12 changed files with 145 additions and 553 deletions
--- a/bin/sau
+++ b/bin/sau
@ -1,4 +1,4 @@
-#!/usr/bin/env python3.7
+#!/usr/bin/env python3.6
 import configparser
 import logging
 import logging.handlers
@ -8,12 +8,11 @@ import sys
 import time
 import sau
 import sau.errors
 import sau.services
 import sau.platforms
 def init():
-    sau.config = configparser.ConfigParser()
+    sau.config = configparser.SafeConfigParser()
    conf = sau.config
    if platform.system() == 'FreeBSD':
@ -45,23 +44,12 @@ def init():
    log.addHandler(handler)
-def fork_and_reboot(report_success=True):
+def fork_and_reboot():
    log = logging.getLogger(sau.LOGNAME)
    if report_success:
        exit_code=0
    else:
        exit_code=1
    if os.path.exists('/proc/1/comm'):
        with open('/proc/1/comm', 'r') as f:
            if f.readline().strip() == 'systemd':
                os.execl('/usr/bin/systemctl', 'reboot')
                log.error("Failed to execl?")
                sys.exit(1)
    try:
        pid = os.fork()
        if pid != 0:
-            sys.exit(exit_code)
+            sys.exit(0)
    except OSError as err:
        log.error("Fork #1 failed when going for reboot: {}".format(err))
        sys.exit(1)
@ -88,6 +76,8 @@ def fork_and_reboot(report_success=True):
    os.dup2(stdout.fileno(), sys.stdout.fileno())
    os.dup2(stderr.fileno(), sys.stderr.fileno())
    log.warning("New fork!")
    # sleep for a short while to give parent time to exit
    time.sleep(30)
    try:
@ -105,39 +95,22 @@ def main():
    reboot_required = False
    reboot_recommended = False
-    try:
+    if conf.getboolean('default', 'do_system_upgrade', fallback=True):
-        if conf.getboolean('default', 'do_system_upgrade', fallback=True):
+        reboot_required = platform.system_upgrade()
            reboot_required = platform.system_upgrade()
-        if conf.getboolean('default', 'do_package_upgrade', fallback=True):
+    if conf.getboolean('default', 'do_package_upgrade', fallback=True):
-            reboot_required = reboot_required or platform.pkg_upgrade()
+        platform.pkg_upgrade()
    except sau.errors.UpgradeError as e:
        log.error(f'Upgrade failed: {e}')
        return 1
    if not conf.getboolean('default', 'live_system', fallback=True):
        return 0
    if conf.getboolean('default', 'do_service_restart', fallback=True):
        reboot_recommended = sau.services.restart_services()
    if conf.getboolean('default', 'do_reboot', fallback=False):
        if reboot_required:
-            log.info('Rebooting because of a system upgrade')
+            log.warning('Rebooting because of a system upgrade')
        elif reboot_recommended:
-            log.info('Rebooting because service restarts did not close all deleted files')
+            log.warning('Rebooting because service restarts did not close all deleted files')
        if reboot_required or reboot_recommended:
-            fork_and_reboot(report_success=conf.getboolean('default', 'reboot_is_success', fallback=True))
+            fork_and_reboot()
    if reboot_required:
        log.warning("Upgrade was success, but a reboot is required due to a system upgrade")
        return 1
    elif reboot_recommended:
        log.warning("Some services still uses old, deleted, files. You probably want to reboot")
        return 1
    return 0
 def _conf_level_to_logging_level(conf_level):
    if conf_level.lower() == 'debug':
--- a/config.cfg
+++ b/config.cfg
@ -12,25 +12,13 @@
 # 1.0.1 -> 1.0.1.1 (3)
 version_sensitivity=1
 # Set to no if you're using sau in an environment where running processes
 # shouldn't be touched and reboots shouldn't be done, for example in chroots
 live_system=yes
 # sau can reboot on system upgrades (FreeBSD) or if the service restarts does
 # not close all deleted files (any platform)
 do_reboot=no
-# Set to no to exit with failure code when going for reboot.
+# FreeBSD system update (freebsd-update fetch install, not freebsd-update upgrade)
