Automagic Moodle update

Well, it's Monday, so time for the semi-automagic rollout of patches: on CentOS via yum-cron; on Debian it is broken by some dumb and strong firewall rules, but applied via unattended updates, now done through an SSH tunnel using tsocks. I've been thinking of creating a permanent tunnel, or one based on apt.conf, and pushing keys to our external machine; laziness has won and it's not implemented… but.
Our mini script: for every directory, get the Git code

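        # Run from /var/www/html: update the checkout in every instance directory
        for i in */; do
            echo "item: $i"
            # Subshell, so a failed cd never leaves the loop in the wrong directory
            ( cd "$i" && sudo -u apache git pull )
        done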

For 20 instances it took 88 secs, yay! ;)

real    1m28.599s
user    0m11.510s
sys     0m5.070s

Now tell Moodle about the changes and run whatever is pending

        # Run from /var/www/html: apply pending upgrades in every instance
        for i in */; do
            echo "item: $i"
            sudo -u apache php "${i}admin/cli/upgrade.php" --non-interactive
        done

Nice, it took almost four minutes to execute…

real    4m31.226s
user    2m36.918s
sys     0m28.886s

Half of the work done… time for a coffee. I need to do this via Ansible… I still have had no time to implement test | staging | production, with promotion from staging to production and rollback if it breaks.

As pointed out by Gunnar in the comments, the Moodle source does not really need to have apache permissions, as opposed to moodledata, where it needs to write and create files.
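
A check for the ownership point above, as an added example (not the post's own script): it lists anything inside each Moodle code tree that the web server account could modify. The web root /var/www/html and the apache account come from the post; the function names and the group argument are assumptions, and moodledata is left out because it has to stay writable.

```bash
#!/usr/bin/env bash
# Added example, not the post's script. Assumed layout: one Moodle checkout per
# directory under a web root such as /var/www/html; web server account "apache".

# audit_tree DIR USER GROUP
# Lists paths under DIR that the web server could modify: owned by USER,
# world-writable, or group-writable with group GROUP. Symlinks are skipped
# because their mode bits are always 777. USER/GROUP may be names or numeric ids.
# Returns 0 if clean, 1 if anything was listed, 2 if find itself failed.
audit_tree() {
    local dir=$1 user=$2 group=$3 hits
    hits=$(find "$dir" ! -type l \( -user "$user" -o -perm -002 \
            -o \( -group "$group" -perm -020 \) \) -print) || return 2
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# audit_all ROOT USER GROUP
# Audits every ROOT/*/ that looks like a Moodle instance (has admin/cli/upgrade.php).
# Returns 0 when all instances are clean, 1 otherwise.
audit_all() {
    local root=$1 user=$2 group=$3 rc=0 d
    for d in "$root"/*/; do
        [ -f "${d}admin/cli/upgrade.php" ] || continue
        echo "== $d"
        audit_tree "$d" "$user" "$group" || rc=1
    done
    return "$rc"
}

# Example: ./audit.sh /var/www/html apache apache
if [ "$#" -eq 3 ]; then
    audit_all "$@"
fi
```

A non-zero exit after a `git pull` run means some instance still has code the web server can rewrite; the listed paths are the ones to chown or chmod.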


2 responses to Automagic Moodle update

  1. Gunnar said:

    Comes to my attention that… The Git repositories themselves are owned in your system by the «apache» user. Why? In my case, I «git pull» as user root, and the files themselves are root-owned, root-modifiable only. It makes it a bit harder for somebody to insert their modifications in the code were they to attack my server.

    • vicm3 said:

      CentOS and SELinux: if not owned by apache, the files can't be accessed or executed by apache. The files are 644 and directories 755; also, each repo is a working instance. I have tried to make a symlink mess and have not succeeded, also as things were for yesterday and «we start tomorrow (R)». On Debian my files are root-owned and non-writable, as you point out; on CentOS I have not dug enough, but I can tell the files are not apache-writable, as an SELinux rule governs that. If it sounds crazy, I think the same.

      Guess what… I just reread what I wrote and it sounds idiotic. It happens that the old system, CentOS 6, was not installed by me but handled by an RHCE guy who briefed me on the quirks they had with Joomla and, at that time, with Moodle, and they ended up disabling SELinux to run Moodle. I was in a real hurry, so I just looked at what they had done, fixed the obvious problems and kept what they told me about apache ownership, then researched how to let postfix, apache and moodle work under SELinux and migrated to this instance, also not installed by me and also CentOS 6. So until your comment I had not truly searched the SELinux rules. After first replying to your comment I just tried a quick chown and, as you point out, it works, as apache doesn't need to write to this directory; for that, the Moodle config uses the moodledata dir with different permissions. So I am fixing it and changing ownership to root. Thanks for the heads up!

      When | if we deploy a new server, planned since last year, I will have to dig again as CentOS 7 is now default… and changed SELinux, Network and other things…
