evolix
/
ansible-roles
22
2
Fork 2
Code Issues 61 Pull Requests 18 Releases 32 Wiki Activity

Merge branch 'unstable' into stable
continuous-integration/drone/push Build is passing Details
continuous-integration/drone/tag Build is failing Details

This commit is contained in:
Jérémy Lecour 2022-06-03 09:27:12 +02:00 committed by Jérémy Lecour
parent 40546d077a e8e99bb9b6
commit 24f34b200c
17 changed files with 775 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
CHANGELOG.md
View File

@ -22,6 +22,22 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
## [22.06] 2022-06-03
### Added
* certbot: add hapee (HAProxy Enterprise Edition) deploy hook
* evolinux-base: add dir-check script
* evolinux-base: add update-evobackup-canary script
* mysql: add post-backup-hook to evomariabackup
* mysql: use dir-check inside evomariabackup
### Changed
* docker: Allow "live-restore" to be toggled with docker_conf_live_restore
* evocheck: upstream release 22.06
* mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner
## [22.05.1] 2022-05-12
### Added

2
apt/templates/bullseye_basics.list.j2
View File

@ -2,4 +2,4 @@
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }}
deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}

93
certbot/files/hooks/deploy/hapee.sh Normal file
View File

@ -0,0 +1,93 @@
#!/bin/sh
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
daemon_found_and_running() {
test -n "$(pidof hapee-lb)" && test -n "${hapee_bin}"
}
found_renewed_lineage() {
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
}
config_check() {
${hapee_bin} -c -f "${hapee_config_file}" > /dev/null 2>&1
}
concat_files() {
# shellcheck disable=SC2174
mkdir --mode=700 --parents "${hapee_cert_dir}"
chown root: "${hapee_cert_dir}"
debug "Concatenating certificate files to ${hapee_cert_file}"
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${hapee_cert_file}"
chmod 600 "${hapee_cert_file}"
chown root: "${hapee_cert_file}"
}
cert_and_key_mismatch() {
hapee_cert_md5=$(openssl x509 -noout -modulus -in "${hapee_cert_file}" | openssl md5)
hapee_key_md5=$(openssl rsa -noout -modulus -in "${hapee_cert_file}" | openssl md5)
test "${hapee_cert_md5}" != "${hapee_key_md5}"
}
detect_hapee_cert_dir() {
# get last field or line wich defines the crt directory
config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/\S+' "${hapee_config_file}" | head -1 | awk '{ print $(NF)}')
if [ -n "${config_cert_dir}" ]; then
debug "Cert directory is configured with ${config_cert_dir}"
echo "${config_cert_dir}"
elif [ -d "/etc/haproxy/ssl" ]; then
debug "No configured cert directory found, but /etc/haproxy/ssl exists"
echo "/etc/haproxy/ssl"
elif [ -d "/etc/ssl/haproxy" ]; then
debug "No configured cert directory found, but /etc/ssl/haproxy exists"
echo "/etc/ssl/haproxy"
else
error "Cert directory not found."
fi
}
main() {
if [ -z "${RENEWED_LINEAGE}" ]; then
error "This script must be called only by certbot!"
fi
if daemon_found_and_running; then
readonly hapee_config_file="/etc/hapee-2.4/hapee-lb.cfg"
readonly hapee_cert_dir=$(detect_hapee_cert_dir)
if found_renewed_lineage; then
hapee_cert_file="${hapee_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
concat_files
if cert_and_key_mismatch; then
mv "${hapee_cert_file}" "${failed_cert_file}"
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
fi
if config_check; then
debug "HAPEE detected... reloading"
systemctl reload hapee-2.4-lb.service
else
error "HAPEE config is broken, you must fix it !"
fi
else
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
fi
else
debug "HAPEE is not running or missing. Skip."
fi
}
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly hapee_bin="/opt/hapee-2.4/sbin/hapee-lb"
main

3
docker-host/defaults/main.yml
View File

@ -9,6 +9,9 @@ docker_conf_use_iptables: False
# Disable the possibility for containers processes to gain new privileges
docker_conf_no_newprivileges: False
# Toggle live restore (need to be disabled in swarm mode)
docker_conf_live_restore: True
# Disable all default network connectivity
docker_conf_disable_default_networking: False

