Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2025-03-22 23:26:46 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: cacher: restrict install to supported clients

Browse Source 
- Enforce uninstall in Fedora, it has been too problematic due to zchunk
  checksum mismatch errors;
- Skip tagging and installing on unsupported qubes, before it tagged
  every template that did not have the tag 'whonix-updatevm', this is
  error prone as it would fail the installation on unsupported clients
  such as Gentoo, Mirage.

Fixes: https://github.com/ben-grande/qusal/issues/54
This commit is contained in:
Ben Grande 2024-05-29 16:16:03 +02:00
parent 9cb7d72044
commit bb4dcbbe8f
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56
11 changed files with 136 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
salt/sys-cacher/README.md
View File

@ -31,6 +31,10 @@ This change will be done automatically for every template that exists and is
not Whonix based. No changes are made to Whonix templates, and updates to not Whonix based. No changes are made to Whonix templates, and updates to
those templates will not be cached. those templates will not be cached.
The caching proxy supports Debian derivatives (not Whonix) and Arch Linux.
Fedora support was dropped due to unreliability of the mirror mechanism of
zchunk checksums when caching packages.
## Installation ## Installation
Installation may take a long time as it will target all templates unless you Installation may take a long time as it will target all templates unless you
@ -174,6 +178,13 @@ sudo qubesctl --skip-dom0 --targets=QUBE state.apply sys-cacher.uninstall-client
qvm-tags del QUBE updatevm-sys-cacher qvm-tags del QUBE updatevm-sys-cacher
``` ```
If you tagged manually a qube that is unsupported, updates for that qube will
fail. Get a full list of unsupported qubes (**warning**: there may be false
positives of supported qubes being listed):
```sh
sudo qubesctl --show-output state.apply sys-cacher.list-extra-tag
```
## Credits ## Credits
- [Unman](https://github.com/unman/shaker/tree/main/cacher) - [Unman](https://github.com/unman/shaker/tree/main/cacher)

60
salt/sys-cacher/files/admin/list-extra-tag.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
set -eu
get_os_distro(){
distro_qube="${1}"
os_distro="$(qvm-features "${distro_qube}" os-distribution || true)"
}
tagged="$(qvm-ls --no-spinner --raw-list --tags updatevm-sys-cacher | tr "\n" " ")"
wanted=""
for qube in ${tagged}; do
get_os_distro "${qube}"
case "${os_distro}" in
debian|ubuntu|linuxmint|kali|kicksecure|arch)
continue
;;
"")
## AppVMs and DispVMs do not report the features, discover from
## their templates.
klass="$(qvm-prefs "${qube}" klass)"
case "${klass}" in
TemplateVM|StandaloneVM)
## WARN: creates false positives in case qube never did an update to
## report the OS ID, thus reporting both supported qubes that are
## not updated yet and unsupported that didn't update yet also.
wanted="${wanted:+"${wanted} "}${qube}"
;;
AppVM|DispVM)
case "${klass}" in
AppVM)
template="$(qvm-prefs "${qube}" template)"
;;
DispVM)
app="$(qvm-prefs "${qube}" template)"
template="$(qvm-prefs "${app}" template)"
;;
esac
get_os_distro "${template}"
case "${os_distro}" in
debian|ubuntu|linuxmint|kali|kicksecure|arch)
continue
;;
## Qube is not supported.
*) wanted="${wanted:+"${wanted} "}${qube}";;
esac
;;
esac
;;
## Qube is not supported.
*) wanted="${wanted:+"${wanted} "}${qube}";;
esac
done
echo "${wanted}" | tr " " "\n"

18
salt/sys-cacher/files/admin/tag.sh
View File

@ -10,7 +10,19 @@ exclude="$(qvm-ls --no-spinner --raw-list --tags whonix-updatevm \
| sed "s/^./--exclude &/" | tr "\n" " ")" | sed "s/^./--exclude &/" | tr "\n" " ")"
# shellcheck disable=SC2086 # shellcheck disable=SC2086
wanted="$(qvm-ls --no-spinner --raw-data --fields=NAME,CLASS --all ${exclude} \ templates="$(qvm-ls --no-spinner --raw-data --fields=NAME,CLASS --all ${exclude} \
| awk -v class="TemplateVM" -F "|" '$2 ~ class {print $1}')" | awk -v class="TemplateVM" -F "|" '$2 ~ class {print $1}' \
| tr "\n" " ")"
echo "${wanted}" wanted=""
for qube in ${templates}; do
os_distro="$(qvm-features "${qube}" os-distribution || true)"
case "${os_distro}" in
debian|ubuntu|linuxmint|kali|arch)
wanted="${wanted:+"${wanted} "}${qube}"
;;
*) continue
esac
done
echo "${wanted}" | tr " " "\n"

18
salt/sys-cacher/files/client/bin/apt-cacher-ng-repo
View File

@ -85,15 +85,23 @@ check_netvm_cacher(){
proxy_conf="proxy=${proxy_addr}" proxy_conf="proxy=${proxy_addr}"
} }
reject_os(){
echo "${0##*/} does not support your Operating System distribution." >&2
exit 1
}
