hms-dbmi · bp85 · Jul 5, 2023 · Jul 5, 2023 · Jul 7, 2023 · Jul 7, 2023
diff --git a/RStudio/machine-images/config/infra/files/rstudio/nginx.conf b/RStudio/machine-images/config/infra/files/rstudio/nginx.conf
@@ -1,96 +1,97 @@
-user nginx;
-worker_processes auto;
-pid /run/nginx.pid;
-
-
-events {
-  worker_connections 1024;
-}
-
-
-http {
-
-  server_tokens off;
-  server_name_in_redirect off;
-
-	sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
-	keepalive_timeout 65;
-	types_hash_max_size 2048;
-
-  include mime.types;
-  default_type application/octet-stream;
-
-	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
-
-  map $request_method $proxy_body {
-    POST $request_body;
-    GET $query_string;
-  }
-  map $http_upgrade $connection_upgrade {
-    default upgrade;
-    '' close;
-  }
-
-  server {
-    listen 80;
-    return 301 https://$host$request_uri;
-  }
-
-  server {
-
-    listen 443 ssl http2;
-
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers on;
-    ssl_dhparam dhparam.pem;
-    ssl_session_cache shared:SSL:1m;
-    ssl_session_timeout 5m;
-    ssl_session_tickets off;
-    ssl_certificate cert.pem;
-    ssl_certificate_key cert.key;
-    ssl_trusted_certificate cert.pem;
-
-    add_header Referrer-Policy same-origin always;
-    add_header X-Frame-Options SAMEORIGIN always;
-    add_header X-Content-Type-Options nosniff always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-    add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';" always;
-
-    proxy_http_version 1.1;
-    proxy_read_timeout 20d;
-    proxy_set_header Host $host;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-   # Health check url
-    location /health {
-      return 200 'OK';
-      add_header Content-Type text/plain;
-    }
-
-    location / {
-      proxy_pass http://localhost:8787;
-    }
-
-    location /auth-do-sign-in {
-      proxy_pass http://localhost:8787;
-      proxy_set_header Cookie "csrf-token=$request_id";
-      proxy_method POST;
-      proxy_set_header Content-Type application/x-www-form-urlencoded;
-      proxy_set_body $proxy_body&csrf-token=$request_id;
-    }
-
-    location /auth-sign-in {
-      return 403;
-    }
-
-  }
-
-}
+user nginx;
+worker_processes auto;
+pid /run/nginx.pid;
+
+
+events {
+  worker_connections 1024;
+}
+
+
+http {
+
+  server_tokens off;
+  server_name_in_redirect off;
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+
+  include mime.types;
+  default_type application/octet-stream;
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+  map $request_method $proxy_body {
+    POST $request_body;
+    GET $query_string;
+  }
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+  }
+
+  server {
+    listen 80;
+    return 301 https://$host$request_uri;
+  }
+
+  server {
+
+    listen 443 ssl http2;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers on;
+    ssl_dhparam dhparam.pem;
+    ssl_session_cache shared:SSL:1m;
+    ssl_session_timeout 5m;
+    ssl_session_tickets off;
+    ssl_certificate cert.pem;
+    ssl_certificate_key cert.key;
+    ssl_trusted_certificate cert.pem;
+
+    add_header Referrer-Policy same-origin always;
+    add_header X-Frame-Options SAMEORIGIN always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+    add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';" always;
+
+    proxy_http_version 1.1;
+    proxy_read_timeout 20d;
+    proxy_set_header Host $host;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+   # Health check url
+    location /health {
+      return 200 'OK';
+      add_header Content-Type text/plain;
+    }
+
+    location / {
+      proxy_pass http://localhost:8787;
+    }
+
+    location /auth-do-sign-in {
+      proxy_pass http://localhost:8787;
+      proxy_redirect https://localhost:8787/ https://$host/;
+      proxy_set_header Cookie "csrf-token=$request_id";
+      proxy_method POST;
+      proxy_set_header Content-Type application/x-www-form-urlencoded;
+      proxy_set_body $proxy_body&csrf-token=$request_id;
+    }
+
+    location /auth-sign-in {
+      return 403;
+    }
+
+  }
+
+}
diff --git a/RStudio/machine-images/config/infra/files/rstudio/set-password b/RStudio/machine-images/config/infra/files/rstudio/set-password
@@ -3,14 +3,14 @@
 # Retrieving instance metadata information from within the EC2 instance
 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
 
-instance_id=$(curl -s "http://169.254.169.254/latest/meta-data/instance-id")
+instance_id=$(curl -H "X-aws-ec2-metadata-token: $(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")" -s "http://169.254.169.254/latest/meta-data/instance-id")
 secret=$(cat "/root/secret.txt")
 password=$(echo -n "${instance_id}${secret}" | sha256sum | awk '{print $1}')
 echo "rstudio-user:$password" | /usr/sbin/chpasswd
 echo "Set rstudio-user password"
 
 sleep 10
 public_key=$(curl http://localhost:8787/auth-public-key)
-instance_region=$(curl -s "http://169.254.169.254/latest/meta-data/placement/region")
-aws ssm put-parameter --name "/rstudio/publickey/sc-environments/ec2-instance/${instance_id}" --value $public_key --region $instance_region --type SecureString --overwrite 
-echo "Stored rstudio public key in SSM"
+instance_region=$(curl -H "X-aws-ec2-metadata-token: $(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")" -s "http://169.254.169.254/latest/meta-data/placement/region")
+aws ssm put-parameter --name "/rstudio/publickey/sc-environments/ec2-instance/${instance_id}" --value $public_key --region $instance_region --type SecureString --overwrite
+echo "Stored rstudio public key in SSM"
diff --git a/RStudio/machine-images/config/infra/provisioners/install-r-packages.sh b/RStudio/machine-images/config/infra/provisioners/install-r-packages.sh
@@ -3,51 +3,73 @@
 # Restart RStudio server
 sudo systemctl restart rstudio-server
 
