diff --git a/bin/restart-getty b/bin/restart-getty new file mode 100755 index 0000000..29db5cc --- /dev/null +++ b/bin/restart-getty @@ -0,0 +1,59 @@ +#!/bin/bash -e + +# This script is intended to be automatically triggered by +# inithooks-restart-getty.service, which in turn is intended to be started +# when inithooks.service exits (regardless of exit status) +# +# Assuming this script _was_ triggered by inithooks.service exit, on most +# systems this loop should only run once. Even on low power systems it should +# only loop 1 additional times. However to ensure that it is as robust as +# possible, it will wait up to 10 secs for inithooks.service to stop. + +fatal() { echo "$*" >&2; exit 1; } + +if [[ "$_STARTED_BY_SYSTEMD" == yes ]]; then + echo "$(basename "$0") running" +else + fatal "$(basename "$0") not started by systemd - exiting" +fi + +getty1_services=(getty@tty1.service container-getty@1.service) +getty_target=/etc/systemd/system/getty.target.wants +getty1_service= + +for _getty1 in "${getty1_services[@]}"; do + _getty_target="$getty_target/$_getty1" + if [[ -L "$_getty_target" ]]; then + if [[ -f "$_getty_target" ]]; then + getty1_service="$_getty1" + echo "system getty service is '$getty1_service'" + break + fi + fi +done +if [[ -z "$getty1_service" ]]; then + fatal "Could not find valid getty1 service (tried ${getty1_services[*]})" +fi + +for i in {10..0}; do + if systemctl is-active -q inithooks.service; then + msg="inithooks.service running" + if [[ $1 -gt 0 ]]; then + echo "$msg - waiting $i more seconds for it to stop" >&2 + else + fatal "$msg - giving up..." + fi + sleep 1 + else + echo "inithooks service is not running" + if systemctl is-active -q "$getty1_service"; then + echo "$getty1_service already running, nothing to do" + else + echo "starting $getty1_service" + if ! systemctl start ; then + fatal "failed to start $getty1_service" + fi + fi + exit 0 + fi +done diff --git a/bin/turnkey-init-fence b/bin/turnkey-init-fence new file mode 100755 index 0000000..b001f21 --- /dev/null +++ b/bin/turnkey-init-fence @@ -0,0 +1,80 @@ +#!/bin/bash -eu + +# TurnKey web interface fence - blocks access to web app until system is +# initialized (admin password configure, etc) + +iptables_delete_redirect() { + local dport=$1 + local to_port=$2 + + while true; do + (2>&1 iptables -t nat -D PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port") > /dev/null || break + done +} + +iptables_add_redirect() { + local dport=$1 + local to_port=$2 + + iptables_delete_redirect "$dport" "$to_port" + iptables -t nat -A PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port" +} + +iptables_unensure_accept() { + # remove ACCEPT line for fence ports (used in appliances that have a + # `filter` policy of `DROP`) + local dport=$1 + while true; do + (2>&1 iptables -t filter -D INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT) > /dev/null || break + done +} + +iptables_ensure_accept() { + # add ACCEPT line for fence ports (used in appliances that have a + # `filter` policy of `DROP`) + local dport=$1 + iptables_unensure_accept "$dport" + iptables -t filter -A INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT +} + +iptables_redirect() { + local op + local mop + local port + case "$1" in + start) + op=iptables_add_redirect + mop=iptables_ensure_accept + ;; + stop) + op=iptables_delete_redirect + mop=iptables_unensure_accept + ;; + esac + + for port in "${HTTP_PORTS[@]}"; do + $op "$port" "$HTTP_FENCE_PORT" + done + + for port in "${HTTPS_PORTS[@]}"; do + $op "$port" "$HTTPS_FENCE_PORT" + done + + $mop "$HTTP_FENCE_PORT" + $mop "$HTTPS_FENCE_PORT" +} + +case "$1" in + start) + echo "Starting turnkey-init-fence" + iptables_redirect start + ;; + stop) + echo "Stopping