Use dedicated system user, backup before upgrade

conf/php-fpm.conf

@@ -8,8 +8,8 @@ listen.group = www-data
 listen.mode = 0600
 
 ; Unix user/group of processes.
-user = www-data
+user = {USER}
-group = www-data
+group = {USER}
 
 ; Choose how the process manager will control the number of child processes.
 pm = dynamic

scripts/_common.sh

@@ -104,6 +104,35 @@ CHECK_FINALPATH () {	# Check if destination directory already exists
 }
 
 
+BACKUP_FAIL_UPGRADE () {
+	WARNING echo "Upgrade failed."
+	app_bck=${app//_/-}	# Replace all '_' by '-'
+	if sudo yunohost backup list | grep -q $app_bck-pre-upgrade$backup_number; then	# Check if existing archive before removing app and restoring
+		sudo yunohost app remove $app	# Remove app before restoring it
+		sudo yunohost backup restore --ignore-hooks $app_bck-pre-upgrade$backup_number --apps $app --force	# Restore the backup if upgrade failed
+		ynh_die "The app was restored to the way it was before the failed upgrade."
+	fi
+}
+
+BACKUP_BEFORE_UPGRADE () {	# Backup the current version of the app, restore it if the upgrade fails
+	backup_number=1
+	old_backup_number=2
+	app_bck=${app//_/-}	# Replace all '_' by '-'
+	if sudo yunohost backup list | grep -q $app_bck-pre-upgrade1; then	# Check for existing archive numbered 1
+		backup_number=2	# And change archive number to 2
+		old_backup_number=1
+	fi
+
+	sudo yunohost backup create --ignore-hooks --apps $app --name $app_bck-pre-upgrade$backup_number	# Create a backup different from the existing one
+	if [ "$?" -eq 0 ]; then	# If backup succfessful, delete former archive
+		if sudo yunohost backup list | grep -q $app_bck-pre-upgrade$old_backup_number; then	# Check for existing archive before removing it
+			QUIET sudo yunohost backup delete $app_bck-pre-upgrade$old_backup_number
+		fi
+	else	# If backup failed
+		ynh_die "Backup failed, the upgrade process was aborted."
+	fi
+}
+
 #=================================================
 # FUTURE YUNOHOST HELPERS - TO BE REMOVED LATER
 #=================================================
@@ -275,3 +304,34 @@ ynh_secure_remove () {
 		fi
 	fi
 }
+
+# Create a system user
+#
+# usage: ynh_system_user_create user_name [home_dir]
+# | arg: user_name - Name of the system user that will be create
+# | arg: home_dir - Path of the home dir for the user. Usually the final path of the app. If this argument is omitted, the user will be created without home
+ynh_system_user_create () {
+	if ! ynh_system_user_exists "$1"	# Check if the user exists on the system
+	then	# If the user doesn't exist
+		if [ $# -ge 2 ]; then	# If a home dir is mentioned
+			user_home_dir="-d $2"
+		else
+			user_home_dir="--no-create-home"
+		fi
+		sudo useradd $user_home_dir --system --user-group $1 --shell /usr/sbin/nologin || ynh_die "Unable to create $1 system account"
+	fi
+}
+
+# Delete a system user
+#
+# usage: ynh_system_user_delete user_name
+# | arg: user_name - Name of the system user that will be create
+ynh_system_user_delete () {
+    if ynh_system_user_exists "$1"	# Check if the user exists on the system
+    then
+		echo "Remove the user $1" >&2
+		sudo userdel $1
+	else
+		echo "The user $1 was not found" >&2
+    fi
+}

scripts/install

@@ -75,9 +75,14 @@ ynh_mysql_create_db "$db_name" "$db_user" "$dbpass"
 
 ynh_app_setting_set $app final_path "$final_path"
 # Create tmp directory and fetch app inside
-TMPDIR=$(ynh_mkdir_tmp)
+TMPDIR=$(mktemp -d)
 extract_wallabag "$TMPDIR"
 
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+
+ynh_system_user_create $app	# Create a dedicated system user
 
 #=================================================
 # SPECIFIC SETUP
@@ -95,22 +100,22 @@ ynh_replace_string "{DESKEY}" "${deskey}" "$wb_conf"
 sudo mv "$TMPDIR" "$final_path"
 
 # Set rights for www-data
-sudo chown -R www-data: $final_path
+sudo chown -R $app: $final_path
 
 # Install dependencies and Wallabag
-exec_console www-data "$final_path" wallabag:install
+exec_console $app "$final_path" wallabag:install
 
