#!/usr/local/cpanel/3rdparty/bin/perl # cpanel - scripts/maintenance Copyright 2022 cPanel, L.L.C. # All rights reserved. # copyright@cpanel.net http://cpanel.net # This code is subject to the cPanel license. Unauthorized copying is prohibited package scripts::maintenance; use strict; use warnings; use Try::Tiny; use Cpanel::iContact::Class::Update::EndOfLife (); use Cpanel::AccessIds (); use Cpanel::Binaries (); use Cpanel::TimeHiRes (); use Cpanel::Config::LoadCpConf (); use Cpanel::ConfigFiles (); use Cpanel::Cron::Utils (); use Cpanel::Crypt::GPG::Settings (); use Cpanel::Crypt::GPG::VendorKeys::TimestampCache (); use Cpanel::Env (); use Cpanel::IOCallbackWriteLine (); use Cpanel::MysqlUtils::Version (); use Cpanel::Notify (); use Cpanel::OS (); use Cpanel::Rand::Get (); use Cpanel::RPM::Versions::Directory (); use Cpanel::SafeRun::Object (); use Cpanel::SafeRun::BG (); use Cpanel::Server::Type (); use Cpanel::ServerTasks (); use Cpanel::Services::Enabled (); use Cpanel::Sync::CheckRestore (); use Cpanel::Update::Config (); use Cpanel::Config::Crontab (); use Cpanel::Update::Logger (); use IO::Handle (); use IO::Select (); # hash we'll use to process each request our $RPM_IS_BROKEN = 0; our $_UPGRADE_IN_PROGRESS_FILE = '/usr/local/cpanel/upgrade_in_progress.txt'; my $DRY_RUN; our $SQLITE_AUTO_REBUILD_LAST_RAN_FILE = '/var/cpanel/.last_ran_sqlite_auto_rebuild_from_maintenance'; # Internal documentation: https://cpanel.wiki/x/zwwFAw sub script { my ( $class, @args ) = @_; if ( $> != 0 ) { print "This cPanel maintenance script must be run as root, not uid $>.\n"; return 2; } umask(0022); my $security_token = $ENV{'cp_security_token'} || ''; # default pcent when none are defined my $starting_pbar = 0; my $finishing_pbar = 100; # in case we are called before and outside of upcp setupenv(); my $only_run; # create a default logfile path, if called from upcp, use the log it passes my $now = time(); my $logfile_path = '/var/cpanel/updatelogs/maintenance' . $now . '.log'; my $custom_pbar; foreach my $arg (@args) { if ( $arg =~ m/^--log\=(.*)/ ) { $logfile_path = $1; } elsif ( $arg =~ m/^--pbar-start=([0-9]+)/ ) { $custom_pbar = 1; $starting_pbar = int($1); } elsif ( $arg =~ m/^--pbar-stop=([0-9]+)/ ) { $custom_pbar = 1; $finishing_pbar = int($1); } elsif ( $arg =~ m/^--dry-run$/ ) { # no doc required: dev only $DRY_RUN = 1; } elsif ( $arg =~ m/^--pre$/ ) { # no doc required: upcp only $only_run = 'pre'; } elsif ( $arg =~ m/^--post$/ ) { # no doc required: upcp only $only_run = 'post'; } elsif ( $arg =~ m/^--help/ ) { return usage(); } } open( STDERR, ">&STDOUT" ); $| = 1; # when start pbar is unset progress bar is not displayed setup_logger( $logfile_path, $custom_pbar ? $starting_pbar : undef ); # helper which normalize all percentage to be in [ $starting_pbar .. $finishing_pbar ] # the only thing that we should care are the capping values which should be between [ 0..100 ] my $increment_pbar; # initialize later as we can count how many tasks to run my $do_progress_bar = sub { my (@args) = @_; return bless sub { $increment_pbar->(@args) }, 'PBAR'; }; ############################################################################# # maintenance actions are split in 2 groups: pre and post # by default maintenance is going to run both groups: pre than post # /scripts/maintenance is similar to run # 1. ~maintenance --pre # 2. ~maintenance --post # but we can now run only one of these groups, this allow to run post_sync_cleanup earlier during upcp # /scripts/upcp is going to use maintenance script using 2 different calls # 1. update.now # 2. maintenance --pre # 3. post_sync_cleanup # 4. maintenance --post my $blocks = { pre => [], post => [] }; # This is the only pre block in this script. Only things that MUST happen before post_sync_cleanup should live here. push @{ $blocks->{'pre'} }, ( show_status('Assuring needed symlinks in 3rdparty/bin are in place.'), '/usr/local/cpanel/scripts/link_3rdparty_binaries', show_status('Setting clock'), '/usr/local/cpanel/scripts/rdate', # Process any possibly pending PHP PEAR updates from cpanel-php pear RPMs in the background, # as they should have already been installed during update.now action_update_pear_registry_in_the_background(), action_set_up_dns_resolver_workarounds(), action_background_refresh_dkim_validity_cache(), action_find_and_fix_rpm_issues(), # set RPM_IS_BROKEN (at run time): used by sysup and check_cpanel_pkgs action_install_els(), action_update_packages(), action_ensure_mysql_upgrade_hook(), ); push @{ $blocks->{'post'} }, ( show_status('Purging cpupdate.conf of invalid entries'), \&purge_cpupdate_conf, \&purge_upcp_logs, action_updatesigningkey(), action_sysup(), #We do it right after post sync cleanup and sysup #to ensure cPanel services have been restarted before we #do any system ones so that they can access cPanel #and monitor the system while the system services are #being restarted. show_status('Restarting any outdated services'), $ENV{'CPANEL_BASE_INSTALL'} ? () : ( run( '/usr/local/cpanel/scripts/find_outdated_services --auto', { exit_ok => [1] } ) ), # Base install does this in the background before upcp action_vps_optimizer(), # not on dnsonly show_status('Checking for a valid C Compiler.'), '/usr/local/cpanel/scripts/checkccompiler', action_build_locale_databases(), show_status('Migrating feature lists to current version (if needed)'), '/usr/local/cpanel/bin/migrate_all_feature_lists_to_current', show_status('Checking for main IP changes'), '/usr/local/cpanel/scripts/mainipcheck', show_status('Updating neighbor netblocks'), '/usr/local/cpanel/scripts/update_neighbor_netblocks', show_status('Updating known proxy ips'), '/usr/local/cpanel/scripts/update_known_proxy_ips', show_status('Validating server hostname'), # No need to check this on a fresh install since we already validate in the installer ( $ENV{'CPANEL_BASE_INSTALL'} ? () : ('/usr/local/cpanel/scripts/check_valid_server_hostname --notify') ), show_status('Validating cPanel system users'), '/usr/local/cpanel/scripts/checkusers', action_fixrndc(), action_init_wwwacct_conf(), action_ipaliases(), action_check_cpanel_pkgs(), show_status('Running env auto repair'), '/usr/local/cpanel/scripts/vzzo-fixer', '/usr/local/cpanel/scripts/quota_auto_fix', '/usr/local/cpanel/scripts/clear_orphaned_virtfs_mounts --inactiveonly', '/usr/local/cpanel/scripts/disable_prelink', show_status('Cleaning up orphaned filesystem quotas'), '/usr/local/cpanel/scripts/cleanquotas', ( $ENV{'CPANEL_BASE_INSTALL'} ? () : ('/usr/local/cpanel/scripts/autorepair autorepair') ), '/usr/local/cpanel/scripts/purge_old_config_caches', '/usr/local/cpanel/scripts/cleansessions', '/usr/local/cpanel/scripts/checkbashshell', action_passwd(), \&setupcrontab, '/usr/local/cpanel/scripts/dnsqueuecron', show_status('Rebuild WHM chrome cache'), '/usr/local/cpanel/scripts/rebuild_whm_chrome', # checkallsslcerts needs to run on DNSONLY # because we need an ssl cert for dovecot for it to startup # Ensure /var/cpanel/ssl/*-SIGNATURE_CHAIN_VERIFIED and # /var/cpanel/ssl/*-NO_AFTER is updated so Cpanel::Redirect # can make good descisions. This also ensures that # admins get timely notice of the expire time being # reached on their ssl certificates. action_checkallsslcerts(), show_status('Purging invalid or soon-to-expire Domain TLS entries for service domains'), '/usr/local/cpanel/scripts/check_domain_tls_service_domains.pl --prune', show_status('Cleaning up temporary wheel/sudo users'), '/usr/local/cpanel/scripts/clean_up_temp_wheel_users', ); if ( !Cpanel::Server::Type::is_dnsonly() ) { push @{ $blocks->{'post'} }, ( action_sprite_generator(), action_update_rdns_ips_cache(), show_status('Updating services and databases'), '/usr/local/cpanel/scripts/listcheck', action_purge_modsec(), ( $ENV{'CPANEL_BASE_INSTALL'} ? () : ( action_ftpquotacheck() ) ), '/usr/local/cpanel/scripts/updateuserdomains', '/usr/local/cpanel/bin/empty_user_trash --quiet --all', '/usr/local/cpanel/bin/empty_user_horde_temp_files --quiet --all', '/usr/local/cpanel/scripts/build_maxemails_config', '/usr/local/cpanel/scripts/updateuserdatacache --force', show_status('Checking system maxmem setting'), '/usr/local/cpanel/scripts/check_maxmem_against_domains_count --always-fix', show_status('Running various cleanup scripts'), '/usr/local/cpanel/scripts/resetmailmanurls', show_status('Checking MySQL to ensure we can connect'), ( # Base install does this in the background before upcp $ENV{'CPANEL_BASE_INSTALL'} ? () : ( '/usr/local/cpanel/scripts/mysqlconnectioncheck' # POST or leave it there ?? # We must update the rules before we compile them ) ), action_update_spamassassin_rules(), show_status('Checking PostgreSQL to ensure we can connect'), '/usr/local/cpanel/bin/postgrescheck --check-auth --reset-pass-on-fail', # POST or leave it there ?? action_repair_mailman(), action_repair_mysql(), show_status('Running sanity checks and notifications'), # status update '/usr/local/cpanel/scripts/chkpaths', '/usr/local/cpanel/scripts/hackcheck', '/usr/local/cpanel/scripts/oopscheck', '/usr/local/cpanel/scripts/fixetchosts', '/usr/local/cpanel/scripts/check_unreliable_resolvers --notify', '/usr/local/cpanel/bin/is_script_stuck --script=autossl_check --time=3h --kill --notify=root', ( $ENV{'CPANEL_BASE_INSTALL'} ? () : ('/usr/local/cpanel/scripts/quotacheck') ), '/usr/local/cpanel/scripts/email_archive_maintenance', '/usr/local/cpanel/scripts/email_hold_maintenance', '/usr/local/cpanel/scripts/expunge_expired_certificates_from_sslstorage', '/usr/local/cpanel/scripts/notify_expiring_certificates', '/usr/local/cpanel/scripts/notify_expiring_certificates_on_linked_nodes', '/usr/local/cpanel/scripts/expunge_expired_transfer_sessions', '/usr/local/cpanel/scripts/expunge_expired_pkgacct_sessions', '/usr/local/cpanel/scripts/smartcheck', '/usr/local/cpanel/scripts/compilerscheck', '/usr/local/cpanel/scripts/check_mount_procfs', sqlite_auto_rebuild_if_needed(), '/usr/local/cpanel/scripts/setup_modsec_db', '/usr/local/cpanel/scripts/modsec_vendor update --auto', '/usr/local/cpanel/bin/check_cpstore_in_sync_with_local_storage', action_purge_dead_comet_files(), action_update_freshclam(), show_status('Restoring compiler permissions'), '/usr/local/cpanel/scripts/compilers restore', show_status('Cleaning up mailbox trash'), '/usr/local/cpanel/scripts/dovecot_maintenance --background', show_status('Checking MySQL Version'), sub { check_mysql_version() }, show_status('Cleaning up root datastores and caches'), '/usr/local/cpanel/bin/clean-datastores --background root', ); } # end !dnsonly push @{ $blocks->{'post'} }, ( action_buildexim(), action_eximstats(), action_exim_purge_old_tracker_files(), sub { Cpanel::Sync::CheckRestore::check_and_restore("img-sys/powered_by_cpanel.svg") }, action_cleanup_signature(), action_enable_onboot_handler(), ); if ( !Cpanel::Server::Type::is_dnsonly() ) { # not dnsonly push @{ $blocks->{'post'} }, ( ( $ENV{'CPANEL_BASE_INSTALL'} ? () : ( show_status('Cleaning SpamAssassin DBM files'), '/usr/local/cpanel/scripts/spamassassin_dbm_cleaner' ) ), show_status('Cleaning Roundcube attachment directory'), \&clean_roundcube_attachment_directory, ( # This was causing an OOM on fresh install on the # $5/mo DO instance # There will be no one to notify on a fresh install # and this will run a few hours after the install # anyways $ENV{'CPANEL_BASE_INSTALL'} ? () : ( show_status('Checking for new security advice'), '/usr/local/cpanel/scripts/check_security_advice_changes --notify --background', ) ), show_status('Running former postinstall scripts'), '/usr/local/cpanel/bin/dcpumon --killproc', '/usr/local/cpanel/bin/setupdbmap', '/usr/local/cpanel/bin/fix_userdata_perms', '/usr/local/cpanel/scripts/detect_env_capabilities', ( # Base install does this in the background before upcp $ENV{'CPANEL_BASE_INSTALL'} ? () : ( show_status('Updating cPGreyList Common Mail Providers'), '/usr/local/cpanel/scripts/manage_greylisting --init --update_common_mail_providers' ) ), show_status('Checking for deprecated PHP local.ini'), '/usr/local/cpanel/scripts/migrate_local_ini_to_php_ini --run --verbose', show_status('Ensuring an "Active" MySQL profile is set'), \&ensure_active_mysql_profile_is_present, run( '/usr/local/cpanel/scripts/check_mysql', { 'exit_ok' => [ 2, 255 ] } ), action_cloudlinux_update(), show_status('Updating plugins data cache'), '/usr/local/cpanel/bin/refresh_plugin_cache', show_status('Ensuring SSL certificate information for CCS is up to date.'), '/usr/local/cpanel/scripts/ccs-check --run --ssl', show_status('Ensure cpanel-plugins yum repo exists'), \&_create_cpanel_plugins_repo, show_status('Checking Addon Licenses'), check_addon_licenses(), show_status('Updating Public Suffix List'), update_public_suffix_list(), show_status('Ensure required cpanel-plugins are installed and updated.'), \&_install_or_upgrade_plugin_packages, ); } push @{ $blocks->{'post'} }, ( show_status('Checking End Of Life for current version.'), \&check_end_of_life, ); my $maintenance_complete = Cpanel::Server::Type::is_dnsonly() ? q{DNSONLY maintenance complete.} : q{Maintenance complete.}; # build the todo list depending which block we want to run # default = pre + post my @todo = ( @{ $blocks->{'pre'} }, @{ $blocks->{'post'} } ); # Remove the todo once done if ( $only_run && ref $blocks->{$only_run} ) { @todo = @{ $blocks->{$only_run} }; $maintenance_complete .= " [state=$only_run]"; } # we have now reach 100%, move the progress bar push @todo, ( $do_progress_bar->( complete => 1 ), show_status("\n\n$maintenance_complete\n"), ); # how many actions do we have to run which are neither a status nor a pbar item my $total_actions = grep { my $ref = ref $_; $ref ne 'PBAR' && $ref !~ /Action::(?:Status|Command)/ } @todo; # initialize progress bar with: from % to % and number of elements $increment_pbar = increment_pbar( $starting_pbar, $finishing_pbar, $total_actions ); run_actions( \@todo, $increment_pbar ); return logger()->get_need_notify() ? 1 : 0; } sub check_end_of_life { # EOL # Send a notification if this version is nearing end of life local $@; eval { open my $mainip_fh, '<', '/var/cpanel/mainip' or die "Can't open < /var/cpanel/mainip: $!"; my $ip = <$mainip_fh>; close $mainip_fh; chomp $ip; my $icontact_class = 'Update::EndOfLife'; Cpanel::Notify::notification_class( constructor_args => [ origin => 'upcp', source_ip_address => $ip ], map { $_ => $icontact_class } qw(class application), ); 1; } or logger()->warning("Error while checking end of life: $@"); return; } sub sqlite_auto_rebuild_if_needed { return if !