turnkey-init-fence" + iptables_redirect stop + ;; + *) + echo "Unknown command: $1" >&2 + exit 1 + ;; +esac diff --git a/debian/inithooks.install b/debian/inithooks.install index 2bf7897..2e83fde 100644 --- a/debian/inithooks.install +++ b/debian/inithooks.install @@ -5,8 +5,8 @@ everyboot.d/* /usr/lib/inithooks/everyboot.d run /usr/lib/inithooks rsyslog.d/* /etc/rsyslog.d -turnkey-init-fence/turnkey-init-fence /etc/init.d -turnkey-init-fence/htdocs /var/lib/inithooks/turnkey-init-fence +turnkey-init-fence/turnkey-init-fence.service /usr/lib/systemd/system +turnkey-init-fence/htdocs /usr/lib/inithooks/turnkey-init-fence turnkey-init /usr/sbin turnkey-sudoadmin /usr/sbin diff --git a/default/turnkey-init-fence b/default/turnkey-init-fence index 0ec3a18..2970ecd 100644 --- a/default/turnkey-init-fence +++ b/default/turnkey-init-fence @@ -1,6 +1,6 @@ -WEBROOT=/var/lib/inithooks/turnkey-init-fence/htdocs -HTTP_PORTS=80 -HTTPS_PORTS="443 12321 12320" +WEBROOT=/usr/lib/inithooks/turnkey-init-fence/htdocs +HTTP_PORTS=(80) +HTTPS_PORTS=(443 12321 12322) RUNAS=nobody diff --git a/systemd/system/container-getty@1.service.d/10-container-getty-tkl-login.conf b/systemd/system/container-getty@1.service.d/10-container-getty-tkl-login.conf deleted file mode 100644 index 56039ca..0000000 --- a/systemd/system/container-getty@1.service.d/10-container-getty-tkl-login.conf +++ /dev/null @@ -1,5 +0,0 @@ -[Service] -EnvironmentFile= -EnvironmentFile=/etc/default/inithooks -ExecStart= -ExecStart=-/sbin/agetty -n -l /bin/bash -o "/usr/lib/inithooks/bin/login_script.sh" --noclear --keep-baud pts/%I 115200,38400,9600 $TERM diff --git a/systemd/system/getty@tty1.service.d/10-getty-tkl-login.conf b/systemd/system/getty@tty1.service.d/10-getty-tkl-login.conf deleted file mode 100644 index e689252..0000000 --- a/systemd/system/getty@tty1.service.d/10-getty-tkl-login.conf +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -ExecStartPre= -ExecStartPre=/usr/lib/inithooks/bin/login_script.sh diff --git a/systemd/system/inithooks-restart-getty.service b/systemd/system/inithooks-restart-getty.service new file mode 100644 index 0000000..f57791e --- /dev/null +++ b/systemd/system/inithooks-restart-getty.service @@ -0,0 +1,7 @@ +[Unit] +Description=Restart getty1 - triggered when inithooks.service exits + +[Service] +Type=exec +Environment="_STARTED_BY_SYSTEMD=yes" +ExecStart=/usr/lib/inithooks/bin/restart-getty diff --git a/systemd/system/inithooks.service b/systemd/system/inithooks.service new file mode 100644 index 0000000..5fa5e35 --- /dev/null +++ b/systemd/system/inithooks.service @@ -0,0 +1,26 @@ +[Unit] +Description=Run boot scripts and start confconsole on tty1 +# ensure inithooks only runs once per boot +ConditionPathExists=!/run/inithooks-complete +# kill getty service if it's running +Conflicts=getty@tty1.service container-getty@1.service +After=getty.target getty@tty1.service container-getty@1.service + +# (re)start getty1 if inithooks.service exits non-zero +OnFailure=test-inithooks-restart-getty1.service + +[Service] +Type=exec +ExecStart=/usr/lib/inithooks/run +# ensure inithooks only runs once per boot +ExecStartPost=/usr/bin/touch /run/inithooks-complete +# (re)start getty1 if inithooks.service exits cleanly +ExecStopPost=/bin/systemctl start inithooks-restart-getty1.service + +StandardInput=tty +StandardOutput=tty +StandardError=journal +TTYPath=/dev/tty1 + +[Install] +WantedBy=multi-user.target diff --git a/turnkey-init-fence/turnkey-init-fence b/turnkey-init-fence/turnkey-init-fence deleted file mode 100755 index 19f4eb1..0000000 --- a/turnkey-init-fence/turnkey-init-fence +++ /dev/null @@ -1,216 +0,0 @@ -#!