nasa / meza
Setup an enterprise MediaWiki server with simple commands
License: MIT License
Extension:StringFunctionsEscaped is unmaintained. Although it may still work, any bug reports or feature requests will more than likely be ignored.
This is being installed here: https://github.com/nasa/meza/blob/main/config/MezaCoreExtensions.yml#L284
Initially, I created issue 1312 on the GitHub enterprisemediawiki/meza repo because this wiki pointed to a broken nasa/meza issue page for GitHub issues, as talked about in enterprisemediawiki/meza#1312 (comment).
I have spent three-plus hours trying to find the exact version of our current meza wiki on the wiki web pages themselves, but it is not there.
I could not find it on the web page, so I ssh'ed into the host expecting the meza CLI would document the way to find the existing version.
I happened across Jamesmontalvo3's issue "meza --version fails in python 3.x #1311", but that does NOT show on the web page.
Environment
**xcp-ng.org xen vm**
**CentOS Linux release 7.9.2009 (Core)**
**meza version hash:** https://github.com/enterprisemediawiki/meza/commit/3838ace53f9a61da7dcd83f6b6ec61d83e1d9326
Note, one has to open a new case in order to find out how to get their current version of the git hash :(
Issue details
meza help or meza version both crash, and meza does not mention a version number nor the command to find the version. Otherwise, there is no error message, because there is no web page to look at or command to run that I could find. So I experimented.
meza version
[mezawiki meza]$ meza version
Traceback (most recent call last):
File "/usr/bin/meza", line 1193, in <module>
main(sys.argv[1:])
File "/usr/bin/meza", line 63, in main
display_docs(argv[0])
File "/usr/bin/meza", line 1084, in display_docs
f = open('/opt/meza/manual/meza-cmd/{}.txt'.format(name),'r')
IOError: [Errno 2] No such file or directory: '/opt/meza/manual/meza-cmd/version.txt'
meza help
[user@intrawiki ~]$ meza help
Traceback (most recent call last):
File "/usr/bin/meza", line 1193, in <module>
main(sys.argv[1:])
File "/usr/bin/meza", line 63, in main
display_docs(argv[0])
File "/usr/bin/meza", line 1084, in display_docs
f = open('/opt/meza/manual/meza-cmd/{}.txt'.format(name),'r')
IOError: [Errno 2] No such file or directory: '/opt/meza/manual/meza-cmd/help.txt'
I ran many more commands and did file snooping. For some reason, I did not think meza might actually be a script that I could read with a text editor.
VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8
By default, executing 'meza deploy monolith' overwrites the /etc/ssh/sshd_config file. This could potentially prevent remote SSH logins for systems that have been configured to use PIV-SSH, with password and public key authorizations disabled. It also clobbers other settings that have been made to meet the NASA OpenSSH Security Configuration Specification (attached and located online at https://cset.nasa.gov/ascs/application/open-source-openssh/).
Before running 'meza deploy monolith' the first time, I save the /etc/ssh/sshd_config file. Then after deployment, I copy it back.
To prevent future overwrites, I must modify /opt/meza/config/defaults.yml and set:
use_default_ssh_config: False
My first suggestion is to never completely overwrite /etc/ssh/sshd_config. If meza would like to modify a setting in /etc/ssh/sshd_config, then there should be a prompt to ask whether such a change can be made.
VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8
During "meza monolith deploy", TASK [apache-php : Install memcached PECL packages] fails:
fatal: [localhost]: FAILED! => {
"changed": true,
"cmd": "pecl install --configureoptions 'with-libmemcached-dir="no" with-zlib-dir="no" with-system-fastlz="no" enable-memcached-igbinary="no" enable-memcached-msgpack="no" enable-memcached-json="no" enable-memcached-protocol="no" enable-memcached-sasl="yes" enable-memcached-session="yes"' memcached\n",
"delta": "0:00:01.199410", "end": "2023-03-20 15:59:39.181133", "rc": 1, "start": "2023-03-20 15:59:37.981723"
}
STDOUT:
pecl/memcached can optionally use PHP extension "igbinary" (version >= 2.0)
pecl/memcached can optionally use PHP extension "msgpack" (version >= 2.0)
downloading memcached-3.2.0.tgz ...
Starting to download memcached-3.2.0.tgz (90,722 bytes)
.....................done: 90,722 bytes
18 source files, building
running: phpize
Configuring for:
PHP Api Version: 20190902
Zend Module Api No: 20190902
Zend Extension Api No: 320190902
shtool at '/var/tmp/memcached/build/shtool' does not exist or is not executable.
Make sure that the file exists and is executable and then rerun this script.
ERROR: `phpize' failed
MSG:
non-zero return code
...ignoring
This occurs because NASA-SPEC-2601OS.RHEL8 (RED HAT ENTERPRISE LINUX 8 SECURITY CONFIGURATION SPECIFICATION) has the control "NASA-ASCS-20238: Add noexec Option to /var/tmp".
The mount command can be used to determine if there is a noexec option on the file system:
mount | grep /var/tmp
/dev/sdb6 on /var/tmp type ext4 (rw,nosuid,nodev,noexec,relatime,seclabel)
If noexec is in the list of options, then the /var/tmp file system has to be remounted with the "exec" option for the task to be completed without error:
mount -o remount,exec /var/tmp
At the end of the task, /var/tmp should be changed back to noexec to remain compliant with NASA-SPEC-2601OS.RHEL8:
mount -o remount,noexec /var/tmp
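As an added example (not part of meza or of the report above), a small POSIX shell wrapper that applies the procedure just described: it checks the mount options of the exact mount point, remounts it exec only when noexec is present, and restores noexec even if the wrapped command is interrupted. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the meza project: wrap a build step so /var/tmp is only
# mounted exec for the duration of that step and goes back to noexec afterwards.

# has_noexec "<line from mount(8)>": 0 if the parenthesised option list contains noexec
has_noexec() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# mount_line_for <mountpoint>: the mount(8) line whose mount point matches exactly
# (a plain grep for /var/tmp would also match /var/tmp2 or /var/tmp/foo)
mount_line_for() {
    mount | awk -v mp="$1" '$3 == mp { print; exit }'
}

# with_exec <mountpoint> <command...>: run the command with exec allowed on the mount
# point, then restore noexec so the host stays compliant (NASA-ASCS-20238 above)
with_exec() {
    mp=$1; shift
    line=$(mount_line_for "$mp")
    if [ -z "$line" ] || ! has_noexec "$line"; then
        "$@"          # not noexec (or not a separate mount): nothing to change
        return $?
    fi
    mount -o remount,exec "$mp" || return 1
    # restore noexec on normal exit and on Ctrl-C / termination
    trap 'mount -o remount,noexec "$mp"' EXIT INT TERM
    "$@"
    rc=$?
    mount -o remount,noexec "$mp"
    trap - EXIT INT TERM
    return $rc
}

# usage: with_exec /var/tmp pecl install memcached
```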
VMware virtual machine
redhat-release-eula-8.9-0.1.el8.x86_64
a38b6e0 (meza version hash)
IT Security scan reports PHP Unsupported Version Detection:
Source : X-Powered-By: PHP/7.4.33
Installed version : 7.4.33
End of support date : 2022/11/28
Announcement : http://php.net/supported-versions.php
Supported versions : 8.0.x / 8.1.x
Agency-IT-Outreach sent email on 3/12/24 from Chief Information Officer stating all NASA web sites, both internal and external require a link to NASA's accessibility statement, located at https://www.nasa.gov/accessibility/ in the footer.
One solution could be to:
Add the following to the LocalSettings.php file:
$wgHooks['SkinAddFooterLinks'][] = function ( Skin $skin, string $key, array &$footerlinks ) {
    if ( $key === 'places' ) {
        // Html::element escapes the link text taken from the MediaWiki:Accessibility-link message
        $footerlinks['508link'] = Html::element(
            'a',
            [ 'href' => 'https://www.nasa.gov/accessibility/', 'rel' => 'noreferrer noopener' ],
            $skin->msg( 'Accessibility-link' )->text()
        );
    }
};
Then create a new page at https:///index.php?title=MediaWiki:Accessibility-link and just drop the word ‘Accessibility’ in it.
VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8
After meza deploy monolith, the haproxy configuration does not meet NASA specs.
Edit /etc/haproxy/haproxy.cfg and update settings based on NASA-SPEC-2650 for TLS.
Set ciphers:
ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-SEED-SHA:!DHE-RSA-CAMELLIA128-SHA
Set protocols:
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
Comment out port 80:
#frontend www-http
Set HSTS max-age to one year:
http-response set-header Strict-Transport-Security max-age=31557600;\ includeSubDomains;\ preload;
Each administrator should copy their server's certificate, unencrypted certificate key, and CA chain into /etc/haproxy/certs/meza.pem
Ex. cat server.crt server.key ca-bundle.crt > meza.pem
Also, update template so that future deployments retain the settings:
/opt/meza/src/roles/haproxy/templates/haproxy.cfg.j2
VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8
The epel-release package fails to install during getmeza.sh execution because the GPG check FAILED.
/opt/meza/src/scripts/getmeza.sh
Enabling code-ready-builder and ansible repo for RHEL. This may take some time.
Repository 'codeready-builder-for-rhel-8-x86_64-rpms' is enabled for this system.
Repository 'ansible-2-for-rhel-8-x86_64-rpms' is enabled for this system.
Updating Subscription Management repositories.
Red Hat Ansible Engine 2 for RHEL 8 x86_64 (RPM 3.3 MB/s | 2.5 MB 00:00
Red Hat CodeReady Linux Builder for RHEL 8 x86_ 11 MB/s | 8.8 MB 00:00
epel-release-latest-8.noarch.rpm 95 kB/s | 24 kB 00:00
Dependencies resolved.
Package Architecture Version Repository Size
Installing:
epel-release noarch 8-18.el8 @commandline 24 k
Transaction Summary
Install 1 Package
Total size: 24 k
Installed size: 35 k
Downloading Packages:
Public key for epel-release-latest-8.noarch.rpm is not installed
Error: GPG check FAILED
sed: can't read /etc/yum.repos.d/epel.repo: No such file or directory
cp: cannot stat '/etc/yum.repos.d/epel.repo': No such file or directory
I believe this is because NASA-SPEC-2601OS.RHEL8, Red Hat Enterprise Linux 8 Security Configuration Specification has control "NASA-ASCS-20158: Ensure gpgcheck Enabled for Local Packages" which mandates "localpkg_gpgcheck=1" be set in the /etc/yum.conf file.
This means the public key of the epel-release package has to be imported first before it will install properly.
My fix is to execute "rpm --import http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8" before running getmeza.sh.
getmeza.sh should import the RPM-GPG-KEY-EPEL-8 before attempting to install.
NASA-SPEC-2601OS.RHEL8_v1.7.pdf
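As an added example, not part of getmeza.sh or the report above, the key import can be made a verified step: the key is fetched from the URL given in the report, its fingerprint is compared against a value obtained out of band, and only then is it handed to rpm. EXPECTED_FPR is a placeholder and the function names are my own; the gpg --with-colons parsing relies on the documented fpr record (fingerprint in field 10).

```shell
#!/bin/sh
# Added example, not part of getmeza.sh: import the EPEL 8 signing key only after its
# fingerprint matches one obtained out of band, instead of trusting whatever the
# plain-HTTP download returns. EXPECTED_FPR is a placeholder to be filled in from a
# trusted source such as the Fedora project's published key fingerprints.
KEY_URL='http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
EXPECTED_FPR='PLACEHOLDER-FILL-IN-FROM-A-TRUSTED-SOURCE'

# fpr_from_gpg_colons "<gpg --with-colons output>": primary key fingerprint (first fpr record)
fpr_from_gpg_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# key_fingerprint <keyfile>: fingerprint of the key in an armored key file, without importing it
key_fingerprint() {
    out=$(gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null) || return 1
    fpr_from_gpg_colons "$out"
}

# import_epel_key: download, verify the fingerprint, then hand the key to rpm so that
# localpkg_gpgcheck=1 lets epel-release install
import_epel_key() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$KEY_URL" -o "$tmp"; then
        rm -f "$tmp"; echo "download failed" >&2; return 1
    fi
    got=$(key_fingerprint "$tmp")
    if [ -n "$got" ] && [ "$got" = "$EXPECTED_FPR" ]; then
        rpm --import "$tmp"; rc=$?
    else
        echo "fingerprint mismatch, key not imported (got '$got')" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# after a successful import, 'rpm -K epel-release-latest-8.noarch.rpm' can confirm the package signature
```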