Bugfix init-fence some more

.gitignore

@@ -1,2 +1,5 @@
 *.pyc
 __pycache__
+.pybuild/
+inithooks.egg-info/
+debian/debhelper-build-stamp

bin/restart-getty

@@ -1,32 +1,41 @@
 #!/bin/bash -e
 
 # This script is intended to be automatically triggered by
-# inithooks-restart-getty.service, which in turn is intended to be started
+# inithooks-restart-getty1.service, which in turn is intended to be started
 # when inithooks.service exits (regardless of exit status)
 #
 # Assuming this script _was_ triggered by inithooks.service exit, on most
 # systems this loop should only run once. Even on low power systems it should
 # only loop 1 additional times. However to ensure that it is as robust as
 # possible, it will wait up to 10 secs for inithooks.service to stop.
 
-fatal() { echo "$*" >&2; exit 1; }
+# systemd honors syslog-style priority prefixes on stdout/stderr
+# supports journalctl log level filtering - and colors the messages
+warn() { echo "<4>$*" >&2; }
+fatal() {
+   echo "<3>$*" >&2
+   echo "<3>Please report to support@turnkeylinux.org"
+   exit 1
+}
 
+# only run this script if started by systemd
 if [[ "$_STARTED_BY_SYSTEMD" == yes ]]; then
-    echo "$(basename "$0") running"
+    echo "$(basename "$0") script running"
 else
-    fatal "$(basename "$0") not started by systemd - exiting"
+    echo "$(basename "$0") script not started by systemd - exiting" >&2
+    exit 0
 fi
 
 getty1_services=(getty@tty1.service container-getty@1.service)
 getty_target=/etc/systemd/system/getty.target.wants
-getty1_service=
+getty1_service=""
 
 for _getty1 in "${getty1_services[@]}"; do
     _getty_target="$getty_target/$_getty1"
     if [[ -L "$_getty_target" ]]; then
         if [[ -f "$_getty_target" ]]; then
             getty1_service="$_getty1"
-            echo "system getty service is '$getty1_service'"
+            echo "Found default system getty service: '$getty1_service'"
             break
         fi
     fi
@@ -35,23 +44,34 @@ if [[ -z "$getty1_service" ]]; then
     fatal "Could not find valid getty1 service (tried ${getty1_services[*]})"
 fi
 
+echo "Starting $getty1_service"
 for i in {10..0}; do
     if systemctl is-active -q inithooks.service; then
         msg="inithooks.service running"
         if [[ $1 -gt 0 ]]; then
-            echo "$msg - waiting $i more seconds for it to stop" >&2
+            msg="inithooks.service running"
+            warn "$msg - waiting $i more seconds for it to stop" >&2
         else
-            fatal "$msg - giving up..."
+            warn "Failed to stop inithooks.service - giving up..."
+            fatal "$getty1_service could not be started"
         fi
         sleep 1
     else
-        echo "inithooks service is not running"
+        echo "inithooks.service is not running"
         if systemctl is-active -q "$getty1_service"; then
-            echo "$getty1_service already running, nothing to do"
+            warn "$getty1_service already running, nothing to do"
         else
-            echo "starting $getty1_service"
-            if ! systemctl start ; then
-                fatal "failed to start $getty1_service"
+            echo "Starting $getty1_service..."
+            if ! systemctl start "$getty1_service"; then
+                fatal "Failed to start $getty1_service"
+            else
+                # because getty@.service is 'Type=idle' systemctl start may
+                # exit zero even if it fails, so double check to be sure
+                if ! systemctl is-active -q "$getty1_service"; then
+                    fatal "$getty1_service failed"
+                else
+                    echo "$getty1_service started..."
+                fi
             fi
         fi
         exit 0

bin/turnkey-init-fence

@@ -3,6 +3,8 @@
 # TurnKey web interface fence - blocks access to web app until system is
 # initialized (admin password configure, etc)
 