/bin/bash -e -### BEGIN INIT INFO -# Provides: turnkey-init-fence -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Fences off appliance ports until after initialization -### END INIT INFO -# -# Author: Liraz Siri -# -# how it works: iptables redirects http/https TCP connections to simplehttpd.py -# -# redirect $HTTP_PORTS-> $HTTP_FENCE_PORT -# redirect $HTTPS_PORTS -> $HTTPS_FENCE_PORT -# -# configuration @ /etc/default/turnkey-init-fence -# -# HTTP_FENCE_PORT=60080 -# HTTPS_FENCE_PORT=60443 -# HTTP_PORT=80 -# HTTPS_PORTS=443 -# - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="Description of the service" -NAME=turnkey-init-fence -DAEMON=/usr/lib/inithooks/bin/simplehttpd.py -PIDFILE=/var/run/$NAME/simplehttpd.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Create pidfile directory -mkdir -p $(dirname $PIDFILE) - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME -chown -R $RUNAS $(dirname $PIDFILE) - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -iptables_delete_redirect() -{ - dport=$1 - to_port=$2 - - while true; do - (2>&1 iptables -t nat -D PREROUTING -p tcp --dport $dport -j REDIRECT --to-port $to_port) > /dev/null || break - done -} - -iptables_add_redirect() -{ - dport=$1 - to_port=$2 - - iptables_delete_redirect $1 $2 - iptables -t nat -A PREROUTING -p tcp --dport $dport -j REDIRECT --to-port $to_port -} - -iptables_unensure_accept() -{ - # remove ACCEPT line for fence ports (used in appliances that have a - # `filter` policy of `DROP`) - dport=$1 - while true; do - (2>&1 iptables -t filter -D INPUT -p tcp -m tcp --dport $dport -j ACCEPT) > /dev/null || break - done -} - -iptables_ensure_accept() -{ - # add ACCEPT line for fence ports (used in appliances that have a - # `filter` policy of `DROP`) - dport=$1 - iptables_unensure_accept $1 - iptables -t filter -A INPUT -p tcp -m tcp --dport $dport -j ACCEPT -} - - -iptables_redirect() -{ - case "$1" in - start) - op=iptables_add_redirect - mop=iptables_ensure_accept - ;; - stop) - op=iptables_delete_redirect - mop=iptables_unensure_accept - ;; - esac - - for port in $HTTP_PORTS; do - $op $port $HTTP_FENCE_PORT - done - - for port in $HTTPS_PORTS; do - $op $port $HTTPS_FENCE_PORT - done - - $mop $HTTP_FENCE_PORT - $mop $HTTPS_FENCE_PORT -} - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE --name $(basename $DAEMON) --startas $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- --runas=$RUNAS \ - --daemonize=$PIDFILE $WEBROOT $HTTP_FENCE_PORT $HTTPS_FENCE_PORT $HTTPS_FENCE_CERTFILE $HTTPS_FENCE_KEYFILE - - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. - - iptables_redirect start -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - iptables_redirect stop - - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $(basename $DAEMON) - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=TERM/30/KILL/5 --user $RUNAS --name $(basename $DAEMON) - - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - - return "$RETVAL" -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - restart) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2 - exit 3 - ;; -esac - -: - diff --git a/turnkey-init-fence/turnkey-init-fence.service b/turnkey-init-fence/turnkey-init-fence.service new file mode 100644 index 0000000..1c0c12e --- /dev/null +++ b/turnkey-init-fence/turnkey-init-fence.service @@ -0,0 +1,14 @@ +[Unit] +Description=TurnKey Initialization web interface fence +After=network.target network-online.target +After=iptables.service firewalld.service ip6tables.service ipset.service nftables.service +Before=apache2.service nginx.service lighttpd.service + +[Service] +Type=one-shot +EnvironmentFile=/etc/default/turnkey-init-fence +ExecStart=/usr/lib/inithooks/bin/turnkey-init-fence start +ExecStop=/usr/lib/inithooks/bin/turnkey-init-fence stop + +[Install] +WantedBy=multi-user.target