Why the need for another 'Installing Moodle' guide? Two reasons, Systemd and SELinux.
The steps are presented as a Bash script, which may be run on a virgin system, installing a complete working Moodle stack in one go, including enforcing SELinux.
In addition to the absolute basics it also includes adding ClamAV virus for file uploads and Memcached for sessions and 'MUC'.
It does not cover any extras you will need to get your site up to production, e.g. securing your database or updating your virus definitions automatically. Neither does it do any extra PHP configuration (upload limits, execution time etc.) or any extra complexities that might be desirable. For all of this you should goto docs.moodle.org.
The steps are presented as a Bash script, which may be run on a virgin system, installing a complete working Moodle stack in one go, including enforcing SELinux.
In addition to the absolute basics it also includes adding ClamAV virus for file uploads and Memcached for sessions and 'MUC'.
It does not cover any extras you will need to get your site up to production, e.g. securing your database or updating your virus definitions automatically. Neither does it do any extra PHP configuration (upload limits, execution time etc.) or any extra complexities that might be desirable. For all of this you should goto docs.moodle.org.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # This Bash script installs Moodle (http://moodle.org) and all it's | |
| # requirements into a freshly installed Centos or RHEL 7 operating system. | |
| # It assumes an 'Enforced' SELinux environment and configures the system | |
| # accordingly. | |
| # | |
| # It is designed to be instructional and clear to read to persons unfamiliar | |
| # with Bash and as such does *no* sanity checking before taking actions. | |
| # Becasue of this *great* care should be taken if you feel the urge to run | |
| # this twice on a single system. | |
| # | |
| # What this script does | |
| # ===================== | |
| # - Installs and configures a 'LAMP' stack | |
| # - Installs and configures ClamAV | |
| # - Installs Memcached and configures two instances | |
| # - Creates the Moodle database | |
| # - Installs Moodle with good defaults | |
| # - Configures SELinux paramaters so that it may remain enforced | |
| # | |
| # What this script does NOT do | |
| # ============================ | |
| # This script does not generate a production ready environment. | |
| # e.g. root access to the database is not secured and the clamav virus | |
| # definitions are not updated or scheduled to be updated (freshclam). | |
| # These are just two examples. | |
| # | |
| # The MIT License (MIT) | |
| # ===================== | |
| # | |
| # Copyright (c) 2015 Paul Verrall | |
| # | |
| # Permission is hereby granted, free of charge, to any person obtaining a copy | |
| # of this software and associated documentation files (the "Software"), to deal | |
| # in the Software without restriction, including without limitation the rights | |
| # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
| # copies of the Software, and to permit persons to whom the Software is | |
| # furnished to do so, subject to the following conditions: | |
| # | |
| # The above copyright notice and this permission notice shall be included in all | |
| # copies or substantial portions of the Software. | |
| # | |
| # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |
| # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |
| # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |
| # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |
| # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |
| # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |
| # SOFTWARE. | |
| ################################################## | |
| # This script is intended to be run as root user. | |
| # Lets just check that before we begin. | |
| ################################################## | |
| if [ "$(id -u)" != "0" ]; then | |
| echo "This script must be run as root" 1>&2 | |
| exit 1 | |
| fi | |
| # First Install some core utilities we will need. | |
| # git - for fetching and managing the Moodle source | |
| # policycoreutils-python - for managing SELiinux | |
| # epel-release - for Clamav and Zend Opcache | |
| yum install -y git policycoreutils-python epel-release | |
| ################################################## | |
| # httpd (apache) | |
| ################################################## | |
| # Install the httpd and the core php mdules we'll need | |
