qusal/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo
Ben Grande bb4dcbbe8f
fix: cacher: restrict install to supported clients
- Enforce uninstall in Fedora, it has been too problematic due to zchunk
  checksum mismatch errors;
- Skip tagging and installing on unsupported qubes, before it tagged
  every template that did not have the tag 'whonix-updatevm', this is
  error prone as it would fail the installation on unsupported clients
  such as Gentoo, Mirage.

Fixes: https://github.com/ben-grande/qusal/issues/54
2024-05-29 18:29:27 +02:00

313 lines
8.9 KiB
Bash
Executable File

#!/bin/sh
# SPDX-FileCopyrightText: 2015 - 2020 Marek Marczykowski-Gorecki <marmarek@invisiblethingslab.com>
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: GPL-2.0-only
## Description: rewrite repositories definitions to be used with the cacher.
## It works for qubes that should be configured to use the cacher via Qrexec
## or Netvm (direct networking).
##
## Looping through files and testing their permissions (read, write) is better
## than finding a file and trying to sed it without knowledge, it is also
## beneficial as 'find' fails if file is not existent and sending all 'find'
## output to /dev/stderr is not great.
##
## Assigning the repositories files to '$@' avoids having to parse their names
## in case they contain spaces, newlines and other dangerous characters to the
## shell, it is also an easy way to use an array for /bin/sh.
set -eu
set_proxy_marker(){
marker_begin_text="QUBES BEGIN"
marker_end_text="QUBES END"
marker_begin="### ${marker_begin_text} ###"
marker_end="### ${marker_end_text} ###"
proxy_file="${1}"
proxy_options="${2}"
if ! grep -q "^${marker_begin}$" "${proxy_file}"; then
if grep -q "^${marker_end}$" "${proxy_file}"; then
echo "Error: found marker ${marker_end_text} but not ${marker_begin_text} in ${proxy_file}" >&2
echo "Fix the file by either removing both markers or adding missing ones and retry" >&2
exit 1
fi
cp "${proxy_file}" "${proxy_file}.qubes-orig"
echo "${marker_begin}" | tee -a "${proxy_file}" >/dev/null
echo "${marker_end}" | tee -a "${proxy_file}" >/dev/null
elif ! grep -q "^${marker_end}$" "${proxy_file}"; then
echo "Error: found marker ${marker_begin_text} but not ${marker_end_text} in ${proxy_file}" >&2
echo "Fix the file by either removing both markers or adding missing ones and retry" >&2
exit 1
fi
proxy_tmp_file="$(mktemp)"
cat >"${proxy_tmp_file}" <<EOF
# The text between ${marker_begin_text} and ${marker_end_text} is automatically
# generated by $0. All changes here will be overriden.
# You can override options after the ${marker_end_text}.
${proxy_options}
EOF
## Couldn't figure out how to write only changes on the next sed.
if ! grep -q "${proxy_options}" "${proxy_file}"; then
tee -a "${changes_file}" <"${proxy_tmp_file}" >/dev/null
fi
## GNU Sed, only reliable while we don't support BSD.
sed -i -e "/^${marker_begin}$/,/^${marker_end}$/{
/^${marker_end}$/b
/^${marker_begin}$/!d
r ${proxy_tmp_file}
}" "${proxy_file}"
rm -f "${proxy_tmp_file}"
}
check_netvm_cacher(){
proxy_host="127.0.0.1"
proxy_port="8082"
proxy_addr=""
proxy_url=""
proxy_conf=""
if ! test -f /var/run/qubes-service/updates-proxy-setup; then
return 0
fi
if test -f /var/run/qubes-service/netvm-cacher; then
proxy_host="$(qubesdb-read /qubes-gateway)"
if test -z "${proxy_host}"; then
echo "Error: service netvm-cacher enabled but netvm IP was not found" >&2
return 1
fi
fi
proxy_addr="${proxy_host}:${proxy_port}"
proxy_url="http://${proxy_addr}"
proxy_conf="proxy=${proxy_addr}"
}
reject_os(){
echo "${0##*/} does not support your Operating System distribution." >&2
exit 1
}
# shellcheck disable=SC2317
set_proxy_os(){
if test -e /etc/fedora-release; then
## Fedora
## Uninstall because it leads to many zchunk checksum mismatch problems.
action="uninstall"
echo "${0##*/} doesn't work well on Fedora, uninstalling." >&2
if test -w /etc/dnf/dnf.conf; then
set_proxy_marker /etc/dnf/dnf.conf "zchunk=False
${proxy_conf}"
fi
if test -n "${proxy_addr}"; then
cat >/etc/yum.conf.d/qubes-proxy.conf <<EOF
${proxy_conf}
EOF
else
rm -f /etc/yum.conf.d/qubes-proxy.conf
fi
set --
for repo in \
/etc/yum.repos.d/*.repo
do
test -f "${repo}" || continue
test -r "${repo}" || continue
test -w "${repo}" || continue
set -- "${@}" "${repo}"
done
test -n "${*}" || return 0
case "${action}" in
install)
find "${@}" -type f -exec sed -i \
-e "s|baseurl\s*=\s*https://|baseurl=http://HTTPS///|w ${changes_file}" \
-e "s|metalink\s*=\s*https://|metalink=http://HTTPS///|w ${changes_file}" \
{} \+
set --
for repo in \
/etc/yum.repos.d/rpmfusion*.repo
do
test -f "${repo}" || continue
test -r "${repo}" || continue
test -w "${repo}" || continue
set -- "${@}" "${repo}"
done
test -n "${*}" || return 0
find "${@}" -type f -exec sed -i \
-e "s|^\s*#.*baseurl|baseurl|w ${changes_file}" \
-e "s|^\s*metalink\s*=\s*|#metalink=|w ${changes_file}" \
{} \+
;;
uninstall)
find "${@}" -type f -exec sed -i \
-e "s|baseurl\s*=\s*http://HTTPS///|baseurl=https://|w ${changes_file}" \
-e "s|metalink\s*=\s*http://HTTPS///|metalink=https://|w ${changes_file}" \
{} \+
set --
for repo in \
/etc/yum.repos.d/rpmfusion*.repo
do
test -f "${repo}" || continue
test -r "${repo}" || continue
test -w "${repo}" || continue
set -- "${@}" "${repo}"
done
test -n "${*}" || return 0
find "${@}" -type f -exec sed -i \
-e "s|^\s*baseurl|#baseurl|w ${changes_file}" \
-e "s|^\s*#.*metalink\s*=|metalink=|w ${changes_file}" \
{} \+ 2>/dev/null || true
;;
esac
elif test -e /etc/debian_version && test ! -e /usr/share/whonix/marker; then
## Debian and derivatives but not Whonix.
if test -n "${proxy_addr}"; then
cat >/etc/apt/apt.conf.d/50cacher-proxy <<EOF
# Use Cacher NetVM Update Proxy
Acquire::http::Proxy "${proxy_url}";
Acquire::tor::proxy "${proxy_url}";
EOF
else
rm -f /etc/apt/apt.conf.d/50cacher-proxy
fi
set --
for repo in \
/etc/apt/sources.list \
/etc/apt/sources.list.d/*.list \
/etc/apt/sources.list.d/*.sources
do
test -f "${repo}" || continue
test -r "${repo}" || continue
test -w "${repo}" || continue
set -- "${@}" "${repo}"
done
test -n "${*}" || return 0
case "${action}" in
install)
find "${@}" -type f -exec sed -i \
-e "s|URIs:\s*https://|URIs: http://HTTPS///|w ${changes_file}" \
-e "s|^\s*\(#*\)\s*deb\(.*\)https://|\1deb\2http://HTTPS///|w ${changes_file}" \
{} \+
;;
uninstall)
find "${@}" -type f -exec sed -i \
-e "s|URIs:\s*http://HTTPS///|URIs: https://|w ${changes_file}" \
-e "s|^\s*\(#*\)\s*deb\(.*\)http://HTTPS///|\1deb\2https://|w ${changes_file}" \
{} \+
;;
esac
elif test -e /etc/arch-release; then
## Archlinux
if test -n "${proxy_addr}"; then
if ! test -d /run/qubes/bin; then
mkdir -p /run/qubes/bin
fi
cat >/run/qubes/bin/pacman <<EOF
#!/bin/sh
exec env ALL_PROXY="${proxy_url}" /usr/bin/pacman "\$@"
EOF
chmod +x /run/qubes/bin/pacman
cat >/etc/profile.d/qubes-proxy.sh << EOF
export PATH=/run/qubes/bin:\$PATH
EOF
else
rm -f /run/qubes/bin/pacman /etc/profile.d/qubes-proxy.sh
fi
set --
for repo in \
/etc/pacman.d/mirrorlist \
/etc/pacman.d/*.conf \
/etc/pacman.d/*.conf.disabled
do
test -f "${repo}" || continue
test -r "${repo}" || continue
test -w "${repo}" || continue
set -- "${@}" "${repo}"
done
test -n "${*}" || return 0
case "${action}" in
install)
find "${@}" -type f -exec sed -i \
-e "s|Server\s*=\s*https://|Server = http://HTTPS///|w ${changes_file}" \
{} \+
;;
uninstall)
find "${@}" -type f -exec sed -i \
-e "s|Server\s*=\s*http://HTTPS///|Server = https://|w ${changes_file}" \
{} \+
;;
esac
else
## Gentoo: upstream does not have a good solution:
## https://wiki.gentoo.org/wiki/Local_distfiles_cache#Configuring_for_Gentoo
reject_os
fi
}
set_proxy_unspecific_os(){
if test -w /etc/PackageKit/PackageKit.conf; then
set_proxy_marker /etc/PackageKit/PackageKit.conf "ProxyHTTP=${proxy_url}"
fi
}
usage(){
echo "Usage: ${0##*/} [install|uninstall]"
echo "Note: autodetection occurs if not argument is specified"
exit 1
}
changes_file="$(mktemp)"
trap 'rm -f "${changes_file}"' HUP INT QUIT ABRT EXIT
if test -f /var/run/qubes-service/updates-proxy-setup ||
test -f /var/run/qubes-service/netvm-cacher
then
action="install"
else
action="uninstall"
fi
case "${1-}" in
install|uninstall) action="${1}";;
"") ;;
*) usage;;
esac
if test "$(id -u)" != "0"; then
echo "Error: Permission denied, action requires root privileges."
exit 1
fi
check_netvm_cacher
set_proxy_os
set_proxy_unspecific_os
## Stateful Salt cmd Module.
echo
if test -s "${changes_file}"; then
echo "changed=yes comment='configuration was modified'"
else
echo "changed=no comment='configuration remained untouched'"
fi
exit