Merge branch 'master' into dev_server_verify

Conflicts:
	install.sh.txt
	web_server/provision_apache.drush.inc

HINTS_CentOS.txt

@@ -49,8 +49,8 @@ Shell commands::
  useradd --home-dir /var/aegir aegir
  gpasswd -a aegir www-data
  chmod -R 755 /var/aegir
- # Include the Aegir config
- echo "Include /var/aegir/config/vhost.d/" > /etc/httpd/conf.d/aegir.conf
+ # Include the Aegir configs
+ ln -s /var/aegir/config/apache.conf /etc/httpd/conf.d/aegir.conf
  service mysqld start
  # Optional: set the mysql root password
  mysqladmin password $password

HINTS_Solaris.txt

@@ -58,7 +58,7 @@ Shell commands::
  groupadd aegir
  useradd -g aegir -G webservd -d /var/aegir -s /bin/bash -c "Aegir sandbox" aegir
  chown aegir:aegir /var/aegir
- echo "Include /var/aegir/config/vhost.d/" >> /etc/apache2/httpd.conf
+ echo "Include /var/aegir/config/apache.conf" >> /etc/apache2/httpd.conf
 
 MySQL commands::
  # Replace 'aegir_password' with the chosen password for 'aegir' mysql account

INSTALL.txt

@@ -156,8 +156,12 @@ you can place include that file in your apache.conf/httpd.conf. We
 prefer the former. In other systems there are similar ways to accomplish
 this. Consult your OS's documentation if unsure.
 
+If you are on a Debian-based system, you will also need to enable the 
+mod_rewrite module manually.
+
 Shell commands as root::
 
+ a2enmod rewrite
  ln -s /var/aegir/config/apache.conf /etc/apache2/conf.d/aegir.conf
 
 
@@ -212,9 +216,9 @@ the official release.). You can modify which version to install by editing the
 AEGIR_VERSION variable in the script.
 
 The install script is shipped with other default settings that you will likely
-need to change (such as the URL of the Aegir site) prior to running it.
+need to change, especially the value of AEGIR_DOMAIN to match the URL of your site.
 
-You can change which release to install or other parameters such as these
+You can also change which release to install or other parameters such as these
 through options passed to the script. Run "sh install.sh.txt -h" for more
 information on the available options.
 

UPGRADE.txt

@@ -36,9 +36,9 @@ you are reading this document.
 Shell commands::
 
   export AEGIR_VERSION=HEAD
-  export DRUPAL_DIR=/var/aegir/hostmaster-$AEGIR_TAG
+  export DRUPAL_DIR=/var/aegir/hostmaster-$AEGIR_VERSION
   export OLD_DRUPAL_DIR=/var/aegir/drupal-6.14
-  export DRUSH_VERSION=6.x-3.0-alpha1.tar.gz
+  export DRUSH_VERSION=All-versions-3.0-beta1
   export DRUSH_MAKE_VERSION=6.x-2.0-beta6
 
 This document also assumes drush is installed properly and we use an
@@ -159,13 +159,22 @@ and a single apache.conf. The vhost.d directory is for virtual hosts,
 platform.d is for platform-specific configuration and apache.conf is the
 server-wide configuration file.
 
-You will need to move all platform_* configuration file to the
-platform.d directory for Aegir to operate properly. Failure to do so
-will yield unpredictable results as multiple definitions will be loaded
-by Apache for the same platform. This can be fixed by doing:
+After you have completed the migration process as outlined above, 
+you will need to change the line you added to either the httpd.conf file 
+or /etc/apache2/conf.d/aegir file during installation.
 
+Open your httpd.conf file and modify :
 
-Shell commands::
+  Include /var/aegir/config/vhost.d
+
+To read :
+
+  Include /var/aegir/config/apache.conf
+
+You will also need to create the following directories :
+
+  /var/aegir/config/platform.d
+  /var/aegir/config/apache.d
 
-  mkdir /var/aegir/config/platform.d/
-  mv /var/aegir/config/vhost.d/platform_*.conf /var/aegir/config/platform.d/
+Now log into Aegir, and verify the hostmaster platform. This will generate
+the correct apache.conf file and restart apache.