 reboot_is_success=yes
 # Attempt to do a system upgrade
 # FreeBSD: upgrade to latest patch version using freebsd-update fetch install
 # Gentoo: allow upgrade of sys-kernel/-packages, clean old kernels, and update grub-config
 do_system_upgrade=yes
 # On Gentoo kernel upgrades, remove all but the last keep_kernels kernels from /boot
 keep_kernels=4
 # upgrade packages
 do_package_upgrade=yes
@ -42,14 +30,6 @@ default_service_policy=ignore
 # do depclean on Gentoo
 do_depclean=yes
 # do eix-sync on Gentoo
 do_reposync=yes
 # do live-rebuild, go-rebuild, rust-rebuild, perl-cleaner etc. on Gentoo
 # set to no if using binary packages that are bumped when needed.
 # Leave as yes on package builders and if not using binary packages.
 do_rebuilds=yes
 # to only write to stderr when something unexpected happens or manual action is required
 # set stderr_loglevel to warning
 stderr_loglevel=debug
@ -61,10 +41,12 @@ syslog_loglevel=info
 # platform
 [packages]
 # Gentoo uses the category/package naming scheme
-dev-db/postgresql=1
+dev-db/postgresql=2
-# It's safer to upgrade zfs manually
+# Gentoo kernel stuff should be updated manually
-sys-fs/zfs-kmod=99
+sys-kernel/gentoo-sources=-1
 sys-kernel/spl=-1
 sys-fs/zfs-kmod=-1
 # FreeBSD uses the short package name (without category)
 gitlab=2
@ -82,7 +64,7 @@ qemu-system-x86_64=
 #ruby24=puppetserver puppetdb
 # The services section contains restart policy for specific services.
-# valid policies are 'ignore', 'warn', 'restart', 'silent-restart' and 'reboot'.
+# valid policies are 'ignore', 'warn', 'restart' and 'silent-restart'.
 # 'silent-restart' is like 'restart', but will not log a warning when
 # the service is restarted.
 [services]
--- a/sau/init.py
+++ b/sau/init.py
@ -1 +1,2 @@
 LOGNAME="sau"
--- a/sau/errors.py
+++ b/sau/errors.py
@ -5,5 +5,3 @@ class PlatformNotSupported(Exception):
 class UnknownServiceError(Exception):
    pass
 class UpgradeError(Exception):
    pass
--- a/sau/freebsd.py
+++ b/sau/freebsd.py
@ -132,14 +132,5 @@ def pkg_upgrade():
        for line in err.splitlines():
            log.warning('stderr: {}'.format(line))
    if conf.getboolean('default', 'do_depclean', fallback=False):
        cmd = [ PKG_PATH, 'autoremove', '-yq' ]
        ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
        if ret != 0 or err:
            log.warning('{} failed:'.format(' '.join(cmd)))
            for line in out.splitlines():
                log.warning('stdout: {}'.format(line))
            for line in err.splitlines():
                log.warning('stderr: {}'.format(line))
    return True
--- a/sau/gentoo.py
+++ b/sau/gentoo.py
@ -4,35 +4,32 @@ import re
 import sau
 import sau.helpers
 import sau.services
-EIX_SYNC_PATH='/usr/bin/eix-sync'
+EIX_UPDATE_PATH='/usr/bin/eix-update'
 RC_SERVICE_PATH='/sbin/rc-service'
 SYSTEMCTL='/usr/bin/systemctl'
 EMERGE_PATH='/usr/bin/emerge'
 EQUERY_PATH='/usr/bin/equery'
 EMAINT_PATH='/usr/sbin/emaint'
 PCLEAN_PATH='/usr/bin/perl-cleaner'
 GRUB_MKCONFIG='/usr/sbin/grub-mkconfig'
 # parsing output from eix -Ttnc
-package_re = re.compile(r'^\[([^\]])\] ([^ ]*) \((.*)\): .*$')
+package_re = re.compile('^\[([^\]])\] ([^ ]*) \((.*)\): .*$')
 # parsing version information from substrings of the above
-slot_re = re.compile(r'^(\(~\))?([^\(]+)(\([^\)]+\))$')
+slot_re = re.compile('^(\(~\))?([^\(]+)(\([^\)]+\))$')
 def identify_service_from_bin(exe):
    log = logging.getLogger(sau.LOGNAME)
-    if sau.services.on_systemd():
+    init_script_re = re.compile(r'/etc/init\.d/(.*)')
        init_script_re = re.compile(r'[^/]*(.*)\.service$')
    else:
        init_script_re = re.compile(r'/etc/init\.d/(.*)')
    cmd = [ EQUERY_PATH, '-Cq', 'b', exe ]
    ret, out, err = sau.helpers.exec_cmd(cmd)
    if ret != 0:
-        raise sau.errors.UnknownServiceError("searching for owner of {} failed:".format(exe))
+        log.warning("searching for owner of {} failed:".format(exe))
        for line in out.splitlines():
            log.warning("stdout: {}".format(line))
        for line in err.splitlines():
            log.warning("stderr: {}".format(line))
        return None
    pkg = out.strip()
    cmd = [ EQUERY_PATH, '-Cq', 'f', pkg ]
@ -51,9 +48,9 @@ def identify_service_from_bin(exe):
        if match:
            matches.add(match.group(1))
    if len(matches) < 1:
-        raise sau.errors.UnknownServiceError('Could not find any init script in package {}'.format(pkg))
+        log.warning('Could not find any init script in package {}'.format(pkg))
    elif len(matches) > 1:
-        raise sau.errors.UnknownServiceError('Found multiple init script in package {}'.format(pkg))
+        log.warning('Found multiple init script in package {}'.format(pkg))
    else:
        return matches.pop()
    return None
@ -61,10 +58,7 @@ def identify_service_from_bin(exe):
 def restart_service(service):
    log = logging.getLogger(sau.LOGNAME)
-    if sau.services.on_systemd():
+    cmd = [ RC_SERVICE_PATH, service, 'restart' ]
        cmd = [ SYSTEMCTL, 'restart', service ]
    else:
        cmd = [ RC_SERVICE_PATH, service, 'restart' ]
    ret, out, err = sau.helpers.exec_cmd(cmd)
    if ret != 0:
@ -78,121 +72,50 @@ def restart_service(service):
 def system_upgrade():
    log = logging.getLogger(sau.LOGNAME)
-    log.debug('Gentoo "system_upgrade" is done at package upgrade stage; ignoring here...')
