diff --git a/CHANGELOG.md b/CHANGELOG.md index 12239973..54e4bc4d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Add condition for config tasks * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition * minifirewall: Fix nagios check for old versions of minifirewall +* autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation ### Changed diff --git a/autosysadmin/defaults/main.yml b/autosysadmin/defaults/main.yml new file mode 100644 index 00000000..56190633 --- /dev/null +++ b/autosysadmin/defaults/main.yml @@ -0,0 +1,22 @@ +--- + +general_scripts_dir: "/usr/share/scripts" +autosysadmin_dir: "{{ general_scripts_dir }}/autosysadmin" + +# Default values for enabled checks +repair_amavis: 'on' +repair_disk: 'on' +repair_elasticsearch: 'on' +repair_http: 'on' +repair_mysql: 'on' +repair_opendkim: 'off' +repair_php_fpm56: 'off' +repair_php_fpm70: 'off' +repair_php_fpm73: 'off' +repair_php_fpm74: 'off' +repair_php_fpm80: 'off' +repair_php_fpm81: 'off' +repair_php_fpm82: 'off' +repair_php_fpm83: 'off' +repair_redis: 'off' +repair_tomcat_instance: 'off' diff --git a/autosysadmin/files/logrotate_autosysadmin.conf b/autosysadmin/files/logrotate_autosysadmin.conf new file mode 100644 index 00000000..41606de5 --- /dev/null +++ b/autosysadmin/files/logrotate_autosysadmin.conf @@ -0,0 +1,13 @@ +/var/log/autosysadmin.log { + daily + missingok + rotate 365 + compress + nodelaycompress + notifempty + dateext + dateformat .%Y-%m-%d + dateyesterday + copytruncate + create 0640 root adm +} diff --git a/autosysadmin/files/rsyslog_autosysadmin.conf b/autosysadmin/files/rsyslog_autosysadmin.conf new file mode 100644 index 00000000..dd3c037f --- /dev/null +++ b/autosysadmin/files/rsyslog_autosysadmin.conf 
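Review bot: In logrotate_autosysadmin.conf, `create 0640 root adm` has no effect next to `copytruncate`: with copytruncate the original file stays in place and is truncated, so logrotate never creates a new file and the mode and owner of /var/log/autosysadmin.log stay whatever the writer (presumably rsyslog) gave it. If the 0640 root:adm permissions matter, set them where the file is created, or drop `copytruncate`. If it is kept, a comment such as `# copytruncate: writer keeps the file open; create is ignored` would make the intent explicit.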
@@ -0,0 +1,3 @@
+$template autosysadmin, "/var/log/autosysadmin.log"
+if $programname contains 'autosysadmin' then ?autosysadmin
+& stop
diff --git a/autosysadmin/files/scripts/functions.sh b/autosysadmin/files/scripts/functions.sh
new file mode 100644
index 00000000..95f1a901
--- /dev/null
+++ b/autosysadmin/files/scripts/functions.sh
@@ -0,0 +1,478 @@ +#!/bin/bash + +get_system() { + uname -s +} + +get_fqdn() { + if [ "$(get_system)" = "Linux" ]; then + hostname --fqdn + elif [ "$(get_system)" = "OpenBSD" ]; then + hostname + else + log_error_exit "OS not detected!" + fi +} + +get_complete_hostname() { + REAL_HOSTNAME="$(get_fqdn)" + if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then + echo "${HOSTNAME}" + else + echo "${HOSTNAME} (${REAL_HOSTNAME})" + fi +} + +get_evomaintenance_mail() { + email="$(grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2)" + + if [[ -z "$email" ]]; then + email='alert5@evolix.fr' + fi + + echo "${email}" +} + +arguments="${*}" + +get_argument() { + no_found=1 + for argument in ${arguments} ; do + if [ "${argument}" = "${1}" ] ; + then + no_found=0 + fi + done + return ${no_found} +} + +internal_info() { + INTERNAL_INFO="$(printf '%b\n%s' "${INTERNAL_INFO}" "$*")" +} + +log_action() { + log "Action : $*" + ACTIONS="$(printf '%s\n%s' "${ACTIONS}" "$*")" +} + +log() { + INTERNAL_LOG="$(printf '%s\n%s %s %s %s' "${INTERNAL_LOG}" "$(date -Isec)" "$(hostname)" "$(basename "$0")" "$*")" + printf '%s %s %s %s\n' "$(date -Isec)" "$(hostname)" "$(basename "$0")" "$*" | tee -a "${LOG_DIR}/autosysadmin.log" + echo "$*" | /usr/bin/logger -p local0.notice -t autosysadmin."$0" +} + +log_error_exit() { + log "ERROR : $*" + AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: $*" --no-commit --no-mail + exit 1 +} + +log_check_php_fpm() { + + # Extraire seulement les chiffres du nom du script exécuté + # ./repair_php_fpm81.sh ==> 81 + PHP_VERSION="${0//[^0-9]/}" + + PHP_PATH_POOL=$(find /var/lib/lxc/php"${PHP_VERSION}"/ -type d -name "pool.d") + /usr/local/lib/nagios/plugins/check_phpfpm_multi "${PHP_PATH_POOL}" > "${LOG_DIR}/nrpe.txt" +} + +log_system_status() { + DUMP_SERVER_STATE_BIN="$(command -v dump-server-state || command -v backup-server-state)" + + if [ -z "${DUMP_SERVER_STATE_BIN}" ]; then + log "Warning: dump-server-state is not present. 
No server state recorded...." + fi + + if [ -x "${DUMP_SERVER_STATE_BIN}" ]; then + + # NOTE We don't want the logging to take too much time, so we kill it + # if it take more than 20 seconds. + timeout --signal 9 20 \ + "${DUMP_SERVER_STATE_BIN}" \ + --dump-dir="$LOG_DIR" \ + --df \ + --dmesg \ + --iptables \ + --lxc \ + --netcfg \ + --netstat \ + --uname \ + --processes \ + --systemctl \ + --uptime \ + --virsh \ + --disks \ + --mysql-processes \ + --no-apt-states \ + --no-apt-config \ + --no-dpkg-full \ + --no-dpkg-status \ + --no-mount \ + --no-packages \ + --no-sysctl \ + --no-etc + + log "System status logged in ${LOG_DIR}" + fi +} + +read_log_system_status(){ + files="df.txt dmesg.txt lxc-list.txt netstat-legacy.txt netstat-ss.txt pstree.txt ps.txt systemctl-failed-services.txt" + echo -e "\n\n#### Détails de dump-server-state" + for file in ${files} ; do + echo -e "\n### cat ${LOG_DIR}/${file} :" + tail -n 1000 "${LOG_DIR}"/"${file}" + done +} + +ensure_no_active_users_or_exit() { + if is_debug; then return; fi + + # Is there any active user ? + for user in $(LC_ALL=C who --users|awk '{print $1}'); do + idle_time="$(LC_ALL=C who --users | grep "${user}" | awk '{ print $6}')" + for sameusertime in $(LC_ALL=C who --users | grep "${user}" | awk '{ print $6}'); do + if is_active_user "$sameusertime"; then + hook_mail abort_active_users + log_error_exit 'At least one user was recently active. That requires human intervention. Nothing to do here!' + fi + done + done +} + +is_active_user() { + # Check if a user was active in the last 30 minutes + idle_time="$1" + + if [ "${idle_time}" = "old" ]; + then + return 1 + elif [ "${idle_time}" = "." 
]; + then + return 0 + else + hh="$(echo "${idle_time}" | awk -F':' '{print $1}')" + mm="$(echo "${idle_time}" | awk -F':' '{print $2}')" + idle_minutes="$(( 60 * "${hh}" + "${mm}" ))" + if [ "${idle_minutes}" -ge 30 ]; + then + return 1 + else + return 0 + fi + fi +} + +is_debug() { + debug_file="/etc/evolinux/autosysadmin.debug" + + if [ -e "${debug_file}" ]; then + last_change=$(stat -c %Z "${debug_file}") + limit_date=$(date --date "14400 seconds ago" +"%s") + + if [ $(( last_change - limit_date )) -le "0" ]; then + rm "${debug_file}" + else + return 0 + fi + fi + + return 1 +} + +check_nrpe() { + check="$1" + list_command_nrpe=$( grep --exclude=*~ -E "\[${check}\]" -r /etc/nagios/ | grep -v '#command' ) + command_nrpe_primary=$( echo "${list_command_nrpe}" | grep "/etc/nagios/nrpe.d/evolix.cfg" | cut -d'=' -f2- ) + command_nrpe_secondary=$( echo "${list_command_nrpe}" | head -n1 | cut -d'=' -f2- ) + + if [ -z "${command_nrpe_primary}" ] && [ -z "${command_nrpe_secondary}" ] + then + return 1 + else + if [ -n "${command_nrpe_primary}" ] + then + ${command_nrpe_primary} + else + ${command_nrpe_secondary} + fi + fi +} + +acquire_lock_or_exit() { + lockfile="$1" + waittime="$2" + + # si le temps d’attente n’est pas compréhensible par sleep(1), il vaut 0 + if ! 
echo "${waittime}" | grep -Eq '^[0-9]+[smhd]?$' + then + waittime=0 + fi + + # si le temps d’attente est supérieur à 0 et si le lock existe, on attend + if test "${waittime}" -gt 0 && test -f "${lockfile}" + then + sleep "${waittime}" + fi + + # si le lock existe, on s’arrête + if test -f "${lockfile}" + then + log_error_exit "lock file ${lockfile} exists" + fi + touch "${lockfile}" +} + +is_too_soon() { + if is_debug; then return; fi + + witness="/tmp/autosysadmin_witness_$(basename "$0")" + if test -f "${witness}" + then + compare="$(($(date +%s)-$(stat -c "%Y" "${witness}")))" + if [ "${compare}" -lt 1800 ]; + then + log_error_exit 'already executed less than 30 minutes ago' + fi + rm "${witness}" + fi + touch "${witness}" +} + +init_autosysadmin() { + PATH="${PATH}":/usr/sbin:/sbin↩ + unset ACTIONS + + SCRIPTNAME=$(basename "$0") + PROGNAME=${SCRIPTNAME%.sh} + + RUN_ID="$(date +"%Y-%m-%d_%H-%M")_${SCRIPTNAME}_$(openssl rand -hex 6)" + LOG_DIR="/var/log/autosysadmin/${RUN_ID}" + mkdir -p "${LOG_DIR}" + + log "Autosysadmin : Script ${SCRIPTNAME} triggered" + + # Detect operating system name, version and release↩ + detect_os +} + +load_conf() { + # Load conf and enable script by default. + # To disable script locally, set "$PROGNAME"=off in /etc/evolinux/autosysadmin. + # To disable script globally, set "$PROGNAME"=off in the script, after load_conf() call. + declare -g "$PROGNAME"=on # dynamic variable assignment ($PROGNAME == repair_*) + + # Source configuration file + # shellcheck source=../roles/deploy_autosysadmin/templates/autosysadmin.cfg.j2 + test -f /etc/evolinux/autosysadmin && source /etc/evolinux/autosysadmin +} + +detect_os() { + # OS detection + DEBIAN_RELEASE="" + LSB_RELEASE_BIN="$(command -v lsb_release)" + + if [ -e /etc/debian_version ]; then + DEBIAN_VERSION="$(cut -d "." 
-f 1 < /etc/debian_version)" + if [ -x "${LSB_RELEASE_BIN}" ]; then + DEBIAN_RELEASE="$("${LSB_RELEASE_BIN}" --codename --short)" + else + case "${DEBIAN_VERSION}" in + 8) DEBIAN_RELEASE="jessie";; + 9) DEBIAN_RELEASE="stretch";; + 10) DEBIAN_RELEASE="buster";; + 11) DEBIAN_RELEASE="bullseye";; + esac + fi + fi +} + +is_debian_jessie() { + test "${DEBIAN_RELEASE}" = "jessie" +} +is_debian_stretch() { + test "${DEBIAN_RELEASE}" = "stretch" +} +is_debian_buster() { + test "${DEBIAN_RELEASE}" = "buster" +} +is_debian_bullseye() { + test "${DEBIAN_RELEASE}" = "bullseye" +} + +systemd_list_service_failed() { + systemctl list-units --failed --no-legend --full --type=service "$1" | + awk '{print $1}' +} + +systemd_list_units_enabled() { + list_units_enabled=$(systemctl list-unit-files --state=enabled --no-legend | awk "/$1/{print \$1}") + if [ -z "${list_units_enabled}" ] + then + return 1 + else + echo "${list_units_enabled}" + fi +} + +format_mail_success() { + cat < +Content-Type: text/plain; charset=UTF-8 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +X-Script: $(basename "$0") +X-RunId: ${RUN_ID} +To: ${EMAIL_CLIENT:-alert5@evolix.fr} +Cc: autosysadmin@evolix.fr +Subject: [autosysadmin] Intervention sur ${HOSTNAME_TEXT} + +Bonjour, + +Une intervention automatique vient de se terminer. + +Nom du serveur : ${HOSTNAME_TEXT} +Heure d'intervention : $(LC_ALL=fr_FR.utf8 date) + +### Renseignements sur l'intervention + +${ACTIONS} + +### Réagir à cette intervention + +Vous pouvez répondre à ce message (sur l'adresse mail equipe@evolix.net). 
+En cas d'urgence, utilisez l'adresse maintenance@evolix.fr ou +notre téléphone portable d'astreinte (04.26.99.99.26) + +-- +Votre AutoSysadmin +EOTEMPLATE +} + +format_mail_abort_active_users() { + cat < +Content-Type: text/plain; charset=UTF-8 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +X-Script: $(basename "$0") +X-RunId: ${RUN_ID} +To: ${EMAIL_CLIENT:-alert5@evolix.fr} +Cc: autosysadmin@evolix.fr +Subject: [autosysadmin] Intervention interrompue sur ${HOSTNAME_TEXT} + +Bonjour, + +Une intervention automatique a été interrompue en raison +d'un utilisateur actuellement actif sur le serveur. + +Nom du serveur : ${HOSTNAME_TEXT} +Heure d'intervention : $(LC_ALL=fr_FR.utf8 date) + +### Utilisateur(s) connecté(s) +$(w) + +-- +Votre AutoSysadmin +EOTEMPLATE +} + +format_mail_internal_info() { + cat < +Content-Type: text/plain; charset=UTF-8 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +X-Script: $(basename "$0") +X-RunId: ${RUN_ID} +To: autosysadmin@evolix.fr +Subject: [autosysadmin] Complements (interne) - Intervention sur ${HOSTNAME_TEXT} + +Bonjour, + +Une intervention automatique vient de se terminer. + +Nom du serveur : ${HOSTNAME_TEXT} +Heure d'intervention : $(LC_ALL=fr_FR.utf8 date) +Script déclenché : $(basename "$0") + +### Actions effectuées + +${ACTIONS} + +### Logs autosysadmin + +${INTERNAL_LOG} + +### Utilisateur(s) connecté(s) + +$(w) + +### Informations additionnelles données par le script $(basename "$0") + +${INTERNAL_INFO} + +-- +Votre AutoSysadmin +EOTEMPLATE +} + +hook_mail() { + if is_debug; then return; fi + + HOSTNAME="${HOSTNAME:-"$(get_fqdn)"}" + HOSTNAME_TEXT="$(get_complete_hostname)" + EMAIL_CLIENT="$(get_evomaintenance_mail)" + + MAIL_CONTENT="$(format_mail_"$1")" + + SENDMAIL_BIN="$(command -v sendmail)" + + if [ -z "${SENDMAIL_BIN}" ]; then + log "No \`sendmail' command has been found, can't send mail." 
+ fi + + if [ -x "${SENDMAIL_BIN}" ]; then + echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.net" + fi +} + + + +# We need stable output for gcal, so we force some language environment variables +export TZ=Europe/Paris +export LANGUAGE=fr_FR.UTF-8 + +is_holiday() { + # gcal mark today as a holiday by surrounding with < and > the day + # of the month of that holiday line. For exemple if today is 2022-05-01 we'll + # get among other lines: + # Fête du Travail (FR) + Di, < 1>Mai 2022 + # Jour de la Victoire (FR) + Di, : 8:Mai 2022 = +7 jours + gcal --cc-holidays=fr --holiday-list=short | grep -E '<[0-9 ]{2}>' --quiet +} + +is_weekend() { + day_of_week=$(date +%u) + if [ "$day_of_week" != 6 ] && [ "$day_of_week" != 7 ]; then + return 1 + fi +} + +is_workday() { + if is_holiday || is_weekend; then + return 1 + fi +} + +is_worktime() { + if ! is_workday; then + return 1 + fi + + hour=$(date +%H) + if [ "${hour}" -lt 9 ] || { [ "${hour}" -ge 12 ] && [ "${hour}" -lt 14 ] ; } || [ "${hour}" -ge 18 ]; then + return 1 + fi +} diff --git a/autosysadmin/files/scripts/repair_amavis.sh b/autosysadmin/files/scripts/repair_amavis.sh new file mode 100644 index 00000000..5139b927 --- /dev/null +++ b/autosysadmin/files/scripts/repair_amavis.sh 
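Review bot: `is_too_soon` in functions.sh keeps its rate-limit marker at a predictable name in a world-writable directory (`witness="/tmp/autosysadmin_witness_$(basename "$0")"`) and then trusts and modifies it with `stat`, `rm` and `touch`. These scripts appear to run as root (they call tune2fs, systemctl and lxc-stop), so a file or link placed at that name by an unprivileged account can suppress every repair with 'already executed less than 30 minutes ago' or redirect the `touch`. The marker should live in a directory only root can write, for example `witness="/run/autosysadmin/witness_$(basename "$0")"` with that directory created mode 0700 in `init_autosysadmin` (the path is a suggestion). The `/run/lock/repair_*` lock files used by the callers deserve the same check, since /run/lock is typically world-writable as well. Relatedly, `mkdir -p "${LOG_DIR}"` creates the per-run dump directory under the caller's umask while `log_system_status` fills it with process, firewall and MySQL process listings; a `umask 077` before the mkdir would keep it root-only.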
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+# shellcheck source=./restart_amavis.sh
+source /usr/share/scripts/autosysadmin/restart_amavis.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_amavis:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Verify if check_nrpe are not OK
+check_nrpe "check_amavis" && log_error_exit 'check_amavis is OK, nothing to do here!'
+
+# Has it recently been run?
+get_argument "--no-delay" || is_too_soon
+
+lockfile="/run/lock/repair_amavis"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+restart_amavis
+
+hook_mail success
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_disk.sh b/autosysadmin/files/scripts/repair_disk.sh
new file mode 100644
index 00000000..fc35438c
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_disk.sh
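Review bot: In repair_amavis.sh the EXIT trap is installed before the lock is taken, so when `acquire_lock_or_exit` finds an existing lock and exits through `log_error_exit`, `cleanup` removes a lock file that belongs to the run still in progress, and a later invocation can then start alongside it. Swapping the two lines, `acquire_lock_or_exit "${lockfile}"` first and `trap 'cleanup' 0` after it, keeps the trap from firing for a lock this process never held. The same trap-then-lock order appears in repair_disk.sh, repair_elasticsearch.sh, repair_http.sh, repair_mysql.sh, repair_opendkim.sh and the repair_php_fpm*.sh scripts.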
@@ -0,0 +1,173 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_disk:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_disk" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +get_mountpoints() { + # the $(...) get the check_disk1 command + # the cut command selects the critical part of the check_disk1 output + # the grep command extracts the mountpoints and available disk space + # the last cut command selects the mountpoints + $(grep check_disk1 /etc/nagios/nrpe.d/evolix.cfg | cut -d'=' -f2-) -e | cut -d'|' -f1 | grep -Eo '/[[:graph:]]* [0-9]+ [A-Z][A-Z]' | cut -f1 -d' ' +} + +is_reserved-blocks() { + fs_type="$(findmnt -n --output=fstype "$1")" + if [ "${fs_type}" = "ext4" ]; + then + device="$(findmnt -n --output=source "$1")" + reserved_block_count="$(tune2fs -l "${device}" | grep 'Reserved block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')" + block_count="$(tune2fs -l "${device}" | grep 'Block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')" + percentage=$(awk "BEGIN { pc=100*${reserved_block_count}/${block_count}; i=int(pc); print (pc-i<0.5)?i:i+1 }") + + log "Reserved blocks for $1 is curently at $percentage%" + if [ "${percentage}" -gt "1" ] + then + log "Allowing tune2fs action to reduce the number of reserved blocks" + return 0 + else + log "Reserved blocks already at or bellow 1%, no automatic action possible" + return 1 + fi + else + log "Filesystem for $1 partition is not ext4" + + return 1 + fi +} + +change_reserved-blocks() { + # We alwasy keep some reserved blocks to avoid missing some logs + # https://gitea.evolix.org/evolix/autosysadmin/issues/22 + tune2fs -m 1 "$(findmnt -n --output=source "$1")" 
+ log_action "Reserved blocks for $1 changed to 1 percent" +} + +is_tmp_to_delete() { + size="$(find /var/log/ -type f -ctime +1 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')" + if [ -n "${size}" ] + then + return 0 + else + return 1 + fi +} + +is_log_to_delete() { + size="$(find /var/log/ -type f -mtime +365 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')" + if [ -n "${size}" ] + then + return 0 + else + return 1 + fi +} + +clean_apt_cache() { + for lxc in $(du -ax /var | sort -nr | head -n10 | grep -E '/var/lib/lxc/php[0-9]+/rootfs/var/cache$' | grep -Eo 'php[0-9]+') + do + lxc-attach --name "${lxc}" -- apt-get clean + log_action '[lxc/'"${lxc}"'] Clean apt cache' + done + case "$(du -sx /var/* | sort -rn | sed 's/^[0-9]\+[[:space:]]\+//;q')" in + '/var/cache') + apt-get clean + log_action 'Clean apt cache' + ;; + esac +} + +clean_amavis_virusmails() { + if du --inodes /var/lib/* | sort -n | tail -n3 | grep -q 'virusmails$' + then + find /var/lib/amavis/virusmails/ -type f -atime +30 -delete + log_action 'Clean /var/lib/amavis/virusmails' + fi +} + +for mountpoint in $(get_mountpoints) +do + case "${mountpoint}" in + /var) + #if is_log_to_delete + #then + # find /var/log/ -type f -mtime +365 -delete + # log_action "$size Mo of disk space freed in /var" + #fi + if is_reserved-blocks /var + then + change_reserved-blocks /var + clean_apt_cache + clean_amavis_virusmails + hook_mail success + fi + ;; + /tmp) + #if is_tmp_to_delete + #then + # find /tmp/ -type f -ctime +1 -delete + # log_action "$size Mo of disk space freed in /tmp" + #fi + if is_reserved-blocks /tmp + then + change_reserved-blocks /tmp + hook_mail success + fi + ;; + /home) + if is_reserved-blocks /home + then + change_reserved-blocks /home + hook_mail success + fi + ;; + /srv) + if is_reserved-blocks /srv + then + change_reserved-blocks /srv + hook_mail success + fi + ;; + /filer) + if is_reserved-blocks /filer + then + change_reserved-blocks /filer + hook_mail success + fi + ;; + /) + if 
is_reserved-blocks / + then + change_reserved-blocks / + hook_mail success + # Suggest remove old kernel ? + fi + ;; + *) + # unknown + log 'Unknown partition (or weird case) or nothing to do' + ;; + esac +done + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_elasticsearch.sh b/autosysadmin/files/scripts/repair_elasticsearch.sh new file mode 100644 index 00000000..3b45c6e0 --- /dev/null +++ b/autosysadmin/files/scripts/repair_elasticsearch.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_elasticsearch:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_elasticsearch" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +elasticsearch_is_enabled() { + systemd_list_units_enabled "elasticsearch.service" + +} + +elasticsearch_restart() { + if ! timeout 60 systemctl restart elasticsearch.service > /dev/null + then + log_error_exit 'failed to restart elasticsearch' + fi +} + +# Test functions +test_elasticsearch_process_present() { + pgrep -u elasticsearch > /dev/null +} + +if elasticsearch_is_enabled +then + if ! test_elasticsearch_process_present + then + log_action "Redémarrage de elasticsearch" + elasticsearch_restart + hook_mail success + else + log_error_exit "Elasticsearch process alive. Aborting" + fi +else + log_error_exit "Elasticsearch is not enabled. Aborting" +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_http.sh b/autosysadmin/files/scripts/repair_http.sh new file mode 100644 index 00000000..b1642858 --- /dev/null 
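Review bot: `get_mountpoints` in repair_disk.sh runs whatever `grep check_disk1 /etc/nagios/nrpe.d/evolix.cfg | cut -d'=' -f2-` prints as a command, unquoted. Unlike `check_nrpe` in functions.sh it neither matches on `[check_disk1]` nor drops commented `#command` lines, so a second matching line (a commented-out definition, a comment that mentions check_disk1) is word-split into the same command line. Because the result decides which filesystems get `tune2fs -m 1`, the lookup should be at least as strict as the shared helper, e.g. `grep -E '^command\[check_disk1\]=' /etc/nagios/nrpe.d/evolix.cfg | head -n1 | cut -d'=' -f2-`, and the script should stop when nothing is found instead of executing a bare `-e`. Separately, `is_tmp_to_delete` scans `/var/log/` rather than `/tmp/`, and both `is_*_to_delete` tests are always true because the awk `END` block prints a number even with no input; this is worth fixing before the commented-out deletion branches are re-enabled.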
+++ b/autosysadmin/files/scripts/repair_http.sh 
@@ -0,0 +1,141 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_http:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status + +http_detect_service() { + # check whether nginx, apache or both are supposed to be running + if is_debian_jessie; then + find /etc/rc2.d/ + else + systemctl list-unit-files --state=enabled + fi | awk '/nginx/ { nginx = 1 } /apache2/ { apache2 = 1 } END { if (nginx && apache2) { print "both" } else if (nginx) { print "nginx" } else if (apache2) { print "apache2" } }' + # The previous awk command looks for two patterns: "nginx" + # and "apache2". If a line matches the patterns, a variable + # "nginx" or "apache2" is set to 1 (true). The "END" checks + # if one or both patterns has been found. +} + +http_handle_apache() { + # check syntax + if ! apache2ctl -t > /dev/null 2> /dev/null + then + log_error_exit 'apache2 configuration syntax is not valid' + fi + + # try restart + if ! 
timeout 20 systemctl restart apache2.service > /dev/null 2> /dev/null + then + log_error_exit 'failed to restart apache2' + fi + + log_action "Redémarrage de Apache" + + internal_info "#### grep $(LANG=en_US.UTF-8 date '+%b %d') /home/*/log/error.log /var/log/apache2/*error.log (avec filtrage)" + ERROR_LOG=$(grep "$(LANG=en_US.UTF-8 date '+%b %d')" /home/*/log/error.log /var/log/apache2/*error.log | grep -v -e "Got error 'PHP message:" -e "No matching DirectoryIndex" -e "client denied by server configuration" -e "server certificate does NOT include an ID which matches the server name" ) + internal_info "$ERROR_LOG" + +} + +http_handle_nginx() { + # check syntax + if ! nginx -t > /dev/null 2> /dev/null + then + log_error_exit 'nginx configuration syntax is not valid' + fi + + # try restart + if ! timeout 20 systemctl restart nginx.service > /dev/null 2> /dev/null + then + log_error_exit 'failed to restart nginx' + fi + + log_action "Redémarrage de Nginx" +} + +http_handle_lxc_php() { + # check whether containers are used for PHP and reboot them if so + if systemd_list_units_enabled 'lxc' + then + for php in $(lxc-ls | grep 'php'); do + lxc-stop -n "$php" + lxc-start --daemon -n "$php" + log_action "lxc-fpm - Redémarrage container ${php}" + done + + fi +} + +http_handle_fpm_php() { + # check whether php-fpm is installed and restart it if so + if enabled_units="$(systemd_list_units_enabled "php.*-fpm")" + then + systemctl restart "${enabled_units}" + log_action 'php-fpm - Redémarrage de php-fpm' + fi +} + +case "$(http_detect_service)" in +nginx) + + http_handle_nginx + + http_handle_lxc_php + http_handle_fpm_php + + hook_mail success + hook_mail internal_info + ;; + +apache2) + + http_handle_apache + + http_handle_lxc_php + http_handle_fpm_php + + hook_mail success + hook_mail internal_info + ;; + +both) + + http_handle_nginx + http_handle_apache + + http_handle_lxc_php + http_handle_fpm_php + + hook_mail success + hook_mail internal_info + ;; + +*) + # unknown + log 
'nothing to do' + ;; +esac + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_mysql.sh b/autosysadmin/files/scripts/repair_mysql.sh new file mode 100644 index 00000000..f80d5af7 --- /dev/null +++ b/autosysadmin/files/scripts/repair_mysql.sh @@ -0,0 +1,71 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_mysql:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_mysql" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status + +mysql_is_enabled() { + if is_debian_jessie + then + find /etc/rc2.d/ -name '*mysql*' > /dev/null + else + systemd_list_units_enabled "mysql.service" + fi +} + +mysql_restart() { + if is_debian_jessie + then + if ! timeout 60 /etc/init.d/mysql restart > /dev/null + then + log_error_exit 'failed to restart mysql' + fi + else + if ! timeout 60 systemctl restart mysql.service > /dev/null + then + log_error_exit 'failed to restart mysql' + fi + fi +} + +# Test functions +test_mysql_process_present() { + pgrep -u mysql mysqld > /dev/null +} + +if mysql_is_enabled +then + if ! test_mysql_process_present + then + log_action "Redémarrage de MySQL" + mysql_restart + hook_mail success + else + log_error_exit "mysqld process alive. Aborting" + fi +else + log_error_exit "MySQL/MariaDB not enabled. Aborting" +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_opendkim.sh b/autosysadmin/files/scripts/repair_opendkim.sh new file mode 100644 index 00000000..f7735028 --- /dev/null +++ b/autosysadmin/files/scripts/repair_opendkim.sh 
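Review bot: `http_handle_fpm_php` in repair_http.sh passes the whole output of `systemd_list_units_enabled "php.*-fpm"` to systemctl as one quoted word, `systemctl restart "${enabled_units}"`, so on a host with more than one php-fpm unit enabled the argument contains newlines and the restart fails, yet `log_action 'php-fpm - Redémarrage de php-fpm'` is still recorded and mailed as done. Reading the names into an array (`mapfile -t units <<< "${enabled_units}"`, then `systemctl restart "${units[@]}"`) and calling `log_action` only when systemctl succeeds would fix both. The script also restarts nginx/apache without first calling `check_nrpe` the way repair_amavis.sh does; if acting while the HTTP check is green is intended, a comment should say so.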
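Review bot: On jessie, `mysql_is_enabled` in repair_mysql.sh is always true: `find /etc/rc2.d/ -name '*mysql*' > /dev/null` exits 0 whether or not anything matched, so the 'MySQL/MariaDB not enabled' branch can never be reached there and the script goes on to `mysql_restart`. Testing the output instead, `find /etc/rc2.d/ -name '*mysql*' | grep -q .`, gives the intended result. `test_mysql_process_present` also only matches a process named `mysqld` owned by user `mysql`; on MariaDB releases where the daemon is named `mariadbd` this would likely report the server as absent and restart a healthy database, so the pattern should cover both names.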
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_opendkim:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_opendkim"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+log_system_status
+
+# Functions dedicated to this repair script
+
+opendkim_is_enabled() {
+ systemd_list_units_enabled "opendkim.service"
+
+}
+
+opendkim_restart() {
+ if ! timeout 60 systemctl restart opendkim.service > /dev/null
+ then
+ log_error_exit 'failed to restart opendkim'
+ fi
+}
+
+opendkim_test_process_present() {
+ pgrep -u opendkim > /dev/null
+}
+
+
+# Main logic
+
+if opendkim_is_enabled
+then
+ if ! opendkim_test_process_present
+ then
+ log_action "Redémarrage de opendkim"
+ opendkim_restart
+ hook_mail success
+ else
+ log_error_exit "opendkim process alive. Aborting"
+ fi
+else
+ log_error_exit "opendkim is not enabled. Aborting"
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_php_fpm56.sh b/autosysadmin/files/scripts/repair_php_fpm56.sh
new file mode 100644
index 00000000..6c67e0b6
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm56.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm56:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+ if lxc-ls | grep -q php56
+ then
+ lxc-stop -n php56
+ lxc-start --daemon -n php56
+ log_action "lxc-fpm - Redémarrage container php56"
+
+ internal_info "#### tail /var/lib/lxc/php56/rootfs/var/log/php5-fpm.log"
+ FPM_LOG=$(tail /var/lib/lxc/php56/rootfs/var/log/php5-fpm.log)
+ internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+ hook_mail success
+ hook_mail internal_info
+
+ else
+ log 'Not possible :v'
+ fi
+
+else
+ log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_php_fpm70.sh b/autosysadmin/files/scripts/repair_php_fpm70.sh
new file mode 100644
index 00000000..5bf8cab2
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm70.sh
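Review bot: The `15s` wait in `acquire_lock_or_exit "${lockfile}" 15s` (repair_php_fpm56.sh) never takes effect. The helper's regex accepts the suffix, but its next step is `test "${waittime}" -gt 0`, an integer comparison that errors on `15s`, so the sleep is skipped and the script exits at once if repair_http holds `/run/lock/repair_http`. Passing a plain `15` works with the helper as written; otherwise the helper should strip the unit before comparing. The same call is made in repair_php_fpm70.sh, 73, 74, 80 and 81.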
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm70:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+ if lxc-ls | grep -q php70
+ then
+ lxc-stop -n php70
+ lxc-start --daemon -n php70
+ log_action "lxc-fpm - Redémarrage container php70"
+
+ internal_info "#### tail /var/lib/lxc/php70/rootfs/var/log/php7.0-fpm.log"
+ FPM_LOG=$(tail /var/lib/lxc/php70/rootfs/var/log/php7.0-fpm.log)
+ internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+ hook_mail success
+ hook_mail internal_info
+
+ else
+ log 'Not possible :v'
+ fi
+
+else
+ log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_php_fpm73.sh b/autosysadmin/files/scripts/repair_php_fpm73.sh
new file mode 100644
index 00000000..6b2094fd
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm73.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm73:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+ if lxc-ls | grep -q php73
+ then
+ lxc-stop -n php73
+ lxc-start --daemon -n php73
+ log_action "lxc-fpm - Redémarrage container php73"
+
+ internal_info "#### tail /var/lib/lxc/php73/rootfs/var/log/php7.3-fpm.log"
+ FPM_LOG=$(tail /var/lib/lxc/php73/rootfs/var/log/php7.3-fpm.log)
+ internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+ hook_mail success
+ hook_mail internal_info
+
+ else
+ log 'Not possible :v'
+ fi
+
+else
+ log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_php_fpm74.sh b/autosysadmin/files/scripts/repair_php_fpm74.sh
new file mode 100644
index 00000000..dab16a8a
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm74.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm74:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+ if lxc-ls | grep -q php74
+ then
+ lxc-stop -n php74
+ lxc-start --daemon -n php74
+ log_action "lxc-fpm - Redémarrage container php74"
+
+ internal_info "#### tail /var/lib/lxc/php74/rootfs/var/log/php7.4-fpm.log"
+ FPM_LOG=$(tail /var/lib/lxc/php74/rootfs/var/log/php7.4-fpm.log)
+ internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+ hook_mail success
+ hook_mail internal_info
+
+ else
+ log 'Not possible :v'
+ fi
+
+else
+ log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_php_fpm80.sh b/autosysadmin/files/scripts/repair_php_fpm80.sh
new file mode 100644
index 00000000..35b9e36c
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm80.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm80:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+ if lxc-ls | grep -q php80
+ then
+ lxc-stop -n php80
+ lxc-start --daemon -n php80
+ log_action "lxc-fpm - Redémarrage container php80"
+
+ internal_info "#### tail /var/lib/lxc/php80/rootfs/var/log/php8.0-fpm.log"
+ FPM_LOG=$(tail /var/lib/lxc/php80/rootfs/var/log/php8.0-fpm.log)
+ internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+ hook_mail success
+ hook_mail internal_info
+
+ else
+ log 'Not possible :v'
+ fi
+
+else
+ log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_php_fpm81.sh b/autosysadmin/files/scripts/repair_php_fpm81.sh
new file mode 100644
index 00000000..e567f6aa
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm81.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm81:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+ if lxc-ls | grep -q php81
+ then
+ lxc-stop -n php81
+ lxc-start --daemon -n php81
+ log_action "lxc-fpm - Redémarrage container php81"
+
+ internal_info "#### tail /var/lib/lxc/php81/rootfs/var/log/php8.1-fpm.log"
+ FPM_LOG=$(tail /var/lib/lxc/php81/rootfs/var/log/php8.1-fpm.log)
+ internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+ hook_mail success
+ hook_mail internal_info
+
+ else
+ log 'Not possible :v'
+ fi
+
+else
+ log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_php_fpm82.sh b/autosysadmin/files/scripts/repair_php_fpm82.sh
new file mode 100644
index 00000000..295abbcd
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm82.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm82:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+ if lxc-ls | grep -q php82
+ then
+ lxc-stop -n php82
+ lxc-start --daemon -n php82
+ log_action "lxc-fpm - Redémarrage container php82"
+
+ internal_info "#### tail /var/lib/lxc/php82/rootfs/var/log/php8.2-fpm.log"
+ FPM_LOG=$(tail /var/lib/lxc/php82/rootfs/var/log/php8.2-fpm.log)
+ internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+ hook_mail success
+ hook_mail internal_info
+
+ else
+ log 'Not possible :v'
+ fi
+
+else
+ log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_php_fpm83.sh b/autosysadmin/files/scripts/repair_php_fpm83.sh
new file mode 100644
index 00000000..5344c2e4
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm83.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm83:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+ if lxc-ls | grep -q php83
+ then
+ lxc-stop -n php83
+ lxc-start --daemon -n php83
+ log_action "lxc-fpm - Redémarrage container php83"
+
+ internal_info "#### tail /var/lib/lxc/php83/rootfs/var/log/php8.3-fpm.log"
+ FPM_LOG=$(tail /var/lib/lxc/php83/rootfs/var/log/php8.3-fpm.log)
+ internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+ hook_mail success
+ hook_mail internal_info
+
+ else
+ log 'Not possible :v'
+ fi
+
+else
+ log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_redis.sh b/autosysadmin/files/scripts/repair_redis.sh
new file mode 100644
index 00000000..be5cfd77
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_redis.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_redis:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_redis"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+handle_redis() {
+ for service in $(systemd_list_service_failed redis*)
+ do
+ # ne rien faire si le service est désactivé
+ if ! systemctl is-enabled --quiet "${service}"
+ then
+ continue
+ fi
+
+ # ne rien faire si le service est actif
+ if systemctl is-active --quiet "${service}"
+ then
+ continue
+ fi
+
+ if ! timeout 20 systemctl restart redis.service > /dev/null 2> /dev/null
+ then
+ log_error_exit "failed to restart redis ${service}"
+ fi
+
+ log_action "Redémarrer service ${service}"
+ done
+}
+
+if ( systemd_list_units_enabled 'redis.*\.service$' ) > /dev/null
+then
+ handle_redis
+ hook_mail success
+else
+ log 'Error: redis service is not enabled'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_template.sh b/autosysadmin/files/scripts/repair_template.sh
new file mode 100644
index 00000000..33db0aac
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_template.sh
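Review bot: Inside the loop in `handle_redis` the restart targets the fixed unit `redis.service`, while every check and message uses `${service}`, so a failed instance unit is never the one that gets restarted. The line should read `if ! timeout 20 systemctl restart "${service}" > /dev/null 2> /dev/null`. The pattern in `$(systemd_list_service_failed redis*)` is also unquoted, so the shell expands it against files in the current directory before the helper sees it; pass it as `'redis*'`.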
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+# Comment this line to enable
+repair_template=off
+test "${repair_template:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_template"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+log_system_status
+
+# Functions dedicated to this repair script
+
+template_is_enabled() {
+ systemd_list_units_enabled "template.service"
+
+}
+
+template_restart() {
+ if ! timeout 60 systemctl restart template.service > /dev/null
+ then
+ log_error_exit 'failed to restart template'
+ fi
+}
+
+template_test_process_present() {
+ pgrep -u template > /dev/null
+}
+
+
+# Main logic
+
+if template_is_enabled
+then
+ if ! template_test_process_present
+ then
+ log_action "Redémarrage de template"
+ template_restart
+ hook_mail success
+ else
+ log_error_exit "template process alive. Aborting"
+ fi
+else
+ log_error_exit "template is not enabled. Aborting"
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_tomcat_instance.sh b/autosysadmin/files/scripts/repair_tomcat_instance.sh
new file mode 100644
index 00000000..9bf9949c
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_tomcat_instance.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_tomcat_instance:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_tomcat_instance"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+
+repair_tomcat_instance_handle_tomcat() {
+
+ if /bin/su - "${1}" -c "/bin/systemctl --quiet --user is-active tomcat.service" ; then
+ if ! /bin/su - "${1}" -c "/usr/bin/timeout 20 /bin/systemctl --quiet --user restart tomcat.service"
+ then
+ log_error_exit "Echec de redémarrage instance tomcat utilisateur ${1}"
+ else
+ log_action "Redémarrage instance tomcat utilisateur ${1}"
+ fi
+ elif /bin/systemctl --quiet is-active "${1}".service ; then
+ if ! /usr/bin/timeout 20 systemctl --quiet restart "${1}".service
+ then
+ log_error_exit "Echec de redémarrage instance tomcat ${1}"
+ else
+ log_action "Redémarrage instance tomcat ${1}"
+ fi
+ fi
+
+}
+
+for instance in $( /usr/local/lib/nagios/plugins/check_tomcat_instance.sh |grep CRITICAL |awk '{print $3}' |sed '1d') ;
+do
+ repair_tomcat_instance_handle_tomcat "${instance}"
+done
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/restart_amavis.sh b/autosysadmin/files/scripts/restart_amavis.sh
new file mode 100644
index 00000000..ef8c255d
--- /dev/null
+++ b/autosysadmin/files/scripts/restart_amavis.sh
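Review bot: `${instance}` is the third field scraped from the Nagios plugin output and reaches `/bin/su - "${1}"` and `systemctl --quiet restart "${1}".service` unvalidated, in a script that nagios runs as root through sudo. Any unexpected token on a CRITICAL line would be treated as an account or unit name. Reject anything that is not a plausible instance name at the top of `repair_tomcat_instance_handle_tomcat`, for example `[[ "${1}" =~ ^[a-z0-9_-]+$ ]] || return 1` (adjust the pattern to the real naming scheme) followed by `id -u "${1}" > /dev/null 2>&1 || return 1`, and log the rejected value. Both branches also restart only when `is-active` succeeds, which looks inverted for a repair script unless CRITICAL here means running but unresponsive; a comment stating that would help.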
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+restart_amavis() {
+ /etc/init.d/amavis stop 2>/dev/null
+ /etc/init.d/clamav-freshclam stop 2>/dev/null
+ /etc/init.d/clamav-daemon stop 2>/dev/null
+
+ if systemctl is-enabled --quiet 'clamav-freshclam.service'
+ then
+ freshclam
+ log_action "Mise à jour des définitions antivirus"
+ fi
+
+ if systemctl is-enabled --quiet 'clamav-daemon.service'
+ then
+ /etc/init.d/clamav-daemon start
+ log_action "Redémarrage de clamav-daemon"
+ else
+ log 'Error, clamav not installed'
+ fi
+
+ if systemctl is-enabled --quiet 'clamav-freshclam.service'
+ then
+ /etc/init.d/clamav-freshclam start
+ log_action "Redémarrage de clamav-freshclam"
+ fi
+
+ if systemctl is-enabled --quiet 'amavis.service'
+ then
+ /etc/init.d/amavis start
+ log_action "Redémarrage de amavis"
+ else
+ log 'Error, amavis not installed'
+ fi
+}
diff --git a/autosysadmin/handlers/main.yml b/autosysadmin/handlers/main.yml
new file mode 100644
index 00000000..2c0b1a7f
--- /dev/null
+++ b/autosysadmin/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Restart nagios-nrpe-server
+ ansible.builtin.service:
+ name: nagios-nrpe-server
+ state: restarted
+
+- name: Restart nrpe
+ ansible.builtin.service:
+ name: nrpe
+ state: restarted
+
+- name: Restart rsyslog
+ ansible.builtin.service:
+ name: rsyslog
+ state: restarted
diff --git a/autosysadmin/tasks/autosysadmin_scripts.yml b/autosysadmin/tasks/autosysadmin_scripts.yml
new file mode 100644
index 00000000..4ff1c5be
--- /dev/null
+++ b/autosysadmin/tasks/autosysadmin_scripts.yml
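Review bot: `restart_amavis` in restart_amavis.sh calls `log` and `log_action`, which this file neither defines nor sources, so it only works when sourced by a script that has already loaded functions.sh (presumably repair_amavis.sh, which is not visible here). A header comment such as `# Sourced by the amavis repair script; requires functions.sh to be loaded first` would make the dependency explicit, and the shebang can go since the file only defines a function. The `log_action` calls also run whatever the init scripts return, so a failed `/etc/init.d/clamav-daemon start` is still recorded as a restart.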
@@ -0,0 +1,61 @@
+---
+- name: "Remount /usr if needed"
+ ansible.builtin.import_role:
+ name: remount-usr
+
+- name: Create autosysadmin directory
+ ansible.builtin.file:
+ path: "{{ autosysadmin_dir }}"
+ state: directory
+ owner: "root"
+ group: "root"
+ mode: "0750"
+ tags:
+ - autosysadmin
+
+- name: Copy scripts
+ ansible.builtin.copy:
+ src: "files/scripts/{{ item }}"
+ dest: "{{ autosysadmin_dir }}/{{ item }}"
+ owner: root
+ group: root
+ mode: "0750"
+ loop:
+ - "functions.sh"
+ - "restart_amavis.sh"
+ - "repair_amavis.sh"
+ - "repair_disk.sh"
+ - "repair_elasticsearch.sh"
+ - "repair_http.sh"
+ - "repair_mysql.sh"
+ - "repair_php_fpm56.sh"
+ - "repair_php_fpm70.sh"
+ - "repair_php_fpm73.sh"
+ - "repair_php_fpm74.sh"
+ - "repair_php_fpm80.sh"
+ - "repair_php_fpm81.sh"
+ - "repair_php_fpm82.sh"
+ - "repair_php_fpm83.sh"
+ - "repair_tomcat_instance.sh"
+ tags:
+ - autosysadmin
+
+- name: Ensure /etc/evolinux folder exists
+ ansible.builtin.file:
+ path: "/etc/evolinux"
+ state: directory
+ owner: "root"
+ group: "root"
+ mode: "0700"
+ tags:
+ - autosysadmin
+
+- name: Copy the configuration file
+ ansible.builtin.template:
+ src: "autosysadmin.cf.j2"
+ dest: "/etc/evolinux/autosysadmin"
+ owner: root
+ group: root
+ mode: "0640"
+ tags:
+ - autosysadmin
diff --git a/autosysadmin/tasks/dependencies.yml b/autosysadmin/tasks/dependencies.yml
new file mode 100644
index 00000000..4f120944
--- /dev/null
+++ b/autosysadmin/tasks/dependencies.yml
@@ -0,0 +1,4 @@
+---
+- name: Install gcal
+ ansible.builtin.apt:
+ name: gcal
diff --git a/autosysadmin/tasks/logrotate.yml b/autosysadmin/tasks/logrotate.yml
new file mode 100644
index 00000000..d4fe7a5c
--- /dev/null
+++ b/autosysadmin/tasks/logrotate.yml
@@ -0,0 +1,10 @@
+---
+- name: Copy logrotate configuration for autosysadmin
+ ansible.builtin.copy:
+ src: "files/logrotate_autosysadmin.conf"
+ dest: "/etc/logrotate.d/autosysadmin"
+ owner: root
+ group: root
+ mode: "0644"
+ tags:
+ - autosysadmin
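Review bot: The `Copy scripts` loop in autosysadmin_scripts.yml lists neither `repair_redis.sh` nor `repair_opendkim.sh`, although templates/autosysadmin.cfg.j2 defines NRPE commands for both and templates/sudoers.j2 grants nagios passwordless sudo on both paths. As written the role leaves sudo rules that point at files it never installs; the root-owned 0750 directory limits the exposure, but the three lists should stay identical. Add `- "repair_redis.sh"` to the loop (and `repair_opendkim.sh` if that script is part of the role, which is not visible in this part of the diff), or drop the matching command and sudoers lines.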
diff --git a/autosysadmin/tasks/main.yml b/autosysadmin/tasks/main.yml
new file mode 100644
index 00000000..60204162
--- /dev/null
+++ b/autosysadmin/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Install dependencies
+ ansible.builtin.import_tasks: dependencies.yml
+ tags:
+ - autosysadmin
+
+- name: Install autosysadmin scripts
+ ansible.builtin.import_tasks: autosysadmin_scripts.yml
+ tags:
+ - autosysadmin
+
+- name: Amend NRPE configuration
+ ansible.builtin.import_tasks: nrpe.yml
+ tags:
+ - autosysadmin
+
+- name: Amend sudo configuration
+ ansible.builtin.import_tasks: sudo.yml
+ tags:
+ - autosysadmin
+
+- name: Amend rsyslog configuration
+ ansible.builtin.import_tasks: rsyslog.yml
+ tags:
+ - autosysadmin
+
+- name: Amend logrotate configuration
+ ansible.builtin.import_tasks: logrotate.yml
+ tags:
+ - autosysadmin
+
+- name: Install last version of dump-server-state
+ ansible.builtin.import_role:
+ name: evolinux-base
+ tasks_from: dump-server-state.yml
+ tags:
+ - autosysadmin
diff --git a/autosysadmin/tasks/nrpe.yml b/autosysadmin/tasks/nrpe.yml
new file mode 100644
index 00000000..f6f5c78b
--- /dev/null
+++ b/autosysadmin/tasks/nrpe.yml
@@ -0,0 +1,11 @@
+---
+- name: Custom configuration is present
+ ansible.builtin.template:
+ src: autosysadmin.cfg.j2
+ dest: /etc/nagios/nrpe.d/autosysadmin.cfg
+ group: nagios
+ mode: "0640"
+ force: true
+ notify: Restart nagios-nrpe-server
+ tags:
+ - autosysadmin
diff --git a/autosysadmin/tasks/rsyslog.yml b/autosysadmin/tasks/rsyslog.yml
new file mode 100644
index 00000000..6f0702c5
--- /dev/null
+++ b/autosysadmin/tasks/rsyslog.yml
@@ -0,0 +1,11 @@
+---
+- name: Copy rsyslog configuration for autosysadmin
+ ansible.builtin.copy:
+ src: "files/rsyslog_autosysadmin.conf"
+ dest: "/etc/rsyslog.d/autosysadmin.conf"
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Restart rsyslog
+ tags:
+ - autosysadmin
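Review bot: The `Custom configuration is present` task in tasks/nrpe.yml sets `group` and `mode` but no `owner`, unlike the other file tasks in this role. The file maps NRPE command names to repair scripts that run as root through sudo, so its ownership should not depend on the connecting user; add `owner: root`. `force: true` is the template module's default and can be dropped.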
diff --git a/autosysadmin/tasks/sudo.yml b/autosysadmin/tasks/sudo.yml
new file mode 100644
index 00000000..24249ab7
--- /dev/null
+++ b/autosysadmin/tasks/sudo.yml
@@ -0,0 +1,9 @@
+---
+- name: Add autosysadmin sudoers file
+ ansible.builtin.template:
+ src: sudoers.j2
+ dest: /etc/sudoers.d/autosysadmin
+ mode: "0600"
+ validate: "visudo -cf %s"
+ tags:
+ - autosysadmin
diff --git a/autosysadmin/templates/autosysadmin.cf.j2 b/autosysadmin/templates/autosysadmin.cf.j2
new file mode 100644
index 00000000..0be506c2
--- /dev/null
+++ b/autosysadmin/templates/autosysadmin.cf.j2
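Review bot: The sudoers drop-in in tasks/sudo.yml is written with `mode: "0600"` and no `owner` or `group`. sudo ignores sudoers files that are not owned by root, and the conventional mode for files under /etc/sudoers.d is 0440, so state all three explicitly: `owner: root`, `group: root`, `mode: "0440"`. The `validate: "visudo -cf %s"` check should stay as it is.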
@@ -0,0 +1,74 @@
+#
+# Ansible managed - DO NOT MODIFY, your changes will be **overwritten** !
+#
+# Update the hosts_vars/group_vars on the autosysadmin project
+# https://gitea.evolix.org/evolix/autosysadmin/src/branch/master
+#
+
+# Configuration for autosysadmin
+# Use this file to change configuration values defined in repair scripts
+# Ex : repair_http=off
+
+{% if repair_amavis == "off" %}
+repair_amavis=off
+{% endif %}
+
+{% if repair_disk == "off" %}
+repair_disk=off
+{% endif %}
+
+{% if repair_elasticsearch == "off" %}
+repair_elasticsearch=off
+{% endif %}
+
+{% if repair_http == "off" %}
+repair_http=off
+{% endif %}
+
+{% if repair_mysql == "off" %}
+repair_mysql=off
+{% endif %}
+
+{% if repair_opendkim == "off" %}
+repair_opendkim=off
+{% endif %}
+
+{% if repair_php_fpm56 == "off" %}
+repair_php_fpm56=off
+{% endif %}
+
+{% if repair_php_fpm70 == "off" %}
+repair_php_fpm70=off
+{% endif %}
+
+{% if repair_php_fpm73 == "off" %}
+repair_php_fpm73=off
+{% endif %}
+
+{% if repair_php_fpm74 == "off" %}
+repair_php_fpm74=off
+{% endif %}
+
+{% if repair_php_fpm80 == "off" %}
+repair_php_fpm80=off
+{% endif %}
+
+{% if repair_php_fpm81 == "off" %}
+repair_php_fpm81=off
+{% endif %}
+
+{% if repair_php_fpm82 == "off" %}
+repair_php_fpm82=off
+{% endif %}
+
+{% if repair_php_fpm83 == "off" %}
+repair_php_fpm83=off
+{% endif %}
+
+{% if repair_redis == "off" %}
+repair_redis=off
+{% endif %}
+
+{% if repair_tomcat_instance == "off" %}
+repair_tomcat_instance=off
+{% endif %}
diff --git a/autosysadmin/templates/autosysadmin.cfg.j2 b/autosysadmin/templates/autosysadmin.cfg.j2
new file mode 100644
index 00000000..fa6fcfd2
--- /dev/null
+++ b/autosysadmin/templates/autosysadmin.cfg.j2
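Review bot: Each block in autosysadmin.cf.j2 writes a line only when the variable equals the string "off", so a value of 'on' produces no output at all. The repair scripts visible in this commit test `${repair_xxx:=off}`, which treats an absent setting as off; unless `load_conf` or functions.sh supplies other defaults (not shown here), setting `repair_redis: 'on'` in the inventory cannot enable the script. The comparison is fragile in the other direction too: an unquoted YAML `off` is a boolean, fails `== "off"`, and the repair stays enabled when the operator meant to disable it. Emitting the value unconditionally avoids both, e.g. `repair_redis={{ 'on' if repair_redis in [true, 'on'] else 'off' }}`.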
@@ -0,0 +1,22 @@
+#
+# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
+#
+
+# Autosysadmin repair commands
+command[repair_amavis]=sudo {{ autosysadmin_dir }}/repair_amavis.sh
+command[repair_disk]=sudo {{ autosysadmin_dir }}/repair_disk.sh
+command[repair_elasticsearch]=sudo {{ autosysadmin_dir }}/repair_elasticsearch.sh
+command[repair_http]=sudo {{ autosysadmin_dir }}/repair_http.sh
+command[repair_mysql]=sudo {{ autosysadmin_dir }}/repair_mysql.sh
+command[repair_opendkim]=sudo {{ autosysadmin_dir }}/repair_opendkim.sh
+command[repair_php_fpm56]=sudo {{ autosysadmin_dir }}/repair_php_fpm56.sh
+command[repair_php_fpm70]=sudo {{ autosysadmin_dir }}/repair_php_fpm70.sh
+command[repair_php_fpm73]=sudo {{ autosysadmin_dir }}/repair_php_fpm73.sh
+command[repair_php_fpm74]=sudo {{ autosysadmin_dir }}/repair_php_fpm74.sh
+command[repair_php_fpm80]=sudo {{ autosysadmin_dir }}/repair_php_fpm80.sh
+command[repair_php_fpm81]=sudo {{ autosysadmin_dir }}/repair_php_fpm81.sh
+command[repair_php_fpm82]=sudo {{ autosysadmin_dir }}/repair_php_fpm82.sh
+command[repair_php_fpm83]=sudo {{ autosysadmin_dir }}/repair_php_fpm83.sh
+command[repair_redis]=sudo {{ autosysadmin_dir }}/repair_redis.sh
+command[repair_tomcat_instance]=sudo {{ autosysadmin_dir }}/repair_tomcat_instance.sh
+
diff --git a/autosysadmin/templates/sudoers.j2 b/autosysadmin/templates/sudoers.j2
new file mode 100644
index 00000000..0a458292
--- /dev/null
+++ b/autosysadmin/templates/sudoers.j2
@@ -0,0 +1,21 @@
+#
+# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
+#
+
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_amavis.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_disk.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_elasticsearch.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_http.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_mysql.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_opendkim.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm56.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm70.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm73.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm74.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm80.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm81.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm82.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm83.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_redis.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_tomcat_instance.sh
+
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index f92fa90b..bf56d6de 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -235,3 +235,6 @@ evolinux_motd_include: True # Utils evolinux_utils_include: True + +# Autosysadmin +evolinux_autosysadmin_include: false
diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml
index 582bcfe0..d482981a 100644
--- a/evolinux-base/tasks/main.yml
+++ b/evolinux-base/tasks/main.yml
@@ -127,6 +127,11 @@ name: evolix/nagios-nrpe when: evolinux_nagios_nrpe_include | bool +- name: Autosysadmin + ansible.builtin.include_role: + name: 'evolix/autosysadmin' + when: evolinux_autosysadmin_include | bool + - name: fail2ban ansible.builtin.include_role: name: evolix/fail2ban
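Review bot: Every rule in sudoers.j2 names the script without an argument specification, so nagios may pass arbitrary arguments to a script that runs as root. The repair scripts shown in this commit read only `$0`, so each rule can be pinned to the no-argument form by appending an empty string, e.g. `nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_http.sh ""`. That keeps the grant limited to exactly what the NRPE command definitions invoke.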