db_server/backup.provision.inc

@@ -21,7 +21,7 @@ function drush_provision_mysql_pre_provision_backup($url = NULL) {
 host=%s
 user=%s
 password=%s
-', drush_get_option('db_host'), drush_get_option('db_user'), drush_get_option('db_passwd'));
+', drush_get_option('db_host'), urldecode(drush_get_option('db_user')), urldecode(drush_get_option('db_passwd')));
 
   $descriptorspec = array(
    // 0 => array("pipe", "r"),  // this would be stdin, but we don't need to input into mysqldump

db_server/provision_mysql.drush.inc

@@ -277,15 +277,7 @@ function _provision_mysql_suggest_db_name($url) {
  *
  */
 function _provision_mysql_grant_host($db_host, $web_ip, $web_host) {
-  // The database hostname is localhost, not defined or on the same ip/host as the webserver.
-  if (in_array($db_host, array('127.0.0.1', 'localhost', '', $web_ip, $web_host))) {
-    $grant = 'localhost';
-  }
-  // if we have the web ip, use that first.
-  elseif ($web_ip) {
-    $grant = $web_ip;
-  } else {
-    $grant = $web_host;
-  }
-  return $grant;
+  $result = provision_db_result(provision_db_query("select current_user()"));
+  preg_match('/^.*@(.*)$/', $result, $matches);
+  return $matches[1];
 }

install.sh.txt

@@ -35,8 +35,7 @@ AEGIR_VERSION=HEAD
 AEGIR_HOME=$HOME
 WEB_GROUP=www-data
 # doesn't exist yet, but we need drush_prompt in HEAD
-DRUSH_VERSION=6.x-3.0-beta2
-DRUSH_MAKE_VERSION=6.x-2.0-beta6
+DRUSH_VERSION=All-versions-3.0-rc3
 
 # when adding a variable here, add it to the display below
 
@@ -140,6 +139,7 @@ fi
 msg "Creating basic directory structure"
 mkdir -p $AEGIR_HOME/config/vhost.d
 mkdir -p $AEGIR_HOME/config/platform.d
+mkdir -p $AEGIR_HOME/config/apache.d
 mkdir -p $AEGIR_HOME/backups
 chmod 0711 $AEGIR_HOME/config
 chmod 0700 $AEGIR_HOME/backups
@@ -175,7 +175,7 @@ else
   $DRUSH dl drush_make-$DRUSH_MAKE_VERSION --destination=$AEGIR_HOME/.drush
 fi
 
-if $DRUSH help | grep "^ provision install" > /dev/null ; then
+if $DRUSH help | grep "^ provision-install" > /dev/null ; then
   msg "Provision already seems to be installed"
 else
   msg "Installing provision backend in $AEGIR_HOME/.drush"
@@ -190,8 +190,37 @@ else
   fi
 fi
 
+<<<<<<< HEAD
 # this will prompt the user for the database password if not provided through stdin in JSON
 $DRUSH provision-server --parent_path=$AEGIR_HOME --web_group=$WEB_GROUP --drush_path=$DRUSH
+=======
+# this should be handled by provision server verification, as it is a
+# duplicate of web_server/provision_apache_server.tpl.php
+# http://drupal.org/node/586000
+if [ ! -f $AEGIR_HOME/config/apache.conf ]; then
+  cat > $AEGIR_HOME/config/apache.conf <<EOF
+NameVirtualHost *:80  
+<IfModule ssl_module>
+  NameVirtualHost *:443  
+</IfModule>
+
+<IfModule !env_module>
+  LoadModule env_module modules/mod_env.so
+</IfModule>
+
+<IfModule !rewrite_module>
+  LoadModule rewrite_module modules/mod_rewrite.so
+</IfModule>
+
+# virtual hosts
+Include $AEGIR_HOME/config/vhost.d/
+# platforms
+Include $AEGIR_HOME/config/platform.d/
+# other configuration, not touched by aegir
+Include $AEGIR_HOME/config/apache.d/
+EOF
+fi
+>>>>>>> master
 
 msg "Aegir provision backend installed successfully"
 

