[23552] | 1 | #!/bin/bash |
---|
[23155] | 2 | |
---|
| 3 | # Usage: athena-login-snapshot {login-start|login-end|update-start|update-end} |
---|
| 4 | |
---|
| 5 | # This script contains the logic to manage LVM snapshots of the root |
---|
| 6 | # volume. |
---|
| 7 | |
---|
| 8 | # Requirements: |
---|
| 9 | |
---|
| 10 | # * The root volume is a logical volume |
---|
| 11 | # * The volume group of the root volume has 21GB of free space for us |
---|
| 12 | # to use. |
---|
| 13 | |
---|
| 14 | # Login snapshots will have a 10GB copy-on-write store for |
---|
| 15 | # modifications to the snapshot. This backing store will typically |
---|
| 16 | # only be used if a user installs additional packages in the login |
---|
| 17 | # root. |
---|
| 18 | |
---|
| 19 | # This script may choose to reboot the machine in order to clear |
---|
| 20 | # I/O-bound process entries blocking the unmount of /login, though |
---|
| 21 | # that circumstance should be fairly rare. |
---|
| 22 | |
---|
| 23 | set -e |
---|
[23607] | 24 | exec >>/var/log/athena-reactivate 2>&1 |
---|
[23155] | 25 | |
---|
| 26 | updflag=/var/run/athena-update-in-progress |
---|
| 27 | bootflag=/var/run/athena-reboot-after-update |
---|
| 28 | lockfile=/var/run/athena-snapshot.lock |
---|
| 29 | snapshotsize=10G |
---|
| 30 | event=$1 |
---|
[23467] | 31 | binddirs="/proc /sys /dev /dev/shm /dev/pts /var/run /var/lock /var/tmp /afs /mit /tmp /media /home" |
---|
[23287] | 32 | addgroups="admin lpadmin adm fuse cdrom floppy audio video plugdev scanner dialout" |
---|
[23573] | 33 | daemons="$(/usr/sbin/policy-rc.d --daemons)" |
---|
[23155] | 34 | |
---|
| 35 | rootdev=$(awk '$2 == "/" { dev=$1 } END { print dev }' /proc/mounts) |
---|
| 36 | vgname=$(lvs --noheadings -o vg_name "$rootdev" | awk '{print $1}') |
---|
| 37 | rootlvname=$(lvs --noheadings -o lv_name "$rootdev" | awk '{print $1}') |
---|
| 38 | rootlvpath=/dev/$vgname/$rootlvname |
---|
| 39 | loginlvname=login |
---|
| 40 | loginlvpath=/dev/$vgname/login |
---|
| 41 | uloginlvname=login-update |
---|
| 42 | uloginlvpath=/dev/$vgname/login-update |
---|
| 43 | |
---|
[23607] | 44 | echo "-----" |
---|
| 45 | echo "** Beginning Athena reactivation ($event) session at $(date)" |
---|
| 46 | |
---|
| 47 | finish() { |
---|
| 48 | echo "** Finishing Athena reactivation ($event) at $(date)" |
---|
| 49 | echo "-----" |
---|
| 50 | echo |
---|
| 51 | exit |
---|
| 52 | } |
---|
| 53 | trap finish EXIT |
---|
| 54 | |
---|
| 55 | v() { |
---|
| 56 | echo "** Running:" "$@" |
---|
[23632] | 57 | echo "** $(date)" |
---|
[23609] | 58 | "$@" |
---|
[23607] | 59 | } |
---|
| 60 | |
---|
[23155] | 61 | ( |
---|
| 62 | flock -x 9 |
---|
| 63 | case $event in |
---|
| 64 | login-start) |
---|
| 65 | # Procure a login snapshot and mount it. |
---|
| 66 | |
---|
| 67 | if [ -e "$loginlvpath" ]; then |
---|
| 68 | # A login snapshot already exists; perhaps the machine rebooted |
---|
| 69 | # during a login. Clean it up. |
---|
[23607] | 70 | v lvremove -f "$loginlvpath" |
---|
[23155] | 71 | fi |
---|
| 72 | |
---|
| 73 | if [ -e "$updflag" ]; then |
---|
| 74 | # An update is in progress. If we get here, we expect there to |
---|
| 75 | # be a login-update snapshot created before the update started. |
---|
| 76 | # (If we already used it up, /etc/nologin should prevent us from |
---|
| 77 | # getting here until the update ends.) Rename it to login. |
---|
| 78 | [ -e "$uloginlvpath" ] |
---|
[23607] | 79 | v lvrename "$vgname" "$uloginlvname" "$loginlvname" |
---|
[23155] | 80 | else |
---|
| 81 | # No update is in progress. Create our own snapshot of the root. |
---|
| 82 | sync |
---|
[23607] | 83 | v lvcreate --snapshot --size "$snapshotsize" --name "$loginlvname" \ |
---|
[23155] | 84 | "$rootlvpath" |
---|
| 85 | fi |
---|
| 86 | |
