#!/usr/local/cpanel/3rdparty/bin/perl
# cpanel - scripts/maintenance Copyright 2022 cPanel, L.L.C.
# All rights reserved.
# copyright@cpanel.net http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited
package scripts::maintenance;
use strict;
use warnings;
use Try::Tiny;
use Cpanel::iContact::Class::Update::EndOfLife ();
use Cpanel::AccessIds ();
use Cpanel::Binaries ();
use Cpanel::TimeHiRes ();
use Cpanel::Config::LoadCpConf ();
use Cpanel::ConfigFiles ();
use Cpanel::Cron::Utils ();
use Cpanel::Crypt::GPG::Settings ();
use Cpanel::Crypt::GPG::VendorKeys::TimestampCache ();
use Cpanel::Env ();
use Cpanel::IOCallbackWriteLine ();
use Cpanel::MysqlUtils::Version ();
use Cpanel::Notify ();
use Cpanel::OS ();
use Cpanel::Rand::Get ();
use Cpanel::RPM::Versions::Directory ();
use Cpanel::SafeRun::Object ();
use Cpanel::SafeRun::BG ();
use Cpanel::Server::Type ();
use Cpanel::ServerTasks ();
use Cpanel::Services::Enabled ();
use Cpanel::Sync::CheckRestore ();
use Cpanel::Update::Config ();
use Cpanel::Config::Crontab ();
use Cpanel::Update::Logger ();
use IO::Handle ();
use IO::Select ();
# hash we'll use to process each request
our $RPM_IS_BROKEN = 0;
our $_UPGRADE_IN_PROGRESS_FILE = '/usr/local/cpanel/upgrade_in_progress.txt';
my $DRY_RUN;
our $SQLITE_AUTO_REBUILD_LAST_RAN_FILE = '/var/cpanel/.last_ran_sqlite_auto_rebuild_from_maintenance';
# Internal documentation: https://cpanel.wiki/x/zwwFAw
sub script {
my ( $class, @args ) = @_;
if ( $> != 0 ) {
print "This cPanel maintenance script must be run as root, not uid $>.\n";
return 2;
}
umask(0022);
my $security_token = $ENV{'cp_security_token'} || '';
# default pcent when none are defined
my $starting_pbar = 0;
my $finishing_pbar = 100;
# in case we are called before and outside of upcp
setupenv();
my $only_run;
# create a default logfile path, if called from upcp, use the log it passes
my $now = time();
my $logfile_path = '/var/cpanel/updatelogs/maintenance' . $now . '.log';
my $custom_pbar;
foreach my $arg (@args) {
if ( $arg =~ m/^--log\=(.*)/ ) {
$logfile_path = $1;
}
elsif ( $arg =~ m/^--pbar-start=([0-9]+)/ ) {
$custom_pbar = 1;
$starting_pbar = int($1);
}
elsif ( $arg =~ m/^--pbar-stop=([0-9]+)/ ) {
$custom_pbar = 1;
$finishing_pbar = int($1);
}
elsif ( $arg =~ m/^--dry-run$/ ) { # no doc required: dev only
$DRY_RUN = 1;
}
elsif ( $arg =~ m/^--pre$/ ) { # no doc required: upcp only
$only_run = 'pre';
}
elsif ( $arg =~ m/^--post$/ ) { # no doc required: upcp only
$only_run = 'post';
}
elsif ( $arg =~ m/^--help/ ) {
return usage();
}
}
open( STDERR, ">&STDOUT" );
$| = 1;
# when start pbar is unset progress bar is not displayed
setup_logger( $logfile_path, $custom_pbar ? $starting_pbar : undef );
# helper which normalize all percentage to be in [ $starting_pbar .. $finishing_pbar ]
# the only thing that we should care are the capping values which should be between [ 0..100 ]
my $increment_pbar; # initialize later as we can count how many tasks to run
my $do_progress_bar = sub {
my (@args) = @_;
return bless sub { $increment_pbar->(@args) }, 'PBAR';
};
#############################################################################
# maintenance actions are split in 2 groups: pre and post
# by default maintenance is going to run both groups: pre than post
# /scripts/maintenance is similar to run
# 1. ~maintenance --pre
# 2. ~maintenance --post
# but we can now run only one of these groups, this allow to run post_sync_cleanup earlier during upcp
# /scripts/upcp is going to use maintenance script using 2 different calls
# 1. update.now
# 2. maintenance --pre
# 3. post_sync_cleanup
# 4. maintenance --post
my $blocks = { pre => [], post => [] };
# This is the only pre block in this script. Only things that MUST happen before post_sync_cleanup should live here.
push @{ $blocks->{'pre'} }, (
show_status('Assuring needed symlinks in 3rdparty/bin are in place.'),
'/usr/local/cpanel/scripts/link_3rdparty_binaries',
show_status('Setting clock'),
'/usr/local/cpanel/scripts/rdate',
# Process any possibly pending PHP PEAR updates from cpanel-php pear RPMs in the background,
# as they should have already been installed during update.now
action_update_pear_registry_in_the_background(),
action_set_up_dns_resolver_workarounds(),
action_background_refresh_dkim_validity_cache(),
action_find_and_fix_rpm_issues(), # set RPM_IS_BROKEN (at run time): used by sysup and check_cpanel_pkgs
action_install_els(),
action_update_packages(),
action_ensure_mysql_upgrade_hook(),
);
push @{ $blocks->{'post'} }, (
show_status('Purging cpupdate.conf of invalid entries'),
\&purge_cpupdate_conf,
\&purge_upcp_logs,
action_updatesigningkey(),
action_sysup(),
#We do it right after post sync cleanup and sysup
#to ensure cPanel services have been restarted before we
#do any system ones so that they can access cPanel
#and monitor the system while the system services are
#being restarted.
