Merge pull request #4964 from Icinga/packaging

Packaging Adjustments
2023-01-10 08:56:58 +01:00 · 2023-01-10 08:56:58 +01:00 · 57c52cadfa
parent 9a17c6c054 7855293302
commit 57c52cadfa
30 changed files with 15 additions and 442 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1,5 +1,9 @@
-# Exclude files related to git when generating an archive
+test/ export-ignore
 .git* export-ignore
 CONTRIBUTING.md export-ignore
 icingaweb2-ruleset.xml export-ignore
 phpcs.xml export-ignore
 RELEASE.md export-ignore
 # Include version information on `git archive'
 /application/VERSION export-subst
--- a/0
+++ b/0
--- a/doc/20-Advanced-Topics.md
+++ b/doc/20-Advanced-Topics.md
@ -183,7 +183,7 @@ CREATE DATABASE icingaweb2;
 GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE ON icingaweb2.* TO 'icingaweb2'@'localhost' IDENTIFIED BY 'icingaweb2';
 quit
-mysql -p icingaweb2 < /usr/share/doc/icingaweb2/schema/mysql.schema.sql
+mysql -p icingaweb2 < /usr/share/icingaweb2/schema/mysql.schema.sql
 ```
@ -318,7 +318,7 @@ and all the other steps described above first.
 1. Install PHP dependencies: `php`, `php-intl`, `php-imagick`, `php-gd`, `php-mysql`, `php-curl`, `php-mbstring` used
 by Icinga Web 2.
 2. Create a database for Icinga Web 2, i.e. `icingaweb2`.
-3. Import the database schema: `mysql -D icingaweb2 < /usr/share/icingaweb2/etc/schema/mysql.schema.sql`.
+3. Import the database schema: `mysql -D icingaweb2 < /usr/share/icingaweb2/schema/mysql.schema.sql`.
 4. Insert administrator user in the `icingaweb2` database:
 `INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('admin', 1, '<hash>')`, where `<hash>` is the output
 of `php -r 'echo password_hash("yourtopsecretpassword", PASSWORD_DEFAULT);'`.
--- a/doc/80-Upgrading.md
+++ b/doc/80-Upgrading.md
@ -13,8 +13,9 @@ v2.6 to v2.8 requires to follow the instructions for v2.7 too.
 **Database Schema**
 * Please apply the `v2.11.0.sql` upgrade script depending on your database vendor.
-  In package installations this file can be found in `/usr/share/doc/icingaweb2/schema/*-upgrades/`
+  As of version `2.11.4`, upgrade scripts can be found at `/usr/share/icingaweb2/schema/*-upgrades/`.
-  (Debian/Ubuntu: `/usr/share/icingaweb2/etc/schema/*-upgrades/`).
+  Older versions install these files to `/usr/share/doc/icingaweb2/schema/*-upgrades/` for RPM-based systems 
  and `/usr/share/icingaweb2/etc/schema/*-upgrades/` for Debian or Ubuntu.
 **Breaking changes**
--- a/doc/90-SELinux.md
+++ b/doc/90-SELinux.md
@ -13,65 +13,13 @@ For a simplified (and funny) introduction download the [SELinux Coloring Book](h
 ## Policy <a id="selinux-policy"></a>
-Icinga Web 2 is providing its own SELinux policy for Red Hat Enterprise Linux 7 and its derivates running the targeted
+Icinga Web 2 is providing its own SELinux policy for RPM-based systems running the targeted policy
-policy which confines Icinga Web 2 with support for all its modules. All other distributions will require some tweaks.
+which confines Icinga Web 2 with support for all its modules.
 It is not upstreamed to the reference policies yet.
 The policy for Icinga Web 2 will also require the policy for Icinga 2 which provides access to its interfaces.
 It covers only the scenario running Icinga Web 2 in Apache HTTP Server with mod_php.
-## Installation <a id="selinux-policy-installation"></a>
+Use your distribution's package manager to install the `icingaweb2-selinux` package.
 There are two ways to install the SELinux Policy for Icinga Web 2 on Enterprise Linux 7.
 Either install it from the provided package which is the preferred option or intall the policy manually, if you need
 fixes which are not yet released.
