Configure fully automated ownCloud security updates by default.

ypid · ypid · commit 02e3d25725f4 · 2016-07-09T17:06:34.000+02:00
Closes: debops#28 Requires: debops/ansible-unattended_upgrades#6 (Test should pass even without this patch.)
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -40,6 +40,8 @@ Added
   by default according to the `official ownCloud Dokumentation
   <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/caching_configuration.html>`_. [ypid]
 
+- Configure fully automated ownCloud security updates by default. [ypid]
+
 Changed
 ~~~~~~~
 
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -93,6 +93,69 @@ owncloud__packages_host: []
 owncloud__deploy_state: 'present'
 
 
+# .. ownCloud upgrades [[[1
+#
+# ---------------------
+#   ownCloud upgrades
+# ---------------------
+
+# .. envvar:: owncloud__auto_database_upgrade_enabled
+#
+# On each update of ownCloud, a database update must be performed before
+# ownCloud can be used again.
+# The ownCloud package maintainers have not automated this setup so that even
+# security upgrades can not be installed unattended.
+#
+# Refer to the `official ownCloud Dokumentation <https://doc.owncloud.org/server/9.0/admin_manual/maintenance/package_upgrade.html#upgrade-quickstart>`__ for details.
+#
+# When this option is set to ``True``, the role enables a hook script for
+# ``dpkg`` so that when ``dpkg`` upgrades ownCloud, the database upgrade is
+# automatically performed.
+#
+# Change to ``False`` when you want to do database upgrades manually after upgrading the ownCloud packages.
+#
+# .. note:: :envvar:`owncloud__auto_database_upgrade_enabled` depends on
+#    automatic database upgrades to be enabled.
+#
+owncloud__auto_database_upgrade_enabled: True
+
+
+# .. envvar:: owncloud__auto_database_upgrade_hook_script
+#
+# File path where the package manager hook script is stored.
+owncloud__auto_database_upgrade_hook_script: '{{ (ansible_local.root.lib
+                                  if (ansible_local|d() and ansible_local.root|d() and
+                                      ansible_local.root.lib|d())
+                                  else "/usr/local/lib") + "/owncloud_db_upgrade_hook" }}'
+
+
+# .. envvar:: owncloud__auto_database_upgrade_migration_test
+#
+# Whether database schema migration should be simulated before upgrading the production database.
+# Refer to the `official ownCloud Dokumentation <https://doc.owncloud.org/server/9.0/admin_manual/maintenance/package_upgrade.html#migration-test>`__ for details.
+owncloud__auto_database_upgrade_migration_test: True
+
+
+# .. envvar:: owncloud__auto_database_upgrade_hook_script_packages_trigger
+#
+# List of packages for which the package manager hook script should attempt to
+# do a database upgrade when :envvar:`owncloud__auto_database_upgrade_enabled`
+# is ``True``.
+#
+# This variable is currently not being used.
+# The check if ownCloud needs an upgrade is performed for each
+# installed/upgraded package but in an very efficient way.
+owncloud__auto_database_upgrade_hook_script_packages_trigger:
+  - 'owncloud'
+
+
+# .. envvar:: owncloud__auto_security_updates_enabled
+#
+# Whether automatic ownCloud upgrades should be performed by
+# ``unattended_upgrades``.
+owncloud__auto_security_updates_enabled: True
+
+
 # .. Basic options [[[1
 #
 # -----------------
@@ -536,9 +599,10 @@ owncloud__config_host: {}
 # It can be used to enable apps, add users and more which can be useful when
 # deploying ownCloud.
 #
-# Refer to the `official ownCloud Dokumentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/occ_command.html>`__ for details.
+# Examples:
 #
-# Examples::
+# .. code-block:: yaml
+#   :linenos:
 #
 #   owncloud__run_occ_global_commands
 #
@@ -568,6 +632,7 @@ owncloud__config_host: {}
 #                      ansible_fqdn + '/owncloud/users/' + 'user' +
 #                      '/password length=' + owncloud__password_length) }}"
 #
+# Refer to the `official ownCloud Dokumentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/occ_command.html>`__ for details.
 owncloud__run_occ_global_commands:
   ## Disable the updater because it does not work anyway with the way ownCloud
   ## is setup by this role using packages.
@@ -594,7 +659,10 @@ owncloud__run_occ_host_commands: []
 # .. envvar:: owncloud__occ_bin_file_path
 #
 # Where the :command:`occ` wrapper script should be installed.
-owncloud__occ_bin_file_path: '/usr/local/bin/occ'
+owncloud__occ_bin_file_path: '{{ (ansible_local.root.bin
+                                  if (ansible_local|d() and ansible_local.root|d() and
+                                      ansible_local.root.bin|d())
+                                  else "/usr/local/bin") + "/occ" }}'
 
 
 # .. ownCloud applications [[[1
@@ -1265,3 +1333,12 @@ owncloud__php5__pool:
     ## Fixes warning (ownCloud 8.1): "The test with getenv('PATH') only returns an empty response"
     PATH: '/usr/local/bin:/usr/bin:/bin'
 
+
+# .. envvar:: owncloud__unattended_upgrades__dependent_origins
+#
+# List of List of origin patterns managed by the ``debops.unattended_upgrades``
+# role.
