Merge branch 'master' into debian
cb06825b0b
15
CHANGELOG.md
15
CHANGELOG.md
|
@ -18,6 +18,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [2.4.0] - 2020-08-19
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* New command bkctld upgrade-config to move the legacy config file "/etc/evobackup/<jail>" to the new config structure "/etc/evobackup/<jail>.d/incs_policy"
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* bkctld-update: start jail after upgrade if it was started before
|
||||||
|
* bkctld: don't replace SSH host keys when creating/updating a jail
|
||||||
|
* Split check into check-jails and check-setup
|
||||||
|
* bkctld-check-jails checks if jails
|
||||||
|
* bkctld-check-setup checks if the partition is mounted and writable, if firewall is configured and if all jails are in their expected state
|
||||||
|
* create new ssh keys for new jails instead of copying those from the host
|
||||||
|
|
||||||
## [2.3.3] - 2020-05-28
|
## [2.3.3] - 2020-05-28
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
8
bkctld
8
bkctld
|
@ -36,9 +36,13 @@ fi
|
||||||
|
|
||||||
subcommand="${1:-}"
|
subcommand="${1:-}"
|
||||||
case "${subcommand}" in
|
case "${subcommand}" in
|
||||||
"inc" | "rm" | "check" | "stats" | "help" | "list")
|
"inc" | "rm" | "check-jails" | "check-setup" | "stats" | "help" | "list")
|
||||||
"${LIBDIR}/bkctld-${subcommand}"
|
"${LIBDIR}/bkctld-${subcommand}"
|
||||||
;;
|
;;
|
||||||
|
"check")
|
||||||
|
# backward compatibility
|
||||||
|
"${LIBDIR}/bkctld-check-jails"
|
||||||
|
;;
|
||||||
"check-incs")
|
"check-incs")
|
||||||
option="${2:-}"
|
option="${2:-}"
|
||||||
if [ "${option}" = "all" ] || [ -z "${option}" ]; then
|
if [ "${option}" = "all" ] || [ -z "${option}" ]; then
|
||||||
|
@ -69,7 +73,7 @@ case "${subcommand}" in
|
||||||
"${LIBDIR}/bkctld-${subcommand}" "${jail_name}" "${option}"
|
"${LIBDIR}/bkctld-${subcommand}" "${jail_name}" "${option}"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
"start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall")
|
"start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall" | "upgrade-config")
|
||||||
jail_name="${2:-}"
|
jail_name="${2:-}"
|
||||||
if [ "${jail_name}" = "all" ]; then
|
if [ "${jail_name}" = "all" ]; then
|
||||||
"${LIBDIR}/bkctld-list" | xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}"
|
"${LIBDIR}/bkctld-list" | xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}"
|
||||||
|
|
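Review bot: The backward-compatibility arm `"check")` at the top of the first hunk routes the old `check` subcommand to bkctld-check-jails only, but the old check also covered the backup-disk mount and firewall-sourcing tests that this commit moves into bkctld-check-setup (the lines removed in the following file section), so any monitoring definition still invoking `bkctld check` silently loses that coverage while continuing to report OK. I would at least announce the change from that arm, `echo "bkctld check is deprecated, run check-jails and check-setup" >&2` before the call, and state the reduced coverage under the CHANGELOG "Changed" entry. The `case` statement continues outside the hunk.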
|
@ -14,43 +14,6 @@ nb_ok=0
|
||||||
nb_unkn=0
|
nb_unkn=0
|
||||||
output=""
|
output=""
|
||||||
|
|
||||||
# Check if the backup disk is properly mounted
|
|
||||||
|
|
||||||
if [ -b "${BACKUP_DISK}" ]; then
|
|
||||||
# If backup disk is encrypted, verify that it's open
|
|
||||||
cryptsetup isLuks "${BACKUP_DISK}"
|
|
||||||
if [ "$?" -eq 0 ]; then
|
|
||||||
if [ ! -b '/dev/mapper/backup' ]; then
|
|
||||||
echo "Luks disk \`${BACKUP_DISK}' is not mounted !\n"
|
|
||||||
echo "cryptsetup luksOpen ${BACKUP_DISK} backup"
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
# Change value to real device
|
|
||||||
BACKUP_DISK='/dev/mapper/backup'
|
|
||||||
fi
|
|
||||||
# Verify that it's mounted and writable
|
|
||||||
findmnt --source ${BACKUP_DISK} -O rw > /dev/null
|
|
||||||
if [ "$?" -ne 0 ]; then
|
|
||||||
echo "Backup disk \`${BACKUP_DISK}' is not mounted (or read-only) !\n"
|
|
||||||
echo "mount ${BACKUP_DISK} /backup"
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if the firewall file is sourced
|
|
||||||
|
|
||||||
minifirewall_config=/etc/default/minifirewall
|
|
||||||
|
|
||||||
if [ -n "${FIREWALL_RULES}" ] \
|
|
||||||
&& [ -r "${FIREWALL_RULES}" ] \
|
|
||||||
&& [ -f "${minifirewall_config}" ]; then
|
|
||||||
if ! grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"; then
|
|
||||||
nb_warn=$((nb_warn + 1))
|
|
||||||
output="${output}WARNING - Firewall file '${FIREWALL_RULES}' doesn't seem to be sourced by '${minifirewall_config}'\n"
|
|
||||||
[ "${return}" -le 1 ] && return=1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check each jail status
|
# Check each jail status
|
||||||
|
|
||||||
check_jail() {
|
check_jail() {
|
||||||
|
@ -64,8 +27,8 @@ check_jail() {
|
||||||
check_policy_file=$(current_jail_check_policy_file "${jail_name}")
|
check_policy_file=$(current_jail_check_policy_file "${jail_name}")
|
||||||
|
|
||||||
if [ -f "${check_policy_file}" ]; then
|
if [ -f "${check_policy_file}" ]; then
|
||||||
local_critical=$(read_variable "${check_policy_file}" "CRITICAL")
|
local_critical=$(read_numerical_variable "${check_policy_file}" "CRITICAL")
|
||||||
local_warning=$(read_variable "${check_policy_file}" "WARNING")
|
local_warning=$(read_numerical_variable "${check_policy_file}" "WARNING")
|
||||||
else
|
else
|
||||||
unset local_critical
|
unset local_critical
|
||||||
unset local_warning
|
unset local_warning
|
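Review bot: With `read_numerical_variable` now used for CRITICAL and WARNING in check_jail, a policy file whose value is not numeric (the `CRITICAL=foo` case exercised in test/checks.bats) yields an empty `local_critical`, and the check then presumably falls back to the default threshold, so a misconfigured policy becomes indistinguishable from an absent one in the NRPE output. I would surface that case, e.g. `[ -n "${local_critical}" ] || output="${output}WARNING - ${jail_name}: CRITICAL in ${check_policy_file} is not numeric, using default\n"`, so operators learn the threshold they wrote is ignored. The comparison that consumes these values and the rest of check_jail lie outside the hunk, so the fallback behaviour is inferred from the grep pattern in lib/includes.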
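--- /dev/null
+++ b/lib/bkctld-check-setup
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Run check on jails (NRPE output)
+# Usage: check
+#
+
+# shellcheck source=./includes
+LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"
+
+return=0
+nb_crit=0
+nb_warn=0
+nb_ok=0
+nb_unkn=0
+output=""
+
+# Verify backup partition is mounted and writable
+
+findmnt --mountpoint "${BACKUP_PARTITION}" -O rw > /dev/null
+if [ "$?" -ne 0 ]; then
+nb_crit=$((nb_crit + 1))
+output="${output}CRITICAL - Backup disk \`/backup' is not mounted (or read-only) !\n"
+return=2
+else
+nb_ok=$((nb_ok + 1))
+output="${output}OK - Backup disk \`/backup' is mounted and writable.\n"
+fi
+
+# Check if the firewall file is sourced
+
+minifirewall_config=/etc/default/minifirewall
+
+if [ -n "${FIREWALL_RULES}" ] \
+&& [ -r "${FIREWALL_RULES}" ] \
+&& [ -f "${minifirewall_config}" ]; then
+if grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"; then
+nb_ok=$((nb_ok + 1))
+output="${output}OK - Firewall file \`${FIREWALL_RULES}' is sourced by \`${minifirewall_config}'.\n"
+else
+nb_warn=$((nb_warn + 1))
+output="${output}WARNING - Firewall file \`${FIREWALL_RULES}' doesn't seem to be sourced by \`${minifirewall_config}'\n"
+[ "${return}" -le 1 ] && return=1
+fi
+fi
+
+# Check if jails are started
+nb_on=0
+nb_off=0
+for jail_name in $(jails_list); do
+if "${LIBDIR}/bkctld-is-on" "${jail_name}"; then
+nb_on=$((nb_on + 1))
+else
+expected_state="ON"
+check_policy_file=$(current_jail_check_policy_file "${jail_name}")
+
+if [ -f "${check_policy_file}" ]; then
+expected_state=$(read_variable "${check_policy_file}" "EXPECTED_STATE")
+fi
+if [ "${expected_state}" != "OFF" ]; then
+nb_off=$((nb_off + 1))
+fi
+fi
+done
+if [ "${nb_off}" -eq 0 ]; then
+output="${output}OK - all jails are in their expected state.\n"
+else
+output="${output}CRITICAL - ${nb_off} jail(s) shouldn't be OFF !\n"
+nb_crit=$((nb_crit + 1))
+[ "${return}" -le 2 ] && return=2
+fi
+
+[ "${return}" -ge 0 ] && header="OK"
+[ "${return}" -ge 1 ] && header="WARNING"
+[ "${return}" -ge 2 ] && header="CRITICAL"
+[ "${return}" -ge 3 ] && header="UNKNOWN"
+
+printf "%s - %s UNK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unkn}" "${nb_crit}" "${nb_warn}" "${nb_ok}"
+
+printf "${output}" | grep -E "^UNKNOWN"
+printf "${output}" | grep -E "^CRITICAL"
+printf "${output}" | grep -E "^WARNING"
+printf "${output}" | grep -E "^OK"
+
+exit "${return}"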
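Review bot: The four `printf "${output}" | grep -E ...` lines at the end use the accumulated report as the printf format string, and `${output}` embeds `${FIREWALL_RULES}` and `${minifirewall_config}`, so a `%` in either path would be treated as a conversion and garble or truncate the report; use `printf '%b' "${output}" | grep -E "^CRITICAL"` (and likewise for the other three), which still expands the `\n` separators. The two backup-disk messages hard-code `/backup` while the test itself uses `${BACKUP_PARTITION}`, so the text is wrong whenever that variable is overridden; interpolate the variable in both messages. The header comment is copied from the jails check and should describe this script, e.g. `# Check the bkctld setup: backup partition, firewall rules, jails state (NRPE output)` and `# Usage: check-setup`. `LIBDIR="$(dirname $0)"` also leaves `$0` unquoted.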
|
@ -15,8 +15,24 @@ jail_path=$(jail_path "${jail_name}")
|
||||||
|
|
||||||
test -d "${jail_path}" || error "${jail_name}: jail not found" 2
|
test -d "${jail_path}" || error "${jail_name}: jail not found" 2
|
||||||
|
|
||||||
"${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}"
|
"${LIBDIR}/bkctld-is-on" "${jail_name}" 2>/dev/null
|
||||||
|
case "$?" in
|
||||||
|
0)
|
||||||
|
jail_initial_status="on"
|
||||||
|
;;
|
||||||
|
100)
|
||||||
|
jail_initial_status="off"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
unset jail_initial_status
|
||||||
|
error "Error evaluating jail \`${jail_name}' state. bkctld-is-on exited with \`$?'"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
test "${jail_initial_status}" = "on" && "${LIBDIR}/bkctld-stop" "${jail_name}"
|
||||||
|
|
||||||
setup_jail_chroot "${jail_name}"
|
setup_jail_chroot "${jail_name}"
|
||||||
|
|
||||||
|
test "${jail_initial_status}" = "on" && "${LIBDIR}/bkctld-start" "${jail_name}"
|
||||||
|
|
||||||
notice "Update jail \`${jail_name}' : OK"
|
notice "Update jail \`${jail_name}' : OK"
|
||||||
|
|
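Review bot: In the `*)` arm of the new `case "$?"` block, the error message reads `$?` after `unset jail_initial_status` has run, so it reports the exit status of `unset` (always 0) rather than bkctld-is-on's, and the `2>/dev/null` on the call above has already discarded whatever bkctld-is-on printed. Capture the status once and use it in both places: `rc=$?` directly after the `"${LIBDIR}/bkctld-is-on"` line, `case "${rc}" in`, and `... exited with \`${rc}'"` in the message. The `test "${jail_initial_status}" = "on" && "${LIBDIR}/bkctld-start" "${jail_name}"` line reports nothing when the start fails, yet `notice "Update jail ... : OK"` is printed unconditionally below it; consider appending `|| error "${jail_name}: jail could not be restarted"`. The script's head and the status codes bkctld-is-on returns are outside this hunk.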
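--- /dev/null
+++ b/lib/bkctld-upgrade-config
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# Update jail <jailname> or all
+# Usage: update <jailname>|all
+#
+
+# shellcheck source=./includes
+LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"
+
+jail_name="${1:?}"
+if [ ! -n "${jail_name}" ]; then
+"${LIBDIR}/bkctld-help" && exit 1
+fi
+jail_path=$(jail_path "${jail_name}")
+
+test -d "${jail_path}" || error "${jail_name}: jail not found" 2
+
+legacy_incs_policy_file="${CONFDIR}/${jail_name}"
+incs_policy_file=$(jail_incs_policy_file "${jail_name}")
+
+if [ -h "${legacy_incs_policy_file}" ]; then
+if [ -f "${incs_policy_file}" ]; then
+info "${jail_name}: config is already upgraded"
+else
+warning "${jail_name}: symlink present but inc policy file \`${incs_policy_file}' not found"
+fi
+elif [ ! -e "${legacy_incs_policy_file}" ] ; then
+if [ -f "${incs_policy_file}" ]; then
+# create a symlink for backward compatibility
+ln -s "${incs_policy_file}" "${legacy_incs_policy_file}"
+
+info "${jail_name}: config has been symlinked"
+else
+warning "${jail_name}: inc policy file \`${incs_policy_file}' not found"
+fi
+elif [ -f "${legacy_incs_policy_file}" ]; then
+# Create directory if missing
+mkdir -p "$(jail_config_dir "${jail_name}")"
+# move the main config file
+mv "${legacy_incs_policy_file}" "${incs_policy_file}"
+# create a symlink for backward compatibility
+ln -s "${incs_policy_file}" "${legacy_incs_policy_file}"
+# create a check_policy file if missing
+touch "$(jail_check_policy_file "${jail_name}")"
+
+info "${jail_name}: config has been upgraded"
+fi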
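Review bot: In the `elif [ -f "${legacy_incs_policy_file}" ]` branch, `mv "${legacy_incs_policy_file}" "${incs_policy_file}"` silently overwrites an existing new-style `incs_policy` when both files exist, and if `mkdir -p` or `mv` fails the script still runs `ln -s`, leaving a dangling `${CONFDIR}/${jail_name}` link and an unconverted policy. Guard the move with `[ -e "${incs_policy_file}" ] && error "${jail_name}: \`${incs_policy_file}' already exists, refusing to overwrite" 2` and chain the subsequent steps with `||` to `error` so a failed move aborts before the symlink is created. The header comment is copied from bkctld-update (`# Update jail <jailname> or all`, `# Usage: update <jailname>|all`) and should read `# Move the legacy config file of a jail to the new config structure` and `# Usage: upgrade-config <jailname>|all`. The `if [ ! -n "${jail_name}" ]` block is unreachable, since `${1:?}` already exits on an empty argument.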
51
lib/includes
51
lib/includes
|
@ -7,12 +7,13 @@
|
||||||
LIBDIR=${LIBDIR:-/usr/lib/bkctld}
|
LIBDIR=${LIBDIR:-/usr/lib/bkctld}
|
||||||
CONFDIR="${CONFDIR:-/etc/evobackup}"
|
CONFDIR="${CONFDIR:-/etc/evobackup}"
|
||||||
BACKUP_DISK="${BACKUP_DISK:-}"
|
BACKUP_DISK="${BACKUP_DISK:-}"
|
||||||
JAILDIR="${JAILDIR:-/backup/jails}"
|
BACKUP_PARTITION="${BACKUP_PARTITION:-/backup}"
|
||||||
INCDIR="${INCDIR:-/backup/incs}"
|
JAILDIR="${JAILDIR:-${BACKUP_PARTITION}/jails}"
|
||||||
|
INCDIR="${INCDIR:-${BACKUP_PARTITION}/incs}"
|
||||||
TPLDIR="${TPLDIR:-/usr/share/bkctld}"
|
TPLDIR="${TPLDIR:-/usr/share/bkctld}"
|
||||||
LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
|
LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
|
||||||
LOCKDIR="${LOCKDIR:-/run/lock/bkctld}"
|
LOCKDIR="${LOCKDIR:-/run/lock/bkctld}"
|
||||||
INDEX_DIR="${INDEX_DIR:-/backup/index}"
|
INDEX_DIR="${INDEX_DIR:-${BACKUP_PARTITION}/index}"
|
||||||
IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}"
|
IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}"
|
||||||
SSHD_PID="${SSHD_PID:-/run/sshd.pid}"
|
SSHD_PID="${SSHD_PID:-/run/sshd.pid}"
|
||||||
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
|
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
|
||||||
|
@ -225,7 +226,16 @@ setup_jail_chroot() {
|
||||||
umask 077
|
umask 077
|
||||||
|
|
||||||
info "1 - Creating the chroot"
|
info "1 - Creating the chroot"
|
||||||
rm -rf ./bin ./lib ./lib64 ./run ./usr ./var/run ./etc/ssh/*key
|
|
||||||
|
rm -rf ./bin
|
||||||
|
rm -rf ./lib
|
||||||
|
rm -rf ./lib64
|
||||||
|
rm -rf ./run
|
||||||
|
rm -rf ./usr
|
||||||
|
rm -rf ./var/run
|
||||||
|
# Let's not delete the existing SSH host keys,
|
||||||
|
# otherwise the clients will have to accept the new keys
|
||||||
|
|
||||||
mkdir -p ./dev
|
mkdir -p ./dev
|
||||||
mkdir -p ./proc
|
mkdir -p ./proc
|
||||||
mkdir -p ./usr/bin
|
mkdir -p ./usr/bin
|
||||||
|
@ -241,18 +251,22 @@ setup_jail_chroot() {
|
||||||
mkdir -p ./root/.ssh --mode 0700
|
mkdir -p ./root/.ssh --mode 0700
|
||||||
# shellcheck disable=SC2174
|
# shellcheck disable=SC2174
|
||||||
mkdir -p ./var/backup --mode 0700
|
mkdir -p ./var/backup --mode 0700
|
||||||
|
|
||||||
ln -s ./usr/bin ./bin
|
ln -s ./usr/bin ./bin
|
||||||
ln -s ./usr/lib ./lib
|
ln -s ./usr/lib ./lib
|
||||||
ln -s ./usr/lib64 ./lib64
|
ln -s ./usr/lib64 ./lib64
|
||||||
ln -s --target-directory=./var ../run
|
ln -s --target-directory=./var ../run
|
||||||
|
|
||||||
touch ./var/log/lastlog ./var/log/wtmp ./run/utmp
|
touch ./var/log/lastlog ./var/log/wtmp ./run/utmp
|
||||||
|
|
||||||
info "2 - Copying essential files"
|
info "2 - Copying essential files"
|
||||||
[ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key ./etc/ssh
|
|
||||||
[ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key ./etc/ssh
|
# Generate SSH host keys is missing
|
||||||
[ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key ./etc/ssh
|
ssh-keygen -A -f "${jail_path}"
|
||||||
|
|
||||||
touch "./${AUTHORIZED_KEYS}"
|
touch "./${AUTHORIZED_KEYS}"
|
||||||
chmod 600 "./${AUTHORIZED_KEYS}"
|
chmod 600 "./${AUTHORIZED_KEYS}"
|
||||||
|
|
||||||
cp "${passwd}" ./etc
|
cp "${passwd}" ./etc
|
||||||
cp "${shadow}" ./etc
|
cp "${shadow}" ./etc
|
||||||
cp "${group}" ./etc
|
cp "${group}" ./etc
|
||||||
|
@ -262,7 +276,19 @@ setup_jail_chroot() {
|
||||||
cp -f /lib/ld-linux.so.2 ./lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 ./lib64
|
cp -f /lib/ld-linux.so.2 ./lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 ./lib64
|
||||||
cp /lib/x86_64-linux-gnu/libnss* ./lib/x86_64-linux-gnu
|
cp /lib/x86_64-linux-gnu/libnss* ./lib/x86_64-linux-gnu
|
||||||
|
|
||||||
for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do
|
for dbin in \
|
||||||
|
/bin/sh \
|
||||||
|
/bin/ls \
|
||||||
|
/bin/mkdir \
|
||||||
|
/bin/cat \
|
||||||
|
/bin/rm \
|
||||||
|
/bin/sed \
|
||||||
|
/usr/bin/rsync \
|
||||||
|
/usr/bin/lastlog \
|
||||||
|
/usr/bin/touch \
|
||||||
|
/usr/sbin/sshd \
|
||||||
|
/usr/lib/openssh/sftp-server\
|
||||||
|
; do
|
||||||
cp -f "${dbin}" "./${dbin}";
|
cp -f "${dbin}" "./${dbin}";
|
||||||
for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
|
for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
|
||||||
cp -p "${lib}" "./${lib}"
|
cp -p "${lib}" "./${lib}"
|
||||||
|
@ -337,6 +363,15 @@ read_variable() {
|
||||||
file=${1:?}
|
file=${1:?}
|
||||||
var_name=${2:?}
|
var_name=${2:?}
|
||||||
|
|
||||||
|
pattern="^\s*${var_name}=.+"
|
||||||
|
|
||||||
|
grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2
|
||||||
|
}
|
||||||
|
|
||||||
|
read_numerical_variable() {
|
||||||
|
file=${1:?}
|
||||||
|
var_name=${2:?}
|
||||||
|
|
||||||
pattern="^\s*${var_name}=-?[0-9]+"
|
pattern="^\s*${var_name}=-?[0-9]+"
|
||||||
|
|
||||||
grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2
|
grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2
|
||||||
|
|
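Review bot: `ssh-keygen -A -f "${jail_path}"` in the third hunk of setup_jail_chroot only generates host keys that are missing, and the new `rm -rf` list deliberately keeps `./etc/ssh/*key`, so jails created by earlier versions — which received copies of the host's private keys through the `cp /etc/ssh/ssh_host_*_key ./etc/ssh` lines removed here — retain that host key material after `bkctld update`; dropping the copy is the right fix for new jails, but the upgrade path should be documented and ideally offer an explicit way to regenerate a jail's own keys. The comment above it, `# Generate SSH host keys is missing`, should read `# Generate SSH host keys if missing`. In `read_numerical_variable`, `grep ... | cut -d= -f2` emits one value per matching line, so a policy file that assigns the variable twice hands a two-line string to the numeric comparisons in the callers; appending `| tail -n 1` makes the last assignment win, as it would in a sourced shell file. setup_jail_chroot begins before the hunk, and the `cd` into the jail that the relative `rm -rf ./...` paths presumably rely on is not visible here.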
112
test/checks.bats
112
test/checks.bats
|
@ -3,33 +3,38 @@
|
||||||
|
|
||||||
load test_helper
|
load test_helper
|
||||||
|
|
||||||
@test "Check OK for default values" {
|
@test "Check jails OK" {
|
||||||
touch "${JAILPATH}/var/log/lastlog"
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
# With default values (2 days critical, 1 day warning),
|
|
||||||
# a freshly connected jail should be "ok"
|
|
||||||
run /usr/lib/bkctld/bkctld-check
|
|
||||||
assert_equal "0" "$status"
|
assert_equal "0" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Check WARNING for default values" {
|
@test "Check jails OK for default values" {
|
||||||
|
touch "${JAILPATH}/var/log/lastlog"
|
||||||
|
# With default values (2 days critical, 1 day warning),
|
||||||
|
# a freshly connected jail should be "ok"
|
||||||
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
|
assert_equal "0" "$status"
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "Check jails WARNING for default values" {
|
||||||
lastlog_date=$(date -d -2days --iso-8601=seconds)
|
lastlog_date=$(date -d -2days --iso-8601=seconds)
|
||||||
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
||||||
# With default values (2 days critical, 1 day warning),
|
# With default values (2 days critical, 1 day warning),
|
||||||
# a 2 days old jail should be "warning"
|
# a 2 days old jail should be "warning"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "1" "$status"
|
assert_equal "1" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Check CRITICAL for default values" {
|
@test "Check jails CRITICAL for default values" {
|
||||||
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
||||||
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
||||||
# With default values (2 days critical, 1 day warning),
|
# With default values (2 days critical, 1 day warning),
|
||||||
# a 3 days old jail should be "critical"
|
# a 3 days old jail should be "critical"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "2" "$status"
|
assert_equal "2" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Check OK for custom values" {
|
@test "Check jails OK for custom values" {
|
||||||
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
||||||
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
||||||
|
|
||||||
|
@ -39,11 +44,11 @@ WARNING=96
|
||||||
OUT
|
OUT
|
||||||
# With custom values (5 days critical, 4 days warning),
|
# With custom values (5 days critical, 4 days warning),
|
||||||
# a 3 days old jail should be "ok"
|
# a 3 days old jail should be "ok"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "0" "$status"
|
assert_equal "0" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Check WARNING for custom values" {
|
@test "Check jails WARNING for custom values" {
|
||||||
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
||||||
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
||||||
|
|
||||||
|
@ -53,11 +58,11 @@ WARNING=48
|
||||||
OUT
|
OUT
|
||||||
# With custom values (4 days critical, 3 days warning),
|
# With custom values (4 days critical, 3 days warning),
|
||||||
# a 3 days old jail should be "warning"
|
# a 3 days old jail should be "warning"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "1" "$status"
|
assert_equal "1" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Check CRITICAL for custom values" {
|
@test "Check jails CRITICAL for custom values" {
|
||||||
lastlog_date=$(date -d -10days --iso-8601=seconds)
|
lastlog_date=$(date -d -10days --iso-8601=seconds)
|
||||||
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
||||||
|
|
||||||
|
@ -67,11 +72,11 @@ WARNING=48
|
||||||
OUT
|
OUT
|
||||||
# With custom values (4 days critical, 3 days warning),
|
# With custom values (4 days critical, 3 days warning),
|
||||||
# a 10 days old jail should be "critical"
|
# a 10 days old jail should be "critical"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "2" "$status"
|
assert_equal "2" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Check OK for disabled WARNING" {
|
@test "Check jails OK for disabled WARNING" {
|
||||||
lastlog_date=$(date -d -2days --iso-8601=seconds)
|
lastlog_date=$(date -d -2days --iso-8601=seconds)
|
||||||
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
||||||
|
|
||||||
|
@ -80,11 +85,11 @@ WARNING=0
|
||||||
OUT
|
OUT
|
||||||
# With custom values (warning disabled, default critical),
|
# With custom values (warning disabled, default critical),
|
||||||
# a 2 days old jail should still be "ok"
|
# a 2 days old jail should still be "ok"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "0" "$status"
|
assert_equal "0" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Check WARNING for disabled CRITICAL" {
|
@test "Check jails WARNING for disabled CRITICAL" {
|
||||||
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
||||||
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
||||||
|
|
||||||
|
@ -93,11 +98,11 @@ CRITICAL=0
|
||||||
OUT
|
OUT
|
||||||
# With custom values (critical disabled, default warning),
|
# With custom values (critical disabled, default warning),
|
||||||
# a 3 days old jail should only be "warning"
|
# a 3 days old jail should only be "warning"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "1" "$status"
|
assert_equal "1" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Custom values are parsed with only integers after equal" {
|
@test "Custom jails values are parsed with only integers after equal" {
|
||||||
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
lastlog_date=$(date -d -3days --iso-8601=seconds)
|
||||||
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog"
|
||||||
|
|
||||||
|
@ -106,7 +111,7 @@ CRITICAL=0 # foo
|
||||||
OUT
|
OUT
|
||||||
# With custom values (critical disabled, default warning),
|
# With custom values (critical disabled, default warning),
|
||||||
# a 3 days old jail should only be "warning"
|
# a 3 days old jail should only be "warning"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "1" "$status"
|
assert_equal "1" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -119,7 +124,7 @@ OUT
|
||||||
OUT
|
OUT
|
||||||
# With commented custom values (critical disabled),
|
# With commented custom values (critical disabled),
|
||||||
# a 3 days old jail should still be "critical"
|
# a 3 days old jail should still be "critical"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "2" "$status"
|
assert_equal "2" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -132,40 +137,85 @@ CRITICAL=foo
|
||||||
OUT
|
OUT
|
||||||
# With commented custom values (critical disabled),
|
# With commented custom values (critical disabled),
|
||||||
# a 3 days old jail should still be "critical"
|
# a 3 days old jail should still be "critical"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-jails
|
||||||
assert_equal "2" "$status"
|
assert_equal "2" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Check WARNING if firewall rules are not sourced" {
|
@test "Check setup WARNING if firewall rules are not sourced" {
|
||||||
|
/usr/lib/bkctld/bkctld-start ${JAILNAME}
|
||||||
|
|
||||||
firewall_rules_file="/etc/firewall.rc.jails"
|
firewall_rules_file="/etc/firewall.rc.jails"
|
||||||
set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
|
set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
|
||||||
echo "" > "${firewall_rules_file}"
|
echo "" > "${firewall_rules_file}"
|
||||||
|
|
||||||
# Without sourcing
|
# Without sourcing
|
||||||
echo "" > "/etc/default/minifirewall"
|
echo "" > "/etc/default/minifirewall"
|
||||||
# … the check should be "critical"
|
# … the check should be "warning"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-setup
|
||||||
assert_equal "1" "$status"
|
assert_equal "1" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Check OK if firewall rules are sourced" {
|
@test "Check setup OK if firewall rules are sourced" {
|
||||||
|
/usr/lib/bkctld/bkctld-start ${JAILNAME}
|
||||||
|
|
||||||
firewall_rules_file="/etc/firewall.rc.jails"
|
firewall_rules_file="/etc/firewall.rc.jails"
|
||||||
set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
|
set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}"
|
||||||
echo "" > "${firewall_rules_file}"
|
echo "" > "${firewall_rules_file}"
|
||||||
|
|
||||||
# Sourcing file with '.'
|
# Sourcing file with '.'
|
||||||
echo ". ${firewall_rules_file}" > "/etc/default/minifirewall"
|
echo ". ${firewall_rules_file}" > "/etc/default/minifirewall"
|
||||||
# … the check should be "critical"
|
# … the check should be "ok"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-setup
|
||||||
assert_equal "0" "$status"
|
assert_equal "0" "$status"
|
||||||
|
|
||||||
# Sourcing file with 'source'
|
# Sourcing file with 'source'
|
||||||
echo "source ${firewall_rules_file}" > "/etc/default/minifirewall"
|
echo "source ${firewall_rules_file}" > "/etc/default/minifirewall"
|
||||||
# … the check should be "critical"
|
# … the check should be "ok"
|
||||||
run /usr/lib/bkctld/bkctld-check
|
run /usr/lib/bkctld/bkctld-check-setup
|
||||||
assert_equal "0" "$status"
|
assert_equal "0" "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@test "Check setup CRITICAL if jail is stopped" {
|
||||||
|
run /usr/lib/bkctld/bkctld-check-setup
|
||||||
|
assert_equal "2" "$status"
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "Check setup OK if all jails are started" {
|
||||||
|
/usr/lib/bkctld/bkctld-start ${JAILNAME}
|
||||||
|
|
||||||
|
run /usr/lib/bkctld/bkctld-check-setup
|
||||||
|
assert_equal "0" "$status"
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "Check setup OK if jail is supposed to be stopped" {
|
||||||
|
cat > "/etc/evobackup/${JAILNAME}.d/check_policy" <<OUT
|
||||||
|
EXPECTED_STATE=OFF
|
||||||
|
OUT
|
||||||
|
|
||||||
|
run /usr/lib/bkctld/bkctld-check-setup
|
||||||
|
assert_equal "0" "$status"
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "Check setup CRITICAL if backup partition is not mounted" {
|
||||||
|
umount --force /backup
|
||||||
|
|
||||||
|
run /usr/lib/bkctld/bkctld-check-setup
|
||||||
|
|
||||||
|
mount /dev/vdb /backup
|
||||||
|
|
||||||
|
assert_equal "2" "$status"
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "Check setup CRITICAL if backup partition is read-only" {
|
||||||
|
mount -o remount,ro /backup
|
||||||
|
|
||||||
|
run /usr/lib/bkctld/bkctld-check-setup
|
||||||
|
|
||||||
|
mount -o remount,rw /backup
|
||||||
|
|
||||||
|
assert_equal "2" "$status"
|
||||||
|
}
|
||||||
|
|
||||||
@test "Check-last-incs OK if jail is present" {
|
@test "Check-last-incs OK if jail is present" {
|
||||||
/usr/lib/bkctld/bkctld-inc
|
/usr/lib/bkctld/bkctld-inc
|
||||||
|
|
||||||
|
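Review bot: The new setup tests cover `EXPECTED_STATE=OFF` but not the comparison's strictness: bkctld-check-setup tests `"${expected_state}" != "OFF"` literally, so `EXPECTED_STATE=off` or `EXPECTED_STATE="OFF"` in a check_policy file would count as a jail that should be ON, and a test pinning that behaviour (or a fix normalising the value) would keep the contract explicit. In the two partition tests the restoring `mount` correctly precedes `assert_equal`, but if `umount --force /backup` itself fails the `run` is measured on a still-mounted partition and the following `mount /dev/vdb /backup` errors; consider `umount --force /backup || skip "could not unmount /backup"`. `/usr/lib/bkctld/bkctld-start ${JAILNAME}` leaves the variable unquoted.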
|
|
@ -30,7 +30,7 @@ SERVERS="node0.backup.example.com:2XXX node1.backup.example.com:2XXX"
|
||||||
SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
|
SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
|
||||||
|
|
||||||
# timeout (in seconds) for SSH connections
|
# timeout (in seconds) for SSH connections
|
||||||
SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-30}
|
SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90}
|
||||||
|
|
||||||
## We use /home/backup : feel free to use your own dir
|
## We use /home/backup : feel free to use your own dir
|
||||||
LOCAL_BACKUP_DIR="/home/backup"
|
LOCAL_BACKUP_DIR="/home/backup"
|
||||||
|
@ -156,37 +156,37 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
||||||
## example with two dumps for each table (.sql/.txt) for all databases
|
## example with two dumps for each table (.sql/.txt) for all databases
|
||||||
# for i in $(echo SHOW DATABASES | mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \
|
# for i in $(echo SHOW DATABASES | mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \
|
||||||
# | egrep -v "^(Database|information_schema|performance_schema|sys)" ); \
|
# | egrep -v "^(Database|information_schema|performance_schema|sys)" ); \
|
||||||
# do mkdir -p -m 700 /home/mysqldump/$i ; chown -RL mysql /home/mysqldump ; \
|
# do mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/$i ; chown -RL mysql /home/mysqldump ; \
|
||||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \
|
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \
|
||||||
# --fields-enclosed-by='\"' --fields-terminated-by=',' -T /home/mysqldump/$i $i; done
|
# --fields-enclosed-by='\"' --fields-terminated-by=',' -T ${LOCAL_BACKUP_DIR}/mysql/$i $i; done
|
||||||
|
|
||||||
## Dump all grants (requires 'percona-toolkit' package)
|
## Dump all grants (requires 'percona-toolkit' package)
|
||||||
# mkdir -p -m 700 /home/mysqldump/
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
|
||||||
# pt-show-grants --flush --no-header > /home/mysqldump/all_grants.sql
|
# pt-show-grants --flush --no-header > ${LOCAL_BACKUP_DIR}/mysql/all_grants.sql
|
||||||
|
|
||||||
## example with SQL dump (schema only, no data) for each databases
|
## example with SQL dump (schema only, no data) for each databases
|
||||||
# mkdir -p -m 700 /home/mysqldump/
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
|
||||||
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
||||||
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
||||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > /home/mysqldump/${i}.schema.sql
|
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > ${LOCAL_BACKUP_DIR}/mysql/${i}.schema.sql
|
||||||
# done
|
# done
|
||||||
|
|
||||||
## example with compressed SQL dump (with data) for each databases
|
## example with compressed SQL dump (with data) for each databases
|
||||||
# mkdir -p -m 700 /home/mysqldump/
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
|
||||||
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
||||||
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
||||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz
|
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > ${LOCAL_BACKUP_DIR}/mysql/${i}.sql.gz
|
||||||
# done
|
# done
|
||||||
|
|
||||||
## example with *one* uncompressed SQL dump for *one* database (MYBASE)
|
## example with *one* uncompressed SQL dump for *one* database (MYBASE)
|
||||||
# mkdir -p -m 700 /home/mysqldump/MYBASE
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/MYBASE
|
||||||
# chown -RL mysql /home/mysqldump/
|
# chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql/
|
||||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \
|
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \
|
||||||
# --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE
|
# --opt --events --hex-blob --skip-comments -T ${LOCAL_BACKUP_DIR}/mysql/MYBASE MYBASE
|
||||||
|
|
||||||
## example with mysqlhotcopy
|
## example with mysqlhotcopy
|
||||||
# mkdir -p -m 700 /home/mysqlhotcopy/
|
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysqlhotcopy/
|
||||||
# mysqlhotcopy BASE /home/mysqlhotcopy/
|
# mysqlhotcopy BASE ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/
|
||||||
|
|
||||||
## example for multiples MySQL instances
|
## example for multiples MySQL instances
|
||||||
# mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3)
|
# mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3)
|
||||||
|
@ -229,7 +229,14 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
||||||
## Redis
|
## Redis
|
||||||
|
|
||||||
## example with copy .rdb file
|
## example with copy .rdb file
|
||||||
|
## for the default instance :
|
||||||
# cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/
|
# cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/
|
||||||
|
## for multiple instances :
|
||||||
|
# for instance in $(ls -d /var/lib/redis-*); do
|
||||||
|
# name=$(basename $instance)
|
||||||
|
# mkdir -p ${LOCAL_BACKUP_DIR}/${name}
|
||||||
|
# cp -a ${instance}/dump.rdb ${LOCAL_BACKUP_DIR}/${name}
|
||||||
|
# done
|
||||||
|
|
||||||
## ElasticSearch
|
## ElasticSearch
|
||||||
|
|
||||||
|
@ -368,7 +375,7 @@ if [ "${SYNC_TASKS}" = "1" ]; then
|
||||||
|
|
||||||
# ignore check because we want it to split the different arguments to $rep
|
# ignore check because we want it to split the different arguments to $rep
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \
|
rsync -avzh --relative --stats --delete --delete-excluded --force --ignore-errors --partial \
|
||||||
--exclude "lost+found" \
|
--exclude "lost+found" \
|
||||||
--exclude ".nfs.*" \
|
--exclude ".nfs.*" \
|
||||||
--exclude "/var/log" \
|
--exclude "/var/log" \
|
||||||
|
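Review bot: In the second hunk the updated example line changes `mkdir -p -m 700` to `${LOCAL_BACKUP_DIR}/mysql/$i` but keeps `chown -RL mysql /home/mysqldump` on the same line, so the template now creates one directory and chowns another; it should read `chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql`. Likewise the mysqlhotcopy example creates `${LOCAL_BACKUP_DIR}/mysqlhotcopy/` but writes to `${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/`; the two paths should agree. In the last hunk, adding `--relative` to an rsync that also uses `--delete` changes where the sources land on the backup server, so existing trees are presumably re-transferred under the new layout on the first run; that deserves a line in the changelog or a comment above the rsync call. The file's head and the loop that builds `$rep` are outside these hunks.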
|