_is_saturday_or_sunday(); #If the touch file is newer than the current time #we assume the system had a clock issue and run. my $now = time(); my $last_ran = ( stat $SQLITE_AUTO_REBUILD_LAST_RAN_FILE )[9] || 0; return if $last_ran < $now && $now < ( $last_ran + ( 5 * 86400 ) ); do { open( my $fh, '>', $SQLITE_AUTO_REBUILD_LAST_RAN_FILE ) or warn "open($SQLITE_AUTO_REBUILD_LAST_RAN_FILE): $!" }; #This gets a longer timeout because on heavily populated #servers it can take over an hour to finish. return run( '/usr/local/cpanel/scripts/perform_sqlite_auto_rebuild_db_maintenance', { timeout => 10000, }, ); } #mocked in tests sub _is_saturday_or_sunday { #Only run on Saturday or Sunday my $wday = (localtime)[6]; return ( ( $wday == 0 ) || ( $wday == 6 ) ); } our %touch_file_mock; # Used to fake if touch files are present. sub touch_file_exists { my ($file) = @_; $file or return; # Provide an easy way to mock file existance. return $touch_file_mock{$file} if exists $touch_file_mock{$file}; return -e $file; } sub file_is_executable { my $file = shift; # for now use the same mock hash return $touch_file_mock{$file} if exists $touch_file_mock{$file}; return -x $file; } sub populated_touch_file_exists { my ($file) = @_; $file or return; # Provide an easy way to mock file existance. return $touch_file_mock{$file} if exists $touch_file_mock{$file}; return -e $file && !-z _; } ################################################################ ####[ Subroutines ]############################################# ################################################################ sub run_action { # avoid to use array ref when using it from a single action my (@todo) = @_; return run_actions( \@todo ); } sub run_actions { my ( $todo, $increment_pbar ) = @_; die unless ref $todo; foreach my $cmd (@$todo) { my $start_time = Cpanel::TimeHiRes::time(); my $type = ref $cmd; my $action = {}; if ( $type eq 'Action::Command' ) { $action = {%$cmd}; $cmd = $action->{'cmd'}; } elsif ( $type eq 'Action::Status' ) { $action = { status => $cmd->[0] }; $cmd = undef; } elsif ($type) { if ( $type eq 'CODE' ) { if ($DRY_RUN) { print "[dry-run mode] CodeRef\n"; } else { # custom cases with some extra code around the action # let them do what they want local $@; # Ensure that we do not allow a single action to # cause the entire script to fail. eval { $cmd->(); }; warn if $@; } $increment_pbar->() if ref $increment_pbar; my $runtime = sprintf( "%0.3f", Cpanel::TimeHiRes::time() - $start_time ); logger()->info(" - Finished in $runtime seconds"); } elsif ( $type eq 'PBAR' ) { $cmd->(); } next; } $action->{cmd} = [ split( /\s+/, $cmd ) ] if $cmd; process($action); my $runtime = sprintf( "%0.3f", Cpanel::TimeHiRes::time() - $start_time ); logger()->info(" - Finished command `$cmd` in $runtime seconds") if $cmd; $increment_pbar->() if ref $increment_pbar; } return; } sub show_status { my $msg = shift; return unless defined $msg or length $msg; my $status = [$msg]; bless $status, 'Action::Status'; return $status; } sub run { my ( $cmd, $options ) = @_; my $status = { %$options, cmd => $cmd }; bless $status, 'Action::Command'; return $status; } sub process { my ($action) = @_; $action->{'status'} = '' if !defined $action->{'status'}; if ( length( $action->{'status'} ) ) { logger()->info("Processing: $action->{'status'}"); return; } my @cmd = @{ $action->{'cmd'} }; if ($DRY_RUN) { print "[dry-run mode] " . join( ' ', @cmd, "\n" ); return; } logger()->info(" - Processing command `@cmd`"); my ( $program, @args ) = @cmd; my $logger = logger(); my $run = eval { Cpanel::SafeRun::Object->new( 'program' => $program, 'args' => \@args, 'stdout' => Cpanel::IOCallbackWriteLine->new( sub { $logger->info(" [$program] $_[0]"); } ) ); }; $? = -1; ## no critic qw(Variables::RequireLocalizedPunctuationVars) -- needed for compat if ($@) { logger()->error( " [$program] $@", 1 ); logger()->set_need_notify(); return; } $? = $run->CHILD_ERROR(); ## no critic qw(Variables::RequireLocalizedPunctuationVars) -- needed for compat if ( my $exit = $run->CHILD_ERROR() ) { $exit >>= 8; return if $exit && $action->{'exit_ok'} && grep { $exit == $_ } @{ $action->{'exit_ok'} }; if ( my $stderr = $run->stderr() ) { foreach my $line ( split( m{\n}, $stderr ) ) { logger()->error( " [$program] " . $line ); } } logger()->error( " [$program] " . $run->autopsy(), 1 ); logger()->set_need_notify(); return; } } # list of actions which need some extra logic or being postponed sub action_vps_optimizer { return if Cpanel::Server::Type::is_dnsonly(); # idea move this check to the script itself return ( show_status('Running platform specific