2
docker-host/templates/daemon.json.j2
View File

@ -5,7 +5,7 @@
"data-root": "{{ docker_home }}",
{# Keep containers running while docker daemon downtime #}
"live-restore": true,
"live-restore": {{ docker_conf_live_restore | to_json }},,
{# Turn on user namespace remaping #}
"userns-remap": "default",

27
evocheck/files/evocheck.sh
View File

@ -4,7 +4,7 @@
# Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix
VERSION="22.05"
VERSION="22.06"
readonly VERSION
# base functions
@ -19,7 +19,8 @@ Copyright 2009-2022 Evolix <info@evolix.fr>,
Gregory Colpart <reg@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Tristan Pilat <tpilat@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>
Victor Laborie <vlaborie@evolix.fr>,
Alexis Ben Miloud--Josselin <abenmiloud@evolix.fr>,
and others.
evocheck comes with ABSOLUTELY NO WARRANTY. This is free software,
@ -235,7 +236,7 @@ check_debiansecurity() {
if is_debian_bullseye; then
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
# https://www.debian.org/security/
pattern="^deb https://(deb|security)\.debian\.org/debian-security/? bullseye-security main"
pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main"
elif is_debian_buster; then
pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
elif is_debian_stretch; then
@ -337,6 +338,8 @@ check_alert5boot() {
else
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then
grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script"
else
failed "IS_ALERT5BOOT" "alert5 init script is missing"
fi
@ -350,6 +353,9 @@ check_alert5minifw() {
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then
grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
else
failed "IS_ALERT5MINIFW" "alert5 init script is missing"
fi
@ -571,7 +577,7 @@ check_network_interfaces() {
# Verify if all if are in auto
check_autoif() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
else
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
fi
@ -589,6 +595,16 @@ check_interfacesgw() {
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway"
}
# Verification de létat du service networking
check_networking_service() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if systemctl is-enabled networking.service > /dev/null; then
if ! systemctl is-active networking.service > /dev/null; then
failed "IS_NETWORKING_SERVICE" "networking.service is not active"
fi
fi
fi
}
# Verification de la mise en place d'evobackup
check_evobackup() {
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
@ -955,7 +971,7 @@ check_mongo_backup() {
# You could change the default path in /etc/evocheck.cf
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
if [ -d "$MONGO_BACKUP_PATH" ]; then
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do
# Skip indexes file.
if ! [[ "$file" =~ indexes ]]; then
limit=$(date +"%s" -d "now - 2 day")
@ -1577,6 +1593,7 @@ main() {
test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces
test "${IS_AUTOIF:=1}" = 1 && check_autoif
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate

329
evolinux-base/files/dir-check.sh Normal file
View File

@ -0,0 +1,329 @@
#!/bin/sh
PROGNAME="dir-check"
REPOSITORY="https://gitea.evolix.org/evolix/ansible-roles"
VERSION="22.06.1"
readonly VERSION
show_version() {
cat <<END
${PROGNAME} version ${VERSION}
Copyright 2022 Evolix <info@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
${REPOSITORY}
${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU Affero General Public License v3.0 for details.
END
}
show_help() {
cat <<EOF
Usage: ${PROGNAME} [ACTION] [OPTIONS] --dir /path/to/directory-to-check
Action
--prepare Create the metadata files
--check Checks the data against the metadata previously stored
Options
-h|--help|-? Display help
-v|--verbose Display more informatrion
-q|--quiet Do not display anything on stderr/stdout
-V|--version Display version, authors and license
EOF
}
log_date() {
date +"%Y-%m-%d %H:%M:%S"
}
is_log_file() {
test -n "${log_file}"
}
is_verbose() {
test "${verbose}" = "1"
}
is_quiet() {
test "${quiet}" = "1"
}
log_line() {
level=$1
msg=$2
# printf "[%s] %s: %s\n" "$(log_date)" "${level}" "${msg}"
printf "%s: %s\n" "${level}" "${msg}"
}
log_debug() {
level="DEBUG"
msg=$1
if ! is_quiet && is_verbose; then
if is_log_file; then
log_line "${level}" "${msg}" >> "${log_file}"
else
log_line "${level}" "${msg}" >&2
fi
fi
}
log_info() {
level="INFO"
msg=$1
if ! is_quiet; then
if is_log_file; then
log_line "${level}" "${msg}" >> "${log_file}"
else
log_line "${level}" "${msg}" >&2
fi
fi
}
log_warning() {
level="WARNING"
msg=$1
if ! is_quiet; then
if is_log_file; then
log_line "${level}" "${msg}" >> "${log_file}"
else
log_line "${level}" "${msg}" >&2
fi
fi
}
log_error() {
level="ERROR"
msg=$1
if ! is_quiet; then
if is_log_file; then
log_line "${level}" "${msg}" >> "${log_file}"
if tty -s; then
printf "%s\n" "${msg}" >&2
fi
else
log_line "${level}" "${msg}" >&2
fi
fi
}
log_fatal() {
level="FATAL"
msg=$1
if is_log_file; then
log_line "${level}" "${msg}" >> "${log_file}"
if tty -s; then
printf "%s\n" "${msg}" >&2
fi
else
log_line "${level}" "${msg}" >&2
fi
}
data_command() {
echo "du --bytes"
}
list_files_with_size() {
path=$1
# shellcheck disable=SC2014,SC2046
find "${path}" -type f -exec $(data_command) {} \; | sort -k2
}
prepare_data() {
list_files_with_size "${final_dir}" > "${data_file}"
"${checksum_bin}" "${data_file}" > "${checksum_file}"
}
check_data() {
if [ -f "${checksum_file}" ]; then
# subshell to scope the commands to "parent_dir"
"${checksum_bin}" --status --check "${checksum_file}"
last_rc=$?
if [ ${last_rc} -ne 0 ]; then
log_error "Verification failed with checksum file \`${checksum_file}' (inside \`${parent_dir}')."
exit 1
fi
else
log_warning "Couldn't find checksum file \`${checksum_file}' (inside \`${parent_dir}'). Skip verification."
fi
if [ -f "${data_file}" ]; then
while read -r data_line; do
expected_size=$(echo "${data_line}" | cut -f1)
file=$(echo "${data_line}" | cut -f2)
if [ -f "${file}" ]; then
actual_size=$($(data_command) "${file}" | cut -f1)
if [ "${actual_size}" != "${expected_size}" ]; then
log_error "File \`${file}' has actual size of ${actual_size} instead of ${expected_size}."
rc=1
fi
else
log_error "Couldn't find file \`${file}'."
rc=1
fi
done < "${data_file}"
if [ ${rc} -eq 0 ]; then
log_info "Directory \`${final_dir}' is consistent with data stored in \`${data_file}' (inside \`${parent_dir}')."
fi
else
log_fatal "Couldn't find data file \`${data_file}' (inside \`${parent_dir}')."
exit 1
fi
}
main() {
if [ -z "${dir}" ]; then
log_fatal "dir option is empty"
exit 1
elif [ -e "${dir}" ] && [ ! -d "${dir}" ]; then
log_fatal "Directory \`${dir}' exists but is not a directory"
exit 1
fi
checksum_cmd="sha256sum"
checksum_bin=$(command -v ${checksum_cmd})
if [ -z "${checksum_bin}" ]; then
log_fatal "Couldn't find \`${checksum_cmd}'.\nUse 'apt install ${checksum_cmd}'."
exit 1
fi
parent_dir=$(dirname "${dir}")
final_dir=$(basename "${dir}")
data_file="${PROGNAME}.db"
checksum_file="${data_file}.${checksum_cmd}"
cwd=${PWD}
cd "${parent_dir}" || log_error "Impossible to change to \`${parent_dir}'"
if [ -z "${action}" ]; then
log_fatal "Missing --check or --prepare option."
echo "" >&2
show_help >&2
exit 1
fi
case ${action} in
check)
check_data
;;
prepare)
prepare_data
;;
*)
log_fatal "Unknown action \`${action}'."
rc=1
;;
esac
if [ -d "${cwd}" ]; then
cd "${cwd}" || log_error "Impossible to change back to \`${cwd}'"
else
log_error "Previous working directory \`${cwd}' is not a directory."
fi
}
# Declare variables
verbose=""
quiet=""
action=""
dir=""
rc=0
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
case $1 in
-h|-\?|--help)
show_help
exit 0
;;
-V|--version)
show_version
exit 0
;;
-d|--dir)
# with value separated by space
if [ -n "$2" ]; then
dir="$2"
shift
else
log_fatal 'ERROR: "--dir" requires a non-empty option argument.'
fi
;;
--dir=?*)
# with value speparated by =
dir=${1#*=}
;;
--dir=)
# without value
log_fatal '"--dir" requires a non-empty option argument.'
;;
-l|--log)
# with value separated by space
if [ -n "$2" ]; then
log_file="$2"
shift
else
log_fatal 'ERROR: "--log" requires a non-empty option argument.'
fi
;;
--log=?*)
# with value speparated by =
log_file=${1#*=}
;;
--log=)
# without value
log_fatal '"--log" requires a non-empty option argument.'
;;
--prepare)
action="prepare"
;;
--check)
action="check"
;;
-v|--verbose)
verbose=1
;;
--quiet)
quiet=1
verbose=0
;;
--)
# End of all options.
shift
break
;;
-?*|[[:alnum:]]*)
# ignore unknown options
if tty -s; then
printf 'Unknown option : %s\n' "$1" >&2
echo "" >&2
show_usage >&2
exit 1
else
log_fatal "Unknown option : $1"
fi
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done
# Default values
verbose=${verbose:-0}
quiet=${quiet:-0}
action=${action:-}
log_file=${log_file:-}
set -u
main
exit ${rc}