 Verify that the system runs in enforcing mode.
    sestatus
    # SELinux status:                 enabled
    # SELinuxfs mount:                /sys/fs/selinux
    # SELinux root directory:         /etc/selinux
    # Loaded policy name:             targeted
    # Current mode:                   enforcing
    # Mode from config file:          enforcing
    # Policy MLS status:              enabled
    # Policy deny_unknown status:     allowed
    # Max kernel policy version:      28
 If problems occur, you can set icinga2 or httpd to run to run its domain in permissive mode.
 You can change the configured mode by editing `/etc/selinux/config` and the current mode by executing `setenforce 0`.
 ### Package installation <a id="selinux-policy-installation-package"></a>
 Simply add the `selinux` subpackage to your installation.
    yum install icingaweb2-selinux
 ### Manual installation <a id="selinux-policy-installation-manual"></a>
 This section describes the manual installation to support development and testing.
 As a prerequisite install the `git`, `selinux-policy-devel` and `audit` package. Enable and start the audit daemon
 afterwards.
    yum install git selinux-policy-devel audit
    systemctl enable auditd.service
    systemctl start auditd.service
 To create and install the policy package run the installation script from the Icinga Web 2 source which also labels the
 resources.
    cd packages/selinux/
    ./icingaweb2.sh
 Verify that Apache runs in its own domain `httpd_t` and the Icinga Web 2 configuration has its own context
 `icingaweb2_config_t`.
    ps -eZ | grep http
    # system_u:system_r:httpd_t:s0     9785 ?        00:00:00 httpd
    ls -ldZ /etc/icingaweb2/
    # drwxrws---. root icingaweb2 system_u:object_r:icingaweb2_config_t:s0 /etc/icingaweb2/
 ## General <a id="selinux-policy-general"></a>
--- a/modules/setup/library/Setup/WebWizard.php
+++ b/modules/setup/library/Setup/WebWizard.php
@ -445,7 +445,7 @@ class WebWizard extends Wizard implements SetupWizard
                        ? $pageData['setup_auth_db_creation']['password']
                        : null,
                    'schemaPath'        => Config::module('setup')
-                        ->get('schema', 'path', Icinga::app()->getBaseDir('etc' . DIRECTORY_SEPARATOR . 'schema'))
+                        ->get('schema', 'path', Icinga::app()->getBaseDir('schema'))
                ))
            );
        } elseif (isset($pageData['setup_config_db_resource'])
@ -466,7 +466,7 @@ class WebWizard extends Wizard implements SetupWizard
                        ? $pageData['setup_config_db_creation']['password']
                        : null,
                    'schemaPath'        => Config::module('setup')
-                        ->get('schema', 'path', Icinga::app()->getBaseDir('etc' . DIRECTORY_SEPARATOR . 'schema'))
+                        ->get('schema', 'path', Icinga::app()->getBaseDir('schema'))
                ))
            );
        }
--- a/packages/RPM.md
+++ b/packages/RPM.md
@ -1,110 +0,0 @@
 # Icinga Web 2 README for RPM Packages
 This file will describe how to install Icinga Web 2 from an RPM
 package (RHEL/CentOS/Fedora, SLES/OpenSUSE).
 ## Requirements
 * EPEL/OBS Repository for Zend Framework
 * Apache 2.2+
 * PHP 5.3+, Zend Framework, PHP PDO MySQL/PostgreSQL, PHP LDAP (optional)
 * MySQL or PostgreSQL for internal DB
 * Icinga 1.x or 2.x providing an IDO database (default: `icinga`)
 * Icinga 1.x or 2.x providing an external command pipe (default: `icinga2.cmd`)
 ### SELinux
 Disabled SELinux for sending commands via external command pipe
 provided by Icinga (2) Core.
    setenforce 0
 ## Webserver Configuration
 Can be generated using the following local icingacli command:
    /usr/share/icingaweb2/bin/icingacli setup config webserver apache
 Pipe the output into `/etc/httpd/conf.d/icingaweb2.conf` or similar,
 if not already existing.
 ## Setup Wizard
 Navigate to `/icingaweb/setup` and follow the on-screen instructions.
 ## Support
 Please use one of the listed support channels at https://support.icinga.com
 ## Manual Setup
 ### Internal DB Setup
 Decide whether to use MySQL or PostgreSQL.
