From a9297bdaad681a5013a0810187727d34842e052f Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 24 Feb 2024 13:57:00 -0300
Subject: Fix: hydractl: sync-media: tell why it's not allowed to run as the root user
---
 share/hydractl/provision | 6 +++---
 share/hydractl/sync-backups | 40 +++++++++++++++++++++++-----------------
 share/hydractl/sync-media | 2 +-
 3 files changed, 27 insertions(+), 21 deletions(-)
diff --git a/share/hydractl/provision b/share/hydractl/provision
index 783f2ae..d318aaf 100755
--- a/share/hydractl/provision
+++ b/share/hydractl/provision
@@ -54,13 +54,13 @@ function hydra_cryptsetup {
 # Run cryptsetup with custom parameters
 #hydra_sudo_run cryptsetup --cipher aes-xts-plain64:sha256 --key-size 512 --hash sha512 --iter-time 5000 --use-random -y -q luksFormat $1
- # GRUB2 from bullseye (or even older) does not support LUKS2, which seems
+ # GRUB2 from bookworm (or even older) still does not support LUKS2, which seems
 # the default type for luksFormat since bullseye at least
 # See https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
- #hydra_sudo_run cryptsetup --use-random -y -q luksFormat --type luks1 $1
+ hydra_sudo_run cryptsetup --use-random -y -q luksFormat --type luks1 $1
 # Run cryptsetup mostly with defaults
- hydra_sudo_run cryptsetup --use-random -y -q luksFormat $1
+ #hydra_sudo_run cryptsetup --use-random -y -q luksFormat $1
 fi
 }
diff --git a/share/hydractl/sync-backups b/share/hydractl/sync-backups
index cb905a3..844d630 100755
--- a/share/hydractl/sync-backups
+++ b/share/hydractl/sync-backups
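Review bot: In share/hydractl/provision, enabling the `--type luks1` call and commenting out the default one makes every device formatted through `hydra_cryptsetup` a LUKS1 volume, not only those GRUB has to unlock, and LUKS1 is limited to PBKDF2 key derivation, which resists offline passphrase guessing less well than the memory-hard Argon2 default of LUKS2. If the GRUB limitation only concerns the volume holding `/boot`, keep LUKS2 as the default and select LUKS1 per call, e.g. `hydra_sudo_run cryptsetup --use-random -y -q luksFormat --type "${LUKS_TYPE:-luks2}" "$1"` (`LUKS_TYPE` is a suggested name, not an existing variable), which also quotes the device path. The function and the `if` enclosing these lines start outside the hunk, so an existing distinction between boot and data volumes may not be visible here. The commit subject mentions only sync-media, so this on-disk format change deserves its own line in the message.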
@@ -11,62 +11,68 @@ BWLIMIT=${BWLIMIT:=32000}
 IMAGES="/var/data/crypt/"
 RSYNC="ionice -c 3 nice -n 19 rsync -avH --delete --bwlimit=$BWLIMIT"
 CP="ionice -c 3 nice -n 19 cp"
+WHOAMI="`whoami`"
 # Sync backups for a node.
 function sync_backups_node {
 if [ ! -z "$NODE" ]; then
 # Get full node hostname.
- NODE_HOSTNAME="`cat /var/vservers/$NODE/etc/hostname`"
+ NODE_HOSTNAME="`$SUDO cat /var/vservers/$NODE/etc/hostname`"
 if [ -z "$NODE_HOSTNAME" ]; then
 NODE_HOSTNAME="$NODE"
 fi
 # Sync local encrypted backup.
 echo "Syncing /var/vservers/$NODE/var/backups/duplicity/..."
- mkdir -p /$MEDIA/$NODE_HOSTNAME/duplicity
- $RSYNC /var/vservers/$NODE/var/backups/duplicity/ /$MEDIA/$NODE_HOSTNAME/duplicity/
+ $SUDO mkdir -p /$MEDIA/$NODE_HOSTNAME/duplicity
+ $SUDO $RSYNC /var/vservers/$NODE/var/backups/duplicity/ /$MEDIA/$NODE_HOSTNAME/duplicity/
 # Sync remote backups.
- for node in `ls /var/vservers/$NODE/var/backups/remote/`; do
+ for node in `$SUDO ls /var/vservers/$NODE/var/backups/remote/`; do
 echo "Syncing /var/vservers/$NODE/var/backups/remote/$node/..."
- mkdir -p /$MEDIA/$NODE_HOSTNAME/remote/$node
- $RSYNC /var/vservers/$NODE/var/backups/remote/$node/ /$MEDIA/$NODE_HOSTNAME/remote/$node/
+ $SUDO mkdir -p /$MEDIA/$NODE_HOSTNAME/remote/$node
+ $SUDO $RSYNC /var/vservers/$NODE/var/backups/remote/$node/ /$MEDIA/$NODE_HOSTNAME/remote/$node/
 done
 else
 # Sync local encrypted backup.
 echo "Syncing /var/backups/duplicity/..."
- mkdir -p /$MEDIA/$HOSTNAME/duplicity
- $RSYNC /var/backups/duplicity/ /$MEDIA/$HOSTNAME/duplicity/
+ $SUDO mkdir -p /$MEDIA/$HOSTNAME/duplicity
+ $SUDO $RSYNC /var/backups/duplicity/ /$MEDIA/$HOSTNAME/duplicity/
 # Sync remote backups.
- for node in `ls /var/backups/remote/`; do
+ for node in `$SUDO ls /var/backups/remote/`; do
 echo "Syncing /var/backups/remote/$node/..."
- mkdir -p /$MEDIA/$HOSTNAME/remote/$node/
- $RSYNC /var/backups/remote/$node/ /$MEDIA/$HOSTNAME/remote/$node/
+ $SUDO mkdir -p /$MEDIA/$HOSTNAME/remote/$node/
+ $SUDO $RSYNC /var/backups/remote/$node/ /$MEDIA/$HOSTNAME/remote/$node/
 done
 # Copy encrypted images.
 if [ -d "$IMAGES" ]; then
 for image in `find $IMAGES -name '*.img' -type f`; do
 echo "Copying image to /$MEDIA/$HOSTNAME/images/`dirname $image`"
- mkdir -p /$MEDIA/$HOSTNAME/images/`dirname $image`
- $CP $image /$MEDIA/$HOSTNAME/images/`dirname $image`
+ $SUDO mkdir -p /$MEDIA/$HOSTNAME/images/`dirname $image`
+ $SUDO $CP $image /$MEDIA/$HOSTNAME/images/`dirname $image`
 done
 fi
 fi
 }
-# Parsing.
+# Parsing
 if [ -z "$VOLUME" ]; then
 echo "usage: $BASENAME [nodes]"
 exit 1
-elif [ "$WHOAMI" == 'root' ]; then
- echo "Please run this command as the root user"
- exit 1
+#elif [ "$WHOAMI" != 'root' ]; then
+# echo "Please run this command as the root user"
+# exit 1
 else
 shift
 fi
+# Set sudo config
+if [ "$WHOAMI" != 'root' ]; then
+ SUDO="sudo"
+fi
+
 # Check volume name
 if [ "$VOLUME" == "`hostname -f`" ]; then
 echo "volume is the hostname, cannot sync to myself"
diff --git a/share/hydractl/sync-media b/share/hydractl/sync-media
index c4e27d4..88c8901 100755
--- a/share/hydractl/sync-media
+++ b/share/hydractl/sync-media
@@ -156,7 +156,7 @@ function sync_media_ensure_remote {
 if [ "$WHOAMI" != 'root' ]; then
 sudo="sudo"
 else
- echo "Sorry, cannot run as root"
+ echo "Sorry, cannot run as root, since archives are usually user-managed"
 exit 1
 fi
-- 
cgit v1.2.3
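Review bot: In share/hydractl/sync-backups, `SUDO` is assigned only inside the new `if [ "$WHOAMI" != 'root' ]` block, so when the script runs as root each `$SUDO mkdir`, `$SUDO $RSYNC` and `$SUDO $CP` expands whatever value `SUDO` already had, including one inherited from the caller's environment, and runs it as a command prefix (unless it is cleared in the lines before this hunk, which are not shown). Assign it unconditionally first, e.g. `SUDO=""` directly above that `if`. The `[ -d "$IMAGES" ]` test and `find $IMAGES -name '*.img' -type f` were left without `$SUDO` while the other reads gained it, so an unprivileged caller may silently copy no images if that tree is not readable to them. The directory names returned by `$SUDO ls` are still word-split and reach `mkdir -p` and `rsync --delete` unquoted, now with root privileges; reading them line by line (`while IFS= read -r node`) and quoting `"$node"` would keep an unusual name from changing which paths are synced or deleted.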