Molly-guard is a very useful package which replaces the default halt and reboot (and other related) commands with a version which prompts you to type the hostname of the host you intended to halt/reboot before it continues to do so. For example:
root@testhost:~# reboot
I: molly-guard: reboot is always molly-guarded on this system.
Please type in hostname of the machine to reboot: [type incorrect hostname]
Good thing I asked; I won't reboot testhost ...
W: aborting reboot due to 30-query-hostname exiting with code 1.
This is invaluable if you use a lot of different systems and they are often in use by other users whom you don’t want to anger with accidental reboots…
For Debian-based distros (including Ubuntu), it’s available via a simple apt-get install molly-guard
. On RHEL-based distros, unfortunately, it’s not in the base repositories and I was unable to find a suitably-trustworthy repository which contains it.
So this leads to asking some questions:
What does it do?
Simply put, it copies the existing /sbin/halt
and related commands to a separate directory (by default /lib/molly-guard
), and replaces them with symlinks to /lib/molly-guard/molly-guard
to ensure that the new executable is used.
By default it only requires hostname confirmation when you are logged in via ssh, but this can be changed to always ask for the hostname by setting the ALWAYS_QUERY_HOSTNAME
variable in the /etc/molly-guard/rc
configuration file. Further customisations are possible by adding scripts to run to the /etc/molly-guard/run.d
directory, and if any of these exit with a non-zero exit code then the reboot is aborted. (This is how the hostname check is done, but you can add whatever logic you want via this method)
How can we make this work on RHEL / Why are there no packages for RHEL?
Someone kindly ported a version of molly-guard from Debian to RHEL, and a github repo of this is available here. Unfortunately this doesn’t quite solve the problem, as creating a package from this (having updated it for molly-guard 0.6.2) creates an RPM which gives us errors when we try to install it:
Running Transaction Test
Transaction Check Error:
file /sbin/halt from install of molly-guard-0.6.2-1.1.noarch conflicts with file from package upstart-0.6.5-13.el6_5.3.x86_64
file /sbin/poweroff from install of molly-guard-0.6.2-1.1.noarch conflicts with file from package upstart-0.6.5-13.el6_5.3.x86_64
file /sbin/reboot from install of molly-guard-0.6.2-1.1.noarch conflicts with file from package upstart-0.6.5-13.el6_5.3.x86_64
file /sbin/shutdown from install of molly-guard-0.6.2-1.1.noarch conflicts with file from package upstart-0.6.5-13.el6_5.3.x86_64
RPM really doesn’t like replacing files which are owned by another package, so an alternative (you’ll see what I did there in a minute) strategy is required.
Handily there’s a tool called alternatives
which can handle selecting which of a set of binaries to use, via managing a directory of symlinks. (See!)
If we re-create the RPM without the explicit symlinks and instead use a post-install script snippet which copies the halt/reboot binaries to the molly-guard directory and sets up alternatives to point at them then this might just work!
(There are a bunch more reboot/halt commands which are in /usr/bin/...
on RHEL, so we need to turn those into links as well:
alternatives --install /sbin/halt halt /lib/molly-guard/molly-guard 999 \
--slave /sbin/powreoff poweroff /lib/molly-guard/molly-guard \
--slave /sbin/reboot reboot /lib/molly-guard/molly-guard \
--slave /sbin/shutdown shutdown /lib/molly-guard/molly-guard \
--slave /sbin/coldreboot coldreboot /lib/molly-guard/molly-guard \
--slave /sbin/pm-hibernate pm-hibernate /lib/molly-guard/molly-guard \
--slave /sbin/pm-suspend pm-suspend /lib/molly-guard/molly-guard \
--slave /sbin/pm-suspend-hybrid pm-suspend-hybrid /lib/molly-guard/molly-guard \
\
--slave /usr/bin/reboot usrbinreboot /lib/molly-guard/molly-guard \
--slave /usr/bin/halt usrbinhalt /lib/molly-guard/molly-guard \
--slave /usr/bin/poweroff usrbinpoweroff /lib/molly-guard/molly-guard
# Ensure we're using this by default:
alternatives --set halt /lib/molly-guard/molly-guard
At this point we’ve got a set of alternatives and a post-install RPM scriptlet which copies the required commands into the /lib/molly-guard
directory, but there is still a problem that RPM will clobber these when the clashing packages are updated! So we definitely need to ensure that our alternatives get re-added after any updates. To do this we can do one of the following:
- Have a cron job which runs regularly and enforces the alternatives setting for “halt” (the “slave” entries trigger all the others to update when this is done)
- Use Puppet or some other configuration management to enforce the alternatives setting (will have a small window of the binaries being the new version until the alternatives are reset by Puppet on the next run)
- Scrap the alternatives method and use something else like modifying the
PATH
to ensure our reboot/halt versions are before the system versions (will break if scripts use full paths to the commands, which is pretty common)
- Drop this approach and create a PAM module which does the same as molly-guard, then use consolehelper and PAM instead (untested)
I’ve decided to go for the second of these and have configuration management ensure that the “alternatives” settings are enforced.
Will this have any side-effects?
One side-effect is that on RHEL6 the reboot-related commands in /usr/bin
use “consolehelper” to control access to these commands through PAM. Without some additional jiggery-pokery this functionality will be broken by this update.
Updates to the packages will need to be handled somehow, perhaps by detecting that the binaries have been put back in place and updating the molly-guard-controlled versions. (Eek!)
I’ve not looked at updating the package for RHEL7, where the reboot and related commands all link to systemctl
for systemd control. This is likely to need some different shenanigans to get it to work…
Where can I get the packages?
These are a work in progress but the updated git repoistory is available here. RPMs will be available from http://packages.bris.ac.uk/centos/6/zone_d/ (UoB internal only access) once finalised. It it works well these should be published more widely 🙂
No RHEL7 packages yet I’m afraid — I need to investigate how to get this to work with systemd!
(Bonus Q: Why is it called Molly-guard? See this definition for an explanation)