Improve service security and functionality#1
Conversation
|
Hi. Appreciate you found this project useful. And thanks for contributing back. I love the idea of having a simple tool to ease managing the hosts record even further! The script you've proposed is seemed to only support the specific use-case. Though I see it as a natural part, when composed with a bunch of other simple commands to manipulate the hosts records in a simple front-end, so it has a little bit more prospect of being reused. Something like this: $ systemd-hosts.d [-c, --create] my.domain(s) <some ip> # The target directory is likely to be the default one
$ systemd-hosts.d -d [--delete] my.domain # Delete the record
$ systemd-hosts.d -r [--resolve] my.domain # Perform a domain resolution?
$ systemd-hosts.d -t [--target-dir] /other/host.d my.domain ... # Use custom hosts.d location
$ sustemd-hosts.d -l [--list] # List the records for each fileAnd also the error handling... We probably want to notify the user if there's an issue with domain resolution, for example, and then abort. And also have some check not to accidentally destroy the data while overwriting/deleting the host record, if the file is actually contain anything apart of the our target host. I know this surpasses a fair bit what you originally proposed 😅 But does this addition sound worthwhile to you? Thanks for you time again. |
|
Sounds good, thanks! |
ghost
closed this
|
Eh.. Didn't expect to get such a response.. so quickly.. By closing PR, do you intent to abandon your effort? 😢 |
one-d-wide
left a comment
one-d-wide
left a comment
There was a problem hiding this comment.
Judging from the scope of this project, you're already using systemd, so why bother with crontab? 😄
I don't recall a way to create a persistent service+timer in one line from the top of my head, but you can use systemd-run --on-calendar <schedule> ... to quickly start a transient service to run a schedule, and systemd-analyze calendar <schedule> to verbosely parse and validate time description, which is a more descriptive than what crontab takes, right?
contrib/scripts/hosts-file-update.sh
Outdated
| EXIT_STATUS=$1 | ||
| fi | ||
|
|
||
| echo -e "Usage: ${0##*/} <hostname> <destination path>\n\nMaintain a hosts file record using DNS, the host command, and grep.\n\nExample with crontab: 0 5 * * * $0 remote.host.name /etc/hosts.d/remote.host.name.conf\nProduces: 127.0.0.1 remote.host.name\n" |
There was a problem hiding this comment.
I think this could be better expressed with EOF syntax to avoid creating an unbearably long line. Or even better, just using a bunch of echos, for each output line, so that the indentation is preserved.
systemd-hosts.d.service
Outdated
| ExecStart=/bin/sh -c 'echo -e "## Generated by systemd-hosts.d ##\\n" > $HOSTS_FILE' | ||
| ExecStart=/bin/sh -c 'echo -e "## All changes in this file will be ignored ##\\n" >> $HOSTS_FILE' | ||
| ExecStart=/bin/sh -c 'cat $HOSTS_DIRECTORY/*.conf | grep \'^[[:blank:]]*[^[:blank:]#;]\' >> $HOSTS_FILE' | ||
| ExecStart=/bin/sh -c 'cat $HOSTS_DIRECTORY/*.conf | grep \'^[[:blank:]]*[^[:blank:]#;]\' >> $HOSTS_FILE; exit 0' |
There was a problem hiding this comment.
Good catch. Though I'd generally express this by explicitly ignoring the exit code with ... || true, rather than trying to terminate right away.
contrib/scripts/hosts-file-update.sh
Outdated
| @@ -0,0 +1,38 @@ | |||
| #!/bin/bash | |||
| # | |||
| # Author: Self Denial <selfdenial@pm.me> | |||
There was a problem hiding this comment.
Oh, and, if you wish to keep a authorship notice, could you also include a license identifier?
Otherwise this might look like I just took your possibly copyright-reserved work.
There was a problem hiding this comment.
Probably a good idea but not code that I care about personally.
Yeah, I happened to be playing around with other projects and saw the notification (or am I a... BOT???) 🤖
Not necessarily but it sounds like you've a good idea already planned. I've also been re-considering my own deployment of I think that the functionality provided by the |
Hah, old habits. I've planned to get a timer working.
Thanks! |
It wasn't really. And it might be a while till I can get to it. So motivated contributions are always welcome)
It kinda already is a system(d) utility, in a way, though unofficially. 😄 |
I'll try to spend some time on the idea in the future if I can.
I agree! I've reopened with the branch reverted and to include new changes. |
ghost
reopened this
ghost
marked this pull request as draft
|
The proposed changes: Improve service security and functionality
|
|
Forgot to add:
It results hosts file output like: |
ghost
changed the title
|
Hi. Apology for late response. I left some comments to your latest changes. Sorry if it feels like I turn down too many of your proposals, I tried to elaborate as much as I could.
Just force push it 😄 That's fine to do if the branch is only yours. And it doesn't pollute commit history with meaningless changes after the PR is merged.
I don't really see an expected way for any script here to fail, so the failure label is probably an appropriate one. Am I overlooking anything? |
It's your project so it's fine. Just close it if you're unwilling to compromise. If we can't agree I can always maintain my own fork or entirely new vision.
Guilty.
It's problematic as is any failing red service. IMO, it's also incorrect when it fails for a valid configuration (empty hosts). |
* Add `[Service]` security directives like `ProtectSystem`
* Tighten regular expression to match beginning of IPv4 or IPv6 address followed by a hostname and hostaliases
* Add `ExecStartPre` backup feature enabled by default
* Introduce environment variables to control hosts file backup and inclusion of source comment lines (`^#`) in output
* Use `ExecCondition` to validate *$HOSTS_DIRECTORY* before overwriting *$HOSTS_FILE*
* Move `chmod` command to `ExecStartPost`
* Use `-` for commands modifying *$HOSTS_FILE* so that the service will report a failure without using the failure for the service state.
* Incorporate suggestions to system call filter and `if` logic
|
I've made some changes per your feedback. Let me know your thoughts. Thanks! |
|
Hi. I finally upstreamed e836aa3 some of your suggestions regarding the service unit! Notably these:
Also, I implemented your original proposal about the cli tool to resolve hosts entries in #2 (and added a bunch of other functions manipulating host entries I could think of too). Testing would be very much appreciated (both for the service and the tool). And many thanks for contributing back and staying through this process 😄 |
1 participant
; exit 0toExecStartexecution of grep. This allows configurations with empty /etc/hosts files to function without error in the systemd execution.bashscript intended for use with crontab executes thehostandgrepcommands to resole a host, parse it, and output to a file (like /etc/hosts.d/).Thanks, this is a useful mechanism!