#!/bin/bash ############################################################################ # # # This file is part of the IPFire Firewall. # # # # IPFire is free software; you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation; either version 3 of the License, or # # (at your option) any later version. # # # # IPFire is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # # Copyright (C) 2014 IPFire-Team . # # # ############################################################################ # . /opt/pakfire/lib/functions.sh /usr/local/bin/backupctrl exclude >/dev/null 2>&1 function add_to_backup () { # Add path to ROOTFILES but remove old entries to prevent double # files in the tar grep -v "^$1" /opt/pakfire/tmp/ROOTFILES > /opt/pakfire/tmp/ROOTFILES.tmp mv /opt/pakfire/tmp/ROOTFILES.tmp /opt/pakfire/tmp/ROOTFILES echo $1 >> /opt/pakfire/tmp/ROOTFILES } # # Remove old core updates from pakfire cache to save space... core=77 for (( i=1; i<=${core}; i++ )) do rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire done # # Do some sanity checks. case $(uname -r) in *-ipfire-versatile ) /usr/bin/logger -p syslog.emerg -t ipfire \ "core-update-${core}: ERROR cannot update. versatile support is dropped." # Report no error to pakfire. So it does not try to install it again. exit 0 ;; *-ipfire-xen ) BOOTSIZE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f2 | tail -n 1` if [ $BOOTSIZE -lt 28000 ]; then /usr/bin/logger -p syslog.emerg -t ipfire \ "core-update-${core}: ERROR cannot update because not enough space on boot." exit 2 fi ;; *-ipfire* ) # Ok. ;; * ) /usr/bin/logger -p syslog.emerg -t ipfire \ "core-update-${core}: ERROR cannot update. No IPFire Kernel." exit 1 ;; esac # # KVER="xxxKVERxxx" MOUNT=`grep "kernel" /boot/grub/grub.conf 2>/dev/null | tail -n 1 ` # Nur den letzten Parameter verwenden echo $MOUNT > /dev/null MOUNT=$_ if [ ! $MOUNT == "rw" ]; then MOUNT="ro" fi # # check if we the backup file already exist if [ -e /var/ipfire/backup/core-upgrade${core}_${KVER}.tar.xz ]; then echo Moving backup to backup-old ... mv -f /var/ipfire/backup/core-upgrade${core}_${KVER}.tar.xz \ /var/ipfire/backup/core-upgrade${core}_${KVER}-old.tar.xz fi echo First we made a backup of all files that was inside of the echo update archive. This may take a while ... # Add some files that are not in the package to backup add_to_backup lib/modules add_to_backup etc/udev add_to_backup lib/udev add_to_backup boot add_to_backup etc/sysconfig/lm_sensors add_to_backup etc/sysconfig/rc.local add_to_backup srv/web/ipfire/html/themes/ipfire add_to_backup usr/lib/engines add_to_backup etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl add_to_backup etc/rc.d/init.d/networking/red.up/25-portfw add_to_backup etc/rc.d/init.d/networking/red.up/26-xtaccess add_to_backup usr/local/bin/setportfw add_to_backup usr/local/bin/setdmzholes add_to_backup usr/local/bin/setxtaccess add_to_backup usr/local/bin/outgoingfwctrl add_to_backup srv/web/ipfire/cgi-bin/{dmzholes,outgoingfw,portfw,xtaccess}.cgi add_to_backup var/ipfire/{dmzholes,portfw,outgoing,xtaccess} add_to_backup etc/inittab add_to_backup etc/fstab add_to_backup usr/share/usb_modeswitch add_to_backup etc/rc.d/init.d/networking/red.down/99-D-dialctrl.pl add_to_backup etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl add_to_backup usr/local/bin/dialctrl.pl add_to_backup usr/lib/locale/locale-archive # Backup the files tar cJvf /var/ipfire/backup/core-upgrade${core}_${KVER}.tar.xz \ -C / -T /opt/pakfire/tmp/ROOTFILES --exclude='#*' --exclude='/var/cache' > /dev/null 2>&1 # Check diskspace on root ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` if [ $ROOTSPACE -lt 100000 ]; then /usr/bin/logger -p syslog.emerg -t ipfire \ "core-update-${core}: ERROR cannot update because not enough free space on root." exit 2 fi echo echo Update Kernel to $KVER ... # # Remove old kernel, configs, initrd, modules ... # rm -rf /boot/System.map-* rm -rf /boot/config-* rm -rf /boot/ipfirerd-* rm -rf /boot/vmlinuz-* rm -rf /boot/uImage-ipfire-* rm -rf /boot/uInit-ipfire-* rm -rf /lib/modules # Remove old usb_modeswitch_data rm -rf /usr/share/usb_modeswitch # Remove old tzdata rm -rf /usr/share/zoneinfo # Remoce old locale-archive rm -rf /usr/lib/locale/locale-archive # Remove dialctrl.pl script rm -f \ /etc/rc.d/init.d/networking/red.down/99-D-dialctrl.pl \ /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl \ /usr/local/bin/dialctrl.pl # # Remove old udev rules. # if [ -e /etc/udev/rules.d/29-ct-server-network.rules ]; then cp /etc/udev/rules.d/29-ct-server-network.rules /tmp/ fi cp /etc/udev/rules.d/30-persistent-network.rules /tmp/ rm -rf /etc/udev rm -rf /lib/udev mkdir -p /etc/udev/rules.d if [ -e /tmp/rules.d/29-ct-server-network.rules ]; then mv /tmp/29-ct-server-network.rules /etc/udev/rules.d/ fi mv /tmp/30-persistent-network.rules /etc/udev/rules.d/ case $(uname -m) in i?86 ) # # Backup grub.conf # cp -vf /boot/grub/grub.conf /boot/grub/grub.conf.org ;; esac # #Stop services /etc/init.d/snort stop /etc/init.d/squid stop /etc/init.d/ipsec stop /etc/init.d/apache stop # Remove the old default theme rm -rf /srv/web/ipfire/html/themes/ipfire # rename /etc/modprobe.d files for i in $(find /etc/modprobe.d/* | grep -v ".conf"); do mv $i $i.conf done # Move /var/run to /run. if [ -L "/run" ]; then rm -f /run fi mkdir -p /run if mountpoint /var/run; then mount --move /var/run /run rm -rf /var/run fi ln -svf ../run /var/run # Creating directories for new firewall. mkdir -p /var/ipfire/firewall mkdir -p /var/ipfire/fwhosts # Remove old ntp binaries rm -f /usr/sbin/ntp-keygen rm -f /usr/sbin/ntp-wait rm -f /usr/sbin/ntpq rm -f /usr/sbin/ntptime rm -f /usr/sbin/ntptrace rm -f /usr/sbin/tickadj # Remove old firewall helper link rm -f /etc/rc.d/init.d/networking/red.up/22-forwardfwctrl # #Extract files tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / # Check diskspace on boot BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` if [ $BOOTSPACE -lt 1000 ]; then case $(uname -r) in *-ipfire-kirkwood ) # Special handling for old kirkwood images. # (install only kirkwood kernel) rm -rf /boot/* tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \ --numeric-owner -C / --wildcards 'boot/*-kirkwood*' ;; * ) /usr/bin/logger -p syslog.emerg -t ipfire \ "core-update-${core}: FATAL-ERROR space run out on boot. System is not bootable..." /etc/init.d/apache start exit 4 ;; esac fi # #Reload init to close old linker/glibc telinit u # Regenerate ipsec configuration files. /srv/web/ipfire/cgi-bin/vpnmain.cgi # Update Language cache perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" # Remove old openssl engines rm -rf /usr/lib/engines # Remove old initscripts rm -f /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl rm -f /etc/rc.d/init.d/networking/red.up/25-portfw rm -f /etc/rc.d/init.d/networking/red.up/26-xtaccess rm -f /etc/rc.d/rcsysinit.d/S90sysctl # Remove old firewallscripts rm -f /usr/local/bin/setportfw rm -f /usr/local/bin/setdmzholes rm -f /usr/local/bin/setxtaccess rm -f /usr/local/bin/outgoingfwctrl # Remove old CGI files rm -f /srv/web/ipfire/cgi-bin/{dmzholes,outgoingfw,portfw,xtaccess}.cgi # Generate chains for new firewall /sbin/iptables -N INPUTFW 2>/dev/null /sbin/iptables -N FORWARDFW 2>/dev/null /sbin/iptables -N POLICYFWD 2>/dev/null /sbin/iptables -N POLICYIN 2>/dev/null /sbin/iptables -N POLICYOUT 2>/dev/null /sbin/iptables -t nat -N NAT_SOURCE 2>/dev/null /sbin/iptables -t nat -N NAT_DESTINATION 2>/dev/null /sbin/iptables -t mangle -N NAT_DESTINATION 2>/dev/null # Create config files for firewall and fix permissions. touch /var/ipfire/firewall/config touch /var/ipfire/firewall/input touch /var/ipfire/firewall/outgoing touch /var/ipfire/firewall/settings touch /var/ipfire/fwhosts/customhosts touch /var/ipfire/fwhosts/customnetworks touch /var/ipfire/fwhosts/customgroups touch /var/ipfire/fwhosts/customservices touch /var/ipfire/fwhosts/customservicegrp if [ ! -s "/var/ipfire/fwhosts/customservices" ];then cp /var/ipfire/fwhosts/customservices.default /var/ipfire/fwhosts/customservices fi # Fix ownership. chown -R nobody:nobody /var/ipfire/firewall chown -R nobody:nobody /var/ipfire/fwhosts # Convert firewall configuration /usr/sbin/convert-xtaccess /usr/sbin/convert-outgoingfw /usr/sbin/convert-portfw /usr/sbin/convert-dmz # Remove old firewall configuration files rm -rf /var/ipfire/{dmzholes,portfw,outgoing,xtaccess} # In previously released IPFire versions the DROPOUTPUT and DROPINPUT # option have two identical lines in the optionsfw/settings file as long as # the user hasn't done any changes on the WUI. # # To prevent from any kind of side effects we are going to solve this issue now. # Fix doubble enties of DROPOUTPUT when the default settings are still in use # (the save button on the WUI page never has been clicked) or convert to the # new option name required by the firewall of IPFire 2.15. optionsfw_file="/var/ipfire/optionsfw/settings" if [ $(grep -c "DROPOUTPUT" ${optionsfw_file}) -gt 1 ] ; then # Drop all DROPUTPUT entries. sed -e "/DROPOUTPUT/d" -i ${optionsfw_file} # Add default line for new option. echo "DROPOUTGOING=on" >> ${optionsfw_file} else # Convert option name to new format. sed -e "s/DROPOUTPUT/DROPOUTGOING/g" -i ${optionsfw_file} fi # Fix doubble enties of DROPINPUT when the default settings are still in use # (the save button on the WUI page never has been clicked). if [ $(grep -c "DROPINPUT" ${optionsfw_file}) -gt 1 ] ; then # We only can remove all entries with an defined string. sed -e "/DROPINPUT/d" -i ${optionsfw_file} # Afterwards we have to add the required string with the default # value again. echo "DROPINPUT=on" >> ${optionsfw_file} fi # Add strings and default values for new options of the firewall. echo "DROPFORWARD=on" >> ${optionsfw_file} echo "FWPOLICY=DROP" >> ${optionsfw_file} echo "FWPOLICY1=DROP" >> ${optionsfw_file} echo "FWPOLICY2=DROP" >> ${optionsfw_file} echo "DROPSAMBA=off" >> ${optionsfw_file} echo "DROPPROXY=off" >> ${optionsfw_file} echo "SHOWREMARK=on" >> ${optionsfw_file} echo "SHOWCOLORS=on" >> ${optionsfw_file} echo "SHOWTABLES=off" >> ${optionsfw_file} echo "SHOWDROPDOWN=off" >> ${optionsfw_file} echo "DROPWIRELESSINPUT=on" >> ${optionsfw_file} echo "DROPWIRELESSFORWARD=on" >> ${optionsfw_file} unset optionsfw_file # Convert inittab and fstab sed -i -e "s/tty1 9600$/tty1 9600 --noclear/g" /etc/inittab sed -i -e "s/xvc0 9600$/xvc0 9600 --noclear/g" /etc/inittab sed -i -e "s/^proc/#proc/g" /etc/fstab sed -i -e "s/^sysfs/#sysfs/g" /etc/fstab sed -i -e "s/^devpts/#devpts/g" /etc/fstab sed -i -e "s|^none\s/var/run|#none /var/run|g" /etc/fstab # Convert udev persistent network rules sed -i -e "s/SYSFS{/ATTR{/g" /etc/udev/rules.d/30-persistent-network.rules # Firstsetup was already run touch /var/ipfire/main/firstsetup_ok # # Start services # /etc/init.d/apache start /etc/init.d/squid start /etc/init.d/snort start if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then /etc/init.d/ipsec start fi # # Rebuild qosscript if enabled # if [ -e /var/ipfire/qos/enable ]; then /usr/local/bin/qosctrl stop /usr/local/bin/qosctrl generate /usr/local/bin/qosctrl