show_status('Restarting any outdated services'),
$ENV{'CPANEL_BASE_INSTALL'} ? () : ( run( '/usr/local/cpanel/scripts/find_outdated_services --auto', { exit_ok => [1] } ) ), # Base install does this in the background before upcp
action_vps_optimizer(), # not on dnsonly
show_status('Checking for a valid C Compiler.'),
'/usr/local/cpanel/scripts/checkccompiler',
action_build_locale_databases(),
show_status('Migrating feature lists to current version (if needed)'),
'/usr/local/cpanel/bin/migrate_all_feature_lists_to_current',
show_status('Checking for main IP changes'),
'/usr/local/cpanel/scripts/mainipcheck',
show_status('Updating neighbor netblocks'),
'/usr/local/cpanel/scripts/update_neighbor_netblocks',
show_status('Updating known proxy ips'),
'/usr/local/cpanel/scripts/update_known_proxy_ips',
show_status('Validating server hostname'),
# No need to check this on a fresh install since we already validate in the installer
( $ENV{'CPANEL_BASE_INSTALL'} ? () : ('/usr/local/cpanel/scripts/check_valid_server_hostname --notify') ),
show_status('Validating cPanel system users'),
'/usr/local/cpanel/scripts/checkusers',
action_fixrndc(),
action_init_wwwacct_conf(),
action_ipaliases(),
action_check_cpanel_pkgs(),
show_status('Running env auto repair'),
'/usr/local/cpanel/scripts/vzzo-fixer',
'/usr/local/cpanel/scripts/quota_auto_fix',
'/usr/local/cpanel/scripts/clear_orphaned_virtfs_mounts --inactiveonly',
'/usr/local/cpanel/scripts/disable_prelink',
show_status('Cleaning up orphaned filesystem quotas'),
'/usr/local/cpanel/scripts/cleanquotas',
( $ENV{'CPANEL_BASE_INSTALL'} ? () : ('/usr/local/cpanel/scripts/autorepair autorepair') ),
'/usr/local/cpanel/scripts/purge_old_config_caches',
'/usr/local/cpanel/scripts/cleansessions',
'/usr/local/cpanel/scripts/checkbashshell',
action_passwd(),
\&setupcrontab,
'/usr/local/cpanel/scripts/dnsqueuecron',
show_status('Rebuild WHM chrome cache'),
'/usr/local/cpanel/scripts/rebuild_whm_chrome',
# checkallsslcerts needs to run on DNSONLY
# because we need an ssl cert for dovecot for it to startup
# Ensure /var/cpanel/ssl/*-SIGNATURE_CHAIN_VERIFIED and
# /var/cpanel/ssl/*-NO_AFTER is updated so Cpanel::Redirect
# can make good descisions. This also ensures that
# admins get timely notice of the expire time being
# reached on their ssl certificates.
action_checkallsslcerts(),
show_status('Purging invalid or soon-to-expire Domain TLS entries for service domains'),
'/usr/local/cpanel/scripts/check_domain_tls_service_domains.pl --prune',
show_status('Cleaning up temporary wheel/sudo users'),
'/usr/local/cpanel/scripts/clean_up_temp_wheel_users',
);
if ( !Cpanel::Server::Type::is_dnsonly() ) {
push @{ $blocks->{'post'} }, (
action_sprite_generator(),
action_update_rdns_ips_cache(),
show_status('Updating services and databases'),
'/usr/local/cpanel/scripts/listcheck',
action_purge_modsec(),
( $ENV{'CPANEL_BASE_INSTALL'} ? () : ( action_ftpquotacheck() ) ),
'/usr/local/cpanel/scripts/updateuserdomains',
'/usr/local/cpanel/bin/empty_user_trash --quiet --all',
'/usr/local/cpanel/bin/empty_user_horde_temp_files --quiet --all',
'/usr/local/cpanel/scripts/build_maxemails_config',
'/usr/local/cpanel/scripts/updateuserdatacache --force',
show_status('Checking system maxmem setting'),
'/usr/local/cpanel/scripts/check_maxmem_against_domains_count --always-fix',
show_status('Running various cleanup scripts'),
'/usr/local/cpanel/scripts/resetmailmanurls',
show_status('Checking MySQL to ensure we can connect'),
( # Base install does this in the background before upcp
$ENV{'CPANEL_BASE_INSTALL'} ? () : (
'/usr/local/cpanel/scripts/mysqlconnectioncheck' # POST or leave it there ??
# We must update the rules before we compile them
)
),
action_update_spamassassin_rules(),
show_status('Checking PostgreSQL to ensure we can connect'),
'/usr/local/cpanel/bin/postgrescheck --check-auth --reset-pass-on-fail', # POST or leave it there ??
