Diffstat (limited to '')
-rw-r--r--CHANGELOG.txt18
-rw-r--r--VERSION.txt2
-rw-r--r--dehydrated/TODO2
-rwxr-xr-xdehydrated/bin/dehydrated-nsupdate2
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.extra46
-rwxr-xr-xdehydrated/share/hooks/exit_hook.service-reload10
-rwxr-xr-xgit/bin/git-pull-branches5
-rwxr-xr-xlinux/bin/linux-i40e2
-rwxr-xr-xlinux/bin/linux-ice156
-rw-r--r--linux/share/man/linux-i40e.1.rst1
-rw-r--r--linux/share/man/linux-ice.1.rst86
-rw-r--r--linux/share/systemd/linux-ice.service17
12 files changed, 334 insertions, 13 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 5222caa..a9f029c 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,20 @@
-2022-12-31 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+2022-12-24 Daniel Baumann <daniel.baumann@open-infrastructure.net>
- * Releasing version 20221231.
+ * Releasing version 20221224.
+
+ [ Daniel Baumann ]
+ * Correcting wrong date for previous release in changelog.
+ * Also calling pull the current branch in git-pull-branches.
+ * Excluding onboard i40e cards in linux-i40e script, as they are not configurable.
+ * Adding linux-ice script.
+ * Updating dehydrated todo.
+ * Removing superfluous dot in output-message of dehydrated-nsupdate.
+ * Adding freeradius to dehydrated service-reload hook.
+ * Adding preferred chain compatibility in deploy_cert.extra dehydrated hook.
+
+2022-12-23 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221223.
[ Daniel Baumann ]
* Adding znuny-tools.
diff --git a/VERSION.txt b/VERSION.txt
index 7a58b9c..84446d7 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-20221223
+20221224
diff --git a/dehydrated/TODO b/dehydrated/TODO
index efbd047..b6cc845 100644
--- a/dehydrated/TODO
+++ b/dehydrated/TODO
@@ -1,7 +1,9 @@
TODO
====
+ * add cleanup hook for extra certificates
* add manpages for individual dehydrated hooks
* use /etc/default for dehydrated-cron
* use /etc/default for dehydrated-hook
* use settings from _dehydrated.$domain.$tld for automatic configuration
+ * allow to configure 'use NS records' or 'use mname in SOA' per zone/tsig
diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate
index c6bf6c5..657cc48 100755
--- a/dehydrated/bin/dehydrated-nsupdate
+++ b/dehydrated/bin/dehydrated-nsupdate
@@ -199,7 +199,7 @@ do
esac
fi
- echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..."
+ echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.."
# shellcheck disable=SC2086
echo "server ${NAMESERVER}
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra
index 56ca2f4..fd93fad 100755
--- a/dehydrated/share/hooks/deploy_cert.extra
+++ b/dehydrated/share/hooks/deploy_cert.extra
@@ -25,15 +25,47 @@ echo -n " + Creating extra certificate files..."
DIRECTORY="$(dirname "${CERTFILE}")"
-# root and intermediate CA
-TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
-grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
+if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ]
+then
+ # - chain.pem: R3 | ISRG Root X1
+ # - fullchain.pem: Certificate | R3 | ISRG Root X1
+ CHAIN="long"
+else
+ # - chain.pem: R3
+ # - fullchain.pem: Certificate | R3
+ CHAIN="short"
+fi
-mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
-ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+case "${CHAIN}" in
+ long)
+ # split chain.pem
+ TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
+ grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
-mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
-ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ # intermediate (R3)
+ mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+ # root (ISRG Root X1)
+ mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ ;;
+
+ short)
+ # intermediate (R3)
+ cp "${DIRECTORY}/chain-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+ # root (ISRG Root X1)
+ ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')"
+
+ if [ -n "${ISSUER_URI}" ]
+ then
+ wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ fi
+ ;;
+esac
# extra certificate permutations:
# * privkey_fullchain.pem: postfix
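Review bot: In the new `short)` branch the root certificate is taken from a plain-HTTP `wget` of the AIA URI and symlinked as `root.pem` without checking that it actually issued the intermediate, and because the output redirection creates `root-${TIMESTAMP}.pem` before the pipeline runs, a failed download leaves an empty file behind the symlink. Writing to a temporary file and requiring `openssl verify -CAfile` against the freshly copied intermediate to succeed before the `mv`/`ln` closes both gaps. The `grep 'Authority Information Access:' -A1` picks whichever AIA entry openssl prints first; if that is the OCSP responder rather than CA Issuers, `ISSUER_URI` points at the wrong endpoint, so selecting on `grep 'CA Issuers'` is safer (inferred from typical `openssl x509 -text` output, not visible here). `${FULLCHAINFILE}` in the new `grep -c` test is unquoted, unlike every other path in the hunk. The hook continues outside the hunk, so whether `set -e` would abort on the failed pipeline cannot be seen from here.
```shell
	short)
		# … unchanged: intermediate (R3) copy and symlink …

		# root (ISRG Root X1)
		ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'CA Issuers' | awk -F'URI:' '{ print $2 }')"

		if [ -n "${ISSUER_URI}" ]
		then
			ROOT_TMP="$(mktemp -p "${DIRECTORY}" root.XXXXXXXXXX)"

			# only install the downloaded certificate as trust anchor
			# if it verifiably issued the intermediate we just copied
			if wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${ROOT_TMP}" && \
			   openssl verify -CAfile "${ROOT_TMP}" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" > /dev/null 2>&1
			then
				mv "${ROOT_TMP}" "${DIRECTORY}/root-${TIMESTAMP}.pem"
				ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
			else
				rm -f "${ROOT_TMP}"
				echo " + WARNING: could not retrieve or verify root certificate from ${ISSUER_URI}" >&2
			fi
		fi
		;;
```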
diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload
index c62c133..6d20eb9 100755
--- a/dehydrated/share/hooks/exit_hook.service-reload
+++ b/dehydrated/share/hooks/exit_hook.service-reload
@@ -38,6 +38,14 @@ Run_chrony ()
fi
}
+Run_freeradius ()
+{
+ if grep -Eqrs 'certificate_file = /var/lib/dehydrated' /etc/freeradius/*/*
+ then
+ service freeradius reload
+ fi
+}
+
Run_haproxy ()
{
if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#'
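Review bot: `Run_freeradius` matches `certificate_file = /var/lib/dehydrated` anywhere in a line, so a commented-out setting (`#certificate_file = ...`) also triggers a reload, whereas the neighbouring `Run_haproxy` filters out `^#` lines; anchoring the pattern as `grep -Eqrs '^[[:space:]]*certificate_file = /var/lib/dehydrated' /etc/freeradius/*/*` keeps the two functions consistent. It is also worth confirming that `service freeradius reload` (a HUP) re-reads the EAP TLS certificate on the deployed FreeRADIUS version; if it does not, the renewed certificate is only picked up on the next restart. The `SERVICES` list change in the second hunk of this file is just the matching registration and needs nothing further.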
@@ -96,7 +104,7 @@ Run_redis_server ()
echo " + Reloading services:"
-SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server"
+SERVICES="apache2 chrony freeradius haproxy knot-resolver postfix postgresql redis-sentinel redis-server"
for SERVICE in ${SERVICES}
do
diff --git a/git/bin/git-pull-branches b/git/bin/git-pull-branches
index 9effa17..afa2e63 100755
--- a/git/bin/git-pull-branches
+++ b/git/bin/git-pull-branches
@@ -24,6 +24,10 @@ set -e
CURRENT_BRANCH="$(git branch --show-current)"
REMOTE_BRANCHES="$(git branch -r | awk '{ print $1 }')"
+# pull current branch
+git pull
+
+# pull remote branches
for REMOTE_BRANCH in ${REMOTE_BRANCHES}
do
BRANCH="$(echo "${REMOTE_BRANCH}" | cut -d/ -f 2-)"
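Review bot: The new `git pull` runs under the script's `set -e` with no guard, so on a checkout whose current branch has no upstream (or on a detached HEAD, where `git branch --show-current` is empty) the script aborts before any remote branch is pulled; guarding it with `if git rev-parse --abbrev-ref '@{u}' > /dev/null 2>&1; then git pull --ff-only; fi` keeps the loop reachable and avoids creating an unintended merge commit on a diverged branch. The loop body that follows continues outside the hunk.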
@@ -43,6 +47,7 @@ do
fi
done
+# checkout current branch
if [ "$(git branch --show-current)" != "${CURRENT_BRANCH}" ]
then
git checkout "${CURRENT_BRANCH}"
diff --git a/linux/bin/linux-i40e b/linux/bin/linux-i40e
index ffe17b3..3b46d5b 100755
--- a/linux/bin/linux-i40e
+++ b/linux/bin/linux-i40e
@@ -130,7 +130,7 @@ then
exit 1
fi
-DEVICES="$(grep -s '^DRIVER=i40e' /sys/class/net/*/device/uevent | awk -F/ '{ print $5 }' | sort -V)"
+DEVICES="$(grep -s '^DRIVER=i40e' /sys/class/net/*/device/uevent | awk -F/ '{ print $5 }' | grep -v eno | sort -V)"
if [ -z "${DEVICES}" ]
then
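Review bot: `grep -v eno` drops any device whose name merely contains `eno`, not only onboard interfaces carrying that prefix, so a renamed interface such as a constructed `xeno0` would be silently skipped; anchoring it as `grep -v '^eno'` matches the intent stated in the changelog. The same unanchored filter is on the `DEVICES=` line of the new `linux-ice` script and should be anchored there too.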
diff --git a/linux/bin/linux-ice b/linux/bin/linux-ice
new file mode 100755
index 0000000..6a25aa8
--- /dev/null
+++ b/linux/bin/linux-ice
@@ -0,0 +1,156 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+
+RED="\033[1;33;31m"
+GREEN="\033[1;33;32m"
+NORMAL="\033[0m"
+
+Ethtool_get ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ TARGET_VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ CURRENT_VALUE="$(ethtool --show-priv-flags "${DEVICE}" | awk "/^${FLAG} / { print \$3 }")"
+
+ if [ "${CURRENT_VALUE}" = "${TARGET_VALUE}" ]
+ then
+ echo -n " ${FLAG}=${GREEN}${CURRENT_VALUE}${NORMAL}"
+ else
+ echo -n " ${FLAG}=${RED}${CURRENT_VALUE}${NORMAL}"
+ fi
+ fi
+}
+
+Ethtool_set ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ echo -n " ${FLAG}"
+ ethtool --set-priv-flags "${DEVICE}" "${FLAG}" "${VALUE}"
+ echo -n "=${VALUE}"
+ fi
+}
+
+Test_root ()
+{
+ case "$(id -u)" in
+ 0)
+ ;;
+
+ *)
+ echo "'${PROGRAM}': must be run as root (or use sudo)" >&2
+ exit 1
+ ;;
+ esac
+}
+
+Start ()
+{
+ Test_root
+
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "Configuring ${DEVICE}:"
+ Ethtool_set "${DEVICE}" disable-fw-lldp on
+ Ethtool_set "${DEVICE}" link-down-on-close on
+ echo
+ done
+}
+
+Stop ()
+{
+ Test_root
+
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "Deconfiguring ${DEVICE}:"
+ Ethtool_set "${DEVICE}" disable-fw-lldp off
+ Ethtool_set "${DEVICE}" link-down-on-close off
+ echo
+ done
+}
+
+Status ()
+{
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "${DEVICE}:"
+ Ethtool_get "${DEVICE}" disable-fw-lldp on
+ Ethtool_get "${DEVICE}" link-down-on-close on
+ echo
+ done
+}
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} {start|stop|status}" >&2
+ echo >&2
+ echo "See ${PROGRAM}(1) for more information." >&2
+
+ exit 1
+}
+
+if [ -z "${1}" ]
+then
+ Usage
+fi
+
+if [ ! -x /usr/sbin/ethtool ]
+then
+ echo "'${PROGRAM}': /usr/sbin/ethtool - no such file." >&2
+ exit 1
+fi
+
+DEVICES="$(grep -s '^DRIVER=ice' /sys/class/net/*/device/uevent | awk -F/ '{ print $5 }' | grep -v eno | sort -V)"
+
+if [ -z "${DEVICES}" ]
+then
+ echo "'${PROGRAM}': no network devices available with ice driver" >&2
+fi
+
+case "${1}" in
+ start)
+ Start
+ ;;
+
+ stop)
+ Stop
+ ;;
+
+ status)
+ Status
+ ;;
+
+ *)
+ Usage
+ ;;
+esac
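Review bot: `Ethtool_get` emits the colour escapes from `RED`/`GREEN`/`NORMAL` with `echo -n` under `#!/bin/sh`, and whether `\033` is interpreted depends on which shell provides `sh` (dash's echo expands it, bash's does not), so the status output is either coloured or shows a literal `\033[1;33;31m`; `printf ' %s=%b%s%b' "${FLAG}" "${GREEN}" "${CURRENT_VALUE}" "${NORMAL}"` (and the same for the `RED` branch) makes it deterministic. When no ice devices are found the script reports it on stderr but still dispatches `start`/`stop`/`status` and exits 0; if that is intended so the oneshot unit does not fail on hosts without such cards, a comment to that effect at the `if [ -z "${DEVICES}" ]` check would spare the next reader the guess. The `grep -v eno` on the `DEVICES=` line is a substring match rather than a prefix match, as noted on the `linux-i40e` hunk.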
diff --git a/linux/share/man/linux-i40e.1.rst b/linux/share/man/linux-i40e.1.rst
index f4c2eb7..b1f8c30 100644
--- a/linux/share/man/linux-i40e.1.rst
+++ b/linux/share/man/linux-i40e.1.rst
@@ -59,6 +59,7 @@ Recommended options
See also
========
+| linux-ice(1),
| ethtool(8),
| https://www.kernel.org/doc/Documentation/networking/i40e.txt
diff --git a/linux/share/man/linux-ice.1.rst b/linux/share/man/linux-ice.1.rst
new file mode 100644
index 0000000..60b718e
--- /dev/null
+++ b/linux/share/man/linux-ice.1.rst
@@ -0,0 +1,86 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+=========
+linux-ice
+=========
+
+------------------------------------------------------------
+setting recommended options for the Linux ice device driver
+------------------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **linux-ice** start|stop|status
+
+Description
+===========
+
+**linux-ice** sets all recommended options for the Linux ice device driver.
+
+Recommended options
+===================
+
+| **Enabling disable-fw-lldp**
+| Many Intel network cards such as the X700 Series drop LLDP pakets by default.
+| When using LACP (802.1ad) this has the effect that after a reboot of one switch,
+| the bond interfaces do not recover. Disabling the firewalling of LLDP pakets on
+| the network card allows the operating system (= Linux kernel) to actually recieve
+| the pakets and re-establish the bonded connection.
+
+| **Enabling link-down-on-close**
+| Many Intel network cards such as the X700 Series do not take down the link
+| when the corresponding interface is deconfigured. This is in contrast to the
+| consumer (Intel) network cards that usually do this. Therefore, without enabling
+| the link-down-on-close, most assumptions of HA stacks (e.g. pacemaker/corosync)
+| are not met and can lead to various unwanted effects. Enabling this options
+| restores the usual behaviour.
+
+See also
+========
+
+| linux-i40e(1),
+| ethtool(8),
+| https://www.kernel.org/doc/Documentation/networking/ice.txt
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/linux/share/systemd/linux-ice.service b/linux/share/systemd/linux-ice.service
new file mode 100644
index 0000000..ee8a727
--- /dev/null
+++ b/linux/share/systemd/linux-ice.service
@@ -0,0 +1,17 @@
+# Open Infrastructure: service-tools
+
+[Unit]
+Description=setting recommended options for the Linux ice device driver
+Documentation=man:linux-ice
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/linux-ice start
+ExecStop=/usr/bin/linux-ice stop
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target