CHANGELOG for previous commits

linux/CHANGELOG

@@ -6,6 +6,10 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
 ### Added
 
 * trixie and forky support (Debian 13, 14)
+* IS_LXC_OPENSSH: check in openssh is installed in containers
+* IS_LXC_PHP_BAD_DEBIAN_VERSION: check if php containers use the expected Debian release
+* IS_DEBIANSECURITY_LXC: IS_DEBIANSECURITY in containers
+* IS_SURY_LXC: in containers
 
 ### Changed
 

linux/evocheck.sh

@@ -201,6 +201,15 @@ check_debiansecurity() {
     apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
     test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository"
 }
+check_debiansecurity_lxc() {
+    if is_installed lxc; then
+        container_list=$(lxc-ls)
+        for container in $container_list; do
+            lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
+            test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" "missing Debian-Security repository in container ${container}"
+        done
+    fi
+}
 check_oldpub() {
     # Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Stretch)
     apt-cache policy | grep --quiet pub.evolix.net
@@ -216,7 +225,19 @@ check_sury() {
     apt-cache policy | grep --quiet packages.sury.org
     if [ $? -eq 0 ]; then
          apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
-	 test $? -eq 0 || failed "IS_SURY" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing"
+         test $? -eq 0 || failed "IS_SURY" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing"
+    fi
+}
+check_sury_lxc() {
+    if is_installed lxc; then
+        container_list=$(lxc-ls)
+        for container in $container_list; do
+            lxc-attach --name $container apt-cache policy | grep --quiet packages.sury.org
+            if [ $? -eq 0 ]; then
+                 lxc-attach --name $container apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
+                 test $? -eq 0 || failed "IS_SURY_LXC" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing in container ${container}"
+            fi
+        done
     fi
 }
 check_aptitude() {
@@ -1269,7 +1290,7 @@ check_lxc_container_resolv_conf() {
         container_list=$(lxc-ls)
         current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
 
-       for container in $container_list; do
+        for container in $container_list; do
             if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then
 
                 while read -r resolver; do
@@ -1315,6 +1336,34 @@ check_lxc_php_fpm_service_umask_set() {
         fi
     fi
 }
+# Check that LXC containers have the proper Debian version.
+check_lxc_php_bad_debian_version() {
+    if is_installed lxc; then
+        php_containers_list=$(lxc-ls --filter php)
+        missing_umask=""
+        for container in $php_containers_list; do
+            if [ "$container" = "php56" ]; then
+                grep --quiet 'VERSION_ID="8"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Jessie"
+            elif [ "$container" = "php70" ]; then
+                grep --quiet 'VERSION_ID="9"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Stretch"
+            elif [ "$container" = "php73" ]; then
+                grep --quiet 'VERSION_ID="10"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Buster"
+            elif [ "$container" = "php74" ]; then
+                grep --quiet 'VERSION_ID="11"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bullseye"
+            elif [ "$container" = "php82" ]; then
+                grep --quiet 'VERSION_ID="12"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bookworm"
+            fi
+        done
+    fi
+}
+check_lxc_openssh() {
+    if is_installed lxc; then
+        container_list=$(lxc-ls)
+        for container in $container_list; do
+            test -e /var/lib/lxc/${container}/rootfs/usr/sbin/sshd && failed "IS_LXC_OPENSSH" "openssh-server should not be installed in container ${container}"
+        done
+    fi
+}
 
 download_versions() {
     local file
@@ -1468,9 +1517,11 @@ main() {
     test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf
     test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
     test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
+    test "${IS_DEBIANSECURITY_LXC:=1}" = 1 && check_debiansecurity_lxc
     test "${IS_OLDPUB:=1}" = 1 && check_oldpub
     test "${IS_NEWPUB:=1}" = 1 && check_newpub
     test "${IS_SURY:=1}" = 1 && check_sury
+    test "${IS_SURY_LXC:=1}" = 1 && check_sury_lxc
     test "${IS_APTITUDE:=1}" = 1 && check_aptitude
     test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak
     test "${IS_USRRO:=1}" = 1 && check_usrro
@@ -1565,6 +1616,8 @@ main() {
     test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
     test "${IS_NO_LXC_CONTAINER:=1}" = 1 && check_no_lxc_container
     test "${IS_LXC_PHP_FPM_SERVICE_UMASK_SET:=1}" = 1 && check_lxc_php_fpm_service_umask_set
+    test "${IS_LXC_PHP_BAD_DEBIAN_VERSION:=1}" = 1 && check_lxc_php_bad_debian_version
+    test "${IS_LXC_OPENSSH:=1}" = 1 && check_lxc_openssh
     test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
 
     if [ -f "${main_output_file}" ]; then