v7.1 (#4223)
+ DietPi-Software | Mosquitto: Since the Bullseye suite of the official repository does not yet exist, use Buster instead
+ DietPi-Software | Mosquitto: Restore pre-v2.0 behaviour by explicitly adding the port 1883 listener without IP binding, as by default it now binds to the loopback IP: #4133
+ DietPi-Software | Mosquitto: Instead of restoring pre-v2.0 behaviour on anonymous requests, enable authenticated requests via password file by default, using username "mosquitto" and global software password.
+ DietPi-Software | Mosquitto: Always use our own systemd unit, which allows us to simplify and align it with other units we ship.
+ DietPi-Software | Mosquitto: Disable PID and log file, both not required when using the systemd unit as it can track the service status directly and logs can be viewed via journalctl then. This allows us to simplify the systemd unit and start it as the mosquitto user directly, instead of having the daemon forking itself as mosquitto user.
+ DietPi-Software | Mosquitto: Do not automatically restart the service on failure. Generally we think that a failed service has a reason that should be recognised and investigated ASAP before starting it again, whether it is an OOM failure, filesystem/database corruption or a DDoS attack and such things, where an automatic restart might cause further damage. When services restart automatically (up to five times by default within a certain time), they not only mess up logs, making debugging difficult, but also, as the service can stay up, an urgent reason for the crash might be recognised with much delay. When a service is so important that it must stay up even when the server is running into troubles that lead to service crashes, then this should be configured only manually by admins who know what they are doing.
+ DietPi-Software | MPD: Simplify systemd service runtime directory creation by using the RuntimeDirectory setting
+ DietPi-Software | ownCloud/Nextcloud: Instead of "<omitted>", show "XXXX" as replacement for passwords during CLI install with the number of Xes matching the length of the password
MichaIng authored Apr 5, 2021
1 parent 524f4da commit 64c8411
Showing 2 changed files with 33 additions and 14 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.txt
@@ -1,5 +1,5 @@
v7.1
(2021-03-XX)
(2021-04-XX)

Supported SBC changes:
- For historical reasons, DietPi had internal hardware identifiers for SBCs which are not officially supported anymore for a long time, namely variouos Orange Pi and Banana Pi models, BeagleBone Black and LeMaker Guitar. Since we do not provide a reference image and do not test features on those boards, we have no chance to reasonably use those hardware IDs code-wise to apply tweaks or enable features, which renders them meaningless. To avoid wrong assumptions, we hence removed the identifies for the named SBC models. As a replacement, we added a set of generic SoC identifiers, which can as well be selected from within the DietPi-PREP system converter script. This means that one is e.g. able to select "Generic Allwinner H3" and have an SoC identifier set by this, which is used within the code for conditionals based on the SoC, e.g. regarding GPU acceleration and other SoC-internal hardware features. The removed SBC models are converted automatically to those generic identifiers, so that e.g. after the update an OrangePi PC will be shown in our scripts and banner as "Generic Allwinner H3". While it looks like a degradation, it is a hardening, as it assures that no false assumptions and conditionals are triggered in our scripts but only those which we can know for sure being true, regardless of the initial Debian image you used.
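Review bot: the unchanged context line for the SBC change still reads "variouos" and "removed the identifies for"; since CHANGELOG.txt is being touched in this commit anyway, "various" and "removed the identifiers for" could be fixed in the same hunk.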
Expand All @@ -15,6 +15,7 @@ Changes:
- DietPi-Drive_Manager | Added support for resizing F2FS and Btrfs filesystems as well as format- and filesystem check & repair support for XFS filesystems.
- DietPi-Config | Added a safe overclocking profile for RPi 3+ models. Many thanks to @lone for doing long-term stability tests and reporting back the result: https://dietpi.com/phpbb/viewtopic.php?p=32285#p32285
- DietPi-Config | When disabling the RPi camera feature, the bcm2835_isp kernel module is now additionally blacklisted. Since kernel 5.X it is otherwise loaded automatically and pulls in the whole camera modules stack as dependency, adding some additional memory usage and boot overhead. Many thanks to @ferbar for making us aware of this: https://github.com/MichaIng/DietPi/issues/4203
- DietPi-Software | Mosquitto: Since v2, by default remote connections and no unauthenticated requests are possible anymore. On fresh installs and reinstalls, we'll enable remote connections, but create a password file, so that MQTT clients need to authenticate with username "mosquitto" and the global software password by default. Many thanks to @mattsmithuk for reporting this change: https://github.com/MichaIng/DietPi/issues/4133

Fixes:
- DietPi-Config/DietPi-PREP | Resolved an issue on Debian Bullseye, when toggling serial consoles, where /etc/securetty is attempted to be altered even that it is not used and does not exist anymore since Debian Bullseye. Many thanks to @NastyDesertFox for reporting this issue: https://github.com/MichaIng/DietPi/issues/4205
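Review bot: the new Mosquitto entry is hard to parse: "by default remote connections and no unauthenticated requests are possible anymore" reads as if remote connections were still allowed. Suggest "Since v2, by default neither remote connections nor unauthenticated requests are possible anymore." Since the entry ties the broker login to the global software password, it would also help users to say where the credentials live (the password file at /etc/mosquitto/passwd) so they know what to change for a dedicated MQTT password.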
44 changes: 31 additions & 13 deletions dietpi/dietpi-software
Expand Up @@ -4522,7 +4522,8 @@ _EOF_
INSTALL_URL_ADDRESS='https://repo.mosquitto.org/debian/mosquitto-repo.gpg.key'
G_CHECK_URL "$INSTALL_URL_ADDRESS"
G_EXEC eval "curl -sSLf '$INSTALL_URL_ADDRESS' | gpg --dearmor -o /etc/apt/trusted.gpg.d/dietpi-mosquitto.gpg --yes"
G_EXEC eval "echo 'deb https://repo.mosquitto.org/debian/ $G_DISTRO_NAME main' > /etc/apt/sources.list.d/dietpi-mosquitto.list"
# The Bullseye suite does not yet exist: https://repo.mosquitto.org/debian/dists/
G_EXEC eval "echo 'deb https://repo.mosquitto.org/debian/ ${G_DISTRO_NAME/bullseye/buster} main' > /etc/apt/sources.list.d/dietpi-mosquitto.list"
G_AGUP

fi
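Review bot: the bullseye-to-buster substitution in `${G_DISTRO_NAME/bullseye/buster}` is silent, so once https://repo.mosquitto.org/debian/dists/ gains a bullseye suite nothing will flag that Bullseye systems keep pulling the Buster build; a comment with a re-check reminder, or a G_DIETPI-NOTIFY-style warning line when the substitution takes effect, would make that visible. Separately, dearmoring the key into /etc/apt/trusted.gpg.d/ makes it trusted for every APT source on the system; storing it in a keyring outside trusted.gpg.d and referencing it with `[signed-by=...]` in the dietpi-mosquitto.list entry limits that key to the Mosquitto repository.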
Expand Down Expand Up @@ -8037,7 +8038,7 @@ The install script will now exit. After applying one of the the above, rerun die
G_EXEC_PRE_FUNC(){ acommand[10]=$oc_password acommand[14]=$GLOBAL_PW; }
# - Checking output for stack trace to handle internal errors that do not lead to php error exit code
G_EXEC_POST_FUNC(){ grep -qi 'Stack trace' $fp_log && exit_code=255; }
G_EXEC occ maintenance:install --no-interaction --database 'mysql' --database-name 'owncloud' --database-user 'tmp_root' --database-pass '<omitted>' --admin-user "$username" --admin-pass '<omitted>' --data-dir "$datadir"
G_EXEC occ maintenance:install --no-interaction --database 'mysql' --database-name 'owncloud' --database-user 'tmp_root' --database-pass "${oc_password//?/X}" --admin-user "$username" --admin-pass "${GLOBAL_PW//?/X}" --data-dir "$datadir"
G_EXEC mysql -e 'drop user tmp_root@localhost'
unset -v oc_password

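Review bot: masking with `${oc_password//?/X}` replaces the earlier fixed "<omitted>" with a mask whose length equals the password length, so the install log now reveals how long both the database and the admin password are. If the goal is only to show that a value was passed, a fixed-width mask gives that without leaking length. Also, the indices in G_EXEC_PRE_FUNC (acommand[10], acommand[14]) are positional; they line up with `--database-pass` and `--admin-pass` as the command is written now, but a comment naming those flags would guard against a silent mismatch when the argument list is edited later.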
Expand Down Expand Up @@ -8292,7 +8293,7 @@ The install script will now exit. After applying one of the the above, rerun die
fi

}
G_EXEC ncc maintenance:install --no-interaction --database 'mysql' --database-name 'nextcloud' --database-user 'tmp_root' --database-pass '<omitted>' --admin-user "$username" --admin-pass '<omitted>' --data-dir "$datadir"
G_EXEC ncc maintenance:install --no-interaction --database 'mysql' --database-name 'nextcloud' --database-user 'tmp_root' --database-pass "${nc_password//?/X}" --admin-user "$username" --admin-pass "${GLOBAL_PW//?/X}" --data-dir "$datadir"
G_EXEC mysql -e 'drop user tmp_root@localhost'
unset -v nc_password

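Review bot: same remark as for the ownCloud call: the length of nc_password and GLOBAL_PW becomes visible through the X mask in the log. The G_EXEC_PRE_FUNC that swaps the real passwords back in is outside this hunk; since the ncc argument order mirrors the occ call exactly, the two pre-functions must be kept in sync whenever either command line changes.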
Expand Down Expand Up @@ -8580,9 +8581,7 @@ After=network-online.target sound.target dietpi-boot.service
[Service]
Type=notify
User=mpd
PermissionsStartOnly=true
ExecStartPre=$(command -v mkdir) -p /run/mpd
ExecStartPre=$(command -v chown) -R mpd: /run/mpd
RuntimeDirectory=mpd
ExecStart=$(command -v mpd) --no-daemon /etc/mpd.conf

# allow MPD to use real-time priority 50
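Review bot: RuntimeDirectory=mpd creates /run/mpd owned by User=mpd with mode 0755 and, by default, removes it again when the service stops (RuntimeDirectoryPreserve=no). The mpd.socket unit further down listens on /run/mpd/socket, so please verify that stopping mpd.service does not unlink the socket path from under the still-active socket unit; if it does, RuntimeDirectoryPreserve=yes in this unit keeps the directory in place.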
Expand All @@ -8606,7 +8605,7 @@ WantedBy=multi-user.target
Also=mpd.socket
_EOF_
# - systemd socket activation, not shipped by our custom package
[[ -f '/lib/systemd/system/mpd.socket' ]] || cat << _EOF_ > /lib/systemd/system/mpd.socket
[[ -f '/lib/systemd/system/mpd.socket' ]] || cat << '_EOF_' > /lib/systemd/system/mpd.socket
[Socket]
ListenStream=/run/mpd/socket
ListenStream=6600
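Review bot: quoting the delimiter ('_EOF_') disables parameter expansion for the whole heredoc, which is right for this socket unit since the visible body contains no $ references. The mpd.service heredoc above keeps an unquoted delimiter on purpose because it embeds $(command -v mpd); a short comment on one of the two would stop a future cleanup from "harmonising" them and breaking the expansion.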
Expand Down Expand Up @@ -8642,7 +8641,7 @@ _EOF_
Download_Test_Media

# Permissions
chown -R mpd: /var/log/mpd /mnt/dietpi_userdata/.mpd_cache /etc/mpd.conf
G_EXEC chown -R mpd: /var/log/mpd /mnt/dietpi_userdata/.mpd_cache /etc/mpd.conf

fi

Expand Down Expand Up @@ -11661,8 +11660,28 @@ _EOF_

Remove_SysV mosquitto

# Add systemd unit if missing, since Buster and with official repo it is part of the DEB package: https://github.com/eclipse/mosquitto/tree/master/service/systemd
[[ -f '/lib/systemd/system/mosquitto.service' ]] || cat << '_EOF_' > /etc/systemd/system/mosquitto.service
# Password file
if [[ ! -f '/etc/mosquitto/passwd' ]]
then
G_EXEC umask 0037
G_EXEC_PRE_FUNC(){ acommand[5]=$GLOBAL_PW; }
G_EXEC mosquitto_passwd -c -b /etc/mosquitto/passwd mosquitto "${GLOBAL_PW//?/X}"
G_EXEC chown root:mosquitto /etc/mosquitto/passwd
G_EXEC umask 0022
fi

# Config: /etc/mosquitto/conf.d exists, but doubled settings do not override each other and lead to a startup failure instead, which breaks the purpose we want to use it for.
# - Disable PID file, not required for systemd handling
G_EXEC sed -i '/^[[:blank:]]*pid_file[[:blank:]]/d' /etc/mosquitto/mosquitto.conf
# - Log to default STDERR > systemd-journald
G_EXEC sed -i '/^[[:blank:]]*log_dest[[:blank:]]/d' /etc/mosquitto/mosquitto.conf
# - Add default password file for authenticated requests: https://github.com/MichaIng/DietPi/issues/4133
G_PRESERVE=1 G_CONFIG_INJECT 'password_file[[:blank:]]' 'password_file /etc/mosquitto/passwd' /etc/mosquitto/mosquitto.conf
# - Add default listener at port 1883 not bound to loopback IP: https://github.com/MichaIng/DietPi/issues/4133
G_PRESERVE=1 G_CONFIG_INJECT 'listener[[:blank:]]' 'listener 1883' /etc/mosquitto/mosquitto.conf

# Add/override default systemd unit: https://github.com/eclipse/mosquitto/tree/master/service/systemd
cat << '_EOF_' > /etc/systemd/system/mosquitto.service
[Unit]
Description=Mosquitto MQTT Broker (DietPi)
Documentation=man:mosquitto.conf(5) man:mosquitto(8)
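Review bot: `G_EXEC umask 0037` only affects the mode of the new /etc/mosquitto/passwd if G_EXEC runs shell builtins in the calling shell; if it executes the command array in a subshell or through a redirected wrapper, the umask is lost and `mosquitto_passwd -c` creates the file 0644 before the chown to root:mosquitto, leaving the password hashes world-readable. Please confirm, or set the mode explicitly with a chmod 0640 after creation. Second, `listener 1883` without a bind address re-exposes the broker on all interfaces, and since no TLS settings are injected, clients will send the username "mosquitto" and the global software password in cleartext over the network; because that password is shared with other DietPi software, the changelog/docs should say so and point users to a dedicated MQTT password (mosquitto_passwd on /etc/mosquitto/passwd) or a TLS listener.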
Expand All @@ -11672,11 +11691,9 @@ After=network-online.target dietpi-boot.service
[Service]
Type=notify
NotifyAccess=main
ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto
ExecStartPre=/bin/chown mosquitto: /var/log/mosquitto
User=mosquitto
ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
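Review bot: the rationale for dropping Restart=on-failure lives only in the commit message; a one-line comment in the unit itself would tell an admin reading /etc/systemd/system/mosquitto.service that the omission is deliberate rather than an oversight. Also, with the two ExecStartPre lines gone, /var/log/mosquitto is no longer created; that matches the removal of log_dest from mosquitto.conf, but a user who re-adds a file log_dest under /var/log/mosquitto will hit a startup failure until they create the directory themselves, which is worth a sentence in the docs.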
Expand Down Expand Up @@ -13706,6 +13723,7 @@ _EOF_
[[ -d '/etc/systemd/system/mosquitto.service.d' ]] && rm -R /etc/systemd/system/mosquitto.service.d
G_AGP mosquitto

[[ -d '/etc/mosquitto' ]] && rm -R /etc/mosquitto
[[ -f '/etc/apt/sources.list.d/dietpi-mosquitto.list' ]] && rm -v /etc/apt/sources.list.d/dietpi-mosquitto.list
[[ -f '/etc/apt/trusted.gpg.d/dietpi-mosquitto.gpg' ]] && rm -v /etc/apt/trusted.gpg.d/dietpi-mosquitto.gpg

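Review bot: `rm -R /etc/mosquitto` on uninstall removes not only the generated password file but anything the user placed there (conf.d snippets, TLS certificates and keys). Removing the credential file is right; for the rest, either mention it in the uninstall prompt or back the directory up first, and use `rm -Rv` like the neighbouring lines so the removal shows up in the log.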