Compare commits
18 Commits
yum-suppor
...
v0.9.1
| Author | SHA1 | Date | |
|---|---|---|---|
9eebd56869
|
|||
|
5d5947c99e
|
|||
|
afa616916d
|
|||
|
fd66a30de4
|
|||
|
994b93e3b4
|
|||
|
8a29ab82b0
|
|||
|
13e56c6d56
|
|||
|
4ca971687b
|
|||
|
eca94f40d9
|
|||
|
81dfa5567e
|
|||
|
b1c520b257
|
|||
|
712a4e986f
|
|||
|
32b98e4dbc
|
|||
|
44088bd64b
|
|||
|
aadd0e2641
|
|||
|
1322918dcc
|
|||
| 79dd24809d | |||
| 04cbedb9c0 |
8
bin/sau
8
bin/sau
@ -1,4 +1,4 @@
|
|||||||
#!/usr/bin/env python3.6
|
#!/usr/bin/env python3.7
|
||||||
import configparser
|
import configparser
|
||||||
import logging
|
import logging
|
||||||
import logging.handlers
|
import logging.handlers
|
||||||
@ -12,7 +12,7 @@ import sau.services
|
|||||||
import sau.platforms
|
import sau.platforms
|
||||||
|
|
||||||
def init():
|
def init():
|
||||||
sau.config = configparser.SafeConfigParser()
|
sau.config = configparser.ConfigParser()
|
||||||
conf = sau.config
|
conf = sau.config
|
||||||
|
|
||||||
if platform.system() == 'FreeBSD':
|
if platform.system() == 'FreeBSD':
|
||||||
@ -106,9 +106,9 @@ def main():
|
|||||||
|
|
||||||
if conf.getboolean('default', 'do_reboot', fallback=False):
|
if conf.getboolean('default', 'do_reboot', fallback=False):
|
||||||
if reboot_required:
|
if reboot_required:
|
||||||
log.warning('Rebooting because of a system upgrade')
|
log.info('Rebooting because of a system upgrade')
|
||||||
elif reboot_recommended:
|
elif reboot_recommended:
|
||||||
log.warning('Rebooting because service restarts did not close all deleted files')
|
log.info('Rebooting because service restarts did not close all deleted files')
|
||||||
if reboot_required or reboot_recommended:
|
if reboot_required or reboot_recommended:
|
||||||
fork_and_reboot()
|
fork_and_reboot()
