Jérémy Lecour
cae0de17df
All checks were successful
continuous-integration/drone/push Build is passing
281 lines
9.9 KiB
Bash
281 lines
9.9 KiB
Bash
#!/bin/bash
|
|
|
|
# Exit codes :
|
|
# - 30 : $skip_releases or $skip_packages is set to "all"
|
|
# - 40 : current release is in $skip_releases list
|
|
# - 50 : all upgradable packages are in the $skip_packages list
|
|
# - 60 : current release is not in the $r_releases list
|
|
# - 70 : at least an upgradable package is not in the $r_packages list
|
|
|
|
set -e
|
|
|
|
configFile="/etc/evolinux/listupgrade.cnf"
|
|
|
|
packages=$(mktemp --tmpdir=/tmp evoupdate.XXX)
|
|
packagesHold=$(mktemp --tmpdir=/tmp evoupdate.XXX)
|
|
servicesToRestart=$(mktemp --tmpdir=/tmp evoupdate.XXX)
|
|
template=$(mktemp --tmpdir=/tmp evoupdate.XXX)
|
|
clientmail=$(grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2)
|
|
mailto="${clientmail}"
|
|
date="Ce jeudi entre 18h00 et 23h00."
|
|
hostname=$(grep HOSTNAME /etc/evomaintenance.cf | cut -d'=' -f2)
|
|
hostname=${hostname%%.evolix.net}
|
|
|
|
# If hostname is composed with -, remove the first part.
|
|
if [[ "${hostname}" =~ "-" ]]; then
|
|
hostname=$(echo "${hostname}" | cut -d'-' -f2-)
|
|
fi
|
|
# Edit $configFile to override some variables.
|
|
# shellcheck disable=SC1090,SC1091
|
|
[ -r "${configFile}" ] && . "${configFile}"
|
|
|
|
# Remove temporary files on exit.
|
|
# shellcheck disable=SC2064
|
|
trap "rm ${packages} ${packagesHold} ${servicesToRestart} ${template}" EXIT
|
|
|
|
# Parse line in retrieved upgrade file and ensure there is no malicious values.
|
|
get_value() {
|
|
file="$1"
|
|
variable="$2"
|
|
value="$(grep "^${variable}:" "${file}" | head -n 1 | cut -d ':' -f 2 | sed 's/^ //')"
|
|
|
|
if echo "${value}" | grep -q -E '^[-.: [:alnum:]]*$'; then
|
|
echo "${value}"
|
|
else
|
|
printf >&2 "Error parsing value \"%s\" for variable %s.\n" "${value}" "${variable}"
|
|
fi
|
|
}
|
|
|
|
# Fetch which packages/releases will be upgraded.
|
|
fetch_upgrade_info() {
|
|
upgradeInfo=$(mktemp --tmpdir=/tmp evoupdate.XXX)
|
|
wget --no-check-certificate --quiet --output-document="${upgradeInfo}" https://upgrades.evolix.org/upgrade
|
|
|
|
# shellcheck disable=SC2181
|
|
if [ "$?" != "0" ]; then
|
|
printf >&2 "Error fetching upgrade directives.\n"
|
|
fi
|
|
|
|
r_releases="$(get_value "${upgradeInfo}" "releases")"
|
|
r_skip_releases="$(get_value "${upgradeInfo}" "skip_releases")"
|
|
r_packages="$(get_value "${upgradeInfo}" "packages")"
|
|
r_skip_packages="$(get_value "${upgradeInfo}" "skip_packages")"
|
|
|
|
rm "${upgradeInfo}"
|
|
}
|
|
|
|
# Check if element $element is in (space separated) list $list.
|
|
is_in() {
|
|
list="$1"
|
|
element="$2"
|
|
|
|
for i in ${list}; do
|
|
if [ "${element}" = "${i}" ]; then
|
|
return 0
|
|
fi
|
|
done
|
|
|
|
return 1
|
|
}
|
|
|
|
if [[ "$1" != "--cron" ]]; then
|
|
echo "À quel date/heure allez vous planifier l'envoi ?"
|
|
echo "Exemple : le jeudi 6 mars entre 18h00 et 23h00"
|
|
echo -n "> "
|
|
read -r date
|
|
echo "À qui envoyer le mail ?"
