Diffstat (limited to '')
-rw-r--r-- | CHANGELOG.txt | 18 | ||||
-rw-r--r-- | VERSION.txt | 2 | ||||
-rw-r--r-- | dehydrated/TODO | 2 | ||||
-rwxr-xr-x | dehydrated/bin/dehydrated-nsupdate | 2 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 46 | ||||
-rwxr-xr-x | dehydrated/share/hooks/exit_hook.service-reload | 10 | ||||
-rwxr-xr-x | git/bin/git-pull-branches | 5 | ||||
-rwxr-xr-x | linux/bin/linux-i40e | 2 | ||||
-rwxr-xr-x | linux/bin/linux-ice | 156 | ||||
-rw-r--r-- | linux/share/man/linux-i40e.1.rst | 1 | ||||
-rw-r--r-- | linux/share/man/linux-ice.1.rst | 86 | ||||
-rw-r--r-- | linux/share/systemd/linux-ice.service | 17 |
12 files changed, 334 insertions, 13 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 5222caa..a9f029c 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,6 +1,20 @@ -2022-12-31 Daniel Baumann <daniel.baumann@open-infrastructure.net> +2022-12-24 Daniel Baumann <daniel.baumann@open-infrastructure.net> - * Releasing version 20221231. + * Releasing version 20221224. + + [ Daniel Baumann ] + * Correcting wrong date for previous release in changelog. + * Also calling pull the current branch in git-pull-branches. + * Excluding onboard i40e cards in linux-i40e script, as they are not configurable. + * Adding linux-ice script. + * Updating dehydrated todo. + * Removing superfluous dot in output-message of dehydrated-nsupdate. + * Adding freeradius to dehydrated service-reload hook. + * Adding preferred chain compatibility in deploy_cert.extra dehydrated hook. + +2022-12-23 Daniel Baumann <daniel.baumann@open-infrastructure.net> + + * Releasing version 20221223. [ Daniel Baumann ] * Adding znuny-tools. diff --git a/VERSION.txt b/VERSION.txt index 7a58b9c..84446d7 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -20221223 +20221224 diff --git a/dehydrated/TODO b/dehydrated/TODO index efbd047..b6cc845 100644 --- a/dehydrated/TODO +++ b/dehydrated/TODO @@ -1,7 +1,9 @@ TODO ==== + * add cleanup hook for extra certificates * add manpages for individual dehydrated hooks * use /etc/default for dehydrated-cron * use /etc/default for dehydrated-hook * use settings from _dehydrated.$domain.$tld for automatic configuration + * allow to configure 'use NS records' or 'use mname in SOA' per zone/tsig diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate index c6bf6c5..657cc48 100755 --- a/dehydrated/bin/dehydrated-nsupdate +++ b/dehydrated/bin/dehydrated-nsupdate 
@@ -199,7 +199,7 @@ do esac fi - echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..." + echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.." # shellcheck disable=SC2086 echo "server ${NAMESERVER} diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra index 56ca2f4..fd93fad 100755 --- a/dehydrated/share/hooks/deploy_cert.extra +++ b/dehydrated/share/hooks/deploy_cert.extra 
@@ -25,15 +25,47 @@ echo -n " + Creating extra certificate files..." DIRECTORY="$(dirname "${CERTFILE}")" -# root and intermediate CA -TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" -grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' +if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ] +then + # - chain.pem: R3 | ISRG Root X1 + # - fullchain.pem: Certificate | R3 | ISRG Root X1 + CHAIN="long" +else + # - chain.pem: R3 + # - fullchain.pem: Certificate | R3 + CHAIN="short" +fi -mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" +case "${CHAIN}" in + long) + # split chain.pem + TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" + grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' -mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + # intermediate (R3) + mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + ;; + + short) + # intermediate (R3) + cp "${DIRECTORY}/chain-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')" + + if [ -n "${ISSUER_URI}" ] + then + wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + fi + ;; +esac # extra certificate 
permutations: # * privkey_fullchain.pem: postfix diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload index c62c133..6d20eb9 100755 --- a/dehydrated/share/hooks/exit_hook.service-reload +++ b/dehydrated/share/hooks/exit_hook.service-reload @@ -38,6 +38,14 @@ Run_chrony () fi } +Run_freeradius () +{ + if grep -Eqrs 'certificate_file = /var/lib/dehydrated' /etc/freeradius/*/* + then + service freeradius reload + fi +} + Run_haproxy () { if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#' @@ -96,7 +104,7 @@ Run_redis_server () echo " + Reloading services:" -SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server" +SERVICES="apache2 chrony freeradius haproxy knot-resolver postfix postgresql redis-sentinel redis-server" for SERVICE in ${SERVICES} do diff --git a/git/bin/git-pull-branches b/git/bin/git-pull-branches index 9effa17..afa2e63 100755 --- a/git/bin/git-pull-branches +++ b/git/bin/git-pull-branches @@ -24,6 +24,10 @@ set -e CURRENT_BRANCH="$(git branch --show-current)" REMOTE_BRANCHES="$(git branch -r | awk '{ print $1 }')" +# pull current branch +git pull + +# pull remote branches for REMOTE_BRANCH in ${REMOTE_BRANCHES} do BRANCH="$(echo "${REMOTE_BRANCH}" | cut -d/ -f 2-)" @@ -43,6 +47,7 @@ do fi done +# checkout current branch if [ "$(git branch --show-current)" != "${CURRENT_BRANCH}" ] then git checkout "${CURRENT_BRANCH}" diff --git a/linux/bin/linux-i40e b/linux/bin/linux-i40e index ffe17b3..3b46d5b 100755 --- a/linux/bin/linux-i40e +++ b/linux/bin/linux-i40e @@ -130,7 +130,7 @@ then exit 1 fi -DEVICES="$(grep -s '^DRIVER=i40e' /sys/class/net/*/device/uevent | awk -F/ '{ print $5 }' | sort -V)" +DEVICES="$(grep -s '^DRIVER=i40e' /sys/class/net/*/device/uevent | awk -F/ '{ print $5 }' | grep -v eno | sort -V)" if [ -z "${DEVICES}" ] then diff --git a/linux/bin/linux-ice b/linux/bin/linux-ice new file mode 100755 index 0000000..6a25aa8 --- /dev/null 
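Review bot: `Run_freeradius` issues `service freeradius reload` after the certificate has been replaced; it is worth confirming that a reload, rather than a restart, actually re-reads the TLS certificate and key in the deployed FreeRADIUS version, because otherwise the server keeps presenting the old certificate until its next restart while this hook reports success. If a restart turns out to be required, a comment such as `# freeradius needs a full restart to pick up new TLS material` would record why this helper differs from the other Run_* functions.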
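Review bot: The added `git pull` runs under the script's `set -e` (visible in the hunk header) without any guard, so on a detached HEAD or a branch without an upstream it fails and aborts the script before the remote-branch loop that previously ran on its own. Guarding it keeps the old behaviour on such checkouts: `if [ -n "${CURRENT_BRANCH}" ] && git rev-parse --abbrev-ref '@{upstream}' > /dev/null 2>&1; then git pull; fi`. The loop body continues outside the hunk.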
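Review bot: `grep -v eno` on the `DEVICES=` line drops any device whose name merely contains `eno`, not only the onboard `enoN` interfaces the changelog entry describes; anchoring it as `grep -v '^eno'` matches the stated intent. The same filter appears on the `DEVICES=` line of the new `linux/bin/linux-ice` script further down this page.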
+++ b/linux/bin/linux-ice 
@@ -0,0 +1,156 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+
+RED="\033[1;33;31m"
+GREEN="\033[1;33;32m"
+NORMAL="\033[0m"
+
+Ethtool_get ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ TARGET_VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ CURRENT_VALUE="$(ethtool --show-priv-flags "${DEVICE}" | awk "/^${FLAG} / { print \$3 }")"
+
+ if [ "${CURRENT_VALUE}" = "${TARGET_VALUE}" ]
+ then
+ echo -n " ${FLAG}=${GREEN}${CURRENT_VALUE}${NORMAL}"
+ else
+ echo -n " ${FLAG}=${RED}${CURRENT_VALUE}${NORMAL}"
+ fi
+ fi
+}
+
+Ethtool_set ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ echo -n " ${FLAG}"
+ ethtool --set-priv-flags "${DEVICE}" "${FLAG}" "${VALUE}"
+ echo -n "=${VALUE}"
+ fi
+}
+
+Test_root ()
+{
+ case "$(id -u)" in
+ 0)
+ ;;
+
+ *)
+ echo "'${PROGRAM}': must be run as root (or use sudo)" >&2
+ exit 1
+ ;;
+ esac
+}
+
+Start ()
+{
+ Test_root
+
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "Configuring ${DEVICE}:"
+ Ethtool_set "${DEVICE}" disable-fw-lldp on
+ Ethtool_set "${DEVICE}" link-down-on-close on
+ echo + done +} + +Stop () +{ + Test_root + + for DEVICE in ${DEVICES} + do + echo -n "Deconfiguring ${DEVICE}:" + Ethtool_set "${DEVICE}" disable-fw-lldp off + Ethtool_set "${DEVICE}" link-down-on-close off + echo + done +} + +Status () +{ + for DEVICE in ${DEVICES} + do + echo -n "${DEVICE}:" + Ethtool_get "${DEVICE}" disable-fw-lldp on + Ethtool_get "${DEVICE}" link-down-on-close on + echo + done +} + +Usage () +{ + echo "Usage: ${PROGRAM} {start|stop|status}" >&2 + echo >&2 + echo "See ${PROGRAM}(1) for more information." >&2 + + exit 1 +} + +if [ -z "${1}" ] +then + Usage +fi + +if [ ! -x /usr/sbin/ethtool ] +then + echo "'${PROGRAM}': /usr/sbin/ethtool - no such file." >&2 + exit 1 +fi + +DEVICES="$(grep -s '^DRIVER=ice' /sys/class/net/*/device/uevent | awk -F/ '{ print $5 }' | grep -v eno | sort -V)" + +if [ -z "${DEVICES}" ] +then + echo "'${PROGRAM}': no network devices available with ice driver" >&2 +fi + +case "${1}" in + start) + Start + ;; + + stop) + Stop + ;; + + status) + Status + ;; + + *) + Usage + ;; +esac diff --git a/linux/share/man/linux-i40e.1.rst b/linux/share/man/linux-i40e.1.rst index f4c2eb7..b1f8c30 100644 --- a/linux/share/man/linux-i40e.1.rst +++ b/linux/share/man/linux-i40e.1.rst @@ -59,6 +59,7 @@ Recommended options See also ======== +| linux-ice(1), | ethtool(8), | https://www.kernel.org/doc/Documentation/networking/i40e.txt diff --git a/linux/share/man/linux-ice.1.rst b/linux/share/man/linux-ice.1.rst new file mode 100644 index 0000000..60b718e --- /dev/null +++ b/linux/share/man/linux-ice.1.rst 
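Review bot: The `[ -z "${DEVICES}" ]` check near the end of the file prints "no network devices available with ice driver" but, unlike the `/usr/sbin/ethtool` check right above it, does not `exit`, so `start`/`stop`/`status` then iterate over an empty list and succeed apart from that stderr line. If that is intended so the systemd unit does not fail on hosts without such cards, a comment saying so would help the next reader; otherwise an `exit 1` belongs after the `echo`. Separately, the script is `#!/bin/sh` yet relies on `echo -n` and on `echo` interpreting the `\033` escapes in `RED`/`GREEN`/`NORMAL`, which is implementation-defined for POSIX sh; defining the colours with `printf` (e.g. `RED="$(printf '\033[1;33;31m')"`) and printing with `printf '%s'` in `Ethtool_get`/`Ethtool_set` behaves the same under every shell the unit might run it with.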
@@ -0,0 +1,86 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+=========
+linux-ice
+=========
+
+------------------------------------------------------------
+setting recommended options for the Linux ice device driver
+------------------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **linux-ice** start|stop|status
+
+Description
+===========
+
+**linux-ice** sets all recommended options for the Linux ice device driver.
+
+Recommended options
+===================
+
+| **Enabling disable-fw-lldp**
+| Many Intel network cards such as the X700 Series drop LLDP pakets by default.
+| When using LACP (802.1ad) this has the effect that after a reboot of one switch,
+| the bond interfaces do not recover. Disabling the firewalling of LLDP pakets on
+| the network card allows the operating system (= Linux kernel) to actually recieve
+| the pakets and re-establish the bonded connection.
+
+| **Enabling link-down-on-close**
+| Many Intel network cards such as the X700 Series do not take down the link
+| when the corresponding interface is deconfigured.
This is in contrast to the +| consumer (Intel) network cards that usually do this. Therefore, without enabling +| the link-down-on-close, most assumptions of HA stacks (e.g. pacemaker/corosync) +| are not met and can lead to various unwanted effects. Enabling this options +| restores the usual behaviour. + +See also +======== + +| linux-i40e(1), +| ethtool(8), +| https://www.kernel.org/doc/Documentation/networking/ice.txt + +Homepage +======== + +More information about service-tools and the Open Infrastructure project can be +found on the homepage (https://open-infrastructure.net). + +Contact +======= + +Bug reports, feature requests, help, patches, support and everything else are +welcome on the Open Infrastructure Software Mailing List +<software@lists.open-infrastructure.net>. + +Debian specific bugs can also be reported in the Debian Bug Tracking System +(https://bugs.debian.org). + +Authors +======= + +service-tools were written by Daniel Baumann +<daniel.baumann@open-infrastructure.net> and others. diff --git a/linux/share/systemd/linux-ice.service b/linux/share/systemd/linux-ice.service new file mode 100644 index 0000000..ee8a727 --- /dev/null +++ b/linux/share/systemd/linux-ice.service @@ -0,0 +1,17 @@ +# Open Infrastructure: service-tools + +[Unit] +Description=setting recommended options for the Linux ice device driver +Documentation=man:linux-ice +Before=network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/linux-ice start +ExecStop=/usr/bin/linux-ice stop +StandardOutput=journal +StandardError=journal + +[Install] +WantedBy=multi-user.target |
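Review bot: The unit runs `/usr/bin/linux-ice` with the full root capability set although the script only reads `/sys/class/net` and calls `ethtool --set-priv-flags`, which needs CAP_NET_ADMIN; adding `CapabilityBoundingSet=CAP_NET_ADMIN` to `[Service]` (the script's `Test_root` check still passes because the uid stays 0) together with `ProtectSystem=strict` and `ProtectHome=yes` confines a oneshot that runs as root on every boot to what it actually needs, since nothing in the script writes outside `/sys`. If any of these turn out to interfere with `ethtool` on the target kernel, `ProtectSystem=full` is the safer fallback for the filesystem part.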