Merge branch 'unstable' into stable
commit
24f34b200c
16
CHANGELOG.md
16
CHANGELOG.md
|
@ -22,6 +22,22 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Security
|
||||
|
||||
## [22.06] 2022-06-03
|
||||
|
||||
### Added
|
||||
|
||||
* certbot: add hapee (HAProxy Enterprise Edition) deploy hook
|
||||
* evolinux-base: add dir-check script
|
||||
* evolinux-base: add update-evobackup-canary script
|
||||
* mysql: add post-backup-hook to evomariabackup
|
||||
* mysql: use dir-check inside evomariabackup
|
||||
|
||||
### Changed
|
||||
|
||||
* docker: Allow "live-restore" to be toggled with docker_conf_live_restore
|
||||
* evocheck: upstream release 22.06
|
||||
* mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner
|
||||
|
||||
## [22.05.1] 2022-05-12
|
||||
|
||||
### Added
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
|
||||
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }}
|
||||
deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
|
||||
deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
|
||||
|
|
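Review bot: If the `deb http://security.debian.org/debian-security bullseye-security` line is the new side (the print order suggests so, and the evocheck pattern further down this commit appears to change in the same direction), the security archive moves from HTTPS to plain HTTP. apt still verifies the Release signature, so package integrity is unaffected, but an on-path observer now sees which security updates each host pulls and can stall or replay the index within the Release file's Valid-Until window. Debian's release notes do list the plain-HTTP form and `deb.debian.org` also serves it over HTTPS, so if the switch is driven by a proxy or mirror constraint a one-line comment in the template saying so (`# plain http: security.debian.org is fetched through the apt proxy`) would spare the next reader the question; otherwise keeping `https://` costs nothing here.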
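--- /dev/null
+++ b/certbot/files/hooks/deploy/hapee.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+
+error() {
+>&2 echo "${PROGNAME}: $1"
+exit 1
+}
+debug() {
+if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+>&2 echo "${PROGNAME}: $1"
+fi
+}
+daemon_found_and_running() {
+test -n "$(pidof hapee-lb)" && test -n "${hapee_bin}"
+}
+found_renewed_lineage() {
+test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
+}
+config_check() {
+${hapee_bin} -c -f "${hapee_config_file}" > /dev/null 2>&1
+}
+concat_files() {
+# shellcheck disable=SC2174
+mkdir --mode=700 --parents "${hapee_cert_dir}"
+chown root: "${hapee_cert_dir}"
+
+debug "Concatenating certificate files to ${hapee_cert_file}"
+cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${hapee_cert_file}"
+chmod 600 "${hapee_cert_file}"
+chown root: "${hapee_cert_file}"
+}
+cert_and_key_mismatch() {
+hapee_cert_md5=$(openssl x509 -noout -modulus -in "${hapee_cert_file}" | openssl md5)
+hapee_key_md5=$(openssl rsa -noout -modulus -in "${hapee_cert_file}" | openssl md5)
+
+test "${hapee_cert_md5}" != "${hapee_key_md5}"
+}
+detect_hapee_cert_dir() {
+# get last field or line wich defines the crt directory
+config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/\S+' "${hapee_config_file}" | head -1 | awk '{ print $(NF)}')
+if [ -n "${config_cert_dir}" ]; then
+debug "Cert directory is configured with ${config_cert_dir}"
+echo "${config_cert_dir}"
+elif [ -d "/etc/haproxy/ssl" ]; then
+debug "No configured cert directory found, but /etc/haproxy/ssl exists"
+echo "/etc/haproxy/ssl"
+elif [ -d "/etc/ssl/haproxy" ]; then
+debug "No configured cert directory found, but /etc/ssl/haproxy exists"
+echo "/etc/ssl/haproxy"
+else
+error "Cert directory not found."
+fi
+}
+main() {
+if [ -z "${RENEWED_LINEAGE}" ]; then
+error "This script must be called only by certbot!"
+fi
+
+if daemon_found_and_running; then
+readonly hapee_config_file="/etc/hapee-2.4/hapee-lb.cfg"
+readonly hapee_cert_dir=$(detect_hapee_cert_dir)
+
+if found_renewed_lineage; then
+hapee_cert_file="${hapee_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
+failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
+
+concat_files
+
+if cert_and_key_mismatch; then
+mv "${hapee_cert_file}" "${failed_cert_file}"
+error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
+fi
+
+if config_check; then
+debug "HAPEE detected... reloading"
+systemctl reload hapee-2.4-lb.service
+else
+error "HAPEE config is broken, you must fix it !"
+fi
+else
+error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
+fi
+else
+debug "HAPEE is not running or missing. Skip."
+fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly hapee_bin="/opt/hapee-2.4/sbin/hapee-lb"
+
+main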
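Review bot: In concat_files the private key is written with `cat ... > "${hapee_cert_file}"` before the `chmod 600`, so the combined file is created under the default umask and is briefly readable by other local users; wrap the write as `( umask 077; cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${hapee_cert_file}" )` so it is never world-readable. Separately, `error` inside the command substitution `readonly hapee_cert_dir=$(detect_hapee_cert_dir)` only exits the subshell, so when no cert directory is found main carries on with an empty `hapee_cert_dir` and the key lands at `/<lineage>.pem`; add `test -n "${hapee_cert_dir}" || error "Cert directory not found."` right after that line. Finally, cert_and_key_mismatch compares an RSA modulus, which I expect to report a spurious mismatch (and park the renewed cert in /root) for ECDSA lineages; comparing `openssl x509 -noout -pubkey -in "${hapee_cert_file}" | openssl md5` with `openssl pkey -pubout -in "${hapee_cert_file}" | openssl md5` works for both key types.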
@ -9,6 +9,9 @@ docker_conf_use_iptables: False
|
|||
# Disable the possibility for containers processes to gain new privileges
|
||||
docker_conf_no_newprivileges: False
|
||||
|
||||
# Toggle live restore (need to be disabled in swarm mode)
|
||||
docker_conf_live_restore: True
|
||||
|
||||
# Disable all default network connectivity
|
||||
docker_conf_disable_default_networking: False
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
"data-root": "{{ docker_home }}",
|
||||
|
||||
{# Keep containers running while docker daemon downtime #}
|
||||
"live-restore": true,
|
||||
"live-restore": {{ docker_conf_live_restore | to_json }},,
|
||||
|
||||
{# Turn on user namespace remaping #}
|
||||
"userns-remap": "default",
|
||||
|
|
|
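Review bot: The new template line `"live-restore": {{ docker_conf_live_restore | to_json }},,` ends with two commas, which renders as `"live-restore": true,,` — invalid JSON that dockerd refuses at startup, so every host that gets this daemon.json loses its Docker daemon on the next restart. Drop the extra comma: `"live-restore": {{ docker_conf_live_restore | to_json }},`. A `validate:` on the template task (for example `python3 -m json.tool %s`, where python3 is available) would catch this class of typo before it reaches a host.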
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Debian/OpenBSD server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="22.05"
|
||||
VERSION="22.06"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
@ -19,7 +19,8 @@ Copyright 2009-2022 Evolix <info@evolix.fr>,
|
|||
Gregory Colpart <reg@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Tristan Pilat <tpilat@evolix.fr>,
|
||||
Victor Laborie <vlaborie@evolix.fr>
|
||||
Victor Laborie <vlaborie@evolix.fr>,
|
||||
Alexis Ben Miloud--Josselin <abenmiloud@evolix.fr>,
|
||||
and others.
|
||||
|
||||
evocheck comes with ABSOLUTELY NO WARRANTY. This is free software,
|
||||
|
@ -235,7 +236,7 @@ check_debiansecurity() {
|
|||
if is_debian_bullseye; then
|
||||
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
|
||||
# https://www.debian.org/security/
|
||||
pattern="^deb https://(deb|security)\.debian\.org/debian-security/? bullseye-security main"
|
||||
pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main"
|
||||
elif is_debian_buster; then
|
||||
pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
|
||||
elif is_debian_stretch; then
|
||||
|
@ -337,6 +338,8 @@ check_alert5boot() {
|
|||
else
|
||||
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
|
||||
grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
|
||||
elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then
|
||||
grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script"
|
||||
else
|
||||
failed "IS_ALERT5BOOT" "alert5 init script is missing"
|
||||
fi
|
||||
|
@ -350,6 +353,9 @@ check_alert5minifw() {
|
|||
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
|
||||
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \
|
||||
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
|
||||
elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then
|
||||
grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \
|
||||
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
|
||||
else
|
||||
failed "IS_ALERT5MINIFW" "alert5 init script is missing"
|
||||
fi
|
||||
|
@ -571,7 +577,7 @@ check_network_interfaces() {
|
|||
# Verify if all if are in auto
|
||||
check_autoif() {
|
||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
||||
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
||||
else
|
||||
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
|
||||
fi
|
||||
|
@ -589,6 +595,16 @@ check_interfacesgw() {
|
|||
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
|
||||
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway"
|
||||
}
|
||||
# Verification de l’état du service networking
|
||||
check_networking_service() {
|
||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||
if systemctl is-enabled networking.service > /dev/null; then
|
||||
if ! systemctl is-active networking.service > /dev/null; then
|
||||
failed "IS_NETWORKING_SERVICE" "networking.service is not active"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
# Verification de la mise en place d'evobackup
|
||||
check_evobackup() {
|
||||
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
|
||||
|
@ -955,7 +971,7 @@ check_mongo_backup() {
|
|||
# You could change the default path in /etc/evocheck.cf
|
||||
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
|
||||
if [ -d "$MONGO_BACKUP_PATH" ]; then
|
||||
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do
|
||||
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do
|
||||
# Skip indexes file.
|
||||
if ! [[ "$file" =~ indexes ]]; then
|
||||
limit=$(date +"%s" -d "now - 2 day")
|
||||
|
@ -1577,6 +1593,7 @@ main() {
|
|||
test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces
|
||||
test "${IS_AUTOIF:=1}" = 1 && check_autoif
|
||||
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
|
||||
test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
|
||||
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
|
||||
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
|
||||
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
|
||||
|
|
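Review bot: In check_mongo_backup the new glob `"${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*` only matches dump files that carry a further suffix (e.g. `.bson.gz`), so uncompressed `.bson`/`.json` dumps are no longer examined at all, and with nullglob unset an instance that only has uncompressed dumps iterates over the two unexpanded patterns instead. If both layouts can still occur, `"${MONGO_BACKUP_PATH}"/*/*.{json,bson}{,.*}` covers them; if only compressed dumps are expected from now on, a comment above the loop such as `# dumps are expected to be compressed (e.g. mongodump --gzip)` would make the narrowing intentional. The loop body and the rest of the function continue outside the hunk.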
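--- /dev/null
+++ b/evolinux-base/files/dir-check.sh
@@ -0,0 +1,329 @@
+#!/bin/sh
+
+PROGNAME="dir-check"
+REPOSITORY="https://gitea.evolix.org/evolix/ansible-roles"
+
+VERSION="22.06.1"
+readonly VERSION
+
+show_version() {
+cat <<END
+${PROGNAME} version ${VERSION}
+
+Copyright 2022 Evolix <info@evolix.fr>,
+Jérémy Lecour <jlecour@evolix.fr>
+
+${REPOSITORY}
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU Affero General Public License v3.0 for details.
+END
+}
+show_help() {
+cat <<EOF
+Usage: ${PROGNAME} [ACTION] [OPTIONS] --dir /path/to/directory-to-check
+
+Action
+--prepare Create the metadata files
+--check Checks the data against the metadata previously stored
+
+Options
+-h|--help|-? Display help
+-v|--verbose Display more informatrion
+-q|--quiet Do not display anything on stderr/stdout
+-V|--version Display version, authors and license
+EOF
+}
+
+log_date() {
+date +"%Y-%m-%d %H:%M:%S"
+}
+is_log_file() {
+test -n "${log_file}"
+}
+is_verbose() {
+test "${verbose}" = "1"
+}
+is_quiet() {
+test "${quiet}" = "1"
+}
+log_line() {
+level=$1
+msg=$2
+# printf "[%s] %s: %s\n" "$(log_date)" "${level}" "${msg}"
+printf "%s: %s\n" "${level}" "${msg}"
+}
+log_debug() {
+level="DEBUG"
+msg=$1
+if ! is_quiet && is_verbose; then
+if is_log_file; then
+log_line "${level}" "${msg}" >> "${log_file}"
+else
+log_line "${level}" "${msg}" >&2
+fi
+fi
+}
+log_info() {
+level="INFO"
+msg=$1
+if ! is_quiet; then
+if is_log_file; then
+log_line "${level}" "${msg}" >> "${log_file}"
+else
+log_line "${level}" "${msg}" >&2
+fi
+fi
+}
+log_warning() {
+level="WARNING"
+msg=$1
+if ! is_quiet; then
+if is_log_file; then
+log_line "${level}" "${msg}" >> "${log_file}"
+else
+log_line "${level}" "${msg}" >&2
+fi
+fi
+}
+log_error() {
+level="ERROR"
+msg=$1
+if ! is_quiet; then
+if is_log_file; then
+log_line "${level}" "${msg}" >> "${log_file}"
+if tty -s; then
+printf "%s\n" "${msg}" >&2
+fi
+else
+log_line "${level}" "${msg}" >&2
+fi
+fi
+}
+log_fatal() {
+level="FATAL"
+msg=$1
+if is_log_file; then
+log_line "${level}" "${msg}" >> "${log_file}"
+if tty -s; then
+printf "%s\n" "${msg}" >&2
+fi
+else
+log_line "${level}" "${msg}" >&2
+fi
+}
+
+data_command() {
+echo "du --bytes"
+}
+list_files_with_size() {
+path=$1
+# shellcheck disable=SC2014,SC2046
+find "${path}" -type f -exec $(data_command) {} \; | sort -k2
+}
+prepare_data() {
+list_files_with_size "${final_dir}" > "${data_file}"
+"${checksum_bin}" "${data_file}" > "${checksum_file}"
+}
+check_data() {
+if [ -f "${checksum_file}" ]; then
+# subshell to scope the commands to "parent_dir"
+"${checksum_bin}" --status --check "${checksum_file}"
+last_rc=$?
+if [ ${last_rc} -ne 0 ]; then
+log_error "Verification failed with checksum file \`${checksum_file}' (inside \`${parent_dir}')."
+exit 1
+fi
+else
+log_warning "Couldn't find checksum file \`${checksum_file}' (inside \`${parent_dir}'). Skip verification."
+fi
+if [ -f "${data_file}" ]; then
+while read -r data_line; do
+expected_size=$(echo "${data_line}" | cut -f1)
+file=$(echo "${data_line}" | cut -f2)
+
+if [ -f "${file}" ]; then
+actual_size=$($(data_command) "${file}" | cut -f1)
+
+if [ "${actual_size}" != "${expected_size}" ]; then
+log_error "File \`${file}' has actual size of ${actual_size} instead of ${expected_size}."
+rc=1
+fi
+else
+log_error "Couldn't find file \`${file}'."
+rc=1
+fi
+done < "${data_file}"
+if [ ${rc} -eq 0 ]; then
+log_info "Directory \`${final_dir}' is consistent with data stored in \`${data_file}' (inside \`${parent_dir}')."
+fi
+else
+log_fatal "Couldn't find data file \`${data_file}' (inside \`${parent_dir}')."
+exit 1
+fi
+}
+
+main() {
+if [ -z "${dir}" ]; then
+log_fatal "dir option is empty"
+exit 1
+elif [ -e "${dir}" ] && [ ! -d "${dir}" ]; then
+log_fatal "Directory \`${dir}' exists but is not a directory"
+exit 1
+fi
+
+checksum_cmd="sha256sum"
+checksum_bin=$(command -v ${checksum_cmd})
+if [ -z "${checksum_bin}" ]; then
+log_fatal "Couldn't find \`${checksum_cmd}'.\nUse 'apt install ${checksum_cmd}'."
+exit 1
+fi
+
+parent_dir=$(dirname "${dir}")
+final_dir=$(basename "${dir}")
+
+data_file="${PROGNAME}.db"
+checksum_file="${data_file}.${checksum_cmd}"
+
+cwd=${PWD}
+cd "${parent_dir}" || log_error "Impossible to change to \`${parent_dir}'"
+
+if [ -z "${action}" ]; then
+log_fatal "Missing --check or --prepare option."
+echo "" >&2
+show_help >&2
+exit 1
+fi
+
+case ${action} in
+check)
+check_data
+;;
+prepare)
+prepare_data
+;;
+*)
+log_fatal "Unknown action \`${action}'."
+rc=1
+;;
+esac
+
+if [ -d "${cwd}" ]; then
+cd "${cwd}" || log_error "Impossible to change back to \`${cwd}'"
+else
+log_error "Previous working directory \`${cwd}' is not a directory."
+fi
+}
+
+# Declare variables
+
+verbose=""
+quiet=""
+action=""
+dir=""
+rc=0
+
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+case $1 in
+-h|-\?|--help)
+show_help
+exit 0
+;;
+-V|--version)
+show_version
+exit 0
+;;
+
+-d|--dir)
+# with value separated by space
+if [ -n "$2" ]; then
+dir="$2"
+shift
+else
+log_fatal 'ERROR: "--dir" requires a non-empty option argument.'
+fi
+;;
+--dir=?*)
+# with value speparated by =
+dir=${1#*=}
+;;
+--dir=)
+# without value
+log_fatal '"--dir" requires a non-empty option argument.'
+;;
+
+-l|--log)
+# with value separated by space
+if [ -n "$2" ]; then
+log_file="$2"
+shift
+else
+log_fatal 'ERROR: "--log" requires a non-empty option argument.'
+fi
+;;
+--log=?*)
+# with value speparated by =
+log_file=${1#*=}
+;;
+--log=)
+# without value
+log_fatal '"--log" requires a non-empty option argument.'
+;;
+
+--prepare)
+action="prepare"
+;;
+
+--check)
+action="check"
+;;
+
+-v|--verbose)
+verbose=1
+;;
+
+--quiet)
+quiet=1
+verbose=0
+;;
+
+--)
+# End of all options.
+shift
+break
+;;
+-?*|[[:alnum:]]*)
+# ignore unknown options
+if tty -s; then
+printf 'Unknown option : %s\n' "$1" >&2
+echo "" >&2
+show_usage >&2
+exit 1
+else
+log_fatal "Unknown option : $1"
+fi
+;;
+*)
+# Default case: If no more options then break out of the loop.
+break
+;;
+esac
+
+shift
+done
+
+# Default values
+
+verbose=${verbose:-0}
+quiet=${quiet:-0}
+action=${action:-}
+log_file=${log_file:-}
+
+set -u
+
+main
+
+exit ${rc}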
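Review bot: In main, `cd "${parent_dir}" || log_error "Impossible to change to \`${parent_dir}'"` does not stop the script when the directory cannot be entered, so `--prepare` goes on to run `find` and write `dir-check.db` and its checksum relative to whatever the current directory happens to be, and a later `--check` against such metadata can report "consistent" without having compared anything; make it fatal: `cd "${parent_dir}" || { log_fatal "Impossible to change to \`${parent_dir}'"; exit 1; }`. The unknown-option branch calls `show_usage >&2`, which this script does not define (only `show_help` exists), so an interactive typo ends in a "not found" error instead of the usage text. The help text should also say what the check actually guarantees: it compares byte sizes from `du --bytes`, and the sha256 covers only the metadata file, so same-size corruption is not detected and anyone who can alter the directory can regenerate the metadata — this is a consistency check, not a tamper check.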
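--- /dev/null
+++ b/evolinux-base/files/update-evobackup-canary.sh
@@ -0,0 +1,129 @@
+#!/bin/sh
+
+PROGNAME="update-evobackup-canary"
+REPOSITORY="https://gitea.evolix.org/evolix/evobackup"
+
+VERSION="22.05"
+readonly VERSION
+
+# base functions
+
+show_version() {
+cat <<END
+${PROGNAME} version ${VERSION}
+
+Copyright 2022 Evolix <info@evolix.fr>,
+Jérémy Lecour <jlecour@evolix.fr>,
+and others.
+
+${REPOSITORY}
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public License v3.0 for details.
+END
+}
+show_help() {
+cat <<END
+${PROGNAME} is updating a canary file for evobackup.
+
+Usage: ${PROGNAME} [OPTIONS]
+
+Main options
+-w, --who who has updated the file (default: logname())
+-f, --file path of the canary file (default: /zzz_evobackup_canary)
+-V, --version print version and exit
+-h, --help print this message and exit
+END
+}
+
+main() {
+if [ -z "${who:-}" ]; then
+who=$(logname)
+fi
+if [ -z "${canary_file:-}" ]; then
+canary_file="/zzz_evobackup_canary"
+fi
+# This option is supported since (at least) Debian 8
+date=$(date --iso-8601=seconds)
+
+printf "%s %s\n" "${date}" "${who}" >> "${canary_file}"
+}
+
+# parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+case $1 in
+-h|-\?|--help)
+show_help
+exit 0
+;;
+-V|--version)
+show_version
+exit 0
+;;
+
+-w|--who)
+# with value separated by space
+if [ -n "$2" ]; then
+who=$2
+shift
+else
+printf 'ERROR: "-w|--who" requires a non-empty option argument.\n' >&2
+exit 1
+fi
+;;
+--who=?*)
+# with value speparated by =
+who=${1#*=}
+;;
+--who=)
+# without value
+printf 'ERROR: "--who" requires a non-empty option argument.\n' >&2
+exit 1
+;;
+
+-f|--file)
+# with value separated by space
+if [ -n "$2" ]; then
+canary_file=$2
+shift
+else
+printf 'ERROR: "-f|--file" requires a non-empty option argument.\n' >&2
+exit 1
+fi
+;;
+--file=?*)
+# with value speparated by =
+canary_file=${1#*=}
+;;
+--file=)
+# without value
+printf 'ERROR: "--file" requires a non-empty option argument.\n' >&2
+exit 1
+;;
+
+--)
+# End of all options.
+shift
+break
+;;
+-?*)
+# ignore unknown options
+printf 'WARN: Unknown option : %s\n' "$1" >&2
+exit 1
+;;
+*)
+# Default case: If no more options then break out of the loop.
+break
+;;
+esac
+
+shift
+done
+
+export LC_ALL=C
+
+set -u
+
+main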
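Review bot: `who=$(logname)` in main has no fallback: without a controlling terminal — the cron/evobackup case this script is meant for — logname typically fails, writes its complaint to stderr and leaves `who` empty, so the canary line is appended with a blank author and nothing else signals the problem. `who=$(logname 2>/dev/null || id -un)` always records the account that ran it. In the `-?*` branch the message is prefixed `WARN:` but the script then exits 1, so `ERROR:` (as used by the other option errors) describes it correctly.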
17
evolinux-base/tasks/provider_vmware.yml
Normal file
17
evolinux-base/tasks/provider_vmware.yml
Normal file
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
- name: Check if the virtual machine on VMWare Host
|
||||
shell: "dmidecode | grep -q 'VMware'"
|
||||
check_mode: no
|
||||
register: vmware_provider
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
tags:
|
||||
- packages
|
||||
|
||||
- name: OpenVM Tools are installed for vmware
|
||||
apt:
|
||||
state: present
|
||||
name: open-vm-tools
|
||||
tags:
|
||||
- packages
|
||||
when: vmware_provider.rc == 0
|
|
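Review bot: The detection task runs `dmidecode | grep -q 'VMware'` with `failed_when: False`, so a host where `dmidecode` is not installed (rc 127) is silently classified as non-VMware and never gets open-vm-tools, while the string appearing in any unrelated DMI field classifies it the other way. Ansible already collects this as a fact, so `when: ansible_virtualization_type == "VMware"` on the apt task (the value is `VMware` on the hosts I have seen; worth confirming) removes the shell call and the ambiguity; if dmidecode is preferred, at least narrow it to `dmidecode -s system-manufacturer | grep -q '^VMware'`.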
@ -27,3 +27,27 @@
|
|||
owner: root
|
||||
group: root
|
||||
force: no
|
||||
|
||||
- name: update-evobackup-canary script is present
|
||||
copy:
|
||||
src: "update-evobackup-canary.sh"
|
||||
dest: /usr/local/bin/update-evobackup-canary
|
||||
force: True
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
|
||||
# TODO: delete when this has been run once on all our servers
|
||||
- name: update-evobackup-canary is removed from sbin
|
||||
file:
|
||||
path: /usr/local/sbin/update-evobackup-canary
|
||||
state: absent
|
||||
|
||||
- name: dir-check script is present
|
||||
copy:
|
||||
src: "dir-check.sh"
|
||||
dest: /usr/local/bin/dir-check
|
||||
force: True
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
|
@ -10,7 +10,7 @@ is_alert5_enabled() {
|
|||
if test -f /etc/init.d/alert5; then
|
||||
test -f /etc/rc2.d/S*alert5
|
||||
else
|
||||
systemctl is-active alert5 | grep -q "^active$"
|
||||
systemctl is-enabled alert5 | grep -q "^enabled$"
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
@ -56,6 +56,11 @@
|
|||
include: install.legacy.yml
|
||||
when: minifirewall_install_mode == 'legacy'
|
||||
|
||||
- name: Debug minifirewall_update_config
|
||||
debug:
|
||||
var: minifirewall_update_config | bool
|
||||
verbosity: 1
|
||||
|
||||
- name: Config tasks (modern mode)
|
||||
include: config.yml
|
||||
when:
|
||||
|
@ -77,6 +82,11 @@
|
|||
- name: Activation tasks
|
||||
include: activate.yml
|
||||
|
||||
- name: Debug minifirewall_tail_included
|
||||
debug:
|
||||
var: minifirewall_tail_included | bool
|
||||
verbosity: 1
|
||||
|
||||
- name: Tail tasks (modern mode)
|
||||
include: tail.yml
|
||||
when:
|
||||
|
@ -91,6 +101,11 @@
|
|||
|
||||
# Restart?
|
||||
|
||||
- name: Debug minifirewall_restart_force
|
||||
debug:
|
||||
var: minifirewall_restart_force | bool
|
||||
verbosity: 1
|
||||
|
||||
- name: Force restart minifirewall (modern mode)
|
||||
command: /etc/init.d/minifirewall restart
|
||||
register: minifirewall_init_restart
|
||||
|
|
|
@ -44,7 +44,7 @@ Bien à vous,
|
|||
--
|
||||
Rapport automatique Evolix
|
||||
EOT
|
||||
mutt -x -e 'set send_charset="utf-8"' -H $template \
|
||||
mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \
|
||||
-a /var/www/mysqlreport_${instance}.html < $body
|
||||
done
|
||||
chmod 644 /var/www/mysqlreport*html
|
||||
|
|
|
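Review bot: The added `-e "set crypt_use_gpgme=no"` carries no explanation, and the same change appears verbatim in a second mysqlreport script further down, so whoever next touches either copy cannot tell whether it is safe to drop or must be kept in sync. A one-line comment above the mutt call stating the symptom it fixes, along the lines of `# crypt_use_gpgme=no: keep mutt from initialising GPGME for this unattended send`, adjusted to the actual failure that was observed, would be enough.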
@ -1,12 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
VERSION="21.11"
|
||||
VERSION="22.06"
|
||||
|
||||
show_version() {
|
||||
cat <<END
|
||||
evomariabackup version ${VERSION}
|
||||
|
||||
Copyright 2004-2021 Evolix <info@evolix.fr>,
|
||||
Copyright 2004-2022 Evolix <info@evolix.fr>,
|
||||
Éric Morino <emorino@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>
|
||||
and others.
|
||||
|
@ -20,19 +20,20 @@ show_help() {
|
|||
cat <<EOF
|
||||
Usage: evomariabackup --backup-dir /path/to/mariabackup-target --compress-file /path/to/compressed.tgz
|
||||
Options
|
||||
--backup-dir mariabackup target directory
|
||||
--compress-file File name for the compressed version
|
||||
--backup Force backup phase
|
||||
--no-backup Skip backup phase
|
||||
--compress Force compress phase
|
||||
--no-compress Skip compress phase
|
||||
--log-file Log file to send messages
|
||||
--verbose Output much more information (to stdout/stderr or the log file)
|
||||
--quiet Ouput only the most critical information
|
||||
--lock-file Specify which lock file to use (default: /run/lock/mariabackup.lock)
|
||||
--max-age Lock file is ignored if older than this (default: 1d)
|
||||
-h|--help|-? Display help
|
||||
-V|--version Display version, authors and license
|
||||
--backup-dir mariabackup target directory
|
||||
--compress-file File name for the compressed version
|
||||
--backup Force backup phase
|
||||
--no-backup Skip backup phase
|
||||
--compress Force compress phase
|
||||
--no-compress Skip compress phase
|
||||
--log-file Log file to send messages
|
||||
--post-backup-hook Script to execute after other tasks
|
||||
--verbose Output much more information (to stdout/stderr or the log file)
|
||||
--quiet Ouput only the most critical information
|
||||
--lock-file Specify which lock file to use (default: /run/lock/mariabackup.lock)
|
||||
--max-age Lock file is ignored if older than this (default: 1d)
|
||||
-h|--help|-? Display help
|
||||
-V|--version Display version, authors and license
|
||||
|
||||
Example usage for a backup then compress :
|
||||
# /usr/local/bin/evomariabackup --verbose \
|
||||
|
@ -248,10 +249,9 @@ backup() {
|
|||
|
||||
backup_command="${mariabackup_bin} --backup --slave-info --target-dir=${backup_dir:?}"
|
||||
|
||||
|
||||
if ! is_quiet; then
|
||||
log_debug "${backup_command}"
|
||||
log_info "BEGIN mariabackup backup phase"
|
||||
log_debug "${backup_command}"
|
||||
fi
|
||||
|
||||
if is_quiet || ! is_verbose ; then
|
||||
|
@ -277,8 +277,8 @@ backup() {
|
|||
prepare_command="${mariabackup_bin} --prepare --target-dir=${backup_dir:?}"
|
||||
|
||||
if ! is_quiet; then
|
||||
log_debug "${prepare_command}"
|
||||
log_info "BEGIN mariabackup prepare phase"
|
||||
log_debug "${prepare_command}"
|
||||
fi
|
||||
|
||||
if is_quiet || ! is_verbose ; then
|
||||
|
@ -301,6 +301,38 @@ backup() {
|
|||
log_info "END mariabackup prepare phase"
|
||||
fi
|
||||
}
|
||||
list_files_with_size() {
|
||||
path=$1
|
||||
find "${path}" -type f -exec du --bytes {} \; | sort -k2
|
||||
}
|
||||
dircheck_prepare() {
|
||||
if [ -z "${backup_dir}" ]; then
|
||||
log_fatal "backup-dir option is empty"
|
||||
exit 1
|
||||
elif [ -e "${backup_dir}" ] && [ ! -d "${backup_dir}" ]; then
|
||||
log_fatal "backup directory '${backup_dir}' exists but is not a directory"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
dircheck_cmd="dir-check"
|
||||
dircheck_bin=$(command -v ${dircheck_cmd})
|
||||
if [ -z "${dircheck_bin}" ]; then
|
||||
log_fatal "Couldn't find ${dircheck_cmd}."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
backup_parent_dir=$(dirname "${backup_dir}")
|
||||
backup_final_dir=$(basename "${backup_dir}")
|
||||
|
||||
log_info "BEGIN dir-check phase"
|
||||
cwd=${PWD}
|
||||
cd "${backup_parent_dir}" || log_fatal "Impossible to change to ${backup_parent_dir}"
|
||||
|
||||
"${dircheck_bin}" --prepare --dir "${backup_final_dir}"
|
||||
|
||||
cd ${cwd} || log_fatal "Impossible to change back to ${cwd}"
|
||||
log_info "END dir-check phase"
|
||||
}
|
||||
compress() {
|
||||
compress_dir=$(dirname "${compress_file}")
|
||||
|
||||
|
@ -332,8 +364,8 @@ compress() {
|
|||
fi
|
||||
|
||||
if ! is_quiet; then
|
||||
log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'"
|
||||
log_info "BEGIN compression phase"
|
||||
log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'"
|
||||
fi
|
||||
if is_quiet || ! is_verbose ; then
|
||||
tar --use-compress-program="${compress_program}" -cf "${compress_file}" "${backup_dir}" >/dev/null 2>&1
|
||||
|
@ -355,6 +387,35 @@ compress() {
|
|||
log_info "END compression phase"
|
||||
fi
|
||||
}
|
||||
post_backup_hook() {
|
||||
if [ -x "${post_backup_hook}" ]; then
|
||||
|
||||
if ! is_quiet; then
|
||||
log_debug "Execution of \`${post_backup_hook}'"
|
||||
log_info "BEGIN hook phase"
|
||||
fi
|
||||
|
||||
(
|
||||
export BACKUP_DIR="${backup_dir}"
|
||||
if is_log_file; then
|
||||
export LOG_FILE="${log_file}"
|
||||
fi
|
||||
"${post_backup_hook}"
|
||||
)
|
||||
hook_rc=$?
|
||||
|
||||
if [ ${hook_rc} -ne 0 ]; then
|
||||
log_fatal "An error occured while executing post backup hook \`${post_backup_hook}'"
|
||||
exit 1
|
||||
elif ! is_quiet; then
|
||||
log_info "END hook phase"
|
||||
fi
|
||||
else
|
||||
log_fatal "Post backup hook \`${post_backup_hook}' is missing or not executable"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
main() {
|
||||
kill_or_clean_lockfile "${lock_file}"
|
||||
# shellcheck disable=SC2064
|
||||
|
@ -362,11 +423,19 @@ main() {
|
|||
new_lock_file "${lock_file}"
|
||||
|
||||
if [ "${do_backup}" = "1" ] && [ -n "${backup_dir}" ]; then
|
||||
backup "${backup_dir}"
|
||||
backup
|
||||
fi
|
||||
|
||||
if [ "${do_dircheck}" = "1" ] && [ -n "${backup_dir}" ]; then
|
||||
dircheck_prepare
|
||||
fi
|
||||
|
||||
if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then
|
||||
compress "${backup_dir}" "${compress_file}"
|
||||
compress
|
||||
fi
|
||||
|
||||
if [ -n "${post_backup_hook}" ]; then
|
||||
post_backup_hook
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -377,11 +446,12 @@ log_file=""
|
|||
verbose=""
|
||||
quiet=""
|
||||
max_age=""
|
||||
max_age=""
|
||||
do_backup=""
|
||||
backup_dir=""
|
||||
do_dircheck=""
|
||||
do_compress=""
|
||||
compress_file=""
|
||||
post_backup_hook=""
|
||||
|
||||
# Parse options
|
||||
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||
|
@ -440,6 +510,14 @@ while :; do
|
|||
log_fatal '"--backup-dir" requires a non-empty option argument.'
|
||||
;;
|
||||
|
||||
--dir-check)
|
||||
do_dircheck=1
|
||||
;;
|
||||
|
||||
--no-dir-check)
|
||||
do_dircheck=0
|
||||
;;
|
||||
|
||||
--compress)
|
||||
do_compress=1
|
||||
;;
|
||||
|
@ -508,6 +586,24 @@ while :; do
|
|||
log_fatal '"--log-file" requires a non-empty option argument.'
|
||||
;;
|
||||
|
||||
--post-backup-hook)
|
||||
# with value separated by space
|
||||
if [ -n "$2" ]; then
|
||||
post_backup_hook="$2"
|
||||
shift
|
||||
else
|
||||
log_fatal '"--post-backup-hook" requires a non-empty option argument.'
|
||||
fi
|
||||
;;
|
||||
--post-backup-hook=?*)
|
||||
# with value speparated by =
|
||||
post_backup_hook=${1#*=}
|
||||
;;
|
||||
--post-backup-hook=)
|
||||
# without value
|
||||
log_fatal '"--post-backup-hook" requires a non-empty option argument.'
|
||||
;;
|
||||
|
||||
-v|--verbose)
|
||||
verbose=1
|
||||
;;
|
||||
|
@ -549,6 +645,7 @@ verbose=${verbose:-0}
|
|||
quiet=${quiet:-0}
|
||||
max_age="${max_age:-86400}"
|
||||
do_backup="${do_backup:-1}"
|
||||
do_dircheck="${do_dircheck:-0}"
|
||||
do_compress="${do_compress:-0}"
|
||||
|
||||
main
|
|
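Review bot: dircheck_prepare ignores the exit status of `"${dircheck_bin}" --prepare --dir "${backup_final_dir}"`, and both `cd` calls fall through on failure because log_fatal only logs (the surrounding code always pairs it with an explicit `exit 1`), so a failed metadata run still logs `END dir-check phase` and the compress and hook phases proceed as if the backup had been recorded; the `cd ${cwd}` back is also unquoted. The post-backup hook is validated with `[ -x "${post_backup_hook}" ]` but then invoked as a bare command, so a hook given as a relative name without a slash passes the test against the working directory yet is resolved through PATH when run; require an absolute path (`case "${post_backup_hook}" in /*) ;; *) log_fatal "...must be an absolute path"; exit 1;; esac`) or invoke `./` forms explicitly. The new list_files_with_size in this file duplicates the helper in dir-check and is not called from any visible hunk, so it looks like dead code.

```shell
# … unchanged: argument checks, dircheck_bin lookup, log_info "BEGIN dir-check phase" …
cwd=${PWD}
cd "${backup_parent_dir}" || { log_fatal "Impossible to change to ${backup_parent_dir}"; exit 1; }

"${dircheck_bin}" --prepare --dir "${backup_final_dir}"
dircheck_rc=$?

cd "${cwd}" || { log_fatal "Impossible to change back to ${cwd}"; exit 1; }

if [ ${dircheck_rc} -ne 0 ]; then
    log_fatal "dir-check failed with status ${dircheck_rc} for ${backup_dir}"
    exit 1
fi
log_info "END dir-check phase"
```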
@ -44,7 +44,7 @@ Bien à vous,
|
|||
--
|
||||
Rapport automatique Evolix
|
||||
EOT
|
||||
mutt -x -e 'set send_charset="utf-8"' -H $template \
|
||||
mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \
|
||||
-a /var/www/mysqlreport_${instance}.html < $body
|
||||
done
|
||||
chmod 644 /var/www/mysqlreport*html
|
||||
|
|
|
@ -74,7 +74,7 @@ myhostname = {{ ansible_fqdn }}
|
|||
|
||||
# Liste des noms de domaine (ou IP) consideres comme local
|
||||
#par defaut, = $myhostname, localhost.$mydomain, localhost
|
||||
mydestination = $myhostname
|
||||
mydestination = $myhostname localhost.localdomain localhost
|
||||
|
||||
# Indique le domaine apparaissant dans le courrier envoye
|
||||
#par defaut, = $myhostname
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: Install evoadmin-mail package
|
||||
apt:
|
||||
name: evoadmin-mail
|
||||
deb: /tmp/evoadmin-mail.deb
|
||||
state: present
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
|
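Review bot: Assuming `deb: /tmp/evoadmin-mail.deb` is the new side (the print order suggests it), the package is installed from a world-writable directory, and apt does not check any repository signature for a local `.deb`, so a local user who can replace `/tmp/evoadmin-mail.deb` between its upload and this task gets their own package installed as root. Stage the file in a root-owned location (`/root/` or a directory created with `tempfile` and `mode: "0700"`) and, since the archive is trusted on path alone, have the upload step pin its `checksum:`. If the line is in fact the removed side and the role now installs `evoadmin-mail` from the Evolix repository, disregard this.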