From f01f4dece6ce64a3b7ee45cae7f3b42e9f8184dc Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 17 May 2022 11:19:13 +0200 Subject: [PATCH 01/24] minifirewall: add debug for variables --- minifirewall/tasks/main.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 4a838ee9..483f8715 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -56,6 +56,11 @@ include: install.legacy.yml when: minifirewall_install_mode == 'legacy' +- name: Debug minifirewall_update_config + debug: + var: minifirewall_update_config | bool + verbosity: 1 + - name: Config tasks (modern mode) include: config.yml when: @@ -77,6 +82,11 @@ - name: Activation tasks include: activate.yml +- name: Debug minifirewall_tail_included + debug: + var: minifirewall_tail_included | bool + verbosity: 1 + - name: Tail tasks (modern mode) include: tail.yml when: @@ -91,6 +101,11 @@ # Restart? +- name: Debug minifirewall_restart_force + debug: + var: minifirewall_restart_force | bool + verbosity: 1 + - name: Force restart minifirewall (modern mode) command: /etc/init.d/minifirewall restart register: minifirewall_init_restart From 19ca65f55fb07c5dffe6569c0d85da7351719633 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 17 May 2022 15:05:20 +0200 Subject: [PATCH 02/24] Add task for VMware provider for install open-vm-tools --- evolinux-base/tasks/provider_vmware.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 evolinux-base/tasks/provider_vmware.yml diff --git a/evolinux-base/tasks/provider_vmware.yml b/evolinux-base/tasks/provider_vmware.yml new file mode 100644 index 00000000..1249d6fb --- /dev/null +++ b/evolinux-base/tasks/provider_vmware.yml 
@@ -0,0 +1,17 @@ +--- +- name: Check if the virtual machine on VMWare Host + shell: "dmidecode | grep -q 'VMware'" + check_mode: no + register: vmware_provider + failed_when: False + changed_when: False + tags: + - packages + +- name: OpenVM Tools are installed for vmware + apt: + state: present + name: open-vm-tools + tags: + - packages + when: vmware_provider == 0 From c6dec34f10c0d175a84f0834e5446cee63cf3126 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 17 May 2022 15:09:16 +0200 Subject: [PATCH 03/24] Add wmware_provider.rc variable --- evolinux-base/tasks/provider_vmware.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/provider_vmware.yml b/evolinux-base/tasks/provider_vmware.yml index 1249d6fb..dbf93d0e 100644 --- a/evolinux-base/tasks/provider_vmware.yml +++ b/evolinux-base/tasks/provider_vmware.yml @@ -14,4 +14,4 @@ name: open-vm-tools tags: - packages - when: vmware_provider == 0 + when: vmware_provider.rc == 0 From 134355d1903b01ed189c87486a557715fcae1649 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 24 May 2022 16:22:49 +0200 Subject: [PATCH 04/24] docker: Allow live-restore to be toggled with docker_conf_live_restore --- CHANGELOG.md | 2 ++ docker-host/defaults/main.yml | 3 +++ docker-host/templates/daemon.json.j2 | 2 +- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 67315979..d9cd0803 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* docker: Allow "live-restore" to be toggled with docker_conf_live_restore + ### Fixed ### Removed diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 5b64f342..3f713930 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml 
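Review bot: The "Check if the virtual machine on VMWare Host" task cannot distinguish "not a VMware guest" from "dmidecode failed", because `failed_when: False` plus `grep -q` collapse both into a non-zero rc, and dmidecode normally needs root, so an unprivileged run silently skips open-vm-tools. Ansible already gathers this from the same DMI data; `when: ansible_virtualization_type == "VMware" and ansible_virtualization_role == "guest"` on the apt task removes the shell pipeline, the `register`, and the root dependency. If the shell probe is kept, drop `failed_when: False` and test `vmware_provider.rc` explicitly so a broken dmidecode is reported rather than treated as "not VMware". The `.rc` comparison itself is fixed in the following patch.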
@@ -9,6 +9,9 @@ docker_conf_use_iptables: False # Disable the possibility for containers processes to gain new privileges docker_conf_no_newprivileges: False +# Toggle live restore (need to be disabled in swarm mode) +docker_conf_live_restore: True + # Disable all default network connectivity docker_conf_disable_default_networking: False diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 index c73268d9..08dcb1b2 100644 --- a/docker-host/templates/daemon.json.j2 +++ b/docker-host/templates/daemon.json.j2 @@ -5,7 +5,7 @@ "data-root": "{{ docker_home }}", {# Keep containers running while docker daemon downtime #} - "live-restore": true, + "live-restore": {{ docker_conf_live_restore | to_json }},, {# Turn on user namespace remaping #} "userns-remap": "default", From 145edbd3f70bb02814982744f476362420720dba Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 24 May 2022 18:04:55 +0200 Subject: [PATCH 05/24] Use is-enabled to check if alert5 is enabled --- minifirewall/files/check_minifirewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index 6588c469..e14d73f2 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall @@ -10,7 +10,7 @@ is_alert5_enabled() { if test -f /etc/init.d/alert5; then test -f /etc/rc2.d/S*alert5 else - systemctl is-active alert5 | grep -q "^active$" + systemctl is-enabled alert5 | grep -q "^enabled$" fi } From c1f0178daa54ccca4329ea43a333b4c788862d70 Mon Sep 17 00:00:00 2001 
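Review bot: The new `"live-restore"` line in daemon.json.j2 ends with two commas (`}},,`), which renders an invalid daemon.json and dockerd will refuse to start on every host that applies this template. The line should be `"live-restore": {{ docker_conf_live_restore | to_json }},`. Since daemon.json is consumed by a root daemon, a `validate:` step on the template task (e.g. a JSON parse of the rendered file) would catch this class of typo before the service is restarted.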
From: "William Hirigoyen (Evolix)" Date: Wed, 25 May 2022 09:31:34 +0200 Subject: [PATCH 06/24] =?UTF-8?q?Suppression=20lien=20symbolique=20boucle?= =?UTF-8?q?=20r=C3=A9cursive=20(cr=C3=A9=C3=A9=20par=20Victor=20en=20mars?= =?UTF-8?q?=202018)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evolix | 1 - 1 file changed, 1 deletion(-) delete mode 120000 evolix diff --git a/evolix b/evolix deleted file mode 120000 index 945c9b46..00000000 --- a/evolix +++ /dev/null @@ -1 +0,0 @@ -. \ No newline at end of file From 852ed38b56dc384f0d5871c684f4ab232a54c51d Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Wed, 25 May 2022 09:37:46 +0200 Subject: [PATCH 07/24] =?UTF-8?q?Revert=20"Suppression=20lien=20symbolique?= =?UTF-8?q?=20boucle=20r=C3=A9cursive=20(cr=C3=A9=C3=A9=20par=20Victor=20e?= =?UTF-8?q?n=20mars=202018)"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit c1f0178daa54ccca4329ea43a333b4c788862d70. --- evolix | 1 + 1 file changed, 1 insertion(+) create mode 120000 evolix diff --git a/evolix b/evolix new file mode 120000 index 00000000..945c9b46 --- /dev/null +++ b/evolix @@ -0,0 +1 @@ +. \ No newline at end of file From 2d98d50943a127e12c307cbe5bc6163a74c5c405 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Wed, 25 May 2022 17:48:46 +0200 Subject: [PATCH 08/24] Fix le chemin du paquet .deb d'Evoadmin-mail --- webapps/evoadmin-mail/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index e5af6a7f..7f94281b 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install evoadmin-mail package apt: - name: evoadmin-mail + deb: /tmp/evoadmin-mail.deb state: present tags: - evoadmin-mail From 269c7242a55c751e68ac6bf0b51144e613897d53 Mon Sep 17 00:00:00 2001 
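Review bot: `deb: /tmp/evoadmin-mail.deb` installs a package from a world-writable directory, and apt runs that package's maintainer scripts as root, so any local user who can create `/tmp/evoadmin-mail.deb` before the play runs gets root on the host. Nothing in this hunk places the file or verifies it; if a staging task exists it is outside the diff. Stage the package into a root-owned directory (for example under /root or /var/cache/apt/archives) with `copy`/`get_url` using `checksum:`, and point `deb:` at that path, or install it from the internal repository instead of a loose file.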
From: Gregory Colpart Date: Fri, 27 May 2022 23:05:07 +0200 Subject: [PATCH 09/24] correction du depot security pour Debian 11 --- apt/templates/bullseye_basics.list.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apt/templates/bullseye_basics.list.j2 b/apt/templates/bullseye_basics.list.j2 index 94b0995d..55f32b8d 100644 --- a/apt/templates/bullseye_basics.list.j2 +++ b/apt/templates/bullseye_basics.list.j2 @@ -2,4 +2,4 @@ deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }} deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} -deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }} \ No newline at end of file +deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }} From b3dbcb082fdc7e1b637ac5fd1fa5eb85d0d198fe Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 31 May 2022 14:06:15 +0200 Subject: [PATCH 10/24] certbot: add hapee (HAProxy Enterprise Edition) deploy hook --- CHANGELOG.md | 2 + certbot/files/hooks/deploy/hapee.sh | 93 +++++++++++++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 certbot/files/hooks/deploy/hapee.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index d9cd0803..a080d0df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +certbot: add hapee (HAProxy Enterprise Edition) deploy hook + ### Changed * docker: Allow "live-restore" to be toggled with docker_conf_live_restore diff --git a/certbot/files/hooks/deploy/hapee.sh b/certbot/files/hooks/deploy/hapee.sh new file mode 100644 index 00000000..a8acdea9 --- /dev/null +++ b/certbot/files/hooks/deploy/hapee.sh 
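Review bot: The security line goes from `https://deb.debian.org/debian-security` to plain `http://security.debian.org/debian-security`, and the commit message does not say why, although deb.debian.org served that suite over TLS. APT's signature checks keep package integrity intact, but plain HTTP exposes to any on-path observer exactly which security updates each host fetches, and when. If the change is for a proxy or apt-cacher setup, say so in a template comment; otherwise `https://security.debian.org/debian-security` keeps the transport protection (security.debian.org answers over https as well, as far as I know).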
@@ -0,0 +1,93 @@ +#!/bin/sh + +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 +} +debug() { + if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then + >&2 echo "${PROGNAME}: $1" + fi +} +daemon_found_and_running() { + test -n "$(pidof hapee-lb)" && test -n "${hapee_bin}" +} +found_renewed_lineage() { + test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" +} +config_check() { + ${hapee_bin} -c -f "${hapee_config_file}" > /dev/null 2>&1 +} +concat_files() { + # shellcheck disable=SC2174 + mkdir --mode=700 --parents "${hapee_cert_dir}" + chown root: "${hapee_cert_dir}" + + debug "Concatenating certificate files to ${hapee_cert_file}" + cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${hapee_cert_file}" + chmod 600 "${hapee_cert_file}" + chown root: "${hapee_cert_file}" +} +cert_and_key_mismatch() { + hapee_cert_md5=$(openssl x509 -noout -modulus -in "${hapee_cert_file}" | openssl md5) + hapee_key_md5=$(openssl rsa -noout -modulus -in "${hapee_cert_file}" | openssl md5) + + test "${hapee_cert_md5}" != "${hapee_key_md5}" +} +detect_hapee_cert_dir() { + # get last field or line wich defines the crt directory + config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/\S+' "${hapee_config_file}" | head -1 | awk '{ print $(NF)}') + if [ -n "${config_cert_dir}" ]; then + debug "Cert directory is configured with ${config_cert_dir}" + echo "${config_cert_dir}" + elif [ -d "/etc/haproxy/ssl" ]; then + debug "No configured cert directory found, but /etc/haproxy/ssl exists" + echo "/etc/haproxy/ssl" + elif [ -d "/etc/ssl/haproxy" ]; then + debug "No configured cert directory found, but /etc/ssl/haproxy exists" + echo "/etc/ssl/haproxy" + else + error "Cert directory not found." + fi +} +main() { + if [ -z "${RENEWED_LINEAGE}" ]; then + error "This script must be called only by certbot!" 
+ fi + + if daemon_found_and_running; then + readonly hapee_config_file="/etc/hapee-2.4/hapee-lb.cfg" + readonly hapee_cert_dir=$(detect_hapee_cert_dir) + + if found_renewed_lineage; then + hapee_cert_file="${hapee_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" + failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" + + concat_files + + if cert_and_key_mismatch; then + mv "${hapee_cert_file}" "${failed_cert_file}" + error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection" + fi + + if config_check; then + debug "HAPEE detected... reloading" + systemctl reload hapee-2.4-lb.service + else + error "HAPEE config is broken, you must fix it !" + fi + else + error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem" + fi + else + debug "HAPEE is not running or missing. Skip." + fi +} + +readonly PROGNAME=$(basename "$0") +readonly VERBOSE=${VERBOSE:-"0"} +readonly QUIET=${QUIET:-"0"} + +readonly hapee_bin="/opt/hapee-2.4/sbin/hapee-lb" + +main From e50fbdd2b842fb5edbd04dbf52f5bc6fe63cf530 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Tue, 31 May 2022 14:13:09 +0200 Subject: [PATCH 11/24] #66153 : fix missing locahost and localhost.localdomain in postfix main.cf mydestination --- postfix/templates/packmail_main.cf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 397abc0d..d9d90836 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -74,7 +74,7 @@ myhostname = {{ ansible_fqdn }} # Liste des noms de domaine (ou IP) consideres comme local #par defaut, = $myhostname, localhost.$mydomain, localhost -mydestination = $myhostname +mydestination = $myhostname localhost.localdomain localhost # Indique le domaine apparaissant dans le courrier envoye #par defaut, = $myhostname 
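Review bot: `readonly hapee_cert_dir=$(detect_hapee_cert_dir)` in main() swallows the `error "Cert directory not found."` branch, because `exit 1` inside the command substitution only terminates the subshell; the script then continues with an empty `hapee_cert_dir`, so `concat_files` writes the concatenated certificate and private key to `/<lineage>.pem` at the filesystem root. Add `[ -n "${hapee_cert_dir}" ] || error "Cert directory not found."` right after the assignment. Separately, `cert_and_key_mismatch` relies on `openssl rsa -modulus`, which appears to fail for ECDSA keys and would mark every non-RSA lineage as mismatched and move it to /root; comparing `openssl x509 -pubkey -noout -in "${hapee_cert_file}" | openssl md5` with `openssl pkey -pubout -in "${hapee_cert_file}" | openssl md5` works for any key type. A header comment stating that the combined .pem holds the private key and must stay mode 600 in a root-only directory would also help the next maintainer.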
From 17a2032a10d5b2df3789869718ac31eae889e983 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Jun 2022 10:46:11 +0200 Subject: [PATCH 12/24] evolinux-base: add update-evobackup-canary script --- CHANGELOG.md | 1 + .../files/update-evobackup-canary.sh | 129 ++++++++++++++++++ evolinux-base/tasks/utils.yml | 17 ++- 3 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 evolinux-base/files/update-evobackup-canary.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index a080d0df..62cf1215 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added certbot: add hapee (HAProxy Enterprise Edition) deploy hook +evolinux-base: add update-evobackup-canary script ### Changed diff --git a/evolinux-base/files/update-evobackup-canary.sh b/evolinux-base/files/update-evobackup-canary.sh new file mode 100644 index 00000000..20fc1a57 --- /dev/null +++ b/evolinux-base/files/update-evobackup-canary.sh 
@@ -0,0 +1,129 @@ +#!/bin/sh + +PROGNAME="update-evobackup-canary" +REPOSITORY="https://gitea.evolix.org/evolix/evobackup" + +VERSION="22.05" +readonly VERSION + +# base functions + +show_version() { + cat <, + Jérémy Lecour , + and others. + +${REPOSITORY} + +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat <> "${canary_file}" +} + +# parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + -V|--version) + show_version + exit 0 + ;; + + -w|--who) + # with value separated by space + if [ -n "$2" ]; then + who=$2 + shift + else + printf 'ERROR: "-w|--who" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --who=?*) + # with value speparated by = + who=${1#*=} + ;; + --who=) + # without value + printf 'ERROR: "--who" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + -f|--file) + # with value separated by space + if [ -n "$2" ]; then + canary_file=$2 + shift + else + printf 'ERROR: "-f|--file" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --file=?*) + # with value speparated by = + canary_file=${1#*=} + ;; + --file=) + # without value + printf 'ERROR: "--file" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + --) + # End of all options. + shift + break + ;; + -?*) + # ignore unknown options + printf 'WARN: Unknown option : %s\n' "$1" >&2 + exit 1 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +export LC_ALL=C + +set -u + +main diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 084f8b35..0dabc3dc 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml 
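Review bot: In the option loop the `-?*)` branch is commented `# ignore unknown options` and prints a `WARN:` prefix, but it then does `exit 1`, so the comment and message both contradict the behaviour; make them agree, e.g. `# abort on unknown option` and `printf 'ERROR: Unknown option : %s\n' "$1" >&2`. The heredoc bodies of show_version, show_help and the canary-writing function did not survive this rendering, so I could not review what is appended to `${canary_file}` or whether its directory is checked before the `>>` redirection; a one-line comment above the append stating the expected file location and who is allowed to write it would document that contract. `set -u` is only enabled after the option loop, which looks deliberate given the unguarded `case $1`; a short comment saying so would stop someone from "fixing" it.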
@@ -26,4 +26,19 @@ mode: "0700" owner: root group: root - force: no \ No newline at end of file + force: no + +- name: update-evobackup-canary script is present + copy: + src: "update-evobackup-canary.sh" + dest: /usr/local/bin/update-evobackup-canary + force: True + owner: root + group: root + mode: "0750" + +# TODO: delete when this has been run once on all our servers +- name: update-evobackup-canary is removed from sbin + file: + path: /usr/local/sbin/update-evobackup-canary + state: absent \ No newline at end of file From e9bc035fb9a1ba258813fbb9470d55c80c784a8c Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 1 Jun 2022 15:24:47 +0200 Subject: [PATCH 13/24] add set crypt_use_gpgme=no Mutt option --- mysql-oracle/files/mysqltuner.cron.sh | 2 +- mysql/files/mysqltuner.cron.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mysql-oracle/files/mysqltuner.cron.sh b/mysql-oracle/files/mysqltuner.cron.sh index 5424aa90..ada4a0f8 100644 --- a/mysql-oracle/files/mysqltuner.cron.sh +++ b/mysql-oracle/files/mysqltuner.cron.sh @@ -44,7 +44,7 @@ Bien à vous, -- Rapport automatique Evolix EOT - mutt -x -e 'set send_charset="utf-8"' -H $template \ + mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \ -a /var/www/mysqlreport_${instance}.html < $body done chmod 644 /var/www/mysqlreport*html diff --git a/mysql/files/mysqltuner.cron.sh b/mysql/files/mysqltuner.cron.sh index 5424aa90..ada4a0f8 100644 --- a/mysql/files/mysqltuner.cron.sh +++ b/mysql/files/mysqltuner.cron.sh @@ -44,7 +44,7 @@ Bien à vous, -- Rapport automatique Evolix EOT - mutt -x -e 'set send_charset="utf-8"' -H $template \ + mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \ -a /var/www/mysqlreport_${instance}.html < $body done chmod 644 /var/www/mysqlreport*html From 249e53fc211fae08ec05d44d9eae8212f4477818 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 1 Jun 2022 17:23:56 +0200 Subject: [PATCH 14/24] evolinux-base: add dir-check script --- CHANGELOG.md | 5 +- evolinux-base/files/dir-check.sh | 299 +++++++++++++++++++++++++++++++ evolinux-base/tasks/utils.yml | 13 +- 3 files changed, 313 insertions(+), 4 deletions(-) create mode 100644 evolinux-base/files/dir-check.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 62cf1215..f6dffaa9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,8 +12,9 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -certbot: add hapee (HAProxy Enterprise Edition) deploy hook -evolinux-base: add update-evobackup-canary script +* certbot: add hapee (HAProxy Enterprise Edition) deploy hook +* evolinux-base: add dir-check script +* evolinux-base: add update-evobackup-canary script ### Changed diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh new file mode 100644 index 00000000..b82ca939 --- /dev/null +++ b/evolinux-base/files/dir-check.sh 
@@ -0,0 +1,299 @@ +#!/bin/sh + +PROGNAME="dir-check" +REPOSITORY="https://gitea.evolix.org/evolix/ansible-roles" + +VERSION="22.06" +readonly VERSION + +show_version() { + cat <, + Jérémy Lecour + +${REPOSITORY} + +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU Affero General Public License v3.0 for details. +END +} +show_help() { + cat <> "${log_file}" + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_info() { + level="INFO" + msg=$1 + if ! is_quiet; then + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_warning() { + level="WARNING" + msg=$1 + if ! is_quiet; then + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_error() { + level="ERROR" + msg=$1 + if ! is_quiet; then + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + if tty -s; then + printf "%s\n" "${msg}" >&2 + fi + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_fatal() { + level="FATAL" + msg=$1 + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + if tty -s; then + printf "%s\n" "${msg}" >&2 + fi + else + log_line "${level}" "${msg}" >&2 + fi +} + +metadata_algorithm() { + echo "du --bytes" +} +list_files_with_size() { + path=$1 + find "${path}" -type f -exec $(metadata_algorithm) {} \; | sort -k2 +} +prepare_metadata() { + list_files_with_size "${final_dir}" > "${metadata_file}" + "${checksum_bin}" "${metadata_file}" > "${checksum_file}" +} +check_metadata() { + if [ -f "${checksum_file}" ]; then + # subshell to scope the commands to "parent_dir" + "${checksum_bin}" --status --check "${checksum_file}" + last_rc=$? + if [ ${last_rc} -ne 0 ]; then + log_error "Verification failed with checksum file ${checksum_file}." 
+ exit 1 + fi + else + log_warning "Couldn't find checksum file ${checksum_file}. Skip verification." + fi + if [ -f "${metadata_file}" ]; then + while read metadata_line; do + expected_size=$(echo "${metadata_line}" | cut -f1) + file=$(echo "${metadata_line}" | cut -f2) + + if [ -f "${file}" ]; then + actual_size=$($(metadata_algorithm) "${file}" | cut -f1) + + if [ "${actual_size}" != "${expected_size}" ]; then + log_error "File ${file} has actual size of ${actual_size} instead of ${expected_size}." + rc=1 + fi + else + log_error "Couldn't find file ${file}." + rc=1 + fi + done < "${metadata_file}" + if [ ${rc} -eq 0 ]; then + log_info "Directory is consistent with metadata stored in metadata file ${metadata_file}." + fi + else + log_fatal "Couldn't find metadata file ${metadata_file}." + exit 1 + fi +} + +main() { + if [ -z "${dir}" ]; then + log_fatal "dir option is empty" + exit 1 + elif [ -e "${dir}" ] && [ ! -d "${dir}" ]; then + log_fatal "directory '${dir}' exists but is not a directory" + exit 1 + fi + + checksum_cmd="sha256sum" + checksum_bin=$(command -v ${checksum_cmd}) + if [ -z "${checksum_bin}" ]; then + log_fatal "Couldn't find ${checksum_cmd}.\nUse 'apt install ${checksum_cmd}'." + exit 1 + fi + + parent_dir=$(dirname "${dir}") + final_dir=$(basename "${dir}") + + metadata_file="${final_dir}.metadata" + checksum_file="${metadata_file}.${checksum_cmd}" + + cwd=${PWD} + cd "${parent_dir}" || log_error "Impossible to change to ${parent_dir}" + + case ${action} in + check) + check_metadata + ;; + prepare) + prepare_metadata + ;; + *) + log_fatal "Unknown action ${action}." 
+ rc=1 + ;; + esac + + cd "${cwd}" || log_error "Impossible to change back to ${cwd}" +} + +# Declare variables + +verbose="" +quiet="" +action="" +dir="" +rc=0 + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + -V|--version) + show_version + exit 0 + ;; + + --dir) + # with value separated by space + if [ -n "$2" ]; then + dir="$2" + shift + else + log_fatal 'ERROR: "--dir" requires a non-empty option argument.' + fi + ;; + --dir=?*) + # with value speparated by = + dir=${1#*=} + ;; + --dir=) + # without value + log_fatal '"--dir" requires a non-empty option argument.' + ;; + + --prepare) + action="prepare" + ;; + + --check) + action="check" + ;; + + -v|--verbose) + verbose=1 + ;; + + --quiet) + quiet=1 + verbose=0 + ;; + + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + if tty -s; then + printf 'Unknown option : %s\n' "$1" >&2 + echo "" >&2 + show_usage >&2 + exit 1 + else + log_fatal "Unknown option : $1" + fi + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +# Default values + +verbose=${verbose:-0} +quiet=${quiet:-0} +action=${action:-} +log_file=${log_file:-} + +set -u + +main + +exit ${rc} \ No newline at end of file diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 0dabc3dc..6c9e27b0 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml 
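Review bot: In main(), `cd "${parent_dir}" || log_error "Impossible to change to ${parent_dir}"` does not stop the script, since log_error only writes a log line, so on a failed cd `prepare_metadata` writes the metadata and checksum files into the caller's current directory and `check_metadata` verifies the wrong tree. Replace it with `cd "${parent_dir}" || { log_fatal "Impossible to change to ${parent_dir}"; exit 1; }`. Because the sha256 file is created beside the data with the same privileges as the directory it describes, the check catches incomplete copies and accidental corruption but not deliberate tampering; a header comment such as `# Consistency check only: the checksum lives next to the data and is not a tamper-evidence mechanism.` would set expectations for anyone relying on it for backups. The heredoc bodies of show_version, show_help, log_line and log_debug are garbled in this rendering and were not reviewed.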
@@ -35,10 +35,19 @@ force: True owner: root group: root - mode: "0750" + mode: "0755" # TODO: delete when this has been run once on all our servers - name: update-evobackup-canary is removed from sbin file: path: /usr/local/sbin/update-evobackup-canary - state: absent \ No newline at end of file + state: absent + +- name: dir-check script is present + copy: + src: "dir-check.sh" + dest: /usr/local/bin/dir-check + force: True + owner: root + group: root + mode: "0755" \ No newline at end of file From b8b96bb5b7d2cc954fe33a53a0db9e114c5f44dd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Jun 2022 17:24:51 +0200 Subject: [PATCH 15/24] mysql: use dir-check inside evomariabackup --- CHANGELOG.md | 1 + mysql/files/evomariabackup.sh | 50 +++++++++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6dffaa9..d9edccd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * certbot: add hapee (HAProxy Enterprise Edition) deploy hook * evolinux-base: add dir-check script * evolinux-base: add update-evobackup-canary script +* mysql: use dir-check inside evomariabackup ### Changed diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 0e3de84b..f90debf2 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh 
@@ -301,6 +301,38 @@ backup() { log_info "END mariabackup prepare phase" fi } +list_files_with_size() { + path=$1 + find "${path}" -type f -exec du --bytes {} \; | sort -k2 +} +dircheck_prepare() { + if [ -z "${backup_dir}" ]; then + log_fatal "backup-dir option is empty" + exit 1 + elif [ -e "${backup_dir}" ] && [ ! -d "${backup_dir}" ]; then + log_fatal "backup directory '${backup_dir}' exists but is not a directory" + exit 1 + fi + + dircheck_cmd="dir-check" + dircheck_bin=$(command -v ${dircheck_cmd}) + if [ -z "${dircheck_bin}" ]; then + log_fatal "Couldn't find ${dircheck_cmd}." + exit 1 + fi + + backup_parent_dir=$(dirname "${backup_dir}") + backup_final_dir=$(basename "${backup_dir}") + + log_info "BEGIN dir-check phase" + cwd=${PWD} + cd "${backup_parent_dir}" || log_fatal "Impossible to change to ${backup_parent_dir}" + + "${dircheck_bin}" --prepare --dir "${backup_final_dir}" + + cd ${cwd} || log_fatal "Impossible to change back to ${cwd}" + log_info "END dir-check phase" +} compress() { compress_dir=$(dirname "${compress_file}") @@ -362,11 +394,15 @@ main() { new_lock_file "${lock_file}" if [ "${do_backup}" = "1" ] && [ -n "${backup_dir}" ]; then - backup "${backup_dir}" + backup + fi + + if [ "${do_dircheck}" = "1" ] && [ -n "${backup_dir}" ]; then + dircheck_prepare fi if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then - compress "${backup_dir}" "${compress_file}" + compress fi } @@ -380,6 +416,7 @@ max_age="" max_age="" do_backup="" backup_dir="" +do_dircheck="" do_compress="" compress_file="" @@ -440,6 +477,14 @@ while :; do log_fatal '"--backup-dir" requires a non-empty option argument.' ;; + --dir-check) + do_dircheck=1 + ;; + + --no-dir-check) + do_dircheck=0 + ;; + --compress) do_compress=1 ;; @@ -549,6 +594,7 @@ verbose=${verbose:-0} quiet=${quiet:-0} max_age="${max_age:-86400}" do_backup="${do_backup:-1}" +do_dircheck="${do_dircheck:-0}" do_compress="${do_compress:-0}" main \ No newline at end of file 
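Review bot: `list_files_with_size` is added but nothing in the hunk calls it — the listing is done by the external dir-check binary invoked in dircheck_prepare — so it is a dead copy of dir-check's helper that will drift from the original. In dircheck_prepare, `cd "${backup_parent_dir}" || log_fatal "..."` continues on failure if this file's log_fatal behaves like dir-check's (it only logs; its definition is outside the hunk), which would run `dir-check --prepare` against the wrong directory; append `exit 1` to that branch, and quote `cd "${cwd}"` like the other cd calls. A short comment above the `--dir-check` option noting that it defaults to off (`do_dircheck="${do_dircheck:-0}"`) would help operators enabling it.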
From f0e967518ba5446caa8b49a9b71b72ee307b0081 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Jun 2022 17:38:45 +0200 Subject: [PATCH 16/24] small fixes to dir-check --- evolinux-base/files/dir-check.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index b82ca939..4a346c92 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -131,11 +131,11 @@ check_metadata() { "${checksum_bin}" --status --check "${checksum_file}" last_rc=$? if [ ${last_rc} -ne 0 ]; then - log_error "Verification failed with checksum file ${checksum_file}." + log_error "Verification failed with checksum file \`${checksum_file}' (inside \`${parent_dir}')." exit 1 fi else - log_warning "Couldn't find checksum file ${checksum_file}. Skip verification." + log_warning "Couldn't find checksum file \`${checksum_file}' (inside \`${parent_dir}'). Skip verification." fi if [ -f "${metadata_file}" ]; then while read metadata_line; do @@ -146,19 +146,19 @@ check_metadata() { actual_size=$($(metadata_algorithm) "${file}" | cut -f1) if [ "${actual_size}" != "${expected_size}" ]; then - log_error "File ${file} has actual size of ${actual_size} instead of ${expected_size}." + log_error "File ${file}' has actual size of ${actual_size} instead of ${expected_size}." rc=1 fi else - log_error "Couldn't find file ${file}." + log_error "Couldn't find file \`${file}'." rc=1 fi done < "${metadata_file}" if [ ${rc} -eq 0 ]; then - log_info "Directory is consistent with metadata stored in metadata file ${metadata_file}." + log_info "Directory \`${final_dir}' is consistent with metadata stored in \`${metadata_file}' (inside \`${parent_dir}')." fi else - log_fatal "Couldn't find metadata file ${metadata_file}." + log_fatal "Couldn't find metadata file \`${metadata_file}' (inside \`${parent_dir}')." exit 1 fi } 
@@ -168,14 +168,14 @@ main() { log_fatal "dir option is empty" exit 1 elif [ -e "${dir}" ] && [ ! -d "${dir}" ]; then - log_fatal "directory '${dir}' exists but is not a directory" + log_fatal "Directory \`${dir}' exists but is not a directory" exit 1 fi checksum_cmd="sha256sum" checksum_bin=$(command -v ${checksum_cmd}) if [ -z "${checksum_bin}" ]; then - log_fatal "Couldn't find ${checksum_cmd}.\nUse 'apt install ${checksum_cmd}'." + log_fatal "Couldn't find \`${checksum_cmd}'.\nUse 'apt install ${checksum_cmd}'." exit 1 fi @@ -186,7 +186,7 @@ main() { checksum_file="${metadata_file}.${checksum_cmd}" cwd=${PWD} - cd "${parent_dir}" || log_error "Impossible to change to ${parent_dir}" + cd "${parent_dir}" || log_error "Impossible to change to \`${parent_dir}'" case ${action} in check) @@ -196,12 +196,12 @@ main() { prepare_metadata ;; *) - log_fatal "Unknown action ${action}." + log_fatal "Unknown action \`${action}'." rc=1 ;; esac - cd "${cwd}" || log_error "Impossible to change back to ${cwd}" + cd "${cwd}" || log_error "Impossible to change back to \`${cwd}'" } # Declare variables From df0c850ceb4f6ad2227afe0318ad11e1a0b90590 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Jun 2022 17:49:28 +0200 Subject: [PATCH 17/24] dir-check: mandatory action parameter --- evolinux-base/files/dir-check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index 4a346c92..869ad2ad 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -22,13 +22,16 @@ END } show_help() { cat <&2 + show_help >&2 + exit 1 + fi + case ${action} in check) check_metadata From db28f0c47dc8664c25c12afb8b4e12e291bd0b88 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 2 Jun 2022 18:23:40 +0200 Subject: [PATCH 18/24] dir-check: change naming and add log file --- evolinux-base/files/dir-check.sh | 70 ++++++++++++++++++++------------ 1 file changed, 45 insertions(+), 25 deletions(-) diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index 869ad2ad..9d586cef 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -3,7 +3,7 @@ PROGNAME="dir-check" REPOSITORY="https://gitea.evolix.org/evolix/ansible-roles" -VERSION="22.06" +VERSION="22.06.1" readonly VERSION show_version() { @@ -48,9 +48,6 @@ is_verbose() { is_quiet() { test "${quiet}" = "1" } -is_check() { - test "${check}" = "1" -} log_line() { level=$1 msg=$2 @@ -117,18 +114,19 @@ log_fatal() { fi } -metadata_algorithm() { +data_command() { echo "du --bytes" } list_files_with_size() { path=$1 - find "${path}" -type f -exec $(metadata_algorithm) {} \; | sort -k2 + # shellcheck disable=SC2014,SC2046 + find "${path}" -type f -exec $(data_command) {} \; | sort -k2 } -prepare_metadata() { - list_files_with_size "${final_dir}" > "${metadata_file}" - "${checksum_bin}" "${metadata_file}" > "${checksum_file}" +prepare_data() { + list_files_with_size "${final_dir}" > "${data_file}" + "${checksum_bin}" "${data_file}" > "${checksum_file}" } -check_metadata() { +check_data() { if [ -f "${checksum_file}" ]; then # subshell to scope the commands to "parent_dir" "${checksum_bin}" --status --check "${checksum_file}" 
@@ -140,28 +138,28 @@ check_metadata() { else log_warning "Couldn't find checksum file \`${checksum_file}' (inside \`${parent_dir}'). Skip verification." fi - if [ -f "${metadata_file}" ]; then - while read metadata_line; do - expected_size=$(echo "${metadata_line}" | cut -f1) - file=$(echo "${metadata_line}" | cut -f2) + if [ -f "${data_file}" ]; then + while read -r data_line; do + expected_size=$(echo "${data_line}" | cut -f1) + file=$(echo "${data_line}" | cut -f2) if [ -f "${file}" ]; then - actual_size=$($(metadata_algorithm) "${file}" | cut -f1) + actual_size=$($(data_command) "${file}" | cut -f1) if [ "${actual_size}" != "${expected_size}" ]; then - log_error "File ${file}' has actual size of ${actual_size} instead of ${expected_size}." + log_error "File \`${file}' has actual size of ${actual_size} instead of ${expected_size}." rc=1 fi else log_error "Couldn't find file \`${file}'." rc=1 fi - done < "${metadata_file}" + done < "${data_file}" if [ ${rc} -eq 0 ]; then - log_info "Directory \`${final_dir}' is consistent with metadata stored in \`${metadata_file}' (inside \`${parent_dir}')." + log_info "Directory \`${final_dir}' is consistent with data stored in \`${data_file}' (inside \`${parent_dir}')." fi else - log_fatal "Couldn't find metadata file \`${metadata_file}' (inside \`${parent_dir}')." + log_fatal "Couldn't find data file \`${data_file}' (inside \`${parent_dir}')." exit 1 fi } @@ -185,8 +183,8 @@ main() { parent_dir=$(dirname "${dir}") final_dir=$(basename "${dir}") - metadata_file="${final_dir}.metadata" - checksum_file="${metadata_file}.${checksum_cmd}" + data_file="${PROGNAME}.db" + checksum_file="${data_file}.${checksum_cmd}" cwd=${PWD} cd "${parent_dir}" || log_error "Impossible to change to \`${parent_dir}'" @@ -200,10 +198,10 @@ main() { case ${action} in check) - check_metadata + check_data ;; prepare) - prepare_metadata + prepare_data ;; *) log_fatal "Unknown action \`${action}'." 
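Review bot: In `check_data`, `file=$(echo "${data_line}" | cut -f2)` keeps only the second tab-separated field, so a path containing a tab is looked up under a truncated name and reported as missing; `cut -f2-` returns the whole remainder, matching the `<bytes><TAB><path>` layout `du --bytes` emits. The `read -r` added here preserves backslashes, but if the script runs under `/bin/sh` (dash on Debian) the `echo` that follows reinterprets escape sequences such as `\n`; `printf '%s\n' "${data_line}" | cut -f2-` avoids both problems. In the `@@ -185` hunk, `data_file="${PROGNAME}.db"` replaces the per-directory `"${final_dir}.metadata"`, so two sibling directories prepared in the same parent now overwrite each other's data and checksum files, and a later `check` of the first reports every file as missing; if one data file per parent is intended, a comment there should say so, otherwise keep `${final_dir}` in the file name. `check_data` starts before this hunk's first line.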
@@ -211,7 +209,11 @@ main() { ;; esac - cd "${cwd}" || log_error "Impossible to change back to \`${cwd}'" + if [ -d "${cwd}" ]; then + cd "${cwd}" || log_error "Impossible to change back to \`${cwd}'" + else + log_error "Previous working directory \`${cwd}' is not a directory." + fi } # Declare variables @@ -235,7 +237,7 @@ while :; do exit 0 ;; - --dir) + -d|--dir) # with value separated by space if [ -n "$2" ]; then dir="$2" @@ -253,6 +255,24 @@ while :; do log_fatal '"--dir" requires a non-empty option argument.' ;; + -l|--log) + # with value separated by space + if [ -n "$2" ]; then + log_file="$2" + shift + else + log_fatal 'ERROR: "--log" requires a non-empty option argument.' + fi + ;; + --log=?*) + # with value speparated by = + log_file=${1#*=} + ;; + --log=) + # without value + log_fatal '"--log" requires a non-empty option argument.' + ;; + --prepare) action="prepare" ;; From 9af289b2a9e1e447cd1bb94905f786fc75e6aaa1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Jun 2022 18:25:12 +0200 Subject: [PATCH 19/24] evomariabackup: reorder log lines --- mysql/files/evomariabackup.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index f90debf2..ec202d1f 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -248,10 +248,9 @@ backup() { backup_command="${mariabackup_bin} --backup --slave-info --target-dir=${backup_dir:?}" - if ! is_quiet; then - log_debug "${backup_command}" log_info "BEGIN mariabackup backup phase" + log_debug "${backup_command}" fi if is_quiet || ! is_verbose ; then @@ -277,8 +276,8 @@ backup() { prepare_command="${mariabackup_bin} --prepare --target-dir=${backup_dir:?}" if ! is_quiet; then - log_debug "${prepare_command}" log_info "BEGIN mariabackup prepare phase" + log_debug "${prepare_command}" fi if is_quiet || ! is_verbose ; then 
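Review bot: In the `@@ -253` hunk the `-l|--log` branch passes `'ERROR: "--log" requires a non-empty option argument.'` to `log_fatal`, while its sibling `--log=` branch and the existing `--dir` branches omit the `ERROR:` prefix; drop it so every option error is formatted the same way by `log_fatal`. `log_file` is assigned but no visible hunk reads it; if the consumer is in one of this patch's hunks outside this view, a short comment at the option naming the function that writes the file would help reviewers, and if nothing reads it yet the option should say so. The comment `# with value speparated by =` repeats a typo from the `--dir` branch. In the `@@ -211` hunk a vanished `${cwd}` is logged with `log_error` and `main` simply ends, which is reasonable for final cleanup, but a comment saying the failure is deliberately non-fatal would save the next reader from wondering. The option-parsing `while` loop begins before these hunks and continues after them.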
@@ -364,8 +363,8 @@ compress() { fi if ! is_quiet; then - log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'" log_info "BEGIN compression phase" + log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'" fi if is_quiet || ! is_verbose ; then tar --use-compress-program="${compress_program}" -cf "${compress_file}" "${backup_dir}" >/dev/null 2>&1 From 586aa206a8d1534d7428b9bff3059a7b04d18063 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Jun 2022 18:26:23 +0200 Subject: [PATCH 20/24] mysql: add post-backup-hook to evomariabackup --- CHANGELOG.md | 1 + mysql/files/evomariabackup.sh | 53 ++++++++++++++++++++++++++++++++++- 2 files changed, 53 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9edccd9..f199e913 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * certbot: add hapee (HAProxy Enterprise Edition) deploy hook * evolinux-base: add dir-check script * evolinux-base: add update-evobackup-canary script +* mysql: add post-backup-hook to evomariabackup * mysql: use dir-check inside evomariabackup ### Changed diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index ec202d1f..eae23436 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh 
@@ -386,6 +386,35 @@ compress() { log_info "END compression phase" fi } +post_backup_hook() { + if [ -x "${post_backup_hook}" ]; then + + if ! is_quiet; then + log_debug "Execution of \`${post_backup_hook}'" + log_info "BEGIN hook phase" + fi + + ( + export BACKUP_DIR="${backup_dir}" + if is_log_file; then + export LOG_FILE="${log_file}" + fi + "${post_backup_hook}" + ) + hook_rc=$? + + if [ ${hook_rc} -ne 0 ]; then + log_fatal "An error occured while executing post backup hook \`${post_backup_hook}'" + exit 1 + elif ! is_quiet; then + log_info "END hook phase" + fi + else + log_fatal "Post backup hook \`${post_backup_hook}' is missing or not executable" + exit 1 + fi +} + main() { kill_or_clean_lockfile "${lock_file}" # shellcheck disable=SC2064 @@ -403,6 +432,10 @@ main() { if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then compress fi + + if [ -n "${post_backup_hook}" ]; then + post_backup_hook + fi } # Declare variables @@ -412,12 +445,12 @@ log_file="" verbose="" quiet="" max_age="" -max_age="" do_backup="" backup_dir="" do_dircheck="" do_compress="" compress_file="" +post_backup_hook="" # Parse options # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a @@ -552,6 +585,24 @@ while :; do log_fatal '"--log-file" requires a non-empty option argument.' ;; + --post-backup-hook) + # with value separated by space + if [ -n "$2" ]; then + post_backup_hook="$2" + shift + else + log_fatal '"--post-backup-hook" requires a non-empty option argument.' + fi + ;; + --post-backup-hook=?*) + # with value speparated by = + post_backup_hook=${1#*=} + ;; + --post-backup-hook=) + # without value + log_fatal '"--post-backup-hook" requires a non-empty option argument.' + ;; + -v|--verbose) verbose=1 ;; From c4f279cf8e495dfc5e6cd21d417b40d30564c7cc Mon Sep 17 00:00:00 2001 
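Review bot: `post_backup_hook()` runs `"${post_backup_hook}"` after only an `-x` test, and the hook inherits whatever privileges the backup runs with; if that is root (as mariabackup normally requires), a hook file or parent directory writable by another account lets that account run code as root. A pre-flight check that the path is absolute and not group- or world-writable — for example `find "${post_backup_hook}" -maxdepth 0 -perm /022` yielding output, or an owner check via `stat -c '%U'` — belongs next to the `-x` test, with the `log_fatal` message covering that case too. The function and the global variable share the name `post_backup_hook`; POSIX sh keeps function and variable namespaces apart, but `if [ -n "${post_backup_hook}" ]; then post_backup_hook; fi` in `main` reads as a tautology unless one knows that, so renaming the function to `run_post_backup_hook` (or a comment above it noting the aliasing) would help. The message `An error occured while executing` should read `occurred`, and `# with value speparated by =` carries the same typo as the other option branches. `main()` and the option loop both extend beyond this hunk.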
From: Jeremy Lecour Date: Thu, 2 Jun 2022 18:27:59 +0200 Subject: [PATCH 21/24] evomariabackup: release 22.06 --- mysql/files/evomariabackup.sh | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index eae23436..dd46a9ec 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -1,12 +1,12 @@ #!/bin/sh -VERSION="21.11" +VERSION="22.06" show_version() { cat <, +Copyright 2004-2022 Evolix , Éric Morino , Jérémy Lecour and others. @@ -20,19 +20,20 @@ show_help() { cat < Date: Fri, 3 Jun 2022 09:15:04 +0200 Subject: [PATCH 22/24] evocheck: upstream release 22.06 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 27 ++++++++++++++++++++++----- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f199e913..4bea0b2b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * docker: Allow "live-restore" to be toggled with docker_conf_live_restore +* evocheck: upstream release 22.06 ### Fixed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index cf901bb0..6bba06c1 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.05" +VERSION="22.06" readonly VERSION # base functions @@ -19,7 +19,8 @@ Copyright 2009-2022 Evolix , Gregory Colpart , Jérémy Lecour , Tristan Pilat , - Victor Laborie + Victor Laborie , + Alexis Ben Miloud--Josselin , and others. evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, 
@@ -235,7 +236,7 @@ check_debiansecurity() { if is_debian_bullseye; then # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive # https://www.debian.org/security/ - pattern="^deb https://(deb|security)\.debian\.org/debian-security/? bullseye-security main" + pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main" elif is_debian_buster; then pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main" elif is_debian_stretch; then @@ -337,6 +338,8 @@ check_alert5boot() { else if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script" else failed "IS_ALERT5BOOT" "alert5 init script is missing" fi @@ -350,6 +353,9 @@ check_alert5minifw() { if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" else failed "IS_ALERT5MINIFW" "alert5 init script is missing" fi 
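Review bot: The new bullseye pattern in `check_debiansecurity` accepts only `http://security.debian.org/debian-security`, while the pattern it replaces also accepted `https://deb.debian.org/debian-security`, which is the form the release notes linked in the comment just above appear to document; hosts configured that way would now be reported under IS_DEBIANSECURITY, and plain http is being mandated over https for the security archive. If the goal is to standardise on a single source, `pattern="^deb https?://(deb|security)\.debian\.org/debian-security/? bullseye-security main"` keeps both spellings valid; otherwise a comment above the assignment should state which form is mandated and why. In the `@@ -337` hunk the message `boot mail is not sent by alert5 int script` should read `init script`, matching the neighbouring failure message. Both hunks are vendored from upstream evocheck (per the subject), so the correction may need to land there first.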
@@ -571,7 +577,7 @@ check_network_interfaces() { # Verify if all if are in auto check_autoif() { if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") + interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") else interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") fi @@ -589,6 +595,16 @@ check_interfacesgw() { number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces) test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway" } +# Verification de l’état du service networking +check_networking_service() { + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then + if systemctl is-enabled networking.service > /dev/null; then + if ! systemctl is-active networking.service > /dev/null; then + failed "IS_NETWORKING_SERVICE" "networking.service is not active" + fi + fi + fi +} # Verification de la mise en place d'evobackup check_evobackup() { evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) @@ -955,7 +971,7 @@ check_mongo_backup() { # You could change the default path in /etc/evocheck.cf MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} if [ -d "$MONGO_BACKUP_PATH" ]; then - for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do # Skip indexes file. if ! [[ "$file" =~ indexes ]]; then limit=$(date +"%s" -d "now - 2 day") 
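Review bot: In the `@@ -589` hunk, `systemctl is-enabled networking.service > /dev/null` redirects stdout only, so on a host where the unit is absent or masked systemd's diagnostic still goes to stderr and shows up in evocheck's output even though the check correctly does nothing; use `> /dev/null 2>&1` on both `systemctl` calls. A comment above `check_networking_service` stating that the check is skipped when the unit is not enabled would document that choice. In the `@@ -955` hunk, `*.{json,bson}.*` now requires a suffix after `.json`/`.bson`, so uncompressed dumps are no longer age-checked; if only compressed dumps are expected, a comment on the `for` line should say so, and note that without `nullglob` a pattern with no match iterates as the literal string — the loop body is outside this hunk.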
@@ -1577,6 +1593,7 @@ main() { test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces test "${IS_AUTOIF:=1}" = 1 && check_autoif test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw + test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate From 9378f5634c26d71d069e92e852c78ceb4fad6109 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 09:26:07 +0200 Subject: [PATCH 23/24] add missing entry in CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4bea0b2b..12fae39c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker: Allow "live-restore" to be toggled with docker_conf_live_restore * evocheck: upstream release 22.06 +* mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner ### Fixed From e8e99bb9b6e765d2a519d5de52f1a153f609f692 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 09:27:01 +0200 Subject: [PATCH 24/24] Release 22.06 --- CHANGELOG.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12fae39c..c58739a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,18 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [22.06] 2022-06-03 + +### Added + * certbot: add hapee (HAProxy Enterprise Edition) deploy hook * evolinux-base: add dir-check script * evolinux-base: add update-evobackup-canary script 
@@ -24,12 +36,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 22.06 * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner -### Fixed - -### Removed - -### Security - ## [22.05.1] 2022-05-12 ### Added