Refresh Systemd config on update

Systemd units are templates: automatize their expansion on each update, to ease the current upgrade and future ones. Restart both crowdsec and bouncer services.
NethServer · Apr 4, 2024 · f8da055 · f8da055
1 parent 3d812a6
commit f8da055
Show file tree

Hide file tree

Showing 8 changed files with 53 additions and 49 deletions.
diff --git a/imageroot/actions/create-module/10initialize b/imageroot/actions/create-module/10initialize
@@ -8,41 +8,8 @@
 set -e
 exec 1>&2 # Send any output to stderr, to not alter the action response protocol
 
-install -m 644 "${AGENT_INSTALL_DIR}/crowdsec.service" "/etc/systemd/system/${MODULE_ID}.service"
+install-systemd-units
 
-# create the service to update the crowdsec hub for collections
-tmpfile=$(mktemp)
-trap "rm -f \${tmpfile}" EXIT
-cat <<EOF >${tmpfile}
-[Unit]
-Description=Update the crowdsec HUB
-Requisite=${MODULE_ID}.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/podman exec -i ${MODULE_ID} cscli hub update
-ExecStart=/usr/bin/podman exec -i ${MODULE_ID} cscli hub upgrade
-SyslogIdentifier=%N
-EOF
-install -v -m 644 "${tmpfile}" /etc/systemd/system/${MODULE_ID}-upgrade-hub.service
-
-# create the timer to update the crowdsec hub for collections
-tmpfile=$(mktemp)
-trap "rm -f \${tmpfile}" EXIT
-cat <<EOF >${tmpfile}
-[Unit]
-Description=Timer of crowdsec hub update
-
-[Timer]
-OnActiveSec=15 minutes
-OnUnitInactiveSec=15 days
-
-[Install]
-WantedBy=timers.target
-EOF
-install -v -m 644 "${tmpfile}" /etc/systemd/system/${MODULE_ID}-upgrade-hub.timer
-
-systemctl daemon-reload
 systemctl enable --now "${MODULE_ID}.service"
 systemctl enable --now "${MODULE_ID}-upgrade-hub.timer"
 

diff --git a/imageroot/actions/create-module/50start-bouncer b/imageroot/actions/create-module/50start-bouncer
@@ -8,13 +8,6 @@
 set -e
 exec 1>&2 # Send any output to stderr, to not alter the action response protocol
 
-tmpfile=$(mktemp)
-trap "rm -f \${tmpfile}" EXIT
-envsubst >${tmpfile} <"${AGENT_INSTALL_DIR}/crowdsec-firewall-bouncer.service"
-install -m 644 "${tmpfile}" "/etc/systemd/system/${MODULE_ID}-firewall-bouncer.service"
-# reload and start service
-systemctl daemon-reload
-
 # API server could be slow to start:
 # ignore  bouncer connect error if it fails to start on first run
 systemctl enable --now ${MODULE_ID}-firewall-bouncer.service
diff --git a/imageroot/bin/install-systemd-units b/imageroot/bin/install-systemd-units
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2022 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+# install the main controller service
+install -m 644 "${AGENT_INSTALL_DIR}/crowdsec.service" "/etc/systemd/system/${MODULE_ID}.service"
+
+# install the firewall bouncer service
+envsubst <"${AGENT_INSTALL_DIR}/crowdsec-firewall-bouncer.service" >"/etc/systemd/system/${MODULE_ID}-firewall-bouncer.service"
+
+# create the service to update the crowdsec hub for collections
+envsubst <"${AGENT_INSTALL_DIR}/crowdsec-upgrade-hub.service" >"/etc/systemd/system/${MODULE_ID}-upgrade-hub.service"
+
+# create the timer to update the crowdsec hub for collections
+envsubst <"${AGENT_INSTALL_DIR}/crowdsec-upgrade-hub.timer" >"/etc/systemd/system/${MODULE_ID}-upgrade-hub.timer"
+
+# reload and start service
+systemctl daemon-reload
diff --git a/imageroot/crowdsec-upgrade-hub.service b/imageroot/crowdsec-upgrade-hub.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Update the crowdsec HUB
+Requisite=${MODULE_ID}.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/podman exec -i ${MODULE_ID} cscli hub update
+ExecStart=/usr/bin/podman exec -i ${MODULE_ID} cscli hub upgrade
+SyslogIdentifier=%N
diff --git a/imageroot/crowdsec-upgrade-hub.timer b/imageroot/crowdsec-upgrade-hub.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Timer of crowdsec hub update
+
+[Timer]
+OnActiveSec=15 minutes
+OnUnitInactiveSec=15 days
+
+[Install]
+WantedBy=timers.target
diff --git a/imageroot/update-module.d/10install_systemd_units b/imageroot/update-module.d/10install_systemd_units
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2022 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+install-systemd-units
diff --git a/...te-module.d/10update-bouncer-to-container → imageroot/update-module.d/15fix_6900 b/...te-module.d/10update-bouncer-to-container → imageroot/update-module.d/15fix_6900
@@ -1,4 +1,5 @@
 #!/bin/bash
+
 #
 # Copyright (C) 2024 Nethesis S.r.l.
 # SPDX-License-Identifier: GPL-3.0-or-later
@@ -7,10 +8,8 @@
 # Needed to upgrade from crowdsec:1.0.6
 
 if systemctl is-active -q crowdsec-firewall-bouncer.service; then
-    # stop the bouncer
-    echo "Stop the crowdsec bouncer and disable it, removal of firewalld rules and bouncer binary can be done manually"
+    echo "Uninstall the old crowdsec binary bouncer"
+    echo "Check the app README for manual clean up instructions"
     systemctl disable --now crowdsec-firewall-bouncer.service
-    # start the bouncer
-    echo "Enable and start the systemd service of the crowdsec bouncer container"
-    ../actions/create-module/50start-bouncer
+    systemctl enable --now "${MODULE_ID}-firewall-bouncer.service"
 fi
diff --git a/imageroot/update-module.d/20restart b/imageroot/update-module.d/20restart
@@ -7,7 +7,5 @@
 
 set -e
 
-exec 1>&2 # Send any output to stderr, to not alter the action response protocol
-
 # we need to start again to expand configuration
-systemctl restart "${MODULE_ID}.service"
+systemctl try-restart "${MODULE_ID}.service" "${MODULE_ID}-firewall-bouncer.service"