Commit f352bfb1 authored by Paul Cammish

Merge branch 'bullseye-testing' into 'bullseye'

Bullseye testing -> stable

* Update to fix MOTD not displaying in some situations, improve MOTD information and reduce load
* Improved serial/VGA banner
* Various fixes to Exim configuration for changes in Bullseye
* Cleanup of replacement of Webalizer with AWFFull
* Fixes bug with mailbox password daemon not working on IPv6-only #315

See merge request !235
parents 0380835c b45b5b56
CHANGELOG
---------
2021-08-19
all:
* Debian Bullseye Release
core:
* Updates to MOTD and banners
2021-08-18
sympl-core:
* Check htdocs/stats for AWFFull rather than Webalizer
sympl-web
* Update Webalizer references to AWFFull
* Disable default AWFFull cron
sympl-mail
* Further fixes for Exim 4.94 in Debian Bullseye
2021-08-13
sympl-mail:
* use systemd socket activation for sympl-mail-poppassd
2021-04-09
sympl-core
* Update sympl.host to sympl.io
......
sympl-backup (11.20210818.1) stable; urgency=medium
* Debian Bullseye Release
-- Paul Cammish <sympl@kelduum.net> Wed, 18 Aug 2021 14:00:00 +0100
sympl-backup (11.20210215.0) stable; urgency=medium
* Updated version numbering format
......
......@@ -9,8 +9,8 @@ XS-Ruby-Versions: all
Package: sympl-backup
Architecture: all
Depends: backup2l, ruby, sympl-core (>= 9.0.190611.0), make, libfilesys-df-perl, libswitch-perl, ${misc:Depends}
Description: Automatically backup your files
Depends: backup2l, ruby, sympl-core, make, libfilesys-df-perl, libswitch-perl, ${misc:Depends}
Description: Automatic backups for Sympl
This package configures backup2l to backup your data.
.
This backup won't protect you against system failure, but will prevent
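Review bot: The new `Depends:` line drops the version bound on `sympl-core` entirely (`sympl-core (>= 9.0.190611.0)` becomes plain `sympl-core`), so this Bullseye build of sympl-backup is satisfied by any older sympl-core left behind by a partial upgrade. If the packages are meant to move together, a bound on the 11.x series would state that. If the bound was dropped on purpose, the changelog should say so, since the 11.20210818.1 entry only records the release.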
......
sympl-core (11.20210819.0) stable; urgency=medium
* Fixes for missing MOTD
-- Paul Cammish <sympl@kelduum.net> Thu, 19 Aug 2021 10:30:00 +0100
sympl-core (11.20210818.1) stable; urgency=medium
* Debian Bullseye Release
-- Paul Cammish <sympl@kelduum.net> Wed, 18 Aug 2021 14:00:00 +0100
sympl-core (11.20210818.0) stable; urgency=medium
* Check htdocs/stats for AWFFull rather than Webalizer
-- Paul Cammish <sympl@kelduum.net> Wed, 18 Aug 2021 12:15:00 +0100
sympl-core (11.20210409.0) stable; urgency=medium
* Updated sympl.host to sympl.io
......
......@@ -19,7 +19,7 @@ Recommends: sympl-backup, sympl-cron, sympl-mail, sympl-firewall,
sympl-dns, sympl-webmail, sympl-updater,
openssh-server, nano, vim, htop, strace, wget, curl, iotop, less, lsof,
psmisc, rsync, screen, smartmontools, telnet, mtr-tiny, xfsprogs, tree
Description: Easy, complete, and friendly server administration system
Description: Sympl - Easy server management via SSH
This is libraries and a metapackage which will pull in each
package which is a component of the Sympl system.
.
......@@ -12,13 +12,13 @@ if [ "$1" != "configure" ]; then
fi
#
# Enable the MOTD
# Move the standard Debian MOTD
#
if [ -f /etc/motd ] ; then
echo "I: Enabling dynamic MOTD"
if [ $( grep -c '^The programs included with the Debian' /etc/motd ) -gt 0 ]; then
echo "I: Moving stock MOTD"
mv /etc/motd /etc/motd.dpkg-sympl-orig
ln -s /run/motd /etc/motd
echo "" /etc/motd
fi
#
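Review bot: In the line that replaces `ln -s /run/motd /etc/motd`, `echo "" /etc/motd` has no redirect, so it prints an empty string followed by `/etc/motd` to the postinst output and creates nothing after the `mv`. If the intent is an empty static MOTD, this should be `: > /etc/motd` (or `echo "" > /etc/motd`). The new condition also drops the `-f` guard: when /etc/motd is absent, `grep -c` writes nothing to stdout and the unquoted `[ $( ... ) -gt 0 ]` becomes a malformed test, so `if grep -q '^The programs included with the Debian' /etc/motd 2>/dev/null; then` is the safer form.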
......
......@@ -32,18 +32,19 @@ case "$1" in
log_action_msg "System configured with $DESC"
echo "$(tput bold)"
cat <<EOF
┌─────┐ v10.0
└─┐ │
┌─────────┐ ┌───┐ ┌───┐ ┌─────────────┐ ┌───────────┐ │ │
┌─┘ ┌───────┘ │ │ │ │ │ ┌─┐ ┌─┐ └─┐ │ ┌─────┐ └─┐ │ │
│ └─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
└─┐ └───┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
└───┐ └─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
└─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
┌───────┘ ┌─┘ └─┐ └─────┘ │ │ │ │ │ │ │ │ └─────┘ ┌─┘ ┌─┘ └─┐
└─────────┘ └───────┐ │ └───┘ └───┘ └───┘ │ ┌───────┘ └───────┘
┌───────┘ ┌─┘ │ │
└─────────┘ └───┘ https://sympl.io
###### v11
####
########## #### #### ############## ############ ####
#### #### #### #### #### #### #### #### ####
###### #### #### #### #### #### #### #### ####
######## #### #### #### #### #### #### #### ####
###### #### #### #### #### #### #### #### ####
#### #### #### #### #### #### #### #### ####
########## ############ #### #### #### ############ ########
#### ####
########## #### https://sympl.io
EOF
echo "$(tput sgr0)"
;;
......
......@@ -86,12 +86,12 @@ function secure_domain_dir()
fi
# Lock down the public/htdocs/stats directory, if it exists and contains webalizer html
# Lock down the public/htdocs/stats directory, if it exists and contains awffull html
# By default this is left unprotected, and includes IP addresses which are classified
# under GDPR as personally identifiable
if [ ! -f "${domain}/public/htdocs/stats/.htaccess" ] && [ -f "${domain}/public/htdocs/stats/index.html" ]; then
if [ $( grep -c 'webalizer' "${domain}/public/htdocs/stats/index.html" ) != 0 ]; then
if [ $( grep -c 'awffull' "${domain}/public/htdocs/stats/index.html" ) != 0 ]; then
echo "# Prevent unauthorized access to stats and enforce HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
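Review bot: Changing the `grep -c` match from 'webalizer' to 'awffull' means a stats directory whose index.html was generated by Webalizer before the upgrade no longer gets the .htaccess written, although by the comment above it exposes the same IP addresses. Matching either generator, and case-insensitively in case the page spells the name AWFFull, for example `grep -qiE 'webalizer|awffull'`, keeps already-deployed sites covered.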
......
#!/usr/bin/python
#
# 20-updates - create the system updates section of the MOTD
# Copyright (c) 2013 Nick Charlton
#
# Authors: Nick Charlton <hello@nickcharlton.net>
# Based upon prior work by Dustin Kirkland and Michael Vogt.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#!/bin/bash
import sys
import os.path
set -e
#
# On Ubuntu, check that we don't run this test twice. Let's use theirs.
#
if os.path.isfile("/usr/lib/update-notifier/update-motd-updates-available"):
sys.exit(0)
set -o pipefail
import re
import string
err_report() {
echo -e "\nWarning: Unable to identify if package updates are available.\n run 'apt-list upgradable' to check manually.\n"
exit 0
}
#
# Check the load average before we start
#
loadavg_fh = open('/proc/loadavg','r')
loadavg = string.split(loadavg_fh.read(), " ", 1)
loadavg_fh.close()
trap 'err_report' ERR
cpus = 0
for line in open("/proc/cpuinfo"):
if re.match(r"^processor\s+",line):
cpus += 1
upgradable="$( timeout -k 3 -s 9 2 apt list --upgradable 2> /dev/null )"
loadavg_1 = float(loadavg[0])
if loadavg_1 > cpus or (cpus == 0 and loadavg_1 > 1):
sys.exit(0)
if [ $( echo "$upgradable" | wc -l ) -eq 0 ]; then
err_report
fi
#
# Now move on with getting the distro
#
import apt_pkg
import subprocess
# Identify how many updates are available
standard="$( echo "$upgradable" | grep -v '^Listing' | wc -l || true )"
DISTRO = subprocess.Popen(["lsb_release", "-c", "-s"],
stdout=subprocess.PIPE).communicate()[0].strip()
if [ $standard -gt 0 ]; then
# Report number of updates available
printf "\n%6s package updates are available,\n" "$standard"
class OpNullProgress(object):
'''apt progress handler which supresses any output.'''
def update(self):
pass
def done(self):
pass
# Get number of security updates, and output
security="$( echo "$upgradable" | grep 'security' | wc -l || true )"
printf "%6s of which are security updates.\n\n" "$security"
fi
def is_security_upgrade(pkg):
'''
Checks to see if a package comes from a DISTRO-security source.
'''
security_package_sources = [("Ubuntu", "%s-security" % DISTRO),
("Debian", "%s-updates" % DISTRO)]
for (file, index) in pkg.file_list:
for origin, archive in security_package_sources:
if (file.archive == archive and file.origin == origin):
return True
return False
# init apt and config
apt_pkg.init()
# open the apt cache
try:
cache = apt_pkg.Cache(OpNullProgress())
except SystemError, e:
sys.stderr.write("Error: Opening the cache (%s)" % e)
sys.exit(-1)
# setup a DepCache instance to interact with the repo
depcache = apt_pkg.DepCache(cache)
# take into account apt policies
depcache.read_pinfile()
# initialise it
depcache.init()
# give up if packages are broken
if depcache.broken_count > 0:
sys.stderr.write("Error: Broken packages exist.")
sys.exit(-1)
# mark possible packages
try:
# run distro-upgrade
depcache.upgrade(True)
# reset if packages get marked as deleted -> we don't want to break anything
if depcache.del_count > 0:
depcache.init()
# then a standard upgrade
depcache.upgrade()
except SystemError, e:
sys.stderr.write("Error: Couldn't mark the upgrade (%s)" % e)
sys.exit(-1)
# run around the packages
upgrades = 0
security_upgrades = 0
for pkg in cache.packages:
# skip packages not marked as upgraded/installed
if not (depcache.marked_install(pkg) or depcache.marked_upgrade(pkg)):
continue
candidate = depcache.get_candidate_ver(pkg)
current = pkg.current_ver
# Only count packages where the version number is different
if current == candidate:
continue
# increment the upgrade counter
upgrades += 1
# keep another count for security upgrades
if is_security_upgrade(candidate):
security_upgrades += 1
continue
# double check for security upgrades masked by another package
for version in pkg.version_list:
if (current and apt_pkg.version_compare(version.ver_str, current.ver_str) <= 0):
continue
if is_security_upgrade(version):
security_upgrades += 1
break
if upgrades > 0 or security_upgrades > 0 :
print " => There are %d packages to upgrade, of which %d are security-related." % (upgrades, security_upgrades)
print "" # leave a trailing blank line
exit 0
\ No newline at end of file
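Review bot: In the new bash version the empty-output check `[ $( echo "$upgradable" | wc -l ) -eq 0 ]` can never be true, because `echo` always emits at least a newline and `wc -l` is therefore at least 1; test the string directly with `[ -z "$upgradable" ]`. The warning in `err_report` tells the user to run 'apt-list upgradable', while the script itself runs `apt list --upgradable`, so the message should name that command. The security count uses `grep 'security'` over whole lines, which also counts any package whose name contains the word; matching on the archive field of each line would be tighter. The file also ends without a trailing newline.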
#!/usr/bin/env ruby
#
#
require 'date' # stdlib
if File.exist?("/usr/lib/update-notifier/update-motd-fsck-at-reboot")
exit 0
end
TIME_FMT = "%a %b %d %H:%M:%S %Y"
if Process.uid > 0
exit 0
end
class Filesystem
attr_reader :dev,:mp
def initialize(dev,mp)
@facts = nil
@dev = dev
@mp = mp
end
def uuid
facts[:filesystem_uuid]
end
def facts
# cache it
return @facts.nil? ? real_facts : @facts
end
def [](param)
facts[param]
end
def check_needed?
check_reasons.length > 0
end
def check_reasons
reasons = []
reasons << is_max_mount_count_reached?
reasons << is_date_check_needed?
reasons << is_manual_check_requested?
reasons.map do |ra|
ra[0] == true ? ra[1] : nil
end.reject{|a|a.nil?}
end
def eql?(other)
other.uuid == self.uuid
end
private
# the various is_? methods return [true,reason] if they find that a situation
# will necessitate a check on next reboot. Otherwise [false,nil]
#
# ok, so a filesystem will be checked if (any):
# a) it's mount count > maximum mount count
# b) it's next check date is before today
# c) /forcefsck exists
#
# on Debian, the presence of "/fastboot" will negate the fsck requirement.
def is_max_mount_count_reached?
max_count = facts[:maximum_mount_count].to_i
count = facts[:mount_count].to_i
if max_count > 0
if count > max_count
return [true, "Maximum mount count exceeded! (#{max_count} > #{count})"]
end
end
return [false,nil]
end
def is_date_check_needed?
if facts[:next_check_after]
next_check = DateTime.strptime(facts[:next_check_after],TIME_FMT)
last_check = DateTime.strptime(facts[:last_checked],TIME_FMT)
if next_check < DateTime.now
return [true,"Not checked since #{last_check.to_s}"]
end
end
[false,nil]
end
def is_manual_check_requested?
forcefsck_path = File.join(@mp,"forcefsck")
fastboot_path = File.join(@mp,"fastboot")
if File.exists? forcefsck_path
if File.exists? fastboot_path
return [false,nil]
else
return [true,"#{forcefsck_path} exists!"]
end
end
return [false,nil]
end
def real_facts
fs_info = %x[/sbin/dumpe2fs -h #{@dev} 2>/dev/null].each_line.map do |l|
(k,v) = l.split(":",2).map{|a|a.strip}
unless k.length == 0
k = k.gsub(/\s/,"_").downcase.to_sym
end
[k,v]
end
@facts = Hash[fs_info]
end
end
begin
# check dumpe2fs is there otherwise we might as well give up
if !File.exists? "/sbin/dumpe2fs"
exit 0
end
# first get the filesystems that we might check on boot
ext_fs = open("/etc/fstab","r").readlines.map do |fst|
(dev,mp,fs,opt,d,check) = fst.split
if dev =~ /^UUID=(.*)/
base_uuid_path = "/dev/disk/by-uuid"
rel_dev_path = File.readlink(File.join(base_uuid_path,$1))
dev = File.expand_path(rel_dev_path,base_uuid_path)
end
[dev,mp] if (fs =~ /^ext/ and check != nil and check.to_i > 0)
end.reject{|a|a.nil?}.map{|a|Filesystem.new(*a)}.uniq
ext_fs.find_all{|a|a.check_needed?}.each do |fs|
puts " => #{fs.dev} will be checked at next reboot for the following reason(s)!"
fs.check_reasons.each do |r|
puts " * #{r}"
end
puts "This may cause an extended reboot."
end
ensure # we have to exit 0 or we'll make Molly[-guard] sad
exit 0
end
#!/bin/bash
set -e
set -o pipefail
err_report() {
echo failed# fail silently
exit 0
}
trap 'err_report' ERR
echo
if [ -f /run/reboot-required ]; then
echo "** A reboot is required to apply a pending update"
echo
fi
if [ ! -f /fastboot ]; then
if [ -f /forcefsck ]; then
echo "** A filesystem check will be performed at next reboot"
echo " because the file /forcefsck exists."
echo
fi
mountinfo="$( timeout -k 2 -s 9 1 tune2fs -l $( findmnt / -no source ) | grep '[Mm]ount count:' )"
if [ "x$mountinfo" == "x" ]; then exit 0 ; fi
max_mount="$( echo "$mountinfo" | grep -i '^Maximum mount' | sed "s|.*: *||" )"
if [ "$max_mount" != "-1" ]; then
mount_count="$( echo "$mountinfo" | grep -i '^Mount count' | sed "s|.*: *||" )"
if [ $mount_count -gt $max_mount ]; then
echo "** A filesystem check is expected at next reboot"
echo " as the maximum mount count has been exceeded."
echo
fi
fi
fi
exit 0
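Review bot: In `err_report`, `echo failed# fail silently` prints the literal text 'failed# fail silently', because `#` only starts a comment at the beginning of a word. The handler runs whenever the `tune2fs ... | grep` pipeline fails under `set -o pipefail`, for instance when tune2fs cannot read the root device, so that text ends up in the MOTD. Drop the `echo`, or put a space before `#` and send the word to stderr. `[ $mount_count -gt $max_mount ]` is also unquoted, so an empty value from either `sed` becomes a test syntax error rather than a clean skip.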
sympl-cron (11.20210818.1) stable; urgency=medium
* Debian Bullseye Release
-- Paul Cammish <sympl@kelduum.net> Wed, 18 Aug 2021 14:00:00 +0100
sympl-cron (11.20210215.0) stable; urgency=medium
* Updated version numbering format
......
......@@ -9,7 +9,7 @@ XS-Ruby-Versions: all
Package: sympl-cron
Architecture: any
Depends: ruby, cron, sympl-core (>= 9.0.190611.0), ${shlibs:Depends}, ${misc:Depends}
Description: Provide per-domain crontab support
Depends: ruby, cron, sympl-core, ${shlibs:Depends}, ${misc:Depends}
Description: Per-domain crontab support for Sympl
This package provides a setuid wrapper script which allows each hosted
domain to have crontab entries, executed as the appropriate domain owner.
sympl-dns (11.20210818.1) stable; urgency=medium
* Debian Bullseye Release
-- Paul Cammish <sympl@kelduum.net> Wed, 18 Aug 2021 14:00:00 +0100
sympl-dns (11.20210215.0) stable; urgency=medium
* Updated version numbering format
......
......@@ -9,8 +9,8 @@ XS-Ruby-Versions: all
Package: sympl-dns
Architecture: all
Depends: rsync, wget, unzip, ruby, sympl-core (>= 9.0.190611.0), ${misc:Depends}
Description: Automatic DNS record creation and uploading for Bytemark customers
Depends: rsync, wget, unzip, ruby, sympl-core, ${misc:Depends}
Description: Automatic DNS record generation for Sympl
This package contains tools to create TinyDNS files which may be uploaded
to the Bytemark DNS host.
.
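Review bot: The short description loses its Bytemark wording, but the unchanged long description just below it still says the TinyDNS files 'may be uploaded to the Bytemark DNS host'. If the package is no longer tied to that service, the long description should be updated in the same change.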
......
sympl-firewall (11.20210818.1) stable; urgency=medium
* Debian Bullseye Release
-- Paul Cammish <sympl@kelduum.net> Wed, 18 Aug 2021 14:00:00 +0100
sympl-firewall (11.20210215.0) stable; urgency=medium
* Updated version numbering format
......
......@@ -9,8 +9,8 @@ XS-Ruby-Versions: all
Package: sympl-firewall
Architecture: any
Depends: iptables, ruby, sympl-core (>= 9.0.190611.0), libruby, ruby-sqlite3, ${shlibs:Depends}, ${misc:Depends}
Description: Sympl firewall generator
Depends: iptables, ruby, sympl-core, libruby, ruby-sqlite3, ${shlibs:Depends}, ${misc:Depends}
Description: Firewall generator for Sympl
This package contains a firewall generator which makes it simple to restrict
the incoming and outgoing connections a machine is permitted to accept or
initiate.
sympl-ftp (11.20210818.1) stable; urgency=medium
* Debian Bullseye Release
-- Paul Cammish <sympl@kelduum.net> Wed, 18 Aug 2021 14:00:00 +0100
sympl-ftp (11.20210215.0) stable; urgency=medium
* Updated version numbering format
......
......@@ -10,7 +10,7 @@ XS-Ruby-Versions: all
Package: sympl-ftp
Architecture: all
Depends: pure-ftpd, ${misc:Depends}, sympl-core (>= 9.0.190611.0), procps, ruby
Description: Tools to manage FTP virtual hosting
Description: Virtual FTP hosting in Sympl
This package contains tools to FTP access to any virtual hosts which
have been setup with the Sympl packges.
.
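Review bot: Unlike the other control files in this merge, the `Depends:` line here still carries `sympl-core (>= 9.0.190611.0)`; either drop it for consistency or keep the bound everywhere. While the description is being edited, the long description underneath needs fixing too: 'tools to FTP access' is missing a verb and 'packges' should be 'packages'.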
......
sympl-mail (11.20210818.1) stable; urgency=medium
* Debian Bullseye Release
-- Paul Cammish <sympl@kelduum.net> Wed, 18 Aug 2021 14:00:00 +0100
sympl-mail (11.20210818.0) stable; urgency=medium
* Further fixes for Exim 4.94 in Debian Bullseye
-- Paul Cammish <sympl@kelduum.net> Wed, 18 Aug 2021 12:15:00 +0100
sympl-mail (11.20210813.1) stable; urgency=medium