action_repair_mailman(),
action_repair_mysql(),
show_status('Running sanity checks and notifications'), # status update
'/usr/local/cpanel/scripts/chkpaths',
'/usr/local/cpanel/scripts/hackcheck',
'/usr/local/cpanel/scripts/oopscheck',
'/usr/local/cpanel/scripts/fixetchosts',
'/usr/local/cpanel/scripts/check_unreliable_resolvers --notify',
'/usr/local/cpanel/bin/is_script_stuck --script=autossl_check --time=3h --kill --notify=root',
( $ENV{'CPANEL_BASE_INSTALL'} ? () : ('/usr/local/cpanel/scripts/quotacheck') ),
'/usr/local/cpanel/scripts/email_archive_maintenance',
'/usr/local/cpanel/scripts/email_hold_maintenance',
'/usr/local/cpanel/scripts/expunge_expired_certificates_from_sslstorage',
'/usr/local/cpanel/scripts/notify_expiring_certificates',
'/usr/local/cpanel/scripts/notify_expiring_certificates_on_linked_nodes',
'/usr/local/cpanel/scripts/expunge_expired_transfer_sessions',
'/usr/local/cpanel/scripts/expunge_expired_pkgacct_sessions',
'/usr/local/cpanel/scripts/smartcheck',
'/usr/local/cpanel/scripts/compilerscheck',
'/usr/local/cpanel/scripts/check_mount_procfs',
sqlite_auto_rebuild_if_needed(),
'/usr/local/cpanel/scripts/setup_modsec_db',
'/usr/local/cpanel/scripts/modsec_vendor update --auto',
'/usr/local/cpanel/bin/check_cpstore_in_sync_with_local_storage',
action_purge_dead_comet_files(),
action_update_freshclam(),
show_status('Restoring compiler permissions'),
'/usr/local/cpanel/scripts/compilers restore',
show_status('Cleaning up mailbox trash'),
'/usr/local/cpanel/scripts/dovecot_maintenance --background',
show_status('Checking MySQL Version'),
sub { check_mysql_version() },
show_status('Cleaning up root datastores and caches'),
'/usr/local/cpanel/bin/clean-datastores --background root',
);
} # end !dnsonly
push @{ $blocks->{'post'} }, (
action_buildexim(),
action_eximstats(),
action_exim_purge_old_tracker_files(),
sub { Cpanel::Sync::CheckRestore::check_and_restore("img-sys/powered_by_cpanel.svg") },
action_cleanup_signature(),
action_enable_onboot_handler(),
);
if ( !Cpanel::Server::Type::is_dnsonly() ) { # not dnsonly
push @{ $blocks->{'post'} }, (
(
$ENV{'CPANEL_BASE_INSTALL'} ? () : (
show_status('Cleaning SpamAssassin DBM files'),
'/usr/local/cpanel/scripts/spamassassin_dbm_cleaner'
)
),
show_status('Cleaning Roundcube attachment directory'),
\&clean_roundcube_attachment_directory,
(
# This was causing an OOM on fresh install on the
# $5/mo DO instance
# There will be no one to notify on a fresh install
# and this will run a few hours after the install
# anyways
$ENV{'CPANEL_BASE_INSTALL'} ? () : (
show_status('Checking for new security advice'),
'/usr/local/cpanel/scripts/check_security_advice_changes --notify --background',
)
),
show_status('Running former postinstall scripts'),
'/usr/local/cpanel/bin/dcpumon --killproc',
'/usr/local/cpanel/bin/setupdbmap',
'/usr/local/cpanel/bin/fix_userdata_perms',
'/usr/local/cpanel/scripts/detect_env_capabilities',
( # Base install does this in the background before upcp
$ENV{'CPANEL_BASE_INSTALL'} ? () : (
show_status('Updating cPGreyList Common Mail Providers'),
'/usr/local/cpanel/scripts/manage_greylisting --init --update_common_mail_providers'
)
),
show_status('Checking for deprecated PHP local.ini'),
'/usr/local/cpanel/scripts/migrate_local_ini_to_php_ini --run --verbose',
show_status('Ensuring an "Active" MySQL profile is set'),
\&ensure_active_mysql_profile_is_present,
run( '/usr/local/cpanel/scripts/check_mysql', { 'exit_ok' => [ 2, 255 ] } ),
action_cloudlinux_update(),
show_status('Updating plugins data cache'),
'/usr/local/cpanel/bin/refresh_plugin_cache',
show_status('Ensuring SSL certificate information for CCS is up to date.'),
'/usr/local/cpanel/scripts/ccs-check --run --ssl',
show_status('Ensure cpanel-plugins yum repo exists'),
\&_create_cpanel_plugins_repo,
show_status('Checking Addon Licenses'),
check_addon_licenses(),
show_status('Updating Public Suffix List'),
update_public_suffix_list(),
show_status('Ensure required cpanel-plugins are installed and updated.'),
\&_install_or_upgrade_plugin_packages,
);
}
push @{ $blocks->{'post'} }, (
show_status('Checking End Of Life for current version.'),
\&check_end_of_life,
);
my $maintenance_complete = Cpanel::Server::Type::is_dnsonly() ? q{DNSONLY maintenance complete.} : q{Maintenance complete.};
# build the todo list depending which block we want to run
# default = pre + post
my @todo = ( @{ $blocks->{'pre'} }, @{ $blocks->{'post'} } ); # Remove the todo once done
if ( $only_run && ref $blocks->{$only_run} ) {
@todo = @{ $blocks->{$only_run} };
$maintenance_complete .= " [state=$only_run]";
}
# we have now reach 100%, move the progress bar
push @todo, (
$do_progress_bar->( complete => 1 ),
show_status("\n\n$maintenance_complete\n"),
);
# how many actions do we have to run which are neither a status nor a pbar item
my $total_actions = grep { my $ref = ref $_; $ref ne 'PBAR' && $ref !~ /Action::(?:Status|Command)/ } @todo;
# initialize progress bar with: from % to % and number of elements
$increment_pbar = increment_pbar( $starting_pbar, $finishing_pbar, $total_actions );
run_actions( \@todo, $increment_pbar );
return logger()->get_need_notify() ? 1 : 0;
}
sub check_end_of_life { # EOL
# Send a notification if this version is nearing end of life
local $@;
eval {
open my $mainip_fh, '<', '/var/cpanel/mainip' or die "Can't open < /var/cpanel/mainip: $!";
my $ip = <$mainip_fh>;
close $mainip_fh;
chomp $ip;
my $icontact_class = 'Update::EndOfLife';
Cpanel::Notify::notification_class(
constructor_args => [ origin => 'upcp', source_ip_address => $ip ],
map { $_ => $icontact_class } qw(class application),
);
1;
} or logger()->warning("Error while checking end of life: $@");
return;
}
sub sqlite_auto_rebuild_if_needed {
return if !_is_saturday_or_sunday();
#If the touch file is newer than the current time
#we assume the system had a clock issue and run.
