Lts20 (#102)

* Update to tomcat 9

* Update to python3-psycopg package

* Installs yarn & node via packages

* Adds support for newer ssh

* Remove dangling reference

* Repair tomcat userid to tomcat

* Set fits system property in tomcat9 defaults file, removes incompatible catalina.properties

* Installs ed25591 in user environment

* Installs crypto gems in ubuntu userland

* Adds fedora-data to sandbox.

* Adds acl package

* Adds /tmp to tomcat permitted read-write directories

* Adds jaxb & activation jars to tomcat classpath.

* Installs activation & jaxb w/ sudo

* Update to node 10, oldest node available for our distro of Ubuntu

Co-authored-by: Max Kadel <max@curationexperts.com>

roles/capistrano_setup/tasks/main.yml

@@ -13,7 +13,6 @@
 #     - https://github.com/mark-dce.keys
 #     - https://github.com/little9.keys
 #     - https://github.com/no-reply.keys
-#     - https://github.com/bess.keys
 
 - name: create cap group
   become: yes

roles/fedora/defaults/main.yml

@@ -8,7 +8,7 @@ tomcat_min_memory: 1024m
 # tomcat max memory allocation
 tomcat_max_memory: 2048m
 
-fedora_config_file: /etc/default/tomcat8
+fedora_config_file: /etc/default/tomcat9
 
 fedora_version: 4.7.5
 fedora_database: jdbc-postgresql

roles/fedora/tasks/main.yml

@@ -28,44 +28,56 @@
 
 - name: install servlet container package
   become: yes
-  package: name=tomcat8 state=present
+  package: name=tomcat9 state=present
 
 - name: download fedora
   get_url: url=https://repo1.maven.org/maven2/org/fcrepo/fcrepo-webapp/{{ fedora_version }}/fcrepo-webapp-{{ fedora_version }}.war owner={{ ansible_ssh_user }} dest={{ install_path }}/fcrepo-webapp-{{ fedora_version }}.war timeout=100
 
 - name: make fedora data dir
-  file: owner=tomcat8 group=tomcat8 state=directory path=/opt/fedora-data
+  file: owner=tomcat group=tomcat state=directory path=/opt/fedora-data
   become: yes
 
 - name: check fedora.war
-  stat: path=/var/lib/tomcat8/webapps/fedora.war
+  stat: path=/var/lib/tomcat9/webapps/fedora.war
   register: fedora_war
 
 - name: copy over fedora.war
   become: yes
-  command: cp {{ install_path }}/fcrepo-webapp-{{ fedora_version }}.war /var/lib/tomcat8/webapps/fedora.war
+  command: cp {{ install_path }}/fcrepo-webapp-{{ fedora_version }}.war /var/lib/tomcat9/webapps/fedora.war
   when: fedora_war.stat.exists == False
 
+- name: install activation
+  become: yes
+  get_url: url=https://repo1.maven.org/maven2/javax/xml/bind/activation/1.0.2/activation-1.0.2.jar owner=tomcat dest=/var/lib/tomcat9/lib/activation-1.0.2.jar timeout=100
+
+- name: install jaxb
+  become: yes
+  get_url: url=https://repo1.maven.org/maven2/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar owner=tomcat dest=/var/lib/tomcat9/lib/jaxb-api-2.3.1.jar timeout=100
+
+- name: create systemd configuration
+  become: yes
+  template: src=tomcat9.service dest=/lib/systemd/system/tomcat9.service backup=yes
+
 - name: create tomcat config and java options
   become: yes
   template:
-    src: tomcat8.j2
+    src: tomcat9.j2
     dest: "{{ fedora_config_file }}"
-    owner: tomcat8
-    group: tomcat8
+    owner: tomcat
+    group: tomcat
     backup: yes
 
 - name: set port for tomcat
   become: yes
   replace:
-    dest: /etc/tomcat8/server.xml
+    dest: /etc/tomcat9/server.xml
     regexp: "8080"
     replace: "{{ tomcat_port }}"
 
 - name: add log rotation for catalina.out (tomcat/fedora logs)
   become: yes
-  template: src=logrotate-tomcat dest=/etc/logrotate.d/tomcat8 backup=yes
+  template: src=logrotate-tomcat dest=/etc/logrotate.d/tomcat9 backup=yes
 
