download/panel/memcached/install.sh

#!/bin/bash
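# Search the standard system directories before anything inherited from the
# caller. The inherited PATH is appended only when it is non-empty: a trailing
# ":" would add an empty entry, which the shell resolves as the current
# directory, and this installer later runs commands from inside a downloaded
# source tree.
export PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin${PATH:+:${PATH}}"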
: '
Copyright (C) 2022 - now HaoZi Technology Co., Ltd.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
'
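# Fetch the shared helper library into a variable first and evaluate it only
# after curl reported success. With `source <(curl ...)` the status seen in $?
# is that of `source`, which succeeds on empty input, so a failed download
# went unnoticed.
#
# NOTE(review): whatever this URL returns is executed with the installer's
# privileges (the script goes on to create users and write under
# /etc/systemd). Nothing here pins a digest or signature for public.sh, so
# trust rests entirely on TLS to that host.
if ! public_sh=$(curl -f -s --connect-timeout 10 --retry 3 https://dl.cdn.haozi.net/panel/public.sh) ||
  [ -z "${public_sh}" ]; then
  echo "下载 public.sh 失败,请检查网络或稍后重试。"
  echo "Download public.sh failed, please check the network or try again later."
  exit 1
fi
source <(printf '%s\n' "${public_sh}")
unset public_sh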
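# Positional arguments: $1 = release channel, $2 = memcached version to build.
channel=${1}
version=${2}
# The version is spliced into download URLs and into paths handed to
# wget/tar/rm/mv further down, so accept only a plain version token: no "/",
# no whitespace, and no leading "." or "-".
if [[ ! "${version}" =~ ^[0-9A-Za-z][0-9A-Za-z._-]*$ ]]; then
  # error is not defined in this file; presumably it comes from public.sh.
  # The explicit exit covers the case where it returns instead of exiting.
  error "memcached 版本号无效"
  exit 1
fi
# setup_path is not set in this file (presumably by the sourced public.sh).
# Refuse to continue without it, otherwise the install directory that is
# later removed and recreated would resolve to /server/memcached.
: "${setup_path:?setup_path is not set}"
memcached_path="${setup_path}/server/memcached"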
# Create the dedicated memcached group and account when the account does not
# exist yet. The account's shell is /sbin/nologin, so it is not usable for
# interactive logins.
id -u "memcached" >/dev/null 2>&1 || {
  groupadd memcached
  useradd -s /sbin/nologin -g memcached memcached
}
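# Install build dependencies.
# OS is not set in this file (presumably by the sourced public.sh). It is
# quoted so an empty value falls through to the "unsupported" branch instead
# of producing "unary operator expected" errors from `[`.
deps_status=0
if [ "${OS}" == "rhel" ]; then
  # Metadata refresh stays best-effort; the installs below decide success.
  dnf makecache -y
  # Both install steps must succeed. Previously only the status of the last
  # command was inspected, so a failed group install went unnoticed.
  dnf groupinstall "Development Tools" -y &&
    dnf install openssl-devel cyrus-sasl cyrus-sasl-devel libevent-devel -y ||
    deps_status=$?
elif [ "${OS}" == "debian" ] || [ "${OS}" == "ubuntu" ]; then
  apt-get update
  apt-get install build-essential libssl-dev libsasl2-2 libsasl2-dev libevent-dev -y ||
    deps_status=$?
else
  error "不支持的操作系统" || deps_status=$?
fi
if [ "${deps_status}" != "0" ]; then
  error "安装依赖软件失败"
fi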
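# Prepare a clean install directory.
# ${var:?} aborts the script rather than letting rm -rf run on an empty path.
rm -rf -- "${memcached_path:?}"
mkdir -p -- "${memcached_path}"
# Stop if the directory cannot be entered: the checksum, tar and mv steps that
# follow use relative names and would otherwise act on the caller's working
# directory.
cd -- "${memcached_path}" || {
  echo "cannot enter ${memcached_path}" >&2
  exit 1
}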
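# Download the source tarball and its checksum file.
# All expansions are quoted because ${version} is caller-supplied.
tarball="memcached-${version}.tar.gz"
wget -T 120 -t 3 -O "${memcached_path}/${tarball}" "${download_url}/memcached/${tarball}"
wget -T 20 -t 3 -O "${memcached_path}/${tarball}.sha256" "${download_url}/memcached/${tarball}.sha256"
# NOTE(review): the .sha256 file comes from the same ${download_url} as the
# tarball. The check therefore catches a corrupted or truncated download, but
# it cannot detect a tarball that was replaced at the origin together with
# its checksum. Authenticity would need a digest or signature delivered
# through a separate trusted channel.
# A failed wget leaves an empty file behind, which also fails this check.
if ! sha256sum --status -c "${tarball}.sha256"; then
  rm -rf -- "${memcached_path:?}"
  error "memcached 校验失败"
fi
# --no-same-owner: when run as root, do not restore the uid/gid recorded in
# the archive; extracted files belong to the invoking user instead.
tar -zxv --no-same-owner -f "${tarball}"
rm -f -- "${tarball}"
rm -f -- "${tarball}.sha256"
mv -- "memcached-${version}" src
# If extraction or the rename failed, this cd fails too, and the ./configure
# status check that follows in the script reports the error.
cd src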
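# Configure with TLS and SASL support compiled in.
# The prefix follows memcached_path rather than a hard-coded
# /www/server/memcached, so the binary is installed where the post-install
# check below looks for it even when setup_path is not /www.
if ! ./configure --prefix="${memcached_path}" --enable-tls --enable-sasl --enable-sasl-pwdb --enable-64bit; then
  rm -rf -- "${memcached_path:?}"
  error "memcached 配置失败"
fi
# CORES is not set in this file (presumably by the sourced public.sh).
if ! make "-j${CORES}"; then
  rm -rf -- "${memcached_path:?}"
  error "memcached 编译失败"
fi
make install
# Success is judged by the presence of the installed binary, not by the exit
# status of `make install`.
if [ ! -f "${memcached_path}/bin/memcached" ]; then
  rm -rf -- "${memcached_path:?}"
  error "memcached 安装失败"
fi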
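# Leave the build tree and delete it by absolute path, so the removal cannot
# hit a different "src" directory if the working directory is unexpected.
cd -- "${memcached_path}" || exit 1
rm -rf -- "${memcached_path:?}/src"
# NOTE(review): the whole tree, including bin/memcached, ends up owned by and
# writable for the memcached account, which is the account the service runs
# as. A compromised daemon could therefore modify its own binary. Root-owned
# binaries that the service account can only read and execute are the more
# common layout. Confirm whether the panel relies on this ownership before
# tightening it.
chown -R memcached:memcached "${memcached_path}"
chmod -R 700 "${memcached_path}"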
# Write the systemd unit for the service.
# The here-document delimiter is unquoted, so ${memcached_path} and $OPTIONS
# are expanded by this shell while the file is written. $OPTIONS is thus taken
# from the installer's environment at install time. It is not a variable that
# systemd resolves at service start, and the unit has no EnvironmentFile=.
# NOTE(review): ExecStart passes -p 11211 but no -l <addr>, and memcached
# listens on all interfaces when -l is absent. It also passes no SASL (-S) or
# TLS (-Z) switch although both are compiled in. Unless $OPTIONS supplied them
# at install time, the cache is reachable without authentication on every
# interface. Restrict it with a loopback bind or a host firewall rule, and
# confirm what the panel configures afterwards.
cat >/etc/systemd/system/memcached.service <<EOF
[Unit]
Description=memcached daemon
After=network.target
Wants=network.target
[Service]
User=memcached
Group=memcached
Type=simple
Restart=on-failure
RestartSec=5s
ExecStart=${memcached_path}/bin/memcached -p 11211 -u memcached -m 128 -c 1024 $OPTIONS
# Set up a new file system namespace and mounts private /tmp and /var/tmp
# directories so this service cannot access the global directories and
# other processes cannot access this service's directories.
PrivateTmp=true
# Mounts the /usr, /boot, and /etc directories read-only for processes
# invoked by this unit.
ProtectSystem=full
# Ensures that the service process and all its children can never gain new
# privileges
NoNewPrivileges=true
# Sets up a new /dev namespace for the executed processes and only adds API
# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
PrivateDevices=true
# Required for dropping privileges and running as a different user
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
# Restricts the set of socket address families accessible to the processes
# of this unit. Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Attempts to create memory mappings that are writable and executable at
# the same time, or to change existing memory mappings to become executable
# are prohibited.
MemoryDenyWriteExecute=true
# Explicit module loading will be denied. This allows to turn off module
# load and unload operations on modular kernels. It is recommended to turn
# this on for most services that do not need special file systems or extra
# kernel modules to work.
ProtectKernelModules=true
# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
# will be made read-only to all processes of the unit. Usually, tunable
# kernel variables should only be written at boot-time, with the sysctl.d(5)
# mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true
# The Linux Control Groups (cgroups(7)) hierarchies accessible through
# /sys/fs/cgroup will be made read-only to all processes of the unit.
# Except for container managers no services should require write access
# to the control groups hierarchies; it is hence recommended to turn this
# on for most services
ProtectControlGroups=true
# Any attempts to enable realtime scheduling in a process of the unit are
# refused.
RestrictRealtime=true
# Takes away the ability to create or manage any kind of namespace
RestrictNamespaces=true
[Install]
WantedBy=multi-user.target
EOF
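# Make systemd pick up the new unit file, then enable the service at boot and
# start it immediately.
systemctl daemon-reload
if ! systemctl enable --now memcached; then
  error "启动失败"
fi
# Presumably records the installed channel and version with the panel.
# Both arguments are quoted so that an empty channel stays an (empty)
# argument instead of letting the version slide into its position.
panel-cli app write memcached "${channel}" "${version}"
# HR is not set in this file (presumably a separator line from public.sh);
# quoting keeps it from being word-split or glob-expanded.
echo -e "${HR}"
echo "安装完成"
echo -e "${HR}"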