optimizations'), '/usr/local/cpanel/scripts/vps_optimizer' ); } sub action_update_spamassassin_rules { return if $ENV{'CPANEL_BASE_INSTALL'}; return unless Cpanel::Update::Config::is_permitted( 'SARULESUP', get_update_conf() ); return sub { return run_action( show_status('Updating Apache SpamAssassin™ rules'), background_update_spamassassin_rules(), ); }; } sub action_update_rdns_ips_cache { return sub { return run_action( show_status('Updating Reverse DNS Cache'), background_update_rdns_ips_cache(), ); }; } sub background_update_rdns_ips_cache { return sub { warn if !eval { Cpanel::ServerTasks::queue_task( ['DNSTasks'], "update_reverse_dns_cache" ); 1; }; warn if !eval { Cpanel::ServerTasks::schedule_task( ['CpDBTasks'], 600, "update_userdomains" ); 1; }; }; } sub background_update_spamassassin_rules { return sub { warn if !eval { Cpanel::ServerTasks::queue_task( ['SpamassassinTasks'], 'update_spamassassin_rules' ); 1 }; }; } sub background_sprite_generator { return sub { eval { Cpanel::ServerTasks::queue_task( ['SpriteTasks'], 'sprite_generator' ); }; }; } sub action_set_up_dns_resolver_workarounds { return sub { return run_action( show_status('Setting up resolver workarounds'), background_set_up_dns_resolver_workarounds(), ); }; } sub background_set_up_dns_resolver_workarounds { return sub { warn if !eval { Cpanel::ServerTasks::queue_task( ['DNSTasks'], "set_up_dns_resolver_workarounds" ); 1; }; }; } sub action_sprite_generator { return sub { return run_action( show_status('Rebuilding sprites'), background_sprite_generator(), ); }; } sub background_freshclam { return sub { eval { Cpanel::ServerTasks::queue_task( ['ClamTasks'], 'freshclam --quiet -l /var/log/clam-update.log' ); }; }; } sub action_background_refresh_dkim_validity_cache { return sub { eval { Cpanel::ServerTasks::queue_task( ['DKIMTasks'], 'refresh_entire_dkim_validity_cache' ); }; }; } sub action_update_freshclam { return sub { # postpone the check if the binary is restored by RPM transaction my $freshclam_bin = Cpanel::Binaries::path('freshclam'); return unless file_is_executable($freshclam_bin); return run_action( show_status('Updating virus patterns'), background_freshclam(), ); } } sub action_purge_dead_comet_files { return ( show_status('Purging old comet files'), '/usr/local/cpanel/bin/purge_dead_comet_files --quiet', ); } sub action_update_packages { return sub { # need RPM_IS_BROKEN to be set return unless Cpanel::Update::Config::is_permitted( 'RPMUP', get_update_conf() ); return if $RPM_IS_BROKEN; return run_action( show_status('Running update-packages'), '/usr/local/cpanel/scripts/update-packages' ); }; } sub action_ensure_mysql_upgrade_hook { return sub { require Cpanel::MariaDB; my $config = scalar Cpanel::Config::LoadCpConf::loadcpconf(); my $set_version = $config->{'mysql-version'}; return if $set_version < 5.7; if ( Cpanel::MariaDB::version_is_mariadb($set_version) ) { require Cpanel::MariaDB::Install; my $mysql_install_obj = Cpanel::MariaDB::Install->new( 'output_obj' => logger() ); $mysql_install_obj->install_upgrade_hook(); return 1; } require Cpanel::Mysql::Install; my $mysql_install_obj = Cpanel::Mysql::Install->new( 'output_obj' => logger() ); $mysql_install_obj->install_upgrade_hook(); return 1; } } sub action_update_pear_registry_in_the_background { return sub { return Cpanel::SafeRun::BG::nooutputsystembg('/usr/local/cpanel/scripts/process_pending_cpanel_php_pear_registration'); }; } sub _create_cpanel_plugins_repo { warn if !eval { require Cpanel::Plugins::Repo; Cpanel::Plugins::Repo::install(); 1; }; return; } sub _install_or_upgrade_plugin_packages { my @plugin_pkgs = ( 'cpanel-koality-plugin', 'cpanel-sitejet-plugin' ); logger()->info("Checking for required cPanel & WHM plugins to install..."); require Cpanel::Plugins; for my $pkg (@plugin_pkgs) { next if Cpanel::Plugins::is_plugin_installed($pkg); logger()->info("Installing the cPanel & WHM plugin $pkg."); eval { Cpanel::Plugins::install_plugins($pkg); }; logger()->info($@) if $@; } return; } sub action_sysup { return if $ENV{'CPANEL_BASE_INSTALL'}; # This will already have been run on initial install return sub { # need RPM_IS_BROKEN to be set if ($RPM_IS_BROKEN) { logger()->error('RPM is not functioning. Skipping sysup.'); return; } return run_action( show_status('Updating system packages: sysup'), '/usr/local/cpanel/scripts/sysup' ); }; } sub _find_and_fix_rpm_issue_script { # for testing purpose return '/usr/local/cpanel/scripts/find_and_fix_rpm_issues'; } sub background_install_els { return sub { Cpanel::ServerTasks::schedule_task( ['ELS'], 3600, 'install_els' ); }; } sub action_install_els { return sub { return if -e '/etc/els-release'; # ELS is already installed return if $RPM_IS_BROKEN; return unless Cpanel::OS::needs_els(); return unless Cpanel::Server::Type::has_els(); return