+#SELinux stuff
+sudo /sbin/selinuxenabled >& /dev/null
+if [ $? -eq 0 ]; then
+  #/tmp context won't allow building packages
+  export tmpDir="/home/ec2-user/tmp/r-cran"
+else
+  export tmpDir="/tmp/r-cran"
+fi
+
 # Create temporary package installation script for R
-tmpDir="/tmp/r-cran"
 mkdir -p $tmpDir
 tmpFile="$tmpDir/packages.R"
-sudo cat << END >> "$tmpFile"
-# Install additional R Packages
-install.packages('tidyverse', version='1.3.2', repos='http://cran.r-project.org/')
-install.packages('dplyr', version='1.1.0', repos='http://cran.r-project.org/')
-install.packages('tidyr', version='1.3.0', repos='http://cran.r-project.org/')
-install.packages('ggplot2', version='3.4.1', repos='http://cran.r-project.org/')
-install.packages('data.table', version='1.14.6', repos='http://cran.r-project.org/')
-install.packages('kableExtra', version='1.3.4', repos='http://cran.r-project.org/')
-install.packages('survival', version='3.5.3', repos='http://cran.r-project.org/')
-install.packages('survminer', version='0.4.9', repos='http://cran.r-project.org/')
-install.packages('MASS', version='7.3.58.2', repos='http://cran.r-project.org/')
-install.packages('quantreg', version='5.94', repos='http://cran.r-project.org/')
-install.packages('DescTools', version='0.99.47', repos='http://cran.r-project.org/')
-install.packages('rentrez', version='1.2.3', repos='http://cran.r-project.org/')
-install.packages('XML', version='3.99.0.13', repos='http://cran.r-project.org/')
-install.packages('Matrix', version='1.5.3', repos='http://cran.r-project.org/')
-install.packages('irlba', version='2.3.5.1', repos='http://cran.r-project.org/')
-install.packages('threejs', version='0.3.3', repos='http://cran.r-project.org/')
-install.packages('seqinr', version='4.2.23', repos='http://cran.r-project.org/')
-install.packages('urltools', version='1.7.3', repos='http://cran.r-project.org/')
-install.packages('bitops', version='1.0.7', repos='http://cran.r-project.org/')
-install.packages('maptools', version='1.1.6', repos='http://cran.r-project.org/')
-install.packages('randomForest', version='4.7.1.1', repos='http://cran.r-project.org/')
-install.packages('RCurl', version='1.98.1.10', repos='http://cran.r-project.org/')
-install.packages('arsenal', version='3.6.3', repos='http://cran.r-project.org/')
 
+# Setup Rprofile for default options
+echo 'options(repos=c(CRAN="https://cran.rstudio.com"))' | sudo tee -a /root/.Rprofile
+echo 'options(Ncpus=parallel::detectCores() * 2)' | sudo tee -a /root/.Rprofile
+
+sudo cat << END >> "$tmpFile"
 # Install and load remotes package
-install.packages('remotes', version='2.4.2', repos='http://cran.r-project.org/')
+install.packages('remotes', version='2.4.2')
 library('remotes')
 
-remotes::install_github('YuLab-SMU/ggtree', version='3.7.1.2', dep=TRUE)
-
 # Install repos that need a specific order
 remotes::install_github('rstudio/httpuv', version='1.6.9', dep=TRUE)
-install.packages('shiny', version='1.7.4', repos='http://cran.r-project.org/') # needs httpuv
-install.packages('devtools', version='2.4.5', repos='http://cran.r-project.org/') # needs shiny
-install.packages('adegenet', version='2.1.10', repos='http://cran.r-project.org/') # needs devtools
+install.packages('shiny', version='1.7.4') # needs httpuv
+install.packages('devtools', version='2.4.5') # needs shiny
+install.packages('adegenet', version='2.1.10') # needs devtools
+
+packages <- c(
+'tidyverse=1.3.2',
+'dplyr=1.1.0',
+'tidyr=1.3.0',
+'ggplot2=3.4.1',
+'data.table=1.14.6',
+'kableExtra=1.3.4',
+'survival=3.5.3',
+'survminer=0.4.9',
+'MASS=7.3.58.2',
+'quantreg=5.94',
+'DescTools=0.99.47',
+'rentrez=1.2.3',
+'XML=3.99.0.13',
+'Matrix=1.5.3',
+'irlba=2.3.5.1',
+'threejs=0.3.3',
+'seqinr=4.2.23',
+'urltools=1.7.3',
+'bitops=1.0.7',
+'maptools=1.1.6',
+'randomForest=4.7.1.1',
+'RCurl=1.98.1.10',
+'arsenal=3.6.3'
+)
+
+for (pkg in packages) {
+  pkg_split <- strsplit(pkg, "=")[[1]]
+  pkg_name <- pkg_split[1]
+  pkg_version <- pkg_split[2]
+  devtools::install_version(pkg_name, version = pkg_version, dependencies = TRUE)
+}
+
+remotes::install_github('YuLab-SMU/ggtree', version='3.7.1.2', dep=TRUE)
+
 END
 
 # Execute installation script
-sudo su - -c "R -e \"source('$tmpFile')\""
+sudo su - -c "export TMPDIR=$tmpDir; Rscript $tmpFile"
 
 # Output R library packages
 sudo su - -c "R -e \"installed.packages(lib.loc='/usr/local/lib64/R/library')[,'Version']\""