rockstor · phillxnet · Feb 12, 2024 · Feb 5, 2024
diff --git a/.env b/.env
@@ -0,0 +1,14 @@
+# NO SECRETS - ENVIRONMENTAL VARIABLES ONLY
+# All entires should be compatible with all of the following uses:
+# - poetry-plugin-dotenv: https://pypi.org/project/poetry-plugin-dotenv/
+# - python-dotenv: https://pypi.org/project/python-dotenv/
+# - systemd: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile=
+# - bash `source` command: https://www.gnu.org/software/bash/manual/bash.html#index-source
+
+# password-store working directory: GNUPG/gpg encrypted.
+# https://www.passwordstore.org/
+# https://git.zx2c4.com/password-store/about/
+PASSWORD_STORE_DIR=/root/.password-store
+
+# Django
+DJANGO_SETTINGS_MODULE=settings
diff --git a/build.sh b/build.sh
@@ -4,7 +4,7 @@ set -o errexit
 
 # Install Poetry, a dependency management, packaging, and build system.
 # Uninstall legacy/transitional Poetry version of 1.1.15
-PATH="$HOME/.local/bin:$PATH"  # ensure legacy path.
+PATH="/root/.local/bin:$PATH"  # ensure legacy path.
 if which poetry && poetry --version | grep -q "1.1.15"; then
   echo "Poetry version 1.1.15 found - UNINSTALLING"
   curl -sSL https://install.python-poetry.org | python3 - --uninstall
@@ -33,6 +33,9 @@ export PIPX_MAN_DIR=/usr/local/share/man  # manual page location for pipx-instal
 # https://python-poetry.org/docs/#installing-with-pipx
 pipx ensurepath
 pipx install --python python3.11 poetry==1.7.1
+# https://pypi.org/project/poetry-plugin-dotenv/
+# https://python-poetry.org/docs/master/plugins/#using-plugins
+pipx inject --verbose poetry poetry-plugin-dotenv==0.6.11
 pipx list
 
 # Install project dependencies defined in cwd pyproject.toml using poetry.toml
@@ -43,6 +46,7 @@ pipx list
 # ** --no-ansi avoids special characters **
 env > poetry-install.txt
 poetry --version >> poetry-install.txt
+poetry self show plugins >> poetry-install.txt
 # /usr/local/bin/poetry -> /opt/pipx/venvs/poetry
 poetry install -vvv --no-interaction --no-ansi >> poetry-install.txt 2>&1
 echo
@@ -78,15 +82,17 @@ fi
 
 # Ensure GNUPG is setup for 'pass' (Idempotent)
 /usr/bin/gpg --quick-generate-key --batch --passphrase '' rockstor@localhost || true
-# Init 'pass' in ~ using above GPG key, and generate Django SECRET_KEY
-export Environment="PASSWORD_STORE_DIR=/root/.password-store"
+# Init 'pass' in .env defined PASSWORD_STORE_DIR using above GPG key, and generate Django SECRET_KEY
+set -o allexport
+echo "Sourcing ${pwd}.env"
+source .env  # also read by rockstor-build.service
+set +o allexport
 /usr/bin/pass init rockstor@localhost
 /usr/bin/pass generate --no-symbols --force python-keyring/rockstor/SECRET_KEY 100
 
