add support for grub

sau_t after restart

bin/sau

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3.6
+#!/usr/bin/env python3.7
 import configparser
 import logging
 import logging.handlers
@@ -12,7 +12,7 @@ import sau.services
 import sau.platforms
 
 def init():
-    sau.config = configparser.SafeConfigParser()
+    sau.config = configparser.ConfigParser()
     conf = sau.config
 
     if platform.system() == 'FreeBSD':
@@ -99,16 +99,16 @@ def main():
         reboot_required = platform.system_upgrade()
 
     if conf.getboolean('default', 'do_package_upgrade', fallback=True):
-        platform.pkg_upgrade()
+        reboot_required = reboot_required or platform.pkg_upgrade()
 
     if conf.getboolean('default', 'do_service_restart', fallback=True):
         reboot_recommended = sau.services.restart_services()
 
     if conf.getboolean('default', 'do_reboot', fallback=False):
         if reboot_required:
-            log.warning('Rebooting because of a system upgrade')
+            log.info('Rebooting because of a system upgrade')
         elif reboot_recommended:
-            log.warning('Rebooting because service restarts did not close all deleted files')
+            log.info('Rebooting because service restarts did not close all deleted files')
         if reboot_required or reboot_recommended:
             fork_and_reboot()
 

config.cfg

@@ -30,6 +30,9 @@ default_service_policy=ignore
 # do depclean on Gentoo
 do_depclean=yes
 
+# do eix-sync on Gentoo
+do_reposync=yes
+
 # to only write to stderr when something unexpected happens or manual action is required
 # set stderr_loglevel to warning
 stderr_loglevel=debug
@@ -41,12 +44,12 @@ syslog_loglevel=info
 # platform
 [packages]
 # Gentoo uses the category/package naming scheme
-dev-db/postgresql=2
+dev-db/postgresql=1
 
 # Gentoo kernel stuff should be updated manually
-sys-kernel/gentoo-sources=-1
+sys-kernel/gentoo-sources=99
-sys-kernel/spl=-1
+sys-kernel/spl=99
-sys-fs/zfs-kmod=-1
+sys-fs/zfs-kmod=99
 
 # FreeBSD uses the short package name (without category)
 gitlab=2
@@ -64,7 +67,7 @@ qemu-system-x86_64=
 #ruby24=puppetserver puppetdb
 
 # The services section contains restart policy for specific services.
-# valid policies are 'ignore', 'warn', 'restart' and 'silent-restart'.
+# valid policies are 'ignore', 'warn', 'restart', 'silent-restart' and 'reboot'.
 # 'silent-restart' is like 'restart', but will not log a warning when
 # the service is restarted.
 [services]

sau/gentoo.py

@@ -5,10 +5,11 @@ import re
 import sau
 import sau.helpers
 
-EIX_UPDATE_PATH='/usr/bin/eix-update'
+EIX_SYNC_PATH='/usr/bin/eix-sync'
 RC_SERVICE_PATH='/sbin/rc-service'
 EMERGE_PATH='/usr/bin/emerge'
 EQUERY_PATH='/usr/bin/equery'
+GRUB_MKCONFIG='/usr/sbin/grub-mkconfig'
 
 # parsing output from eix -Ttnc
 package_re = re.compile('^\[([^\]])\] ([^ ]*) \((.*)\): .*$')
@@ -24,12 +25,7 @@ def identify_service_from_bin(exe):
     ret, out, err = sau.helpers.exec_cmd(cmd)
 
     if ret != 0:
-        log.warning("searching for owner of {} failed:".format(exe))
+        raise sau.errors.UnknownServiceError("searching for owner of {} failed:".format(exe))
-        for line in out.splitlines():
-            log.warning("stdout: {}".format(line))
-        for line in err.splitlines():
-            log.warning("stderr: {}".format(line))
-        return None
     
     pkg = out.strip()
     cmd = [ EQUERY_PATH, '-Cq', 'f', pkg ]
@@ -48,9 +44,9 @@ def identify_service_from_bin(exe):
         if match:
             matches.add(match.group(1))
     if len(matches) < 1:
-        log.warning('Could not find any init script in package {}'.format(pkg))
+        raise sau.errors.UnknownServiceError('Could not find any init script in package {}'.format(pkg))
     elif len(matches) > 1:
-        log.warning('Found multiple init script in package {}'.format(pkg))
+        raise sau.errors.UnknownServiceError('Found multiple init script in package {}'.format(pkg))
     else:
         return matches.pop()
     return None
@@ -72,12 +68,16 @@ def restart_service(service):
 
 def system_upgrade():
     log = logging.getLogger(sau.LOGNAME)
-    log.debug('Gentoo has no concept of system upgrade, ignoring...')
+    log.debug('Gentoo "system_upgrade" is done at package upgrade stage; ignoring here...')
     return False
 
 def _sync_portage():
     log = logging.getLogger(sau.LOGNAME)
 