| yum install -y httpd php php-gd php-fpm php-cli php-xmlrpc php-soap \ | |
| php-intl php-mbstring php-xml php-pecl-zendopcache | |
| # Add persistent rule to the firewall for http | |
| firewall-cmd --permanent --add-service=http | |
| firewall-cmd --reload | |
| # SELinux - Allow httpd to send emails | |
| setsebool -P httpd_can_sendmail 1 | |
| # SELinux - Allow httpd to use network daemons, e.g. memcached | |
| setsebool -P httpd_can_network_relay 1 | |
| # SELinux - Allow httpd to make network connections, e.g. LDAP, external rss, etc. | |
| setsebool -P httpd_can_network_connect 1 | |
| # We need to forbid access to the .git folder in our web root | |
| # To do this we add the file '/etc/httpd/conf.d/no-git.conf' | |
| # in which we match the locations begining with .git and forbid them | |
| cat << EOF > /etc/httpd/conf.d/no-git.conf | |
| <LocationMatch "/.git"> | |
| Require all denied | |
| </LocationMatch> | |
| EOF | |
| ################################################## | |
| # Database (mariadb) | |
| ################################################## | |
| yum install -y mariadb-server php-mysqlnd | |
| systemctl enable mariadb | |
| systemctl start mariadb | |
| # Choose a Moodle database name, default moodle | |
| echo -n "Enter a database name and press [ENTER]: " | |
| read -e -i moodle YOUR_DB | |
| # Choose a Moodle database user, default moodleuser | |
| echo -n "Enter a database username and press [ENTER]: " | |
| read -e -i moodleuser YOUR_USER | |
| # Choose a moodle databse password, default yourpassword | |
| echo -n "Enter a database password and press [ENTER]: " | |
| read -e -i yourpassword YOUR_PASSWORD | |
| # Create a moodle database as per https://docs.moodle.org/29/en/MySQL#Creating_Moodle_database | |
| echo "Log into mariadb (mysql) with the ROOT password you set, NOT the moodle database password." | |
| mysql -uroot << EOF | |
| SET GLOBAL innodb_file_per_table=1; | |
| SET GLOBAL innodb_file_format=Barracuda; | |
| CREATE DATABASE $YOUR_DB DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci; | |
| GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,CREATE TEMPORARY TABLES,DROP,INDEX,ALTER | |
| ON $YOUR_DB.* TO moodleuser@localhost IDENTIFIED BY '$YOUR_PASSWORD'; | |
| EOF | |
| ################################################## | |
| ### AV (clamav) | |
| ################################################## | |
| # Install the clam daemon and tools | |
| yum install -y clamav-scanner-systemd clamav clamav-update | |
| # Edit the /etc/clam.d/scan.conf and delete 'Example' near the top | |
| sed -i '/^Example/d' /etc/clamd.d/scan.conf | |
| # Uncomment the following line from /etc/clamd.d/scan.conf | |
| # 'LocalSocket /var/run/clamd.scan/clamd.sock' | |
| sed -i 's#^\(.*\)\(LocalSocket /var/run/clamd\.scan/clamd\.sock\)#\2#' \ | |
| /etc/clamd.d/scan.conf | |
| # Allow httpd to access the clamav socket by changing the group on /var/run/clamd.scan | |
| # as per instruction at /usr/share/doc/clamav-server-0.98.7/README | |
| chgrp apache /var/run/clamd.scan | |
| # link the to /etc/cland.conf so command line tools 'just work' | |
| ln -s /etc/clamd.d/scan.conf /etc/clamd.conf | |
| # SELinux - Allow Clamd to work | |
| setsebool -P antivirus_can_scan_system 1 | |
| # Start our Clamav service | |
| systemctl enable clamd@scan.service | |
| systemctl start clamd@scan.service | |
| ################################################## | |
| # Memcached | |
| ################################################## | |
| # Install memcached and it's php module | |
| yum install -y memcached php-pecl-memcached | |
| # Disable the default memcached service | |
| systemctl mask memcached | |
| # We are going to be running two memcached services | |
| # One for sessions and one for the MUC | |
| # Create their environment configuration | |
| cp /etc/sysconfig/memcached /etc/sysconfig/memcached_muc | |
| cp /etc/sysconfig/memcached /etc/sysconfig/memcached_sessions | |
| # Edit only the sessions file and increase the port number to 11212 | |
| sed -i 's/11211/11212/' /etc/sysconfig/memcached_sessions | |
| # Create the Systemd service (unit) definitiond for our two memcached services | |
| cp /lib/systemd/system/memcached.service /lib/systemd/system/memcached_muc.service | |
| cp /lib/systemd/system/memcached.service /lib/systemd/system/memcached_sessions.service | |
| # edit the coressponding EnvironmentFile path by appending _(sessions|muc) | |
| sed -i 's/^\(EnvironmentFile=-\/etc\/sysconfig\/memcached\)$/\1_muc/' \ | |
| /lib/systemd/system/memcached_muc.service | |
| sed -i 's/^\(EnvironmentFile=-\/etc\/sysconfig\/memcached\)$/\1_sessions/' \ | |