my $now = time();
my $last_ran = ( stat $SQLITE_AUTO_REBUILD_LAST_RAN_FILE )[9] || 0;
return if $last_ran < $now && $now < ( $last_ran + ( 5 * 86400 ) );
do { open( my $fh, '>', $SQLITE_AUTO_REBUILD_LAST_RAN_FILE ) or warn "open($SQLITE_AUTO_REBUILD_LAST_RAN_FILE): $!" };
#This gets a longer timeout because on heavily populated
#servers it can take over an hour to finish.
return run(
'/usr/local/cpanel/scripts/perform_sqlite_auto_rebuild_db_maintenance',
{
timeout => 10000,
},
);
}
#mocked in tests
sub _is_saturday_or_sunday {
#Only run on Saturday or Sunday
my $wday = (localtime)[6];
return ( ( $wday == 0 ) || ( $wday == 6 ) );
}
our %touch_file_mock; # Used to fake if touch files are present.
sub touch_file_exists {
my ($file) = @_;
$file or return;
# Provide an easy way to mock file existance.
return $touch_file_mock{$file} if exists $touch_file_mock{$file};
return -e $file;
}
sub file_is_executable {
my $file = shift;
# for now use the same mock hash
return $touch_file_mock{$file} if exists $touch_file_mock{$file};
return -x $file;
}
sub populated_touch_file_exists {
my ($file) = @_;
$file or return;
# Provide an easy way to mock file existance.
return $touch_file_mock{$file} if exists $touch_file_mock{$file};
return -e $file && !-z _;
}
################################################################
####[ Subroutines ]#############################################
################################################################
sub run_action { # avoid to use array ref when using it from a single action
my (@todo) = @_;
return run_actions( \@todo );
}
sub run_actions {
my ( $todo, $increment_pbar ) = @_;
die unless ref $todo;
foreach my $cmd (@$todo) {
my $start_time = Cpanel::TimeHiRes::time();
my $type = ref $cmd;
my $action = {};
if ( $type eq 'Action::Command' ) {
$action = {%$cmd};
$cmd = $action->{'cmd'};
}
elsif ( $type eq 'Action::Status' ) {
$action = { status => $cmd->[0] };
$cmd = undef;
}
elsif ($type) {
if ( $type eq 'CODE' ) {
if ($DRY_RUN) {
print "[dry-run mode] CodeRef\n";
}
else {
# custom cases with some extra code around the action
# let them do what they want
local $@;
# Ensure that we do not allow a single action to
# cause the entire script to fail.
eval { $cmd->(); };
warn if $@;
}
$increment_pbar->() if ref $increment_pbar;
my $runtime = sprintf( "%0.3f", Cpanel::TimeHiRes::time() - $start_time );
logger()->info(" - Finished in $runtime seconds");
}
elsif ( $type eq 'PBAR' ) {
$cmd->();
}
next;
}
$action->{cmd} = [ split( /\s+/, $cmd ) ] if $cmd;
process($action);
my $runtime = sprintf( "%0.3f", Cpanel::TimeHiRes::time() - $start_time );
logger()->info(" - Finished command `$cmd` in $runtime seconds") if $cmd;
$increment_pbar->() if ref $increment_pbar;
}
return;
}
sub show_status {
my $msg = shift;
return unless defined $msg or length $msg;
my $status = [$msg];
bless $status, 'Action::Status';
return $status;
}
sub run {
my ( $cmd, $options ) = @_;
my $status = { %$options, cmd => $cmd };
bless $status, 'Action::Command';
return $status;
}
sub process {
my ($action) = @_;
$action->{'status'} = '' if !defined $action->{'status'};
if ( length( $action->{'status'} ) ) {
logger()->info("Processing: $action->{'status'}");
return;
}
my @cmd = @{ $action->{'cmd'} };
if ($DRY_RUN) {
print "[dry-run mode] " . join( ' ', @cmd, "\n" );
return;
}
logger()->info(" - Processing command `@cmd`");
my ( $program, @args ) = @cmd;
my $logger = logger();
my $run = eval {
Cpanel::SafeRun::Object->new(
'program' => $program,
'args' => \@args,
'stdout' => Cpanel::IOCallbackWriteLine->new(
sub {
$logger->info(" [$program] $_[0]");
}
)
);
};
$? = -1; ## no critic qw(Variables::RequireLocalizedPunctuationVars) -- needed for compat
if ($@) {
logger()->error( " [$program] $@", 1 );
logger()->set_need_notify();
return;
}
$? = $run->CHILD_ERROR(); ## no critic qw(Variables::RequireLocalizedPunctuationVars) -- needed for compat
if ( my $exit = $run->CHILD_ERROR() ) {
$exit >>= 8;
return if $exit && $action->{'exit_ok'} && grep { $exit == $_ } @{ $action->{'exit_ok'} };
if ( my $stderr = $run->stderr() ) {
foreach my $line ( split( m{\n}, $stderr ) ) {
logger()->error( " [$program] " . $line );
}
}
logger()->error( " [$program] " . $run->autopsy(), 1 );
logger()->set_need_notify();
return;
}
}
# list of actions which need some extra logic or being postponed
sub action_vps_optimizer {
return if Cpanel::Server::Type::is_dnsonly(); # idea move this check to the script itself
return (
show_status('Running platform specific optimizations'),
'/usr/local/cpanel/scripts/vps_optimizer'
);
}
sub action_update_spamassassin_rules {
return if $ENV{'CPANEL_BASE_INSTALL'};
return unless Cpanel::Update::Config::is_permitted( 'SARULESUP', get_update_conf() );
return sub {
return run_action(
show_status('Updating Apache SpamAssassin™ rules'),
background_update_spamassassin_rules(),
);
};
}
sub action_update_rdns_ips_cache {
return sub {
return run_action(
show_status('Updating Reverse DNS Cache'),