 # Add users to Wallabag
 for username in $(ynh_user_list); do
   user_email=$(sudo yunohost user info "$username" --output-as plain \
                  | ynh_get_plain_key mail)
   user_pass=$(ynh_string_random)
-  exec_console www-data "$final_path" fos:user:create \
+  exec_console $app "$final_path" fos:user:create \
       "$username" "$user_email" "$user_pass"
 done
 
 # Set admin user
-exec_console www-data "$final_path" fos:user:promote --super "$admin"
+exec_console $app "$final_path" fos:user:promote --super "$admin"
 
 #=================================================
 # NGINX CONFIGURATION
@@ -133,6 +138,7 @@ sudo cp "$nginx_conf" "/etc/nginx/conf.d/${domain}.d/${app}.conf"
 phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf"
 ynh_replace_string "{POOLNAME}" "${app}" "$PKGDIR/conf/php-fpm.conf"
 ynh_replace_string "{DESTDIR}" "${final_path}" "$PKGDIR/conf/php-fpm.conf"
+ynh_replace_string "{USER}" "${app}" "$PKGDIR/conf/php-fpm.conf"
 sudo cp $PKGDIR/conf/php-fpm.conf "$phpfpm_conf"
 
 # Set SSOwat rules

scripts/remove

@@ -61,3 +61,9 @@ ynh_remove_app_dependencies
 # The following command is keeped as a matter of transition with the previous way
 # of managing dependencies
 ynh_package_autoremove "wallabag-deps" || true
+
+#=================================================
+# REMOVE DEDICATED USER
+#=================================================
+
+ynh_system_user_delete $app

scripts/restore

@@ -60,12 +60,17 @@ db_pwd=$(ynh_app_setting_get $app mysqlpwd)
 ynh_mysql_create_db $db_name $db_name $db_pwd
 ynh_mysql_connect_as $db_name $db_pwd $db_name < ./db.sql
 
+#=================================================
+# RECREATE OF THE DEDICATED USER
+#=================================================
+
+ynh_system_user_create $app	# Recreate the dedicated user, if not existing
 
 #=================================================
 # RESTORE USER RIGHTS
 #=================================================
 
-sudo chown -R www-data: $final_path
+sudo chown -R $app: $final_path
 
 #=================================================
 # RESTORE PHP-FPM CONFIGURATION

scripts/upgrade

@@ -48,6 +48,16 @@ if [ -z "$db_name" ] ; then
   ynh_app_setting_set "$app" db_name "$db_name"
 fi
 
+#=================================================
+# MANAGE SCRIPT FAILURE
+#=================================================
+
+BACKUP_BEFORE_UPGRADE # Backup the current version of the app
+ynh_clean_setup () {
+    BACKUP_FAIL_UPGRADE
+}
+ynh_abort_if_errors	# Stop script if an error is detected
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@@ -62,6 +72,12 @@ ynh_install_app_dependencies "$PKG_DEPENDENCIES"
 TMPDIR=$(ynh_mkdir_tmp)
 extract_wallabag "$TMPDIR"
 
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+
+ynh_system_user_create $app # Create dedicated  user if not existing
+
 #=================================================
 # SPECIFIC SETUP
 #=================================================
@@ -77,11 +93,11 @@ ynh_replace_string "{DESKEY}" "${deskey}" "$wb_conf"
 # Replace files and set permissions
 ynh_secure_remove "${final_path}"
 sudo mv "$TMPDIR" "${final_path}"
-sudo chown -R www-data: "${final_path}"
+sudo chown -R $app: "${final_path}"
 
 # Upgrade database and clear the cache
-exec_console www-data "${final_path}" doctrine:migrations:migrate
+exec_console $app "${final_path}" doctrine:migrations:migrate
-exec_console www-data "${final_path}" cache:clear
+exec_console $app "${final_path}" cache:clear
 
 #=================================================
 # NGINX CONFIGURATION
@@ -104,6 +120,7 @@ sudo cp "$nginx_conf" "/etc/nginx/conf.d/${domain}.d/${app}.conf"
 phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf"
 ynh_replace_string "{POOLNAME}" "${app}" "$PKGDIR/conf/php-fpm.conf"
 ynh_replace_string "{DESTDIR}" "${final_path}" "$PKGDIR/conf/php-fpm.conf"
+ynh_replace_string "{USER}" "${app}" "$PKGDIR/conf/php-fpm.conf"
 sudo cp $PKGDIR/conf/php-fpm.conf "$phpfpm_conf"