Add installation script + Dockerfile for OpenDataKit, closes #67

2018-03-16 16:08:18 +01:00 · 2018-03-16 16:08:18 +01:00 · 77043ccd62
commit 77043ccd62
parent 8a0abe9c99
12 changed files with 335 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -71,6 +71,7 @@ vi 00-install.sh
 | MariaDB         |     3306 (MySQL) |       N/A |        N/A |
 | Mifos X         |      8012 (HTTP) |      8812 |       8412 |
 | Motech          |      8013 (HTTP) |      8813 |       8413 |
 | OpenDataKit     |      8015 (HTTP) |      8815 |       8415 |
 | OpenMapKit      |      8007 (HTTP) |      8807 |       8407 |
 | Pan.do/ra       |      8002 (HTTP) |      8802 |       8402 |
 | Postfix         |        25 (SMTP) |       N/A |        N/A |
--- a/basic/srv/portal/index.html
+++ b/basic/srv/portal/index.html
@ -78,7 +78,7 @@
            <h2><a href="#"><img src="img/ODK.png" alt="Open Data Kit" title="Open Data Kit">Open Data Kit</a></h2>
            <p><strong>Sběr dat s pomocí smartphone</strong>.<br>
                <a href="http://geoodk.com/xlsform_converter.html">XLSForm</a> - online konverter XLS.<br>
-                <a href="httbap://geoodk.com">GeoODK Collect</a> - náhrada papírových dotazníků smartphonem.
+                <a href="http://geoodk.com">GeoODK Collect</a> - náhrada papírových dotazníků smartphonem.
            </p>
            <ul>
                <li><strong>Login:</strong> <span class="login"></span></li>
@ -86,6 +86,16 @@
            </ul>
        </div>
        <div class="c" id="opendatakit-clients">
            <h2><a href="#"><img src="img/ODK.png" alt="Open Data Kit" title="Open Data Kit">Open Data Kit</a></h2>
            <p>Mobilní aplikace<br>
                <a href="https://play.google.com/store/apps/details?id=org.odk.collect.android"><img src="img/android.png" class="ico" alt="ODK Collect">ODK Collect pro Android</a><br>
            </p>
            <ul>
                <li><strong>URL:</strong> <span class="clienturl"></span></li>
            </ul>
        </div>
        <div class="c" id="openmapkit">
            <h2><a href="#"><img src="img/OMK.png" alt="Open Map Kit" title="Open Map Kit">Open Data Kit</a></h2>
            <p><strong>Sběr dat s pomocí smartphone</strong>.<br>
--- a/opendatakit.sh
+++ b/opendatakit.sh
@ -0,0 +1,48 @@
 #!/bin/sh
 SOURCE_DIR=$(realpath $(dirname "${0}"))/opendatakit
 # Check prerequisites
 docker image ls | grep -q postgres || $(realpath $(dirname "${0}"))/postgres.sh
 docker image ls | grep -q postfix || $(realpath $(dirname "${0}"))/postfix.sh
 docker image ls | grep -q tomcat || $(realpath $(dirname "${0}"))/tomcat.sh
 # Build Docker container
 docker build -t opendatakit ${SOURCE_DIR}
 # Create databases
 export OPENDATAKIT_PWD=$(head -c 18 /dev/urandom | base64)
 envsubst <${SOURCE_DIR}/createdb.sql | docker exec -i postgres psql
 # Configure OpenDataKit
 export OPENDATAKIT_ADMIN_USER=admin
 export OPENDATAKIT_ADMIN_REALM=spotter
 mkdir -p /srv/opendatakit/conf /srv/opendatakit/data
 envsubst <${SOURCE_DIR}/srv/opendatakit/conf/jdbc.properties >/srv/opendatakit/conf/jdbc.properties
 envsubst <${SOURCE_DIR}/srv/opendatakit/conf/security.properties >/srv/opendatakit/conf/security.properties
 cp ${SOURCE_DIR}/srv/opendatakit/conf/server.xml /srv/opendatakit/conf/server.xml
 cp ${SOURCE_DIR}/srv/opendatakit/update-ip.sh /srv/opendatakit/update-ip.sh
 chown -R 8015:8015 /srv/opendatakit/conf /srv/opendatakit/data
 # Create OpenDataKit service
 cp ${SOURCE_DIR}/etc/init.d/opendatakit /etc/init.d/opendatakit
 rc-update add opendatakit
 service opendatakit start
 # Update admin account
 export OPENDATAKIT_ADMIN_PWD=$(head -c 12 /dev/urandom | base64)
 export OPENDATAKIT_ADMIN_SALT=$(head -c 4 /dev/urandom | hexdump -e '"%x"') # Must be 8 characters