 # Collect all static files in the STATIC_ROOT subdirectory. See settings.py.
 # /opt/rockstor/static
 # Additional collectstatic options --clear --dry-run
-export DJANGO_SETTINGS_MODULE=settings
 # must be run in project root:
 poetry run django-admin collectstatic --no-input --verbosity 2
 echo
@@ -95,9 +101,8 @@ echo "ROCKSTOR BUILD SCRIPT COMPLETED"
 echo
 echo "If installing from source, from scratch, for development; i.e. NOT via RPM:"
 echo "Note GnuPG & password-store ExecStartPre steps in /opt/rockstor/conf/rockstor-pre.service"
-echo "1. Run 'cd /opt/rockstor'."
-echo "2. Run 'systemctl start postgresql'."
-echo "3. Run 'export DJANGO_SETTINGS_MODULE=settings'."
-echo "4. Run 'export PASSWORD_STORE_DIR=/root/.password-store'."
-echo "5. Run 'poetry run initrock' as root (equivalent to rockstor-pre.service ExecStart)."
-echo "6. Run 'systemctl enable --now rockstor-bootstrap'."
+echo "1. Run 'systemctl start postgresql'."
+echo "2. Run 'cd /opt/rockstor'."
+echo "3. Run './build.sh'."
+echo "4. Run 'poetry run initrock' as root (equivalent to rockstor-pre.service ExecStart)."
+echo "5. Run 'systemctl enable --now rockstor-bootstrap'."
diff --git a/conf/rockstor-bootstrap.service b/conf/rockstor-bootstrap.service
@@ -4,10 +4,9 @@ After=rockstor.service
 Requires=rockstor.service
 
 [Service]
-Environment="DJANGO_SETTINGS_MODULE=settings"
-Environment="PASSWORD_STORE_DIR=/root/.password-store"
 WorkingDirectory=/opt/rockstor
-ExecStart=/opt/rockstor/.venv/bin/bootstrap
+EnvironmentFile=/opt/rockstor/.env
+ExecStart=/usr/local/bin/poetry run bootstrap
 Type=oneshot
 RemainAfterExit=yes
 

diff --git a/conf/rockstor-build.service b/conf/rockstor-build.service
@@ -10,9 +10,8 @@ Requires=NetworkManager.service
 Requires=NetworkManager-wait-online.service
 
 [Service]
-Environment="DJANGO_SETTINGS_MODULE=settings"
-Environment="PASSWORD_STORE_DIR=/root/.password-store"
 WorkingDirectory=/opt/rockstor
+EnvironmentFile=/opt/rockstor/.env
 ExecStart=/opt/rockstor/build.sh
 Type=oneshot
 RemainAfterExit=yes

diff --git a/conf/rockstor-pre.service b/conf/rockstor-pre.service
@@ -8,9 +8,8 @@ Requires=postgresql.service
 Requires=NetworkManager.service
 
 [Service]
-Environment="DJANGO_SETTINGS_MODULE=settings"
-Environment="PASSWORD_STORE_DIR=/root/.password-store"
 WorkingDirectory=/opt/rockstor
+EnvironmentFile=/opt/rockstor/.env
 # Avoid `pass` stdout leaking generated passwords (N.B. 2>&1 >/dev/null failed).
 StandardOutput=null
 # Idempotent: failure tolerated for pgp as key likely already exists (rc 2).

diff --git a/conf/rockstor.service b/conf/rockstor.service
@@ -4,9 +4,8 @@ After=rockstor-pre.service
 Requires=rockstor-pre.service
 
 [Service]
-Environment="DJANGO_SETTINGS_MODULE=settings"
-Environment="PASSWORD_STORE_DIR=/root/.password-store"
 WorkingDirectory=/opt/rockstor
+EnvironmentFile=/opt/rockstor/.env
 ExecStart=/usr/local/bin/poetry run supervisord -c /opt/rockstor/etc/supervisord.conf
 ExecStop=/usr/local/bin/poetry run supervisorctl shutdown
 ExecReload=/usr/local/bin/poetry run supervisorctl reload

diff --git a/pyproject.toml b/pyproject.toml
@@ -33,6 +33,7 @@ include = [
     "build.sh",  # master build script
     "poetry.toml",  # poetry config
     "poetry.lock",  # current poetry established dependency lock file.
+    ".env",  # poetry-plugin-dotenv default source file.
     { path = "conf" },  # Configuration directories
     { path = "etc" },
     { path = "var" },  # Some processes depend on this tree existing.

