From 26f9d171a404b3d7dfcd9ea69b9df3a78c22284d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 26 Sep 2022 23:46:29 +0200 Subject: [PATCH 01/72] lxc-solr: detect the real partition options --- CHANGELOG.md | 2 ++ lxc/tasks/main.yml | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 71f7be80..50ad3561 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* lxc-solr: detect the real partition options + ### Fixed ### Removed diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 70f5dc2b..3ec586bd 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -43,11 +43,19 @@ - lxc_unprivilegied_containers | bool - root_subuids.rc != 0 -- name: Check if /var has not mount options or nosuid or nodev or noexec - shell: findmnt | grep -E "/var[^/]" | grep -e nodev -e noexec -e nosuid - register: check_var +- name: Get filesystem options + command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS changed_when: false - failed_when: "check_var.rc == 0" + check_mode: no + register: check_fs_options + +- name: Check if options are correct + assert: + that: + - "'nodev' not in check_fs_options.stdout" + - "'noexec' not in check_fs_options.stdout" + - "'nosuid' not in check_fs_options.stdout" + msg: "LXC directory is in a filesystem with incompatible options" - name: Create containers include: create-container.yml From 46deb04005449da75081ec18dfc22e84d7ad7530 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 26 Sep 2022 23:47:55 +0200 Subject: [PATCH 02/72] lxc-solr: choose java package and download URL according to Solr Version --- CHANGELOG.md | 1 + lxc-solr/tasks/solr.yml | 28 ++++++++++++++++++++++------ 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 50ad3561..09044345 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* lxc-solr: choose java package and download URL according to Solr Version * lxc-solr: detect the real partition options ### Fixed diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 4cf521ae..3a4baa1f 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -1,16 +1,31 @@ --- -- name: Install openjdk-8-jre-headless and lsof packages - command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless lsof" + +- name: "Set values for Solr < 9.0.0" + set_fact: + java_package: openjdk-8-jre-headless + tarball_url: https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz + tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + when: "solr_version is version('9.0.0', '<')" + +- name: "Set values for Solr >= 9.0.0" + set_fact: + java_package: openjdk-11-jre-headless + tarball_url: https://archive.apache.org/dist/solr/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz + tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + when: "solr_version is version('9.0.0', '>=')" + +- name: Install java and lsof packages + command: "lxc-attach -n {{ name }} -- apt-get install -y {{ java_package }} lsof" - name: "Download Solr {{ solr_version }}" get_url: - url: "https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz" - dest: "/var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz" + url: "{{ tarball_url }}" + dest: "{{ tarball_path }}" mode: '0644' - name: "Extract solr-{{ solr_version }}.tgz" unarchive: - src: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + src: "{{ tarball_path }}" dest: /var/lib/lxc/{{ name }}/rootfs/root/ remote_src: yes @@ -36,7 +51,8 @@ - name: "Set Solr port to {{ solr_port }}" lineinfile: dest: /var/lib/lxc/{{ name }}/rootfs/etc/default/solr.in.sh - line: "SOLR_PORT={{ solr_port }}" + line: "SOLR_PORT=\"{{ solr_port }}\"" + regexp: "^SOLR_PORT=" - name: "Start Solr" command: "lxc-attach -n {{name}} -- /etc/init.d/solr start" From d52ab34f4f0159229f22d555f23e550ca8c599fa Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 26 Sep 2022 23:48:05 +0200 Subject: [PATCH 03/72] * lxc-solr : add comments --- lxc-solr/defaults/main.yml | 4 ++++ lxc/defaults/main.yml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/lxc-solr/defaults/main.yml b/lxc-solr/defaults/main.yml index ad2a3e23..18144daa 100644 --- a/lxc-solr/defaults/main.yml +++ b/lxc-solr/defaults/main.yml @@ -14,5 +14,9 @@ # release: stretch # solr_version: 8.4.1 # solr_port: 8985 +# - name: solr9 +# release: bullseye +# solr_version: 9.0.0 +# solr_port: 8985 lxc_containers: [] diff --git a/lxc/defaults/main.yml b/lxc/defaults/main.yml index e7e1c1ff..d17e78a0 100644 --- a/lxc/defaults/main.yml +++ b/lxc/defaults/main.yml @@ -15,4 +15,6 @@ lxc_mount_part: "/home" # release: jessie # - name: php70 # release: stretch +# - name: php81 +# release: bullseye lxc_containers: [] From 6aeaab078dbca907af509e7ea96ac739ff9d8614 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 27 Sep 2022 07:47:26 +0200 Subject: [PATCH 04/72] lxc-solr: set homedir and port at install --- CHANGELOG.md | 1 + lxc-solr/tasks/main.yml | 6 +++++- lxc-solr/tasks/solr.yml | 30 ++++++++---------------------- 3 files changed, 14 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 09044345..289ec68c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: choose java package and download URL according to Solr Version * lxc-solr: detect the real partition options +* lxc-solr: set homedir and port at install ### Fixed diff --git a/lxc-solr/tasks/main.yml b/lxc-solr/tasks/main.yml index d629bbf6..bc279a04 100644 --- a/lxc-solr/tasks/main.yml +++ b/lxc-solr/tasks/main.yml @@ -10,5 +10,9 @@ mode: '0755' loop: "{{ lxc_containers }}" -- include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}" +- include: solr.yml + args: + name: "{{ item.name }}" + solr_version: "{{ item.solr_version }}" + solr_port: "{{ item.solr_port }}" loop: "{{ lxc_containers }}" diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 3a4baa1f..8ded722e 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -5,6 +5,8 @@ java_package: openjdk-8-jre-headless tarball_url: https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + start_command: "/etc/init.d/solr start" + stop_command: "/etc/init.d/solr stop" when: "solr_version is version('9.0.0', '<')" - name: "Set values for Solr >= 9.0.0" @@ -12,6 +14,8 @@ java_package: openjdk-11-jre-headless tarball_url: https://archive.apache.org/dist/solr/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + start_command: "systemctl start solr" + stop_command: "systemctl stop solr" when: "solr_version is version('9.0.0', '>=')" - name: Install java and lsof packages @@ -29,30 +33,12 @@ dest: /var/lib/lxc/{{ name }}/rootfs/root/ remote_src: yes -- name: "Install Solr {{ solr_version }}" - command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz" - -- name: "Stop Solr" - command: "lxc-attach -n {{name}} -- /etc/init.d/solr stop" - ignore_errors: True - - name: "Make sure /home/solr exists" file: - path: /home/solr + path: /home/solr/{{ name }} + recurse: yes state: directory mode: '0755' -- name: "Move Solr data directory to /home/solr/{{name}}" - command: "lxc-attach -n {{name}} -- mv /var/solr /home/solr/{{name}}" - -- name: "Create a symbolic link to /home/solr/{{name}}" - command: "lxc-attach -n {{name}} -- ln -s /home/solr/{{name}} /var/solr" - -- name: "Set Solr port to {{ solr_port }}" - lineinfile: - dest: /var/lib/lxc/{{ name }}/rootfs/etc/default/solr.in.sh - line: "SOLR_PORT=\"{{ solr_port }}\"" - regexp: "^SOLR_PORT=" - -- name: "Start Solr" - command: "lxc-attach -n {{name}} -- /etc/init.d/solr start" +- name: "Install Solr {{ solr_version }}" + command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{name}} -p {{ solr_port }}" From 792d1170ab128ef8d6c53641abf8c36ed81a8f7f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 30 Sep 2022 11:38:53 +0200 Subject: [PATCH 05/72] java: use default JRE when version is not specified --- CHANGELOG.md | 1 + java/defaults/main.yml | 2 +- java/tasks/openjdk.yml | 17 +++++++++++++++-- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 289ec68c..ae69cce3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* java: use default JRE package when version is not specified * lxc-solr: choose java package and download URL according to Solr Version * lxc-solr: detect the real partition options * lxc-solr: set homedir and port at install diff --git a/java/defaults/main.yml b/java/defaults/main.yml index 89f5cdac..b28fd4a5 100644 --- a/java/defaults/main.yml +++ b/java/defaults/main.yml @@ -1,4 +1,4 @@ --- java_alternative: 'openjdk' -java_version: 8 +java_version: Null java_default_alternative: True diff --git a/java/tasks/openjdk.yml b/java/tasks/openjdk.yml index b41db0a7..4af3cec1 100644 --- a/java/tasks/openjdk.yml +++ b/java/tasks/openjdk.yml @@ -13,7 +13,17 @@ tags: - java -- name: Install openjdk package +- name: Install default openjdk package + apt: + name: "default-jre-headless" + default_release: "{{ java_apt_release }}" + state: present + tags: + - java + - packages + when: java_version is none + +- name: Install specific openjdk package apt: name: "openjdk-{{ java_version}}-jre-headless" default_release: "{{ java_apt_release }}" @@ -21,11 +31,14 @@ tags: - java - packages + when: java_version is not none - name: This openjdk version is the default alternative alternatives: name: java path: "{{ java_bin_path[java_version] }}" - when: java_default_alternative | bool tags: - java + when: + - java_default_alternative | bool + - java_version is not none From c6fb24f7d871eb32644bb6dc1be12e5b7ffec8b1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 30 Sep 2022 11:39:50 +0200 Subject: [PATCH 06/72] lxc-solr: use default JRE package --- CHANGELOG.md | 2 +- lxc-solr/tasks/solr.yml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae69cce3..8520f9ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * java: use default JRE package when version is not specified -* lxc-solr: choose java package and download URL according to Solr Version +* lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options * lxc-solr: set homedir and port at install diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 8ded722e..9e37bf44 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -2,7 +2,6 @@ - name: "Set values for Solr < 9.0.0" set_fact: - java_package: openjdk-8-jre-headless tarball_url: https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz start_command: "/etc/init.d/solr start" @@ -11,7 +10,6 @@ - name: "Set values for Solr >= 9.0.0" set_fact: - java_package: openjdk-11-jre-headless tarball_url: https://archive.apache.org/dist/solr/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz start_command: "systemctl start solr" @@ -19,7 +17,7 @@ when: "solr_version is version('9.0.0', '>=')" - name: Install java and lsof packages - command: "lxc-attach -n {{ name }} -- apt-get install -y {{ java_package }} lsof" + command: "lxc-attach -n {{ name }} -- apt-get install -y default-jre-headless lsof" - name: "Download Solr {{ solr_version }}" get_url: From 8e1b682ccc6838345b02237fd09eff00b33f6e46 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 3 Oct 2022 18:53:19 +0200 Subject: [PATCH 07/72] squid: whitelist deb.freexian.com --- CHANGELOG.md | 1 + squid/files/evolinux-whitelist-defaults.conf | 1 + squid/files/whitelist-evolinux.conf | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8520f9ba..7f628094 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options * lxc-solr: set homedir and port at install +* squid: whitelist deb.freexian.com ### Fixed diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index fe9c0fb4..433b9ef8 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -11,6 +11,7 @@ ^repo\.mysql\.com$ ^deb\.nodesource\.com$ ^dl\.yarnpkg\.com$ +^deb\.freexian\.com$ # Let's Encrypt .+\.letsencrypt.org$ diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index 41b81221..c445e835 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf @@ -10,6 +10,7 @@ http://spamassassin.apache.org/.* http://.*sa-update.* http://pear.php.net/.* http://repo.mysql.com/.* +http://deb.freexian.com/.* # Let's Encrypt http://.*.letsencrypt.org/.* From 15d77568812e05c99575c62fa9d70a954bc00903 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 3 Oct 2022 18:54:29 +0200 Subject: [PATCH 08/72] minifirewall: whitelist deb.freexian.com --- CHANGELOG.md | 1 + minifirewall/files/minifirewall.legacy.conf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f628094..cab57c5d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options * lxc-solr: set homedir and port at install +* minifirewall: whitelist deb.freexian.com * squid: whitelist deb.freexian.com ### Fixed diff --git a/minifirewall/files/minifirewall.legacy.conf b/minifirewall/files/minifirewall.legacy.conf index 47be78bf..b63ad7d8 100644 --- a/minifirewall/files/minifirewall.legacy.conf +++ b/minifirewall/files/minifirewall.legacy.conf @@ -55,7 +55,7 @@ DNSSERVEURS='0.0.0.0/0' # HTTP authorizations # (you can use DNS names but set cron to reload minifirewall regularly) # (if you have HTTP proxy, set 0.0.0.0/0) -# HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org' +# HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org deb.freexian.com' HTTPSITES='0.0.0.0/0' # HTTPS authorizations From 8114f7c89bef424aaeba68695f9487c068e5ca2c Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 4 Oct 2022 15:49:00 +0200 Subject: [PATCH 09/72] mongodb: Allow to install version 5.0 on Bullseye --- mongodb/tasks/main_bullseye.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 78459863..f97016ec 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -4,8 +4,12 @@ msg: Not compatible with Debian 11 (Bullseye) when: - ansible_distribution_release == "bullseye" - - mongodb_version is version('5.0', '<=') + - mongodb_version is version('5.0', '<') +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring - name: MongoDB embedded GPG key is absent apt_key: @@ -25,7 +29,7 @@ - name: enable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{mongodb_version}} main" + repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes @@ -46,19 +50,19 @@ - name: install dependency for monitoring apt: - name: python-pymongo + name: python3-pymongo state: present - name: Custom configuration template: - src: mongodb_buster.conf.j2 + src: mongodb_bullseye.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate template: - src: logrotate_buster.j2 + src: logrotate_bullseye.j2 dest: /etc/logrotate.d/mongodb force: yes backup: no From 4f9d6868e0db982e0e706bbe8f3afd78fd8e60ca Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Fri, 7 Oct 2022 14:16:32 +0200 Subject: [PATCH 10/72] evolinux-user: sudoers privileges for check php\fpm80 and 81 --- CHANGELOG.md | 3 +++ evolinux-users/templates/sudoers_stretch.j2 | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cab57c5d..dd4d1a33 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evolinux-user: Add sudoers privilege for chck php\_fpm81 * java: use default JRE package when version is not specified * lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options @@ -23,6 +24,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* evolinux-user: Fix sudoers privilege for chck php\_fpm80 + ### Removed ### Security diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 index 4a522e1b..8211f121 100644 --- a/evolinux-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 @@ -12,7 +12,8 @@ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/ -nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/8.0/fpm/pool.d/ +nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ +nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush From 2d16aeb41e9ec31288afbef25d75a49f7f78110d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 11 Oct 2022 13:37:21 +0200 Subject: [PATCH 11/72] evolinux-base: utils.yml can be excluded --- CHANGELOG.md | 1 + evolinux-base/defaults/main.yml | 3 +++ evolinux-base/tasks/main.yml | 5 +---- evolinux-base/tasks/utils.yml | 13 ++++++++++++- 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd4d1a33..613439ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evolinux-base: utils.yml can be excluded * evolinux-user: Add sudoers privilege for chck php\_fpm81 * java: use default JRE package when version is not specified * lxc-solr: download URL according to Solr Version diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index ee307015..80db9d3b 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -224,3 +224,6 @@ evolinux_cron_checkhpraid_frequency: daily # Motd evolinux_motd_include: True + +# Utils +evolinux_utils_include: True \ No newline at end of file diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index dba5e97b..ecbfe069 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -102,6 +102,7 @@ when: evolinux_motd_include | bool - include: utils.yml + when: evolinux_utils_include | bool - name: Munin include_role: @@ -132,7 +133,3 @@ include_role: name: evolix/generate-ldif when: evolinux_generateldif_include | bool - -- include: top.yml - -- include: htop.yml diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 2fd4b0c1..c8aa58e8 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -37,4 +37,15 @@ # force: True # owner: root # group: root -# mode: "0755" \ No newline at end of file +# mode: "0755" + +- name: Deploy htop configuration + copy: + src: htoprc + dest: /etc/htoprc + mode: "0644" + +- name: Deploy top configuration file + file: + path: /etc/topdefaultrc + state: absent From 05e782c6f81dc5bad83f014b1c0b8e0bdda22f0d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 11 Oct 2022 17:58:27 +0200 Subject: [PATCH 12/72] evolinux-base: remove deprecated tasks files --- evolinux-base/tasks/htop.yml | 6 ------ evolinux-base/tasks/top.yml | 5 ----- 2 files changed, 11 deletions(-) delete mode 100644 evolinux-base/tasks/htop.yml delete mode 100644 evolinux-base/tasks/top.yml diff --git a/evolinux-base/tasks/htop.yml b/evolinux-base/tasks/htop.yml deleted file mode 100644 index eeb59beb..00000000 --- a/evolinux-base/tasks/htop.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Deploy htop configuration - copy: - src: htoprc - dest: /etc/htoprc - mode: "0644" diff --git a/evolinux-base/tasks/top.yml b/evolinux-base/tasks/top.yml deleted file mode 100644 index 367791e7..00000000 --- a/evolinux-base/tasks/top.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Deploy top configuration file - file: - path: /etc/topdefaultrc - state: absent From 6be2ff3b48da4a7ad7f42de3470d0ab453ecb3dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Mon, 17 Oct 2022 11:37:58 +0200 Subject: [PATCH 13/72] evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) --- CHANGELOG.md | 1 + evolinux-todo/tasks/main.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 613439ab..2260ee81 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: set homedir and port at install * minifirewall: whitelist deb.freexian.com * squid: whitelist deb.freexian.com +* evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) ### Fixed diff --git a/evolinux-todo/tasks/main.yml b/evolinux-todo/tasks/main.yml index bd098c72..8b5fa6b7 100644 --- a/evolinux-todo/tasks/main.yml +++ b/evolinux-todo/tasks/main.yml @@ -5,6 +5,7 @@ dest: /etc/evolinux mode: "0700" state: directory + when: ansible_distribution == "Debian" - name: /etc/evolinux/todo.txt is present copy: @@ -12,3 +13,4 @@ dest: /etc/evolinux/todo.txt mode: "0640" force: no + when: ansible_distribution == "Debian" From f71075d4efae66d9677b6685ef6ca9e9f74f5ae6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Oct 2022 16:32:36 +0200 Subject: [PATCH 14/72] evolinux-base: replace regular kernel by cloud kernel on virtual servers --- CHANGELOG.md | 2 ++ evolinux-base/defaults/main.yml | 1 + evolinux-base/tasks/kernel.yml | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2260ee81..714e161e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* evolinux-base: replace regular kernel by cloud kernel on virtual servers + ### Changed * evolinux-base: utils.yml can be excluded diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 80db9d3b..d75a23bf 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -48,6 +48,7 @@ evolinux_internal_fqdn: "{{ evolinux_internal_hostname }}.{{ evolinux_intern evolinux_kernel_include: True +evolinux_kernel_cloud_auto: True evolinux_kernel_reboot_after_panic: True evolinux_kernel_disable_tcp_timestamps: True evolinux_kernel_customize_swappiness: True diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 6ddeb57f..62569b08 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -1,5 +1,23 @@ --- +- name: "Use Cloud kernel on virtual servers" + apt: + name: "linux-image-cloud-amd64" + state: present + when: + - ansible_machine == "x86_64" + - ansible_virtualization_role == "guest" + - evolinux_kernel_cloud_auto | bool + +- name: "Remove non-Cloud kernel on virtual servers" + apt: + name: "linux-image-amd64" + state: absent + when: + - ansible_machine == "x86_64" + - ansible_virtualization_role == "guest" + - evolinux_kernel_cloud_auto | bool + - name: Reboot after panic sysctl: name: "{{ item.name }}" From ed4fdce58cdcd1682ef973448e3715c91b7599c0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Oct 2022 16:33:22 +0200 Subject: [PATCH 15/72] clean duplicate --- certbot/files/hooks/deploy/sync_remote.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/certbot/files/hooks/deploy/sync_remote.sh b/certbot/files/hooks/deploy/sync_remote.sh index 7fc3ecf4..bbbe6f5f 100644 --- a/certbot/files/hooks/deploy/sync_remote.sh +++ b/certbot/files/hooks/deploy/sync_remote.sh @@ -28,10 +28,6 @@ main() { if [ -z "${RENEWED_LINEAGE}" ]; then error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)." fi - if [ -z "${servers}" ]; then - debug "Empty server list, skip." - exit 0 - fi if found_renewed_lineage; then RENEWED_DOMAINS=${RENEWED_DOMAINS:-$(domain_from_cert)} From fc52fbf4bcc78115440b783889379b71ff516f99 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 20 Oct 2022 14:36:47 +0200 Subject: [PATCH 16/72] redis: some values should be quoted When Redis overwrites its own config, it uses quoted string values, so it's better to do the same to avoid changes. --- CHANGELOG.md | 5 +++-- redis/templates/redis.conf.j2 | 14 +++++++------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 714e161e..da7c4dbc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,14 +17,15 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * evolinux-base: utils.yml can be excluded +* evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) * evolinux-user: Add sudoers privilege for chck php\_fpm81 * java: use default JRE package when version is not specified -* lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options +* lxc-solr: download URL according to Solr Version * lxc-solr: set homedir and port at install * minifirewall: whitelist deb.freexian.com +* redis: some values should be quoted * squid: whitelist deb.freexian.com -* evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) ### Fixed diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index 720f724f..4afced22 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -1,24 +1,24 @@ daemonize yes -pidfile {{ redis_pid_dir }}/redis-server.pid +pidfile "{{ redis_pid_dir }}/redis-server.pid" port {{ redis_port }} bind {{ redis_bind_interfaces | join(' ') }} {% if redis_socket_enabled %} -unixsocket {{ redis_socket_dir }}/redis.sock +unixsocket "{{ redis_socket_dir }}/redis.sock" unixsocketperm {{ redis_socket_perms }} {% endif %} {% if redis_password %} -requirepass {{ redis_password }} +requirepass "{{ redis_password }}" {% endif %} {% if redis_password_master %} -masterauth {{ redis_password_master }} +masterauth "{{ redis_password_master }}" {% endif %} timeout {{ redis_timeout }} loglevel {{ redis_log_level }} -logfile {{ redis_log_dir }}/redis-server.log +logfile "{{ redis_log_dir }}/redis-server.log" # To enable logging to the system logger, just set 'syslog-enabled' to yes, # and optionally update the other syslog parameters to suit your needs. @@ -33,8 +33,8 @@ save {{ save }} {% endfor %} rdbcompression {{ redis_rdbcompression | bool | ternary('yes','no') }} -dbfilename {{ redis_data_file }} -dir {{ redis_data_dir }} +dbfilename "{{ redis_data_file }}" +dir "{{ redis_data_dir }}" {% if redis_installed_version is version('3.2', '>=') %} protected-mode {{ redis_protected_mode | bool | ternary('yes','no') }} From 554c086b798755eeaec213cf4db05af178d39fa3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 20 Oct 2022 14:38:12 +0200 Subject: [PATCH 17/72] redis: variable to disable transparent hugepage (default: do nothing) --- CHANGELOG.md | 1 + redis/defaults/main.yml | 4 ++++ redis/handlers/main.yml | 5 +++++ redis/tasks/main.yml | 24 ++++++++++++++---------- redis/tasks/thp.yml | 34 ++++++++++++++++++++++++++++++++++ 5 files changed, 58 insertions(+), 10 deletions(-) create mode 100644 redis/tasks/thp.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index da7c4dbc..a7435530 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: set homedir and port at install * minifirewall: whitelist deb.freexian.com * redis: some values should be quoted +* redis: variable to disable transparent hugepage (default: do nothing) * squid: whitelist deb.freexian.com ### Fixed diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 1a86c95c..b5547597 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -61,5 +61,9 @@ redis_sentinel_install: False redis_default_server_disabled: False +# Set to Null to leave as is +# Set to "always", "madvise" or "never" for custom value +redis_sysctl_transparent_hugepage_enabled: Null + general_alert_email: "root@localhost" log2mail_alert_email: Null diff --git a/redis/handlers/main.yml b/redis/handlers/main.yml index d85dcbf8..6d870b39 100644 --- a/redis/handlers/main.yml +++ b/redis/handlers/main.yml @@ -23,3 +23,8 @@ service: name: log2mail state: restarted + +- name: restart sysfsutils + service: + name: sysfsutils + state: restarted diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 871ab3eb..d9a57bb2 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -3,7 +3,19 @@ - set_fact: redis_restart_handler_name: "{{ redis_restart_if_needed | bool | ternary('restart redis', 'restart redis (noop)') }}" -- name: Redis is installed. +- name: Linux kernel overcommit memory setting is enabled + sysctl: + name: "vm.overcommit_memory" + value: "1" + sysctl_file: "/etc/sysctl.d/evolinux-redis.conf" + state: present + reload: yes + +- name: Customize Kernel Transparent Huge Page + include: thp.yml + when: redis_sysctl_transparent_hugepage_enabled is not none + +- name: Redis is installed apt: name: - redis-server @@ -13,7 +25,7 @@ - redis - packages -- name: Redis Sentinel is installed. +- name: Redis Sentinel is installed apt: name: "redis-sentinel" state: present @@ -22,14 +34,6 @@ - packages when: redis_sentinel_install | bool -- name: Linux kernel overcommit memory setting is enabled - sysctl: - name: "vm.overcommit_memory" - value: "1" - sysctl_file: "/etc/sysctl.d/evolinux-redis.conf" - state: present - reload: yes - - name: Get Redis version shell: "redis-server -v | grep -Eo '(v=\\S+)' | cut -d'=' -f 2 | grep -E '^([0-9]|\\.)+$'" changed_when: false diff --git a/redis/tasks/thp.yml b/redis/tasks/thp.yml new file mode 100644 index 00000000..7a0dce27 --- /dev/null +++ b/redis/tasks/thp.yml @@ -0,0 +1,34 @@ +--- + +- name: sysfsutils is installed + apt: + name: + - sysfsutils + state: present + tags: + - redis + - packages + - kernel + +- name: Check possible values for THP + assert: + that: redis_sysctl_transparent_hugepage_enabled is in ['always', 'madvise', 'never'] + msg: "redis_sysctl_transparent_hugepage_enabled has incorrect value : '{{ redis_sysctl_transparent_hugepage_enabled }}' not in ['always', 'madvise', 'never']" + tags: + - redis + - kernel + +- name: "Set THP to {{ redis_sysctl_transparent_hugepage_enabled }} at boot" + lineinfile: + path: /etc/sysfs.conf + line: kernel/mm/transparent_hugepage/enabled = {{ redis_sysctl_transparent_hugepage_enabled }} + regexp: "kernel/mm/transparent_hugepage/enabled" + tags: + - redis + - kernel + +- name: "Set THP to {{ redis_sysctl_transparent_hugepage_enabled }} for this boot" + shell: "echo '{{ redis_sysctl_transparent_hugepage_enabled }}' >> /sys/kernel/mm/transparent_hugepage/enabled" + tags: + - redis + - kernel \ No newline at end of file From 857b3e0e450e9b93f1152169c8bc37cf525eb34b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 20 Oct 2022 15:46:04 +0200 Subject: [PATCH 18/72] nagios-nrpe: check_haproxy_stats supports DRAIN status --- CHANGELOG.md | 2 +- nagios-nrpe/files/plugins/check_haproxy_stats | 14 +++++++++++--- nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a7435530..7f4fc18f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * evolinux-base: replace regular kernel by cloud kernel on virtual servers - +* nagios-nrpe: check_haproxy_stats supports DRAIN status ### Changed * evolinux-base: utils.yml can be excluded diff --git a/nagios-nrpe/files/plugins/check_haproxy_stats b/nagios-nrpe/files/plugins/check_haproxy_stats index fc51938f..d08c4103 100755 --- a/nagios-nrpe/files/plugins/check_haproxy_stats +++ b/nagios-nrpe/files/plugins/check_haproxy_stats @@ -5,6 +5,7 @@ # Copyright (C) 2012, Giacomo Montagner # 2015, Yann Fertat, Romain Dessort, Jeff Palmer, # Christophe Drevet-Droguet +# 2022, Jérémy Lecour # # This program is free software; you can redistribute it and/or modify it # under the same terms as Perl 5.10.1. @@ -15,7 +16,7 @@ # warranty of merchantability or fitness for a particular purpose. # -our $VERSION = "1.2.0"; +our $VERSION = "1.3.1"; open(STDERR, ">&STDOUT"); @@ -29,6 +30,8 @@ open(STDERR, ">&STDOUT"); # 1.1.0 - support for HTTP interface # 1.1.1 - drop perl 5.10 requirement # 1.2.0 - add an option for ignore NOLB +# 1.3.0 - add an option for ignore DRAIN +# 1.3.1 - support DRAIN/MAINT when set by agent use strict; use warnings; @@ -64,6 +67,8 @@ DESCRIPTION Assume servers in MAINT state to be ok. -n, --ignore-nolb Assume servers in NOLB state to be ok. + --ignore-drain + Assume servers in DRAIN state to be ok. -p, --proxy Check only named proxies, not every one. Use comma to separate proxies in list. @@ -132,6 +137,7 @@ my $pass = ''; my $dump; my $ignore_maint; my $ignore_nolb; +my $ignore_drain; my $proxy; my $no_proxy; my $help; @@ -143,7 +149,8 @@ GetOptions ( "d|dump" => \$dump, "h|help" => \$help, "m|ignore-maint" => \$ignore_maint, - "n|ignore-nolb" => \$ignore_nolb, + "n|ignore-nolb" => \$ignore_nolb, + "ignore-drain" => \$ignore_drain, "p|proxy=s" => \$proxy, "P|no-proxy=s" => \$no_proxy, "s|sock|socket=s" => \$sock, @@ -267,8 +274,9 @@ foreach (@hastats) { # Check of servers } else { if ($data[$status] ne 'UP') { - next if ($ignore_maint && $data[$status] eq 'MAINT'); + next if ($ignore_maint && ($data[$status] eq 'MAINT' || $data[$status] eq 'MAINT (agent)')); next if ($ignore_nolb && $data[$status] eq 'NOLB'); + next if ($ignore_drain && ($data[$status] eq 'DRAIN' || $data[$status] eq 'DRAIN (agent)')); next if $data[$status] eq 'no check'; # Ignore server if no check is configured to be run next if $data[$svname] eq 'sock-1'; $exitcode = 2; diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index ae0e0abd..dc6d09db 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -72,7 +72,7 @@ command[check_mongodb_connect]={{ nagios_plugins_directory }}/check_mongodb -H l command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -n 0 command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4 -command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb +command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall command[check_redis_instances]={{ nagios_plugins_directory }}/check_redis_instances command[check_hpraid]={{ nagios_plugins_directory }}/check_hpraid From 2692ac5661b8ababcfb85d5ba16ae2a6cdaf73b1 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Thu, 16 Jun 2022 17:58:34 +0200 Subject: [PATCH 19/72] Ajoute l'umask 0007 au service php-fpm --- lxc-php/defaults/main.yml | 10 ++++++++++ lxc-php/handlers/main.yml | 11 +++++++++++ lxc-php/tasks/main.yml | 2 ++ lxc-php/tasks/umask.yml | 31 +++++++++++++++++++++++++++++++ 4 files changed, 54 insertions(+) create mode 100644 lxc-php/tasks/umask.yml diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 415d1c9e..5567c4d0 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -21,3 +21,13 @@ lxc_php_container_releases: php74: "bullseye" php80: "bullseye" php81: "bullseye" + +lxc_php_services: + php56: 'php5-fpm.service' + php70: 'php7.0-fpm.service' + php73: 'php7.3-fpm.service' + php74: 'php7.4-fpm.service' + php80: 'php8.0-fpm.service' + php81: 'php8.1-fpm.service' + + diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index a757a2d0..eb52e86d 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml @@ -1,4 +1,10 @@ --- + +- name: Reload PHP-FPM + lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl reload {{ lxc_php_services[lxc_php_version] }}" + - name: Reload php81-fpm lxc_container: name: "{{ lxc_php_version }}" @@ -34,6 +40,11 @@ name: "{{ lxc_php_version }}" container_command: "systemctl restart opensmtpd" +- name: Daemon reload + lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl daemon-reload" + - name: Restart container lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index c6d85fbe..4471a709 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -27,4 +27,6 @@ - include: "php81.yml" when: lxc_php_version == "php81" +- include: "umask.yml" + - include: "misc.yml" diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml new file mode 100644 index 00000000..5fca081a --- /dev/null +++ b/lxc-php/tasks/umask.yml @@ -0,0 +1,31 @@ +# Ajoute UMask=0007 à l'unité systemd PHP-FPM du conteneur LXC +# dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf +--- + +- name: "Définis le chemin du système de fichiers du conteneur LXC." + set_fact: + lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" + +- name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC." + ansible.builtin.file: + path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" + register: systemd_path + state: directory + +- name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC." + ansible.builtin.lineinfile: + path: "{{ systemd_path.path }}/evolinux.conf" + regex: "\\[Service\\]" + line: "[Service]" + create: yes + +- name: "UMask=0007 est présent dans la surchage des services PHP-FPM des conteneurs LXC." + ansible.builtin.lineinfile: + path: "{{ systemd_path.path }}/evolinux.conf" + regex: "^UMask=" + line: "UMask=0007" + insertafter: "\\[Service\\]" + notify: + - "Daemon reload" + - "Reload PHP-FPM" + From 18fb89234c9f8bc0996d1f61164dca205ca2f5fb Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 26 Oct 2022 15:23:46 +0200 Subject: [PATCH 20/72] lxc-php: restart container instead of reload after php-fpm unit's umask change. --- lxc-php/handlers/main.yml | 5 +++++ lxc-php/tasks/umask.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index eb52e86d..0beaa055 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml @@ -5,6 +5,11 @@ name: "{{ lxc_php_version }}" container_command: "systemctl reload {{ lxc_php_services[lxc_php_version] }}" +- name: Restart PHP-FPM + lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl restart {{ lxc_php_services[lxc_php_version] }}" + - name: Reload php81-fpm lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 5fca081a..8d43fdcd 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml @@ -27,5 +27,5 @@ insertafter: "\\[Service\\]" notify: - "Daemon reload" - - "Reload PHP-FPM" + - "Restart PHP-FPM" From 912cec5a7851aee393a5756f46c8be6d465a2e00 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 26 Oct 2022 15:25:22 +0200 Subject: [PATCH 21/72] lxc-php: update changelog. --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f4fc18f..704d9494 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status +* lxc-php: set php-fpm umask to 007 + ### Changed * evolinux-base: utils.yml can be excluded From b1138c07eef190e522db6d2a0b300033b3a8c61e Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 2 Nov 2022 11:10:56 +0100 Subject: [PATCH 22/72] lxc-php: Fix register instruction in wrong order and indentation --- lxc-php/tasks/umask.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 8d43fdcd..4a2fde5d 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml @@ -9,8 +9,8 @@ - name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC." ansible.builtin.file: path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" - register: systemd_path state: directory + register: systemd_path - name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC." ansible.builtin.lineinfile: From 4d259d3c04a8a6cf272c56e62e9d3b3f6dc4125b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Nov 2022 13:29:58 +0100 Subject: [PATCH 23/72] varnish: systemd override depends on Varnish Use Varnish version instead of Debian version to choose systemd override template, to make it forward compatible --- CHANGELOG.md | 3 +- varnish/tasks/main.yml | 55 ++++++++++++++----- ...nf.jessie.j2 => override.conf.varnish4.j2} | 0 ...nf.buster.j2 => override.conf.varnish6.j2} | 0 varnish/templates/override.conf.varnish7.j2 | 18 ++++++ 5 files changed, 60 insertions(+), 16 deletions(-) rename varnish/templates/{varnish.conf.jessie.j2 => override.conf.varnish4.j2} (100%) rename varnish/templates/{varnish.conf.buster.j2 => override.conf.varnish6.j2} (100%) create mode 100644 varnish/templates/override.conf.varnish7.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 704d9494..dfece0b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,10 +29,11 @@ The **patch** part changes is incremented if multiple releases happen the same m * redis: some values should be quoted * redis: variable to disable transparent hugepage (default: do nothing) * squid: whitelist deb.freexian.com +* varnish: systemd override depends on Varnish version instead of Debian version ### Fixed -* evolinux-user: Fix sudoers privilege for chck php\_fpm80 +* evolinux-user: Fix sudoers privilege for check php\_fpm80 ### Removed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 75268841..be518130 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -6,6 +6,17 @@ tags: - varnish +- name: Fetch packages + package_facts: + manager: auto + tags: + - varnish + +- set_fact: + varnish_package_facts: ansible_facts.packages['varnish'] | first + tags: + - varnish + - name: Remove default varnish configuration files file: path: "{{ item }}" @@ -19,7 +30,7 @@ - varnish - config -- name: Copy Custom Varnish ExecReload script (Debian <10) +- name: Copy Custom Varnish ExecReload script (Debian < 10) template: src: "reload-vcl.sh.j2" dest: "/etc/varnish/reload-vcl.sh" @@ -38,27 +49,41 @@ tags: - varnish -- name: Override Varnish systemd unit (Stretch and before) - template: - src: varnish.conf.jessie.j2 - dest: /etc/systemd/system/varnish.service.d/evolinux.conf - force: yes - when: ansible_distribution_major_version is version('10', '<') +- name: Rename legacy systemd override + command: mv /etc/systemd/system/varnish.service.d/evolinux.conf /etc/systemd/system/varnish.service.d/override.conf + args: + removes: /etc/systemd/system/varnish.service.d/evolinux.conf + creates: /etc/systemd/system/varnish.service.d/override.conf notify: - reload systemd - - restart varnish tags: - varnish - - config - - update-config -# TODO: verify if it's still necessary for Debian 11 -- name: Override Varnish systemd unit (Buster and later) +- name: Varnish systemd override template (Varnish 4 and 5) + set_fact: + varnish_systemd_override_template: override.conf.varnish4.j2 + when: + - varnish_package_facts['version'] is version('4', '>=') + - varnish_package_facts['version'] is version('6', '<') + +- name: Varnish systemd override template (Varnish 6) + set_fact: + varnish_systemd_override_template: override.conf.varnish6.j2 + when: + - varnish_package_facts['version'] is version('6', '>=') + - varnish_package_facts['version'] is version('7', '<') + +- name: Varnish systemd override template (Varnish 7 and later) + set_fact: + varnish_systemd_override_template: override.conf.varnish7.j2 + when: + - varnish_package_facts['version'] is version('7', '>=') + +- name: Override Varnish systemd unit template: - src: varnish.conf.buster.j2 - dest: /etc/systemd/system/varnish.service.d/evolinux.conf + src: "{{ varnish_systemd_override_template }}" + dest: /etc/systemd/system/varnish.service.d/override.conf force: yes - when: ansible_distribution_major_version is version('10', '>=') notify: - reload systemd - restart varnish diff --git a/varnish/templates/varnish.conf.jessie.j2 b/varnish/templates/override.conf.varnish4.j2 similarity index 100% rename from varnish/templates/varnish.conf.jessie.j2 rename to varnish/templates/override.conf.varnish4.j2 diff --git a/varnish/templates/varnish.conf.buster.j2 b/varnish/templates/override.conf.varnish6.j2 similarity index 100% rename from varnish/templates/varnish.conf.buster.j2 rename to varnish/templates/override.conf.varnish6.j2 diff --git a/varnish/templates/override.conf.varnish7.j2 b/varnish/templates/override.conf.varnish7.j2 new file mode 100644 index 00000000..14a0b315 --- /dev/null +++ b/varnish/templates/override.conf.varnish7.j2 @@ -0,0 +1,18 @@ +# {{ ansible_managed }} + +[Service] +ExecStart= +ExecStart=/usr/sbin/varnishd \ + -j {{ varnish_jail }} \ + {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} \ + -P %t/%N/varnishd.pid \ + -T {{ varnish_management_address }} \ + -f {{ varnish_config_file }} \ + -S {{ varnish_secret_file }} \ + -s {{ varnish_storage }} \ + -p feature=+http2 \ + -p thread_pools={{ varnish_thread_pools }} \ + -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} \ + -p thread_pool_min={{ varnish_thread_pool_min }} \ + -p thread_pool_max={{ varnish_thread_pool_max }} \ + {{ varnish_additional_options }} From c9ccda227795073e466a077532ae4d3cc72168ab Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Nov 2022 19:45:15 +0100 Subject: [PATCH 24/72] varnish: create special tmp directory for syntax validation --- CHANGELOG.md | 1 + varnish/tasks/main.yml | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dfece0b1..4546d4da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 +* varnish: create special tmp directory for syntax validation ### Changed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index be518130..286d49dd 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -151,4 +151,15 @@ - config - update-config +# To validate the configuration, we must use a tmp directory that is mounted as exec +# We usually use /vat/tmp-cache then validate the syntax with this command: +# sudo -u vcache TMPDIR=/var/tmp-vcache varnishd -Cf /etc/varnish/default.vcl > /dev/null +- name: Special tmp directory + file: + path: "{{ varnish_tmp_dir }}" + state: directory + owner: vcache + group: varnish + mode: "0750" + - include: munin.yml From 7f3f7b3e04cd00f5635712bafff635371ec285a0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Nov 2022 22:30:09 +0100 Subject: [PATCH 25/72] varnish: fix tags and variables --- varnish/defaults/main.yml | 2 ++ varnish/tasks/main.yml | 22 +++++++++++++++++----- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml index 2de75a15..acc9b114 100644 --- a/varnish/defaults/main.yml +++ b/varnish/defaults/main.yml @@ -18,3 +18,5 @@ varnish_additional_options: "" varnish_config_file: /etc/varnish/default.vcl varnish_secret_file: /etc/varnish/secret + +varnish_tmp_dir: /var/tmp-vcache \ No newline at end of file diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 286d49dd..67fe2d6e 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -48,16 +48,16 @@ state: directory tags: - varnish + - config -- name: Rename legacy systemd override - command: mv /etc/systemd/system/varnish.service.d/evolinux.conf /etc/systemd/system/varnish.service.d/override.conf - args: - removes: /etc/systemd/system/varnish.service.d/evolinux.conf - creates: /etc/systemd/system/varnish.service.d/override.conf +- name: Remove legacy systemd override + file: + dest: /etc/systemd/system/varnish.service.d/evolinux.conf notify: - reload systemd tags: - varnish + - config - name: Varnish systemd override template (Varnish 4 and 5) set_fact: @@ -65,6 +65,10 @@ when: - varnish_package_facts['version'] is version('4', '>=') - varnish_package_facts['version'] is version('6', '<') + tags: + - varnish + - config + - update-config - name: Varnish systemd override template (Varnish 6) set_fact: @@ -72,12 +76,20 @@ when: - varnish_package_facts['version'] is version('6', '>=') - varnish_package_facts['version'] is version('7', '<') + tags: + - varnish + - config + - update-config - name: Varnish systemd override template (Varnish 7 and later) set_fact: varnish_systemd_override_template: override.conf.varnish7.j2 when: - varnish_package_facts['version'] is version('7', '>=') + tags: + - varnish + - config + - update-config - name: Override Varnish systemd unit template: From f531460f49b662c35d0db82a67c775cdc53f6ccd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Nov 2022 23:15:17 +0100 Subject: [PATCH 26/72] Use proper keyrings directory for APT version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Debian 9 → 11 : /etc/apt/trusted.gpg.d Debian 12 : /etc/apt/keyrings --- CHANGELOG.md | 1 + apt/defaults/main.yml | 2 ++ apt/tasks/evolix_public.yml | 2 +- docker-host/defaults/main.yml | 2 ++ docker-host/tasks/main.yml | 2 +- elasticsearch/defaults/main.yml | 2 ++ elasticsearch/tasks/packages.yml | 2 +- evolinux-base/defaults/main.yml | 2 ++ evolinux-base/tasks/hardware.yml | 4 ++-- filebeat/defaults/main.yml | 2 ++ filebeat/tasks/main.yml | 2 +- fluentd/defaults/main.yml | 2 ++ fluentd/tasks/main.yml | 4 ++-- jenkins/defaults/main.yml | 3 +++ jenkins/tasks/main.yml | 2 +- kibana/defaults/main.yml | 2 ++ kibana/tasks/main.yml | 2 +- logstash/defaults/main.yml | 4 +++- logstash/tasks/main.yml | 2 +- lxc-php/defaults/main.yml | 2 +- lxc-php/tasks/php80.yml | 4 ++-- lxc-php/tasks/php81.yml | 4 ++-- metricbeat/defaults/main.yml | 2 ++ metricbeat/tasks/main.yml | 2 +- mongodb/defaults/main.yml | 4 +++- mongodb/tasks/main_bullseye.yml | 2 +- mongodb/tasks/main_buster.yml | 2 +- newrelic/defaults/main.yml | 2 ++ newrelic/tasks/sources.yml | 2 +- nodejs/defaults/main.yml | 2 ++ nodejs/tasks/main.yml | 2 +- nodejs/tasks/yarn.yml | 2 +- percona/defaults/main.yml | 2 ++ percona/tasks/main.yml | 2 +- php/defaults/main.yml | 2 ++ php/tasks/sury_pre.yml | 2 +- postgresql/defaults/main.yml | 2 ++ postgresql/tasks/pgdg-repo.yml | 2 +- 38 files changed, 61 insertions(+), 27 deletions(-) create mode 100644 jenkins/defaults/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 4546d4da..0a9a7496 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* Use proper keyrings directory for APT version * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index e5093c6e..681f1d14 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -25,3 +25,5 @@ apt_check_hold_cron_hour: "*/4" apt_check_hold_cron_weekday: "*" apt_check_hold_cron_day: "*" apt_check_hold_cron_month: "*" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 8352e666..21062a32 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -19,7 +19,7 @@ - name: Add Evolix GPG key copy: src: reg.asc - dest: /etc/apt/trusted.gpg.d/reg.asc + dest: "{{ apt_keyring_dir }}/reg.asc" force: yes mode: "0644" owner: root diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 3f713930..44496203 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -28,3 +28,5 @@ docker_tls_ca_key: ca/ca-key.pem docker_tls_cert: server/cert.pem docker_tls_key: server/key.pem docker_tls_csr: server/server.csr + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index b430de6f..861a352d 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -19,7 +19,7 @@ - name: Add Docker's official GPG key copy: src: docker-debian.asc - dest: /etc/apt/trusted.gpg.d/docker-debian.asc + dest: "{{ apt_keyring_dir }}/docker-debian.asc" force: yes mode: "0644" owner: root diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 2b891953..98b1a646 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -29,3 +29,5 @@ elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www" elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp" elasticsearch_additional_scripts_dir: /usr/share/scripts + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 826fee1e..5070d554 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index d75a23bf..497a3d2b 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -21,6 +21,8 @@ evolinux_apt_public_sources: True evolinux_apt_upgrade: True evolinux_apt_remove_aptitude: True +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" + # etc-evolinux evolinux_etcevolinux_include: True diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index fefb8177..9762825b 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -81,7 +81,7 @@ - name: HPE GPG key is installed copy: src: hpePublicKey2048_key1.asc - dest: /etc/apt/trusted.gpg.d/hpePublicKey2048_key1.asc + dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" force: yes mode: "0644" owner: root @@ -208,7 +208,7 @@ - name: HWRaid GPG key is installed copy: src: hwraid.le-vert.net.asc - dest: /etc/apt/trusted.gpg.d/hwraid.le-vert.net.asc + dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" force: yes mode: "0644" owner: root diff --git a/filebeat/defaults/main.yml b/filebeat/defaults/main.yml index deed1508..6538aab5 100644 --- a/filebeat/defaults/main.yml +++ b/filebeat/defaults/main.yml @@ -22,3 +22,5 @@ filebeat_use_config_template: False filebeat_update_config: True filebeat_force_config: True filebeat_upgrade_package: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index dd326cc8..d312a3fb 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/fluentd/defaults/main.yml b/fluentd/defaults/main.yml index 86475f51..18d9b0c7 100644 --- a/fluentd/defaults/main.yml +++ b/fluentd/defaults/main.yml @@ -10,3 +10,5 @@ fluentd_host_port: fluentd_flush_interval: fluentd_heartbeat_type: + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 282accf2..9248db97 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -21,7 +21,7 @@ - name: Add Fluentd GPG key copy: src: fluentd.asc - dest: /etc/apt/trusted.gpg.d/fluentd.asc + dest: "{{ apt_keyring_dir }}/fluentd.asc" force: yes mode: "0644" owner: root @@ -32,7 +32,7 @@ - name: Fluentd sources list is available apt_repository: - repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" + repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" filename: treasuredata update_cache: yes state: present diff --git a/jenkins/defaults/main.yml b/jenkins/defaults/main.yml new file mode 100644 index 00000000..bf1296d7 --- /dev/null +++ b/jenkins/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 8ed3d38c..54f1987e 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -20,7 +20,7 @@ - name: Add Jenkins GPG key copy: src: jenkins.asc - dest: /etc/apt/trusted.gpg.d/jenkins.asc + dest: "{{ apt_keyring_dir }}/jenkins.asc" force: yes mode: "0644" owner: root diff --git a/kibana/defaults/main.yml b/kibana/defaults/main.yml index 7107398c..900e579c 100644 --- a/kibana/defaults/main.yml +++ b/kibana/defaults/main.yml @@ -9,3 +9,5 @@ kibana_proxy_nginx: False kibana_proxy_domain: "kibana.