|
||||||
|
|
||||||
|
|||||||
@ -64,7 +64,7 @@ qemu-system-x86_64=
|
|||||||
#ruby24=puppetserver puppetdb
|
#ruby24=puppetserver puppetdb
|
||||||
|
|
||||||
# The services section contains restart policy for specific services.
|
# The services section contains restart policy for specific services.
|
||||||
# valid policies are 'ignore', 'warn', 'restart' and 'silent-restart'.
|
# valid policies are 'ignore', 'warn', 'restart', 'silent-restart' and 'reboot'.
|
||||||
# 'silent-restart' is like 'restart', but will not log a warning when
|
# 'silent-restart' is like 'restart', but will not log a warning when
|
||||||
# the service is restarted.
|
# the service is restarted.
|
||||||
[services]
|
[services]
|
||||||
|
|||||||
@ -5,7 +5,7 @@ import re
|
|||||||
import sau
|
import sau
|
||||||
import sau.helpers
|
import sau.helpers
|
||||||
|
|
||||||
EIX_UPDATE_PATH='/usr/bin/eix-update'
|
EIX_SYNC_PATH='/usr/bin/eix-sync'
|
||||||
RC_SERVICE_PATH='/sbin/rc-service'
|
RC_SERVICE_PATH='/sbin/rc-service'
|
||||||
EMERGE_PATH='/usr/bin/emerge'
|
EMERGE_PATH='/usr/bin/emerge'
|
||||||
EQUERY_PATH='/usr/bin/equery'
|
EQUERY_PATH='/usr/bin/equery'
|
||||||
@ -78,6 +78,10 @@ def system_upgrade():
|
|||||||
def _sync_portage():
|
def _sync_portage():
|
||||||
log = logging.getLogger(sau.LOGNAME)
|
log = logging.getLogger(sau.LOGNAME)
|
||||||
|
|
||||||
|
if os.path.exists(EIX_SYNC_PATH):
|
||||||
|
cmd = [ EIX_SYNC_PATH, '-q' ]
|
||||||
|
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
||||||
|
else:
|
||||||
cmd = [ EMERGE_PATH, '-q', '--sync' ]
|
cmd = [ EMERGE_PATH, '-q', '--sync' ]
|
||||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
||||||
|
|
||||||
@ -88,16 +92,6 @@ def _sync_portage():
|
|||||||
for line in err.splitlines():
|
for line in err.splitlines():
|
||||||
log.warning("stderr: {}".format(line))
|
log.warning("stderr: {}".format(line))
|
||||||
|
|
||||||
if os.path.exists(EIX_UPDATE_PATH):
|
|
||||||
cmd = [ EIX_UPDATE_PATH, '-q' ]
|
|
||||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
|
||||||
|
|
||||||
if ret != 0:
|
|
||||||
log.warning("eix-update failed:")
|
|
||||||
for line in out.splitlines():
|
|
||||||
log.warning("stdout: {}".format(line))
|
|
||||||
for line in err.splitlines():
|
|
||||||
log.warning("stderr: {}".format(line))
|
|
||||||
|
|
||||||
|
|
||||||
def pkg_upgrade():
|
def pkg_upgrade():
|
||||||
@ -157,7 +151,7 @@ def pkg_upgrade():
|
|||||||
return False
|
return False
|
||||||
|
|
||||||
cmd = [ EMERGE_PATH, '--color', 'n', '-uDNq', '@world' ]
|
cmd = [ EMERGE_PATH, '--color', 'n', '-uDNq', '@world' ]
|
||||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=36000)
|
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
|
||||||
|
|
||||||
if ret != 0 or err:
|
if ret != 0 or err:
|
||||||
log.warning('emerge returned {}'.format(ret))
|
log.warning('emerge returned {}'.format(ret))
|
||||||
@ -172,7 +166,7 @@ def pkg_upgrade():
|
|||||||
log.warning(line)
|
log.warning(line)
|
||||||
|
|
||||||
cmd = [ EMERGE_PATH, '--color', 'n', '-q', '@preserved-rebuild' ]
|
cmd = [ EMERGE_PATH, '--color', 'n', '-q', '@preserved-rebuild' ]
|
||||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=36000)
|
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
|
||||||
|
|
||||||
if ret != 0 or err:
|
if ret != 0 or err:
|
||||||
log.warning('preserved-rebuild returned {}'.format(ret))
|
log.warning('preserved-rebuild returned {}'.format(ret))
|
||||||
|
|||||||
@ -1,17 +1,21 @@
|
|||||||
import logging
|
import logging
|
||||||
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
import time
|
import time
|
||||||
|
|
||||||
import sau
|
import sau
|
||||||
|
|
||||||
def exec_cmd(cmd, timeout=900, env = None):
|
def exec_cmd(cmd, timeout=900, env = None):
|
||||||
|
my_env = os.environ.copy()
|
||||||
|
if env:
|
||||||
|
my_env.update(env)
|
||||||