 export OPENDATAKIT_ADMIN_BASIC_HASH=$(echo -n "${OPENDATAKIT_ADMIN_PWD}{${OPENDATAKIT_ADMIN_SALT}}" | sha1sum | tr -d " -")
 export OPENDATAKIT_ADMIN_DIGEST_HASH=$(echo -n "${OPENDATAKIT_ADMIN_USER}:${OPENDATAKIT_ADMIN_REALM}:${OPENDATAKIT_ADMIN_PWD}" | md5sum | tr -d " -")
 until docker logs opendatakit 2>&1 | grep -q 'org.apache.catalina.startup.Catalina.start'; do
    sleep 1
 done
 envsubst <${SOURCE_DIR}/adminpwd.sql | docker exec -i postgres psql opendatakit
 # Create nginx app definition
 cp ${SOURCE_DIR}/etc/nginx/conf.d/opendatakit.conf /etc/nginx/conf.d/opendatakit.conf
 service nginx reload
 # Add portal application definition
 portal-app-manager opendatakit "https://{host}:8415/aggregate/" "${OPENDATAKIT_ADMIN_USER}" "${OPENDATAKIT_ADMIN_PWD}"
 portal-app-manager opendatakit-clients -p clienturl "http://{host}:8815/aggregate"
--- a/opendatakit/Dockerfile
+++ b/opendatakit/Dockerfile
@ -0,0 +1,29 @@
 FROM tomcat
 MAINTAINER Disassembler <disassembler@dasm.cz>
 RUN \
 # Install build dependencies
 apk --no-cache add --virtual .deps git git-lfs openjdk8 \
 # Clone ODK aggregate
 && git clone --depth 1 https://github.com/opendatakit/aggregate.git /srv/odk \
 # Compile Java web archive
 && cd /srv/odk \
 && cp gradle.properties.example gradle.properties \
 && ./gradlew war \
 # Deploy web archive
 && mkdir /srv/tomcat/webapps/aggregate \
 && unzip build/libs/aggregate-*.war -d /srv/tomcat/webapps/aggregate \
 # Create OS user
 && addgroup -S -g 8015 odk \
 && adduser -S -u 8015 -h /srv/tomcat -s /bin/false -g odk -G odk odk \
 && chown -R odk:odk /srv/tomcat/conf /srv/tomcat/logs /srv/tomcat/temp /srv/tomcat/webapps /srv/tomcat/work \
 # Cleanup
 && apk --no-cache del .deps \
 && rm -rf /root/.gradle /root/.java /srv/odk
 # VOLUME ["/srv/tomcat/.motech"]
 EXPOSE 8015
 USER odk
 WORKDIR /srv/tomcat
 CMD ["catalina.sh", "run"]
--- a/opendatakit/adminpwd.sql
+++ b/opendatakit/adminpwd.sql
@ -0,0 +1 @@
 UPDATE _registered_users SET "BASIC_AUTH_PASSWORD" = '${OPENDATAKIT_ADMIN_BASIC_HASH}', "BASIC_AUTH_SALT" = '${OPENDATAKIT_ADMIN_SALT}', "DIGEST_AUTH_PASSWORD" = '${OPENDATAKIT_ADMIN_DIGEST_HASH}' WHERE "LOCAL_USERNAME" = '${OPENDATAKIT_ADMIN_USER}';
--- a/opendatakit/createdb.sql
+++ b/opendatakit/createdb.sql
@ -0,0 +1,4 @@
 CREATE ROLE opendatakit NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED PASSWORD '${OPENDATAKIT_PWD}';
 CREATE DATABASE opendatakit;
 REVOKE ALL ON DATABASE opendatakit FROM public;
 ALTER DATABASE opendatakit OWNER TO opendatakit;
--- a/opendatakit/etc/init.d/opendatakit
+++ b/opendatakit/etc/init.d/opendatakit
@ -0,0 +1,29 @@
 #!/sbin/openrc-run
 description="OpenDataKit docker container"
 depend() {
 	need docker net postgres
 	use dns logger netmount postfix
 }
 start_pre() {
 	/srv/opendatakit/update-ip.sh
 }
 start() {
 	/usr/bin/docker run -d --rm \
 	--name opendatakit \
 	-h opendatakit \
 	--link postfix \
 	--link postgres \
 	-p 127.0.0.1:8015:8015 \
 	-v /srv/opendatakit/conf/server.xml:/srv/tomcat/conf/server.xml \
 	-v /srv/opendatakit/conf/jdbc.properties:/srv/tomcat/webapps/aggregate/WEB-INF/classes/jdbc.properties \
 	-v /srv/opendatakit/conf/security.properties:/srv/tomcat/webapps/aggregate/WEB-INF/classes/security.properties \
 	opendatakit
 }
 stop() {
 	/usr/bin/docker stop opendatakit
 }
--- a/opendatakit/etc/nginx/conf.d/opendatakit.conf
+++ b/opendatakit/etc/nginx/conf.d/opendatakit.conf
@ -0,0 +1,11 @@
 server {
    listen [::]:8815 ipv6only=off;
    listen [::]:8415 ssl http2 ipv6only=off;
    access_log /var/log/nginx/opendatakit.access.log;
    error_log /var/log/nginx/opendatakit.error.log;
    location / {
        proxy_pass http://127.0.0.1:8015;