{{ ansible_fqdn }}" kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index d0694094..1978e90e 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/logstash/defaults/main.yml b/logstash/defaults/main.yml index 7cc40e49..b42fc347 100644 --- a/logstash/defaults/main.yml +++ b/logstash/defaults/main.yml @@ -7,4 +7,6 @@ logstash_log_rotate_days: 365 logstash_custom_tmpdir: Null logstash_default_tmpdir: /var/lib/logstash/tmp logstash_log_syslog_enabled: True -logstash_config_force: True \ No newline at end of file +logstash_config_force: True + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 856ceba1..ccb2a1bc 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 5567c4d0..9b501b6c 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -30,4 +30,4 @@ lxc_php_services: php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' - +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 47039fe7..a6539bff 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -25,7 +25,7 @@ - name: copy pub.evolix.net GPG key copy: src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc mode: "0644" owner: root group: root @@ -33,7 +33,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg mode: "0644" owner: root group: root diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 8883cbcc..057f15fc 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -25,7 +25,7 @@ - name: copy pub.evolix.net GPG key copy: src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc mode: "0644" owner: root group: root @@ -33,7 +33,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg mode: "0644" owner: root group: root diff --git a/metricbeat/defaults/main.yml b/metricbeat/defaults/main.yml index 780a4ffd..f6eb2a3e 100644 --- a/metricbeat/defaults/main.yml +++ b/metricbeat/defaults/main.yml @@ -28,3 +28,5 @@ metricbeat_tags: Null # metricbeat_fields: # - "env: staging" metricbeat_fields: Null + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 8a009f7f..9f432ffe 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/mongodb/defaults/main.yml b/mongodb/defaults/main.yml index c118f588..667d68d5 100644 --- a/mongodb/defaults/main.yml +++ b/mongodb/defaults/main.yml @@ -7,4 +7,6 @@ mongodb_bind: 127.0.0.1 # otherwise it can disable important settings, like authorization :/ mongodb_force_config: False -mongodb_version: 4.4 \ No newline at end of file +mongodb_version: 4.4 + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index f97016ec..2a9a1c3a 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -21,7 +21,7 @@ - name: Add MongoDB GPG key copy: src: "server-{{mongodb_version}}.asc" - dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc" force: yes mode: "0644" owner: root diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index cf5ce2ae..8de5e447 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -15,7 +15,7 @@ - name: Add MongoDB GPG key copy: src: "server-{{mongodb_version}}.asc" - dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes mode: "0644" owner: root diff --git a/newrelic/defaults/main.yml b/newrelic/defaults/main.yml index cddbcb0b..3205e53b 100644 --- a/newrelic/defaults/main.yml +++ b/newrelic/defaults/main.yml @@ -5,3 +5,5 @@ newrelic_php: False newrelic_license: "" newrelic_appname: "" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index c27de24d..bd674f11 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -15,7 +15,7 @@ - name: Add NewRelic GPG key copy: src: newrelic.asc - dest: /etc/apt/trusted.gpg.d/newrelic.asc + dest: "{{ apt_keyring_dir }}/newrelic.asc" force: yes mode: "0644" owner: root diff --git a/nodejs/defaults/main.yml b/nodejs/defaults/main.yml index 8f36de49..a8adbb47 100644 --- a/nodejs/defaults/main.yml +++ b/nodejs/defaults/main.yml @@ -4,3 +4,5 @@ nodejs_apt_version: 'node_16.x' nodejs_install_yarn: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index 5ab49e70..d127f44f 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -32,7 +32,7 @@ - name: NodeJS GPG key is installed copy: src: nodesource.asc - dest: /etc/apt/trusted.gpg.d/nodesource.asc + dest: "{{ apt_keyring_dir }}/nodesource.asc" mode: "0644" owner: root group: root diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index e3dfe1da..6e38f019 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -25,7 +25,7 @@ - name: Yarn GPG key is installed copy: src: yarn.asc - dest: /etc/apt/trusted.gpg.d/yarn.asc + dest: "{{ apt_keyring_dir }}/yarn.asc" mode: "0644" owner: root group: root diff --git a/percona/defaults/main.yml b/percona/defaults/main.yml index 46a86904..316eccc9 100644 --- a/percona/defaults/main.yml +++ b/percona/defaults/main.yml @@ -2,3 +2,5 @@ percona__install_xtrabackup: True percona__xtrabackup_package_name: percona-xtrabackup-24 + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index 27544252..6dc319ff 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -18,7 +18,7 @@ - name: Add Percona GPG key copy: src: percona.asc - dest: /etc/apt/trusted.gpg.d/percona.asc + dest: "{{ apt_keyring_dir }}/percona.asc" force: yes mode: "0644" owner: root diff --git a/php/defaults/main.yml b/php/defaults/main.yml index 19040baf..2e633d0f 100644 --- a/php/defaults/main.yml +++ b/php/defaults/main.yml @@ -8,3 +8,5 @@ php_symfony_requirements: False php_modules_mysqlnd: False php_fpm_remove_default_pool: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 13dcc4ec..b528268a 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -3,7 +3,7 @@ - name: Setup deb.sury.org repository - Add GPG key copy: src: sury.gpg - dest: /etc/apt/trusted.gpg.d/sury.gpg + dest: "{{ apt_keyring_dir }}/sury.gpg" mode: "0644" owner: root group: root diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index dcdffb05..ffc3007c 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -20,3 +20,5 @@ locales_default: fr_FR.UTF-8 # PostGIS postgresql_install_postgis: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 38f21079..b6315f37 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -23,7 +23,7 @@ - name: Add PGDG GPG key copy: src: postgresql.asc - dest: /etc/apt/trusted.gpg.d/postgresql.asc + dest: "{{ apt_keyring_dir }}/postgresql.asc" force: yes mode: "0644" owner: root From 28540247f080097d7201fd63d751033d03cad937 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Nov 2022 23:17:08 +0100 Subject: [PATCH 27/72] Add signed-by option for additional APT sources --- CHANGELOG.md | 3 ++- apt/templates/evolix_public.list.j2 | 2 +- docker-host/tasks/main.yml | 2 +- elasticsearch/tasks/packages.yml | 2 +- evolinux-base/tasks/hardware.yml | 4 ++-- filebeat/tasks/main.yml | 2 +- jenkins/tasks/main.yml | 2 +- kibana/tasks/main.yml | 2 +- logstash/tasks/main.yml | 2 +- lxc-php/tasks/php80.yml | 4 ++-- lxc-php/tasks/php81.yml | 4 ++-- metricbeat/tasks/main.yml | 2 +- mongodb/tasks/main_bullseye.yml | 2 +- mongodb/tasks/main_buster.yml | 2 +- newrelic/tasks/sources.yml | 2 +- nodejs/tasks/main.yml | 2 +- nodejs/tasks/yarn.yml | 2 +- php/tasks/sury_pre.yml | 2 +- postgresql/tasks/pgdg-repo.yml | 2 +- 19 files changed, 23 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a9a7496..be0903af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* Use proper keyrings directory for APT version +* all: Use proper keyrings directory for APT version +* all: Add signed-by option for additional APT sources * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 06de99c0..be7b45e8 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,3 +1,3 @@ # {{ ansible_managed }} -deb http://pub.evolix.net/ {{ ansible_distribution_release }}/ +deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/ diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 861a352d..1262dd03 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -27,7 +27,7 @@ - name: Add Docker repository apt_repository: - repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + repo: 'deb [arch=amd64 signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' state: present filename: docker.list diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 5070d554..bb5b99da 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 9762825b..146cf455 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -91,7 +91,7 @@ - name: Add HPE repository apt_repository: - repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' + repo: 'deb [signed-by={{ apt_keyring_dir }}/hpePublicKey2048_key1.asc] https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' state: present tags: - packages @@ -219,7 +219,7 @@ - name: Add HW tool repository apt_repository: - repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' + repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' state: present tags: - packages diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index d312a3fb..cde924b1 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 54f1987e..4346ef1e 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -28,7 +28,7 @@ - name: Add jenkins APT repository apt_repository: - repo: deb http://pkg.jenkins-ci.org/debian-stable binary/ + repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/ filename: jenkins update_cache: yes diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 1978e90e..5e9b0016 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index ccb2a1bc..9ead6db2 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index a6539bff..b0ff90fe 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -19,8 +19,8 @@ create: yes mode: "0644" loop: - - "deb https://packages.sury.org/php/ bullseye main" - - "deb http://pub.evolix.net/ bullseye-php80/" + - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php80/" - name: copy pub.evolix.net GPG key copy: diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 057f15fc..91dc38e1 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -19,8 +19,8 @@ create: yes mode: "0644" loop: - - "deb https://packages.sury.org/php/ bullseye main" - - "deb http://pub.evolix.net/ bullseye-php81/" + - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php81/" - name: copy pub.evolix.net GPG key copy: diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 9f432ffe..021b4ae2 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 2a9a1c3a..4c654ae6 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -29,7 +29,7 @@ - name: enable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index 8de5e447..d2d96a3f 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -23,7 +23,7 @@ - name: enable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{mongodb_version}} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index bd674f11..ad3545ae 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -23,7 +23,7 @@ - name: Install NewRelic repository apt_repository: - repo: "deb http://apt.newrelic.com/debian/ newrelic non-free" + repo: "deb [signed-by={{ apt_keyring_dir }}/newrelic.asc] http://apt.newrelic.com/debian/ newrelic non-free" state: present filename: newrelic update_cache: yes diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index d127f44f..cdd733f2 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -43,7 +43,7 @@ - name: NodeJS sources list ({{ nodejs_apt_version }}) is available apt_repository: - repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" filename: nodesource update_cache: yes state: present diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index 6e38f019..f4f2dc37 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -37,7 +37,7 @@ - name: Yarn sources list is available apt_repository: - repo: "deb https://dl.yarnpkg.com/debian/ stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/yarn.asc] https://dl.yarnpkg.com/debian/ stable main" filename: yarn update_cache: yes state: present diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index b528268a..eca1d4d6 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -20,7 +20,7 @@ - name: Setup deb.sury.org repository - Add source list apt_repository: - repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main" filename: sury state: present diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index b6315f37..69374502 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -31,7 +31,7 @@ - name: Add PGDG repository apt_repository: - repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" + repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" update_cache: yes - name: Add APT preference file From 573a6e1d97bb526b9285a4071d66e73b4c938972 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 3 Nov 2022 14:39:35 +0100 Subject: [PATCH 28/72] logstash: fix elastic signature --- logstash/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 9ead6db2..6b46ce69 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes From a1bf300d54c5335af64073d8e89c6d7c53d014b3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 5 Nov 2022 21:15:21 +0100 Subject: [PATCH 29/72] bookworm-detect: transitional role to help dealing with unreleased bookworm version --- CHANGELOG.md | 1 + bookworm-detect/tasks/main.yml | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 bookworm-detect/tasks/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 4546d4da..8b8f1bce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -463,6 +463,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* bookworm-detect: transitional role to help dealing with unreleased bookworm version * dovecot: Update munin plugin & configure it * dovecot: vmail uid/gid are configurable * evoacme: variable to disable Debian version check (default: False) diff --git a/bookworm-detect/tasks/main.yml b/bookworm-detect/tasks/main.yml new file mode 100644 index 00000000..47dfd623 --- /dev/null +++ b/bookworm-detect/tasks/main.yml @@ -0,0 +1,11 @@ +--- + +- debug: + var: ansible_lsb + +# Force facts until Debian 12 is released because Ansible is dumb +- set_fact: + ansible_distribution_major_version: 12 + ansible_distribution: "Debian" + ansible_distribution_release: "bookworm" + when: "ansible_lsb.codename == 'bookworm'" \ No newline at end of file From b36d4c4766bd106d45ad7348ae44854444a079a5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 6 Nov 2022 15:20:31 +0100 Subject: [PATCH 30/72] various fixes for Debian 12 --- CHANGELOG.md | 1 + apt/templates/bookworm_basics.list.j2 | 5 ++ mysql/tasks/main.yml | 36 ++++---- mysql/tasks/utils.yml | 15 +++- php/tasks/main.yml | 15 ++-- php/tasks/main_bookworm.yml | 108 ++++++++++++++++++++++++ postgresql/tasks/packages_bookworm.yml | 16 ++++ rabbitmq/tasks/nrpe.yml | 2 +- webapps/evoadmin-web/tasks/packages.yml | 8 ++ webapps/evoadmin-web/tasks/web.yml | 15 +++- 10 files changed, 190 insertions(+), 31 deletions(-) create mode 100644 apt/templates/bookworm_basics.list.j2 create mode 100644 php/tasks/main_bookworm.yml create mode 100644 postgresql/tasks/packages_bookworm.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 1bdfb87d..006d7a11 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * all: Use proper keyrings directory for APT version * all: Add signed-by option for additional APT sources +* all: preliminary work to support Debian 12 * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 diff --git a/apt/templates/bookworm_basics.list.j2 b/apt/templates/bookworm_basics.list.j2 new file mode 100644 index 00000000..1c6bc15b --- /dev/null +++ b/apt/templates/bookworm_basics.list.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian bookworm {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ bookworm-updates {{ apt_basics_components | mandatory }} +deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }} diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index a7c38808..70a972f3 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -4,44 +4,44 @@ set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" -- include: packages_stretch.yml +- include_tasks: packages_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include: packages_jessie.yml +- include_tasks: packages_jessie.yml when: ansible_distribution_release == "jessie" -## There is nothing to do with users on Debian 11 - yet we need a /root/.my.cnf for compatibility -- include: users_bullseye.yml - when: ansible_distribution_release == "bullseye" +## There is nothing to do with users on Debian 11+ - yet we need a /root/.my.cnf for compatibility +- include_tasks: users_bullseye.yml + when: ansible_distribution_major_version is version('11', '>=') -- include: users_buster.yml +- include_tasks: users_buster.yml when: ansible_distribution_release == "buster" -- include: users_stretch.yml +- include_tasks: users_stretch.yml when: ansible_distribution_release == "stretch" -- include: users_jessie.yml +- include_tasks: users_jessie.yml when: ansible_distribution_release == "jessie" -- include: config_stretch.yml +- include_tasks: config_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include: config_jessie.yml +- include_tasks: config_jessie.yml when: ansible_distribution_release == "jessie" -- include: replication.yml +- include_tasks: replication.yml when: mysql_replication | bool -- include: datadir.yml +- include_tasks: datadir.yml -- include: logdir.yml +- include_tasks: logdir.yml -- include: tmpdir.yml +- include_tasks: tmpdir.yml -- include: nrpe.yml +- include_tasks: nrpe.yml -- include: munin.yml +- include_tasks: munin.yml -- include: log2mail.yml +- include_tasks: log2mail.yml -- include: utils.yml +- include_tasks: utils.yml diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index e55b6361..1ac8f2df 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -17,7 +17,7 @@ # mytop -- name: "Install mytop (Debian 9)" +- name: "Install mytop (Debian 8)" apt: name: mytop state: present @@ -43,14 +43,23 @@ - libterm-readkey-perl when: ansible_distribution_release == "buster" -- name: "Install dependencies for mytop (Debian 11 or later)" +- name: "Install dependencies for mytop (Debian 11)" apt: name: - mariadb-client-10.5 - libconfig-inifiles-perl - libterm-readkey-perl - libdbd-mariadb-perl - when: ansible_distribution_major_version is version('11', '>=') + when: ansible_distribution_release == "bullseye" + +- name: "Install dependencies for mytop (Debian 12 or later)" + apt: + name: + - mariadb-client-10.6 + - libconfig-inifiles-perl + - libterm-readkey-perl + - libdbd-mariadb-perl + when: ansible_distribution_major_version is version('12', '=') - name: Read debian-sys-maint password (Debian < 11) shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' diff --git a/php/tasks/main.yml b/php/tasks/main.yml index 86bde74f..180712b2 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -4,17 +4,20 @@ that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') - - ansible_distribution_major_version is version('11', '<=') - msg: This is only compatible with Debian 8 → 11 + - ansible_distribution_major_version is version('12', '<=') + msg: This is only compatible with Debian 8 → 12 -- include: main_jessie.yml +- include_tasks: main_jessie.yml when: ansible_distribution_release == "jessie" -- include: main_stretch.yml +- include_tasks: main_stretch.yml when: ansible_distribution_release == "stretch" -- include: main_buster.yml +- include_tasks: main_buster.yml when: ansible_distribution_release == "buster" -- include: main_bullseye.yml +- include_tasks: main_bullseye.yml when: ansible_distribution_release == "bullseye" + +- include_tasks: main_bookworm.yml + when: ansible_distribution_release == "bookworm" diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml new file mode 100644 index 00000000..4dcde767 --- /dev/null +++ b/php/tasks/main_bookworm.yml @@ -0,0 +1,108 @@ +--- + +- name: "Set php version to 8.1 (Debian 12)" + set_fact: + php_version: "8.1" + +- name: "Set php config directories (Debian 12)" + set_fact: + php_cli_conf_dir: "/etc/php/{{ php_version }}/cli/conf.d" + php_apache_conf_dir: "/etc/php/{{ php_version }}/apache2/conf.d" + php_fpm_conf_dir: "/etc/php/{{ php_version }}/fpm/conf.d" + php_fpm_pool_dir: "/etc/php/{{ php_version }}/fpm/pool.d" + +- name: "Set php config files (Debian 12)" + set_fact: + php_cli_defaults_ini_file: "{{ php_cli_conf_dir }}/z-evolinux-defaults.ini" + php_cli_custom_ini_file: "{{ php_cli_conf_dir }}/zzz-evolinux-custom.ini" + php_apache_defaults_ini_file: "{{ php_apache_conf_dir }}/z-evolinux-defaults.ini" + php_apache_custom_ini_file: "{{ php_apache_conf_dir }}/zzz-evolinux-custom.ini" + php_fpm_defaults_ini_file: "{{ php_fpm_conf_dir }}/z-evolinux-defaults.ini" + php_fpm_custom_ini_file: "{{ php_fpm_conf_dir }}/zzz-evolinux-custom.ini" + php_fpm_debian_default_pool_file: "{{ php_fpm_pool_dir}}/www.conf" + php_fpm_default_pool_file: "{{ php_fpm_pool_dir}}/www-evolinux-defaults.conf" + php_fpm_default_pool_custom_file: "{{ php_fpm_pool_dir}}/www-evolinux-zcustom.conf" + php_fpm_default_pool_socket: "/var/run/php/php{{ php_version }}-fpm.sock" + php_fpm_service_name: "php{{ php_version }}-fpm" + +# Packages + +- name: "Set package list (Debian 12)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-sqlite3 + - php-curl + - php-ssh2 + - php-xml + - php-zip + - composer + - libphp-phpmailer + +- include: sury_pre.yml + when: php_sury_enable + +- name: "Install PHP packages (Debian 12)" + apt: + name: '{{ php_stretch_packages }}' + state: present + +- name: "Install mod_php packages (Debian 12)" + apt: + name: + - libapache2-mod-php + - php + state: present + when: php_apache_enable + +- name: "Install PHP FPM packages (Debian 12)" + apt: + name: + - php-fpm + - php + state: present + when: php_fpm_enable + +# Configuration + +- name: "Enforce permissions on PHP directory (Debian 12)" + file: + dest: "{{ item }}" + mode: "0755" + with_items: + - /etc/php + - /etc/php/{{ php_version }} + +- include: config_cli.yml +- name: "Enforce permissions on PHP cli directory (Debian 12)" + file: + dest: /etc/php/{{ php_version }}/cli + mode: "0755" + +- include: config_fpm.yml + when: php_fpm_enable + +- name: "Enforce permissions on PHP fpm directory (Debian 12)" + file: + dest: /etc/php/{{ php_version }}/fpm + mode: "0755" + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable + +- name: "Enforce permissions on PHP apache2 directory (Debian 12)" + file: + dest: /etc/php/{{ php_version }}/apache2 + mode: "0755" + when: php_apache_enable + +- include: sury_post.yml + when: php_sury_enable diff --git a/postgresql/tasks/packages_bookworm.yml b/postgresql/tasks/packages_bookworm.yml new file mode 100644 index 00000000..2a78b967 --- /dev/null +++ b/postgresql/tasks/packages_bookworm.yml @@ -0,0 +1,16 @@ +--- + +- name: "Set variables (Debian 12)" + set_fact: + postgresql_version: '15' + when: postgresql_version is none or postgresql_version | length == 0 + +- include: pgdg-repo.yml + when: postgresql_version != '15' + +- name: Install postgresql package + apt: + name: + - "postgresql-{{postgresql_version}}" + - pgtop + - libdbd-pg-perl diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index ba6b8d47..b2f2a3a8 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -34,7 +34,7 @@ group: root mode: "0755" force: yes - when: ansible_distribution_major_version is version('11', '==') + when: ansible_distribution_major_version is version('11', '>=') - name: check_rabbitmq is available for NRPE lineinfile: diff --git a/webapps/evoadmin-web/tasks/packages.yml b/webapps/evoadmin-web/tasks/packages.yml index e78f6c7b..1d0af87a 100644 --- a/webapps/evoadmin-web/tasks/packages.yml +++ b/webapps/evoadmin-web/tasks/packages.yml @@ -17,6 +17,14 @@ - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb' when: ansible_distribution_major_version is version('10', '=') +- name: Install PHP packages from sid (Debian 12) + apt: + deb: '{{ item }}' + state: present + loop: + - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.13.2-1_all.deb' + when: ansible_distribution_major_version is version('12', '=') + - name: Install PHP packages apt: name: diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 9778da4e..ea4019a3 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -16,7 +16,7 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache2 - when: ansible_distribution_major_version is version('9', '=') + when: ansible_distribution_release == "stretch" - name: "Set custom values for PHP config (Debian 10)" ini_file: @@ -25,7 +25,7 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache2 - when: ansible_distribution_major_version is version('10', '=') + when: ansible_distribution_release == "buster" - name: "Set custom values for PHP config (Debian 11)" ini_file: @@ -34,7 +34,16 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache2 - when: ansible_distribution_major_version is version('11', '=') + when: ansible_distribution_release == "bullseye" + +- name: "Set custom values for PHP config (Debian 11)" + ini_file: + dest: /etc/php/8.1/apache2/conf.d/zzz-evolinux-custom.ini + section: PHP + option: "disable_functions" + value: "shell-exec,system,passthru,putenv,popen" + notify: reload apache2 + when: ansible_distribution_release == "bookworm" - name: Install evoadmin VHost template: From 1fae737ac4ff0291c002395cfca4f2d9f7e85ba8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 6 Nov 2022 15:21:00 +0100 Subject: [PATCH 31/72] Use bullseye suite even for bookworm --- apt/templates/evolix_public.list.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index be7b45e8..e0bc0de7 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,3 +1,7 @@ # {{ ansible_managed }} +{% if ansible_distribution_release == "bookworm" %} +deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/ +{% else %} deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/ +{% endif %} \ No newline at end of file From 4050dbea7ae12f1e5c5f394505b489756df965ad Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 6 Nov 2022 15:24:12 +0100 Subject: [PATCH 32/72] packweb-apache: enable log_forensic module --- CHANGELOG.md | 3 ++- packweb-apache/tasks/apache.yml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 006d7a11..fdcbe65e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,8 +16,9 @@ The **patch** part changes is incremented if multiple releases happen the same m * all: Add signed-by option for additional APT sources * all: preliminary work to support Debian 12 * evolinux-base: replace regular kernel by cloud kernel on virtual servers -* nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 +* nagios-nrpe: check_haproxy_stats supports DRAIN status +* packweb-apache: enable log_forensic module * varnish: create special tmp directory for syntax validation ### Changed diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 57b360ce..96c11e3a 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -33,6 +33,7 @@ - include - negotiation - alias + - log_forensic - name: Copy Apache settings for modules copy: From faeb92230b679151cf0474756f19db63064191a9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 6 Nov 2022 15:24:54 +0100 Subject: [PATCH 33/72] packweb-apache: manual dependencies resolution --- CHANGELOG.md | 1 + packweb-apache/meta/main.yml | 17 +----- packweb-apache/tasks/dependencies.yml | 80 +++++++++++++++++++++++++++ packweb-apache/tasks/main.yml | 3 + 4 files changed, 86 insertions(+), 15 deletions(-) create mode 100644 packweb-apache/tasks/dependencies.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index fdcbe65e..b9642581 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,6 +31,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: download URL according to Solr Version * lxc-solr: set homedir and port at install * minifirewall: whitelist deb.freexian.com +* packweb-apache: manual dependencies resolution * redis: some values should be quoted * redis: variable to disable transparent hugepage (default: do nothing) * squid: whitelist deb.freexian.com diff --git a/packweb-apache/meta/main.yml b/packweb-apache/meta/main.yml index bbf086ce..47d29159 100644 --- a/packweb-apache/meta/main.yml +++ b/packweb-apache/meta/main.yml @@ -26,18 +26,5 @@ galaxy_info: allow_duplicates: true -dependencies: - - { role: evolix/apache } - - { role: evolix/php, php_apache_enable: True, when: packweb_apache_modphp } - - { role: evolix/php, php_fpm_enable: True, when: packweb_apache_fpm } - - { role: evolix/squid, squid_localproxy_enable: True } - - { role: evolix/mysql, when: packweb_mysql_variant == "debian" } - - { role: evolix/mysql-oracle, when: packweb_mysql_variant == "oracle" } - - { role: evolix/lxc-php, lxc_php_version: php56, lxc_php_create_mysql_link: True, when: "'php56' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php70, lxc_php_create_mysql_link: True, when: "'php70' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php73, lxc_php_create_mysql_link: True, when: "'php73' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php74, lxc_php_create_mysql_link: True, when: "'php74' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php80, lxc_php_create_mysql_link: True, when: "'php80' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php81, lxc_php_create_mysql_link: True, when: "'php81' in packweb_multiphp_versions" } - - { role: evolix/webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}", evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" } - - { role: evolix/evoacme } +dependencies: [] + diff --git a/packweb-apache/tasks/dependencies.yml b/packweb-apache/tasks/dependencies.yml new file mode 100644 index 00000000..0182654c --- /dev/null +++ b/packweb-apache/tasks/dependencies.yml @@ -0,0 +1,80 @@ +--- + +- import_role: + name: evolix/apache + +- import_role: + name: evolix/php + vars: + php_apache_enable: True + when: packweb_apache_modphp + +- import_role: + name: evolix/php + vars: + php_fpm_enable: True + when: packweb_apache_fpm + +- import_role: + name: evolix/squid + vars: + squid_localproxy_enable: True + +- import_role: + name: evolix/mysql + when: packweb_mysql_variant == "debian" + +- import_role: + name: evolix/mysql-oracle + when: packweb_mysql_variant == "oracle" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php56 + lxc_php_create_mysql_link: True + when: "'php56' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php70 + lxc_php_create_mysql_link: True + when: "'php70' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php73 + lxc_php_create_mysql_link: True + when: "'php73' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php74 + lxc_php_create_mysql_link: True + when: "'php74' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php80 + lxc_php_create_mysql_link: True + when: "'php80' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php81 + lxc_php_create_mysql_link: True + when: "'php81' in packweb_multiphp_versions" + +- import_role: + name: evolix/webapps/evoadmin-web + vars: + evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" + evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" + +- import_role: + name: evolix/evoacme \ No newline at end of file diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 5e2f9e92..ff3cd9a7 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -1,5 +1,8 @@ --- +- name: Dependencies are satisfied + include_tasks: dependencies.yml + - fail: msg: only compatible with Debian >= 8 when: From 9d120ee95818b2e9abfbff1bbd1e05ebf5d7ed1a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 6 Nov 2022 15:27:49 +0100 Subject: [PATCH 34/72] php: add restart handler for php8.1-fpm --- php/handlers/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 973c0069..079a14d5 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -19,3 +19,8 @@ service: name: php7.4-fpm state: restarted + +- name: restart php8.1-fpm + service: + name: php8.1-fpm + state: restarted From 83138f0a0ba58049c58d0ccd8937bdab2ae3901e Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Wed, 9 Nov 2022 17:05:54 +0100 Subject: [PATCH 35/72] nagios-nrpe: Correct port for check_opendkim --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b8f1bce..2f490d12 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed * evolinux-user: Fix sudoers privilege for check php\_fpm80 +* nagios-nrpe: Fix check opendkim for recent change in listening port ### Removed diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index dc6d09db..263fde10 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -51,7 +51,7 @@ command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211 -command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321 +command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891 command[check_bkctld_setup]=sudo /usr/sbin/bkctld check-setup command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails # "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails" From b797a5059a3202c8a0079103adfa6db9d11651b4 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 15 Nov 2022 11:06:47 +0100 Subject: [PATCH 36/72] nagios-nrpe: add ceph checks --- nagios-nrpe/files/plugins/check_ceph_df | 232 +++++++++++++++++++ nagios-nrpe/files/plugins/check_ceph_health | 200 ++++++++++++++++ nagios-nrpe/files/plugins/check_ceph_mds | 188 +++++++++++++++ nagios-nrpe/files/plugins/check_ceph_mgr | 188 +++++++++++++++ nagios-nrpe/files/plugins/check_ceph_mon | 163 +++++++++++++ nagios-nrpe/files/plugins/check_ceph_osd | 154 ++++++++++++ nagios-nrpe/files/plugins/check_ceph_osd_db | 152 ++++++++++++ nagios-nrpe/files/plugins/check_ceph_osd_df | 153 ++++++++++++ nagios-nrpe/files/plugins/check_ceph_rgw | 118 ++++++++++ nagios-nrpe/files/plugins/check_ceph_rgw_api | 116 ++++++++++ 10 files changed, 1664 insertions(+) create mode 100755 nagios-nrpe/files/plugins/check_ceph_df create mode 100755 nagios-nrpe/files/plugins/check_ceph_health create mode 100755 nagios-nrpe/files/plugins/check_ceph_mds create mode 100755 nagios-nrpe/files/plugins/check_ceph_mgr create mode 100755 nagios-nrpe/files/plugins/check_ceph_mon create mode 100755 nagios-nrpe/files/plugins/check_ceph_osd create mode 100755 nagios-nrpe/files/plugins/check_ceph_osd_db create mode 100755 nagios-nrpe/files/plugins/check_ceph_osd_df create mode 100755 nagios-nrpe/files/plugins/check_ceph_rgw create mode 100755 nagios-nrpe/files/plugins/check_ceph_rgw_api diff --git a/nagios-nrpe/files/plugins/check_ceph_df b/nagios-nrpe/files/plugins/check_ceph_df new file mode 100755 index 00000000..0f798aa1 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_df @@ -0,0 +1,232 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import os +import subprocess +import sys + +__version__ = '1.7.1' + +# default ceph values +CEPH_COMMAND = '/usr/bin/ceph' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph df' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-n','--name', help='ceph client name') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-p','--pool', help='ceph pool name') + parser.add_argument('-d','--detail', help="show pool details on warn and critical", action='store_true') + parser.add_argument('-W','--warn', help="warn above this percent RAW USED", type=float) + parser.add_argument('-C','--critical', help="critical alert above this percent RAW USED", type=float) + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + args = parser.parse_args() + + # validate args + ceph_exec = args.exe if args.exe else CEPH_COMMAND + if not os.path.exists(ceph_exec): + print("ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + if not args.warn or not args.critical or args.warn > args.critical: + print("ERROR: warn and critical level must be set and critical must be greater than warn") + return STATUS_UNKNOWN + + # build command + ceph_df = [ceph_exec] + if args.monaddress: + ceph_df.append('-m') + ceph_df.append(args.monaddress) + if args.conf: + ceph_df.append('-c') + ceph_df.append(args.conf) + if args.id: + ceph_df.append('--id') + ceph_df.append(args.id) + if args.name: + ceph_df.append('--name') + ceph_df.append(args.name) + if args.keyring: + ceph_df.append('--keyring') + ceph_df.append(args.keyring) + ceph_df.append('df') + + #print ceph_df + + # exec command + p = subprocess.Popen(ceph_df,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + # parse output + # print "DEBUG: output:", output + # print "DEBUG: err:", err + if output: + output = output.decode('utf-8') + # parse output + # if detail switch was not set only show global values and compare to warning and critical + # otherwise show space for pools too + result=output.splitlines() + # values for GLOBAL are in 3rd line of output + globalline = result[2] + globalvals = globalline.split() + # Luminous vs Minic output (27.3TiB vs 27.3 TiB) + if len(globalvals) == 7: + gv = [] + gv.append("{}{}".format(globalvals[0], globalvals[1])) + gv.append("{}{}".format(globalvals[2], globalvals[3])) + gv.append("{}{}".format(globalvals[4], globalvals[5])) + gv.append(globalvals[6]) + globalvals = gv + #print "XXX: globalvals: {} {}".format(len(globalvals), globalvals) + # Nautilus output + if len(globalvals) == 10: + gv = [] + gv.append("{}{}".format(globalvals[1], globalvals[2])) + gv.append("{}{}".format(globalvals[3], globalvals[4])) + gv.append("{}{}".format(globalvals[5], globalvals[6])) + gv.append(globalvals[9]) + globalvals = gv + #print "XXX: globalvals: {} {}".format(len(globalvals), globalvals) + + # prepare pool values + # pool output starts in line 4 with the bare word POOLS: followed by the output + poollines = result[3:] + + if args.pool: + for line in poollines: + if args.pool in line: + poolvals = line.split() + # Luminous vs Minic output (27.3TiB vs 27.3 TiB) + if len(poolvals) == 8: + pv = [] + pv.append(poolvals[0]) # NAME + pv.append(poolvals[1]) # ID + pv.append("{}{}".format(poolvals[2], poolvals[3])) # USED 27.3 TiB + pv.append(poolvals[4]) # %USED + pv.append("{}{}".format(poolvals[5], poolvals[6])) # MAX AVAIL 27.3 TiB + # pv.append(poolvals[7]) # OBJECTS + poolvals = pv + #print "XXX: poolvals: {} {}".format(len(poolvals), poolvals) + # Nautilus output + if len(poolvals) == 10: + pv = [] + pv.append(poolvals[0]) # NAME + pv.append(poolvals[1]) # ID + pv.append("{}{}".format(poolvals[2], poolvals[3])) # USED 27.3 TiB + pv.append(poolvals[7]) # %USED + pv.append("{}{}".format(poolvals[8], poolvals[9])) # MAX AVAIL 27.3 TiB + # pv.append(poolvals[7]) # OBJECTS, not used + poolvals = pv + #print "XXX: poolvals: {} {}".format(len(poolvals), poolvals) + # Octopus >= v15.2.8 (pgs added to ceph-df) + if len(poolvals) == 11: + pv = [] + pv.append(poolvals[0]) # NAME + pv.append(poolvals[1]) # ID + #pv.append(poolvals[2]) # PGS, not used + pv.append("{}{}".format(poolvals[3], poolvals[4])) # USED 27.3 TiB + pv.append(poolvals[8]) # %USED + pv.append("{}{}".format(poolvals[9], poolvals[10])) # MAX AVAIL 27.3 TiB + # pv.append(poolvals[7]) # OBJECTS, not used + poolvals = pv + #print "XXX: poolvals: {} {}".format(len(poolvals), poolvals) + + + pool_used = poolvals[2] + pool_usage_percent = float(poolvals[3]) + pool_available_space = poolvals[4] + # pool_objects = float(poolvals[5]) # not used + + if pool_usage_percent > args.critical: + print('CRITICAL: %s%% usage in Pool \'%s\' is above %s%% (%s used) | Usage=%s%%;%s;%s;;' % (pool_usage_percent, args.pool, args.critical, pool_used, pool_usage_percent, args.warn, args.critical)) + return STATUS_ERROR + if pool_usage_percent > args.warn: + print('WARNING: %s%% usage in Pool \'%s\' is above %s%% (%s used) | Usage=%s%%;%s;%s;;' % (pool_usage_percent, args.pool, args.warn, pool_used, pool_usage_percent, args.warn, args.critical)) + return STATUS_WARNING + else: + print('%s%% usage in Pool \'%s\' | Usage=%s%%;%s;%s;;' % (pool_usage_percent, args.pool, pool_usage_percent, args.warn, args.critical)) + return STATUS_OK + else: + # print 'DEBUG:', globalvals + # finally 4th element contains percentual value + # print 'DEBUG USAGE:', globalvals[3] + global_usage_percent = float(globalvals[3]) + global_available_space = globalvals[1] + global_total_space = globalvals[0] + # print 'DEBUG WARNLEVEL:', args.warn + # print 'DEBUG CRITICALLEVEL:', args.critical + if global_usage_percent > args.critical: + if args.detail: + poollines.insert(0, '\n') + poolout = '\n '.join(poollines) + else: + poolout = '' + print('CRITICAL: global RAW usage of %s%% is above %s%% (%s of %s free)%s | Usage=%s%%;%s;%s;;' % (global_usage_percent, args.critical, global_available_space, global_total_space, poolout, global_usage_percent, args.warn, args.critical)) + return STATUS_ERROR + elif global_usage_percent > args.warn: + if args.detail: + poollines.insert(0, '\n') + poolout = '\n '.join(poollines) + else: + poolout = '' + print('WARNING: global RAW usage of %s%% is above %s%% (%s of %s free)%s | Usage=%s%%;%s;%s;;' % (global_usage_percent, args.warn, global_available_space, global_total_space, poolout, global_usage_percent, args.warn, args.critical)) + return STATUS_WARNING + else: + print('RAW usage %s%% | Usage=%s%%;%s;%s;;' % (global_usage_percent, global_usage_percent, args.warn, args.critical)) + return STATUS_OK + + #for + elif err: + # read only first line of error + one_line = err.split('\n')[0] + if '-1 ' in one_line: + idx = one_line.rfind('-1 ') + print('ERROR: %s: %s' % (ceph_exec, one_line[idx+len('-1 '):])) + else: + print(one_line) + + return STATUS_UNKNOWN + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_health b/nagios-nrpe/files/plugins/check_ceph_health new file mode 100755 index 00000000..ede44914 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_health @@ -0,0 +1,200 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013-2016 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import os +import subprocess +import sys +import re +import json + +__version__ = '1.7.0' + +# default ceph values +CEPH_ADM_COMMAND = '/usr/sbin/cephadm' +CEPH_COMMAND = '/usr/bin/ceph' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph health' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-A','--admexe', help='cephadm executable [%s]' % CEPH_ADM_COMMAND) + parser.add_argument('--cluster', help='ceph cluster name') + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-n','--name', help='ceph client name') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('--check', help='regexp of which check(s) to check (luminous+) ' + "Can be inverted, e.g. '^((?!