|
|
echo -n "> "
|
|
read -r mailto
|
|
fi
|
|
|
|
# Update APT cache and get packages to upgrade and packages on hold.
|
|
aptUpdateOutput=$(apt update 2>&1 | (grep -E -ve '^(Listing|WARNING|$)' -e upgraded -e 'up to date' || true ))
|
|
|
|
if echo "${aptUpdateOutput}" | grep -E "^Err(:[0-9]+)? http"; then
|
|
echo "FATAL - Not able to fetch all sources (probably a pesky (mini)firewall). Please, fix me"
|
|
exit 100
|
|
fi
|
|
|
|
apt-mark showhold > "${packagesHold}"
|
|
apt list --upgradable 2>&1 | grep -v -f "${packagesHold}" | grep -Ev '^(Listing|WARNING|$)' > "${packages}"
|
|
packagesParsable=$(cut -f 1 -d / < "${packages}" |tr '\n' ' ')
|
|
|
|
# No updates? Exit!
|
|
test ! -s "${packages}" && exit 0
|
|
test ! -s "${packagesHold}" && echo 'Aucun' > "${packagesHold}"
|
|
|
|
fetch_upgrade_info
|
|
local_release=$(cut -f 1 -d . </etc/debian_version)
|
|
|
|
# Exit if skip_releases or skip_packages in upgrade info file are set to all.
|
|
if [ "${r_skip_releases}" = "all" ] || [ "${r_skip_packages}" = "all" ]; then
|
|
exit 30
|
|
fi
|
|
|
|
# Exit if the server's release is in skip_releases.
|
|
if [ -n "${r_skip_releases}" ] && is_in "${r_skip_releases}" "${local_release}"; then
|
|
exit 40
|
|
fi
|
|
|
|
# Exit if all packages to upgrade are listed in skip_packages:
|
|
# we remove each package to skip from the $packageToUpgrade list. At the end,
|
|
# if there is no additional packages to upgrade, we can exit.
|
|
if [ -n "${r_skip_packages}" ]; then
|
|
packageToUpgrade="${packagesParsable}"
|
|
for pkg in ${r_skip_packages}; do
|
|
packageToUpgrade="${packageToUpgrade}/${pkg}"
|
|
done
|
|
packageToUpgrade=$(echo "${packageToUpgrade}" | sed 's/ \+//g')
|
|
if [ -z "${packageToUpgrade}" ]; then
|
|
exit 50
|
|
fi
|
|
fi
|
|
|
|
# Exit if the server's release is not in releases.
|
|
if [ -n "${r_releases}" ] && [ "${r_releases}" != "all" ]; then
|
|
is_in "${r_releases}" "${local_release}" || exit 60
|
|
fi
|
|
|
|
# Exit if there is packages to upgrades that are not in packages list:
|
|
# we exit at the first package encountered that is not in packages list.
|
|
if [ -n "${r_packages}" ] && [ "${r_packages}" != "all" ]; then
|
|
for pkg in ${packagesParsable}; do
|
|
is_in "${r_packages}" "${pkg}" || exit 70
|
|
done
|
|
fi
|
|
|
|
# Guess which services will be restarted.
|
|
for pkg in ${packagesParsable}; do
|
|
if echo "${pkg}" | grep -qE "^(lib)?apache2"; then
|
|
echo "Apache2" >> "${servicesToRestart}"
|
|
elif echo "${pkg}" | grep -q "^nginx"; then
|
|
echo "Nginx" >> "${servicesToRestart}"
|
|
elif echo "${pkg}" | grep -q "^php5-fpm"; then
|
|
echo "PHP FPM" >> "${servicesToRestart}"
|
|
elif echo "${pkg}" | grep -q "^mysql-server"; then
|
|
echo "MySQL" >> "${servicesToRestart}"
|
|
elif echo "${pkg}" | grep -q "^mariadb-server"; then
|
|
echo "MariaDB" >> "${servicesToRestart}"
|
|
elif echo "${pkg}" | grep -qE "^postgresql-[[:digit:]]+\.[[:digit:]]+$"; then
|
|
echo "PostgreSQL" >> "${servicesToRestart}"
|
|
elif echo "${pkg}" | grep -qE "^tomcat[[:digit:]]+$"; then
|
|
echo "Tomcat" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "redis-server" ]; then
|
|
echo "Redis" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "mongodb-server" ]; then
|
|
echo "MondoDB" >> "${servicesToRestart}"
|
|
elif echo "${pkg}" | grep -qE "^courier-(pop|imap)"; then
|
|
echo "Courier POP/IMAP" >> "${servicesToRestart}"
|
|
elif echo "${pkg}" | grep -qE "^dovecot-(pop|imap)d"; then
|
|
echo "Dovecot POP/IMAP" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "samba" ]; then
|
|
echo "Samba" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "slapd" ]; then
|
|
echo "OpenLDAP" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "bind9" ]; then
|
|
echo "Bind9" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "postfix" ]; then
|
|