+    if os.path.exists(EIX_SYNC_PATH):
+        cmd = [ EIX_SYNC_PATH, '-q' ]
+        ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
+    else:
         cmd = [ EMERGE_PATH, '-q', '--sync' ]
         ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
 
@@ -88,34 +88,23 @@ def _sync_portage():
         for line in err.splitlines():
             log.warning("stderr: {}".format(line))
 
-    if os.path.exists(EIX_UPDATE_PATH):
-        cmd = [ EIX_UPDATE_PATH, '-q' ]
-        ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
-
-        if ret != 0:
-            log.warning("eix-update failed:")
-            for line in out.splitlines():
-                log.warning("stdout: {}".format(line))
-            for line in err.splitlines():
-                log.warning("stderr: {}".format(line))
 
 
 def pkg_upgrade():
     log = logging.getLogger(sau.LOGNAME)
     conf = sau.config
+    do_system_upgrade = conf.getboolean('default', 'do_system_upgrade', fallback=False)
 
+    if conf.getboolean('default', 'do_reposync', fallback=True):
         _sync_portage()
 
     # [ebuild     U ] media-plugins/alsa-plugins-1.1.8 [1.1.6]
-    pretend_re = re.compile(r'^\[ebuild ([^\]]*)\] ([^ ]+)( \[[^\]]+\])?')
+    pretend_re = re.compile(r'^\[(?:ebuild|binary) ([^\]]*)\] ([^ ]+?)-(\d[-\.\w]*)( \[[^\]]+\])?')
-    # media-plugins/alsa-plugins-1.1.8
-    version_re = re.compile(r'^(.*/.*)-(\d+.*)$')
-
     ignore_re = re.compile(r'^(|.*caus.* rebuilds.*|.*scheduled for merge.*|.*waiting for lock on.*)$')
     
     default_version_sens = conf.getint('default', 'version_sensitivity', fallback=1)
 
-    cmd = [ EMERGE_PATH, '--color', 'n', '-uDNpq', '@world' ]
+    cmd = [ EMERGE_PATH, '--color', 'n', '-uDNpq', '--with-bdeps=y', '@world' ]
     ret, out, err = sau.helpers.exec_cmd(cmd)
 
     if not ret == 0:
@@ -127,6 +116,7 @@ def pkg_upgrade():
         return False
 
     do_rebuild = True
+    do_grub = False
     for line in out.splitlines():
         if re.match(ignore_re, line):
             continue
@@ -136,28 +126,32 @@ def pkg_upgrade():
             continue
         status = match.group(1)
         name = match.group(2)
-        old = match.group(3)
+        new = match.group(3)
+        old = match.group(4)
         if not old:
             continue
         old = old.strip(' []')
-        nmatch = re.match(version_re, name)
-        name = nmatch.group(1)
-        version = nmatch.group(2)
 
         sens = conf.getint('packages', name, fallback=default_version_sens)
-        common = sau.helpers.version_diff(version, old)
+        common = sau.helpers.version_diff(new, old)
         if sens <= common:
-            log.info('{}-{} -> {} configured level {} <= pkg level {}'.format(name, old, version, sens, common))
+            log.info('{} -- {} -> {} configured level {} <= pkg level {}'.format(name, old, new, sens, common))
         else:
-            log.warning('{}-{} -> {} configured level {} > pkg level {}'.format(name, old, version, sens, common))
+            log.warning('{} -- {} -> {} configured level {} > pkg level {}'.format(name, old, new, sens, common))
+            do_rebuild = False
+        if name.startswith('sys-kernel/'):
+            if do_system_upgrade:
+                do_grub = True
+            else:
+                log.warning(f"Kernel package {name} has an update, but system upgrade is disabled")
                 do_rebuild = False
 
     if not do_rebuild:
         log.warning('Some packages require manual attention, did not upgrade')
         return False
 
-    cmd = [ EMERGE_PATH, '--color', 'n', '-uDNq', '@world' ]
+    cmd = [ EMERGE_PATH, '--color', 'n', '-uDNq', '--with-bdeps=y', '@world' ]
-    ret, out, err = sau.helpers.exec_cmd(cmd, timeout=36000)
+    ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
 
     if ret != 0 or err:
         log.warning('emerge returned {}'.format(ret))
@@ -172,7 +166,7 @@ def pkg_upgrade():
                 log.warning(line)
 
     cmd = [ EMERGE_PATH, '--color', 'n', '-q', '@preserved-rebuild' ]
-    ret, out, err = sau.helpers.exec_cmd(cmd, timeout=36000)
+    ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
 
