From e0a237c85771babf9665e7df03b36ec894e53e80 Mon Sep 17 00:00:00 2001
From: downtownallday
Date: Fri, 2 Dec 2022 15:09:29 -0500
Subject: [PATCH] Fixes #17: start services after unattended upgrades
---
 conf/ehdd-unattended-upgrades-after.path | 9 +++++
 conf/ehdd-unattended-upgrades-after.service | 7 ++++
 ehdd/ehdd_funcs.sh | 9 +++++
 ehdd/postinstall.sh | 39 ++++++++++-----------
 ehdd/run-this-after-reboot.sh | 14 +++++--
 setup/system.sh | 29 +++++++++++++++
 6 files changed, 81 insertions(+), 26 deletions(-)
 create mode 100644 conf/ehdd-unattended-upgrades-after.path
 create mode 100644 conf/ehdd-unattended-upgrades-after.service
diff --git a/conf/ehdd-unattended-upgrades-after.path b/conf/ehdd-unattended-upgrades-after.path
new file mode 100644
index 00000000..e6852f0e
--- /dev/null
+++ b/conf/ehdd-unattended-upgrades-after.path
@@ -0,0 +1,9 @@
+[Unit]
+Description=Monitor unattended upgrades and ensure ehdd services are started after upgrades
+
+[Path]
+PathModified=/var/lib/apt/periodic/unattended-upgrades-stamp
+Unit=ehdd-unattended-upgrades-after.service
+
+[Install]
+WantedBy=paths.target
diff --git a/conf/ehdd-unattended-upgrades-after.service b/conf/ehdd-unattended-upgrades-after.service
new file mode 100644
index 00000000..236da610
--- /dev/null
+++ b/conf/ehdd-unattended-upgrades-after.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Starts ehdd services
+
+[Service]
+Type=oneshot
+WorkingDirectory=
+ExecStart=/ehdd/run-this-after-reboot.sh --no-mount
diff --git a/ehdd/ehdd_funcs.sh b/ehdd/ehdd_funcs.sh
index 0d5c17ef..5593b781 100644
--- a/ehdd/ehdd_funcs.sh
+++ b/ehdd/ehdd_funcs.sh
@@ -50,3 +50,12 @@ is_mounted() {
 return 1
 fi
 }
+
+system_installed_with_encryption_at_rest() {
+ # must be mounted!
+ if [ -e "$EHDD_IMG" -a ! -z "$STORAGE_ROOT" -a \
+ -e "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]; then
+ return 0
+ fi
+ return 1
+}
diff --git a/ehdd/postinstall.sh b/ehdd/postinstall.sh
index f5a829a3..5e7cd2fa 100755
--- a/ehdd/postinstall.sh
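Review bot: `WorkingDirectory=` is left empty and `ExecStart=/ehdd/run-this-after-reboot.sh --no-mount` names a path that only exists once setup/system.sh rewrites both keys with tools/editconf.py, so the unit as committed is a template rather than an installable file, and nothing in it says so. Someone copying it by hand into /etc/systemd/system would get a oneshot that fails on every unattended-upgrades run. A comment above the `[Service]` section would make the contract explicit: `# WorkingDirectory and ExecStart are placeholders; setup/system.sh rewrites them to the install directory`. With no `User=` the script also runs as root, which systemctl presumably needs; stating that intent in the same comment helps the next reviewer.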
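Review bot: `system_installed_with_encryption_at_rest` joins its three tests with `-a` inside one `[ ]`, which POSIX marks obsolescent and which becomes ambiguous when an operand happens to look like an operator; `! -z` is also just `-n`. Separate tests avoid both problems and read the same: `if [ -e "$EHDD_IMG" ] && [ -n "$STORAGE_ROOT" ] && [ -e "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]; then`. The `# must be mounted!` comment names a precondition the function cannot report: when STORAGE_ROOT is not mounted the key file is absent and the caller receives "not installed with encryption at rest" rather than an error, so every caller must verify mounting first. If `is_mounted` above takes no arguments it could be consulted here; otherwise the comment should spell out that callers are responsible for the check.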
+++ b/ehdd/postinstall.sh
@@ -11,28 +11,25 @@
 . "ehdd/ehdd_funcs.sh" || exit 1
-if [ -e "$EHDD_IMG" ]; then
-
- if [ -s /etc/mailinabox.conf ]; then
- echo ""
- echo "** Disabling system services **"
- systemctl disable --quiet postfix
- systemctl disable --quiet dovecot
- systemctl disable --quiet postgrey
- systemctl disable --quiet cron
- systemctl disable --quiet nginx
- systemctl disable --quiet php8.0-fpm
- systemctl disable --quiet mailinabox
- systemctl disable --quiet fail2ban
- systemctl disable --quiet miabldap-capture
- #systemctl disable nsd
- [ -x /usr/sbin/slapd ] && systemctl disable --quiet slapd
+if system_installed_with_encryption_at_rest; then
+ echo ""
+ echo "** Disabling system services that require encrypted HDD to be mounted **"
+ systemctl disable --quiet postfix
+ systemctl disable --quiet dovecot
+ systemctl disable --quiet postgrey
+ systemctl disable --quiet cron
+ systemctl disable --quiet nginx
+ systemctl disable --quiet php8.0-fpm
+ systemctl disable --quiet mailinabox
+ systemctl disable --quiet fail2ban
+ systemctl disable --quiet miabldap-capture
+ #systemctl disable nsd
+ [ -x /usr/sbin/slapd ] && systemctl disable --quiet slapd
- echo ""
- echo "IMPORTANT:"
- echo " Services have been disabled at startup because the encrypted HDD will"
- echo " be unavailable. Run ehdd/run-this-after-reboot.sh after a reboot."
- fi
+ echo ""
+ echo "IMPORTANT:"
+ echo " Services have been disabled at startup because the encrypted HDD will"
+ echo " be unavailable. Run ehdd/run-this-after-reboot.sh after a reboot."
 fi
diff --git a/ehdd/run-this-after-reboot.sh b/ehdd/run-this-after-reboot.sh
index 1ce801a8..07ae1bc3 100755
--- a/ehdd/run-this-after-reboot.sh
+++ b/ehdd/run-this-after-reboot.sh
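Review bot: the new guard `if system_installed_with_encryption_at_rest; then` depends on the encrypted volume being mounted (the helper is commented `# must be mounted!`), so if postinstall.sh is ever reached with the volume unmounted the whole block is skipped, the services stay enabled, and they start at boot without user-data, which is precisely the condition this block exists to prevent. The removed code tested `-e "$EHDD_IMG"` and `-s /etc/mailinabox.conf`, neither of which needs the mount, so the failure mode is new. An `else` branch that reports the skipped step keeps it visible to the operator: `else` / `  [ -e "$EHDD_IMG" ] && echo "WARNING: encrypted HDD image exists but is not mounted; services were NOT disabled" >&2`. This assumes `$EHDD_IMG` is set by ehdd_funcs.sh, which the helper's own test suggests.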
@@ -8,21 +8,25 @@
 ##### details. #####
-ehdd/mount.sh || exit 1
+if [ "${1:-}" != "--no-mount" ]; then
+ ehdd/mount.sh || exit 1
+fi
-if [ -s /etc/mailinabox.conf ]; then
+. ehdd/ehdd_funcs.sh || exit 1
+
+if system_installed_with_encryption_at_rest; then
 [ -x /usr/sbin/slapd ] && systemctl start slapd
 systemctl start php8.0-fpm
 systemctl start dovecot
 systemctl start postfix
 # postgrey's main database and local client whitelist are in user-data
- systemctl restart postgrey
+ systemctl start postgrey
 systemctl start nginx
 systemctl start cron
 #systemctl start nsd
- systemctl link -f $(pwd)/conf/mailinabox.service
+ systemctl link -q -f /lib/systemd/system/mailinabox.service
 systemctl start fail2ban
- systemctl restart mailinabox
+ systemctl start mailinabox
 systemctl start miabldap-capture
 fi
diff --git a/setup/system.sh b/setup/system.sh
index f12d1af5..c55b5135 100755
--- a/setup/system.sh
+++ b/setup/system.sh
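Review bot: when the path unit invokes this script with `--no-mount`, the mount step is skipped and `system_installed_with_encryption_at_rest` returns false whenever the volume is not mounted, so the oneshot exits 0 having started nothing and the journal gives no hint why the services stayed down after an upgrade. An `else` on the new `if` makes that state diagnosable: `else` / `  echo "encrypted HDD is not mounted; ehdd services were not started" >&2`. Separately, `systemctl link -q -f /lib/systemd/system/mailinabox.service` targets a file already inside the unit search path, whereas `link` is meant for units outside it; if the intent is only to make the unit known before `systemctl start mailinabox`, it is worth verifying that this call does anything on the target systemd version rather than failing quietly under `-q`. The script's header comment starts before the hunk.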
@@ -410,3 +410,32 @@ EOF [ -e /var/log/mail.log ] && chown syslog:adm /var/log/mail.log [ -e /var/log/mail.err ] && chown syslog:adm /var/log/mail.err restart_service rsyslog + + +# Encryption-at-rest disables certain services after setup runs (see +# ehdd/postinstall.sh) because the STORAGE_ROOT directory won't be +# mounted after a reboot and those services would fail. This causes a +# problem if one of those services is upgraded by unattended-upgrades. +# +# The issue: when the system is running normally and +# unattended-upgrades updates a disabled (but running) service +# (eg. mariadb), the service is stopped for the upgrade but is +# never re-started. +# +# The fix: have systemd watch unattended-upgrades, then start all +# disabled services that were upgraded after updates have been +# applied. + +cp conf/ehdd-unattended-upgrades-after.path \ + conf/ehdd-unattended-upgrades-after.service \ + /etc/systemd/system + +tools/editconf.py \ + /etc/systemd/system/ehdd-unattended-upgrades-after.service \ + -ini-section Service \ + "WorkingDirectory=$(pwd)" \ + "ExecStart=$(pwd)/ehdd/run-this-after-reboot.sh --no-mount" + +systemctl daemon-reload +systemctl enable -q ehdd-unattended-upgrades-after.path +systemctl start -q ehdd-unattended-upgrades-after.path
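Review bot: the comment block cites mariadb as the service that unattended-upgrades stops and never restarts, but neither the disable list in ehdd/postinstall.sh nor the start list in ehdd/run-this-after-reboot.sh in this same commit contains mariadb, so as committed the fix would not restart the example it names; unless mariadb is handled elsewhere, either add it to both lists or change the example to a service that is covered. The `"ExecStart=$(pwd)/ehdd/run-this-after-reboot.sh --no-mount"` value is split by systemd on whitespace, so an install directory containing a space would produce a broken command line; if such paths are possible, quote the program: `"ExecStart=\"$(pwd)/ehdd/run-this-after-reboot.sh\" --no-mount"`. The path unit is also enabled and started unconditionally, including on hosts without encryption-at-rest, where each apt periodic run will spawn the oneshot only for it to return without doing anything; a short comment noting that this no-op is intended would save the next reader from treating it as a bug.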