(PG_DEGRADED|OBJECT_MISPLACED)$).)*$'") + parser.add_argument('-w','--whitelist', help='whitelist regexp for ceph health warnings') + parser.add_argument('-d','--detail', help="exec 'ceph health detail'", action='store_true') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + parser.add_argument('-a','--cephadm', help='uses cephadm to execute the command', action='store_true') + parser.add_argument('-s','--skip-muted', help='skip muted checks', action='store_true') + args = parser.parse_args() + + # validate args + cephadm_exec = args.admexe if args.admexe else CEPH_ADM_COMMAND + ceph_exec = args.exe if args.exe else CEPH_COMMAND + + if args.cephadm: + if not os.path.exists(cephadm_exec): + print("ERROR: cephadm executable '%s' doesn't exist" % cephadm_exec) + return STATUS_UNKNOWN + else: + if not os.path.exists(ceph_exec): + print("ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + # build command + ceph_health = [ceph_exec] + + if args.cephadm: + # Prepend the command with the cephadm binary and the shell command + ceph_health = [cephadm_exec, 'shell'] + ceph_health + + if args.monaddress: + ceph_health.append('-m') + ceph_health.append(args.monaddress) + if args.cluster: + ceph_health.append('--cluster') + ceph_health.append(args.cluster) + if args.conf: + ceph_health.append('-c') + ceph_health.append(args.conf) + if args.id: + ceph_health.append('--id') + ceph_health.append(args.id) + if args.name: + ceph_health.append('--name') + ceph_health.append(args.name) + if args.keyring: + ceph_health.append('--keyring') + ceph_health.append(args.keyring) + ceph_health.append('health') + if args.detail: + ceph_health.append('detail') + + ceph_health.append('--format') + ceph_health.append('json') + #print(ceph_health) + + # exec command + p = subprocess.Popen(ceph_health,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + try: + output = json.loads(output) + except ValueError: + output = dict() + + # parse output + # print "output:", output + #print "err:", err + if output: + ret = STATUS_OK + msg = "" + extended = [] + if 'checks' in output: + #luminous + for check,status in output['checks'].items(): + # skip check if not selected + if args.check and not re.search(args.check, check): + continue + + if args.skip_muted and ('muted' in status and status['muted']): + continue + + check_detail = "%s( %s )" % (check, status['summary']['message']) + + if status["severity"] == "HEALTH_ERR": + extended.append(msg) + msg = "CRITICAL: %s" % check_detail + ret = STATUS_ERROR + continue + + if args.whitelist and re.search(args.whitelist,status['summary']['message']): + continue + + check_msg = "WARNING: %s" % check_detail + if not msg: + msg = check_msg + ret = STATUS_WARNING + else: + extended.append(check_msg) + else: + #pre-luminous + for status in output["summary"]: + if status != "HEALTH_OK": + if status == "HEALTH_ERROR": + msg = "CRITICAL: %s" % status['summary'] + ret = STATUS_ERROR + continue + + if args.whitelist and re.search(args.whitelist,status['summary']): + continue + + if not msg: + msg = "WARNING: %s" % status['summary'] + ret = STATUS_WARNING + else: + extended.append("WARNING: %s" % status['summary']) + + if msg: + print(msg) + else: + print("HEALTH OK") + if extended: print('\n'.join(extended)) + return ret + + + elif err: + # read only first line of error + one_line = err.split('\n')[0] + if '-1 ' in one_line: + idx = one_line.rfind('-1 ') + print('ERROR: %s: %s' % (ceph_exec, one_line[idx+len('-1 '):])) + else: + print(one_line) + + return STATUS_UNKNOWN + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_mds b/nagios-nrpe/files/plugins/check_ceph_mds new file mode 100755 index 00000000..4e654c05 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_mds @@ -0,0 +1,188 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013 Catalyst IT http://www.catalyst.net.nz +# Copyright (c) 2015 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +from __future__ import print_function +import argparse +import socket +import os +import re +import subprocess +import sys +import json + +__version__ = '1.6.0' + +# default ceph values +CEPH_EXEC = '/usr/bin/ceph' +CEPH_COMMAND = 'mds stat -f json' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + # parse args + parser = argparse.ArgumentParser(description="'ceph mds stat' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_EXEC) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor to use for queries (address[:port])') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + parser.add_argument('-n','--name', help='mds daemon name', required=True) + parser.add_argument('-f','--filesystem', help='mds filesystem name', required=True) + args = parser.parse_args() + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + # validate args + ceph_exec = args.exe if args.exe else CEPH_EXEC + if not os.path.exists(ceph_exec): + print("MDS ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.conf and not os.path.exists(args.conf): + print("MDS ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("MDS ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + # build command + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + ceph_cmd.extend(CEPH_COMMAND.split(' ')) + + # exec command + p = subprocess.Popen(ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if p.returncode != 0 or not output: + print("MDS ERROR: %s" % err) + return STATUS_ERROR + + # load json output and parse + mds_stat = None + try: + mds_stat = json.loads(output) + except Exception as e: + print("MDS ERROR: could not parse '%s' output: %s: %s" % (CEPH_COMMAND,output,e)) + return STATUS_UNKNOWN + + return check_target_mds(mds_stat, args.filesystem, args.name) + +def check_target_mds(mds_stat, fs_name, name): + # find mds from standby list + standby_mdss = _get_standby_mds(mds_stat) + for mds in standby_mdss: + if mds.get_name() == name: + print("MDS OK: %s" % (mds)) + return STATUS_OK + + # find mds from active list + active_mdss = _get_active_mds(mds_stat, fs_name) + + if active_mdss: + for mds in active_mdss: + if mds.get_name() != name: + continue + # target mds in active list + print("MDS %s: %s" % ("WARN" if mds.is_laggy() else "OK", mds)) + return STATUS_WARNING if mds.is_laggy() else STATUS_OK + + # mds not found + print("MDS ERROR: MDS '%s' is not found (offline?)" % (name)) + return STATUS_ERROR + else: + # fs not found in map, perhaps user input error + print("MDS ERROR: FS '%s' is not found in fsmap" % (fs_name)) + return STATUS_ERROR + +def _get_standby_mds(mds_stat): + mds_array = [] + for mds in mds_stat['fsmap']['standbys']: + name = mds['name'] + state = mds['state'] + laggy_since = mds['laggy_since'] if 'laggy_since' in mds else None + mds_array.append(MDS(name, state)) + + return mds_array + +def _get_active_mds(mds_stat, fs_name): + mds_fs = mds_stat['fsmap']['filesystems'] + + # find filesystem in stat + for i in range(len(mds_fs)): + mdsmap = mds_fs[i]['mdsmap'] + if mdsmap['fs_name'] != fs_name: + continue + # put mds to array + mds_array = [] + infos = mds_stat['fsmap']['filesystems'][i]['mdsmap']['info'] + for gid in infos: + name = infos[gid]['name'] + state = infos[gid]['state'] + laggy_since = infos[gid]['laggy_since'] if 'laggy_since' in infos[gid] else None + mds_array.append(MDS(name, state, laggy_since)) + + return mds_array + + # no fs found + return None + +class MDS(object): + def __init__(self, name, state, laggy_since=None): + self.name = name + self.state = state + self.laggy_since = laggy_since + + def get_name(self): + return self.name + + def get_state(self): + return self.state + + def is_laggy(self): + return self.laggy_since is not None + + def __str__(self): + msg = "MDS '%s' is %s" % (self.name, self.state) + if self.laggy_since is not None: + msg += " (laggy or crashed)" + return msg + +# main +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_mgr b/nagios-nrpe/files/plugins/check_ceph_mgr new file mode 100755 index 00000000..019e4a3f --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_mgr @@ -0,0 +1,188 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2018 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import os +import subprocess +import sys +import json + +__version__ = '1.0.0' + +# default ceph values +CEPH_EXEC = '/usr/bin/ceph' +CEPH_COMMAND = 'mgr dump -f json' + +CEPH_MGR_DUMP_EXAMPLE = ''' +$ ceph --version +ceph version 12.2.7 (3ec878d1e53e1aeb47a9f619c49d9e7c0aa384d5) luminous (stable) +$ ceph mgr dump -f json|jq . +{ + "epoch": 165, + "active_gid": 248001409, + "active_name": "zhdk0013", + "active_addr": "10.10.10.9:6800/810408", + "available": true, + "standbys": [ + { + "gid": 247991934, + "name": "zhdk0009", + "available_modules": [ + "balancer", + "dashboard", + "influx", + "localpool", + "prometheus", + "restful", + "selftest", + "status", + "zabbix" + ] + }, + { + "gid": 248011196, + "name": "zhdk0025", + "available_modules": [ + "balancer", + "dashboard", + "influx", + "localpool", + "prometheus", + "restful", + "selftest", + "status", + "zabbix" + ] + } + ], + "modules": [ + "balancer", + "restful", + "status" + ], + "available_modules": [ + "balancer", + "dashboard", + "influx", + "localpool", + "prometheus", + "restful", + "selftest", + "status", + "zabbix" + ], + "services": {} +} +''' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + + +def main(): + # parse args + parser = argparse.ArgumentParser(description="'ceph mgr dump' nagios plugin.") + parser.add_argument('-e', '--exe', help='ceph executable [%s]' % CEPH_EXEC) + parser.add_argument('-c', '--conf', help='alternative ceph conf file') + parser.add_argument('-m', '--monaddress', help='ceph monitor to use for queries (address[:port])') + parser.add_argument('-i', '--id', help='ceph client id') + parser.add_argument('-n', '--name', help='ceph client name') + parser.add_argument('-k', '--keyring', help='ceph client keyring file') + parser.add_argument('-V', '--version', help='show version and exit', action='store_true') + args = parser.parse_args() + + if args.version: + print("version {}".format(__version__)) + return STATUS_OK + + # validate args + ceph_exec = args.exe if args.exe else CEPH_EXEC + if not os.path.exists(ceph_exec): + print("MGR ERROR: ceph executable '{}' doesn't exist".format(ceph_exec)) + return STATUS_UNKNOWN + + if args.conf and not os.path.exists(args.conf): + print("MGR ERROR: ceph conf file '{}' doesn't exist".format(args.conf)) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("MGR ERROR: keyring file '{}' doesn't exist".format(args.keyring)) + return STATUS_UNKNOWN + + # build command + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.name: + ceph_cmd.append('--name') + ceph_cmd.append(args.name) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + ceph_cmd.extend(CEPH_COMMAND.split(' ')) + + # exec command + p = subprocess.Popen(ceph_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + output, err = p.communicate() + + if p.returncode != 0 or not output: + print("MGR ERROR: {}".format(err)) + return STATUS_UNKNOWN + + # load json output and parse + mgr_dump = None + try: + mgr_dump = json.loads(output) + except Exception as e: + print("MGR ERROR: could not parse '{}' output: {}: {}".format(ceph_cmd, output, e)) + return STATUS_UNKNOWN + + # check active + if 'active_name' not in mgr_dump: + print("MGR CRITICAL: not active mgr found") + print("JSON: {}".format(json.dumps(mgr_dump))) + return STATUS_ERROR + + active_mgr_name = mgr_dump['active_name'] + # check standby + standby_mgr_names = [] + for standby_mgr in mgr_dump['standbys']: + standby_mgr_names.append(standby_mgr['name']) + + if len(standby_mgr_names) <= 0: + print("MGR WARN: active: {} but no standbys".format(active_mgr_name)) + return STATUS_WARNING + else: + print("MGR OK: active: {}, standbys: {}".format(active_mgr_name, + ", ".join(standby_mgr_names))) + return STATUS_OK + +# main +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_mon b/nagios-nrpe/files/plugins/check_ceph_mon new file mode 100755 index 00000000..db417676 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_mon @@ -0,0 +1,163 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013 Catalyst IT http://www.catalyst.net.nz +# Copyright (c) 2015 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import socket +import os +import re +import subprocess +import sys +import json + +__version__ = '1.5.0' + +# default ceph values +CEPH_EXEC = '/usr/bin/ceph' +CEPH_COMMAND = 'quorum_status' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +## +# ceph quorum_status output example +## +ceph_quorum_status_output_example = '''{ + "quorum_leader_name" : "s0001", + "monmap" : { + "mons" : [ + { + "name" : "s0001", + "addr" : "[2001:620:5ca1:8000::1001]:6789/0", + "rank" : 0 + }, + { + "name" : "s0003", + "addr" : "[2001:620:5ca1:8000::1003]:6789/0", + "rank" : 1 + } + ], + "created" : "2014-12-15 08:28:35.153650", + "epoch" : 2, + "modified" : "2014-12-15 08:28:40.371878", + "fsid" : "22348d2b-b69d-46cc-9a79-ca93cd6bae84" + }, + "quorum_names" : [ + "s0001", + "s0003" + ], + "quorum" : [ + 0, + 1 + ], + "election_epoch" : 24 +}''' + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph quorum_status' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_EXEC) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor to use for queries (address[:port])') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + parser.add_argument('-I','--monid', help='mon ID to be checked for availability') + args = parser.parse_args() + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + # validate args + ceph_exec = args.exe if args.exe else CEPH_EXEC + if not os.path.exists(ceph_exec): + print("MON ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.conf and not os.path.exists(args.conf): + print("MON ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("MON ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + if not args.monid: + print("MON ERROR: no MON ID given, use -I/--monid parameter") + return STATUS_UNKNOWN + + # build command + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + ceph_cmd.append(CEPH_COMMAND) + + # exec command + p = subprocess.Popen(ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if p.returncode != 0 or not output: + print("MON ERROR: %s" % err) + return STATUS_ERROR + + # load json output and parse + quorum_status = False + try: + quorum_status = json.loads(output) + except Exception as e: + print("MON ERROR: could not parse '%s' output: %s: %s" % (CEPH_COMMAND,output,e)) + return STATUS_UNKNOWN + + #print "XXX: quorum_status['quorum_names']:", quorum_status['quorum_names'] + + # do our checks + is_monitor = False + for mon in quorum_status['monmap']['mons']: + if mon['name'] == args.monid: + is_monitor = True + if not is_monitor: + print("MON WARN: mon '%s' is not in monmap: %s" % (args.monid,quorum_status['monmap']['mons'])) + return STATUS_WARNING + + in_quorum = args.monid in quorum_status['quorum_names'] + if in_quorum: + print("MON OK") + return STATUS_OK + else: + print("MON WARN: no MON '%s' found in quorum" % args.monid) + return STATUS_WARNING + +# main +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_osd b/nagios-nrpe/files/plugins/check_ceph_osd new file mode 100755 index 00000000..88a37488 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_osd @@ -0,0 +1,154 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013 Catalyst IT http://www.catalyst.net.nz +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# 1.5.2 (2019-06-16) Martin Seener: fixed regex to work with Ceph Nautilus (14.2.x) + +from __future__ import print_function +import argparse +import os +import re +import subprocess +import sys +import socket + +__version__ = '1.5.2' + +# default ceph values +CEPH_COMMAND = '/usr/bin/ceph' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph osd' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + parser.add_argument('-H','--host', help='osd host', required=True) + parser.add_argument('-I','--osdid', help='osd id', required=False) + parser.add_argument('-C','--crit', help='Number of failed OSDs to trigger critical (default=2)',type=int,default=2, required=False) + parser.add_argument('-o','--out', help='check osds that are set OUT', default=False, action='store_true', required=False) + args = parser.parse_args() + + # validate args + ceph_exec = args.exe if args.exe else CEPH_COMMAND + if not os.path.exists(ceph_exec): + print("OSD ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("OSD ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("OSD ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + if not args.osdid: + args.osdid = '[^ ]*' + + if not args.host: + print("OSD ERROR: no OSD hostname given") + return STATUS_UNKNOWN + + try: + addrinfo = socket.getaddrinfo(args.host, None, 0, socket.SOCK_STREAM) + args.host = addrinfo[0][-1][0] + if addrinfo[0][0] == socket.AF_INET6: + args.host = "[%s]" % args.host + except: + print('OSD ERROR: could not resolve %s' % args.host) + return STATUS_UNKNOWN + + + # build command + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + ceph_cmd.append('osd') + ceph_cmd.append('dump') + + # exec command + p = subprocess.Popen(ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + output = output.decode('utf8') + + if err or not output: + print("OSD ERROR: %s" % err) + return STATUS_ERROR + + # escape IPv4 host address + osd_host = args.host.replace('.', '\.') + # escape IPv6 host address + osd_host = osd_host.replace('[', '\[') + osd_host = osd_host.replace(']', '\]') + up = re.findall(r"^(osd\.%s) up.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + if args.out: + down = re.findall(r"^(osd\.%s) down.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + down_in = re.findall(r"^(osd\.%s) down[ ]+in.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + down_out = re.findall(r"^(osd\.%s) down[ ]+out.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + else: + down = re.findall(r"^(osd\.%s) down[ ]+in.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + down_in = down + down_out = re.findall(r"^(osd\.%s) down[ ]+out.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + + if down: + print("OSD %s: Down OSD%s on %s: %s" % ('CRITICAL' if len(down)>=args.crit else 'WARNING' ,'s' if len(down)>1 else '', args.host, " ".join(down))) + print("Up OSDs: " + " ".join(up)) + print("Down+In OSDs: " + " ".join(down_in)) + print("Down+Out OSDs: " + " ".join(down_out)) + print("| 'osd_up'=%d 'osd_down_in'=%d;;%d 'osd_down_out'=%d;;%d" % (len(up), len(down_in), args.crit, len(down_out), args.crit)) + if len(down)>=args.crit: + return STATUS_ERROR + else: + return STATUS_WARNING + + if up: + print("OSD OK") + print("Up OSDs: " + " ".join(up)) + print("Down+In OSDs: " + " ".join(down_in)) + print("Down+Out OSDs: " + " ".join(down_out)) + print("| 'osd_up'=%d 'osd_down_in'=%d;;%d 'osd_down_out'=%d;;%d" % (len(up), len(down_in), args.crit, len(down_out), args.crit)) + return STATUS_OK + + print("OSD WARN: no OSD.%s found on host %s" % (args.osdid, args.host)) + return STATUS_WARNING + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_osd_db b/nagios-nrpe/files/plugins/check_ceph_osd_db new file mode 100755 index 00000000..6a01836b --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_osd_db @@ -0,0 +1,152 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2020 Binero AB https://binero.com +# Copyright (c) 2013 Catalyst IT http://www.catalyst.net.nz +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import os +import re +import subprocess +import sys +import socket +import json + + +CEPH_COMMAND = '/usr/bin/ceph' + +STATUS_OK = 0 +STATUS_CRITICAL = 2 +STATUS_UNKNOWN = 3 + + +def main(): + parser = argparse.ArgumentParser(description="'ceph osd' nagios plugin.") + + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-H','--host', help='osd host', required=True) + parser.add_argument('-C','--critical', help='critical threshold', default=60) + + args = parser.parse_args() + + ceph_exec = args.exe if args.exe else CEPH_COMMAND + if not os.path.exists(ceph_exec): + print("UNKNOWN: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.conf and not os.path.exists(args.conf): + print("UNKNOWN: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("UNKNOWN: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + if not args.host: + print("UNKNOWN: no OSD hostname given") + return STATUS_UNKNOWN + + try: + addrinfo = socket.getaddrinfo(args.host, None, 0, socket.SOCK_STREAM) + args.host = addrinfo[0][-1][0] + if addrinfo[0][0] == socket.AF_INET6: + args.host = "[%s]" % args.host + except Exception: + print('UNKNOWN: could not resolve %s' % args.host) + return STATUS_UNKNOWN + + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + + ceph_cmd.append('osd') + ceph_cmd.append('dump') + + p = subprocess.Popen(ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if err or not output: + print("CRITICAL: %s" % err) + return STATUS_CRITICAL + + # escape IPv4 host address + osd_host = args.host.replace('.', '\.') + # escape IPv6 host address + osd_host = osd_host.replace('[', '\[') + osd_host = osd_host.replace(']', '\]') + + osds_up = re.findall(r"^(osd\.[^ ]*) up.*%s:" % (osd_host), output, re.MULTILINE) + + final_status = STATUS_OK + lines = [] + + for osd in osds_up: + daemon_ceph_cmd = [ceph_exec, '--format', 'json'] + daemon_ceph_cmd.append('daemon') + daemon_ceph_cmd.append(osd) + daemon_ceph_cmd.append('perf') + daemon_ceph_cmd.append('dump') + + p = subprocess.Popen(daemon_ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if err or not output: + print("CRITICAL: %s" % err) + return STATUS_CRITICAL + + try: + data = json.loads(output) + except Exception: + print("CRITICAL: failed to load json") + return STATUS_CRITICAL + + bluefs = data.get('bluefs', None) + + if not bluefs: + continue + + db_total_bytes = bluefs.get('db_total_bytes') + db_used_bytes = bluefs.get('db_used_bytes') + perc = (float(db_used_bytes) / float(db_total_bytes) * 100) + + if perc >= args.critical and final_status == STATUS_OK: + final_status = STATUS_CRITICAL + + lines.append("%s=%.2f%%" % (osd, perc)) + + if final_status == STATUS_OK: + print("OK: %s" % (' '.join(lines))) + else: + print("CRITICAL: %s" % (' '.join(lines))) + + return final_status + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_osd_df b/nagios-nrpe/files/plugins/check_ceph_osd_df new file mode 100755 index 00000000..fb1c2806 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_osd_df @@ -0,0 +1,153 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# check_ceph_osd_df - Check OSD DF output +# Copyright (c) 2020 noris network AG https://www.noris.de +# +# This plugin will not output perfdata as there is likely a lot of output +# which should be gathered using other tools. +# +# Parts based on code from check_ceph_df which is +# Copyright (c) 2013 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import os +import subprocess +import sys +import json +from operator import itemgetter + +# Semver +__version__ = '1.0.0' + +# default ceph values +CEPH_COMMAND = '/usr/bin/ceph' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph osd df' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-n','--name', help='ceph client name') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-W','--warn', help="warn above this percent USED", type=float) + parser.add_argument('-C','--critical', help="critical alert above this percent USED", type=float) + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + args = parser.parse_args() + + # validate args + ceph_exec = args.exe if args.exe else CEPH_COMMAND + if not os.path.exists(ceph_exec): + print("ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + if not args.warn or not args.critical or args.warn > args.critical: + print("ERROR: warn and critical level must be set and critical must be greater than warn") + return STATUS_UNKNOWN + + # build command + ceph_osd_df = [ceph_exec] + if args.monaddress: + ceph_osd_df.append('-m') + ceph_osd_df.append(args.monaddress) + if args.conf: + ceph_osd_df.append('-c') + ceph_osd_df.append(args.conf) + if args.id: + ceph_osd_df.append('--id') + ceph_osd_df.append(args.id) + if args.name: + ceph_osd_df.append('--name') + ceph_osd_df.append(args.name) + if args.keyring: + ceph_osd_df.append('--keyring') + ceph_osd_df.append(args.keyring) + ceph_osd_df.append('osd') + ceph_osd_df.append('df') + ceph_osd_df.append('--format=json') + + # exec command + p = subprocess.Popen(ceph_osd_df,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + # parse output + # print "DEBUG: output:", output + # print "DEBUG: err:", err + if output: + # parse output + try: + result = json.loads(output) + check_return_value = STATUS_OK + nodes_sorted = sorted(result["nodes"], key=itemgetter('utilization','id')) + + warn_crit_osds = [] + + for node in reversed(nodes_sorted): + if node["utilization"] >= args.warn and check_return_value is not STATUS_ERROR: + check_return_value = STATUS_WARNING + warn_crit_osds.append("{}={:04.2f}".format(node["name"], node["utilization"])) + + if node["utilization"] >= args.critical: + check_return_value = STATUS_ERROR + warn_crit_osds.append("{}={:04.2f}".format(node["name"], node["utilization"])) + + if check_return_value == STATUS_OK: + print("OK: All OSDs within limits") + return STATUS_OK + elif check_return_value == STATUS_WARNING: + print("WARNING: OSD usage above warn threshold: {:.4054}".format(", ".join(warn_crit_osds))) + return STATUS_WARNING + elif check_return_value == STATUS_ERROR: + print("CRITICAL: OSD usage above critical or warn threshold: {:.4041}".format(", ".join(warn_crit_osds))) + return STATUS_ERROR + except: + print("ERROR: {}".format(sys.exc_info()[0])) + return STATUS_UNKNOWN + elif err: + # read only first line of error + one_line = err.split('\n')[0] + if '-1 ' in one_line: + idx = one_line.rfind('-1 ') + print('ERROR: %s: %s' % (ceph_exec, one_line[idx+len('-1 '):])) + else: + print(one_line) + + return STATUS_UNKNOWN + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_rgw b/nagios-nrpe/files/plugins/check_ceph_rgw new file mode 100755 index 00000000..39773f79 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_rgw @@ -0,0 +1,118 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2014 Catalyst IT http://www.catalyst.net.nz +# Copyright (c) 2015 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +from __future__ import print_function +import argparse +import os +import re +import subprocess +import sys +import json + +__version__ = '1.5.1' + +# default ceph values +RGW_COMMAND = '/usr/bin/radosgw-admin' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'radosgw-admin bucket stats' nagios plugin.") + parser.add_argument('-d','--detail', help='output perf data for all buckets', action='store_true') + parser.add_argument('-B','--byte', help='output perf data in Byte instead of KB', action='store_true') + parser.add_argument('-e','--exe', help='radosgw-admin executable [%s]' % RGW_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-n','--name', help='ceph client name (type.id)') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + args = parser.parse_args() + + # validate args + rgw_exec = args.exe if args.exe else RGW_COMMAND + if not os.path.exists(rgw_exec): + print("RGW ERROR: radosgw-admin executable '%s' doesn't exist" % rgw_exec) + return STATUS_UNKNOWN + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("RGW ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + # build command + rgw_cmd = [rgw_exec] + if args.conf: + rgw_cmd.append('-c') + rgw_cmd.append(args.conf) + if args.id: + rgw_cmd.append('--id') + rgw_cmd.append(args.id) + if args.name: + rgw_cmd.append('-n') + rgw_cmd.append(args.name) + rgw_cmd.append('bucket') + rgw_cmd.append('stats') + + # exec command + p = subprocess.Popen(rgw_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if p.returncode != 0 or not output: + print("RGW ERROR: %s :: %s" % (output, err)) + return STATUS_ERROR + + bucket_stats = json.loads(output) + #print bucket_stats + + buckets = [] + for i in bucket_stats: + if type(i) is dict: + bucket_name = i['bucket'] + usage_dict = i['usage'] + if usage_dict and 'rgw.main' in usage_dict: + bucket_usage_kb = usage_dict['rgw.main']['size_kb_actual'] + else: + bucket_usage_kb = 0 + buckets.append((bucket_name, bucket_usage_kb)) + buckets_total_kb = sum([b[1] for b in buckets]) + + if args.byte: + status = "RGW OK: {} buckets, {} KB total | /={}B ".format(len(buckets),buckets_total_kb,buckets_total_kb*1024) + else: + status = "RGW OK: {} buckets, {} KB total | /={}KB ".format(len(buckets),buckets_total_kb,buckets_total_kb) + #print buckets + if buckets and args.detail: + if args.byte: + status = status + " ".join(["{}={}B".format(b[0],b[1]*1024) for b in buckets]) + else: + status = status + " ".join(["{}={}KB".format(b[0],b[1]) for b in buckets]) + + print(status) + return STATUS_OK + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_rgw_api b/nagios-nrpe/files/plugins/check_ceph_rgw_api new file mode 100755 index 00000000..1235f98d --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_rgw_api @@ -0,0 +1,116 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2014 Catalyst IT http://www.catalyst.net.nz +# Copyright (c) 2015 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import print_function +import requests +import warnings +import json +import argparse +import sys +from awsauth import S3Auth + +__version__ = '1.7.2' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_CRITICAL = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'radosgw api bucket stats' nagios plugin.") + parser.add_argument('-H', '--host', help="Server URL for the radosgw api (example: http://objects.dreamhost.com/)", required=True) + parser.add_argument('-k', '--insecure', help="Allow insecure server connections when using SSL", action="store_false") + parser.add_argument('-e', '--admin_entry', help="The entry point for an admin request URL [default is '%(default)s']", default="admin") + parser.add_argument('-a', '--access_key', help="S3 access key", required=True) + parser.add_argument('-s', '--secret_key', help="S3 secret key", required=True) + parser.add_argument('-d', '--detail', help="output perf data for all buckets", action="store_true") + parser.add_argument('-b', '--byte', help="output perf data in Byte instead of KB", action="store_true") + parser.add_argument('-v', '--version', help='show version and exit', action="store_true") + args = parser.parse_args() + + if args.version: + print("version {0}".format(__version__)) + return STATUS_OK + + # helpers for default schema + if not args.host.startswith("http"): + args.host = "http://{0}".format(args.host) + # and for request_uri + if not args.host.endswith("/"): + args.host = "{0}/".format(args.host) + + url = "{0}{1}/bucket?format=json&stats=True".format(args.host, + args.admin_entry) + + try: + # Inversion of condition, when '--insecure' is defined we disable + # requests warning about certificate hostname mismatch. + if not args.insecure: + warnings.filterwarnings('ignore', message='Unverified HTTPS request') + + response = requests.get(url, verify=args.insecure, + auth=S3Auth(args.access_key, args.secret_key, + args.host)) + + if response.status_code == requests.codes.ok: + bucket_stats = response.json() + else: + # no usage caps or wrong admin entry + print("RGW ERROR [{0}]: {1}".format(response.status_code, + response.content.decode('utf-8'))) + return STATUS_WARNING + +# DNS, connection errors, etc + except requests.exceptions.RequestException as e: + print("RGW ERROR: {0}".format(e)) + return STATUS_UNKNOWN + + #print(bucket_stats) + buckets = [] + for i in bucket_stats: + if type(i) is dict: + bucket_name = i['bucket'] + usage_dict = i['usage'] + if usage_dict and 'rgw.main' in usage_dict: + bucket_usage_kb = usage_dict['rgw.main']['size_kb_actual'] + else: + bucket_usage_kb = 0 + buckets.append((bucket_name, bucket_usage_kb)) + buckets_total_kb = sum([b[1] for b in buckets]) + + status = "RGW OK: {0} buckets, {1} KB total | /={2}{3} " + + if args.byte: + status = status.format(len(buckets), buckets_total_kb, buckets_total_kb*1024, "B") + else: + status = status.format(len(buckets), buckets_total_kb, buckets_total_kb, "KB") + #print(buckets) + if buckets and args.detail: + if args.byte: + status = status + " ".join(["{}={}B".format(b[0], b[1]*1024) for b in buckets]) + else: + status = status + " ".join(["{}={}KB".format(b[0], b[1]) for b in buckets]) + + print(status) + return STATUS_OK + +if __name__ == "__main__": + sys.exit(main()) From 396afa0a75254b4847839ea98b8eb4a716139c3b Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 15 Nov 2022 11:08:01 +0100 Subject: [PATCH 37/72] nagios-nrpe: add ceph checks to changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f490d12..81a9ea7b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 * varnish: create special tmp directory for syntax validation +* nagios-nrpe: check_ceph_* ### Changed From d289c769703c88aa67f862b4eaac609e95a92b3a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 21 Nov 2022 14:15:49 +0100 Subject: [PATCH 38/72] varnish: fix package facts --- varnish/tasks/main.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 67fe2d6e..663b6461 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -9,13 +9,27 @@ - name: Fetch packages package_facts: manager: auto + check_mode: no tags: - varnish + - config + - update-config - set_fact: - varnish_package_facts: ansible_facts.packages['varnish'] | first + varnish_package_facts: "{{ ansible_facts.packages['varnish'] | first }}" + check_mode: no tags: - varnish + - config + - update-config + +# - debug: +# var: varnish_package_facts +# check_mode: no +# tags: +# - varnish +# - config +# - update-config - name: Remove default varnish configuration files file: @@ -53,6 +67,7 @@ - name: Remove legacy systemd override file: dest: /etc/systemd/system/varnish.service.d/evolinux.conf + state: absent notify: - reload systemd tags: From ecd9d1543fce0a7fff46ed55600ac66fbc23671c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 21 Nov 2022 15:46:46 +0100 Subject: [PATCH 39/72] varnish: better package facts usage with check mode and tags --- CHANGELOG.md | 1 + varnish/tasks/main.yml | 16 +++++++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 81a9ea7b..dac275af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,6 +31,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * redis: some values should be quoted * redis: variable to disable transparent hugepage (default: do nothing) * squid: whitelist deb.freexian.com +* varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version ### Fixed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 67fe2d6e..f2545264 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -9,13 +9,27 @@ - name: Fetch packages package_facts: manager: auto + check_mode: no tags: - varnish + - config + - update-config - set_fact: - varnish_package_facts: ansible_facts.packages['varnish'] | first + varnish_package_facts: "{{ ansible_facts.packages['varnish'] | first }}" + check_mode: no tags: - varnish + - config + - update-config + +# - debug: +# var: varnish_package_facts +# check_mode: no +# tags: +# - varnish +# - config +# - update-config - name: Remove default varnish configuration files file: From 171ece7bbad0b2ff2a160e1c00e36cc6e01fc3b8 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 24 Nov 2022 11:13:12 +0100 Subject: [PATCH 40/72] MongoDB: Dimiss apt-key use (#58271) and allow to choose mongodb_version on Jessie --- mongodb/tasks/main_jessie.yml | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index db69c7c7..8c13e0e4 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml @@ -1,15 +1,31 @@ --- -- name: MongoDB public GPG Key +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + +- name: MongoDB embedded GPG key is absent apt_key: - # url: https://www.mongodb.org/static/pgp/server-3.4.asc - data: "{{ lookup('file', 'server-3.4.asc') }}" + id: "B8612B5D" + keyring: /etc/apt/trusted.gpg + state: absent + when: _trusted_gpg_keyring.stat.exists + +- name: Add MongoDB GPG key + copy: + src: "server-{{mongodb_version}}.asc" + dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + force: yes + mode: "0644" + owner: root + group: root - name: enable APT sources list apt_repository: - repo: deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main + repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main" state: present - filename: mongodb + filename: "mongodb-org-{{mongodb_version}}" update_cache: yes - name: Install packages From 057224fb38a1d73ba69b4da86c75cf9e83bced71 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 25 Nov 2022 15:56:19 +0100 Subject: [PATCH 41/72] Skip task in check_mode --- lxc-php/tasks/umask.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 4a2fde5d..170851ab 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml @@ -25,6 +25,7 @@ regex: "^UMask=" line: "UMask=0007" insertafter: "\\[Service\\]" + when: not ansible_check_mode notify: - "Daemon reload" - "Restart PHP-FPM" From 665177556ed9acd69f038e4fb71d6f39f893a991 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 26 Nov 2022 19:09:05 +0100 Subject: [PATCH 42/72] evomaintenance: allow missing API endpoint if APi is disabled --- CHANGELOG.md | 1 + evomaintenance/tasks/config.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dac275af..47673655 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: utils.yml can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) * evolinux-user: Add sudoers privilege for chck php\_fpm81 +* evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified * lxc-solr: detect the real partition options * lxc-solr: download URL according to Solr Version diff --git a/evomaintenance/tasks/config.yml b/evomaintenance/tasks/config.yml index 097e9770..99339874 100644 --- a/evomaintenance/tasks/config.yml +++ b/evomaintenance/tasks/config.yml @@ -5,6 +5,7 @@ - evomaintenance_api_endpoint is not none - evomaintenance_api_key is not none msg: evomaintenance api variables must be set + when: evomaintenance_hook_api | bool - name: Configuration is installed template: From 54dca82838d2d2d04bec5b13e100c219af15a020 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 26 Nov 2022 19:10:21 +0100 Subject: [PATCH 43/72] varnish: fix missing state, that blocked the task --- CHANGELOG.md | 1 + varnish/tasks/main.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 47673655..e2b758ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,6 +39,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-user: Fix sudoers privilege for check php\_fpm80 * nagios-nrpe: Fix check opendkim for recent change in listening port +* varnish: fix missing state, that blocked the task ### Removed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index f2545264..43399f0d 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -66,7 +66,8 @@ - name: Remove legacy systemd override file: - dest: /etc/systemd/system/varnish.service.d/evolinux.conf + path: /etc/systemd/system/varnish.service.d/evolinux.conf + state: absent notify: - reload systemd tags: From 4156142c856aa6cc90d7c77671b1118c9cf2a76b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 27 Nov 2022 18:07:30 +0100 Subject: [PATCH 44/72] docker: no need to specify the architecture We use only adm64 servers (for now) --- docker-host/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 1262dd03..c60763d8 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -27,7 +27,7 @@ - name: Add Docker repository apt_repository: - repo: 'deb [arch=amd64 signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' state: present filename: docker.list From c96f28e47b6c6e48f77009bdd66d21bd007cf876 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 27 Nov 2022 22:14:39 +0100 Subject: [PATCH 45/72] evocheck: install script according to Debian version --- CHANGELOG.md | 1 + evocheck/files/evocheck.jessie.sh | 1307 +++++++++++++++++++++++++++++ evocheck/files/evocheck.sh | 570 ++++--------- evocheck/files/evocheck.wheezy.sh | 1252 +++++++++++++++++++++++++++ evocheck/tasks/install.yml | 17 +- 5 files changed, 2749 insertions(+), 398 deletions(-) create mode 100755 evocheck/files/evocheck.jessie.sh create mode 100755 evocheck/files/evocheck.wheezy.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index f0d8879a..6fa86d5d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: install script according to Debian version * evolinux-base: utils.yml can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) * evolinux-user: Add sudoers privilege for chck php\_fpm81 diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh new file mode 100755 index 00000000..a5a32a5a --- /dev/null +++ b/evocheck/files/evocheck.jessie.sh @@ -0,0 +1,1307 @@ +#!