From 463112de12485be123dc1716a066085e5606266b Mon Sep 17 00:00:00 2001 From: Kay0u Date: Fri, 8 Nov 2019 21:22:28 +0900 Subject: [PATCH 01/94] add subcategories --- data/actionsmap/yunohost_completion.py | 83 +++++++++++++++++++------- 1 file changed, 61 insertions(+), 22 deletions(-) diff --git a/data/actionsmap/yunohost_completion.py b/data/actionsmap/yunohost_completion.py index a4c17c4d6..45d15f16c 100644 --- a/data/actionsmap/yunohost_completion.py +++ b/data/actionsmap/yunohost_completion.py @@ -3,7 +3,7 @@ Simple automated generation of a bash_completion file for yunohost command from the actionsmap. Generates a bash completion file assuming the structure -`yunohost domain action` +`yunohost category action` adds `--help` at the end if one presses [tab] again. author: Christophe Vuillot 
@@ -15,18 +15,39 @@ THIS_SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__)) ACTIONSMAP_FILE = THIS_SCRIPT_DIR + '/yunohost.yml' BASH_COMPLETION_FILE = THIS_SCRIPT_DIR + '/../bash-completion.d/yunohost' +def get_dict_actions(OPTION_SUBTREE, category): + ACTIONS = [action for action in OPTION_SUBTREE[category]["actions"].keys() + if not action.startswith('_')] + ACTIONS_STR = '{}'.format(' '.join(ACTIONS)) + + DICT = { "actions_str": ACTIONS_STR } + + return DICT + with open(ACTIONSMAP_FILE, 'r') as stream: - # Getting the dictionary containning what actions are possible per domain + # Getting the dictionary containning what actions are possible per category OPTION_TREE = yaml.load(stream) - DOMAINS = [str for str in OPTION_TREE.keys() if not str.startswith('_')] - DOMAINS_STR = '"{}"'.format(' '.join(DOMAINS)) + + CATEGORY = [category for category in OPTION_TREE.keys() if not category.startswith('_')] + + CATEGORY_STR = '{}'.format(' '.join(CATEGORY)) ACTIONS_DICT = {} - for domain in DOMAINS: - ACTIONS = [str for str in OPTION_TREE[domain]['actions'].keys() - if not str.startswith('_')] - ACTIONS_STR = '"{}"'.format(' '.join(ACTIONS)) - ACTIONS_DICT[domain] = ACTIONS_STR + for category in CATEGORY: + ACTIONS_DICT[category] = get_dict_actions(OPTION_TREE, category) + + ACTIONS_DICT[category]["subcategories"] = {} + ACTIONS_DICT[category]["subcategories_str"] = "" + + if "subcategories" in OPTION_TREE[category].keys(): + SUBCATEGORIES = [ subcategory for subcategory in OPTION_TREE[category]["subcategories"].keys() ] + + SUBCATEGORIES_STR = '{}'.format(' '.join(SUBCATEGORIES)) + + ACTIONS_DICT[category]["subcategories_str"] = SUBCATEGORIES_STR + + for subcategory in SUBCATEGORIES: + ACTIONS_DICT[category]["subcategories"][subcategory] = get_dict_actions(OPTION_TREE[category]["subcategories"], subcategory) with open(BASH_COMPLETION_FILE, 'w') as generated_file: 
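Review bot: `get_dict_actions` indexes `OPTION_SUBTREE[category]["actions"]` directly, so a category or subcategory that declares no `actions` key aborts the generator with a KeyError. The caller already treats `subcategories` as optional with an `in` test, and the same tolerance fits here: `OPTION_SUBTREE[category].get("actions", {})`. The upper-case locals (`ACTIONS`, `DICT`) read as module constants and `'{}'.format(...)` around the join is a no-op, so `return {"actions_str": ' '.join(actions)}` says the same thing. The unchanged `yaml.load(stream)` just below names no loader; `yaml.safe_load(stream)` looks sufficient for the plain mapping this code reads and does not construct arbitrary Python objects.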
@@ -47,31 +68,49 @@ with open(ACTIONSMAP_FILE, 'r') as stream: generated_file.write('\tnarg=${#COMP_WORDS[@]}\n\n') generated_file.write('\t# the current word being typed\n') generated_file.write('\tcur="${COMP_WORDS[COMP_CWORD]}"\n\n') - generated_file.write('\t# the last typed word\n') - generated_file.write('\tprev="${COMP_WORDS[COMP_CWORD-1]}"\n\n') - # If one is currently typing a domain then match with the domain list - generated_file.write('\t# If one is currently typing a domain,\n') - generated_file.write('\t# match with domains\n') + # If one is currently typing a category then match with the category list + generated_file.write('\t# If one is currently typing a category,\n') + generated_file.write('\t# match with categorys\n') generated_file.write('\tif [[ $narg == 2 ]]; then\n') - generated_file.write('\t\topts={}\n'.format(DOMAINS_STR)) + generated_file.write('\t\topts="{}"\n'.format(CATEGORY_STR)) generated_file.write('\tfi\n\n') # If one is currently typing an action then match with the action list - # of the previously typed domain - generated_file.write('\t# If one already typed a domain,\n') - generated_file.write('\t# match the actions of that domain\n') + # of the previously typed category + generated_file.write('\t# If one already typed a category,\n') + generated_file.write('\t# match the actions or the subcategories of that category\n') generated_file.write('\tif [[ $narg == 3 ]]; then\n') - for domain in DOMAINS: - generated_file.write('\t\tif [[ $prev == "{}" ]]; then\n'.format(domain)) - generated_file.write('\t\t\topts={}\n'.format(ACTIONS_DICT[domain])) + generated_file.write('\t\t# the category typed\n') + generated_file.write('\t\tcategory="${COMP_WORDS[1]}"\n\n') + for category in CATEGORY: + generated_file.write('\t\tif [[ $category == "{}" ]]; then\n'.format(category)) + generated_file.write('\t\t\topts="{} {}"\n'.format(ACTIONS_DICT[category]["actions_str"], ACTIONS_DICT[category]["subcategories_str"])) 
generated_file.write('\t\tfi\n') generated_file.write('\tfi\n\n') - # If both domain and action have been typed or the domain + generated_file.write('\t# If one already typed an action or a subcategory,\n') + generated_file.write('\t# match the actions of that subcategory\n') + generated_file.write('\tif [[ $narg == 4 ]]; then\n') + generated_file.write('\t\t# the category typed\n') + generated_file.write('\t\tcategory="${COMP_WORDS[1]}"\n\n') + generated_file.write('\t\t# the action or the subcategory typed\n') + generated_file.write('\t\taction_or_subcategory="${COMP_WORDS[2]}"\n\n') + for category in CATEGORY: + if len(ACTIONS_DICT[category]["subcategories"]): + generated_file.write('\t\tif [[ $category == "{}" ]]; then\n'.format(category)) + for subcategory in ACTIONS_DICT[category]["subcategories"]: + generated_file.write('\t\t\tif [[ $action_or_subcategory == "{}" ]]; then\n'.format(subcategory)) + generated_file.write('\t\t\t\topts="{}"\n'.format(ACTIONS_DICT[category]["subcategories"][subcategory]["actions_str"])) + generated_file.write('\t\t\tfi\n') + generated_file.write('\t\tfi\n') + generated_file.write('\tfi\n\n') + + # If both category and action have been typed or the category # was not recognized propose --help (only once) generated_file.write('\t# If no options were found propose --help\n') generated_file.write('\tif [ -z "$opts" ]; then\n') + generated_file.write('\t\tprev="${COMP_WORDS[COMP_CWORD-1]}"\n\n') generated_file.write('\t\tif [[ $prev != "--help" ]]; then\n') generated_file.write('\t\t\topts=( --help )\n') generated_file.write('\t\tfi\n') From e0fa39ad01abd0b58c6db7c43c4081dcb934c2d6 Mon Sep 17 00:00:00 2001 
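Review bot: The generated function now assigns `category`, `action_or_subcategory` and `prev`, and this hunk writes no `local` declaration for them. Unless the part of the generator outside the hunk emits one, these names stay set in the user's interactive shell after the first completion. A line such as `generated_file.write('\tlocal category action_or_subcategory prev\n')` near the top of the generated function would keep them scoped. The generated comment `# match with categorys` should read `categories`.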
From: Augustin Trancart Date: Sat, 30 Nov 2019 15:52:00 +0100 Subject: [PATCH 02/94] =?UTF-8?q?[fix]=20prevent=20firefox=20to=20mix=20CA?= =?UTF-8?q?=C2=A0and=20server=20certificate?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes #1479: yunohost was using the exact same Distinguished Name for the CA certificate and the main domain server certificate. When creating alternate domain name, firefox thought the CA for this second domain was the server certificate for the first domain. As the key mismatches, Firefox raised a bad key usage error, which is not bypassable. To fix this, we "simply" need to make sure the DN for the CA is distinct for any other DN. I did so by adding a Organization to it, and I decided to just remove the last part of the domain and use that as an organization name. It is certainly possible to do something else, as long as we end up having a distinct DN. So yolo.test gives a yolo organization for instance. More info here https://bugzilla.mozilla.org/show_bug.cgi?id=1590217 --- src/yunohost/tools.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index c05933dc0..ce219c4bc 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py 
@@ -321,7 +321,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, 'touch %s/index.txt' % ssl_dir, 'cp %s/openssl.cnf %s/openssl.ca.cnf' % (ssl_dir, ssl_dir), 'sed -i s/yunohost.org/%s/g %s/openssl.ca.cnf ' % (domain, ssl_dir), - 'openssl req -x509 -new -config %s/openssl.ca.cnf -days 3650 -out %s/ca/cacert.pem -keyout %s/ca/cakey.pem -nodes -batch' % (ssl_dir, ssl_dir, ssl_dir), + 'openssl req -x509 -new -config %s/openssl.ca.cnf -days 3650 -out %s/ca/cacert.pem -keyout %s/ca/cakey.pem -nodes -batch -subj /CN=%s/O=%s' % (ssl_dir, ssl_dir, ssl_dir, domain, os.path.splitext(domain)[0]), 'cp %s/ca/cacert.pem /etc/ssl/certs/ca-yunohost_crt.pem' % ssl_dir, 'update-ca-certificates' ] From 0081d988ab635e859a406db3f5ab3203331c0cb5 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sun, 9 Feb 2020 18:45:49 +0100 Subject: [PATCH 03/94] Replace __PHPVERSION__ by $YNH_PHP_VERSION in nginx conf files --- data/helpers.d/nginx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/helpers.d/nginx b/data/helpers.d/nginx index e3e45d2d4..b34ebb4e1 100644 --- a/data/helpers.d/nginx +++ b/data/helpers.d/nginx @@ -12,6 +12,7 @@ # __PORT__ by $port # __NAME__ by $app # __FINALPATH__ by $final_path +# __PHPVERSION__ by $YNH_PHP_VERSION ($YNH_PHP_VERSION is either the default php version or the version defined for the app) # # And dynamic variables (from the last example) : # __PATH_2__ by $path_2 @@ -44,6 +45,7 @@ ynh_add_nginx_config () { if test -n "${final_path:-}"; then ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalnginxconf" fi + ynh_replace_string --match_string="__PHPVERSION__" --replace_string="$YNH_PHP_VERSION" --target_file="$finalnginxconf" # Replace all other variable given as arguments for var_to_replace in $others_var From a489a06daa01e195d35f159658f8805a2af4c349 Mon Sep 17 00:00:00 2001 
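Review bot: The new `-subj /CN=%s/O=%s` argument is spliced into the command string unquoted, with `domain` supplying both the CN and, through `os.path.splitext(domain)[0]`, the O. How these strings are executed and where `domain` is validated is outside the hunk (the list sits inside `tools_postinstall`). If they run through a shell, the subject should be one quoted word, `-subj "/CN=%s/O=%s"`, and `domain` should be known to contain no `/`, `=` or whitespace, since those change how openssl splits the DN. `os.path.splitext` is a file-name helper; `domain.rsplit('.', 1)[0]` states the intent of dropping the last label directly.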
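Review bot: The added `ynh_replace_string` for `__PHPVERSION__` runs unconditionally and expands `$YNH_PHP_VERSION` bare, whereas the `__FINALPATH__` replacement just above it is guarded with `test -n "${final_path:-}"`. Nothing in this patch assigns `YNH_PHP_VERSION`, so where the variable is unset the placeholder is replaced by an empty string, or the script stops if it runs with `set -u` (not visible here). Guarding it the same way, `if test -n "${YNH_PHP_VERSION:-}"; then ... fi`, keeps the two replacements consistent. `ynh_add_nginx_config` starts and ends outside the hunk.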
From: Maniack Crudelis Date: Sun, 9 Feb 2020 18:49:27 +0100 Subject: [PATCH 04/94] Use the default php version into the php helpers --- data/helpers.d/php | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 41af467c5..56d35cee8 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -1,5 +1,9 @@ #!/bin/bash +# Declare the actual php version to use. +# A packager willing to use another version of php can override the variable into its _common.sh. +YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION} + # Create a dedicated php-fpm config # # usage: ynh_add_fpm_config [--phpversion=7.X] @@ -14,8 +18,8 @@ ynh_add_fpm_config () { # Manage arguments with getopts ynh_handle_getopts_args "$@" - # Configure PHP-FPM 7.0 by default - phpversion="${phpversion:-7.0}" + # Set the default PHP-FPM version by default + phpversion="${phpversion:-$YNH_PHP_VERSION}" local fpm_config_dir="/etc/php/$phpversion/fpm" local fpm_service="php${phpversion}-fpm" @@ -26,6 +30,7 @@ ynh_add_fpm_config () { fi ynh_app_setting_set --app=$app --key=fpm_config_dir --value="$fpm_config_dir" ynh_app_setting_set --app=$app --key=fpm_service --value="$fpm_service" + ynh_app_setting_set --app=$app --key=phpversion --value=$phpversion finalphpconf="$fpm_config_dir/pool.d/$app.conf" ynh_backup_if_checksum_is_different --file="$finalphpconf" cp ../conf/php-fpm.conf "$finalphpconf" 
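Review bot: `YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION}` has no fallback when `YNH_DEFAULT_PHP_VERSION` is itself missing, and nothing in this patch sets it. In that case `phpversion` ends up empty in `ynh_add_fpm_config` and the helper builds `/etc/php//fpm` and the service name `php-fpm`. Stopping with a clear message is safer than continuing with an empty version, for instance `[ -n "$phpversion" ] || ynh_die "No php version set (YNH_DEFAULT_PHP_VERSION is empty)"` right after the `phpversion=` default in the second hunk.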
@@ -56,10 +61,10 @@ ynh_add_fpm_config () { ynh_remove_fpm_config () { local fpm_config_dir=$(ynh_app_setting_get --app=$app --key=fpm_config_dir) local fpm_service=$(ynh_app_setting_get --app=$app --key=fpm_service) - # Assume php version 7 if not set + # Assume default php version if not set if [ -z "$fpm_config_dir" ]; then - fpm_config_dir="/etc/php/7.0/fpm" - fpm_service="php7.0-fpm" + fpm_config_dir="/etc/php/$YNH_DEFAULT_PHP_VERSION/fpm" + fpm_service="php$YNH_DEFAULT_PHP_VERSION-fpm" fi ynh_secure_remove --file="$fpm_config_dir/pool.d/$app.conf" ynh_secure_remove --file="$fpm_config_dir/conf.d/20-$app.ini" 2>&1 From 940162a31ff6836273ddaa209abb4d3813b8db62 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sun, 9 Feb 2020 18:52:43 +0100 Subject: [PATCH 05/94] Set the default version for php And propagate it as an env variable for apps. --- src/yunohost/app.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/yunohost/app.py b/src/yunohost/app.py index b05d7b818..2311ab8e5 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py @@ -59,6 +59,7 @@ APPS_CATALOG_CONF = '/etc/yunohost/apps_catalog.yml' APPS_CATALOG_CRON_PATH = "/etc/cron.daily/yunohost-fetch-apps-catalog" APPS_CATALOG_API_VERSION = 2 APPS_CATALOG_DEFAULT_URL = "https://app.yunohost.org/default" +APPS_DEFAULT_PHP_VERSION = "7.0" re_github_repo = re.compile( r'^(http[s]?://|git@)github.com[/:]' @@ -347,6 +348,7 @@ def app_change_url(operation_logger, app, domain, path): env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app env_dict["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) + env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION env_dict["YNH_APP_OLD_DOMAIN"] = old_domain env_dict["YNH_APP_OLD_PATH"] = old_path 
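Review bot: The fallback in `ynh_remove_fpm_config` is reached only when no `fpm_config_dir` setting was stored, and the removed lines assumed such installs live under `/etc/php/7.0/fpm`. Pointing the fallback at `$YNH_DEFAULT_PHP_VERSION` means that once the default moves away from 7.0, removing such an app looks in the new version's directory and leaves the old pool file in place while reloading a different service. Keeping the literal for this legacy branch, with a comment such as `# apps installed before fpm_config_dir was stored always used php7.0`, preserves the old behaviour. The function continues outside the hunk.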
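Review bot: `env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION` is pasted into eight places in this patch (this hunk and those at -483, -695, -803, -980, -1403, -1466 and -1539), each time next to the same three `YNH_APP_*` entries. Any script entry point that is missed, now or later, hands the helpers an empty default version; whether other callers outside this file build their own environment is not visible here. A small helper returning the four common entries, used as `env_dict = _app_base_env(app_id, app, app_instance_nb)` (name is a suggestion), would keep them in one place.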
@@ -483,6 +485,7 @@ def app_upgrade(app=[], url=None, file=None): env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app_instance_name env_dict["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) + env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION # Start register change on system related_to = [('app', app_instance_name)] @@ -695,6 +698,7 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app_instance_name env_dict["YNH_APP_INSTANCE_NUMBER"] = str(instance_number) + env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION # Start register change on system operation_logger.extra.update({'env': env_dict}) @@ -803,6 +807,7 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu env_dict_remove["YNH_APP_ID"] = app_id env_dict_remove["YNH_APP_INSTANCE_NAME"] = app_instance_name env_dict_remove["YNH_APP_INSTANCE_NUMBER"] = str(instance_number) + env_dict_remove["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION # Execute remove script operation_logger_remove = OperationLogger('remove_on_failed_install', @@ -980,6 +985,7 @@ def app_remove(operation_logger, app): env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app env_dict["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) + env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION operation_logger.extra.update({'env': env_dict}) operation_logger.flush() @@ -1403,6 +1409,7 @@ def app_action_run(operation_logger, app, action, args=None): env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app env_dict["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) + env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION env_dict["YNH_ACTION"] = action _, path = tempfile.mkstemp() 
@@ -1466,6 +1473,7 @@ def app_config_show_panel(operation_logger, app): "YNH_APP_ID": app_id, "YNH_APP_INSTANCE_NAME": app, "YNH_APP_INSTANCE_NUMBER": str(app_instance_nb), + "YNH_DEFAULT_PHP_VERSION": APPS_DEFAULT_PHP_VERSION, } return_code, parsed_values = hook_exec(config_script, @@ -1539,6 +1547,7 @@ def app_config_apply(operation_logger, app, args): "YNH_APP_ID": app_id, "YNH_APP_INSTANCE_NAME": app, "YNH_APP_INSTANCE_NUMBER": str(app_instance_nb), + "YNH_DEFAULT_PHP_VERSION": APPS_DEFAULT_PHP_VERSION, } args = dict(urlparse.parse_qsl(args, keep_blank_values=True)) if args else {} From 55d17a61017378b907a79bbeee5fb614737956e0 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sun, 9 Feb 2020 19:11:06 +0100 Subject: [PATCH 06/94] Add the helper ynh_install_php --- data/helpers.d/php | 80 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/data/helpers.d/php b/data/helpers.d/php index 41af467c5..224c0a3d9 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
@@ -65,3 +65,83 @@ ynh_remove_fpm_config () { ynh_secure_remove --file="$fpm_config_dir/conf.d/20-$app.ini" 2>&1 ynh_systemd_action --service_name=$fpm_service --action=reload } + +# Install another version of php. +# +# usage: ynh_install_php --phpversion=phpversion [--package=packages] +# | arg: -v, --phpversion - Version of php to install. +# | arg: -p, --package - Additionnal php packages to install +ynh_install_php () { + # Declare an array to define the options of this helper. + local legacy_args=vp + declare -Ar args_array=( [v]=phpversion= [p]=package= ) + local phpversion + local package + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + package=${package:-} + + # Store phpversion into the config of this app + ynh_app_setting_set $app phpversion $phpversion + + if [ "$phpversion" == "7.0" ] + then + ynh_die "Do not use ynh_install_php to install php7.0" + fi + + # Store the ID of this app and the version of php requested for it + echo "$YNH_APP_INSTANCE_NAME:$phpversion" | tee --append "/etc/php/ynh_app_version" + + # Add an extra repository for those packages + ynh_install_extra_repo --repo="https://packages.sury.org/php/ $(lsb_release -sc) main" --key="https://packages.sury.org/php/apt.gpg" --priority=995 --name=extra_php_version + + # Install requested dependencies from this extra repository. + # Install php-fpm first, otherwise php will install apache as a dependency. + ynh_add_app_dependencies --package="php${phpversion}-fpm" + ynh_add_app_dependencies --package="php$phpversion php${phpversion}-common $package" + + # Set php7.0 back as the default version for php-cli. 
+ update-alternatives --set php /usr/bin/php7.0 + + # Pin this extra repository after packages are installed to prevent sury of doing shit + ynh_pin_repo --package="*" --pin="origin \"packages.sury.org\"" 200 --name=extra_php_version + ynh_pin_repo --package="php7.0*" --pin="origin \"packages.sury.org\"" 600 --name=extra_php_version --append + + # Advertise service in admin panel + yunohost service add php${phpversion}-fpm --log "/var/log/php${phpversion}-fpm.log" +} + +# Remove the specific version of php used by the app. +# +# usage: ynh_install_php +ynh_remove_php () { + # Get the version of php used by this app + local phpversion=$(ynh_app_setting_get $app phpversion) + + if [ "$phpversion" == "7.0" ] || [ -z "$phpversion" ] + then + if [ "$phpversion" == "7.0" ] + then + ynh_print_err "Do not use ynh_remove_php to install php7.0" + fi + return 0 + fi + + # Remove the line for this app + sed --in-place "/$YNH_APP_INSTANCE_NAME:$phpversion/d" "/etc/php/ynh_app_version" + + # If no other app uses this version of php, remove it. + if ! grep --quiet "$phpversion" "/etc/php/ynh_app_version" + then + # Purge php dependences for this version. + ynh_package_autopurge "php$phpversion php${phpversion}-fpm php${phpversion}-common" + # Remove the service from the admin panel + yunohost service remove php${phpversion}-fpm + fi + + # If no other app uses alternate php versions, remove the extra repo for php + if [ ! -s "/etc/php/ynh_app_version" ] + then + ynh_secure_remove /etc/php/ynh_app_version + fi +} From 7a5760db55986b2bbf7cc642f70c792c5b3310c4 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sun, 9 Feb 2020 19:55:38 +0100 Subject: [PATCH 07/94] Add the helper ynh_install_extra_app_dependencies And the helpers used by this one. --- data/helpers.d/apt | 275 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 272 insertions(+), 3 deletions(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index 55c85c90b..0f973dda5 100644 --- a/data/helpers.d/apt 
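Review bot: `ynh_remove_php` matches the bookkeeping file with unanchored regular expressions: `sed "/$YNH_APP_INSTANCE_NAME:$phpversion/d"` also deletes the entry of any app whose name ends with this app's name, and `grep --quiet "$phpversion"` treats the dot as a wildcard and can match inside an app name. Either mismatch makes the purge decision wrong, so a PHP version can be purged while another app still runs on it, or never be purged at all. Escape the dots once with `local version_re="${phpversion//./\\.}"` and anchor both patterns: `sed --in-place "/^$YNH_APP_INSTANCE_NAME:$version_re\$/d" "/etc/php/ynh_app_version"` and `grep --quiet ":$version_re\$" "/etc/php/ynh_app_version"`. The last block's comment says the extra repo is removed, but only `/etc/php/ynh_app_version` is deleted, so the third-party source, its pin and its key stay configured; a call to `ynh_remove_extra_repo --name=extra_php_version` appears to be missing there.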
+++ b/data/helpers.d/apt @@ -205,7 +205,8 @@ ynh_package_install_from_equivs () { # Requires YunoHost version 2.6.4 or higher. ynh_install_app_dependencies () { local dependencies=$@ - local dependencies=${dependencies// /, } + # Add a comma for each space between packages. But not add a comma if the space separate a version specification. (See below) + dependencies="$(echo "$dependencies" | sed 's/\([^\<=\>]\)\ \([^(]\)/\1, \2/g')" local dependencies=${dependencies//|/ | } local manifest_path="../manifest.json" if [ ! -e "$manifest_path" ]; then @@ -218,6 +219,20 @@ ynh_install_app_dependencies () { fi local dep_app=${app//_/-} # Replace all '_' by '-' + # Handle specific versions + if [[ "$dependencies" =~ [\<=\>] ]] + then + # Replace version specifications by relationships syntax + # https://www.debian.org/doc/debian-policy/ch-relationships.html + # Sed clarification + # [^(\<=\>] ignore if it begins by ( or < = >. To not apply twice. + # [\<=\>] matches < = or > + # \+ matches one or more occurence of the previous characters, for >= or >>. + # [^,]\+ matches all characters except ',' + # Ex: 'package>=1.0' will be replaced by 'package (>= 1.0)' + dependencies="$(echo "$dependencies" | sed 's/\([^(\<=\>]\)\([\<=\>]\+\)\([^,]\+\)/\1 (\2 \3)/g')" + fi + # # Epic ugly hack to fix the goddamn dependency nightmare of sury # Sponsored by the "Djeezusse Fokin Kraiste Why Do Adminsys Has To Be So Fucking Complicated I Should Go Grow Potatoes Instead Of This Shit" collective 
@@ -233,8 +248,11 @@ ynh_install_app_dependencies () { if ! grep -nrq "sury" /etc/apt/sources.list* then # Re-add sury - echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury.list - wget -O /etc/apt/trusted.gpg.d/sury.gpg https://packages.sury.org/php/apt.gpg + ynh_install_extra_repo --repo="https://packages.sury.org/php/ $(lsb_release -sc) main" --key="https://packages.sury.org/php/apt.gpg" --name=extra_php_version + + # Pin this sury repository to prevent sury of doing shit + ynh_pin_repo --package="*" --pin="origin \"packages.sury.org\"" 200 --name=extra_php_version + ynh_pin_repo --package="php7.0*" --pin="origin \"packages.sury.org\"" 600 --name=extra_php_version --append fi fi fi @@ -255,6 +273,38 @@ EOF ynh_app_setting_set --app=$app --key=apt_dependencies --value="$dependencies" } +# Add dependencies to install with ynh_install_app_dependencies +# +# [internal] +# +# usage: ynh_add_app_dependencies --package=phpversion [--replace] +# | arg: -p, --package - Packages to add as dependencies for the app. +# | arg: -r, --replace - Replace dependencies instead of adding to existing ones. +ynh_add_app_dependencies () { + # Declare an array to define the options of this helper. + local legacy_args=pr + declare -Ar args_array=( [p]=package= [r]=replace) + local package + local replace + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + replace=${replace:-0} + + local current_dependencies="" + if [ $replace -eq 0 ] + then + local dep_app=${app//_/-} # Replace all '_' by '-' + if ynh_package_is_installed --package="${dep_app}-ynh-deps" + then + current_dependencies="$(dpkg-query --show --showformat='${Depends}' ${dep_app}-ynh-deps) " + fi + + current_dependencies=${current_dependencies// | /|} + fi + + ynh_install_app_dependencies "${current_dependencies}${package}" +} + # Remove fake package and its dependencies # # Dependencies will removed only if no other package need them. 
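Review bot: Both `ynh_pin_repo` calls pass the priority as a bare word (`200`, `600`) after `--pin=...`, while the helper's usage line documents `[--priority=priority_value]` and every other argument here is given in long form. How `ynh_handle_getopts_args` treats a bare positional mixed with long options is not visible on this page; if it is ignored, both pins fall back to the helper's default of 50 and the `php7.0*` pin no longer outranks the `*` pin. Writing `--priority=200` and `--priority=600` removes the doubt. The same two calls appear in `ynh_install_php` in patch 06/94.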
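Review bot: `ynh_add_app_dependencies` feeds the `Depends` field printed by `dpkg-query` back into `ynh_install_app_dependencies`, whose new sed inserts `, ` at every space that is not part of a version constraint. If dpkg-query prints the list in the usual `a, b (>= 1.0)` form, the space after each existing comma matches too and the result contains `a,, b`. Stripping the commas before re-feeding keeps the round trip stable: `current_dependencies=${current_dependencies//,/}`. The usage line says `--package=phpversion`, which looks copied from another helper; `--package="dep1 dep2"` would match the argument description.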
@@ -266,3 +316,222 @@ ynh_remove_app_dependencies () { local dep_app=${app//_/-} # Replace all '_' by '-' ynh_package_autopurge ${dep_app}-ynh-deps # Remove the fake package and its dependencies if they not still used. } + +#================================================= + +# Install packages from an extra repository properly. +# +# usage: ynh_install_extra_app_dependencies --repo="repo" --package="dep1 dep2" [--key=key_url] [--name=name] +# | arg: -r, --repo - Complete url of the extra repository. +# | arg: -p, --package - The packages to install from this extra repository +# | arg: -k, --key - url to get the public key. +# | arg: -n, --name - Name for the files for this repo, $app as default value. +ynh_install_extra_app_dependencies () { + # Declare an array to define the options of this helper. + local legacy_args=rpkn + declare -Ar args_array=( [r]=repo= [p]=package= [k]=key= [n]=name= ) + local repo + local package + local key + local name + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + name="${name:-$app}" + key=${key:-0} + + # Set a key only if asked + if [ -n "$key" ] + then + key="--key=$key" + fi + # Add an extra repository for those packages + ynh_install_extra_repo --repo="$repo" $key --priority=995 --name=$name + + # Install requested dependencies from this extra repository. + ynh_add_app_dependencies --package="$package" + + # Remove this extra repository after packages are installed + ynh_remove_extra_repo --name=$app +} + +# Add an extra repository correctly, pin it and get the key. +# +# [internal] +# +# usage: ynh_install_extra_repo --repo="repo" [--key=key_url] [--priority=priority_value] [--name=name] [--append] +# | arg: -r, --repo - Complete url of the extra repository. +# | arg: -k, --key - url to get the public key. +# | arg: -p, --priority - Priority for the pin +# | arg: -n, --name - Name for the files for this repo, $app as default value. +# | arg: -a, --append - Do not overwrite existing files. 
+ynh_install_extra_repo () { + # Declare an array to define the options of this helper. + local legacy_args=rkpna + declare -Ar args_array=( [r]=repo= [k]=key= [p]=priority= [n]=name= [a]=append ) + local repo + local key + local priority + local name + local append + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + name="${name:-$app}" + append=${append:-0} + key=${key:-0} + priority=${priority:-} + + if [ $append -eq 1 ] + then + append="--append" + wget_append="tee -a" + else + append="" + wget_append="tee" + fi + + # Split the repository into uri, suite and components. + # Remove "deb " at the beginning of the repo. + repo="${repo#deb }" + + # Get the uri + local uri="$(echo "$repo" | awk '{ print $1 }')" + + # Get the suite + local suite="$(echo "$repo" | awk '{ print $2 }')" + + # Get the components + local component="${repo##$uri $suite }" + + # Add the repository into sources.list.d + ynh_add_repo --uri="$uri" --suite="$suite" --component="$component" --name="$name" $append + + # Pin the new repo with the default priority, so it won't be used for upgrades. + # Build $pin from the uri without http and any sub path + local pin="${uri#*://}" + pin="${pin%%/*}" + # Set a priority only if asked + if [ -n "$priority" ] + then + priority="--priority=$priority" + fi + ynh_pin_repo --package="*" --pin="origin \"$pin\"" $priority --name="$name" $append + + # Get the public key for the repo + if [ -n "$key" ] + then + mkdir -p "/etc/apt/trusted.gpg.d" + wget -q "$key" -O - | gpg --dearmor | $wget_append /etc/apt/trusted.gpg.d/$name.gpg > /dev/null + fi + + # Update the list of package with the new repo + ynh_package_update +} + +# Remove an extra repository and the assiociated configuration. +# +# [internal] +# +# usage: ynh_remove_extra_repo [--name=name] +# | arg: -n, --name - Name for the files for this repo, $app as default value. +ynh_remove_extra_repo () { + # Declare an array to define the options of this helper. 
+ local legacy_args=n + declare -Ar args_array=( [n]=name= ) + local name + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + name="${name:-$app}" + + ynh_secure_remove "/etc/apt/sources.list.d/$name.list" + ynh_secure_remove "/etc/apt/preferences.d/$name" + ynh_secure_remove "/etc/apt/trusted.gpg.d/$name.gpg" + ynh_secure_remove "/etc/apt/trusted.gpg.d/$name.asc" + + # Update the list of package to exclude the old repo + ynh_package_update +} + +# Add a repository. +# +# [internal] +# +# usage: ynh_add_repo --uri=uri --suite=suite --component=component [--name=name] [--append] +# | arg: -u, --uri - Uri of the repository. +# | arg: -s, --suite - Suite of the repository. +# | arg: -c, --component - Component of the repository. +# | arg: -n, --name - Name for the files for this repo, $app as default value. +# | arg: -a, --append - Do not overwrite existing files. +# +# Example for a repo like deb http://forge.yunohost.org/debian/ stretch stable +# uri suite component +# ynh_add_repo --uri=http://forge.yunohost.org/debian/ --suite=stretch --component=stable +# +ynh_add_repo () { + # Declare an array to define the options of this helper. + local legacy_args=uscna + declare -Ar args_array=( [u]=uri= [s]=suite= [c]=component= [n]=name= [a]=append ) + local uri + local suite + local component + local name + local append + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + name="${name:-$app}" + append=${append:-0} + + if [ $append -eq 1 ] + then + append="tee -a" + else + append="tee" + fi + + mkdir -p "/etc/apt/sources.list.d" + # Add the new repo in sources.list.d + echo "deb $uri $suite $component" \ + | $append "/etc/apt/sources.list.d/$name.list" +} + +# Pin a repository. +# +# [internal] +# +# usage: ynh_pin_repo --package=packages --pin=pin_filter [--priority=priority_value] [--name=name] [--append] +# | arg: -p, --package - Packages concerned by the pin. Or all, *. +# | arg: -i, --pin - Filter for the pin. 
+# | arg: -p, --priority - Priority for the pin +# | arg: -n, --name - Name for the files for this repo, $app as default value. +# | arg: -a, --append - Do not overwrite existing files. +# +# See https://manpages.debian.org/stretch/apt/apt_preferences.5.en.html for information about pinning. +# +ynh_pin_repo () { + # Declare an array to define the options of this helper. + local legacy_args=pirna + declare -Ar args_array=( [p]=package= [i]=pin= [r]=priority= [n]=name= [a]=append ) + local package + local pin + local priority + local name + local append + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + package="${package:-*}" + priority=${priority:-50} + name="${name:-$app}" + append=${append:-0} + + if [ $append -eq 1 ] + then + append="tee -a" + else + append="tee" + fi + + mkdir -p "/etc/apt/preferences.d" + echo "Package: $package +Pin: $pin +Pin-Priority: $priority" \ + | $append "/etc/apt/preferences.d/$name" +} From 7ba253cb18b4badaa5467101417b5e06327155e6 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sun, 9 Feb 2020 20:08:00 +0100 Subject: [PATCH 08/94] Add the helper ynh_get_scalable_phpfpm And adapt ynh_add_fpm_config to generate a fpm config file without a template by using ynh_get_scalable_phpfpm --- data/helpers.d/php | 252 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 244 insertions(+), 8 deletions(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 224c0a3d9..5e7a7ec78 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
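Review bot: `key=${key:-0}` makes the following `[ -n "$key" ]` test always true in both `ynh_install_extra_app_dependencies` and `ynh_install_extra_repo`, so a call without `--key` still runs `wget -q "0"` and writes whatever `gpg --dearmor` emits to `/etc/apt/trusted.gpg.d/$name.gpg`; `key=${key:-}` restores the intended "only if asked" behaviour. `ynh_install_extra_app_dependencies` installs the repository under `$name` but ends with `ynh_remove_extra_repo --name=$app`, so with an explicit `--name` the source, pin and key are left on the system; it should be `--name=$name`. A key placed in `trusted.gpg.d` is accepted for every configured source, it is taken from the URL with no fingerprint check, and a failed download is hidden by the pipeline unless `pipefail` is set elsewhere. Checking the fetched key against a fingerprint supplied by the caller, or storing it outside `trusted.gpg.d` and naming it with `[signed-by=...]` in the `deb` line, would limit what that key can vouch for. In `ynh_pin_repo` the header documents `-p` for `--priority` while `args_array` maps it to `r`.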
@@ -2,18 +2,47 @@ # Create a dedicated php-fpm config # -# usage: ynh_add_fpm_config [--phpversion=7.X] +# usage 1: ynh_add_fpm_config [--phpversion=7.X] [--use_template] # | arg: -v, --phpversion - Version of php to use. +# | arg: -t, --use_template - Use this helper in template mode. +# +# ----------------------------------------------------------------------------- +# +# usage 2: ynh_add_fpm_config [--phpversion=7.X] --usage=usage --footprint=footprint +# | arg: -v, --phpversion - Version of php to use.# +# | arg: -f, --footprint - Memory footprint of the service (low/medium/high). +# low - Less than 20Mb of ram by pool. +# medium - Between 20Mb and 40Mb of ram by pool. +# high - More than 40Mb of ram by pool. +# Or specify exactly the footprint, the load of the service as Mb by pool instead of having a standard value. +# To have this value, use the following command and stress the service. +# watch -n0.5 ps -o user,cmd,%cpu,rss -u APP +# +# | arg: -u, --usage - Expected usage of the service (low/medium/high). +# low - Personal usage, behind the sso. +# medium - Low usage, few people or/and publicly accessible. +# high - High usage, frequently visited website. # # Requires YunoHost version 2.7.2 or higher. ynh_add_fpm_config () { # Declare an array to define the options of this helper. - local legacy_args=v - declare -Ar args_array=( [v]=phpversion= ) + local legacy_args=vtuf + declare -Ar args_array=( [v]=phpversion= [t]=use_template [u]=usage= [f]=footprint= ) local phpversion + local use_template + local usage + local footprint # Manage arguments with getopts ynh_handle_getopts_args "$@" + # The default behaviour is to use the template. + use_template="${use_template:-1}" + usage="${usage:-}" + footprint="${footprint:-}" + if [ -n "$usage" ] || [ -n "$footprint" ]; then + use_template=0 + fi + # Configure PHP-FPM 7.0 by default phpversion="${phpversion:-7.0}" 
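Review bot: `use_template` is switched off as soon as either `--usage` or `--footprint` is non-empty, but usage 2 in the header shows both as required and the missing one stays an empty string for the generated configuration. Rejecting the half-specified call inside that branch makes the failure explicit: `if [ -z "$usage" ] || [ -z "$footprint" ]; then ynh_die "Both --usage and --footprint are required"; fi`. With `use_template="${use_template:-1}"` the `--use_template` flag appears to change nothing, since unset and set both select the template; the header should say so or the flag should be dropped. The header also has a stray `#` in `Version of php to use.#`, and the function body continues outside the hunk.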
@@ -28,11 +57,65 @@ ynh_add_fpm_config () { ynh_app_setting_set --app=$app --key=fpm_service --value="$fpm_service" finalphpconf="$fpm_config_dir/pool.d/$app.conf" ynh_backup_if_checksum_is_different --file="$finalphpconf" - cp ../conf/php-fpm.conf "$finalphpconf" - ynh_replace_string --match_string="__NAMETOCHANGE__" --replace_string="$app" --target_file="$finalphpconf" - ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalphpconf" - ynh_replace_string --match_string="__USER__" --replace_string="$app" --target_file="$finalphpconf" - ynh_replace_string --match_string="__PHPVERSION__" --replace_string="$phpversion" --target_file="$finalphpconf" + + if [ $use_template -eq 1 ] + then + # Usage 1, use the template in ../conf/php-fpm.conf + cp ../conf/php-fpm.conf "$finalphpconf" + ynh_replace_string --match_string="__NAMETOCHANGE__" --replace_string="$app" --target_file="$finalphpconf" + ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalphpconf" + ynh_replace_string --match_string="__USER__" --replace_string="$app" --target_file="$finalphpconf" + ynh_replace_string --match_string="__PHPVERSION__" --replace_string="$phpversion" --target_file="$finalphpconf" + + else + # Usage 2, generate a php-fpm config file with ynh_get_scalable_phpfpm + ynh_get_scalable_phpfpm --usage=$usage --footprint=$footprint + + # Copy the default file + cp "$fpm_config_dir/pool.d/www.conf" "$finalphpconf" + + # Replace standard variables into the default file + ynh_replace_string --match_string="^\[www\]" --replace_string="[$app]" --target_file="$finalphpconf" + ynh_replace_string --match_string=".*listen = .*" --replace_string="listen = /var/run/php/php$phpversion-fpm-$app.sock" --target_file="$finalphpconf" + ynh_replace_string --match_string="^user = .*" --replace_string="user = $app" --target_file="$finalphpconf" + ynh_replace_string --match_string="^group = .*" --replace_string="group = 
$app" --target_file="$finalphpconf" + ynh_replace_string --match_string=".*chdir = .*" --replace_string="chdir = $final_path" --target_file="$finalphpconf" + + # Configure fpm children + ynh_replace_string --match_string=".*pm = .*" --replace_string="pm = $php_pm" --target_file="$finalphpconf" + ynh_replace_string --match_string=".*pm.max_children = .*" --replace_string="pm.max_children = $php_max_children" --target_file="$finalphpconf" + ynh_replace_string --match_string=".*pm.max_requests = .*" --replace_string="pm.max_requests = 500" --target_file="$finalphpconf" + ynh_replace_string --match_string=".*request_terminate_timeout = .*" --replace_string="request_terminate_timeout = 1d" --target_file="$finalphpconf" + if [ "$php_pm" = "dynamic" ] + then + ynh_replace_string --match_string=".*pm.start_servers = .*" --replace_string="pm.start_servers = $php_start_servers" --target_file="$finalphpconf" + ynh_replace_string --match_string=".*pm.min_spare_servers = .*" --replace_string="pm.min_spare_servers = $php_min_spare_servers" --target_file="$finalphpconf" + ynh_replace_string --match_string=".*pm.max_spare_servers = .*" --replace_string="pm.max_spare_servers = $php_max_spare_servers" --target_file="$finalphpconf" + elif [ "$php_pm" = "ondemand" ] + then + ynh_replace_string --match_string=".*pm.process_idle_timeout = .*" --replace_string="pm.process_idle_timeout = 10s" --target_file="$finalphpconf" + fi + + # Comment unused parameters + if [ "$php_pm" != "dynamic" ] + then + ynh_replace_string --match_string=".*\(pm.start_servers = .*\)" --replace_string=";\1" --target_file="$finalphpconf" + ynh_replace_string --match_string=".*\(pm.min_spare_servers = .*\)" --replace_string=";\1" --target_file="$finalphpconf" + ynh_replace_string --match_string=".*\(pm.max_spare_servers = .*\)" --replace_string=";\1" --target_file="$finalphpconf" + fi + if [ "$php_pm" != "ondemand" ] + then + ynh_replace_string --match_string=".*\(pm.process_idle_timeout = .*\)" 
--replace_string=";\1" --target_file="$finalphpconf" + fi + + # Concatene the extra config. + if [ -e ../conf/extra_php-fpm.conf ]; then + cat ../conf/extra_php-fpm.conf >> "$finalphpconf" + fi + fi + + + chown root: "$finalphpconf" ynh_store_file_checksum --file="$finalphpconf" @@ -45,6 +128,7 @@ ynh_add_fpm_config () { chown root: "$finalphpini" ynh_store_file_checksum "$finalphpini" fi + ynh_systemd_action --service_name=$fpm_service --action=reload } 
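Review bot: `request_terminate_timeout = 1d` in the generated pool lets a single hung or very slow request hold a worker for up to a day, and because pm.max_children is capped by ynh_get_scalable_phpfpm a handful of such requests can occupy the whole pool. Nothing in the hunk says why a day was chosen, so either use a value closer to the longest legitimate request or record the reason beside it, e.g. `# 1d because REASON; apps needing less should set it in ../conf/extra_php-fpm.conf`. Whether the appended extra_php-fpm.conf really overrides the earlier directive depends on how php-fpm treats repeated keys and should be checked. The call `ynh_get_scalable_phpfpm --usage=$usage --footprint=$footprint` would also be safer with both expansions quoted. ynh_add_fpm_config starts and ends outside this hunk.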
@@ -145,3 +229,155 @@ ynh_remove_php () { ynh_secure_remove /etc/php/ynh_app_version fi } + +# Define the values to configure php-fpm +# +# usage: ynh_get_scalable_phpfpm --usage=usage --footprint=footprint [--print] +# | arg: -f, --footprint - Memory footprint of the service (low/medium/high). +# low - Less than 20Mb of ram by pool. +# medium - Between 20Mb and 40Mb of ram by pool. +# high - More than 40Mb of ram by pool. +# Or specify exactly the footprint, the load of the service as Mb by pool instead of having a standard value. +# To have this value, use the following command and stress the service. +# watch -n0.5 ps -o user,cmd,%cpu,rss -u APP +# +# | arg: -u, --usage - Expected usage of the service (low/medium/high). +# low - Personal usage, behind the sso. +# medium - Low usage, few people or/and publicly accessible. +# high - High usage, frequently visited website. +# +# | arg: -p, --print - Print the result +# +# +# The footprint of the service will be used to defined the maximum footprint we can allow, which is half the maximum RAM. +# So it will be used to defined 'pm.max_children' +# A lower value for the footprint will allow more children for 'pm.max_children'. And so for +# 'pm.start_servers', 'pm.min_spare_servers' and 'pm.max_spare_servers' which are defined from the +# value of 'pm.max_children' +# NOTE: 'pm.max_children' can't exceed 4 times the number of processor's cores. +# +# The usage value will defined the way php will handle the children for the pool. +# A value set as 'low' will set the process manager to 'ondemand'. Children will start only if the +# service is used, otherwise no child will stay alive. This config gives the lower footprint when the +# service is idle. But will use more proc since it has to start a child as soon it's used. +# Set as 'medium', the process manager will be at dynamic. If the service is idle, a number of children +# equal to pm.min_spare_servers will stay alive. 
So the service can be quick to answer to any request. +# The number of children can grow if needed. The footprint can stay low if the service is idle, but +# not null. The impact on the proc is a little bit less than 'ondemand' as there's always a few +# children already available. +# Set as 'high', the process manager will be set at 'static'. There will be always as many children as +# 'pm.max_children', the footprint is important (but will be set as maximum a quarter of the maximum +# RAM) but the impact on the proc is lower. The service will be quick to answer as there's always many +# children ready to answer. +ynh_get_scalable_phpfpm () { + local legacy_args=ufp + # Declare an array to define the options of this helper. + declare -Ar args_array=( [u]=usage= [f]=footprint= [p]=print ) + local usage + local footprint + local print + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + # Set all characters as lowercase + footprint=${footprint,,} + usage=${usage,,} + print=${print:-0} + + if [ "$footprint" = "low" ] + then + footprint=20 + elif [ "$footprint" = "medium" ] + then + footprint=35 + elif [ "$footprint" = "high" ] + then + footprint=50 + fi + + # Define the way the process manager handle child processes. + if [ "$usage" = "low" ] + then + php_pm=ondemand + elif [ "$usage" = "medium" ] + then + php_pm=dynamic + elif [ "$usage" = "high" ] + then + php_pm=static + else + ynh_die --message="Does not recognize '$usage' as an usage value." + fi + + # Get the total of RAM available, except swap. + local max_ram=$(ynh_check_ram --no_swap) + + less0() { + # Do not allow value below 1 + if [ $1 -le 0 ] + then + echo 1 + else + echo $1 + fi + } + + # Define pm.max_children + # The value of pm.max_children is the total amount of ram divide by 2 and divide again by the footprint of a pool for this app. + # So if php-fpm start the maximum of children, it won't exceed half of the ram. 
+ php_max_children=$(( $max_ram / 2 / $footprint )) + # If process manager is set as static, use half less children. + # Used as static, there's always as many children as the value of pm.max_children + if [ "$php_pm" = "static" ] + then + php_max_children=$(( $php_max_children / 2 )) + fi + php_max_children=$(less0 $php_max_children) + + # To not overload the proc, limit the number of children to 4 times the number of cores. + local core_number=$(nproc) + local max_proc=$(( $core_number * 4 )) + if [ $php_max_children -gt $max_proc ] + then + php_max_children=$max_proc + fi + + if [ "$php_pm" = "dynamic" ] + then + # Define pm.start_servers, pm.min_spare_servers and pm.max_spare_servers for a dynamic process manager + php_min_spare_servers=$(( $php_max_children / 8 )) + php_min_spare_servers=$(less0 $php_min_spare_servers) + + php_max_spare_servers=$(( $php_max_children / 2 )) + php_max_spare_servers=$(less0 $php_max_spare_servers) + + php_start_servers=$(( $php_min_spare_servers + ( $php_max_spare_servers - $php_min_spare_servers ) /2 )) + php_start_servers=$(less0 $php_start_servers) + else + php_min_spare_servers=0 + php_max_spare_servers=0 + php_start_servers=0 + fi + + if [ $print -eq 1 ] + then + ynh_debug --message="Footprint=${footprint}Mb by pool." 
+ ynh_debug --message="Process manager=$php_pm" + ynh_debug --message="Max RAM=${max_ram}Mb" + if [ "$php_pm" != "static" ]; then + ynh_debug --message="\nMax estimated footprint=$(( $php_max_children * $footprint ))" + ynh_debug --message="Min estimated footprint=$(( $php_min_spare_servers * $footprint ))" + fi + if [ "$php_pm" = "dynamic" ]; then + ynh_debug --message="Estimated average footprint=$(( $php_max_spare_servers * $footprint ))" + elif [ "$php_pm" = "static" ]; then + ynh_debug --message="Estimated footprint=$(( $php_max_children * $footprint ))" + fi + ynh_debug --message="\nRaw php-fpm values:" + ynh_debug --message="pm.max_children = $php_max_children" + if [ "$php_pm" = "dynamic" ]; then + ynh_debug --message="pm.start_servers = $php_start_servers" + ynh_debug --message="pm.min_spare_servers = $php_min_spare_servers" + ynh_debug --message="pm.max_spare_servers = $php_max_spare_servers" + fi + fi +} From 96095624f5c506340954a2b86b41a41ba93b0f7f Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sun, 9 Feb 2020 20:10:27 +0100 Subject: [PATCH 09/94] Add the helper ynh_check_ram --- data/helpers.d/hardware | 72 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 data/helpers.d/hardware diff --git a/data/helpers.d/hardware b/data/helpers.d/hardware new file mode 100644 index 000000000..11012a3d1 --- /dev/null +++ b/data/helpers.d/hardware 
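Review bot: `footprint` is only mapped from low/medium/high and is otherwise used as given in `php_max_children=$(( $max_ram / 2 / $footprint ))`, so an empty, zero or non-numeric value reaches shell arithmetic unchecked. Bash evaluates the expanded text as an expression, so the outcome is a division-by-zero or syntax error at best, and a caller-supplied string is interpreted rather than treated as a plain number. The `usage` chain already ends in `ynh_die`; the footprint chain should get the same treatment after its three keyword branches, for example `[[ "$footprint" =~ ^[1-9][0-9]*$ ]] || ynh_die --message="Does not recognize '$footprint' as a footprint value."`. The `php_*` results are assigned without `local`, which looks intentional since ynh_add_fpm_config reads them, but it deserves a line in the header comment.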
@@ -0,0 +1,72 @@ +#!/bin/bash + +# Check the amount of available RAM +# +# usage: ynh_check_ram [--required=RAM required in Mb] [--no_swap|--only_swap] [--free_ram] +# | arg: -r, --required= - Amount of RAM required in Mb. The helper will return 0 is there's enough RAM, or 1 otherwise. +# If --required isn't set, the helper will print the amount of RAM, in Mb. +# | arg: -s, --no_swap - Ignore swap +# | arg: -o, --only_swap - Ignore real RAM, consider only swap. +# | arg: -f, --free_ram - Count only free RAM, not the total amount of RAM available. +ynh_check_ram () { + # Declare an array to define the options of this helper. + declare -Ar args_array=( [r]=required= [s]=no_swap [o]=only_swap [f]=free_ram ) + local required + local no_swap + local only_swap + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + required=${required:-} + no_swap=${no_swap:-0} + only_swap=${only_swap:-0} + + local total_ram=$(vmstat --stats --unit M | grep "total memory" | awk '{print $1}') + local total_swap=$(vmstat --stats --unit M | grep "total swap" | awk '{print $1}') + local total_ram_swap=$(( total_ram + total_swap )) + + local free_ram=$(vmstat --stats --unit M | grep "free memory" | awk '{print $1}') + local free_swap=$(vmstat --stats --unit M | grep "free swap" | awk '{print $1}') + local free_ram_swap=$(( free_ram + free_swap )) + + # Use the total amount of ram + local ram=$total_ram_swap + if [ $free_ram -eq 1 ] + then + # Use the total amount of free ram + ram=$free_ram_swap + if [ $no_swap -eq 1 ] + then + # Use only the amount of free ram + ram=$free_ram + elif [ $only_swap -eq 1 ] + then + # Use only the amount of free swap + ram=$free_swap + fi + else + if [ $no_swap -eq 1 ] + then + # Use only the amount of free ram + ram=$total_ram + elif [ $only_swap -eq 1 ] + then + # Use only the amount of free swap + ram=$total_swap + fi + fi + + if [ -n "$required" ] + then + # Return 1 if the amount of ram isn't enough. 
+ if [ $ram -lt $required ] + then + return 1 + else + return 0 + fi + + # If no RAM is required, return the amount of available ram. + else + echo $ram + fi +} From e3bcc4b4c93053f9c728929b2b7ab7f610f9d0fa Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 24 Feb 2020 13:54:43 +0100 Subject: [PATCH 10/94] Fix pin priority issue --- data/helpers.d/apt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index 0f973dda5..756f077ab 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt @@ -251,8 +251,8 @@ ynh_install_app_dependencies () { ynh_install_extra_repo --repo="https://packages.sury.org/php/ $(lsb_release -sc) main" --key="https://packages.sury.org/php/apt.gpg" --name=extra_php_version # Pin this sury repository to prevent sury of doing shit - ynh_pin_repo --package="*" --pin="origin \"packages.sury.org\"" 200 --name=extra_php_version - ynh_pin_repo --package="php7.0*" --pin="origin \"packages.sury.org\"" 600 --name=extra_php_version --append + ynh_pin_repo --package="*" --pin="origin \"packages.sury.org\"" --priority=200 --name=extra_php_version + ynh_pin_repo --package="php7.0*" --pin="origin \"packages.sury.org\"" --priority=600 --name=extra_php_version --append fi fi fi From 052ade602d2d9d74ea37d373aa5693e44179d66b Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Tue, 10 Mar 2020 21:02:40 +0100 Subject: [PATCH 11/94] Fix missing option in ynh_install_php --- data/helpers.d/php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 5e7a7ec78..817be7f4d 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
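Review bot: The `--free_ram` switch of ynh_check_ram cannot take effect: `free_ram` is not declared with the other option locals before `ynh_handle_getopts_args`, and `local free_ram=$(vmstat …)` then stores the free-memory figure under the same name, overwriting whatever the option parser may have set. As a result `if [ $free_ram -eq 1 ]` compares a number of megabytes with 1, and callers asking for free memory get the totals instead, which overstates what is available to anything sized from the result. Keeping the flag and the measurement in separate variables fixes it; the measurement is renamed below and every later read of the free-RAM amount has to follow the rename.
```shell
    local only_swap
    local free_ram
    # … unchanged: ynh_handle_getopts_args call and the other defaults …
    free_ram=${free_ram:-0}
    # … unchanged: total_ram, total_swap, total_ram_swap …
    local free_ram_mb=$(vmstat --stats --unit M | grep "free memory" | awk '{print $1}')
    # … unchanged: free_swap …
    local free_ram_swap=$(( free_ram_mb + free_swap ))
    # … unchanged: ram=$total_ram_swap and the flag test if [ $free_ram -eq 1 ] …
            # Use only the amount of free ram
            ram=$free_ram_mb
    # … unchanged: remaining branches and the --required comparison …
```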
@@ -188,8 +188,8 @@ ynh_install_php () { update-alternatives --set php /usr/bin/php7.0 # Pin this extra repository after packages are installed to prevent sury of doing shit - ynh_pin_repo --package="*" --pin="origin \"packages.sury.org\"" 200 --name=extra_php_version - ynh_pin_repo --package="php7.0*" --pin="origin \"packages.sury.org\"" 600 --name=extra_php_version --append + ynh_pin_repo --package="*" --pin="origin \"packages.sury.org\"" --priority=200 --name=extra_php_version + ynh_pin_repo --package="php7.0*" --pin="origin \"packages.sury.org\"" --priority=600 --name=extra_php_version --append # Advertise service in admin panel yunohost service add php${phpversion}-fpm --log "/var/log/php${phpversion}-fpm.log" From b7a5847c30473ae4c180aaee9eabee421d6a29db Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Tue, 10 Mar 2020 21:05:04 +0100 Subject: [PATCH 12/94] Add a line between each pin instructions --- data/helpers.d/apt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index 756f077ab..def430055 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt @@ -532,6 +532,7 @@ ynh_pin_repo () { mkdir -p "/etc/apt/preferences.d" echo "Package: $package Pin: $pin -Pin-Priority: $priority" \ +Pin-Priority: $priority +" \ | $append "/etc/apt/preferences.d/$name" } From 9b698e669d2e3af5f24b23e5127f748f341429f3 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Fri, 27 Mar 2020 23:59:35 +0100 Subject: [PATCH 13/94] Fix those damn locales --- locales/de.json | 2 +- locales/fr.json | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/locales/de.json b/locales/de.json index ac9efddb2..5587a4e48 100644 --- a/locales/de.json +++ b/locales/de.json 
@@ -308,7 +308,7 @@ "experimental_feature": "Warnung: Diese Funktion ist experimentell und gilt nicht als stabil. Sie sollten sie nur verwenden, wenn Sie wissen, was Sie tun.", "error_when_removing_sftpuser_group": "Fehler beim Versuch, die Gruppe sftpusers zu entfernen", "edit_permission_with_group_all_users_not_allowed": "Sie dürfen die Berechtigung für die Gruppe \"all_users\" nicht bearbeiten. Verwenden Sie stattdessen \"yunohost user permission clear APP\" oder \"yunohost user permission add APP -u USER\".", - "edit_group_not_allowed": "Du bist nicht berechtigt zum Bearbeiten der Gruppe {group: s}", + "edit_group_not_allowed": "Du bist nicht berechtigt zum Bearbeiten der Gruppe {group:s}", "dyndns_domain_not_provided": "Der DynDNS-Anbieter {provider:s} kann die Domain(s) {domain:s} nicht bereitstellen.", "dyndns_could_not_check_available": "Konnte nicht überprüfen, ob {domain:s} auf {provider:s} verfügbar ist.", "dyndns_could_not_check_provide": "Konnte nicht überprüft, ob {provider:s} die Domain(s) {domain:s} bereitstellen kann.", diff --git a/locales/fr.json b/locales/fr.json index 53aedc1ae..f175a5704 100644 --- a/locales/fr.json +++ b/locales/fr.json 
@@ -280,7 +280,7 @@ "certmanager_domain_not_resolved_locally": "Le domaine {domain:s} ne peut être résolu depuis votre serveur YunoHost. Cela peut se produire si vous avez récemment modifié votre enregistrement DNS. Si c'est le cas, merci d’attendre quelques heures qu’il se propage. Si le problème persiste, envisager d’ajouter {domain:s} au fichier /etc/hosts. (Si vous savez ce que vous faites, utilisez --no-checks pour désactiver ces vérifications.)", "certmanager_http_check_timeout": "Expiration du délai lorsque le serveur a essayé de se contacter lui-même via HTTP en utilisant l'adresse IP public {ip:s} du domaine {domain:s}. Vous rencontrez peut-être un problème d’hairpinning ou alors le pare-feu/routeur en amont de votre serveur est mal configuré.", "certmanager_couldnt_fetch_intermediate_cert": "Expiration du délai lors de la tentative de récupération du certificat intermédiaire depuis Let’s Encrypt. L’installation ou le renouvellement du certificat a été annulé. Veuillez réessayer plus tard.", - "appslist_retrieve_bad_format": "Impossible de lire la liste des applications extraites '{appslist: s}'", + "appslist_retrieve_bad_format": "Impossible de lire la liste des applications extraites '{appslist:s}'", "domain_hostname_failed": "Échec de l’utilisation d’un nouveau nom d’hôte. Cela pourrait causer des soucis plus tard (peut-être que ça n’en causera pas).", "yunohost_ca_creation_success": "L’autorité de certification locale créée.", "appslist_name_already_tracked": "Une liste d'applications enregistrées portant le nom {name:s} existe déjà.", 
@@ -607,11 +607,11 @@ "migration_0011_update_LDAP_database": "Mise à jour de la base de données LDAP…", "system_groupname_exists": "Le nom de groupe existe déjà dans le groupe du systèmes", "tools_update_failed_to_app_fetchlist": "Impossible de mettre à jour les listes d'applications de YunoHost car: {error}", - "user_already_in_group": "L'utilisateur '{user:}' est déjà dans le groupe '{group: s}'", - "user_not_in_group": "L'utilisateur '{user: s}' ne fait pas partie du groupe {group: s}", + "user_already_in_group": "L'utilisateur '{user:}' est déjà dans le groupe '{group:s}'", + "user_not_in_group": "L'utilisateur '{user:s}' ne fait pas partie du groupe {group:s}", "migration_0011_backup_before_migration": "Création d'une sauvegarde des paramètres de la base de données LDAP et des applications avant la migration.", "permission_not_found": "Autorisation '{permission:s}' introuvable", - "permission_name_not_valid": "Choisissez un nom d'autorisation autorisé pour '{permission: s}'", + "permission_name_not_valid": "Choisissez un nom d'autorisation autorisé pour '{permission:s}'", "permission_update_failed": "Impossible de mettre à jour la permission '{permission}': {error}", "permission_generated": "Base de données des autorisations mise à jour", "permission_updated": "Permission '{permission:s}' mise à jour", 
@@ -626,13 +626,13 @@ "migrations_success_forward": "Migration {id} terminée", "need_define_permission_before": "Redéfinissez l'autorisation à l'aide de 'yunohost user permission add -u USER' avant de supprimer un groupe autorisé", "operation_interrupted": "L'opération a été interrompue manuellement ?", - "permission_already_clear": "L'autorisation '{permission: s}' est déjà vide pour l'application {app: s}", + "permission_already_clear": "L'autorisation '{permission:s}' est déjà vide pour l'application {app:s}", "permission_already_exist": "L'autorisation '{permission}' existe déjà", "permission_created": "Permission '{permission:s}' créée", "permission_creation_failed": "Impossible de créer l'autorisation '{permission}': {erreur}", "permission_deleted": "Permission '{permission:s}' supprimée", "permission_deletion_failed": "Impossible de supprimer la permission '{permission}': {error}", - "remove_user_of_group_not_allowed": "Vous n'êtes pas autorisé à supprimer l'utilisateur '{utilisateur: s}' dans le groupe '{groupe: s}'", + "remove_user_of_group_not_allowed": "Vous n'êtes pas autorisé à supprimer l'utilisateur '{utilisateur:s}' dans le groupe '{groupe:s}'", "migration_description_0011_setup_group_permission": "Initialiser les groupes d'utilisateurs et autorisations pour les applications et les services", "migration_0011_LDAP_config_dirty": "Il semble que vous ayez personnalisé votre configuration LDAP. Pour cette migration, la configuration LDAP doit être mise à jour.\nVous devez enregistrer votre configuration actuelle, réintialiser la configuration d'origine en exécutant 'yunohost tools regen-conf -f', puis réessayer la migration", "migration_0011_LDAP_update_failed": "Impossible de mettre à jour LDAP. Erreur: {error:s}", From 5ded6ecbe6677e9de21ca9e9272e1943428a667b Mon Sep 17 00:00:00 2001 From: Kay0u Date: Sat, 28 Mar 2020 00:04:32 +0100 Subject: [PATCH 14/94] Merge resolved --- locales/oc.json | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
diff --git a/locales/oc.json b/locales/oc.json index 55f7a002a..a06520ae5 100644 --- a/locales/oc.json +++ b/locales/oc.json @@ -439,13 +439,8 @@ "log_service_regen_conf": "Regenerar la configuracion sistèma de « {} »", "log_user_create": "Ajustar l’utilizaire « {} »", "log_user_delete": "Levar l’utilizaire « {} »", -<<<<<<< HEAD - "log_user_update": "Actualizar las informacions a l’utilizaire « {} »", - "log_tools_maindomain": "Far venir « {} » lo domeni màger", -======= "log_user_update": "Actualizar las informacions de l’utilizaire « {} »", - "log_domain_main_domain": "Far venir « {} » lo domeni màger", ->>>>>>> b968dff2... Translated using Weblate (Occitan) + "log_tools_maindomain": "Far venir « {} » lo domeni màger", "log_tools_migrations_migrate_forward": "Migrar", "log_tools_migrations_migrate_backward": "Tornar en arrièr", "log_tools_postinstall": "Realizar la post installacion del servidor YunoHost", From 3574527311eaa3c9a169cd8e6d04283a3a2e47ad Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sat, 28 Mar 2020 00:33:52 +0100 Subject: [PATCH 15/94] Fix mess due to automatic translation tools ~_~ --- locales/ar.json | 6 +++--- locales/ca.json | 4 ++-- locales/de.json | 6 +++--- locales/eo.json | 20 ++++++++++---------- locales/fr.json | 12 ++++++------ locales/nl.json | 2 +- locales/oc.json | 18 +++++++++--------- 7 files changed, 34 insertions(+), 34 deletions(-) diff --git a/locales/ar.json b/locales/ar.json index 936b54d2e..6bcbb9333 100644 --- a/locales/ar.json +++ b/locales/ar.json 
@@ -182,7 +182,7 @@ "firewall_reloaded": "The firewall has been reloaded", "firewall_rules_cmd_failed": "Some firewall rules commands have failed. For more information, see the log.", "format_datetime_short": "%m/%d/%Y %I:%M %p", - "global_settings_bad_choice_for_enum": "Bad value for setting {setting:s}, received {received_type:s}, except {expected_type:s}", + "global_settings_bad_choice_for_enum": "Bad value for setting {setting:s}, received {choice:s}, except {available_choices:s}", "global_settings_bad_type_for_setting": "Bad type for setting {setting:s}, received {received_type:s}, except {expected_type:s}", "global_settings_cant_open_settings": "Failed to open settings file, reason: {reason:s}", "global_settings_cant_serialize_settings": "Failed to serialize settings data, reason: {reason:s}", @@ -227,8 +227,8 @@ "migrations_current_target": "Migration target is {}", "migrations_error_failed_to_load_migration": "ERROR: failed to load migration {number} {name}", "migrations_forward": "Migrating forward", - "migrations_loading_migration": "Loading migration {number} {name}…", - "migrations_migration_has_failed": "Migration {number} {name} has failed with exception {exception}, aborting", + "migrations_loading_migration": "Loading migration {id}…", + "migrations_migration_has_failed": "Migration {id} has failed with exception {exception}, aborting", "migrations_no_migrations_to_run": "No migrations to run", "migrations_show_currently_running_migration": "Running migration {number} {name}…", "migrations_show_last_migration": "Last ran migration is {}", diff --git a/locales/ca.json b/locales/ca.json index 5d9ed318d..61d832c30 100644 --- a/locales/ca.json +++ b/locales/ca.json 
@@ -167,7 +167,7 @@ "domain_created": "S'ha creat el domini", "domain_creation_failed": "No s'ha pogut crear el domini {domain}: {error}", "domain_deleted": "S'ha eliminat el domini", - "domain_deletion_failed": "No s'ha pogut eliminar el domini {domini}: {error}", + "domain_deletion_failed": "No s'ha pogut eliminar el domini {domain}: {error}", "domain_exists": "El domini ja existeix", "app_action_cannot_be_ran_because_required_services_down": "Aquests serveis necessaris haurien d'estar funcionant per poder executar aquesta acció: {services} Intenteu reiniciar-los per continuar (i possiblement investigar perquè estan aturats).", "domain_dns_conf_is_just_a_recommendation": "Aquesta ordre mostra la configuració *recomanada*. En cap cas fa la configuració del DNS. És la vostra responsabilitat configurar la zona DNS en el vostre registrar en acord amb aquesta recomanació.", @@ -459,7 +459,7 @@ "service_description_yunohost-firewall": "Gestiona els ports de connexió oberts i tancats als serveis", "service_disable_failed": "No s'han pogut fer que el servei «{service:s}» no comenci a l'arrancada.\n\nRegistres recents: {logs:s}", "service_disabled": "El servei «{service:s}» ja no començarà al arrancar el sistema.", - "service_enable_failed": "No s'ha pogut fer que el servei «{service:s}» comenci automàticament a l'arrancada.\n\nRegistres recents: {log:s}", + "service_enable_failed": "No s'ha pogut fer que el servei «{service:s}» comenci automàticament a l'arrancada.\n\nRegistres recents: {logs:s}", "service_enabled": "El servei «{service:s}» començarà automàticament durant l'arrancada del sistema.", "service_no_log": "No hi ha cap registre pel servei «{service:s}»", "service_regen_conf_is_deprecated": "«yunohost service regen-conf» està desfasat! Utilitzeu «yunohost tools regen-conf» en el seu lloc.", diff --git a/locales/de.json b/locales/de.json index 5587a4e48..d259fb7b9 100644 --- a/locales/de.json +++ b/locales/de.json 
@@ -302,7 +302,7 @@ "app_change_url_success": "{app:s} URL ist nun {domain:s}{path:s}", "backup_applying_method_borg": "Sende alle Dateien zur Sicherung ins borg-backup repository…", "invalid_url_format": "ungültiges URL Format", - "global_settings_bad_type_for_setting": "Falscher Typ für Einstellung {setting:s}. Empfangen: {receive_type:s}, aber erwartet: {expected_type:s}", + "global_settings_bad_type_for_setting": "Falscher Typ für Einstellung {setting:s}. Empfangen: {received_type:s}, aber erwartet: {expected_type:s}", "global_settings_bad_choice_for_enum": "Falsche Wahl für die Einstellung {setting:s}. Habe '{choice:s}' erhalten, aber es stehen nur folgende Auswahlmöglichkeiten zur Verfügung: {available_choices:s}", "file_does_not_exist": "Die Datei {path:s} existiert nicht.", "experimental_feature": "Warnung: Diese Funktion ist experimentell und gilt nicht als stabil. Sie sollten sie nur verwenden, wenn Sie wissen, was Sie tun.", @@ -333,7 +333,7 @@ "backup_custom_mount_error": "Bei der benutzerdefinierten Sicherungsmethode ist beim Arbeitsschritt \"Einhängen/Verbinden\" ein Fehler aufgetreten", "backup_custom_backup_error": "Bei der benutzerdefinierten Sicherungsmethode ist beim Arbeitsschritt \"Sicherung\" ein Fehler aufgetreten", "backup_csv_creation_failed": "Die zur Wiederherstellung erforderliche CSV-Datei kann nicht erstellt werden", - "backup_couldnt_bind": "{Src:s} konnte nicht an {dest:s} angebunden werden.", + "backup_couldnt_bind": "{src:s} konnte nicht an {dest:s} angebunden werden.", "backup_borg_not_implemented": "Die Borg-Sicherungsmethode ist noch nicht implementiert", "backup_ask_for_copying_if_needed": "Möchten Sie die Sicherung mit {size:s} MB temporär durchführen? (Dieser Weg wird verwendet, da einige Dateien nicht mit einer effizienteren Methode vorbereitet werden konnten).", "backup_actually_backuping": "Erstellt ein Backup-Archiv aus den gesammelten Dateien …", 
@@ -343,7 +343,7 @@ "apps_permission_restoration_failed": "Erteilen der Berechtigung '{permission:s}' für die Wiederherstellung der App {app:s} erforderlich", "apps_permission_not_found": "Keine Berechtigung für die installierten Apps gefunden", "app_upgrade_some_app_failed": "Einige Anwendungen können nicht aktualisiert werden", - "app_upgrade_app_name": "{App} wird jetzt aktualisiert…", + "app_upgrade_app_name": "{app} wird jetzt aktualisiert…", "app_upgrade_several_apps": "Die folgenden Apps werden aktualisiert: {apps}", "app_start_restore": "Anwendung {app} wird wiederhergestellt…", "app_start_backup": "Sammeln von Dateien, die für {app} gesichert werden sollen…", diff --git a/locales/eo.json b/locales/eo.json index 906648120..5047fff09 100644 --- a/locales/eo.json +++ b/locales/eo.json @@ -74,7 +74,7 @@ "backup_invalid_archive": "Ĉi tio ne estas rezerva ar archiveivo", "ask_current_admin_password": "Pasvorto pri aktuala administrado", "backup_creation_failed": "Ne povis krei la rezervan ar archiveivon", - "backup_hook_unknown": "La rezerva hoko '{hoko:s}' estas nekonata", + "backup_hook_unknown": "La rezerva hoko '{hook:s}' estas nekonata", "backup_custom_backup_error": "Propra rezerva metodo ne povis preterpasi la paŝon \"sekurkopio\"", "ask_main_domain": "Ĉefa domajno", "backup_method_tar_finished": "TAR-rezerva ar archiveivo kreita", 
@@ -97,15 +97,15 @@ "app_start_backup": "Kolekti dosierojn por esti subtenata por la '{app}' …", "backup_archive_name_exists": "Rezerva arkivo kun ĉi tiu nomo jam ekzistas.", "backup_applying_method_tar": "Krei la rezervan TAR-ar archiveivon …", - "backup_method_custom_finished": "Propra rezerva metodo '{metodo:s}' finiĝis", - "appslist_retrieve_error": "Ne eblas akiri la forajn listojn '{appslist:s}': {eraro:s}", + "backup_method_custom_finished": "Propra rezerva metodo '{method:s}' finiĝis", + "appslist_retrieve_error": "Ne eblas akiri la forajn listojn '{appslist:s}': {error:s}", "app_already_installed_cant_change_url": "Ĉi tiu app estas jam instalita. La URL ne povas esti ŝanĝita nur per ĉi tiu funkcio. Rigardu \"app changeurl\" se ĝi haveblas.", "app_not_correctly_installed": "{app:s} ŝajnas esti malĝuste instalita", "app_removed": "{app:s} forigita", "backup_delete_error": "Ne povis forigi '{path:s}'", "app_package_need_update": "La pakaĵo {app} devas esti ĝisdatigita por sekvi YunoHost-ŝanĝojn", "backup_nothings_done": "Nenio por ŝpari", - "backup_applying_method_custom": "Nomante la kutiman rezervan metodon '{metodo:s}' …", + "backup_applying_method_custom": "Nomante la kutiman rezervan metodon '{method:s}' …", "appslist_fetched": "Ĝisdatigis la liston de aplikoj '{appslist:s}'", "backup_app_failed": "Ne eblis rezervi la programon '{app:s}'", "app_upgrade_some_app_failed": "Iuj aplikoj ne povis esti altgradigitaj", 
@@ -268,7 +268,7 @@ "pattern_positive_number": "Devas esti pozitiva nombro", "monitor_stats_file_not_found": "Ne povis trovi la statistikan dosieron", "certmanager_error_no_A_record": "Neniu DNS 'A' rekordo trovita por '{domain:s}'. Vi bezonas atentigi vian domajnan nomon al via maŝino por povi instali atestilon Lasu-Ĉifri. (Se vi scias, kion vi faras, uzu '--no-checks' por malŝalti tiujn ĉekojn.)", - "update_apt_cache_failed": "Ne eblis ĝisdatigi la kaŝmemoron de APT (paka administranto de Debian). Jen rubujo de la sources.list-linioj, kiuj povus helpi identigi problemajn liniojn:\n{sourcelist}", + "update_apt_cache_failed": "Ne eblis ĝisdatigi la kaŝmemoron de APT (paka administranto de Debian). Jen rubujo de la sources.list-linioj, kiuj povus helpi identigi problemajn liniojn:\n{sourceslist}", "migrations_no_migrations_to_run": "Neniuj migradoj por funkcii", "executing_command": "Plenumanta komandon '{command:s}' …", "diagnosis_no_apps": "Neniu tia instalita app", @@ -332,7 +332,7 @@ "tools_upgrade_at_least_one": "Bonvolu specifi '--apps' aŭ '--system'", "service_already_stopped": "La servo '{service:s}' jam ĉesis", "unit_unknown": "Nekonata unuo '{unit:s}'", - "migration_0003_modified_files": "Bonvolu noti, ke la jenaj dosieroj estis trovitaj mane kaj modifitaj kaj povus esti anstataŭigitaj sekve de la ĝisdatigo: {manual_modified_files}", + "migration_0003_modified_files": "Bonvolu noti, ke la jenaj dosieroj estis trovitaj mane kaj modifitaj kaj povus esti anstataŭigitaj sekve de la ĝisdatigo: {manually_modified_files}", "tools_upgrade_cant_both": "Ne eblas ĝisdatigi ambaŭ sistemon kaj programojn samtempe", "restore_extracting": "Eltirante bezonatajn dosierojn el la ar theivo…", "upnp_port_open_failed": "Ne povis malfermi havenon per UPnP", 
@@ -390,7 +390,7 @@ "regenconf_up_to_date": "La agordo jam estas ĝisdatigita por kategorio '{category}'", "migration_0003_patching_sources_list": "Patching the sources.lists …", "global_settings_setting_security_ssh_compatibility": "Kongruo vs sekureca kompromiso por la SSH-servilo. Afektas la ĉifradojn (kaj aliajn aspektojn pri sekureco)", - "migrations_need_to_accept_disclaimer": "Por funkciigi la migradon {id}, via devas akcepti la sekvan malakcepton:\n---\n{malavantaĝo}\n---\nSe vi akceptas funkcii la migradon, bonvolu rekonduki la komandon kun la opcio '--accept-disclaimer'.", + "migrations_need_to_accept_disclaimer": "Por funkciigi la migradon {id}, via devas akcepti la sekvan malakcepton:\n---\n{disclaimer}\n---\nSe vi akceptas funkcii la migradon, bonvolu rekonduki la komandon kun la opcio '--accept-disclaimer'.", "regenconf_file_remove_failed": "Ne povis forigi la agordodosieron '{conf}'", "not_enough_disk_space": "Ne sufiĉe libera spaco sur '{path:s}'", "migration_0006_disclaimer": "YunoHost nun atendas, ke la pasvortoj de admin kaj radiko estos sinkronigitaj. Ĉi tiu migrado anstataŭigas vian radikan pasvorton kun la administran pasvorton.", 
@@ -465,10 +465,10 @@ "global_settings_cant_open_settings": "Ne eblis malfermi agordojn, tial: {reason:s}", "user_created": "Uzanto kreita", "service_description_avahi-daemon": "Permesas al vi atingi vian servilon uzante 'yunohost.local' en via loka reto", - "certmanager_attempt_to_replace_valid_cert": "Vi provas anstataŭigi bonan kaj validan atestilon por domajno {domajno:s}! (Uzu --forte pretervidi)", + "certmanager_attempt_to_replace_valid_cert": "Vi provas anstataŭigi bonan kaj validan atestilon por domajno {domain:s}! (Uzu --forte pretervidi)", "monitor_stats_period_unavailable": "Ne ekzistas disponeblaj statistikoj por la periodo", "regenconf_updated": "Agordo ĝisdatigita por '{category}'", - "update_apt_cache_warning": "Io iris malbone dum la ĝisdatigo de la kaŝmemoro de APT (paka administranto de Debian). Jen rubujo de la sources.list-linioj, kiuj povus helpi identigi problemajn liniojn:\n{sourcelist}", + "update_apt_cache_warning": "Io iris malbone dum la ĝisdatigo de la kaŝmemoro de APT (paka administranto de Debian). Jen rubujo de la sources.list-linioj, kiuj povus helpi identigi problemajn liniojn:\n{sourceslist}", "regenconf_dry_pending_applying": "Kontrolado de pritraktata agordo, kiu estus aplikita por kategorio '{category}'…", "regenconf_file_copy_failed": "Ne povis kopii la novan agordodosieron '{new}' al '{conf}'", "global_settings_setting_example_string": "Ekzemple korda elekto", 
@@ -487,7 +487,7 @@ "mysql_db_creation_failed": "Ne povis krei MySQL-datumbazon", "ldap_initialized": "LDAP inicializis", "migrate_tsig_not_needed": "Vi ne ŝajnas uzi DynDNS-domajnon, do neniu migrado necesas.", - "certmanager_domain_cert_not_selfsigned": "La atestilo por domajno {domajno:s} ne estas mem-subskribita. Ĉu vi certas, ke vi volas anstataŭigi ĝin? (Uzu '--force' por fari tion.)", + "certmanager_domain_cert_not_selfsigned": "La atestilo por domajno {domain:s} ne estas mem-subskribita. Ĉu vi certas, ke vi volas anstataŭigi ĝin? (Uzu '--force' por fari tion.)", "certmanager_unable_to_parse_self_CA_name": "Ne povis trapasi nomon de mem-subskribinta aŭtoritato (dosiero: {file:s})", "log_selfsigned_cert_install": "Instalu mem-subskribitan atestilon sur '{}' domajno", "log_tools_reboot": "Reklamu vian servilon", diff --git a/locales/fr.json b/locales/fr.json index f175a5704..4ea52c8af 100644 --- a/locales/fr.json +++ b/locales/fr.json @@ -242,7 +242,7 @@ "user_home_creation_failed": "Impossible de créer le dossier personnel de l’utilisateur", "user_info_failed": "Impossible de récupérer les informations de l’utilisateur", "user_unknown": "L'utilisateur {user:s} est inconnu", - "user_update_failed": "Impossible de mettre à jour l'utilisateur {utilisateur}: {erreur}", + "user_update_failed": "Impossible de mettre à jour l'utilisateur {user}: {error}", "user_updated": "L’utilisateur a été modifié", "yunohost_already_installed": "YunoHost est déjà installé", "yunohost_ca_creation_failed": "Impossible de créer l’autorité de certification", 
@@ -320,7 +320,7 @@ "backup_archive_system_part_not_available": "La partie '{part:s}' du système n’est pas disponible dans cette sauvegarde", "backup_archive_mount_failed": "Le montage de l’archive de sauvegarde a échoué", "backup_archive_writing_error": "Impossible d'ajouter des fichiers '{source:s}' (nommés dans l'archive : '{dest:s}') à sauvegarder dans l'archive compressée '{archive:s}'", - "backup_ask_for_copying_if_needed": "Voulez-vous effectuer la sauvegarde en utilisant {taille:s} temporairement? (Cette méthode est utilisée car certains fichiers n'ont pas pu être préparés avec une méthode plus efficace.)", + "backup_ask_for_copying_if_needed": "Voulez-vous effectuer la sauvegarde en utilisant {size:s} temporairement? (Cette méthode est utilisée car certains fichiers n'ont pas pu être préparés avec une méthode plus efficace.)", "backup_borg_not_implemented": "La méthode de sauvegarde Borg n’est pas encore implémentée", "backup_cant_mount_uncompress_archive": "Impossible de monter en lecture seule le dossier de l’archive décompressée", "backup_copying_to_organize_the_archive": "Copie de {size:s} Mo pour organiser l’archive", 
@@ -466,7 +466,7 @@ "migration_description_0005_postgresql_9p4_to_9p6": "Migration des bases de données de PostgreSQL 9.4 vers PostgreSQL 9.6", "migration_0005_postgresql_94_not_installed": "PostgreSQL n’a pas été installé sur votre système. Rien à faire !", "migration_0005_postgresql_96_not_installed": "PostgreSQL 9.4 a été trouvé et installé, mais pas PostgreSQL 9.6 !? Quelque chose d’étrange a dû arriver à votre système… :(", - "migration_0005_not_enough_space": "Laissez suffisamment d'espace disponible dans {chemin} pour exécuter la migration.", + "migration_0005_not_enough_space": "Laissez suffisamment d'espace disponible dans {path} pour exécuter la migration.", "recommend_to_add_first_user": "La post-installation est terminée mais YunoHost a besoin d’au moins un utilisateur pour fonctionner correctement. Vous devez en ajouter un en utilisant la commande 'yunohost user create $nomdutilisateur' ou bien via l’interface d’administration web.", "service_description_php7.0-fpm": "Exécute des applications écrites en PHP avec NGINX", "users_available": "Liste des utilisateurs disponibles :", 
@@ -600,7 +600,7 @@ "migration_description_0012_postgresql_password_to_md5_authentication": "Forcer l'authentification PostgreSQL à utiliser MD5 pour les connexions locales", "migrations_exclusive_options": "'auto', '--skip' et '--force-rerun' sont des options mutuellement exclusives.", "migrations_not_pending_cant_skip": "Ces migrations ne sont pas en attente et ne peuvent donc pas être ignorées: {ids}", - "migration_0011_can_not_backup_before_migration": "La sauvegarde du système n'a pas pu être terminée avant l'échec de la migration. Erreur: {erreur:s}", + "migration_0011_can_not_backup_before_migration": "La sauvegarde du système n'a pas pu être terminée avant l'échec de la migration. Erreur: {error:s}", "migration_0011_migrate_permission": "Migration des autorisations des paramètres des applications vers LDAP…", "migration_0011_migration_failed_trying_to_rollback": "La migration a échouée… Tentative de restauration du système.", "migration_0011_rollback_success": "Système restauré.", 
@@ -629,10 +629,10 @@ "permission_already_clear": "L'autorisation '{permission:s}' est déjà vide pour l'application {app:s}", "permission_already_exist": "L'autorisation '{permission}' existe déjà", "permission_created": "Permission '{permission:s}' créée", - "permission_creation_failed": "Impossible de créer l'autorisation '{permission}': {erreur}", + "permission_creation_failed": "Impossible de créer l'autorisation '{permission}': {error}", "permission_deleted": "Permission '{permission:s}' supprimée", "permission_deletion_failed": "Impossible de supprimer la permission '{permission}': {error}", - "remove_user_of_group_not_allowed": "Vous n'êtes pas autorisé à supprimer l'utilisateur '{utilisateur:s}' dans le groupe '{groupe:s}'", + "remove_user_of_group_not_allowed": "Vous n'êtes pas autorisé à supprimer l'utilisateur '{user:s}' dans le groupe '{group:s}'", "migration_description_0011_setup_group_permission": "Initialiser les groupes d'utilisateurs et autorisations pour les applications et les services", "migration_0011_LDAP_config_dirty": "Il semble que vous ayez personnalisé votre configuration LDAP. Pour cette migration, la configuration LDAP doit être mise à jour.\nVous devez enregistrer votre configuration actuelle, réintialiser la configuration d'origine en exécutant 'yunohost tools regen-conf -f', puis réessayer la migration", "migration_0011_LDAP_update_failed": "Impossible de mettre à jour LDAP. Erreur: {error:s}", diff --git a/locales/nl.json b/locales/nl.json index 832ca4ea2..9406d9bea 100644 --- a/locales/nl.json +++ b/locales/nl.json 
@@ -82,7 +82,7 @@ "port_available": "Poort {port:d} is beschikbaar", "port_unavailable": "Poort {port:d} is niet beschikbaar", "restore_app_failed": "De app '{app:s}' kon niet worden terug gezet", - "restore_hook_unavailable": "De herstel-hook '{hook:s}' is niet beschikbaar op dit systeem", + "restore_hook_unavailable": "De herstel-hook '{part:s}' is niet beschikbaar op dit systeem", "service_add_failed": "Kan service '{service:s}' niet toevoegen", "service_already_started": "Service '{service:s}' draait al", "service_cmd_exec_failed": "Kan '{command:s}' niet uitvoeren", diff --git a/locales/oc.json b/locales/oc.json index a06520ae5..00d7aa5c5 100644 --- a/locales/oc.json +++ b/locales/oc.json @@ -144,7 +144,7 @@ "domain_created": "Domeni creat", "domain_creation_failed": "Creacion del domeni {domain}: impossibla", "domain_deleted": "Domeni suprimit", - "domain_deletion_failed": "Supression impossibla del domeni {domini}: {error}", + "domain_deletion_failed": "Supression impossibla del domeni {domain}: {error}", "domain_dyndns_invalid": "Domeni incorrècte per una utilizacion amb DynDNS", "domain_dyndns_root_unknown": "Domeni DynDNS màger desconegut", "domain_exists": "Lo domeni existís ja", 
@@ -247,7 +247,7 @@ "firewall_reload_failed": "Impossible de recargar lo parafuòc", "firewall_reloaded": "Parafuòc recargat", "firewall_rules_cmd_failed": "Unas règlas del parafuòc an fracassat. Per mai informacions, consultatz lo jornal.", - "global_settings_bad_choice_for_enum": "La valor del paramètre {setting:s} es incorrècta. Recebut : {received_type:s}, mas las opcions esperadas son : {expected_type:s}", + "global_settings_bad_choice_for_enum": "La valor del paramètre {setting:s} es incorrècta. Recebut : {choice:s}, mas las opcions esperadas son : {available_choices:s}", "global_settings_bad_type_for_setting": "Lo tipe del paramètre {setting:s} es incorrècte, recebut : {received_type:s}, esperat {expected_type:s}", "global_settings_cant_write_settings": "Fracàs de l’escritura del fichièr de configuracion, rason : {reason:s}", "global_settings_setting_example_enum": "Exemple d’opcion de tipe enumeracion", 
@@ -491,7 +491,7 @@ "migration_0007_cannot_restart": "SSH pòt pas èsser reavit aprèp aver ensajat d’anullar la migracion numèro 6.", "migrations_success": "Migracion {number} {name} reüssida !", "service_conf_now_managed_by_yunohost": "Lo fichièr de configuracion « {conf} » es ara gerit per YunoHost.", - "service_reloaded": "Lo servici « {servici:s} » es estat tornat cargar", + "service_reloaded": "Lo servici « {service:s} » es estat tornat cargar", "already_up_to_date": "I a pas res a far ! Tot es ja a jorn !", "app_action_cannot_be_ran_because_required_services_down": "Aquestas aplicacions necessitan d’èsser lançadas per poder executar aquesta accion : {services}. Abans de contunhar deuriatz ensajar de reaviar los servicis seguents (e tanben cercar perque son tombats en pana) : {services}", "confirm_app_install_warning": "Atencion : aquesta aplicacion fonciona mas non es pas ben integrada amb YunoHost. Unas foncionalitats coma l’autentificacion unica e la còpia de seguretat/restauracion pòdon èsser indisponiblas. volètz l’installar de totas manièras ? [{answers:s}] ", 
@@ -584,16 +584,16 @@ "migration_0011_migrate_permission": "Migracion de las permission dels paramètres d’aplicacion a LDAP…", "migration_0011_update_LDAP_database": "Actualizacion de la basa de donadas LDAP…", "migration_0011_update_LDAP_schema": "Actualizacion de l’esquèma LDAP…", - "permission_already_exist": "La permission « {permission:s} » per l’aplicacion {app:s} existís ja", - "permission_created": "Permission creada « {permission:s} » per l’aplicacion{app:s}", + "permission_already_exist": "La permission « {permission:s} » existís ja", + "permission_created": "Permission « {permission:s} » creada", "permission_creation_failed": "Creacion impossibla de la permission", - "permission_deleted": "Permission « {permission:s} » per l’aplicacion {app:s} suprimida", - "permission_deletion_failed": "Fracàs de la supression de la permission « {permission:s} » per l’aplicacion {app:s}", - "permission_not_found": "Permission « {permission:s} » pas trobada per l’aplicacion {app:s}", + "permission_deleted": "Permission « {permission:s} » suprimida", + "permission_deletion_failed": "Fracàs de la supression de la permission « {permission:s} »", + "permission_not_found": "Permission « {permission:s} » pas trobada", "permission_name_not_valid": "Lo nom de la permission « {permission:s} » es pas valid", "permission_update_failed": "Fracàs de l’actualizacion de la permission", "permission_generated": "La basa de donadas de las permission es estada actualizada", - "permission_updated": "La permission « {permission:s} » per l’aplicacion {app:s} es estada actualizada", + "permission_updated": "La permission « {permission:s} » es estada actualizada", "permission_update_nothing_to_do": "Cap de permission d’actualizar", "remove_main_permission_not_allowed": "Se pòt pas suprimir la permission màger", "remove_user_of_group_not_allowed": "Sètz pas autorizat a suprimir {user:s} del grop {group:s}", From 0397aa91d94364a6652987b51af702f258ba1863 Mon Sep 17 00:00:00 2001 
From: kay0u Date: Fri, 27 Mar 2020 23:50:50 +0000 Subject: [PATCH 16/94] Update changelog for 3.7.0.11 release --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 1f137ba16..cc026e268 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +yunohost (3.7.0.11) stable; urgency=low + + - [fix] Mess due to automatic translation tools ~_~ + + -- Kay0u Fri, 27 Mar 2020 23:49:45 +0000 + yunohost (3.7.0.10) stable; urgency=low - [fix] On some weird setup, this folder and content ain't readable by group ... gotta make sure to make rx for group other slapd will explode From a2b4e151e4ab016f9d96d698848beaaaf848886d Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sat, 28 Mar 2020 14:51:19 +0100 Subject: [PATCH 17/94] Ugh, this gotta go into an m18n.n to work... --- src/yunohost/user.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/user.py b/src/yunohost/user.py index 34b367d7d..4a047b58f 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py @@ -577,7 +577,7 @@ def user_group_create(operation_logger, groupname, gid=None, primary_group=False all_existing_groupnames = {x.gr_name for x in grp.getgrall()} if groupname in all_existing_groupnames: if primary_group: - logger.warning('group_already_exist_on_system_but_removing_it', group=groupname) + logger.warning(m18n.n('group_already_exist_on_system_but_removing_it', group=groupname)) subprocess.check_call("sed --in-place '/^%s:/d' /etc/group" % groupname, shell=True) else: raise YunohostError('group_already_exist_on_system', group=groupname) From f54701eacc7ed8589ab0d9fc90c3d5c751fb90cc Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sat, 28 Mar 2020 14:52:42 +0100 Subject: [PATCH 18/94] Update changelog for 3.7.0.12 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index cc026e268..9bcaea043 100644 --- a/debian/changelog 
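Review bot: The `sed` call kept as context directly under the changed warning still formats `groupname` into a command string run with `shell=True`, so the name is interpreted by the shell and again as a sed address. Whether `groupname` is restricted to a safe character set before it reaches this point is not visible in the hunk, so an argument list is the safer form: `subprocess.check_call(["sed", "--in-place", "/^%s:/d" % groupname, "/etc/group"])`. Because the name still ends up inside a sed pattern, it should also be validated against the expected group-name characters first. `user_group_create` starts and ends outside the hunk.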
+++ b/debian/changelog @@ -1,3 +1,9 @@ +yunohost (3.7.0.12) stable; urgency=low + + - Fix previous buggy hotfix about deleting existing primary groups ... + + -- Alexandre Aubin Sat, 28 Mar 2020 14:52:00 +0000 + yunohost (3.7.0.11) stable; urgency=low - [fix] Mess due to automatic translation tools ~_~ From ff4f644cd073d63ad8bb03b3de671f98039a07e2 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sat, 28 Mar 2020 21:17:28 +0100 Subject: [PATCH 19/94] Fix possible security issue with these cookie files --- data/helpers.d/utils | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/data/helpers.d/utils b/data/helpers.d/utils index 50671dba0..133a47247 100644 --- a/data/helpers.d/utils +++ b/data/helpers.d/utils @@ -237,9 +237,14 @@ ynh_local_curl () { # Wait untils nginx has fully reloaded (avoid curl fail with http2) sleep 2 + + local cookiefile=/tmp/ynh-$app-cookie.txt + touch $cookiefile + chown root $cookiefile + chmod 700 $cookiefile # Curl the URL - curl --silent --show-error -kL -H "Host: $domain" --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url" --cookie-jar /tmp/ynh-$app-cookie.txt --cookie /tmp/ynh-$app-cookie.txt + curl --silent --show-error -kL -H "Host: $domain" --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url" --cookie-jar $cookiefile --cookie $cookiefile } # Render templates with Jinja2 From 51a0502e9100b10356eb62b6d148a41c79d00f44 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Mon, 30 Mar 2020 19:36:41 +0200 Subject: [PATCH 20/94] add ynh_permission_has_user --- data/actionsmap/yunohost.yml | 9 +++++++++ data/helpers.d/setting | 19 +++++++++++++++++++ src/yunohost/permission.py | 22 ++++++++++++++++++++++ src/yunohost/user.py | 6 ++++++ 4 files changed, 56 insertions(+) diff --git a/data/actionsmap/yunohost.yml b/data/actionsmap/yunohost.yml index 3a4c9db97..c0eca3d03 100644 --- a/data/actionsmap/yunohost.yml +++ b/data/actionsmap/yunohost.yml 
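Review bot: The cookie jar added in `ynh_local_curl` still has a fixed, guessable name in world-writable `/tmp`, and `touch` succeeds on a path that already exists, so the `chown`/`chmod` that follow may be applied to something another local account placed there first (how far the kernel's symlink protections cover this depends on the host). Keeping the jar in a directory only root can write to, or creating it once per script with `mktemp` and reusing that path for later calls, would close this; a per-call `mktemp` would lose the session between calls. The mode should be `chmod 600 "$cookiefile"`, since the file is data and needs no execute bit, and `$cookiefile` should be quoted wherever it is used. The body of `ynh_local_curl` starts outside the hunk.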
@@ -296,6 +296,15 @@ user: help: Display all info known about each permission, including the full user list of each group it is granted to. action: store_true + ### user_permission_info() + info: + action_help: Get information about a specific permission + api: GET /users/permissions/ + arguments: + permission: + help: Name of the permission to fetch info about + extra: + pattern: *pattern_username ### user_permission_update() update: diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 384fdc399..1c1139442 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting @@ -367,3 +367,22 @@ ynh_permission_update() { yunohost user permission update "$app.$permission" ${add:-} ${remove:-} } + +# Check if a permission exists +# +# usage: ynh_permission_has_user --permission=permission --user=user +# | arg: -p, --permission - the permission to check +# | arg: -u, --user - the user seek in the permission +# +# Requires YunoHost version 3.7.1 or higher. +ynh_permission_has_user() { + declare -Ar args_array=( [p]=permission= [u]=user) + local permission + ynh_handle_getopts_args "$@" + + if ! ynh_permission_exists --permission $permission + return 1 + fi + + yunohost user permission info $permission | grep -w -q "$user" +} \ No newline at end of file diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py index 2aea6f4c4..05def2101 100644 --- a/src/yunohost/permission.py +++ b/src/yunohost/permission.py 
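Review bot: In the new `ynh_permission_has_user`, `grep -w -q "$user"` runs over the whole output of `yunohost user permission info`, so the helper succeeds when the name appears as a word anywhere in that output, not only among the users or groups the permission is granted to; `$user` is also read as a regular expression. Callers will treat the result as an access decision, so the match should be limited to the field that lists the allowed entries and use a fixed string, e.g. `grep -Fwq -- "$user"` on that field only (the output layout is not visible here, so the field name needs checking). The hunks that rework this helper later in the series (`@@ -374,15 +374,22 @@` and `@@ -376,13 +386,17 @@`) keep the same test. The header comment `# Check if a permission exists` is copied from the helper above and should read `# Check if a user is granted a permission`.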
@@ -196,6 +196,28 @@ def user_permission_reset(operation_logger, permission, sync_perm=True): return new_permission + +def user_permission_info(permission, sync_perm=True): + """ + Return informations about a specific permission + + Keyword argument: + permission -- Name of the permission (e.g. mail or nextcloud or wordpress.editors) + """ + + # By default, manipulate main permission + if "." not in permission: + permission = permission + ".main" + + # Fetch existing permission + + existing_permission = user_permission_list(full=True)["permissions"].get(permission, None) + if existing_permission is None: + raise YunohostError('permission_not_found', permission=permission) + + return existing_permission + + # # # The followings methods are *not* directly exposed. diff --git a/src/yunohost/user.py b/src/yunohost/user.py index 39a2d8f15..74ad9f977 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py @@ -780,6 +780,12 @@ def user_permission_reset(permission, sync_perm=True): sync_perm=sync_perm) +def user_permission_info(permission, sync_perm=True): + import yunohost.permission + return yunohost.permission.user_permission_info(permission, + sync_perm=sync_perm) + + # # SSH subcategory # From 288a617975cbe06321fcddb5bbf558989925cf6a Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 30 Mar 2020 19:58:06 +0200 Subject: [PATCH 21/94] Let's have a working helper --- data/helpers.d/setting | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 1c1139442..5e88bf259 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting 
@@ -374,15 +374,22 @@ ynh_permission_update() { # | arg: -p, --permission - the permission to check # | arg: -u, --user - the user seek in the permission # +# example: ynh_permission_has_user --permission=nextcloud.main --user=visitors +# # Requires YunoHost version 3.7.1 or higher. ynh_permission_has_user() { - declare -Ar args_array=( [p]=permission= [u]=user) + local legacy_args=pu + # Declare an array to define the options of this helper. + declare -Ar args_array=( [p]=permission= [u]=user= ) local permission + local user + # Manage arguments with getopts ynh_handle_getopts_args "$@" - if ! ynh_permission_exists --permission $permission + if ! ynh_permission_exists --permission=$permission + then return 1 fi yunohost user permission info $permission | grep -w -q "$user" -} \ No newline at end of file +} From ad22677994399065785b0ffa889a842c284b2f9f Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 30 Mar 2020 20:09:26 +0200 Subject: [PATCH 22/94] Attempt to simplify permission migration --- data/helpers.d/setting | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 384fdc399..557afb332 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting @@ -197,7 +197,7 @@ EOF if [[ "$1" == "set" ]] && [[ "${4:-}" == "/" ]] then ynh_permission_update --permission "main" --add "visitors" - elif [[ "$1" == "delete" ]] && [[ "${current_value:-}" == "/" ]] + elif [[ "$1" == "delete" ]] && [[ "${current_value:-}" == "/" ]] && [[ -n "$(ynh_app_setting_get --app=$2 --key='is_public' )" ]] then ynh_permission_update --permission "main" --remove "visitors" fi From 90459e7ae6a4af5d7a6c532e8d53ccef3a6e8c50 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Mon, 30 Mar 2020 21:32:29 +0200 Subject: [PATCH 23/94] Add legacy_args, fix the helper --- data/actionsmap/yunohost.yml | 2 -- data/helpers.d/setting | 18 ++++++++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) 
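Review bot: The condition added to the `delete` branch, `[[ -n "$(ynh_app_setting_get --app=$2 --key='is_public' )" ]]`, is true for any non-empty value, including `is_public=0`, and false when the setting is absent, in which case `visitors` is no longer removed from the `main` permission and public access stays in place. If the intent is "only for apps that still store `is_public`", a one-line comment should say so, for example `# only legacy apps that store is_public rely on this to drop visitors`; if the intent is "only when the app is public", the value should be compared explicitly. `$2` should be quoted as well. The enclosing function starts outside the hunk, so how `current_value` is set cannot be checked from here.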
diff --git a/data/actionsmap/yunohost.yml b/data/actionsmap/yunohost.yml index c0eca3d03..b0bb7f9dc 100644 --- a/data/actionsmap/yunohost.yml +++ b/data/actionsmap/yunohost.yml @@ -303,8 +303,6 @@ user: arguments: permission: help: Name of the permission to fetch info about - extra: - pattern: *pattern_username ### user_permission_update() update: diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 1c1139442..4782afd84 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting @@ -270,6 +270,8 @@ ynh_webpath_register () { # # Requires YunoHost version 3.7.0 or higher. ynh_permission_create() { + # Declare an array to define the options of this helper. + local legacy_args=pua declare -Ar args_array=( [p]=permission= [u]=url= [a]=allowed= ) local permission local url @@ -298,6 +300,8 @@ ynh_permission_create() { # # Requires YunoHost version 3.7.0 or higher. ynh_permission_delete() { + # Declare an array to define the options of this helper. + local legacy_args=p declare -Ar args_array=( [p]=permission= ) local permission ynh_handle_getopts_args "$@" @@ -312,6 +316,8 @@ ynh_permission_delete() { # # Requires YunoHost version 3.7.0 or higher. ynh_permission_exists() { + # Declare an array to define the options of this helper. + local legacy_args=p declare -Ar args_array=( [p]=permission= ) local permission ynh_handle_getopts_args "$@" @@ -327,6 +333,8 @@ ynh_permission_exists() { # # Requires YunoHost version 3.7.0 or higher. ynh_permission_url() { + # Declare an array to define the options of this helper. + local legacy_args=pu declare -Ar args_array=([p]=permission= [u]=url=) local permission local url 
@@ -352,6 +360,8 @@ ynh_permission_url() { # example: ynh_permission_update --permission admin --add samdoe --remove all_users # Requires YunoHost version 3.7.0 or higher. ynh_permission_update() { + # Declare an array to define the options of this helper. + local legacy_args=par declare -Ar args_array=( [p]=permission= [a]=add= [r]=remove= ) local permission local add @@ -376,13 +386,17 @@ ynh_permission_update() { # # Requires YunoHost version 3.7.1 or higher. ynh_permission_has_user() { + # Declare an array to define the options of this helper. + local legacy_args=pu declare -Ar args_array=( [p]=permission= [u]=user) local permission + local user ynh_handle_getopts_args "$@" - if ! ynh_permission_exists --permission $permission + if ! ynh_permission_exists --permission "$permission" + then return 1 fi - yunohost user permission info $permission | grep -w -q "$user" + yunohost user permission info "$app.$permission" | grep -w -q "$user" } \ No newline at end of file From 9dd6d799f4e241bf70a9efb737788795297d6068 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Mon, 30 Mar 2020 21:37:25 +0200 Subject: [PATCH 24/94] fix example --- data/helpers.d/setting | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/setting b/data/helpers.d/setting index ec9404d5f..9466c5631 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting @@ -384,7 +384,7 @@ ynh_permission_update() { # | arg: -p, --permission - the permission to check # | arg: -u, --user - the user seek in the permission # -# example: ynh_permission_has_user --permission=nextcloud.main --user=visitors +# example: ynh_permission_has_user --permission=main --user=visitors # # Requires YunoHost version 3.7.1 or higher. ynh_permission_has_user() { From b0e67460dff0a40713a3c80d6eee91d4faa5ee7e Mon Sep 17 00:00:00 2001 
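Review bot: In the `ynh_permission_has_user` hunk (`@@ -376,13 +386,17 @@`) the option table still reads `[u]=user`, while every other valued option in these hunks ends in `=` (`[u]=url=`, `[a]=add=`). As written, `--user` is presumably parsed as a flag, so `$user` would not hold the name that `grep` is meant to look for. It should be `declare -Ar args_array=( [p]=permission= [u]=user= )`. The new comment `# Declare an array to define the options of this helper.` also sits above `local legacy_args=…` in each hunk rather than above the `declare` it describes.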
From: Alexandre Aubin Date: Wed, 1 Apr 2020 17:24:08 +0200 Subject: [PATCH 25/94] Add conflict rule against apache2 and bind9 --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index 42bafc16c..aed123246 100644 --- a/debian/control +++ b/debian/control @@ -43,6 +43,7 @@ Conflicts: iptables-persistent , yunohost-config-dovecot, yunohost-config-slapd , yunohost-config-nginx, yunohost-config-amavis , yunohost-config-mysql, yunohost-predepends + , apache2, bind9 Replaces: moulinette-yunohost, yunohost-config , yunohost-config-others, yunohost-config-postfix , yunohost-config-dovecot, yunohost-config-slapd From 23617a9386e2549f5288dcbcf1b0349bc0eb7ca7 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 3 Apr 2020 03:41:37 +0200 Subject: [PATCH 26/94] Update dovecot SSL conf according to Mozilla recommentation --- data/templates/dovecot/dovecot.conf | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/data/templates/dovecot/dovecot.conf b/data/templates/dovecot/dovecot.conf index 477ccbfb1..0a3c185ee 100644 --- a/data/templates/dovecot/dovecot.conf +++ b/data/templates/dovecot/dovecot.conf @@ -12,10 +12,25 @@ protocols = imap sieve {% if pop3_enabled == "True" %}pop3{% endif %} mail_plugins = $mail_plugins quota -ssl = yes +############################################################################### + +# generated 2020-04-03, Mozilla Guideline v5.4, Dovecot 2.2.27, OpenSSL 1.1.1l, intermediate configuration +# https://ssl-config.mozilla.org/#server=dovecot&version=2.2.27&config=intermediate&openssl=1.1.1l&guideline=5.4 + +ssl = required + ssl_cert = Date: Fri, 3 Apr 2020 03:41:52 +0200 Subject: [PATCH 27/94] Update postfix SSL conf according to Moz^Cla recommentation --- data/templates/postfix/main.cf | 44 ++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 20 deletions(-) 
diff --git a/data/templates/postfix/main.cf b/data/templates/postfix/main.cf
index 045b8edd0..79a551a6c 100644
--- a/data/templates/postfix/main.cf
+++ b/data/templates/postfix/main.cf
@@ -18,35 +18,39 @@ append_dot_mydomain = no readme_directory = no # -- TLS for incoming connections -# By default, TLS is disabled in the Postfix SMTP server, so no difference to -# plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may". -smtpd_tls_security_level=may +############################################################################### +# generated 2020-04-03, Mozilla Guideline v5.4, Postfix 3.1.14, OpenSSL 1.1.1l, intermediate configuration +# https://ssl-config.mozilla.org/#server=postfix&version=3.1.14&config=intermediate&openssl=1.1.1l&guideline=5.4 -# Sending AUTH data over an unencrypted channel poses a security risk. -# When TLS layer encryption is optional ("smtpd_tls_security_level = may"), it -# may however still be useful to only offer AUTH when TLS is active. To maintain -# compatibility with non-TLS clients, the default is to accept AUTH without -# encryption. In order to change this behavior, we set "smtpd_tls_auth_only = yes". -smtpd_tls_auth_only=yes +# (No modern conf support until we're on buster...) 
+# {% if compatibility == "intermediate" %} {% else %} {% endif %} + +smtpd_use_tls = yes + +smtpd_tls_security_level = may +smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/yunohost/certs/{{ main_domain }}/crt.pem smtpd_tls_key_file = /etc/yunohost/certs/{{ main_domain }}/key.pem -smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtpd_tls_mandatory_ciphers = medium + +# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem +# not actually 1024 bits, this applies to all DHE >= 1024 bits +# smtpd_tls_dh1024_param_file = /path/to/dhparam.pem + +tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +tls_preempt_cipherlist = no +############################################################################### smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_loglevel=1 -{% if compatibility == "intermediate" %} -smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 -{% else %} -smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1 -{% endif %} -smtpd_tls_mandatory_ciphers=high -smtpd_tls_eecdh_grade = ultra # -- TLS for outgoing connections # Use TLS if this is supported by the remote SMTP server, otherwise use plaintext. smtp_tls_security_level=may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache -smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers -smtp_tls_mandatory_ciphers= $smtpd_tls_mandatory_ciphers +smtp_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES +smtp_tls_mandatory_ciphers= high smtp_tls_loglevel=1 # Configure Root CA certificates 
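Review bot: With `smtpd_tls_security_level = may`, adding `!TLSv1, !TLSv1.1` to `smtpd_tls_protocols` means a sending server limited to those versions cannot negotiate TLS and will most likely deliver in cleartext instead, which is weaker than the TLS 1.0 session it would otherwise have had. Excluding the old versions only in `smtpd_tls_mandatory_protocols` avoids that; if the stricter setting is intended, a comment next to `smtpd_tls_protocols` should state the trade-off. The cipher list keeps `DHE-RSA-*` suites while `smtpd_tls_dh1024_param_file` stays commented out, so Postfix's built-in DH parameters are used rather than the ffdhe2048 group the generated block refers to. The kept line `# {% if compatibility == "intermediate" %} {% else %} {% endif %}` is still evaluated by the template engine despite the leading `#`; it renders nothing and could be removed or written as a template comment.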
@@ -167,4 +171,4 @@ default_destination_rate_delay = 5s # By default it's possible to detect if the email adress exist # So it's easly possible to scan a server to know which email adress is valid # and after to send spam -disable_vrfy_command = yes \ No newline at end of file +disable_vrfy_command = yes From 6813a64cf6e17c23515786de4618456c966c9eb4 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Fri, 3 Apr 2020 20:28:13 +0200 Subject: [PATCH 28/94] remove sync_perm argument --- src/yunohost/permission.py | 2 +- src/yunohost/user.py | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py index 05def2101..b5ef0884f 100644 --- a/src/yunohost/permission.py +++ b/src/yunohost/permission.py @@ -197,7 +197,7 @@ def user_permission_reset(operation_logger, permission, sync_perm=True): return new_permission -def user_permission_info(permission, sync_perm=True): +def user_permission_info(permission): """ Return informations about a specific permission diff --git a/src/yunohost/user.py b/src/yunohost/user.py index 74ad9f977..4afcc4e72 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py @@ -780,10 +780,9 @@ def user_permission_reset(permission, sync_perm=True): sync_perm=sync_perm) -def user_permission_info(permission, sync_perm=True): +def user_permission_info(permission): import yunohost.permission - return yunohost.permission.user_permission_info(permission, - sync_perm=sync_perm) + return yunohost.permission.user_permission_info(permission) # From f7ac93b0b74b370674ec9492047b679eb02a459b Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 5 Apr 2020 18:31:16 +0200 Subject: [PATCH 29/94] We in fact only have ssl 1.1.0l, not 1.1.1l on Stretch. --- data/templates/dovecot/dovecot.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data/templates/dovecot/dovecot.conf b/data/templates/dovecot/dovecot.conf index 0a3c185ee..8fc0e75ae 100644 
--- a/data/templates/dovecot/dovecot.conf +++ b/data/templates/dovecot/dovecot.conf @@ -14,8 +14,8 @@ mail_plugins = $mail_plugins quota ############################################################################### -# generated 2020-04-03, Mozilla Guideline v5.4, Dovecot 2.2.27, OpenSSL 1.1.1l, intermediate configuration -# https://ssl-config.mozilla.org/#server=dovecot&version=2.2.27&config=intermediate&openssl=1.1.1l&guideline=5.4 +# generated 2020-04-03, Mozilla Guideline v5.4, Dovecot 2.2.27, OpenSSL 1.1.0l, intermediate configuration +# https://ssl-config.mozilla.org/#server=dovecot&version=2.2.27&config=intermediate&openssl=1.1.0l&guideline=5.4 ssl = required @@ -25,7 +25,7 @@ ssl_key = Date: Sun, 5 Apr 2020 18:31:33 +0200 Subject: [PATCH 30/94] We in fact only have ssl 1.1.0l, not 1.1.1l on Stretch. --- data/templates/postfix/main.cf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/templates/postfix/main.cf b/data/templates/postfix/main.cf index 79a551a6c..2642fd8f0 100644 --- a/data/templates/postfix/main.cf +++ b/data/templates/postfix/main.cf @@ -19,8 +19,8 @@ readme_directory = no # -- TLS for incoming connections ############################################################################### -# generated 2020-04-03, Mozilla Guideline v5.4, Postfix 3.1.14, OpenSSL 1.1.1l, intermediate configuration -# https://ssl-config.mozilla.org/#server=postfix&version=3.1.14&config=intermediate&openssl=1.1.1l&guideline=5.4 +# generated 2020-04-03, Mozilla Guideline v5.4, Postfix 3.1.14, OpenSSL 1.1.0l, intermediate configuration +# https://ssl-config.mozilla.org/#server=postfix&version=3.1.14&config=intermediate&openssl=1.1.0l&guideline=5.4 # (No modern conf support until we're on buster...) # {% if compatibility == "intermediate" %} {% else %} {% endif %} From ecdb30aab234ebef95dd4e54e4847623327178e8 Mon Sep 17 00:00:00 2001 
From: Kay0u Date: Sun, 5 Apr 2020 19:44:39 +0200 Subject: [PATCH 31/94] [fix] config_appy return link --- src/yunohost/app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/yunohost/app.py b/src/yunohost/app.py index de2a74c9c..39793ec1a 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py @@ -1574,6 +1574,7 @@ def app_config_apply(operation_logger, app, args): logger.success("Config updated as expected") return { + "app": app, "logs": operation_logger.success(), } From ecce6f11cc467d4745aa7e94fa3cbb4184e30f32 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 5 Apr 2020 20:22:17 +0200 Subject: [PATCH 32/94] Move wildcard DNS record to 'extra' category --- src/yunohost/domain.py | 78 ++++++++++++++++++++++++++---------------- src/yunohost/dyndns.py | 12 ++++++- 2 files changed, 59 insertions(+), 31 deletions(-) diff --git a/src/yunohost/domain.py b/src/yunohost/domain.py index 456dfa4bf..23b5a4179 100644 --- a/src/yunohost/domain.py +++ b/src/yunohost/domain.py @@ -236,8 +236,7 @@ def domain_dns_conf(domain, ttl=None): for record in record_list: result += "\n{name} {ttl} IN {type} {value}".format(**record) - is_cli = True if msettings.get('interface') == 'cli' else False - if is_cli: + if msettings.get('interface') == 'cli': logger.info(m18n.n("domain_dns_conf_is_just_a_recommendation")) return result @@ -406,10 +405,8 @@ def _build_dns_conf(domain, ttl=3600): "basic": [ # if ipv4 available {"type": "A", "name": "@", "value": "123.123.123.123", "ttl": 3600}, - {"type": "A", "name": "*", "value": "123.123.123.123", "ttl": 3600}, # if ipv6 available {"type": "AAAA", "name": "@", "value": "valid-ipv6", "ttl": 3600}, - {"type": "AAAA", "name": "*", "value": "valid-ipv6", "ttl": 3600}, ], "xmpp": [ {"type": "SRV", "name": "_xmpp-client._tcp", "value": "0 5 5222 domain.tld.", "ttl": 3600}, 
@@ -426,6 +423,10 @@ def _build_dns_conf(domain, ttl=3600): {"type": "TXT", "name": "_dmarc", "value": "\"v=DMARC1; p=none\"", "ttl": 3600} ], "extra": [ + # if ipv4 available + {"type": "A", "name": "*", "value": "123.123.123.123", "ttl": 3600}, + # if ipv6 available + {"type": "AAAA", "name": "*", "value": "valid-ipv6", "ttl": 3600}, {"type": "CAA", "name": "@", "value": "128 issue \"letsencrypt.org\"", "ttl": 3600}, ], "example_of_a_custom_rule": [ @@ -437,32 +438,21 @@ def _build_dns_conf(domain, ttl=3600): ipv4 = get_public_ip() ipv6 = get_public_ip(6) - basic = [] + ########################### + # Basic ipv4/ipv6 records # + ########################### - # Basic ipv4/ipv6 records + basic = [] if ipv4: - basic += [ - ["@", ttl, "A", ipv4], - ["*", ttl, "A", ipv4], - ] + basic.append(["@", ttl, "A", ipv4]) if ipv6: - basic += [ - ["@", ttl, "AAAA", ipv6], - ["*", ttl, "AAAA", ipv6], - ] + basic.append(["@", ttl, "AAAA", ipv6]) - # XMPP - xmpp = [ - ["_xmpp-client._tcp", ttl, "SRV", "0 5 5222 %s." % domain], - ["_xmpp-server._tcp", ttl, "SRV", "0 5 5269 %s." % domain], - ["muc", ttl, "CNAME", "@"], - ["pubsub", ttl, "CNAME", "@"], - ["vjud", ttl, "CNAME", "@"], - ["xmpp-upload", ttl, "CNAME", "@"], - ] + ######### + # Email # + ######### - # SPF record spf_record = '"v=spf1 a mx' if ipv4: spf_record += ' ip4:{ip4}'.format(ip4=ipv4) @@ -470,7 +460,6 @@ def _build_dns_conf(domain, ttl=3600): spf_record += ' ip6:{ip6}'.format(ip6=ipv6) spf_record += ' -all"' - # Email mail = [ ["@", ttl, "MX", "10 %s." % domain], ["@", ttl, "TXT", spf_record], 
@@ -485,12 +474,36 @@ def _build_dns_conf(domain, ttl=3600): ["_dmarc", ttl, "TXT", '"v=DMARC1; p=none"'], ] - # Extra - extra = [ - ["@", ttl, "CAA", '128 issue "letsencrypt.org"'] + ######## + # XMPP # + ######## + + xmpp = [ + ["_xmpp-client._tcp", ttl, "SRV", "0 5 5222 %s." % domain], + ["_xmpp-server._tcp", ttl, "SRV", "0 5 5269 %s." % domain], + ["muc", ttl, "CNAME", "@"], + ["pubsub", ttl, "CNAME", "@"], + ["vjud", ttl, "CNAME", "@"], + ["xmpp-upload", ttl, "CNAME", "@"], ] - # Official record + ######### + # Extra # + ######### + + extra = [] + + if ipv4: + extra.append(["*", ttl, "A", ipv4]) + if ipv6: + extra.append(["*", ttl, "AAAA", ipv6]) + + extra.append(["@", ttl, "CAA", '128 issue "letsencrypt.org"']) + + #################### + # Standard records # + #################### + records = { "basic": [{"name": name, "ttl": ttl, "type": type_, "value": value} for name, ttl, type_, value in basic], "xmpp": [{"name": name, "ttl": ttl, "type": type_, "value": value} for name, ttl, type_, value in xmpp], @@ -498,7 +511,12 @@ def _build_dns_conf(domain, ttl=3600): "extra": [{"name": name, "ttl": ttl, "type": type_, "value": value} for name, ttl, type_, value in extra], } - # Custom records + ################## + # Custom records # + ################## + + # Defined by custom hooks ships in apps for example ... + hook_results = hook_callback('custom_dns_rules', args=[domain]) for hook_name, results in hook_results.items(): # diff --git a/src/yunohost/dyndns.py b/src/yunohost/dyndns.py index 70817b3fe..6e597fbbf 100644 --- a/src/yunohost/dyndns.py +++ b/src/yunohost/dyndns.py 
@@ -258,7 +258,17 @@ def dyndns_update(operation_logger, dyn_host="dyndns.yunohost.org", domain=None, logger.info("Updated needed, going on...") dns_conf = _build_dns_conf(domain) - del dns_conf["extra"] # Ignore records from the 'extra' category + + for i, record in enumerate(dns_conf["extra"]): + # Ignore CAA record ... not sure why, we could probably enforce it... + if record[3] == "CAA": + del dns_conf["extra"][i] + + # Delete custom DNS records, we don't support them (have to explicitly + # authorize them on dynette) + for category in dns_conf.keys(): + if category not in ["basic", "mail", "xmpp", "extra"]: + del dns_conf[category] # Delete the old records for all domain/subdomains From f032ba16cc5b6778e18a7042943f45e212fab6f0 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 5 Apr 2020 20:23:32 +0200 Subject: [PATCH 33/94] Only diagnose basic records for subdomains --- data/hooks/diagnosis/12-dnsrecords.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/data/hooks/diagnosis/12-dnsrecords.py b/data/hooks/diagnosis/12-dnsrecords.py index 96ac31d55..a889201b9 100644 --- a/data/hooks/diagnosis/12-dnsrecords.py +++ b/data/hooks/diagnosis/12-dnsrecords.py 
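Review bot: `record[3] == "CAA"` in the new loop indexes each record by position, but the `records = {...}` context lines of `_build_dns_conf` in the domain.py part of this patch build every entry as a dict with `name`/`ttl`/`type`/`value` keys, so the lookup raises `KeyError` instead of matching the CAA record. The loop also deletes from `dns_conf["extra"]` while enumerating it, which skips the element that follows each deletion. Replacing the loop with `dns_conf["extra"] = [r for r in dns_conf["extra"] if r["type"] != "CAA"]` addresses both. The second loop deletes keys while iterating `dns_conf.keys()`, which only works where `keys()` returns a list (Python 2); `for category in list(dns_conf.keys()):` is safe either way. `dyndns_update` starts before and continues after this hunk.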
@@ -28,21 +28,24 @@ class DNSRecordsDiagnoser(Diagnoser): all_domains = domain_list()["domains"] for domain in all_domains: self.logger_debug("Diagnosing DNS conf for %s" % domain) - for report in self.check_domain(domain, domain == main_domain): + is_subdomain = domain.split(".",1)[1] in all_domains + for report in self.check_domain(domain, domain == main_domain, is_subdomain=is_subdomain): yield report # FIXME : somewhere, should implement a check for reverse DNS ... # FIXME / TODO : somewhere, could also implement a check for domain expiring soon - def check_domain(self, domain, is_main_domain): + def check_domain(self, domain, is_main_domain, is_subdomain): expected_configuration = _build_dns_conf(domain) - # Here if there are no AAAA record, we should add something to expect "no" AAAA record + # FIXME: Here if there are no AAAA record, we should add something to expect "no" AAAA record # to properly diagnose situations where people have a AAAA record but no IPv6 - categories = ["basic", "mail", "xmpp", "extra"] + if is_subdomain: + categories = ["basic"] + for category in categories: records = expected_configuration[category] From a4d28efa6c249e7585f48e222ff8510e287b7889 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 5 Apr 2020 22:37:24 +0200 Subject: [PATCH 34/94] less0 -> at_least_one --- data/helpers.d/php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 817be7f4d..4f5e63dfd 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -311,7 +311,7 @@ ynh_get_scalable_phpfpm () { # Get the total of RAM available, except swap. local max_ram=$(ynh_check_ram --no_swap) - less0() { + at_least_one() { # Do not allow value below 1 if [ $1 -le 0 ] then 
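Review bot: `domain.split(".",1)[1]` raises `IndexError` for any entry of `all_domains` that contains no dot, which would abort the diagnosis loop for every remaining domain. Whether such a name can be configured is not visible here, but `is_subdomain = domain.partition(".")[2] in all_domains` gives the same answer without that failure mode. `check_domain` now takes a required `is_subdomain` argument and silently narrows `categories` to `["basic"]`; a one-line docstring such as `"""Yield reports for domain; sub-domains are only checked against the 'basic' records."""` would record that. Both methods extend beyond the hunk.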
@@ -331,7 +331,7 @@ ynh_get_scalable_phpfpm () { then php_max_children=$(( $php_max_children / 2 )) fi - php_max_children=$(less0 $php_max_children) + php_max_children=$(at_least_one $php_max_children) # To not overload the proc, limit the number of children to 4 times the number of cores. local core_number=$(nproc) @@ -345,13 +345,13 @@ ynh_get_scalable_phpfpm () { then # Define pm.start_servers, pm.min_spare_servers and pm.max_spare_servers for a dynamic process manager php_min_spare_servers=$(( $php_max_children / 8 )) - php_min_spare_servers=$(less0 $php_min_spare_servers) + php_min_spare_servers=$(at_least_one $php_min_spare_servers) php_max_spare_servers=$(( $php_max_children / 2 )) - php_max_spare_servers=$(less0 $php_max_spare_servers) + php_max_spare_servers=$(at_least_one $php_max_spare_servers) php_start_servers=$(( $php_min_spare_servers + ( $php_max_spare_servers - $php_min_spare_servers ) /2 )) - php_start_servers=$(less0 $php_start_servers) + php_start_servers=$(at_least_one $php_start_servers) else php_min_spare_servers=0 php_max_spare_servers=0 From 810e5b0d0909da9393367694790dc645144897f8 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 5 Apr 2020 22:53:56 +0200 Subject: [PATCH 35/94] no_swap -> ignore_swap --- data/helpers.d/hardware | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/data/helpers.d/hardware b/data/helpers.d/hardware index 11012a3d1..11c7b27dc 100644 --- a/data/helpers.d/hardware +++ b/data/helpers.d/hardware 
@@ -2,22 +2,22 @@ # Check the amount of available RAM # -# usage: ynh_check_ram [--required=RAM required in Mb] [--no_swap|--only_swap] [--free_ram] +# usage: ynh_check_ram [--required=RAM required in Mb] [--ignore_swap|--only_swap] [--free_ram] # | arg: -r, --required= - Amount of RAM required in Mb. The helper will return 0 is there's enough RAM, or 1 otherwise. # If --required isn't set, the helper will print the amount of RAM, in Mb. -# | arg: -s, --no_swap - Ignore swap +# | arg: -s, --ignore_swap - Ignore swap # | arg: -o, --only_swap - Ignore real RAM, consider only swap. # | arg: -f, --free_ram - Count only free RAM, not the total amount of RAM available. -ynh_check_ram () { +ynh_available_ram () { # Declare an array to define the options of this helper. - declare -Ar args_array=( [r]=required= [s]=no_swap [o]=only_swap [f]=free_ram ) + declare -Ar args_array=( [r]=required= [s]=ignore_swap [o]=only_swap [f]=free_ram ) local required - local no_swap + local ignore_swap local only_swap # Manage arguments with getopts ynh_handle_getopts_args "$@" required=${required:-} - no_swap=${no_swap:-0} + ignore_swap=${ignore_swap:-0} only_swap=${only_swap:-0} local total_ram=$(vmstat --stats --unit M | grep "total memory" | awk '{print $1}') @@ -34,7 +34,7 @@ ynh_check_ram () { then # Use the total amount of free ram ram=$free_ram_swap - if [ $no_swap -eq 1 ] + if [ $ignore_swap -eq 1 ] then # Use only the amount of free ram ram=$free_ram @@ -44,7 +44,7 @@ ynh_check_ram () { ram=$free_swap fi else - if [ $no_swap -eq 1 ] + if [ $ignore_swap -eq 1 ] then # Use only the amount of free ram ram=$total_ram From cbf573c34689502b815a6ea29fce3350ad0d2b29 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 5 Apr 2020 23:57:43 +0200 Subject: [PATCH 36/94] Try to improve the semantic of RAM helper --- data/helpers.d/hardware | 86 +++++++++++++++++++++++++++-------------- 1 file changed, 57 insertions(+), 29 deletions(-) 
diff --git a/data/helpers.d/hardware b/data/helpers.d/hardware index 11c7b27dc..be669568e 100644 --- a/data/helpers.d/hardware +++ b/data/helpers.d/hardware @@ -1,24 +1,25 @@ #!/bin/bash -# Check the amount of available RAM +# Get the total or free amount of RAM+swap on the system # -# usage: ynh_check_ram [--required=RAM required in Mb] [--ignore_swap|--only_swap] [--free_ram] -# | arg: -r, --required= - Amount of RAM required in Mb. The helper will return 0 is there's enough RAM, or 1 otherwise. -# If --required isn't set, the helper will print the amount of RAM, in Mb. -# | arg: -s, --ignore_swap - Ignore swap -# | arg: -o, --only_swap - Ignore real RAM, consider only swap. -# | arg: -f, --free_ram - Count only free RAM, not the total amount of RAM available. -ynh_available_ram () { +# usage: ynh_get_ram [--free|--total] [--ignore_swap|--only_swap] +# | arg: -f, --free - Count free RAM+swap +# | arg: -t, --total - Count total RAM+swap +# | arg: -s, --ignore_swap - Ignore swap, consider only real RAM +# | arg: -o, --only_swap - Ignore real RAM, consider only swap +ynh_get_ram () { # Declare an array to define the options of this helper. - declare -Ar args_array=( [r]=required= [s]=ignore_swap [o]=only_swap [f]=free_ram ) - local required + declare -Ar args_array=( [f]=free [t]=total [s]=ignore_swap [o]=only_swap ) + local free + local total local ignore_swap local only_swap # Manage arguments with getopts ynh_handle_getopts_args "$@" - required=${required:-} ignore_swap=${ignore_swap:-0} only_swap=${only_swap:-0} + free=${free:-0} + total=${total:-0} local total_ram=$(vmstat --stats --unit M | grep "total memory" | awk '{print $1}') local total_swap=$(vmstat --stats --unit M | grep "total swap" | awk '{print $1}') 
@@ -29,11 +30,10 @@ ynh_available_ram () { local free_ram_swap=$(( free_ram + free_swap )) # Use the total amount of ram - local ram=$total_ram_swap - if [ $free_ram -eq 1 ] + if [ $free -eq 1 ] then # Use the total amount of free ram - ram=$free_ram_swap + local ram=$free_ram_swap if [ $ignore_swap -eq 1 ] then # Use only the amount of free ram @@ -43,7 +43,9 @@ ynh_available_ram () { # Use only the amount of free swap ram=$free_swap fi - else + elif [ $total -eq 1 ] + then + local ram=$total_ram_swap if [ $ignore_swap -eq 1 ] then # Use only the amount of free ram 
@@ -53,20 +55,46 @@ ynh_available_ram () { # Use only the amount of free swap ram=$total_swap fi + else + echo "Uhoh, you should choose --free or --total when using ynh_get_ram" >&2 + ram=0 fi - if [ -n "$required" ] - then - # Return 1 if the amount of ram isn't enough. - if [ $ram -lt $required ] - then - return 1 - else - return 0 - fi - - # If no RAM is required, return the amount of available ram. - else - echo $ram - fi + echo $ram +} + +# Return 0 or 1 depending if the system has a given amount of RAM+swap free or total +# +# usage: ynh_require_ram [--amount=RAM required in Mb] [--free|--total] [--ignore_swap|--only_swap] +# | arg: -a, --amount - The amount to require, in Mb +# | arg: -f, --free - Count free RAM+swap +# | arg: -t, --total - Count total RAM+swap +# | arg: -s, --ignore_swap - Ignore swap, consider only real RAM +# | arg: -o, --only_swap - Ignore real RAM, consider only swap +ynh_require_ram () { + # Declare an array to define the options of this helper. + declare -Ar args_array=( [a]=amount= [f]=free [t]=total [s]=ignore_swap [o]=only_swap ) + local amount + local free + local total + local ignore_swap + local only_swap + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + amount=${amount:-0} + # Dunno if that's the right way to do, but that's some black magic to be able to + # forward the bool args to ynh_get_ram easily? + free=${free:+--free} + total=${total:+--total} + ignore_swap=${ignore_swap:+--ignore_swap} + only_swap=${only_swap:+--only_swap} + + local ram=$(ynh_get_ram $free $total $ignore_swap $only_swap) + + if [ $ram -lt $amount ] + then + return 1 + else + return 0 + fi } From fdc0ecf6e5346b629a48d0f50bd72916314b966c Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 6 Apr 2020 00:20:16 +0200 Subject: [PATCH 37/94] Propagate change in RAM helper to php helper where it's used --- data/helpers.d/php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
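Review bot: In the new `else` branch of `ynh_get_ram`, `ram=0` is assigned without `local`, because `ram` is only declared inside the `--free` and `--total` branches (previous hunk), so the value leaks into the caller's scope and the function still exits 0 after printing the error. Declaring `local ram` once before the `if` and ending the error branch with `return 1` would make the failure visible to callers. In `ynh_require_ram`, `local ram=$(ynh_get_ram ...)` discards that exit status and `[ $ram -lt $amount ]` is unquoted, so an empty or non-numeric result produces a test error rather than a clean refusal; `[ "$ram" -lt "$amount" ]` is the minimal hardening. The usage comment documents `--amount` without the trailing `=` that `args_array` declares (`[a]=amount=`).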
diff --git a/data/helpers.d/php b/data/helpers.d/php index 4f5e63dfd..78c4f1bc0 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -309,7 +309,7 @@ ynh_get_scalable_phpfpm () { fi # Get the total of RAM available, except swap. - local max_ram=$(ynh_check_ram --no_swap) + local max_ram=$(ynh_get_ram --total --ignore_swap) at_least_one() { # Do not allow value below 1 From 3234b14b78657ccf36fba2e38d5aa0209d1cd453 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 6 Apr 2020 12:54:05 +0200 Subject: [PATCH 38/94] Update data/helpers.d/php Co-Authored-By: Alexandre Aubin --- data/helpers.d/php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 817be7f4d..24314b52f 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -246,7 +246,7 @@ ynh_remove_php () { # medium - Low usage, few people or/and publicly accessible. # high - High usage, frequently visited website. # -# | arg: -p, --print - Print the result +# | arg: -p, --print - Print the result (intended for debug purpose only when packaging the app) # # # The footprint of the service will be used to defined the maximum footprint we can allow, which is half the maximum RAM. From 3bd6a7aa2983f19237939ade661ebee1780461ed Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 6 Apr 2020 15:39:40 +0200 Subject: [PATCH 39/94] Explicitly depends on lsb-release --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index aed123246..4b3837c1b 100644 --- a/debian/control +++ b/debian/control 
@@ -15,7 +15,7 @@ Depends: ${python:Depends}, ${misc:Depends} , python-psutil, python-requests, python-dnspython, python-openssl , python-apt, python-miniupnpc, python-dbus, python-jinja2 , python-toml - , apt-transport-https + , apt, apt-transport-https, lsb-release , dnsutils, bind9utils, unzip, git, curl, cron, wget, jq , ca-certificates, netcat-openbsd, iproute2 , mariadb-server, php-mysql | php-mysqlnd From 4d99cbe87075fc9180b49f12ef45d51db2d3892d Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 6 Apr 2020 16:54:25 +0200 Subject: [PATCH 40/94] Add ref for security headers --- data/templates/nginx/security.conf.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc index 272a29e26..28d12055b 100644 --- a/data/templates/nginx/security.conf.inc +++ b/data/templates/nginx/security.conf.inc @@ -20,6 +20,9 @@ ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECD #ssl_dhparam /etc/ssl/private/dh2048.pem; {% endif %} +# Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners +# https://wiki.mozilla.org/Security/Guidelines/Web_Security +# https://observatory.mozilla.org/ more_set_headers "Content-Security-Policy : upgrade-insecure-requests"; more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'"; more_set_headers "X-Content-Type-Options : nosniff"; From 22b9565eb72161e1a66db5980aad8ad56d220a3c Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 6 Apr 2020 16:56:53 +0200 Subject: [PATCH 41/94] Forgot to check that these headers are different from the default in security.conf ... maybe we want to keep them as is? Not clear why they have different values tan the domain configs... --- data/templates/nginx/yunohost_admin.conf | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/data/templates/nginx/yunohost_admin.conf b/data/templates/nginx/yunohost_admin.conf index 63d466ecd..3df838c4a 100644 --- a/data/templates/nginx/yunohost_admin.conf +++ b/data/templates/nginx/yunohost_admin.conf @@ -20,6 +20,10 @@ server { ssl_certificate /etc/yunohost/certs/yunohost.org/crt.pem; ssl_certificate_key /etc/yunohost/certs/yunohost.org/key.pem; + more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; + more_set_headers "Referrer-Policy : 'same-origin'"; + more_set_headers "Content-Security-Policy : upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'"; + location / { return 302 https://$http_host/yunohost/admin; } From 3a7b93d8aac481f41f3dcea3b4e0b6409b0fc0c9 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 5 Apr 2020 18:12:24 +0200 Subject: [PATCH 42/94] Get rid of domain-specific acme-challenge snippet, use a single snippet including in every conf --- data/hooks/conf_regen/15-nginx | 15 ++++++ .../nginx/plain/acme-challenge.conf.inc | 5 ++ data/templates/nginx/server.tpl.conf | 2 + locales/en.json | 1 - src/yunohost/certificate.py | 47 ------------------- 5 files changed, 22 insertions(+), 48 deletions(-) create mode 100644 data/templates/nginx/plain/acme-challenge.conf.inc diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index 11e5f596c..90d99ff5e 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx 
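Review bot: The added `Referrer-Policy : 'same-origin'` sends the value with literal single quotes, which is not a valid policy token, so browsers will most likely ignore the header; it should read `more_set_headers "Referrer-Policy : same-origin";`. The `Strict-Transport-Security` line adds `includeSubDomains; preload` on the admin server block, which commits every sub-domain of whatever name the admin interface is reached under to HTTPS with a trusted certificate. On an installation where some sub-domains still use self-signed certificates that removes the browser's click-through, so the intent should be stated in a comment next to the header. The `server` block starts and ends outside the hunk.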
@@ -110,6 +110,21 @@ do_post_regen() { mkdir -p "/etc/nginx/conf.d/${domain}.d" done + # Get rid of legacy lets encrypt snippets + for domain in $domain_list; do + # If the legacy letsencrypt / acme-challenge domain-specific snippet is still there + if [ -e /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf ] + then + # And if we're effectively including the new domain-independant snippet now + if grep -q "include /etc/nginx/conf.d/acme-challenge.conf.inc;" /etc/nginx/conf.d/${domain}.conf + then + # Delete the old domain-specific snippet + rm /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf + fi + fi + done + + # Reload nginx configuration pgrep nginx && service nginx reload } diff --git a/data/templates/nginx/plain/acme-challenge.conf.inc b/data/templates/nginx/plain/acme-challenge.conf.inc new file mode 100644 index 000000000..aae3e0eb3 --- /dev/null +++ b/data/templates/nginx/plain/acme-challenge.conf.inc @@ -0,0 +1,5 @@ +location ^~ '/.well-known/acme-challenge/' +{ + default_type "text/plain"; + alias /tmp/acme-challenge-public/; +} diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 6316960c4..485079883 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -10,6 +10,8 @@ server { access_by_lua_file /usr/share/ssowat/access.lua; + include /etc/nginx/conf.d/acme-challenge.conf.inc; + include /etc/nginx/conf.d/{{ domain }}.d/*.conf; location /yunohost/admin { diff --git a/locales/en.json b/locales/en.json index 567b6a460..f6aa35f67 100644 --- a/locales/en.json +++ b/locales/en.json 
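Review bot: The cleanup loop removes `000-acmechallenge.conf` as soon as the domain conf includes the shared snippet, but `_check_acme_challenge_configuration` in certificate.py (visible only as trailing context in this patch, body outside the hunk) is commented as checking that an nginx conf file exists under `/etc/nginx/conf.d/<domain>.d`. If it still looks for the legacy file, certificate operations would fail once this hook has run, so it should be adjusted in the same commit. The `[ -e ... ]`, `grep` and `rm` lines expand `${domain}` unquoted; quoting the paths, e.g. `rm "/etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf"`, keeps an unexpected entry in `$domain_list` from being split or globbed. `do_post_regen` continues outside the hunk.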
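Review bot: `alias /tmp/acme-challenge-public/;` in the new `acme-challenge.conf.inc` is now included for every domain, and the directory sits in world-writable `/tmp`: unless it is created early with restrictive ownership (not visible here), a local account that creates it first controls what is served under `/.well-known/acme-challenge/`. Moving the webroot to a root-owned directory outside `/tmp` removes that dependency on creation order. The path is also hard-coded here, whereas the removed Python code filled the same `alias` from `WEBROOT_FOLDER`; a comment in the snippet such as `# must match WEBROOT_FOLDER in src/yunohost/certificate.py` would keep the two from drifting apart.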
@@ -120,7 +120,6 @@ "certmanager_cert_renew_success": "Let's Encrypt certificate renewed for the domain '{domain:s}'", "certmanager_cert_signing_failed": "Could not sign the new certificate", "certmanager_certificate_fetching_or_enabling_failed": "Trying to use the new certificate for {domain:s} did not work…", - "certmanager_conflicting_nginx_file": "Could not prepare domain for ACME challenge: the NGINX configuration file {filepath:s} is conflicting and should be removed first", "certmanager_couldnt_fetch_intermediate_cert": "Timed out when trying to fetch intermediate certificate from Let's Encrypt. Certificate installation/renewal aborted—please try again later.", "certmanager_domain_cert_not_selfsigned": "The certificate for domain {domain:s} is not self-signed. Are you sure you want to replace it? (Use '--force' to do so.)", "certmanager_domain_dns_ip_differs_from_public_ip": "The DNS 'A' record for the domain '{domain:s}' is different from this server's IP. If you recently modified your A record, please wait for it to propagate (some DNS propagation checkers are available online). (If you know what you are doing, use '--no-checks' to turn off those checks.)", diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index 5fae59060..fd792ccae 100644 --- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -285,7 +285,6 @@ def _certificate_install_letsencrypt(domain_list, force=False, no_checks=False, operation_logger.start() - _configure_for_acme_challenge(domain) _fetch_and_enable_new_certificate(domain, staging, no_checks=no_checks) _install_cron(no_checks=no_checks) 
@@ -468,52 +467,6 @@ Subject: %s smtp.quit() -def _configure_for_acme_challenge(domain): - - nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain - nginx_conf_file = "%s/000-acmechallenge.conf" % nginx_conf_folder - - nginx_configuration = ''' -location ^~ '/.well-known/acme-challenge/' -{ - default_type "text/plain"; - alias %s; -} - ''' % WEBROOT_FOLDER - - # Check there isn't a conflicting file for the acme-challenge well-known - # uri - for path in glob.glob('%s/*.conf' % nginx_conf_folder): - - if path == nginx_conf_file: - continue - - with open(path) as f: - contents = f.read() - - if '/.well-known/acme-challenge' in contents: - raise YunohostError('certmanager_conflicting_nginx_file', filepath=path) - - # Write the conf - if os.path.exists(nginx_conf_file): - logger.debug( - "Nginx configuration file for ACME challenge already exists for domain, skipping.") - return - - logger.debug( - "Adding Nginx configuration file for Acme challenge for domain %s.", domain) - - with open(nginx_conf_file, "w") as f: - f.write(nginx_configuration) - - # Assume nginx conf is okay, and reload it - # (FIXME : maybe add a check that it is, using nginx -t, haven't found - # any clean function already implemented in yunohost to do this though) - _run_service_command("reload", "nginx") - - app_ssowatconf() - - def _check_acme_challenge_configuration(domain): # Check nginx conf file exists nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain From be8427d5a117fd34ade956d8b67f0ad42533e2e6 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 8 Apr 2020 12:15:01 +0200 Subject: [PATCH 43/94] Gotta generate security.conf.inc during .deb deployment because it's needed by yunohost_admin.conf --- data/hooks/conf_regen/15-nginx | 1 + 1 file changed, 1 insertion(+) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index 11e5f596c..412320e0b 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx 
@@ -23,6 +23,7 @@ do_init_regen() { rm -f "${nginx_dir}/sites-enabled/default" export compatibility="intermediate" + ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc" ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf" # Restart nginx if conf looks good, otherwise display error and exit unhappy From 0a482fd879ce721c3e362e2b0ae876515051b75d Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 8 Apr 2020 12:56:47 +0200 Subject: [PATCH 44/94] Move openssh-server to Depends, reorganize Depends list --- debian/control | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/debian/control b/debian/control index 4b3837c1b..5bcd78491 100644 --- a/debian/control +++ b/debian/control 
@@ -15,22 +15,23 @@ Depends: ${python:Depends}, ${misc:Depends} , python-psutil, python-requests, python-dnspython, python-openssl , python-apt, python-miniupnpc, python-dbus, python-jinja2 , python-toml - , apt, apt-transport-https, lsb-release - , dnsutils, bind9utils, unzip, git, curl, cron, wget, jq - , ca-certificates, netcat-openbsd, iproute2 + , apt, apt-transport-https + , nginx, nginx-extras (>=1.6.2) + , php-fpm, php-ldap, php-intl , mariadb-server, php-mysql | php-mysqlnd + , openssh-server, iptables, fail2ban, dnsutils, bind9utils + , openssl, ca-certificates, netcat-openbsd, iproute2 , slapd, ldap-utils, sudo-ldap, libnss-ldapd, unscd, libpam-ldapd - , postfix-ldap, postfix-policyd-spf-perl, postfix-pcre, procmail, mailutils, postsrsd - , dovecot-ldap, dovecot-lmtpd, dovecot-managesieved - , dovecot-antispam, fail2ban, iptables - , nginx-extras (>=1.6.2), php-fpm, php-ldap, php-intl - , dnsmasq, openssl, avahi-daemon, libnss-mdns, resolvconf, libnss-myhostname + , dnsmasq, avahi-daemon, libnss-mdns, resolvconf, libnss-myhostname + , postfix, postfix-ldap, postfix-policyd-spf-perl, postfix-pcre + , dovecot-core, dovecot-ldap, dovecot-lmtpd, dovecot-managesieved, dovecot-antispam + , rspamd (>= 1.6.0), opendkim-tools, postsrsd, procmail, mailutils + , redis-server , metronome - , rspamd (>= 1.6.0), redis-server, opendkim-tools - , haveged, fake-hwclock - , equivs, lsof + , git, curl, wget, cron, unzip, jq + , lsb-release, haveged, fake-hwclock, equivs, lsof Recommends: yunohost-admin - , openssh-server, ntp, inetutils-ping | iputils-ping + , ntp, inetutils-ping | iputils-ping , bash-completion, rsyslog , php-gd, php-curl, php-gettext, php-mcrypt , python-pip From f390f02077294cc1033977601071ba242da4bf85 Mon Sep 17 00:00:00 2001 
From: Alexandre Aubin Date: Fri, 3 Apr 2020 03:12:09 +0200 Subject: [PATCH 45/94] Update nginx security.conf.inc with new Mozilla recommendation --- data/templates/nginx/security.conf.inc | 28 ++++++++++++-------------- data/templates/nginx/server.tpl.conf | 12 ++++------- 2 files changed, 17 insertions(+), 23 deletions(-) diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc index 28d12055b..79a891a21 100644 --- a/data/templates/nginx/security.conf.inc +++ b/data/templates/nginx/security.conf.inc 
@@ -1,24 +1,22 @@ -{% if compatibility == "modern" %} -# Ciphers with modern compatibility -# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern -# The following configuration use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) -ssl_protocols TLSv1.2; -ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; -ssl_prefer_server_ciphers on; -{% else %} -# As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519 -ssl_ecdh_curve secp521r1:secp384r1:prime256v1; -ssl_prefer_server_ciphers on; +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:10m; # about 40000 sessions +ssl_session_tickets off; + +# nginx 1.10 in stretch doesn't support TLS1.3 and Mozilla doesn't have any +# "modern" config recommendation with it. 
+# So until buster the modern conf is same as intermediate +{% if compatibility == "modern" %} {% else %} {% endif %} # Ciphers with intermediate compatibility -# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; +# generated 2020-04-03, Mozilla Guideline v5.4, nginx 1.10.3, OpenSSL 1.1.1l, intermediate configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.10.3&config=intermediate&openssl=1.1.1l&guideline=5.4 +ssl_protocols TLSv1.2; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +ssl_prefer_server_ciphers off; # Uncomment the following directive after DH generation # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 #ssl_dhparam /etc/ssl/private/dh2048.pem; -{% endif %} # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners # https://wiki.mozilla.org/Security/Guidelines/Web_Security diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 6316960c4..dcfd139ba 100644 
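Review bot: The new `ssl_ciphers` list in security.conf.inc still offers `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384`, while `#ssl_dhparam /etc/ssl/private/dh2048.pem;` stays commented out. On the nginx 1.10.3 named in the header comment, nginx falls back to its built-in DH parameters when `ssl_dhparam` is unset (that default was only dropped in 1.11.0), and as far as I recall the built-in group is 1024-bit, below the 2048-bit group the Mozilla intermediate profile assumes. Either generate the file during conf regen and enable the directive, or leave the two DHE-RSA suites out until it exists. The `{% if compatibility == "modern" %} {% else %} {% endif %}` block is now empty; a Jinja comment such as `{# modern is identical to intermediate until buster #}` would say the same without a dead conditional.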
--- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -33,12 +33,10 @@ server { listen [::]:443 ssl http2; server_name {{ domain }}; + include /etc/nginx/conf.d/security.conf.inc; + ssl_certificate /etc/yunohost/certs/{{ domain }}/crt.pem; ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem; - ssl_session_timeout 5m; - ssl_session_cache shared:SSL:50m; - - include /etc/nginx/conf.d/security.conf.inc; {% if domain_cert_ca != "Self-signed" %} more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; @@ -85,12 +83,10 @@ server { client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server } + include /etc/nginx/conf.d/security.conf.inc; + ssl_certificate /etc/yunohost/certs/{{ domain }}/crt.pem; ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem; - ssl_session_timeout 5m; - ssl_session_cache shared:SSL:50m; - - include /etc/nginx/conf.d/security.conf.inc; {% if domain_cert_ca != "Self-signed" %} more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; From 71cc4fde97514b580705c6af517e6e2635e6bd5e Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 5 Apr 2020 18:32:03 +0200 Subject: [PATCH 46/94] We in fact only have ssl 1.1.0l, not 1.1.1l on Stretch. --- data/templates/nginx/security.conf.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc index 79a891a21..a7e1ac718 100644 --- a/data/templates/nginx/security.conf.inc +++ b/data/templates/nginx/security.conf.inc 
@@ -8,8 +8,8 @@ ssl_session_tickets off; {% if compatibility == "modern" %} {% else %} {% endif %} # Ciphers with intermediate compatibility -# generated 2020-04-03, Mozilla Guideline v5.4, nginx 1.10.3, OpenSSL 1.1.1l, intermediate configuration -# https://ssl-config.mozilla.org/#server=nginx&version=1.10.3&config=intermediate&openssl=1.1.1l&guideline=5.4 +# generated 2020-04-03, Mozilla Guideline v5.4, nginx 1.10.3, OpenSSL 1.1.0l, intermediate configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.10.3&config=intermediate&openssl=1.1.0l&guideline=5.4 ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; From c06fe42078d13ccf6494ac23ee9cef99d1895c64 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 8 Apr 2020 21:33:34 +0200 Subject: [PATCH 47/94] Hmgn don't change the value for the session cache size otherwise that break test for restore from old version for stupid reasons -.- --- data/templates/nginx/security.conf.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc index a7e1ac718..ff3d2ee99 100644 --- a/data/templates/nginx/security.conf.inc +++ b/data/templates/nginx/security.conf.inc @@ -1,5 +1,5 @@ ssl_session_timeout 1d; -ssl_session_cache shared:SSL:10m; # about 40000 sessions +ssl_session_cache shared:SSL:50m; # about 200000 sessions ssl_session_tickets off; # nginx 1.10 in stretch doesn't support TLS1.3 and Mozilla doesn't have any From c0f94ba98ae3b8e64a5b7254144e3f4a65ef1bb9 Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Thu, 9 Apr 2020 12:29:44 +0200 Subject: [PATCH 48/94] [fix] uid will be tested as a string --- src/yunohost/user.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/yunohost/user.py b/src/yunohost/user.py index 39a2d8f15..fd67314d8 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py @@ -165,8 +165,8 @@ def user_create(operation_logger, username, firstname, lastname, mail, password, operation_logger.start() # Get random UID/GID - all_uid = {x.pw_uid for x in pwd.getpwall()} - all_gid = {x.gr_gid for x in grp.getgrall()} + all_uid = {str(x.pw_uid) for x in pwd.getpwall()} + all_gid = {str(x.gr_gid) for x in grp.getgrall()} uid_guid_found = False while not uid_guid_found: From 3c8442925852a27a73c21a51cc84738c51a37861 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 20 Nov 2019 15:31:55 +0100 Subject: [PATCH 49/94] Improve messages wording ? More consistent service 'X' vs. 'X' service --- locales/en.json | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/locales/en.json b/locales/en.json index 4bde03919..6a2af5e41 100644 --- a/locales/en.json +++ b/locales/en.json @@ -446,7 +446,7 @@ "regenconf_file_updated": "Configuration file '{conf}' updated", "regenconf_now_managed_by_yunohost": "The configuration file '{conf}' is now managed by YunoHost (category {category}).", "regenconf_up_to_date": "The configuration is already up-to-date for category '{category}'", - "regenconf_updated": "Configuration for category '{category}' updated", + "regenconf_updated": "Configuration updated for '{category}'", "regenconf_would_be_updated": "The configuration would have been updated for category '{category}'", "regenconf_dry_pending_applying": "Checking pending configuration which would have been applied for category '{category}'…", "regenconf_failed": "Could not regenerate the configuration for category(s): {categories}", 
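Review bot: `all_uid` and `all_gid` now hold strings, so the membership test further down in `user_create` only works while the candidate id is a string as well. The loop that draws and tests the candidate is outside this hunk, so its type cannot be checked from here. A one-line comment above the two sets would record the reason, e.g. `# candidate ids are compared as strings below, keep both sides str`. If the candidate is not needed as a string elsewhere, keeping the sets as integers and converting the candidate once with `int(...)` would be the less surprising form.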
@@ -495,24 +495,23 @@ "service_description_ssh": "Allows you to connect remotely to your server via a terminal (SSH protocol)", "service_description_yunohost-api": "Manages interactions between the YunoHost web interface and the system", "service_description_yunohost-firewall": "Manages open and close connection ports to services", - "service_disable_failed": "Could not turn off the service '{service:s}'\n\nRecent service logs:{logs:s}", - "service_disabled": "The '{service:s}' service was turned off", - "service_enable_failed": "Could not turn on the service '{service:s}'\n\nRecent service logs:{logs:s}", - "service_enabled": "The '{service:s}' service was turned off", - "service_no_log": "No logs to display for the service '{service:s}'", + "service_disable_failed": "Could not make the service '{service:s}' not start at boot.\n\nRecent service logs:{logs:s}", + "service_disabled": "The service '{service:s}' will not be started anymore when system boots.", + "service_enable_failed": "Could not make the service '{service:s}' automatically start at boot.\n\nRecent service logs:{logs:s}", + "service_enabled": "The service '{service:s}' will now be automatically started during system boots.", "service_regen_conf_is_deprecated": "'yunohost service regen-conf' is deprecated! 
Please use 'yunohost tools regen-conf' instead.", "service_remove_failed": "Could not remove the service '{service:s}'", - "service_removed": "'{service:s}' service removed", + "service_removed": "Service '{service:s}' removed", "service_reload_failed": "Could not reload the service '{service:s}'\n\nRecent service logs:{logs:s}", - "service_reloaded": "The '{service:s}' service was reloaded", + "service_reloaded": "Service '{service:s}' reloaded", "service_restart_failed": "Could not restart the service '{service:s}'\n\nRecent service logs:{logs:s}", - "service_restarted": "'{service:s}' service restarted", + "service_restarted": "Service '{service:s}' restarted", "service_reload_or_restart_failed": "Could not reload or restart the service '{service:s}'\n\nRecent service logs:{logs:s}", - "service_reloaded_or_restarted": "The '{service:s}' service was reloaded or restarted", + "service_reloaded_or_restarted": "The service '{service:s}' was reloaded or restarted", "service_start_failed": "Could not start the service '{service:s}'\n\nRecent service logs:{logs:s}", - "service_started": "'{service:s}' service started", + "service_started": "Service '{service:s}' started", "service_stop_failed": "Could not stop the service '{service:s}'\n\nRecent service logs:{logs:s}", - "service_stopped": "The '{service:s}' service stopped", + "service_stopped": "Service '{service:s}' stopped", "service_unknown": "Unknown service '{service:s}'", "ssowat_conf_generated": "SSOwat configuration generated", "ssowat_conf_updated": "SSOwat configuration updated", From 031f8a6e3814dd9c387814e1c1c61b284df95174 Mon Sep 17 00:00:00 2001 
From: Matthew DeAbreu Date: Wed, 20 Nov 2019 09:52:01 -0800 Subject: [PATCH 50/94] ensure metronome owns domain dir When adding new domains to Yunohost a directory for each newly added domain is created in `/var/lib/metronome` unfortunately since the directory is created with `sudo mkdir` that means `root:root` owns the directory. Metronome will now fail to write to the directory. --- data/hooks/conf_regen/12-metronome | 1 + 1 file changed, 1 insertion(+) diff --git a/data/hooks/conf_regen/12-metronome b/data/hooks/conf_regen/12-metronome index 4214722fc..f3df22317 100755 --- a/data/hooks/conf_regen/12-metronome +++ b/data/hooks/conf_regen/12-metronome @@ -51,6 +51,7 @@ do_post_regen() { # create metronome directories for domains for domain in $domain_list; do sudo mkdir -p "/var/lib/metronome/${domain//./%2e}/pep" + sudo chown -R metronome: /var/lib/metronome/${domain//./%2e}/ done [[ -z "$regen_conf_files" ]] \ From 1f623830b3b54e49bf776d47295de98eced004d5 Mon Sep 17 00:00:00 2001 From: Matthew DeAbreu Date: Fri, 22 Nov 2019 09:02:01 -0800 Subject: [PATCH 51/94] Update 12-metronome simplify change by reordering operations --- data/hooks/conf_regen/12-metronome | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/data/hooks/conf_regen/12-metronome b/data/hooks/conf_regen/12-metronome index f3df22317..7047af660 100755 --- a/data/hooks/conf_regen/12-metronome +++ b/data/hooks/conf_regen/12-metronome 
@@ -41,19 +41,18 @@ do_pre_regen() { do_post_regen() { regen_conf_files=$1 - # fix some permissions - sudo chown -R metronome: /var/lib/metronome/ - sudo chown -R metronome: /etc/metronome/conf.d/ - # retrieve variables domain_list=$(sudo yunohost domain list --output-as plain --quiet) # create metronome directories for domains for domain in $domain_list; do sudo mkdir -p "/var/lib/metronome/${domain//./%2e}/pep" - sudo chown -R metronome: /var/lib/metronome/${domain//./%2e}/ done + # fix some permissions + sudo chown -R metronome: /var/lib/metronome/ + sudo chown -R metronome: /etc/metronome/conf.d/ + [[ -z "$regen_conf_files" ]] \ || sudo service metronome restart } From be88a2835a5663c64d31917581772c5d754ef51c Mon Sep 17 00:00:00 2001 
From: Alexandre Aubin Date: Wed, 27 Nov 2019 23:58:36 +0100 Subject: [PATCH 52/94] Remove those random sudo which are useless yet triggers LDAP warning when LDAP is in bad state --- data/helpers.d/apt | 2 +- data/helpers.d/backup | 24 +++++++++++----------- data/helpers.d/logging | 4 ++-- data/helpers.d/logrotate | 6 +++--- data/helpers.d/mysql | 8 ++++---- data/helpers.d/nginx | 2 +- data/helpers.d/php | 8 ++++---- data/helpers.d/postgresql | 10 ++++----- data/helpers.d/setting | 4 ++-- data/helpers.d/string | 2 +- data/helpers.d/systemd | 8 ++++---- data/helpers.d/user | 6 +++--- data/hooks/backup/05-conf_ldap | 4 ++-- data/hooks/conf_regen/01-yunohost | 14 ++++++------- data/hooks/conf_regen/02-ssl | 6 +++--- data/hooks/conf_regen/06-slapd | 2 +- data/hooks/conf_regen/09-nslcd | 2 +- data/hooks/conf_regen/12-metronome | 12 +++++------ data/hooks/conf_regen/15-nginx | 8 ++++---- data/hooks/conf_regen/19-postfix | 4 ++-- data/hooks/conf_regen/25-dovecot | 20 +++++++++--------- data/hooks/conf_regen/31-rspamd | 24 +++++++++++----------- data/hooks/conf_regen/34-mysql | 16 +++++++-------- data/hooks/conf_regen/37-avahi-daemon | 2 +- data/hooks/conf_regen/40-glances | 2 +- data/hooks/conf_regen/43-dnsmasq | 4 ++-- data/hooks/conf_regen/46-nsswitch | 2 +- data/hooks/conf_regen/52-fail2ban | 2 +- data/hooks/restore/05-conf_ldap | 2 +- data/hooks/restore/08-conf_ssh | 4 ++-- data/hooks/restore/11-conf_ynh_mysql | 16 +++++++-------- data/hooks/restore/14-conf_ssowat | 2 +- data/hooks/restore/17-data_home | 2 +- data/hooks/restore/20-conf_ynh_firewall | 4 ++-- data/hooks/restore/21-conf_ynh_certs | 8 ++++---- data/hooks/restore/23-data_mail | 8 ++++---- data/hooks/restore/26-conf_xmpp | 6 +++--- data/hooks/restore/29-conf_nginx | 4 ++-- data/hooks/restore/32-conf_cron | 4 ++-- data/hooks/restore/40-conf_ynh_currenthost | 2 +- src/yunohost/tools.py | 6 +++--- 41 files changed, 138 insertions(+), 138 deletions(-) 
diff --git a/data/helpers.d/apt b/data/helpers.d/apt index da2740d01..55c85c90b 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt @@ -13,7 +13,7 @@ ynh_wait_dpkg_free() { for try in `seq 1 17` do # Check if /var/lib/dpkg/lock is used by another process - if sudo lsof /var/lib/dpkg/lock > /dev/null + if lsof /var/lib/dpkg/lock > /dev/null then echo "apt is already in use..." # Sleep an exponential time at each round diff --git a/data/helpers.d/backup b/data/helpers.d/backup index d3ffffcd3..590e951a5 100644 --- a/data/helpers.d/backup +++ b/data/helpers.d/backup @@ -179,7 +179,7 @@ ynh_restore () { # usage: _get_archive_path ORIGIN_PATH _get_archive_path () { # For security reasons we use csv python library to read the CSV - sudo python -c " + python -c " import sys import csv with open(sys.argv[1], 'r') as backup_file: @@ -302,7 +302,7 @@ ynh_store_file_checksum () { ynh_handle_getopts_args "$@" local checksum_setting_name=checksum_${file//[\/ ]/_} # Replace all '/' and ' ' by '_' - ynh_app_setting_set --app=$app --key=$checksum_setting_name --value=$(sudo md5sum "$file" | cut -d' ' -f1) + ynh_app_setting_set --app=$app --key=$checksum_setting_name --value=$(md5sum "$file" | cut -d' ' -f1) # If backup_file_checksum isn't empty, ynh_backup_if_checksum_is_different has made a backup if [ -n "${backup_file_checksum-}" ] 
@@ -339,11 +339,11 @@ ynh_backup_if_checksum_is_different () { backup_file_checksum="" if [ -n "$checksum_value" ] then # Proceed only if a value was stored into the app settings - if [ -e $file ] && ! echo "$checksum_value $file" | sudo md5sum -c --status + if [ -e $file ] && ! echo "$checksum_value $file" | md5sum -c --status then # If the checksum is now different backup_file_checksum="/home/yunohost.conf/backup/$file.backup.$(date '+%Y%m%d.%H%M%S')" - sudo mkdir -p "$(dirname "$backup_file_checksum")" - sudo cp -a "$file" "$backup_file_checksum" # Backup the current file + mkdir -p "$(dirname "$backup_file_checksum")" + cp -a "$file" "$backup_file_checksum" # Backup the current file ynh_print_warn "File $file has been manually modified since the installation or last upgrade. So it has been duplicated in $backup_file_checksum" echo "$backup_file_checksum" # Return the name of the backup file fi @@ -394,7 +394,7 @@ ynh_backup_before_upgrade () { if [ "$NO_BACKUP_UPGRADE" -eq 0 ] then # Check if a backup already exists with the prefix 1 - if sudo yunohost backup list | grep -q $app_bck-pre-upgrade1 + if yunohost backup list | grep -q $app_bck-pre-upgrade1 then # Prefix becomes 2 to preserve the previous backup backup_number=2 
@@ -402,14 +402,14 @@ ynh_backup_before_upgrade () { fi # Create backup - sudo BACKUP_CORE_ONLY=1 yunohost backup create --apps $app --name $app_bck-pre-upgrade$backup_number --debug + BACKUP_CORE_ONLY=1 yunohost backup create --apps $app --name $app_bck-pre-upgrade$backup_number --debug if [ "$?" -eq 0 ] then # If the backup succeeded, remove the previous backup - if sudo yunohost backup list | grep -q $app_bck-pre-upgrade$old_backup_number + if yunohost backup list | grep -q $app_bck-pre-upgrade$old_backup_number then # Remove the previous backup only if it exists - sudo yunohost backup delete $app_bck-pre-upgrade$old_backup_number > /dev/null + yunohost backup delete $app_bck-pre-upgrade$old_backup_number > /dev/null fi else ynh_die --message="Backup failed, the upgrade process was aborted." @@ -438,12 +438,12 @@ ynh_restore_upgradebackup () { if [ "$NO_BACKUP_UPGRADE" -eq 0 ] then # Check if an existing backup can be found before removing and restoring the application. - if sudo yunohost backup list | grep -q $app_bck-pre-upgrade$backup_number + if yunohost backup list | grep -q $app_bck-pre-upgrade$backup_number then # Remove the application then restore it - sudo yunohost app remove $app + yunohost app remove $app # Restore the backup - sudo yunohost backup restore $app_bck-pre-upgrade$backup_number --apps $app --force --debug + yunohost backup restore $app_bck-pre-upgrade$backup_number --apps $app --force --debug ynh_die --message="The app was restored to the way it was before the failed upgrade." fi else diff --git a/data/helpers.d/logging b/data/helpers.d/logging index be33b75a5..89fb89c6e 100644 --- a/data/helpers.d/logging +++ b/data/helpers.d/logging 
@@ -46,10 +46,10 @@ ynh_print_info() { # Requires YunoHost version 2.6.4 or higher. ynh_no_log() { local ynh_cli_log=/var/log/yunohost/yunohost-cli.log - sudo cp -a ${ynh_cli_log} ${ynh_cli_log}-move + cp -a ${ynh_cli_log} ${ynh_cli_log}-move eval $@ local exit_code=$? - sudo mv ${ynh_cli_log}-move ${ynh_cli_log} + mv ${ynh_cli_log}-move ${ynh_cli_log} return $? } diff --git a/data/helpers.d/logrotate b/data/helpers.d/logrotate index 82cdee6a5..9e2429218 100644 --- a/data/helpers.d/logrotate +++ b/data/helpers.d/logrotate @@ -90,8 +90,8 @@ $logfile { $su_directive } EOF - sudo mkdir -p $(dirname "$logfile") # Create the log directory, if not exist - cat ${app}-logrotate | sudo $customtee /etc/logrotate.d/$app > /dev/null # Append this config to the existing config file, or replace the whole config file (depending on $customtee) + mkdir -p $(dirname "$logfile") # Create the log directory, if not exist + cat ${app}-logrotate | $customtee /etc/logrotate.d/$app > /dev/null # Append this config to the existing config file, or replace the whole config file (depending on $customtee) } # Remove the app's logrotate config. @@ -101,6 +101,6 @@ EOF # Requires YunoHost version 2.6.4 or higher. ynh_remove_logrotate () { if [ -e "/etc/logrotate.d/$app" ]; then - sudo rm "/etc/logrotate.d/$app" + rm "/etc/logrotate.d/$app" fi } diff --git a/data/helpers.d/mysql b/data/helpers.d/mysql index e9cf59b3c..91d4abcd2 100644 --- a/data/helpers.d/mysql +++ b/data/helpers.d/mysql @@ -44,7 +44,7 @@ ynh_mysql_execute_as_root() { ynh_handle_getopts_args "$@" database="${database:-}" - ynh_mysql_connect_as --user="root" --password="$(sudo cat $MYSQL_ROOT_PWD_FILE)" \ + ynh_mysql_connect_as --user="root" --password="$(cat $MYSQL_ROOT_PWD_FILE)" \ --database="$database" <<< "$sql" } 
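Review bot: In `ynh_no_log` the exit status of the wrapped command is saved in `exit_code` but never used: the last line is `return $?`, which returns the status of the `mv` that restores the log file. A failing command therefore looks successful to the caller as long as the log is moved back. The last line should be `return $exit_code`.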
@@ -65,7 +65,7 @@ ynh_mysql_execute_file_as_root() { ynh_handle_getopts_args "$@" database="${database:-}" - ynh_mysql_connect_as --user="root" --password="$(sudo cat $MYSQL_ROOT_PWD_FILE)" \ + ynh_mysql_connect_as --user="root" --password="$(cat $MYSQL_ROOT_PWD_FILE)" \ --database="$database" < "$file" } @@ -126,7 +126,7 @@ ynh_mysql_dump_db() { # Manage arguments with getopts ynh_handle_getopts_args "$@" - mysqldump -u "root" -p"$(sudo cat $MYSQL_ROOT_PWD_FILE)" --single-transaction --skip-dump-date "$database" + mysqldump -u "root" -p"$(cat $MYSQL_ROOT_PWD_FILE)" --single-transaction --skip-dump-date "$database" } # Create a user @@ -223,7 +223,7 @@ ynh_mysql_remove_db () { # Manage arguments with getopts ynh_handle_getopts_args "$@" - local mysql_root_password=$(sudo cat $MYSQL_ROOT_PWD_FILE) + local mysql_root_password=$(cat $MYSQL_ROOT_PWD_FILE) if mysqlshow -u root -p$mysql_root_password | grep -q "^| $db_name"; then # Check if the database exists ynh_mysql_drop_db $db_name # Remove the database else diff --git a/data/helpers.d/nginx b/data/helpers.d/nginx index ce6b61d3c..e3e45d2d4 100644 --- a/data/helpers.d/nginx +++ b/data/helpers.d/nginx @@ -22,7 +22,7 @@ ynh_add_nginx_config () { finalnginxconf="/etc/nginx/conf.d/$domain.d/$app.conf" local others_var=${1:-} ynh_backup_if_checksum_is_different --file="$finalnginxconf" - sudo cp ../conf/nginx.conf "$finalnginxconf" + cp ../conf/nginx.conf "$finalnginxconf" # To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable. # Substitute in a nginx config file only if the variable is not empty diff --git a/data/helpers.d/php b/data/helpers.d/php index c9e3ba9ed..41af467c5 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
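Review bot: `ynh_mysql_dump_db` still passes the MySQL root password on the command line (`-p"$(cat $MYSQL_ROOT_PWD_FILE)"`), and `ynh_mysql_remove_db` does the same with `mysqlshow -u root -p$mysql_root_password`, so the secret can appear in the process list for other local users while the client runs. The PostgreSQL helpers touched by the same commit hand the password over in the environment (`PGPASSWORD=...`); the MySQL clients accept `MYSQL_PWD` in the same way, e.g. `MYSQL_PWD="$(cat "$MYSQL_ROOT_PWD_FILE")" mysqldump -u root --single-transaction --skip-dump-date "$database"`. With `sudo` removed, `cat` also fails when a helper is not run as root and an empty password is then passed on silently; quoting `"$MYSQL_ROOT_PWD_FILE"` and checking that the read succeeded would make that failure visible.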
@@ -28,12 +28,12 @@ ynh_add_fpm_config () { ynh_app_setting_set --app=$app --key=fpm_service --value="$fpm_service" finalphpconf="$fpm_config_dir/pool.d/$app.conf" ynh_backup_if_checksum_is_different --file="$finalphpconf" - sudo cp ../conf/php-fpm.conf "$finalphpconf" + cp ../conf/php-fpm.conf "$finalphpconf" ynh_replace_string --match_string="__NAMETOCHANGE__" --replace_string="$app" --target_file="$finalphpconf" ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalphpconf" ynh_replace_string --match_string="__USER__" --replace_string="$app" --target_file="$finalphpconf" ynh_replace_string --match_string="__PHPVERSION__" --replace_string="$phpversion" --target_file="$finalphpconf" - sudo chown root: "$finalphpconf" + chown root: "$finalphpconf" ynh_store_file_checksum --file="$finalphpconf" if [ -e "../conf/php-fpm.ini" ] @@ -41,8 +41,8 @@ ynh_add_fpm_config () { echo "Packagers ! Please do not use a separate php ini file, merge your directives in the pool file instead." >&2 finalphpini="$fpm_config_dir/conf.d/20-$app.ini" ynh_backup_if_checksum_is_different "$finalphpini" - sudo cp ../conf/php-fpm.ini "$finalphpini" - sudo chown root: "$finalphpini" + cp ../conf/php-fpm.ini "$finalphpini" + chown root: "$finalphpini" ynh_store_file_checksum "$finalphpini" fi ynh_systemd_action --service_name=$fpm_service --action=reload diff --git a/data/helpers.d/postgresql b/data/helpers.d/postgresql index d252ae2dc..6d8524e54 100644 --- a/data/helpers.d/postgresql +++ b/data/helpers.d/postgresql @@ -45,7 +45,7 @@ ynh_psql_execute_as_root() { ynh_handle_getopts_args "$@" database="${database:-}" - ynh_psql_connect_as --user="postgres" --password="$(sudo cat $PSQL_ROOT_PWD_FILE)" \ + ynh_psql_connect_as --user="postgres" --password="$(cat $PSQL_ROOT_PWD_FILE)" \ --database="$database" <<<"$sql" } 
@@ -66,7 +66,7 @@ ynh_psql_execute_file_as_root() { ynh_handle_getopts_args "$@" database="${database:-}" - ynh_psql_connect_as --user="postgres" --password="$(sudo cat $PSQL_ROOT_PWD_FILE)" \ + ynh_psql_connect_as --user="postgres" --password="$(cat $PSQL_ROOT_PWD_FILE)" \ --database="$database" <"$file" } @@ -160,7 +160,7 @@ ynh_psql_user_exists() { # Manage arguments with getopts ynh_handle_getopts_args "$@" - if ! sudo --login --user=postgres PGUSER="postgres" PGPASSWORD="$(sudo cat $PSQL_ROOT_PWD_FILE)" psql -tAc "SELECT rolname FROM pg_roles WHERE rolname='$user';" | grep --quiet "$user" ; then + if ! sudo --login --user=postgres PGUSER="postgres" PGPASSWORD="$(cat $PSQL_ROOT_PWD_FILE)" psql -tAc "SELECT rolname FROM pg_roles WHERE rolname='$user';" | grep --quiet "$user" ; then return 1 else return 0 @@ -179,7 +179,7 @@ ynh_psql_database_exists() { # Manage arguments with getopts ynh_handle_getopts_args "$@" - if ! sudo --login --user=postgres PGUSER="postgres" PGPASSWORD="$(sudo cat $PSQL_ROOT_PWD_FILE)" psql -tAc "SELECT datname FROM pg_database WHERE datname='$database';" | grep --quiet "$database"; then + if ! sudo --login --user=postgres PGUSER="postgres" PGPASSWORD="$(cat $PSQL_ROOT_PWD_FILE)" psql -tAc "SELECT datname FROM pg_database WHERE datname='$database';" | grep --quiet "$database"; then return 1 else return 0 @@ -243,7 +243,7 @@ ynh_psql_remove_db() { # Manage arguments with getopts ynh_handle_getopts_args "$@" - local psql_root_password=$(sudo cat $PSQL_ROOT_PWD_FILE) + local psql_root_password=$(cat $PSQL_ROOT_PWD_FILE) if ynh_psql_database_exists --database=$db_name; then # Check if the database exists ynh_psql_drop_db $db_name # Remove the database else diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 9f68cb5d9..384fdc399 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting 
@@ -222,7 +222,7 @@ ynh_webpath_available () { # Manage arguments with getopts ynh_handle_getopts_args "$@" - sudo yunohost domain url-available $domain $path_url + yunohost domain url-available $domain $path_url } # Register/book a web path for an app @@ -245,7 +245,7 @@ ynh_webpath_register () { # Manage arguments with getopts ynh_handle_getopts_args "$@" - sudo yunohost app register-url $app $domain $path_url + yunohost app register-url $app $domain $path_url } # Create a new permission for the app diff --git a/data/helpers.d/string b/data/helpers.d/string index fcbc5190d..e50f781fe 100644 --- a/data/helpers.d/string +++ b/data/helpers.d/string @@ -49,7 +49,7 @@ ynh_replace_string () { match_string=${match_string//${delimit}/"\\${delimit}"} replace_string=${replace_string//${delimit}/"\\${delimit}"} - sudo sed --in-place "s${delimit}${match_string}${delimit}${replace_string}${delimit}g" "$target_file" + sed --in-place "s${delimit}${match_string}${delimit}${replace_string}${delimit}g" "$target_file" } # Substitute/replace a special string by another in a file diff --git a/data/helpers.d/systemd b/data/helpers.d/systemd index 105678b88..960382f8f 100644 --- a/data/helpers.d/systemd +++ b/data/helpers.d/systemd @@ -28,7 +28,7 @@ ynh_add_systemd_config () { finalsystemdconf="/etc/systemd/system/$service.service" ynh_backup_if_checksum_is_different --file="$finalsystemdconf" - sudo cp ../conf/$template "$finalsystemdconf" + cp ../conf/$template "$finalsystemdconf" # To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable. # Substitute in a nginx config file only if the variable is not empty 
@@ -40,9 +40,9 @@ ynh_add_systemd_config () { fi ynh_store_file_checksum --file="$finalsystemdconf" - sudo chown root: "$finalsystemdconf" - sudo systemctl enable $service - sudo systemctl daemon-reload + chown root: "$finalsystemdconf" + systemctl enable $service + systemctl daemon-reload } # Remove the dedicated systemd config diff --git a/data/helpers.d/user b/data/helpers.d/user index e7890ccb2..7051ed4c0 100644 --- a/data/helpers.d/user +++ b/data/helpers.d/user @@ -16,7 +16,7 @@ ynh_user_exists() { # Manage arguments with getopts ynh_handle_getopts_args "$@" - sudo yunohost user list --output-as json | grep -q "\"username\": \"${username}\"" + yunohost user list --output-as json | grep -q "\"username\": \"${username}\"" } # Retrieve a YunoHost user information @@ -38,7 +38,7 @@ ynh_user_get_info() { # Manage arguments with getopts ynh_handle_getopts_args "$@" - sudo yunohost user info "$username" --output-as plain | ynh_get_plain_key "$key" + yunohost user info "$username" --output-as plain | ynh_get_plain_key "$key" } # Get the list of YunoHost users @@ -50,7 +50,7 @@ ynh_user_get_info() { # # Requires YunoHost version 2.4.0 or higher. ynh_user_list() { - sudo yunohost user list --output-as plain --quiet \ + yunohost user list --output-as plain --quiet \ | awk '/^##username$/{getline; print}' } diff --git a/data/hooks/backup/05-conf_ldap b/data/hooks/backup/05-conf_ldap index 9ae22095e..75b4c2075 100755 --- a/data/hooks/backup/05-conf_ldap +++ b/data/hooks/backup/05-conf_ldap @@ -11,7 +11,7 @@ backup_dir="${1}/conf/ldap" # Backup the configuration ynh_backup "/etc/ldap/slapd.conf" "${backup_dir}/slapd.conf" -sudo slapcat -b cn=config -l "${backup_dir}/cn=config.master.ldif" +slapcat -b cn=config -l "${backup_dir}/cn=config.master.ldif" # Backup the database -sudo slapcat -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif" +slapcat -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif" 
diff --git a/data/hooks/conf_regen/01-yunohost b/data/hooks/conf_regen/01-yunohost index f22de7a53..1abfca35e 100755 --- a/data/hooks/conf_regen/01-yunohost +++ b/data/hooks/conf_regen/01-yunohost @@ -38,25 +38,25 @@ do_pre_regen() { if [[ -f $services_path ]]; then tmp_services_path="${services_path}-tmp" new_services_path="${services_path}-new" - sudo cp "$services_path" "$tmp_services_path" + cp "$services_path" "$tmp_services_path" _update_services "$new_services_path" || { - sudo mv "$tmp_services_path" "$services_path" + mv "$tmp_services_path" "$services_path" exit 1 } if [[ -f $new_services_path ]]; then # replace services.yml with new one - sudo mv "$new_services_path" "$services_path" - sudo mv "$tmp_services_path" "${services_path}-old" + mv "$new_services_path" "$services_path" + mv "$tmp_services_path" "${services_path}-old" else - sudo rm -f "$tmp_services_path" + rm -f "$tmp_services_path" fi else - sudo cp services.yml /etc/yunohost/services.yml + cp services.yml /etc/yunohost/services.yml fi } _update_services() { - sudo python2 - << EOF + python2 - << EOF import yaml diff --git a/data/hooks/conf_regen/02-ssl b/data/hooks/conf_regen/02-ssl index 1df3a3260..a893b21e1 100755 --- a/data/hooks/conf_regen/02-ssl +++ b/data/hooks/conf_regen/02-ssl @@ -99,13 +99,13 @@ do_post_regen() { [[ -f "${index_txt}" ]] || { if [[ -f "${index_txt}.saved" ]]; then # use saved database from 2.2 - sudo cp "${index_txt}.saved" "${index_txt}" + cp "${index_txt}.saved" "${index_txt}" elif [[ -f "${index_txt}.old" ]]; then # ... or use the state-1 database - sudo cp "${index_txt}.old" "${index_txt}" + cp "${index_txt}.old" "${index_txt}" else # ... or create an empty one - sudo touch "${index_txt}" + touch "${index_txt}" fi } diff --git a/data/hooks/conf_regen/06-slapd b/data/hooks/conf_regen/06-slapd index 50149392b..2fa108baa 100755 --- a/data/hooks/conf_regen/06-slapd +++ b/data/hooks/conf_regen/06-slapd 
@@ -127,7 +127,7 @@ do_post_regen() { # wait a maximum time of 5 minutes # yes, force-reload behave like a restart number_of_wait=0 - while ! sudo su admin -c '' && ((number_of_wait < 60)) + while ! su admin -c '' && ((number_of_wait < 60)) do sleep 5 ((number_of_wait += 1)) diff --git a/data/hooks/conf_regen/09-nslcd b/data/hooks/conf_regen/09-nslcd index 5071ac1fd..7090fc758 100755 --- a/data/hooks/conf_regen/09-nslcd +++ b/data/hooks/conf_regen/09-nslcd @@ -14,7 +14,7 @@ do_post_regen() { regen_conf_files=$1 [[ -z "$regen_conf_files" ]] \ - || sudo service nslcd restart + || service nslcd restart } FORCE=${2:-0} diff --git a/data/hooks/conf_regen/12-metronome b/data/hooks/conf_regen/12-metronome index 7047af660..fbd956e7c 100755 --- a/data/hooks/conf_regen/12-metronome +++ b/data/hooks/conf_regen/12-metronome @@ -14,7 +14,7 @@ do_pre_regen() { # retrieve variables main_domain=$(cat /etc/yunohost/current_host) - domain_list=$(sudo yunohost domain list --output-as plain --quiet) + domain_list=$(yunohost domain list --output-as plain --quiet) # install main conf file cat metronome.cfg.lua \ @@ -42,19 +42,19 @@ do_post_regen() { regen_conf_files=$1 # retrieve variables - domain_list=$(sudo yunohost domain list --output-as plain --quiet) + domain_list=$(yunohost domain list --output-as plain --quiet) # create metronome directories for domains for domain in $domain_list; do - sudo mkdir -p "/var/lib/metronome/${domain//./%2e}/pep" + mkdir -p "/var/lib/metronome/${domain//./%2e}/pep" done # fix some permissions - sudo chown -R metronome: /var/lib/metronome/ - sudo chown -R metronome: /etc/metronome/conf.d/ + chown -R metronome: /var/lib/metronome/ + chown -R metronome: /etc/metronome/conf.d/ [[ -z "$regen_conf_files" ]] \ - || sudo service metronome restart + || service metronome restart } FORCE=${2:-0} diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index 59654a771..55a5494b2 100755 --- a/data/hooks/conf_regen/15-nginx 
+++ b/data/hooks/conf_regen/15-nginx @@ -45,7 +45,7 @@ do_pre_regen() { # retrieve variables main_domain=$(cat /etc/yunohost/current_host) - domain_list=$(sudo yunohost domain list --output-as plain --quiet) + domain_list=$(yunohost domain list --output-as plain --quiet) # Support different strategy for security configurations export compatibility="$(yunohost settings get 'security.nginx.compatibility')" @@ -102,15 +102,15 @@ do_post_regen() { [ -z "$regen_conf_files" ] && exit 0 # retrieve variables - domain_list=$(sudo yunohost domain list --output-as plain --quiet) + domain_list=$(yunohost domain list --output-as plain --quiet) # create NGINX conf directories for domains for domain in $domain_list; do - sudo mkdir -p "/etc/nginx/conf.d/${domain}.d" + mkdir -p "/etc/nginx/conf.d/${domain}.d" done # Reload nginx configuration - pgrep nginx && sudo service nginx reload + pgrep nginx && service nginx reload } FORCE=${2:-0} diff --git a/data/hooks/conf_regen/19-postfix b/data/hooks/conf_regen/19-postfix index b37425984..0f09f0299 100755 --- a/data/hooks/conf_regen/19-postfix +++ b/data/hooks/conf_regen/19-postfix @@ -20,7 +20,7 @@ do_pre_regen() { # prepare main.cf conf file main_domain=$(cat /etc/yunohost/current_host) - domain_list=$(sudo yunohost domain list --output-as plain --quiet | tr '\n' ' ') + domain_list=$(yunohost domain list --output-as plain --quiet | tr '\n' ' ') # Support different strategy for security configurations export compatibility="$(yunohost settings get 'security.postfix.compatibility')" @@ -49,7 +49,7 @@ do_post_regen() { regen_conf_files=$1 [[ -z "$regen_conf_files" ]] \ - || { sudo service postfix restart && sudo service postsrsd restart; } + || { service postfix restart && service postsrsd restart; } } diff --git a/data/hooks/conf_regen/25-dovecot b/data/hooks/conf_regen/25-dovecot index 4c5ae24c1..2638c7f6f 100755 --- a/data/hooks/conf_regen/25-dovecot +++ b/data/hooks/conf_regen/25-dovecot 
@@ -35,28 +35,28 @@ do_pre_regen() { do_post_regen() { regen_conf_files=$1 - sudo mkdir -p "/etc/dovecot/yunohost.d/pre-ext.d" - sudo mkdir -p "/etc/dovecot/yunohost.d/post-ext.d" + mkdir -p "/etc/dovecot/yunohost.d/pre-ext.d" + mkdir -p "/etc/dovecot/yunohost.d/post-ext.d" # create vmail user id vmail > /dev/null 2>&1 \ - || sudo adduser --system --ingroup mail --uid 500 vmail + || adduser --system --ingroup mail --uid 500 vmail # fix permissions - sudo chown -R vmail:mail /etc/dovecot/global_script - sudo chmod 770 /etc/dovecot/global_script - sudo chown root:mail /var/mail - sudo chmod 1775 /var/mail + chown -R vmail:mail /etc/dovecot/global_script + chmod 770 /etc/dovecot/global_script + chown root:mail /var/mail + chmod 1775 /var/mail [ -z "$regen_conf_files" ] && exit 0 # compile sieve script [[ "$regen_conf_files" =~ dovecot\.sieve ]] && { - sudo sievec /etc/dovecot/global_script/dovecot.sieve - sudo chown -R vmail:mail /etc/dovecot/global_script + sievec /etc/dovecot/global_script/dovecot.sieve + chown -R vmail:mail /etc/dovecot/global_script } - sudo service dovecot restart + service dovecot restart } FORCE=${2:-0} diff --git a/data/hooks/conf_regen/31-rspamd b/data/hooks/conf_regen/31-rspamd index d263d9cc9..26fea4336 100755 --- a/data/hooks/conf_regen/31-rspamd +++ b/data/hooks/conf_regen/31-rspamd @@ -22,11 +22,11 @@ do_post_regen() { ## # create DKIM directory with proper permission - sudo mkdir -p /etc/dkim - sudo chown _rspamd /etc/dkim + mkdir -p /etc/dkim + chown _rspamd /etc/dkim # retrieve domain list - domain_list=$(sudo yunohost domain list --output-as plain --quiet) + domain_list=$(yunohost domain list --output-as plain --quiet) # create DKIM key for domains for domain in $domain_list; do 
@@ -34,30 +34,30 @@ do_post_regen() { [ ! -f "$domain_key" ] && { # We use a 1024 bit size because nsupdate doesn't seem to be able to # handle 2048... - sudo opendkim-genkey --domain="$domain" \ + opendkim-genkey --domain="$domain" \ --selector=mail --directory=/etc/dkim -b 1024 - sudo mv /etc/dkim/mail.private "$domain_key" - sudo mv /etc/dkim/mail.txt "/etc/dkim/${domain}.mail.txt" + mv /etc/dkim/mail.private "$domain_key" + mv /etc/dkim/mail.txt "/etc/dkim/${domain}.mail.txt" } done # fix DKIM keys permissions - sudo chown _rspamd /etc/dkim/*.mail.key - sudo chmod 400 /etc/dkim/*.mail.key + chown _rspamd /etc/dkim/*.mail.key + chmod 400 /etc/dkim/*.mail.key regen_conf_files=$1 [ -z "$regen_conf_files" ] && exit 0 # compile sieve script [[ "$regen_conf_files" =~ rspamd\.sieve ]] && { - sudo sievec /etc/dovecot/global_script/rspamd.sieve - sudo chown -R vmail:mail /etc/dovecot/global_script - sudo systemctl restart dovecot + sievec /etc/dovecot/global_script/rspamd.sieve + chown -R vmail:mail /etc/dovecot/global_script + systemctl restart dovecot } # Restart rspamd due to the upgrade # https://rspamd.com/announce/2016/08/01/rspamd-1.3.1.html - sudo systemctl -q restart rspamd.service + systemctl -q restart rspamd.service } FORCE=${2:-0} diff --git a/data/hooks/conf_regen/34-mysql b/data/hooks/conf_regen/34-mysql index 8f7b5455e..43f9fdde1 100755 --- a/data/hooks/conf_regen/34-mysql +++ b/data/hooks/conf_regen/34-mysql 
@@ -18,12 +18,12 @@ do_post_regen() { if [ ! -f /etc/yunohost/mysql ]; then # ensure that mysql is running - sudo systemctl -q is-active mysql.service \ - || sudo service mysql start + systemctl -q is-active mysql.service \ + || service mysql start # generate and set new root password mysql_password=$(ynh_string_random 10) - sudo mysqladmin -s -u root -pyunohost password "$mysql_password" || { + mysqladmin -s -u root -pyunohost password "$mysql_password" || { if [ $FORCE -eq 1 ]; then echo "It seems that you have already configured MySQL." \ "YunoHost needs to have a root access to MySQL to runs its" \ @@ -31,13 +31,13 @@ do_post_regen() { "You can find this new password in /etc/yunohost/mysql." >&2 # set new password with debconf - sudo debconf-set-selections << EOF + debconf-set-selections << EOF $MYSQL_PKG mysql-server/root_password password $mysql_password $MYSQL_PKG mysql-server/root_password_again password $mysql_password EOF # reconfigure Debian package - sudo dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1 + dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1 else echo "It seems that you have already configured MySQL." \ "YunoHost needs to have a root access to MySQL to runs its" \ @@ -49,12 +49,12 @@ EOF } # store new root password - echo "$mysql_password" | sudo tee /etc/yunohost/mysql - sudo chmod 400 /etc/yunohost/mysql + echo "$mysql_password" | tee /etc/yunohost/mysql + chmod 400 /etc/yunohost/mysql fi [[ -z "$regen_conf_files" ]] \ - || sudo service mysql restart + || service mysql restart } FORCE=${2:-0} diff --git a/data/hooks/conf_regen/37-avahi-daemon b/data/hooks/conf_regen/37-avahi-daemon index 655a2e054..239c3ad0c 100755 --- a/data/hooks/conf_regen/37-avahi-daemon +++ b/data/hooks/conf_regen/37-avahi-daemon @@ -15,7 +15,7 @@ do_post_regen() { regen_conf_files=$1 [[ -z "$regen_conf_files" ]] \ - || sudo service avahi-daemon restart + || service avahi-daemon restart } FORCE=${2:-0} 
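Review bot: In the third hunk of `34-mysql`, `echo "$mysql_password" | tee /etc/yunohost/mysql` copies the new MySQL root password to the hook's stdout as well as to the file, and the file keeps default-umask permissions until the `chmod 400` on the next line runs. With `sudo` gone there is no reason to keep `tee`; creating the file under a restrictive umask closes both gaps: `(umask 077; echo "$mysql_password" > /etc/yunohost/mysql)`, keeping the `chmod 400` after it. Where this hook's stdout ends up is not visible in the hunk, so the log exposure is likely rather than certain. The same two lines appear with `$new_pwd` in the last hunk of `data/hooks/restore/11-conf_ynh_mysql`.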
diff --git a/data/hooks/conf_regen/40-glances b/data/hooks/conf_regen/40-glances index a19d35d56..70b8f4b5a 100755 --- a/data/hooks/conf_regen/40-glances +++ b/data/hooks/conf_regen/40-glances @@ -14,7 +14,7 @@ do_post_regen() { regen_conf_files=$1 [[ -z "$regen_conf_files" ]] \ - || sudo service glances restart + || service glances restart } FORCE=${2:-0} diff --git a/data/hooks/conf_regen/43-dnsmasq b/data/hooks/conf_regen/43-dnsmasq index ed795c058..90e96a04c 100755 --- a/data/hooks/conf_regen/43-dnsmasq +++ b/data/hooks/conf_regen/43-dnsmasq @@ -26,7 +26,7 @@ do_pre_regen() { ynh_validate_ip4 "$ipv4" || ipv4='127.0.0.1' ipv6=$(curl -s -6 https://ip6.yunohost.org 2>/dev/null || true) ynh_validate_ip6 "$ipv6" || ipv6='' - domain_list=$(sudo yunohost domain list --output-as plain --quiet) + domain_list=$(yunohost domain list --output-as plain --quiet) # add domain conf files for domain in $domain_list; do @@ -51,7 +51,7 @@ do_post_regen() { regen_conf_files=$1 [[ -z "$regen_conf_files" ]] \ - || sudo service dnsmasq restart + || service dnsmasq restart } FORCE=${2:-0} diff --git a/data/hooks/conf_regen/46-nsswitch b/data/hooks/conf_regen/46-nsswitch index 06a596e44..fa9b07511 100755 --- a/data/hooks/conf_regen/46-nsswitch +++ b/data/hooks/conf_regen/46-nsswitch @@ -14,7 +14,7 @@ do_post_regen() { regen_conf_files=$1 [[ -z "$regen_conf_files" ]] \ - || sudo service unscd restart + || service unscd restart } FORCE=${2:-0} diff --git a/data/hooks/conf_regen/52-fail2ban b/data/hooks/conf_regen/52-fail2ban index 950f27b5b..3cb499db7 100755 --- a/data/hooks/conf_regen/52-fail2ban +++ b/data/hooks/conf_regen/52-fail2ban @@ -20,7 +20,7 @@ do_post_regen() { regen_conf_files=$1 [[ -z "$regen_conf_files" ]] \ - || sudo service fail2ban restart + || service fail2ban restart } FORCE=${2:-0} diff --git a/data/hooks/restore/05-conf_ldap b/data/hooks/restore/05-conf_ldap index eb6824993..74093136d 100644 --- a/data/hooks/restore/05-conf_ldap +++ b/data/hooks/restore/05-conf_ldap 
@@ -5,7 +5,7 @@ if [[ $EUID -ne 0 ]]; then # We need to execute this script as root, since the ldap # service will be shut down during the operation (and sudo # won't be available) - sudo /bin/bash $(readlink -f $0) $1 + /bin/bash $(readlink -f $0) $1 else diff --git a/data/hooks/restore/08-conf_ssh b/data/hooks/restore/08-conf_ssh index 0c0f9bf9b..4b69d1696 100644 --- a/data/hooks/restore/08-conf_ssh +++ b/data/hooks/restore/08-conf_ssh @@ -1,8 +1,8 @@ backup_dir="$1/conf/ssh" if [ -d /etc/ssh/ ]; then - sudo cp -a $backup_dir/. /etc/ssh - sudo service ssh restart + cp -a $backup_dir/. /etc/ssh + service ssh restart else echo "SSH is not installed" fi diff --git a/data/hooks/restore/11-conf_ynh_mysql b/data/hooks/restore/11-conf_ynh_mysql index 24cdb1e79..f54641d6f 100644 --- a/data/hooks/restore/11-conf_ynh_mysql +++ b/data/hooks/restore/11-conf_ynh_mysql @@ -9,15 +9,15 @@ service mysql status >/dev/null 2>&1 \ # retrieve current and new password [ -f /etc/yunohost/mysql ] \ - && curr_pwd=$(sudo cat /etc/yunohost/mysql) -new_pwd=$(sudo cat "${backup_dir}/root_pwd" || sudo cat "${backup_dir}/mysql") + && curr_pwd=$(cat /etc/yunohost/mysql) +new_pwd=$(cat "${backup_dir}/root_pwd" || cat "${backup_dir}/mysql") [ -z "$curr_pwd" ] && curr_pwd="yunohost" [ -z "$new_pwd" ] && { new_pwd=$(ynh_string_random 10) } # attempt to change it -sudo mysqladmin -s -u root -p"$curr_pwd" password "$new_pwd" || { +mysqladmin -s -u root -p"$curr_pwd" password "$new_pwd" || { echo "It seems that you have already configured MySQL." \ "YunoHost needs to have a root access to MySQL to runs its" \ 
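Review bot: In the `restore/05-conf_ldap` hunk, with `sudo` removed the `$EUID -ne 0` branch re-runs the same script as the same non-root user (`/bin/bash $(readlink -f $0) $1`), so the child takes the same branch again and the hook recurses instead of gaining privileges. If hooks are now guaranteed to run as root, the branch is dead and the guard can be dropped; otherwise it should fail loudly, e.g. `echo "This hook must be run as root" >&2; exit 1`. The comment above the call still refers to sudo and should be updated either way. The `else` body continues outside the hunk.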
@@ -25,18 +25,18 @@ sudo mysqladmin -s -u root -p"$curr_pwd" password "$new_pwd" || { "You can find this new password in /etc/yunohost/mysql." >&2 # set new password with debconf - sudo debconf-set-selections << EOF + debconf-set-selections << EOF $MYSQL_PKG mysql-server/root_password password $new_pwd $MYSQL_PKG mysql-server/root_password_again password $new_pwd EOF # reconfigure Debian package - sudo dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1 + dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1 } # store new root password -echo "$new_pwd" | sudo tee /etc/yunohost/mysql -sudo chmod 400 /etc/yunohost/mysql +echo "$new_pwd" | tee /etc/yunohost/mysql +chmod 400 /etc/yunohost/mysql # reload the grant tables -sudo mysqladmin -s -u root -p"$new_pwd" reload +mysqladmin -s -u root -p"$new_pwd" reload diff --git a/data/hooks/restore/14-conf_ssowat b/data/hooks/restore/14-conf_ssowat index 01ac787ee..71a011488 100644 --- a/data/hooks/restore/14-conf_ssowat +++ b/data/hooks/restore/14-conf_ssowat @@ -1,3 +1,3 @@ backup_dir="$1/conf/ssowat" -sudo cp -a $backup_dir/. /etc/ssowat +cp -a $backup_dir/. /etc/ssowat diff --git a/data/hooks/restore/17-data_home b/data/hooks/restore/17-data_home index a7ba2733c..6226eab6d 100644 --- a/data/hooks/restore/17-data_home +++ b/data/hooks/restore/17-data_home @@ -1,3 +1,3 @@ backup_dir="$1/data/home" -sudo cp -a $backup_dir/. /home +cp -a $backup_dir/. /home diff --git a/data/hooks/restore/20-conf_ynh_firewall b/data/hooks/restore/20-conf_ynh_firewall index c0ee18818..1789aed1e 100644 --- a/data/hooks/restore/20-conf_ynh_firewall +++ b/data/hooks/restore/20-conf_ynh_firewall @@ -1,4 +1,4 @@ backup_dir="$1/conf/ynh/firewall" -sudo cp -a $backup_dir/. /etc/yunohost -sudo yunohost firewall reload +cp -a $backup_dir/. /etc/yunohost +yunohost firewall reload diff --git a/data/hooks/restore/21-conf_ynh_certs b/data/hooks/restore/21-conf_ynh_certs index 34e651319..983bfb5a1 100644 --- a/data/hooks/restore/21-conf_ynh_certs 
+++ b/data/hooks/restore/21-conf_ynh_certs @@ -1,7 +1,7 @@ backup_dir="$1/conf/ynh/certs" -sudo mkdir -p /etc/yunohost/certs/ +mkdir -p /etc/yunohost/certs/ -sudo cp -a $backup_dir/. /etc/yunohost/certs/ -sudo service nginx reload -sudo service metronome reload +cp -a $backup_dir/. /etc/yunohost/certs/ +service nginx reload +service metronome reload diff --git a/data/hooks/restore/23-data_mail b/data/hooks/restore/23-data_mail index 81b9b923f..f9fd6e699 100644 --- a/data/hooks/restore/23-data_mail +++ b/data/hooks/restore/23-data_mail @@ -1,8 +1,8 @@ backup_dir="$1/data/mail" -sudo cp -a $backup_dir/. /var/mail/ || echo 'No mail found' -sudo chown -R vmail:mail /var/mail/ +cp -a $backup_dir/. /var/mail/ || echo 'No mail found' +chown -R vmail:mail /var/mail/ # Restart services to use migrated certs -sudo service postfix restart -sudo service dovecot restart +service postfix restart +service dovecot restart diff --git a/data/hooks/restore/26-conf_xmpp b/data/hooks/restore/26-conf_xmpp index 61692b316..a300a7268 100644 --- a/data/hooks/restore/26-conf_xmpp +++ b/data/hooks/restore/26-conf_xmpp @@ -1,7 +1,7 @@ backup_dir="$1/conf/xmpp" -sudo cp -a $backup_dir/etc/. /etc/metronome -sudo cp -a $backup_dir/var/. /var/lib/metronome +cp -a $backup_dir/etc/. /etc/metronome +cp -a $backup_dir/var/. /var/lib/metronome # Restart to apply new conf and certs -sudo service metronome restart +service metronome restart diff --git a/data/hooks/restore/29-conf_nginx b/data/hooks/restore/29-conf_nginx index 0795f53df..7288f52f3 100644 --- a/data/hooks/restore/29-conf_nginx +++ b/data/hooks/restore/29-conf_nginx 
@@ -1,7 +1,7 @@ backup_dir="$1/conf/nginx" # Copy all conf except apps specific conf located in DOMAIN.d -sudo find $backup_dir/ -mindepth 1 -maxdepth 1 -name '*.d' -or -exec sudo cp -a {} /etc/nginx/conf.d/ \; +find $backup_dir/ -mindepth 1 -maxdepth 1 -name '*.d' -or -exec cp -a {} /etc/nginx/conf.d/ \; # Restart to use new conf and certs -sudo service nginx restart +service nginx restart diff --git a/data/hooks/restore/32-conf_cron b/data/hooks/restore/32-conf_cron index 68657963e..59a2bde61 100644 --- a/data/hooks/restore/32-conf_cron +++ b/data/hooks/restore/32-conf_cron @@ -1,6 +1,6 @@ backup_dir="$1/conf/cron" -sudo cp -a $backup_dir/. /etc/cron.d +cp -a $backup_dir/. /etc/cron.d # Restart just in case -sudo service cron restart +service cron restart diff --git a/data/hooks/restore/40-conf_ynh_currenthost b/data/hooks/restore/40-conf_ynh_currenthost index a0bdf94d3..700e806b4 100644 --- a/data/hooks/restore/40-conf_ynh_currenthost +++ b/data/hooks/restore/40-conf_ynh_currenthost @@ -1,3 +1,3 @@ backup_dir="$1/conf/ynh" -sudo cp -a "${backup_dir}/current_host" /etc/yunohost/current_host +cp -a "${backup_dir}/current_host" /etc/yunohost/current_host diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index f4bb83c15..a3aa26fc5 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py @@ -233,9 +233,9 @@ def _set_hostname(hostname, pretty_hostname=None): # Then call hostnamectl commands = [ - "sudo hostnamectl --static set-hostname".split() + [hostname], - "sudo hostnamectl --transient set-hostname".split() + [hostname], - "sudo hostnamectl --pretty set-hostname".split() + [pretty_hostname] + "hostnamectl --static set-hostname".split() + [hostname], + "hostnamectl --transient set-hostname".split() + [hostname], + "hostnamectl --pretty set-hostname".split() + [pretty_hostname] ] for command in commands: From f56f4724c36a5261d53c8c78f30d62c12f85fe0e Mon Sep 17 00:00:00 2001 
From: Alexandre Aubin Date: Sun, 22 Mar 2020 01:23:55 +0100 Subject: [PATCH 53/94] Attempt to anonymize data pasted to paste.yunohost.org (in particular domain names) --- src/yunohost/utils/yunopaste.py | 45 +++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/src/yunohost/utils/yunopaste.py b/src/yunohost/utils/yunopaste.py index 89c62d761..530295735 100644 --- a/src/yunohost/utils/yunopaste.py +++ b/src/yunohost/utils/yunopaste.py @@ -2,14 +2,23 @@ import requests import json +import logging +from yunohost.domain import _get_maindomain, domain_list +from yunohost.utils.network import get_public_ip from yunohost.utils.error import YunohostError +logger = logging.getLogger('yunohost.utils.yunopaste') def yunopaste(data): paste_server = "https://paste.yunohost.org" + try: + data = anonymize(data) + except Exception as e: + logger.warning("For some reason, YunoHost was not able to anonymize the pasted data. Sorry about that. Be careful about sharing the link, as it may contain somewhat private infos like domain names or IP addresses. Error: %s" % e) + try: r = requests.post("%s/documents" % paste_server, data=data, timeout=30) except Exception as e: 
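Review bot: When `anonymize(data)` raises, the new `except` branch only logs a warning, and the original, un-anonymized `data` is still sent by the `requests.post` call that follows. The privacy protection therefore fails open, and the user learns of it only after the content has left the machine. If the upload should not happen in that case, replace the warning with `raise YunohostError("Could not anonymize the data, refusing to paste it: %s" % e, raw_msg=True)`. If best-effort upload is intended, state that in a comment at the `except` so the choice is visibly deliberate. The body of `yunopaste` continues outside the hunk.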
@@ -24,3 +33,39 @@ def yunopaste(data): raise YunohostError("Uhoh, couldn't parse the answer from paste.yunohost.org : %s" % r.text, raw_msg=True) return "%s/raw/%s" % (paste_server, url) + + +def anonymize(data): + + # First, let's replace every occurence of the main domain by "domain.tld" + # This should cover a good fraction of the info leaked + main_domain = _get_maindomain() + data = data.replace(main_domain, "maindomain.tld") + + # Next, let's replace other domains. We do this in increasing lengths, + # because e.g. knowing that the domain is a sub-domain of another domain may + # still be informative. + # So e.g. if there's jitsi.foobar.com as a subdomain of foobar.com, it may + # be interesting to know that the log is about a supposedly dedicated domain + # for jisti (hopefully this explanation make sense). + domains = domain_list()["domains"] + domains = sorted(domains, key=lambda d: len(d)) + + count = 2 + for domain in domains: + if domain not in data: + continue + data = data.replace(domain, "domain%s.tld" % count) + count += 1 + + # We also want to anonymize the ips + ipv4 = get_public_ip() + ipv6 = get_public_ip(6) + + if ipv4: + data = data.replace(str(ipv4), "xx.xx.xx.xx") + + if ipv6: + data = data.replace(str(ipv6), "xx:xx:xx:xx:xx:xx") + + return data From 210d5f3fc4b5ce5630ad81b795828377fbf4575e Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 22 Mar 2020 01:28:37 +0100 Subject: [PATCH 54/94] [enh] Tell apt to explain what's wrong when there are unmet dependencies (#889) * Ask apt to explain what's wrong when dependencies fail to install * Add comment explaining the syntax Co-Authored-By: Maniack Crudelis Co-authored-by: Maniack Crudelis --- data/helpers.d/apt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index 55c85c90b..b2c781faf 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt 
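Review bot: `anonymize` relies on exact-case `str.replace`, so a domain written with different capitalisation stays in the paste, as does any address other than the two values returned by `get_public_ip()`. The function has no docstring telling callers how limited the masking is. I would add one such as `"""Best-effort masking of this server's domain names and public IPs in data; other identifying strings are left untouched."""`. I would also guard the first replacement with `if main_domain:`, because `data.replace("", ...)` would insert the placeholder between every character should `_get_maindomain()` ever return an empty string (not verifiable from this hunk). The first comment says "domain.tld" while the code writes `maindomain.tld`.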
@@ -186,7 +186,10 @@ ynh_package_install_from_equivs () { (cd "$TMPDIR" equivs-build ./control 1> /dev/null dpkg --force-depends -i "./${pkgname}_${pkgversion}_all.deb" 2>&1) - ynh_package_install -f || ynh_die --message="Unable to install dependencies" + # If install fails we use "apt-get check" to try to debug and diagnose possible unmet dependencies + # Note the use of { } which allows to group commands without starting a subshell (otherwise the ynh_die wouldn't exit the current shell). + # Be careful with the syntax : the semicolon + space at the end is important! + ynh_package_install -f || { apt-get check 2>&1; ynh_die --message="Unable to install dependencies"; } [[ -n "$TMPDIR" ]] && rm -rf $TMPDIR # Remove the temp dir. # check if the package is actually installed From d17fcaf94f9bb2f9f601033ccd700ce4917f98e3 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 23 Mar 2020 19:35:41 +0100 Subject: [PATCH 55/94] When dumping debug info after app script failure, be slightly smarter and stop at ynh_die to have more meaningul lines being shown --- src/yunohost/app.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/app.py b/src/yunohost/app.py index 3feca796e..21e31d34d 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py @@ -1139,7 +1139,7 @@ def dump_app_log_extract_for_debugging(operation_logger): line = line.strip().split(": ", 1)[1] lines_to_display.append(line) - if line.endswith("+ ynh_exit_properly"): + if line.endswith("+ ynh_exit_properly") or " + ynh_die " in line: break elif len(lines_to_display) > 20: lines_to_display.pop(0) From af8981e4e033d7426700333020fbbfe27455222c Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 30 Mar 2020 20:54:57 +0200 Subject: [PATCH 56/94] Lazy loading might improve performances a bit --- src/yunohost/domain.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/yunohost/domain.py b/src/yunohost/domain.py index 3f906748b..18c4bd8e2 100644 
--- a/src/yunohost/domain.py +++ b/src/yunohost/domain.py @@ -32,8 +32,7 @@ from moulinette.core import MoulinetteError from yunohost.utils.error import YunohostError from moulinette.utils.log import getActionLogger -import yunohost.certificate - +from yunohost.app import app_ssowatconf from yunohost.regenconf import regen_conf from yunohost.utils.network import get_public_ip from yunohost.log import is_unit_operation @@ -105,6 +104,7 @@ def domain_add(operation_logger, domain, dyndns=False): dyndns_subscribe(domain=domain) try: + import yunohost.certificate yunohost.certificate._certificate_install_selfsigned([domain], False) attr_dict = { @@ -234,14 +234,17 @@ def domain_dns_conf(domain, ttl=None): def domain_cert_status(domain_list, full=False): + import yunohost.certificate return yunohost.certificate.certificate_status(domain_list, full) def domain_cert_install(domain_list, force=False, no_checks=False, self_signed=False, staging=False): + import yunohost.certificate return yunohost.certificate.certificate_install(domain_list, force, no_checks, self_signed, staging) def domain_cert_renew(domain_list, force=False, no_checks=False, email=False, staging=False): + import yunohost.certificate return yunohost.certificate.certificate_renew(domain_list, force, no_checks, email, staging) From 7d3238140c0913641cd2b5405c7b759659b50567 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 3 Apr 2020 00:12:58 +0200 Subject: [PATCH 57/94] Force locale to C/en to avoid perl whining and flooding logs about the damn missing locale --- data/helpers.d/apt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index b2c781faf..7859d44c5 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt 
@@ -94,7 +94,7 @@ ynh_package_version() { # Requires YunoHost version 2.4.0.3 or higher. ynh_apt() { ynh_wait_dpkg_free - DEBIAN_FRONTEND=noninteractive apt-get -y $@ + LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get -y $@ } # Update package index files @@ -184,7 +184,7 @@ ynh_package_install_from_equivs () { ynh_wait_dpkg_free cp "$controlfile" "${TMPDIR}/control" (cd "$TMPDIR" - equivs-build ./control 1> /dev/null + LC_ALL=C equivs-build ./control 1> /dev/null dpkg --force-depends -i "./${pkgname}_${pkgversion}_all.deb" 2>&1) # If install fails we use "apt-get check" to try to debug and diagnose possible unmet dependencies # Note the use of { } which allows to group commands without starting a subshell (otherwise the ynh_die wouldn't exit the current shell). From 1eef9b6760f70d86ea58edad17f0ef76abd36085 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 3 Apr 2020 01:32:05 +0200 Subject: [PATCH 58/94] Do not redact stuff corresponding to --manifest_key --- src/yunohost/log.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/yunohost/log.py b/src/yunohost/log.py index 72e497b5d..cd08bdfe0 100644 --- a/src/yunohost/log.py +++ b/src/yunohost/log.py 
@@ -315,9 +315,9 @@ class RedactingFormatter(Formatter): try: # This matches stuff like db_pwd=the_secret or admin_password=other_secret # (the secret part being at least 3 chars to avoid catching some lines like just "db_pwd=") - # For 'key', we require to at least have one word char [a-zA-Z0-9_] before it to avoid catching "--key" used in many helpers - match = re.search(r'(pwd|pass|password|secret|\wkey|token)=(\S{3,})$', record.strip()) - if match and match.group(2) not in self.data_to_redact: + # Some names like "key" or "manifest_key" are ignored, used in helpers like ynh_app_setting_set or ynh_read_manifest + match = re.search(r'(pwd|pass|password|secret|\w+key|token)=(\S{3,})$', record.strip()) + if match and match.group(2) not in self.data_to_redact and match.group(1) not in ["key", "manifest_key"]: self.data_to_redact.append(match.group(2)) except Exception as e: logger.warning("Failed to parse line to try to identify data to redact ... : %s" % e) From a886053de76927d6186bad1c5a05bd33ff31bd4f Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Thu, 9 Apr 2020 12:29:44 +0200 Subject: [PATCH 59/94] [fix] uid will be tested as a string --- src/yunohost/user.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/yunohost/user.py b/src/yunohost/user.py index 4a047b58f..bc19bc5ea 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py @@ -165,8 +165,8 @@ def user_create(operation_logger, username, firstname, lastname, mail, password, operation_logger.start() # Get random UID/GID - all_uid = {x.pw_uid for x in pwd.getpwall()} - all_gid = {x.gr_gid for x in grp.getgrall()} + all_uid = {str(x.pw_uid) for x in pwd.getpwall()} + all_gid = {str(x.gr_gid) for x in grp.getgrall()} uid_guid_found = False while not uid_guid_found: From 5aa25563062c972d542fd2800b3c8aa863111400 Mon Sep 17 00:00:00 2001 
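Review bot: In the `RedactingFormatter` hunk, the `"key"` entry in the new exclusion list `["key", "manifest_key"]` has no effect. Group 1 comes from `\w+key`, which needs at least one word character before `key`, so it can never equal `"key"`; only `"manifest_key"` is ever excluded. Either reduce the list to `["manifest_key"]` or say in the comment that bare `key=` is already skipped by the pattern itself, so a later reader does not loosen the regex expecting the list to catch it. Any other name ending in `key` is still treated as a secret, which is the safe default and worth stating in that comment. The method starts outside the hunk.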
From: Kay0u Date: Sun, 5 Apr 2020 19:44:39 +0200 Subject: [PATCH 60/94] [fix] config_appy return link --- src/yunohost/app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/yunohost/app.py b/src/yunohost/app.py index 21e31d34d..4e4878f9e 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py @@ -1947,6 +1947,7 @@ def app_config_apply(operation_logger, app, args): logger.success("Config updated as expected") return { + "app": app, "logs": operation_logger.success(), } From 5b0269622a90936b3b194ca2f3d0541df49fa85c Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 30 Mar 2020 20:09:26 +0200 Subject: [PATCH 61/94] Attempt to simplify permission migration --- data/helpers.d/setting | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 384fdc399..557afb332 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting @@ -197,7 +197,7 @@ EOF if [[ "$1" == "set" ]] && [[ "${4:-}" == "/" ]] then ynh_permission_update --permission "main" --add "visitors" - elif [[ "$1" == "delete" ]] && [[ "${current_value:-}" == "/" ]] + elif [[ "$1" == "delete" ]] && [[ "${current_value:-}" == "/" ]] && [[ -n "$(ynh_app_setting_get --app=$2 --key='is_public' )" ]] then ynh_permission_update --permission "main" --remove "visitors" fi From 729aeb2425985182950d3a967361c351b290fc8b Mon Sep 17 00:00:00 2001 From: Kay0u Date: Mon, 30 Mar 2020 19:36:41 +0200 Subject: [PATCH 62/94] add ynh_permission_has_user --- data/actionsmap/yunohost.yml | 9 +++++++++ data/helpers.d/setting | 19 +++++++++++++++++++ src/yunohost/permission.py | 22 ++++++++++++++++++++++ src/yunohost/user.py | 6 ++++++ 4 files changed, 56 insertions(+) diff --git a/data/actionsmap/yunohost.yml b/data/actionsmap/yunohost.yml index 245b3615d..af697efc0 100644 --- a/data/actionsmap/yunohost.yml +++ b/data/actionsmap/yunohost.yml 
@@ -296,6 +296,15 @@ user: help: Display all info known about each permission, including the full user list of each group it is granted to. action: store_true + ### user_permission_info() + info: + action_help: Get information about a specific permission + api: GET /users/permissions/ + arguments: + permission: + help: Name of the permission to fetch info about + extra: + pattern: *pattern_username ### user_permission_update() update: diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 557afb332..917d4def7 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting @@ -367,3 +367,22 @@ ynh_permission_update() { yunohost user permission update "$app.$permission" ${add:-} ${remove:-} } + +# Check if a permission exists +# +# usage: ynh_permission_has_user --permission=permission --user=user +# | arg: -p, --permission - the permission to check +# | arg: -u, --user - the user seek in the permission +# +# Requires YunoHost version 3.7.1 or higher. +ynh_permission_has_user() { + declare -Ar args_array=( [p]=permission= [u]=user) + local permission + ynh_handle_getopts_args "$@" + + if ! ynh_permission_exists --permission $permission + return 1 + fi + + yunohost user permission info $permission | grep -w -q "$user" +} \ No newline at end of file diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py index 71472eeaf..79b346a1f 100644 --- a/src/yunohost/permission.py +++ b/src/yunohost/permission.py 
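Review bot: ynh_permission_has_user decides membership with `grep -w -q "$user"` over the whole output of `yunohost user permission info`, so any word in that output counts as a hit, including the permission name or a URL, and `$user` is interpreted as a regular expression. For a helper that apps will use to answer an access question this can return success for a user who is not allowed. At minimum the match should be literal, `grep --fixed-strings --word-regexp --quiet -- "$user"`, and preferably restricted to the field of the output that lists the allowed users (the output format is not visible here). The same pipeline is kept in the two later hunks of this series that rewrite this helper.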
@@ -196,6 +196,28 @@ def user_permission_reset(operation_logger, permission, sync_perm=True): return new_permission + +def user_permission_info(permission, sync_perm=True): + """ + Return informations about a specific permission + + Keyword argument: + permission -- Name of the permission (e.g. mail or nextcloud or wordpress.editors) + """ + + # By default, manipulate main permission + if "." not in permission: + permission = permission + ".main" + + # Fetch existing permission + + existing_permission = user_permission_list(full=True)["permissions"].get(permission, None) + if existing_permission is None: + raise YunohostError('permission_not_found', permission=permission) + + return existing_permission + + # # # The followings methods are *not* directly exposed. diff --git a/src/yunohost/user.py b/src/yunohost/user.py index bc19bc5ea..69baf4435 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py @@ -792,6 +792,12 @@ def user_permission_reset(permission, sync_perm=True): sync_perm=sync_perm) +def user_permission_info(permission, sync_perm=True): + import yunohost.permission + return yunohost.permission.user_permission_info(permission, + sync_perm=sync_perm) + + # # SSH subcategory # From 9e1cc92ce823c3679fecee05faa5eab506222aa7 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 30 Mar 2020 19:58:06 +0200 Subject: [PATCH 63/94] Let's have a working helper --- data/helpers.d/setting | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 917d4def7..1ab2b6efe 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting 
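Review bot: `user_permission_info` in permission.py accepts `sync_perm=True` but never reads it, and the wrapper added to user.py in the next hunk forwards it anyway. The function only reads from `user_permission_list(full=True)`, and the actionsmap entry declares no such argument, so the parameter suggests a side effect that does not exist. I would drop it in both places: `def user_permission_info(permission):` and `return yunohost.permission.user_permission_info(permission)`. The docstring could also read "Return information about a specific permission".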
@@ -374,15 +374,22 @@ ynh_permission_update() { # | arg: -p, --permission - the permission to check # | arg: -u, --user - the user seek in the permission # +# example: ynh_permission_has_user --permission=nextcloud.main --user=visitors +# # Requires YunoHost version 3.7.1 or higher. ynh_permission_has_user() { - declare -Ar args_array=( [p]=permission= [u]=user) + local legacy_args=pu + # Declare an array to define the options of this helper. + declare -Ar args_array=( [p]=permission= [u]=user= ) local permission + local user + # Manage arguments with getopts ynh_handle_getopts_args "$@" - if ! ynh_permission_exists --permission $permission + if ! ynh_permission_exists --permission=$permission + then return 1 fi yunohost user permission info $permission | grep -w -q "$user" -} \ No newline at end of file +} From 3e6cbe4e845d4355c937bd17510fd858f89a5b3a Mon Sep 17 00:00:00 2001 From: Kay0u Date: Mon, 30 Mar 2020 21:32:29 +0200 Subject: [PATCH 64/94] Add legacy_args, fix the helper --- data/actionsmap/yunohost.yml | 2 -- data/helpers.d/setting | 12 +++++++++++- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/data/actionsmap/yunohost.yml b/data/actionsmap/yunohost.yml index af697efc0..efded2450 100644 --- a/data/actionsmap/yunohost.yml +++ b/data/actionsmap/yunohost.yml @@ -303,8 +303,6 @@ user: arguments: permission: help: Name of the permission to fetch info about - extra: - pattern: *pattern_username ### user_permission_update() update: diff --git a/data/helpers.d/setting b/data/helpers.d/setting index 1ab2b6efe..c859fc398 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting @@ -270,6 +270,8 @@ ynh_webpath_register () { # # Requires YunoHost version 3.7.0 or higher. ynh_permission_create() { + # Declare an array to define the options of this helper. + local legacy_args=pua declare -Ar args_array=( [p]=permission= [u]=url= [a]=allowed= ) local permission local url 
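Review bot: The comment added in ynh_permission_create, `# Declare an array to define the options of this helper.`, sits above `local legacy_args=pua` rather than above the `declare -Ar args_array=` line it describes. The same placement is used in the ynh_permission_delete, ynh_permission_exists, ynh_permission_url and ynh_permission_update hunks of this patch. ynh_permission_has_user, rewritten in the previous patch, puts `local legacy_args=pu` first and the comment directly above `declare`; using that order everywhere keeps the helpers consistent.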
@@ -298,6 +300,8 @@ ynh_permission_create() { # # Requires YunoHost version 3.7.0 or higher. ynh_permission_delete() { + # Declare an array to define the options of this helper. + local legacy_args=p declare -Ar args_array=( [p]=permission= ) local permission ynh_handle_getopts_args "$@" @@ -312,6 +316,8 @@ ynh_permission_delete() { # # Requires YunoHost version 3.7.0 or higher. ynh_permission_exists() { + # Declare an array to define the options of this helper. + local legacy_args=p declare -Ar args_array=( [p]=permission= ) local permission ynh_handle_getopts_args "$@" @@ -327,6 +333,8 @@ ynh_permission_exists() { # # Requires YunoHost version 3.7.0 or higher. ynh_permission_url() { + # Declare an array to define the options of this helper. + local legacy_args=pu declare -Ar args_array=([p]=permission= [u]=url=) local permission local url @@ -352,6 +360,8 @@ ynh_permission_url() { # example: ynh_permission_update --permission admin --add samdoe --remove all_users # Requires YunoHost version 3.7.0 or higher. ynh_permission_update() { + # Declare an array to define the options of this helper. + local legacy_args=par declare -Ar args_array=( [p]=permission= [a]=add= [r]=remove= ) local permission local add @@ -391,5 +401,5 @@ ynh_permission_has_user() { return 1 fi - yunohost user permission info $permission | grep -w -q "$user" + yunohost user permission info "$app.$permission" | grep -w -q "$user" } From a221b7b9f0bc9b00d97bb6aba69d5e7c5166125e Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Thu, 9 Apr 2020 14:53:34 +0200 Subject: [PATCH 65/94] Update changelog for 3.7.1 --- debian/changelog | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/debian/changelog b/debian/changelog index 9bcaea043..018807b16 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,20 @@ +yunohost (3.7.1) stable; urgency=low + + - [enh] Add ynh_permission_has_user helper (#905) + - [mod] Change behavior of ynh_setting_delete to try to make migrating away from legacy permissions easier (#906) + - [fix] app_config_apply should also return 'app' info (#918) + - [fix] uid/gid conflicts in user_create because of inconsistent comparison (#924) + - [fix] Ensure metronome owns its directories (1f623830, 031f8a6e) + - [mod] Remove useless sudos in helpers (be88a283) + - [enh] Improve message wording for services (3c844292) + - [enh] Attempt to anonymize data pasted to paste.yunohost.org (f56f4724) + - [enh] Lazy load yunohost.certificate to possibly improve perfs (af8981e4) + - [fix] Improve logging / debugging (1eef9b67, 7d323814, d17fcaf9, 210d5f3f) + + Thanks to all contributors <3 ! (Bram, Kay0u, Maniack, Matthew D.) + + -- Alexandre Aubin Thu, 9 April 2020 14:52:00 +0000 + yunohost (3.7.0.12) stable; urgency=low - Fix previous buggy hotfix about deleting existing primary groups ... From 68d6ed911e97d2274638facc0082773bb9a476d7 Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Thu, 9 Apr 2020 17:37:04 +0200 Subject: [PATCH 66/94] [fix] also invalidate group cache --- src/yunohost/user.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/yunohost/user.py b/src/yunohost/user.py index fd67314d8..af5ff77fb 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py @@ -201,8 +201,9 @@ def user_create(operation_logger, username, firstname, lastname, mail, password, except Exception as e: raise YunohostError('user_creation_failed', user=username, error=e) - # Invalidate passwd to take user creation into account + # Invalidate passwd and group to take user and group creation into account subprocess.call(['nscd', '-i', 'passwd']) + subprocess.call(['nscd', '-i', 'group']) try: # Attempt to create user home folder From 3d44560e26f15d23dfdf474908001f1a651ee2cb Mon Sep 17 00:00:00 2001 
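Review bot: The added `subprocess.call(['nscd', '-i', 'group'])` in user_create discards the exit status, like the `passwd` call above it, so a failed cache invalidation goes unnoticed and the home-folder step that follows may still see stale passwd or group data. Since user creation should probably not abort at this point, a warning is enough, for example `if subprocess.call(['nscd', '-i', 'group']) != 0: logger.warning("could not invalidate nscd group cache")`, assuming the module has a `logger` as the other files in this series do. The rest of user_create is outside the hunk.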
From: kay0u Date: Thu, 9 Apr 2020 19:51:18 +0000 Subject: [PATCH 67/94] remove the placeholder --- debian/changelog | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/debian/changelog b/debian/changelog index d64900b25..364757b92 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,3 @@ -yunohost (3.8.0~alpha) testing; urgency=low - - Placeholder for upcoming 3.8 to avoid funky stuff with version numbers in - builds etc. - - -- Alexandre Aubin Mon, 16 Mar 2020 01:00:00 +0000 - yunohost (3.7.1) stable; urgency=low - [enh] Add ynh_permission_has_user helper (#905) @@ -20,7 +13,7 @@ yunohost (3.7.1) stable; urgency=low Thanks to all contributors <3 ! (Bram, Kay0u, Maniack, Matthew D.) - -- Alexandre Aubin Thu, 9 April 2020 14:52:00 +0000 + -- Alexandre Aubin Thu, 9 Apr 2020 14:52:00 +0000 yunohost (3.7.0.12) stable; urgency=low From d8dbf81f77bb9615559cd4875b5ce759f8b0d969 Mon Sep 17 00:00:00 2001 From: kay0u Date: Thu, 9 Apr 2020 20:10:49 +0000 Subject: [PATCH 68/94] Update changelog for 3.8.0 release --- debian/changelog | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/debian/changelog b/debian/changelog index 364757b92..29f086b09 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,50 @@ +yunohost (3.8.0) testing; urgency=low + + # Major stuff + + - [enh] New diagnosis system (#534, #872, #919, a416044, a354425, 4ab3653, decb372, e686dc6, b5d18d6, 69bc124, 937d339, cc2288c, aaa9805, 526a3a2) + - [enh] App categories (#778, #853) + - [enh] Support XMPP http upload (#831) + - [enh] Many small improvements in the way we manage services (#838, fa5c0e9, dd92a34, c97a839) + - [enh] Add subcategories management in bash completion (#839) + - [mod] Add conflict with apache2 and bind9, other minor changes in Depends (#909, 3bd6a7a, 0a482fd) + - [enh] Setting to enable POP3 in email stack (#791) + - [enh] Better UX for CLI/API to change maindomain (#796) + + # Misc technical + + - Update ciphers for nginx, postfix and dovecot according to new Mozilla recommendation (#913, #914) + - Get rid of domain-specific acme-challenge snippet, use a single snippet included in every conf (#917) + - [enh] Persist cookies between multiple ynh_local_curl calls for the same app (#884, #903) + - [fix] ynh_find_port didn't detect port already used on UDP (#827, #907) + - [fix] prevent firefox to mix CA and server certificate (#857) + - [enh] add operation logger for config panel (#869) + - [fix] psql helpers: Revoke sessions before dropping tables (#895) + - [fix] moulinette logs were never displayed #lol (#758) + + # Tests, cleaning, refactoring + + - Add core CI, improve/fix tests (#856, #863, 6eb8efb, c4590ab, 711cc35, 6c24755) + - Refactoring (#805, 101d3be, #784) + - Drop some very-old deprecated app helpers (though still somewhat supporting them through hacky patching) (#780) + - Drop glances and the old monitoring system (#821) + - Drop app_debug (#824) + - Drop app's status.json (#834) + - Drop ynh_add_skipped/(un)protected_uris helpers (#910) + - Use a common security.conf.inc instead of having cipher setting in each nginx's domain file (1285776, 4d99cbe, be8427d, 22b9565) + - Don't add weird tmp redirected_urls after postinstall (#902) + - Don't do 
weird stuff with yunohost-firewall during debian's postinst (978d9d5) + + # i18n, messaging + + - Unit tests / lint / cleaning for translation files (#901) + - Improve message wording, spelling (8b0c9e5, 9fe43b1, f69ab4c, 0decb64, 986f38f, 8d40c73, 8fe343a, 1d84f17) + - Improve translations for French, Catalan, Bengali (Bangladesh), Italian, Dutch, Norwegian Bokmål, Chinese, Occitan, Spanish, Esperanto, German, Nepali, Portuguese, Arabic, Russian, Hungarian, Hindi, Polish, Greek + + Thanks to all contributors <3 ! (Aeris One, Aleks, Allan N., Alvaro, Armando F., Arthur L., Augustin T., Bram, ButterflyOfFire, Damien P., Gustavo M., Jeroen F., Jimmy M., Josué, Kay0u, Maniack Crudelis, Mario, Matthew D., Mélanie C., Patrick B., Quentí, Yasss Gurl, amirale qt, Elie G., ljf, pitchum, Romain R., tituspijean, xaloc33, yalh76) + + -- Kay0u Thu, 09 Apr 2020 19:59:18 +0000 + yunohost (3.7.1) stable; urgency=low - [enh] Add ynh_permission_has_user helper (#905) From b06e8c0f7a77fab4ad09720053a726caf36b50d7 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Thu, 9 Apr 2020 23:47:16 +0200 Subject: [PATCH 69/94] Minor fix to avoid the key to be used if not asked --- data/helpers.d/apt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index def430055..286985026 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt @@ -337,7 +337,7 @@ ynh_install_extra_app_dependencies () { # Manage arguments with getopts ynh_handle_getopts_args "$@" name="${name:-$app}" - key=${key:-0} + key=${key:-} # Set a key only if asked if [ -n "$key" ] @@ -377,7 +377,7 @@ ynh_install_extra_repo () { ynh_handle_getopts_args "$@" name="${name:-$app}" append=${append:-0} - key=${key:-0} + key=${key:-} priority=${priority:-} if [ $append -eq 1 ] From 0b17aece2ea72e87708e64e806d2c356c44bce52 Mon Sep 17 00:00:00 2001 
From: Maniack Crudelis Date: Fri, 10 Apr 2020 00:05:56 +0200 Subject: [PATCH 70/94] Various insignificant corrections --- data/helpers.d/hardware | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/data/helpers.d/hardware b/data/helpers.d/hardware index be669568e..f98006aae 100644 --- a/data/helpers.d/hardware +++ b/data/helpers.d/hardware @@ -10,16 +10,16 @@ ynh_get_ram () { # Declare an array to define the options of this helper. declare -Ar args_array=( [f]=free [t]=total [s]=ignore_swap [o]=only_swap ) - local free - local total + local free + local total local ignore_swap local only_swap # Manage arguments with getopts ynh_handle_getopts_args "$@" ignore_swap=${ignore_swap:-0} only_swap=${only_swap:-0} - free=${free:-0} - total=${total:-0} + free=${free:-0} + total=${total:-0} local total_ram=$(vmstat --stats --unit M | grep "total memory" | awk '{print $1}') local total_swap=$(vmstat --stats --unit M | grep "total swap" | awk '{print $1}') @@ -43,9 +43,9 @@ ynh_get_ram () { # Use only the amount of free swap ram=$free_swap fi - elif [ $total -eq 1 ] - then - local ram=$total_ram_swap + elif [ $total -eq 1 ] + then + local ram=$total_ram_swap if [ $ignore_swap -eq 1 ] then # Use only the amount of free ram @@ -55,9 +55,9 @@ ynh_get_ram () { # Use only the amount of free swap ram=$total_swap fi - else - echo "Uhoh, you should choose --free or --total when using ynh_get_ram" >&2 - ram=0 + else + ynh_print_warn --message="You have to choose --free or --total when using ynh_get_ram" + ram=0 fi echo $ram 
@@ -65,25 +65,25 @@ ynh_get_ram () { # Return 0 or 1 depending if the system has a given amount of RAM+swap free or total # -# usage: ynh_require_ram [--amount=RAM required in Mb] [--free|--total] [--ignore_swap|--only_swap] -# | arg: -a, --amount - The amount to require, in Mb +# usage: ynh_require_ram --required=RAM required in Mb [--free|--total] [--ignore_swap|--only_swap] +# | arg: -r, --required - The amount to require, in Mb # | arg: -f, --free - Count free RAM+swap # | arg: -t, --total - Count total RAM+swap # | arg: -s, --ignore_swap - Ignore swap, consider only real RAM # | arg: -o, --only_swap - Ignore real RAM, consider only swap ynh_require_ram () { # Declare an array to define the options of this helper. - declare -Ar args_array=( [a]=amount= [f]=free [t]=total [s]=ignore_swap [o]=only_swap ) - local amount + declare -Ar args_array=( [r]=required= [f]=free [t]=total [s]=ignore_swap [o]=only_swap ) + local required local free local total - local ignore_swap - local only_swap - # Manage arguments with getopts - ynh_handle_getopts_args "$@" - amount=${amount:-0} + local ignore_swap + local only_swap + # Manage arguments with getopts + ynh_handle_getopts_args "$@" # Dunno if that's the right way to do, but that's some black magic to be able to # forward the bool args to ynh_get_ram easily? + # If the variable $free is not empty, set it to '--free' free=${free:+--free} total=${total:+--total} ignore_swap=${ignore_swap:+--ignore_swap} @@ -91,7 +91,7 @@ ynh_require_ram () { local ram=$(ynh_get_ram $free $total $ignore_swap $only_swap) - if [ $ram -lt $amount ] + if [ $ram -lt $required ] then return 1 else From bdeac5a92575ffb22cdd8c5073929bcce5c5a4df Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Fri, 10 Apr 2020 00:17:50 +0200 Subject: [PATCH 71/94] Move the comments about php where we can read it --- data/helpers.d/php | 46 ++++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 22 deletions(-) 
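Review bot: With the rename to `--required`, ynh_require_ram loses the old `amount=${amount:-0}` default and nothing replaces it, so a call without `--required` reaches `[ $ram -lt $required ]` with an empty right-hand side. That test then fails with an error rather than a comparison result, and control goes to the `else` branch, whose body is outside the hunk and presumably reports that there is enough RAM. Since the usage line now marks the option as mandatory, I would fail explicitly after ynh_handle_getopts_args, `[ -n "${required:-}" ] || ynh_die "ynh_require_ram needs --required"`, and quote the operands: `[ "$ram" -lt "$required" ]`.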
diff --git a/data/helpers.d/php b/data/helpers.d/php index 24314b52f..92fab46f6 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
@@ -23,6 +23,28 @@ # medium - Low usage, few people or/and publicly accessible. # high - High usage, frequently visited website. # +# +# The footprint of the service will be used to defined the maximum footprint we can allow, which is half the maximum RAM. +# So it will be used to defined 'pm.max_children' +# A lower value for the footprint will allow more children for 'pm.max_children'. And so for +# 'pm.start_servers', 'pm.min_spare_servers' and 'pm.max_spare_servers' which are defined from the +# value of 'pm.max_children' +# NOTE: 'pm.max_children' can't exceed 4 times the number of processor's cores. +# +# The usage value will defined the way php will handle the children for the pool. +# A value set as 'low' will set the process manager to 'ondemand'. Children will start only if the +# service is used, otherwise no child will stay alive. This config gives the lower footprint when the +# service is idle. But will use more proc since it has to start a child as soon it's used. +# Set as 'medium', the process manager will be at dynamic. If the service is idle, a number of children +# equal to pm.min_spare_servers will stay alive. So the service can be quick to answer to any request. +# The number of children can grow if needed. The footprint can stay low if the service is idle, but +# not null. The impact on the proc is a little bit less than 'ondemand' as there's always a few +# children already available. +# Set as 'high', the process manager will be set at 'static'. There will be always as many children as +# 'pm.max_children', the footprint is important (but will be set as maximum a quarter of the maximum +# RAM) but the impact on the proc is lower. The service will be quick to answer as there's always many +# children ready to answer. +# # Requires YunoHost version 2.7.2 or higher. ynh_add_fpm_config () { # Declare an array to define the options of this helper. 
@@ -232,6 +254,8 @@ ynh_remove_php () { # Define the values to configure php-fpm # +# [internal] +# # usage: ynh_get_scalable_phpfpm --usage=usage --footprint=footprint [--print] # | arg: -f, --footprint - Memory footprint of the service (low/medium/high). # low - Less than 20Mb of ram by pool. 
@@ -247,28 +271,6 @@ ynh_remove_php () { # high - High usage, frequently visited website. # # | arg: -p, --print - Print the result (intended for debug purpose only when packaging the app) -# -# -# The footprint of the service will be used to defined the maximum footprint we can allow, which is half the maximum RAM. -# So it will be used to defined 'pm.max_children' -# A lower value for the footprint will allow more children for 'pm.max_children'. And so for -# 'pm.start_servers', 'pm.min_spare_servers' and 'pm.max_spare_servers' which are defined from the -# value of 'pm.max_children' -# NOTE: 'pm.max_children' can't exceed 4 times the number of processor's cores. -# -# The usage value will defined the way php will handle the children for the pool. -# A value set as 'low' will set the process manager to 'ondemand'. Children will start only if the -# service is used, otherwise no child will stay alive. This config gives the lower footprint when the -# service is idle. But will use more proc since it has to start a child as soon it's used. -# Set as 'medium', the process manager will be at dynamic. If the service is idle, a number of children -# equal to pm.min_spare_servers will stay alive. So the service can be quick to answer to any request. -# The number of children can grow if needed. The footprint can stay low if the service is idle, but -# not null. The impact on the proc is a little bit less than 'ondemand' as there's always a few -# children already available. -# Set as 'high', the process manager will be set at 'static'. There will be always as many children as -# 'pm.max_children', the footprint is important (but will be set as maximum a quarter of the maximum -# RAM) but the impact on the proc is lower. The service will be quick to answer as there's always many -# children ready to answer. ynh_get_scalable_phpfpm () { local legacy_args=ufp # Declare an array to define the options of this helper. 
From 017b0e929c7f6a07f7828013316da7fcc3fe80f5 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Fri, 10 Apr 2020 00:31:06 +0200 Subject: [PATCH 72/94] Use YNH_DEFAULT_PHP_VERSION instead of 7.0 --- data/helpers.d/php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 07bf5ab7c..29b9995d4 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -195,9 +195,9 @@ ynh_install_php () { # Store phpversion into the config of this app ynh_app_setting_set $app phpversion $phpversion - if [ "$phpversion" == "7.0" ] + if [ "$phpversion" == "$YNH_DEFAULT_PHP_VERSION" ] then - ynh_die "Do not use ynh_install_php to install php7.0" + ynh_die "Do not use ynh_install_php to install php$YNH_DEFAULT_PHP_VERSION" fi # Store the ID of this app and the version of php requested for it @@ -211,12 +211,12 @@ ynh_install_php () { ynh_add_app_dependencies --package="php${phpversion}-fpm" ynh_add_app_dependencies --package="php$phpversion php${phpversion}-common $package" - # Set php7.0 back as the default version for php-cli. - update-alternatives --set php /usr/bin/php7.0 + # Set the default php version back as the default version for php-cli. + update-alternatives --set php /usr/bin/php$YNH_DEFAULT_PHP_VERSION # Pin this extra repository after packages are installed to prevent sury of doing shit ynh_pin_repo --package="*" --pin="origin \"packages.sury.org\"" --priority=200 --name=extra_php_version - ynh_pin_repo --package="php7.0*" --pin="origin \"packages.sury.org\"" --priority=600 --name=extra_php_version --append + ynh_pin_repo --package="php${$YNH_DEFAULT_PHP_VERSION}*" --pin="origin \"packages.sury.org\"" --priority=600 --name=extra_php_version --append # Advertise service in admin panel yunohost service add php${phpversion}-fpm --log "/var/log/php${phpversion}-fpm.log" 
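Review bot: The new pin line in ynh_install_php uses `--package="php${$YNH_DEFAULT_PHP_VERSION}*"`, and `${$NAME}` is not a valid expansion; bash stops on it with a "bad substitution" error. The priority-600 pin for the default php packages is therefore never written, which is the pin that keeps the distribution's php ahead of packages.sury.org. The line should read `--package="php${YNH_DEFAULT_PHP_VERSION}*"`. The same expression is added to ynh_install_app_dependencies in data/helpers.d/apt by the later "Fixes and enhancements" patch in this series. The function continues outside the hunk.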
@@ -229,11 +229,11 @@ ynh_remove_php () { # Get the version of php used by this app local phpversion=$(ynh_app_setting_get $app phpversion) - if [ "$phpversion" == "7.0" ] || [ -z "$phpversion" ] + if [ "$phpversion" == "$YNH_DEFAULT_PHP_VERSION" ] || [ -z "$phpversion" ] then - if [ "$phpversion" == "7.0" ] + if [ "$phpversion" == "$YNH_DEFAULT_PHP_VERSION" ] then - ynh_print_err "Do not use ynh_remove_php to install php7.0" + ynh_print_err "Do not use ynh_remove_php to install php$YNH_DEFAULT_PHP_VERSION" fi return 0 fi From 475754de1ed2f6c11a249f36c81a6b8233591286 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Fri, 10 Apr 2020 00:35:28 +0200 Subject: [PATCH 73/94] Add legacy_args --- data/helpers.d/hardware | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/helpers.d/hardware b/data/helpers.d/hardware index f98006aae..46e27caf4 100644 --- a/data/helpers.d/hardware +++ b/data/helpers.d/hardware @@ -9,6 +9,7 @@ # | arg: -o, --only_swap - Ignore real RAM, consider only swap ynh_get_ram () { # Declare an array to define the options of this helper. + local legacy_args=ftso declare -Ar args_array=( [f]=free [t]=total [s]=ignore_swap [o]=only_swap ) local free local total @@ -73,6 +74,7 @@ ynh_get_ram () { # | arg: -o, --only_swap - Ignore real RAM, consider only swap ynh_require_ram () { # Declare an array to define the options of this helper. + local legacy_args=rftso declare -Ar args_array=( [r]=required= [f]=free [t]=total [s]=ignore_swap [o]=only_swap ) local required local free From 1e6da91c783ce565087d1be96815b2b85864c0e6 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sat, 11 Apr 2020 00:29:49 +0200 Subject: [PATCH 74/94] Add automail conf for https, + increase priority for automail conf and diagnosis --- data/templates/nginx/server.tpl.conf | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 093e96b0e..f2e9de2de 100644 
--- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -18,11 +18,11 @@ server { return 301 https://$http_host$request_uri; } - location /.well-known/ynh-diagnosis/ { + location ^~ '/.well-known/ynh-diagnosis/' { alias /tmp/.well-known/ynh-diagnosis/; } - location /.well-known/autoconfig/mail/ { + location ^~ '/.well-known/autoconfig/mail/' { alias /var/www/.well-known/{{ domain }}/autoconfig/mail/; } @@ -52,6 +52,10 @@ server { resolver_timeout 5s; {% endif %} + location ^~ '/.well-known/autoconfig/mail/' { + alias /var/www/.well-known/{{ domain }}/autoconfig/mail/; + } + access_by_lua_file /usr/share/ssowat/access.lua; include /etc/nginx/conf.d/{{ domain }}.d/*.conf; From 7b38b064d71d129cc11be2fa72bede9c81a579ef Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sat, 11 Apr 2020 01:54:32 +0200 Subject: [PATCH 75/94] Fixes and enhancements --- data/helpers.d/apt | 2 +- data/helpers.d/php | 76 +++++++++++++++++++++++++++++++++------------- 2 files changed, 56 insertions(+), 22 deletions(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index 09b881bdc..9a038ac4d 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt @@ -255,7 +255,7 @@ ynh_install_app_dependencies () { # Pin this sury repository to prevent sury of doing shit ynh_pin_repo --package="*" --pin="origin \"packages.sury.org\"" --priority=200 --name=extra_php_version - ynh_pin_repo --package="php7.0*" --pin="origin \"packages.sury.org\"" --priority=600 --name=extra_php_version --append + ynh_pin_repo --package="php${$YNH_DEFAULT_PHP_VERSION}*" --pin="origin \"packages.sury.org\"" --priority=600 --name=extra_php_version --append fi fi fi diff --git a/data/helpers.d/php b/data/helpers.d/php index 680f37245..bdd68e4bb 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
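Review bot: The `^~` prefix gives the ynh-diagnosis location priority over regex locations in app snippets, yet it still serves files from `alias /tmp/.well-known/ynh-diagnosis/;`. /tmp is normally world-writable, so unless the diagnosis code creates that directory with restrictive ownership before anything else can, a local account could place content there and have it served on every domain. A root-owned location next to the autoconfig one, for example `alias /var/www/.well-known/ynh-diagnosis/;` with the matching change on the writer side, would remove that dependency. The writer is not part of this patch, so this is to be confirmed against it.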
@@ -13,7 +13,7 @@ YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION} # ----------------------------------------------------------------------------- # # usage 2: ynh_add_fpm_config [--phpversion=7.X] --usage=usage --footprint=footprint -# | arg: -v, --phpversion - Version of php to use.# +# | arg: -v, --phpversion - Version of php to use. # | arg: -f, --footprint - Memory footprint of the service (low/medium/high). # low - Less than 20Mb of ram by pool. # medium - Between 20Mb and 40Mb of ram by pool. @@ -61,7 +61,7 @@ ynh_add_fpm_config () { # Manage arguments with getopts ynh_handle_getopts_args "$@" - # The default behaviour is to use the template. + # The default behaviour is to use the template. use_template="${use_template:-1}" usage="${usage:-}" footprint="${footprint:-}" @@ -72,6 +72,13 @@ ynh_add_fpm_config () { # Set the default PHP-FPM version by default phpversion="${phpversion:-$YNH_PHP_VERSION}" + # If the requested php version is not the default version for YunoHost + if [ "$phpversion" != "$YNH_DEFAULT_PHP_VERSION" ] + then + # Install this specific version of php. + ynh_install_php --phpversion=$phpversion + fi + local fpm_config_dir="/etc/php/$phpversion/fpm" local fpm_service="php${phpversion}-fpm" # Configure PHP-FPM 5 on Debian Jessie @@ -87,7 +94,7 @@ ynh_add_fpm_config () { if [ $use_template -eq 1 ] then - # Usage 1, use the template in ../conf/php-fpm.conf + # Usage 1, use the template in ../conf/php-fpm.conf cp ../conf/php-fpm.conf "$finalphpconf" ynh_replace_string --match_string="__NAMETOCHANGE__" --replace_string="$app" --target_file="$finalphpconf" ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalphpconf" 
@@ -95,7 +102,9 @@ ynh_add_fpm_config () { ynh_replace_string --match_string="__PHPVERSION__" --replace_string="$phpversion" --target_file="$finalphpconf" else - # Usage 2, generate a php-fpm config file with ynh_get_scalable_phpfpm + # Usage 2, generate a php-fpm config file with ynh_get_scalable_phpfpm + + # Define the values to use for the configuration of php. ynh_get_scalable_phpfpm --usage=$usage --footprint=$footprint # Copy the default file @@ -141,14 +150,12 @@ ynh_add_fpm_config () { fi fi - - chown root: "$finalphpconf" ynh_store_file_checksum --file="$finalphpconf" if [ -e "../conf/php-fpm.ini" ] then - echo "Packagers ! Please do not use a separate php ini file, merge your directives in the pool file instead." >&2 + ynh_print_warn -message="Packagers ! Please do not use a separate php ini file, merge your directives in the pool file instead." finalphpini="$fpm_config_dir/conf.d/20-$app.ini" ynh_backup_if_checksum_is_different "$finalphpini" cp ../conf/php-fpm.ini "$finalphpini" 
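Review bot: The new warning in ynh_add_fpm_config is called as `ynh_print_warn -message="Packagers ! ..."`, with a single dash. The other call added in this series, in data/helpers.d/hardware, uses `--message=`, so this one is most likely not parsed as the message option and the text may be lost or printed with the option prefix. It should be `ynh_print_warn --message="Packagers ! Please do not use a separate php ini file, merge your directives in the pool file instead."`. The function starts and ends outside the hunk.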
@@ -167,18 +174,36 @@ ynh_add_fpm_config () { ynh_remove_fpm_config () { local fpm_config_dir=$(ynh_app_setting_get --app=$app --key=fpm_config_dir) local fpm_service=$(ynh_app_setting_get --app=$app --key=fpm_service) - # Assume default php version if not set + # Get the version of php used by this app + local phpversion=$(ynh_app_setting_get $app phpversion) + + # Assume default PHP-FPM version by default + phpversion="${phpversion:-$YNH_DEFAULT_PHP_VERSION}" + + # Assume default php files if not set if [ -z "$fpm_config_dir" ]; then fpm_config_dir="/etc/php/$YNH_DEFAULT_PHP_VERSION/fpm" fpm_service="php$YNH_DEFAULT_PHP_VERSION-fpm" fi ynh_secure_remove --file="$fpm_config_dir/pool.d/$app.conf" ynh_secure_remove --file="$fpm_config_dir/conf.d/20-$app.ini" 2>&1 - ynh_systemd_action --service_name=$fpm_service --action=reload + + if ynh_package_is_installed --package="php${phpversion}-fpm"; then + ynh_systemd_action --service_name=$fpm_service --action=reload + fi + + # If the php version used is not the default version for YunoHost + if [ "$phpversion" != "$YNH_DEFAULT_PHP_VERSION" ] + then + # Remove this specific version of php + ynh_remove_php + fi } # Install another version of php. # +# [internal] +# # usage: ynh_install_php --phpversion=phpversion [--package=packages] # | arg: -v, --phpversion - Version of php to install. # | arg: -p, --package - Additionnal php packages to install 
@@ -200,8 +225,15 @@ ynh_install_php () { ynh_die "Do not use ynh_install_php to install php$YNH_DEFAULT_PHP_VERSION" fi - # Store the ID of this app and the version of php requested for it - echo "$YNH_APP_INSTANCE_NAME:$phpversion" | tee --append "/etc/php/ynh_app_version" + # Create the file if doesn't exist already + touch /etc/php/ynh_app_version + + # Do not add twice the same line + if ! grep --quiet "$YNH_APP_INSTANCE_NAME:" "/etc/php/ynh_app_version" + then + # Store the ID of this app and the version of php requested for it + echo "$YNH_APP_INSTANCE_NAME:$phpversion" | tee --append "/etc/php/ynh_app_version" + fi # Add an extra repository for those packages ynh_install_extra_repo --repo="https://packages.sury.org/php/ $(lsb_release -sc) main" --key="https://packages.sury.org/php/apt.gpg" --priority=995 --name=extra_php_version @@ -216,7 +248,7 @@ ynh_install_php () { # Pin this extra repository after packages are installed to prevent sury of doing shit ynh_pin_repo --package="*" --pin="origin \"packages.sury.org\"" --priority=200 --name=extra_php_version - ynh_pin_repo --package="php${$YNH_DEFAULT_PHP_VERSION}*" --pin="origin \"packages.sury.org\"" --priority=600 --name=extra_php_version --append + ynh_pin_repo --package="php${YNH_DEFAULT_PHP_VERSION}*" --pin="origin \"packages.sury.org\"" --priority=600 --name=extra_php_version --append # Advertise service in admin panel yunohost service add php${phpversion}-fpm --log "/var/log/php${phpversion}-fpm.log" @@ -224,6 +256,8 @@ ynh_install_php () { # Remove the specific version of php used by the app. # +# [internal] +# # usage: ynh_install_php ynh_remove_php () { # Get the version of php used by this app 
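Review bot: The duplicate check `grep --quiet "$YNH_APP_INSTANCE_NAME:" "/etc/php/ynh_app_version"` is not anchored, so an app whose id is the tail of another app's id (constructed example: `blog` against a line for `myblog`) is treated as already registered and never gets its own line. ynh_remove_php, in the next hunk of this patch, deletes with the equally unanchored `sed --in-place "/$YNH_APP_INSTANCE_NAME:$phpversion/d"`, which can remove the other app's entry and lead to a php version being purged while still in use. Anchoring both fixes it: `grep --quiet "^$YNH_APP_INSTANCE_NAME:"` and `"/^$YNH_APP_INSTANCE_NAME:$phpversion\$/d"`. An app that changes its php version also keeps its old line, because the check looks only at the id.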
@@ -233,27 +267,27 @@ ynh_remove_php () { then if [ "$phpversion" == "$YNH_DEFAULT_PHP_VERSION" ] then - ynh_print_err "Do not use ynh_remove_php to install php$YNH_DEFAULT_PHP_VERSION" + ynh_print_err "Do not use ynh_remove_php to remove php$YNH_DEFAULT_PHP_VERSION !" fi return 0 fi + # Create the file if doesn't exist already + touch /etc/php/ynh_app_version + # Remove the line for this app sed --in-place "/$YNH_APP_INSTANCE_NAME:$phpversion/d" "/etc/php/ynh_app_version" # If no other app uses this version of php, remove it. if ! grep --quiet "$phpversion" "/etc/php/ynh_app_version" then - # Purge php dependences for this version. - ynh_package_autopurge "php$phpversion php${phpversion}-fpm php${phpversion}-common" # Remove the service from the admin panel - yunohost service remove php${phpversion}-fpm - fi + if ynh_package_is_installed --package="php${phpversion}-fpm"; then + yunohost service remove php${phpversion}-fpm + fi - # If no other app uses alternate php versions, remove the extra repo for php - if [ ! -s "/etc/php/ynh_app_version" ] - then - ynh_secure_remove /etc/php/ynh_app_version + # Purge php dependencies for this version. + ynh_package_autopurge "php$phpversion php${phpversion}-fpm php${phpversion}-common" fi } From 7154bca33c9de5377c9fb76b0429ddbe2035608e Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sat, 11 Apr 2020 20:52:52 +0200 Subject: [PATCH 76/94] Fix php migration, integrate --package= to ynh_add_fpm_config --- data/helpers.d/php | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index bdd68e4bb..a72cae3b3 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
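Review bot: With the `[ ! -s "/etc/php/ynh_app_version" ]` block dropped from ynh_remove_php, nothing visible in this hunk cleans up once the last alternate PHP version is purged: the `extra_php_version` repository and pin added by ynh_install_php stay configured, and `/etc/php/ynh_app_version` remains as an empty file. If that is not handled elsewhere, a third-party apt source stays trusted on the system with no app needing it. Consider ending the function with `if [ ! -s /etc/php/ynh_app_version ]; then ynh_remove_extra_repo --name=extra_php_version; fi`.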
@@ -6,13 +6,14 @@ YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION} # Create a dedicated php-fpm config # -# usage 1: ynh_add_fpm_config [--phpversion=7.X] [--use_template] +# usage 1: ynh_add_fpm_config [--phpversion=7.X] [--use_template] [--package=packages] # | arg: -v, --phpversion - Version of php to use. # | arg: -t, --use_template - Use this helper in template mode. +# | arg: -p, --package - Additionnal php packages to install # # ----------------------------------------------------------------------------- # -# usage 2: ynh_add_fpm_config [--phpversion=7.X] --usage=usage --footprint=footprint +# usage 2: ynh_add_fpm_config [--phpversion=7.X] --usage=usage --footprint=footprint [--package=packages] # | arg: -v, --phpversion - Version of php to use. # | arg: -f, --footprint - Memory footprint of the service (low/medium/high). # low - Less than 20Mb of ram by pool. @@ -27,6 +28,8 @@ YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION} # medium - Low usage, few people or/and publicly accessible. # high - High usage, frequently visited website. # +# | arg: -p, --package - Additionnal php packages to install for a specific version of php +# # # The footprint of the service will be used to defined the maximum footprint we can allow, which is half the maximum RAM. # So it will be used to defined 'pm.max_children' 
@@ -52,14 +55,16 @@ YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION} # Requires YunoHost version 2.7.2 or higher. ynh_add_fpm_config () { # Declare an array to define the options of this helper. - local legacy_args=vtuf - declare -Ar args_array=( [v]=phpversion= [t]=use_template [u]=usage= [f]=footprint= ) + local legacy_args=vtufp + declare -Ar args_array=( [v]=phpversion= [t]=use_template [u]=usage= [f]=footprint= [p]=package= ) local phpversion local use_template local usage local footprint + local package # Manage arguments with getopts ynh_handle_getopts_args "$@" + package=${package:-} # The default behaviour is to use the template. use_template="${use_template:-1}" @@ -75,8 +80,18 @@ ynh_add_fpm_config () { # If the requested php version is not the default version for YunoHost if [ "$phpversion" != "$YNH_DEFAULT_PHP_VERSION" ] then + # If the argument --package is used, add the packages to ynh_install_php to install them from sury + if [ -n "$package" ]; then + local additionnal_packages="--package=$package" + else + local additionnal_packages="" + fi # Install this specific version of php. - ynh_install_php --phpversion=$phpversion + ynh_install_php --phpversion=$phpversion "$additionnal_packages" + elif [ -n "$package" ] + then + # Install the additionnal packages from the default repository + ynh_add_app_dependencies --package="$package" fi local fpm_config_dir="/etc/php/$phpversion/fpm" From 49d9832f0bc1ca4f2e27810a6439f8a921ac3b17 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sat, 11 Apr 2020 20:53:16 +0200 Subject: [PATCH 77/94] Better apt logging --- data/helpers.d/apt | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index 9a038ac4d..bcce02dcb 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt 
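Review bot: In the second hunk of ynh_add_fpm_config, `ynh_install_php --phpversion=$phpversion "$additionnal_packages"` passes an empty-string argument whenever `--package` was not given, because the quoted variable expands to `""` rather than to nothing. How ynh_handle_getopts_args treats an empty argument is not visible here, so this should be confirmed or avoided. The if/else that builds `additionnal_packages` can be replaced by a conditional expansion on the call itself: `ynh_install_php --phpversion=$phpversion ${package:+"--package=$package"}`. The function continues outside the hunk.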
@@ -189,7 +189,16 @@ ynh_package_install_from_equivs () { # If install fails we use "apt-get check" to try to debug and diagnose possible unmet dependencies # Note the use of { } which allows to group commands without starting a subshell (otherwise the ynh_die wouldn't exit the current shell). # Be careful with the syntax : the semicolon + space at the end is important! - ynh_package_install -f || { apt-get check 2>&1; ynh_die --message="Unable to install dependencies"; } + + ynh_package_install -f || \ + { # If the installation failed + # Get the list of dependencies from the deb + local dependencies="$(dpkg --info "$TMPDIR/${pkgname}_${pkgversion}_all.deb" | grep Depends | \ + sed 's/^ Depends: //' | sed 's/,//g')" + # Fake an install of those dependencies to see the errors + # The sed command here is, Print only from '--fix-broken' to the end. + ynh_package_install $dependencies --dry-run | sed -n '/--fix-broken/,$p' >&2 + ynh_die --message="Unable to install dependencies"; } [[ -n "$TMPDIR" ]] && rm -rf $TMPDIR # Remove the temp dir. # check if the package is actually installed @@ -507,7 +516,7 @@ ynh_add_repo () { # | arg: -n, --name - Name for the files for this repo, $app as default value. # | arg: -a, --append - Do not overwrite existing files. # -# See https://manpages.debian.org/stretch/apt/apt_preferences.5.en.html for information about pinning. +# See https://manpages.debian.org/stretch/apt/apt_preferences.5.en.html#How_APT_Interprets_Priorities for information about pinning. # ynh_pin_repo () { # Declare an array to define the options of this helper. From bf291a0c506f076a951116a123ed7cb791db3147 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sat, 11 Apr 2020 23:25:51 +0200 Subject: [PATCH 78/94] Add 'yunohost tools versions' to have a simple way to fetch version from the webadmin --- data/actionsmap/yunohost.yml | 5 +++++ src/yunohost/tools.py | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) 
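Review bot: In ynh_package_install_from_equivs the dependency list is passed on unquoted, `ynh_package_install $dependencies --dry-run`, after only the `Depends:` prefix and the commas have been stripped. A Depends field with version constraints or alternatives (for example `foo (>= 1.0) | bar`, constructed) would be word-split into tokens such as `(>=` and `|` and handed to apt as package names, so the diagnostic run may fail on its own arguments instead of showing the unmet dependency. Stripping those first, e.g. `sed 's/^ Depends: //; s/([^)]*)//g; s/[,|]//g'`, keeps the list to package names; note that `grep Depends` also matches a `Pre-Depends:` line. The comment above the block still describes the old `apt-get check` approach and should be updated to match.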
diff --git a/data/actionsmap/yunohost.yml b/data/actionsmap/yunohost.yml index b0bb7f9dc..44419a342 100644 --- a/data/actionsmap/yunohost.yml +++ b/data/actionsmap/yunohost.yml @@ -1459,6 +1459,11 @@ tools: help: List pending configuration files and exit action: store_true + ### tools_versions() + versions: + action_help: Display YunoHost's packages versions + api: GET /versions + subcategories: migrations: diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index e6d013894..3208bda60 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py @@ -43,7 +43,7 @@ from yunohost.dyndns import _dyndns_available, _dyndns_provides from yunohost.firewall import firewall_upnp from yunohost.service import service_start, service_enable from yunohost.regenconf import regen_conf -from yunohost.utils.packages import _dump_sources_list, _list_upgradable_apt_packages +from yunohost.utils.packages import _dump_sources_list, _list_upgradable_apt_packages, ynh_packages_version from yunohost.utils.error import YunohostError from yunohost.log import is_unit_operation, OperationLogger @@ -53,6 +53,8 @@ MIGRATIONS_STATE_PATH = "/etc/yunohost/migrations.yaml" logger = getActionLogger('yunohost.tools') +def tools_versions(): + return ynh_packages_version() def tools_ldapinit(): """ From 21c3cc4a5398dc435886e62e939a39ac3e8057e7 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sun, 12 Apr 2020 00:29:47 +0200 Subject: [PATCH 79/94] Store fpm_footprint and fpm_usage --- data/helpers.d/php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/data/helpers.d/php b/data/helpers.d/php index a72cae3b3..dbb5f5930 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
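Review bot: `tools_versions()` in src/yunohost/tools.py is added without a docstring and with a single blank line around it, while the neighbouring `tools_ldapinit()` has one; a one-line `"""Return the versions of the installed YunoHost packages."""` would match the file. The yunohost.yml hunk exposes it as `GET /versions` with no `configuration:` key, so it presumably inherits the API's default authentication. That is worth confirming, because installed package versions help fingerprint a server if they can be read without logging in.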
@@ -119,6 +119,10 @@ ynh_add_fpm_config () { else # Usage 2, generate a php-fpm config file with ynh_get_scalable_phpfpm + # Store settings + ynh_app_setting_set --app=$app --key=fpm_footprint --value=$footprint + ynh_app_setting_set --app=$app --key=fpm_usage --value=$usage + # Define the values to use for the configuration of php. ynh_get_scalable_phpfpm --usage=$usage --footprint=$footprint From b0cd37aecad25bacd74c765101473d8ca8150d7d Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 12 Apr 2020 01:57:56 +0200 Subject: [PATCH 80/94] Make sure we have at least the standard stuff in /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/snap/bin:/snap/bin:/var/lib/snapd/snap/bin:/snap/bin:/var/lib/snapd/snap/bin ~.~ --- bin/yunohost | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bin/yunohost b/bin/yunohost index 10a21a9da..b640c8c52 100755 --- a/bin/yunohost +++ b/bin/yunohost @@ -179,6 +179,10 @@ def _retrieve_namespaces(): ret.append(n) return ret +# Stupid PATH management because sometimes (e.g. some cron job) PATH is only /usr/bin:/bin ... +default_path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +if os.environ["PATH"] != default_path: + os.environ["PATH"] = default_path + ":" + os.environ["PATH"] # Main action ---------------------------------------------------------- From 240a7d76d8b36942cd9a5360f14ebb6b044928bd Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Fri, 10 Apr 2020 23:44:13 +0200 Subject: [PATCH 81/94] [fix] lxc uid number is limited to 65536 by default --- src/yunohost/user.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/yunohost/user.py b/src/yunohost/user.py index af5ff77fb..3696272d0 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py 
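Review bot: In the bin/yunohost hunk, `os.environ["PATH"]` raises KeyError when the process starts with no PATH at all, which is the kind of stripped-down environment the added comment is about. Falling back to an empty string is not enough on its own, since `default_path + ":" + ""` leaves a trailing empty entry that is interpreted as the current directory during command lookup. Keeping the guard as `if os.environ.get("PATH") != default_path:` and building the value from the non-empty parts, `os.environ["PATH"] = ":".join(p for p in (default_path, os.environ.get("PATH")) if p)`, avoids both. The same hunk appears again in PATCH 88/94.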
@@ -170,7 +170,8 @@ def user_create(operation_logger, username, firstname, lastname, mail, password, uid_guid_found = False while not uid_guid_found: - uid = str(random.randint(200, 99999)) + # LXC uid number is limited to 65536 by default + uid = str(random.randint(200, 65000)) uid_guid_found = uid not in all_uid and uid not in all_gid # Adapt values for LDAP From 2fcc93fcc80a7e8571b194ed9602c4198a9363a6 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Sun, 12 Apr 2020 16:37:55 +0200 Subject: [PATCH 82/94] add YNH_DEFAULT_PHP_VERSION in backup.py --- src/yunohost/backup.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/yunohost/backup.py b/src/yunohost/backup.py index 8408e7fa3..7ae6069e3 100644 --- a/src/yunohost/backup.py +++ b/src/yunohost/backup.py @@ -51,6 +51,7 @@ from yunohost.hook import ( from yunohost.tools import tools_postinstall from yunohost.regenconf import regen_conf from yunohost.log import OperationLogger +from yunohost.app import APPS_DEFAULT_PHP_VERSION from functools import reduce BACKUP_PATH = '/home/yunohost.backup' @@ -561,6 +562,7 @@ class BackupManager(): env_var["YNH_APP_ID"] = app_id env_var["YNH_APP_INSTANCE_NAME"] = app env_var["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) + env_var["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION tmp_app_dir = os.path.join('apps/', app) tmp_app_bkp_dir = os.path.join(self.work_dir, tmp_app_dir, 'backup') env_var["YNH_APP_BACKUP_DIR"] = tmp_app_bkp_dir @@ -1411,6 +1413,7 @@ class RestoreManager(): env_dict_remove["YNH_APP_ID"] = app_id env_dict_remove["YNH_APP_INSTANCE_NAME"] = app_instance_name env_dict_remove["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) + env_dict_remove["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION operation_logger = OperationLogger('remove_on_failed_restore', [('app', app_instance_name)], 
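Review bot: The new range in user_create, `random.randint(200, 65000)`, still starts at 200, inside the 100–999 block that Debian reserves for system accounts, so a regular user can receive a uid that tools keyed on UID_MIN treat as a system account. Unless the low bound is deliberate, `random.randint(1001, 65000)` keeps human accounts in the normal range. The added comment could also say why the cap is 65000 rather than 65535, for instance `# LXC maps 65536 ids by default; stay clear of 65534 (nobody)` if that is the reason. The same hunk appears again in PATCH 89/94, and user_create continues outside it.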
@@ -1458,6 +1461,7 @@ class RestoreManager(): env_var["YNH_APP_ID"] = app_id env_var["YNH_APP_INSTANCE_NAME"] = app env_var["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) + env_var["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION env_var["YNH_APP_BACKUP_DIR"] = app_backup_in_archive return env_var From ef2f4b2a6ecb68557671710c1ef50d7b842d15f2 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Sun, 12 Apr 2020 16:52:23 +0200 Subject: [PATCH 83/94] some hooks use helpers without php --- data/helpers.d/php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 56d35cee8..c099fd7a2 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -2,7 +2,7 @@ # Declare the actual php version to use. # A packager willing to use another version of php can override the variable into its _common.sh. -YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION} +YNH_PHP_VERSION=${YNH_PHP_VERSION:-${YNH_DEFAULT_PHP_VERSION:-7.0}} # Create a dedicated php-fpm config # From 509190532933f27e72b8519db2be19361fbc096e Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 12 Apr 2020 17:22:57 +0200 Subject: [PATCH 84/94] Update data/helpers.d/php Co-Authored-By: Kayou --- data/helpers.d/php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index c099fd7a2..4c711056d 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -2,7 +2,9 @@ # Declare the actual php version to use. # A packager willing to use another version of php can override the variable into its _common.sh. -YNH_PHP_VERSION=${YNH_PHP_VERSION:-${YNH_DEFAULT_PHP_VERSION:-7.0}} +if [ -n "$YNH_DEFAULT_PHP_VERSION" ]; then + YNH_PHP_VERSION=${YNH_PHP_VERSION:-YNH_DEFAULT_PHP_VERSION} +fi # Create a dedicated php-fpm config # From 6c9187e7e4d0458b9310ee1fed931e9e28385c56 Mon Sep 17 00:00:00 2001 
From: Kayou Date: Sun, 12 Apr 2020 17:43:33 +0200 Subject: [PATCH 85/94] Update php --- data/helpers.d/php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 4c711056d..55c24ac57 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -2,7 +2,7 @@ # Declare the actual php version to use. # A packager willing to use another version of php can override the variable into its _common.sh. -if [ -n "$YNH_DEFAULT_PHP_VERSION" ]; then +if [ -n "${YNH_DEFAULT_PHP_VERSION:-}" ]; then YNH_PHP_VERSION=${YNH_PHP_VERSION:-YNH_DEFAULT_PHP_VERSION} fi From b20b7f3a852ed40ea20d74136c1ba0d010a01720 Mon Sep 17 00:00:00 2001 From: Kayou Date: Sun, 12 Apr 2020 20:03:09 +0200 Subject: [PATCH 86/94] Update php --- data/helpers.d/php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 55c24ac57..eaeee23ed 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -2,9 +2,8 @@ # Declare the actual php version to use. # A packager willing to use another version of php can override the variable into its _common.sh. -if [ -n "${YNH_DEFAULT_PHP_VERSION:-}" ]; then - YNH_PHP_VERSION=${YNH_PHP_VERSION:-YNH_DEFAULT_PHP_VERSION} -fi +YNH_DEFAULT_PHP_VERSION=${YNH_DEFAULT_PHP_VERSION:-7.0} +YNH_PHP_VERSION=${YNH_PHP_VERSION:-YNH_DEFAULT_PHP_VERSION} # Create a dedicated php-fpm config # From aaabf8c75c993030ef3056f2aba7e87d55278a4b Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Thu, 9 Apr 2020 17:37:04 +0200 Subject: [PATCH 87/94] [fix] also invalidate group cache --- src/yunohost/user.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/yunohost/user.py b/src/yunohost/user.py index 69baf4435..ee3504135 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py 
@@ -213,8 +213,9 @@ def user_create(operation_logger, username, firstname, lastname, mail, password, except Exception as e: raise YunohostError('user_creation_failed', user=username, error=e) - # Invalidate passwd to take user creation into account + # Invalidate passwd and group to take user and group creation into account subprocess.call(['nscd', '-i', 'passwd']) + subprocess.call(['nscd', '-i', 'group']) try: # Attempt to create user home folder From f03bb82aadd1d16226cafdad9581390c0a866799 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 12 Apr 2020 01:57:56 +0200 Subject: [PATCH 88/94] Make sure we have at least the standard stuff in /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/snap/bin:/snap/bin:/var/lib/snapd/snap/bin:/snap/bin:/var/lib/snapd/snap/bin ~.~ --- bin/yunohost | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bin/yunohost b/bin/yunohost index 10a21a9da..b640c8c52 100755 --- a/bin/yunohost +++ b/bin/yunohost @@ -179,6 +179,10 @@ def _retrieve_namespaces(): ret.append(n) return ret +# Stupid PATH management because sometimes (e.g. some cron job) PATH is only /usr/bin:/bin ... +default_path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +if os.environ["PATH"] != default_path: + os.environ["PATH"] = default_path + ":" + os.environ["PATH"] # Main action ---------------------------------------------------------- From 0c9a4509f765a60cc6f2840c243b8abb1c09a676 Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Fri, 10 Apr 2020 23:44:13 +0200 Subject: [PATCH 89/94] [fix] lxc uid number is limited to 65536 by default --- src/yunohost/user.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/yunohost/user.py b/src/yunohost/user.py index ee3504135..df0527655 100644 --- a/src/yunohost/user.py +++ b/src/yunohost/user.py 
@@ -170,7 +170,8 @@ def user_create(operation_logger, username, firstname, lastname, mail, password, uid_guid_found = False while not uid_guid_found: - uid = str(random.randint(200, 99999)) + # LXC uid number is limited to 65536 by default + uid = str(random.randint(200, 65000)) uid_guid_found = uid not in all_uid and uid not in all_gid # Adapt values for LDAP From 37fd69653a13e7cd90c61df8fbb52580d143f776 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 12 Apr 2020 23:14:07 +0200 Subject: [PATCH 90/94] Update changelog for 3.7.1.1 --- debian/changelog | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 018807b16..6245bb4b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +yunohost (3.7.1.1) stable; urgency=low + + - [fix] lxc uid number is limited to 65536 by default (0c9a4509) + - [fix] also invalidate group cache when creating users (aaabf8c7) + - [fix] Make sure to have a path that include sbin for stupid cron jobs (f03bb82a) + + -- Alexandre Aubin Sun, 12 Apr 2020 23:15:00 +0000 + yunohost (3.7.1) stable; urgency=low - [enh] Add ynh_permission_has_user helper (#905) @@ -13,7 +21,7 @@ yunohost (3.7.1) stable; urgency=low Thanks to all contributors <3 ! (Bram, Kay0u, Maniack, Matthew D.) - -- Alexandre Aubin Thu, 9 April 2020 14:52:00 +0000 + -- Alexandre Aubin Thu, 9 Apr 2020 14:52:00 +0000 yunohost (3.7.0.12) stable; urgency=low From 23c6ca52364b549afda78a42f21cbf9a0e1405c2 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Sun, 12 Apr 2020 23:43:39 +0200 Subject: [PATCH 91/94] Remove APPS_DEFAULT_PHP_VERSION from the core --- src/yunohost/app.py | 9 --------- src/yunohost/backup.py | 4 ---- 2 files changed, 13 deletions(-) diff --git a/src/yunohost/app.py b/src/yunohost/app.py index 5a0403af2..39793ec1a 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py 
@@ -59,7 +59,6 @@ APPS_CATALOG_CONF = '/etc/yunohost/apps_catalog.yml' APPS_CATALOG_CRON_PATH = "/etc/cron.daily/yunohost-fetch-apps-catalog" APPS_CATALOG_API_VERSION = 2 APPS_CATALOG_DEFAULT_URL = "https://app.yunohost.org/default" -APPS_DEFAULT_PHP_VERSION = "7.0" re_github_repo = re.compile( r'^(http[s]?://|git@)github.com[/:]' @@ -348,7 +347,6 @@ def app_change_url(operation_logger, app, domain, path): env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app env_dict["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) - env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION env_dict["YNH_APP_OLD_DOMAIN"] = old_domain env_dict["YNH_APP_OLD_PATH"] = old_path @@ -485,7 +483,6 @@ def app_upgrade(app=[], url=None, file=None): env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app_instance_name env_dict["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) - env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION # Start register change on system related_to = [('app', app_instance_name)] @@ -698,7 +695,6 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app_instance_name env_dict["YNH_APP_INSTANCE_NUMBER"] = str(instance_number) - env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION # Start register change on system operation_logger.extra.update({'env': env_dict}) @@ -807,7 +803,6 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu env_dict_remove["YNH_APP_ID"] = app_id env_dict_remove["YNH_APP_INSTANCE_NAME"] = app_instance_name env_dict_remove["YNH_APP_INSTANCE_NUMBER"] = str(instance_number) - env_dict_remove["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION # Execute remove script operation_logger_remove = OperationLogger('remove_on_failed_install', 
@@ -985,7 +980,6 @@ def app_remove(operation_logger, app): env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app env_dict["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) - env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION operation_logger.extra.update({'env': env_dict}) operation_logger.flush() @@ -1410,7 +1404,6 @@ def app_action_run(operation_logger, app, action, args=None): env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app env_dict["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) - env_dict["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION env_dict["YNH_ACTION"] = action _, path = tempfile.mkstemp() @@ -1474,7 +1467,6 @@ def app_config_show_panel(operation_logger, app): "YNH_APP_ID": app_id, "YNH_APP_INSTANCE_NAME": app, "YNH_APP_INSTANCE_NUMBER": str(app_instance_nb), - "YNH_DEFAULT_PHP_VERSION": APPS_DEFAULT_PHP_VERSION, } return_code, parsed_values = hook_exec(config_script, @@ -1548,7 +1540,6 @@ def app_config_apply(operation_logger, app, args): "YNH_APP_ID": app_id, "YNH_APP_INSTANCE_NAME": app, "YNH_APP_INSTANCE_NUMBER": str(app_instance_nb), - "YNH_DEFAULT_PHP_VERSION": APPS_DEFAULT_PHP_VERSION, } args = dict(urlparse.parse_qsl(args, keep_blank_values=True)) if args else {} diff --git a/src/yunohost/backup.py b/src/yunohost/backup.py index 7ae6069e3..8408e7fa3 100644 --- a/src/yunohost/backup.py +++ b/src/yunohost/backup.py @@ -51,7 +51,6 @@ from yunohost.hook import ( from yunohost.tools import tools_postinstall from yunohost.regenconf import regen_conf from yunohost.log import OperationLogger -from yunohost.app import APPS_DEFAULT_PHP_VERSION from functools import reduce BACKUP_PATH = '/home/yunohost.backup' 
@@ -562,7 +561,6 @@ class BackupManager(): env_var["YNH_APP_ID"] = app_id env_var["YNH_APP_INSTANCE_NAME"] = app env_var["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) - env_var["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION tmp_app_dir = os.path.join('apps/', app) tmp_app_bkp_dir = os.path.join(self.work_dir, tmp_app_dir, 'backup') env_var["YNH_APP_BACKUP_DIR"] = tmp_app_bkp_dir @@ -1413,7 +1411,6 @@ class RestoreManager(): env_dict_remove["YNH_APP_ID"] = app_id env_dict_remove["YNH_APP_INSTANCE_NAME"] = app_instance_name env_dict_remove["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) - env_dict_remove["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION operation_logger = OperationLogger('remove_on_failed_restore', [('app', app_instance_name)], @@ -1461,7 +1458,6 @@ class RestoreManager(): env_var["YNH_APP_ID"] = app_id env_var["YNH_APP_INSTANCE_NAME"] = app env_var["YNH_APP_INSTANCE_NUMBER"] = str(app_instance_nb) - env_var["YNH_DEFAULT_PHP_VERSION"] = APPS_DEFAULT_PHP_VERSION env_var["YNH_APP_BACKUP_DIR"] = app_backup_in_archive return env_var From 71743d211bc9e95f4bdaca77199aa9c891892495 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 13 Apr 2020 10:44:56 +0200 Subject: [PATCH 92/94] Update data/helpers.d/php --- data/helpers.d/php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index eaeee23ed..beaa01f14 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -2,7 +2,7 @@ # Declare the actual php version to use. # A packager willing to use another version of php can override the variable into its _common.sh. -YNH_DEFAULT_PHP_VERSION=${YNH_DEFAULT_PHP_VERSION:-7.0} +YNH_DEFAULT_PHP_VERSION=7.0 YNH_PHP_VERSION=${YNH_PHP_VERSION:-YNH_DEFAULT_PHP_VERSION} # Create a dedicated php-fpm config From 4b3f7a1ddd13f0ce7a5f0c807d5069a692ed6024 Mon Sep 17 00:00:00 2001 
From: Maniack Crudelis Date: Mon, 13 Apr 2020 10:45:42 +0200 Subject: [PATCH 93/94] Move YNH_DEFAULT_PHP_VERSION before the comment for YNH_DEFAULT_PHP_VERSION --- data/helpers.d/php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index beaa01f14..0bef2ad13 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -1,8 +1,8 @@ #!/bin/bash +YNH_DEFAULT_PHP_VERSION=7.0 # Declare the actual php version to use. # A packager willing to use another version of php can override the variable into its _common.sh. -YNH_DEFAULT_PHP_VERSION=7.0 YNH_PHP_VERSION=${YNH_PHP_VERSION:-YNH_DEFAULT_PHP_VERSION} # Create a dedicated php-fpm config From ab2f918a8c5d0eee66fefd852ca43b05b5c1ec6f Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 13 Apr 2020 10:46:37 +0200 Subject: [PATCH 94/94] Missing $ --- data/helpers.d/php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 0bef2ad13..e70302912 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php @@ -3,7 +3,7 @@ YNH_DEFAULT_PHP_VERSION=7.0 # Declare the actual php version to use. # A packager willing to use another version of php can override the variable into its _common.sh. -YNH_PHP_VERSION=${YNH_PHP_VERSION:-YNH_DEFAULT_PHP_VERSION} +YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION} # Create a dedicated php-fpm config #