start fi chown cron:cron /var/spool/cron # Update crontab grep -q timezone-transition /var/spool/cron/root.orig || cat <> /var/spool/cron/root.orig # Re-read firewall rules every Sunday in March, October and November to take care of daylight saving time 00 3 * 3 0 /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl 00 2 * 10-11 0 /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl EOF # Remove dialctrl script. sed -i /var/spool/cron/root.orig -e "/Dialup/,/dialctrl.pl/d" fcrontab -z &>/dev/null case $(uname -m) in i?86 ) # # Modify grub.conf # echo echo Update grub configuration ... ROOT=`mount | grep " / " | cut -d" " -f1` if [ ! -z $ROOT ]; then ROOTUUID=`blkid -c /dev/null -sUUID $ROOT | cut -d'"' -f2` fi if [ ! -z $ROOTUUID ]; then sed -i "s|ROOT|UUID=$ROOTUUID|g" /boot/grub/grub.conf else sed -i "s|ROOT|$ROOT|g" /boot/grub/grub.conf fi sed -i "s|KVER|$KVER|g" /boot/grub/grub.conf sed -i "s|MOUNT|$MOUNT|g" /boot/grub/grub.conf if [ "$(grep "^serial" /boot/grub/grub.conf.org)" == "" ]; then echo "grub use default console ..." else echo "grub use serial console ..." sed -i -e "s|splashimage|#splashimage|g" /boot/grub/grub.conf sed -i -e "s|#serial|serial|g" /boot/grub/grub.conf sed -i -e "s|#terminal|terminal|g" /boot/grub/grub.conf sed -i -e "s| panic=10 | console=ttyS0,115200n8 panic=10 |g" /boot/grub/grub.conf fi # # ReInstall grub # echo "(hd0) ${ROOT::`expr length $ROOT`-1}" > /boot/grub/device.map grub-install --no-floppy ${ROOT::`expr length $ROOT`-1} ;; esac # # Delete old lm-sensor modullist to force search at next boot # rm -rf /etc/sysconfig/lm_sensors # Force (re)install pae kernel if pae is supported rm -rf /opt/pakfire/db/*/meta-linux-pae if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then /usr/bin/logger -p syslog.emerg -t ipfire \ "core-update-${core}: WARNING not enough space for pae kernel." else echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae echo "Name: linux-pae" > /opt/pakfire/db/meta/meta-linux-pae echo "ProgVersion: 0" >> /opt/pakfire/db/meta/meta-linux-pae echo "Release: 0" >> /opt/pakfire/db/meta/meta-linux-pae fi fi # Force reinstall xen kernel if it was installed if [ -e "/opt/pakfire/db/installed/meta-linux-xen" ]; then echo "Name: linux-xen" > /opt/pakfire/db/installed/meta-linux-xen echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-xen echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-xen echo "Name: linux-xen" > /opt/pakfire/db/meta/meta-linux-xen echo "ProgVersion: 0" >> /opt/pakfire/db/meta/meta-linux-xen echo "Release: 0" >> /opt/pakfire/db/meta/meta-linux-xen # Add xvc0 to /etc/securetty echo "xvc0" >> /etc/securetty fi # # After pakfire has ended run it again and update the lists and do upgrade # echo '#!/bin/bash' > /tmp/pak_update echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp/pak_update echo ' sleep 1' >> /tmp/pak_update echo 'done' >> /tmp/pak_update echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do' >> /tmp/pak_update echo ' sleep 1' >> /tmp/pak_update echo 'done' >> /tmp/pak_update echo '/opt/pakfire/pakfire update -y --force' >> /tmp/pak_update echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub.cfg"' >> /tmp/pak_update echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp/pak_update echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "' >> /tmp/pak_update echo 'touch /var/run/need_reboot ' >> /tmp/pak_update # killall -KILL pak_update chmod +x /tmp/pak_update /tmp/pak_update & sync # #Finish ( /etc/init.d/fireinfo start sendprofile ) >/dev/null 2>&1 & # Update Package list for addon installation /opt/pakfire/pakfire update -y --force echo echo Please wait until pakfire has ended... echo #Don't report the exitcode last command exit 0