Securing CloudPanel on Ubuntu 24.04 Part 12


Part 12: Automated Updates and Patch Management #

This system will manage both CloudPanel-specific updates and system-level security patches while maintaining proper logging in CloudPanel.

# Create update management script
# NOTE(review): the script below is run from cron with root privileges
# (it calls apt-get and systemctl), so the file should stay owned by root
# and must not be writable by other users.
sudo nano /usr/local/bin/cloudpanel-update-manager.sh


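#!/bin/bash
# CloudPanel update manager: applies system and PHP package updates with a
# pre-update backup, logs every step into CloudPanel's event table and
# writes a daily report under LOG_DIR.
#
# Paths and configuration (constants; nothing below reassigns them).
CP_HOME="/home/clp"
DB_PATH="${CP_HOME}/htdocs/app/data/db.sq3"
LOG_DIR="${CP_HOME}/logs/updates"
BACKUP_DIR="${CP_HOME}/backups/updates"
readonly CP_HOME DB_PATH LOG_DIR BACKUP_DIR
# apt-get and systemctl need root; fail here rather than half-way through
# an update with a backup already taken.
if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
  echo "cloudpanel-update-manager: must be run as root" >&2
  exit 1
fi
mkdir -p "$LOG_DIR" "$BACKUP_DIR" || exit 1
# Backups contain a full copy of the CloudPanel database and the service
# configuration; keep them readable by root only.
chmod 700 "$BACKUP_DIR"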
#######################################
# Print the CloudPanel application version stored in the config table.
# Globals:  DB_PATH (read)
# Outputs:  the version string on stdout
# Returns:  sqlite3's exit status
#######################################
get_cloudpanel_version() {
  local query="SELECT value FROM config WHERE key = 'app_version';"
  sqlite3 "$DB_PATH" "$query"
}
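#######################################
# Refresh the package lists and report whether security updates are pending.
# Globals:  none
# Outputs:  progress message on stdout; logs an event when updates exist or
#           when the list refresh fails
# Returns:  0 if at least one security update is pending, 1 otherwise
#           (including when apt-get update fails)
#######################################
check_system_updates() {
  echo "Checking system updates..."
  # A failed list refresh must not be mistaken for "nothing to update".
  if ! apt-get update -qq; then
    log_update_event "apt_update_failed" "apt-get update failed; system update check skipped"
    return 1
  fi
  # Count the simulated upgrade lines that mention a security pocket.
  # Declared and assigned separately so `local` does not mask the status.
  local security_updates
  security_updates=$(apt-get -s upgrade | grep -ci -- security)
  if [[ "$security_updates" -gt 0 ]]; then
    log_update_event "security_updates_available" "Security updates available: $security_updates packages"
    return 0
  fi
  return 1
}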
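#######################################
# Check every PHP version used by a vhost site for pending updates.
# Globals:  DB_PATH (read)
# Outputs:  progress message on stdout; one event per version that needs
#           an update
# Returns:  0, or 1 when the php_needs_update helper is not defined
#######################################
check_php_versions() {
  echo "Checking PHP versions..."
  # php_needs_update is not defined anywhere in this script. Without it
  # "command not found" is just a non-zero status inside `if`, and every
  # version would silently be treated as up to date. Fail loudly instead.
  if ! declare -F php_needs_update >/dev/null; then
    log_update_event "php_check_skipped" "php_needs_update is not defined; PHP version check skipped"
    return 1
  fi
  local query="
SELECT DISTINCT php_version
FROM php_settings
WHERE site_id IN (
  SELECT id FROM site WHERE type = 'vhost'
);"
  local version
  while IFS= read -r version; do
    [[ -n "$version" ]] || continue
    if php_needs_update "$version"; then
      log_update_event "php_update_required" "PHP version $version needs security updates"
    fi
  done < <(sqlite3 "$DB_PATH" "$query")
}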
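#######################################
# Snapshot the CloudPanel database and service configs before an update.
# Globals:  DB_PATH, CP_HOME, BACKUP_DIR (read)
# Arguments:
#   $1 - label for the backup, e.g. "system" or "php_8.3"; becomes part of
#        the directory name, so path separators are rejected
# Outputs:  ONLY the backup directory path on stdout (callers capture it);
#           progress messages go to stderr
# Returns:  0 on success, 1 if the label is invalid or any step fails
#######################################
backup_before_update() {
  local update_type="$1"
  # The label is spliced into a filesystem path; keep it to a plain token.
  if [[ ! "$update_type" =~ ^[A-Za-z0-9._-]+$ || "$update_type" == *..* ]]; then
    echo "backup_before_update: invalid backup label" >&2
    return 1
  fi
  local timestamp
  timestamp=$(date +%Y%m%d_%H%M%S)
  local backup_path="${BACKUP_DIR}/${update_type}_${timestamp}"
  # stdout is the return channel for the path. The progress line must go to
  # stderr, otherwise the caller's $(...) captures "Creating pre-update
  # backup..." as part of the path and a later restore points nowhere.
  echo "Creating pre-update backup..." >&2
  mkdir -p "$backup_path" || return 1
  # The database copy holds credentials: restrict the snapshot to root.
  chmod 700 "$backup_path" || return 1
  sqlite3 "$DB_PATH" ".backup '${backup_path}/cloudpanel.sq3'" || return 1
  # The exclude pattern is given before the paths so it applies to all of
  # them regardless of how the installed tar orders option processing.
  tar -czf "${backup_path}/config.tar.gz" \
    --exclude='*.log' \
    "${CP_HOME}/services/nginx/nginx.conf" \
    "${CP_HOME}/services/php-fpm" \
    "${CP_HOME}/services/nginx/sites-enabled" || return 1
  echo "$backup_path"
}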
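#######################################
# Apply pending system package updates, rolling back on failure.
# Globals:  none directly (uses backup_before_update / restore_from_backup)
# Outputs:  progress on stdout; events logged to the CloudPanel database
# Returns:  0 on success, 1 when the backup or the upgrade fails
#######################################
apply_system_updates() {
  echo "Applying system updates..."
  # Declare and assign separately: `local x=$(...)` always succeeds, which
  # would let the upgrade run even when no restore point was created.
  local backup_path
  if ! backup_path=$(backup_before_update "system"); then
    log_update_event "system_update_aborted" "Pre-update backup failed; system update skipped"
    return 1
  fi
  if DEBIAN_FRONTEND=noninteractive apt-get -y upgrade; then
    log_update_event "system_update_success" "System updates applied successfully"
    return 0
  fi
  log_update_event "system_update_failed" "System update failed"
  restore_from_backup "$backup_path"
  return 1
}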
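#######################################
# Update the packages of one PHP version and restart its FPM service.
# Globals:  none directly (uses backup_before_update / restore_from_backup)
# Arguments:
#   $1 - PHP version as stored by CloudPanel, e.g. "8.3"
# Outputs:  progress on stdout; events logged to the CloudPanel database
# Returns:  0 on success, 1 on an invalid version, a failed backup or a
#           failed install
# Note: main() does not call this function; it is available for manual use.
#######################################
update_php_version() {
  local version="$1"
  # The version comes from the database and is spliced into package and
  # unit names and into a backup path; accept only the "major.minor" form.
  if [[ ! "$version" =~ ^[0-9]+\.[0-9]+$ ]]; then
    log_update_event "php_update_failed" "Refusing to update PHP: invalid version string"
    return 1
  fi
  echo "Updating PHP version $version..."
  local backup_path
  if ! backup_path=$(backup_before_update "php_${version}"); then
    log_update_event "php_update_failed" "PHP $version update skipped: pre-update backup failed"
    return 1
  fi
  local -a packages=("php${version}-fpm" "php${version}-common" "php${version}-cli")
  if ! DEBIAN_FRONTEND=noninteractive apt-get install -y "${packages[@]}"; then
    log_update_event "php_update_failed" "PHP $version update failed"
    restore_from_backup "$backup_path"
    return 1
  fi
  log_update_event "php_update_success" "PHP $version updated successfully"
  systemctl restart "php${version}-fpm"
}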
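#######################################
# Verify critical services, every PHP-FPM pool and the CloudPanel database
# after updates.
# Globals:  DB_PATH (read)
# Outputs:  progress on stdout; one event per failed check
# Returns:  0 when every check passes, 1 otherwise
#######################################
verify_system_integrity() {
  echo "Verifying system integrity..."
  local integrity_check=0
  local service
  local -a services=("nginx" "mysql")
  for service in "${services[@]}"; do
    if ! systemctl is-active --quiet "$service"; then
      log_update_event "service_check_failed" "Service $service is not running after update"
      integrity_check=1
    fi
  done
  # Feed the loop by process substitution, not a pipe: a piped `while` runs
  # in a subshell and every integrity_check=1 set inside it would be lost,
  # so a dead PHP-FPM pool would never fail this function.
  local version
  while IFS= read -r version; do
    [[ -n "$version" ]] || continue
    if ! systemctl is-active --quiet "php${version}-fpm"; then
      log_update_event "php_check_failed" "PHP-FPM $version is not running after update"
      integrity_check=1
    fi
  done < <(sqlite3 "$DB_PATH" "SELECT DISTINCT php_version FROM php_settings;")
  # PRAGMA integrity_check reports corruption as result rows and still exits
  # 0; the check has to compare the output with "ok", not the exit status.
  local db_status
  db_status=$(sqlite3 "$DB_PATH" "PRAGMA integrity_check;")
  if [[ "$db_status" != "ok" ]]; then
    log_update_event "database_check_failed" "Database integrity check failed after update"
    integrity_check=1
  fi
  return "$integrity_check"
}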
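#######################################
# Restore the CloudPanel database and service configs from a snapshot.
# Globals:  DB_PATH (read)
# Arguments:
#   $1 - backup directory produced by backup_before_update
# Outputs:  progress on stdout; logs an event on completion or failure
# Returns:  0 on success, 1 when the snapshot is missing or a step fails
#######################################
restore_from_backup() {
  local backup_path="$1"
  echo "Restoring from backup: $backup_path"
  # Refuse to "restore" from a path without a snapshot: .restore of a missing
  # file and tar on a missing archive would only add damage to a failed update.
  if [[ ! -f "${backup_path}/cloudpanel.sq3" || ! -f "${backup_path}/config.tar.gz" ]]; then
    log_update_event "restore_failed" "Backup not found at ${backup_path}; nothing restored"
    return 1
  fi
  sqlite3 "$DB_PATH" ".restore '${backup_path}/cloudpanel.sq3'" || return 1
  # The archive was built from absolute paths (tar strips the leading "/"),
  # so unpacking relative to / puts the files back where they came from.
  tar -xzf "${backup_path}/config.tar.gz" -C / || return 1
  # NOTE(review): "php-fpm" is unversioned here while the rest of the script
  # restarts "php${version}-fpm" units — confirm which unit name exists.
  systemctl restart nginx php-fpm mysql
  log_update_event "system_restored" "System restored from backup after failed update"
}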
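#######################################
# Record an update event in CloudPanel's event table.
# Globals:  DB_PATH (read)
# Arguments:
#   $1 - event name suffix (stored as "update_<name>")
#   $2 - free-text event data
# Returns:  sqlite3's exit status
#######################################
log_update_event() {
  local event_name="$1"
  local event_data="$2"
  # Both arguments are spliced into SQL string literals. An embedded single
  # quote (package names, versions, messages taken from tool output) would
  # break the statement or let the rest of the text run as SQL; doubling
  # every quote is SQLite's escape for a literal '.
  local safe_name safe_data
  safe_name=${event_name//\'/\'\'}
  safe_data=${event_data//\'/\'\'}
  sqlite3 "$DB_PATH" "
INSERT INTO event (
  created_at,
  user_name,
  event_name,
  event_data
) VALUES (
  datetime('now'),
  'system',
  'update_${safe_name}',
  '${safe_data}'
);"
}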
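#######################################
# Write a plain-text report of the last 24 hours of update events, the PHP
# versions in use and the state of nginx/mysql.
# Globals:  DB_PATH, LOG_DIR (read)
# Outputs:  report written to LOG_DIR/update_report_<YYYYMMDD>.txt
# Returns:  0 on success, 1 when the report file cannot be written
#######################################
create_update_report() {
  local report_file="${LOG_DIR}/update_report_$(date +%Y%m%d).txt"
  # Fail early if the report cannot be created, instead of losing the output.
  : > "$report_file" || return 1
  {
    # printf rather than `echo -e`: echo's escape handling is not portable.
    printf 'CloudPanel Update Report - %s\n' "$(date)"
    printf '=================================\n'
    printf '\nSystem Updates:\n'
    sqlite3 "$DB_PATH" "
SELECT created_at, event_data
FROM event
WHERE event_name LIKE 'update_%'
  AND created_at > datetime('now', '-24 hours')
ORDER BY created_at DESC;"
    printf '\nInstalled PHP Versions:\n'
    sqlite3 "$DB_PATH" "
SELECT DISTINCT php_version, COUNT(*) as sites
FROM php_settings
GROUP BY php_version;"
    printf '\nService Status:\n'
    # `systemctl status` exits non-zero for an inactive unit; the Active
    # line is still printed, which is what the report wants.
    systemctl status nginx mysql | grep -- Active
  } > "$report_file"
  return 0
}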
#######################################
# Entry point: check and apply updates, verify the result, write the report.
# Globals:  none directly
# Arguments: ignored
# Outputs:  progress on stdout
#######################################
main() {
  echo "Starting update management system..."
  # Only touch packages when a security update is actually pending.
  check_system_updates && apply_system_updates
  check_php_versions
  verify_system_integrity \
    || log_update_event "integrity_check_failed" "System integrity check failed after updates"
  create_update_report
  echo "Update management completed"
}
main "$@"

This update management system provides:

  1. Automated system updates with pre-update backups
  2. PHP version management integrated with CloudPanel’s configuration
  3. System integrity verification
  4. Automatic rollback capabilities
  5. Detailed update logging in CloudPanel’s event system
  6. Update reporting and monitoring

To implement this update management system:

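# Make the script executable. It runs with root privileges from cron, so it
# must be owned by root and not writable by anyone else; the file was created
# with sudo above, so chmod needs sudo as well.
sudo chown root:root /usr/local/bin/cloudpanel-update-manager.sh
sudo chmod 755 /usr/local/bin/cloudpanel-update-manager.sh
# Add to root's crontab for weekly execution (Sunday 03:00). The script calls
# apt-get and systemctl, so it has to run from root's crontab, not the user's.
(sudo crontab -l 2>/dev/null; echo "0 3 * * 0 /usr/local/bin/cloudpanel-update-manager.sh") | sudo crontab -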