/bin/bash + +# EvoCheck +# Script to verify compliance of a Linux (Debian) server +# powered by Evolix + +VERSION="22.11" +readonly VERSION + +# base functions + +show_version() { + cat <, + Romain Dessort , + Benoit Série , + Gregory Colpart , + Jérémy Lecour , + Tristan Pilat , + Victor Laborie , + Alexis Ben Miloud--Josselin , + and others. + +evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat <&2 + echo "This version is built for Debian 8 only." >&2 + exit + fi + + DEBIAN_RELEASE="jessie" + fi +} + +is_pack_web(){ + test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh +} +is_pack_samba(){ + test -e /usr/share/scripts/add.pl +} +is_installed(){ + for pkg in "$@"; do + dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 + done +} + +# logging + +failed() { + check_name=$1 + shift + check_comments=$* + + RC=1 + if [ "${QUIET}" != 1 ]; then + if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then + printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" >> "${main_output_file}" + else + printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}" + fi + fi +} + +# check functions + +check_lsbrelease(){ + if [ -x "${LSB_RELEASE_BIN}" ]; then + ## only the major version matters + lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) + rhs=$(cut -d "." -f 1 < /etc/debian_version) + test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release (${lhs}) and /etc/debian_version (${rhs})" + else + failed "IS_LSBRELEASE" "lsb_release is missing or not executable" + fi +} + +# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) +check_nrpepostfix() { + if is_installed postfix; then + { test -e /etc/nagios/nrpe.cfg \ + && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; + } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" + fi +} +# Check if mod-security config file is present +check_customsudoers() { + grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file" +} +check_vartmpfs() { + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + ${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + else + df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + fi +} +check_serveurbase() { + is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed" +} +check_logrotateconf() { + test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" "missing zsyslog in logrotate.d" +} +check_syslogconf() { + grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \ + || failed "IS_SYSLOGCONF" "syslog evolix config file missing" +} +check_debiansecurity() { + # Look for enabled "Debian-Security" sources from the "Debian" origin + apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" + test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository" +} +check_aptitude() { + test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8" +} +check_aptgetbak() { + test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)" +} +check_usrro() { + grep /usr /etc/fstab | grep -qE "\bro\b" || failed "IS_USRRO" "missing ro directive on fstab for /usr" +} +check_tmpnoexec() { + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + options=$(${FINDMNT_BIN} --noheadings --first-only --output OPTIONS /tmp) + echo "${options}" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec'" + else + mount | grep "on /tmp" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec' (WARNING: findmnt(8) is not found)" + fi +} +check_mountfstab() { + # Test if lsblk available, if not skip this test... + LSBLK_BIN=$(command -v lsblk) + if test -x "${LSBLK_BIN}"; then + for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do + grep -Eq "$mountPoint\W" /etc/fstab \ + || failed "IS_MOUNT_FSTAB" "partition(s) detected mounted but no presence in fstab" + done + fi +} +check_listchangesconf() { + if [ -e "/etc/apt/listchanges.conf" ]; then + lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) + if [ "$lines" != 2 ]; then + failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect" + fi + else + failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing" + fi +} +check_customcrontab() { + found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab) + test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab" +} +check_sshallowusers() { + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ + || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" +} +check_diskperf() { + perfFile="/root/disk-perf.txt" + test -e $perfFile || failed "IS_DISKPERF" "missing ${perfFile}" +} +check_tmoutprofile() { + grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" +} +check_alert5boot() { + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script" + else + failed "IS_ALERT5BOOT" "alert5 init script is missing" + fi +} +check_alert5minifw() { + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + else + failed "IS_ALERT5MINIFW" "alert5 init script is missing" + fi +} +check_minifw() { + /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ + || failed "IS_MINIFW" "minifirewall seems not started" +} +check_nrpeperms() { + if [ -d /etc/nagios ]; then + nagiosDir="/etc/nagios" + actual=$(stat --format "%a" $nagiosDir) + expected="750" + test "$expected" = "$actual" || failed "IS_NRPEPERMS" "${nagiosDir} must be ${expected}" + fi +} +check_minifwperms() { + if [ -f "/etc/default/minifirewall" ]; then + actual=$(stat --format "%a" "/etc/default/minifirewall") + expected="600" + test "$expected" = "$actual" || failed "IS_MINIFWPERMS" "/etc/default/minifirewall must be ${expected}" + fi +} +check_nrpedisks() { + NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) + DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)") + test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg" +} +check_nrpepid() { + { test -e /etc/nagios/nrpe.cfg \ + && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; + } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" +} +check_grsecprocs() { + if uname -a | grep -q grsec; then + { grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \ + && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root"; + } || failed "IS_GRSECPROCS" "missing munin's plugin processes directive for grsec" + fi +} +check_apachemunin() { + if test -e /etc/apache2/apache2.conf; then + pattern="/server-status-[[:alnum:]]{4,}" + { grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \ + && { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \ + || grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf; + }; + } || failed "IS_APACHEMUNIN" "server status is not properly configured" + fi +} +# Verification mytop + Munin si MySQL +check_mysqlutils() { + MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin} + if is_installed mysql-server; then + # You can configure MYSQL_ADMIN in evocheck.cf + if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then + failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf" + fi + if ! test -x /usr/bin/mytop; then + if ! test -x /usr/local/bin/mytop; then + failed "IS_MYSQLUTILS" "mytop binary missing" + fi + fi + if ! grep -qs '^user *=' /root/.mytop; then + failed "IS_MYSQLUTILS" "credentials missing in /root/.mytop" + fi + fi +} +# Verification de la configuration du raid soft (mdadm) +check_raidsoft() { + if test -e /proc/mdstat && grep -q md /proc/mdstat; then + { grep -q "^AUTOCHECK=true" /etc/default/mdadm \ + && grep -q "^START_DAEMON=true" /etc/default/mdadm \ + && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf; + } || failed "IS_RAIDSOFT" "missing or wrong config for mdadm" + fi +} +# Verification du LogFormat de AWStats +check_awstatslogformat() { + if is_installed apache2 awstats; then + awstatsFile="/etc/awstats/awstats.conf.local" + grep -qE '^LogFormat=1' $awstatsFile \ + || failed "IS_AWSTATSLOGFORMAT" "missing or wrong LogFormat directive in $awstatsFile" + fi +} +# Verification de la présence de la config logrotate pour Munin +check_muninlogrotate() { + { test -e /etc/logrotate.d/munin-node \ + && test -e /etc/logrotate.d/munin; + } || failed "IS_MUNINLOGROTATE" "missing lorotate file for munin" +} +# Verification de l'activation de Squid dans le cas d'un pack mail +check_squid() { + squidconffile="/etc/squid*/squid.conf" + if is_pack_web && (is_installed squid || is_installed squid3); then + host=$(hostname -i) + # shellcheck disable=SC2086 + http_port=$(grep -E "^http_port\s+[0-9]+" $squidconffile | awk '{ print $2 }') + { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "/etc/default/minifirewall"; + } || grep -qE "^PROXY='?on'?" "/etc/default/minifirewall" \ + || failed "IS_SQUID" "missing squid rules in minifirewall" + fi +} +check_evomaintenance_fw() { + if [ -f "/etc/default/minifirewall" ]; then + hook_db=$(grep -E '^\s*HOOK_DB' /etc/evomaintenance.cf | tr -d ' ' | cut -d= -f2) + rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "/etc/default/minifirewall") + if [ "$hook_db" = "1" ] && [ "$rulesNumber" -lt 2 ]; then + failed "IS_EVOMAINTENANCE_FW" "HOOK_DB is enabled but missing evomaintenance rules in minifirewall" + fi + fi +} +# Verification de la conf et de l'activation de mod-deflate +check_moddeflate() { + f=/etc/apache2/mods-enabled/deflate.conf + if is_installed apache2.2; then + { test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ + && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ + && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f; + } || failed "IS_MODDEFLATE" "missing AddOutputFilterByType directive for apache mod deflate" + fi +} +# Verification de la conf log2mail +check_log2mailrunning() { + if is_pack_web && is_installed log2mail; then + pgrep log2mail >/dev/null || failed "IS_LOG2MAILRUNNING" "log2mail is not running" + fi +} +check_log2mailapache() { + conf=/etc/log2mail/config/default + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/apache2/error.log" $conf \ + || failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache" + fi +} +check_log2mailmysql() { + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \ + || failed "IS_LOG2MAILMYSQL" "missing log2mail directive for mysql" + fi +} +check_log2mailsquid() { + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \ + || failed "IS_LOG2MAILSQUID" "missing log2mail directive for squid" + fi +} +# Verification si bind est chroote +check_bindchroot() { + if is_installed bind9; then + if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then + if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then + md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') + md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') + if [ "$md5_original" != "$md5_chrooted" ]; then + failed "IS_BINDCHROOT" "the chrooted bind binary is different than the original binary" + fi + else + failed "IS_BINDCHROOT" "bind process is not chrooted" + fi + fi + fi +} +# /etc/network/interfaces should be present, we don't manage systemd-network yet +check_network_interfaces() { + if ! test -f /etc/network/interfaces; then + IS_AUTOIF=0 + IS_INTERFACESGW=0 + failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet" + fi +} +# Verify if all if are in auto +check_autoif() { + interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") + for interface in $interfaces; do + if grep -Rq "^iface $interface" /etc/network/interfaces* && ! grep -Rq "^auto $interface" /etc/network/interfaces*; then + failed "IS_AUTOIF" "Network interface \`${interface}' is statically defined but not set to auto" + test "${VERBOSE}" = 1 || break + fi + done +} +# Network conf verification +check_interfacesgw() { + number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces) + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway" + number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces) + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway" +} +# Verification de la mise en place d'evobackup +check_evobackup() { + evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) + test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron" +} +# Vérification de l'exclusion des montages (NFS) dans les sauvegardes +check_evobackup_exclude_mount() { + excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") + files_to_cleanup="${files_to_cleanup} ${excludes_file}" + + # shellcheck disable=SC2044 + for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do + # if the file seems to be a backup script, with an Rsync invocation + if grep -q "^\s*rsync" "${evobackup_file}"; then + # If rsync is not limited by "one-file-system" + # then we verify that every mount is excluded + if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") + for mount in ${not_excluded}; do + failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" + done + fi + fi + done +} +# Verification de la presence du userlogrotate +check_userlogrotate() { + if is_pack_web; then + test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE" "missing userlogrotate cron" + fi +} +# Verification de la syntaxe de la conf d'Apache +check_apachectl() { + if is_installed apache2; then + /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" \ + || failed "IS_APACHECTL" "apache errors detected, run a configtest" + fi +} +# Check if there is regular files in Apache sites-enabled. +check_apachesymlink() { + if is_installed apache2; then + apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print) + nbApacheFind=$(wc -m <<< "$apacheFind") + if [[ $nbApacheFind -gt 1 ]]; then + if [[ $VERBOSE == 1 ]]; then + while read -r line; do + failed "IS_APACHESYMLINK" "Not a symlink: $line" + done <<< "$apacheFind" + else + failed "IS_APACHESYMLINK" + fi + fi + fi +} +# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). +check_apacheipinallow() { + # Note: Replace "exit 1" by "print" in Perl code to debug it. + if is_installed apache2; then + grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ + | grep -iv "from all" \ + | grep -iv "env=" \ + | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \ + || failed "IS_APACHEIPINALLOW" "bad (Allow|Deny) directives in apache" + fi +} +# Check if default Apache configuration file for munin is absent (or empty or commented). +check_muninapacheconf() { + muninconf="/etc/apache2/conf-available/munin.conf" + if is_installed apache2; then + test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \ + && failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled" + fi +} +# Check if default Apache configuration file for phpMyAdmin is absent (or empty or commented). +check_phpmyadminapacheconf() { + phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf" + phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf" + if is_installed apache2; then + test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled" + test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled" + fi +} +# Verification si le système doit redémarrer suite màj kernel. +check_kerneluptodate() { + if is_installed linux-image*; then + # shellcheck disable=SC2012 + kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then + failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised" + fi + fi +} +# Check if the server is running for more than a year. +check_uptime() { + if is_installed linux-image*; then + limit=$(date -d "now - 2 year" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$limit" -gt "$last_reboot_at" ]; then + failed "IS_UPTIME" "machine has an uptime of more than 2 years, reboot on new kernel advised" + fi + fi +} +# Check if munin-node running and RRD files are up to date. +check_muninrunning() { + if ! pgrep munin-node >/dev/null; then + failed "IS_MUNINRUNNING" "Munin is not running" + elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then + limit=$(date +"%s" -d "now - 10 minutes") + + if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then + updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) + [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)" + fi + + if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then + updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) + grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)" + fi + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)" + fi +} +# Check if files in /home/backup/ are up-to-date +check_backupuptodate() { + backup_dir="/home/backup" + if [ -d "${backup_dir}" ]; then + if [ -n "$(ls -A ${backup_dir})" ]; then + find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + + if [ "$limit" -gt "$updated_at" ]; then + failed "IS_BACKUPUPTODATE" "$file has not been backed up" + test "${VERBOSE}" = 1 || break; + fi + done + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is empty" + fi + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is missing" + fi +} +check_etcgit() { + export GIT_DIR="/etc/.git" GIT_WORK_TREE="/etc" + git rev-parse --is-inside-work-tree > /dev/null 2>&1 \ + || failed "IS_ETCGIT" "/etc is not a git repository" +} +# Check if /etc/.git/ has read/write permissions for root only. +check_gitperms() { + GIT_DIR="/etc/.git" + if test -d $GIT_DIR; then + expected="700" + actual=$(stat -c "%a" $GIT_DIR) + [ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected" + fi +} +# Check if no package has been upgraded since $limit. +check_notupgraded() { + last_upgrade=0 + upgraded=false + for log in /var/log/dpkg.log*; do + if zgrep -qsm1 upgrade "$log"; then + # There is at least one upgrade + upgraded=true + break + fi + done + if $upgraded; then + last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')") + fi + if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ + || grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then + # Manual upgrade process + limit=$(date +%s -d "now - 180 days") + else + # Regular process + limit=$(date +%s -d "now - 90 days") + fi + install_date=0 + if [ -d /var/log/installer ]; then + install_date=$(stat -c %Z /var/log/installer) + fi + # Check install_date if the system never received an upgrade + if [ "$last_upgrade" -eq 0 ]; then + [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated" + else + [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long" + fi +} +# Check if reserved blocks for root is at least 5% on every mounted partitions. +check_tune2fs_m5() { + min=5 + parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ') + FINDMNT_BIN=$(command -v findmnt) + for part in $parts; do + blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") + # If buggy partition, skip it. + if [ -z "$blockCount" ]; then + continue + fi + reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") + # Use awk to have a rounded percentage + # python is slow, bash is unable and bc rounds weirdly + percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }") + + if [ "$percentage" -lt "${min}" ]; then + if [ -x "${FINDMNT_BIN}" ]; then + mount=$(${FINDMNT_BIN} --noheadings --first-only --output TARGET "${part}") + else + mount="unknown mount point" + fi + failed "IS_TUNE2FS_M5" "Partition ${part} (${mount}) has less than ${min}% reserved blocks (${percentage}%)" + fi + done +} +check_broadcomfirmware() { + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then + { is_installed firmware-bnx2 \ + && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list; + } || failed "IS_BROADCOMFIRMWARE" "missing non-free repository" + fi + else + failed "IS_BROADCOMFIRMWARE" "lspci not found in ${PATH}" + fi +} +check_hardwareraidtool() { + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'MegaRAID'; then + # shellcheck disable=SC2015 + is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ + || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" + fi + if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then + is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed" + fi + else + failed "IS_HARDWARERAIDTOOL" "lspci not found in ${PATH}" + fi +} +check_listupgrade() { + test -f /etc/cron.d/listupgrade \ + || failed "IS_LISTUPGRADE" "missing listupgrade cron" + test -x /usr/share/scripts/listupgrade.sh \ + || failed "IS_LISTUPGRADE" "missing listupgrade script or not executable" +} +check_sql_backup() { + if (is_installed "mysql-server" || is_installed "mariadb-server"); then + # You could change the default path in /etc/evocheck.cf + SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} + for backup_path in ${SQL_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_postgres_backup() { + if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then + # If you use something like barman, you should disable this check + # You could change the default path in /etc/evocheck.cf + POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"} + for backup_path in ${POSTGRES_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_mongo_backup() { + if is_installed "mongodb-org-server"; then + # You could change the default path in /etc/evocheck.cf + MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} + if [ -d "$MONGO_BACKUP_PATH" ]; then + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}*; do + # Skip indexes file. + if ! [[ "$file" =~ indexes ]]; then + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then + failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days" + break + fi + fi + done + else + failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})" + fi + fi +} +check_ldap_backup() { + if is_installed slapd; then + # You could change the default path in /etc/evocheck.cf + LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"} + test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})" + fi +} +check_redis_backup() { + if is_installed redis-server; then + # You could change the default path in /etc/evocheck.cf + # REDIS_BACKUP_PATH may contain space-separated paths, example: + # REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb' + REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"} + for file in ${REDIS_BACKUP_PATH}; do + test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})" + done + fi +} +check_elastic_backup() { + if is_installed elasticsearch; then + # You could change the default path in /etc/evocheck.cf + ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup-elasticsearch"} + test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})" + fi +} +check_duplicate_fs_label() { + # Do it only if thereis blkid binary + BLKID_BIN=$(command -v blkid) + if [ -n "$BLKID_BIN" ]; then + tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX") + files_to_cleanup="${files_to_cleanup} ${tmpFile}" + + parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) + for part in $parts; do + echo "$part" >> "$tmpFile" + done + tmpOutput=$(sort < "$tmpFile" | uniq -d) + # If there is no duplicate, uniq will have no output + # So, if $tmpOutput is not null, there is a duplicate + if [ -n "$tmpOutput" ]; then + # shellcheck disable=SC2086 + labels=$(echo -n $tmpOutput | tr '\n' ' ') + failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" + fi + else + failed "IS_DUPLICATE_FS_LABEL" "blkid not found in ${PATH}" + fi +} +check_evolix_user() { + grep -q -E "^evolix:" /etc/passwd \ + && failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install" +} +check_evoacme_cron() { + if [ -f "/usr/local/sbin/evoacme" ]; then + # Old cron file, should be deleted + test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme" + # evoacme cron file should be present + test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing" + fi +} +check_evoacme_livelinks() { + EVOACME_BIN=$(command -v evoacme) + if [ -x "$EVOACME_BIN" ]; then + # Sometimes evoacme is installed but no certificates has been generated + numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) + if [ "$numberOfLinks" -gt 0 ]; then + for live in /etc/letsencrypt/*/live; do + actualLink=$(readlink -f "$live") + actualVersion=$(basename "$actualLink") + + certDir=$(dirname "$live") + certName=$(basename "$certDir") + # shellcheck disable=SC2012 + lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1) + lastVersion=$(basename "$lastCertDir") + + if [[ "$lastVersion" != "$actualVersion" ]]; then + failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated" + test "${VERBOSE}" = 1 || break + fi + done + fi + fi +} +check_apache_confenabled() { + # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ + # must be replaced by conf-available/ and config files symlinked + # to conf-enabled/ + if [ -f /etc/apache2/apache2.conf ]; then + test -d /etc/apache2/conf.d/ \ + && failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists" + grep -q 'Include conf.d' /etc/apache2/apache2.conf \ + && failed "IS_APACHE_CONFENABLED" "apache2.conf must not Include conf.d" + fi +} +check_meltdown_spectre() { + # For Jessie this is quite complicated to verify and we need to use kernel config file + if grep -q "BOOT_IMAGE=" /proc/cmdline; then + kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) + kernelVer=${kernelPath##*/vmlinuz-} + kernelConfig="config-${kernelVer}" + # Sometimes autodetection of kernel config file fail, so we test if the file really exists. + if [ -f "/boot/${kernelConfig}" ]; then + grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \ + || failed "IS_MELTDOWN_SPECTRE" \ + "PAGE_TABLE_ISOLATION must be enabled in kernel, outdated kernel?" + grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \ + || failed "IS_MELTDOWN_SPECTRE" \ + "RETPOLINE must be enabled in kernel, outdated kernel?" + fi + fi +} +check_old_home_dir() { + homeDir=${homeDir:-/home} + for dir in "$homeDir"/*; do + statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ + | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ + | grep "UNKNOWN") + # There is at least one dir matching + if [[ -n "$statResult" ]]; then + failed "IS_OLD_HOME_DIR" "$statResult" + test "${VERBOSE}" = 1 || break + fi + done +} +check_tmp_1777() { + actual=$(stat --format "%a" /tmp) + expected="1777" + test "$expected" = "$actual" || failed "IS_TMP_1777" "/tmp must be $expected" +} +check_root_0700() { + actual=$(stat --format "%a" /root) + expected="700" + test "$expected" = "$actual" || failed "IS_ROOT_0700" "/root must be $expected" +} +check_usrsharescripts() { + actual=$(stat --format "%a" /usr/share/scripts) + expected="700" + test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" +} +check_sshpermitrootno() { + sshd_args="-C addr=,user=,host=,laddr=,lport=0" + # shellcheck disable=SC2086 + if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then + failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" + fi +} +check_evomaintenanceusers() { + if [ -f /etc/sudoers.d/evolinux ]; then + sudoers="/etc/sudoers.d/evolinux" + else + sudoers="/etc/sudoers" + fi + # combine users from User_Alias and sudo group + users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) + for user in $users; do + user_home=$(getent passwd "$user" | cut -d: -f6) + if [ -n "$user_home" ] && [ -d "$user_home" ]; then + if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then + failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" + test "${VERBOSE}" = 1 || break + fi + fi + done +} +check_evomaintenanceconf() { + f=/etc/evomaintenance.cf + if [ -e "$f" ]; then + perms=$(stat -c "%a" $f) + test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)" + + { grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ + && grep "^PGDB" $f | grep -qv "your-db" \ + && grep "^PGTABLE" $f | grep -qv "your-table" \ + && grep "^PGHOST" $f | grep -qv "your-pg-host" \ + && grep "^FROM" $f | grep -qv "jdoe@example.com" \ + && grep "^FULLFROM" $f | grep -qv "John Doe " \ + && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ + && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ + && grep "^REALM" $f | grep -qv "example.com" + } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" + else + failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" + fi +} +check_privatekeyworldreadable() { + # a simple globbing fails if directory is empty + if [ -n "$(ls -A /etc/ssl/private/)" ]; then + for f in /etc/ssl/private/*; do + perms=$(stat -L -c "%a" "$f") + if [ "${perms: -1}" != 0 ]; then + failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_evobackup_incs() { + if is_installed bkctld; then + bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} + if [ -f "${bkctld_cron_file}" ]; then + root_crontab=$(grep -v "^#" "${bkctld_cron_file}") + echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" + echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" + else + failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing" + fi + fi +} + +check_osprober() { + if is_installed os-prober qemu-kvm; then + failed "IS_OSPROBER" \ + "Removal of os-prober package is recommended as it can cause serious issue on KVM server" + fi +} + +check_jessie_backports() { + jessieBackports=$(grep -hs "jessie-backports" /etc/apt/sources.list /etc/apt/sources.list.d/*) + if test -n "$jessieBackports"; then + if ! grep -q "archive.debian.org" <<< "$jessieBackports"; then + failed "IS_JESSIE_BACKPORTS" "You must use deb http://archive.debian.org/debian/ jessie-backports main" + fi + fi +} + +check_apt_valid_until() { + aptvalidFile="/etc/apt/apt.conf.d/99no-check-valid-until" + aptvalidText="Acquire::Check-Valid-Until no;" + if grep -qs "archive.debian.org" /etc/apt/sources.list /etc/apt/sources.list.d/*; then + if ! grep -qs "$aptvalidText" /etc/apt/apt.conf.d/*; then + failed "IS_APT_VALID_UNTIL" \ + "As you use archive.mirror.org you need ${aptvalidFile}: ${aptvalidText}" + fi + fi +} + +check_chrooted_binary_uptodate() { + # list of processes to check + process_list="sshd" + for process_name in ${process_list}; do + # what is the binary path? + original_bin=$(command -v "${process_name}") + for pid in $(pgrep ${process_name}); do + process_bin=$(realpath "/proc/${pid}/exe") + # Is the process chrooted? + real_root=$(realpath "/proc/${pid}/root") + if [ "${real_root}" != "/" ]; then + chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ') + original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ') + # compare md5 checksums + if [ "$original_md5" != "$chrooted_md5" ]; then + failed "IS_CHROOTED_BINARY_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}." + test "${VERBOSE}" = 1 || break + fi + fi + done + done +} +check_nginx_letsencrypt_uptodate() { + if [ -d /etc/nginx ]; then + snippets=$(find /etc/nginx -type f -name "letsencrypt.conf") + if [ -n "${snippets}" ]; then + while read -r snippet; do + if ! grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then + failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 8." + fi + done <<< "${snippets}" + fi + fi +} + +check_lxc_container_resolv_conf() { + if is_installed lxc; then + container_list=$(lxc-ls) + current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' ) + + for container in $container_list; do + if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then + + while read -r resolver; do + if ! grep -qE "^nameserver\s+${resolver}" "/var/lib/lxc/${container}/rootfs/etc/resolv.conf"; then + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf miss-match beween host and container : missing nameserver ${resolver} in container ${container} resolv.conf" + fi + done <<< "${current_resolvers}" + + else + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}" + fi + done + fi +} +download_versions() { + local file + file=${1:-} + + ## The file is supposed to list programs : each on a line, then its latest version number + ## Examples: + # evoacme 21.06 + # evomaintenance 0.6.4 + + versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}" + + # fetch timeout, in seconds + timeout=10 + + if command -v curl > /dev/null; then + curl --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}" + elif command -v wget > /dev/null; then + wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}" + elif command -v GET; then + GET -t ${timeout}s "${versions_url}" > "${versions_file}" + else + failed "IS_CHECK_VERSIONS" "failed to find curl, wget or GET" + fi + test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}" +} +get_command() { + local program + program=${1:-} + + case "${program}" in + ## Special cases where the program name is different than the command name + evocheck) echo "${0}" ;; + evomaintenance) command -v "evomaintenance.sh" ;; + listupgrade) command -v "evolistupgrade.sh" ;; + old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;; + mysql-queries-killer) command -v "mysql-queries-killer.sh" ;; + minifirewall) echo "/etc/init.d/minifirewall" ;; + + ## General case, where the program name is the same as the command name + *) command -v "${program}" ;; + esac +} +get_version() { + local program + local command + program=${1:-} + command=${2:-} + + case "${program}" in + ## Special case if `command --version => 'command` is not the standard way to get the version + # my_command) + # /path/to/my_command --get-version + # ;; + + add-vm) + grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 + ;; + minifirewall) + ${command} version | head -1 | cut -d ' ' -f 3 + ;; + ## Let's try the --version flag before falling back to grep for the constant + kvmstats) + if ${command} --version > /dev/null 2> /dev/null; then + ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 + else + grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 + fi + ;; + + ## General case to get the version + *) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;; + esac +} +check_version() { + local program + local expected_version + program=${1:-} + expected_version=${2:-} + + command=$(get_command "${program}") + if [ -n "${command}" ]; then + # shellcheck disable=SC2086 + actual_version=$(get_version "${program}" "${command}") + # printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}" + if [ -z "${actual_version}" ]; then + failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}" + elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}" + elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index." + else + : # Version check OK + fi + fi +} +add_to_path() { + local new_path + new_path=${1:-} + + echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}" +} +check_versions() { + versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX") + files_to_cleanup="${files_to_cleanup} ${versions_file}" + + download_versions "${versions_file}" + add_to_path "/usr/share/scripts" + + grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do + local program + local version + program=$(echo "${line}" | cut -d ' ' -f 1) + version=$(echo "${line}" | cut -d ' ' -f 2) + + if [ -n "${program}" ]; then + if [ -n "${version}" ]; then + check_version "${program}" "${version}" + else + failed "IS_CHECK_VERSIONS" "failed to lookup expected version for ${program}" + fi + fi + done +} + +main() { + # Default return code : 0 = no error + RC=0 + # Detect operating system name, version and release + detect_os + + main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX") + files_to_cleanup="${files_to_cleanup} ${main_output_file}" + + test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777 + test "${IS_ROOT_0700:=1}" = 1 && check_root_0700 + test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts + test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno + test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers + # Verification de la configuration d'evomaintenance + test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf + test "${IS_PRIVKEYWOLRDREADABLE:=1}" = 1 && check_privatekeyworldreadable + + test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease + test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix + test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers + test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs + test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase + test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf + test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf + test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity + test "${IS_APTITUDE:=1}" = 1 && check_aptitude + test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak + test "${IS_USRRO:=1}" = 1 && check_usrro + test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec + test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab + test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf + test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab + test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers + test "${IS_DISKPERF:=0}" = 1 && check_diskperf + test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile + test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot + test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw + test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw + test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms + test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms + test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks + test "${IS_NRPEPID:=1}" = 1 && check_nrpepid + test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs + test "${IS_APACHEMUNIN:=1}" = 1 && check_apachemunin + test "${IS_MYSQLUTILS:=1}" = 1 && check_mysqlutils + test "${IS_RAIDSOFT:=1}" = 1 && check_raidsoft + test "${IS_AWSTATSLOGFORMAT:=1}" = 1 && check_awstatslogformat + test "${IS_MUNINLOGROTATE:=1}" = 1 && check_muninlogrotate + test "${IS_SQUID:=1}" = 1 && check_squid + test "${IS_EVOMAINTENANCE_FW:=1}" = 1 && check_evomaintenance_fw + test "${IS_MODDEFLATE:=1}" = 1 && check_moddeflate + test "${IS_LOG2MAILRUNNING:=1}" = 1 && check_log2mailrunning + test "${IS_LOG2MAILAPACHE:=1}" = 1 && check_log2mailapache + test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql + test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid + test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot + test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces + test "${IS_AUTOIF:=1}" = 1 && check_autoif + test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw + test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup + test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount + test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate + test "${IS_APACHECTL:=1}" = 1 && check_apachectl + test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink + test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow + test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf + test "${IS_PHPMYADMINAPACHECONF:=1}" = 1 && check_phpmyadminapacheconf + test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate + test "${IS_UPTIME:=1}" = 1 && check_uptime + test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning + test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate + test "${IS_ETCGIT:=1}" = 1 && check_etcgit + test "${IS_GITPERMS:=1}" = 1 && check_gitperms + test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded + test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5 + test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware + test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool + test "${IS_LISTUPGRADE:=1}" = 1 && check_listupgrade + test "${IS_SQL_BACKUP:=1}" = 1 && check_sql_backup + test "${IS_POSTGRES_BACKUP:=1}" = 1 && check_postgres_backup + test "${IS_MONGO_BACKUP:=1}" = 1 && check_mongo_backup + test "${IS_LDAP_BACKUP:=1}" = 1 && check_ldap_backup + test "${IS_REDIS_BACKUP:=1}" = 1 && check_redis_backup + test "${IS_ELASTIC_BACKUP:=1}" = 1 && check_elastic_backup + test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label + test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user + test "${IS_EVOACME_CRON:=1}" = 1 && check_evoacme_cron + test "${IS_EVOACME_LIVELINKS:=1}" = 1 && check_evoacme_livelinks + test "${IS_APACHE_CONFENABLED:=1}" = 1 && check_apache_confenabled + test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre + test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir + test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs + test "${IS_OSPROBER:=1}" = 1 && check_osprober + test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports + test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until + test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate + test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate + test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf + test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions + + if [ -f "${main_output_file}" ]; then + lines_found=$(wc -l < "${main_output_file}") + # shellcheck disable=SC2086 + if [ ${lines_found} -gt 0 ]; then + + cat "${main_output_file}" 2>&1 + fi + fi + + exit ${RC} +} +cleanup_temp_files() { + # shellcheck disable=SC2086 + rm -f ${files_to_cleanup} +} + +PROGNAME=$(basename "$0") +# shellcheck disable=SC2034 +readonly PROGNAME + +# shellcheck disable=SC2124 +ARGS=$@ +readonly ARGS + +# Disable LANG* +export LANG=C +export LANGUAGE=C + +files_to_cleanup="" +# shellcheck disable=SC2064 +trap cleanup_temp_files 0 + +# Source configuration file +# shellcheck disable=SC1091 +test -f /etc/evocheck.cf && . /etc/evocheck.cf + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + --version) + show_version + exit 0 + ;; + --cron) + IS_KERNELUPTODATE=0 + IS_UPTIME=0 + IS_MELTDOWN_SPECTRE=0 + IS_CHECK_VERSIONS=0 + IS_NETWORKING_SERVICE=0 + ;; + -v|--verbose) + VERBOSE=1 + ;; + -q|--quiet) + QUIET=1 + VERBOSE=0 + ;; + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + if [ "${QUIET}" != 1 ]; then + printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2 + fi + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +# shellcheck disable=SC2086 +main ${ARGS} diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 7c01da51..c5cd8fbd 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.09" +VERSION="22.11" readonly VERSION # base functions @@ -52,16 +52,19 @@ detect_os() { LSB_RELEASE_BIN=$(command -v lsb_release) if [ -e /etc/debian_version ]; then - DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version) + DEBIAN_MAIN_VERSION=$(cut -d "." -f 1 < /etc/debian_version) + + if [ "${DEBIAN_MAIN_VERSION}" -lt "9" ]; then + echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2 + echo "This version is built for Debian 9 and later." >&2 + exit + fi + if [ -x "${LSB_RELEASE_BIN}" ]; then DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short) else - case ${DEBIAN_VERSION} in - 5) DEBIAN_RELEASE="lenny";; - 6) DEBIAN_RELEASE="squeeze";; - 7) DEBIAN_RELEASE="wheezy";; - 8) DEBIAN_RELEASE="jessie";; - 9) DEBIAN_RELEASE="stretch";; + case ${DEBIAN_MAIN_VERSION} in + 9) DEBIAN_RELEASE="stretch";; 10) DEBIAN_RELEASE="buster";; 11) DEBIAN_RELEASE="bullseye";; 12) DEBIAN_RELEASE="bookworm";; @@ -70,21 +73,6 @@ detect_os() { fi } -is_debian() { - test -n "${DEBIAN_RELEASE}" -} -is_debian_lenny() { - test "${DEBIAN_RELEASE}" = "lenny" -} -is_debian_squeeze() { - test "${DEBIAN_RELEASE}" = "squeeze" -} -is_debian_wheezy() { - test "${DEBIAN_RELEASE}" = "wheezy" -} -is_debian_jessie() { - test "${DEBIAN_RELEASE}" = "jessie" -} is_debian_stretch() { test "${DEBIAN_RELEASE}" = "stretch" } @@ -97,12 +85,6 @@ is_debian_bullseye() { is_debian_bookworm() { test "${DEBIAN_RELEASE}" = "bookworm" } -debian_release() { - printf "%s" "${DEBIAN_RELEASE}" -} -debian_version() { - printf "%s" "${DEBIAN_VERSION}" -} is_pack_web(){ test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh @@ -115,16 +97,6 @@ is_installed(){ dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 done } -minifirewall_file() { - case ${DEBIAN_RELEASE} in - lenny) echo "/etc/firewall.rc" ;; - squeeze) echo "/etc/firewall.rc" ;; - wheezy) echo "/etc/firewall.rc" ;; - jessie) echo "/etc/default/minifirewall" ;; - stretch) echo "/etc/default/minifirewall" ;; - *) echo "/etc/default/minifirewall" ;; - esac -} # logging @@ -156,54 +128,18 @@ check_lsbrelease(){ fi } check_dpkgwarning() { - if is_debian_squeeze; then - if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then - count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf) - test "$count" = 2 || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing." - fi - elif is_debian_wheezy; then - if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then - test -e /etc/apt/apt.conf.d/80evolinux \ - || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing" - test -e /etc/apt/apt.conf \ - && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing" - fi - elif is_debian_stretch || is_debian_buster || is_debian_bullseye; then - test -e /etc/apt/apt.conf.d/z-evolinux.conf \ - || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" - fi -} -check_umasksudoers(){ - if is_debian_squeeze; then - grep -q "^Defaults.*umask=0077" /etc/sudoers \ - || failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077" - fi + test -e /etc/apt/apt.conf.d/z-evolinux.conf \ + || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" } # Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) check_nrpepostfix() { if is_installed postfix; then - if is_debian_squeeze; then - grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \ - || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" - else - { test -e /etc/nagios/nrpe.cfg \ - && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; - } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" - fi + { test -e /etc/nagios/nrpe.cfg \ + && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; + } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" fi } # Check if mod-security config file is present -check_modsecurity() { - if is_debian_squeeze; then - if is_installed libapache-mod-security; then - test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" - fi - elif is_debian_wheezy; then - if is_installed libapache2-modsecurity; then - test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" - fi - fi -} check_customsudoers() { grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file" } @@ -226,46 +162,15 @@ check_syslogconf() { || failed "IS_SYSLOGCONF" "syslog evolix config file missing" } check_debiansecurity() { - if is_debian_bullseye; then - # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive - # https://www.debian.org/security/ - pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main" - elif is_debian_buster; then - pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main" - elif is_debian_stretch; then - pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main" - else - pattern="^deb.