+owncloud__unattended_upgrades__dependent_origins:
+  - origin: 'site=download.owncloud.org'
+    state: '{{ "present" if (owncloud__auto_security_updates_enabled | bool) else "absent" }}'
+
diff --git a/docs/getting-started.rst b/docs/getting-started.rst
@@ -81,6 +81,9 @@ Available role tags:
 ``role::owncloud:occ``
   Run tasks related to the :command:`occ` command.
 
+``role::owncloud:auto_upgrade``
+  Run tasks related preparing ownCloud auto upgrade.
+
 ``role::owncloud:ldap``
   Run tasks related to the LDAP configuration.
 
diff --git a/docs/playbooks/owncloud.yml b/docs/playbooks/owncloud.yml
@@ -44,6 +44,10 @@
       when: (owncloud__database == 'postgresql')
       tags: [ 'role::postgresql' ]
 
+    - role: debops.unattended_upgrades
+      tags: [ 'role::unattended_upgrades' ]
+      unattended_upgrades__dependent_origins: '{{ owncloud__unattended_upgrades__dependent_origins }}'
+
     - role: debops.php5
       tags: [ 'role::php5' ]
       php5_pools:
diff --git a/tasks/setup_owncloud.yml b/tasks/setup_owncloud.yml
@@ -165,3 +165,32 @@
     cron_file: 'owncloud'
 
 # .. ]]]
+
+# ownCloud upgrades [[[
+
+- name: Install the package manager hook script for auto ownCloud DB upgrades
+  template:
+    src: 'usr/local/bin/owncloud_db_upgrade_hook.j2'
+    dest: '{{ owncloud__auto_database_upgrade_hook_script }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'role::owncloud:auto_upgrade' ]
+
+- name: Enable the package manager hook for auto ownCloud DB upgrades
+  template:
+    src: 'etc/apt/apt.conf.d/db_upgrade.j2'
+    dest: '/etc/apt/apt.conf.d/80ownCloud-db-upgrade'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  tags: [ 'role::owncloud:auto_upgrade' ]
+  when: (owncloud__auto_database_upgrade_enabled | bool)
+
+- name: Disable the package manager hook for auto ownCloud DB upgrades
+  file:
+    path: '/etc/apt/apt.conf.d/80ownCloud-db-upgrade'
+    state: 'absent'
+  when: not (owncloud__auto_database_upgrade_enabled | bool)
+
+# .. ]]]
diff --git a/templates/etc/apt/apt.conf.d/db_upgrade.j2 b/templates/etc/apt/apt.conf.d/db_upgrade.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+DPkg::Post-Invoke {"test -x '{{ owncloud__auto_database_upgrade_hook_script }}' && '{{ owncloud__auto_database_upgrade_hook_script }}' || true";};
diff --git a/templates/usr/local/bin/owncloud_db_upgrade_hook.j2 b/templates/usr/local/bin/owncloud_db_upgrade_hook.j2
@@ -0,0 +1,34 @@
+#!/bin/bash
+# {{ ansible_managed }}
+#
+# Package manager hook script for auto ownCloud DB upgrades.
+# This script is run for each single package being installed or upgraded.
+#
+# https://unix.stackexchange.com/questions/226993/whats-the-difference-between-dpkgpost-invoke-and-dpkgpost-invoke-success
+# https://unix.stackexchange.com/questions/236833/apt-hook-to-check-for-specific-package-changes
+
+set -e
+
+## Check if one of the trigger packages was touched by `dpkg`.
+## The script might not be executed as `dpkg` hook.
+## Unfortunately, checking against `$SUDO_COMMAND` does not work when the upgrade is done by `unattended-upgrades`.
+# echo "$SUDO_COMMAND" | egrep -q '\<(:?{{ owncloud__auto_database_upgrade_hook_script_packages_trigger | join("|") }})\>' || exit 0
+
+## Check if ownCloud is installed.
+test -r '{{ owncloud__deploy_path }}/config/config.php' || exit 0
+grep -q 'installed.*true' '{{ owncloud__deploy_path }}/config/config.php' || exit 0
+
+## Performance optimization. Check if ownCloud is in maintenance mode (package upgrades put ownCloud in maintenance mode).
+grep -q 'maintenance.*true' '{{ owncloud__deploy_path }}/config/config.php' || exit 0
+
+## Check if ownCloud requires an upgrade.
+'{{ owncloud__occ_bin_file_path }}' status | egrep -q 'require upgrade' || exit 0
+
+## The ownCloud system package puts ownCloud into maintenance mode as of ownCloud 9.0. Ensure it anyway.
+'{{ owncloud__occ_bin_file_path }}' maintenance:mode --on
+
+## Do the upgrade.
+'{{ owncloud__occ_bin_file_path }}' upgrade{{ "" if (owncloud__auto_database_upgrade_migration_test | bool) else " --skip-migration-test" }}
+
+## Turn maintenance mode off.
+'{{ owncloud__occ_bin_file_path }}' maintenance:mode --off

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# {{ ansible_managed }}`
	`2`	`+`
	`3`	`+DPkg::Post-Invoke {"test -x '{{ owncloud__auto_database_upgrade_hook_script }}' && '{{ owncloud__auto_database_upgrade_hook_script }}' \|\| true";};`