+source /etc/default/turnkey-init-fence
+
 iptables_delete_redirect() {
     local dport=$1
     local to_port=$2
@@ -66,15 +68,15 @@ iptables_redirect() {
 
 case "$1" in
     start)
-	    echo "Starting turnkey-init-fence"
+        echo "Starting turnkey-init-fence"
         iptables_redirect start
-	    ;;
+        ;;
     stop)
-	    echo "Stopping turnkey-init-fence"
+        echo "Stopping turnkey-init-fence"
         iptables_redirect stop
-	    ;;
-	*)
-		echo "Unknown command: $1" >&2
+        ;;
+    *)
+        echo "Unknown command: $1" >&2
         exit 1
-		;;
+        ;;
 esac

debian/control

@@ -3,11 +3,11 @@ Section: admin
 Priority: optional
 Maintainer: Stefan Davis <stefan@turnkeylinux.org>
 Build-Depends:
- debhelper (>= 10),
+ debhelper-compat (= 13),
  dh-python,
- python3-all (>= 3.5~),
-Standards-Version: 4.0.0
-X-Python-Version: >= 3.5
+ python3 (>= 3.13~),
+ python3-dialog (>= 3.5.3~),
+Standards-Version: 4.7.2
 
 Package: inithooks
 Architecture: all
@@ -16,8 +16,13 @@ Depends:
  ${misc:Depends},
  ${python3:Depends},
  turnkey-ssl,
- python3-dialog (>= 3.4.0~),
+ python3-dialog (>= 3.5.3~),
  dialog (>= 1.3~),
 Recommends:
- confconsole (>= 1.1.0~)
+ confconsole (>= 2.1.0~)
 Description: Executes firstboot and everyboot scripts
+ Inithooks provides facility to run scripts at boot time. It's
+ primary use is for firstboot system configuration/setup. Scripts in
+ firstboot.d (or everboot.d) are run in alphanumeric order. TurnKey
+ default firstboot script helpers (generally interactive python scripts)
+ are contained in a separate bin/ directory.

debian/copyright

@@ -1,4 +1,5 @@
 Copyright (C) 2009 Alon Swartz <alon@turnkeylinux.org>
+Copyright (C) 2010-2026 TurnKey Linux maintainers <admin@turnkeylinux.org>
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -11,8 +12,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+along with this program; If not, see <https://www.gnu.org/licenses/>.
 
 On Debian and Ubuntu systems, the complete text of the GNU General Public
 License can be found in /usr/share/common-licenses/GPL file.

debian/inithooks.install

@@ -5,11 +5,8 @@ everyboot.d/*                           /usr/lib/inithooks/everyboot.d
 run                                     /usr/lib/inithooks
 rsyslog.d/*                             /etc/rsyslog.d
 
-turnkey-init-fence/turnkey-init-fence.service   /usr/lib/systemd/system
 turnkey-init-fence/htdocs               /usr/lib/inithooks/turnkey-init-fence
 
 turnkey-init                            /usr/sbin
 turnkey-sudoadmin                       /usr/sbin
 turnkey-install-security-updates        /usr/sbin
-
-systemd                                 /etc

debian/inithooks.links

@@ -0,0 +1 @@
+usr/lib/python3/dist-packages/libinithooks/inithooks_cache.py usr/lib/inithooks/bin/inithooks_cache.py

debian/inithooks.lintian-overrides

@@ -0,0 +1,29 @@
+# TODO (feature):
+# - avoid use of Google's CDN for jquery - advantages are two-fold:
+#   - increases user privacy
+#   - increases performance
+#   - improves offline support
+
+inithooks binary: privacy-breach-uses-embedded-file [usr/lib/inithooks/turnkey-init-fence/htdocs/index.html]
+
+# TODO (wishlist):
+# - set ownership of inithooks cache dir at buildtime and/or runtime as
+#   appropriate; rather than at install time.
+# - OTOH it works "as is" and is a "best practice" issue, rather than a
+#   functional problem - thus low priority
+
+inithooks binary: recursive-privilege-change "chown -R" [postinst:9]
+
+# TODO (wishlist):
+# - man files...
+
+inithooks binary: no-manual-page [usr/sbin/turnkey-init]
+inithooks binary: no-manual-page [usr/sbin/turnkey-install-security-updates]
+inithooks binary: no-manual-page [usr/sbin/turnkey-sudoadmin]
+
+# these files are intentionally not executable as it is not always desireable
+# to execute them - they will be updated if/when required.
+
+inithooks binary: script-not-executable [usr/lib/inithooks/firstboot.d/30turnkey-init-fence]
+inithooks binary: script-not-executable [usr/lib/inithooks/firstboot.d/97turnkey-init-fence-disable]
+inithooks binary: script-not-executable [usr/lib/inithooks/firstboot.d/99reboot]

turnkey-init-fence/turnkey-init-fence.service → debian/inithooks.turnkey-init-fence.service