background_update_rdns_ips_cache(),
);
};
}
sub background_update_rdns_ips_cache {
return sub {
warn if !eval { Cpanel::ServerTasks::queue_task( ['DNSTasks'], "update_reverse_dns_cache" ); 1; };
warn if !eval { Cpanel::ServerTasks::schedule_task( ['CpDBTasks'], 600, "update_userdomains" ); 1; };
};
}
sub background_update_spamassassin_rules {
return sub {
warn if !eval { Cpanel::ServerTasks::queue_task( ['SpamassassinTasks'], 'update_spamassassin_rules' ); 1 };
};
}
sub background_sprite_generator {
return sub {
eval { Cpanel::ServerTasks::queue_task( ['SpriteTasks'], 'sprite_generator' ); };
};
}
sub action_set_up_dns_resolver_workarounds {
return sub {
return run_action(
show_status('Setting up resolver workarounds'),
background_set_up_dns_resolver_workarounds(),
);
};
}
sub background_set_up_dns_resolver_workarounds {
return sub {
warn if !eval { Cpanel::ServerTasks::queue_task( ['DNSTasks'], "set_up_dns_resolver_workarounds" ); 1; };
};
}
sub action_sprite_generator {
return sub {
return run_action(
show_status('Rebuilding sprites'),
background_sprite_generator(),
);
};
}
sub background_freshclam {
return sub {
eval { Cpanel::ServerTasks::queue_task( ['ClamTasks'], 'freshclam --quiet -l /var/log/clam-update.log' ); };
};
}
sub action_background_refresh_dkim_validity_cache {
return sub {
eval { Cpanel::ServerTasks::queue_task( ['DKIMTasks'], 'refresh_entire_dkim_validity_cache' ); };
};
}
sub action_update_freshclam {
return sub { # postpone the check if the binary is restored by RPM transaction
my $freshclam_bin = Cpanel::Binaries::path('freshclam');
return unless file_is_executable($freshclam_bin);
return run_action(
show_status('Updating virus patterns'),
background_freshclam(),
);
}
}
sub action_purge_dead_comet_files {
return (
show_status('Purging old comet files'),
'/usr/local/cpanel/bin/purge_dead_comet_files --quiet',
);
}
sub action_update_packages {
return sub { # need RPM_IS_BROKEN to be set
return unless Cpanel::Update::Config::is_permitted( 'RPMUP', get_update_conf() );
return if $RPM_IS_BROKEN;
return run_action(
show_status('Running update-packages'),
'/usr/local/cpanel/scripts/update-packages'
);
};
}
sub action_ensure_mysql_upgrade_hook {
return sub {
require Cpanel::MariaDB;
my $config = scalar Cpanel::Config::LoadCpConf::loadcpconf();
my $set_version = $config->{'mysql-version'};
return if $set_version < 5.7;
if ( Cpanel::MariaDB::version_is_mariadb($set_version) ) {
require Cpanel::MariaDB::Install;
my $mysql_install_obj = Cpanel::MariaDB::Install->new( 'output_obj' => logger() );
$mysql_install_obj->install_upgrade_hook();
return 1;
}
require Cpanel::Mysql::Install;
my $mysql_install_obj = Cpanel::Mysql::Install->new( 'output_obj' => logger() );
$mysql_install_obj->install_upgrade_hook();
return 1;
}
}
sub action_update_pear_registry_in_the_background {
return sub {
return Cpanel::SafeRun::BG::nooutputsystembg('/usr/local/cpanel/scripts/process_pending_cpanel_php_pear_registration');
};
}
sub _create_cpanel_plugins_repo {
warn if !eval {
require Cpanel::Plugins::Repo;
Cpanel::Plugins::Repo::install();
1;
};
return;
}
sub _install_or_upgrade_plugin_packages {
my @plugin_pkgs = ( 'cpanel-koality-plugin', 'cpanel-sitejet-plugin' );
logger()->info("Checking for required cPanel & WHM plugins to install...");
require Cpanel::Plugins;
for my $pkg (@plugin_pkgs) {
next if Cpanel::Plugins::is_plugin_installed($pkg);
logger()->info("Installing the cPanel & WHM plugin $pkg.");
eval { Cpanel::Plugins::install_plugins($pkg); };
logger()->info($@) if $@;
}
return;
}
sub action_sysup {
return if $ENV{'CPANEL_BASE_INSTALL'}; # This will already have been run on initial install
return sub { # need RPM_IS_BROKEN to be set
if ($RPM_IS_BROKEN) {
logger()->error('RPM is not functioning. Skipping sysup.');
return;
}
return run_action(
show_status('Updating system packages: sysup'),
'/usr/local/cpanel/scripts/sysup'
);
};
}
sub _find_and_fix_rpm_issue_script { # for testing purpose
return '/usr/local/cpanel/scripts/find_and_fix_rpm_issues';
}
sub background_install_els {
return sub {
Cpanel::ServerTasks::schedule_task( ['ELS'], 3600, 'install_els' );
};
}
sub action_install_els {
return sub {
return if -e '/etc/els-release'; # ELS is already installed
return if $RPM_IS_BROKEN;
return unless Cpanel::OS::needs_els();
return unless Cpanel::Server::Type::has_els();
return run_action(
show_status('Installing ELS'),
background_install_els(),
);
};
}
sub action_find_and_fix_rpm_issues {
return unless Cpanel::OS::is_rpm_based();
return if $ENV{'CPANEL_BASE_INSTALL'}; # we will not get here if rpm is broken
return sub {
local $?;
process( { 'status' => 'Checking RPM DB for corruption' } );
process( { 'cmd' => [ _find_and_fix_rpm_issue_script() ] } );
if ( ( $? >> 8 ) > 0 ) {
logger()->error('RPM is not functioning and automatic repair failed.');
logger()->error('Tasks for update-packages, sysup, and check_cpanel_pkgs will be skipped.');
$RPM_IS_BROKEN = 1;
}
return;
};
