I’ve the same problem after upgrade core 168 (but I had seen the notification and had planned a backup )
Did anyone finally manage to run custom cron lines ?
Because from what I understood below you can do it by creating a user (and giving him sudoers rights if you want to do admin tasks) but after that…where do you put the scripts or cron lines that call on them ?
Please…If someone has managed to make this work, can he please detail the steps to follow ?
(it would also be interesting to add the steps on the Ipfire Wiki )
My Ipfire:
IPFire version
IPFire 2.27 (x86_64) - core168
Pakfire version
2.27-x86_64
Kernel version
Linux 5.15.35-ipfire #1 SMP Tue Apr 26 10:56:57 GMT 2022 x86_64 Intel(R) Atom™ CPU C3758 @ 2.20GHz GenuineIntel GNU/Linux
Just had a look through CU169 and fcron or fcrontab was not modified in this update. It was also not touched by the update script, had a look through to confirm.
So the fcrontab should not have been touched at all.
Here is a quick run down of how I set up a separate user fcrontab and use it for running scripts, including those that require root permissions.
Create a non-login system user useradd -r -U -d / -s /bin/false -c "non root fcrontab user" fcronuser
-r specifies that it is a system user
-U tells it to also create a group with the same name
-d defines the home directory as /, although no home directory is created for system users it is specified in the passwd file
-s defines the login shell, in this case /bin/false means the user cannot log in
-c is a comment about the user. It can be any string you want.
fcronuser is the name I used but it can be whatever you want, as long as it is not already in use
The entry in the passwd file should look something like fcronuser:x:998:998:non root fcrontab user:/:/bin/false
The uid and gid will be dependent on what other users are already created on your system.
Create a sudoers file for the fcronuser in /etc/sudoers.d/
It can be called whatever you want but the simplest is to name it the same as the user so fcronuser
Contents should be
## Allow fcronuser to use sudo without a password
fcronuser ALL=(ALL) NOPASSWD:ALL
This will allow the fcronuser to run scripts that require root permissions by using sudo without needing to use a password
Then you need to add the new user to the fcron.allow list. Edit /etc/fcron./allow to add fcronuser to the list which will only include root unless you have already added another user to it.
After editing it should contain at lease the following lines
root
fcronuser
Create the fcrontab for your new user fcrontab -u fcronuser -e
-u fcronuser tells fcrontab to use the user fcronuser
-e says to edit the fcronuser fcrontab
Enter whatever scripts you want run with fcron and save the file.
Most scripts will be able to run successfully with the native rights of the fcronuser.
For those that don’t run successfully due to permissions you will need to add sudo at the front.
Below is my fcronuser fcrontab. Three entries run fine as they are. One has to have sudo to execute.
#
# crontab for fcronuser
#
# Restart rhea at 07:30 each day
30 7 * * * /home/fcronuser/scripts/wol_rhea.sh
# Run iapetus backup each Saturday at 21:00
0 21 * * 6 "sudo /home/fcronuser/scripts/iapetus_backup.sh"
# Run speedtest at 06:10, 10:10, 14:10, 18:10 & 22:10
10 2,6,10,14,18,22 * * * /home/fcronuser/scripts/speed_test.sh
# Run the DNS SERVFAIL count script on each Sunday at 01:10
10 1 * * 0 /home/fcronuser/scripts/DNS-SERVFAIL-count.sh
I cannot currently guarantee that this will work without any problems as when I carried it out some while ago I may have had to change some other things that I have forgotten about.
My plan is to take a vm clone of my testbed and run the same commands on that and confirm everything works as expected with a vanilla install but I currently don’t have the time to do that.
If you find any problems flag them up and I will have a look at them.
For information the fcrontabs are stored under /var/spool/cron/ and you should find fcronuser and after some editing fcronuser.orig in that directory.
To ensure that you backup those files in your IPFire backup routine add the line var/spool/cron/fcronuser*
to the /var/ipfire/backup/include.user file
I don’t have the time to do it now as I am having to work on my mail server as the main disk is starting to fail but I know how to approach it now, when I get round to it.
I followed your tutorial almost to the to the letter, with the purpose to execute a script that sets RPF to 2 and then after 15 minutes it reverts to the default. During that window, my webserver is free to issue a certbot renew command.
#!/bin/bash
###########################################################
# set strictness of Reverse Path Filtering; see RFC 3704, #
# section 2.2: 1, RPF strict; 2, RPF relaxed #
###########################################################
###### Initialization steps ######
LOG="/home/cfusco/bin/log_RPF.txt"
exec 1>>$LOG 2>&1 # write stdout to $LOG, stderr goes to stdout
level=$1 # 1 for strict or 2 for relaxed
##### Functions ######
function run() { # wrapper call for error handling, spins a subshell
cmd_output=$(eval $1)
return_value=$?
[[ $return_value != 0 ]] && echo "Command $1 failed" && echo -e "${cmd_output}" \
|| echo -e "* $1 Output:\n${cmd_output}" "\nCommand $1 succeeded."
return $return_value
}
function logDate() { # log a time stamped message
date=$(date '+%Y-%m-%d %H:%M:%S')
echo -e "\n---\n" "$date" ": $1 \n---"
}
function changeRPF() { # change RPF value
if [[ $level == 1 || $level == 2 ]]; then
sysctl net.ipv4.conf.default.rp_filter=$level
sysctl net.ipv4.conf.all.rp_filter=$level
else
echo "either 1 or 2, instead you entered: "$level
return -1
fi
}
##### Main Routine ######
logDate "Changing RPF strictness"
run "changeRPF"
The error I got in the logs is:
---
2022-09-11 00:00:00 : Changing RPF strictness
---
/home/cfusco/bin/rpf.sh: line 29: sysctl: command not found
/home/cfusco/bin/rpf.sh: line 30: sysctl: command not found
* changeRPF Output:
Command changeRPF failed.
---
2022-09-11 00:15:00 : Changing RPF strictness
---
/home/cfusco/bin/rpf.sh: line 29: sysctl: command not found
/home/cfusco/bin/rpf.sh: line 30: sysctl: command not found
* changeRPF Output:
Command changeRPF failed.
do you have any idea why executing the script, fcronuser cannot find sysctl? It’s not a matter of permission, becase if I run the command as user cfusco, i get
In this case I may be able to help. When a system user is created, without a home directory then sometimes the path environment variable for that user does not cover what you want to access. Also I have sometimes found that no matter what I do with a path environment variable cron or fcron refuse to be able to find a binary.
Therefore I always write the cron/fcron binary command with a full path specified.
I would give that a try and see if it solves your issue.
If it doesn’t solve the issue then I will need to test out your script and commands in my vm testbed to obtain a better idea.
Incidentally, I am also using letsencrypt on my network but I currently don’t have a webserver running so I am doing the http-01 challenge with the certbot standalone command and it starts up a webserver just for the challenge and afterwards shuts it down. I don’t have any issues with RPF. My certificates were successfully updated about 10 days ago.
I will eventually put a web server in place for a webmail system and will then be doing the same as you. Will let you know how that goes when I get round to it and if I see the same issue as you have been experiencing.
@bonnietwin I hope you do not mind that I did it. The procedure is correct as I have tested it myself. The text is only occasionally modified just for minor adjustments to a wiki entry style, but feel free to change it as you deem necessary. Thank you for the great tutorial.
)