 #### MySQL
    mysql -u root -p
        CREATE USER `icingaweb`@`localhost` IDENTIFIED BY 'icingaweb';
        CREATE DATABASE `icingaweb`;
        GRANT ALL PRIVILEGES ON `icingaweb`.* TO `icingaweb`@`localhost`;
        FLUSH PRIVILEGES;
        quit
    mysql -u root -p icingaweb < /usr/share/doc/icingaweb2*/schema/mysql.schema..sql
 #### PostgreSQL
    sudo su postgres
    psql
    postgres=#  CREATE USER icingaweb WITH PASSWORD 'icingaweb';
    postgres=#  CREATE DATABASE icingaweb;
    postgres=#  \q
 Add the `icingaweb` user for trusted authentication to your `pg_hba.conf` file
 in `/var/lib/pgsql/data/pg_hba.conf` and restart the PostgreSQL server.
    local   icingaweb      icingaweb                            trust
    host    icingaweb      icingaweb      127.0.0.1/32          trust
    host    icingaweb      icingaweb      ::1/128               trust
 Now install the `icingaweb` schema
    bash$  psql -U icingaweb -a -f /usr/share/doc/icingaweb2*/schema/pgsql.schema.sql
 ### Configuration
 #### Module Configuration
 The monitoring module is enabled by default.
 #### Backend configuration
 `/etc/icingaweb2/resources.ini` contains the database backend information.
 By default the Icinga 2 DB IDO is used by the monitoring module in
 `/etc/icingaweb2/modules/monitoring/backends.ini`
 The external command pipe is required for sending commands
 and configured for Icinga 2 in
 `/etc/icingaweb2/modules/monitoring/commandtransports.ini`
 #### Authentication configuration
 The `/etc/icingaweb2/authentication.ini` file uses the internal database as
 default. This requires the database being installed properly before
 allowing users to login via web console.
 #### Default User
 When not using the default setup wizard, you can generate a secure password hash with openssl
 and insert that manually like so:
    openssl passwd -1 "yoursecurepassword"
    mysql -uicingaweb -p icingaweb
    mysql> INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '$yoursecurepassword_hash');
--- a/packages/files/apache/icingaweb2.conf
+++ b/packages/files/apache/icingaweb2.conf
@ -1,60 +0,0 @@
 Alias /icingaweb2 "/usr/share/icingaweb2/public"
 # Remove comments if you want to use PHP FPM and your Apache version is older than 2.4
 #<IfVersion < 2.4>
 #    # Forward PHP requests to FPM
 #    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
 #    <LocationMatch "^{urlPath}/(.*\.php)$">
 #        ProxyPassMatch "fcgi://127.0.0.1:9000/{documentRoot}/$1"
 #    </LocationMatch>
 #</IfVersion>
 <Directory "/usr/share/icingaweb2/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    DirectoryIndex index.php
    <IfModule mod_authz_core.c>
        # Apache 2.4
        <RequireAll>
            Require all granted
        </RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Allow from all
    </IfModule>
    SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
    EnableSendfile Off
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /icingaweb2/
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>
    <IfModule !mod_rewrite.c>
        DirectoryIndex error_norewrite.html
        ErrorDocument 404 /icingaweb2/error_norewrite.html
    </IfModule>
 # Remove comments if you want to use PHP FPM and your Apache version
 # is greater than or equal to 2.4
 #    <IfVersion >= 2.4>
 #        # Forward PHP requests to FPM
 #        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
 #        <FilesMatch "\.php$">
 #            SetHandler "proxy:fcgi://127.0.0.1:9000"
 #            ErrorDocument 503 {urlPath}/error_unavailable.html
 #        </FilesMatch>
 #    </IfVersion>
 </Directory>
--- a/packages/files/apache/icingaweb2.fpm.conf
+++ b/packages/files/apache/icingaweb2.fpm.conf
@ -1,57 +0,0 @@
 Alias /icingaweb2 "/usr/share/icingaweb2/public"
 <IfVersion < 2.4>
    # Forward PHP requests to FPM
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    <LocationMatch "^/icingaweb2/(.*\.php)$">
        ProxyPassMatch "fcgi://127.0.0.1:9000/usr/share/icingaweb2/public/$1"
    </LocationMatch>
 </IfVersion>
 <Directory "/usr/share/icingaweb2/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    DirectoryIndex index.php
    <IfModule mod_authz_core.c>
        # Apache 2.4
        <RequireAll>
            Require all granted