# shellcheck disable=SC2317
set_proxy_os(){ set_proxy_os(){
if test -e /etc/fedora-release; then if test -e /etc/fedora-release; then
## Fedora ## Fedora
## Uninstall because it leads to many zchunk checksum mismatch problems.
action="uninstall"
echo "${0##*/} doesn't work well on Fedora, uninstalling." >&2
if test -w /etc/dnf/dnf.conf; then if test -w /etc/dnf/dnf.conf; then
set_proxy_marker /etc/dnf/dnf.conf "zchunk=False set_proxy_marker /etc/dnf/dnf.conf "zchunk=False
${proxy_conf}" ${proxy_conf}"
fi fi
if test -n "${proxy_addr}"; then if test -n "${proxy_addr}"; then
cat >/etc/yum.conf.d/qubes-proxy.conf <<EOF cat >/etc/yum.conf.d/qubes-proxy.conf <<EOF
${proxy_conf} ${proxy_conf}
@ -162,7 +170,7 @@ EOF
esac esac
elif test -e /etc/debian_version && test ! -e /usr/share/whonix/marker; then elif test -e /etc/debian_version && test ! -e /usr/share/whonix/marker; then
## Debian but not Whonix. ## Debian and derivatives but not Whonix.
if test -n "${proxy_addr}"; then if test -n "${proxy_addr}"; then
cat >/etc/apt/apt.conf.d/50cacher-proxy <<EOF cat >/etc/apt/apt.conf.d/50cacher-proxy <<EOF
@ -250,9 +258,9 @@ EOF
esac esac
else else
## TODO: Gentoo. ## Gentoo: upstream does not have a good solution:
echo "Cacher does not support your Operating System distribution." >&2 ## https://wiki.gentoo.org/wiki/Local_distfiles_cache#Configuring_for_Gentoo
exit 1 reject_os
fi fi
} }

4
salt/sys-cacher/install-client.top
View File

@ -1,10 +1,10 @@
{# {#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com> SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later SPDX-License-Identifier: AGPL-3.0-or-later
#} #}
base: base:
'I@qubes:type:template and not P@nodename:host and not P@nodename:whonix.*': 'I@qubes:type:template and ( ( G@os_family:Debian and not P@nodename:host and not P@nodename:whonix.* ) or G@os_family:Arch )':
- match: compound - match: compound
- sys-cacher.install-client - sys-cacher.install-client

10
salt/sys-cacher/list-extra-tag.sls Normal file
View File

@ -0,0 +1,10 @@
{#
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% set extraneous = salt['cmd.script']('salt://' ~ slsdotpath ~ '/files/admin/list-extra-tag.sh') -%}
"{{ slsdotpath }}-list-extra-tag":
cmd.run:
- name: echo {{ extraneous.stdout.split("\n") }}

10
salt/sys-cacher/list-extra-tag.top Normal file
View File

@ -0,0 +1,10 @@
{#
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
base:
'dom0':
- match: nodegroup
- sys-cacher.list-extra-tag

2
salt/sys-cacher/tag.sls
View File

@ -6,7 +6,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
{% set templates = salt['cmd.script']('salt://' ~ slsdotpath ~ '/files/admin/tag.sh') -%} {% set templates = salt['cmd.script']('salt://' ~ slsdotpath ~ '/files/admin/tag.sh') -%}
{% for tpl in templates.stdout.split("\n") -%} {% for tpl in templates.stdout.split("\n") -%}
"{{ slsdotpath }}-tag-for-{{ tpl }}": "{{ slsdotpath }}-add-tag-of-{{ tpl }}":
qvm.tags: qvm.tags:
- name: {{ tpl }} - name: {{ tpl }}
- add: - add:

13
salt/sys-cacher/uninstall-client.sls
View File

@ -4,13 +4,22 @@ SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.co
SPDX-License-Identifier: AGPL-3.0-or-later SPDX-License-Identifier: AGPL-3.0-or-later
#} #}
{% if salt['cmd.shell']('command -v apt-cacher-ng-repo >/dev/null') -%} "{{ slsdotpath }}-install-client-scripts":
file.recurse:
- name: /usr/bin/
- source: salt://{{ slsdotpath }}/files/client/bin/
- file_mode: "0755"
- group: root
- user: root
- makedirs: True
"{{ slsdotpath }}-uninstall-client-repository-modifications": "{{ slsdotpath }}-uninstall-client-repository-modifications":
cmd.run: cmd.run:
- require:
- file: "{{ slsdotpath }}-install-client-scripts"
- name: apt-cacher-ng-repo uninstall - name: apt-cacher-ng-repo uninstall
- stateful: True - stateful: True
- runas: root - runas: root
{% endif -%}
"{{ slsdotpath }}-uninstall-client-scripts": "{{ slsdotpath }}-uninstall-client-scripts":
file.absent: file.absent:

4
salt/sys-cacher/uninstall-client.top
View File

@ -5,6 +5,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
#} #}
base: base:
'qubes:type:template': 'I@qubes:type:template and ( ( G@os_family:Debian and not P@nodename:host and not P@nodename:whonix.* ) or G@os_family:Arch )':
- match: pillar - match: compound
- sys-cacher.uninstall-client - sys-cacher.uninstall-client

2
salt/sys-cacher/untag.sls
View File

@ -8,7 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
{% if wanted -%} {% if wanted -%}
{% for tpl in wanted.split("\n") %} {% for tpl in wanted.split("\n") %}
"{{ tpl }}-cacher-untag": "{{ slsdotpath }}-del-tag-of-{{ tpl }}":
qvm.tags: qvm.tags:
- name: {{ tpl }} - name: {{ tpl }}
- del: - del: