amce: use procd to restart services
authorGlen Huang <i@glenhuang.com>
Sat, 22 Oct 2022 14:17:08 +0000 (22:17 +0800)
committerGlen Huang <i@glenhuang.com>
Mon, 24 Oct 2022 02:07:06 +0000 (10:07 +0800)
Directly calling `/etc/init.d/<service> reload` in a hotplug script can
inadvertently start a stopped service.

Signed-off-by: Glen Huang <i@glenhuang.com>
net/acme-acmesh/files/hook.sh
net/acme-common/Makefile
net/acme-common/files/acme-notify.sh [new file with mode: 0644]
net/haproxy/files/acme.hotplug
net/haproxy/files/haproxy.init
net/nginx/Makefile
net/nginx/files/acme.hotplug [deleted file]
net/nginx/files/nginx.init

index cd92cec9d63308ff719f90fd5e005092f708aaa9..bbe23b4a1fcc5ac9dffb1c225ad7e851079635c8 100644 (file)
@@ -4,6 +4,7 @@ ACME=/usr/lib/acme/client/acme.sh
 LOG_TAG=acme-acmesh
 # webroot option deprecated, use the hardcoded value directly in the next major version
 WEBROOT=${webroot:-/var/run/acme/challenge}
+NOTIFY=/usr/lib/acme/notify
 
 # shellcheck source=net/acme/files/functions.sh
 . /usr/lib/acme/functions.sh
@@ -12,9 +13,7 @@ WEBROOT=${webroot:-/var/run/acme/challenge}
 export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 export NO_TIMESTAMP=1
 
-cmd="$1"
-
-case $cmd in
+case $1 in
 get)
        set --
        [ "$debug" = 1 ] && set -- "$@" --debug
@@ -38,20 +37,25 @@ get)
                        staging_moved=1
                else
                        set -- "$@" --renew --home "$state_dir" -d "$main_domain"
-                       log info "$*"
-                       trap 'ACTION=renewed-failed hotplug-call acme;exit 1' INT
-                       "$ACME" "$@"
+                       log info "$ACME $*"
+                       trap '$NOTIFY renew-failed;exit 1' INT
+                       $ACME "$@"
                        status=$?
                        trap - INT
 
                        case $status in
-                       0) ;; # renewed ok, handled by acme.sh hook, ignore.
-                       2) ;; # renew skipped, ignore.
+                       0)
+                               $NOTIFY renewed
+                               exit;;
+                       2)
+                               # renew skipped, ignore.
+                               exit
+                               ;;
                        *)
-                               ACTION=renew-failed hotplug-call acme
+                               $NOTIFY renew-failed
+                               exit 1
                                ;;
                        esac
-                       return 0
                fi
        fi
 
@@ -92,11 +96,11 @@ get)
 
        set -- "$@" --issue --home "$state_dir"
 
-       log info "$*"
-       trap 'ACTION=issue-failed hotplug-call acme;exit 1' INT
+       log info "$ACME $*"
+       trap '$NOTIFY issue-failed;exit 1' INT
        "$ACME" "$@" \
-               --pre-hook 'ACTION=prepare hotplug-call acme' \
-               --renew-hook 'ACTION=renewed hotplug-call acme'
+               --pre-hook "$NOTIFY prepare" \
+               --renew-hook "$NOTIFY renewed"
        status=$?
        trap - INT
 
@@ -106,7 +110,7 @@ get)
                ln -s "$domain_dir/$main_domain.key" /etc/ssl/acme
                ln -s "$domain_dir/fullchain.cer" "/etc/ssl/acme/$main_domain.fullchain.cer"
                ln -s "$domain_dir/ca.cer" "/etc/ssl/acme/$main_domain.chain.cer"
-               ACTION=issued hotplug-call acme
+               $NOTIFY issued
                ;;
        *)
                if [ "$staging_moved" = 1 ]; then
@@ -117,8 +121,7 @@ get)
                        mv "$domain_dir" "$failed_dir"
                        log err "State moved to $failed_dir"
                fi
-               ACTION=issue-failed hotplug-call acme
-               return 0
+               $NOTIFY issue-failed
                ;;
        esac
        ;;
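Review bot: In the renew-ok arm (`0)` at the third hunk, the bare `exit` after `$NOTIFY renewed` returns whatever status the notify script produced, so a failing hotplug handler or ubus call would make hook.sh report a successful renewal as a failure, while the failure arms pin their status with `exit 1`; `exit 0` there (and for symmetry in the `2)` arm) would make the intent explicit. The same hunk also drops the quotes around the binary, `$ACME "$@"`, whereas the issue path below keeps `"$ACME" "$@"`; keeping the quoted form in both places avoids word-splitting on an ACME path containing spaces. Both points sit inside the `get)` arm of `case $1 in`, which opens in an earlier hunk and closes at this hunk's final `;;`.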
index 997c31e31336d0b539b431dc8996820a5a5bd404..a279641c2223442262728102f9f87f623e64091f 100644 (file)
@@ -41,10 +41,12 @@ define Package/acme-common/install
        $(INSTALL_BIN) ./files/acme.sh $(1)/usr/bin/acme
        $(INSTALL_DIR) $(1)/usr/lib/acme
        $(INSTALL_DATA) ./files/functions.sh $(1)/usr/lib/acme
+       $(INSTALL_BIN) ./files/acme-notify.sh $(1)/usr/lib/acme/notify
        $(INSTALL_DIR) $(1)/etc/init.d
        $(INSTALL_BIN) ./files/acme.init $(1)/etc/init.d/acme
        $(INSTALL_DIR) $(1)/etc/uci-defaults
        $(INSTALL_DATA) ./files/acme.uci-defaults $(1)/etc/uci-defaults/acme
+       $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
 endef
 
 define Package/acme/postinst
diff --git a/net/acme-common/files/acme-notify.sh b/net/acme-common/files/acme-notify.sh
new file mode 100644 (file)
index 0000000..4f06f94
--- /dev/null
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -u
+
+event="$1"
+
+# Call hotplug first, giving scripts a chance to modify certificates before
+# reloadaing the services
+ACTION=$event hotplug-call acme
+
+case $event in
+renewed)
+    ubus call service event '{"type":"acme.renew","data":{}}'
+    ;;
+issued)
+    ubus call service event '{"type":"acme.issue","data":{}}'
+    ;;
+esac
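Review bot: The comment above the hotplug call has a typo, "reloadaing"; it should read `# Call hotplug first, giving scripts a chance to modify certificates before` / `# reloading the services`. With `set -u` a missing argument aborts on `event="$1"` with a shell diagnostic rather than a usage message, and any string is forwarded to `hotplug-call` as ACTION; a one-line guard such as `[ $# -eq 1 ] || { echo "usage: $0 <event>" >&2; exit 1; }` before the assignment would document the contract. Note also that the script's exit status is that of its last command, which appears to be `ubus call` for renewed/issued and `hotplug-call` otherwise; if callers rely on it, an explicit `exit 0` at the end would make that deliberate.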
index 5a4dc5cdd37eda51d2aeef2cad338fa77f2a5b3c..726d2b216b434d590a8135a5157ba9648ab6d868 100644 (file)
@@ -6,7 +6,3 @@ issued|renewed)
                >"/etc/ssl/acme/$main_domain.combined.cer"
        ;;
 esac
-
-if [ "$ACTION" = renewed ]; then
-       /etc/init.d/haproxy reload
-fi
index 01d80d781b31495647904518e7072b487f1d937a..51c0ebb659c994d373d685ddc6531f9a9bbd9bba 100644 (file)
@@ -18,6 +18,10 @@ start_service() {
        procd_close_instance
 }
 
+service_triggers() {
+       procd_add_raw_trigger acme.renew 5000 /etc/init.d/haproxy reload
+}
+
 extra_command "check" "Check haproxy config"
 check() {
        $HAPROXY_BIN -c -q -V -f $HAPROXY_CONFIG
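Review bot: The new `service_triggers` registers `procd_add_raw_trigger acme.renew 5000 ...` with an unexplained literal; a one-line comment above it would tell the next reader where the event comes from and what the number means, e.g. `# acme.renew is raised by /usr/lib/acme/notify after a renewal; 5000 is the procd trigger timeout in ms (presumably the delay before the reload runs — confirm against procd.sh)`. The identical trigger is added to nginx.init in the last section of this commit and would benefit from the same comment. Since only `acme.renew` is subscribed, a first `issued` event does not reload the service, matching the deleted hotplug scripts' `renewed`-only check; worth stating in the comment so it is not mistaken for an omission. Whether haproxy's init script already defines a `service_triggers` function elsewhere cannot be seen from this hunk.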
index 41436aa39676a5c150514c566cab7ebab974b273..0cb8c65b0e261852e569f5a9543e2b5db5561540 100644 (file)
@@ -376,9 +376,6 @@ ifeq ($(CONFIG_NGINX_NAXSI),y)
 endif
        $(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx))
        $(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules))
-
-       $(INSTALL_DIR) $(1)/etc/hotplug.d/acme
-       $(INSTALL_DATA) ./files/acme.hotplug $(1)/etc/hotplug.d/acme/00-nginx
 endef
 
 Package/nginx-all-module/install = $(Package/nginx-ssl/install)
diff --git a/net/nginx/files/acme.hotplug b/net/nginx/files/acme.hotplug
deleted file mode 100644 (file)
index 74f1448..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-if [ "$ACTION" = renewed ]; then
-       /etc/init.d/nginx reload
-fi
index 300a8c657f15a2473a7a2fa5434e0a27237b7c09..632a3f10a7ec6e7cce12f04948c16517795c4190 100644 (file)
@@ -66,6 +66,11 @@ reload_service() {
 }
 
 
+service_triggers() {
+       procd_add_raw_trigger acme.renew 5000 /etc/init.d/nginx reload
+}
+
+
 extra_command "relog" "Reopen log files (without reloading)"
 relog() {
        [ -d /var/log/nginx ] || mkdir -p /var/log/nginx