129
evolinux-base/files/update-evobackup-canary.sh Normal file
View File

@ -0,0 +1,129 @@
#!/bin/sh
PROGNAME="update-evobackup-canary"
REPOSITORY="https://gitea.evolix.org/evolix/evobackup"
VERSION="22.05"
readonly VERSION
# base functions
show_version() {
cat <<END
${PROGNAME} version ${VERSION}
Copyright 2022 Evolix <info@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
and others.
${REPOSITORY}
${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
show_help() {
cat <<END
${PROGNAME} is updating a canary file for evobackup.
Usage: ${PROGNAME} [OPTIONS]
Main options
-w, --who who has updated the file (default: logname())
-f, --file path of the canary file (default: /zzz_evobackup_canary)
-V, --version print version and exit
-h, --help print this message and exit
END
}
main() {
if [ -z "${who:-}" ]; then
who=$(logname)
fi
if [ -z "${canary_file:-}" ]; then
canary_file="/zzz_evobackup_canary"
fi
# This option is supported since (at least) Debian 8
date=$(date --iso-8601=seconds)
printf "%s %s\n" "${date}" "${who}" >> "${canary_file}"
}
# parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
case $1 in
-h|-\?|--help)
show_help
exit 0
;;
-V|--version)
show_version
exit 0
;;
-w|--who)
# with value separated by space
if [ -n "$2" ]; then
who=$2
shift
else
printf 'ERROR: "-w|--who" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--who=?*)
# with value speparated by =
who=${1#*=}
;;
--who=)
# without value
printf 'ERROR: "--who" requires a non-empty option argument.\n' >&2
exit 1
;;
-f|--file)
# with value separated by space
if [ -n "$2" ]; then
canary_file=$2
shift
else
printf 'ERROR: "-f|--file" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--file=?*)
# with value speparated by =
canary_file=${1#*=}
;;
--file=)
# without value
printf 'ERROR: "--file" requires a non-empty option argument.\n' >&2
exit 1
;;
--)
# End of all options.
shift
break
;;
-?*)
# ignore unknown options
printf 'WARN: Unknown option : %s\n' "$1" >&2
exit 1
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done
export LC_ALL=C
set -u
main

17
evolinux-base/tasks/provider_vmware.yml Normal file
View File

@ -0,0 +1,17 @@
---
- name: Check if the virtual machine on VMWare Host
shell: "dmidecode | grep -q 'VMware'"
check_mode: no
register: vmware_provider
failed_when: False
changed_when: False
tags:
- packages
- name: OpenVM Tools are installed for vmware
apt:
state: present
name: open-vm-tools
tags:
- packages
when: vmware_provider.rc == 0

24
evolinux-base/tasks/utils.yml
View File

@ -27,3 +27,27 @@
owner: root
group: root
force: no
- name: update-evobackup-canary script is present
copy:
src: "update-evobackup-canary.sh"
dest: /usr/local/bin/update-evobackup-canary
force: True
owner: root
group: root
mode: "0755"
# TODO: delete when this has been run once on all our servers
- name: update-evobackup-canary is removed from sbin
file:
path: /usr/local/sbin/update-evobackup-canary
state: absent
- name: dir-check script is present
copy:
src: "dir-check.sh"
dest: /usr/local/bin/dir-check
force: True
owner: root
group: root
mode: "0755"