        </RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Allow from all
    </IfModule>
    SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
    EnableSendfile Off
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /icingaweb2/
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>
    <IfModule !mod_rewrite.c>
        DirectoryIndex error_norewrite.html
        ErrorDocument 404 /icingaweb2/error_norewrite.html
    </IfModule>
    <IfVersion >= 2.4>
        # Forward PHP requests to FPM
        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
        <FilesMatch "\.php$">
            SetHandler "proxy:fcgi://127.0.0.1:9000"
            ErrorDocument 503 /icingaweb2/error_unavailable.html
        </FilesMatch>
    </IfVersion>
 </Directory>
--- a/packages/files/bin/icingacli
+++ b/packages/files/bin/icingacli
@ -1,7 +0,0 @@
 #!/usr/bin/php
 <?php
 /*! Icinga Web 2 | (c) 2013-2015 Icinga Development Team | GPLv2+ */
 require_once '/usr/share/php/Icinga/Application/Cli.php';
 Icinga\Application\Cli::start('/usr/share/icingaweb2')->dispatch();
--- a/packages/files/config/modules/doc/config.ini
+++ b/packages/files/config/modules/doc/config.ini
@ -1,3 +0,0 @@
 [documentation]
 icingaweb2 = /usr/share/doc/icingaweb2/markdown
 modules = /usr/share/doc/icingaweb2/modules/{module}/markdown
--- a/packages/files/config/modules/setup/config.ini
+++ b/packages/files/config/modules/setup/config.ini
@ -1,2 +0,0 @@
 [schema]
 path = /usr/share/doc/icingaweb2/schema
--- a/packages/files/config/modules/translation/config.ini
+++ b/packages/files/config/modules/translation/config.ini
@ -1,4 +0,0 @@
 [translation]
 msgmerge = /usr/bin/msgmerge
 xgettext = /usr/bin/xgettext
 msgfmt = /usr/bin/msgfmt
--- a/packages/files/public/index.php
+++ b/packages/files/public/index.php
@ -1,4 +0,0 @@
 <?php
 /*! Icinga Web 2 | (c) 2014 Icinga Development Team | GPLv2+ */
 require_once '/usr/share/php/Icinga/Application/webrouter.php';
--- a/packages/selinux/icingaweb2.fc
+++ b/packages/selinux/icingaweb2.fc
@ -1,7 +0,0 @@
 /etc/icingaweb2(/.*)?           gen_context(system_u:object_r:icingaweb2_config_t,s0)
 /usr/share/icingaweb2(/.*)?           gen_context(system_u:object_r:icingaweb2_content_t,s0)
 /var/log/icingaweb2(/.*)?         gen_context(system_u:object_r:icingaweb2_rw_content_t,s0)
 /var/cache/icingaweb2(/.*)?         gen_context(system_u:object_r:icingaweb2_rw_content_t,s0)
 /var/lib/icingaweb2(/.*)?         gen_context(system_u:object_r:icingaweb2_rw_content_t,s0)
--- a/packages/selinux/icingaweb2.if
+++ b/packages/selinux/icingaweb2.if
@ -1,45 +0,0 @@
 ########################################
 ## <summary>
 ##      Allow the specified domain to read
 ##      icingaweb2 configuration files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`icingaweb2_read_config',`
        gen_require(`
                type icingaweb2_config_t;
        ')
        files_search_etc($1)
        list_dirs_pattern($1, icingaweb2_config_t, icingaweb2_config_t)
        read_files_pattern($1, icingaweb2_config_t, icingaweb2_config_t)
 	read_lnk_files_pattern($1, icingaweb2_config_t, icingaweb2_config_t)
 ')
 ########################################
 ## <summary>
 ##      Allow the specified domain to read
 ##      and write icingaweb2 configuration files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`icingaweb2_manage_config',`
        gen_require(`
                type icingaweb2_config_t;
        ')
        files_search_etc($1)
        manage_dirs_pattern($1, icingaweb2_config_t, icingaweb2_config_t)
        manage_files_pattern($1, icingaweb2_config_t, icingaweb2_config_t)
 	manage_lnk_files_pattern($1, icingaweb2_config_t, icingaweb2_config_t)
 ')
--- a/packages/selinux/icingaweb2.sh
+++ b/packages/selinux/icingaweb2.sh
@ -1,52 +0,0 @@
 #!/bin/sh -e
 DIRNAME=`dirname $0`
 cd $DIRNAME
 USAGE="$0 [ --update ]"
 if [ `id -u` != 0 ]; then
 echo 'You must be root to run this script'
 exit 1
 fi
 if [ $# -eq 1 ]; then
 	if [ "$1" = "--update" ] ; then
 		time=`ls -l --time-style="+%x %X" icingaweb2.te | awk '{ printf "%s %s", $6, $7 }'`
 		rules=`ausearch --start $time -m avc --raw -se icinga2`
 		if [ x"$rules" != "x" ] ; then
 			echo "Found avc's to update policy with"
 			echo -e "$rules" | audit2allow -R
 			echo "Do you want these changes added to policy [y/n]?"
