diff --git a/.gitignore b/.gitignore
index a295864..cfd4193 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 *.pyc
 __pycache__
+.pybuild/
+inithooks.egg-info/
+debian/debhelper-build-stamp
diff --git a/bin/restart-getty b/bin/restart-getty
index 29db5cc..90d1306 100755
--- a/bin/restart-getty
+++ b/bin/restart-getty
@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
 # This script is intended to be automatically triggered by
-# inithooks-restart-getty.service, which in turn is intended to be started
+# inithooks-restart-getty1.service, which in turn is intended to be started
 # when inithooks.service exits (regardless of exit status)
 #
 # Assuming this script _was_ triggered by inithooks.service exit, on most
@@ -9,24 +9,33 @@
 # only loop 1 additional times. However to ensure that it is as robust as
 # possible, it will wait up to 10 secs for inithooks.service to stop.
 
-fatal() { echo "$*" >&2; exit 1; }
+# systemd honors syslog-style priority prefixes on stdout/stderr
+# supports journalctl log level filtering - and colors the messages
+warn() { echo "<4>$*" >&2; }
+fatal() {
+    echo "<3>$*" >&2
+    echo "<3>Please report to support@turnkeylinux.org"
+    exit 1
+}
 
+# only run this script if started by systemd
 if [[ "$_STARTED_BY_SYSTEMD" == yes ]]; then
-    echo "$(basename "$0") running"
+    echo "$(basename "$0") script running"
 else
-    fatal "$(basename "$0") not started by systemd - exiting"
+    echo "$(basename "$0") script not started by systemd - exiting" >&2
+    exit 0
 fi
 
 getty1_services=(getty@tty1.service container-getty@1.service)
 getty_target=/etc/systemd/system/getty.target.wants
-getty1_service=
+getty1_service=""
 for _getty1 in "${getty1_services[@]}"; do
     _getty_target="$getty_target/$_getty1"
     if [[ -L "$_getty_target" ]]; then
         if [[ -f "$_getty_target" ]]; then
             getty1_service="$_getty1"
-            echo "system getty service is '$getty1_service'"
+            echo "Found default system getty service: '$getty1_service'"
             break
         fi
     fi
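Review bot: In the new `fatal`, the second line `echo "<3>Please report to support@turnkeylinux.org"` goes to stdout while the line above it goes to stderr, so the two halves of one error message land in different streams and only the first half is seen by a caller that captures stderr alone; add `>&2` to match. The `<3>`/`<4>` priority prefixes are only interpreted by the journal, which works here only because every non-systemd invocation now exits 0 before reaching `warn`/`fatal`; that coupling deserves a comment next to the `_STARTED_BY_SYSTEMD` check, e.g. `# warn/fatal below assume stdout/stderr are connected to the journal`. Note also that the not-started-by-systemd path changed from a failure (old `fatal`) to a silent success (`exit 0`), which is fine for a unit-triggered helper but should be stated in the header comment so nobody later relies on the exit code from a manual run.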
@@ -35,23 +44,34 @@
 if [[ -z "$getty1_service" ]]; then
     fatal "Could not find valid getty1 service (tried ${getty1_services[*]})"
 fi
+echo "Starting $getty1_service"
 for i in {10..0}; do
     if systemctl is-active -q inithooks.service; then
         msg="inithooks.service running"
         if [[ $1 -gt 0 ]]; then
-            echo "$msg - waiting $i more seconds for it to stop" >&2
+            msg="inithooks.service running"
+            warn "$msg - waiting $i more seconds for it to stop" >&2
         else
-            fatal "$msg - giving up..."
+            warn "Failed to stop inithooks.service - giving up..."
+            fatal "$getty1_service could not be started"
         fi
         sleep 1
     else
-        echo "inithooks service is not running"
+        echo "inithooks.service is not running"
         if systemctl is-active -q "$getty1_service"; then
-            echo "$getty1_service already running, nothing to do"
+            warn "$getty1_service already running, nothing to do"
         else
-            echo "starting $getty1_service"
-            if ! systemctl start ; then
-                fatal "failed to start $getty1_service"
+            echo "Starting $getty1_service..."
+            if ! systemctl start "$getty1_service"; then
+                fatal "Failed to start $getty1_service"
+            else
+                # because getty@.service is 'Type=idle' systemctl start may
+                # exit zero even if it fails, so double check to be sure
+                if ! systemctl is-active -q "$getty1_service"; then
+                    fatal "$getty1_service failed"
+                else
+                    echo "$getty1_service started..."
+                fi
             fi
         fi
         exit 0
diff --git a/bin/turnkey-init-fence b/bin/turnkey-init-fence
index b001f21..2244e95 100755
--- a/bin/turnkey-init-fence
+++ b/bin/turnkey-init-fence
@@ -3,6 +3,8 @@
 # TurnKey web interface fence - blocks access to web app until system is
 # initialized (admin password configure, etc)
 
+source /etc/default/turnkey-init-fence
+
 iptables_delete_redirect() {
     local dport=$1
     local to_port=$2
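Review bot: The added `msg="inithooks.service running"` inside `if [[ $1 -gt 0 ]]` re-assigns the exact value the unchanged line just above the `if` already set, so it should be dropped; likewise the trailing `>&2` on `warn "$msg - waiting ..."` redirects the stdout of a helper that already writes to stderr and does nothing. In context, not touched by this commit, the wait guard tests the positional parameter `$1` rather than the loop counter `$i`; unless the unit passes a count argument, `$1` is empty, the comparison is false, and the script gives up on the first iteration instead of waiting the 10 seconds the header promises — if that is unintended the fix is `if [[ $i -gt 0 ]]; then`. The `for` loop's `done` is outside the hunk.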
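Review bot: `source /etc/default/turnkey-init-fence` executes that file as shell, whereas the unit's previous `EnvironmentFile=` only parsed KEY=VALUE lines, so whoever can write that file can now run code with the fence script's privileges; that is acceptable only if the file is root-owned and not writable by the RUNAS user, which nothing in this diff asserts. A missing file will also abort the script if it runs with `-e` like its siblings (the shebang is outside the hunk). Making the contract explicit, e.g. `[[ -r /etc/default/turnkey-init-fence ]] && source /etc/default/turnkey-init-fence` plus a comment `# trusted, root-owned config: sourced as shell, not merely parsed`, would prevent a later maintainer from relaxing its permissions.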
@@ -66,15 +68,15 @@ iptables_redirect() {
 
 case "$1" in
     start)
-        echo "Starting turnkey-init-fence"
+        echo "Starting turnkey-init-fence"
         iptables_redirect start
-        ;;
+        ;;
     stop)
-        echo "Stopping turnkey-init-fence"
+        echo "Stopping turnkey-init-fence"
         iptables_redirect stop
-        ;;
-    *)
-        echo "Unknown command: $1" >&2
+        ;;
+    *)
+        echo "Unknown command: $1" >&2
         exit 1
-        ;;
+        ;;
 esac
diff --git a/debian/compat b/debian/compat
deleted file mode 100644
index f599e28..0000000
--- a/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-10
diff --git a/debian/control b/debian/control
index 7f33cb7..4a65b14 100644
--- a/debian/control
+++ b/debian/control
@@ -3,11 +3,11 @@ Section: admin
 Priority: optional
 Maintainer: Stefan Davis
 Build-Depends:
- debhelper (>= 10),
+ debhelper-compat (= 13),
  dh-python,
- python3-all (>= 3.5~),
-Standards-Version: 4.0.0
-X-Python-Version: >= 3.5
+ python3 (>= 3.13~),
+ python3-dialog (>= 3.5.3~),
+Standards-Version: 4.7.2
 
 Package: inithooks
 Architecture: all
@@ -16,8 +16,13 @@ Depends:
  ${misc:Depends},
  ${python3:Depends},
  turnkey-ssl,
- python3-dialog (>= 3.4.0~),
+ python3-dialog (>= 3.5.3~),
  dialog (>= 1.3~),
 Recommends:
- confconsole (>= 1.1.0~)
+ confconsole (>= 2.1.0~)
 Description: Executes firstboot and everyboot scripts
+ Inithooks provides facility to run scripts at boot time. It's
+ primary use is for firstboot system configuration/setup. Scripts in
+ firstboot.d (or everboot.d) are run in alphanumeric order. TurnKey
+ default firstboot script helpers (generally interactive python scripts)
+ are contained in a separate bin/ directory.
diff --git a/debian/copyright b/debian/copyright
index dbde083..e1d2158 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,5 @@
 Copyright (C) 2009 Alon Swartz
+Copyright (C) 2010-2026 TurnKey Linux maintainers
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
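Review bot: The new long description in debian/control names the directory `everboot.d`, but the install file in this same diff ships `everyboot.d/*`, and "It's primary use" should be "Its primary use". Suggested replacement lines: ` Inithooks provides facility to run scripts at boot time. Its` and ` firstboot.d (or everyboot.d) are run in alphanumeric order. TurnKey`. A wrong directory name in the package description is the kind of thing an operator copies into a path, so it is worth fixing before upload.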
@@ -11,8 +12,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+along with this program; If not, see .
 
 On Debian and Ubuntu systems, the complete text of the GNU General
 Public License can be found in /usr/share/common-licenses/GPL file.
diff --git a/systemd/system/inithooks-restart-getty.service b/debian/inithooks.inithooks-restart-getty1.service
similarity index 100%
rename from systemd/system/inithooks-restart-getty.service
rename to debian/inithooks.inithooks-restart-getty1.service
diff --git a/debian/inithooks.install b/debian/inithooks.install
index 2e83fde..df98d01 100644
--- a/debian/inithooks.install
+++ b/debian/inithooks.install
@@ -5,11 +5,8 @@ everyboot.d/* /usr/lib/inithooks/everyboot.d
 run /usr/lib/inithooks
 rsyslog.d/* /etc/rsyslog.d
 
-turnkey-init-fence/turnkey-init-fence.service /usr/lib/systemd/system
 turnkey-init-fence/htdocs /usr/lib/inithooks/turnkey-init-fence
 turnkey-init /usr/sbin
 turnkey-sudoadmin /usr/sbin
 turnkey-install-security-updates /usr/sbin
-
-systemd /etc
diff --git a/debian/inithooks.links b/debian/inithooks.links
new file mode 100644
index 0000000..a09c042
--- /dev/null
+++ b/debian/inithooks.links
@@ -0,0 +1 @@
+usr/lib/python3/dist-packages/libinithooks/inithooks_cache.py usr/lib/inithooks/bin/inithooks_cache.py
diff --git a/debian/inithooks.lintian-overrides b/debian/inithooks.lintian-overrides
new file mode 100644
index 0000000..1f8f00b
--- /dev/null
+++ b/debian/inithooks.lintian-overrides
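Review bot: The new `debian/inithooks.links` entry exposes the Python module `libinithooks/inithooks_cache.py` as `/usr/lib/inithooks/bin/inithooks_cache.py`, but a symlink has no mode of its own: if pybuild installs the module 0644 (its usual default, not overridden anywhere in this diff), the bin/ path will not be directly executable. Confirm how callers use it — if it is run as a program, install the file with an explicit mode (or `chmod` it in `debian/rules`) and add a one-line comment in the links file saying the exec bit comes from the dist-packages copy; if it is only imported, the link is unnecessary.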
@@ -0,0 +1,29 @@
+# TODO (feature):
+# - avoid use of Google's CDN for jquery - advantages are two-fold:
+# - increases user privacy
+# - increases performance
+# - improves offline support
+
+inithooks binary: privacy-breach-uses-embedded-file [usr/lib/inithooks/turnkey-init-fence/htdocs/index.html]
+
+# TODO (wishlist):
+# - set ownership of inithooks cache dir at buildtime and/or runtime as
+# appropriate; rather than at install time.
+# - OTOH it works "as is" and is a "best practice" issue, rather than a
+# functional problem - thus low priority
+
+inithooks binary: recursive-privilege-change "chown -R" [postinst:9]
+
+# TODO (wishlist):
+# - man files...
+
+inithooks binary: no-manual-page [usr/sbin/turnkey-init]
+inithooks binary: no-manual-page [usr/sbin/turnkey-install-security-updates]
+inithooks binary: no-manual-page [usr/sbin/turnkey-sudoadmin]
+
+# these files are intentionally not executable as it is not always desireable
+# to execute them - they will be updated if/when required.
+
+inithooks binary: script-not-executable [usr/lib/inithooks/firstboot.d/30turnkey-init-fence]
+inithooks binary: script-not-executable [usr/lib/inithooks/firstboot.d/97turnkey-init-fence-disable]
+inithooks binary: script-not-executable [usr/lib/inithooks/firstboot.d/99reboot]
diff --git a/systemd/system/inithooks.service b/debian/inithooks.service
similarity index 100%
rename from systemd/system/inithooks.service
rename to debian/inithooks.service
diff --git a/turnkey-init-fence/turnkey-init-fence.service b/debian/inithooks.turnkey-init-fence.service
similarity index 89%
rename from turnkey-init-fence/turnkey-init-fence.service
rename to debian/inithooks.turnkey-init-fence.service
index a038d77..6b80e7a 100644
--- a/turnkey-init-fence/turnkey-init-fence.service
+++ b/debian/inithooks.turnkey-init-fence.service
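Review bot: The override `recursive-privilege-change "chown -R" [postinst:9]` is pinned to a postinst line number, so the next edit that shifts that script makes the override stop matching and the tag reappear, while the stale override itself becomes a lintian warning; lintian accepts a wildcard in that position, `inithooks binary: recursive-privilege-change "chown -R" [postinst:*]`. The `privacy-breach-uses-embedded-file` override silences a third-party script load in the page served to an unconfigured appliance before any admin password exists; until the vendoring TODO is done, the comment should record whether the CDN URL is version-pinned and whether it carries an integrity attribute, so the accepted risk is explicit rather than implied. Minor: "desireable" in the last comment block should read "desirable".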
@@ -6,7 +6,7 @@ Before=apache2.service nginx.service lighttpd.service
 
 [Service]
 Type=oneshot
-EnvironmentFile=/etc/default/turnkey-init-fence
+RemainAfterExit=true
 ExecStart=/usr/lib/inithooks/bin/turnkey-init-fence start
 ExecStop=/usr/lib/inithooks/bin/turnkey-init-fence stop
 
diff --git a/debian/postinst b/debian/postinst
index 8d77142..6f12836 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -6,7 +6,7 @@ mkdir -p /var/run/turnkey-init-fence
 if [ -f /etc/default/turnkey-init-fence ]; then
     RUNAS=$(sed -n 's/^RUNAS=//p' /etc/default/turnkey-init-fence)
     if [ -n "$RUNAS" ]; then
-        chown -R $RUNAS /var/run/turnkey-init-fence
+        chown -R "$RUNAS" /var/run/turnkey-init-fence
     fi
 fi
 
diff --git a/debian/rules b/debian/rules
index dbbb8b8..43f8788 100755
--- a/debian/rules
+++ b/debian/rules
@@ -9,3 +9,8 @@ export PYTHONDONTWRITEBYTECODE=1
 
 %:
 	dh $@ --with=python3 --buildsystem=pybuild
+
+override_dh_installsystemd:
+	dh_installsystemd --name=inithooks
+	dh_installsystemd --name=inithooks-restart-getty1
+	dh_installsystemd --name=turnkey-init-fence
diff --git a/firstboot.d/01ipconfig b/firstboot.d/01ipconfig
index 9861b14..8f3b3ab 100755
--- a/firstboot.d/01ipconfig
+++ b/firstboot.d/01ipconfig
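Review bot: Quoting `"$RUNAS"` is right, but the surrounding logic still sets ownership of `/var/run/turnkey-init-fence` at package install time, and on systemd hosts `/var/run` is a tmpfs that is recreated empty on every boot, so both the `mkdir -p` in the hunk's header context and this `chown -R` are gone by the time the fence actually runs after a reboot — the lintian override in this same diff already records that runtime is the correct place. `RuntimeDirectory=turnkey-init-fence` together with `User=`/`Group=` in the unit, or creating and chowning the directory inside `turnkey-init-fence start`, would make it hold. Separately, `sed -n 's/^RUNAS=//p'` returns the raw right-hand side, so a conventional `RUNAS="www-data"` in the conf file gives `chown` a literally quoted name and fails, while the fence script now `source`s the same file and accepts either form; parsing it the same way in both places (or documenting "unquoted value required" in the conf file) avoids the two disagreeing.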
@@ -1,30 +1,51 @@ #!/bin/bash -e -# set ipconfig -. /etc/default/inithooks +# firstboot network interfaces file generation - runs non-interactively. +# - config can be customized via inithooks conf file (i.e. preseed) -fatal() { echo "fatal $@" >&2; exit 1; } +# shellcheck source=default/inithooks +source /etc/default/inithooks -[[ -e $INITHOOKS_CONF ]] && . $INITHOOKS_CONF -[[ -z "$IP_CONFIG" ]] && exit 0 -[[ "$IP_CONFIG" != "manual" ]] \ - && [[ "$IP_CONFIG" != "static" ]] \ - && [[ "$IP_CONFIG" != "dhcp" ]] \ - && fatal "IP_CONFIG set incorrectly" -[[ ! -e /etc/network/interfaces ]] && fatal "intefaces file not found" +fatal() { echo "fatal $*" >&2; exit 1; } -APP=$(turnkey-version -n) +if [[ -e $INITHOOKS_CONF ]]; then + source $INITHOOKS_CONF +fi -IP_IFACE="eth0" -[[ "$APP" == "lxc" ]] && IP_IFACE="br0" +if [[ -z "$IP_CONFIG" ]]; then + # exit cleanly if env var not set + exit 0 +fi -# if IP_CONFIG is not changed skip this script and avoid a interface -# reconfiguration -grep "iface $IP_IFACE inet $IP_CONFIG" /etc/network/interfaces >/dev/null \ - && exit 0 +case "$IP_CONFIG" in + manual|static|dhcp) + : # known/valid value, do nothing + ;; + *) + fatal "Invalid: IP_CONFIG='$IP_CONFIG' - valid values: manual|static|dhcp" + ;; +esac -# since debian 8 (systemd) ifdown no longer takes the interface down if we -# change between manual, static or dhcp so using 'ip' instead +if ! [[ -e /etc/network/interfaces ]]; then + fatal "/etc/network/interfaces file not found" +fi + + +if [[ "$(turnkey-version -n)" == "lxc" ]]; then + # LXC app not currently being built, but leaving for now... 
+ IP_IFACE="br0" +else + IP_IFACE="eth0" +fi + +# if IP_CONFIG is not changed avoid a interface redundant reconfiguration +if grep --quiet --no-messages "iface $IP_IFACE inet $IP_CONFIG" \ + /etc/network/interfaces; then + exit 0 +fi + +# under systemd, ifdown no longer takes the interface down when changing +# between manual, static or dhcp so use 'ip' instead ip link set $IP_IFACE down cat > /etc/network/interfaces <