platform/backup.provision.inc

@@ -70,3 +70,14 @@ function drush_provision_drupal_provision_backup($url) {
     drush_set_error('PROVISION_BACKUP_FAILED', dt("Could not back up sites directory for drupal"));
   }
 }
+
+/**
+ * Remove the backup file if something went wrong
+ */
+function drush_provision_drupal_provision_backup_rollback() {
+  $backup_file = drush_get_option('backup_file');
+  if (file_exists($backup_file)) {
+    provision_path('unlink', $backup_file, TRUE, 
+          dt("Removed stale backup file $backup_file"), dt("Failed deleting backup file $backup_file"));
+  }
+}

platform/backupmigrate/README.txt

+This provision extension is designed to enforce privacy of backups in the backup_migrate module.
+
+http://drupal.org/node/642948

platform/backupmigrate/provision_backupmigrate.info

+name = Provision: backup_migrate
+description = Backup migrate specific configuration
+package = Provision
+dependencies[] = provision
+
+core = 6.x

platform/backupmigrate/verify.provision.inc

+<?php
+
+/**
+ * Inject the relevant .htacces configuration into the global apache configuration
+ */
+function provision_backupmigrate_provision_apache_dir_config($data = null) {
+  return <<<EOF
+  RewriteRule sites/%{SERVER_NAME}/files/backup_migrate - [F]
+  RewriteRule files/backup_migrate - [F]
+EOF;
+}

platform/drupal/deploy.inc

@@ -2,7 +2,7 @@
 // $Id$
 
 $new_url = drush_get_option('site_url');
-$old_url = drush_get_option('site_url', 'site');
+$old_url = drush_get_option('site_url', '', 'site');
 
 /**
  * @file
@@ -15,7 +15,7 @@ drush_log(
   dt('Changed paths from sites/@old_url to sites/@new_url',
   array('@old_url' => $old_url, '@new_url' => $new_url)));
 
-db_query("UPDATE {files} SET filepath=replace(filepath, 'sites/%', 'sites/%')", $old_url, $new_url);
+db_query("UPDATE {files} SET filepath=replace(filepath, 'sites/%s', 'sites/%s')", $old_url, $new_url);
 db_query("UPDATE {users} SET picture = replace(picture, 'sites/%s', 'sites/%s')", $old_url, $new_url);
 variable_set('file_directory_path', "sites/$new_url/files");
 variable_set('file_directory_temp', "sites/$new_url/files/tmp");

platform/provision_drupal.drush.inc

@@ -445,10 +445,6 @@ function provision_find_packages() {
     $packages['profiles'][$profile] =  _provision_find_packages('profiles', $profile);
   }
 
-  // Iterate through the sites, finding site specific packages
-  foreach (drush_get_option('sites', array()) as $site) {
-    $packages['sites'][$site] = _provision_find_packages('sites', $site);
-  }
   return $packages;
 }
 
@@ -501,6 +497,11 @@ function provision_drupal_system_map() {
   $packages['profiles'][$profile]->status = 1;
 
   foreach (_provision_system_query("module") as $module) { 
+    $frags = explode("/", $module->filename);
+    // ignore site-specific modules
+    if ($frags[0] == 'sites' && $frags[1] != 'all') {
+      continue;
+    }
     $info_file = sprintf("%s/%s.info", dirname($module->filename), $module->name);
     $module->info = provision_parse_info_file($info_file);
 
@@ -514,7 +515,13 @@ function provision_drupal_system_map() {
 
   drush_log(dt("Found !count modules", array('!count' => sizeof($packages['modules']))));
 
+  // XXX: mostly a copy-paste from above
   foreach (_provision_system_query("theme") as $theme) { 
+    $frags = explode("/", $theme->filename);
+    // ignore site-specific themes
+    if ($frags[0] == 'sites' && $frags[1] != 'all') {
+      continue;
+    }
     $info_file = sprintf("%s/%s.info", dirname($theme->filename), $theme->name);
     $theme->info = provision_parse_info_file($info_file);
     _provision_cvs_deploy($theme);
@@ -571,7 +578,7 @@ function _provision_drupal_find_modules($scope, $key = '') {
       $source = str_replace("\r\n", "\n", $source);
       $source = str_replace("\r", "\n", $source);
       $function_matches = array();
-        preg_match_all('!function\s*&?([a-zA-Z0-9_]+)_update_([0-9]+)\(.*?\s*\{!', $source, $function_matches);
+        preg_match_all('!function\s*&?([a-zA-Z0-9_]+)_update_([0-9]+)\s*\(.*?\s*\{!', $source, $function_matches);
       
       if (sizeof($function_matches[0])) {
         $schema_version = max($function_matches[2]);
@@ -604,7 +611,10 @@ function provision_parse_info_file($filename) {
 }
 
