From e718156f86e6c0bf992613018e85c5d032c1d68f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 10:19:35 +0200 Subject: [PATCH 01/13] fix CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c58739a5..227adc5e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker: Allow "live-restore" to be toggled with docker_conf_live_restore * evocheck: upstream release 22.06 +* minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner ## [22.05.1] 2022-05-12 From b9f0e0d06187ddae97ba5aa840eaa0fe30bf7cf9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:09:38 +0200 Subject: [PATCH 02/13] Log BEGIN/END of main action --- mysql/files/evomariabackup.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index dd46a9ec..85b32168 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -417,6 +417,10 @@ post_backup_hook() { } main() { + if ! is_quiet; then + log_info "BEGIN evomariabackup" + fi + kill_or_clean_lockfile "${lock_file}" # shellcheck disable=SC2064 trap "rm -f ${lock_file};" 0 @@ -437,6 +441,10 @@ main() { if [ -n "${post_backup_hook}" ]; then post_backup_hook fi + + if ! is_quiet; then + log_info "END evomariabackup" + fi } # Declare variables From 8753f598235eaf45c86853315aead23981aa8c63 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:12:47 +0200 Subject: [PATCH 03/13] mysql: fix comment for evomariabackup --- mysql/files/evomariabackup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 85b32168..6e3bbe72 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh 
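Review bot: The new `END evomariabackup` line is only reached on the success path of main(): the phases it calls terminate the script with `exit 1` on error (as the `exit 1` calls elsewhere in this file show), so a failed run logs BEGIN but never END and a log reader cannot tell an aborted run from one still in progress. Emitting the END line from the EXIT trap that main() already installs would cover both outcomes, e.g. `trap 'rm -f "${lock_file}"; is_quiet || log_info "END evomariabackup"' 0` (single quotes defer the expansion and make the `SC2064` disable unnecessary, since lock_file is a global that is not reassigned afterwards). The body of main() continues outside the hunk.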
@@ -38,7 +38,7 @@ Options Example usage for a backup then compress : # /usr/local/bin/evomariabackup --verbose \ --backup-dir /backup/mariabackup/current \ - --compress-file /backup/mariabackup/compressed/$(date +%H).tgz \ + --compress-file /backup/mariabackup/compressed/$(date +\%H).tgz \ --log-file /var/log/evomariabackup.log max-age possible values: From 3e4c851c3e5c51c78060ae3718c3d3174aa2c69f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:13:36 +0200 Subject: [PATCH 04/13] mysql: match default value to documentation, in evomariabackup --- mysql/files/evomariabackup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 6e3bbe72..37343f0f 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -651,7 +651,7 @@ done lock_file="${lock_file:-/run/lock/evomariabackup.lock}" verbose=${verbose:-0} quiet=${quiet:-0} -max_age="${max_age:-86400}" +max_age="${max_age:-1d}" do_backup="${do_backup:-1}" do_dircheck="${do_dircheck:-0}" do_compress="${do_compress:-0}" From 6c7108a35aa6e2616bb209c950ca35675eb9cda4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:14:09 +0200 Subject: [PATCH 05/13] mysql: add --force-unlock option to evomariabackup --- mysql/files/evomariabackup.sh | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 37343f0f..f91c24b0 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -32,6 +32,7 @@ Options --quiet Ouput only the most critical information --lock-file Specify which lock file to use (default: /run/lock/mariabackup.lock) --max-age Lock file is ignored if older than this (default: 1d) + --force-unlock If a lock is present, do as if it has expired -h|--help|-? Display help -V|--version Display version, authors and license 
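Review bot: The new default `max_age="${max_age:-1d}"` is consumed by is_lock_file_too_old, which compares it with `test "$(lock_file_age)" -ge "${max_age}"` (visible as context in the next patch); `test -ge` accepts integers only, so unless `--max-age` values are normalised to seconds somewhere outside these hunks, the default `1d` makes the test fail with an error, the lock never counts as expired and every later run defers to a stale lock ("has precedence"). If such a conversion exists, the default must go through it too; otherwise keep the integer default and show `1d` only in the help text. The `max-age possible values:` help section suggests a parser is intended, so please confirm which applies.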
@@ -152,6 +153,9 @@ lock_file_age() { echo "${created_at}" } +is_force_unlock() { + test "${force_unlock}" = "1" +} is_lock_file_too_old() { test "$(lock_file_age)" -ge "${max_age}" } @@ -168,13 +172,20 @@ kill_or_clean_lockfile() { log_debug "Found process with pid ${pid}" lock_file_created_at_human=$(date --date "@$(lock_file_created_at)" +"%Y-%m-%d %H:%M:%S") - if is_lock_file_too_old ; then + if is_lock_file_too_old || is_force_unlock ; then # Kill the children pkill -9 --parent "${pid}" # Kill the parent kill -9 "${pid}" # Only one process can run in parallel - log_warning "Process \`${pid}' (started at ${lock_file_created_at_human}) has been killed by \`$$'" + if is_lock_file_too_old; then + unlock_reason="lock is older than ${max_age}" + elif is_force_unlock; then + unlock_reason="--force-unlock was used" + else + unlock_reason="unknown reason" + fi + log_warning "Process \`${pid}' (started at ${lock_file_created_at_human}) has been killed by \`$$' (${unlock_reason})." else log_info "Process \`${pid}' (started at ${lock_file_created_at_human}) has precedence. Let's leave it work." # make sure that this exit doesn't remove the existing lockfile !! @@ -454,6 +465,7 @@ log_file="" verbose="" quiet="" max_age="" +force_unlock="" do_backup="" backup_dir="" do_dircheck="" @@ -576,6 +588,10 @@ while :; do log_fatal '"--lock-file" requires a non-empty option argument.' ;; + --force-unlock) + force_unlock=1 + ;; + --log-file) # with value separated by space if [ -n "$2" ]; then @@ -652,6 +668,7 @@ lock_file="${lock_file:-/run/lock/evomariabackup.lock}" verbose=${verbose:-0} quiet=${quiet:-0} max_age="${max_age:-1d}" +force_unlock=${force_unlock:-0} do_backup="${do_backup:-1}" do_dircheck="${do_dircheck:-0}" do_compress="${do_compress:-0}" From 36b11c4455634a607e9d18b31fbf17ab479b3669 Mon Sep 17 00:00:00 2001 
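Review bot: With `--force-unlock`, kill_or_clean_lockfile sends `kill -9` to the pid read from the lock file (and `pkill -9 --parent` to its children) without any check in the hunk that the pid still belongs to an evomariabackup run; a stale lock whose pid has since been reused would take down an unrelated process, and SIGKILL also prevents the killed run's own EXIT trap from removing its lock and letting mariabackup stop cleanly. This risk existed for expired locks already, but an operator-triggered force makes it routine, so confirming the process identity first (comparing `ps -o comm= -p "${pid}"` or the contents of `/proc/${pid}/cmdline` with the script name) and sending TERM before falling back to KILL would be prudent. The `else unlock_reason="unknown reason"` branch is unreachable because the outer `if` already tested the same two conditions. The function's start is outside the hunk.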
From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:26:13 +0200 Subject: [PATCH 06/13] evolinux-base: improve dir-check logging --- evolinux-base/files/dir-check.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index 9d586cef..f5c8944b 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -131,7 +131,9 @@ check_data() { # subshell to scope the commands to "parent_dir" "${checksum_bin}" --status --check "${checksum_file}" last_rc=$? - if [ ${last_rc} -ne 0 ]; then + if [ ${last_rc} -eq 0 ]; then + log_debug "Verification succeeded with checksum file \`${checksum_file}' (inside \`${parent_dir}')." + else log_error "Verification failed with checksum file \`${checksum_file}' (inside \`${parent_dir}')." exit 1 fi @@ -146,8 +148,10 @@ check_data() { if [ -f "${file}" ]; then actual_size=$($(data_command) "${file}" | cut -f1) - if [ "${actual_size}" != "${expected_size}" ]; then - log_error "File \`${file}' has actual size of ${actual_size} instead of ${expected_size}." + if [ "${actual_size}" = "${expected_size}" ]; then + log_debug "File \`${file}' has a consistent size of ${actual_size}." + else + log_error "File \`${file}' has an actual size of ${actual_size} instead of ${expected_size}." rc=1 fi else @@ -157,6 +161,8 @@ check_data() { done < "${data_file}" if [ ${rc} -eq 0 ]; then log_info "Directory \`${final_dir}' is consistent with data stored in \`${data_file}' (inside \`${parent_dir}')." + else + log_error "Directory \`${final_dir}' is not consistent with data stored in \`${data_file}' (inside \`${parent_dir}')." fi else log_fatal "Couldn't find data file \`${data_file}' (inside \`${parent_dir}')." From c4023a4f496e714879137b8020caec515eba7773 Mon Sep 17 00:00:00 2001 
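Review bot: In check_data, the new `else` branch after the directory consistency check only logs `is not consistent` and relies on `rc=1` having been set by the size loop, whereas a checksum failure a few lines above terminates with `exit 1`; the hunk shows no `exit` or `return "${rc}"` after the new log_error, so unless the caller (outside this hunk) inspects `rc`, an inconsistent directory is reported but the script still succeeds. Suggest `exit 1` after the new log_error, or `return ${rc}` at the end of check_data, so both integrity failures have the same effect. The reworked test `if [ ${last_rc} -eq 0 ]; then` also keeps the unquoted expansion; `if [ "${last_rc}" -eq 0 ]; then` is safer. check_data ends outside the hunk.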
From: "William Hirigoyen (Evolix)" Date: Fri, 3 Jun 2022 14:32:32 +0200 Subject: [PATCH 07/13] =?UTF-8?q?D=C3=A9tecte=20automatiquement=20si=20le?= =?UTF-8?q?=20serveur=20est=20baremetal=20pour=20installer=20les=20outils?= =?UTF-8?q?=20hw,=20suppression=20de=20la=20variable=20evolinux=5Fpackages?= =?UTF-8?q?=5Fhardware=20inutile?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evolinux-base/defaults/main.yml | 3 +-- evolinux-base/tasks/packages.yml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 9debc8ab..6f28fd5e 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -77,7 +77,6 @@ evolinux_packages_include: True evolinux_packages_system: True evolinux_packages_diagnostic: True -evolinux_packages_hardware: True evolinux_packages_hardware_raid: True evolinux_packages_common: True evolinux_packages_stretch: True @@ -223,4 +222,4 @@ evolinux_generateldif_include: True evolinux_cron_checkhpraid_frequency: daily # Motd -evolinux_motd_include: True \ No newline at end of file +evolinux_motd_include: True diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index f4eafc6c..b4a1d666 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -44,7 +44,7 @@ - hdparm - smartmontools - lm-sensors - when: evolinux_packages_hardware | bool + when: ansible_virtualization_role == "host" - name: Install/Update common tools apt: From 6d0e49ba9015821948c87a6e50797f2cf5e38ccc Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 5 Jun 2022 21:48:01 +0200 Subject: [PATCH 08/13] mysql: reorganize evomariabackup to use mtree instead of our own dir-check --- CHANGELOG.md | 2 + mysql/files/evomariabackup.sh | 155 +++++++++++++++++++++------------- 2 files changed, 99 insertions(+), 58 deletions(-) 
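Review bot: `when: ansible_virtualization_role == "host"` raises an undefined-variable error when facts are not gathered, and Ansible can report the role as `NA` on physical machines where no hypervisor capability is detected, so the hardware tools would silently not be installed there; with `evolinux_packages_hardware` removed from defaults in the same commit, there is no longer any manual override either. Suggest `when: ansible_virtualization_role | default('') == "host"` and consider keeping an explicit override variable whose default is that expression, so that bare-metal hosts misdetected by fact gathering can still be forced.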
diff --git a/CHANGELOG.md b/CHANGELOG.md index 227adc5e..b7393a42 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* mysql: reorganize evomariabackup to use mtree instead of our own dir-check + ### Fixed ### Removed diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index f91c24b0..6aac0f05 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -20,12 +20,18 @@ show_help() { cat < "${lock_file}" - log_debug "Lock file '${lock_file}' has been created" + log_debug "Lock file \`${lock_file}' has been created" else - log_fatal "Failed to acquire lock file '${lock_file}'. Abort." + log_fatal "Failed to acquire lock file \`${lock_file}'. Abort." exit 1 fi } 
@@ -222,30 +229,30 @@ check_backup_dir() { if [ -d "${backup_dir:?}" ]; then if [ "$(ls -A "${backup_dir:?}")" ]; then if is_mariabackup_directory "${backup_dir:?}"; then - log_debug "The backup directory ${backup_dir:?} is not empty but looks like a mariabackup target. Let's clear it." + log_debug "The backup directory \`${backup_dir:?}' is not empty but looks like a mariabackup target. Let's clear it." rm -rf "${backup_dir:?}" else - log_fatal "The backup directory ${backup_dir:?} is not empty and doesn't look like a mariabackup target. Please verify and clear the directory if you are sure." + log_fatal "The backup directory \`${backup_dir:?}' is not empty and doesn't look like a mariabackup target. Please verify and clear the directory if you are sure." exit 1 fi else - log_debug "The backup directory ${backup_dir:?} exists but is empty. Let's proceed." + log_debug "The backup directory \`${backup_dir:?}' exists but is empty. Let's proceed." fi else - log_debug "The backup directory ${backup_dir:?} doesn't exist. Let's proceed." + log_debug "The backup directory \`${backup_dir:?}' doesn't exist. Let's proceed." fi mkdir -p "${backup_dir:?}" } check_compress_dir() { if [ -d "${compress_dir:?}" ]; then - log_debug "The compress_dir directory ${compress_dir:?} exists. Let's proceed." + log_debug "The compress_dir directory \`${compress_dir:?}' exists. Let's proceed." else - log_debug "The compress_dir directory ${compress_dir:?} doesn't exist. Let's proceed." + log_debug "The compress_dir directory \`${compress_dir:?}' doesn't exist. Let's proceed." fi mkdir -p "${compress_dir:?}" } -backup() { +backup_phase() { if [ -z "${backup_dir}" ]; then log_fatal "backup-dir option is empty" else 
@@ -254,7 +261,7 @@ backup() { mariabackup_bin=$(command -v mariabackup) if [ -z "${mariabackup_bin}" ]; then - log_fatal "Couldn't find mariabackup.\nUse 'apt install mariadb-backup'." + log_fatal "Couldn't find mariabackup.\nYou can install it with 'apt install mariadb-backup'." exit 1 fi 
@@ -312,46 +319,44 @@ backup() { log_info "END mariabackup prepare phase" fi } -list_files_with_size() { - path=$1 - find "${path}" -type f -exec du --bytes {} \; | sort -k2 -} -dircheck_prepare() { +mtree_phase() { if [ -z "${backup_dir}" ]; then log_fatal "backup-dir option is empty" exit 1 elif [ -e "${backup_dir}" ] && [ ! -d "${backup_dir}" ]; then - log_fatal "backup directory '${backup_dir}' exists but is not a directory" + log_fatal "backup directory \`${backup_dir}' exists but is not a directory" exit 1 fi - dircheck_cmd="dir-check" - dircheck_bin=$(command -v ${dircheck_cmd}) - if [ -z "${dircheck_bin}" ]; then - log_fatal "Couldn't find ${dircheck_cmd}." + if [ -z "${mtree_file}" ]; then + mtree_file="${backup_dir}.mtree" + fi + + mtree_cmd="mtree" + mtree_bin=$(command -v ${mtree_cmd}) + if [ -z "${mtree_bin}" ]; then + log_fatal "Couldn't find ${mtree_cmd}.\nYou can install it with 'apt install mtree-netbsd'." exit 1 fi backup_parent_dir=$(dirname "${backup_dir}") backup_final_dir=$(basename "${backup_dir}") - log_info "BEGIN dir-check phase" - cwd=${PWD} - cd "${backup_parent_dir}" || log_fatal "Impossible to change to ${backup_parent_dir}" + log_info "BEGIN mtree phase" + log_debug "Store mtree specification of \`${backup_dir}' to \`${mtree_file}' using \`${mtree_bin}'" - "${dircheck_bin}" --prepare --dir "${backup_final_dir}" + "${mtree_bin}" -x -c -p "${backup_dir}" > "${mtree_file}" - cd ${cwd} || log_fatal "Impossible to change back to ${cwd}" - log_info "END dir-check phase" + log_info "END mtree phase" } -compress() { +compress_phase() { compress_dir=$(dirname "${compress_file}") if [ -z "${backup_dir}" ]; then log_fatal "backup-dir option is empty" exit 1 elif [ -e "${backup_dir}" ] && [ ! -d "${backup_dir}" ]; then - log_fatal "backup directory '${backup_dir}' exists but is not a directory" + log_fatal "backup directory \`${backup_dir}' exists but is not a directory" exit 1 fi if [ -z "${compress_file}" ]; then 
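Review bot: The exit status of `"${mtree_bin}" -x -c -p "${backup_dir}" > "${mtree_file}"` is not checked, so a failing mtree run (unreadable file, full disk) leaves an empty or truncated specification behind and mtree_phase still logs `END mtree phase`, unlike compress_phase which tests `tar_rc`. Suggest `if ! "${mtree_bin}" -x -c -p "${backup_dir}" > "${mtree_file}"; then`, `log_fatal "An error occurred while writing mtree specification \`${mtree_file}'"; exit 1`, `fi`. Also, without `-K`, mtree's default keyword set records metadata (size, mode, owner, times) but no content digest, so a later verification against this spec cannot detect bit-rot or a same-size modification of a backup file; adding a digest keyword such as `-K sha256` (check the exact keyword name supported by the installed mtree-netbsd) costs one extra read of the backup.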
@@ -370,13 +375,13 @@ compress() { elif [ -n "${gzip_bin}" ]; then compress_program="${gzip_bin} -6" else - log_fatal "Couldn't find pigz nor gzip.\nUse 'apt install pigz' or 'apt install gzip'." + log_fatal "Couldn't find pigz nor gzip.\nYou can install it with 'apt install pigz' or 'apt install gzip'." exit 1 fi if ! is_quiet; then log_info "BEGIN compression phase" - log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'" + log_debug "Compression of \`${backup_dir}' to \`${compress_file}' using \`${compress_program}'" fi if is_quiet || ! is_verbose ; then tar --use-compress-program="${compress_program}" -cf "${compress_file}" "${backup_dir}" >/dev/null 2>&1 @@ -392,13 +397,13 @@ compress() { fi if [ ${tar_rc} -ne 0 ]; then - log_fatal "An error occured while compressing ${backup_dir} to ${compress_file}" + log_fatal "An error occured while compressing \`${backup_dir}' to \`${compress_file}'" exit 1 elif ! is_quiet; then log_info "END compression phase" fi } -post_backup_hook() { +post_backup_hook_phase() { if [ -x "${post_backup_hook}" ]; then if ! is_quiet; then @@ -438,19 +443,19 @@ main() { new_lock_file "${lock_file}" if [ "${do_backup}" = "1" ] && [ -n "${backup_dir}" ]; then - backup + backup_phase fi - if [ "${do_dircheck}" = "1" ] && [ -n "${backup_dir}" ]; then - dircheck_prepare + if [ "${do_mtree}" = "1" ] && [ -n "${backup_dir}" ]; then + mtree_phase fi if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then - compress + compress_phase fi if [ -n "${post_backup_hook}" ]; then - post_backup_hook + post_backup_hook_phase fi if ! is_quiet; then @@ -468,7 +473,8 @@ max_age="" force_unlock="" do_backup="" backup_dir="" -do_dircheck="" +do_mtree="" +mtree_file="" do_compress="" compress_file="" post_backup_hook="" 
@@ -530,14 +536,6 @@ while :; do log_fatal '"--backup-dir" requires a non-empty option argument.' ;; - --dir-check) - do_dircheck=1 - ;; - - --no-dir-check) - do_dircheck=0 - ;; - --compress) do_compress=1 ;; @@ -570,6 +568,38 @@ while :; do log_fatal '"--compress-file" requires a non-empty option argument.' ;; + --mtree) + do_mtree=1 + ;; + + --no-mtree) + do_mtree=0 + ;; + + --mtree-file) + # with value separated by space + if [ -n "$2" ]; then + mtree_file="$2" + if [ -z "${do_mtree}" ]; then + do_mtree=1 + fi + shift + else + log_fatal '"--mtree-file" requires a non-empty option argument.' + fi + ;; + --mtree-file=?*) + # with value speparated by = + mtree_file=${1#*=} + if [ -z "${do_mtree}" ]; then + do_mtree=1 + fi + ;; + --mtree-file=) + # without value + log_fatal '"--mtree-file" requires a non-empty option argument.' + ;; + --lock-file) # with value separated by space if [ -n "$2" ]; then @@ -647,7 +677,7 @@ while :; do if tty -s; then printf 'Unknown option : %s\n' "$1" >&2 echo "" >&2 - show_usage >&2 + show_help >&2 exit 1 else log_fatal 'Unknown option : %s\n' "$1" >&2 @@ -669,8 +699,17 @@ verbose=${verbose:-0} quiet=${quiet:-0} max_age="${max_age:-1d}" force_unlock=${force_unlock:-0} -do_backup="${do_backup:-1}" -do_dircheck="${do_dircheck:-0}" -do_compress="${do_compress:-0}" +# Enable backup phase if not disabled and backup_dir is set +if [ -z "${do_backup}" ] && [ -n "${backup_dir}" ]; then + do_backup="1" +fi +# Enable mtree phase if not disabled and mtree_file is set +if [ -z "${do_mtree}" ] && [ -n "${mtree_file}" ]; then + do_mtree="1" +fi +# Enable compress phase if not disabled and compress_file is set +if [ -z "${do_compress}" ] && [ -n "${compress_file}" ]; then + do_compress="1" +fi main \ No newline at end of file From 56c2c19d613da54a07a03882701b3ee470b7c29b Mon Sep 17 00:00:00 2001 
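Review bot: The comment on the new `--mtree-file=?*` arm has a typo: `# with value speparated by =` should read `# with value separated by =`. The three `--mtree-file` arms otherwise mirror the existing `--compress-file` handling, which keeps the option parser consistent.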
From: Jeremy Lecour Date: Sun, 5 Jun 2022 21:49:23 +0200 Subject: [PATCH 09/13] evomariabackup: release 22.06.1 --- CHANGELOG.md | 1 + mysql/files/evomariabackup.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7393a42..f2388301 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* mysql: evomariabackup release 22.06.1 * mysql: reorganize evomariabackup to use mtree instead of our own dir-check ### Fixed diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 6aac0f05..df8a3884 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -1,6 +1,6 @@ #!/bin/sh -VERSION="22.06" +VERSION="22.06.1" show_version() { cat < Date: Mon, 6 Jun 2022 14:42:22 +0200 Subject: [PATCH 10/13] minifirewall: upstream release 22.06 --- CHANGELOG.md | 1 + minifirewall/files/minifirewall | 18 +++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2388301..069514cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* minifirewall: upstream release 22.06 * mysql: evomariabackup release 22.06.1 * mysql: reorganize evomariabackup to use mtree instead of our own dir-check diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall index 7dae5787..4beeaf7d 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/files/minifirewall @@ -29,7 +29,7 @@ # Description: Firewall designed for standalone server ### END INIT INFO -VERSION="22.05" +VERSION="22.06" NAME="minifirewall" # shellcheck disable=SC2034 
@@ -121,6 +121,7 @@ if [ -t 1 ]; then # see if it supports colors... ncolors=$(tput colors) + # shellcheck disable=SC2086 if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then RED=$(tput setaf 1) GREEN=$(tput setaf 2) @@ -363,6 +364,7 @@ start() { if [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "1" ] || [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "0" ]; then echo "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS" "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" >&2 exit 1 @@ -370,6 +372,7 @@ start() { if [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "1" ] || [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "0" ]; then echo "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES" "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" >&2 exit 1 @@ -379,6 +382,11 @@ start() { for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}" done + if is_ipv6_enabled; then + for proc_sys_file in /proc/sys/net/ipv6/conf/*/accept_source_route; do + echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}" + done + fi else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ACCEPT_SOURCE_ROUTE" "${SYSCTL_ACCEPT_SOURCE_ROUTE}" >&2 exit 1 @@ -386,6 +394,7 @@ start() { if [ "${SYSCTL_TCP_SYNCOOKIES}" = "1" ] || [ "${SYSCTL_TCP_SYNCOOKIES}" = "0" ]; then echo "${SYSCTL_TCP_SYNCOOKIES}" > /proc/sys/net/ipv4/tcp_syncookies + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_TCP_SYNCOOKIES" "${SYSCTL_TCP_SYNCOOKIES}" >&2 exit 1 
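Review bot: The added `# shellcheck disable=SC2086` silences the warning about the unquoted `${ncolors}` instead of fixing it; quoting is shorter and keeps the test well-formed when `tput colors` prints nothing or more than one word: `if [ -n "${ncolors}" ] && [ "${ncolors}" -ge 8 ]; then`.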
@@ -398,6 +407,11 @@ start() { for proc_sys_file in /proc/sys/net/ipv4/conf/*/send_redirects; do echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}" done + if is_ipv6_enabled; then + for proc_sys_file in /proc/sys/net/ipv6/conf/*/accept_redirects; do + echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}" + done + fi else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_REDIRECTS" "${SYSCTL_ICMP_REDIRECTS}" >&2 exit 1 @@ -407,6 +421,7 @@ start() { for proc_sys_file in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "${SYSCTL_RP_FILTER}" > "${proc_sys_file}" done + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_RP_FILTER" "${SYSCTL_RP_FILTER}" >&2 exit 1 @@ -416,6 +431,7 @@ start() { for proc_sys_file in /proc/sys/net/ipv4/conf/*/log_martians; do echo "${SYSCTL_LOG_MARTIANS}" > "${proc_sys_file}" done + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_LOG_MARTIANS" "${SYSCTL_LOG_MARTIANS}" >&2 exit 1 From 16cdd6b3260a49a7b8423f586c754653d5df14ea Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 6 Jun 2022 14:43:18 +0200 Subject: [PATCH 11/13] evolinux-base: dir-check makes a file named after the reference directory --- evolinux-base/files/dir-check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index f5c8944b..d127632d 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -189,7 +189,7 @@ main() { parent_dir=$(dirname "${dir}") final_dir=$(basename "${dir}") - data_file="${PROGNAME}.db" + data_file="${final_dir}.${PROGNAME}.db" checksum_file="${data_file}.${checksum_cmd}" cwd=${PWD} From 3d70438f7e22e01e478ba9b9fa7ef59145905005 Mon Sep 17 00:00:00 2001 
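Review bot: The new IPv6 loop under SYSCTL_ICMP_REDIRECTS writes `accept_redirects`, while the IPv4 loop it mirrors writes `send_redirects`; those knobs have opposite roles (emitting versus honouring redirects), so the single toggle now means different things per address family. If the IPv4 `accept_redirects` files are handled by an earlier loop outside this hunk, a comment making the asymmetry deliberate would help, e.g. `# IPv6 has no send_redirects sysctl; apply the toggle to accept_redirects instead`; otherwise the IPv4 `accept_redirects` files should receive the same value so both families end up with equivalent protection. start() continues outside the hunk.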
From: Jeremy Lecour Date: Mon, 6 Jun 2022 15:05:59 +0200 Subject: [PATCH 12/13] evocheck: upstream release 22.06.1 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 37 ++++++++++++++++++++++--------------- 2 files changed, 23 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 069514cd..86fccbe2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: upstream release 22.06.1 * minifirewall: upstream release 22.06 * mysql: evomariabackup release 22.06.1 * mysql: reorganize evomariabackup to use mtree instead of our own dir-check diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 6bba06c1..5b1afb09 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.06" +VERSION="22.06.1" readonly VERSION # base functions @@ -236,11 +236,11 @@ check_debiansecurity() { if is_debian_bullseye; then # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive # https://www.debian.org/security/ - pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main" + pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main" elif is_debian_buster; then - pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main" + pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main" elif is_debian_stretch; then - pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main" + pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main" else pattern="^deb.*security" fi 
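Review bot: In the three new `pattern=` lines the optional source options are matched with `\[.*\]`; `.*` is greedy and also matches `]`, so the pattern accepts a line where the bracket group spans unrelated text before the security URL. Bounding it to one bracket group, `^deb ?(\[[^]]*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main` (and likewise for buster and stretch), keeps the intended leniency without that. Since any option is now accepted, consider a follow-up check that the security source does not carry `trusted=yes`, which disables signature verification for that entry.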
@@ -363,7 +363,7 @@ check_alert5minifw() { } check_minifw() { /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ - || failed "IS_MINIFW" "minifirewall seems not starded" + || failed "IS_MINIFW" "minifirewall seems not started" } check_minifw_includes() { if is_debian_bullseye; then @@ -742,12 +742,13 @@ check_backupuptodate() { backup_dir="/home/backup" if [ -d "${backup_dir}" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then - # shellcheck disable=SC2231 - for file in ${backup_dir}/*; do + # Look for all files, including subdirectories. + # If this turns out to be problematic, we can go back to first level only, with --max-depth=1 + find "${backup_dir}" -type f | while read -r file; do limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" "$file") - if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then + if [ "$limit" -gt "$updated_at" ]; then failed "IS_BACKUPUPTODATE" "$file has not been backed up" test "${VERBOSE}" = 1 || break; fi 
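Review bot: The rewritten loop in check_backupuptodate is the right-hand side of a pipe from `find`, so it runs in a subshell: if `failed` records the result in a shell variable (which the script's overall exit status would need), that update is discarded when the pipe ends, and `break` only leaves the subshell loop. If the script runs under bash, `done < <(find "${backup_dir}" -type f)` keeps the loop in the current shell; otherwise write the file list to a temporary file and redirect from it. Independently, `limit=$(date +"%s" -d "now - 2 day")` is recomputed for every file and can be hoisted above the loop, and on GNU find the whole walk can be reduced to `find "${backup_dir}" -type f ! -newermt "2 days ago"` which avoids a `stat` fork per file in large backup trees. The function ends outside the hunk.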
@@ -1217,14 +1218,20 @@ check_usrsharescripts() { test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" } check_sshpermitrootno() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if grep -q "^PermitRoot" /etc/ssh/sshd_config; then - grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ - || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no" - fi + sshd_args="-C addr=,user=,host=,laddr=,lport=0" + if is_debian_jessie || is_debian_stretch; then + # Noop, we'll use the default $sshd_args + : + elif is_debian_buster; then + sshd_args="${sshd_args},rdomain=" else - grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ - || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no" + # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument + # -T doesn't require the additional -C. + sshd_args= + fi + # XXX: We want parameter expension here + if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then + failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" fi } check_evomaintenanceusers() { From 1895c549d4eac89c82a300761f73cfc5fb35efab Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 6 Jun 2022 15:07:10 +0200 Subject: [PATCH 13/13] Release 22.06.1 --- CHANGELOG.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86fccbe2..7033e693 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,17 +14,21 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evocheck: upstream release 22.06.1 -* minifirewall: upstream release 22.06 -* mysql: evomariabackup release 22.06.1 -* mysql: reorganize evomariabackup to use mtree instead of our own dir-check - ### Fixed ### Removed ### Security +## [22.06.1] 2022-06-06 + +### Changed + +* evocheck: upstream release 22.06.1 +* minifirewall: upstream release 22.06 +* mysql: evomariabackup release 22.06.1 +* mysql: reorganize evomariabackup to use mtree instead of our own dir-check + ## [22.06] 2022-06-03 ### Added