+    log.debug('Gentoo has no concept of system upgrade, ignoring...')
    return False
 def _sync_portage():
    log = logging.getLogger(sau.LOGNAME)
-    if os.path.exists(EIX_SYNC_PATH):
+    cmd = [ EMERGE_PATH, '-q', '--sync' ]
        cmd = [ EIX_SYNC_PATH, '-q' ]
        ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
    else:
        cmd = [ EMERGE_PATH, '-q', '--sync' ]
        ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
    if ret != 0:
        log.error("Portage sync failed:")
        for line in out.splitlines():
            log.error("stdout: {}".format(line))
        for line in err.splitlines():
            log.error("stderr: {}".format(line))
        raise sau.errors.UpgradeError(f'Sync command {cmd} failed')
    cmd = [ EMAINT_PATH, '-f', 'all' ]
    ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
    if ret != 0:
-        log.warning("emaint failed:")
+        log.warning("Portage sync failed:")
        for line in out.splitlines():
            log.warning("stdout: {}".format(line))
        for line in err.splitlines():
            log.warning("stderr: {}".format(line))
-def is_system_package(atom, eclasses):
+    if os.path.exists(EIX_UPDATE_PATH):
-    log = logging.getLogger(sau.LOGNAME)
+        cmd = [ EIX_UPDATE_PATH, '-q' ]
-    name=re.sub(r'^[<=>]*(.*?)(?:-\d)?(?:::\w+)?$', r'\1', atom)
+        ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
-    # sys-boot/ category should probably always be considered
+        if ret != 0:
-    # system-packages
+            log.warning("eix-update failed:")
-    if name.split('/')[0] == 'sys-boot':
+            for line in out.splitlines():
-        log.debug(f"{name} is a sys-boot package")
+                log.warning("stdout: {}".format(line))
-        return True
+            for line in err.splitlines():
-
+                log.warning("stderr: {}".format(line))
    if eclasses is True:
        return True
    # libc-packages should be considered system-packages as they generally
    # requires the system to be restarted. Not sure if there is a better way
    # then just checking for specific packages here, but as far as I know there
    # are not many of them anyway...
    if re.search(r'^sys-libs/(glibc|musl)', name):
        log.debug(f"{name} is a libc package")
        return True
    if any([
            x in eclasses for x in [
                'dist-kernel-utils',
                'linux-mod',
                'kernel-install' ]
            ]):
        log.debug(f"{name} is of system eclass (eclasses: {eclasses})")
        return True
    return False
 def get_eclasses(atom):
    log = logging.getLogger(sau.LOGNAME)
    eclasses = []
    name=re.sub(r'^[<=>]*(.*?)(?:-\d+)?(?:::\w+)?$', r'\1', atom)
    test_re = re.compile(r'^\s*inherit\s+')
    cmd=[ EQUERY_PATH, 'w', name ]
    ret, out, err = sau.helpers.exec_cmd(cmd)
    if not ret == 0:
        log.warning(f'Unable to locate ebuild for {atom}')
        # better safe than sorry; if we don't know, let's pretend it's a system
        # package
        return True
    path = out.strip()
    if not os.path.isfile(path):
        log.warning(f"This path doesn't look lika a path to the ebuild for {name}: {path}")
        return True
    with open(path, 'r', encoding='utf-8') as f:
        for line in f.readlines():
            if eclasses and eclasses[-1] == '\\':
                eclasses = eclasses[:-1]
                eclasses.extend(line.split())
            if re.search(test_re, line):
                if re.search(test_re, line):
                    eclasses.extend(line.split()[1:])
    # Remove revisions from eclasses, hopefully makes it less messy if they get
    # updated
    eclasses = [re.sub(r'^(.*?)-r\d+', r'\1', x) for x in eclasses]
    return eclasses
 def get_dependencies(atom):
    cmd=[ EQUERY_PATH, '-q', 'd', '-F', '$cp', atom ]
    ret, out, err = sau.helpers.exec_cmd(cmd)
    dependencies = [l.strip() for l in out.splitlines()]
    return dependencies
 def pkg_upgrade():
    log = logging.getLogger(sau.LOGNAME)
    conf = sau.config
    do_system_upgrade = conf.getboolean('default', 'do_system_upgrade', fallback=False)
-    if conf.getboolean('default', 'do_reposync', fallback=True):
+    _sync_portage()
        _sync_portage()
    # [ebuild     U ] media-plugins/alsa-plugins-1.1.8 [1.1.6]
-    pretend_re = re.compile(r'^\[(?:ebuild|binary) ([^\]]*)\] ([^ ]+?)-(\d[-\.\w]*)( \[[^\]]+\])?')
+    pretend_re = re.compile(r'^\[ebuild ([^\]]*)\] ([^ ]+)( \[[^\]]+\])?')