*security" - fi - - source_file="/etc/apt/sources.list" - grep -qE "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository" -} -check_aptitudeonly() { - if is_debian_squeeze || is_debian_wheezy; then - test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" \ - "only aptitude may be enabled on Debian <=7, apt-get should be disabled" - fi + # Look for enabled "Debian-Security" sources from the "Debian" origin + apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" + test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository" } check_aptitude() { - if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then - test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8" - fi + test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8" } check_aptgetbak() { - if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then - test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)" - fi -} -check_apticron() { - status="OK" - test -e /etc/cron.d/apticron || status="fail" - test -e /etc/cron.daily/apticron && status="fail" - test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" - - if is_debian_squeeze || is_debian_wheezy; then - test "$status" = "fail" && failed "IS_APTICRON" "apticron must be in cron.d not cron.daily" - fi + test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)" } check_usrro() { grep /usr /etc/fstab | grep -qE "\bro\b" || failed "IS_USRRO" "missing ro directive on fstab for /usr" @@ -290,19 +195,8 @@ check_mountfstab() { fi } check_listchangesconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed apt-listchanges; then - failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9" - fi - else - if [ -e "/etc/apt/listchanges.conf" ]; then - lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) - if [ "$lines" != 2 ]; then - failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect" - fi - else - failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing" - fi + if is_installed apt-listchanges; then + failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9" fi } check_customcrontab() { @@ -321,14 +215,7 @@ check_tmoutprofile() { grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" } check_alert5boot() { - if is_debian_buster || is_debian_bullseye; then - grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" - if [ -f /etc/systemd/system/alert5.service ]; then - systemctl is-enabled alert5.service -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled" - else - failed "IS_ALERT5BOOT" "alert5 unit file is missing" - fi - else + if is_debian_stretch; then if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then @@ -336,13 +223,17 @@ check_alert5boot() { else failed "IS_ALERT5BOOT" "alert5 init script is missing" fi + else + grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + if [ -f /etc/systemd/system/alert5.service ]; then + systemctl is-enabled alert5.service -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled" + else + failed "IS_ALERT5BOOT" "alert5 unit file is missing" + fi fi } check_alert5minifw() { - if is_debian_buster || is_debian_bullseye; then - grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \ - || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing" - else + if is_debian_stretch; then if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" @@ -352,6 +243,9 @@ check_alert5minifw() { else failed "IS_ALERT5MINIFW" "alert5 init script is missing" fi + else + grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing" fi } check_minifw() { @@ -360,8 +254,8 @@ check_minifw() { } check_minifw_includes() { if is_debian_bullseye; then - if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "${MINIFW_FILE}"; then - failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in ${MINIFW_FILE} that should go in /etc/minifirewall.d/" + if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall"; then + failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/" fi fi } @@ -374,10 +268,10 @@ check_nrpeperms() { fi } check_minifwperms() { - if [ -f "$MINIFW_FILE" ]; then - actual=$(stat --format "%a" "$MINIFW_FILE") + if [ -f "/etc/default/minifirewall" ]; then + actual=$(stat --format "%a" "/etc/default/minifirewall") expected="600" - test "$expected" = "$actual" || failed "IS_MINIFWPERMS" "${MINIFW_FILE} must be ${expected}" + test "$expected" = "$actual" || failed "IS_MINIFWPERMS" "/etc/default/minifirewall must be ${expected}" fi } check_nrpedisks() { @@ -390,7 +284,7 @@ check_nrpepid() { { test -e /etc/nagios/nrpe.cfg \ && grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" - elif ! is_debian_squeeze; then + else { test -e /etc/nagios/nrpe.cfg \ && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" @@ -405,20 +299,11 @@ check_grsecprocs() { } check_apachemunin() { if test -e /etc/apache2/apache2.conf; then - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - { test -h /etc/apache2/mods-enabled/status.load \ - && test -h /etc/munin/plugins/apache_accesses \ - && test -h /etc/munin/plugins/apache_processes \ - && test -h /etc/munin/plugins/apache_volume; - } || failed "IS_APACHEMUNIN" "missing munin plugins for Apache" - else - pattern="/server-status-[[:alnum:]]{4,}" - { grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \ - && { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \ - || grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf; - }; - } || failed "IS_APACHEMUNIN" "server status is not properly configured" - fi + { test -h /etc/apache2/mods-enabled/status.load \ + && test -h /etc/munin/plugins/apache_accesses \ + && test -h /etc/munin/plugins/apache_processes \ + && test -h /etc/munin/plugins/apache_volume; + } || failed "IS_APACHEMUNIN" "missing munin plugins for Apache" fi } # Verification mytop + Munin si MySQL @@ -426,7 +311,7 @@ check_mysqlutils() { MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin} if is_installed mysql-server; then # With Debian 11 and later, root can connect to MariaDB with the socket - if is_debian_wheezy || is_debian_jessie || is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster; then # You can configure MYSQL_ADMIN in evocheck.cf if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf" @@ -467,27 +352,23 @@ check_muninlogrotate() { } # Verification de l'activation de Squid dans le cas d'un pack mail check_squid() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - squidconffile="/etc/squid/evolinux-custom.conf" - else - squidconffile="/etc/squid*/squid.conf" - fi + squidconffile="/etc/squid/evolinux-custom.conf" if is_pack_web && (is_installed squid || is_installed squid3); then host=$(hostname -i) # shellcheck disable=SC2086 http_port=$(grep -E "^http_port\s+[0-9]+" $squidconffile | awk '{ print $2 }') - { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE"; - } || grep -qE "^PROXY='?on'?" "$MINIFW_FILE" \ + { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "/etc/default/minifirewall"; + } || grep -qE "^PROXY='?on'?" "/etc/default/minifirewall" \ || failed "IS_SQUID" "missing squid rules in minifirewall" fi } check_evomaintenance_fw() { - if [ -f "$MINIFW_FILE" ]; then + if [ -f "/etc/default/minifirewall" ]; then hook_db=$(grep -E '^\s*HOOK_DB' /etc/evomaintenance.cf | tr -d ' ' | cut -d= -f2) - rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") + rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "/etc/default/minifirewall") if [ "$hook_db" = "1" ] && [ "$rulesNumber" -lt 2 ]; then failed "IS_EVOMAINTENANCE_FW" "HOOK_DB is enabled but missing evomaintenance rules in minifirewall" fi @@ -510,11 +391,7 @@ check_log2mailrunning() { fi } check_log2mailapache() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - conf=/etc/log2mail/config/apache - else - conf=/etc/log2mail/config/default - fi + conf=/etc/log2mail/config/Apache if is_pack_web && is_installed log2mail; then grep -s -q "^file = /var/log/apache2/error.log" $conf \ || failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache" @@ -548,17 +425,6 @@ check_bindchroot() { fi fi } -# Verification de la présence du depot volatile -check_repvolatile() { - if is_debian_lenny; then - grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list \ - || failed "IS_REPVOLATILE" "missing debian-volatile repository" - fi - if is_debian_squeeze; then - grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list \ - || failed "IS_REPVOLATILE" "missing squeeze-updates repository" - fi -} # /etc/network/interfaces should be present, we don't manage systemd-network yet check_network_interfaces() { if ! test -f /etc/network/interfaces; then @@ -569,11 +435,7 @@ check_network_interfaces() { } # Verify if all if are in auto check_autoif() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") - else - interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") - fi + interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") for interface in $interfaces; do if grep -Rq "^iface $interface" /etc/network/interfaces* && ! grep -Rq "^auto $interface" /etc/network/interfaces*; then failed "IS_AUTOIF" "Network interface \`${interface}' is statically defined but not set to auto" @@ -590,11 +452,9 @@ check_interfacesgw() { } # Verification de l’état du service networking check_networking_service() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if systemctl is-enabled networking.service > /dev/null; then - if ! systemctl is-active networking.service > /dev/null; then - failed "IS_NETWORKING_SERVICE" "networking.service is not active" - fi + if systemctl is-enabled networking.service > /dev/null; then + if ! systemctl is-active networking.service > /dev/null; then + failed "IS_NETWORKING_SERVICE" "networking.service is not active" fi fi } @@ -674,23 +534,21 @@ check_apacheipinallow() { } # Check if default Apache configuration file for munin is absent (or empty or commented). check_muninapacheconf() { - if is_debian_squeeze || is_debian_wheezy; then - muninconf="/etc/apache2/conf.d/munin" - else - muninconf="/etc/apache2/conf-available/munin.conf" - fi + muninconf="/etc/apache2/conf-available/munin.conf" if is_installed apache2; then test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \ && failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled" fi } -# Verification de la priorité du package samba si les backports sont utilisés -check_sambainpriority() { - if is_debian_lenny && is_pack_samba; then - if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then - priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ") - test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY" "bad pinning priority for samba" - fi +# Check if default Apache configuration file for phpMyAdmin is absent (or empty or commented). +check_phpmyadminapacheconf() { + phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf" + phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf" + if is_installed apache2; then + test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled" + test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled" fi } # Verification si le système doit redémarrer suite màj kernel. @@ -833,60 +691,48 @@ check_tune2fs_m5() { done } check_evolinuxsudogroup() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if grep -q "^evolinux-sudo:" /etc/group; then - if [ -f /etc/sudoers.d/evolinux ]; then - grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \ - || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file" - fi + if grep -q "^evolinux-sudo:" /etc/group; then + if [ -f /etc/sudoers.d/evolinux ]; then + grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \ + || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file" fi fi } check_userinadmgroup() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') - for user in $users; do - if ! groups "$user" | grep -q adm; then - failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" - test "${VERBOSE}" = 1 || break - fi - done - fi + users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') + for user in $users; do + if ! groups "$user" | grep -q adm; then + failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" + test "${VERBOSE}" = 1 || break + fi + done } check_apache2evolinuxconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed apache2; then - { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ - && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ - && test -f /etc/apache2/ipaddr_whitelist.conf; - } || failed "IS_APACHE2EVOLINUXCONF" "missing custom evolinux apache config" - fi + if is_installed apache2; then + { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ + && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ + && test -f /etc/apache2/ipaddr_whitelist.conf; + } || failed "IS_APACHE2EVOLINUXCONF" "missing custom evolinux apache config" fi } check_backportsconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - grep -qsE "^[^#].*backports" /etc/apt/sources.list \ - && failed "IS_BACKPORTSCONF" "backports can't be in main sources list" - if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then - grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \ - || failed "IS_BACKPORTSCONF" "backports must have preferences" - fi + grep -qsE "^[^#].*backports" /etc/apt/sources.list \ + && failed "IS_BACKPORTSCONF" "backports can't be in main sources list" + if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then + grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \ + || failed "IS_BACKPORTSCONF" "backports must have preferences" fi } check_bind9munin() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed bind9; then - { test -L /etc/munin/plugins/bind9 \ - && test -e /etc/munin/plugin-conf.d/bind9; - } || failed "IS_BIND9MUNIN" "missing bind plugin for munin" - fi + if is_installed bind9; then + { test -L /etc/munin/plugins/bind9 \ + && test -e /etc/munin/plugin-conf.d/bind9; + } || failed "IS_BIND9MUNIN" "missing bind plugin for munin" fi } check_bind9logrotate() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed bind9; then - test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file" - fi + if is_installed bind9; then + test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file" fi } check_broadcomfirmware() { @@ -917,14 +763,12 @@ check_hardwareraidtool() { fi } check_log2mailsystemdunit() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - systemctl -q is-active log2mail.service \ - || failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running" - test -f /etc/systemd/system/log2mail.service \ - || failed "IS_LOG2MAILSYSTEMDUNIT" "missing log2mail unit file" - test -f /etc/init.d/log2mail \ - && failed "IS_LOG2MAILSYSTEMDUNIT" "/etc/init.d/log2mail may be deleted (use systemd unit)" - fi + systemctl -q is-active log2mail.service \ + || failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running" + test -f /etc/systemd/system/log2mail.service \ + || failed "IS_LOG2MAILSYSTEMDUNIT" "missing log2mail unit file" + test -f /etc/init.d/log2mail \ + && failed "IS_LOG2MAILSYSTEMDUNIT" "/etc/init.d/log2mail may be deleted (use systemd unit)" } check_listupgrade() { test -f /etc/cron.d/listupgrade \ @@ -933,13 +777,11 @@ check_listupgrade() { || failed "IS_LISTUPGRADE" "missing listupgrade script or not executable" } check_mariadbevolinuxconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed mariadb-server; then - { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ - && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf; - } || failed "IS_MARIADBEVOLINUXCONF" "missing mariadb custom config" + if is_installed mariadb-server; then + { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ + && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf; + } || failed "IS_MARIADBEVOLINUXCONF" "missing mariadb custom config" fi - fi } check_sql_backup() { if (is_installed "mysql-server" || is_installed "mariadb-server"); then @@ -997,8 +839,12 @@ check_ldap_backup() { check_redis_backup() { if is_installed redis-server; then # You could change the default path in /etc/evocheck.cf - REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"} - test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})" + # REDIS_BACKUP_PATH may contain space-separated paths, example: + # REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb' + REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"} + for file in ${REDIS_BACKUP_PATH}; do + test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})" + done fi } check_elastic_backup() { @@ -1020,73 +866,63 @@ check_mariadbsystemdunit() { fi } check_mysqlmunin() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed mariadb-server; then - for file in mysql_bytes mysql_queries mysql_slowqueries \ - mysql_threads mysql_connections mysql_files_tables \ - mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ - mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ - mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ - mysql_sorts mysql_tmp_tables; do + if is_installed mariadb-server; then + for file in mysql_bytes mysql_queries mysql_slowqueries \ + mysql_threads mysql_connections mysql_files_tables \ + mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ + mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ + mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ + mysql_sorts mysql_tmp_tables; do - if [[ ! -L /etc/munin/plugins/$file ]]; then - failed "IS_MYSQLMUNIN" "missing munin plugin '$file'" - test "${VERBOSE}" = 1 || break - fi - done - munin-run mysql_commands 2> /dev/null > /dev/null - test $? -eq 0 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error" - fi + if [[ ! -L /etc/munin/plugins/$file ]]; then + failed "IS_MYSQLMUNIN" "missing munin plugin '$file'" + test "${VERBOSE}" = 1 || break + fi + done + munin-run mysql_commands 2> /dev/null > /dev/null + test $? -eq 0 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error" fi } check_mysqlnrpe() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed mariadb-server; then - nagios_file=~nagios/.my.cnf - if ! test -f ${nagios_file}; then - failed "IS_MYSQLNRPE" "${nagios_file} is missing" - elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ - || [ "$(stat -c %a ${nagios_file})" != "600" ]; then - failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" - else - grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ - || failed "IS_MYSQLNRPE" "check_mysql is missing" - fi + if is_installed mariadb-server; then + nagios_file=~nagios/.my.cnf + if ! test -f ${nagios_file}; then + failed "IS_MYSQLNRPE" "${nagios_file} is missing" + elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ + || [ "$(stat -c %a ${nagios_file})" != "600" ]; then + failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" + else + grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ + || failed "IS_MYSQLNRPE" "check_mysql is missing" + fi fi - fi } check_phpevolinuxconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - is_debian_stretch && phpVersion="7.0" - is_debian_buster && phpVersion="7.3" - is_debian_bullseye && phpVersion="7.4" - if is_installed php; then - { test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \ - && test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini - } || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config" - fi + is_debian_stretch && phpVersion="7.0" + is_debian_buster && phpVersion="7.3" + is_debian_bullseye && phpVersion="7.4" + if is_installed php; then + { test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \ + && test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini + } || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config" fi } check_squidlogrotate() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed squid; then - grep -q -e monthly -e daily /etc/logrotate.d/squid \ - || failed "IS_SQUIDLOGROTATE" "missing squid logrotate file" - fi + if is_installed squid; then + grep -q -e monthly -e daily /etc/logrotate.d/squid \ + || failed "IS_SQUIDLOGROTATE" "missing squid logrotate file" fi } check_squidevolinuxconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed squid; then - { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ - && test -f /etc/squid/evolinux-defaults.conf \ - && test -f /etc/squid/evolinux-whitelist-defaults.conf \ - && test -f /etc/squid/evolinux-whitelist-custom.conf \ - && test -f /etc/squid/evolinux-acl.conf \ - && test -f /etc/squid/evolinux-httpaccess.conf \ - && test -f /etc/squid/evolinux-custom.conf; - } || failed "IS_SQUIDEVOLINUXCONF" "missing squid evolinux config" - fi + if is_installed squid; then + { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ + && test -f /etc/squid/evolinux-defaults.conf \ + && test -f /etc/squid/evolinux-whitelist-defaults.conf \ + && test -f /etc/squid/evolinux-whitelist-custom.conf \ + && test -f /etc/squid/evolinux-acl.conf \ + && test -f /etc/squid/evolinux-httpaccess.conf \ + && test -f /etc/squid/evolinux-custom.conf; + } || failed "IS_SQUIDEVOLINUXCONF" "missing squid evolinux config" fi } check_duplicate_fs_label() { @@ -1152,41 +988,20 @@ check_apache_confenabled() { # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ # must be replaced by conf-available/ and config files symlinked # to conf-enabled/ - if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if [ -f /etc/apache2/apache2.conf ]; then - test -d /etc/apache2/conf.d/ \ - && failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists" - grep -q 'Include conf.d' /etc/apache2/apache2.conf \ - && failed "IS_APACHE_CONFENABLED" "apache2.conf must not Include conf.d" - fi + if [ -f /etc/apache2/apache2.conf ]; then + test -d /etc/apache2/conf.d/ \ + && failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists" + grep -q 'Include conf.d' /etc/apache2/apache2.conf \ + && failed "IS_APACHE_CONFENABLED" "apache2.conf must not Include conf.d" fi } check_meltdown_spectre() { - # For Stretch, detection is easy as the kernel use # /sys/devices/system/cpu/vulnerabilities/ - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - for vuln in meltdown spectre_v1 spectre_v2; do - test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ - || failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln" - test "${VERBOSE}" = 1 || break - done - # For Jessie this is quite complicated to verify and we need to use kernel config file - elif is_debian_jessie; then - if grep -q "BOOT_IMAGE=" /proc/cmdline; then - kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) - kernelVer=${kernelPath##*/vmlinuz-} - kernelConfig="config-${kernelVer}" - # Sometimes autodetection of kernel config file fail, so we test if the file really exists. - if [ -f "/boot/${kernelConfig}" ]; then - grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \ - || failed "IS_MELTDOWN_SPECTRE" \ - "PAGE_TABLE_ISOLATION must be enabled in kernel, outdated kernel?" - grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \ - || failed "IS_MELTDOWN_SPECTRE" \ - "RETPOLINE must be enabled in kernel, outdated kernel?" - fi - fi - fi + for vuln in meltdown spectre_v1 spectre_v2; do + test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ + || failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln" + test "${VERBOSE}" = 1 || break + done } check_old_home_dir() { homeDir=${homeDir:-/home} @@ -1218,7 +1033,7 @@ check_usrsharescripts() { } check_sshpermitrootno() { sshd_args="-C addr=,user=,host=,laddr=,lport=0" - if is_debian_jessie || is_debian_stretch; then + if is_debian_stretch; then # Noop, we'll use the default $sshd_args : elif is_debian_buster; then @@ -1234,17 +1049,7 @@ check_sshpermitrootno() { fi } check_evomaintenanceusers() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') - else - if [ -f /etc/sudoers.d/evolinux ]; then - sudoers="/etc/sudoers.d/evolinux" - else - sudoers="/etc/sudoers" - fi - # combine users from User_Alias and sudo group - users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) - fi + users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') for user in $users; do user_home=$(getent passwd "$user" | cut -d: -f6) if [ -n "$user_home" ] && [ -d "$user_home" ]; then @@ -1307,17 +1112,6 @@ check_osprober() { fi } -check_jessie_backports() { - if is_debian_jessie; then - jessieBackports=$(grep -hs "jessie-backports" /etc/apt/sources.list /etc/apt/sources.list.d/*) - if test -n "$jessieBackports"; then - if ! grep -q "archive.debian.org" <<< "$jessieBackports"; then - failed "IS_JESSIE_BACKPORTS" "You must use deb http://archive.debian.org/debian/ jessie-backports main" - fi - fi - fi -} - check_apt_valid_until() { aptvalidFile="/etc/apt/apt.conf.d/99no-check-valid-until" aptvalidText="Acquire::Check-Valid-Until no;" @@ -1356,14 +1150,8 @@ check_nginx_letsencrypt_uptodate() { snippets=$(find /etc/nginx -type f -name "letsencrypt.conf") if [ -n "${snippets}" ]; then while read -r snippet; do - if is_debian_jessie; then - if ! grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then - failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 8." - fi - else - if grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then - failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 9+." - fi + if grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then + failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 9+." fi done <<< "${snippets}" fi @@ -1399,11 +1187,7 @@ download_versions() { # evoacme 21.06 # evomaintenance 0.6.4 - if is_debian; then - versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}" - else - failed "IS_CHECK_VERSIONS" "error determining os release" - fi + versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}" # fetch timeout, in seconds timeout=10 @@ -1527,8 +1311,6 @@ main() { main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX") files_to_cleanup="${files_to_cleanup} ${main_output_file}" - MINIFW_FILE=$(minifirewall_file) - test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777 test "${IS_ROOT_0700:=1}" = 1 && check_root_0700 test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts @@ -1540,19 +1322,15 @@ main() { test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning - test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix - test "${IS_MODSECURITY:=1}" = 1 && check_modsecurity test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity - test "${IS_APTITUDEONLY:=1}" = 1 && check_aptitudeonly test "${IS_APTITUDE:=1}" = 1 && check_aptitude test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak - test "${IS_APTICRON:=0}" = 1 && check_apticron test "${IS_USRRO:=1}" = 1 && check_usrro test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab @@ -1584,7 +1362,6 @@ main() { test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot - test "${IS_REPVOLATILE:=1}" = 1 && check_repvolatile test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces test "${IS_AUTOIF:=1}" = 1 && check_autoif test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw @@ -1596,7 +1373,7 @@ main() { test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf - test "${IS_SAMBAPINPRIORITY:=1}" = 1 && check_sambainpriority + test "${IS_PHPMYADMINAPACHECONF:=1}" = 1 && check_phpmyadminapacheconf test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate test "${IS_UPTIME:=1}" = 1 && check_uptime test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning @@ -1637,7 +1414,6 @@ main() { test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs test "${IS_OSPROBER:=1}" = 1 && check_osprober - test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh new file mode 100755 index 00000000..cd41cb50 --- /dev/null +++ b/evocheck/files/evocheck.wheezy.sh @@ -0,0 +1,1252 @@ +#!/bin/bash + +# EvoCheck +# Script to verify compliance of a Linux (Debian) server +# powered by Evolix + +VERSION="22.11" +readonly VERSION + +# base functions + +show_version() { + cat <, + Romain Dessort , + Benoit Série , + Gregory Colpart , + Jérémy Lecour , + Tristan Pilat , + Victor Laborie , + Alexis Ben Miloud--Josselin , + and others. + +evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat <&2 + echo "This version is built for Debian 7 only." >&2 + exit + fi + + if [ -x "${LSB_RELEASE_BIN}" ]; then + DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short) + else + case ${DEBIAN_MAIN_VERSION} in + 5) DEBIAN_RELEASE="lenny";; + 6) DEBIAN_RELEASE="squeeze";; + 7) DEBIAN_RELEASE="wheezy";; + esac + fi + fi +} + +is_debian_lenny() { + test "${DEBIAN_RELEASE}" = "lenny" +} +is_debian_squeeze() { + test "${DEBIAN_RELEASE}" = "squeeze" +} +is_debian_wheezy() { + test "${DEBIAN_RELEASE}" = "wheezy" +} + +is_pack_web(){ + test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh +} +is_pack_samba(){ + test -e /usr/share/scripts/add.pl +} +is_installed(){ + for pkg in "$@"; do + dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 + done +} + +# logging + +failed() { + check_name=$1 + shift + check_comments=$* + + RC=1 + if [ "${QUIET}" != 1 ]; then + if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then + printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" >> "${main_output_file}" + else + printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}" + fi + fi +} + +# check functions + +check_lsbrelease(){ + if [ -x "${LSB_RELEASE_BIN}" ]; then + ## only the major version matters + lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) + rhs=$(cut -d "." -f 1 < /etc/debian_version) + test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release (${lhs}) and /etc/debian_version (${rhs})" + else + failed "IS_LSBRELEASE" "lsb_release is missing or not executable" + fi +} +check_dpkgwarning() { + if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then + test -e /etc/apt/apt.conf.d/80evolinux \ + || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing" + test -e /etc/apt/apt.conf \ + && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing" + fi +} +# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) +check_nrpepostfix() { + if is_installed postfix; then + { test -e /etc/nagios/nrpe.cfg \ + && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; + } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" + fi +} +# Check if mod-security config file is present +check_modsecurity() { + if is_installed libapache2-modsecurity; then + test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" + fi +} +check_customsudoers() { + grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file" +} +check_vartmpfs() { + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + ${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + else + df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + fi +} +check_serveurbase() { + is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed" +} +check_logrotateconf() { + test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" "missing zsyslog in logrotate.d" +} +check_syslogconf() { + grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \ + || failed "IS_SYSLOGCONF" "syslog evolix config file missing" +} +check_debiansecurity() { + # Look for enabled "Debian-Security" sources from the "Debian" origin + apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" + test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository" +} +check_aptitudeonly() { + test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" \ + "only aptitude may be enabled on Debian <=7, apt-get should be disabled" +} + +check_apticron() { + status="OK" + test -e /etc/cron.d/apticron || status="fail" + test -e /etc/cron.daily/apticron && status="fail" + test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" + + test "$status" = "fail" && failed "IS_APTICRON" "apticron must be in cron.d not cron.daily" +} +check_usrro() { + grep /usr /etc/fstab | grep -qE "\bro\b" || failed "IS_USRRO" "missing ro directive on fstab for /usr" +} +check_tmpnoexec() { + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + options=$(${FINDMNT_BIN} --noheadings --first-only --output OPTIONS /tmp) + echo "${options}" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec'" + else + mount | grep "on /tmp" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec' (WARNING: findmnt(8) is not found)" + fi +} +check_mountfstab() { + # Test if lsblk available, if not skip this test... + LSBLK_BIN=$(command -v lsblk) + if test -x "${LSBLK_BIN}"; then + for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do + grep -Eq "$mountPoint\W" /etc/fstab \ + || failed "IS_MOUNT_FSTAB" "partition(s) detected mounted but no presence in fstab" + done + fi +} +check_listchangesconf() { + if [ -e "/etc/apt/listchanges.conf" ]; then + lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) + if [ "$lines" != 2 ]; then + failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect" + fi + else + failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing" + fi +} +check_customcrontab() { + found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab) + test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab" +} +check_sshallowusers() { + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ + || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" +} +check_diskperf() { + perfFile="/root/disk-perf.txt" + test -e $perfFile || failed "IS_DISKPERF" "missing ${perfFile}" +} +check_tmoutprofile() { + grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" +} +check_alert5boot() { + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script" + else + failed "IS_ALERT5BOOT" "alert5 init script is missing" + fi +} +check_alert5minifw() { + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + else + failed "IS_ALERT5MINIFW" "alert5 init script is missing" + fi +} +check_minifw() { + /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ + || failed "IS_MINIFW" "minifirewall seems not started" +} +check_nrpeperms() { + if [ -d /etc/nagios ]; then + nagiosDir="/etc/nagios" + actual=$(stat --format "%a" $nagiosDir) + expected="750" + test "$expected" = "$actual" || failed "IS_NRPEPERMS" "${nagiosDir} must be ${expected}" + fi +} +check_minifwperms() { + if [ -f "/etc/firewall.rc" ]; then + actual=$(stat --format "%a" "/etc/firewall.rc") + expected="600" + test "$expected" = "$actual" || failed "IS_MINIFWPERMS" "/etc/firewall.rc must be ${expected}" + fi +} +check_nrpedisks() { + NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) + DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)") + test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg" +} +check_nrpepid() { + { test -e /etc/nagios/nrpe.cfg \ + && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; + } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" +} +check_grsecprocs() { + if uname -a | grep -q grsec; then + { grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \ + && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root"; + } || failed "IS_GRSECPROCS" "missing munin's plugin processes directive for grsec" + fi +} +check_apachemunin() { + if test -e /etc/apache2/apache2.conf; then + pattern="/server-status-[[:alnum:]]{4,}" + { grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \ + && { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \ + || grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf; + }; + } || failed "IS_APACHEMUNIN" "server status is not properly configured" + fi +} +# Verification mytop + Munin si MySQL +check_mysqlutils() { + MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin} + if is_installed mysql-server; then + # You can configure MYSQL_ADMIN in evocheck.cf + if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then + failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf" + fi + if ! test -x /usr/bin/mytop; then + if ! test -x /usr/local/bin/mytop; then + failed "IS_MYSQLUTILS" "mytop binary missing" + fi + fi + if ! grep -qs '^user *=' /root/.mytop; then + failed "IS_MYSQLUTILS" "credentials missing in /root/.mytop" + fi + fi +} +# Verification de la configuration du raid soft (mdadm) +check_raidsoft() { + if test -e /proc/mdstat && grep -q md /proc/mdstat; then + { grep -q "^AUTOCHECK=true" /etc/default/mdadm \ + && grep -q "^START_DAEMON=true" /etc/default/mdadm \ + && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf; + } || failed "IS_RAIDSOFT" "missing or wrong config for mdadm" + fi +} +# Verification du LogFormat de AWStats +check_awstatslogformat() { + if is_installed apache2 awstats; then + awstatsFile="/etc/awstats/awstats.conf.local" + grep -qE '^LogFormat=1' $awstatsFile \ + || failed "IS_AWSTATSLOGFORMAT" "missing or wrong LogFormat directive in $awstatsFile" + fi +} +# Verification de la présence de la config logrotate pour Munin +check_muninlogrotate() { + { test -e /etc/logrotate.d/munin-node \ + && test -e /etc/logrotate.d/munin; + } || failed "IS_MUNINLOGROTATE" "missing lorotate file for munin" +} +# Verification de l'activation de Squid dans le cas d'un pack mail +check_squid() { + squidconffile="/etc/squid*/squid.conf" + if is_pack_web && (is_installed squid || is_installed squid3); then + host=$(hostname -i) + # shellcheck disable=SC2086 + http_port=$(grep -E "^http_port\s+[0-9]+" $squidconffile | awk '{ print $2 }') + { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "/etc/firewall.rc" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "/etc/firewall.rc" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "/etc/firewall.rc" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "/etc/firewall.rc"; + } || grep -qE "^PROXY='?on'?" "/etc/firewall.rc" \ + || failed "IS_SQUID" "missing squid rules in minifirewall" + fi +} +check_evomaintenance_fw() { + if [ -f "/etc/firewall.rc" ]; then + hook_db=$(grep -E '^\s*HOOK_DB' /etc/evomaintenance.cf | tr -d ' ' | cut -d= -f2) + rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "/etc/firewall.rc") + if [ "$hook_db" = "1" ] && [ "$rulesNumber" -lt 2 ]; then + failed "IS_EVOMAINTENANCE_FW" "HOOK_DB is enabled but missing evomaintenance rules in minifirewall" + fi + fi +} +# Verification de la conf et de l'activation de mod-deflate +check_moddeflate() { + f=/etc/apache2/mods-enabled/deflate.conf + if is_installed apache2.2; then + { test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ + && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ + && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f; + } || failed "IS_MODDEFLATE" "missing AddOutputFilterByType directive for apache mod deflate" + fi +} +# Verification de la conf log2mail +check_log2mailrunning() { + if is_pack_web && is_installed log2mail; then + pgrep log2mail >/dev/null || failed "IS_LOG2MAILRUNNING" "log2mail is not running" + fi +} +check_log2mailapache() { + conf=/etc/log2mail/config/default + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/apache2/error.log" $conf \ + || failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache" + fi +} +check_log2mailmysql() { + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \ + || failed "IS_LOG2MAILMYSQL" "missing log2mail directive for mysql" + fi +} +check_log2mailsquid() { + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \ + || failed "IS_LOG2MAILSQUID" "missing log2mail directive for squid" + fi +} +# Verification si bind est chroote +check_bindchroot() { + if is_installed bind9; then + if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then + if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then + md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') + md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') + if [ "$md5_original" != "$md5_chrooted" ]; then + failed "IS_BINDCHROOT" "the chrooted bind binary is different than the original binary" + fi + else + failed "IS_BINDCHROOT" "bind process is not chrooted" + fi + fi + fi +} +# /etc/network/interfaces should be present, we don't manage systemd-network yet +check_network_interfaces() { + if ! test -f /etc/network/interfaces; then + IS_AUTOIF=0 + IS_INTERFACESGW=0 + failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet" + fi +} +# Verify if all if are in auto +check_autoif() { + interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") + for interface in $interfaces; do + if grep -Rq "^iface $interface" /etc/network/interfaces* && ! grep -Rq "^auto $interface" /etc/network/interfaces*; then + failed "IS_AUTOIF" "Network interface \`${interface}' is statically defined but not set to auto" + test "${VERBOSE}" = 1 || break + fi + done +} +# Network conf verification +check_interfacesgw() { + number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces) + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway" + number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces) + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway" +} +# Verification de la mise en place d'evobackup +check_evobackup() { + evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) + test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron" +} +# Vérification de l'exclusion des montages (NFS) dans les sauvegardes +check_evobackup_exclude_mount() { + excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") + files_to_cleanup="${files_to_cleanup} ${excludes_file}" + + # shellcheck disable=SC2044 + for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do + # if the file seems to be a backup script, with an Rsync invocation + if grep -q "^\s*rsync" "${evobackup_file}"; then + # If rsync is not limited by "one-file-system" + # then we verify that every mount is excluded + if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") + for mount in ${not_excluded}; do + failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" + done + fi + fi + done +} +# Verification de la presence du userlogrotate +check_userlogrotate() { + if is_pack_web; then + test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE" "missing userlogrotate cron" + fi +} +# Verification de la syntaxe de la conf d'Apache +check_apachectl() { + if is_installed apache2; then + /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" \ + || failed "IS_APACHECTL" "apache errors detected, run a configtest" + fi +} +# Check if there is regular files in Apache sites-enabled. +check_apachesymlink() { + if is_installed apache2; then + apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print) + nbApacheFind=$(wc -m <<< "$apacheFind") + if [[ $nbApacheFind -gt 1 ]]; then + if [[ $VERBOSE == 1 ]]; then + while read -r line; do + failed "IS_APACHESYMLINK" "Not a symlink: $line" + done <<< "$apacheFind" + else + failed "IS_APACHESYMLINK" + fi + fi + fi +} +# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). +check_apacheipinallow() { + # Note: Replace "exit 1" by "print" in Perl code to debug it. + if is_installed apache2; then + grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ + | grep -iv "from all" \ + | grep -iv "env=" \ + | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \ + || failed "IS_APACHEIPINALLOW" "bad (Allow|Deny) directives in apache" + fi +} +# Check if default Apache configuration file for munin is absent (or empty or commented). +check_muninapacheconf() { + muninconf="/etc/apache2/conf.d/munin" + if is_installed apache2; then + test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \ + && failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled" + fi +} +# Check if default Apache configuration file for phpMyAdmin is absent (or empty or commented). +check_phpmyadminapacheconf() { + phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf" + phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf" + if is_installed apache2; then + test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled" + test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled" + fi +} +# Verification si le système doit redémarrer suite màj kernel. +check_kerneluptodate() { + if is_installed linux-image*; then + # shellcheck disable=SC2012 + kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then + failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised" + fi + fi +} +# Check if the server is running for more than a year. +check_uptime() { + if is_installed linux-image*; then + limit=$(date -d "now - 2 year" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$limit" -gt "$last_reboot_at" ]; then + failed "IS_UPTIME" "machine has an uptime of more than 2 years, reboot on new kernel advised" + fi + fi +} +# Check if munin-node running and RRD files are up to date. +check_muninrunning() { + if ! pgrep munin-node >/dev/null; then + failed "IS_MUNINRUNNING" "Munin is not running" + elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then + limit=$(date +"%s" -d "now - 10 minutes") + + if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then + updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) + [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)" + fi + + if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then + updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) + grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)" + fi + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)" + fi +} +# Check if files in /home/backup/ are up-to-date +check_backupuptodate() { + backup_dir="/home/backup" + if [ -d "${backup_dir}" ]; then + if [ -n "$(ls -A ${backup_dir})" ]; then + find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + + if [ "$limit" -gt "$updated_at" ]; then + failed "IS_BACKUPUPTODATE" "$file has not been backed up" + test "${VERBOSE}" = 1 || break; + fi + done + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is empty" + fi + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is missing" + fi +} +check_etcgit() { + export GIT_DIR="/etc/.git" GIT_WORK_TREE="/etc" + git rev-parse --is-inside-work-tree > /dev/null 2>&1 \ + || failed "IS_ETCGIT" "/etc is not a git repository" +} +# Check if /etc/.git/ has read/write permissions for root only. +check_gitperms() { + GIT_DIR="/etc/.git" + if test -d $GIT_DIR; then + expected="700" + actual=$(stat -c "%a" $GIT_DIR) + [ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected" + fi +} +# Check if no package has been upgraded since $limit. +check_notupgraded() { + last_upgrade=0 + upgraded=false + for log in /var/log/dpkg.log*; do + if zgrep -qsm1 upgrade "$log"; then + # There is at least one upgrade + upgraded=true + break + fi + done + if $upgraded; then + last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')") + fi + if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ + || grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then + # Manual upgrade process + limit=$(date +%s -d "now - 180 days") + else + # Regular process + limit=$(date +%s -d "now - 90 days") + fi + install_date=0 + if [ -d /var/log/installer ]; then + install_date=$(stat -c %Z /var/log/installer) + fi + # Check install_date if the system never received an upgrade + if [ "$last_upgrade" -eq 0 ]; then + [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated" + else + [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long" + fi +} +# Check if reserved blocks for root is at least 5% on every mounted partitions. +check_tune2fs_m5() { + min=5 + parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ') + FINDMNT_BIN=$(command -v findmnt) + for part in $parts; do + blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") + # If buggy partition, skip it. + if [ -z "$blockCount" ]; then + continue + fi + reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") + # Use awk to have a rounded percentage + # python is slow, bash is unable and bc rounds weirdly + percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }") + + if [ "$percentage" -lt "${min}" ]; then + if [ -x "${FINDMNT_BIN}" ]; then + mount=$(${FINDMNT_BIN} --noheadings --first-only --output TARGET "${part}") + else + mount="unknown mount point" + fi + failed "IS_TUNE2FS_M5" "Partition ${part} (${mount}) has less than ${min}% reserved blocks (${percentage}%)" + fi + done +} + +check_broadcomfirmware() { + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then + { is_installed firmware-bnx2 \ + && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list; + } || failed "IS_BROADCOMFIRMWARE" "missing non-free repository" + fi + else + failed "IS_BROADCOMFIRMWARE" "lspci not found in ${PATH}" + fi +} +check_hardwareraidtool() { + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'MegaRAID'; then + # shellcheck disable=SC2015 + is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ + || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" + fi + if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then + is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed" + fi + else + failed "IS_HARDWARERAIDTOOL" "lspci not found in ${PATH}" + fi +} +check_sql_backup() { + if (is_installed "mysql-server" || is_installed "mariadb-server"); then + # You could change the default path in /etc/evocheck.cf + SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} + for backup_path in ${SQL_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_postgres_backup() { + if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then + # If you use something like barman, you should disable this check + # You could change the default path in /etc/evocheck.cf + POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"} + for backup_path in ${POSTGRES_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_mongo_backup() { + if is_installed "mongodb-org-server"; then + # You could change the default path in /etc/evocheck.cf + MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} + if [ -d "$MONGO_BACKUP_PATH" ]; then + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}*; do + # Skip indexes file. + if ! [[ "$file" =~ indexes ]]; then + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then + failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days" + break + fi + fi + done + else + failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})" + fi + fi +} +check_ldap_backup() { + if is_installed slapd; then + # You could change the default path in /etc/evocheck.cf + LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"} + test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})" + fi +} +check_redis_backup() { + if is_installed redis-server; then + # You could change the default path in /etc/evocheck.cf + # REDIS_BACKUP_PATH may contain space-separated paths, example: + # REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb' + REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"} + for file in ${REDIS_BACKUP_PATH}; do + test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})" + done + fi +} +check_elastic_backup() { + if is_installed elasticsearch; then + # You could change the default path in /etc/evocheck.cf + ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup-elasticsearch"} + test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})" + fi +} +check_duplicate_fs_label() { + # Do it only if thereis blkid binary + BLKID_BIN=$(command -v blkid) + if [ -n "$BLKID_BIN" ]; then + tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX") + files_to_cleanup="${files_to_cleanup} ${tmpFile}" + + parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) + for part in $parts; do + echo "$part" >> "$tmpFile" + done + tmpOutput=$(sort < "$tmpFile" | uniq -d) + # If there is no duplicate, uniq will have no output + # So, if $tmpOutput is not null, there is a duplicate + if [ -n "$tmpOutput" ]; then + # shellcheck disable=SC2086 + labels=$(echo -n $tmpOutput | tr '\n' ' ') + failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" + fi + else + failed "IS_DUPLICATE_FS_LABEL" "blkid not found in ${PATH}" + fi +} +check_evolix_user() { + grep -q -E "^evolix:" /etc/passwd \ + && failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install" +} +check_old_home_dir() { + homeDir=${homeDir:-/home} + for dir in "$homeDir"/*; do + statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ + | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ + | grep "UNKNOWN") + # There is at least one dir matching + if [[ -n "$statResult" ]]; then + failed "IS_OLD_HOME_DIR" "$statResult" + test "${VERBOSE}" = 1 || break + fi + done +} +check_tmp_1777() { + actual=$(stat --format "%a" /tmp) + expected="1777" + test "$expected" = "$actual" || failed "IS_TMP_1777" "/tmp must be $expected" +} +check_root_0700() { + actual=$(stat --format "%a" /root) + expected="700" + test "$expected" = "$actual" || failed "IS_ROOT_0700" "/root must be $expected" +} +check_usrsharescripts() { + actual=$(stat --format "%a" /usr/share/scripts) + expected="700" + test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" +} +check_sshpermitrootno() { + # shellcheck disable=SC2086 + if ! (sshd -T 2> /dev/null | grep -qi 'permitrootlogin no'); then + failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" + fi +} +check_evomaintenanceusers() { + if [ -f /etc/sudoers.d/evolinux ]; then + sudoers="/etc/sudoers.d/evolinux" + else + sudoers="/etc/sudoers" + fi + # combine users from User_Alias and sudo group + users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) + + for user in $users; do + user_home=$(getent passwd "$user" | cut -d: -f6) + if [ -n "$user_home" ] && [ -d "$user_home" ]; then + if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then + failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" + test "${VERBOSE}" = 1 || break + fi + fi + done +} +check_evomaintenanceconf() { + f=/etc/evomaintenance.cf + if [ -e "$f" ]; then + perms=$(stat -c "%a" $f) + test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)" + + { grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ + && grep "^PGDB" $f | grep -qv "your-db" \ + && grep "^PGTABLE" $f | grep -qv "your-table" \ + && grep "^PGHOST" $f | grep -qv "your-pg-host" \ + && grep "^FROM" $f | grep -qv "jdoe@example.com" \ + && grep "^FULLFROM" $f | grep -qv "John Doe " \ + && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ + && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ + && grep "^REALM" $f | grep -qv "example.com" + } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" + else + failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" + fi +} +check_privatekeyworldreadable() { + # a simple globbing fails if directory is empty + if [ -n "$(ls -A /etc/ssl/private/)" ]; then + for f in /etc/ssl/private/*; do + perms=$(stat -L -c "%a" "$f") + if [ "${perms: -1}" != 0 ]; then + failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_evobackup_incs() { + if is_installed bkctld; then + bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} + if [ -f "${bkctld_cron_file}" ]; then + root_crontab=$(grep -v "^#" "${bkctld_cron_file}") + echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" + echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" + else + failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing" + fi + fi +} + +check_osprober() { + if is_installed os-prober qemu-kvm; then + failed "IS_OSPROBER" \ + "Removal of os-prober package is recommended as it can cause serious issue on KVM server" + fi +} + +check_apt_valid_until() { + aptvalidFile="/etc/apt/apt.conf.d/99no-check-valid-until" + aptvalidText="Acquire::Check-Valid-Until no;" + if grep -qs "archive.debian.org" /etc/apt/sources.list /etc/apt/sources.list.d/*; then + if ! grep -qs "$aptvalidText" /etc/apt/apt.conf.d/*; then + failed "IS_APT_VALID_UNTIL" \ + "As you use archive.mirror.org you need ${aptvalidFile}: ${aptvalidText}" + fi + fi +} + +check_chrooted_binary_uptodate() { + # list of processes to check + process_list="sshd" + for process_name in ${process_list}; do + # what is the binary path? + original_bin=$(command -v "${process_name}") + for pid in $(pgrep ${process_name}); do + process_bin=$(realpath "/proc/${pid}/exe") + # Is the process chrooted? + real_root=$(realpath "/proc/${pid}/root") + if [ "${real_root}" != "/" ]; then + chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ') + original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ') + # compare md5 checksums + if [ "$original_md5" != "$chrooted_md5" ]; then + failed "IS_CHROOTED_BINARY_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}." + test "${VERBOSE}" = 1 || break + fi + fi + done + done +} + +check_lxc_container_resolv_conf() { + if is_installed lxc; then + container_list=$(lxc-ls) + current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' ) + + for container in $container_list; do + if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then + + while read -r resolver; do + if ! grep -qE "^nameserver\s+${resolver}" "/var/lib/lxc/${container}/rootfs/etc/resolv.conf"; then + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf miss-match beween host and container : missing nameserver ${resolver} in container ${container} resolv.conf" + fi + done <<< "${current_resolvers}" + + else + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}" + fi + done + fi +} +download_versions() { + local file + file=${1:-} + + ## The file is supposed to list programs : each on a line, then its latest version number + ## Examples: + # evoacme 21.06 + # evomaintenance 0.6.4 + + versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}" + + # fetch timeout, in seconds + timeout=10 + + if command -v curl > /dev/null; then + curl --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}" + elif command -v wget > /dev/null; then + wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}" + elif command -v GET; then + GET -t ${timeout}s "${versions_url}" > "${versions_file}" + else + failed "IS_CHECK_VERSIONS" "failed to find curl, wget or GET" + fi + test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}" +} +get_command() { + local program + program=${1:-} + + case "${program}" in + ## Special cases where the program name is different than the command name + evocheck) echo "${0}" ;; + evomaintenance) command -v "evomaintenance.sh" ;; + listupgrade) command -v "evolistupgrade.sh" ;; + old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;; + mysql-queries-killer) command -v "mysql-queries-killer.sh" ;; + minifirewall) echo "/etc/init.d/minifirewall" ;; + + ## General case, where the program name is the same as the command name + *) command -v "${program}" ;; + esac +} +get_version() { + local program + local command + program=${1:-} + command=${2:-} + + case "${program}" in + ## Special case if `command --version => 'command` is not the standard way to get the version + # my_command) + # /path/to/my_command --get-version + # ;; + + add-vm) + grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 + ;; + minifirewall) + ${command} version | head -1 | cut -d ' ' -f 3 + ;; + ## Let's try the --version flag before falling back to grep for the constant + kvmstats) + if ${command} --version > /dev/null 2> /dev/null; then + ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 + else + grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 + fi + ;; + + ## General case to get the version + *) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;; + esac +} +check_version() { + local program + local expected_version + program=${1:-} + expected_version=${2:-} + + command=$(get_command "${program}") + if [ -n "${command}" ]; then + # shellcheck disable=SC2086 + actual_version=$(get_version "${program}" "${command}") + # printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}" + if [ -z "${actual_version}" ]; then + failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}" + elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}" + elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index." + else + : # Version check OK + fi + fi +} +add_to_path() { + local new_path + new_path=${1:-} + + echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}" +} +check_versions() { + versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX") + files_to_cleanup="${files_to_cleanup} ${versions_file}" + + download_versions "${versions_file}" + add_to_path "/usr/share/scripts" + + grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do + local program + local version + program=$(echo "${line}" | cut -d ' ' -f 1) + version=$(echo "${line}" | cut -d ' ' -f 2) + + if [ -n "${program}" ]; then + if [ -n "${version}" ]; then + check_version "${program}" "${version}" + else + failed "IS_CHECK_VERSIONS" "failed to lookup expected version for ${program}" + fi + fi + done +} + +main() { + # Default return code : 0 = no error + RC=0 + # Detect operating system name, version and release + detect_os + + main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX") + files_to_cleanup="${files_to_cleanup} ${main_output_file}" + + test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777 + test "${IS_ROOT_0700:=1}" = 1 && check_root_0700 + test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts + test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno + test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers + # Verification de la configuration d'evomaintenance + test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf + test "${IS_PRIVKEYWOLRDREADABLE:=1}" = 1 && check_privatekeyworldreadable + + test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease + test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning + test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix + test "${IS_MODSECURITY:=1}" = 1 && check_modsecurity + test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers + test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs + test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase + test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf + test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf + test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity + test "${IS_APTITUDEONLY:=1}" = 1 && check_aptitudeonly + test "${IS_APTICRON:=0}" = 1 && check_apticron + test "${IS_USRRO:=1}" = 1 && check_usrro + test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec + test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab + test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf + test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab + test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers + test "${IS_DISKPERF:=0}" = 1 && check_diskperf + test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile + test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot + test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw + test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw + test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms + test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms + test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks + test "${IS_NRPEPID:=1}" = 1 && check_nrpepid + test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs + test "${IS_APACHEMUNIN:=1}" = 1 && check_apachemunin + test "${IS_MYSQLUTILS:=1}" = 1 && check_mysqlutils + test "${IS_RAIDSOFT:=1}" = 1 && check_raidsoft + test "${IS_AWSTATSLOGFORMAT:=1}" = 1 && check_awstatslogformat + test "${IS_MUNINLOGROTATE:=1}" = 1 && check_muninlogrotate + test "${IS_SQUID:=1}" = 1 && check_squid + test "${IS_EVOMAINTENANCE_FW:=1}" = 1 && check_evomaintenance_fw + test "${IS_MODDEFLATE:=1}" = 1 && check_moddeflate + test "${IS_LOG2MAILRUNNING:=1}" = 1 && check_log2mailrunning + test "${IS_LOG2MAILAPACHE:=1}" = 1 && check_log2mailapache + test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql + test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid + test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot + test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces + test "${IS_AUTOIF:=1}" = 1 && check_autoif + test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw + test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup + test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount + test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate + test "${IS_APACHECTL:=1}" = 1 && check_apachectl + test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink + test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow + test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf + test "${IS_PHPMYADMINAPACHECONF:=1}" = 1 && check_phpmyadminapacheconf + test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate + test "${IS_UPTIME:=1}" = 1 && check_uptime + test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning + test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate + test "${IS_ETCGIT:=1}" = 1 && check_etcgit + test "${IS_GITPERMS:=1}" = 1 && check_gitperms + test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded + test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5 + test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware + test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool + test "${IS_SQL_BACKUP:=1}" = 1 && check_sql_backup + test "${IS_POSTGRES_BACKUP:=1}" = 1 && check_postgres_backup + test "${IS_MONGO_BACKUP:=1}" = 1 && check_mongo_backup + test "${IS_LDAP_BACKUP:=1}" = 1 && check_ldap_backup + test "${IS_REDIS_BACKUP:=1}" = 1 && check_redis_backup + test "${IS_ELASTIC_BACKUP:=1}" = 1 && check_elastic_backup + test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label + test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user + test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir + test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs + test "${IS_OSPROBER:=1}" = 1 && check_osprober + test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until + test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate + test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions + + if [ -f "${main_output_file}" ]; then + lines_found=$(wc -l < "${main_output_file}") + # shellcheck disable=SC2086 + if [ ${lines_found} -gt 0 ]; then + + cat "${main_output_file}" 2>&1 + fi + fi + + exit ${RC} +} +cleanup_temp_files() { + # shellcheck disable=SC2086 + rm -f ${files_to_cleanup} +} + +PROGNAME=$(basename "$0") +# shellcheck disable=SC2034 +readonly PROGNAME + +# shellcheck disable=SC2124 +ARGS=$@ +readonly ARGS + +# Disable LANG* +export LANG=C +export LANGUAGE=C + +files_to_cleanup="" +# shellcheck disable=SC2064 +trap cleanup_temp_files 0 + +# Source configuration file +# shellcheck disable=SC1091 +test -f /etc/evocheck.cf && . /etc/evocheck.cf + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + --version) + show_version + exit 0 + ;; + --cron) + IS_KERNELUPTODATE=0 + IS_UPTIME=0 + IS_MELTDOWN_SPECTRE=0 + IS_CHECK_VERSIONS=0 + IS_NETWORKING_SERVICE=0 + ;; + -v|--verbose) + VERBOSE=1 + ;; + -q|--quiet) + QUIET=1 + VERBOSE=0 + ;; + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + if [ "${QUIET}" != 1 ]; then + printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2 + fi + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +# shellcheck disable=SC2086 +main ${ARGS} diff --git a/evocheck/tasks/install.yml b/evocheck/tasks/install.yml index 7d4a0e6a..c996542e 100644 --- a/evocheck/tasks/install.yml +++ b/evocheck/tasks/install.yml @@ -15,9 +15,24 @@ tags: - evocheck +- name: Script for Debian 7 and earlier + set_fact: + evocheck_script_src: evocheck.wheezy.sh + when: ansible_distribution_major_version is version('7', '<=') + +- name: Script for Debian 8 + set_fact: + evocheck_script_src: evocheck.jessie.sh + when: ansible_distribution_major_version is version('8', '=') + +- name: Script for Debian 9 and later + set_fact: + evocheck_script_src: evocheck.sh + when: ansible_distribution_major_version is version('9', '>=') + - name: Copy evocheck.sh copy: - src: evocheck.sh + src: "{{ evocheck_script_src }}" dest: "{{ evocheck_bin_dir }}/evocheck.sh" mode: "0700" owner: root From cd2c1931b154cfe7730e3867e9d28b66f815c9a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Mon, 28 Nov 2022 17:16:28 +0100 Subject: [PATCH 46/72] keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) --- CHANGELOG.md | 1 + keepalived/files/check_keepalived | 27 +++++++++++++++------------ 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6fa86d5d..e24bbd8e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -40,6 +40,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * squid: whitelist deb.freexian.com * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version +* keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) ### Fixed diff --git a/keepalived/files/check_keepalived b/keepalived/files/check_keepalived index e518e99e..a457551d 100644 --- a/keepalived/files/check_keepalived +++ b/keepalived/files/check_keepalived @@ -18,35 +18,38 @@ MASTER='true' # checking if there are alive keepalived processes so we can trust the content of the notify 'state' file KEEPALIVENUM=`ps uax|grep '/usr/sbin/keepalived'|grep -v grep|wc -l|tr -d "\n"` -if [ $KEEPALIVENUM -gt 0 ]; then +if [ ${KEEPALIVENUM} -gt 0 ]; then KEEPALIVESTATE=`cat /var/run/keepalive.state` - if [ "$MASTER" == "true" ]; then + if [ "${MASTER}" == "true" ]; then - if [[ $KEEPALIVESTATE == *"MASTER"* ]];then - echo $KEEPALIVESTATE + if [[ ${KEEPALIVESTATE} == *"MASTER"* ]];then + echo "OK - ${KEEPALIVESTATE}" exit 0 fi - if [[ $KEEPALIVESTATE == *"BACKUP"* ]];then - echo $KEEPALIVESTATE - exit 2 + if [[ ${KEEPALIVESTATE} == *"BACKUP"* ]];then + echo "WARNING - ${KEEPALIVESTATE}" + exit 1 fi else - if [[ $KEEPALIVESTATE == *"BACKUP"* ]];then - echo $KEEPALIVESTATE + if [[ ${KEEPALIVESTATE} == *"BACKUP"* ]];then + echo "OK - ${KEEPALIVESTATE}" exit 0 fi - if [[ $KEEPALIVESTATE == *"MASTER"* ]];then - echo $KEEPALIVESTATE - exit 2 + if [[ ${KEEPALIVESTATE} == *"MASTER"* ]];then + echo "WARNING - ${KEEPALIVESTATE}" + exit 1 fi fi +else + echo "CRITICAL - keepalived is not running" + exit 2 fi echo "Keepalived is in UNKNOWN state" From cca072425b9f035afa4fd028e5233921d1c34db0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Thu, 1 Dec 2022 16:55:28 +0100 Subject: [PATCH 47/72] openvpn: shellpki upstream release 22.12 --- CHANGELOG.md | 1 + openvpn/files/shellpki/cert-expirations.sh | 136 ++++++++++++++++++--- openvpn/files/shellpki/openssl.cnf | 2 + openvpn/files/shellpki/shellpki | 29 +++-- 4 files changed, 137 insertions(+), 31 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e24bbd8e..089f1346 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,6 +41,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version * keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) +* openvpn: shellpki upstream release 22.12 ### Fixed diff --git a/openvpn/files/shellpki/cert-expirations.sh b/openvpn/files/shellpki/cert-expirations.sh index 9e27dcc7..dbb25357 100644 --- a/openvpn/files/shellpki/cert-expirations.sh +++ b/openvpn/files/shellpki/cert-expirations.sh @@ -1,26 +1,124 @@ #!/bin/sh -carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2) +VERSION="22.12" -if [ "$carp" = "backup" ]; then - exit 0 -fi +show_version() { + cat <, + Jérémy Lecour , + Jérémy Dubois + and others. -echo "CA certificate:" -openssl x509 -enddate -noout -in /etc/shellpki/cacert.pem \ - | cut -d '=' -f 2 \ - | sed -e "s/^\(.*\)\ \(20..\).*/- \2 \1/" +cert-expirations.sh comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the MIT Licence for details. +END +} -echo "" +show_usage() { + cat </dev/null | grep 'status' | cut -d' ' -f2) + + if [ "$carp" = "backup" ]; then + exit 0 + fi + fi + + cacert_path="/etc/openvpn/ssl/ca/cacert.pem" + index_path="/etc/openvpn/ssl/ca/index.txt" + somedays="3456000" # 40 days currently + expired_certs="" + expiring_soon_certs="" + still_valid_certs="" + + case "$1" in + version|--version) + show_version + exit 0 + ;; + + help|--help) + show_usage + exit 0 + ;; + + "") + echo "Warning : all times are in UTC !" + echo "" + check_ca_expiration + echo "" + check_certs_expiration + ;; + + *) + show_usage >&2 + exit 1 + ;; + esac +} + +main "$@" diff --git a/openvpn/files/shellpki/openssl.cnf b/openvpn/files/shellpki/openssl.cnf index 2c87f10d..5e1e3c83 100644 --- a/openvpn/files/shellpki/openssl.cnf +++ b/openvpn/files/shellpki/openssl.cnf @@ -1,3 +1,5 @@ +# VERSION="22.04" + [ ca ] default_ca = CA_default diff --git a/openvpn/files/shellpki/shellpki b/openvpn/files/shellpki/shellpki index 5d139866..5e7169c9 100755 --- a/openvpn/files/shellpki/shellpki +++ b/openvpn/files/shellpki/shellpki @@ -5,7 +5,7 @@ set -u -VERSION="22.04" +VERSION="22.12" show_version() { cat </dev/null 2>&1 } get_real_path() { # --canonicalize is supported on Linux - # -f is supported on Linux and OpenBSD + # -f is supported on Linux and OpenBSD readlink -f -- "${1}" } @@ -227,6 +227,7 @@ init() { [ -d "${CA_DIR}" ] || mkdir -m 0750 "${CA_DIR}" [ -d "${CRT_DIR}" ] || mkdir -m 0750 "${CRT_DIR}" [ -f "${INDEX_FILE}" ] || touch "${INDEX_FILE}" + [ -f "${INDEX_FILE}.attr" ] || touch "${INDEX_FILE}.attr" [ -f "${CRL}" ] || touch "${CRL}" [ -f "${SERIAL}" ] || echo "01" > "${SERIAL}" @@ -278,17 +279,18 @@ init() { passout_arg="" if [ -n "${CA_PASSWORD:-}" ]; then - passout_arg="-passout pass:${CA_PASSWORD}" + passout_arg="-pass pass:${CA_PASSWORD}" elif [ "${non_interactive}" -eq 1 ]; then error "In non-interactive mode, you must pass CA_PASSWORD as environment variable." fi if [ ! -f "${CA_KEY}" ]; then - "${OPENSSL_BIN}" genrsa \ + "${OPENSSL_BIN}" genpkey \ + -algorithm RSA \ -out "${CA_KEY}" \ ${passout_arg} \ -aes256 \ - "${CA_KEY_LENGTH}" \ + -pkeyopt "rsa_keygen_bits:${CA_KEY_LENGTH}" \ >/dev/null 2>&1 # shellcheck disable=SC2181 if [ "$?" -ne 0 ]; then @@ -355,9 +357,10 @@ ocsp() { port=$(echo "${ocsp_uri}" | cut -d':' -f2) if [ ! -f "${OCSP_KEY}" ]; then - "${OPENSSL_BIN}" genrsa \ + "${OPENSSL_BIN}" genpkey \ + -algorithm RSA \ -out "${OCSP_KEY}" \ - "${KEY_LENGTH}" \ + -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \ >/dev/null 2>&1 # shellcheck disable=SC2181 if [ "$?" -ne 0 ]; then @@ -680,17 +683,19 @@ create() { # generate private key pass_args="" if [ -n "${password_file:-}" ]; then - pass_args="-aes256 -passout file:${password_file}" + pass_args="-aes256 -pass file:${password_file}" elif [ -n "${PASSWORD:-}" ]; then - pass_args="-aes256 -passout pass:${PASSWORD}" + pass_args="-aes256 -pass pass:${PASSWORD}" fi - "${OPENSSL_BIN}" genrsa \ + "${OPENSSL_BIN}" genpkey \ + -algorithm RSA \ -out "${key_file}" \ ${pass_args} \ - "${KEY_LENGTH}" \ + -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \ >/dev/null 2>&1 # shellcheck disable=SC2181 if [ "$?" -eq 0 ]; then + chmod 600 "${key_file}" echo "The KEY file is available at \`${key_file}'" else error "Error generating the private key" From a1bad43b252b0326dff91917a299533760fc52e7 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 2 Dec 2022 15:17:42 +0100 Subject: [PATCH 48/72] Drop unsigned repository when adding a signed one --- docker-host/tasks/main.yml | 6 ++++++ elasticsearch/tasks/packages.yml | 10 ++++++++++ evolinux-base/tasks/hardware.yml | 14 ++++++++++++++ filebeat/tasks/main.yml | 10 ++++++++++ fluentd/tasks/main.yml | 10 ++++++++++ jenkins/tasks/main.yml | 7 +++++++ kibana/tasks/main.yml | 10 ++++++++++ logstash/tasks/main.yml | 10 ++++++++++ metricbeat/tasks/main.yml | 10 ++++++++++ mongodb/tasks/main_bullseye.yml | 9 ++++++++- mongodb/tasks/main_buster.yml | 9 ++++++++- mongodb/tasks/main_jessie.yml | 9 ++++++++- newrelic/tasks/sources.yml | 7 +++++++ nodejs/tasks/main.yml | 11 +++++++++++ nodejs/tasks/yarn.yml | 12 ++++++++++++ php/tasks/sury_pre.yml | 6 ++++++ postgresql/tasks/pgdg-repo.yml | 6 ++++++ 17 files changed, 153 insertions(+), 3 deletions(-) diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index c60763d8..b73fde0b 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -31,6 +31,12 @@ state: present filename: docker.list +- name: Drop unsigned Docker repository + apt_repository: + repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + state: absent + filename: docker.list + - name: Install Docker apt: name: diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index bb5b99da..097d85e5 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -48,6 +48,16 @@ - elasticsearch - packages +- name: Unsigned Elastic sources list is not available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - elasticsearch + - packages + - name: Elasticsearch is installed apt: name: elasticsearch diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 146cf455..7ebecc82 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -96,6 +96,13 @@ tags: - packages + - name: Remove unsigned HPE repository + apt_repository: + repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' + state: absent + tags: + - packages + - name: Install HPE Smart Storage Administrator (ssacli) apt: name: ssacli @@ -224,6 +231,13 @@ tags: - packages + - name: Remove unsigned HW tool repository + apt_repository: + repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' + state: absent + tags: + - packages + - name: Install packages for DELL/LSI hardware apt: name: diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index cde924b1..fa24a893 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -48,6 +48,16 @@ - filebeat - packages +- name: Unsigned Elastic sources list is not available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - filebeat + - packages + - name: Filebeat is installed apt: name: filebeat diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 9248db97..09f93082 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -40,6 +40,16 @@ - packages - fluentd +- name: Unsigned Fluentd sources list is not available + apt_repository: + repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" + filename: treasuredata + update_cache: yes + state: absent + tags: + - packages + - fluentd + - name: Fluentd is installed. apt: name: td-agent diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 4346ef1e..956892f4 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -32,6 +32,13 @@ filename: jenkins update_cache: yes +- name: Remove unsigned jenkins APT repository + apt_repository: + repo: deb http://pkg.jenkins-ci.org/debian-stable binary/ + filename: jenkins + update_cache: yes + state: absent + - name: Install Jenkins apt: name: jenkins diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 5e9b0016..e6377dde 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -48,6 +48,16 @@ - kibana - packages +- name: Unsigned Elastic sources list is not available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - kibana + - packages + - name: Kibana is installed apt: name: kibana diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 6b46ce69..d1f4b2da 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -48,6 +48,16 @@ - logstash - packages +- name: Unsigned Elastic sources list is not available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - logstash + - packages + - name: Logstash is installed apt: name: logstash diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 021b4ae2..71d65022 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -48,6 +48,16 @@ - metricbeat - packages +- name: Elastic sources list is available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - metricbeat + - packages + - name: Metricbeat is installed apt: name: metricbeat diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 4c654ae6..cd8bb15f 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -27,13 +27,20 @@ owner: root group: root -- name: enable APT sources list +- name: Enable APT sources list apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes +- name: Disable unsigned APT sources list + apt_repository: + repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" + state: absent + filename: "mongodb-org-{{mongodb_version}}" + update_cache: yes + - name: Install packages apt: name: mongodb-org diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index d2d96a3f..5d2024c8 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -21,13 +21,20 @@ owner: root group: root -- name: enable APT sources list +- name: Enable APT sources list apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes +- name: Disable unsigned APT sources list + apt_repository: + repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" + state: absent + filename: "mongodb-org-{{mongodb_version}}" + update_cache: yes + - name: Install packages apt: name: mongodb-org diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index 8c13e0e4..7fdb3df5 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml @@ -21,13 +21,20 @@ owner: root group: root -- name: enable APT sources list +- name: Enable APT sources list apt_repository: repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes +- name: Disable APT sources list + apt_repository: + repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main" + state: absent + filename: "mongodb-org-{{mongodb_version}}" + update_cache: yes + - name: Install packages apt: name: mongodb-org diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index ad3545ae..cda58a85 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -27,3 +27,10 @@ state: present filename: newrelic update_cache: yes + +- name: Desinstall unsigned NewRelic repository + apt_repository: + repo: "deb http://apt.newrelic.com/debian/ newrelic non-free" + state: absent + filename: newrelic + update_cache: yes diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index cdd733f2..1bd6d38f 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -52,6 +52,17 @@ - packages - nodejs +- name: Unsigned NodeJS sources list ({{ nodejs_apt_version }}) is not available + apt_repository: + repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" + filename: nodesource + update_cache: yes + state: absent + tags: + - system + - packages + - nodejs + - name: NodeJS is installed apt: name: nodejs diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index f4f2dc37..5d585c42 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -47,6 +47,18 @@ - nodejs - yarn +- name: Unsigned Yarn sources list is not available + apt_repository: + repo: "deb https://dl.yarnpkg.com/debian/ stable main" + filename: yarn + update_cache: yes + state: absent + tags: + - system + - packages + - nodejs + - yarn + - name: Yarn is installed apt: name: yarn diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index eca1d4d6..a1dcbb0e 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -24,6 +24,12 @@ filename: sury state: present +- name: Setup deb.sury.org repository - Remove unsigned source list + apt_repository: + repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" + filename: sury + state: absent + - name: "Override package list for Sury (Debian 9 or later)" set_fact: php_stretch_packages: diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 69374502..f03ae52f 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -34,6 +34,12 @@ repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" update_cache: yes +- name: Remove unsigned PGDG repository + apt_repository: + repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" + update_cache: yes + state: absent + - name: Add APT preference file template: src: postgresql.pref.j2 From fafff25c202095e7d140fb70ba6c4c7461bb1c05 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 1 Dec 2022 18:18:25 +0100 Subject: [PATCH 49/72] =?UTF-8?q?Add=20=E2=80=9Cwhen:=20not=20ansible=5Fch?= =?UTF-8?q?eck=5Fmode=E2=80=9D=20to=20allow=20more=20--check?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apache/handlers/main.yml | 3 +++ apache/tasks/auth.yml | 3 +++ apache/tasks/ip_whitelist.yml | 1 + apache/tasks/log2mail.yml | 1 + apache/tasks/main.yml | 6 ++++++ apache/tasks/munin.yml | 3 +++ apache/tasks/server_status.yml | 7 +++++++ etc-git/tasks/main.yml | 5 ++++- etc-git/tasks/repositories.yml | 2 +- etc-git/tasks/repository.yml | 4 +++- evoacme/handlers/main.yml | 5 +++++ evocheck/tasks/exec.yml | 4 +++- evolinux-base/tasks/default_www.yml | 1 + evolinux-base/tasks/hardware.yml | 8 +++++++- evolinux-base/tasks/log2mail.yml | 2 ++ evolinux-base/tasks/packages.yml | 4 +++- evolinux-base/tasks/postfix.yml | 14 +++++++++++--- evolinux-users/tasks/user.yml | 2 ++ haproxy/handlers/main.yml | 3 +++ haproxy/tasks/main.yml | 2 ++ lxc-php/tasks/php74.yml | 1 + lxc-php/tasks/php80.yml | 1 + lxc-php/tasks/php81.yml | 1 + lxc/tasks/create-container.yml | 6 ++++++ lxc/tasks/main.yml | 2 ++ minifirewall/tasks/config.yml | 22 ++++++++++++++++++---- munin/handlers/main.yml | 4 +++- munin/tasks/main.yml | 4 ++++ mysql/tasks/datadir.yml | 1 + mysql/tasks/logdir.yml | 1 + mysql/tasks/packages_jessie.yml | 1 + mysql/tasks/packages_stretch.yml | 3 ++- mysql/tasks/utils.yml | 3 ++- nagios-nrpe/handlers/main.yml | 2 ++ ntpd/tasks/main.yml | 1 + packweb-apache/tasks/apache.yml | 6 +++++- packweb-apache/tasks/awstats.yml | 4 ++++ packweb-apache/tasks/main.yml | 3 +++ packweb-apache/tasks/multiphp.yml | 1 + packweb-apache/tasks/phpmyadmin.yml | 5 +++++ php/handlers/main.yml | 5 +++++ php/tasks/config_cli.yml | 2 ++ php/tasks/main_bookworm.yml | 4 ++++ php/tasks/main_bullseye.yml | 4 ++++ php/tasks/main_buster.yml | 4 ++++ php/tasks/main_jessie.yml | 4 ++++ php/tasks/main_stretch.yml | 4 ++++ php/tasks/sury_post.yml | 3 +++ proftpd/handlers/main.yml | 1 + proftpd/tasks/main.yml | 2 ++ squid/handlers/main.yml | 7 +++++++ squid/tasks/main.yml | 1 + webapps/evoadmin-web/tasks/ftp.yml | 1 + webapps/evoadmin-web/tasks/main.yml | 5 ++++- webapps/evoadmin-web/tasks/ssl.yml | 1 + webapps/evoadmin-web/tasks/user.yml | 8 ++++++-- 56 files changed, 188 insertions(+), 20 deletions(-) diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index 96daa368..931e9c94 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -3,13 +3,16 @@ service: name: apache2 state: restarted + when: not ansible_check_mode - name: reload apache service: name: apache2 state: reloaded + when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted + when: not ansible_check_mode diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index fd01517c..bebd39e9 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -22,6 +22,7 @@ state: present tags: - apache + when: not ansible_check_mode - name: Copy private_htpasswd copy: @@ -44,6 +45,7 @@ notify: reload apache tags: - apache + when: not ansible_check_mode - name: remove user:pwd from private htpasswd lineinfile: @@ -54,3 +56,4 @@ notify: reload apache tags: - apache + when: not ansible_check_mode diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index 18f4a681..a40d6075 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml @@ -10,6 +10,7 @@ tags: - apache - ips + when: not ansible_check_mode - name: remove IP addresses from private IP whitelist lineinfile: diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index 3b0650b7..daf59db9 100644 --- a/apache/tasks/log2mail.yml +++ b/apache/tasks/log2mail.yml @@ -6,6 +6,7 @@ state: present tags: - apache + when: not ansible_check_mode - name: Add log2mail config for Apache segfaults template: diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 1a028205..f6763278 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -53,6 +53,7 @@ notify: reload apache tags: - apache + when: not ansible_check_mode - name: basic modules are enabled apache2_module: @@ -64,6 +65,7 @@ when: apache_mpm == "prefork" or apache_mpm == "itk" tags: - apache + when: not ansible_check_mode - name: Copy Apache defaults config file @@ -133,6 +135,7 @@ when: apache_evolinux_default_enabled | bool tags: - apache + when: not ansible_check_mode - include: server_status.yml tags: @@ -158,6 +161,7 @@ when: envvar_grep_umask.rc != 0 tags: - apache + when: not ansible_check_mode - include_role: name: evolix/remount-usr @@ -190,6 +194,7 @@ replace: "{{ apache_logrotate_frequency }}" tags: - apache + when: not ansible_check_mode - name: "logrotate: rotate {{ apache_logrotate_rotate }}" replace: @@ -198,6 +203,7 @@ replace: '\1 {{ apache_logrotate_rotate }}' tags: - apache + when: not ansible_check_mode - include: log2mail.yml when: apache_log2mail_include diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index fe07a5cf..b9602511 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -23,6 +23,7 @@ tags: - apache - munin + when: not ansible_check_mode - name: "Install fcgi packages for Munin graphs" apt: @@ -43,6 +44,7 @@ tags: - apache - munin + when: not ansible_check_mode - name: "Apache has access to /var/log/munin/" file: @@ -51,3 +53,4 @@ tags: - apache - munin + when: not ansible_check_mode diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index efd2b00e..fa54090f 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -26,10 +26,12 @@ changed_when: False check_mode: no register: new_apache_serverstatus_suffix + when: not ansible_check_mode - name: overwrite apache_serverstatus_suffix set_fact: apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}" + when: not ansible_check_mode - debug: var: apache_serverstatus_suffix @@ -40,12 +42,14 @@ dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ apache_serverstatus_suffix }}" + when: not ansible_check_mode - name: add server-status suffix in default site index if missing replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ apache_serverstatus_suffix }}"' + when: not ansible_check_mode - name: add server-status suffix in default VHost replace: @@ -53,12 +57,14 @@ regexp: '' replace: '' notify: reload apache + when: not ansible_check_mode - name: Munin configuration has a section for apache lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "[apache_*]" create: no + when: not ansible_check_mode - name: apache-status URL is configured for Munin lineinfile: @@ -68,3 +74,4 @@ insertafter: "[apache_*]" create: no notify: restart munin-node + when: not ansible_check_mode diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index f71ba552..e29d249f 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -8,6 +8,7 @@ - etc-git when: - ansible_distribution == "Debian" + - not ansible_check_mode - name: Install and configure utilities include: utils.yml @@ -18,4 +19,6 @@ include: repositories.yml tags: - etc-git - when: etc_git_config_repositories | bool \ No newline at end of file + when: + - etc_git_config_repositories | bool + - not ansible_check_mode diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index 71ff0665..27bba9c3 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -34,4 +34,4 @@ - _usr_share_scripts.stat.isdir - ansible_distribution_major_version is version('10', '>=') tags: - - etc-git \ No newline at end of file + - etc-git diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index 80987da2..b1619c03 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -22,6 +22,7 @@ value: "root@{{ ansible_fqdn | default('localhost') }}" tags: - etc-git + when: not ansible_check_mode - name: "{{ repository_path }}/.git is restricted to root" file: @@ -49,6 +50,7 @@ loop: "{{ gitignore_items | default([]) }}" tags: - etc-git + when: not ansible_check_mode - name: "does {{ repository_path }}/ have any commit?" command: "git log" @@ -70,4 +72,4 @@ register: git_commit when: git_log.rc != 0 or (git_init is defined and git_init is changed) tags: - - etc-git \ No newline at end of file + - etc-git diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml index 1ea11783..fb817eb7 100644 --- a/evoacme/handlers/main.yml +++ b/evoacme/handlers/main.yml @@ -1,14 +1,17 @@ - name: newaliases command: newaliases + when: not ansible_check_mode - name: Test Apache conf command: apache2ctl -t notify: "Reload Apache conf" + when: not ansible_check_mode - name: reload apache2 service: name: apache2 state: reloaded + when: not ansible_check_mode - name: apt update apt: @@ -18,8 +21,10 @@ service: name: squid3 state: reloaded + when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded + when: not ansible_check_mode diff --git a/evocheck/tasks/exec.yml b/evocheck/tasks/exec.yml index 306cf019..1338a97b 100644 --- a/evocheck/tasks/exec.yml +++ b/evocheck/tasks/exec.yml @@ -10,6 +10,8 @@ - debug: var: evocheck_run.stdout_lines - when: evocheck_run.stdout | length > 0 + when: + - not ansible_check_mode + - evocheck_run.stdout | length > 0 tags: - evocheck-exec diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 84580b54..4d8905b5 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -38,6 +38,7 @@ owner: root group: ssl-cert mode: "0640" + when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 7ebecc82..d8a966d8 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -43,7 +43,9 @@ state: present tags: - packages - when: ansible_virtualization_role == "host" + when: + - ansible_virtualization_role == "host" + - not ansible_check_mode ## RAID # Dell and others: MegaRAID SAS @@ -108,6 +110,7 @@ name: ssacli tags: - packages + when: not ansible_check_mode when: - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - "'Adaptec Smart Storage PQI' in raidmodel.stdout" @@ -134,6 +137,7 @@ state: present tags: - packages + when: not ansible_check_mode - name: cciss-vol-statusd init script is present (HP gen <10) template: @@ -246,6 +250,7 @@ allow_unauthenticated: yes tags: - packages + when: not ansible_check_mode - name: Configure packages for DELL/LSI hardware template: @@ -263,6 +268,7 @@ tags: - packages - config + when: not ansible_check_mode when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 35ce19cf..25937b3e 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -16,6 +16,7 @@ daemon-reload: yes state: started enabled: yes + when: not ansible_check_mode - name: log2mail config is present blockinfile: @@ -32,4 +33,5 @@ notify: restart log2mail tags: - log2mail + when: not ansible_check_mode diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index b4a1d666..ad72ed55 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -89,7 +89,9 @@ apt: name: serveur-base allow_unauthenticated: yes - when: evolinux_packages_serveur_base | bool + when: + - evolinux_packages_serveur_base | bool + - not ansible_check_mode - name: Install/Update packages for Stretch and later apt: diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 6a46548b..53017d1f 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -20,6 +20,7 @@ notify: reload postfix tags: - postfix + when: not ansible_check_mode - name: configure postfix mynetworks lineinfile: @@ -30,6 +31,7 @@ notify: reload postfix tags: - postfix + when: not ansible_check_mode - name: fetch users list shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" @@ -48,7 +50,9 @@ line: "{{ item }}: root" loop: "{{ non_root_users_list.stdout_lines }}" notify: newaliases - when: evolinux_postfix_users_alias_root | bool + when: + - evolinux_postfix_users_alias_root | bool + - not ansible_check_mode tags: - postfix @@ -65,7 +69,9 @@ - error - bounce notify: newaliases - when: evolinux_postfix_mailer_alias_root | bool + when: + - evolinux_postfix_mailer_alias_root | bool + - not ansible_check_mode tags: - postfix @@ -75,7 +81,9 @@ regexp: "^root:" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" notify: newaliases - when: evolinux_postfix_root_alias | bool + when: + - evolinux_postfix_root_alias | bool + - not ansible_check_mode tags: - postfix diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 0f8bd480..50af1812 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -161,6 +161,7 @@ insertafter: EOF line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' when: grep_profile_evomaintenance.rc != 0 + when: not ansible_check_mode # SSH keys @@ -192,5 +193,6 @@ when: - user.ssh_keys is defined - user.ssh_keys | length > 0 + - not ansible_check_mode - meta: flush_handlers diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml index 9cf3b9cb..24378067 100644 --- a/haproxy/handlers/main.yml +++ b/haproxy/handlers/main.yml @@ -3,13 +3,16 @@ service: name: haproxy state: reloaded + when: not ansible_check_mode - name: restart haproxy service: name: haproxy state: restarted + when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted + when: not ansible_check_mode diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index d38e83af..62664415 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -123,6 +123,7 @@ tags: - haproxy - logrotate + when: not ansible_check_mode - name: Rotate logs with nodelaycompress lineinfile: @@ -133,6 +134,7 @@ tags: - haproxy - logrotate + when: not ansible_check_mode - name: Set net.ipv4.ip_nonlocal_bind sysctl: diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 64677009..85211747 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -10,6 +10,7 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' + when: not ansible_check_mode - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index b0ff90fe..98b2c4d8 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -10,6 +10,7 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' + when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 91dc38e1..6ca43148 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -10,6 +10,7 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' + when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index ad4f35d6..b841bb67 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -4,6 +4,7 @@ changed_when: false check_mode: no register: container_exists + when: not ansible_check_mode - name: "Create container {{ name }}" lxc_container: @@ -13,6 +14,7 @@ state: stopped template_options: "--arch amd64 --release {{ release }}" when: container_exists.stdout_lines | length == 0 + when: not ansible_check_mode - name: "Disable network configuration inside container {{ name }}" replace: @@ -20,12 +22,14 @@ regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no when: lxc_network_type == "none" + when: not ansible_check_mode - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" when: lxc_network_type == "none" and release == "jessie" + when: not ansible_check_mode - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" file: @@ -44,6 +48,7 @@ lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/hosts" line: "127.0.0.1 {{ name }}" + when: not ansible_check_mode - name: "Fix permission on /dev for container {{ name }}" lineinfile: @@ -51,6 +56,7 @@ line: "chmod 755 /dev" insertbefore: "^exit 0$" when: release == 'jessie' + when: not ansible_check_mode - name: "Ensure that {{ name }} container is running" lxc_container: diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 3ec586bd..6f9f0875 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -48,6 +48,7 @@ changed_when: false check_mode: no register: check_fs_options + when: not ansible_check_mode - name: Check if options are correct assert: @@ -56,6 +57,7 @@ - "'noexec' not in check_fs_options.stdout" - "'nosuid' not in check_fs_options.stdout" msg: "LXC directory is in a filesystem with incompatible options" + when: not ansible_check_mode - name: Create containers include: create-container.yml diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index b0a1d7a6..ae38ff4d 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -30,6 +30,7 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no + when: not ansible_check_mode - name: End marker for IP addresses lineinfile: @@ -37,6 +38,7 @@ create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' + when: not ansible_check_mode - name: Verify that at least 1 trusted IP is provided assert: @@ -84,6 +86,7 @@ PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' create: no register: minifirewall_config_ips + when: not ansible_check_mode - name: Begin marker for ports lineinfile: @@ -91,6 +94,7 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no + when: not ansible_check_mode - name: End marker for ports lineinfile: @@ -98,6 +102,7 @@ line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no + when: not ansible_check_mode - name: Configure ports blockinfile: @@ -122,6 +127,7 @@ SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' create: no register: minifirewall_config_ports + when: not ansible_check_mode - name: Configure DNSSERVEURS lineinfile: @@ -193,7 +199,9 @@ line: "PROXY='{{ minifirewall_proxy }}'" regexp: "PROXY=('|\").