 /**
- * Set up the $_SERVER environment variable so that drupal can correctly parse the settings.php file
+ * Set up the $_SERVER environment variable so that drupal can correctly parse the settings.php file.
+ * The real credentials are stored in the Apache vhost of the relevant site, to prevent leaking of 
+ * sensitive data to site administrators with PHP access who might otherwise access such credentials 
+ * potentially of other sites' settings.php in a multisite set-up.
  */
 function provision_prepare_environment() {
   $fields = array('db_type', 'db_host', 'db_user', 'db_passwd', 'db_name');

platform/provision_drupal_htaccess.tpl.php

-#
-# Apache/PHP/Drupal settings:
-#
-
-# Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
-  Order allow,deny
-</FilesMatch>
-
-# Don't show directory listings for URLs which map to a directory.
-Options -Indexes
-
-# Follow symbolic links in this directory.
-Options +FollowSymLinks
-
-# Make Drupal handle any 404 errors.
-ErrorDocument 404 /index.php
-
-# Force simple error message for requests for non-existent favicon.ico.
-<Files favicon.ico>
-  # There is no end quote below, for compatibility with Apache 1.3.
-  ErrorDocument 404 "The requested file favicon.ico was not found.
-</Files>
-
-# Set the default handler.
-DirectoryIndex index.php
-
-# Override PHP settings. More in sites/default/settings.php
-# but the following cannot be changed at runtime.
-
-# PHP 4, Apache 1.
-<IfModule mod_php4.c>
-  php_value magic_quotes_gpc                0
-  php_value register_globals                0
-  php_value session.auto_start              0
-  php_value mbstring.http_input             pass
-  php_value mbstring.http_output            pass
-  php_value mbstring.encoding_translation   0
-</IfModule>
-
-# PHP 4, Apache 2.
-<IfModule sapi_apache2.c>
-  php_value magic_quotes_gpc                0
-  php_value register_globals                0
-  php_value session.auto_start              0
-  php_value mbstring.http_input             pass
-  php_value mbstring.http_output            pass
-  php_value mbstring.encoding_translation   0
-</IfModule>
-
-# PHP 5, Apache 1 and 2.
-<IfModule mod_php5.c>
-  php_value magic_quotes_gpc                0
-  php_value register_globals                0
-  php_value session.auto_start              0
-  php_value mbstring.http_input             pass
-  php_value mbstring.http_output            pass
-  php_value mbstring.encoding_translation   0
-</IfModule>
-
-# Requires mod_expires to be enabled.
-<IfModule mod_expires.c>
-  # Enable expirations.
-  ExpiresActive On
-
-  # Cache all files for 2 weeks after access (A).
-  ExpiresDefault A1209600
-
-  <FilesMatch \.php$>
-    # Do not allow PHP scripts to be cached unless they explicitly send cache
-    # headers themselves. Otherwise all scripts would have to overwrite the
-    # headers set by mod_expires if they want another caching behavior. This may
-    # fail if an error occurs early in the bootstrap process, and it may cause
-    # problems if a non-Drupal PHP file is installed in a subdirectory.
-    ExpiresActive Off
-  </FilesMatch>
-</IfModule>
-
-# Various rewrite rules.
-<IfModule mod_rewrite.c>
-  RewriteEngine on
-
-  # allow files to be accessed without /sites/fqdn/
-  RewriteRule ^files/(.*)$ /sites/%{HTTP_HOST}/files/$1 [L]
-
-  # Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
-  RewriteCond %{REQUEST_FILENAME} !-f
-  RewriteCond %{REQUEST_FILENAME} !-d
-  RewriteCond %{REQUEST_URI} !=/favicon.ico
-  RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
-</IfModule>

