-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathsecurity-updates.sh
executable file
·122 lines (101 loc) · 3.43 KB
/
security-updates.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
#!/bin/bash
# You may poll for updates by running this script in a cron job, or
# have updates triggerd by piping security announcement emails into this script.
# For example, with a ~/.forward or ~/.qmail-drupal file
# that contains a line reading (without #, and unquoted for qmail):
# "|/path/to/this/script/named/security-updates.sh mailpipe"
# and subscribing $USER-drupal@$HOST to the security email newsletter.
# https://www.drupal.org/security.
# Non-security only updates may be done by passing the "update-all" parameter
# to this script.
# To limit this script to only 1 site, set WEB_ROOT to the Drupal site directory.
# To use on multiple sites, set WEB_ROOT to the directory containing all Drupal sites with a '/*' appended.
WEB_ROOT="/var/www/virtual/${USER}/*"
# Replace with "public_html" if you use a public_html subfolder
PUBLIC_DIR="."
EMAIL="${USER}@${HOST}"
BACKUP_DIR="$HOME/drush-backups" # should be the same place as drush uses
# The drupal (command line) console is required to enable mainenance mode for drupal 8.
if [ -z "$*" ] || [ "$1" == "mailpipe" ] && [ -z "$2" ]
then
DRUSHPARAM="--security-only"
elif [ "$1" == "update-all" ] || [ "$2" == "update-all" ]
then
DRUSHPARAM=""
else
DRUSHPARAM="$*"
fi
# determine available commands
drush=`which drush`
drupal=`which drupal`
# Create a backup folder if it does not exist.
if [[ ! -d "$BACKUP_DIR" ]]
then
echo "Creating new backup directory in $BACKUP_DIR"
mkdir -p "$BACKUP_DIR"
fi
# Capture message piped into this script and send it to $EMAIL.
# This allows to trigger this script by directing security anouncement emails to it.
if [ "$1" == "mailpipe" ]
then
stdin=$(cat)
if [ -n "$stdin" ]
then
echo "$stdin" | mail -s "$WEB_ROOT: security-updates.sh mailpipe triggered" "$EMAIL"
fi
fi
echo "Scanning WEB_ROOT directory $WEB_ROOT for Drupal installations."
for i in $WEB_ROOT/
do
# Handle symlinks
SITE_DIR=$(readlink -f $i)
cd $SITE_DIR
cd $PUBLIC_DIR
# Does the directory have a Drupal site?
SITE_STATUS=$($drush status | grep "Drupal" | wc -l)
if [[ $SITE_STATUS -gt 0 ]]
then
echo "Drupal installation for $i found in $(pwd)."
# Make sure status is up to date
drush pm-refresh
# Check for security updates
OUTPUT="$(drush pm-updatestatus ${DRUSHPARAM})"
if [[ $OUTPUT == *"UPDATE"* ]]
then
# enable maintenance
if [ -z "$drupal" ]
then
if [ -f core/CHANGELOG.txt ] # Drupal 8 or Drupal 7?
then
drush sset system.maintenance_mode 1 # this is drupal 8
else
drush vset maintenance_mode 1 # this is drupal 7
fi
else
drupal site:maintenance ON
fi
# Take a backup and if it succeeds, run the update
SITE_NAME=`basename ${i}`
drush sql-dump | gzip > ${BACKUP_DIR}/${USER}-${SITE_NAME}-pre-sec-update_$(date +%F_%T).sql.gz && drush up ${DRUSHPARAM} -y | mail -s "${USER}-${SITE_NAME} website needs testing" "$EMAIL"
# disable maintenance
if [ -z "$drupal" ]
then
if [ -f core/CHANGELOG.txt ] # Drupal 8 or Drupal 7?
then
drush sset system.maintenance_mode 0 # this is drupal 8
else
drush vset maintenance_mode 0 # this is drupal 7
fi
else
drupal site:maintenance OFF
fi
# Notify stakeholders
echo "A ${DRUSHPARAM} update has been applied to $SITE_NAME. You should test production now."
else
echo "No ${DRUSHPARAM} updates."
fi
else
echo "No Drupal site found in $(pwd)."
fi
done
echo "Done with Drupal ${DRUSHPARAM} updates."