}
sub action_updatesigningkey {
# Update signing keys, if enabled.
return unless Cpanel::Crypt::GPG::Settings::signature_validation_enabled();
return (
show_status('Updating cPanel signing keys.'),
'/usr/local/cpanel/scripts/updatesigningkey'
);
}
sub action_cloudlinux_update {
return unless Cpanel::OS::supports_or_can_become_cloudlinux();
return (
show_status('Checking CloudLinux installation'),
'/usr/local/cpanel/bin/cloudlinux_update',
);
}
sub action_checkallsslcerts {
# Base install does this in the background before upcp
return if $ENV{'CPANEL_BASE_INSTALL'};
my $max_delay_seconds = 18 * 60 * 60; # 18 hours
my $bytes_to_get = length($max_delay_seconds) + 1;
my $rand_int = Cpanel::Rand::Get::getranddata( $bytes_to_get, [ 0 .. 9 ] );
my $delay_seconds = $rand_int % $max_delay_seconds;
# Should be between 1 and $max_delay_seconds
# scheduling a task for 0 seconds will cause queueprocd to throw an error
$delay_seconds++;
return (
show_status('Scheduling task to check service default SSL/TLS certificates'),
sub {
Cpanel::ServerTasks::schedule_task(
['ScriptTasks'],
$delay_seconds,
'run_script /usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose'
);
}
);
}
sub action_build_locale_databases {
return if $ENV{'CPANEL_BASE_INSTALL'};
return (
show_status('Ensuring locale databases are up to date'),
sub {
Cpanel::ServerTasks::schedule_task( ['LocaleTasks'], 300, "build_locale_databases" );
}
);
}
sub action_init_wwwacct_conf {
return if touch_file_exists('/etc/wwwacct.conf');
return (
show_status('Creating account configuration file /etc/wwwacct.conf'),
'/usr/local/cpanel/scripts/mkwwwacctconf',
);
}
sub _var_named_path { return '/var/named' } # for unit tests purpose
sub action_fixrndc {
return if touch_file_exists('/etc/nameddisable') or touch_file_exists('/etc/binddisable');
return if $ENV{'CPANEL_BASE_INSTALL'}; # Base install does this in the background before upcp
my $status = 'Checking and repairing nameserver config';
if ( !touch_file_exists( _var_named_path() ) ) {
return sub {
mkdir( _var_named_path(), 0755 ); # probably safe to do it earlier and simplify this code
return run_action(
show_status($status),
'/usr/local/cpanel/scripts/fixrndc -f',
);
};
}
return (
show_status($status),
'/usr/local/cpanel/scripts/fixrndc'
);
}
sub action_ipaliases {
return (
show_status('Setting up IP aliases startup'),
'/usr/local/cpanel/whostmgr/bin/setupipaliases',
);
}
sub action_check_cpanel_pkgs {
return if $ENV{'CPANEL_BASE_INSTALL'};
return sub { # need RPM_IS_BROKEN to be set
my $cpconf = get_cpconf();
if ($RPM_IS_BROKEN) {
logger()->error('RPM is not functional. Skipping check_cpanel_pkgs.');
}
elsif ( $cpconf->{'maintenance_rpm_version_check'} ) {
my $status = 'Checking cPanel packages';
my @rpmcheck_args = (qw{ --list-only --long-list --notify });
my $its_a_weekday = _is_saturday_or_sunday() ? 0 : 1;
if ( !$cpconf->{'maintenance_rpm_version_digest_check'} || $ENV{'CPANEL_BASE_INSTALL'} || $its_a_weekday ) {
# the user doesn't want a digest check and we're not being forced into it #
# In order to minimize server load and reduce install times we only do
# a full digest check on the weekends if the user hasn't disabled it.
$status .= ' (with no digest check or broken check)';
push @rpmcheck_args, '--no-digest';
push @rpmcheck_args, '--no-broken';
}
return run_action(
show_status($status),
join( ' ', '/usr/local/cpanel/scripts/check_cpanel_pkgs', @rpmcheck_args ),
);
}
else {
logger()->info('Skipping cPanel package check due to configuration');
}
return;
};
}
sub action_ftpquotacheck {
return unless Cpanel::Services::Enabled::is_enabled('ftp');
return '/usr/local/cpanel/scripts/ftpquotacheck';
}
sub action_repair_mailman {
return sub { # postpone it as can binary can be there only once RPM is fixed
my $cpconf = get_cpconf();
return unless ( !$cpconf->{'skipmailman'} && file_is_executable("$Cpanel::ConfigFiles::MAILMAN_ROOT/bin/check_perms") );
chdir("$Cpanel::ConfigFiles::MAILMAN_ROOT/bin");
my $ok = run_action(
show_status('Repairing Mailman Permissions'),
'./check_perms -f --noarchives',
);
chdir('/usr/local/cpanel'); # return where we should be ?