run_action( show_status('Installing ELS'), background_install_els(), ); }; } sub action_find_and_fix_rpm_issues { return unless Cpanel::OS::is_rpm_based(); return if $ENV{'CPANEL_BASE_INSTALL'}; # we will not get here if rpm is broken return sub { local $?; process( { 'status' => 'Checking RPM DB for corruption' } ); process( { 'cmd' => [ _find_and_fix_rpm_issue_script() ] } ); if ( ( $? >> 8 ) > 0 ) { logger()->error('RPM is not functioning and automatic repair failed.'); logger()->error('Tasks for update-packages, sysup, and check_cpanel_pkgs will be skipped.'); $RPM_IS_BROKEN = 1; } return; }; } sub action_updatesigningkey { # Update signing keys, if enabled. return unless Cpanel::Crypt::GPG::Settings::signature_validation_enabled(); return ( show_status('Updating cPanel signing keys.'), '/usr/local/cpanel/scripts/updatesigningkey' ); } sub action_cloudlinux_update { return unless Cpanel::OS::supports_or_can_become_cloudlinux(); return ( show_status('Checking CloudLinux installation'), '/usr/local/cpanel/bin/cloudlinux_update', ); } sub action_checkallsslcerts { # Base install does this in the background before upcp return if $ENV{'CPANEL_BASE_INSTALL'}; my $max_delay_seconds = 18 * 60 * 60; # 18 hours my $bytes_to_get = length($max_delay_seconds) + 1; my $rand_int = Cpanel::Rand::Get::getranddata( $bytes_to_get, [ 0 .. 9 ] ); my $delay_seconds = $rand_int % $max_delay_seconds; # Should be between 1 and $max_delay_seconds # scheduling a task for 0 seconds will cause queueprocd to throw an error $delay_seconds++; return ( show_status('Scheduling task to check service default SSL/TLS certificates'), sub { Cpanel::ServerTasks::schedule_task( ['ScriptTasks'], $delay_seconds, 'run_script /usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose' ); } ); } sub action_build_locale_databases { return if $ENV{'CPANEL_BASE_INSTALL'}; return ( show_status('Ensuring locale databases are up to date'), sub { Cpanel::ServerTasks::schedule_task( ['LocaleTasks'], 300, "build_locale_databases" ); } ); } sub action_init_wwwacct_conf { return if touch_file_exists('/etc/wwwacct.conf'); return ( show_status('Creating account configuration file /etc/wwwacct.conf'), '/usr/local/cpanel/scripts/mkwwwacctconf', ); } sub _var_named_path { return '/var/named' } # for unit tests purpose sub action_fixrndc { return if touch_file_exists('/etc/nameddisable') or touch_file_exists('/etc/binddisable'); return if $ENV{'CPANEL_BASE_INSTALL'}; # Base install does this in the background before upcp my $status = 'Checking and repairing nameserver config'; if ( !touch_file_exists( _var_named_path() ) ) { return sub { mkdir( _var_named_path(), 0755 ); # probably safe to do it earlier and simplify this code return run_action( show_status($status), '/usr/local/cpanel/scripts/fixrndc -f', ); }; } return ( show_status($status), '/usr/local/cpanel/scripts/fixrndc' ); } sub action_ipaliases { return ( show_status('Setting up IP aliases startup'), '/usr/local/cpanel/whostmgr/bin/setupipaliases', ); } sub action_check_cpanel_pkgs { return if $ENV{'CPANEL_BASE_INSTALL'}; return sub { # need RPM_IS_BROKEN to be set my $cpconf = get_cpconf(); if ($RPM_IS_BROKEN) { logger()->error('RPM is not functional. Skipping check_cpanel_pkgs.'); } elsif ( $cpconf->{'maintenance_rpm_version_check'} ) { my $status = 'Checking cPanel packages'; my @rpmcheck_args = (qw{ --list-only --long-list --notify }); my $its_a_weekday = _is_saturday_or_sunday() ? 0 : 1; if ( !$cpconf->{'maintenance_rpm_version_digest_check'} || $ENV{'CPANEL_BASE_INSTALL'} || $its_a_weekday ) { # the user doesn't want a digest check and we're not being forced into it # # In order to minimize server load and reduce install times we only do # a full digest check on the weekends if the user hasn't disabled it. $status .= ' (with no digest check or broken check)'; push @rpmcheck_args, '--no-digest'; push @rpmcheck_args, '--no-broken'; } return run_action( show_status($status), join( ' ', '/usr/local/cpanel/scripts/check_cpanel_pkgs', @rpmcheck_args ), ); } else { logger()->info('Skipping cPanel package check due to configuration'); } return; }; } sub action_ftpquotacheck { return unless Cpanel::Services::Enabled::is_enabled('ftp'); return '/usr/local/cpanel/scripts/ftpquotacheck'; } sub action_repair_mailman { return sub { # postpone it as can binary can be there only once RPM is fixed my $cpconf = get_cpconf(); return unless ( !