* [git.ipfire.org] IPFire 2.x development tree branch, master, updated. de5896985ccb3c9c732315ddd17106e5c4b1bafe
From: Michael Tremer @ 2022-06-01 9:38 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via de5896985ccb3c9c732315ddd17106e5c4b1bafe (commit)
via 4f4b7fbc13d3fcc50d0acc93ae20ecef7c4466dc (commit)
via 71d53192d37db0d86a9dc04b11aa40016ba09b47 (commit)
via 69aac83da960bc89783aa8dc5373b907cccc60f8 (commit)
via 8077bacb826bb336d98d90c628ad8fece098dc16 (commit)
via b630a9a8a8dab5e558c0929191ee25da2e9d5068 (commit)
via 1c1d9fd7bfdf5495069c3119982753a9ddc5fe24 (commit)
from bbd4767fcf3086800e96aa449c6fa526ad662288 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit de5896985ccb3c9c732315ddd17106e5c4b1bafe
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue May 31 17:21:54 2022 +0000

    intel-microcode: Update rootfile

    Reported-by: Jon Murphy <jcmurphy26(a)gmail.com>
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 4f4b7fbc13d3fcc50d0acc93ae20ecef7c4466dc
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon May 30 20:00:53 2022 +0000

    Update contributor list

    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 71d53192d37db0d86a9dc04b11aa40016ba09b47
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu May 19 08:56:34 2022 +0000

    core168: Add script to automatically repair MDRAID arrays

    Please see the header of the script for more details.

    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 69aac83da960bc89783aa8dc5373b907cccc60f8
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu May 19 08:56:33 2022 +0000

    core168: Add rd.auto to kernel command line

    This parameter will enable dracut to automatically launch any MDRAID
    arrays at boot time.

    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 8077bacb826bb336d98d90c628ad8fece098dc16
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Wed May 18 17:49:00 2022 +0000

    strongSwan: Bring back firewall rules for permitting IP-in-IP, ESP and AH traffic

    Fixes: #12866

    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit b630a9a8a8dab5e558c0929191ee25da2e9d5068
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Wed May 18 17:42:24 2022 +0000

    Core Update 168: fcrontab != crontab

    Silly me.

    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 1c1d9fd7bfdf5495069c3119982753a9ddc5fe24
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon May 16 14:48:14 2022 +0000

    dracut: Enable automatic assembly of any RAID/LVM devices

    This has changed in dracut 24 and we have used various hacks to enable
    this behaviour again when it would have been so easy to just enable this
    parameter.

    Fixes: #12862 - Upgrade from Core 166 to 167 does not use RAID anymore

    Reported-by: Dirk Sihling <dsihling(a)web.de>
    Reported-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

-----------------------------------------------------------------------
Summary of changes:
config/grub2/default | 2 +-
config/rootfiles/common/aarch64/stage2 | 1 +
config/rootfiles/common/armv6l/stage2 | 1 +
config/rootfiles/common/x86_64/intel-microcode | 6 +
config/rootfiles/common/x86_64/stage2 | 1 +
config/rootfiles/core/168/filelists/files | 1 -
config/rootfiles/core/168/update.sh | 7 +
html/cgi-bin/credits.cgi | 2 +-
src/patches/strongswan-ipfire.patch | 54 ++++++--
src/scripts/repair-mdraid | 169 +++++++++++++++++++++++++
10 files changed, 227 insertions(+), 17 deletions(-)
create mode 100644 src/scripts/repair-mdraid
Difference in files:
diff --git a/config/grub2/default b/config/grub2/default
index c1b78237e..127d33445 100644
--- a/config/grub2/default
+++ b/config/grub2/default
@@ -1,6 +1,6 @@
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
-GRUB_CMDLINE_LINUX="panic=10"
+GRUB_CMDLINE_LINUX="rd.auto panic=10"
GRUB_DISABLE_RECOVERY="true"
GRUB_BACKGROUND="/boot/grub/splash.png"
diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2
index 352c704d4..e328a4526 100644
--- a/config/rootfiles/common/aarch64/stage2
+++ b/config/rootfiles/common/aarch64/stage2
@@ -99,6 +99,7 @@ usr/local/bin/ipsec-interfaces
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
+usr/local/bin/repair-mdraid
usr/local/bin/run-parts
usr/local/bin/scanhd
usr/local/bin/settime
diff --git a/config/rootfiles/common/armv6l/stage2 b/config/rootfiles/common/armv6l/stage2
index 198461a01..2bd00d968 100644
--- a/config/rootfiles/common/armv6l/stage2
+++ b/config/rootfiles/common/armv6l/stage2
@@ -97,6 +97,7 @@ usr/local/bin/ipsec-interfaces
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
+usr/local/bin/repair-mdraid
usr/local/bin/run-parts
usr/local/bin/scanhd
usr/local/bin/settime
diff --git a/config/rootfiles/common/x86_64/intel-microcode b/config/rootfiles/common/x86_64/intel-microcode
index 068cc36d3..568e9d481 100644
--- a/config/rootfiles/common/x86_64/intel-microcode
+++ b/config/rootfiles/common/x86_64/intel-microcode
@@ -95,6 +95,10 @@ lib/firmware/intel-ucode/06-8e-0a
lib/firmware/intel-ucode/06-8e-0b
lib/firmware/intel-ucode/06-8e-0c
lib/firmware/intel-ucode/06-96-01
+lib/firmware/intel-ucode/06-97-02
+lib/firmware/intel-ucode/06-97-05
+lib/firmware/intel-ucode/06-9a-03
+lib/firmware/intel-ucode/06-9a-04
lib/firmware/intel-ucode/06-9c-00
lib/firmware/intel-ucode/06-9e-09
lib/firmware/intel-ucode/06-9e-0a
@@ -107,6 +111,8 @@ lib/firmware/intel-ucode/06-a5-05
lib/firmware/intel-ucode/06-a6-00
lib/firmware/intel-ucode/06-a6-01
lib/firmware/intel-ucode/06-a7-01
+lib/firmware/intel-ucode/06-bf-02
+lib/firmware/intel-ucode/06-bf-05
lib/firmware/intel-ucode/0f-00-07
lib/firmware/intel-ucode/0f-00-0a
lib/firmware/intel-ucode/0f-01-02
diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2
index b03a7fecf..586b88e3d 100644
--- a/config/rootfiles/common/x86_64/stage2
+++ b/config/rootfiles/common/x86_64/stage2
@@ -99,6 +99,7 @@ usr/local/bin/ipsec-interfaces
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
+usr/local/bin/repair-mdraid
usr/local/bin/run-parts
usr/local/bin/scanhd
usr/local/bin/settime
diff --git a/config/rootfiles/core/168/filelists/files b/config/rootfiles/core/168/filelists/files
index 159d43d86..5f5e172df 100644
--- a/config/rootfiles/core/168/filelists/files
+++ b/config/rootfiles/core/168/filelists/files
@@ -391,7 +391,6 @@ lib/firmware/rtw88/rtw8821c_fw.bin
lib/firmware/rtw88/rtw8822c_fw.bin
lib/firmware/rtw89/rtw8852a_fw.bin
lib/firmware/wfx/wfm_wf200_C0.sec
-usr/bin/fcrontab
usr/lib/firewall/rules.pl
usr/local/bin/update-ids-ruleset
usr/sbin/convert-ids-backend-files
diff --git a/config/rootfiles/core/168/update.sh b/config/rootfiles/core/168/update.sh
index e11e08b7f..84dec941c 100644
--- a/config/rootfiles/core/168/update.sh
+++ b/config/rootfiles/core/168/update.sh
@@ -120,6 +120,13 @@ case "$(uname -m)" in
;;
esac
+# Add rd.auto to kernel command line
+if ! grep -q rd.auto /etc/default/grub; then
+ sed -e "s/panic=10/& rd.auto/" -i /etc/default/grub
+fi
+
+# Repair any broken MDRAID arrays
+/usr/local/bin/repair-mdraid
# Start services
/etc/init.d/fcron restart
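Review bot: The sed expression in the added rd.auto block only takes effect when /etc/default/grub still contains the literal panic=10, so a system with a customised GRUB_CMDLINE_LINUX is silently left without the parameter; match on the GRUB_CMDLINE_LINUX= line itself instead of on panic=10. The grep pattern rd.auto is an unanchored regular expression in which the dot matches any character, so grep -qF (or a word match) would be more exact. Nothing in this hunk regenerates the GRUB configuration after the edit, so confirm that another step of update.sh does. /usr/local/bin/repair-mdraid erases RAID superblocks and partition tables, yet it is run here unconditionally and its exit status is ignored; log a failure at least. The script is also added with mode 100644, so the packaging step has to set the executable bit for this direct call to work.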
diff --git a/html/cgi-bin/credits.cgi b/html/cgi-bin/credits.cgi
index 26cbc4f6d..bfb792540 100644
--- a/html/cgi-bin/credits.cgi
+++ b/html/cgi-bin/credits.cgi
@@ -73,8 +73,8 @@ Jan Paul Tücking,
Jonatan Schlag,
Dirk Wagner,
Marcel Lorenz,
-Alf Høgemark,
Leo-Andres Hofmann,
+Alf Høgemark,
Ben Schweikert,
Daniel Weismüller,
Peter Pfeiffer,
diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index 0f2be7483..d8e35cd52 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -1,13 +1,13 @@
-commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027
-Author: Michael Tremer <michael.tremer(a)ipfire.org>
-Date: Mon Mar 21 19:49:02 2022 +0000
+commit b439f74361d393bcb85109b6c41a905cf613a296
+Author: Peter Müller <peter.mueller(a)ipfire.org>
+Date: Wed May 18 17:46:57 2022 +0000
IPFire modifications to _updown script
- Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
+ Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
-index 34eaf68c7..514ecb578 100644
+index 34eaf68c7..9ed387a0a 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -242,10 +242,10 @@ up-host:iptables)
@@ -98,7 +98,7 @@ index 34eaf68c7..514ecb578 100644
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
fi
#
-@@ -342,10 +324,10 @@ up-client:iptables)
+@@ -342,47 +324,37 @@ up-client:iptables)
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
@@ -110,8 +110,20 @@ index 34eaf68c7..514ecb578 100644
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
fi
++
++ # Open Firewall for IPinIP + AH + ESP Traffic
++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++
;;
-@@ -353,36 +335,14 @@ down-client:iptables)
+ down-client:iptables)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
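Review bot: The three ACCEPT rules inserted under "Open Firewall for IPinIP + AH + ESP Traffic" pass $S_PEER_PORT and $D_MY_PORT to -p IPIP, -p AH and -p ESP, protocols that carry no port numbers; if those variables ever expand to port match options, iptables will reject the rule and the connection comes up without the exception. Drop both variables from these rules and quote $PLUTO_INTERFACE, $PLUTO_PEER and $PLUTO_ME. The return status of the iptables calls is not checked, so a failed insert is invisible; a logger -t $TAG line on failure, like the one already used in this branch, would make that diagnosable.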
@@ -149,7 +161,7 @@ index 34eaf68c7..514ecb578 100644
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
fi
#
-@@ -392,10 +352,10 @@ down-client:iptables)
+@@ -392,12 +364,24 @@ down-client:iptables)
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
@@ -161,8 +173,22 @@ index 34eaf68c7..514ecb578 100644
+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
fi
++
++ # Close Firewall for IPinIP + AH + ESP Traffic
++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++
;;
-@@ -422,10 +382,10 @@ up-host-v6:iptables)
+ #
+ # IPv6
+@@ -422,10 +406,10 @@ up-host-v6:iptables)
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
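Review bot: The -D rules under "Close Firewall for IPinIP + AH + ESP Traffic" must repeat the rule specification of the matching -I rules exactly, and that specification is now written out by hand in six iptables calls; a later change to one side only would leave stale ACCEPT entries in IPSECINPUT. Move the specification into one helper that takes the action (-I ... 1 or -D) and the protocol as arguments. $S_PEER_PORT and $D_MY_PORT are passed here to protocols that have no ports, so they should be removed from the insert and delete sides together. A delete that fails because the rule was never inserted is also not handled or logged.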
@@ -175,7 +201,7 @@ index 34eaf68c7..514ecb578 100644
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
-@@ -454,10 +414,10 @@ down-host-v6:iptables)
+@@ -454,10 +438,10 @@ down-host-v6:iptables)
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -188,7 +214,7 @@ index 34eaf68c7..514ecb578 100644
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
-@@ -487,10 +447,10 @@ up-client-v6:iptables)
+@@ -487,10 +471,10 @@ up-client-v6:iptables)
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
@@ -201,7 +227,7 @@ index 34eaf68c7..514ecb578 100644
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
fi
-@@ -499,10 +459,10 @@ up-client-v6:iptables)
+@@ -499,10 +483,10 @@ up-client-v6:iptables)
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
@@ -214,7 +240,7 @@ index 34eaf68c7..514ecb578 100644
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
-@@ -535,11 +495,11 @@ down-client-v6:iptables)
+@@ -535,11 +519,11 @@ down-client-v6:iptables)
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
@@ -228,7 +254,7 @@ index 34eaf68c7..514ecb578 100644
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
$IPSEC_POLICY_IN -j ACCEPT
-@@ -549,11 +509,11 @@ down-client-v6:iptables)
+@@ -549,11 +533,11 @@ down-client-v6:iptables)
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
diff --git a/src/scripts/repair-mdraid b/src/scripts/repair-mdraid
new file mode 100644
index 000000000..a622ff71d
--- /dev/null
+++ b/src/scripts/repair-mdraid
@@ -0,0 +1,169 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2022 IPFire Team <info(a)ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+#
+# This script is supposed to repair any broken RAID installations
+# where the system has been booted from only one of the RAID devices
+# without the software RAID being activated first.
+#
+# This script does as follows:
+#
+# * It tries to find an inactive RAID called "ipfire:0"
+# * It will then destroy any devices that are still part of this RAID.
+# This is required because if the RAID is being assembled correctly,
+# data from the disk that has NOT been mounted will be replicated
+# back to the device that has been changed. That causes that any
+# data that has been written to the mounted disk will be lost.
+# To avoid this, we will partially destroy the RAID.
+# * We will then erase any partition tables and destroy any filesystems
+# on the devices so that they do not get accidentially mounted again.
+# * The system will then need to be rebooted where the RAID will be
+# mounted again in a degraded state which might take some extra
+# time at boot (the system stands still for about a minute).
+# * After the system has been booted up correctly, we will re-add
+# the devices back to the RAID which will resync and the system
+# will be back to its intended configuration.
+
+find_inactive_raid() {
+ local status
+ local device
+ local arg
+ local args
+
+ while read -r status device args; do
+ if [ "${status}" = "INACTIVE-ARRAY" ]; then
+ for arg in ${args}; do
+ case "${arg}" in
+ name=ipfire:0)
+ echo "${device}"
+ return 0
+ ;;
+ esac
+ done
+ fi
+ done <<< "$(mdadm --detail --scan)"
+
+ return 1
+}
+
+find_root() {
+ local device
+ local mp
+ local fs
+ local args
+
+ while read -r device mp fs args; do
+ if [ "${mp}" = "/" ]; then
+ echo "${device:0:-1}"
+ return 0
+ fi
+ done < /proc/mounts
+
+ return 1
+}
+
+find_raid_devices() {
+ local raid="${1}"
+
+ local IFS=,
+
+ local device
+ for device in $(mdadm -v --detail --scan "${raid}" | awk -F= '/^[ ]+devices/ { print $2 }'); do
+ echo "${device}"
+ done
+
+ return 0
+}
+
+destroy_everything() {
+ local device="${1}"
+ local part
+
+ # Destroy the RAID superblock
+ mdadm --zero-superblock "${device}"
+
+ # Wipe the partition table
+ wipefs -a "${device}"
+
+ # Wipe any partition signatures
+ for part in ${device}*; do
+ wipefs -a "${part}"
+ done
+}
+
+raid_rebuild() {
+ local devices=( "$@" )
+
+ cat > /etc/rc.d/rcsysinit.d/S99fix-raid <<EOF
+#!/bin/bash
+
+case "\${1}" in
+ start)
+ if [ -e "/dev/md/ipfire:0" ]; then
+ for device in ${devices[@]}; do
+ mdadm --add "/dev/md/ipfire:0" "\${device}"
+ done
+
+ # Delete this script
+ rm "\${0}"
+ fi
+ ;;
+esac
+EOF
+
+ chmod a+x /etc/rc.d/rcsysinit.d/S99fix-raid
+}
+
+main() {
+ local raid="$(find_inactive_raid)"
+
+ # Nothing to do if no RAID device found
+ if [ -z "${raid}" ]; then
+ return 0
+ fi
+
+ echo "Fixing RAID ${raid}..."
+
+ local root="$(find_root)"
+
+ # Finding any devices in this RAID
+ local devices=(
+ $(find_raid_devices "${raid}")
+ )
+
+ # Stop the RAID
+ mdadm --stop "${raid}" &>/dev/null
+
+ # Destroy any useful data on all remaining RAID devices
+ local device
+ for device in ${devices[@]}; do
+ # Skip root
+ [ "${device}" = "${root}" ] && continue
+
+ destroy_everything "${device}"
+ done &>/dev/null
+
+ # Re-add devices to the RAID
+ raid_rebuild "${device}"
+
+ return 0
+}
+
+main "$@" || return $?
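Review bot: In main(), raid_rebuild is called with "${device}", the loop variable left over from the wipe loop, so only the last member of the array is scheduled for re-adding, and when that last member is the root disk it is the skipped device that gets passed on. Collect the devices that were actually wiped into an array inside the loop and pass that array. The final line, main "$@" || return $?, uses return at the top level of a script that update.sh executes rather than sources, which bash rejects; use exit. find_root cuts a single character with ${device:0:-1}, which yields the wrong disk name for partition numbers of 10 and above and for names such as nvme0n1p4, and it accepts the first / entry in /proc/mounts whatever its source is. In destroy_everything the glob ${device}* is unquoted and matches the device itself as well as longer names sharing the prefix (sda* also matches sdaa). The wipe loop sends all output to /dev/null and main always returns 0, so a failed mdadm or wipefs is never reported, which matters for a script that erases superblocks and partition tables during an unattended update. The header comment has a typo: accidentially.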
hooks/post-receive
--
IPFire 2.x development tree