return $ok;
};
}
sub _mysqld_sh_path { return '/usr/local/etc/rc.d/mysqld.sh' } # for unit test purpose only
sub action_repair_mysql {
return unless touch_file_exists( _mysqld_sh_path() );
return sub {
unlink _mysqld_sh_path();
return run_action(
show_status('Repairing MySQL startup'),
'/usr/local/cpanel/scripts/restartsrv mysql',
);
};
}
sub action_purge_modsec {
return if $ENV{'CPANEL_BASE_INSTALL'};
return '/usr/local/cpanel/scripts/purge_modsec_log';
}
# for unit test purpose only
sub _passwd_files_to_chmod {
return [ '/etc/shadow.tmpeditlib', '/etc/master.passwd.tmpeditlib' ];
}
sub action_passwd {
return sub {
my $files = _passwd_files_to_chmod();
# Quick security check on the tmpeditlib files in case they are there
foreach my $f (@$files) {
chmod( 0600, $f ) if touch_file_exists($f);
}
return;
};
}
sub action_buildexim {
return sub { # postponed if the file is created/touched by one rpm (hook)... to preserve original behavior
return
if populated_touch_file_exists('/etc/exim.conf')
and populated_touch_file_exists('/etc/exim.pl.local');
# run only if one of the file is missing / empty
return run_action(
show_status('EXIM sanity checking'),
'/usr/local/cpanel/scripts/buildeximconf --no_chown_spool',
);
};
}
sub action_eximstats {
return sub {
# Eximstats recover of /var/cpanel/sql/eximstats.sql, if it exists
return unless touch_file_exists('/var/cpanel/sql/eximstats.sql');
return run_action(
show_status('Recovering data stored in /var/cpanel/sql/eximstats.sql'),
'/usr/local/cpanel/scripts/restartsrv_eximstats'
);
};
}
# If eximstats is disabled, we need to handle clearing of old tracker files here.
sub action_exim_purge_old_tracker_files {
return sub {
my $cpconf = get_cpconf();
return unless $cpconf->{'skipeximstats'} && $cpconf->{'skipeximstats'} eq '1';
require Cpanel::EmailTracker::Purge;
logger()->info('Purging old email tracker files');
Cpanel::EmailTracker::Purge::purge_old_tracker_files();
return;
};
}
sub action_cleanup_signature {
return (
show_status('Cleaning Signature Timestamp Cache'),
sub {
my $sig_cache = Cpanel::Crypt::GPG::VendorKeys::TimestampCache->new();
$sig_cache->cleanup_signature_cache();
return;
},
);
}
sub action_enable_onboot_handler {
return sub {
# Ensure that the handler for code on reboot is enabled
my $root_crontab = Cpanel::Cron::Utils::fetch_user_crontab('root');
# Already enabled.
return if $root_crontab =~ /\@reboot\s+\/usr\/local\/cpanel\/bin\/onboot_handler/;
logger()->info("Enabling onboot_handler for root in cron");
$root_crontab .= "\@reboot /usr/local/cpanel/bin/onboot_handler\n";
Cpanel::Cron::Utils::save_root_crontab($root_crontab);
}
}
# </end of actions>
# local cache configuration to be able to use them
{
my $conf; # state like variable
sub get_update_conf {
$conf = { Cpanel::Update::Config::load() } if !defined $conf;
return $conf;
}
sub reset_update_conf { # for testing purpose
undef($conf);
return;
}
}
# loadcpconf already caches this so we don't need to re-cache it here.
*get_cpconf = \&Cpanel::Config::LoadCpConf::loadcpconf;
{
my $logger;
sub setup_logger {
my ( $logfile_path, $starting_pbar ) = @_;
return $logger = Cpanel::Update::Logger->new( { 'logfile' => $logfile_path, 'stdout' => 1, 'log_level' => 'info', defined $starting_pbar ? ( 'pbar' => $starting_pbar ) : () } );
}
sub logger {
$logger = setup_logger() unless defined $logger; # mainly for mocking
return $logger;
}
}
sub increment_pbar {
my ( $start, $end, $items ) = @_;
my $_current_ratio = $start;
my $_last_update = 0;
# do a -1 to the total to leave it to the end
my $points = ( $end - $start - 1 ) || 1;
$items ||= $points; # number of elements in our array
my $w = $points / $items; # default points to increase +1
return sub {
my (%opts) = @_;
if ( $opts{complete} ) {
# we reach the end we can now use the final result
$_last_update = $_current_ratio = $end;
logger()->update_pbar($end);
return;
}
my $previous = $_current_ratio;
$_current_ratio += $w;
$_current_ratio = $end if $_current_ratio > $end;
my $normalize = int($_current_ratio);
# includes a protection to avoid displaying duplicates
logger()->update_pbar($normalize);
return;
}
}
sub setupenv {
Cpanel::Env::clean_env();
delete $ENV{'DOCUMENT_ROOT'};
delete $ENV{'SERVER_SOFTWARE'};
if ( $ENV{'WHM50'} ) {
$ENV{'GATEWAY_INTERFACE'} = 'CGI/1.1';
}
( $ENV{'USER'}, $ENV{'HOME'} ) = ( getpwuid($>) )[ 0, 7 ];
$ENV{'PATH'} .= ':/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/bin';
$ENV{'LANG'} = 'C';
$ENV{'LC_ALL'} = 'C';
return;
}
sub setupcrontab {
logger()->info('Setting up cronjobs');
logger()->info('Setting Up update_db_cache Crontab');
logger()->info('Setting Up update_maiman_cache Crontab');
logger()->info('Setting Up dcpumon Crontab');
try {
Cpanel::Config::Crontab::sync_root_crontab();
}
catch {
warn "Failed to sync root crontab: $_";
};
return;
}
sub clean_roundcube_attachment_directory {
my $roundcube_tmp = '/var/cpanel/roundcube/tmp';
opendir my $dh, $roundcube_tmp or return;
my @old_files = grep { -M $_ > 7.0 } map { "$roundcube_tmp/$_" } grep { !m/^\.{1,2}$/ } readdir $dh;
closedir $dh;
my $clean = sub { unlink @old_files };
return Cpanel::AccessIds::do_as_user( 'cpanelroundcube', $clean );
}
sub check_mysql_version {
# no need to check on first install
return if $ENV{'CPANEL_BASE_INSTALL'};
my ( $reco_version, $current_version, $version_is_mysql, $display_name, $err );
try {
$current_version = Cpanel::MysqlUtils::Version::current_mysql_version();
}
catch {
$err = $_;
};
if ($err) {
logger()->info("Unable to determine MySQL version because of an error: $err. Skipping MySQL version check...");
return;
}
elsif ( !$current_version->{'short'} ) {
logger()->info("Unable to determine MySQL version. Skipping MySQL version check...");
return;
}
# We check the remote mysql version in Install::CheckRemoteMySQLVersion,
# so we'll skip the check here
return if $current_version->{'is_remote'};
$current_version = $current_version->{'short'};
$version_is_mysql = Cpanel::MysqlUtils::Version::version_is_mysql();
$display_name = $version_is_mysql ? "MySQL" : "MariaDB";
$reco_version = $version_is_mysql ? $Cpanel::MysqlUtils::Version::MINIMUM_RECOMMENDED_MYSQL_RELEASE : $Cpanel::MysqlUtils::Version::MINIMUM_RECOMMENDED_MARIADB_RELEASE;
