Update inithook services

bin/restart-getty

@@ -0,0 +1,59 @@
+#!/bin/bash -e
+
+# This script is intended to be automatically triggered by
+# inithooks-restart-getty.service, which in turn is intended to be started
+# when inithooks.service exits (regardless of exit status)
+#
+# Assuming this script _was_ triggered by inithooks.service exit, on most
+# systems this loop should only run once. Even on low power systems it should
+# only loop 1 additional times. However to ensure that it is as robust as
+# possible, it will wait up to 10 secs for inithooks.service to stop.
+
+fatal() { echo "$*" >&2; exit 1; }
+
+if [[ "$_STARTED_BY_SYSTEMD" == yes ]]; then
+    echo "$(basename "$0") running"
+else
+    fatal "$(basename "$0") not started by systemd - exiting"
+fi
+
+getty1_services=([email protected] [email protected])
+getty_target=/etc/systemd/system/getty.target.wants
+getty1_service=
+
+for _getty1 in "${getty1_services[@]}"; do
+    _getty_target="$getty_target/$_getty1"
+    if [[ -L "$_getty_target" ]]; then
+        if [[ -f "$_getty_target" ]]; then
+            getty1_service="$_getty1"
+            echo "system getty service is '$getty1_service'"
+            break
+        fi
+    fi
+done
+if [[ -z "$getty1_service" ]]; then
+    fatal "Could not find valid getty1 service (tried ${getty1_services[*]})"
+fi
+
+for i in {10..0}; do
+    if systemctl is-active -q inithooks.service; then
+        msg="inithooks.service running"
+        if [[ $1 -gt 0 ]]; then
+            echo "$msg - waiting $i more seconds for it to stop" >&2
+        else
+            fatal "$msg - giving up..."
+        fi
+        sleep 1
+    else
+        echo "inithooks service is not running"
+        if systemctl is-active -q "$getty1_service"; then
+            echo "$getty1_service already running, nothing to do"
+        else
+            echo "starting $getty1_service"
+            if ! systemctl start ; then
+                fatal "failed to start $getty1_service"
+            fi
+        fi
+        exit 0
+    fi
+done

bin/turnkey-init-fence

@@ -0,0 +1,80 @@
+#!/bin/bash -eu
+
+# TurnKey web interface fence - blocks access to web app until system is
+# initialized (admin password configure, etc)
+
+iptables_delete_redirect() {
+    local dport=$1
+    local to_port=$2
+
+    while true; do
+        (2>&1 iptables -t nat -D PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port") > /dev/null || break
+    done
+}
+
+iptables_add_redirect() {
+    local dport=$1
+    local to_port=$2
+
+    iptables_delete_redirect "$dport" "$to_port"
+    iptables -t nat -A PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port"
+}
+
+iptables_unensure_accept() {
+    # remove ACCEPT line for fence ports (used in appliances that have a
+    # `filter` policy of `DROP`)
+    local dport=$1
+    while true; do
+        (2>&1 iptables -t filter -D INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT) > /dev/null || break
+    done
+}
+
+iptables_ensure_accept() {
+    # add ACCEPT line for fence ports (used in appliances that have a
+    # `filter` policy of `DROP`)
+    local dport=$1
+    iptables_unensure_accept "$dport"
+    iptables -t filter -A INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT
+}
+
+iptables_redirect() {
+    local op
+    local mop
+    local port
+    case "$1" in
+      start)
+          op=iptables_add_redirect
+          mop=iptables_ensure_accept
+        ;;
+      stop)
+          op=iptables_delete_redirect
+          mop=iptables_unensure_accept
+        ;;
+    esac
+
+    for port in "${HTTP_PORTS[@]}"; do
+        $op "$port" "$HTTP_FENCE_PORT"
+    done
+
+    for port in "${HTTPS_PORTS[@]}"; do
+        $op "$port" "$HTTPS_FENCE_PORT"
+    done
+
+    $mop "$HTTP_FENCE_PORT"
+    $mop "$HTTPS_FENCE_PORT"
+}
+
+case "$1" in
+    start)
+	    echo "Starting turnkey-init-fence"
+        iptables_redirect start
+	    ;;
+    stop)
+	    echo "Stopping turnkey-init-fence"
+        iptables_redirect stop
+	    ;;
+	*)
+		echo "Unknown command: $1" >&2
+        exit 1
+		;;
+esac

debian/inithooks.install

@@ -5,8 +5,8 @@ everyboot.d/*                           /usr/lib/inithooks/everyboot.d
 run                                     /usr/lib/inithooks
 rsyslog.d/*                             /etc/rsyslog.d
 
-turnkey-init-fence/turnkey-init-fence   /etc/init.d
-turnkey-init-fence/htdocs               /var/lib/inithooks/turnkey-init-fence
+turnkey-init-fence/turnkey-init-fence.service   /usr/lib/systemd/system
+turnkey-init-fence/htdocs               /usr/lib/inithooks/turnkey-init-fence
 
 turnkey-init                            /usr/sbin
 turnkey-sudoadmin                       /usr/sbin

default/turnkey-init-fence

@@ -1,6 +1,6 @@
-WEBROOT=/var/lib/inithooks/turnkey-init-fence/htdocs
-HTTP_PORTS=80
-HTTPS_PORTS="443 12321 12320"
+WEBROOT=/usr/lib/inithooks/turnkey-init-fence/htdocs
+HTTP_PORTS=(80)
+HTTPS_PORTS=(443 12321 12322)
 
 RUNAS=nobody
 

systemd/system/inithooks-restart-getty.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Restart getty1 - triggered when inithooks.service exits
+
+[Service]
+Type=exec
+Environment="_STARTED_BY_SYSTEMD=yes"
+ExecStart=/usr/lib/inithooks/bin/restart-getty

systemd/system/inithooks.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Run boot scripts and start confconsole on tty1
+# ensure inithooks only runs once per boot
+ConditionPathExists=!/run/inithooks-complete
+# kill getty service if it's running
+[email protected] [email protected]
+After=getty.target [email protected] [email protected]
+
+# (re)start getty1 if inithooks.service exits non-zero
+OnFailure=test-inithooks-restart-getty1.service
+
+[Service]
+Type=exec
+ExecStart=/usr/lib/inithooks/run
+# ensure inithooks only runs once per boot
+ExecStartPost=/usr/bin/touch /run/inithooks-complete
+# (re)start getty1 if inithooks.service exits cleanly
+ExecStopPost=/bin/systemctl start inithooks-restart-getty1.service
+
+StandardInput=tty
+StandardOutput=tty
+StandardError=journal
+TTYPath=/dev/tty1
+
+[Install]
+WantedBy=multi-user.target