 			read ANS
 			if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
 				echo "Updating policy"
 				echo -e "$rules" | audit2allow -R >> icingaweb2.te
 				# Fall though and rebuild policy
 			else
 				exit 0
 			fi
 		else
 			echo "No new avcs found"
 			exit 0
 		fi
 	else
 		echo -e $USAGE
 		exit 1
 	fi
 elif [ $# -ge 2 ] ; then
 	echo -e $USAGE
 	exit 1
 fi
 echo "Building and Loading Policy"
 set -x
 make -f /usr/share/selinux/devel/Makefile icingaweb2.pp || exit
 /usr/sbin/semodule -i icingaweb2.pp
 # Generate a man page off the installed module
 #sepolicy manpage -p . -d icingaweb2_t
 # Fixing the file context on /etc/icingaweb2
 /sbin/restorecon -F -R -v /etc/icingaweb2
 # Fixing the file context on /var/log/icingaweb2
 /sbin/restorecon -F -R -v /var/log/icingaweb2
 # Fixing the file context on /usr/share/icingaweb2
 /sbin/restorecon -F -R -v /usr/share/icingaweb2
--- a/packages/selinux/icingaweb2.te
+++ b/packages/selinux/icingaweb2.te
@ -1,29 +0,0 @@
 policy_module(icingaweb2, 0.0.1)
 ########################################
 #
 # Declarations
 #
 require {
 	type httpd_t;
 }
 ## <desc>
 ## <p>
 ## Allow Apache to manage icingaweb2 configuration
 ## </p>
 ## </desc>
 gen_tunable(httpd_can_manage_icingaweb2_config, true)
 type icingaweb2_config_t;
 files_config_file(icingaweb2_config_t)
 optional_policy(`
 	apache_content_template(icingaweb2)
 	icingaweb2_read_config(httpd_t)
 	tunable_policy(`httpd_can_manage_icingaweb2_config',`
 		icingaweb2_manage_config(httpd_t)
 	')
 ')
--- a/etc/schema/mysql-upgrades/2.0.0beta3-2.0.0rc1.sql
+++ b/etc/schema/mysql-upgrades/2.0.0beta3-2.0.0rc1.sql
--- a/etc/schema/mysql-upgrades/2.11.0.sql
+++ b/etc/schema/mysql-upgrades/2.11.0.sql
--- a/etc/schema/mysql-upgrades/2.5.0.sql
+++ b/etc/schema/mysql-upgrades/2.5.0.sql
--- a/etc/schema/mysql-upgrades/2.9.0.sql
+++ b/etc/schema/mysql-upgrades/2.9.0.sql
--- a/etc/schema/mysql-upgrades/2.9.1.sql
+++ b/etc/schema/mysql-upgrades/2.9.1.sql
--- a/etc/schema/mysql.schema.sql
+++ b/etc/schema/mysql.schema.sql
--- a/etc/schema/pgsql-upgrades/2.0.0beta3-2.0.0rc1.sql
+++ b/etc/schema/pgsql-upgrades/2.0.0beta3-2.0.0rc1.sql
--- a/etc/schema/pgsql-upgrades/2.11.0.sql
+++ b/etc/schema/pgsql-upgrades/2.11.0.sql
--- a/etc/schema/pgsql-upgrades/2.5.0.sql
+++ b/etc/schema/pgsql-upgrades/2.5.0.sql
--- a/etc/schema/pgsql-upgrades/2.9.0.sql
+++ b/etc/schema/pgsql-upgrades/2.9.0.sql
--- a/etc/schema/pgsql-upgrades/2.9.1.sql
+++ b/etc/schema/pgsql-upgrades/2.9.1.sql
--- a/etc/schema/pgsql.schema.sql
+++ b/etc/schema/pgsql.schema.sql
		`@ -1,2 +0,0 @@`
			`[schema]`
			`path = /usr/share/doc/icingaweb2/schema`