| /lib/systemd/system/memcached_sessions.service | |
| # SELinux - Allow memcached to use a non-default port | |
| semanage port -a -t memcache_port_t -p tcp 11212 | |
| semanage port -a -t memcache_port_t -p udp 11212 | |
| # Enable and start memcached | |
| systemctl enable memcached_sessions | |
| systemctl enable memcached_muc | |
| systemctl start memcached_sessions | |
| systemctl start memcached_muc | |
| ################################################## | |
| # Moodle | |
| ################################################## | |
| # Get the Moodle source code using git and put it in our default webroot | |
| git clone https://github.com/moodle/moodle.git /var/www/html | |
| # Move to the webroot | |
| cd /var/www/html | |
| # Establish what the most recent current stable version of Moodle is | |
| MOODLE_VERSION=$(git branch -r | grep -o MOODLE_.* | sort -nr | head -n1) | |
| # Checkout a new git branch based on current stable | |
| git checkout -b $MOODLE_VERSION origin/$MOODLE_VERSION | |
| # Create a moodledata directory outside of the webroot | |
| # and allow apache to write to it | |
| mkdir -p /var/www/moodledata | |
| chgrp apache /var/www/moodledata | |
| chmod 2770 /var/www/moodledata | |
| # SELinux - Allow httpd to read/write to the moodledata directory | |
| semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/moodledata(/.*)?" | |
| restorecon -R /var/www/moodledata | |
| # Allow apache to write to the webroot to create config.php | |
| chmod 0770 /var/www/html | |
| chgrp apache /var/www/html | |
| # SELinux - Allow apache to write to the webroot to create config.php | |
| chcon -t httpd_sys_rw_content_t /var/www/html | |
| # Install moodle using the database paramaters set earlier | |
| install_vars="--chmod=2770 \ | |
| --wwwroot="http://localhost" \ | |
| --dbuser=$YOUR_USER \ | |
| --dbname=$YOUR_DB \ | |
| --dbpass=$YOUR_PASSWORD \ | |
| --dbtype=mariadb" | |
| su apache -s /bin/bash -c \ | |
| "/usr/bin/php /var/www/html/admin/cli/install.php $install_vars" | |
| # Add directives for clam and memcached sessions to config.php | |
| cat << EOF > config.ammedments | |
| \$CFG->runclamonupload = 1; | |
| \$CFG->pathtoclam = '/bin/clamdscan'; | |
| \$CFG->session_handler_class = '\core\session\memcached'; | |
| \$CFG->session_memcached_save_path = '127.0.0.1:11212'; | |
| \$CFG->session_memcached_prefix = 'memc.sess.key.'; | |
| \$CFG->session_memcached_acquire_lock_timeout = 120; | |
| \$CFG->session_memcached_lock_expire = 7200; | |
| EOF | |
| sed -i '/directorypermissions/r config.ammedments' config.php && rm -f config.ammedments | |
| # SELinux - restore contexts to the webtoot, removing write access for apache | |
| restorecon -R /var/www/html | |
| # Enable and start the httpd | |
| systemctl enable httpd | |
| systemctl start httpd | |
| cat << EOF | |
| You may now log in to Moodle at the address you specified during setup. | |
| Once you have logged in you will want to configure the MUC to use the | |
| Memcached instace we configured for it. Instructions on how to do this | |
| are available at: | |
| https://docs.moodle.org/29/en/MUC_FAQ#How_do_I_deploy_Memcached | |
| EOF | |
| exit |
Hi,
ReplyDeleteyour script works like a charm on Centos 7 minimal install, but SELINUX is driving me CRAZY... I'm trying to authenticate against an LDAP Server so I reinstalled php_ldap, configured this but SE Linux blocks my attempt to do a LDAP authentication...
Error is:
type=AVC msg=audit(1445443071.092:399): avc: denied { name_connect } for pid=1890 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1445443071.092:399): arch=c000003e syscall=42 success=noexit=-13 a0=c a1=7fa6b062b370 a2=10 a3=0 items=0 ppid=1123 pid=1890 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
I'm new to selinux (and I clearly understand its necessity) but I have no idea, which bool to set to allow httpd to state LDAP queries...
Can you help me out?
Thanks and Keep up the good work...
best regards...
And here is the solution...
ReplyDeleteI've just entered the following:
setsebool -P httpd_can_network_connect=1
and now it is working like a charm, even with ldap authentication...
Keep up the good work!
Great stuff, glad you found it useful.
Deletea update to php7 please, greetings
ReplyDeleteThank You
ReplyDeleteThe Ultimate Guide to the Best Casino | 2021 Updated
ReplyDeleteThe Ultimate Guide 코인갤러리 to the Best Casino Games · 1. Jackpot City 일반인 후방 · 2. Bovada bet analysis · 3. MyBookie · 4. Red Dog Casino · 서산 휴게텔 5. Cafe 바카라시스템배팅 Casino · 6. Intertops Casino.