     if ret != 0 or err:
         log.warning('preserved-rebuild returned {}'.format(ret))
@@ -200,3 +194,26 @@ def pkg_upgrade():
             for line in out.splitlines():
                 if line.startswith(' * '):
                     log.warning(line)
+
+    if do_grub:
+        for root, dirs, files in os.walk('/boot'):
+            for sysfile in ['config', 'initramfs', 'System.map', 'vmlinuz']:
+                match = sorted(
+                        [f for f in files if f.startswith(f'{sysfile}-')],
+                        reverse=True)
+                for f in match[4:]:
+                    log.debug(f"Removing old kernel file {f}")
+                    os.remove(os.path.join(root, f))
+            break
+
+        cmd = [ GRUB_MKCONFIG, '-o', '/boot/grub/grub.cfg' ]
+        ret, out, err = sau.helpers.exec_cmd(cmd)
+        if ret != 0:
+            log.warning(f"grub-mkconfig returned {ret}:")
+            for line in out.splitlines():
+                log.warning('stdout: {}'.format(line))
+            for line in err.splitlines():
+                log.warning('stderr: {}'.format(line))
+        else:
+            log.info("grub reconfigured")
+            return True

sau/helpers.py

@@ -1,17 +1,21 @@
 import logging
+import os
 import subprocess
 import time
 
 import sau
 
 def exec_cmd(cmd, timeout=900, env = None):
+    my_env = os.environ.copy()
+    if env:
+        my_env.update(env)
     log = logging.getLogger(sau.LOGNAME)
     log.debug('Executing "{}"'.format(' '.join(cmd)))
     proc = subprocess.Popen(
             cmd,
             stdout=subprocess.PIPE,
             stderr=subprocess.PIPE,
-            env = env)
+            env = my_env)
     out = b""
     err = b""
 

sau/platforms.py

@@ -1,3 +1,4 @@
+import os
 import platform
 
 import sau.errors
@@ -9,9 +10,10 @@ def get_platform():
     if platform.system() == 'FreeBSD':
         platform_mod = sau.freebsd
     elif platform.system() == 'Linux':
-        if 'gentoo' in platform.release():
+        if os.path.exists('/usr/bin/emerge'):
             platform_mod = sau.gentoo
 
+
     if not platform_mod:
         raise sau.errors.PlatformNotSupported("System: {} Release: {} Version: {} is not supported".format(
             platform.system(),

sau/services.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python3.6
 import logging
 import os
 import re
@@ -12,6 +11,11 @@ import sau.platforms
 
 proc_fd_map_re = re.compile(r'^.*(/[^\(]*) \(deleted\)$')
 
+def _warn(policy, msg):
+    log = logging.getLogger(sau.LOGNAME)
+    if not policy.startswith('silent'):
+        log.warning(msg)
+
 def _get_deleted_open_files(proc):
     log = logging.getLogger(sau.LOGNAME)
     files = set()
@@ -93,6 +97,8 @@ def restart_services():
     processes = {}
     services = {}
     for proc in service_procs:
+        if not proc:
+            continue
         try:
             service_exe = proc.exe()
             proc_name = proc.name()
@@ -108,6 +114,7 @@ def restart_services():
         services[proc_name] = service_name
         processes[service_name] = [proc]
 
+    recommend_restart = False
     for service in set([x for x in services.values() if x]):
         policy = _get_service_restart_policy(service)
         if policy == 'ignore':
@@ -116,11 +123,12 @@ def restart_services():
         elif policy == 'warn':
             log.warning('Service "{}" has open deleted files and should be restarted'.format(service))
             continue
-        if not policy.startswith('silent'):
+        elif 'reboot' in policy:
-            log.warning('Restarting service {}'.format(service))
+            _warn(policy, 'Rebooting because {} has opened files'.format(service))
+            recommend_restart = True
+        _warn(policy, 'Restarting service {}'.format(service))
         platform.restart_service(service)
 
-    recommend_restart = False
     tested_parents = set()
     for proc in retest_procs:
         parent = _get_top_parent(proc)
@@ -138,10 +146,11 @@ def restart_services():
                 log.warning('could not re-check process {} - failed to identify service'.format(proc))
                 recommend_restart = True
                 continue
+            policy = _get_service_restart_policy(service)
 
             log.debug('{} is in service {}'.format(proc, service))
             if parent_name in services and not services[parent_name]:
-                log.warning('{} (parent {}) does not belong to a service and could not be restarted'.format(proc, parent))
+                _warn(policy, '{} (parent {}) does not belong to a service and could not be restarted'.format(proc, parent))
                 recommend_restart = True
                 continue
             elif parent_name in services:
@@ -149,7 +158,7 @@ def restart_services():
                 log.debug('service {} has policy {}'.format(service, policy))
                 if policy in ('ignore', 'warn'):
                     continue
-            log.warning('{} (parent {}) still has deleted files open'.format(proc, parent))
+            _warn(policy, '{} (parent {}) still has deleted files open'.format(proc, parent))
             recommend_restart = True
     return recommend_restart
 
