From 849b71f09c20e6788a2974dea7b216e43551c90a Mon Sep 17 00:00:00 2001
From: Kyle Harding
Date: Wed, 22 Nov 2023 15:09:37 -0500
Subject: [PATCH] Create update locks for logged in sessions
Change-type: patch
Signed-off-by: Kyle Harding
---
README.md | 9 ++---
.../s6-rc.d/lock-manager/dependencies.d/base | 0
.../s6-overlay/s6-rc.d/lock-manager/finish | 3 ++
.../s6-overlay/s6-rc.d/lock-manager/run | 39 +++++++++++++++++++
.../s6-overlay/s6-rc.d/lock-manager/type | 1 +
.../s6-rc.d/user/contents.d/lock-manager | 0
6 files changed, 46 insertions(+), 6 deletions(-)
create mode 100644 yocto-build-env/s6-overlay/s6-rc.d/lock-manager/dependencies.d/base
create mode 100644 yocto-build-env/s6-overlay/s6-rc.d/lock-manager/finish
create mode 100644 yocto-build-env/s6-overlay/s6-rc.d/lock-manager/run
create mode 100644 yocto-build-env/s6-overlay/s6-rc.d/lock-manager/type
create mode 100644 yocto-build-env/s6-overlay/s6-rc.d/user/contents.d/lock-manager
diff --git a/README.md b/README.md
index d45bae6..064f9ce 100644
--- a/README.md
+++ b/README.md
@@ -5,15 +5,12 @@ Shared Yocto development environment ## Features - Yocto and OpenEmbedded build dependencies based on Ubuntu 18.04 -- SSH daemon background service w/ rotating logs +- SSH daemon service w/ rotating logs - Fail2ban blocking IPs after failed login attempts -- Docker daemon background service +- Docker daemon service - Per-user home directories - Per-user SSH authorized keys synced with GitHub profiles - -## Planned Features - -- Update locking +- Supervisor update locking for active SSH sessions ## Administration
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/dependencies.d/base b/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/dependencies.d/base
new file mode 100644
index 0000000..e69de29
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/finish b/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/finish
new file mode 100644
index 0000000..7e61a05
--- /dev/null
+++ b/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/finish
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+rm -f /tmp/balena/updates.lock
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/run b/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/run
new file mode 100644
index 0000000..5cf947e
--- /dev/null
+++ b/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/run
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+[[ ${VERBOSE:-,,} =~ true|yes|on|1 ]] && set -x
+
+LOCKFILE=/tmp/balena/updates.lock
+
+while true; do
+ (
+ # check for active sessions
+ while last | grep -q "still logged in"; do
+
+ # create the lockfile
+ touch $LOCKFILE
+
+ # create a file descriptor over the given lockfile
+ exec {fd}<>${LOCKFILE}
+
+ # request an exclusive lock in non-blocking mode
+ flock -n $fd || exit 0
+
+ echo "Updates are locked while sessions are active..."
+ last | grep "still logged in"
+
+ # wait 30 seconds before checking again
+ # updates are locked during this time
+ sleep 30
+
+ done
+ ) >/dev/null 2>&1
+
+ # remove the lockfile (this should be unecessary?)
+ rm -f $LOCKFILE
+
+ # wait 5 seconds before checking again
+ # updates are unlocked during this time
+ sleep 5
+done
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/type b/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/yocto-build-env/s6-overlay/s6-rc.d/lock-manager/type
@@ -0,0 +1 @@
+longrun
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/user/contents.d/lock-manager b/yocto-build-env/s6-overlay/s6-rc.d/user/contents.d/lock-manager
new file mode 100644
index 0000000..e69de29
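Review bot: The update lock in `lock-manager/run` looks like it is released every 30 seconds while sessions are still active, because `exec {fd}<>${LOCKFILE}` sits inside the inner `while` and opens a fresh descriptor on every pass. flock treats separate opens of the same file independently, so on the second pass `flock -n $fd` should be refused by the lock the subshell already holds through the first descriptor; `|| exit 0` then ends the subshell and the outer loop removes the lockfile for its 5-second sleep, leaving a window in which an update can proceed under a logged-in user. Opening the descriptor and taking the lock once, before the polling loop, keeps it held for the whole session. Separately, under `set -o pipefail` the `grep -q` in the session check can end `last` with SIGPIPE on a large wtmp and make the check read as false, and `>/dev/null 2>&1` on the subshell discards the "Updates are locked" message and any `touch`/`exec` error, so the service log never shows why the lock was or was not taken.

```shell
  (
    # nothing to lock when nobody is logged in
    last | grep -q "still logged in" || exit 0

    # create the lockfile, open it and take the lock once per subshell
    touch "${LOCKFILE}"
    exec {fd}<>"${LOCKFILE}"
    flock -n "${fd}" || exit 0

    # keep that one descriptor open for as long as sessions remain
    while last | grep -q "still logged in"; do
      # … unchanged: echo, last | grep, sleep 30 …
    done
  ) >/dev/null 2>&1
```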