From 505e0f7f533307b6ed60a902918a26a49e80de02 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 May 2020 11:08:29 +0200 Subject: [PATCH 01/13] New command bkctld upgrade-config It moves the legacy config file "/etc/evobackup/" to the new config structure "/etc/evobackup/.d/incs_policy" --- CHANGELOG.md | 2 ++ bkctld | 2 +- lib/bkctld-upgrade-config | 47 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 lib/bkctld-upgrade-config diff --git a/CHANGELOG.md b/CHANGELOG.md index c6d4365..0687b48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added +* New command bkctld upgrade-config to move the legacy config file "/etc/evobackup/" to the new config structure "/etc/evobackup/.d/incs_policy" + ### Changed ### Deprecated diff --git a/bkctld b/bkctld index 21ee88d..43dc3dc 100755 --- a/bkctld +++ b/bkctld @@ -69,7 +69,7 @@ case "${subcommand}" in "${LIBDIR}/bkctld-${subcommand}" "${jail_name}" "${option}" fi ;; - "start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall") + "start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall" | "upgrade-config") jail_name="${2:-}" if [ "${jail_name}" = "all" ]; then "${LIBDIR}/bkctld-list" | xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}" diff --git a/lib/bkctld-upgrade-config b/lib/bkctld-upgrade-config new file mode 100644 index 0000000..59c8e37 --- /dev/null +++ b/lib/bkctld-upgrade-config 
@@ -0,0 +1,47 @@ +#!/bin/sh +# +# Update jail or all +# Usage: update |all +# + +# shellcheck source=./includes +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" + +jail_name="${1:?}" +if [ ! -n "${jail_name}" ]; then + "${LIBDIR}/bkctld-help" && exit 1 +fi +jail_path=$(jail_path "${jail_name}") + +test -d "${jail_path}" || error "${jail_name}: jail not found" 2 + +legacy_incs_policy_file="${CONFDIR}/${jail_name}" +incs_policy_file=$(jail_incs_policy_file "${jail_name}") + +if [ -h "${legacy_incs_policy_file}" ]; then + if [ -f "${incs_policy_file}" ]; then + info "${jail_name}: config is already upgraded" + else + warning "${jail_name}: symlink present but inc policy file \`${incs_policy_file}' not found" + fi +elif [ ! -e "${legacy_incs_policy_file}" ] ; then + if [ -f "${incs_policy_file}" ]; then + # create a symlink for backward compatibility + ln -s "${incs_policy_file}" "${legacy_incs_policy_file}" + + info "${jail_name}: config has been symlinked" + else + warning "${jail_name}: inc policy file \`${incs_policy_file}' not found" + fi +elif [ -f "${legacy_incs_policy_file}" ]; then + # Create directory if missing + mkdir -p "$(jail_config_dir "${jail_name}")" + # move the main config file + mv "${legacy_incs_policy_file}" "${incs_policy_file}" + # create a symlink for backward compatibility + ln -s "${incs_policy_file}" "${legacy_incs_policy_file}" + # create a check_policy file if missing + touch "$(jail_check_policy_file "${jail_name}")" + + info "${jail_name}: config has been upgraded" +fi From 049bdb921629081fc7e9711597a6cc69c380e312 Mon Sep 17 00:00:00 2001 From: Bruno TATU Date: Tue, 9 Jun 2020 10:59:23 +0200 Subject: [PATCH 02/13] add --relative to rsync from zzz_evobackup --- zzz_evobackup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zzz_evobackup b/zzz_evobackup index e722d44..d60f56d 100755 --- a/zzz_evobackup +++ b/zzz_evobackup 
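Review bot: In the `-f "${legacy_incs_policy_file}"` branch the `mv` silently overwrites a `${incs_policy_file}` that already exists (only the symlink and absent-file branches look at the new file first), so a jail that has both a legacy file and a new-style file loses the new-style one; guard it with `[ -e "${incs_policy_file}" ] && error "${jail_name}: incs policy file already exists, refusing to overwrite it" 2` before the `mv`. The `if [ ! -n "${jail_name}" ]` block is unreachable because `jail_name="${1:?}"` already aborts the script on a missing or empty argument, so the `bkctld-help` fallback never runs; drop the `:?` (and write the test as `[ -z "${jail_name}" ]`) if the help output is wanted. The header comment still describes bkctld-update (`# Update jail or all` / `# Usage: update …`); it should name this command, e.g. `# Move a jail's legacy config file to the per-jail .d/incs_policy layout` / `# Usage: upgrade-config <jailname>|all`. `LIBDIR="$(dirname $0)"` leaves `$0` unquoted (SC2086); `"$(dirname "$0")"` is the safe form.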
@@ -368,7 +368,7 @@ if [ "${SYNC_TASKS}" = "1" ]; then # ignore check because we want it to split the different arguments to $rep # shellcheck disable=SC2086 - rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \ + rsync -avzh --relative --stats --delete --delete-excluded --force --ignore-errors --partial \ --exclude "lost+found" \ --exclude ".nfs.*" \ --exclude "/var/log" \ From d07b4931316b671b941a777e6182ad8b37af56aa Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Jul 2020 17:14:49 +0200 Subject: [PATCH 03/13] bkctld-update: start jail after upgrade if it was started before --- CHANGELOG.md | 2 ++ lib/bkctld-update | 18 +++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0687b48..54e9300 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed +* bkctld-update: start jail after upgrade if it was started before + ### Deprecated ### Removed diff --git a/lib/bkctld-update b/lib/bkctld-update index c5b4ec2..bc64af2 100755 --- a/lib/bkctld-update +++ b/lib/bkctld-update @@ -15,8 +15,24 @@ jail_path=$(jail_path "${jail_name}") test -d "${jail_path}" || error "${jail_name}: jail not found" 2 -"${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}" +"${LIBDIR}/bkctld-is-on" "${jail_name}" 2>/dev/null +case "$?" in + 0) + jail_initial_status="on" + ;; + 100) + jail_initial_status="off" + ;; + *) + unset jail_initial_status + error "Error evaluating jail \`${jail_name}' state. bkctld-is-on exited with \`$?'" + ;; +esac + +test "${jail_initial_status}" = "on" && "${LIBDIR}/bkctld-stop" "${jail_name}" setup_jail_chroot "${jail_name}" +test "${jail_initial_status}" = "on" && "${LIBDIR}/bkctld-start" "${jail_name}" + notice "Update jail \`${jail_name}' : OK" From 0ad1e8d34290c527d6bb48b54c20b18d5bcd67e3 Mon Sep 17 00:00:00 2001 
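Review bot: `--relative` changes how the transferred paths are laid out on the destination (a multi-component source path such as `/usr/local` lands under `usr/local/` instead of `local/`), and this rsync also runs with `--delete`, so for a jail that already holds backups made without the flag the next run will, if I read the options right, re-transfer the affected trees under the new layout and remove the old one. That may well be intended, but it should be stated in the commit message and in a comment above the call, e.g. `# --relative keeps full source paths on the server; the first run after enabling it re-lays-out existing jails`. The rest of the rsync argument list and the enclosing `if [ "${SYNC_TASKS}" = "1" ]` block lie outside the hunk.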
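Review bot: In the `*)` arm of `case "$?"` the `$?` interpolated into the `error` message is no longer bkctld-is-on's exit status: the `case` word is expanded once, but the `unset jail_initial_status` that runs just before `error` resets `$?` to 0, so the message will always report `0`. Capture the status once and use it in both places: `"${LIBDIR}/bkctld-is-on" "${jail_name}" 2>/dev/null; is_on_rc=$?`, `case "${is_on_rc}" in`, and `error "Error evaluating jail \`${jail_name}' state. bkctld-is-on exited with \`${is_on_rc}'"`. The two `test "${jail_initial_status}" = "on" && "${LIBDIR}/bkctld-stop|start" …` lines also ignore the stop/start exit status, so a failed stop is followed by `setup_jail_chroot` on a still-running jail; `|| error "${jail_name}: unable to stop jail before update"` on the stop line would make that visible. The rest of bkctld-update (including the `jail_path` lookup) is outside the hunk.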
From: Jeremy Lecour Date: Fri, 10 Jul 2020 14:34:06 +0200 Subject: [PATCH 04/13] Split check into check-jails and check-setup bkctld-check-setup checks if the partition is mounted and writable, if firewall is configured and if all jails are started --- CHANGELOG.md | 2 + bkctld | 6 +- lib/{bkctld-check => bkctld-check-jails} | 41 +-------- lib/bkctld-check-setup | 86 +++++++++++++++++ lib/includes | 16 +++- test/checks.bats | 112 ++++++++++++++++------- 6 files changed, 189 insertions(+), 74 deletions(-) rename lib/{bkctld-check => bkctld-check-jails} (61%) create mode 100755 lib/bkctld-check-setup diff --git a/CHANGELOG.md b/CHANGELOG.md index 54e9300..d6a7fba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed * bkctld-update: start jail after upgrade if it was started before +* Split check into check-jails and check-setup +* bkctld-check-setup checks if the partition is mounted and writable, if firewall is configured and if all jails are started ### Deprecated diff --git a/bkctld b/bkctld index 43dc3dc..353773b 100755 --- a/bkctld +++ b/bkctld @@ -36,9 +36,13 @@ fi subcommand="${1:-}" case "${subcommand}" in - "inc" | "rm" | "check" | "stats" | "help" | "list") + "inc" | "rm" | "check-jails" | "check-setup" | "stats" | "help" | "list") "${LIBDIR}/bkctld-${subcommand}" ;; + "check") + # backward compatibility + "${LIBDIR}/bkctld-check-jails" + ;; "check-incs") option="${2:-}" if [ "${option}" = "all" ] || [ -z "${option}" ]; then diff --git a/lib/bkctld-check b/lib/bkctld-check-jails similarity index 61% rename from lib/bkctld-check rename to lib/bkctld-check-jails index 4cd5054..80981f5 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check-jails 
@@ -14,43 +14,6 @@ nb_ok=0 nb_unkn=0 output="" -# Check if the backup disk is properly mounted - -if [ -b "${BACKUP_DISK}" ]; then - # If backup disk is encrypted, verify that it's open - cryptsetup isLuks "${BACKUP_DISK}" - if [ "$?" -eq 0 ]; then - if [ ! -b '/dev/mapper/backup' ]; then - echo "Luks disk \`${BACKUP_DISK}' is not mounted !\n" - echo "cryptsetup luksOpen ${BACKUP_DISK} backup" - exit 2 - fi - # Change value to real device - BACKUP_DISK='/dev/mapper/backup' - fi - # Verify that it's mounted and writable - findmnt --source ${BACKUP_DISK} -O rw > /dev/null - if [ "$?" -ne 0 ]; then - echo "Backup disk \`${BACKUP_DISK}' is not mounted (or read-only) !\n" - echo "mount ${BACKUP_DISK} /backup" - exit 2 - fi -fi - -# Check if the firewall file is sourced - -minifirewall_config=/etc/default/minifirewall - -if [ -n "${FIREWALL_RULES}" ] \ -&& [ -r "${FIREWALL_RULES}" ] \ -&& [ -f "${minifirewall_config}" ]; then - if ! grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"; then - nb_warn=$((nb_warn + 1)) - output="${output}WARNING - Firewall file '${FIREWALL_RULES}' doesn't seem to be sourced by '${minifirewall_config}'\n" - [ "${return}" -le 1 ] && return=1 - fi -fi - # Check each jail status check_jail() { @@ -64,8 +27,8 @@ check_jail() { check_policy_file=$(current_jail_check_policy_file "${jail_name}") if [ -f "${check_policy_file}" ]; then - local_critical=$(read_variable "${check_policy_file}" "CRITICAL") - local_warning=$(read_variable "${check_policy_file}" "WARNING") + local_critical=$(read_numerical_variable "${check_policy_file}" "CRITICAL") + local_warning=$(read_numerical_variable "${check_policy_file}" "WARNING") else unset local_critical unset local_warning diff --git a/lib/bkctld-check-setup b/lib/bkctld-check-setup new file mode 100755 index 0000000..e68648d --- /dev/null +++ b/lib/bkctld-check-setup 
@@ -0,0 +1,86 @@ +#!/bin/sh +# +# Run check on jails (NRPE output) +# Usage: check +# + +# shellcheck source=./includes +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" + +return=0 +nb_crit=0 +nb_warn=0 +nb_ok=0 +nb_unkn=0 +output="" + +# Verify backup partition is mounted and writable + +findmnt --mountpoint "${BACKUP_PARTITION}" -O rw > /dev/null +if [ "$?" -ne 0 ]; then + nb_crit=$((nb_crit + 1)) + output="${output}CRITICAL - Backup disk \`/backup' is not mounted (or read-only) !\n" + return=2 +else + nb_ok=$((nb_ok + 1)) + output="${output}OK - Backup disk \`/backup' is mounted and writable.\n" +fi + +# Check if the firewall file is sourced + +minifirewall_config=/etc/default/minifirewall + +if [ -n "${FIREWALL_RULES}" ] \ +&& [ -r "${FIREWALL_RULES}" ] \ +&& [ -f "${minifirewall_config}" ]; then + if grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"; then + nb_ok=$((nb_ok + 1)) + output="${output}OK - Firewall file \`${FIREWALL_RULES}' is sourced by \`${minifirewall_config}'.\n" + else + nb_warn=$((nb_warn + 1)) + output="${output}WARNING - Firewall file \`${FIREWALL_RULES}' doesn't seem to be sourced by \`${minifirewall_config}'\n" + [ "${return}" -le 1 ] && return=1 + fi +fi + +# Check if jails are started +set -x +nb_on=0 +nb_off=0 +for jail_name in $(jails_list); do + if "${LIBDIR}/bkctld-is-on" "${jail_name}"; then + nb_on=$((nb_on + 1)) + else + expected_state="ON" + check_policy_file=$(current_jail_check_policy_file "${jail_name}") + + if [ -f "${check_policy_file}" ]; then + expected_state=$(read_variable "${check_policy_file}" "EXPECTED_STATE") + fi + if [ "${expected_state}" != "OFF" ]; then + nb_off=$((nb_off + 1)) + fi + fi +done +if [ "${nb_off}" -eq 0 ]; then + output="${output}OK - all jails are in their expected state .\n" +else + output="${output}CRITICAL - ${nb_off} jail(s) shouldn't be OFF !\n" + nb_crit=$((nb_crit + 1)) + [ "${return}" -le 2 ] && return=2 +fi +set +x + +[ "${return}" -ge 0 ] && header="OK" +[ "${return}" 
-ge 1 ] && header="WARNING" +[ "${return}" -ge 2 ] && header="CRITICAL" +[ "${return}" -ge 3 ] && header="UNKNOWN" + +printf "%s - %s UNK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unkn}" "${nb_crit}" "${nb_warn}" "${nb_ok}" + +printf "${output}" | grep -E "^UNKNOWN" +printf "${output}" | grep -E "^CRITICAL" +printf "${output}" | grep -E "^WARNING" +printf "${output}" | grep -E "^OK" + +exit "${return}" diff --git a/lib/includes b/lib/includes index 6ba6fec..4ca709e 100755 --- a/lib/includes +++ b/lib/includes @@ -7,12 +7,13 @@ LIBDIR=${LIBDIR:-/usr/lib/bkctld} CONFDIR="${CONFDIR:-/etc/evobackup}" BACKUP_DISK="${BACKUP_DISK:-}" -JAILDIR="${JAILDIR:-/backup/jails}" -INCDIR="${INCDIR:-/backup/incs}" +BACKUP_PARTITION="${BACKUP_PARTITION:-/backup}" +JAILDIR="${JAILDIR:-${BACKUP_PARTITION}/jails}" +INCDIR="${INCDIR:-${BACKUP_PARTITION}/incs}" TPLDIR="${TPLDIR:-/usr/share/bkctld}" LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}" LOCKDIR="${LOCKDIR:-/run/lock/bkctld}" -INDEX_DIR="${INDEX_DIR:-/backup/index}" +INDEX_DIR="${INDEX_DIR:-${BACKUP_PARTITION}/index}" IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}" SSHD_PID="${SSHD_PID:-/run/sshd.pid}" SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}" @@ -337,6 +338,15 @@ read_variable() { file=${1:?} var_name=${2:?} + pattern="^\s*${var_name}=.+" + + grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2 +} + +read_numerical_variable() { + file=${1:?} + var_name=${2:?} + pattern="^\s*${var_name}=-?[0-9]+" grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2 diff --git a/test/checks.bats b/test/checks.bats index 77a7b4a..f8e5c85 100644 --- a/test/checks.bats +++ b/test/checks.bats 
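Review bot: The partition check's OK and CRITICAL messages hardcode the literal `/backup` while the check itself runs `findmnt --mountpoint "${BACKUP_PARTITION}"`, so an installation that overrides BACKUP_PARTITION (now supported in includes) gets NRPE output naming the wrong path; substitute `${BACKUP_PARTITION}` for `/backup` in both strings. `printf "${output}"` uses collected data as the printf format string, so a `%` in `${FIREWALL_RULES}` or `${minifirewall_config}` garbles the output or makes printf fail; `printf '%b' "${output}"` keeps the `\n` expansion and removes the problem (the same four lines exist in bkctld-check-jails, outside this patch). The jail-state block increments `nb_crit` on failure but not `nb_ok` on success, unlike the disk and firewall checks, so the `OK` count in the header line is one short when everything is fine. The file header (`# Run check on jails (NRPE output)` / `# Usage: check`) was copied from bkctld-check and should read `# Check the bkctld setup: backup partition, firewall rules and jail states (NRPE output)` / `# Usage: check-setup`.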
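Review bot: The generic `read_variable` pattern `^\s*${var_name}=.+` runs to end of line, so a value followed by a comment or trailing whitespace (`EXPECTED_STATE=OFF # manual`) comes back as `OFF # manual`, and bkctld-check-setup's `[ "${expected_state}" != "OFF" ]` then counts that jail as wrongly stopped; `cut -d= -f2` also truncates any value that contains a second `=`. A stricter extraction such as `grep -E "^\s*${var_name}=" "${file}" | cut -d= -f2- | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//'` handles both, or the accepted syntax (a bare token, no inline comment) should be documented in a comment above the function. `read_numerical_variable` keeps the old numeric pattern and is what bkctld-check-jails now calls, so the behaviour change is confined to the new EXPECTED_STATE use; that function's closing brace is outside the hunk.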
@@ -3,33 +3,38 @@ load test_helper -@test "Check OK for default values" { - touch "${JAILPATH}/var/log/lastlog" - # With default values (2 days critical, 1 day warning), - # a freshly connected jail should be "ok" - run /usr/lib/bkctld/bkctld-check +@test "Check jails OK" { + run /usr/lib/bkctld/bkctld-check-jails assert_equal "0" "$status" } -@test "Check WARNING for default values" { +@test "Check jails OK for default values" { + touch "${JAILPATH}/var/log/lastlog" + # With default values (2 days critical, 1 day warning), + # a freshly connected jail should be "ok" + run /usr/lib/bkctld/bkctld-check-jails + assert_equal "0" "$status" +} + +@test "Check jails WARNING for default values" { lastlog_date=$(date -d -2days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" # With default values (2 days critical, 1 day warning), # a 2 days old jail should be "warning" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "1" "$status" } -@test "Check CRITICAL for default values" { +@test "Check jails CRITICAL for default values" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" # With default values (2 days critical, 1 day warning), # a 3 days old jail should be "critical" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "2" "$status" } -@test "Check OK for custom values" { +@test "Check jails OK for custom values" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" 
@@ -39,11 +44,11 @@ WARNING=96 OUT # With custom values (5 days critical, 4 days warning), # a 3 days old jail should be "ok" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "0" "$status" } -@test "Check WARNING for custom values" { +@test "Check jails WARNING for custom values" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" @@ -53,11 +58,11 @@ WARNING=48 OUT # With custom values (4 days critical, 3 days warning), # a 3 days old jail should be "warning" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "1" "$status" } -@test "Check CRITICAL for custom values" { +@test "Check jails CRITICAL for custom values" { lastlog_date=$(date -d -10days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" @@ -67,11 +72,11 @@ WARNING=48 OUT # With custom values (4 days critical, 3 days warning), # a 10 days old jail should be "critical" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "2" "$status" } -@test "Check OK for disabled WARNING" { +@test "Check jails OK for disabled WARNING" { lastlog_date=$(date -d -2days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" @@ -80,11 +85,11 @@ WARNING=0 OUT # With custom values (warning disabled, default critical), # a 2 days old jail should still be "ok" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "0" "$status" } -@test "Check WARNING for disabled CRITICAL" { +@test "Check jails WARNING for disabled CRITICAL" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" 
@@ -93,11 +98,11 @@ CRITICAL=0 OUT # With custom values (critical disabled, default warning), # a 3 days old jail should only be "warning" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "1" "$status" } -@test "Custom values are parsed with only integers after equal" { +@test "Custom jails values are parsed with only integers after equal" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" @@ -106,7 +111,7 @@ CRITICAL=0 # foo OUT # With custom values (critical disabled, default warning), # a 3 days old jail should only be "warning" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "1" "$status" } @@ -119,7 +124,7 @@ OUT OUT # With commented custom values (critical disabled), # a 3 days old jail should still be "critical" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "2" "$status" } 
@@ -132,40 +137,85 @@ CRITICAL=foo OUT # With commented custom values (critical disabled), # a 3 days old jail should still be "critical" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "2" "$status" } -@test "Check WARNING if firewall rules are not sourced" { +@test "Check setup WARNING if firewall rules are not sourced" { + /usr/lib/bkctld/bkctld-start ${JAILNAME} + firewall_rules_file="/etc/firewall.rc.jails" set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}" echo "" > "${firewall_rules_file}" # Without sourcing echo "" > "/etc/default/minifirewall" - # … the check should be "critical" - run /usr/lib/bkctld/bkctld-check + # … the check should be "warning" + run /usr/lib/bkctld/bkctld-check-setup assert_equal "1" "$status" } -@test "Check OK if firewall rules are sourced" { +@test "Check setup OK if firewall rules are sourced" { + /usr/lib/bkctld/bkctld-start ${JAILNAME} + firewall_rules_file="/etc/firewall.rc.jails" set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}" echo "" > "${firewall_rules_file}" # Sourcing file with '.' echo ". 
${firewall_rules_file}" > "/etc/default/minifirewall" - # … the check should be "critical" - run /usr/lib/bkctld/bkctld-check + # … the check should be "ok" + run /usr/lib/bkctld/bkctld-check-setup assert_equal "0" "$status" # Sourcing file with 'source' echo "source ${firewall_rules_file}" > "/etc/default/minifirewall" - # … the check should be "critical" - run /usr/lib/bkctld/bkctld-check + # … the check should be "ok" + run /usr/lib/bkctld/bkctld-check-setup assert_equal "0" "$status" } +@test "Check setup CRITICAL if jail is stopped" { + run /usr/lib/bkctld/bkctld-check-setup + assert_equal "2" "$status" +} + +@test "Check setup OK if all jails are started" { + /usr/lib/bkctld/bkctld-start ${JAILNAME} + + run /usr/lib/bkctld/bkctld-check-setup + assert_equal "0" "$status" +} + +@test "Check setup OK if jail is supposed to be stopped" { + cat > "/etc/evobackup/${JAILNAME}.d/check_policy" < Date: Thu, 16 Jul 2020 22:16:34 +0200 Subject: [PATCH 05/13] zzz_evobackup: add template for multiple redis instances --- zzz_evobackup | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/zzz_evobackup b/zzz_evobackup index d60f56d..fd20af1 100755 --- a/zzz_evobackup +++ b/zzz_evobackup @@ -229,7 +229,14 @@ if [ "${LOCAL_TASKS}" = "1" ]; then ## Redis ## example with copy .rdb file + ## for the default instance : # cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/ + ## for multiple instances : + # for instance in $(ls -d /var/lib/redis-*); do + # name=$(basename $instance) + # mkdir -p ${LOCAL_BACKUP_DIR}/${name} + # cp -a ${instance}/dump.rdb ${LOCAL_BACKUP_DIR}/${name} + # done ## ElasticSearch From 3a6e21dce816e1617b751505e0be575ed93cd8ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 16 Jul 2020 22:20:05 +0200 Subject: [PATCH 06/13] use ${LOCAL_BACKUP_DIR}/mysql/ instead of /home/mysqldump/ --- zzz_evobackup | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) 
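Review bot: The multi-instance template iterates over `$(ls -d /var/lib/redis-*)`, i.e. it parses `ls` output (ShellCheck SC2012) and word-splits it; a glob gives the same list safely: `for instance in /var/lib/redis-*; do`. The body should also quote its expansions — `name=$(basename "$instance")`, `mkdir -p "${LOCAL_BACKUP_DIR}/${name}"`, `cp -a "${instance}/dump.rdb" "${LOCAL_BACKUP_DIR}/${name}"` — since operators uncomment this block as-is. Nothing runs today because the block is commented out, but every copy of the template inherits the pattern.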
diff --git a/zzz_evobackup b/zzz_evobackup index fd20af1..be16fb8 100755 --- a/zzz_evobackup +++ b/zzz_evobackup 
@@ -156,37 +156,37 @@ if [ "${LOCAL_TASKS}" = "1" ]; then ## example with two dumps for each table (.sql/.txt) for all databases # for i in $(echo SHOW DATABASES | mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \ # | egrep -v "^(Database|information_schema|performance_schema|sys)" ); \ - # do mkdir -p -m 700 /home/mysqldump/$i ; chown -RL mysql /home/mysqldump ; \ + # do mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/$i ; chown -RL mysql /home/mysqldump ; \ # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \ - # --fields-enclosed-by='\"' --fields-terminated-by=',' -T /home/mysqldump/$i $i; done + # --fields-enclosed-by='\"' --fields-terminated-by=',' -T ${LOCAL_BACKUP_DIR}/mysql/$i $i; done ## Dump all grants (requires 'percona-toolkit' package) - # mkdir -p -m 700 /home/mysqldump/ - # pt-show-grants --flush --no-header > /home/mysqldump/all_grants.sql + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/ + # pt-show-grants --flush --no-header > ${LOCAL_BACKUP_DIR}/mysql/all_grants.sql ## example with SQL dump (schema only, no data) for each databases - # mkdir -p -m 700 /home/mysqldump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/ # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ # | egrep -v "^(Database|information_schema|performance_schema|sys)"); do - # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > /home/mysqldump/${i}.schema.sql + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > ${LOCAL_BACKUP_DIR}/mysql/${i}.schema.sql # done ## example with compressed SQL dump (with data) for each databases - # mkdir -p -m 700 /home/mysqldump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/ # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ # | egrep -v 
"^(Database|information_schema|performance_schema|sys)"); do - # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > ${LOCAL_BACKUP_DIR}/mysql/${i}.sql.gz # done ## example with *one* uncompressed SQL dump for *one* database (MYBASE) - # mkdir -p -m 700 /home/mysqldump/MYBASE - # chown -RL mysql /home/mysqldump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/MYBASE + # chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql/ # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \ - # --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE + # --opt --events --hex-blob --skip-comments -T ${LOCAL_BACKUP_DIR}/mysql/MYBASE MYBASE ## example with mysqlhotcopy - # mkdir -p -m 700 /home/mysqlhotcopy/ - # mysqlhotcopy BASE /home/mysqlhotcopy/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysqlhotcopy/ + # mysqlhotcopy BASE ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/ ## example for multiples MySQL instances # mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3) From 1f29162da4d0a3f498a3ce83c43c172d94c241d8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 22 Jul 2020 23:00:17 +0200 Subject: [PATCH 07/13] evobackup script timeout defaults to 90 seconds --- zzz_evobackup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zzz_evobackup b/zzz_evobackup index be16fb8..b01dc7b 100755 --- a/zzz_evobackup +++ b/zzz_evobackup @@ -30,7 +30,7 @@ SERVERS="node0.backup.example.com:2XXX node1.backup.example.com:2XXX" SERVERS_FALLBACK=${SERVERS_FALLBACK:-1} # timeout (in seconds) for SSH connections -SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-30} +SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90} ## We use /home/backup : feel free to use your own dir LOCAL_BACKUP_DIR="/home/backup" 
From c141986a6d31fc588930fe89cbe3c5c1260d5140 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 7 Aug 2020 14:24:17 +0200 Subject: [PATCH 08/13] create new ssh keys for new jails instead of copying those from the host It increases the security by having different keys between jails. It reduces the risk of changing the keys of jails after creationtheir creation. --- CHANGELOG.md | 2 ++ lib/includes | 4 +--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d6a7fba..69694d4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * bkctld-update: start jail after upgrade if it was started before * Split check into check-jails and check-setup +* bkctld-check-jails checks if jails * bkctld-check-setup checks if the partition is mounted and writable, if firewall is configured and if all jails are started +* create new ssh keys for new jails instead of copying those from the host ### Deprecated diff --git a/lib/includes b/lib/includes index 4ca709e..0c0f297 100755 --- a/lib/includes +++ b/lib/includes @@ -249,9 +249,7 @@ setup_jail_chroot() { touch ./var/log/lastlog ./var/log/wtmp ./run/utmp info "2 - Copying essential files" - [ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key ./etc/ssh - [ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key ./etc/ssh - [ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key ./etc/ssh + ssh-keygen -A -f . touch "./${AUTHORIZED_KEYS}" chmod 600 "./${AUTHORIZED_KEYS}" cp "${passwd}" ./etc From 1063dfe74d3cb1cafd90a92f84dcd5885eb82168 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Aug 2020 13:57:18 +0200 Subject: [PATCH 09/13] bkctld: don't replace SSH host keys when creating/updating a jail --- CHANGELOG.md | 1 + lib/includes | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 69694d4..ad6af39 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed * bkctld-update: start jail after upgrade if it was started before +* bkctld: don't replace SSH host keys when creating/updating a jail * Split check into check-jails and check-setup * bkctld-check-jails checks if jails * bkctld-check-setup checks if the partition is mounted and writable, if firewall is configured and if all jails are started diff --git a/lib/includes b/lib/includes index 0c0f297..745f477 100755 --- a/lib/includes +++ b/lib/includes @@ -226,7 +226,16 @@ setup_jail_chroot() { umask 077 info "1 - Creating the chroot" - rm -rf ./bin ./lib ./lib64 ./run ./usr ./var/run ./etc/ssh/*key + + rm -rf ./bin + rm -rf ./lib + rm -rf ./lib64 + rm -rf ./run + rm -rf ./usr + rm -rf ./var/run + # Let's not delete the existing SSH host keys, + # otherwise the clients will have to accept the new keys + mkdir -p ./dev mkdir -p ./proc mkdir -p ./usr/bin From ea9aac50a3aa46787e2f827cee560a1479f76763 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Aug 2020 13:58:03 +0200 Subject: [PATCH 10/13] explicit path refix for ssh-keygen --- lib/includes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/includes b/lib/includes index 745f477..ac88e1e 100755 --- a/lib/includes +++ b/lib/includes @@ -258,7 +258,7 @@ setup_jail_chroot() { touch ./var/log/lastlog ./var/log/wtmp ./run/utmp info "2 - Copying essential files" - ssh-keygen -A -f . + ssh-keygen -A -f "${jail_path}" touch "./${AUTHORIZED_KEYS}" chmod 600 "./${AUTHORIZED_KEYS}" cp "${passwd}" ./etc From bc6a571595451500fe342b90074b1820a3bb0663 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Aug 2020 13:58:23 +0200 Subject: [PATCH 11/13] whitespaces for readability --- lib/includes | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) 
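Review bot: Because `./etc/ssh/*key` is no longer removed here and `ssh-keygen -A` (later in this function, outside the hunk) only creates keys that do not exist yet, jails built by older versions keep the copies of the host's keys that the former `cp /etc/ssh/ssh_host_*_key` lines placed in them, so the per-jail-key isolation introduced in the previous commit reaches new jails only. That is worth stating next to the new comment, e.g. `# NOTE: jails created by older versions still carry the host's keys; replacing them needs an explicit rotation step`, and ideally a documented way to rotate one jail's keys so clients re-accept them once, deliberately. The six single-path `rm -rf` lines are equivalent to one `rm -rf -- ./bin ./lib ./lib64 ./run ./usr ./var/run`; if the split is for readability a short comment saying so saves the next reader from re-merging them. The paths are relative, so the function depends on a `cd` to the jail root that happens before this hunk; setup_jail_chroot starts outside it.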
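Review bot: `ssh-keygen -A -f "${jail_path}"` is not error-checked, unlike the `test -d … || error …` guards used in the bkctld-* scripts; if generation fails (for instance `${jail_path}/etc/ssh` missing, or `ssh-keygen` unavailable on a minimal host) the jail is left without host keys and its sshd presumably refuses to start, which only surfaces later in bkctld-start. Suggest `ssh-keygen -A -f "${jail_path}" >/dev/null || error "${jail_name}: unable to generate SSH host keys"` (assuming `jail_name` is in scope here as `jail_path` is). `-A` also prints a progress line per key type to stdout, which the `>/dev/null` keeps out of the `info` output.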
diff --git a/lib/includes b/lib/includes index ac88e1e..639dd3f 100755 --- a/lib/includes +++ b/lib/includes @@ -251,16 +251,22 @@ setup_jail_chroot() { mkdir -p ./root/.ssh --mode 0700 # shellcheck disable=SC2174 mkdir -p ./var/backup --mode 0700 + ln -s ./usr/bin ./bin ln -s ./usr/lib ./lib ln -s ./usr/lib64 ./lib64 ln -s --target-directory=./var ../run + touch ./var/log/lastlog ./var/log/wtmp ./run/utmp info "2 - Copying essential files" + + # Generate SSH host keys is missing ssh-keygen -A -f "${jail_path}" + touch "./${AUTHORIZED_KEYS}" chmod 600 "./${AUTHORIZED_KEYS}" + cp "${passwd}" ./etc cp "${shadow}" ./etc cp "${group}" ./etc @@ -270,7 +276,19 @@ setup_jail_chroot() { cp -f /lib/ld-linux.so.2 ./lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 ./lib64 cp /lib/x86_64-linux-gnu/libnss* ./lib/x86_64-linux-gnu - for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do + for dbin in \ + /bin/sh \ + /bin/ls \ + /bin/mkdir \ + /bin/cat \ + /bin/rm \ + /bin/sed \ + /usr/bin/rsync \ + /usr/bin/lastlog \ + /usr/bin/touch \ + /usr/sbin/sshd \ + /usr/lib/openssh/sftp-server\ + ; do cp -f "${dbin}" "./${dbin}"; for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do cp -p "${lib}" "./${lib}" From 08a2e067c2769fe61fd4c30e5c03a96080b42576 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Aug 2020 14:01:57 +0200 Subject: [PATCH 12/13] bkctld-check-setup: remove "set -x" --- lib/bkctld-check-setup | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/bkctld-check-setup b/lib/bkctld-check-setup index e68648d..1e68989 100755 --- a/lib/bkctld-check-setup +++ b/lib/bkctld-check-setup @@ -44,7 +44,6 @@ if [ -n "${FIREWALL_RULES}" ] \ fi # Check if jails are started -set -x nb_on=0 nb_off=0 for jail_name in $(jails_list); do 
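Review bot: The new comment `# Generate SSH host keys is missing` reads as a statement that the keys are missing rather than as a condition; it should be `# Generate the SSH host keys if they are missing (ssh-keygen -A skips existing ones)`. Otherwise this hunk only adds blank lines.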
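Review bot: In the reflowed `for dbin in` list the final entry `/usr/lib/openssh/sftp-server\` has the continuation backslash glued to the path and `; do` then sits on a line of its own; the shell joins the two lines so it works, but it reads like a path ending in a backslash and is the kind of line a later edit breaks by appending an entry after it. The usual shape is to end the list with `/usr/lib/openssh/sftp-server; do` (no trailing backslash), or at least `/usr/lib/openssh/sftp-server \`. The loop body, including the `ldd | grep -Eo` library extraction, is unchanged and runs past the hunk.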
@@ -63,13 +62,12 @@ for jail_name in $(jails_list); do fi done if [ "${nb_off}" -eq 0 ]; then - output="${output}OK - all jails are in their expected state .\n" + output="${output}OK - all jails are in their expected state.\n" else output="${output}CRITICAL - ${nb_off} jail(s) shouldn't be OFF !\n" nb_crit=$((nb_crit + 1)) [ "${return}" -le 2 ] && return=2 fi -set +x [ "${return}" -ge 0 ] && header="OK" [ "${return}" -ge 1 ] && header="WARNING" From e5d40f8fe4603ad4ae3a896ae39e937ca6c524a4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Aug 2020 14:08:01 +0200 Subject: [PATCH 13/13] Release 2.4.0 --- CHANGELOG.md | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ad6af39..c093720 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added +### Changed + +### Deprecated + +### Removed + +### Fixed + +### Security + +## [2.4.0] - 2020-08-19 + +### Added + * New command bkctld upgrade-config to move the legacy config file "/etc/evobackup/" to the new config structure "/etc/evobackup/.d/incs_policy" ### Changed @@ -16,17 +30,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * bkctld: don't replace SSH host keys when creating/updating a jail * Split check into check-jails and check-setup * bkctld-check-jails checks if jails -* bkctld-check-setup checks if the partition is mounted and writable, if firewall is configured and if all jails are started +* bkctld-check-setup checks if the partition is mounted and writable, if firewall is configured and if all jails are in their expected state * create new ssh keys for new jails instead of copying those from the host -### Deprecated - -### Removed - -### Fixed - -### Security - ## [2.3.3] - 2020-05-28 ### Fixed