2
minifirewall/files/check_minifirewall
View File

@ -10,7 +10,7 @@ is_alert5_enabled() {
if test -f /etc/init.d/alert5; then
test -f /etc/rc2.d/S*alert5
else
systemctl is-active alert5 | grep -q "^active$"
systemctl is-enabled alert5 | grep -q "^enabled$"
fi
}

15
minifirewall/tasks/main.yml
View File

@ -56,6 +56,11 @@
include: install.legacy.yml
when: minifirewall_install_mode == 'legacy'
- name: Debug minifirewall_update_config
debug:
var: minifirewall_update_config | bool
verbosity: 1
- name: Config tasks (modern mode)
include: config.yml
when:
@ -77,6 +82,11 @@
- name: Activation tasks
include: activate.yml
- name: Debug minifirewall_tail_included
debug:
var: minifirewall_tail_included | bool
verbosity: 1
- name: Tail tasks (modern mode)
include: tail.yml
when:
@ -91,6 +101,11 @@
# Restart?
- name: Debug minifirewall_restart_force
debug:
var: minifirewall_restart_force | bool
verbosity: 1
- name: Force restart minifirewall (modern mode)
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart

2
mysql-oracle/files/mysqltuner.cron.sh
View File

@ -44,7 +44,7 @@ Bien à vous,
--
Rapport automatique Evolix
EOT
mutt -x -e 'set send_charset="utf-8"' -H $template \
mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \
-a /var/www/mysqlreport_${instance}.html < $body
done
chmod 644 /var/www/mysqlreport*html

