This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
  via de5896985ccb3c9c732315ddd17106e5c4b1bafe (commit)
  via 4f4b7fbc13d3fcc50d0acc93ae20ecef7c4466dc (commit)
  via 71d53192d37db0d86a9dc04b11aa40016ba09b47 (commit)
  via 69aac83da960bc89783aa8dc5373b907cccc60f8 (commit)
  via 8077bacb826bb336d98d90c628ad8fece098dc16 (commit)
  via b630a9a8a8dab5e558c0929191ee25da2e9d5068 (commit)
  via 1c1d9fd7bfdf5495069c3119982753a9ddc5fe24 (commit)
  from bbd4767fcf3086800e96aa449c6fa526ad662288 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit de5896985ccb3c9c732315ddd17106e5c4b1bafe
Author: Peter Müller peter.mueller@ipfire.org
Date: Tue May 31 17:21:54 2022 +0000
intel-microcode: Update rootfile
Reported-by: Jon Murphy jcmurphy26@gmail.com
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 4f4b7fbc13d3fcc50d0acc93ae20ecef7c4466dc
Author: Peter Müller peter.mueller@ipfire.org
Date: Mon May 30 20:00:53 2022 +0000
Update contributor list
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 71d53192d37db0d86a9dc04b11aa40016ba09b47
Author: Michael Tremer michael.tremer@ipfire.org
Date: Thu May 19 08:56:34 2022 +0000
core168: Add script to automatically repair MDRAID arrays
Please see the header of the script for more details.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 69aac83da960bc89783aa8dc5373b907cccc60f8
Author: Michael Tremer michael.tremer@ipfire.org
Date: Thu May 19 08:56:33 2022 +0000
core168: Add rd.auto to kernel command line
This parameter will enable dracut to automatically launch any MDRAID arrays at boot time.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8077bacb826bb336d98d90c628ad8fece098dc16
Author: Peter Müller peter.mueller@ipfire.org
Date: Wed May 18 17:49:00 2022 +0000
strongSwan: Bring back firewall rules for permitting IP-in-IP, ESP and AH traffic
Fixes: #12866
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit b630a9a8a8dab5e558c0929191ee25da2e9d5068
Author: Peter Müller peter.mueller@ipfire.org
Date: Wed May 18 17:42:24 2022 +0000
Core Update 168: fcrontab != crontab
Silly me.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 1c1d9fd7bfdf5495069c3119982753a9ddc5fe24
Author: Michael Tremer michael.tremer@ipfire.org
Date: Mon May 16 14:48:14 2022 +0000
dracut: Enable automatic assembly of any RAID/LVM devices
This has changed in dracut 24 and we have used various hacks to enable this behaviour again when it would have been so easy to just enable this parameter.
Fixes: #12862 - Upgrade from Core 166 to 167 does not use RAID anymore
Reported-by: Dirk Sihling dsihling@web.de
Reported-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/grub2/default | 2 +-
 config/rootfiles/common/aarch64/stage2 | 1 +
 config/rootfiles/common/armv6l/stage2 | 1 +
 config/rootfiles/common/x86_64/intel-microcode | 6 +
 config/rootfiles/common/x86_64/stage2 | 1 +
 config/rootfiles/core/168/filelists/files | 1 -
 config/rootfiles/core/168/update.sh | 7 +
 html/cgi-bin/credits.cgi | 2 +-
 src/patches/strongswan-ipfire.patch | 54 ++++++--
 src/scripts/repair-mdraid | 169 +++++++++++++++++++++++++
 10 files changed, 227 insertions(+), 17 deletions(-)
 create mode 100644 src/scripts/repair-mdraid
Difference in files: diff --git a/config/grub2/default b/config/grub2/default index c1b78237e..127d33445 100644 --- a/config/grub2/default +++ b/config/grub2/default @@ -1,6 +1,6 @@ GRUB_TIMEOUT=5 GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)" GRUB_DEFAULT=saved -GRUB_CMDLINE_LINUX="panic=10" +GRUB_CMDLINE_LINUX="rd.auto panic=10" GRUB_DISABLE_RECOVERY="true" GRUB_BACKGROUND="/boot/grub/splash.png" diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2 index 352c704d4..e328a4526 100644 --- a/config/rootfiles/common/aarch64/stage2 +++ b/config/rootfiles/common/aarch64/stage2 @@ -99,6 +99,7 @@ usr/local/bin/ipsec-interfaces usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash +usr/local/bin/repair-mdraid usr/local/bin/run-parts usr/local/bin/scanhd usr/local/bin/settime diff --git a/config/rootfiles/common/armv6l/stage2 b/config/rootfiles/common/armv6l/stage2 index 198461a01..2bd00d968 100644 --- a/config/rootfiles/common/armv6l/stage2 +++ b/config/rootfiles/common/armv6l/stage2 @@ -97,6 +97,7 @@ usr/local/bin/ipsec-interfaces usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash +usr/local/bin/repair-mdraid usr/local/bin/run-parts usr/local/bin/scanhd usr/local/bin/settime diff --git a/config/rootfiles/common/x86_64/intel-microcode b/config/rootfiles/common/x86_64/intel-microcode index 068cc36d3..568e9d481 100644 --- a/config/rootfiles/common/x86_64/intel-microcode +++ b/config/rootfiles/common/x86_64/intel-microcode @@ -95,6 +95,10 @@ lib/firmware/intel-ucode/06-8e-0a lib/firmware/intel-ucode/06-8e-0b lib/firmware/intel-ucode/06-8e-0c lib/firmware/intel-ucode/06-96-01 +lib/firmware/intel-ucode/06-97-02 +lib/firmware/intel-ucode/06-97-05 +lib/firmware/intel-ucode/06-9a-03 +lib/firmware/intel-ucode/06-9a-04 lib/firmware/intel-ucode/06-9c-00 lib/firmware/intel-ucode/06-9e-09 lib/firmware/intel-ucode/06-9e-0a 
@@ -107,6 +111,8 @@ lib/firmware/intel-ucode/06-a5-05 lib/firmware/intel-ucode/06-a6-00 lib/firmware/intel-ucode/06-a6-01 lib/firmware/intel-ucode/06-a7-01 +lib/firmware/intel-ucode/06-bf-02 +lib/firmware/intel-ucode/06-bf-05 lib/firmware/intel-ucode/0f-00-07 lib/firmware/intel-ucode/0f-00-0a lib/firmware/intel-ucode/0f-01-02 diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2 index b03a7fecf..586b88e3d 100644 --- a/config/rootfiles/common/x86_64/stage2 +++ b/config/rootfiles/common/x86_64/stage2 @@ -99,6 +99,7 @@ usr/local/bin/ipsec-interfaces usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash +usr/local/bin/repair-mdraid usr/local/bin/run-parts usr/local/bin/scanhd usr/local/bin/settime diff --git a/config/rootfiles/core/168/filelists/files b/config/rootfiles/core/168/filelists/files index 159d43d86..5f5e172df 100644 --- a/config/rootfiles/core/168/filelists/files +++ b/config/rootfiles/core/168/filelists/files @@ -391,7 +391,6 @@ lib/firmware/rtw88/rtw8821c_fw.bin lib/firmware/rtw88/rtw8822c_fw.bin lib/firmware/rtw89/rtw8852a_fw.bin lib/firmware/wfx/wfm_wf200_C0.sec -usr/bin/fcrontab usr/lib/firewall/rules.pl usr/local/bin/update-ids-ruleset usr/sbin/convert-ids-backend-files diff --git a/config/rootfiles/core/168/update.sh b/config/rootfiles/core/168/update.sh index e11e08b7f..84dec941c 100644 --- a/config/rootfiles/core/168/update.sh +++ b/config/rootfiles/core/168/update.sh @@ -120,6 +120,13 @@ case "$(uname -m)" in ;; esac
+# Add rd.auto to kernel command line +if ! grep -q rd.auto /etc/default/grub; then + sed -e "s/panic=10/& rd.auto/" -i /etc/default/grub +fi + +# Repair any broken MDRAID arrays +/usr/local/bin/repair-mdraid
# Start services /etc/init.d/fcron restart diff --git a/html/cgi-bin/credits.cgi b/html/cgi-bin/credits.cgi index 26cbc4f6d..bfb792540 100644 --- a/html/cgi-bin/credits.cgi +++ b/html/cgi-bin/credits.cgi @@ -73,8 +73,8 @@ Jan Paul Tücking, Jonatan Schlag, Dirk Wagner, Marcel Lorenz, -Alf Høgemark, Leo-Andres Hofmann, +Alf Høgemark, Ben Schweikert, Daniel Weismüller, Peter Pfeiffer, diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch index 0f2be7483..d8e35cd52 100644 --- a/src/patches/strongswan-ipfire.patch +++ b/src/patches/strongswan-ipfire.patch @@ -1,13 +1,13 @@ -commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027 -Author: Michael Tremer michael.tremer@ipfire.org -Date: Mon Mar 21 19:49:02 2022 +0000 +commit b439f74361d393bcb85109b6c41a905cf613a296 +Author: Peter Müller peter.mueller@ipfire.org +Date: Wed May 18 17:46:57 2022 +0000
IPFire modifications to _updown script
- Signed-off-by: Michael Tremer michael.tremer@ipfire.org + Signed-off-by: Peter Müller peter.mueller@ipfire.org
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in -index 34eaf68c7..514ecb578 100644 +index 34eaf68c7..9ed387a0a 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -242,10 +242,10 @@ up-host:iptables) @@ -98,7 +98,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -342,10 +324,10 @@ up-client:iptables) +@@ -342,47 +324,37 @@ up-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -110,8 +110,20 @@ index 34eaf68c7..514ecb578 100644 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi fi ++ ++ # Open Firewall for IPinIP + AH + ESP Traffic ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ ;; -@@ -353,36 +335,14 @@ down-client:iptables) + down-client:iptables) # connection to client subnet, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -149,7 +161,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -392,10 +352,10 @@ down-client:iptables) +@@ -392,12 +364,24 @@ down-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ 
@@ -161,8 +173,22 @@ index 34eaf68c7..514ecb578 100644 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi fi ++ ++ # Close Firewall for IPinIP + AH + ESP Traffic ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ ;; -@@ -422,10 +382,10 @@ up-host-v6:iptables) + # + # IPv6 +@@ -422,10 +406,10 @@ up-host-v6:iptables) # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -175,7 +201,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -454,10 +414,10 @@ down-host-v6:iptables) +@@ -454,10 +438,10 @@ down-host-v6:iptables) # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -188,7 +214,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -487,10 +447,10 @@ up-client-v6:iptables) +@@ -487,10 +471,10 @@ up-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then 
@@ -201,7 +227,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -499,10 +459,10 @@ up-client-v6:iptables) +@@ -499,10 +483,10 @@ up-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -214,7 +240,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi -@@ -535,11 +495,11 @@ down-client-v6:iptables) +@@ -535,11 +519,11 @@ down-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -228,7 +254,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -549,11 +509,11 @@ down-client-v6:iptables) +@@ -549,11 +533,11 @@ down-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then diff --git a/src/scripts/repair-mdraid b/src/scripts/repair-mdraid new file mode 100644 index 000000000..a622ff71d --- /dev/null +++ b/src/scripts/repair-mdraid 
@@ -0,0 +1,169 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2022 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### +# +# This script is supposed to repair any broken RAID installations +# where the system has been booted from only one of the RAID devices +# without the software RAID being activated first. +# +# This script does as follows: +# +# * It tries to find an inactive RAID called "ipfire:0" +# * It will then destroy any devices that are still part of this RAID. +# This is required because if the RAID is being assembled correctly, +# data from the disk that has NOT been mounted will be replicated +# back to the device that has been changed. That causes that any +# data that has been written to the mounted disk will be lost. +# To avoid this, we will partially destroy the RAID. +# * We will then erase any partition tables and destroy any filesystems +# on the devices so that they do not get accidentially mounted again. +# * The system will then need to be rebooted where the RAID will be +# mounted again in a degraded state which might take some extra +# time at boot (the system stands still for about a minute). 
+# * After the system has been booted up correctly, we will re-add +# the devices back to the RAID which will resync and the system +# will be back to its intended configuration. + +find_inactive_raid() { + local status + local device + local arg + local args + + while read -r status device args; do + if [ "${status}" = "INACTIVE-ARRAY" ]; then + for arg in ${args}; do + case "${arg}" in + name=ipfire:0) + echo "${device}" + return 0 + ;; + esac + done + fi + done <<< "$(mdadm --detail --scan)" + + return 1 +} + +find_root() { + local device + local mp + local fs + local args + + while read -r device mp fs args; do + if [ "${mp}" = "/" ]; then + echo "${device:0:-1}" + return 0 + fi + done < /proc/mounts + + return 1 +} + +find_raid_devices() { + local raid="${1}" + + local IFS=, + + local device + for device in $(mdadm -v --detail --scan "${raid}" | awk -F= '/^[ ]+devices/ { print $2 }'); do + echo "${device}" + done + + return 0 +} + +destroy_everything() { + local device="${1}" + local part + + # Destroy the RAID superblock + mdadm --zero-superblock "${device}" + + # Wipe the partition table + wipefs -a "${device}" + + # Wipe any partition signatures + for part in ${device}*; do + wipefs -a "${part}" + done +} + +raid_rebuild() { + local devices=( "$@" ) + + cat > /etc/rc.d/rcsysinit.d/S99fix-raid <<EOF +#!/bin/bash + +case "${1}" in + start) + if [ -e "/dev/md/ipfire:0" ]; then + for device in ${devices[@]}; do + mdadm --add "/dev/md/ipfire:0" "${device}" + done + + # Delete this script + rm "${0}" + fi + ;; +esac +EOF + + chmod a+x /etc/rc.d/rcsysinit.d/S99fix-raid +} + +main() { + local raid="$(find_inactive_raid)" + + # Nothing to do if no RAID device found + if [ -z "${raid}" ]; then + return 0 + fi + + echo "Fixing RAID ${raid}..." 
+ + local root="$(find_root)" + + # Finding any devices in this RAID + local devices=( + $(find_raid_devices "${raid}") + ) + + # Stop the RAID + mdadm --stop "${raid}" &>/dev/null + + # Destroy any useful data on all remaining RAID devices + local device + for device in ${devices[@]}; do + # Skip root + [ "${device}" = "${root}" ] && continue + + destroy_everything "${device}" + done &>/dev/null + + # Re-add devices to the RAID + raid_rebuild "${device}" + + return 0 +} + +main "$@" || return $?
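Review bot: in config/rootfiles/core/168/update.sh, the sed that adds rd.auto only matches while /etc/default/grub still contains the literal panic=10, so on a system where that line was edited the substitution does nothing and the update carries on without rd.auto. Anchor the substitution on the GRUB_CMDLINE_LINUX= line itself and check afterwards that rd.auto is present. Smaller points in the same hunk: the result reads 'panic=10 rd.auto' while config/grub2/default now ships 'rd.auto panic=10'; /usr/local/bin/repair-mdraid is run unconditionally and its exit status is ignored although it wipes devices, so log the outcome; and the lines shown contain no step that regenerates the GRUB configuration after the edit, which is needed somewhere in update.sh for rd.auto to reach the boot entry.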
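Review bot: in the up-client:iptables and down-client:iptables additions of src/patches/strongswan-ipfire.patch, the new IPIP, AH and ESP rules carry $S_PEER_PORT and $D_MY_PORT. These protocols have no ports, so if either variable expands to a --sport or --dport match, iptables will reject the rule and the traffic stays blocked; drop both variables from the six rules and match on interface, protocol, source and destination only. Also worth confirming: in the lines shown the rules are added only under the client cases, with no counterpart in the host or -v6 cases.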
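Review bot: in raid_rebuild() of src/scripts/repair-mdraid, the here-document uses an unquoted EOF, so ${1}, ${0} and ${device} are expanded while S99fix-raid is being written, not when it runs. The generated case statement then compares the device path passed to raid_rebuild against start and never matches, so the devices are not re-added, and the rm line would name the repair script instead of S99fix-raid. Escape the runtime variables (\${1}, \${0}, \${device}) and leave only the device list to expand at write time. Related, in main(): raid_rebuild "${device}" passes just the last loop value, which can be the root device that was skipped; pass the list of wiped devices instead. In find_root(), ${device:0:-1} strips a single character, which does not yield the disk for names such as nvme0n1p1 or partition numbers above 9, so the 'Skip root' comparison can miss and the mounted disk is wiped with the rest. The wipe loop also sends all output to /dev/null, which hides a failed mdadm --zero-superblock or wipefs. Finally, main "$@" || return $? sits outside any function, where bash rejects return; use exit.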
hooks/post-receive -- IPFire 2.x development tree