    # media-plugins/alsa-plugins-1.1.8
    version_re = re.compile(r'^(.*/.*)-(\d+.*)$')
    ignore_re = re.compile(r'^(|.*caus.* rebuilds.*|.*scheduled for merge.*|.*waiting for lock on.*)$')
    default_version_sens = conf.getint('default', 'version_sensitivity', fallback=1)
-    ## Query upgradeable packages
+    cmd = [ EMERGE_PATH, '--color', 'n', '-uDNpq', '@world' ]
    cmd = [ EMERGE_PATH, '--color', 'n', '-uDNpq', '--with-bdeps=y', '@world' ]
    ret, out, err = sau.helpers.exec_cmd(cmd)
    if not ret == 0:
@ -201,11 +124,9 @@ def pkg_upgrade():
            log.error('stdout: {}'.format(line))
        for line in err.splitlines():
            log.error('stderr: {}'.format(line))
-        raise sau.errors.UpgradeError(f'Failed to calculate upgrade path')
+        return False
    do_rebuild = True
    do_grub = False
    rebuild_packages = {}
    for line in out.splitlines():
        if re.match(ignore_re, line):
            continue
@ -215,225 +136,67 @@ def pkg_upgrade():
            continue
        status = match.group(1)
        name = match.group(2)
-        new = match.group(3)
+        old = match.group(3)
        old = match.group(4)
        if not old:
            continue
        old = old.strip(' []')
        nmatch = re.match(version_re, name)
        name = nmatch.group(1)
        version = nmatch.group(2)
        sens = conf.getint('packages', name, fallback=default_version_sens)
-        common = sau.helpers.version_diff(new, old)
+        common = sau.helpers.version_diff(version, old)
        if sens <= common:
-            log.info('{} -- {} -> {} configured level {} <= pkg level {}'.format(name, old, new, sens, common))
+            log.info('{}-{} -> {} configured level {} <= pkg level {}'.format(name, old, version, sens, common))
        else:
-            log.error('{} -- {} -> {} configured level {} > pkg level {}'.format(name, old, new, sens, common))
+            log.warning('{}-{} -> {} configured level {} > pkg level {}'.format(name, old, version, sens, common))
            do_rebuild = False
        nameversion = f'{name}-{new}'
        eclasses = get_eclasses(nameversion)
        rebuild_packages[name] = eclasses
    for package,eclasses in rebuild_packages.items():
        if is_system_package(package, eclasses):
            if do_system_upgrade:
                do_grub = True
            else:
                raise sau.errors.UpgradeError(f"System package {package} has an update, but system upgrade is disabled")
    if not do_rebuild:
-        raise sau.errors.UpgradeError('Some packages require manual attention, did not upgrade')
+        log.warning('Some packages require manual attention, did not upgrade')
    if not rebuild_packages:
        log.info('No packages to upgrade')
        return False
-    ## Actual upgrade
+    cmd = [ EMERGE_PATH, '--color', 'n', '-uDNq', '@world' ]
-    cmd = [ EMERGE_PATH, '--color', 'n', '-uDNq', '--with-bdeps=y', '@world' ]
+    ret, out, err = sau.helpers.exec_cmd(cmd, timeout=36000)
    ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
    if ret != 0 or err:
-        log.error('emerge returned {}'.format(ret))
+        log.warning('emerge returned {}'.format(ret))
        for line in out.splitlines():
-            log.error('stdout: {}'.format(line))
+            log.warning('stdout: {}'.format(line))
        for line in err.splitlines():
-            log.error('stderr: {}'.format(line))
+            log.warning('stderr: {}'.format(line))
        raise sau.errors.UpgradeError(f'Error during upgrade')
    else:
        log.info('upgrade complete')
        for line in out.splitlines():
            if line.startswith(' * '):
                log.warning(line)
-    ## rebuild as needed
+    cmd = [ EMERGE_PATH, '--color', 'n', '-q', '@preserved-rebuild' ]
-    do_rebuild = conf.getboolean('default', 'do_rebuilds', fallback=True)
+    ret, out, err = sau.helpers.exec_cmd(cmd, timeout=36000)
    if do_rebuild:
        # from here on we shouldn't need to rebuild the upgraded packages again
        exclude_list = ' --exclude '.join(rebuild_packages.keys()).split()
        # Rebuild go
        go_packages = []
        cmd = None
        for package,eclasses in rebuild_packages.items():
            if 'go-module' in eclasses or package == 'dev-lang/go':
                go_packages.append(package)
        if 'dev-lang/go' in go_packages:
            log.info("Running golang-rebuild due to update of dev-lang/go")
            cmd = [
                    EMERGE_PATH,
                    '--color', 'n',
                    '-q',
                    '--usepkg', 'n',
                    '@golang-rebuild',
                    '--exclude' ] + exclude_list
        elif go_packages:
            dependencies = []
            for package in go_packages:
                dependencies.extend(get_dependencies(package))
            dependencies = set(dependencies)
            upgraded = set(rebuild_packages.keys())
            not_upgraded = dependencies-upgraded
            if not_upgraded:
                log.info(f'Rebuilding packages dependant of go modules {", ".join(go_packages)}')
                cmd = [
                    EMERGE_PATH,
                    '--color', 'n',
                    '-q',
                    '--usepkg', 'n'] + not_upgraded
        if cmd:
            ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
            if ret != 0 or err:
                log.error('Rebuild of go packages returned {}'.format(ret))
                for line in out.splitlines():