# if less than the minimum recommended version, recommend an update.
if ( Cpanel::MysqlUtils::Version::is_at_least( $current_version, $reco_version ) ) {
logger()->info("“$display_name” version “$current_version” is greater than or equal to the recommended minimum version, “$reco_version”.");
}
else {
logger()->info("“$display_name” version “$current_version” is less than the recommended minimum version, “$reco_version”.");
my @outdated = ();
push @outdated,
{
'label' => $display_name,
'current_version' => $current_version,
'min_reco_version' => $reco_version,
'upgrade_url' => 'https://go.cpanel.net/mysqlup',
};
require Cpanel::Notify;
Cpanel::Notify::notification_class(
'class' => 'OutdatedSoftware::Notify',
'application' => 'OutdatedSoftware::Notify',
'constructor_args' => [
'origin' => 'scripts/maintenance',
'outdated_software' => \@outdated,
]
);
}
return;
}
sub ensure_active_mysql_profile_is_present {
eval {
require Cpanel::MysqlUtils::RemoteMySQL::ProfileManager;
Cpanel::MysqlUtils::RemoteMySQL::ProfileManager->new()->generate_active_profile_if_none_set();
};
return 1;
}
#############################################################################
## Goes through cpupdate.conf and purge entries invalid since 11.36
sub purge_cpupdate_conf {
my $dir = Cpanel::RPM::Versions::Directory->new( { 'directory' => '/var/cpanel/rpm.versions.d', 'logger' => logger() } );
if ( $dir->config_changed() ) {
$dir->save();
}
return;
}
our $upcp_log_dir = '/var/cpanel/updatelogs';
sub purge_upcp_logs {
my ($days) = @_;
if ( !defined $days ) {
my $cpconf = get_cpconf();
$days = $cpconf->{'upcp_log_retention_days'};
}
# On initial upgrade, upcp_log_retention_days isn't set yet. We'll enforce the default here.
if ( $days < 3 ) {
logger()->warning("upcp_log_retention_days unexpectedly set to $days. Temporarily setting to 45 days.");
$days = 45;
}
logger()->info("Purging upcp logs older than $days days.");
my $purge_older_than = time - ( 86400 * $days );
opendir( my $dir_fh, $upcp_log_dir ) or do {
logger()->warning("Cannot read '$upcp_log_dir' for purging.");
};
while ( my $file = readdir($dir_fh) ) {
# Special files we don't purge
next if ( $file eq '.' or $file eq '..' or $file eq 'summary.log' );
# Skip if the file is new enough.
my @stats = lstat("$upcp_log_dir/$file");
next unless ( @stats && $stats[9] < $purge_older_than );
# The file can be removed.
unlink "$upcp_log_dir/$file";
}
closedir($dir_fh);
return;
}
sub check_addon_licenses {
return sub {
# Base install does this in the background before upcp
if ( !$ENV{'CPANEL_BASE_INSTALL'} ) {
# Fire these off in a taskqueue so as not to hold up the rest of the script
eval { Cpanel::ServerTasks::queue_task( ['ScriptTasks'], 'run_script /usr/local/cpanel/scripts/litespeed-check --run' ); };
eval { Cpanel::ServerTasks::queue_task( ['ScriptTasks'], 'run_script /usr/local/cpanel/scripts/jetbackup-check --run' ); };
}
# Check for WordPress Toolkit license (regardless of whether in initial install or post-upcp maintenance)
eval { Cpanel::ServerTasks::queue_task( ['ScriptTasks'], 'run_script /usr/local/cpanel/bin/wpt_license --download' ); };
};
}
sub update_public_suffix_list {
try {
require IO::Socket::SSL::PublicSuffix;
IO::Socket::SSL::PublicSuffix::update_self_from_url();
require Cpanel::PublicSuffix;
Cpanel::PublicSuffix::clear_cache();
}
catch {
logger()->info('Unable to update the Pubic Suffix list');
};
return;
}
sub usage {
print <<EOM;
Usage: $0 [options]
Perform cPanel nightly maintenance tasks for upcp.
Where the supported options are:
--help
Display this screen and exit
--log={logfile path}
Log program output to the file named by {logfile path}
EOM
return 0;
}
exit( __PACKAGE__->script(@ARGV) || 0 ) if !caller();
1;