$cpconf->{'skipmailman'} && file_is_executable("$Cpanel::ConfigFiles::MAILMAN_ROOT/bin/check_perms") ); chdir("$Cpanel::ConfigFiles::MAILMAN_ROOT/bin"); my $ok = run_action( show_status('Repairing Mailman Permissions'), './check_perms -f --noarchives', ); chdir('/usr/local/cpanel'); # return where we should be ? return $ok; }; } sub _mysqld_sh_path { return '/usr/local/etc/rc.d/mysqld.sh' } # for unit test purpose only sub action_repair_mysql { return unless touch_file_exists( _mysqld_sh_path() ); return sub { unlink _mysqld_sh_path(); return run_action( show_status('Repairing MySQL startup'), '/usr/local/cpanel/scripts/restartsrv mysql', ); }; } sub action_purge_modsec { return if $ENV{'CPANEL_BASE_INSTALL'}; return '/usr/local/cpanel/scripts/purge_modsec_log'; } # for unit test purpose only sub _passwd_files_to_chmod { return [ '/etc/shadow.tmpeditlib', '/etc/master.passwd.tmpeditlib' ]; } sub action_passwd { return sub { my $files = _passwd_files_to_chmod(); # Quick security check on the tmpeditlib files in case they are there foreach my $f (@$files) { chmod( 0600, $f ) if touch_file_exists($f); } return; }; } sub action_buildexim { return sub { # postponed if the file is created/touched by one rpm (hook)... to preserve original behavior return if populated_touch_file_exists('/etc/exim.conf') and populated_touch_file_exists('/etc/exim.pl.local'); # run only if one of the file is missing / empty return run_action( show_status('EXIM sanity checking'), '/usr/local/cpanel/scripts/buildeximconf --no_chown_spool', ); }; } sub action_eximstats { return sub { # Eximstats recover of /var/cpanel/sql/eximstats.sql, if it exists return unless touch_file_exists('/var/cpanel/sql/eximstats.sql'); return run_action( show_status('Recovering data stored in /var/cpanel/sql/eximstats.sql'), '/usr/local/cpanel/scripts/restartsrv_eximstats' ); }; } # If eximstats is disabled, we need to handle clearing of old tracker files here. sub action_exim_purge_old_tracker_files { return sub { my $cpconf = get_cpconf(); return unless $cpconf->{'skipeximstats'} && $cpconf->{'skipeximstats'} eq '1'; require Cpanel::EmailTracker::Purge; logger()->info('Purging old email tracker files'); Cpanel::EmailTracker::Purge::purge_old_tracker_files(); return; }; } sub action_cleanup_signature { return ( show_status('Cleaning Signature Timestamp Cache'), sub { my $sig_cache = Cpanel::Crypt::GPG::VendorKeys::TimestampCache->new(); $sig_cache->cleanup_signature_cache(); return; }, ); } sub action_enable_onboot_handler { return sub { # Ensure that the handler for code on reboot is enabled my $root_crontab = Cpanel::Cron::Utils::fetch_user_crontab('root'); # Already enabled. return if $root_crontab =~ /\@reboot\s+\/usr\/local\/cpanel\/bin\/onboot_handler/; logger()->info("Enabling onboot_handler for root in cron"); $root_crontab .= "\@reboot /usr/local/cpanel/bin/onboot_handler\n"; Cpanel::Cron::Utils::save_root_crontab($root_crontab); } } # # local cache configuration to be able to use them { my $conf; # state like variable sub get_update_conf { $conf = { Cpanel::Update::Config::load() } if !defined $conf; return $conf; } sub reset_update_conf { # for testing purpose undef($conf); return; } } # loadcpconf already caches this so we don't need to re-cache it here. *get_cpconf = \&Cpanel::Config::LoadCpConf::loadcpconf; { my $logger; sub setup_logger { my ( $logfile_path, $starting_pbar ) = @_; return $logger = Cpanel::Update::Logger->new( { 'logfile' => $logfile_path, 'stdout' => 1, 'log_level' => 'info', defined $starting_pbar ? ( 'pbar' => $starting_pbar ) : () } ); } sub logger { $logger = setup_logger() unless defined $logger; # mainly for mocking return $logger; } } sub increment_pbar { my ( $start, $end, $items ) = @_; my $_current_ratio = $start; my $_last_update = 0; # do a -1 to the total to leave it to the end my $points = ( $end - $start - 1 ) || 1; $items ||= $points; # number of elements in our array my $w = $points / $items; # default points to increase +1 return sub { my (%opts) = @_; if ( $opts{complete} ) { # we reach the end we can now use the final result $_last_update = $_current_ratio = $end; logger()->update_pbar($end); return; } my $previous = $_current_ratio; $_current_ratio += $w; $_current_ratio = $end if $_current_ratio > $end; my $normalize = int($_current_ratio); # includes a protection to avoid displaying duplicates logger()->update_pbar($normalize); return; } } sub setupenv { Cpanel::Env::clean_env(); delete $ENV{'DOCUMENT_ROOT'}; delete $ENV{'SERVER_SOFTWARE'}; if ( $ENV{'WHM50'} ) { $ENV{'GATEWAY_INTERFACE'} = 'CGI/1.1'; } ( $ENV{'USER'}, $ENV{'HOME'} ) = ( getpwuid($>) )[ 0, 7 ]; $ENV{'PATH'} .= ':/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/bin'; $ENV{'LANG'} = 'C'; $ENV{'LC_ALL'} = 'C'; return; } sub setupcrontab { logger()->info('Setting up cronjobs'); logger()->info('Setting Up update_db_cache Crontab'); logger()->info('Setting Up update_maiman_cache Crontab'); logger()->info('Setting Up dcpumon Crontab'); try { Cpanel::Config::Crontab::sync_root_crontab(); } catch { warn "Failed to sync root crontab: $_"; }; return; } sub clean_roundcube_attachment_directory { my $roundcube_tmp = '/var/cpanel/roundcube/tmp'; opendir my $dh, $roundcube_tmp or return; my @old_files = grep { -M $_ > 7.0 } map { "$roundcube_tmp/$_" } grep { !m/^\.