log = logging.getLogger(sau.LOGNAME)
|
log = logging.getLogger(sau.LOGNAME)
|
||||||
log.debug('Executing "{}"'.format(' '.join(cmd)))
|
log.debug('Executing "{}"'.format(' '.join(cmd)))
|
||||||
proc = subprocess.Popen(
|
proc = subprocess.Popen(
|
||||||
cmd,
|
cmd,
|
||||||
stdout=subprocess.PIPE,
|
stdout=subprocess.PIPE,
|
||||||
stderr=subprocess.PIPE,
|
stderr=subprocess.PIPE,
|
||||||
env = env)
|
env = my_env)
|
||||||
out = b""
|
out = b""
|
||||||
err = b""
|
err = b""
|
||||||
|
|
||||||
|
|||||||
@ -1,3 +1,4 @@
|
|||||||
|
import os
|
||||||
import platform
|
import platform
|
||||||
|
|
||||||
import sau.errors
|
import sau.errors
|
||||||
@ -9,9 +10,10 @@ def get_platform():
|
|||||||
if platform.system() == 'FreeBSD':
|
if platform.system() == 'FreeBSD':
|
||||||
platform_mod = sau.freebsd
|
platform_mod = sau.freebsd
|
||||||
elif platform.system() == 'Linux':
|
elif platform.system() == 'Linux':
|
||||||
if 'gentoo' in platform.release():
|
if os.path.exists('/usr/bin/emerge'):
|
||||||
platform_mod = sau.gentoo
|
platform_mod = sau.gentoo
|
||||||
|
|
||||||
|
|
||||||
if not platform_mod:
|
if not platform_mod:
|
||||||
raise sau.errors.PlatformNotSupported("System: {} Release: {} Version: {} is not supported".format(
|
raise sau.errors.PlatformNotSupported("System: {} Release: {} Version: {} is not supported".format(
|
||||||
platform.system(),
|
platform.system(),
|
||||||
|
|||||||
@ -1,4 +1,3 @@
|
|||||||
#!/usr/bin/env python3.6
|
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import re
|
import re
|
||||||
@ -12,6 +11,11 @@ import sau.platforms
|
|||||||
|
|
||||||
proc_fd_map_re = re.compile(r'^.*(/[^\(]*) \(deleted\)$')
|
proc_fd_map_re = re.compile(r'^.*(/[^\(]*) \(deleted\)$')
|
||||||
|
|
||||||
|
def _warn(policy, msg):
|
||||||
|
log = logging.getLogger(sau.LOGNAME)
|
||||||
|
if not policy.startswith('silent'):
|
||||||
|
log.warning(msg)
|
||||||
|
|
||||||
def _get_deleted_open_files(proc):
|
def _get_deleted_open_files(proc):
|
||||||
log = logging.getLogger(sau.LOGNAME)
|
log = logging.getLogger(sau.LOGNAME)
|
||||||
files = set()
|
files = set()
|
||||||
@ -93,6 +97,8 @@ def restart_services():
|
|||||||
processes = {}
|
processes = {}
|
||||||
services = {}
|
services = {}
|
||||||
for proc in service_procs:
|
for proc in service_procs:
|
||||||
|
if not proc:
|
||||||
|
continue
|
||||||
try:
|
try:
|
||||||
service_exe = proc.exe()
|
service_exe = proc.exe()
|
||||||
proc_name = proc.name()
|
proc_name = proc.name()
|
||||||
@ -108,6 +114,7 @@ def restart_services():
|
|||||||
services[proc_name] = service_name
|
services[proc_name] = service_name
|
||||||
processes[service_name] = [proc]
|
processes[service_name] = [proc]
|
||||||
|
|
||||||
|
recommend_restart = False
|
||||||
for service in set([x for x in services.values() if x]):
|
for service in set([x for x in services.values() if x]):
|
||||||
policy = _get_service_restart_policy(service)
|
policy = _get_service_restart_policy(service)
|
||||||
if policy == 'ignore':
|
if policy == 'ignore':
|
||||||
@ -116,11 +123,12 @@ def restart_services():
|
|||||||
elif policy == 'warn':
|
elif policy == 'warn':
|
||||||
log.warning('Service "{}" has open deleted files and should be restarted'.format(service))
|
log.warning('Service "{}" has open deleted files and should be restarted'.format(service))
|
||||||
continue
|
continue
|
||||||
if not policy.startswith('silent'):
|
elif 'reboot' in policy:
|
||||||
log.warning('Restarting service {}'.format(service))
|
_warn(policy, 'Rebooting because {} has opened files'.format(service))
|
||||||
|
recommend_restart = True
|
||||||
|
_warn(policy, 'Restarting service {}'.format(service))
|
||||||
platform.restart_service(service)
|
platform.restart_service(service)
|
||||||
|
|
||||||
recommend_restart = False
|
|
||||||
tested_parents = set()
|
tested_parents = set()
|
||||||
