Base Components

ESG Apache Manager Module
Module for installing Apache and mod_wsgi. Also contains Apache process management functions.

ESG Postgres Module

esg_postgres.backup_db(db_name, schema=None, backup_dir='/etc/esgf_db_backup')
    Backup database to directory specified by backup_dir

esg_postgres.build_connection_string(user, db_name=None, host=None, password=None)
    Creates the db connection string using the params as options

esg_postgres.check_existing_pg_version(psql_path)
    Gets the version number if a previous Postgres installation is detected

esg_postgres.connect_to_db(user, db_name=None, host='/tmp', password=None)
    Connect to database

esg_postgres.create_pg_publisher_user(cursor, db_user_password)
    Creates postgres user for the ESGF Publisher (esgcet by default)

esg_postgres.create_pg_super_user(psycopg2_cursor, db_user_password)
    Create postgres super user

esg_postgres.list_roles(conn=None, user_name='postgres', db_name='postgres')
    List all roles

esg_postgres.list_tables(conn=None, user_name='postgres', db_name='postgres')
    List all tables in current database

esg_postgres.list_users(conn=None, user_name='postgres', db_name='postgres')
    List all users in database

esg_postgres.log_postgres_properties()
    Write postgres properties to /esg/config/esgf.properties

esg_postgres.postgres_clean_schema_migration(repository_id)
    Removes entries from the esgf_migrate_version table if any exist where repository_id matches an SQL LIKE to the first argument
    The SQL LIKE strings are generally defined in "src/python/esgf/<reponame>/schema_migration/migrate.cfg" in each relevant repository.

esg_postgres.postgres_list_db_schemas(conn=None, user_name='postgres', db_name='postgres', password=None)
    This prints a list of all schemas known to postgres.

esg_postgres.postgres_list_dbs(conn=None, user_name='postgres', db_name='postgres')
    This prints a list of all databases known to postgres.
ESG Setup Module

esg_setup.check_prerequisites()
    A check for what is expected to be on the system a-priori that we are not going to install or be responsible for.
ESG Tomcat Module
Tomcat Management Functions

esg_tomcat_manager.copy_config_files()
    copy custom configuration
    context.xml: increases the Tomcat cache to avoid flood of warning messages

esg_tomcat_manager.copy_credential_files(tomcat_install_config_dir)
    Copy Tomcat config files

esg_tomcat_manager.extract_tomcat_tarball(dest_dir='/usr/local')
    Extract tomcat tarball that was downloaded from the distribution mirror

esg_tomcat_manager.migrate_tomcat_credentials_to_esgf()
    Move selected config files into esgf tomcat’s config dir (certificate et al)
    Ex: /esg/config/tomcat
        -rw-r--r-- 1 tomcat tomcat 181779 Apr 22 19:44 esg-truststore.ts
        -r-------- 1 tomcat tomcat 887 Apr 22 19:32 hostkey.pem
        -rw-r--r-- 1 tomcat tomcat 1276 Apr 22 19:32 keystore-tomcat
        -rw-r--r-- 1 tomcat tomcat 590 Apr 22 19:32 pcmdi11.llnl.gov-esg-node.csr
        -rw-r--r-- 1 tomcat tomcat 733 Apr 22 19:32 pcmdi11.llnl.gov-esg-node.pem
        -rw-r--r-- 1 tomcat tomcat 295 Apr 22 19:42 tomcat-users.xml
    Only called when migration conditions are present.

esg_tomcat_manager.remove_default_error_page()
    Removes the default Tomcat error page.
    From https://www.owasp.org/index.php/Securing_tomcat: The default error page shows a full stacktrace which is a disclosure of sensitive information. Place the following within the web-app tag (after the welcome-file-list tag is fine). The following solution is not ideal as it produces a blank page because Tomcat cannot find the file specified, but without a better solution this, at least, achieves the desired result. A well configured web application will override this default in CATALINA_HOME/webapps/APP_NAME/WEB-INF/web.xml so it won’t cause problems.
Data Node Components

ESG Publisher Module
ESGCET Package (Publisher) functions

esg_publisher.check_publisher_version()
    Check if an existing version of the Publisher is found on the system

esg_publisher.edit_esg_ini(node_short_name='test_node')
    Edit placeholder values in the generated esg.ini file

esg_publisher.generate_esgsetup_options()
    Generate the string that will pass arguments to esgsetup to initialize the database

esg_publisher.run_esginitialize()
    Run the esginitialize script to initialize the ESG node database.
ESG ORP Module
Module to install the OpenID Relying Party

orp.get_orp_support_libs(dest_dir, esg_dist_url)
    Takes the destination directory you wish to have supported libs checked and downloaded to. Returns the number of files downloaded (in this case max of 2), or 0 if there was no update of libs necessary.

orp.orp_startup_hook()
    This function is called by esg-node before starting tomcat! This is how we make sure we are always using the proper credentials.

orp.setup_providers_dropdown()
    Do additional setup to configure CEDA-provided ORP with a dropdown list of IDPs
ESG Thredds Module

thredds.add_tomcat_user()
    Add a user to the default Tomcat user database (tomcat-users.xml) for container-managed authentication

thredds.copy_jar_files(esg_dist_url)
    TDS jars necessary to support ESGF security filters. Some jars are retrieved from the ESGF repository; other jars are copied from the unpacked ORP or NM distributions.

thredds.copy_public_directory()
    HACK ALERT!! For some reason the public directory does not respect thredds’ tds.context.root.path property… So have to manually move over this directory to avert server not starting! -gavin

thredds.copy_xml_files()
    Copy Thredds configuration XML files into proper location on server

thredds.create_password_hash(tomcat_user_password)
    Creates a hash for a Tomcat user’s password using Tomcat’s digest.sh script

thredds.select_idp_peer(esgf_idp_peer=None)
    Called during setup_tds or directly by --set-idp-peer | --set-admin-peer flags

thredds.update_tomcat_users_file(tomcat_username, password_hash, tomcat_users_file='/esg/config/tomcat/tomcat-users.xml')
    Adds a new user to the tomcat-users.xml file
ESG Cert Manager
Certificate Management Functions

esg_cert_manager.check_cert_expiry(cert_name)
    Check if a certificate is valid or has expired

esg_cert_manager.check_certificates()
    Check the validity of the ESGF and Globus certificates

esg_cert_manager.check_for_commercial_ca()
    Checks if the Commercial CA directory has been created; asks the user if they would like to proceed with Commercial CA installation if the directory is found

esg_cert_manager.create_cert_request(pkey, digest='sha256', **name)
    source: https://github.com/pyca/pyopenssl/blob/master/examples/certgen.py

esg_cert_manager.create_certificate(req, issuer_cert_key, serial, validity_period, digest='sha256')
    Generate a certificate given a certificate request.
    Arguments:
        req - Certificate request to use
        issuer_cert - The certificate of the issuer
        issuer_key - The private key of the issuer
        serial - Serial number for the certificate
        not_before - Timestamp (relative to now) when the certificate starts being valid
        not_after - Timestamp (relative to now) when the certificate stops being valid
        digest - Digest method to use for signing, default is sha256
    Returns: The signed certificate in an X509 object

esg_cert_manager.create_key_pair(key_type, bits=4096)
    source: https://github.com/pyca/pyopenssl/blob/master/examples/certgen.py

esg_cert_manager.extract_keystore_dn()
    Returns the distinguished name from the Java keystore

esg_cert_manager.extract_openssl_dn(public_cert='/etc/grid-security/hostcert.pem')
    Regex’s the output from openssl’s x509 output in "openssl" format:
        Subject: O=Grid, OU=GlobusTest, OU=simpleCA-pcmdi3.llnl.gov, CN=pcmdi7.llnl.gov
    and transforms it to our "standard" format
        /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=pcmdi7.llnl.gov
    arg 1 -> the location of the x509 pem file
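The Subject-line conversion described for extract_openssl_dn, as an added example (not the esg_cert_manager source). It generalizes slightly beyond the documented case: it also accepts the spaced "O = Grid" form that newer OpenSSL releases print and keeps commas that sit inside a value. The function name, the SAMPLE text and its issuer CN are constructed for illustration.

```python
import re

# One "KEY=value" pair; the value runs lazily up to the next ", KEY=" or the
# end of the line, so a comma inside a value ("O=Example, Inc.") survives.
_KEY = r"[A-Za-z][A-Za-z0-9.]*"
_RDN = re.compile(r"(%s)\s*=\s*(.*?)(?=\s*,\s*%s\s*=|\s*$)" % (_KEY, _KEY))
# "Subject:" must start the line, which skips "Issuer:",
# "Subject Public Key Info:" and "X509v3 Subject Alternative Name:".
_SUBJECT = re.compile(r"^[ \t]*Subject:[ \t]*(\S.*)$", re.MULTILINE)

# Constructed excerpt of `openssl x509 -noout -text` output.
SAMPLE = """Certificate:
    Data:
        Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-pcmdi3.llnl.gov, CN=Constructed CA
        Subject: O=Grid, OU=GlobusTest, OU=simpleCA-pcmdi3.llnl.gov, CN=pcmdi7.llnl.gov
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
"""


def subject_to_slash_dn(x509_text):
    """Return the certificate subject in /K=V/K=V form.

    Raises ValueError when the text has no usable Subject line, so a caller
    never compares against an empty or partial DN.
    """
    match = _SUBJECT.search(x509_text)
    if match is None:
        raise ValueError("no Subject: line found")
    pairs = _RDN.findall(match.group(1))
    if not pairs:
        raise ValueError("Subject line has no KEY=value components")
    return "".join("/%s=%s" % (key, value) for key, value in pairs)


if __name__ == "__main__":
    print(subject_to_slash_dn(SAMPLE))
```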

esg_cert_manager.generate_esgf_csrs(node_type_list)
    Generates a CSR to be signed by an ESGF CA

esg_cert_manager.generate_esgf_csrs_ext(node_type)
    Generates a CSR to be signed by an ESGF CA

esg_cert_manager.generate_ssl_key_and_csr(private_key='/usr/local/tomcat/hostkey.pem', public_cert_req=None)
    Create an SSL keypair and CSR
ESG Functions
esg-functions: ESGF Node Application Stack Functions
description: Installer Functions for the ESGF Node application stack

esg_functions.backup(path, backup_dir='/esg/backups', num_of_backups=7)
    Given a directory, the contents of the directory are backed up as a tar.gz file in
        path - a filesystem path
        backup_dir - destination directory for putting backup archive (default esg_backup_dir:-/esg/backups)
        num_of_backups - the number of backup files you wish to have present in destination directory (default num_backups_to_keep:-7)

esg_functions.call_binary(binary_name, arguments=None, silent=False, conda_env=None)
    Uses plumbum to make a call to a CLI binary. The arguments should be passed as a list of strings

esg_functions.call_subprocess(command_string, command_stdin=None)
    Mimics subprocess.call; Need this on CentOS 6 because system Python is 2.6, which doesn’t have subprocess.call()

esg_functions.change_ownership_recursive(directory_path, uid=-1, gid=-1)
    Recursively changes ownership on a directory and its subdirectories; Mimics chown -R

esg_functions.change_permissions_recursive(path, mode)
    Recursively changes permissions on a directory and its subdirectories; Mimics chmod -R

esg_functions.check_for_update(filename_1, filename_2=None)
    Does an md5 check between local and remote resource. Returns 0 (success) iff there is no match, thus indicating that an update is available.
    USAGE: checked_for_update [file] http://www.foo.com/file

esg_functions.check_shmmax(min_shmmax=48)
    NOTE: This is another RedHat/CentOS specialty thing (sort of)
    arg1 - min value of shmmax in MB (see: /etc/sysctl.conf)

esg_functions.confirm_password(password_input, password_confirmation)
    Helper function to confirm that passwords match. Returns true if passwords match

esg_functions.convert_hash_to_hex(subject_name_hash)
    Converts the subject_name_hash from a long to a hex string

esg_functions.create_backup_file(file_name, backup_extension='.bak', date='2018-11-30')
    Create a backup of a file using the given backup extension

esg_functions.download_update(local_file, remote_file=None, force_download=False, make_backup_file=False, use_local_files=False)
    If an update is available then pull it down… then check the md5 sums again!
    Yes, this results in 3 network calls to pull down a file, but it saves total bandwidth and it also allows the updating from the network process to be crontab-able while parsimonious with resources. It is also very good practice to make sure that code being executed is the RIGHT code!
    The 3rd token is the "force" flag value 1|0.
        1 = do not check for update, directly go and fetch the file regardless
        0 = first check for update availability. (default)
    The 4th token indicates whether a backup file should be made, flag value 1|0.
        1 = yes, create a .bak file if the file is already there before fetching new
        0 = no, do NOT make a .bak file even if the file is already there, overwrite it
    (When using the force flag you MUST specify the first two args!!)
    NOTE: Has multiple return values; test for (( $? > 1 )) when looking for errors
    A return value of 1 only means that the file is up-to-date and there is no reason to fetch it.
    USAGE: checked_get [file] http://www.foo.com/file [<1|0>] [<1|0>]

esg_functions.extract_tarball(tarball_name, dest_dir='.')
    Extract a tarball to the given dest_dir

esg_functions.fetch_remote_file(local_file, remote_file)
    Download a remote file from a distribution mirror and write its contents to the local_file

esg_functions.get_dir_owner_and_group(path)
    Returns a tuple containing the owner and group of the given directory path

esg_functions.get_esgf_host()
    Get the esgf host name from the file; if not in file, return the fully qualified domain name (FQDN)

esg_functions.get_java_keystore_password()
    Gets the keystore_password from the saved ks_secret_file at /esg/config/.esg_keystore_pass

esg_functions.get_md5sum(file_name)
    Utility function; wraps md5sum so it may be used on either Mac or Linux machines

esg_functions.get_node_type(config_file='/esg/config/config_type')
    Helper method for reading the last state of node type config from config dir file "config_type". Every successful, explicit call to --type|-t gets recorded in the "config_type" file. If the configuration type is not explicitly set, the value is read from this file.

esg_functions.get_parent_directory(directory_path)
    Returns the parent directory of directory_path

esg_functions.get_postgres_password()
    Gets the Postgres superuser account password from /esg/config/.esg_pg_pass

esg_functions.get_security_admin_password()
    Gets the security_admin_password from the esgf_secret_file

esg_functions.get_version_from_install_manifest(component, manifest_file='/esg/esgf-install-manifest', section_name='install_manifest')
    Get component version info from install manifest

esg_functions.insert_file_at_pattern(target_file, input_file, pattern)
    Replace a pattern inside the target file with the contents of the input file

esg_functions.is_in_git_repo(file_name)
    This determines if a specified file is in a git repository. This function will resolve symlinks and check for a .git directory in the directory of the actual file as well as its parent to avoid attempting to call git unless absolutely needed, so as to be able to detect some common cases on a system without git actually installed and in the path.
    Accepts as an argument the file to be checked
    Returns True if the specified file is in a git repository
    Returns False otherwise

esg_functions.is_valid_password(password_input)
    Check that password_input meets the valid password requirements: an alphanumeric string greater than 6 characters long

esg_functions.path_unique(path_string='/Users/carlson60/miniconda2/envs/esgf-pub/bin:/Users/carlson60/miniconda2/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/bin:/Users/carlson60/miniconda2/bin', path_separator=':')
    Prints a unique path string
    The first (leftmost) instance of a path entry will be the one that is preserved.
    If $1 is specified, it will be taken as the string to deduplicate, otherwise $PATH is used.
    If $2 is specified, it will be taken as the path separator, which otherwise defaults to ':'

esg_functions.pip_install(pkg, req_file=False)
    pip installs a package to the current python environment

esg_functions.pip_install_git(repo, name, tag=None, subdir=None)
    Builds a properly formatted string to pip install from a git repo

esg_functions.pip_version(pkg_name)
    Get the version of a package installed with pip, return None if not installed

esg_functions.prefix_to_path(path, prepend_value)
    Prepends path components to a variable, deduplicates the list, then prints to stdout the export command required to prepend that list to that variable.
    Takes as arguments first a variable containing a colon-separated path to prepend to, then a space-separated collection of paths to prepend – these path components MUST NOT contain spaces.
    If insufficient arguments are present, a warning message is printed to stderr and nothing is printed to stdout.
    Example:
        prefix_to_path LD_LIBRARY_PATH /foo/lib /bar/lib
    Would result in the entry:
        export LD_LIBRARY_PATH=/foo/lib:/bar/lib:$LD_LIBRARY_PATH
    NOTE: In the context of system setup this is usually WHAT YOU WANT; that your libs are found before any user libs are

esg_functions.readlinkf(file_name)
    This is a portable implementation of GNU’s "readlink -f" in bash/zsh, following symlinks recursively until they end in a file, and will print the full dereferenced path of the specified file even if the file isn’t a symlink.
    Loop detection exists, but only as an abort after passing a maximum length.

esg_functions.replace_string_in_file(file_name, original_string, new_string)
    Goes into a file and replaces string

esg_functions.set_java_keystore_password(keystore_password=None)
    Saves the password for a Java keystore to /esg/config/.esg_keystore_pass

esg_functions.set_postgres_password(password)
    Updates the Postgres superuser account password; gets saved to /esg/config/.esg_pg_pass

esg_functions.set_publisher_password(password=None)
    Sets the publisher database user’s password; saves it to pub_secret_file. If no password is provided as an argument, a prompt for a password is given.

esg_functions.set_security_admin_password(updated_password, password_file='/esg/config/.esgf_pass')
    Updates the esgf_secret_file

esg_functions.setup_whitelist_files(whitelist_file_dir='/esg/config')
    Sets up whitelist XML files from the distribution mirror. Downloads the XML files and edits the placeholder string with the esgf hostname. Formerly called setup_sensible_confs

esg_functions.stream_subprocess_output(command_string)
    Print out the stdout of the subprocess in real time

esg_functions.track_extraction_progress(members)
    Output of the files being extracted from a tarball

esg_functions.update_fileupload_jar()
    quick-fix for removing insecure commons-fileupload jar file

esg_functions.verify_checksum(local_file, remote_file)
    Verify md5 checksum of file downloaded from distribution mirror
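The check, fetch, then re-verify sequence that check_for_update, download_update and verify_checksum describe, as an added example (not the esg_functions source). The `fetch` callable, the "<name>.md5" checksum-file naming, the in-memory mirror and the return strings are assumptions made so the sketch runs offline.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=65536):
    """Hex digest of a file, read in chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checked_get(local_file, remote_name, fetch, force=False, algorithm="md5"):
    """Fetch remote_name into local_file only when needed, then verify it.

    fetch(name) -> bytes is a hypothetical transport callable; the published
    checksum is assumed to sit beside the file as "<name>.<algorithm>" in
    md5sum format ("<hex>  <name>"). Returns "up-to-date" or "updated" and
    raises ValueError when the downloaded bytes do not match the checksum.
    """
    # A digest served by the same mirror as the file catches truncation and
    # corruption; it does not authenticate the mirror itself.
    tokens = fetch("%s.%s" % (remote_name, algorithm)).decode().split()
    if not tokens:
        raise ValueError("empty checksum file for %s" % remote_name)
    expected = tokens[0].lower()

    if not force and os.path.isfile(local_file):
        if file_digest(local_file, algorithm) == expected:
            return "up-to-date"

    # Download beside the target and verify before replacing it, so a bad
    # download never overwrites a good local copy.
    target_dir = os.path.dirname(os.path.abspath(local_file))
    fd, tmp_path = tempfile.mkstemp(dir=target_dir, prefix=".download-")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(fetch(remote_name))
        if file_digest(tmp_path, algorithm) != expected:
            raise ValueError("checksum mismatch for %s" % remote_name)
        os.replace(tmp_path, local_file)
    finally:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
    return "updated"


def make_mirror(name, payload, algorithm="md5"):
    """Constructed in-memory stand-in for a distribution mirror."""
    checksum = hashlib.new(algorithm, payload).hexdigest()
    listing = ("%s  %s\n" % (checksum, name)).encode()
    return {name: payload, "%s.%s" % (name, algorithm): listing}
```

Passing `algorithm="sha256"` exercises the same flow with a stronger digest, provided the mirror publishes a matching checksum file.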
Index Node Components

ESG Search

Solr

solr.extract_solr_tarball(solr_tarball_path, SOLR_VERSION, target_path='/usr/local')
    Extract the solr tarball to {target_path} and symlink it to /usr/local/solr

IDP Node Components

ESG Security

esg_security.clean_security_webapp_subsystem()
    Removes the deprecated esgf-security webapp if found on system

esg_security.create_policy_files(policy_type, security_jar_file)
    Creates the policy files depending on the type argument (either local or common).
    Parameters: type – The type of policy file to be created. Must either be 'local' or 'common'
    Returns: None
    Raises: TypeError – raises an exception

Globus

globus.create_globus_account(globus_sys_acct)
    Create the system account for globus to run as.

globus.setup_globus(installation_type)
    Globus Toolkit -> MyProxy (client) & GridFTP (server)
    Takes arg <selection bit vector>
    The rest of the args are the following…
    for data-node configuration (GridFTP stuff): ["bdm"|"end-user"] see esg-globus script
    for idp configuration (MyProxy stuff): [gen-self-cert] <dir> | <regen-simpleca> [fetch-certs|gen-self-cert|keep-certs] | ["install"|"update"]

globus.setup_globus_services(config_type)
    arg1 - config_type ("datanode" | "gateway" ["install"|"update"])