*('|\")" create: no - when: minifirewall_proxy is not none + when: + - minifirewall_proxy is not none + - not ansible_check_mode - name: Configure PROXYPORT lineinfile: @@ -201,7 +209,9 @@ line: "PROXYPORT='{{ minifirewall_proxyport }}'" regexp: "PROXYPORT=('|\").*('|\")" create: no - when: minifirewall_proxyport is not none + when: + - minifirewall_proxyport is not none + - not ansible_check_mode # Warning: keep double quotes for the value, # since we often reference a shell variable that needs to be interpolated @@ -211,7 +221,9 @@ line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\"" regexp: "PROXYBYPASS=('|\").*('|\")" create: no - when: minifirewall_proxybypass is not none + when: + - minifirewall_proxyport is not none + - not ansible_check_mode - name: Configure BACKUPSERVERS lineinfile: @@ -219,7 +231,9 @@ line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'" regexp: "BACKUPSERVERS=('|\").*('|\")" create: no - when: minifirewall_backupservers is not none + when: + - minifirewall_backupservers is not none + - not ansible_check_mode - name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS lineinfile: diff --git a/munin/handlers/main.yml b/munin/handlers/main.yml index 8654181d..6dcd127d 100644 --- a/munin/handlers/main.yml +++ b/munin/handlers/main.yml @@ -4,12 +4,14 @@ service: name: munin-node state: restarted + when: not ansible_check_mode - name: restart munin_node service: name: munin_node state: restarted + when: not ansible_check_mode - name: systemd daemon-reload systemd: - daemon_reload: yes \ No newline at end of file + daemon_reload: yes diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index a4ea9a49..f4aab7c6 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -33,6 +33,7 @@ notify: restart munin-node when: not ansible_hostname == "localdomain" + when: not ansible_check_mode tags: - munin @@ -79,6 +80,7 @@ notify: restart munin-node tags: - munin + when: not ansible_check_mode - name: Enable sensors_ plugin on dedicated hardware file: @@ -92,6 +94,7 @@ notify: restart munin-node tags: - munin + when: not ansible_check_mode - name: Enable ipmi_ plugin on dedicated hardware file: @@ -105,6 +108,7 @@ - temp - power - volts + when: not ansible_check_mode - name: adjustments for grsec kernel blockinfile: diff --git a/mysql/tasks/datadir.yml b/mysql/tasks/datadir.yml index c375f5d5..da4af342 100644 --- a/mysql/tasks/datadir.yml +++ b/mysql/tasks/datadir.yml @@ -43,3 +43,4 @@ - mysql_custom_datadir | length > 0 - mysql_custom_datadir != mysql_current_real_datadir_test.stdout - not mysql_custom_datadir_test.stat.exists + - not ansible_check_mode diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml index bd6ecab2..1779667a 100644 --- a/mysql/tasks/logdir.yml +++ b/mysql/tasks/logdir.yml @@ -43,3 +43,4 @@ - mysql_custom_logdir | length > 0 - mysql_custom_logdir != mysql_current_real_logdir_test.stdout - not mysql_custom_logdir_test.stat.exists + - not ansible_check_mode diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 652eace7..99c89d8a 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -42,6 +42,7 @@ tags: - mysql - services + when: not ansible_check_mode - name: apg package is installed apt: diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 880f5050..34e4d2b6 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -28,6 +28,7 @@ tags: - mysql - services + when: not ansible_check_mode - name: apg package is installed apt: @@ -57,4 +58,4 @@ tags: - mysql - packages - when: ansible_python_version is version('3', '>=') \ No newline at end of file + when: ansible_python_version is version('3', '>=') diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 1ac8f2df..9ae7fd15 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -156,6 +156,7 @@ dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link when: mysql_cron_optimize | bool + when: not ansible_check_mode tags: - mysql @@ -248,4 +249,4 @@ mode: "0755" force: no tags: - - mysql \ No newline at end of file + - mysql diff --git a/nagios-nrpe/handlers/main.yml b/nagios-nrpe/handlers/main.yml index 25ab29ad..de27314f 100644 --- a/nagios-nrpe/handlers/main.yml +++ b/nagios-nrpe/handlers/main.yml @@ -4,8 +4,10 @@ service: name: nagios-nrpe-server state: restarted + when: not ansible_check_mode - name: restart nrpe service: name: nrpe state: restarted + when: not ansible_check_mode diff --git a/ntpd/tasks/main.yml b/ntpd/tasks/main.yml index 2d66d765..ae4a97c5 100644 --- a/ntpd/tasks/main.yml +++ b/ntpd/tasks/main.yml @@ -21,3 +21,4 @@ notify: restart ntp tags: - ntp + when: not ansible_check_mode diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 96c11e3a..c2efd93f 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -14,7 +14,9 @@ block: | # Used for Evoadmin-web export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - when: envvar_grep_path.rc != 0 + when: + - envvar_grep_path.rc != 0 + - not ansible_check_mode - name: Additional packages are installed apt: @@ -34,6 +36,7 @@ - negotiation - alias - log_forensic + when: not ansible_check_mode - name: Copy Apache settings for modules copy: @@ -60,3 +63,4 @@ loop: - evolinux-evasive - evolinux-modsec + when: not ansible_check_mode diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index 5ea0fa57..a423aaf8 100644 --- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml @@ -22,6 +22,7 @@ AllowFullYearView=3 ErrorMessages="An error occured. Contact your Administrator" mode: "0644" + when: not ansible_check_mode - name: Create conf-available/awstats-icon.conf file copy: @@ -39,6 +40,7 @@ register: command_result changed_when: "'Enabling' in command_result.stderr" notify: reload apache + when: not ansible_check_mode - name: Create awstats cron lineinfile: @@ -46,6 +48,7 @@ create: yes regexp: '-config=awstats' line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" + when: not ansible_check_mode - name: Comment default awstat cron's tasks lineinfile: @@ -54,3 +57,4 @@ line: '#\1' backrefs: yes state: present + when: not ansible_check_mode diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index ff3cd9a7..58b2047c 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -26,6 +26,7 @@ dest: /var/www/index.html line: '
  • Infos PHP
    • ' regexp: "Infos PHP" + when: not ansible_check_mode - name: install opcache.php copy: @@ -38,6 +39,7 @@ dest: /var/www/index.html line: '
  • Infos OpCache PHP
    • ' regexp: "Infos OpCache PHP" + when: not ansible_check_mode - name: Add elements to user account template file: @@ -64,6 +66,7 @@ loop: - access.log - error.log + when: not ansible_check_mode - name: "Install userlogrotate (jessie)" copy: diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 8a7c9613..80a6f34a 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml @@ -5,6 +5,7 @@ state: present name: proxy_fcgi notify: restart apache2 + when: not ansible_check_mode - include_role: name: remount-usr diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index f83b0a5d..9e894786 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -65,10 +65,12 @@ changed_when: False check_mode: no register: new_packweb_phpmyadmin_suffix + when: not ansible_check_mode - name: overwrite packweb_phpmyadmin_suffix set_fact: packweb_phpmyadmin_suffix: "{{ new_packweb_phpmyadmin_suffix.stdout }}" + when: not ansible_check_mode - debug: var: packweb_phpmyadmin_suffix @@ -86,15 +88,18 @@ Require all denied Include /etc/apache2/ipaddr_whitelist.conf + when: not ansible_check_mode - name: enable phpmyadmin link in default site index replace: dest: /var/www/index.html regexp: '' replace: '
  • Accès PhpMyAdmin
    • ' + when: not ansible_check_mode - name: replace phpmyadmin suffix in default site index replace: dest: /var/www/index.html regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ packweb_phpmyadmin_suffix }}" + when: not ansible_check_mode diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 079a14d5..75fe86ba 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -4,23 +4,28 @@ service: name: php5-fpm state: restarted + when: not ansible_check_mode - name: restart php7.0-fpm service: name: php7.0-fpm state: restarted + when: not ansible_check_mode - name: restart php7.3-fpm service: name: php7.3-fpm state: restarted + when: not ansible_check_mode - name: restart php7.4-fpm service: name: php7.4-fpm state: restarted + when: not ansible_check_mode - name: restart php8.1-fpm service: name: php8.1-fpm state: restarted + when: not ansible_check_mode diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index d327690a..19030c0c 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -25,6 +25,7 @@ file: dest: "{{ php_cli_custom_ini_file }}" mode: "0644" + when: not ansible_check_mode - name: "Set custom values for PHP to enable Symfony" ini_file: @@ -36,3 +37,4 @@ loop: - { option: "date.timezone", value: "Europe/Paris" } when: php_symfony_requirements | bool + when: not ansible_check_mode diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index 4dcde767..b9dd9ac2 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -79,12 +79,14 @@ with_items: - /etc/php - /etc/php/{{ php_version }} + when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 12)" file: dest: /etc/php/{{ php_version }}/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable @@ -94,6 +96,7 @@ dest: /etc/php/{{ php_version }}/fpm mode: "0755" when: php_fpm_enable + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable @@ -103,6 +106,7 @@ dest: /etc/php/{{ php_version }}/apache2 mode: "0755" when: php_apache_enable + when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 403a7b76..7d2d7e11 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -68,12 +68,14 @@ with_items: - /etc/php - /etc/php/7.4 + when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 11)" file: dest: /etc/php/7.4/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable @@ -83,6 +85,7 @@ dest: /etc/php/7.4/fpm mode: "0755" when: php_fpm_enable + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable @@ -92,6 +95,7 @@ dest: /etc/php/7.4/apache2 mode: "0755" when: php_apache_enable + when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index 2fc4293e..ff27e410 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -68,12 +68,14 @@ loop: - /etc/php - /etc/php/7.3 + when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 10)" file: dest: /etc/php/7.3/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -83,6 +85,7 @@ dest: /etc/php/7.3/fpm mode: "0755" when: php_fpm_enable | bool + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -92,6 +95,7 @@ dest: /etc/php/7.3/apache2 mode: "0755" when: php_apache_enable | bool + when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index 75105166..1082dcf5 100644 --- a/php/tasks/main_jessie.yml +++ b/php/tasks/main_jessie.yml @@ -56,6 +56,7 @@ file: dest: /etc/php5 mode: "0755" + when: not ansible_check_mode - include: config_cli.yml @@ -63,6 +64,7 @@ file: dest: /etc/php5/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -72,6 +74,7 @@ dest: /etc/php5/fpm mode: "0755" when: php_fpm_enable | bool + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -81,3 +84,4 @@ dest: /etc/php5/apache2 mode: "0755" when: php_apache_enable | bool + when: not ansible_check_mode diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 698621ac..6188877c 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -68,6 +68,7 @@ loop: - /etc/php - /etc/php/7.0 + when: not ansible_check_mode - include: config_cli.yml @@ -75,6 +76,7 @@ file: dest: /etc/php/7.0/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -84,6 +86,7 @@ dest: /etc/php/7.0/fpm mode: "0755" when: php_fpm_enable | bool + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -93,6 +96,7 @@ dest: /etc/php/7.0/apache2 mode: "0755" when: php_apache_enable | bool + when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index 4e706889..14ffabab 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml @@ -14,6 +14,7 @@ file: dest: /etc/php/7.4/cli mode: "0755" + when: not ansible_check_mode - name: Symlink Evolix Apache config files from 7.4 to 7.0 file: @@ -31,6 +32,7 @@ dest: /etc/php/7.4/apache2 mode: "0755" when: php_apache_enable | bool + when: not ansible_check_mode - name: Symlink Evolix FPM config files from 7.4 to 7.0 file: @@ -50,3 +52,4 @@ dest: /etc/php/7.4/fpm mode: "0755" when: php_fpm_enable | bool + when: not ansible_check_mode diff --git a/proftpd/handlers/main.yml b/proftpd/handlers/main.yml index 0914d289..bffa7ede 100644 --- a/proftpd/handlers/main.yml +++ b/proftpd/handlers/main.yml @@ -3,3 +3,4 @@ service: name: proftpd state: restarted + when: not ansible_check_mode diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 9ddb6273..d4fe03f4 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -70,6 +70,7 @@ notify: restart proftpd tags: - proftpd + when: not ansible_check_mode - name: Put empty vpasswd file if missing copy: @@ -92,6 +93,7 @@ notify: restart proftpd tags: - proftpd + when: not ansible_check_mode - include: accounts.yml when: proftpd_accounts | length > 0 diff --git a/squid/handlers/main.yml b/squid/handlers/main.yml index 4f5329b9..675a9dbd 100644 --- a/squid/handlers/main.yml +++ b/squid/handlers/main.yml @@ -3,31 +3,38 @@ service: name: munin-node state: restarted + when: not ansible_check_mode - name: restart squid service: name: squid state: restarted + when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded + when: not ansible_check_mode - name: restart squid3 service: name: squid3 state: restarted + when: not ansible_check_mode - name: reload squid3 service: name: squid3 state: reloaded + when: not ansible_check_mode - name: restart log2mail service: name: log2mail state: restarted + when: not ansible_check_mode - name: restart minifirewall command: /etc/init.d/minifirewall restart + when: not ansible_check_mode diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 4a3cab4d..540e56d9 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -121,6 +121,7 @@ when: - squid_localproxy_enable | bool - ansible_distribution_major_version is version('9', '>=') + - not ansible_check_mode - name: "evolinux custom overrides (Debian 9 or later)" copy: diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml index 98f275ff..074b38fb 100644 --- a/webapps/evoadmin-web/tasks/ftp.yml +++ b/webapps/evoadmin-web/tasks/ftp.yml @@ -10,3 +10,4 @@ remote_src: False src: ftp/evolinux.conf.diff dest: /etc/proftpd/conf.d/z-evolinux.conf + when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml index 1acb2aa5..d9589548 100644 --- a/webapps/evoadmin-web/tasks/main.yml +++ b/webapps/evoadmin-web/tasks/main.yml @@ -3,7 +3,9 @@ - name: "Ensure that evoadmin_contact_email is defined" fail: msg: Please configure var evoadmin_contact_email - when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0 + when: + - evoadmin_contact_email is none or evoadmin_contact_email | length == 0 + - not ansible_check_mode - include: packages.yml @@ -23,3 +25,4 @@ marker: "" block: |
  • Interface admin web (EvoAdmin-web)
    • + when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml index 6bdf1421..eb7a31cd 100644 --- a/webapps/evoadmin-web/tasks/ssl.yml +++ b/webapps/evoadmin-web/tasks/ssl.yml @@ -17,6 +17,7 @@ owner: root group: ssl-cert mode: "0640" + when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index bbad1b8f..fa61b830 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -54,7 +54,9 @@ dest: "{{ evoadmin_document_root }}" version: jessie update: False - when: ansible_distribution_release == "jessie" + when: + - ansible_distribution_release == "jessie" + - not ansible_check_mode - name: "Clone evoadmin repository (Debian 9 or later)" git: @@ -62,7 +64,9 @@ dest: "{{ evoadmin_document_root }}" version: master update: False - when: ansible_distribution_major_version is version('9', '>=') + when: + - ansible_distribution_major_version is version('9', '>=') + - not ansible_check_mode - name: Change ownership on git repository file: From 5e63340aa9aea99989b27a88025853c447b5de35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Fri, 2 Dec 2022 18:05:56 +0100 Subject: [PATCH 50/72] openvpn: shellpki upstream release 22.12.1 --- openvpn/files/shellpki/cert-expirations.sh | 26 ++++++++++++---------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/openvpn/files/shellpki/cert-expirations.sh b/openvpn/files/shellpki/cert-expirations.sh index dbb25357..b0cfc09a 100644 --- a/openvpn/files/shellpki/cert-expirations.sh +++ b/openvpn/files/shellpki/cert-expirations.sh @@ -1,6 +1,6 @@ #!/bin/sh -VERSION="22.12" +VERSION="22.12.1" show_version() { cat </dev/null | grep 'status' | cut -d' ' -f2) + + if [ "$carp" = "backup" ]; then + exit 0 + fi + fi +} + check_ca_expiration() { echo "CA certificate:" openssl x509 -enddate -noout -in ${cacert_path} \ @@ -79,17 +89,8 @@ check_certs_expiration() { main() { SYSTEM=$(uname | tr '[:upper:]' '[:lower:]') - - if [ "${SYSTEM}" = "openbsd" ]; then - carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2) - - if [ "$carp" = "backup" ]; then - exit 0 - fi - fi - - cacert_path="/etc/openvpn/ssl/ca/cacert.pem" - index_path="/etc/openvpn/ssl/ca/index.txt" + cacert_path="/etc/shellpki/cacert.pem" + index_path="/etc/shellpki/index.txt" somedays="3456000" # 40 days currently expired_certs="" expiring_soon_certs="" @@ -107,6 +108,7 @@ main() { ;; "") + check_carp_state echo "Warning : all times are in UTC !" echo "" check_ca_expiration From 6cc3e03864965c5d2805bd3c4e47853ebdccb88f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Mon, 5 Dec 2022 09:50:29 +0100 Subject: [PATCH 51/72] openvpn: specifies that the mail for expirations is for OpenVPN --- CHANGELOG.md | 1 + openvpn/tasks/debian.yml | 2 +- openvpn/tasks/openbsd.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 089f1346..e69a5b72 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -42,6 +42,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: systemd override depends on Varnish version instead of Debian version * keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) * openvpn: shellpki upstream release 22.12 +* openvpn: specifies that the mail for expirations is for OpenVPN ### Fixed diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 55ca2f8e..9c809cfd 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -261,7 +261,7 @@ cron: name: "OpenVPN certificates expiration" special_time: monthly - job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' + job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password set_fact: diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index f5d9e4ff..7dc75b83 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -189,7 +189,7 @@ cron: name: "OpenVPN certificates expiration" special_time: monthly - job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' + job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password set_fact: From 22f30b59f2ba8e18addee08737ade01f1d8d7097 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 5 Dec 2022 14:22:08 +0100 Subject: [PATCH 52/72] certbot: auto-detect HAPEE version in renewal hook --- CHANGELOG.md | 1 + certbot/files/hooks/deploy/hapee.sh | 23 ++++++++++++----------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e69a5b72..a4c3b3f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* certbot: auto-detect HAPEE version in renewal hook * evocheck: install script according to Debian version * evolinux-base: utils.yml can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) diff --git a/certbot/files/hooks/deploy/hapee.sh b/certbot/files/hooks/deploy/hapee.sh index a8acdea9..89b04452 100644 --- a/certbot/files/hooks/deploy/hapee.sh +++ b/certbot/files/hooks/deploy/hapee.sh @@ -10,7 +10,17 @@ debug() { fi } daemon_found_and_running() { - test -n "$(pidof hapee-lb)" && test -n "${hapee_bin}" + readonly hapee_main_pid=$(ps -u root u | grep hapee-lb | grep -v grep | awk '{print $2}') + if [ -n "${hapee_main_pid}" ] && [ -d "/proc/${hapee_main_pid}" ] ; then + readonly hapee_bin=$(readlink "/proc/${hapee_main_pid}/exe") + readonly hapee_config_file=$(cat "/proc/${hapee_main_pid}/cmdline" | tr "\0" " " | grep --only-matching --extended-regexp -- "-f \S+" | awk '{print $2}') + readonly hapee_pid_file=$(cat "/proc/${hapee_main_pid}/cmdline" | tr "\0" " " | grep --only-matching --extended-regexp -- "-p \S+" | awk '{print $2}') + readonly hapee_service_name="$(basename -s .pid "${hapee_pid_file}").service" + + kill -0 "${hapee_main_pid}" && test -n "${hapee_bin}" && test -f "${hapee_config_file}" && systemctl -q is-active "${hapee_service_name}" + else + return 1 + fi } found_renewed_lineage() { test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" @@ -40,12 +50,6 @@ detect_hapee_cert_dir() { if [ -n "${config_cert_dir}" ]; then debug "Cert directory is configured with ${config_cert_dir}" echo "${config_cert_dir}" - elif [ -d "/etc/haproxy/ssl" ]; then - debug "No configured cert directory found, but /etc/haproxy/ssl exists" - echo "/etc/haproxy/ssl" - elif [ -d "/etc/ssl/haproxy" ]; then - debug "No configured cert directory found, but /etc/ssl/haproxy exists" - echo "/etc/ssl/haproxy" else error "Cert directory not found." fi @@ -56,7 +60,6 @@ main() { fi if daemon_found_and_running; then - readonly hapee_config_file="/etc/hapee-2.4/hapee-lb.cfg" readonly hapee_cert_dir=$(detect_hapee_cert_dir) if found_renewed_lineage; then @@ -72,7 +75,7 @@ main() { if config_check; then debug "HAPEE detected... reloading" - systemctl reload hapee-2.4-lb.service + systemctl reload "${hapee_service_name}" else error "HAPEE config is broken, you must fix it !" fi @@ -88,6 +91,4 @@ readonly PROGNAME=$(basename "$0") readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly hapee_bin="/opt/hapee-2.4/sbin/hapee-lb" - main From 982112bd64f11ac411543b29bec90148662dfbfb Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Wed, 7 Dec 2022 15:46:40 +0100 Subject: [PATCH 53/72] rabbitmq: add link in default page --- CHANGELOG.md | 1 + rabbitmq/tasks/main.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a4c3b3f6..a82c636a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: check_haproxy_stats supports DRAIN status * packweb-apache: enable log_forensic module * varnish: create special tmp directory for syntax validation +* rabbitmq: add link in default page ### Changed diff --git a/rabbitmq/tasks/main.yml b/rabbitmq/tasks/main.yml index c8e49407..a3438adc 100644 --- a/rabbitmq/tasks/main.yml +++ b/rabbitmq/tasks/main.yml @@ -47,3 +47,9 @@ - include: munin.yml when: etc_munin_directory.stat.exists + +- name: entry for RabbitMQ in web page is present + lineinfile: + dest: /var/www/index.html + insertbefore: '' + line: '
  • RabbitMQ
    • ' From 3c2369a3a291916bcf232de78db6001f79ac0a35 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Dec 2022 21:04:33 +0100 Subject: [PATCH 54/72] listupgrade: better detection for PostgreSQL --- CHANGELOG.md | 1 + listupgrade/files/listupgrade.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a82c636a..521fb2a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-user: Add sudoers privilege for chck php\_fpm81 * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified +* listupgrade: better detection for PostgreSQL * lxc-solr: detect the real partition options * lxc-solr: download URL according to Solr Version * lxc-solr: set homedir and port at install diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index 74a673aa..df19b173 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh @@ -240,7 +240,7 @@ main() { echo "MySQL" >>"${servicesToRestart}" elif echo "${pkg}" | grep -q "^mariadb-server"; then echo "MariaDB" >>"${servicesToRestart}" - elif echo "${pkg}" | grep -qE "^postgresql-[[:digit:]]+\.[[:digit:]]+$"; then + elif echo "${pkg}" | grep -qE "^postgresql-[[:digit:]]+(\.[[:digit:]]+)?$"; then echo "PostgreSQL" >>"${servicesToRestart}" elif echo "${pkg}" | grep -qE "^tomcat[[:digit:]]+$"; then echo "Tomcat" >>"${servicesToRestart}" From ce361c6819c510f39a36de754856f596e9ba74f0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Dec 2022 21:05:12 +0100 Subject: [PATCH 55/72] listupgrade: sort/uniq of packages/services lists in email template --- CHANGELOG.md | 1 + listupgrade/files/listupgrade.sh | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 521fb2a8..8b6e6388 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified * listupgrade: better detection for PostgreSQL +* listupgrade: sort/uniq of packages/services lists in email template * lxc-solr: detect the real partition options * lxc-solr: download URL according to Solr Version * lxc-solr: set homedir and port at install diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index df19b173..3e1baa39 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh @@ -100,15 +100,15 @@ semaine prochaine. Voici la listes de packages qui seront mis à jour : -$(cat "${packages}") +$(cat "${packages}" | sort | uniq) Liste des packages dont la mise-à-jour a été manuellement suspendue : -$(cat "${packagesHold}") +$(cat "${packagesHold}" | sort | uniq) Liste des services qui seront redémarrés : -$(cat "${servicesToRestart}") +$(cat "${servicesToRestart}" | sort | uniq) N'hésitez pas à nous faire toute remarque sur ce créneau d'intervention le plus tôt possible. From e4158005089825f4d5a4fee43295eba35c758cec Mon Sep 17 00:00:00 2001 From: Bruno Tatu Date: Thu, 8 Dec 2022 17:17:32 +0100 Subject: [PATCH 56/72] Run if there are enough place --- fail2ban/templates/fail2ban_dbpurge.j2 | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 index 1611bcbd..528c44bb 100644 --- a/fail2ban/templates/fail2ban_dbpurge.j2 +++ b/fail2ban/templates/fail2ban_dbpurge.j2 @@ -1,3 +1,11 @@ #!/bin/sh -# Juin 2022 : #64088 -/usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE date('now', '-{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }}') > datetime(timeofban, 'unixepoch'); VACUUM;" +# Juin - Decembre 2022 : #64088 +# Purge pour Stretch et Buster + +place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 ) +place_pris=$( echo "$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" |bc ) + +if [ $place_pris -lt $place_dispo ] +then + /usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }} second') > datetime(timeofban, 'unixepoch'); VACUUM;" +fi From 101c2828469c608d503d1db3fa2ec20d1085a388 Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Thu, 8 Dec 2022 17:32:53 +0100 Subject: [PATCH 57/72] proftpd: Fix format of public key files controlled by ansible The comments used by ansible's blockinfile module break the format expected by proftpd for public ssh keys, making them unusable. Replace with a template, we will just have to accept that we need to use ansible for all changes to these file. --- CHANGELOG.md | 1 + proftpd/tasks/accounts.yml | 10 +++++----- proftpd/templates/authorized_keys.j2 | 3 +++ 3 files changed, 9 insertions(+), 5 deletions(-) create mode 100644 proftpd/templates/authorized_keys.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b6e6388..af42fcb4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,6 +53,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-user: Fix sudoers privilege for check php\_fpm80 * nagios-nrpe: Fix check opendkim for recent change in listening port * varnish: fix missing state, that blocked the task +* proftpd: Fix format of public key files controlled by ansible ### Removed diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml index 0ff57272..833cc1c1 100644 --- a/proftpd/tasks/accounts.yml +++ b/proftpd/tasks/accounts.yml @@ -62,13 +62,13 @@ - proftpd - name: Allow keys for SFTP account - blockinfile: - dest: "/etc/proftpd/sftp.authorized_keys/{{ item.name }}" - state: present - block: "{{ item.sshkeys }}" - create: yes + template: + dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}" + src: authorized_keys.j2 mode: 0600 loop: "{{ proftpd_accounts_final }}" + loop_control: + loop_var: _proftpd_account notify: restart proftpd when: - proftpd_sftp_enable | bool diff --git a/proftpd/templates/authorized_keys.j2 b/proftpd/templates/authorized_keys.j2 new file mode 100644 index 00000000..620e50f9 --- /dev/null +++ b/proftpd/templates/authorized_keys.j2 @@ -0,0 +1,3 @@ +{%- for key in _proftpd_account.sshkeys %} +{{ key }} +{%- endfor %} From bc1facd1ba89b381c612b7500d3127f6bdbe7bee Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Fri, 9 Dec 2022 10:19:51 +0100 Subject: [PATCH 58/72] proftpd: Fix mode of public key files and directory --- CHANGELOG.md | 1 + proftpd/tasks/accounts.yml | 2 +- proftpd/tasks/main.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index af42fcb4..fa4175fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -54,6 +54,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: Fix check opendkim for recent change in listening port * varnish: fix missing state, that blocked the task * proftpd: Fix format of public key files controlled by ansible +* proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody) ### Removed diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml index 833cc1c1..4db814ef 100644 --- a/proftpd/tasks/accounts.yml +++ b/proftpd/tasks/accounts.yml @@ -65,7 +65,7 @@ template: dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}" src: authorized_keys.j2 - mode: 0600 + mode: 0644 loop: "{{ proftpd_accounts_final }}" loop_control: loop_var: _proftpd_account diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index d4fe03f4..f29fbd81 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -52,7 +52,7 @@ file: path: /etc/proftpd/sftp.authorized_keys/ state: directory - mode: "0700" + mode: "0755" owner: root group: root notify: restart proftpd From 4e7a46c9c3ada50015f5ba326a78ffbf5e324848 Mon Sep 17 00:00:00 2001 From: Bruno Tatu Date: Mon, 12 Dec 2022 11:02:31 +0100 Subject: [PATCH 59/72] Run VACUUM where there are enough space and always delete old IPs --- fail2ban/templates/fail2ban_dbpurge.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 index 528c44bb..3de092a3 100644 --- a/fail2ban/templates/fail2ban_dbpurge.j2 +++ b/fail2ban/templates/fail2ban_dbpurge.j2 @@ -2,10 +2,12 @@ # Juin - Decembre 2022 : #64088 # Purge pour Stretch et Buster +/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ bantime.stdout }} second') > datetime(timeofban, 'unixepoch');" + place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 ) place_pris=$( echo "$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" |bc ) if [ $place_pris -lt $place_dispo ] then - /usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }} second') > datetime(timeofban, 'unixepoch'); VACUUM;" + /usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "VACUUM;" fi From ce5e4b12c68b378628f94b7aacabdec76da0b59a Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 12 Dec 2022 11:53:55 +0100 Subject: [PATCH 60/72] Apache: Drop duplicate when keys --- apache/tasks/main.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index f6763278..acbde71c 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -62,10 +62,11 @@ loop: - cgi notify: reload apache - when: apache_mpm == "prefork" or apache_mpm == "itk" + when: + - apache_mpm == "prefork" or apache_mpm == "itk" + - not ansible_check_mode tags: - apache - when: not ansible_check_mode - name: Copy Apache defaults config file @@ -132,10 +133,11 @@ state: link force: yes notify: reload apache - when: apache_evolinux_default_enabled | bool + when: + - apache_evolinux_default_enabled | bool + - not ansible_check_mode tags: - apache - when: not ansible_check_mode - include: server_status.yml tags: @@ -158,10 +160,11 @@ ## Set umask for writing by Apache user. ## Set rights on files and directories written by Apache umask 007 - when: envvar_grep_umask.rc != 0 + when: + - envvar_grep_umask.rc != 0 + - not ansible_check_mode tags: - apache - when: not ansible_check_mode - include_role: name: evolix/remount-usr From b02400fd846dd53e9c26a1bb464790cad74dff13 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 12 Dec 2022 12:36:29 +0100 Subject: [PATCH 61/72] php: (partial) fix duplicate when --- php/tasks/main_bullseye.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 7d2d7e11..9b1fdf33 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -84,8 +84,9 @@ file: dest: /etc/php/7.4/fpm mode: "0755" - when: php_fpm_enable - when: not ansible_check_mode + when: + - php_fpm_enable + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable @@ -94,8 +95,9 @@ file: dest: /etc/php/7.4/apache2 mode: "0755" - when: php_apache_enable - when: not ansible_check_mode + when: + - php_apache_enable + - not ansible_check_mode - include: sury_post.yml when: php_sury_enable From d4f58b9395096039e6cb14419cf4ca9ff15ff319 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 12 Dec 2022 14:29:07 +0100 Subject: [PATCH 62/72] Drop duplicate when keys introduced in fafff25c202095e7d140fb70ba6c4c7461bb1c05 --- evolinux-users/tasks/user.yml | 5 +++-- lxc/tasks/create-container.yml | 20 ++++++++++++-------- munin/tasks/main.yml | 5 +++-- mysql/tasks/utils.yml | 5 +++-- php/tasks/config_cli.yml | 5 +++-- php/tasks/main_bookworm.yml | 10 ++++++---- php/tasks/main_buster.yml | 10 ++++++---- php/tasks/main_jessie.yml | 10 ++++++---- php/tasks/main_stretch.yml | 10 ++++++---- php/tasks/sury_post.yml | 10 ++++++---- 10 files changed, 54 insertions(+), 36 deletions(-) diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 50af1812..d6bcde9b 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -160,8 +160,9 @@ dest: '/home/{{ user.name }}/.profile' insertafter: EOF line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - when: grep_profile_evomaintenance.rc != 0 - when: not ansible_check_mode + when: + - grep_profile_evomaintenance.rc != 0 + - not ansible_check_mode # SSH keys diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index b841bb67..24e009f9 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -13,23 +13,26 @@ template: debian state: stopped template_options: "--arch amd64 --release {{ release }}" - when: container_exists.stdout_lines | length == 0 - when: not ansible_check_mode + when: + - container_exists.stdout_lines | length == 0 + - not ansible_check_mode - name: "Disable network configuration inside container {{ name }}" replace: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/networking" regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no - when: lxc_network_type == "none" - when: not ansible_check_mode + when: + - lxc_network_type == "none" + - not ansible_check_mode - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" - when: lxc_network_type == "none" and release == "jessie" - when: not ansible_check_mode + when: + - lxc_network_type == "none" and release == "jessie" + - not ansible_check_mode - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" file: @@ -55,8 +58,9 @@ name: "/var/lib/lxc/{{ name }}/rootfs/etc/rc.local" line: "chmod 755 /dev" insertbefore: "^exit 0$" - when: release == 'jessie' - when: not ansible_check_mode + when: + - release == 'jessie' + - not ansible_check_mode - name: "Ensure that {{ name }} container is running" lxc_container: diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index f4aab7c6..93f50e07 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -32,8 +32,9 @@ removes: /var/lib/munin/localdomain notify: restart munin-node - when: not ansible_hostname == "localdomain" - when: not ansible_check_mode + when: + - not ansible_hostname == "localdomain" + - not ansible_check_mode tags: - munin diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 9ae7fd15..e3fe76da 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -155,8 +155,9 @@ src: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link - when: mysql_cron_optimize | bool - when: not ansible_check_mode + when: + - mysql_cron_optimize | bool + - not ansible_check_mode tags: - mysql diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index 19030c0c..e4fac4a7 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -36,5 +36,6 @@ mode: "0644" loop: - { option: "date.timezone", value: "Europe/Paris" } - when: php_symfony_requirements | bool - when: not ansible_check_mode + when: + - php_symfony_requirements | bool + - not ansible_check_mode diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index b9dd9ac2..49c91719 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -95,8 +95,9 @@ file: dest: /etc/php/{{ php_version }}/fpm mode: "0755" - when: php_fpm_enable - when: not ansible_check_mode + when: + - php_fpm_enable + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable @@ -105,8 +106,9 @@ file: dest: /etc/php/{{ php_version }}/apache2 mode: "0755" - when: php_apache_enable - when: not ansible_check_mode + when: + - php_apache_enable + - not ansible_check_mode - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index ff27e410..eff2dc8f 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -84,8 +84,9 @@ file: dest: /etc/php/7.3/fpm mode: "0755" - when: php_fpm_enable | bool - when: not ansible_check_mode + when: + - php_fpm_enable | bool + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -94,8 +95,9 @@ file: dest: /etc/php/7.3/apache2 mode: "0755" - when: php_apache_enable | bool - when: not ansible_check_mode + when: + - php_apache_enable | bool + - not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index 1082dcf5..a5aecdb7 100644 --- a/php/tasks/main_jessie.yml +++ b/php/tasks/main_jessie.yml @@ -73,8 +73,9 @@ file: dest: /etc/php5/fpm mode: "0755" - when: php_fpm_enable | bool - when: not ansible_check_mode + when: + - php_fpm_enable | bool + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -83,5 +84,6 @@ file: dest: /etc/php5/apache2 mode: "0755" - when: php_apache_enable | bool - when: not ansible_check_mode + when: + - php_apache_enable | bool + - not ansible_check_mode diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 6188877c..6934fa6a 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -85,8 +85,9 @@ file: dest: /etc/php/7.0/fpm mode: "0755" - when: php_fpm_enable | bool - when: not ansible_check_mode + when: + - php_fpm_enable | bool + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -95,8 +96,9 @@ file: dest: /etc/php/7.0/apache2 mode: "0755" - when: php_apache_enable | bool - when: not ansible_check_mode + when: + - php_apache_enable | bool + - not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index 14ffabab..6855214b 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml @@ -31,8 +31,9 @@ file: dest: /etc/php/7.4/apache2 mode: "0755" - when: php_apache_enable | bool - when: not ansible_check_mode + when: + - php_apache_enable | bool + - not ansible_check_mode - name: Symlink Evolix FPM config files from 7.4 to 7.0 file: @@ -51,5 +52,6 @@ file: dest: /etc/php/7.4/fpm mode: "0755" - when: php_fpm_enable | bool - when: not ansible_check_mode + when: + - php_fpm_enable | bool + - not ansible_check_mode From 0722b84341984d8a1bfb2bc6ce330c20b49e16b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Tue, 13 Dec 2022 17:49:21 +0100 Subject: [PATCH 63/72] openvpn: shellpki upstream release 22.12.2 --- CHANGELOG.md | 2 +- openvpn/files/shellpki/openssl.cnf | 4 ++-- openvpn/files/shellpki/shellpki | 10 ++++++---- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa4175fb..034d7a6c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,7 +45,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version * keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) -* openvpn: shellpki upstream release 22.12 +* openvpn: shellpki upstream release 22.12.2 * openvpn: specifies that the mail for expirations is for OpenVPN ### Fixed diff --git a/openvpn/files/shellpki/openssl.cnf b/openvpn/files/shellpki/openssl.cnf index 5e1e3c83..48ab9bd5 100644 --- a/openvpn/files/shellpki/openssl.cnf +++ b/openvpn/files/shellpki/openssl.cnf @@ -1,4 +1,4 @@ -# VERSION="22.04" +# VERSION="22.12.2" [ ca ] default_ca = CA_default @@ -14,7 +14,7 @@ crl = $dir/crl.pem private_key = $dir/cakey.key RANDFILE = $dir/.rand default_days = 365 -default_crl_days= 365 +default_crl_days= 730 default_md = sha256 preserve = no policy = policy_match diff --git a/openvpn/files/shellpki/shellpki b/openvpn/files/shellpki/shellpki index 5e7169c9..ac1d263d 100755 --- a/openvpn/files/shellpki/shellpki +++ b/openvpn/files/shellpki/shellpki @@ -5,7 +5,7 @@ set -u -VERSION="22.12" +VERSION="22.12.2" show_version() { cat < Date: Tue, 13 Dec 2022 17:53:59 +0100 Subject: [PATCH 64/72] openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream --- CHANGELOG.md | 2 ++ openvpn/tasks/debian.yml | 10 ---------- openvpn/tasks/openbsd.yml | 10 ---------- 3 files changed, 2 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 034d7a6c..72f793e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -58,6 +58,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed +* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream + ### Security ## [22.09] 2022-09-19 diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 9c809cfd..463df8e9 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -77,16 +77,6 @@ - include_role: name: evolix/remount-usr -- name: Fix CRL rights in shellpki command - lineinfile: - dest: "/usr/local/sbin/shellpki" - regexp: '{{ item.regexp }}' - insertafter: "{{ item.insertafter }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } - - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' } - - name: Deploy OpenVPN server config template: src: "server.conf.j2" diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index 7dc75b83..a594e12d 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -60,16 +60,6 @@ path: /etc/shellpki/dh2048.pem size: 2048 -- name: Fix CRL rights in shellpki command - lineinfile: - dest: "/usr/local/sbin/shellpki" - regexp: '{{ item.regexp }}' - insertafter: "{{ item.insertafter }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } - - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' } - - name: Deploy OpenVPN server config template: src: "server.conf.j2" From 91b40ce72f659f7e7c91a30984f39184f7cc0f69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Tue, 13 Dec 2022 19:37:54 +0100 Subject: [PATCH 65/72] openvpn: Fix mode of shellpki script --- CHANGELOG.md | 1 + openvpn/tasks/debian.yml | 2 +- openvpn/tasks/openbsd.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72f793e6..1ca523a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -55,6 +55,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: fix missing state, that blocked the task * proftpd: Fix format of public key files controlled by ansible * proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody) +* openvpn: Fix mode of shellpki script ### Removed diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 463df8e9..b0201f0c 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -48,7 +48,7 @@ group: "{{ item.group }}" with_items: - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "shellpki", group: "shellpki" } - - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "root" } + - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "root" } - name: Add sudo rights lineinfile: diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index a594e12d..b0e629be 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -38,7 +38,7 @@ group: "{{ item.group }}" with_items: - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "_shellpki", group: "_shellpki" } - - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "wheel" } + - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "wheel" } - name: Add sudo rights lineinfile: From 1728eaee68118ac67477ae01c5c09486aa36b2f2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 07:38:04 +0100 Subject: [PATCH 66/72] =?UTF-8?q?Revert=20"Add=20=E2=80=9Cwhen:=20not=20an?