for proc in retest_procs:
|
for proc in retest_procs:
|
||||||
parent = _get_top_parent(proc)
|
parent = _get_top_parent(proc)
|
||||||
@ -138,10 +146,11 @@ def restart_services():
|
|||||||
log.warning('could not re-check process {} - failed to identify service'.format(proc))
|
log.warning('could not re-check process {} - failed to identify service'.format(proc))
|
||||||
recommend_restart = True
|
recommend_restart = True
|
||||||
continue
|
continue
|
||||||
|
policy = _get_service_restart_policy(service)
|
||||||
|
|
||||||
log.debug('{} is in service {}'.format(proc, service))
|
log.debug('{} is in service {}'.format(proc, service))
|
||||||
if parent_name in services and not services[parent_name]:
|
if parent_name in services and not services[parent_name]:
|
||||||
log.warning('{} (parent {}) does not belong to a service and could not be restarted'.format(proc, parent))
|
_warn(policy, '{} (parent {}) does not belong to a service and could not be restarted'.format(proc, parent))
|
||||||
recommend_restart = True
|
recommend_restart = True
|
||||||
continue
|
continue
|
||||||
elif parent_name in services:
|
elif parent_name in services:
|
||||||
@ -149,7 +158,7 @@ def restart_services():
|
|||||||
log.debug('service {} has policy {}'.format(service, policy))
|
log.debug('service {} has policy {}'.format(service, policy))
|
||||||
if policy in ('ignore', 'warn'):
|
if policy in ('ignore', 'warn'):
|
||||||
continue
|
continue
|
||||||
log.warning('{} (parent {}) still has deleted files open'.format(proc, parent))
|
_warn(policy, '{} (parent {}) still has deleted files open'.format(proc, parent))
|
||||||
recommend_restart = True
|
recommend_restart = True
|
||||||
return recommend_restart
|
return recommend_restart
|
||||||
|
|
||||||
@ -157,13 +166,13 @@ def _get_service_restart_policy(service):
|
|||||||
log = logging.getLogger(sau.LOGNAME)
|
log = logging.getLogger(sau.LOGNAME)
|
||||||
conf = sau.config
|
conf = sau.config
|
||||||
policy = conf.get('services', service, fallback=None)
|
policy = conf.get('services', service, fallback=None)
|
||||||
if policy and policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart'):
|
if policy and policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart', 'reboot', 'silent-reboot'):
|
||||||
return policy.lower()
|
return policy.lower()
|
||||||
elif policy:
|
elif policy:
|
||||||
log.warning('service policy {} for {} is invalid'.format(policy, service))
|
log.warning('service policy {} for {} is invalid'.format(policy, service))
|
||||||
|
|
||||||
default_policy = conf.get('default', 'default_service_policy', fallback='warn')
|
default_policy = conf.get('default', 'default_service_policy', fallback='warn')
|
||||||
if default_policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart'):
|
if default_policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart', 'reboot'):
|
||||||
return default_policy.lower()
|
return default_policy.lower()
|
||||||
log.warning('default service policy {} is invalid'.format(default_policy))
|
log.warning('default service policy {} is invalid'.format(default_policy))
|
||||||
return 'warn'
|
return 'warn'
|
||||||
|
|||||||
@ -1,2 +1,7 @@
|
|||||||
/usr/bin/sau gen_context(system_u:object_r:sau_exec_t,s0)
|
/usr/bin/sau -- gen_context(system_u:object_r:sau_exec_t,s0)
|
||||||
/etc/sau.cfg gen_context(system_u:object_r:sau_config_t,s0)
|
|
||||||
|
# on gentoo python executables are executed via python-exec
|
||||||
|
/usr/lib/python-exec/python[0-9\.]*/sau -- gen_context(system_u:object_r:sau_exec_t,s0)
|
||||||
|
|
||||||
|
|
||||||
|
/etc/sau.cfg -- gen_context(system_u:object_r:sau_config_t,s0)
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
policy_module(sau, 0.1)
|
policy_module(sau, 0.9.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type system_cronjob_t;
|
type system_cronjob_t;
|
||||||
@ -16,6 +16,11 @@ domain_type(sau_t)