echo "Postfix" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "haproxy" ]; then
|
|
echo "HAProxy" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "varnish" ]; then
|
|
echo "Varnish" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "squid" ]; then
|
|
echo "Squid" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "elasticsearch" ]; then
|
|
echo "Elasticsearch" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "logstash" ]; then
|
|
echo "Logstash" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "kibana" ]; then
|
|
echo "Kibana" >> "${servicesToRestart}"
|
|
elif [ "${pkg}" = "libc6" ]; then
|
|
echo "Tous les services sont susceptibles d'être redémarrés (mise à jour de libc6)." > "${servicesToRestart}"
|
|
break
|
|
elif [ "${pkg}" = "libstdc++6" ]; then
|
|
echo "Tous les services sont susceptibles d'être redémarrés (mise à jour de libstdc++6)." > "${servicesToRestart}"
|
|
break
|
|
elif echo "${pkg}" | grep -q "^libssl"; then
|
|
echo "Tous les services sont susceptibles d'être redémarrés (mise à jour de libssl)." > "${servicesToRestart}"
|
|
break
|
|
fi
|
|
done
|
|
test ! -s "${servicesToRestart}" && echo "Aucun" > "${servicesToRestart}"
|
|
|
|
cat << EOT > "${template}"
|
|
Content-Type: text/plain; charset="utf-8"
|
|
Reply-To: equipe@evolix.fr
|
|
From: equipe@evolix.net
|
|
To: ${clientmail}
|
|
Subject: Prochain creneau pour mise a jour de votre serveur ${hostname}
|
|
X-Debian-Release: ${local_release}
|
|
X-Packages: ${packagesParsable}
|
|
X-Date: ${date}
|
|
|
|
Bonjour,
|
|
|
|
Des mises-à-jour de sécurité ou mineures sont à réaliser sur votre serveur
|
|
${hostname}.
|
|
Sauf indication contraire de votre part, le prochain créneau prévu pour
|
|
intervenir manuellement pour réaliser ces mises-à-jour est :
|
|
${date}
|
|
|
|
Si nous intervenons, un redémarrage des éventuels services concernés sera
|
|
réalisé, entraînant a priori quelques secondes de coupure. Si nous ne sommes
|
|
pas intervenus sur ce créneau, vous recevrez une nouvelle notification la
|
|
semaine prochaine.
|
|
|
|
Voici la listes de packages qui seront mis à jour :
|
|
|
|
$(cat "${packages}")
|
|
|
|
Liste des packages dont la mise-à-jour a été manuellement suspendue :
|
|
|
|
$(cat "${packagesHold}")
|
|
|
|
Liste des services qui seront redémarrés :
|
|
|
|
$(cat "${servicesToRestart}")
|
|
|
|
N'hésitez pas à nous faire toute remarque sur ce créneau d'intervention le plus
|
|
tôt possible.
|
|
|
|
Cordialement,
|
|
--
|
|
Équipe Evolix - Hébergement et Infogérance Open Source
|
|
http://evolix.com | Twitter: @Evolix @EvolixNOC | http://blog.evolix.com
|
|
EOT
|
|
|
|
< "${template}" /usr/sbin/sendmail "${mailto}"
|
|
|
|
# Now we try to fetch all the packages for the next update session
|
|
downloadstatus=$(apt dist-upgrade --assume-yes --download-only -q2 2>&1)
|
|
echo "${downloadstatus}" | grep -q 'Download complete and in download only mode'
|
|
|
|
# shellcheck disable=SC2181
|
|
if [ $? -ne 0 ]; then
|
|
echo "${downloadstatus}"
|
|
fi;
|
|
|
|
|
|
# Also, we try to update each container apt sources
|
|
if which lxc-ls > /dev/null; then
|
|
for container in $(lxc-ls); do
|
|
|
|
aptUpdateOutput=$(lxc-attach -n "${container}" -- apt update 2>&1 | (grep -Eve '^(Listing|WARNING|$)' -e upgraded -e 'up to date' || true ))
|
|
|
|
if (echo "${aptUpdateOutput}" | grep -E "^Err(:[0-9]+)? http"); then
|
|
echo "FATAL CONTAINER - Not able to fetch all sources (probably a pesky (mini)firewall). Please, fix me"
|
|
exit 150
|
|
fi
|
|
|
|
# Now we try to fetch all the packages for the next update session
|
|
downloadstatus=$(lxc-attach -n "${container}" -- apt dist-upgrade --assume-yes --download-only -q2 2>&1)
|
|
echo "${downloadstatus}" | grep -q 'Download complete and in download only mode'
|
|
|
|
if [ $? -ne 0 ]; then
|
|
echo "${downloadstatus}"
|
|
fi;
|
|
|
|
done
|
|
fi
|