 - name: restart servlet
   become: yes
-  service: name=tomcat8 enabled=yes state=restarted
+  systemd: name=tomcat9 state=restarted daemon_reload=yes

roles/fedora/templates/logrotate-tomcat

@@ -1,8 +1,8 @@
-/var/log/tomcat8/catalina.out {
+/var/log/tomcat9/catalina.out {
   copytruncate
   weekly
   rotate 52
   compress
   missingok
-  create 640 tomcat8 adm
+  create 640 tomcat9 adm
 }

roles/fedora/templates/tomcat8.j2 → roles/fedora/templates/tomcat9.j2

@@ -1,24 +1,25 @@
 # Ansible created this file and made a timestamped backup of the original
 # This template will construct settings that look something like
-# TOMCAT8_USER=tomcat8
+# TOMCAT8_USER=tomcat9
 # or
 # TOMCAT_GROUP=tomcat
-TOMCAT8_USER=tomcat8
-TOMCAT8_GROUP=tomcat8
-# JAVA_OPTS="-Dfcrepo.home=/opt/fedora-data -Dfcrepo.modeshape.configuration=classpath:/config/{{ fedora_database }}/repository.json -Djava.awt.headless=true -XX:+UseG1GC -XX:+UseCompressedOops -XX:-UseLargePagesIndividualAllocation -XX:MaxPermSize={{ tomcat_permgen_memory }} -Xms{{ tomcat_min_memory }} -Xmx{{ tomcat_max_memory }} -Djava.util.logging.config.file=/etc/tomcat8/logging.properties -server"
+TOMCAT9_USER=tomcat
+TOMCAT9_GROUP=tomcat
+# JAVA_OPTS="-Dfcrepo.home=/opt/fedora-data -Dfcrepo.modeshape.configuration=classpath:/config/{{ fedora_database }}/repository.json -Djava.awt.headless=true -XX:+UseG1GC -XX:+UseCompressedOops -XX:-UseLargePagesIndividualAllocation -XX:MaxPermSize={{ tomcat_permgen_memory }} -Xms{{ tomcat_min_memory }} -Xmx{{ tomcat_max_memory }} -Djava.util.logging.config.file=/etc/tomcat9/logging.properties -server"
 
 JAVA_OPTS="${JAVA_OPTS} -Dfcrepo.home=/opt/fedora-data"
 JAVA_OPTS="${JAVA_OPTS} -Dfcrepo.modeshape.configuration=classpath:/config/jdbc-postgresql/repository.json"
 JAVA_OPTS="${JAVA_OPTS} -Dfcrepo.postgresql.username={{ fcdb_user }}"
 JAVA_OPTS="${JAVA_OPTS} -Dfcrepo.postgresql.password={{ fcdb_pass }}"
 JAVA_OPTS="${JAVA_OPTS} -Dfcrepo.postgresql.host=localhost"
 JAVA_OPTS="${JAVA_OPTS} -Dfcrepo.postgresql.port=5432"
+JAVA_OPTS="${JAVA_OPTS} -Dfits.home=/usr/local/lib/fits-1.4.0"
 JAVA_OPTS="${JAVA_OPTS} -Djava.awt.headless=true"
 JAVA_OPTS="${JAVA_OPTS} -XX:+UseG1GC"
 JAVA_OPTS="${JAVA_OPTS} -XX:+UseCompressedOops"
 JAVA_OPTS="${JAVA_OPTS} -XX:-UseLargePagesIndividualAllocation"
 JAVA_OPTS="${JAVA_OPTS} -XX:MaxPermSize={{ tomcat_permgen_memory }}"
 JAVA_OPTS="${JAVA_OPTS} -Xms{{ tomcat_min_memory }}"
 JAVA_OPTS="${JAVA_OPTS} -Xmx{{ tomcat_max_memory }}"
-JAVA_OPTS="${JAVA_OPTS} -Djava.util.logging.config.file=/etc/tomcat8/logging.properties"
+JAVA_OPTS="${JAVA_OPTS} -Djava.util.logging.config.file=/etc/tomcat9/logging.properties"
 JAVA_OPTS="${JAVA_OPTS} -server"