|
|||||||
domain_entry_file(sau_t, sau_exec_t)
|
domain_entry_file(sau_t, sau_exec_t)
|
||||||
files_config_file(sau_config_t)
|
files_config_file(sau_config_t)
|
||||||
read_files_pattern(sau_t, etc_t, sau_config_t);
|
read_files_pattern(sau_t, etc_t, sau_config_t);
|
||||||
|
read_files_pattern(sau_t, etc_t, etc_t)
|
||||||
|
files_read_etc_runtime_files(sau_t);
|
||||||
|
search_dirs_pattern(sau_t, etc_t, etc_runtime_t);
|
||||||
|
files_manage_generic_tmp_files(sau_t)
|
||||||
|
files_manage_generic_tmp_dirs(sau_t)
|
||||||
|
|
||||||
role sysadm_r types sau_t;
|
role sysadm_r types sau_t;
|
||||||
role system_r types sau_t;
|
role system_r types sau_t;
|
||||||
@ -23,14 +28,54 @@ role system_r types sau_t;
|
|||||||
domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
|
domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
|
||||||
domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
|
domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
|
||||||
|
|
||||||
# this should be fixed, but I don't know enough selinux magic to restrict this
|
domain_use_interactive_fds(sau_t)
|
||||||
# while still allowing it to inspect all open files for all processes
|
userdom_use_user_ptys(sau_t)
|
||||||
unconfined_domain_noaudit(sau_t)
|
userdom_use_all_users_fds(sau_t)
|
||||||
|
|
||||||
|
# required for python
|
||||||
|
corecmd_mmap_bin_files(sau_t)
|
||||||
|
mmap_exec_files_pattern(sau_t, tmp_t, tmp_t);
|
||||||
|
|
||||||
|
|
||||||
|
read_files_pattern(sau_t, usr_t, usr_t)
|
||||||
|
miscfiles_read_localization(sau_t)
|
||||||
|
logging_send_syslog_msg(sau_t)
|
||||||
|
allow sau_t self:fifo_file { read write };
|
||||||
|
corecmd_exec_shell(sau_t)
|
||||||
|
corecmd_exec_bin(sau_t)
|
||||||
|
|
||||||
|
# list processes
|
||||||
|
kernel_read_system_state(sau_t)
|
||||||
|
domain_read_all_domains_state(sau_t)
|
||||||
|
allow sau_t self:capability sys_ptrace;
|
||||||
|
|
||||||
|
# I've tried it all; I don't know how to give sau permission to
|
||||||
|
# run init-scripts :(
|
||||||
|
init_all_labeled_script_domtrans(sau_t)
|
||||||
|
init_domtrans_script(sau_t)
|
||||||
|
init_read_utmp(sau_t)
|
||||||
|
init_signull_script(sau_t)
|
||||||
|
#init_startstop_all_script_services(sau_t)
|
||||||
|
#init_use_script_ptys(sau_t)
|
||||||
|
#init_domtrans_labeled_script(sau_t)
|
||||||
|
#init_manage_script_service(sau_t)
|
||||||
|
#init_read_script_status_files(sau_t)
|
||||||
|
#allow sau_t initrc_state_t:lnk_file { getattr read };
|
||||||
|
#allow sau_t initrc_state_t:dir { search read };
|
||||||
|
#init_admin(sau_t)
|
||||||
|
# FIXME: shouldn't have to be unconfined...
|
||||||
|
unconfined_domain(sau_t)
|
||||||
|
|
||||||
|
|
||||||
|
# allow during troubleshooting...
|
||||||
|
#files_getattr_all_dirs(sau_t)
|
||||||
|
#files_getattr_all_files(sau_t)
|
||||||
|
|
||||||
# Gentoo specific
|
# Gentoo specific
|
||||||
|
portage_read_config(sau_t)
|
||||||
|
portage_read_ebuild(sau_t)
|
||||||
|
portage_read_db(sau_t)
|
||||||
|
portage_read_cache(sau_t)
|
||||||
portage_domtrans(sau_t)
|
portage_domtrans(sau_t)
|
||||||
|
|
||||||
|
|
||||||
# postfix
|
|
||||||
postfix_admin(sau_t, system_r)
|
|
||||||
|
|
||||||
|
|||||||
4
setup.py
4
setup.py
@ -1,11 +1,11 @@
|
|||||||
#!/usr/bin/env python3.6
|
#!/usr/bin/env python3.7
|
||||||
from os import environ
|
from os import environ
|
||||||
|
|
||||||
from setuptools import setup, find_packages
|
from setuptools import setup, find_packages
|
||||||
|
|
||||||
setup(
|
setup(
|
||||||
name='sau',
|
name='sau',
|
||||||
version='0.9.0',
|
version='0.9.1',
|
||||||
description='Tool for auto-updating OS and packages',
|
description='Tool for auto-updating OS and packages',
|
||||||
author='Feffe',
|
author='Feffe',
|
||||||
author_email='feffe@fulh.ax',
|
author_email='feffe@fulh.ax',
|
||||||
|
|||||||
Reference in New Issue
Block a user