@@ -6,7 +6,7 @@ Before=apache2.service nginx.service lighttpd.service
 
 [Service]
 Type=oneshot
-EnvironmentFile=/etc/default/turnkey-init-fence
+RemainAfterExit=true
 ExecStart=/usr/lib/inithooks/bin/turnkey-init-fence start
 ExecStop=/usr/lib/inithooks/bin/turnkey-init-fence stop
 

debian/postinst

@@ -6,7 +6,7 @@ mkdir -p /var/run/turnkey-init-fence
 if [ -f /etc/default/turnkey-init-fence ]; then
     RUNAS=$(sed -n 's/^RUNAS=//p' /etc/default/turnkey-init-fence)
     if [ -n "$RUNAS" ]; then
-        chown -R $RUNAS /var/run/turnkey-init-fence 
+        chown -R "$RUNAS" /var/run/turnkey-init-fence
     fi
 fi
 

debian/rules

@@ -9,3 +9,8 @@ export PYTHONDONTWRITEBYTECODE=1
 
 %:
 	dh $@ --with=python3 --buildsystem=pybuild
+
+override_dh_installsystemd:
+	dh_installsystemd --name=inithooks
+	dh_installsystemd --name=inithooks-restart-getty1
+	dh_installsystemd --name=turnkey-init-fence

firstboot.d/01ipconfig

@@ -1,30 +1,51 @@
 #!/bin/bash -e
-# set ipconfig
 
-. /etc/default/inithooks
+# firstboot network interfaces file generation - runs non-interactively.
+# - config can be customized via inithooks conf file (i.e. preseed)
 
-fatal() { echo "fatal $@" >&2; exit 1; }
+# shellcheck source=default/inithooks
+source /etc/default/inithooks
 
-[[ -e $INITHOOKS_CONF ]] && . $INITHOOKS_CONF
-[[ -z "$IP_CONFIG" ]] && exit 0
-[[ "$IP_CONFIG" != "manual" ]] \
-    && [[ "$IP_CONFIG" != "static" ]] \
-    && [[ "$IP_CONFIG" != "dhcp" ]] \
-    && fatal "IP_CONFIG set incorrectly"
-[[ ! -e /etc/network/interfaces ]] && fatal "intefaces file not found"
+fatal() { echo "fatal $*" >&2; exit 1; }
 
-APP=$(turnkey-version -n)
+if [[ -e $INITHOOKS_CONF ]]; then
+    source $INITHOOKS_CONF
+fi
 
-IP_IFACE="eth0"
-[[ "$APP" == "lxc" ]] && IP_IFACE="br0"
+if [[ -z "$IP_CONFIG" ]]; then
+    # exit cleanly if env var not set
+    exit 0
+fi
 
-# if IP_CONFIG is not changed skip this script and avoid a interface
-# reconfiguration
-grep "iface $IP_IFACE inet $IP_CONFIG" /etc/network/interfaces >/dev/null \
-    && exit 0
+case "$IP_CONFIG" in
+    manual|static|dhcp)
+        : # known/valid value, do nothing
+        ;;
+    *)
+        fatal "Invalid: IP_CONFIG='$IP_CONFIG' - valid values: manual|static|dhcp"
+        ;;
+esac
 
-# since debian 8 (systemd) ifdown no longer takes the interface down if we
-# change between manual, static or dhcp so using 'ip' instead
+if ! [[ -e /etc/network/interfaces ]]; then
+    fatal "/etc/network/interfaces file not found"
+fi
+
+
+if [[ "$(turnkey-version -n)" == "lxc" ]]; then
+    # LXC app not currently being built, but leaving for now...
+    IP_IFACE="br0"
+else
+    IP_IFACE="eth0"
+fi
+
+# if IP_CONFIG is not changed avoid a interface redundant reconfiguration
+if grep --quiet --no-messages "iface $IP_IFACE inet $IP_CONFIG" \
+        /etc/network/interfaces; then
+    exit 0
+fi
+
+# under systemd, ifdown no longer takes the interface down when changing
+# between manual, static or dhcp so use 'ip' instead
 ip link set $IP_IFACE down
 
 cat > /etc/network/interfaces <<EOF
@@ -46,7 +67,8 @@ if [[ "$IP_CONFIG" == "static" ]]; then
     gateway $IP_GW
     dns-nameservers $IP_DNS1 $IP_DNS2
 EOF
+fi
 
-ifup --exclude=lo -a
+ifup --all --exclude=lo
 
 exit $?