    case $opt in
        #"Option 1")
        "All updates (will most certainly require a reboot)")
            echo "Installing all updates... please wait"
            yum -y -d0 update &
            # $! is the PID of the yum just started; grepping ps could match other processes
            PIDD=$!
            while sleep 8; do echo "still installing..." && kill -0 "$PIDD" 2>/dev/null || break; done
            break
            ;;
        #"Option 2")
        "Security updates only (reboot probably not required)")
            echo "Installing only security updates.... please wait"
            yum -y -d0 --security update &
            PIDD=$!
            while sleep 8; do echo "still installing..." && kill -0 "$PIDD" 2>/dev/null || break; done
            break
            ;;
        #"Option 3")
        "All updates except kernel and kernel-related packages (reboot might be required)")
            echo "Installing all updates except kernel and kernel-related packages... please wait"
            # quote the pattern so the shell does not expand it against files in the current directory
            yum --exclude='kernel*' -y -d0 update &
            PIDD=$!
            while sleep 8; do echo "still installing..." && kill -0 "$PIDD" 2>/dev/null || break; done
            break
            ;;
        #"Quit")
        "Quit (you will need to run the script again later)")
            echo "Quitting... bye!"
            exit
            ;;
        *) echo "invalid option $REPLY";;
    esac
done

unset_exports
#unset http_proxy
#unset https_proxy
#unset proxy

##############################
## section services restart ##
##############################

outputs_preparation
outputs_filling

# $mybin -s >> $outputs
# chmod 600 $outputs

# at least one line in the file means at least one service to restart
if [ "$(wc -l < "$outputs")" -ge 1 ]; then
    echo ""
    echo "The following services should be restarted:"
    echo "******************************"
    cat "$outputs"
    echo "******************************"

    while true
    do
        read -r -p "Do you want to restart the above services? (y/N)" answer

        case $answer in
            [yY]* ) #
                echo "restarting services...."

                while read -r line
                do
                    echo "Restarting $line"
                    /bin/systemctl stop "$line"
                    /bin/systemctl start "$line"
                done < "$outputs"

                break;;

            [nN]* ) echo "exiting..." && break ;;

            * ) echo "Please enter Y or N";;
        esac
    done
else
    echo "******************************"
    echo "No services need to be restarted."
    echo "******************************"
fi

# section reboot

outputr_preparation
outputr_filling

# $mybin -r >> $outputr
# chmod 600 $outputr

echo ""
echo "Please check the following output and decide whether a reboot is required:"
echo "***************"
cat "$outputr"
echo "***************"

while true
do
    echo "If you need to disable some kind of monitoring before rebooting the server,"
    echo "please cancel this script (Ctrl+c) and disable the monitoring now,"
    echo "then re-run this script again."
    read -r -p "Do you want to reboot the server in 60 seconds? (y/N)" answer

    case $answer in
        [yY]* ) #
            echo "Scheduling reboot...."

            # +1 = one minute from now, matching the 60 seconds announced above
            shutdown -r +1

            break;;

        [nN]* ) echo "exiting..." && exit;;

        * ) echo "Please enter Y or N";;
    esac
done
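
The post mentions "a sudo command for the users to run" without showing it. The following is an added example, not the author's code: it checks that the script cannot be modified by the users who may run it, and builds a sudoers rule limited to the exact path and the two options the script accepts. The group name `patchers` and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post.
SCRIPT=/opt/yumcleanup/restartsetupscript   # path shown in the script's own error message
GROUP=patchers                              # assumption: group of the non-admin users
DROPIN=/etc/sudoers.d/yumcleanup            # assumption: name of the sudoers drop-in

# Succeeds only if FILE and its directory belong to OWNER (default uid 0) and
# neither is a symlink or writable by group/others. Anyone who can rewrite a
# script that sudo runs as root effectively has root.
is_safe_for_sudo () {
    file=$1 owner=${2:-0}
    [ -f "$file" ] || return 1
    for item in "$file" "$(dirname "$file")"; do
        [ -L "$item" ] && return 1
        set -- $(stat -c '%u %a' "$item")        # uid and octal mode (GNU stat)
        [ "$1" = "$owner" ] || return 1
        [ $(( 0$2 & 022 )) -eq 0 ] || return 1   # group/other write bits must be clear
    done
    return 0
}

# One rule for the exact path: "" permits a call without arguments (the
# interactive menu); the other two entries permit only those literal options.
sudoers_rule () {
    printf '%%%s ALL=(root) %s "", %s --non-interactive, %s --help\n' \
        "$GROUP" "$SCRIPT" "$SCRIPT" "$SCRIPT"
}

# Syntax-check the rule with visudo before it goes live; a broken drop-in
# can disable sudo for everyone.
install_rule () {
    is_safe_for_sudo "$SCRIPT" || { echo "refusing: fix owner/mode of $SCRIPT first" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sudoers_rule > "$tmp"
    visudo -cf "$tmp" >/dev/null && install -o root -g root -m 0440 "$tmp" "$DROPIN"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run as root with the argument "install" to write the drop-in.
if [ "${1:-}" = install ]; then install_rule; fi
```
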

Installing Galaxy on CentOS 6.3 with an mysql db and running it as a non-root user

Friday, February 8th, 2013

There’s a biomedical research software called Galaxy. I didn’t know that either 😉
The installation is easy but it uses a sqlite ‘db’ and must be started by whoever wants to use it. In a production environment, this is not convenient and does not scale nicely. To be fair, the makers provide information on how to run it in a production environment.

Here is one such installation in detail. Maybe this helps you.
-OS: CentOS 6.3
-DB: mysql
-Galaxy is run by a non-root user
-Galaxy starts at system boot

Lines starting with # must be run as root, some lines are comments so you can’t just paste line by line in your shell. Make sure you understand what you do (the line breaks make it a bit hard to read though, sorry)

After the installation, open firefox. To use galaxy, visit localhost:8080

**************************

===========================================================
= Installation of Galaxy with a local mysql DB on CentOS6 =
===========================================================

mysql
=====

# yum install mysql-server
# yum install mysql
# yum install mysql-devel

# service mysqld start

# /usr/bin/mysql_secure_installation

Set root password? [Y/n] Y
root pwd: <pwd>

Remove anonymous users? [Y/n] Y

Disallow root login remotely? [Y/n] Y

Remove test database and access to it? [Y/n] Y

Reload privilege tables now? [Y/n] Y

(http://wiki.galaxyproject.org/Admin/Get%20Galaxy)

(sets mysqld to start on reboot)
# chkconfig mysqld on

add another db user
-------------------

/usr/bin/mysql -u root -p (enter pwd)

mysql> INSERT INTO mysql.user (User,Host,Password) VALUES('galaxy','localhost',PASSWORD('<pwd>'));
mysql> FLUSH PRIVILEGES;

create a galaxy db
------------------

mysql> CREATE DATABASE galadb;

grant user 'galaxy' all permissions on db 'galadb'
--------------------------------------------------

mysql> GRANT ALL PRIVILEGES ON galadb.* to galaxy@localhost;
mysql> FLUSH PRIVILEGES;
mysql> quit

mercurial
=========

# yum install mercurial

galaxy installation
===================

# cd /usr/local
# mkdir galaxy
# cd galaxy/
# hg clone https://bitbucket.org/galaxy/galaxy-dist/

# sh galaxy-dist/run.sh

--> starts a local galaxy instance, can be opened in a browser with localhost:8080
^C --> quits

change settings for production server
=====================================

(http://wiki.galaxyproject.org/Admin/Config/Performance/ProductionServer)

disable developer settings
--------------------------

cd /usr/local/galaxy/galaxy-dist/
# cp universe_wsgi.ini universe_wsgi.ini.orig
# vim /usr/local/galaxy/galaxy-dist/universe_wsgi.ini
(line 370) debug = True --> debug = False
(line 383) use_interactive = True --> use_interactive = False

use a local mysql db
--------------------

set db connection in universe_wsgi.ini
(line 93) database_connection = mysql://galaxy:<pwd>@localhost/galadb?unix_socket=/var/lib/mysql/mysql.sock

securing the galaxy installation by running it as non-root
==========================================================

(create a local user "galaxy")
# useradd -c "local user for galaxy installation" -d /home/galaxy -m -U galaxy
# passwd galaxy     (enter <pwd> when prompted)

**********************
* running galaxy with the local user galaxy will throw an error
*
ssh galaxy@host
[galaxy@host ~]$ sh /usr/local/galaxy/galaxy-dist/run.sh
-->
OSError: [Errno 13] Permission denied: './database/tmp/tmpeeJTbo'
*
* so we need to fix this by chowning the installation folder to galaxy
**********************

# cd /usr/local/galaxy/
# chown -R galaxy:galaxy galaxy-dist/

**********************
* now it should run
ssh galaxy@host
[galaxy@host ~]$ sh /usr/local/galaxy/galaxy-dist/run.sh
Starting server in PID <PID>.
serving on http://127.0.0.1:8080
* yes, it does
**********************

crontab for user galaxy:
SHELL=/bin/sh
@reboot $SHELL /usr/local/galaxy/galaxy-dist/run.sh >>/tmp/galaxy.log
**********************
* --> galaxy will run after the next reboot
* as the log file is in /tmp, it will disappear after a reboot
* put it into /var/log and chown it to make it more persistent
**********************
* after reboot, you can check if galaxy was really run at system boot:
* [user@host ~]$ ps -ef | grep gala
* galaxy    2864  2862  0 15:44 ?        00:00:00 /bin/sh -c $SHELL /usr/local/galaxy/galaxy-dist/run.sh >>/tmp/galaxy.log
* galaxy    2865  2864  0 15:44 ?        00:00:00 /bin/sh /usr/local/galaxy/galaxy-dist/run.sh
* galaxy    3148  2865  2 15:44 ?        00:00:07 python ./scripts/paster.py serve universe_wsgi.ini
* galaxy    3180  2862  0 15:44 ?        00:00:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root

=================================================

**************************
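
The production settings from the notes above can be re-checked after every upgrade or config restore. The following is an added example, not part of the original notes: it reports `debug` or `use_interactive` values other than False, and flags a `universe_wsgi.ini` that carries the database password in `database_connection` while being readable by other local users. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original notes.

# ini_value FILE KEY -> value of the last uncommented "KEY = value" line
ini_value () {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Prints one line per finding; the return code is the number of findings.
audit_galaxy_ini () {
    ini=$1 findings=0
    for key in debug use_interactive; do
        val=$(ini_value "$ini" "$key")
        case $val in
            [Ff]alse) ;;
            *)  # an absent key is reported as <unset> for manual review
                echo "FINDING: $key = ${val:-<unset>} (expected False)"
                findings=$((findings + 1)) ;;
        esac
    done
    # mysql://user:password@host/... puts the DB password into this file
    if ini_value "$ini" database_connection | grep -q '://[^:/@]*:[^@]*@'; then
        mode=$(stat -c '%a' "$ini")              # octal mode (GNU stat)
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FINDING: $ini holds a DB password but has mode $mode (expected 600)"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Run with the path to the config, e.g. /usr/local/galaxy/galaxy-dist/universe_wsgi.ini
if [ -n "${1:-}" ]; then audit_galaxy_ini "$1"; fi
```
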