platform/provision_drupal_settings.tpl.php

-
+  /**
+   * The database credentials are stored in the Apache vhost config
+   * of the associated site with SetEnv parameters.
+   * They are called here with $_SERVER environment variables to 
+   * prevent sensitive data from leaking to site administrators 
+   * with PHP access, that potentially might be of other sites in
+   * Drupal's multisite set-up.
+   * This is a security measure implemented by the Aegir project.
+   */
   $databases['default']['default'] = array(
     'driver' => urldecode($_SERVER['db_type']),
     'database' => urldecode($_SERVER['db_name']),

platform/verify.provision.inc

@@ -67,9 +67,14 @@ function drush_provision_drupal_post_provision_verify($url = NULL) {
  * @see hook_provision_apache_dir_config()
  */
 function provision_drupal_provision_apache_dir_config($data = null) {
-  $htaccess = file_get_contents(dirname(__FILE__) . "/provision_drupal_htaccess.tpl.php");
+  $htaccess = file_get_contents(drush_get_option('publish_path') . '/.htaccess');
   $htaccess .= <<<EOF
 
+<IfModule mod_rewrite.c>
+  # allow files to be accessed without /sites/fqdn/
+  RewriteRule ^files/(.*)$ /sites/%{HTTP_HOST}/files/$1 [L]
+</IfModule>
+
 # Do not read the platform's .htaccess
 AllowOverride none
 

provision.drush.inc

@@ -300,11 +300,13 @@ function _provision_default_web_group() {
  */
 function provision_count_cpus() {
   $ncpus = FALSE;
-  # this should work on Linux with a /proc filesystem
-  $cpuinfo = file_get_contents("/proc/cpuinfo");
-  if ($cpuinfo !== FALSE) {
-    if (preg_match_all("/^processor.*:.*[0-9]+$/m", $cpuinfo, $matches)) {
-      $ncpus = count(array_pop($matches));
+  if (file_exists("/proc/cpuinfo")) {
+    # this should work on Linux with a /proc filesystem
+    $cpuinfo = file_get_contents("/proc/cpuinfo");
+    if ($cpuinfo !== FALSE) {
+      if (preg_match_all("/^processor.*:.*[0-9]+$/m", $cpuinfo, $matches)) {
+        $ncpus = count(array_pop($matches));
+      }
     }
   }
   return $ncpus;

ssl/provision_ssl.drush.inc

@@ -31,10 +31,12 @@ function provision_ssl_provision_apache_vhost_config($url, $options) {
       $newoptions['site_port'] = 80;
       provision_write_config(drush_get_option('vhost_path') . '/' . $url . '_80', _provision_apache_redirect_template(), $newoptions);
     }
-    return array("php_value session.cookie_secure 1", "SSLEngine On");
-  } else {
-    return NULL;
+    $newoptions = $options;
+    $newoptions['site_port'] = 443;
+    $newoptions['extra_config'] = "php_value session.cookie_secure 1\nSSLEngine On\n";
+    provision_write_config(drush_get_option('vhost_path') . '/' . $url .  '_443', _provision_apache_default_template(), $newoptions);
   }
+  return NULL;
 }
 
 /**

web_server/provision_apache.drush.inc

@@ -188,6 +188,11 @@ function _provision_apache_create_platform_config($url) {
   $writable = provision_path("writable", drush_get_option('platform_conf_path'), TRUE , NULL, dt("Platform configuration path @path is not writable."), 'PROVISION_VHOST_PATH_NOT_WRITABLE');
 
   if ($writable) {
+    // remove the old path first.
+    $oldfile = drush_get_option('vhost_path') . '/' . $file;
+    if (file_exists($oldfile) && is_writable($oldfile)) {
+      unlink($oldfile);
+    }
     return provision_write_config(drush_get_option('platform_conf_path') . '/' . $file, _provision_apache_platform_template(), $data);
   } else {
     return $writable;
@@ -219,7 +224,12 @@ function _provision_apache_create_server_config() {
       'PROVISION_VHOST_PATH_NOT_WRITABLE');
   
   if ($writable) {
-    return provision_write_config($file, $template, $options);
+    // remove the old path first.
+    $oldfile = drush_get_option('vhost_path') . '/' . drush_get_option('web_host') . '.server';
+    if (file_exists($oldfile) && is_writable($oldfile)) {
+      unlink($oldfile);
+    }
+    return provision_write_config(drush_get_option('config_path') .'/apache.conf', $template, $options);
   } else {
     return $writable;
   }