                    log.error('stdout: {}'.format(line))
                for line in err.splitlines():
                    log.error('stderr: {}'.format(line))
                raise sau.errors.UpgradeError(f'Error during go rebuild')
            else:
                log.info('go rebuild complete')
                for line in out.splitlines():
                    if line.startswith(' * '):
                        log.warning(line)
        # rebuild rust
        if any([x in rebuild_packages for x in ('dev-lang/rust', 'dev-lang/rust-bin')]):
            log.info("Running rust-rebuild due to update of rust")
            cmd = [
                    EMERGE_PATH,
                    '--color', 'n',
                    '-q',
                    '--usepkg', 'n',
                    '@rust-rebuild',
                    '--exclude' ] + exclude_list
            ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
            if ret != 0 or err:
                log.error('Rebuild of rust packages returned {}'.format(ret))
                for line in out.splitlines():
                    log.error('stdout: {}'.format(line))
                for line in err.splitlines():
                    log.error('stderr: {}'.format(line))
                raise sau.errors.UpgradeError(f'Error during rust rebuild')
            else:
                log.info('rust rebuild complete')
                for line in out.splitlines():
                    if line.startswith(' * '):
                        log.warning(line)
        # run perl-cleaner
        if 'dev-lang/perl' in rebuild_packages:
            log.info("Running perl-cleaner due to perl upgrade")
            cmd = [ PCLEAN_PATH, '--all', '--', '-q', '--usepkg', 'n']
            ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
            if ret != 0 or err:
                log.error('perl-cleaner failed with code {}'.format(ret))
                for line in out.splitlines():
                    log.error('stdout: {}'.format(line))
                for line in err.splitlines():
                    log.error('stderr: {}'.format(line))
                raise sau.errors.UpgradeError(f'Error during perl-cleaner')
            else:
                log.info('perl-cleaner complete')
                for line in out.splitlines():
                    if line.startswith(' * '):
                        log.warning(line)
        # rebuild live packages
        cmd = [ EMERGE_PATH, '--color', 'n', '-q', '--usepkg', 'n', '@live-rebuild' ]
        ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
        if ret != 0 or err:
            log.error('live-rebuild returned {}'.format(ret))
            for line in out.splitlines():
                log.error('stdout: {}'.format(line))
            for line in err.splitlines():
                log.error('stderr: {}'.format(line))
            raise sau.errors.UpgradeError(f'Error during live-rebuild')
        else:
            log.info('live-rebuild complete')
            for line in out.splitlines():
                if line.startswith(' * '):
                    log.warning(line)
    ## Depclean
    if conf.getboolean('default', 'do_depclean', fallback=False):
        cmd = [ EMERGE_PATH, '--color', 'n', '-q', '--depclean' ]
        ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
        if ret != 0 or err:
            log.error('depclean returned {}'.format(ret))
            for line in out.splitlines():
                log.error('stdout: {}'.format(line))
            for line in err.splitlines():
                log.error('stderr: {}'.format(line))
            raise sau.errors.UpgradeError(f'Error during depclean')
        else:
            log.info('depclean complete')
            for line in out.splitlines():
                if line.startswith(' * '):
                    log.warning(line)
    ## Preserved rebuild
    cmd = [ EMERGE_PATH, '--color', 'n', '--usepkg', 'n', '-q', '@preserved-rebuild' ]
    ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
    if ret != 0 or err:
-        log.error('preserved-rebuild returned {}'.format(ret))
+        log.warning('preserved-rebuild returned {}'.format(ret))
        for line in out.splitlines():
-            log.error('stdout: {}'.format(line))
+            log.warning('stdout: {}'.format(line))
        for line in err.splitlines():
-            log.error('stderr: {}'.format(line))
+            log.warning('stderr: {}'.format(line))
        raise sau.errors.UpgradeError(f'Error during preserved-rebuild')
    else:
        log.info('preserved-rebuild complete')
        for line in out.splitlines():
            if line.startswith(' * '):
                log.warning(line)
-
+    if conf.getboolean('default', 'do_depclean', fallback=False):
-    # doing grub reconfig and clean old kernels
+        cmd = [ EMERGE_PATH, '--color', 'n', '-q', '--depclean' ]
-    if do_grub and os.path.exists(GRUB_MKCONFIG):
+        ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
-        keep_kernels = conf.getint('default', 'keep_kernels', fallback=4)
+        if ret != 0 or err:
-        if keep_kernels < 1:
+            log.warning('depclean returned {}'.format(ret))
            log.error('keep_kernels cannot be less than one; falling back to default')
            keep_kernels = 4
        for root, dirs, files in os.walk('/boot'):
            for sysfile in ['config', 'initramfs', 'System.map', 'vmlinuz', 'kernel']:
                match = sorted(
                        [f for f in files if f.startswith(f'{sysfile}-')],
                        reverse=True)