    }
 }
--- a/opendatakit/srv/opendatakit/conf/jdbc.properties
+++ b/opendatakit/srv/opendatakit/conf/jdbc.properties
@ -0,0 +1,6 @@
 jdbc.driverClassName=org.postgresql.Driver
 jdbc.resourceName=jdbc/odk_aggregate
 jdbc.url=jdbc:postgresql://postgres/opendatakit?autoDeserialize=true
 jdbc.username=opendatakit
 jdbc.password=${OPENDATAKIT_PWD}
 jdbc.schema=public
--- a/opendatakit/srv/opendatakit/conf/security.properties
+++ b/opendatakit/srv/opendatakit/conf/security.properties
@ -0,0 +1,48 @@
 # Either basic or digest
 security.server.deviceAuthentication=basic
 # Choose whether to secure everything with https or allow http access.
 #
 # NOTE: changes also needed to:
 # -- server.xml (Tomcat configuration file) to set up the secure channel
 #
 # issue 648 - REQUIRES_INSECURE_CHANNEL is now the default instead of ANY_CHANNEL
 # there are various edge cases that have not been tested in the UI for
 # allowing arbitrary accesses, as the session cookie and authentication
 # do get set for a specific http: or https: scheme and are not transferrable.
 #
 # should be REQUIRES_SECURE_CHANNEL but can't unless SSL is available.
 security.server.secureChannelType=REQUIRES_INSECURE_CHANNEL
 #security.server.secureChannelType=REQUIRES_SECURE_CHANNEL
 # either REQUIRES_INSECURE_CHANNEL to secure nothing
 # or REQUIRES_SECURE_CHANNEL to secure everything
 # or perhaps ANY_CHANNEL when running through a proxy server
 security.server.channelType=REQUIRES_INSECURE_CHANNEL
 #security.server.channelType=REQUIRES_SECURE_CHANNEL
 # When running under Tomcat, you need to set the hostname and port for
 # the server so that the background tasks can generate properly-constructed
 # links in their documents and in their publications to the
 # external services.
 #
 # This is configured during install.  If blank, discovers an IP address
 security.server.hostname=
 security.server.port=8815
 security.server.securePort=8415
 wink.handlersFactoryClass=org.opendatakit.aggregate.odktables.impl.api.wink.AppEngineHandlersFactory
 # e-mail of designated superuser. This must be a user that has an OAuth2
 # login hosted by a remote server (i.e., this must be a gmail account).
 # this should be of the form: 'mailto:user@gmail.com'
 security.server.superUser=
 # Define a superUserUsername to insert an ODK Aggregate username that can
 # access the server.  The initial password for this username is 'aggregate'
 security.server.superUserUsername=${OPENDATAKIT_ADMIN_USER}
 # realm definition
 # realmString -- what should be sent to users when BasicAuth or DigestAuth is done
 security.server.realm.realmString=${OPENDATAKIT_ADMIN_REALM}
--- a/opendatakit/srv/opendatakit/conf/server.xml
+++ b/opendatakit/srv/opendatakit/conf/server.xml
@ -0,0 +1,143 @@
 <?xml version='1.0' encoding='utf-8'?>
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 -->
 <!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
 <Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">
    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8015" protocol="HTTP/1.1"
               connectionTimeout="20000"
               proxyName="127.0.0.1"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->
    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->
      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->
        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
 </Server>
--- a/opendatakit/srv/opendatakit/update-ip.sh
+++ b/opendatakit/srv/opendatakit/update-ip.sh
@ -0,0 +1,4 @@
 #!/bin/sh
 URL=$(ip route get 1 | awk '{print $NF;exit}')
 sed -i "s|\(^\s\+proxyName\).*|\1=\"${URL}\"|" /srv/opendatakit/conf/server.xml
		`@ -0,0 +1 @@`
							`UPDATE _registered_users SET "BASIC_AUTH_PASSWORD" = '${OPENDATAKIT_ADMIN_BASIC_HASH}', "BASIC_AUTH_SALT" = '${OPENDATAKIT_ADMIN_SALT}', "DIGEST_AUTH_PASSWORD" = '${OPENDATAKIT_ADMIN_DIGEST_HASH}' WHERE "LOCAL_USERNAME" = '${OPENDATAKIT_ADMIN_USER}';`