roles/fedora/templates/tomcat9.service

@@ -0,0 +1,45 @@
+#
+# Systemd unit file for Apache Tomcat
+#
+
+[Unit]
+Description=Apache Tomcat 9 Web Application Server
+Documentation=https://tomcat.apache.org/tomcat-9.0-doc/index.html
+After=network.target
+RequiresMountsFor=/var/log/tomcat9 /var/lib/tomcat9
+
+[Service]
+
+# Configuration
+Environment="CATALINA_HOME=/usr/share/tomcat9"
+Environment="CATALINA_BASE=/var/lib/tomcat9"
+Environment="CATALINA_TMPDIR=/tmp"
+Environment="JAVA_OPTS=-Djava.awt.headless=true"
+
+# Lifecycle
+Type=simple
+ExecStartPre=+/usr/libexec/tomcat9/tomcat-update-policy.sh
+ExecStart=/bin/sh /usr/libexec/tomcat9/tomcat-start.sh
+SuccessExitStatus=143
+Restart=on-abort
+
+# Logging
+SyslogIdentifier=tomcat9
+
+# Security
+User=tomcat
+Group=tomcat
+PrivateTmp=no
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+CacheDirectory=tomcat9
+CacheDirectoryMode=750
+ProtectSystem=strict
+ReadWritePaths=/etc/tomcat9/Catalina/
+ReadWritePaths=/var/lib/tomcat9/webapps/
+ReadWritePaths=/var/log/tomcat9/
+ReadWritePaths=/opt/fedora-data
+ReadWritePaths=/tmp
+
+[Install]
+WantedBy=multi-user.target

roles/first_deploy/tasks/main.yml

@@ -44,6 +44,22 @@
   args:
     chdir: /home/{{ ansible_ssh_user }}/{{ project_name }}
 
+- name: install ed25519 support
+  become_user: ubuntu
+  gem:
+    name: ed25519
+    version: 1.2.4
+    state: present
+    user_install: yes
+
+- name: install bcrypt_pbkdf support
+  become_user: ubuntu
+  gem:
+    name: bcrypt_pbkdf
+    version: 1.1.0
+    state: present
+    user_install: yes
+
 - name: find bundler version from Gemfile.lock
   shell: grep -A 1 "BUNDLED WITH" Gemfile.lock
   args:
@@ -151,7 +167,7 @@
   service: name=solr state=restarted
 
 - name: deploy to production directories with capistrano
-  shell: BRANCH={{ branch | default('master') }} cap localhost deploy
+  shell: BRANCH={{ branch | default('main') }} cap localhost deploy
   args:
     chdir: /home/{{ ansible_ssh_user }}/{{ project_name }}
 

roles/fits/tasks/main.yml

@@ -75,46 +75,47 @@
 
 - name: install servlet container package
   become: yes
-  package: name=tomcat8 state=present
+  package: name=tomcat9 state=present
 
 - name: download fits servlet version {{ fits_servlet_version }}
   become: yes
   get_url:
     url: 'https://projects.iq.harvard.edu/files/fits/files/fits-{{ fits_servlet_version }}.war'
-    owner: tomcat8
-    group: tomcat8
+    owner: tomcat
+    group: tomcat
     dest: '{{ install_path }}/fits-{{ fits_servlet_version }}.war'
     checksum: 'sha256:{{ fits_servlet_checksum }}'
     force: yes
 
 - name: copy over fits.war
   become: yes
-  command: cp {{ install_path }}/fits-{{ fits_servlet_version }}.war /var/lib/tomcat8/webapps/fits-{{ fits_servlet_version }}.war
+  command: cp {{ install_path }}/fits-{{ fits_servlet_version }}.war /var/lib/tomcat9/webapps/fits-{{ fits_servlet_version }}.war
 
-- name: copy catalina properties
+- name: copy context file
   become: yes
   template:
-    src: catalina.properties.j2
-    dest: /etc/tomcat8/catalina.properties
-    owner: tomcat8
-    group: tomcat8
+    src: context.j2
+    dest: /etc/tomcat9/context.xml
+    owner: tomcat
+    group: tomcat
     backup: yes
 
 - name: set port for tomcat
   become: yes
   replace:
-    dest: /etc/tomcat8/server.xml
+    dest: /etc/tomcat9/server.xml
     regexp: "8080"
     replace: "{{ tomcat_port }}"
 
 - name: add log rotation for catalina.out (tomcat/fedora logs)
   become: yes
-  template: src=logrotate-tomcat dest=/etc/logrotate.d/tomcat8 backup=yes
+  template: src=logrotate-tomcat dest=/etc/logrotate.d/tomcat9 backup=yes
 
 - name: restart servlet
   become: yes
-  service: name=tomcat8 enabled=yes state=restarted
+  service: name=tomcat9 enabled=yes state=restarted
 
 - name: check that fits-servlet is up
   uri:
     url: 'http://localhost:{{tomcat_port}}/fits-{{ fits_servlet_version}}/'
+    timeout: 60