---|
| 87 | # Mount the login snapshot. |
---|
| 88 | mkdir -p /login |
---|
[24051] | 89 | v mount -o noatime "$loginlvpath" /login |
---|
[23155] | 90 | |
---|
[23467] | 91 | # Enable subtree operations on /media by making it a mount point, |
---|
| 92 | # then share it. |
---|
[23607] | 93 | v mount --bind /media /media |
---|
| 94 | v mount --make-shared /media |
---|
[23467] | 95 | |
---|
[23155] | 96 | # Bind-mount a bunch of stuff from the real root into the chroot. |
---|
| 97 | for dir in $binddirs; do |
---|
[23607] | 98 | v mount --bind "$dir" "/login$dir" |
---|
[23155] | 99 | done |
---|
| 100 | |
---|
| 101 | # Add the user to a bunch of groups in the chroot. |
---|
| 102 | for group in $addgroups; do |
---|
[23607] | 103 | v chroot /login gpasswd -a "$USER" "$group" |
---|
[23155] | 104 | done |
---|
| 105 | |
---|
[24081] | 106 | # Remove the su message intended for quickstations and unlock the |
---|
| 107 | # command. |
---|
[24083] | 108 | sed -i "/su-error/d" "/login/etc/pam.d/su.debathena" |
---|
[24078] | 109 | |
---|
[23552] | 110 | # There are some daemons that should be running inside the |
---|
| 111 | # chroot. For example, changes to CUPS config shouldn't persist |
---|
| 112 | # between sessions. |
---|
| 113 | # |
---|
| 114 | # Start those daemons inside the chroot |
---|
| 115 | # |
---|
| 116 | # For extra special bonus points, cupsys was renamed to cups at |
---|
| 117 | # some point, so we have to try both names and catch the error for |
---|
| 118 | # the one that doesn't exist |
---|
| 119 | for daemon in $daemons; do |
---|
[23607] | 120 | v invoke-rc.d $daemon stop || [ $? = 100 ] |
---|
| 121 | v chroot /login invoke-rc.d $daemon start || [ $? = 100 ] |
---|
[23552] | 122 | done |
---|
| 123 | |
---|
[23607] | 124 | v touch /login/ClusterLogin |
---|
| 125 | v touch /var/run/athena-login |
---|
[23552] | 126 | |
---|
[23155] | 127 | # Add an schroot.conf entry for the chroot. |
---|
| 128 | conf=/etc/schroot/schroot.conf |
---|
| 129 | sed -e '/###ATHENA-BEGIN###/,/###ATHENA-END###/d' $conf > $conf.new |
---|
| 130 | cat >> $conf.new <<EOF |
---|
| 131 | ###ATHENA-BEGIN### |
---|
| 132 | [login] |
---|
| 133 | description=Login root snapshot |
---|
| 134 | location=/login |
---|
| 135 | users=$USER |
---|
[23437] | 136 | environment-filter="" |
---|
[23155] | 137 | ###ATHENA-END### |
---|
| 138 | EOF |
---|
| 139 | mv $conf.new $conf |
---|
| 140 | ;; |
---|
| 141 | |
---|
| 142 | login-end) |
---|
[23573] | 143 | # Clean-up the temporary file to indicate the logged in state |
---|
[23607] | 144 | v rm /var/run/athena-login |
---|
[23552] | 145 | |
---|
| 146 | # Stop any daemons that were specifically started inside the |
---|
| 147 | # chroot |
---|
| 148 | for daemon in $daemons; do |
---|
[23607] | 149 | v chroot /login invoke-rc.d $daemon stop || [ $? = 100 ] |
---|
| 150 | v invoke-rc.d $daemon start || [ $? = 100 ] |
---|
[23552] | 151 | done |
---|
| 152 | |
---|
[23458] | 153 | # Clean up any remaining user processes using the bind mounts. |
---|
[23644] | 154 | # Try sending SIGTERM first to give processes a chance to exit |
---|
| 155 | # cleanly. |
---|
[23458] | 156 | if [ -n "$USER" -a "$USER" != root ]; then |
---|
| 157 | for dir in $binddirs; do |
---|
[23644] | 158 | v su -s /bin/sh "$USER" -c "fuser -kmv -TERM /login$dir" || true |
---|
| 159 | done |
---|
| 160 | sleep 3 |
---|
| 161 | for dir in $binddirs; do |
---|
[23640] | 162 | v su -s /bin/sh "$USER" -c "fuser -kmv /login$dir" || true |
---|
[23458] | 163 | done |
---|
| 164 | fi |
---|
| 165 | |
---|
| 166 | # Clean up any processes using the chroot mountpoint. |
---|
[23640] | 167 | v fuser -kvm /login || true |
---|
[23155] | 168 | sleep 2 |
---|
| 169 | |
---|
| 170 | # Clean up the bind mounts we made earlier. |
---|