                for f in match[keep_kernels:]:
                    log.debug(f"Removing old kernel file {f}")
                    os.remove(os.path.join(root, f))
            break
        cmd = [ GRUB_MKCONFIG, '-o', '/boot/grub/grub.cfg' ]
        ret, out, err = sau.helpers.exec_cmd(cmd)
        if ret != 0:
            log.error(f"grub-mkconfig returned {ret}:")
            for line in out.splitlines():
-                log.error('stdout: {}'.format(line))
+                log.warning('stdout: {}'.format(line))
            for line in err.splitlines():
-                log.error('stderr: {}'.format(line))
+                log.warning('stderr: {}'.format(line))
            raise sau.errors.UpgradeError(f'Failed to reconfiugre grub')
        else:
-            log.info("grub reconfigured")
+            log.info('depclean complete')
-            return True
+            for line in out.splitlines():
                if line.startswith(' * '):
                    log.warning(line)
--- a/sau/helpers.py
+++ b/sau/helpers.py
@ -1,21 +1,17 @@
 import logging
 import os
 import subprocess
 import time
 import sau
 def exec_cmd(cmd, timeout=900, env = None):
    my_env = os.environ.copy()
    if env:
        my_env.update(env)
    log = logging.getLogger(sau.LOGNAME)
    log.debug('Executing "{}"'.format(' '.join(cmd)))
    proc = subprocess.Popen(
            cmd,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
-            env = my_env)
+            env = env)
    out = b""
    err = b""
--- a/sau/platforms.py
+++ b/sau/platforms.py
@ -1,4 +1,3 @@
 import os
 import platform
 import sau.errors
@ -10,10 +9,9 @@ def get_platform():
    if platform.system() == 'FreeBSD':
        platform_mod = sau.freebsd
    elif platform.system() == 'Linux':
-        if os.path.exists('/usr/bin/emerge'):
+        if 'gentoo' in platform.release():
            platform_mod = sau.gentoo
    if not platform_mod:
        raise sau.errors.PlatformNotSupported("System: {} Release: {} Version: {} is not supported".format(
            platform.system(),
--- a/sau/services.py
+++ b/sau/services.py
@ -1,3 +1,4 @@
 #!/usr/bin/env python3.6
 import logging
 import os
 import re
@ -7,20 +8,11 @@ import psutil
 import sau
 import sau.errors
 import sau.helpers
 import sau.platforms
-proc_fd_map_re = re.compile(r'^.*(/(?:usr|lib|opt|etc|s?bin)[^\(]*) \(deleted\)$')
+proc_fd_map_re = re.compile(r'^.*(/[^\(]*) \(deleted\)$')
-valid_service_policies=('restart', 'warn', 'ignore', 'silent-restart',
+def _get_deleted_open_files(proc):
                        'reboot', 'silent-reboot')
 def _warn(policy, msg):
    log = logging.getLogger(sau.LOGNAME)
    if not policy.startswith('silent'):
        log.warning(msg)
 def get_deleted_open_files(proc):
    log = logging.getLogger(sau.LOGNAME)
    files = set()
@ -31,8 +23,7 @@ def get_deleted_open_files(proc):
            for line in f:
                match = re.match(proc_fd_map_re, line)
                if match:
-                    fname = match.group(1)
+                    files.add(match.group(1))
                    files.add(fname)
        return files
    # on FreeBSD psutils open_files() helpfully returns a null path if a file
@ -67,42 +58,25 @@ def get_exe_file(name):
                    log.debug('Found binary for {} at {}'.format(name, root))
                    return os.path.join(root, name)
 # return all processes with open files
 def _get_processes():
    log = logging.getLogger(sau.LOGNAME)
    check_procs = set()
    for proc in psutil.process_iter():
        files = get_deleted_open_files(proc)
        if files:
            log.debug('{} has open deleted files'.format(proc))
            check_procs.add(proc)
    return check_procs
 # Just return True if system is running on systemd
 def on_systemd():
    try:
        init_proc = psutil.Process(pid=1)
        if init_proc.name() == 'systemd':
            return True
    except psutil.NoSuchProcess:
        pass
    return False
 def restart_services():
    log = logging.getLogger(sau.LOGNAME)
    platform = sau.platforms.get_platform()
    conf = sau.config
    check_procs = set()
    for proc in psutil.process_iter():
        files = _get_deleted_open_files(proc)
        if files:
            log.info('{} has open deleted files'.format(proc))
            check_procs.add(proc)
    check_procs = _get_processes()
    # wait before the second test
-    time.sleep(5)
+    time.sleep(1)
    # perform a second check to remove potential false positives
    service_procs = set()
    retest_procs = set()
    for proc in check_procs:
-        files = get_deleted_open_files(proc)
+        files = _get_deleted_open_files(proc)
        if not files:
            # no deleted open files for this process any longer
            continue
@ -111,73 +85,71 @@ def restart_services():
        except (psutil.NoSuchProcess, psutil.ZombieProcess, psutil.AccessDenied):
            # either of the above exceptions means the process has quit
            continue
-        if on_systemd():
+        parent = _get_top_parent(proc)
            service_procs.add(proc)
        else:
            parent = _get_top_parent(proc)
            service_procs.add(parent)
        service_procs.add(parent)
        retest_procs.add(proc)
-    recommend_restart = False
+    processes = {}
    services = {}
    for proc in service_procs:
        if not proc:
            continue
        service_name = None
        try:
            service_exe = proc.exe()
            proc_name = proc.name()
        except (psutil.NoSuchProcess, psutil.ZombieProcess, psutil.AccessDenied):
