diff --git a/VERSION b/VERSION
index b649b91..970b756 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.53
+1.0.54
diff --git a/cmd/edgeguard-api/main.go b/cmd/edgeguard-api/main.go
index d1f0895..7ec41ea 100644
--- a/cmd/edgeguard-api/main.go
+++ b/cmd/edgeguard-api/main.go
@@ -48,7 +48,7 @@ import (
 wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
 )
 
-var version = "1.0.53"
+var version = "1.0.54"
 
 func main() {
 addr := os.Getenv("EDGEGUARD_API_ADDR")
diff --git a/cmd/edgeguard-ctl/main.go b/cmd/edgeguard-ctl/main.go
index ad85df3..2d8e5ca 100644
--- a/cmd/edgeguard-ctl/main.go
+++ b/cmd/edgeguard-ctl/main.go
@@ -9,7 +9,7 @@ import (
 "os"
 )
 
-var version = "1.0.53"
+var version = "1.0.54"
 
 const usage = `edgeguard-ctl — EdgeGuard CLI
 
diff --git a/cmd/edgeguard-scheduler/main.go b/cmd/edgeguard-scheduler/main.go
index 9c24aa4..9b41318 100644
--- a/cmd/edgeguard-scheduler/main.go
+++ b/cmd/edgeguard-scheduler/main.go
@@ -24,7 +24,7 @@ import (
 "git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
 )
 
-var version = "1.0.53"
+var version = "1.0.54"
 
 const (
 // renewTickInterval — how often we re-evaluate expiring certs.
diff --git a/internal/handlers/system.go b/internal/handlers/system.go
index 2dc5155..1ae0184 100644
--- a/internal/handlers/system.go
+++ b/internal/handlers/system.go
@@ -242,6 +242,12 @@ func (h *SystemHandler) PackageVersions(c *gin.Context) {
 func (h *SystemHandler) Upgrade(c *gin.Context) {
 slog.Info("starting package upgrade (detached)")
+ // Skript landet NICHT in /tmp — edgeguard-api.service hat
+ // PrivateTmp=true und sieht damit ein eigenes /tmp, das die
+ // per `sudo systemd-run` gestartete Transient-Unit nicht sieht.
+ // /var/lib/edgeguard ist edgeguard-owned + persistent + von
+ // beiden Namespaces aus zugänglich.
+ const scriptPath = "/var/lib/edgeguard/upgrade.sh"
 const script = `#!/bin/bash
 set -e
 sleep 2
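Review bot: The added scriptPath is a file the API process writes itself, so the sudoers rule in the postinst hunk (and the path uses in the next two hunks of this file) only pins the unit name and the file name, not what runs as root — the body of a root-executed script is authored at runtime by the unprivileged edgeguard user, which is the opposite of what the postinst comment about "nur die exakte Unit-Form" is meant to guarantee. The relocation does not change that, and moving from a PrivateTmp /tmp to a persistent, edgeguard-owned directory means the file now also survives service restarts. The robust split is to install the upgrade script root-owned from the .deb (e.g. `/usr/lib/edgeguard/upgrade.sh`, 0755 root:root — placeholder path) and reference that fixed file from both scriptPath and the sudoers entry, so this handler only starts the unit and no longer calls os.WriteFile at all. If the generated-at-runtime design is kept, document the trust boundary at the declaration: `// scriptPath is executed as root via sudo systemd-run — whoever can write it controls that root process; dir and file must stay edgeguard-owned and never group/world-writable.` Upgrade continues past the end of this hunk.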
@@ -253,9 +259,9 @@ apt-get update -qq
 echo "[upgrade] apt-get install -y edgeguard-api edgeguard-ui edgeguard"
 apt-get install -y -qq -o Dpkg::Options::=--force-confold edgeguard-api edgeguard-ui edgeguard
 echo "[upgrade] complete"
-rm -f /tmp/edgeguard-upgrade.sh
+rm -f /var/lib/edgeguard/upgrade.sh
 `
- if err := os.WriteFile("/tmp/edgeguard-upgrade.sh", []byte(script), 0o755); err != nil {
+ if err := os.WriteFile(scriptPath, []byte(script), 0o755); err != nil {
 response.Internal(c, err)
 return
 }
@@ -272,12 +278,12 @@ rm -f /tmp/edgeguard-upgrade.sh
 "--unit="+unitName,
 "--description=EdgeGuard self-upgrade",
 "--collect",
- "bash", "/tmp/edgeguard-upgrade.sh")
+ "bash", scriptPath)
 if err := cmd.Run(); err != nil {
 // systemd-run unavailable (dev env without sudo) — fall back
 // to setsid. In Prod sollte das nie greifen.
 slog.Warn("upgrade: sudo systemd-run failed, falling back to setsid", "error", err)
- fallback := exec.Command("setsid", "bash", "/tmp/edgeguard-upgrade.sh")
+ fallback := exec.Command("setsid", "bash", scriptPath)
 fallback.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
 if err2 := fallback.Start(); err2 != nil {
 response.Internal(c, err2)
diff --git a/management-ui/src/components/Layout/Sidebar.tsx b/management-ui/src/components/Layout/Sidebar.tsx
index 1a3a744..3b629f3 100644
--- a/management-ui/src/components/Layout/Sidebar.tsx
+++ b/management-ui/src/components/Layout/Sidebar.tsx
@@ -77,7 +77,7 @@ const NAV: NavSection[] = [
 },
 ]
 
-const VERSION = '1.0.53'
+const VERSION = '1.0.54'
 
 export default function Sidebar({ isOpen, onClose }: SidebarProps) {
 const { t } = useTranslation()
diff --git a/packaging/debian/edgeguard-api/DEBIAN/postinst b/packaging/debian/edgeguard-api/DEBIAN/postinst
index 8189a39..ad5e127 100755
--- a/packaging/debian/edgeguard-api/DEBIAN/postinst
+++ b/packaging/debian/edgeguard-api/DEBIAN/postinst
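Review bot: The trailing `rm -f /var/lib/edgeguard/upgrade.sh` only executes when every earlier step succeeds, because the script runs under `set -e`; with the new persistent location a failing apt-get (or the unprivileged setsid fallback in the next hunk, which cannot install packages) leaves upgrade.sh behind, whereas the old PrivateTmp /tmp was discarded with the service. The line also hard-codes the path a second time right next to scriptPath, so a future move has to touch both strings and the sudoers rule. Both points go away by dropping that line and placing `trap 'rm -f -- "$0"' EXIT` directly after `set -e`, which removes the script on any exit and takes the path from how systemd-run and setsid invoke it (`bash <scriptPath>`). The leftover file is not harmful by itself since os.WriteFile truncates it on the next call, but a stale copy is misleading when the host is examined after a failed upgrade. Upgrade begins and ends outside this hunk.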
@@ -79,7 +79,7 @@ edgeguard ALL=(root) NOPASSWD: /usr/bin/apt-get update
 # nur die exakte Unit-Form, damit edgeguard NICHT beliebige systemd-
 # Units anlegen darf.
 edgeguard ALL=(root) NOPASSWD: /usr/bin/systemctl reset-failed edgeguard-upgrade.service
-edgeguard ALL=(root) NOPASSWD: /usr/bin/systemd-run --unit=edgeguard-upgrade.service --description=EdgeGuard self-upgrade --collect bash /tmp/edgeguard-upgrade.sh
+edgeguard ALL=(root) NOPASSWD: /usr/bin/systemd-run --unit=edgeguard-upgrade.service --description=EdgeGuard self-upgrade --collect bash /var/lib/edgeguard/upgrade.sh
 SUDOERS
 
 # ── Distro-Conf-Includes für die per-Service Renderer ─────────