From 936ab9cbe68ebda48939d6646b06ecd368208566 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 18 Jun 2019 17:45:15 +0200 Subject: [PATCH 01/14] Fix condition check mistakes in templates --- webapps/evoadmin-web/templates/web-add.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-web/templates/web-add.conf.j2 b/webapps/evoadmin-web/templates/web-add.conf.j2 index b3362fbe..4bc41ad8 100644 --- a/webapps/evoadmin-web/templates/web-add.conf.j2 +++ b/webapps/evoadmin-web/templates/web-add.conf.j2 @@ -1,5 +1,5 @@ CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}" WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}" -{% if evoadmin_multi_php == "True" %} +{% if evoadmin_multi_php == True %} PHP_VERSIONS=(56 70 73) {% endif %} From b6d53bfae97ca64754d946465c50f5892f65197a Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 18 Jun 2019 18:19:45 +0200 Subject: [PATCH 02/14] Add lxc-php README file --- lxc-php/README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 lxc-php/README.md diff --git a/lxc-php/README.md b/lxc-php/README.md new file mode 100644 index 00000000..bb7475d9 --- /dev/null +++ b/lxc-php/README.md 
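Review bot: The new condition `{% if evoadmin_multi_php == True %}` in web-add.conf.j2 is only true for a real boolean, so a value that arrives as a string (for example from `-e evoadmin_multi_php=True` or an INI inventory) silently drops the `PHP_VERSIONS` line. Casting accepts both forms: `{% if evoadmin_multi_php | bool %}`. The same comparison is added in PATCH 04/14 as `when: evoadmin_multi_php == True` in webapps/evoadmin-web/tasks/web.yml, where `when: evoadmin_multi_php | bool` would keep the task and the template in agreement.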
@@ -0,0 +1,23 @@ +# lxc-php + +Create LXC containers and install all the required PHP packages as a way to use multiple PHP version on Debian. + +*note : this role depend on the lxc role.* + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +As this role depend on the lxc role, please refer to it for a variable exhaustive list. + +Here is the list of available variables for the PHP part: + +* `php_conf_short_open_tag` Default: `"Off"` +* `php_conf_expose_php` Default: `"Off"` +* `php_conf_display_errors` Default: `"Off"` +* `php_conf_log_errors` Default: `"On"` +* `php_conf_html_errors` Default: `"Off"` +* `php_conf_allow_url_fopen` Default: `"Off"` +* `php_conf_disable_functions` Default: `"exec,shell-exec,system,passthru,putenv,popen"` From 0401c01f36e01de400433f109f83f7c5b7eee615 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Wed, 19 Jun 2019 17:59:42 +0200 Subject: [PATCH 03/14] Add restart apache2 handler --- webapps/evoadmin-web/handlers/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/webapps/evoadmin-web/handlers/main.yml b/webapps/evoadmin-web/handlers/main.yml index edb3404e..669b0553 100644 --- a/webapps/evoadmin-web/handlers/main.yml +++ b/webapps/evoadmin-web/handlers/main.yml @@ -5,5 +5,10 @@ name: apache2 state: reloaded +- name: restart apache2 + service: + name: apache2 + state: restarted + - name: newaliases command: newaliases From 93e2c81fb2b77f5ea51d1e27e280fc7b14613beb Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Wed, 19 Jun 2019 18:00:19 +0200 Subject: [PATCH 04/14] Add proxy_fcgi activation for multi php --- webapps/evoadmin-web/tasks/web.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index d8405f8f..7cd79b96 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml 
@@ -46,3 +46,10 @@ owner: evoadmin group: evoadmin force: no + +- name: Enable proxy_fcgi + apache2_module: + state: present + name: proxy_fcgi + notify: restart apache2 + when: evoadmin_multi_php == True From a8ef97fcde61e2b3abcb9c3a80d2db6b619f04e3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jun 2019 15:12:00 +0200 Subject: [PATCH 05/14] Revert "evolinux-base: install "spectre-meltdown-checker" (Debian 9 and later)" This reverts commit 65414d8ae748de19c9bcb7df79518f4ac0ba7481. --- CHANGELOG.md | 1 - evolinux-base/tasks/packages.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index adfc4355..dce1ae48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,6 @@ The **patch** part changes incrementally at each release. * apache: add server status suffix in VHost (and default site) if missing * apt: add a script to manage packages with "hold" mark * etc-git: gitignore /etc/letsencrypt/.certbot.lock -* evolinux-base: install "spectre-meltdown-checker" (Debian 9 and later) * evomaintenance: make hooks configurable * nginx: add server status suffix in VHost (and default site) if missing * redmine: enable gzip compression in nginx vhost diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index aab2f6da..c510bab5 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -91,7 +91,6 @@ name: "{{ item }}" with_items: - net-tools - - spectre-meltdown-checker when: - evolinux_packages_stretch - ansible_distribution_major_version | version_compare('9', '>=') From 49d90fff094a8f290628dc89f2bfb17b03c64f6f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 20 Jun 2019 17:29:23 +0200 Subject: [PATCH 06/14] apache: add a variable to customize the server-status host --- CHANGELOG.md | 1 + apache/defaults/main.yml | 2 ++ apache/tasks/server_status.yml | 5 +++-- 3 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index dce1ae48..560dc89d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added * apache: add server status suffix in VHost (and default site) if missing +* apache: add a variable to customize the server-status host * apt: add a script to manage packages with "hold" mark * etc-git: gitignore /etc/letsencrypt/.certbot.lock * evomaintenance: make hooks configurable diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index ffc74b4e..15ff1a53 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -19,3 +19,5 @@ apache_munin_include: True general_alert_email: "root@localhost" log2mail_alert_email: Null + +apache_serverstatus_host: 127.0.0.1 diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 6497966b..1d6cd8df 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -62,7 +62,8 @@ - name: apache-status URL is configured for Munin lineinfile: dest: /etc/munin/plugin-conf.d/munin-node - line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto" - regexp: "env.url http://127.0.0.1/server-status" + line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto" + regexp: 'env.url http://[^\\/]+/server-status' insertafter: "[apache_*]" create: no + notify: restart munin-node From ce12e32375438c1304cb688cbf8e6d48e87b300d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 09:42:02 +0200 Subject: [PATCH 07/14] evocheck : update from upstream --- CHANGELOG.md | 3 ++- evocheck/files/evocheck.sh | 48 ++++++++++++++++++++++++++------------ 2 files changed, 35 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 560dc89d..8f12bf19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
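Review bot: The `notify: restart munin-node` added to the lineinfile task in apache/tasks/server_status.yml names a handler that this patch does not add, and no handler file of the apache role is touched here. If the role does not already define it, the play fails as soon as this task reports a change, so please confirm the handler exists or add it in the same commit. Separately, once `apache_serverstatus_host` is set to anything other than the 127.0.0.1 default, Munin fetches `server-status` over plain HTTP from that host. The new default in apache/defaults/main.yml deserves a comment such as `# host Munin uses to reach server-status; must be permitted by the server-status access rules`.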
@@ -15,12 +15,13 @@ The **patch** part changes incrementally at each release. * apache: add a variable to customize the server-status host * apt: add a script to manage packages with "hold" mark * etc-git: gitignore /etc/letsencrypt/.certbot.lock +* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later) * evomaintenance: make hooks configurable * nginx: add server status suffix in VHost (and default site) if missing * redmine: enable gzip compression in nginx vhost ### Changed -* evocheck : version 19.04 from upstream +* evocheck : update (unreleased) from upstream * evomaintenance : use the web API instead of PG Insert * rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5 * redmine: update default version to 4.0.3 diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 6e9985f2..9fba8154 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -315,7 +315,7 @@ check_nrpeperms() { } check_minifwperms() { if [ -f "$MINIFW_FILE" ]; then - actual=$(stat --format "%a" $MINIFW_FILE) + actual=$(stat --format "%a" "$MINIFW_FILE") expected="600" test "$expected" = "$actual" || failed "IS_MINIFWPERMS" fi @@ -386,7 +386,7 @@ check_raidsoft() { } # Verification du LogFormat de AWStats check_awstatslogformat() { - if is_installed apache2.2-common awstats; then + if is_installed apache2 awstats; then grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \ || failed "IS_AWSTATSLOGFORMAT" fi 
@@ -531,20 +531,30 @@ check_userlogrotate() { } # Verification de la syntaxe de la conf d'Apache check_apachectl() { - if is_installed apache2.2-common; then + if is_installed apache2; then /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL" fi } # Check if there is regular files in Apache sites-enabled. check_apachesymlink() { - if is_installed apache2.2-common; then - stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK" + if is_installed apache2; then + apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print) + nbApacheFind=$(wc -m <<< "$apacheFind") + if [[ $nbApacheFind -gt 1 ]]; then + if [[ $VERBOSE == 1 ]]; then + while read -r line; do + failed "IS_APACHESYMLINK" "Not a symlink: $line" + done <<< "$apacheFind" + else + failed "IS_APACHESYMLINK" + fi + fi fi } # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). check_apacheipinallow() { # Note: Replace "exit 1" by "print" in Perl code to debug it. - if is_installed apache2.2-common; then + if is_installed apache2; then grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ | grep -iv "from all" \ | grep -iv "env=" \ @@ -559,7 +569,7 @@ check_muninapacheconf() { else muninconf="/etc/apache2/conf-available/munin.conf" fi - if is_installed apache2.2-common; then + if is_installed apache2; then test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF" fi } 
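Review bot: In check_apachesymlink the emptiness test `nbApacheFind=$(wc -m <<< "$apacheFind")` followed by `[[ $nbApacheFind -gt 1 ]]` is correct only because the here-string appends a newline to an empty result, which is easy to break in a later edit. `if [ -n "$apacheFind" ]; then` states the intent directly and removes the extra variable. In the `find` call, `! -type l` is redundant next to `-type f`, since find does not follow symlinks unless asked to. As the commit syncs this file from upstream, the cleanup would belong there first.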
@@ -881,12 +891,19 @@ check_mysqlmunin() { } check_mysqlnrpe() { if is_debian_stretch && is_installed mariadb-server; then - nagios_file="~nagios/.my.cnf" - { test -f $nagios_file \ - && [ "$(stat -c %U $nagios_file)" = "nagios" ] \ - && [ "$(stat -c %a $nagios_file)" = "600" ] \ - && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file"; - } || failed "IS_MYSQLNRPE" + nagios_home=$(getent passwd "nagios" | cut -d: -f6) + nagios_file_abs="${nagios_home}/.my.cnf" + nagios_file_sym="~nagios/.my.cnf" + + if ! test -f $nagios_file_abs; then + failed "IS_MYSQLNRPE" "$nagios_file_abs is missing" + elif [ "$(stat -c %U $nagios_file_abs)" != "nagios" ] \ + || [ "$(stat -c %a $nagios_file_abs)" != "600" ]; then + failed "IS_MYSQLNRPE" "$nagios_file_abs has wrong permissions" + else + grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file_sym" /etc/nagios/nrpe.d/evolix.cfg \ + || failed "IS_MYSQLNRPE" "check_mysql is missing" + fi fi } check_phpevolinuxconf() { @@ -1102,7 +1119,7 @@ check_evobackup_incs() { if is_installed bkctld; then bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} if [ -f "${bkctld_cron_file}" ]; then - root_crontab=$(grep -v "^#" ${bkctld_cron_file}) + root_crontab=$(grep -v "^#" "${bkctld_cron_file}") echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" else 
@@ -1158,7 +1175,7 @@ main() { test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers - test "${IS_DISKPERF:=1}" = 1 && check_diskperf + test "${IS_DISKPERF:=0}" = 1 && check_diskperf test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw @@ -1396,4 +1413,5 @@ while :; do shift done +# shellcheck disable=SC2086 main ${ARGS} From c2500827e19ad831565040ba48db2c31d7e0dca7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:18:54 +0200 Subject: [PATCH 08/14] tags and whitespaces --- apt/tasks/backports.yml | 10 ++++++---- apt/tasks/basics.yml | 12 +++++++----- apt/tasks/config.yml | 22 ++++++++++++++++------ apt/tasks/evolix_public.yml | 6 ++++-- apt/tasks/hold_packages.yml | 14 ++++++++++++++ apt/tasks/main.yml | 14 +++++++------- 6 files changed, 54 insertions(+), 24 deletions(-) diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml index 6acf8114..3f95300c 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.yml @@ -5,7 +5,7 @@ regexp: "backports" state: absent tags: - - apt + - apt - name: Backports sources list is installed template: @@ -15,7 +15,7 @@ mode: "0640" register: apt_backports_list tags: - - apt + - apt - name: Backports configuration copy: @@ -25,7 +25,7 @@ mode: "0640" register: apt_backports_config tags: - - apt + - apt - name: Archived backport are accepted (jessie) lineinfile: @@ -34,10 +34,12 @@ create: yes state: present when: ansible_distribution_release == "jessie" + tags: + - apt - name: Apt update apt: update_cache: yes when: apt_backports_list | changed or apt_backports_config | changed tags: - - apt + - apt diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index f615c030..2c736aa9 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml 
@@ -8,21 +8,23 @@ force: yes register: apt_basic_list tags: - - apt + - apt - name: Clean GANDI sources.list.d/debian-security.list file: path: '{{ item }}' state: absent with_items: - - /etc/apt/sources.list.d/debian-security.list - - /etc/apt/sources.list.d/debian-stretch.list - - /etc/apt/sources.list.d/debian-update.list + - /etc/apt/sources.list.d/debian-security.list + - /etc/apt/sources.list.d/debian-stretch.list + - /etc/apt/sources.list.d/debian-update.list when: apt_clean_gandi_sourceslist + tags: + - apt - name: Apt update apt: update_cache: yes when: apt_basic_list | changed tags: - - apt + - apt diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 264e8dd7..988aac7a 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -9,9 +9,11 @@ state: present mode: "0640" with_items: - - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } - - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } + - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } + - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } when: apt_evolinux_config + tags: + - apt - name: DPkg invoke hooks lineinfile: 
@@ -21,24 +23,32 @@ state: present mode: "0640" with_items: - - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" - - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" - - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" - - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" + - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" + - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" + - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" + - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" when: apt_hooks + tags: + - apt - name: Remove Aptitude apt: name: aptitude state: absent when: apt_remove_aptitude + tags: + - apt - name: Updating APT cache apt: update_cache: yes changed_when: False + tags: + - apt - name: Upgrading system apt: upgrade: dist when: apt_upgrade + tags: + - apt diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index b1db38ab..3e00a602 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -12,6 +12,8 @@ apt_key: #url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D data: "{{ lookup('file', 'reg.gpg') }}" + tags: + - apt - name: Evolix public list is installed template: @@ -21,11 +23,11 @@ mode: "0640" register: apt_evolix_public tags: - - apt + - apt - name: Apt update apt: update_cache: yes when: apt_evolix_public | changed tags: - - apt + - apt diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 0939335b..b44a1581 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml 
@@ -5,6 +5,8 @@ register: apt_mark changed_when: "'{{ item }} set on hold.' in apt_mark.stdout" with_items: "{{ apt_hold_packages }}" + tags: + - apt - name: "hold packages (config)" lineinfile: @@ -13,12 +15,16 @@ create: True state: present with_items: "{{ apt_hold_packages }}" + tags: + - apt - name: "unhold packages (apt)" shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}" register: apt_mark changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout" with_items: "{{ apt_unhold_packages }}" + tags: + - apt - name: "unhold packages (config)" lineinfile: @@ -27,6 +33,8 @@ create: True state: absent with_items: "{{ apt_unhold_packages }}" + tags: + - apt - name: /usr/share/scripts exists file: @@ -35,6 +43,8 @@ owner: root group: root state: directory + tags: + - apt - name: Check scripts is installed copy: @@ -42,6 +52,8 @@ dest: /usr/share/scripts/check_held_packages.sh force: yes mode: "0755" + tags: + - apt - name: Check for held packages (script) cron: @@ -55,3 +67,5 @@ day: "{{ apt_check_hold_cron_day }}" month: "{{ apt_check_hold_cron_month }}" state: "present" + tags: + - apt diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index b02e779f..bb531d4e 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml 
@@ -4,36 +4,36 @@ fail: msg: only compatible with Debian >= 8 when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') tags: - - apt + - apt - name: Custom configuration include: config.yml when: apt_config tags: - - apt + - apt - name: Install basics repositories include: basics.yml when: apt_install_basics tags: - - apt + - apt - name: Install APT Backports repository include: backports.yml when: apt_install_backports tags: - - apt + - apt - name: Install Evolix Public APT repository include: evolix_public.yml when: apt_install_evolix_public tags: - - apt + - apt - name: Install check for packages marked hold include: hold_packages.yml when: apt_install_hold_packages tags: - - apt + - apt From 84207912240aff0a967a3d915d0a8a66848d7de8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:29:18 +0200 Subject: [PATCH 09/14] fluentd: store gpg key locally --- CHANGELOG.md | 1 + fluentd/files/fluentd.gpg | 53 +++++++++++++++++++++++++++++++++++++++ fluentd/tasks/main.yml | 3 ++- 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 fluentd/files/fluentd.gpg diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f12bf19..b64b465b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. ### Changed * evocheck : update (unreleased) from upstream * evomaintenance : use the web API instead of PG Insert +* fluentd: store gpg key locally * rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5 * redmine: update default version to 4.0.3 * nagios-nrpe: change required status code for http and https check diff --git a/fluentd/files/fluentd.gpg b/fluentd/files/fluentd.gpg new file mode 100644 index 00000000..7a998316 --- /dev/null +++ b/fluentd/files/fluentd.gpg 
@@ -0,0 +1,53 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBFhiI8wBEADThWLNd8IKPRw7Ygu3DHS4Sb/Yc6vSZSaMGJ6Wkj245jScvI+C +nG4C4rtO/8ObUj5cUpb4CyfYZX8W4tp9x+W68c4paXevG4s+X4EE3uUsgdwTnFXi +GMa57QDzR4p/JvjUjfGJ2UAr4Bfj8Q2S54LmIu6UAe82ce2B4tEHCeYSxkmVUDAZ +utfmgKoVTbnceTemU0m5ANS6IC1/53KEhgB1sKm5G/FjRJGslHWb3mf+bLrhmlkP +pA4BOKF2w3eFYH3LhWskxMS0SPM7J6aq+6LyNNqtlKL6lUS7qVjRQ6PlgFcmtG4J +tijsZI62bDn1f44DmeLY+LMS/nM0xyIx94lYumGH5EYmjUECagqMool98/+Wx79A +Thtg/1pYNzo8Z76qr0i3xLSRtsQ2Om2Rfal7VGadOrx4sqlkSaUaGI+hBc1r4tNy +tERvBEMGSf78bWDbdzxSNEW4LUDUpniNQb0DrURfWkqRa3q4WcTJr8lpQM/NmAru +owayAXQwKob+OIZ09/O69EaqVJ9MqsM3keQouSHShKvzNrppuo3D3z+Dpy05FsYw +MAiIN7auXxy+XQwCVsKF083YaDHcC0I22GReEgt43yZXQ/b/J9QNrm5nJ+3Cpso3 +jJnMzubuniSOOdd3mXQ6MwgZvWgtH/nPF8oUX9VSGwqNohiKWcxQDxW7qQARAQAB +tFRUcmVhc3VyZSBEYXRhLCBJbmMgKFRyZWFzdXJlIEFnZW50IE9mZmljaWFsIFNp +Z25pbmcga2V5KSA8c3VwcG9ydEB0cmVhc3VyZS1kYXRhLmNvbT6JAjcEEwEIACEF +AlhiI8wCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQkB+Rd6uXrL5GrhAA +nh82+caSu9Qu/LW256gN5UjPUFhph66ElT1OVyAR2FoOmz2pJH3t8YYD5cUV2W6/ +xqJDmjl+vnL2HBgxjHKRCo2K3hrq6z4LoU7SpWDI1cZ03lkjh1yNx13S+9JvZNlp +jit0WRIspke0n0vWSpNo4nh19Yg3EA1c+vGeHnmlYo6xwRHu6XOhhCwywtFRGC3a +iMJzAV4N69ZU6P5VZZkC6LjYYQtF4aI10COLZ4AcObH2htGAZTj2KlZfdJHmr+Oa +wY57giUYz7OF45LLCuqe+VwpGp2d3UK/MtCnXRLi5InMVJKDvyt18MzRDFuyA27e +WSt+JumVqhEjawh3hmdzIS1cHKmv19gdeE8On2i2Lf8lyek8fsB/YPgADAmp2oSe +cjLu0ocGbgxRjuCR29+6IG+DiUDFCkqFZNdLiGVqzjpjpYHaPhVe77ciwA8TCPru +3dh5t/qv2HglSd7lj95IApZBtny5AK8NS4qtaOeZbBbbDRuOPL0c7fU3bqyIPy57 +zvdYi3KdjWZVCawcAmk3ILP83eFSivCRPRoyCqO+HX8U647BBWvlFuEbPa+Y1sgE +12MEF/Y6VVJh3Ptw+h/qKRbra4LdA+5Y30q/9l6WGgbO/4h3NKmGeVCrAFvS3h92 +fS0ABYD1nAP7fSNS9RfYIqfBXtJem+tJ14YKJwWiAYW5Ag0EWGIjzAEQAMw5EMJu +RBFRdhXD5UeA7I7wwkql/iYof8ydUALBxh9NSpmwaACkb4Me6h/rHdVsPRO3vIoo +uXftSjkRk2frjziihfEdeYxYU5PPawZxwCRDInr/OLZmcCCA2yCkRnFBhZxQy8NW +iJz0tlJtohhuJ7NRK7+HVJ3rPrtoV1lZVricDrB7DdVySp+7VciEM/XQhKKlesyd +gYXic4fx7xvPS6hRmH/fNVdvFobIhQBNUuPfKJeKpeJqPHeqkCNRz1Kl6NW9XXBq 
+hNyAlC7SPdKmjsv4UVIcFLUXP5wv7nprtEh15LoDlJCvFEF/iDJzaWI3QeVqY8XS +EI77WNsA/w7nlVNO3lGOPMjW8cxn4Jd2s4lpNa/e+RfrG/PD+ODSS92ISkuihBIU +Z2XeFa1xjQ1ayint4lVe3FGWTBJjqK8qX3JaOVeUD0AlSWqFcJzI7KxfNtVZCOaZ +WL/PVG124A118AUMFEWfb3r2Le8ddl+AKFP5Etsb+00VEWL06VPDampJIHanGjyX +h3dZkzORO3l3dt/P6embimic2QDOmO5x+wESnD8spITPKDl9OuqebCB8Z2oShnnG ++xhKDl045UFCPMVOXLb4kHonBmN2wBT/GIh4qqZj/7mm6r4P194HzN8LQuZsloJs +A6tnEpEmSe33xBDfGAeS0eNxFiATGwAcCRyRABEBAAGJAh8EGAEIAAkFAlhiI8wC +GwwACgkQkB+Rd6uXrL559w/9GfoTxZS+VJQsQc1inW9YKZaWl99Hd4u8CGhE057S +zvzMnIH6fcgib3m+TelevplSEN1QN1GGTvn95n8JQ8RX36xy8SQVzrPIlO4gXGAF +J1uHmSp3SSplrwKIBQk3MORrfbTg78CN9527GCQHih8+qgB3IYe23NhsKLre3mbZ +h9NAWOeMsBF0jG0c0Cu3/F8muY2XSTqENB8R263YJsQSC3qaiaq9TtstisOe/HWK +yQix2Hofg3H96dZXsqbQEvxgyema+A6ptCm7S66eSYoPPeXQaraTsz6nLlVtvhSD +kll2axjAK4NDbSjJuZI/54CkO+FB00bkXDxPFgnfDPWgvPMF1cBuuX0QN1BO8n4C +eA9zyBBdTw9bbzO1kRdeBHLa7n845ecVbEh15Hvtf20/CJB9ua+qRlcXtgxhUf3+ +pm/xbAM22z/F3+RsLwGOG8T0Vy2q//VVqLxSFlawiZW9RkClKyV6A1KH0EA6W84d +GcxiDgwrBHd+d40s3VDE/Wlmj0w73xeebEaXCmaTO/Hp5DIA64LfXHB2ckvwv15I +ISQV2g55+ghnwaD/02uGCGpJl0zJgQ+PKvrFAz+wIUqrQJxXP4epqWycmzG98T7g +pi20lwzO87S6b1GIL9t6Q/Zge8bbB7lG5mBR2U5XyGhfHXGaHTb6nQQYh3hCet8G +5Ow= +=Me4L +-----END PGP PUBLIC KEY BLOCK----- diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 118b78b0..41c532d1 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -2,7 +2,8 @@ - name: Fluentd GPG key is installed apt_key: - url: https://packages.treasuredata.com/GPG-KEY-td-agent + # url: https://packages.treasuredata.com/GPG-KEY-td-agent + data: "{{ lookup('file', 'fluentd.gpg') }}" tags: - packages - fluentd From 1e28210834ab39c908fb72c264072f5c732dbc7e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:36:32 +0200 Subject: [PATCH 10/14] whitespaces and syntax --- lxc/tasks/main.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index c606a02c..11d267c5 100644 
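Review bot: The switch to `data: "{{ lookup('file', 'fluentd.gpg') }}"` in fluentd/tasks/main.yml pins the repository key in the role, but nothing in the commit lets a reader check that the armored block in fluentd/files/fluentd.gpg is the intended td-agent signing key. Recording the fingerprint beside the task, for example `# fingerprint: <EXPECTED_FINGERPRINT>, fetched from the URL below on <DATE>`, would make a swapped or stale key file visible in review. Passing it as `id: <EXPECTED_KEY_ID>` would also let apt_key check for that specific key. Note that apt_key adds the key to APT's global trust store, so it is trusted for every configured repository, not only the Fluentd one.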
--- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -3,9 +3,9 @@ apt: name: '{{ item }}' with_items: - - lxc - - debootstrap - - xz-utils + - lxc + - debootstrap + - xz-utils - name: Copy LXC default containers configuration template: @@ -21,8 +21,13 @@ - name: Add subuid and subgid ranges to root command: usermod -v 100000-199999 -w 100000-109999 root - when: lxc_unprivilegied_containers and root_subuids.rc + when: + - lxc_unprivilegied_containers + - root_subuids.rc - name: Create containers - include: "create-container.yml name={{item.name}} release={{item.release}}" + include: create-container.yml + vars: + name: "{{ item.name }}" + release: "{{item.release}}" with_items: "{{lxc_containers}}" From bb0189e5a4be8ab7b3062d2febf679ed05cc8e47 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:43:20 +0200 Subject: [PATCH 11/14] rbenv: install Ruby 2.6.3 by default --- CHANGELOG.md | 2 +- rbenv/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b64b465b..7b7350c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,7 +24,7 @@ The **patch** part changes incrementally at each release. * evocheck : update (unreleased) from upstream * evomaintenance : use the web API instead of PG Insert * fluentd: store gpg key locally -* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5 +* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3 * redmine: update default version to 4.0.3 * nagios-nrpe: change required status code for http and https check * redmine: use custom errors-pages in Nginx vhost diff --git a/rbenv/defaults/main.yml b/rbenv/defaults/main.yml index 2c0ecd28..533834cd 100644 --- a/rbenv/defaults/main.yml +++ b/rbenv/defaults/main.yml @@ -1,6 +1,6 @@ --- rbenv_version: v1.1.2 -rbenv_ruby_version: 2.5.5 +rbenv_ruby_version: 2.6.3 rbenv_root: "~/.rbenv" rbenv_repo: "https://github.com/rbenv/rbenv.git" rbenv_plugins: 
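Review bot: In the rewritten `Create containers` task, the include passes a variable called `name` through `vars:`, which collides with the task keyword of the same name. Ansible versions that check for reserved variable names print a warning for it, and it makes create-container.yml harder to read. A role-prefixed pair such as `lxc_container_name: "{{ item.name }}"` and `lxc_container_release: "{{ item.release }}"` avoids that, at the cost of renaming the variables inside create-container.yml, which is not shown here. The spacing of `"{{item.release}}"` and `"{{lxc_containers}}"` could also follow the `"{{ item.name }}"` form used on the line above.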
From 39d0167408122ecc960707ecbe20b6963ec453bd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:46:08 +0200 Subject: [PATCH 12/14] Release 9.10.0 --- CHANGELOG.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b7350c4..bf20de3e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,16 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +### Added + +### Changed + +### Fixed + +### Security + +## [9.10.0] - 2019-06-21 + ### Added * apache: add server status suffix in VHost (and default site) if missing * apache: add a variable to customize the server-status host @@ -41,8 +51,6 @@ The **patch** part changes incrementally at each release. * evolinux-users: Validate sshd config with "-t" instead of "-T" * nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-* -### Security - ## [9.9.0] - 2019-04-16 ### Added From a5ee2771cacc59776b32761f3371cfc8e8e5e733 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 14:35:59 +0200 Subject: [PATCH 13/14] evocheck : update (version 19.06) from upstream --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 29 ++++++++++++++++------------- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf20de3e..83d13b6d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added ### Changed +* evocheck : update (version 19.06) from upstream ### Fixed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 9fba8154..857b7919 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh 
@@ -891,17 +891,15 @@ check_mysqlmunin() { } check_mysqlnrpe() { if is_debian_stretch && is_installed mariadb-server; then - nagios_home=$(getent passwd "nagios" | cut -d: -f6) - nagios_file_abs="${nagios_home}/.my.cnf" - nagios_file_sym="~nagios/.my.cnf" + nagios_file=~nagios/.my.cnf - if ! test -f $nagios_file_abs; then - failed "IS_MYSQLNRPE" "$nagios_file_abs is missing" - elif [ "$(stat -c %U $nagios_file_abs)" != "nagios" ] \ - || [ "$(stat -c %a $nagios_file_abs)" != "600" ]; then - failed "IS_MYSQLNRPE" "$nagios_file_abs has wrong permissions" + if ! test -f ${nagios_file}; then + failed "IS_MYSQLNRPE" "${nagios_file} is missing" + elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ + || [ "$(stat -c %a ${nagios_file})" != "600" ]; then + failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" else - grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file_sym" /etc/nagios/nrpe.d/evolix.cfg \ + grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ || failed "IS_MYSQLNRPE" "check_mysql is missing" fi fi @@ -1095,9 +1093,7 @@ check_evomaintenanceconf() { && grep "^FULLFROM" $f | grep -qv "John Doe " \ && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ - && grep "^REALM" $f | grep -qv "example.com" \ - && grep "^API_ENDPOINT" $f | grep -qv "https://example.com/api/" \ - && grep "^API_KEY" $f | grep -qv "secretkey"; + && grep "^REALM" $f | grep -qv "example.com" } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" else failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" @@ -1128,6 +1124,12 @@ check_evobackup_incs() { fi } +check_osprober() { + if is_installed os-prober qemu-kvm; then + failed "IS_OSPROBER" "Removal of os-prober package is recommended as it can cause serious issue on KVM server" + fi +} + main() { # Default return code : 0 = no error RC=0 
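Review bot: The rewritten grep in check_mysqlnrpe matches only the prefix `command[check_mysql]=/usr/lib/nagios/plugins/check_mysql`, so the check no longer confirms that NRPE reads its credentials from the file whose owner and 600 mode are verified just above. A check_mysql command that passes the password on its command line would now pass IS_MYSQLNRPE. If the `-f` part was dropped to tolerate other hosts or options, a second test keeps the link to the file: `grep -F "command[check_mysql]=" /etc/nagios/nrpe.d/evolix.cfg | grep -q -F -- "-f ~nagios/.my.cnf" || failed "IS_MYSQLNRPE" "check_mysql does not use ~nagios/.my.cnf"`. Also, `nagios_file=~nagios/.my.cnf` stays a literal `~nagios/...` path when the account does not exist, and `${nagios_file}` is unquoted in `test` and `stat`. Since the file is synced from upstream, the change would belong there first.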
@@ -1248,6 +1250,7 @@ main() { test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs + test "${IS_OSPROBER:=1}" = 1 && check_osprober fi #----------------------------------------------------------- @@ -1360,7 +1363,7 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")") # shellcheck disable=2124 readonly ARGS=$@ -readonly VERSION="19.04" +readonly VERSION="19.06" # Disable LANG* export LANG=C From 16bdd6893d28e686841a08fdb2c0127ac170811c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 14:36:20 +0200 Subject: [PATCH 14/14] Release 9.10.1 --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 83d13b6d..9472e665 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,12 +13,16 @@ The **patch** part changes incrementally at each release. ### Added ### Changed -* evocheck : update (version 19.06) from upstream ### Fixed ### Security +## [9.10.1] - 2019-06-21 + +### Changed +* evocheck : update (version 19.06) from upstream + ## [9.10.0] - 2019-06-21 ### Added