= =?UTF-8?q?sible=5Fcheck=5Fmode=E2=80=9D=20to=20allow=20more=20--check"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit fafff25c202095e7d140fb70ba6c4c7461bb1c05. This reverts commit e64471c5a8084f95a8e6f955d3fa918c55b8e846. --- apache/handlers/main.yml | 3 --- apache/tasks/auth.yml | 3 --- apache/tasks/ip_whitelist.yml | 1 - apache/tasks/log2mail.yml | 1 - apache/tasks/main.yml | 18 ++++++------------ apache/tasks/munin.yml | 3 --- apache/tasks/server_status.yml | 7 ------- etc-git/tasks/main.yml | 5 +---- etc-git/tasks/repositories.yml | 2 +- etc-git/tasks/repository.yml | 4 +--- evoacme/handlers/main.yml | 5 ----- evocheck/tasks/exec.yml | 4 +--- evolinux-base/tasks/default_www.yml | 1 - evolinux-base/tasks/hardware.yml | 8 +------- evolinux-base/tasks/log2mail.yml | 2 -- evolinux-base/tasks/packages.yml | 4 +--- evolinux-base/tasks/postfix.yml | 14 +++----------- evolinux-users/tasks/user.yml | 5 +---- haproxy/handlers/main.yml | 3 --- haproxy/tasks/main.yml | 2 -- lxc-php/tasks/php74.yml | 1 - lxc-php/tasks/php80.yml | 1 - lxc-php/tasks/php81.yml | 1 - lxc/tasks/create-container.yml | 18 ++++-------------- lxc/tasks/main.yml | 2 -- minifirewall/tasks/config.yml | 22 ++++------------------ munin/handlers/main.yml | 4 +--- munin/tasks/main.yml | 7 +------ mysql/tasks/datadir.yml | 1 - mysql/tasks/logdir.yml | 1 - mysql/tasks/packages_jessie.yml | 1 - mysql/tasks/packages_stretch.yml | 3 +-- mysql/tasks/utils.yml | 6 ++---- nagios-nrpe/handlers/main.yml | 2 -- ntpd/tasks/main.yml | 1 - packweb-apache/tasks/apache.yml | 6 +----- packweb-apache/tasks/awstats.yml | 4 ---- packweb-apache/tasks/main.yml | 3 --- packweb-apache/tasks/multiphp.yml | 1 - packweb-apache/tasks/phpmyadmin.yml | 5 ----- php/handlers/main.yml | 5 ----- php/tasks/config_cli.yml | 5 +---- php/tasks/main_bookworm.yml | 10 ++-------- php/tasks/main_bullseye.yml | 10 ++-------- php/tasks/main_buster.yml | 10 ++-------- php/tasks/main_jessie.yml | 10 ++-------- php/tasks/main_stretch.yml | 10 ++-------- php/tasks/sury_post.yml | 9 ++------- proftpd/handlers/main.yml | 1 - proftpd/tasks/main.yml | 2 -- squid/handlers/main.yml | 7 ------- squid/tasks/main.yml | 1 - webapps/evoadmin-web/tasks/ftp.yml | 1 - webapps/evoadmin-web/tasks/main.yml | 5 +---- webapps/evoadmin-web/tasks/ssl.yml | 1 - webapps/evoadmin-web/tasks/user.yml | 8 ++------ 56 files changed, 46 insertions(+), 234 deletions(-) diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index 931e9c94..96daa368 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -3,16 +3,13 @@ service: name: apache2 state: restarted - when: not ansible_check_mode - name: reload apache service: name: apache2 state: reloaded - when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted - when: not ansible_check_mode diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index bebd39e9..fd01517c 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -22,7 +22,6 @@ state: present tags: - apache - when: not ansible_check_mode - name: Copy private_htpasswd copy: @@ -45,7 +44,6 @@ notify: reload apache tags: - apache - when: not ansible_check_mode - name: remove user:pwd from private htpasswd lineinfile: @@ -56,4 +54,3 @@ notify: reload apache tags: - apache - when: not ansible_check_mode diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index a40d6075..18f4a681 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml @@ -10,7 +10,6 @@ tags: - apache - ips - when: not ansible_check_mode - name: remove IP addresses from private IP whitelist lineinfile: diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index daf59db9..3b0650b7 100644 --- a/apache/tasks/log2mail.yml +++ b/apache/tasks/log2mail.yml @@ -6,7 +6,6 @@ state: present tags: - apache - when: not ansible_check_mode - name: Add log2mail config for Apache segfaults template: diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index acbde71c..39c8db24 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -53,7 +53,6 @@ notify: reload apache tags: - apache - when: not ansible_check_mode - name: basic modules are enabled apache2_module: @@ -62,11 +61,10 @@ loop: - cgi notify: reload apache - when: - - apache_mpm == "prefork" or apache_mpm == "itk" - - not ansible_check_mode + when: apache_mpm == "prefork" or apache_mpm == "itk" tags: - apache + when: not ansible_check_mode - name: Copy Apache defaults config file @@ -133,11 +131,10 @@ state: link force: yes notify: reload apache - when: - - apache_evolinux_default_enabled | bool - - not ansible_check_mode + when: apache_evolinux_default_enabled | bool tags: - apache + when: not ansible_check_mode - include: server_status.yml tags: @@ -160,11 +157,10 @@ ## Set umask for writing by Apache user. ## Set rights on files and directories written by Apache umask 007 - when: - - envvar_grep_umask.rc != 0 - - not ansible_check_mode + when: envvar_grep_umask.rc != 0 tags: - apache + when: not ansible_check_mode - include_role: name: evolix/remount-usr @@ -197,7 +193,6 @@ replace: "{{ apache_logrotate_frequency }}" tags: - apache - when: not ansible_check_mode - name: "logrotate: rotate {{ apache_logrotate_rotate }}" replace: @@ -206,7 +201,6 @@ replace: '\1 {{ apache_logrotate_rotate }}' tags: - apache - when: not ansible_check_mode - include: log2mail.yml when: apache_log2mail_include diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index b9602511..fe07a5cf 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -23,7 +23,6 @@ tags: - apache - munin - when: not ansible_check_mode - name: "Install fcgi packages for Munin graphs" apt: @@ -44,7 +43,6 @@ tags: - apache - munin - when: not ansible_check_mode - name: "Apache has access to /var/log/munin/" file: @@ -53,4 +51,3 @@ tags: - apache - munin - when: not ansible_check_mode diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index fa54090f..efd2b00e 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -26,12 +26,10 @@ changed_when: False check_mode: no register: new_apache_serverstatus_suffix - when: not ansible_check_mode - name: overwrite apache_serverstatus_suffix set_fact: apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}" - when: not ansible_check_mode - debug: var: apache_serverstatus_suffix @@ -42,14 +40,12 @@ dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ apache_serverstatus_suffix }}" - when: not ansible_check_mode - name: add server-status suffix in default site index if missing replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ apache_serverstatus_suffix }}"' - when: not ansible_check_mode - name: add server-status suffix in default VHost replace: @@ -57,14 +53,12 @@ regexp: '' replace: '' notify: reload apache - when: not ansible_check_mode - name: Munin configuration has a section for apache lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "[apache_*]" create: no - when: not ansible_check_mode - name: apache-status URL is configured for Munin lineinfile: @@ -74,4 +68,3 @@ insertafter: "[apache_*]" create: no notify: restart munin-node - when: not ansible_check_mode diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index e29d249f..f71ba552 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -8,7 +8,6 @@ - etc-git when: - ansible_distribution == "Debian" - - not ansible_check_mode - name: Install and configure utilities include: utils.yml @@ -19,6 +18,4 @@ include: repositories.yml tags: - etc-git - when: - - etc_git_config_repositories | bool - - not ansible_check_mode + when: etc_git_config_repositories | bool \ No newline at end of file diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index 27bba9c3..71ff0665 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -34,4 +34,4 @@ - _usr_share_scripts.stat.isdir - ansible_distribution_major_version is version('10', '>=') tags: - - etc-git + - etc-git \ No newline at end of file diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index b1619c03..80987da2 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -22,7 +22,6 @@ value: "root@{{ ansible_fqdn | default('localhost') }}" tags: - etc-git - when: not ansible_check_mode - name: "{{ repository_path }}/.git is restricted to root" file: @@ -50,7 +49,6 @@ loop: "{{ gitignore_items | default([]) }}" tags: - etc-git - when: not ansible_check_mode - name: "does {{ repository_path }}/ have any commit?" command: "git log" @@ -72,4 +70,4 @@ register: git_commit when: git_log.rc != 0 or (git_init is defined and git_init is changed) tags: - - etc-git + - etc-git \ No newline at end of file diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml index fb817eb7..1ea11783 100644 --- a/evoacme/handlers/main.yml +++ b/evoacme/handlers/main.yml @@ -1,17 +1,14 @@ - name: newaliases command: newaliases - when: not ansible_check_mode - name: Test Apache conf command: apache2ctl -t notify: "Reload Apache conf" - when: not ansible_check_mode - name: reload apache2 service: name: apache2 state: reloaded - when: not ansible_check_mode - name: apt update apt: @@ -21,10 +18,8 @@ service: name: squid3 state: reloaded - when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded - when: not ansible_check_mode diff --git a/evocheck/tasks/exec.yml b/evocheck/tasks/exec.yml index 1338a97b..306cf019 100644 --- a/evocheck/tasks/exec.yml +++ b/evocheck/tasks/exec.yml @@ -10,8 +10,6 @@ - debug: var: evocheck_run.stdout_lines - when: - - not ansible_check_mode - - evocheck_run.stdout | length > 0 + when: evocheck_run.stdout | length > 0 tags: - evocheck-exec diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 4d8905b5..84580b54 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -38,7 +38,6 @@ owner: root group: ssl-cert mode: "0640" - when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index d8a966d8..7ebecc82 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -43,9 +43,7 @@ state: present tags: - packages - when: - - ansible_virtualization_role == "host" - - not ansible_check_mode + when: ansible_virtualization_role == "host" ## RAID # Dell and others: MegaRAID SAS @@ -110,7 +108,6 @@ name: ssacli tags: - packages - when: not ansible_check_mode when: - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - "'Adaptec Smart Storage PQI' in raidmodel.stdout" @@ -137,7 +134,6 @@ state: present tags: - packages - when: not ansible_check_mode - name: cciss-vol-statusd init script is present (HP gen <10) template: @@ -250,7 +246,6 @@ allow_unauthenticated: yes tags: - packages - when: not ansible_check_mode - name: Configure packages for DELL/LSI hardware template: @@ -268,7 +263,6 @@ tags: - packages - config - when: not ansible_check_mode when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 25937b3e..35ce19cf 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -16,7 +16,6 @@ daemon-reload: yes state: started enabled: yes - when: not ansible_check_mode - name: log2mail config is present blockinfile: @@ -33,5 +32,4 @@ notify: restart log2mail tags: - log2mail - when: not ansible_check_mode diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index ad72ed55..b4a1d666 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -89,9 +89,7 @@ apt: name: serveur-base allow_unauthenticated: yes - when: - - evolinux_packages_serveur_base | bool - - not ansible_check_mode + when: evolinux_packages_serveur_base | bool - name: Install/Update packages for Stretch and later apt: diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 53017d1f..6a46548b 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -20,7 +20,6 @@ notify: reload postfix tags: - postfix - when: not ansible_check_mode - name: configure postfix mynetworks lineinfile: @@ -31,7 +30,6 @@ notify: reload postfix tags: - postfix - when: not ansible_check_mode - name: fetch users list shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" @@ -50,9 +48,7 @@ line: "{{ item }}: root" loop: "{{ non_root_users_list.stdout_lines }}" notify: newaliases - when: - - evolinux_postfix_users_alias_root | bool - - not ansible_check_mode + when: evolinux_postfix_users_alias_root | bool tags: - postfix @@ -69,9 +65,7 @@ - error - bounce notify: newaliases - when: - - evolinux_postfix_mailer_alias_root | bool - - not ansible_check_mode + when: evolinux_postfix_mailer_alias_root | bool tags: - postfix @@ -81,9 +75,7 @@ regexp: "^root:" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" notify: newaliases - when: - - evolinux_postfix_root_alias | bool - - not ansible_check_mode + when: evolinux_postfix_root_alias | bool tags: - postfix diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index d6bcde9b..0f8bd480 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -160,9 +160,7 @@ dest: '/home/{{ user.name }}/.profile' insertafter: EOF line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - when: - - grep_profile_evomaintenance.rc != 0 - - not ansible_check_mode + when: grep_profile_evomaintenance.rc != 0 # SSH keys @@ -194,6 +192,5 @@ when: - user.ssh_keys is defined - user.ssh_keys | length > 0 - - not ansible_check_mode - meta: flush_handlers diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml index 24378067..9cf3b9cb 100644 --- a/haproxy/handlers/main.yml +++ b/haproxy/handlers/main.yml @@ -3,16 +3,13 @@ service: name: haproxy state: reloaded - when: not ansible_check_mode - name: restart haproxy service: name: haproxy state: restarted - when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted - when: not ansible_check_mode diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 62664415..d38e83af 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -123,7 +123,6 @@ tags: - haproxy - logrotate - when: not ansible_check_mode - name: Rotate logs with nodelaycompress lineinfile: @@ -134,7 +133,6 @@ tags: - haproxy - logrotate - when: not ansible_check_mode - name: Set net.ipv4.ip_nonlocal_bind sysctl: diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 85211747..64677009 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -10,7 +10,6 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - when: not ansible_check_mode - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 98b2c4d8..b0ff90fe 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -10,7 +10,6 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 6ca43148..91dc38e1 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -10,7 +10,6 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index 24e009f9..ad4f35d6 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -4,7 +4,6 @@ changed_when: false check_mode: no register: container_exists - when: not ansible_check_mode - name: "Create container {{ name }}" lxc_container: @@ -13,26 +12,20 @@ template: debian state: stopped template_options: "--arch amd64 --release {{ release }}" - when: - - container_exists.stdout_lines | length == 0 - - not ansible_check_mode + when: container_exists.stdout_lines | length == 0 - name: "Disable network configuration inside container {{ name }}" replace: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/networking" regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no - when: - - lxc_network_type == "none" - - not ansible_check_mode + when: lxc_network_type == "none" - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" - when: - - lxc_network_type == "none" and release == "jessie" - - not ansible_check_mode + when: lxc_network_type == "none" and release == "jessie" - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" file: @@ -51,16 +44,13 @@ lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/hosts" line: "127.0.0.1 {{ name }}" - when: not ansible_check_mode - name: "Fix permission on /dev for container {{ name }}" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/rc.local" line: "chmod 755 /dev" insertbefore: "^exit 0$" - when: - - release == 'jessie' - - not ansible_check_mode + when: release == 'jessie' - name: "Ensure that {{ name }} container is running" lxc_container: diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 6f9f0875..3ec586bd 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -48,7 +48,6 @@ changed_when: false check_mode: no register: check_fs_options - when: not ansible_check_mode - name: Check if options are correct assert: @@ -57,7 +56,6 @@ - "'noexec' not in check_fs_options.stdout" - "'nosuid' not in check_fs_options.stdout" msg: "LXC directory is in a filesystem with incompatible options" - when: not ansible_check_mode - name: Create containers include: create-container.yml diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index ae38ff4d..b0a1d7a6 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -30,7 +30,6 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no - when: not ansible_check_mode - name: End marker for IP addresses lineinfile: @@ -38,7 +37,6 @@ create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' - when: not ansible_check_mode - name: Verify that at least 1 trusted IP is provided assert: @@ -86,7 +84,6 @@ PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' create: no register: minifirewall_config_ips - when: not ansible_check_mode - name: Begin marker for ports lineinfile: @@ -94,7 +91,6 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no - when: not ansible_check_mode - name: End marker for ports lineinfile: @@ -102,7 +98,6 @@ line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no - when: not ansible_check_mode - name: Configure ports blockinfile: @@ -127,7 +122,6 @@ SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' create: no register: minifirewall_config_ports - when: not ansible_check_mode - name: Configure DNSSERVEURS lineinfile: @@ -199,9 +193,7 @@ line: "PROXY='{{ minifirewall_proxy }}'" regexp: "PROXY=('|\").*('|\")" create: no - when: - - minifirewall_proxy is not none - - not ansible_check_mode + when: minifirewall_proxy is not none - name: Configure PROXYPORT lineinfile: @@ -209,9 +201,7 @@ line: "PROXYPORT='{{ minifirewall_proxyport }}'" regexp: "PROXYPORT=('|\").*('|\")" create: no - when: - - minifirewall_proxyport is not none - - not ansible_check_mode + when: minifirewall_proxyport is not none # Warning: keep double quotes for the value, # since we often reference a shell variable that needs to be interpolated @@ -221,9 +211,7 @@ line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\"" regexp: "PROXYBYPASS=('|\").*('|\")" create: no - when: - - minifirewall_proxyport is not none - - not ansible_check_mode + when: minifirewall_proxybypass is not none - name: Configure BACKUPSERVERS lineinfile: @@ -231,9 +219,7 @@ line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'" regexp: "BACKUPSERVERS=('|\").*('|\")" create: no - when: - - minifirewall_backupservers is not none - - not ansible_check_mode + when: minifirewall_backupservers is not none - name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS lineinfile: diff --git a/munin/handlers/main.yml b/munin/handlers/main.yml index 6dcd127d..8654181d 100644 --- a/munin/handlers/main.yml +++ b/munin/handlers/main.yml @@ -4,14 +4,12 @@ service: name: munin-node state: restarted - when: not ansible_check_mode - name: restart munin_node service: name: munin_node state: restarted - when: not ansible_check_mode - name: systemd daemon-reload systemd: - daemon_reload: yes + daemon_reload: yes \ No newline at end of file diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index 93f50e07..a4ea9a49 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -32,9 +32,7 @@ removes: /var/lib/munin/localdomain notify: restart munin-node - when: - - not ansible_hostname == "localdomain" - - not ansible_check_mode + when: not ansible_hostname == "localdomain" tags: - munin @@ -81,7 +79,6 @@ notify: restart munin-node tags: - munin - when: not ansible_check_mode - name: Enable sensors_ plugin on dedicated hardware file: @@ -95,7 +92,6 @@ notify: restart munin-node tags: - munin - when: not ansible_check_mode - name: Enable ipmi_ plugin on dedicated hardware file: @@ -109,7 +105,6 @@ - temp - power - volts - when: not ansible_check_mode - name: adjustments for grsec kernel blockinfile: diff --git a/mysql/tasks/datadir.yml b/mysql/tasks/datadir.yml index da4af342..c375f5d5 100644 --- a/mysql/tasks/datadir.yml +++ b/mysql/tasks/datadir.yml @@ -43,4 +43,3 @@ - mysql_custom_datadir | length > 0 - mysql_custom_datadir != mysql_current_real_datadir_test.stdout - not mysql_custom_datadir_test.stat.exists - - not ansible_check_mode diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml index 1779667a..bd6ecab2 100644 --- a/mysql/tasks/logdir.yml +++ b/mysql/tasks/logdir.yml @@ -43,4 +43,3 @@ - mysql_custom_logdir | length > 0 - mysql_custom_logdir != mysql_current_real_logdir_test.stdout - not mysql_custom_logdir_test.stat.exists - - not ansible_check_mode diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 99c89d8a..652eace7 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -42,7 +42,6 @@ tags: - mysql - services - when: not ansible_check_mode - name: apg package is installed apt: diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 34e4d2b6..880f5050 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -28,7 +28,6 @@ tags: - mysql - services - when: not ansible_check_mode - name: apg package is installed apt: @@ -58,4 +57,4 @@ tags: - mysql - packages - when: ansible_python_version is version('3', '>=') + when: ansible_python_version is version('3', '>=') \ No newline at end of file diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index e3fe76da..1ac8f2df 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -155,9 +155,7 @@ src: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link - when: - - mysql_cron_optimize | bool - - not ansible_check_mode + when: mysql_cron_optimize | bool tags: - mysql @@ -250,4 +248,4 @@ mode: "0755" force: no tags: - - mysql + - mysql \ No newline at end of file diff --git a/nagios-nrpe/handlers/main.yml b/nagios-nrpe/handlers/main.yml index de27314f..25ab29ad 100644 --- a/nagios-nrpe/handlers/main.yml +++ b/nagios-nrpe/handlers/main.yml @@ -4,10 +4,8 @@ service: name: nagios-nrpe-server state: restarted - when: not ansible_check_mode - name: restart nrpe service: name: nrpe state: restarted - when: not ansible_check_mode diff --git a/ntpd/tasks/main.yml b/ntpd/tasks/main.yml index ae4a97c5..2d66d765 100644 --- a/ntpd/tasks/main.yml +++ b/ntpd/tasks/main.yml @@ -21,4 +21,3 @@ notify: restart ntp tags: - ntp - when: not ansible_check_mode diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index c2efd93f..96c11e3a 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -14,9 +14,7 @@ block: | # Used for Evoadmin-web export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - when: - - envvar_grep_path.rc != 0 - - not ansible_check_mode + when: envvar_grep_path.rc != 0 - name: Additional packages are installed apt: @@ -36,7 +34,6 @@ - negotiation - alias - log_forensic - when: not ansible_check_mode - name: Copy Apache settings for modules copy: @@ -63,4 +60,3 @@ loop: - evolinux-evasive - evolinux-modsec - when: not ansible_check_mode diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index a423aaf8..5ea0fa57 100644 --- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml @@ -22,7 +22,6 @@ AllowFullYearView=3 ErrorMessages="An error occured. Contact your Administrator" mode: "0644" - when: not ansible_check_mode - name: Create conf-available/awstats-icon.conf file copy: @@ -40,7 +39,6 @@ register: command_result changed_when: "'Enabling' in command_result.stderr" notify: reload apache - when: not ansible_check_mode - name: Create awstats cron lineinfile: @@ -48,7 +46,6 @@ create: yes regexp: '-config=awstats' line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" - when: not ansible_check_mode - name: Comment default awstat cron's tasks lineinfile: @@ -57,4 +54,3 @@ line: '#\1' backrefs: yes state: present - when: not ansible_check_mode diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 58b2047c..ff3cd9a7 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -26,7 +26,6 @@ dest: /var/www/index.html line: '
  • Infos PHP
    • ' regexp: "Infos PHP" - when: not ansible_check_mode - name: install opcache.php copy: @@ -39,7 +38,6 @@ dest: /var/www/index.html line: '
  • Infos OpCache PHP
    • ' regexp: "Infos OpCache PHP" - when: not ansible_check_mode - name: Add elements to user account template file: @@ -66,7 +64,6 @@ loop: - access.log - error.log - when: not ansible_check_mode - name: "Install userlogrotate (jessie)" copy: diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 80a6f34a..8a7c9613 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml @@ -5,7 +5,6 @@ state: present name: proxy_fcgi notify: restart apache2 - when: not ansible_check_mode - include_role: name: remount-usr diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index 9e894786..f83b0a5d 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -65,12 +65,10 @@ changed_when: False check_mode: no register: new_packweb_phpmyadmin_suffix - when: not ansible_check_mode - name: overwrite packweb_phpmyadmin_suffix set_fact: packweb_phpmyadmin_suffix: "{{ new_packweb_phpmyadmin_suffix.stdout }}" - when: not ansible_check_mode - debug: var: packweb_phpmyadmin_suffix @@ -88,18 +86,15 @@ Require all denied Include /etc/apache2/ipaddr_whitelist.conf - when: not ansible_check_mode - name: enable phpmyadmin link in default site index replace: dest: /var/www/index.html regexp: '' replace: '
  • Accès PhpMyAdmin
    • ' - when: not ansible_check_mode - name: replace phpmyadmin suffix in default site index replace: dest: /var/www/index.html regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ packweb_phpmyadmin_suffix }}" - when: not ansible_check_mode diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 75fe86ba..079a14d5 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -4,28 +4,23 @@ service: name: php5-fpm state: restarted - when: not ansible_check_mode - name: restart php7.0-fpm service: name: php7.0-fpm state: restarted - when: not ansible_check_mode - name: restart php7.3-fpm service: name: php7.3-fpm state: restarted - when: not ansible_check_mode - name: restart php7.4-fpm service: name: php7.4-fpm state: restarted - when: not ansible_check_mode - name: restart php8.1-fpm service: name: php8.1-fpm state: restarted - when: not ansible_check_mode diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index e4fac4a7..d327690a 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -25,7 +25,6 @@ file: dest: "{{ php_cli_custom_ini_file }}" mode: "0644" - when: not ansible_check_mode - name: "Set custom values for PHP to enable Symfony" ini_file: @@ -36,6 +35,4 @@ mode: "0644" loop: - { option: "date.timezone", value: "Europe/Paris" } - when: - - php_symfony_requirements | bool - - not ansible_check_mode + when: php_symfony_requirements | bool diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index 49c91719..4dcde767 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -79,14 +79,12 @@ with_items: - /etc/php - /etc/php/{{ php_version }} - when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 12)" file: dest: /etc/php/{{ php_version }}/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable @@ -95,9 +93,7 @@ file: dest: /etc/php/{{ php_version }}/fpm mode: "0755" - when: - - php_fpm_enable - - not ansible_check_mode + when: php_fpm_enable - include: config_apache.yml when: php_apache_enable @@ -106,9 +102,7 @@ file: dest: /etc/php/{{ php_version }}/apache2 mode: "0755" - when: - - php_apache_enable - - not ansible_check_mode + when: php_apache_enable - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 9b1fdf33..403a7b76 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -68,14 +68,12 @@ with_items: - /etc/php - /etc/php/7.4 - when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 11)" file: dest: /etc/php/7.4/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable @@ -84,9 +82,7 @@ file: dest: /etc/php/7.4/fpm mode: "0755" - when: - - php_fpm_enable - - not ansible_check_mode + when: php_fpm_enable - include: config_apache.yml when: php_apache_enable @@ -95,9 +91,7 @@ file: dest: /etc/php/7.4/apache2 mode: "0755" - when: - - php_apache_enable - - not ansible_check_mode + when: php_apache_enable - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index eff2dc8f..2fc4293e 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -68,14 +68,12 @@ loop: - /etc/php - /etc/php/7.3 - when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 10)" file: dest: /etc/php/7.3/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -84,9 +82,7 @@ file: dest: /etc/php/7.3/fpm mode: "0755" - when: - - php_fpm_enable | bool - - not ansible_check_mode + when: php_fpm_enable | bool - include: config_apache.yml when: php_apache_enable | bool @@ -95,9 +91,7 @@ file: dest: /etc/php/7.3/apache2 mode: "0755" - when: - - php_apache_enable | bool - - not ansible_check_mode + when: php_apache_enable | bool - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index a5aecdb7..75105166 100644 --- a/php/tasks/main_jessie.yml +++ b/php/tasks/main_jessie.yml @@ -56,7 +56,6 @@ file: dest: /etc/php5 mode: "0755" - when: not ansible_check_mode - include: config_cli.yml @@ -64,7 +63,6 @@ file: dest: /etc/php5/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -73,9 +71,7 @@ file: dest: /etc/php5/fpm mode: "0755" - when: - - php_fpm_enable | bool - - not ansible_check_mode + when: php_fpm_enable | bool - include: config_apache.yml when: php_apache_enable | bool @@ -84,6 +80,4 @@ file: dest: /etc/php5/apache2 mode: "0755" - when: - - php_apache_enable | bool - - not ansible_check_mode + when: php_apache_enable | bool diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 6934fa6a..698621ac 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -68,7 +68,6 @@ loop: - /etc/php - /etc/php/7.0 - when: not ansible_check_mode - include: config_cli.yml @@ -76,7 +75,6 @@ file: dest: /etc/php/7.0/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -85,9 +83,7 @@ file: dest: /etc/php/7.0/fpm mode: "0755" - when: - - php_fpm_enable | bool - - not ansible_check_mode + when: php_fpm_enable | bool - include: config_apache.yml when: php_apache_enable | bool @@ -96,9 +92,7 @@ file: dest: /etc/php/7.0/apache2 mode: "0755" - when: - - php_apache_enable | bool - - not ansible_check_mode + when: php_apache_enable | bool - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index 6855214b..4e706889 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml @@ -14,7 +14,6 @@ file: dest: /etc/php/7.4/cli mode: "0755" - when: not ansible_check_mode - name: Symlink Evolix Apache config files from 7.4 to 7.0 file: @@ -31,9 +30,7 @@ file: dest: /etc/php/7.4/apache2 mode: "0755" - when: - - php_apache_enable | bool - - not ansible_check_mode + when: php_apache_enable | bool - name: Symlink Evolix FPM config files from 7.4 to 7.0 file: @@ -52,6 +49,4 @@ file: dest: /etc/php/7.4/fpm mode: "0755" - when: - - php_fpm_enable | bool - - not ansible_check_mode + when: php_fpm_enable | bool diff --git a/proftpd/handlers/main.yml b/proftpd/handlers/main.yml index bffa7ede..0914d289 100644 --- a/proftpd/handlers/main.yml +++ b/proftpd/handlers/main.yml @@ -3,4 +3,3 @@ service: name: proftpd state: restarted - when: not ansible_check_mode diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index f29fbd81..f45958a9 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -70,7 +70,6 @@ notify: restart proftpd tags: - proftpd - when: not ansible_check_mode - name: Put empty vpasswd file if missing copy: @@ -93,7 +92,6 @@ notify: restart proftpd tags: - proftpd - when: not ansible_check_mode - include: accounts.yml when: proftpd_accounts | length > 0 diff --git a/squid/handlers/main.yml b/squid/handlers/main.yml index 675a9dbd..4f5329b9 100644 --- a/squid/handlers/main.yml +++ b/squid/handlers/main.yml @@ -3,38 +3,31 @@ service: name: munin-node state: restarted - when: not ansible_check_mode - name: restart squid service: name: squid state: restarted - when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded - when: not ansible_check_mode - name: restart squid3 service: name: squid3 state: restarted - when: not ansible_check_mode - name: reload squid3 service: name: squid3 state: reloaded - when: not ansible_check_mode - name: restart log2mail service: name: log2mail state: restarted - when: not ansible_check_mode - name: restart minifirewall command: /etc/init.d/minifirewall restart - when: not ansible_check_mode diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 540e56d9..4a3cab4d 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -121,7 +121,6 @@ when: - squid_localproxy_enable | bool - ansible_distribution_major_version is version('9', '>=') - - not ansible_check_mode - name: "evolinux custom overrides (Debian 9 or later)" copy: diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml index 074b38fb..98f275ff 100644 --- a/webapps/evoadmin-web/tasks/ftp.yml +++ b/webapps/evoadmin-web/tasks/ftp.yml @@ -10,4 +10,3 @@ remote_src: False src: ftp/evolinux.conf.diff dest: /etc/proftpd/conf.d/z-evolinux.conf - when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml index d9589548..1acb2aa5 100644 --- a/webapps/evoadmin-web/tasks/main.yml +++ b/webapps/evoadmin-web/tasks/main.yml @@ -3,9 +3,7 @@ - name: "Ensure that evoadmin_contact_email is defined" fail: msg: Please configure var evoadmin_contact_email - when: - - evoadmin_contact_email is none or evoadmin_contact_email | length == 0 - - not ansible_check_mode + when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0 - include: packages.yml @@ -25,4 +23,3 @@ marker: "" block: |
  • Interface admin web (EvoAdmin-web)
    • - when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml index eb7a31cd..6bdf1421 100644 --- a/webapps/evoadmin-web/tasks/ssl.yml +++ b/webapps/evoadmin-web/tasks/ssl.yml @@ -17,7 +17,6 @@ owner: root group: ssl-cert mode: "0640" - when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index fa61b830..bbad1b8f 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -54,9 +54,7 @@ dest: "{{ evoadmin_document_root }}" version: jessie update: False - when: - - ansible_distribution_release == "jessie" - - not ansible_check_mode + when: ansible_distribution_release == "jessie" - name: "Clone evoadmin repository (Debian 9 or later)" git: @@ -64,9 +62,7 @@ dest: "{{ evoadmin_document_root }}" version: master update: False - when: - - ansible_distribution_major_version is version('9', '>=') - - not ansible_check_mode + when: ansible_distribution_major_version is version('9', '>=') - name: Change ownership on git repository file: From 34fefa12122de3a093d1df92b7455147e996b4ba Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 07:46:12 +0100 Subject: [PATCH 67/72] typos --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ca523a4..e8a249ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,7 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: install script according to Debian version * evolinux-base: utils.yml can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) -* evolinux-user: Add sudoers privilege for chck php\_fpm81 +* evolinux-user: Add sudoers privilege for check php\_fpm81 * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified * listupgrade: better detection for PostgreSQL @@ -44,7 +44,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * squid: whitelist deb.freexian.com * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version -* keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) +* keepalived: change exit code (warning if running but not on expected state ; critical if not running) * openvpn: shellpki upstream release 22.12.2 * openvpn: specifies that the mail for expirations is for OpenVPN From 1acd2f63db44e7832604eb81dbd5219def28211c Mon Sep 17 00:00:00 2001 From: Bruno Tatu Date: Wed, 14 Dec 2022 09:50:16 +0100 Subject: [PATCH 68/72] =?UTF-8?q?on=20enl=C3=A8ve=20bc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fail2ban/templates/fail2ban_dbpurge.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 index 3de092a3..ee984438 100644 --- a/fail2ban/templates/fail2ban_dbpurge.j2 +++ b/fail2ban/templates/fail2ban_dbpurge.j2 @@ -5,7 +5,7 @@ /usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ bantime.stdout }} second') > datetime(timeofban, 'unixepoch');" place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 ) -place_pris=$( echo "$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" |bc ) +place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) ) if [ $place_pris -lt $place_dispo ] then From ac85efe8aa9dc02bb1baaaba6b9499fc335d0049 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 14 Dec 2022 11:01:03 +0100 Subject: [PATCH 69/72] vrrpd: Small fix to work in check mode --- vrrpd/tasks/ip.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index 59594395..273c882e 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -17,4 +17,6 @@ daemon_reload: yes enabled: yes state: "{{ vrrp_address.state }}" - when: vrrp_systemd_unit is changed \ No newline at end of file + when: + - vrrp_systemd_unit is changed + - not ansible_check_mode \ No newline at end of file From 21ab9b1e68bb0dfff2848b88bd7ff65879843c24 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 11:30:35 +0100 Subject: [PATCH 70/72] Revert ce5e4b12c68b378628f94b7aacabdec76da0b59a --- apache/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 39c8db24..1a028205 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -64,7 +64,6 @@ when: apache_mpm == "prefork" or apache_mpm == "itk" tags: - apache - when: not ansible_check_mode - name: Copy Apache defaults config file @@ -134,7 +133,6 @@ when: apache_evolinux_default_enabled | bool tags: - apache - when: not ansible_check_mode - include: server_status.yml tags: @@ -160,7 +158,6 @@ when: envvar_grep_umask.rc != 0 tags: - apache - when: not ansible_check_mode - include_role: name: evolix/remount-usr From 240ccee12b37b6e7f85ad32cd128d8929319caf1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 11:37:38 +0100 Subject: [PATCH 71/72] Release 22.12 --- CHANGELOG.md | 47 +++++++++++++++++++++++++++++------------------ 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e8a249ad..1de94487 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,56 +12,67 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* all: Use proper keyrings directory for APT version -* all: Add signed-by option for additional APT sources +### Changed + +### Fixed + +### Removed + +### Security + +## [22.12] 2022-12-14 + +### Added + +* all: add signed-by option for additional APT sources * all: preliminary work to support Debian 12 +* all: use proper keyrings directory for APT version * evolinux-base: replace regular kernel by cloud kernel on virtual servers -* lxc-php: set php-fpm umask to 007 -* nagios-nrpe: check_ceph_* -* nagios-nrpe: check_haproxy_stats supports DRAIN status -* packweb-apache: enable log_forensic module -* varnish: create special tmp directory for syntax validation +* lxc-php: set php-fpm umask to `007` +* nagios-nrpe: `check_ceph_*` +* nagios-nrpe: `check_haproxy_stats` supports DRAIN status +* packweb-apache: enable `log_forensic` module * rabbitmq: add link in default page +* varnish: create special tmp directory for syntax validation ### Changed * certbot: auto-detect HAPEE version in renewal hook * evocheck: install script according to Debian version -* evolinux-base: utils.yml can be excluded +* evolinux-base: `utils.yml` can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) -* evolinux-user: Add sudoers privilege for check php\_fpm81 +* evolinux-user: add sudoers privilege for check `php_fpm81` * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified +* keepalived: change exit code (_warning_ if running but not on expected state ; _critical_ if not running) * listupgrade: better detection for PostgreSQL * listupgrade: sort/uniq of packages/services lists in email template * lxc-solr: detect the real partition options * lxc-solr: download URL according to Solr Version * lxc-solr: set homedir and port at install * minifirewall: whitelist deb.freexian.com +* openvpn: shellpki upstream release 22.12.2 +* openvpn: specifies that the mail for expirations is for OpenVPN * packweb-apache: manual dependencies resolution * redis: some values should be quoted * redis: variable to disable transparent hugepage (default: do nothing) -* squid: whitelist deb.freexian.com +* squid: whitelist `deb.freexian.com` * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version -* keepalived: change exit code (warning if running but not on expected state ; critical if not running) -* openvpn: shellpki upstream release 22.12.2 -* openvpn: specifies that the mail for expirations is for OpenVPN ### Fixed -* evolinux-user: Fix sudoers privilege for check php\_fpm80 +* evolinux-user: Fix sudoers privilege for check `php_fpm80` * nagios-nrpe: Fix check opendkim for recent change in listening port -* varnish: fix missing state, that blocked the task -* proftpd: Fix format of public key files controlled by ansible -* proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody) * openvpn: Fix mode of shellpki script +* proftpd: Fix format of public key files controlled by Ansible +* proftpd: Fix mode of public key directory and files (they have to be accessible by `proftpd:nobody`) +* varnish: fix missing state, that blocked the task ### Removed * openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream -### Security ## [22.09] 2022-09-19 From 0622e9ff1ee8f719e910600198c9b9557deff5db Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 11:47:53 +0100 Subject: [PATCH 72/72] fix non-breaking spaces --- CHANGELOG.md | 2 +- evomaintenance/templates/evomaintenance.j2 | 2 +- fail2ban/templates/jail.local.j2 | 6 +++--- lxc-php/tasks/umask.yml | 10 +++++----- packweb-apache/tasks/update_userlogrotate.yml | 2 +- tomcat-instance/defaults/main.yml | 2 +- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1de94487..8f5e0e0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -205,7 +205,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner -### Fixed +### Fixed * Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails. diff --git a/evomaintenance/templates/evomaintenance.j2 b/evomaintenance/templates/evomaintenance.j2 index 006d1c09..4a068fe6 100644 --- a/evomaintenance/templates/evomaintenance.j2 +++ b/evomaintenance/templates/evomaintenance.j2 @@ -11,7 +11,7 @@ FULLFROM="{{ evomaintenance_full_from }}" URGENCYFROM={{ evomaintenance_urgency_from }} URGENCYTEL="{{ evomaintenance_urgency_tel }}" REALM="{{ evomaintenance_realm }}" -API_ENDPOINT={{ evomaintenance_api_endpoint }} +API_ENDPOINT={{ evomaintenance_api_endpoint }} API_KEY={{ evomaintenance_api_key }} HOOK_API={{ evomaintenance_hook_api | bool | ternary('1','0') }} diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 19c4f35b..3738ee33 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -38,7 +38,7 @@ bantime = {{ fail2ban_recidive_bantime }} # Evolix custom jails [wordpress-hard] -enabled = {{ fail2ban_wordpress_hard }} +enabled = {{ fail2ban_wordpress_hard }} port = http, https filter = wordpress-hard logpath = /var/log/auth.log @@ -47,7 +47,7 @@ findtime = {{ fail2ban_wordpress_hard_findtime }} bantime = {{ fail2ban_wordpress_hard_bantime }} [wordpress-soft] -enabled = {{ fail2ban_wordpress_soft }} +enabled = {{ fail2ban_wordpress_soft }} port = http, https filter = wordpress-soft logpath = /var/log/auth.log @@ -56,7 +56,7 @@ findtime = {{ fail2ban_wordpress_soft_findtime }} bantime = {{ fail2ban_wordpress_soft_bantime }} [roundcube] -enabled = {{ fail2ban_roundcube }} +enabled = {{ fail2ban_roundcube }} port = http, https filter = roundcube logpath = /var/lib/roundcube/logs/errors diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 170851ab..8dc9039a 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml @@ -1,27 +1,27 @@ # Ajoute UMask=0007 à l'unité systemd PHP-FPM du conteneur LXC -# dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf +# dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf --- - name: "Définis le chemin du système de fichiers du conteneur LXC." set_fact: - lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" + lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" - name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC." ansible.builtin.file: - path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" + path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" state: directory register: systemd_path - name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC." ansible.builtin.lineinfile: - path: "{{ systemd_path.path }}/evolinux.conf" + path: "{{ systemd_path.path }}/evolinux.conf" regex: "\\[Service\\]" line: "[Service]" create: yes - name: "UMask=0007 est présent dans la surchage des services PHP-FPM des conteneurs LXC." ansible.builtin.lineinfile: - path: "{{ systemd_path.path }}/evolinux.conf" + path: "{{ systemd_path.path }}/evolinux.conf" regex: "^UMask=" line: "UMask=0007" insertafter: "\\[Service\\]" diff --git a/packweb-apache/tasks/update_userlogrotate.yml b/packweb-apache/tasks/update_userlogrotate.yml index a94080b0..1e8a6d85 100644 --- a/packweb-apache/tasks/update_userlogrotate.yml +++ b/packweb-apache/tasks/update_userlogrotate.yml @@ -9,7 +9,7 @@ - name: "Met-à-jour userlogrotate" ansible.builtin.copy: src: userlogrotate - dest: "{{ item }}" + dest: "{{ item }}" mode: "0755" loop: "{{ find_logrotate.files }}" when: find_logrotate.files | length>0 diff --git a/tomcat-instance/defaults/main.yml b/tomcat-instance/defaults/main.yml index 6a2ec877..92e68738 100644 --- a/tomcat-instance/defaults/main.yml +++ b/tomcat-instance/defaults/main.yml @@ -1,5 +1,5 @@ --- tomcat_instance_java_path: '/usr/lib/jvm/java-7-openjdk-amd64' tomcat_instance_root: '/srv/tomcat' -tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}" +tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}" tomcat_instance_mps: 256