[23458] | 171 | # If any of these fail, the umount of /login will fail below, |
---|
| 172 | # and we will reboot. |
---|
[23467] | 173 | for dir in $(echo $binddirs|tac -s\ ); do |
---|
[23607] | 174 | v umount "/login$dir" || true |
---|
[23155] | 175 | done |
---|
| 176 | |
---|
[23472] | 177 | # Unmount /media, which we bind-mounted to itself earlier so it |
---|
| 178 | # could be shared and then bind-mounted. |
---|
[23607] | 179 | v umount /media || true |
---|
[23467] | 180 | |
---|
[23155] | 181 | # Attempt to unmount /login. |
---|
[23607] | 182 | if ! v umount /login; then |
---|
[23155] | 183 | # There may be an unkillable process in I/O wait keeping the |
---|
| 184 | # mountpoint busy. We need to reboot the machine. |
---|
| 185 | if [ -e "$updflag" ]; then |
---|
| 186 | # ... but we don't want to reboot during an update. Schedule it |
---|
| 187 | # for the end of the update. |
---|
| 188 | if [ ! -e /etc/nologin ]; then |
---|
| 189 | echo "An update and reboot is in progress, please try again later." \ |
---|
| 190 | > /etc/nologin.update |
---|
[23607] | 191 | v ln /etc/nologin.update /etc/nologin |
---|
[23155] | 192 | fi |
---|
[23607] | 193 | v touch "$bootflag" |
---|
[23155] | 194 | else |
---|
| 195 | # We can just reboot now. |
---|
[23607] | 196 | echo "** Rebooting because of umount /login failure" |
---|
| 197 | v reboot |
---|
[23155] | 198 | fi |
---|
| 199 | fi |
---|
[23607] | 200 | v lvremove -f "$loginlvpath" |
---|
[23155] | 201 | |
---|
| 202 | if [ -e "$updflag" -a ! -e "$uloginlvpath" ]; then |
---|
| 203 | # An update is in progress and we just used up its snapshot. We |
---|
| 204 | # must block further logins until the update completes. |
---|
| 205 | if [ ! -e /etc/nologin ]; then |
---|
| 206 | echo "An update is in progress, please try again later." \ |
---|
| 207 | > /etc/nologin.update |
---|
| 208 | ln /etc/nologin.update /etc/nologin |
---|
| 209 | fi |
---|
| 210 | fi |
---|
| 211 | ;; |
---|
| 212 | |
---|
| 213 | update-start) |
---|
| 214 | # Before starting the update, create a root snapshot for use by |
---|
| 215 | # the next login. We give this snapshot a different name in case |
---|
| 216 | # there is already a login in process. |
---|
| 217 | if [ -e "$uloginlvpath" ]; then |
---|
| 218 | # It already exists; perhaps the machine rebooted during an |
---|
| 219 | # update. Clean it up. |
---|
[23607] | 220 | v lvremove -f "$uloginlvpath" |
---|
[23155] | 221 | fi |
---|
| 222 | sync |
---|
[23607] | 223 | v lvcreate --snapshot --size "$snapshotsize" --name "$uloginlvname" \ |
---|
[23155] | 224 | "$rootlvpath" |
---|
| 225 | |
---|
| 226 | # Touch the flag file signifying an update in progress. |
---|
[23607] | 227 | v touch "$updflag" |
---|
[23155] | 228 | ;; |
---|
| 229 | |
---|
| 230 | update-end) |
---|
| 231 | if [ -e "$uloginlvpath" ]; then |
---|
| 232 | # It appears our login snapshot was never used. Clean it up. |
---|
[23607] | 233 | v lvremove -f "$uloginlvpath" |
---|
[23155] | 234 | fi |
---|
| 235 | |
---|
| 236 | if [ -e /etc/nologin.update ]; then |
---|
| 237 | # Our login snapshot was used and that login ended before we |
---|
| 238 | # did, causing further logins to block. Now that the update has |
---|
| 239 | # ended, we can unblock logins. |
---|
[23607] | 240 | v rm -f /etc/nologin.update /etc/nologin |
---|
[23155] | 241 | fi |
---|
| 242 | |
---|
| 243 | if [ -e "$bootflag" ]; then |
---|
| 244 | # We need to reboot in order to unmount /login. |
---|
| 245 | echo "Rebooting in order to unmount /login." |
---|
[23607] | 246 | v reboot |
---|
[23155] | 247 | fi |
---|
| 248 | |
---|
| 249 | # Remove the flag file signifying an update in progress. |
---|
[23607] | 250 | v rm -f "$updflag" |
---|
[23155] | 251 | ;; |
---|
| 252 | esac |
---|
| 253 | ) 9> $lockfile |
---|