@@ -157,13 +166,13 @@ def _get_service_restart_policy(service):
     log = logging.getLogger(sau.LOGNAME)
     conf = sau.config
     policy = conf.get('services', service, fallback=None)
-    if policy and policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart'):
+    if policy and policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart', 'reboot', 'silent-reboot'):
         return policy.lower()
     elif policy:
         log.warning('service policy {} for {} is invalid'.format(policy, service))
 
     default_policy = conf.get('default', 'default_service_policy', fallback='warn')
-    if default_policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart'):
+    if default_policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart', 'reboot'):
         return default_policy.lower()
     log.warning('default service policy {} is invalid'.format(default_policy))
     return 'warn'

selinux/sau.fc

@@ -1,2 +1,7 @@
-/usr/bin/sau gen_context(system_u:object_r:sau_exec_t,s0)
+/usr/bin/sau -- gen_context(system_u:object_r:sau_exec_t,s0)
-/etc/sau.cfg gen_context(system_u:object_r:sau_config_t,s0)
+
+# on gentoo python executables are executed via python-exec
+/usr/lib/python-exec/python[0-9\.]*/sau -- gen_context(system_u:object_r:sau_exec_t,s0)
+
+
+/etc/sau.cfg -- gen_context(system_u:object_r:sau_config_t,s0)

selinux/sau.te

@@ -1,4 +1,4 @@
-policy_module(sau, 0.1)
+policy_module(sau, 0.9.1)
 
 gen_require(`
   type system_cronjob_t;
@@ -16,6 +16,11 @@ domain_type(sau_t)
 domain_entry_file(sau_t, sau_exec_t)
 files_config_file(sau_config_t)
 read_files_pattern(sau_t, etc_t, sau_config_t);
+read_files_pattern(sau_t, etc_t, etc_t)
+files_read_etc_runtime_files(sau_t);
+search_dirs_pattern(sau_t, etc_t, etc_runtime_t);
+files_manage_generic_tmp_files(sau_t)
+files_manage_generic_tmp_dirs(sau_t)
 
 role sysadm_r types sau_t;
 role system_r types sau_t;
@@ -23,14 +28,54 @@ role system_r types sau_t;
 domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
 domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
 
-# this should be fixed, but I don't know enough selinux magic to restrict this
+domain_use_interactive_fds(sau_t)
-# while still allowing it to inspect all open files for all processes
+userdom_use_user_ptys(sau_t)
-unconfined_domain_noaudit(sau_t)
+userdom_use_all_users_fds(sau_t)
+
+# required for python
+corecmd_mmap_bin_files(sau_t)
+mmap_exec_files_pattern(sau_t, tmp_t, tmp_t);
+
+
+read_files_pattern(sau_t, usr_t, usr_t)
+miscfiles_read_localization(sau_t)
+logging_send_syslog_msg(sau_t)
+allow sau_t self:fifo_file { read write };
+corecmd_exec_shell(sau_t)
+corecmd_exec_bin(sau_t)
+
+# list processes
+kernel_read_system_state(sau_t)
+domain_read_all_domains_state(sau_t)
+allow sau_t self:capability sys_ptrace;
+
+# I've tried it all; I don't know how to give sau permission to
+# run init-scripts :(
+init_all_labeled_script_domtrans(sau_t)
+init_domtrans_script(sau_t)
+init_read_utmp(sau_t)
+init_signull_script(sau_t)
+#init_startstop_all_script_services(sau_t)
+#init_use_script_ptys(sau_t)
+#init_domtrans_labeled_script(sau_t)
+#init_manage_script_service(sau_t)
+#init_read_script_status_files(sau_t)
+#allow sau_t initrc_state_t:lnk_file { getattr read };
+#allow sau_t initrc_state_t:dir { search read };
+#init_admin(sau_t)
+# FIXME: shouldn't have to be unconfined...
+unconfined_domain(sau_t)
+
+
+# allow during troubleshooting...
+#files_getattr_all_dirs(sau_t)
+#files_getattr_all_files(sau_t)
 
 # Gentoo specific
+portage_read_config(sau_t)
+portage_read_ebuild(sau_t)
+portage_read_db(sau_t)
+portage_read_cache(sau_t)
 portage_domtrans(sau_t)
 
 
-# postfix
-postfix_admin(sau_t, system_r)
-

setup.py

@@ -1,11 +1,11 @@
-#!/usr/bin/env python3.6
+#!/usr/bin/env python3.7
 from os import environ
 
 from setuptools import setup, find_packages
 
 setup(
         name='sau',
-        version='0.9.0',
+        version='0.9.4',
         description='Tool for auto-updating OS and packages',
         author='Feffe',
         author_email='feffe@fulh.ax',