115
mysql/files/evomariabackup.sh
View File

@ -1,12 +1,12 @@
#!/bin/sh
VERSION="21.11"
VERSION="22.06"
show_version() {
cat <<END
evomariabackup version ${VERSION}
Copyright 2004-2021 Evolix <info@evolix.fr>,
Copyright 2004-2022 Evolix <info@evolix.fr>,
Éric Morino <emorino@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
and others.
@ -27,6 +27,7 @@ Options
--compress Force compress phase
--no-compress Skip compress phase
--log-file Log file to send messages
--post-backup-hook Script to execute after other tasks
--verbose Output much more information (to stdout/stderr or the log file)
--quiet Ouput only the most critical information
--lock-file Specify which lock file to use (default: /run/lock/mariabackup.lock)
@ -248,10 +249,9 @@ backup() {
backup_command="${mariabackup_bin} --backup --slave-info --target-dir=${backup_dir:?}"
if ! is_quiet; then
log_debug "${backup_command}"
log_info "BEGIN mariabackup backup phase"
log_debug "${backup_command}"
fi
if is_quiet || ! is_verbose ; then
@ -277,8 +277,8 @@ backup() {
prepare_command="${mariabackup_bin} --prepare --target-dir=${backup_dir:?}"
if ! is_quiet; then
log_debug "${prepare_command}"
log_info "BEGIN mariabackup prepare phase"
log_debug "${prepare_command}"
fi
if is_quiet || ! is_verbose ; then
@ -301,6 +301,38 @@ backup() {
log_info "END mariabackup prepare phase"
fi
}
list_files_with_size() {
path=$1
find "${path}" -type f -exec du --bytes {} \; | sort -k2
}
dircheck_prepare() {
if [ -z "${backup_dir}" ]; then
log_fatal "backup-dir option is empty"
exit 1
elif [ -e "${backup_dir}" ] && [ ! -d "${backup_dir}" ]; then
log_fatal "backup directory '${backup_dir}' exists but is not a directory"
exit 1
fi
dircheck_cmd="dir-check"
dircheck_bin=$(command -v ${dircheck_cmd})
if [ -z "${dircheck_bin}" ]; then
log_fatal "Couldn't find ${dircheck_cmd}."
exit 1
fi
backup_parent_dir=$(dirname "${backup_dir}")
backup_final_dir=$(basename "${backup_dir}")
log_info "BEGIN dir-check phase"
cwd=${PWD}
cd "${backup_parent_dir}" || log_fatal "Impossible to change to ${backup_parent_dir}"
"${dircheck_bin}" --prepare --dir "${backup_final_dir}"
cd ${cwd} || log_fatal "Impossible to change back to ${cwd}"
log_info "END dir-check phase"
}
compress() {
compress_dir=$(dirname "${compress_file}")
@ -332,8 +364,8 @@ compress() {
fi
if ! is_quiet; then
log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'"
log_info "BEGIN compression phase"
log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'"
fi
if is_quiet || ! is_verbose ; then
tar --use-compress-program="${compress_program}" -cf "${compress_file}" "${backup_dir}" >/dev/null 2>&1
@ -355,6 +387,35 @@ compress() {
log_info "END compression phase"
fi
}
post_backup_hook() {
if [ -x "${post_backup_hook}" ]; then
if ! is_quiet; then
log_debug "Execution of \`${post_backup_hook}'"
log_info "BEGIN hook phase"
fi
(
export BACKUP_DIR="${backup_dir}"
if is_log_file; then
export LOG_FILE="${log_file}"
fi
"${post_backup_hook}"
)
hook_rc=$?
if [ ${hook_rc} -ne 0 ]; then
log_fatal "An error occured while executing post backup hook \`${post_backup_hook}'"
exit 1
elif ! is_quiet; then
log_info "END hook phase"
fi
else
log_fatal "Post backup hook \`${post_backup_hook}' is missing or not executable"
exit 1
fi
}
main() {
kill_or_clean_lockfile "${lock_file}"
# shellcheck disable=SC2064
@ -362,11 +423,19 @@ main() {
new_lock_file "${lock_file}"
if [ "${do_backup}" = "1" ] && [ -n "${backup_dir}" ]; then
backup "${backup_dir}"
backup
fi
if [ "${do_dircheck}" = "1" ] && [ -n "${backup_dir}" ]; then
dircheck_prepare
fi
if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then
compress "${backup_dir}" "${compress_file}"
compress
fi
if [ -n "${post_backup_hook}" ]; then
post_backup_hook
fi
}
@ -377,11 +446,12 @@ log_file=""
verbose=""
quiet=""
max_age=""
max_age=""
do_backup=""
backup_dir=""
do_dircheck=""
do_compress=""
compress_file=""
post_backup_hook=""
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
@ -440,6 +510,14 @@ while :; do
log_fatal '"--backup-dir" requires a non-empty option argument.'
;;
--dir-check)
do_dircheck=1
;;
--no-dir-check)
do_dircheck=0
;;
--compress)
do_compress=1
;;
@ -508,6 +586,24 @@ while :; do
log_fatal '"--log-file" requires a non-empty option argument.'
;;
--post-backup-hook)
# with value separated by space
if [ -n "$2" ]; then
post_backup_hook="$2"
shift
else
log_fatal '"--post-backup-hook" requires a non-empty option argument.'
fi
;;
--post-backup-hook=?*)
# with value speparated by =
post_backup_hook=${1#*=}
;;
--post-backup-hook=)
# without value
log_fatal '"--post-backup-hook" requires a non-empty option argument.'
;;
-v|--verbose)
verbose=1
;;
@ -549,6 +645,7 @@ verbose=${verbose:-0}
quiet=${quiet:-0}
max_age="${max_age:-86400}"
do_backup="${do_backup:-1}"
do_dircheck="${do_dircheck:-0}"
do_compress="${do_compress:-0}"
main

2
mysql/files/mysqltuner.cron.sh
View File

@ -44,7 +44,7 @@ Bien à vous,
--
Rapport automatique Evolix
EOT
mutt -x -e 'set send_charset="utf-8"' -H $template \
mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \
-a /var/www/mysqlreport_${instance}.html < $body
done
chmod 644 /var/www/mysqlreport*html

2
postfix/templates/packmail_main.cf.j2
View File

@ -74,7 +74,7 @@ myhostname = {{ ansible_fqdn }}
# Liste des noms de domaine (ou IP) consideres comme local
#par defaut, = $myhostname, localhost.$mydomain, localhost
mydestination = $myhostname
mydestination = $myhostname localhost.localdomain localhost
# Indique le domaine apparaissant dans le courrier envoye
#par defaut, = $myhostname

2
webapps/evoadmin-mail/tasks/main.yml
View File

@ -1,7 +1,7 @@
---
- name: Install evoadmin-mail package
apt:
name: evoadmin-mail
deb: /tmp/evoadmin-mail.deb
state: present
tags:
- evoadmin-mail