{1,2}$/ } readdir $dh; closedir $dh; my $clean = sub { unlink @old_files }; return Cpanel::AccessIds::do_as_user( 'cpanelroundcube', $clean ); } sub check_mysql_version { # no need to check on first install return if $ENV{'CPANEL_BASE_INSTALL'}; my ( $reco_version, $current_version, $version_is_mysql, $display_name, $err ); try { $current_version = Cpanel::MysqlUtils::Version::current_mysql_version(); } catch { $err = $_; }; if ($err) { logger()->info("Unable to determine MySQL version because of an error: $err. Skipping MySQL version check..."); return; } elsif ( !$current_version->{'short'} ) { logger()->info("Unable to determine MySQL version. Skipping MySQL version check..."); return; } # We check the remote mysql version in Install::CheckRemoteMySQLVersion, # so we'll skip the check here return if $current_version->{'is_remote'}; $current_version = $current_version->{'short'}; $version_is_mysql = Cpanel::MysqlUtils::Version::version_is_mysql(); $display_name = $version_is_mysql ? "MySQL" : "MariaDB"; $reco_version = $version_is_mysql ? $Cpanel::MysqlUtils::Version::MINIMUM_RECOMMENDED_MYSQL_RELEASE : $Cpanel::MysqlUtils::Version::MINIMUM_RECOMMENDED_MARIADB_RELEASE; # if less than the minimum recommended version, recommend an update. if ( Cpanel::MysqlUtils::Version::is_at_least( $current_version, $reco_version ) ) { logger()->info("“$display_name” version “$current_version” is greater than or equal to the recommended minimum version, “$reco_version”."); } else { logger()->info("“$display_name” version “$current_version” is less than the recommended minimum version, “$reco_version”."); my @outdated = (); push @outdated, { 'label' => $display_name, 'current_version' => $current_version, 'min_reco_version' => $reco_version, 'upgrade_url' => 'https://go.cpanel.net/mysqlup', }; require Cpanel::Notify; Cpanel::Notify::notification_class( 'class' => 'OutdatedSoftware::Notify', 'application' => 'OutdatedSoftware::Notify', 'constructor_args' => [ 'origin' => 'scripts/maintenance', 'outdated_software' => \@outdated, ] ); } return; } sub ensure_active_mysql_profile_is_present { eval { require Cpanel::MysqlUtils::RemoteMySQL::ProfileManager; Cpanel::MysqlUtils::RemoteMySQL::ProfileManager->new()->generate_active_profile_if_none_set(); }; return 1; } ############################################################################# ## Goes through cpupdate.conf and purge entries invalid since 11.36 sub purge_cpupdate_conf { my $dir = Cpanel::RPM::Versions::Directory->new( { 'directory' => '/var/cpanel/rpm.versions.d', 'logger' => logger() } ); if ( $dir->config_changed() ) { $dir->save(); } return; } our $upcp_log_dir = '/var/cpanel/updatelogs'; sub purge_upcp_logs { my ($days) = @_; if ( !defined $days ) { my $cpconf = get_cpconf(); $days = $cpconf->{'upcp_log_retention_days'}; } # On initial upgrade, upcp_log_retention_days isn't set yet. We'll enforce the default here. if ( $days < 3 ) { logger()->warning("upcp_log_retention_days unexpectedly set to $days. Temporarily setting to 45 days."); $days = 45; } logger()->info("Purging upcp logs older than $days days."); my $purge_older_than = time - ( 86400 * $days ); opendir( my $dir_fh, $upcp_log_dir ) or do { logger()->warning("Cannot read '$upcp_log_dir' for purging."); }; while ( my $file = readdir($dir_fh) ) { # Special files we don't purge next if ( $file eq '.' or $file eq '..' or $file eq 'summary.log' ); # Skip if the file is new enough. my @stats = lstat("$upcp_log_dir/$file"); next unless ( @stats && $stats[9] < $purge_older_than ); # The file can be removed. unlink "$upcp_log_dir/$file"; } closedir($dir_fh); return; } sub check_addon_licenses { return sub { # Base install does this in the background before upcp if ( !$ENV{'CPANEL_BASE_INSTALL'} ) { # Fire these off in a taskqueue so as not to hold up the rest of the script eval { Cpanel::ServerTasks::queue_task( ['ScriptTasks'], 'run_script /usr/local/cpanel/scripts/litespeed-check --run' ); }; eval { Cpanel::ServerTasks::queue_task( ['ScriptTasks'], 'run_script /usr/local/cpanel/scripts/jetbackup-check --run' ); }; } # Check for WordPress Toolkit license (regardless of whether in initial install or post-upcp maintenance) eval { Cpanel::ServerTasks::queue_task( ['ScriptTasks'], 'run_script /usr/local/cpanel/bin/wpt_license --download' ); }; }; } sub update_public_suffix_list { try { require IO::Socket::SSL::PublicSuffix; IO::Socket::SSL::PublicSuffix::update_self_from_url(); require Cpanel::PublicSuffix; Cpanel::PublicSuffix::clear_cache(); } catch { logger()->info('Unable to update the Pubic Suffix list'); }; return; } sub usage { print <script(@ARGV) || 0 ) if !caller(); 1;