diff --git a/src/rockstor/scripts/initrock.py b/src/rockstor/scripts/initrock.py
@@ -116,9 +116,10 @@
 #       use None to use the current mask of the target file defined at <path>.
 # services: Python List of service(s) to restart, if any, after modifying the file.
 LocalFile = namedtuple("LocalFile", "path mask services")
+# samba_config's "root preexec = ..." migrations do not required service restarts.
 LOCAL_FILES = {
     "samba_config": LocalFile(
-        path="/etc/samba/smb.conf", mask=None, services=["nmb", "smb"]
+        path="/etc/samba/smb.conf", mask=None, services=None
     ),
     "rockstor_crontab": LocalFile(
         path="/etc/cron.d/rockstortab", mask=stat.S_IRUSR | stat.S_IWUSR, services=None
@@ -463,6 +464,33 @@ def establish_poetry_paths():
     logger.info("### DONE establishing poetry path to binaries in local files.")
 
 
+def update_smb_conf_preexec():
+    """
+    5.0.8-0 onwards adopts a new smb.conf preexec command for all new Samba exports.
+    Modify existing shares accordingly. Example for test_share01:
+        root preexec = "/opt/rockstor/.venv/bin/mnt-share test_share01"
+        root preexec = sh -c "cd /opt/rockstor/ && poetry run mnt-share test_share01"
+    Avoids premature DB requirement re:
+    - refresh_smb_config(list(SambaShare.objects.all()))
+    - refresh_smb_discovery(list(SambaShare.objects.all()))
+    """
+    logger.info("### BEGIN Establishing SMB config preexec update...")
+    smb_conf = LOCAL_FILES["samba_config"]
+    pattern = f'"{BASE_DIR}.venv/bin/'
+    replacement = f'sh -c "cd {BASE_DIR} && poetry run '
+    if os.path.isfile(smb_conf.path):
+        fh, npath = mkstemp()
+        altered = replace_pattern_inline(smb_conf.path, npath, pattern, replacement)
+        if altered:  # smb_conf.mask assumed None
+            shutil.copystat(smb_conf.path, npath)
+            shutil.move(npath, smb_conf.path)
+            logger.info("smb.conf preexec format updated")
+        else:
+            os.remove(npath)
+            logger.info("smb.conf preexec already updated")
+    logger.info("### DONE Establishing SMB config preexec update...")
+
+
 def set_api_client_secret():
     """
     Set/reset the API client secret which is used internally by OAUTH_INTERNAL_APP = "cliapp",
@@ -649,6 +677,8 @@ def main():
 
     establish_poetry_paths()
 
+    update_smb_conf_preexec()
+
 
 if __name__ == "__main__":
     main()
diff --git a/src/rockstor/system/samba.py b/src/rockstor/system/samba.py
@@ -49,14 +49,15 @@ def test_parm(config="/etc/samba/smb.conf"):
 
 
 def rockstor_smb_config(fo, exports):
-    mnt_helper = os.path.join(settings.ROOT_DIR, ".venv/bin/mnt-share")
+    mnt_helper = "poetry run mnt-share"
     fo.write("{}\n".format(RS_SHARES_HEADER))
     for e in exports:
         admin_users = ""
         for au in e.admin_users.all():
             admin_users = "{}{} ".format(admin_users, au.username)
         fo.write("[{}]\n".format(e.share.name))
-        fo.write('    root preexec = "{} {}"\n'.format(mnt_helper, e.share.name))
+        # Requires `poetry run` in ROOT_DIR to gain .env defined environment.
+        fo.write(f"    root preexec = sh -c \"cd {settings.ROOT_DIR} && {mnt_helper} {e.share.name}\"\n")
         fo.write("    root preexec close = yes\n")
         fo.write("    comment = {}\n".format(e.comment.encode("utf-8")))
         fo.write("    path = {}\n".format(e.path))