            log.debug('{} died before it could be restarted'.format(proc))
            continue
        service_name = _get_service_from_proc(proc)
        if not service_name:
-            log.warning('no service for process {}'.format(proc))
+            log.debug('no service for process {}'.format(proc))
            recommend_restart = True
            continue
        if service_name == 'systemd':
            log.info("Upgrade of systemd detected; doing daemon-reexec")
            sau.helpers.exec_cmd([ '/usr/bin/systemctl', 'daemon-reexec' ])
            continue
        elif service_name == '@ignore':
            log.info(f"Process {proc} ignored by configuration")
            retest_procs.discard(proc)
            continue
        services[proc_name] = service_name
        processes[service_name] = [proc]
    for service in set([x for x in services.values() if x]):
        policy = _get_service_restart_policy(service)
        if policy == 'ignore':
            log.info('Service "{}" ignored by configuration'.format(service))
            [retest_procs.discard(x) for x,y in services.items() if y == service]
            continue
        elif policy == 'warn':
            log.warning('Service "{}" has open deleted files and should be restarted'.format(service))
            continue
-        elif 'reboot' in policy:
+        if not policy.startswith('silent'):
-            _warn(policy, 'Rebooting because {} has opened files'.format(service))
+            log.warning('Restarting service {}'.format(service))
            recommend_restart = True
        _warn(policy, 'Restarting service {}'.format(service))
        platform.restart_service(service)
    recommend_restart = False
    tested_parents = set()
    for proc in retest_procs:
-        try:
+        parent = _get_top_parent(proc)
-            proc_name = proc.name()
+        if not parent:
-            if proc_name not in services:
+            continue
-                continue
+        parent_name = parent.name()
-        except (psutil.NoSuchProcess, psutil.ZombieProcess, psutil.AccessDenied):
+        if parent in tested_parents:
            log.debug('{} belongs to already tested parent {}'.format(proc, parent))
            continue
-        if get_deleted_open_files(proc):
+        if _get_deleted_open_files(proc):
-            service = services[proc_name]
+            tested_parents.add(parent)
-            policy = _get_service_restart_policy(service)
+            service = _get_service_from_proc(parent)
-            _warn(policy, f'{proc} still has deleted files open')
+            if not service:
                log.warning('could not re-check process {} - failed to identify service'.format(proc))
                recommend_restart = True
                continue
            log.debug('{} is in service {}'.format(proc, service))
            if parent_name in services and not services[parent_name]:
                log.warning('{} (parent {}) does not belong to a service and could not be restarted'.format(proc, parent))
                recommend_restart = True
                continue
            elif parent_name in services:
                policy = _get_service_restart_policy(service)
                log.debug('service {} has policy {}'.format(service, policy))
                if policy in ('ignore', 'warn'):
                    continue
            log.warning('{} (parent {}) still has deleted files open'.format(proc, parent))
            recommend_restart = True
    return recommend_restart
@ -185,13 +157,13 @@ def _get_service_restart_policy(service):
    log = logging.getLogger(sau.LOGNAME)
    conf = sau.config
    policy = conf.get('services', service, fallback=None)
-    if policy and policy.lower() in valid_service_policies:
+    if policy and policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart'):
        return policy.lower()
    elif policy:
        log.warning('service policy {} for {} is invalid'.format(policy, service))
    default_policy = conf.get('default', 'default_service_policy', fallback='warn')
-    if default_policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart', 'reboot'):
+    if default_policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart'):
        return default_policy.lower()
    log.warning('default service policy {} is invalid'.format(default_policy))
    return 'warn'
@ -199,53 +171,21 @@ def _get_service_restart_policy(service):
 def _get_service_from_proc(proc):
    conf = sau.config
    platform = sau.platforms.get_platform()
-    if not on_systemd():
+    proc = _get_top_parent(proc)
        proc = _get_top_parent(proc)
    log = logging.getLogger(sau.LOGNAME)
    try:
        proc_name = proc.name()
        service_exe = proc.exe()
    except (psutil.NoSuchProcess, psutil.ZombieProcess, psutil.AccessDenied):
        log.debug('{} died'.format(proc))
-        return '@ignore'
+        return None
    service_name = conf.get('processes', proc_name, fallback=None)
    log.debug(f'configuration of process "{proc_name}" in config: "{service_name}"')
    if service_name == '':
        log.debug('Ignoring process {}'.format(proc))
-        return '@ignore'
+        return None
    if not service_name:
        # Systemd has it's own way...
        if on_systemd():
            if proc.pid == 1:
                return 'systemd'
            ret, unit, err = sau.helpers.exec_cmd([ '/usr/bin/systemctl', 'whoami', f'{proc.pid}' ])
            unit = unit.strip()
            name, unit_type = unit.split('.')
            if ret != 0:
                log.debug(f'Non-success ({ret}) when checking unit for process: {err}')
                return None
            elif unit_type != 'service':
                log.warning(f'not restarting non-service unit "{unit}"; owner of {proc}')
                return None
            elif name.startswith('user@'):
                log.warning(f'Not restarting user service {unit}; please log out and log in again')
                return None
            else:
                policy = conf.get('services', name, fallback=None)
                if policy and policy.lower() in valid_service_policies:
                    return name
                _ret, enabled, _err = sau.helpers.exec_cmd([ '/usr/bin/systemctl', 'is-enabled', unit ])
                enabled = enabled.strip()
                if enabled not in ('enabled', 'static'):
                    log.warning(f'Unit {name}.service has enable status: {enabled} - will only restart "enabled" services')
                    return None
                else:
                    return name
            log.error(f'This should be an unreachable path when checking process {proc}')
            return None
        # if the exe file has been deleted since started, service_exe will be empty
        # and we'll have to guess
        if not service_exe:
--- a/selinux/sau.fc
+++ b/selinux/sau.fc
@ -1,7 +1,2 @@
-/usr/bin/sau -- gen_context(system_u:object_r:sau_exec_t,s0)
+/usr/bin/sau gen_context(system_u:object_r:sau_exec_t,s0)
-
+/etc/sau.cfg gen_context(system_u:object_r:sau_config_t,s0)
 # on gentoo python executables are executed via python-exec
 /usr/lib/python-exec/python[0-9\.]*/sau -- gen_context(system_u:object_r:sau_exec_t,s0)
 /etc/sau.cfg -- gen_context(system_u:object_r:sau_config_t,s0)
--- a/selinux/sau.te
+++ b/selinux/sau.te
@ -1,4 +1,4 @@
-policy_module(sau, 0.9.1)
+policy_module(sau, 0.1)
 gen_require(`
  type system_cronjob_t;
@ -16,11 +16,6 @@ domain_type(sau_t)
 domain_entry_file(sau_t, sau_exec_t)
 files_config_file(sau_config_t)
 read_files_pattern(sau_t, etc_t, sau_config_t);
 read_files_pattern(sau_t, etc_t, etc_t)
 files_read_etc_runtime_files(sau_t);
 search_dirs_pattern(sau_t, etc_t, etc_runtime_t);
 files_manage_generic_tmp_files(sau_t)
 files_manage_generic_tmp_dirs(sau_t)
 role sysadm_r types sau_t;
 role system_r types sau_t;
@ -28,54 +23,14 @@ role system_r types sau_t;
 domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
 domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
-domain_use_interactive_fds(sau_t)
+# this should be fixed, but I don't know enough selinux magic to restrict this
-userdom_use_user_ptys(sau_t)
+# while still allowing it to inspect all open files for all processes
-userdom_use_all_users_fds(sau_t)
+unconfined_domain_noaudit(sau_t)
 # required for python
 corecmd_mmap_bin_files(sau_t)
 mmap_exec_files_pattern(sau_t, tmp_t, tmp_t);
 read_files_pattern(sau_t, usr_t, usr_t)
 miscfiles_read_localization(sau_t)
 logging_send_syslog_msg(sau_t)
 allow sau_t self:fifo_file { read write };
 corecmd_exec_shell(sau_t)
 corecmd_exec_bin(sau_t)
 # list processes
 kernel_read_system_state(sau_t)
 domain_read_all_domains_state(sau_t)
 allow sau_t self:capability sys_ptrace;
 # I've tried it all; I don't know how to give sau permission to
 # run init-scripts :(
 init_all_labeled_script_domtrans(sau_t)
 init_domtrans_script(sau_t)
 init_read_utmp(sau_t)
 init_signull_script(sau_t)
 #init_startstop_all_script_services(sau_t)
 #init_use_script_ptys(sau_t)
 #init_domtrans_labeled_script(sau_t)
 #init_manage_script_service(sau_t)
 #init_read_script_status_files(sau_t)
 #allow sau_t initrc_state_t:lnk_file { getattr read };
 #allow sau_t initrc_state_t:dir { search read };
 #init_admin(sau_t)
 # FIXME: shouldn't have to be unconfined...
 unconfined_domain(sau_t)
 # allow during troubleshooting...
 #files_getattr_all_dirs(sau_t)
 #files_getattr_all_files(sau_t)
 # Gentoo specific
 portage_read_config(sau_t)
 portage_read_ebuild(sau_t)
 portage_read_db(sau_t)
 portage_read_cache(sau_t)
 portage_domtrans(sau_t)
 # postfix
 postfix_admin(sau_t, system_r)
--- a/setup.py
+++ b/setup.py
@ -1,11 +1,11 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python3.6
 from os import environ
 from setuptools import setup, find_packages
 setup(
        name='sau',
-        version='1.4.5',
+        version='0.9.0',
        description='Tool for auto-updating OS and packages',
        author='Feffe',
        author_email='feffe@fulh.ax',