diff options
| author | Rob Austein <sra@hactrn.net> | 2016-02-15 07:51:40 +0000 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2016-02-15 07:51:40 +0000 |
| commit | def95e42fda9a9e45bdf4f40a6ecb93b644dbf0b (patch) | |
| tree | 1505c5859484053e8a120acaef60869389d3d901 | |
| parent | 21527a93bf51875473bc29698189e9e9540aee1b (diff) | |
Checkpoint while shuffling stuff around for new installation scheme.
Installation of everything but Debian packages is probably broken, and
Debian packages are too at the moment due to (probably) minor errors
in buildtools/debian-skeleton, but enough has changed that this really
needs a snapshot checked in for backup.
svn path=/branches/tk705/; revision=6257
32 files changed, 412 insertions, 465 deletions
diff --git a/Makefile.in b/Makefile.in index 8f53c2f4..a85cc6a4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -7,6 +7,7 @@ LIBS = @LIBS@ PYTHON = @PYTHON@ INSTALL = @INSTALL@ -m 555 TRANG = @TRANG@ +SUDO = @SUDO@ prefix = @prefix@ exec_prefix = @exec_prefix@ @@ -32,8 +33,8 @@ CA_TARGET = @CA_TARGET@ WSGI_DAEMON_PROCESS = @WSGI_DAEMON_PROCESS@ WSGI_PROCESS_GROUP = @WSGI_PROCESS_GROUP@ RCYNIC_DIR = @RCYNIC_DIR@ -RCYNIC_USER = @RCYNIC_USER@ -RCYNIC_GROUP = @RCYNIC_GROUP@ +RPKI_USER = @RPKI_USER@ +RPKI_GROUP = @RPKI_GROUP@ RCYNIC_HTML_DIR = @RCYNIC_HTML_DIR@ RRDTOOL = @RRDTOOL@ APACHE_VERSION = @APACHE_VERSION@ @@ -127,38 +128,39 @@ VERSION: .FORCE ${PYTHON} buildtools/make-version.py rpki/autoconf.py: Makefile - @echo 'Generating $@'; \ - (echo '# Automatically generated. DO NOT EDIT.'; \ - echo ; \ - echo 'bindir = "${bindir}"'; \ - echo 'datarootdir = "${datarootdir}"'; \ - echo 'localstatedir = "${localstatedir}"'; \ - echo 'sbindir = "${sbindir}"'; \ - echo 'sharedstatedir = "${sharedstatedir}"'; \ - echo 'sysconfdir = "${sysconfdir}"'; \ - echo 'libexecdir = "${libexecdir}"'; \ - echo ; \ - echo 'WSGI_DAEMON_PROCESS = "${WSGI_DAEMON_PROCESS}"'; \ - echo 'WSGI_PROCESS_GROUP = "${WSGI_PROCESS_GROUP}"'; \ - echo 'RCYNIC_DIR = "${RCYNIC_DIR}"'; \ - echo 'RCYNIC_USER = "${RCYNIC_USER}"'; \ - echo 'RCYNIC_GROUP = "${RCYNIC_GROUP}"'; \ - echo 'RCYNIC_HTML_DIR = "${RCYNIC_HTML_DIR}"'; \ - echo 'RRDTOOL = "${RRDTOOL}"'; \ - echo 'APACHE_VERSION = "${APACHE_VERSION}"'; \ - echo 'WSGI_PYTHON_EGG_CACHE_DIR = "${WSGI_PYTHON_EGG_CACHE_DIR}"'; \ - echo 'WSGI_PYTHON_EGG_CACHE_USER = "${WSGI_PYTHON_EGG_CACHE_USER}"'; \ + @echo 'Generating $@'; \ + (echo '# Automatically generated. DO NOT EDIT.'; \ + echo ; \ + echo 'bindir = "${bindir}"'; \ + echo 'datarootdir = "${datarootdir}"'; \ + echo 'localstatedir = "${localstatedir}"'; \ + echo 'sbindir = "${sbindir}"'; \ + echo 'sharedstatedir = "${sharedstatedir}"'; \ + echo 'sysconfdir = "${sysconfdir}"'; \ + echo 'libexecdir = "${libexecdir}"'; \ + echo ; \ + echo 'WSGI_DAEMON_PROCESS = "${WSGI_DAEMON_PROCESS}"'; \ + echo 'WSGI_PROCESS_GROUP = "${WSGI_PROCESS_GROUP}"'; \ + echo 'RCYNIC_DIR = "${RCYNIC_DIR}"'; \ + echo 'RPKI_USER = "${RPKI_USER}"'; \ + echo 'RPKI_GROUP = "${RPKI_GROUP}"'; \ + echo 'RCYNIC_HTML_DIR = "${RCYNIC_HTML_DIR}"'; \ + echo 'RRDTOOL = "${RRDTOOL}"'; \ + echo 'APACHE_VERSION = "${APACHE_VERSION}"'; \ + echo 'WSGI_PYTHON_EGG_CACHE_DIR = "${WSGI_PYTHON_EGG_CACHE_DIR}"'; \ + echo 'WSGI_PYTHON_EGG_CACHE_USER = "${WSGI_PYTHON_EGG_CACHE_USER}"'; \ + echo 'SUDO = "${SUDO}"'; \ ) > $@ setup_autoconf.py: rpki/autoconf.py - @echo 'Generating $@'; \ - (cat rpki/autoconf.py; \ - echo ; \ + @echo 'Generating $@'; \ + (cat rpki/autoconf.py; \ + echo ; \ echo 'CFLAGS = """${CFLAGS}"""'; \ echo 'LDFLAGS = """${LDFLAGS}"""'; \ echo 'LIBS = """${LIBS}"""'; \ - echo 'RP_TARGET = """${RP_TARGET}"""'; \ - echo 'CA_TARGET = """${CA_TARGET}"""'; \ + echo 'RP_TARGET = """${RP_TARGET}"""'; \ + echo 'CA_TARGET = """${CA_TARGET}"""'; \ ) > $@ .FORCE: diff --git a/buildtools/build-ubuntu-ports.py b/buildtools/build-debian-packages.py index 19f61f6d..19f61f6d 100644 --- a/buildtools/build-ubuntu-ports.py +++ b/buildtools/build-debian-packages.py diff --git a/buildtools/debian-skeleton/rpki-ca.install b/buildtools/debian-skeleton/rpki-ca.install index ffae5103..90f4eecf 100644 --- a/buildtools/debian-skeleton/rpki-ca.install +++ b/buildtools/debian-skeleton/rpki-ca.install @@ -1,4 +1,3 @@ -etc/rpki/rpki-confgen.xml usr/lib/rpki usr/sbin usr/share/rpki diff --git a/buildtools/debian-skeleton/rpki-ca.postinst b/buildtools/debian-skeleton/rpki-ca.postinst index 18fef863..9bd1f96d 100644 --- a/buildtools/debian-skeleton/rpki-ca.postinst +++ b/buildtools/debian-skeleton/rpki-ca.postinst @@ -5,51 +5,25 @@ set -e -setup_rpkid_user() { - if ! getent passwd rpkid >/dev/null - then - useradd -g rpkid -M -N -d /nonexistent -s /sbin/nologin -c "RPKI certification authority engine(s)" rpkid - fi -} - -setup_rpkid_group() { - if ! getent group rpkid >/dev/null - then - groupadd rpkid - fi -} - setup_apache() { /usr/lib/rpki/rpkigui-apache-conf-gen --install --verbose } -setup_rpki_conf() { - # Update /etc/rpki.conf.sample for this system, and copy it to - # /etc/rpki.conf if no configuration file exists yet. - - # We don't (yet) have the ability to merge in settings from an - # existing rpki.conf, so we generate a new secret_key and a new - # SQL password every time, but that's harmless so long as we're - # careful not to overwrite an existing configuration. - - rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml \ - --autoconf \ - --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \ - --set myrpki::rpkid_server_host=`hostname -f` \ - --set myrpki::pubd_server_host=`hostname -f` \ - --set myrpki::shared_sql_engine=postgresql \ - --pwgen myrpki::shared_sql_password \ - --pwgen web_portal::secret-key \ - --write-conf /etc/rpki.conf.sample - - if test ! -f /etc/rpki.conf +setup_config() { + + rpki-confgen --read-xml /etc/rpki/rpki.rp.xml \ + --set myrpki::run_rpkid=yes \ + --set myrpki::run_pubd=yes \ + --write-xml /etc/rpki/rpki.ca.xml \ + --write-conf /etc/rpki/rpki.ca.sample.conf + + if test ! -f /etc/rpki.conf || cmp -s /etc/rpki.conf /etc/rpki/rpki.rp.sample.conf then - cp -p /etc/rpki.conf.sample /etc/rpki.conf + cp -p /etc/rpki/rpki.ca.conf.sample /etc/rpki.conf fi } setup_sql() { - #rpki-sql-setup --mysql-defaults /etc/mysql/debian.cnf create rpki-sql-setup --debug --verbose --postgresql-root-username postgres create } @@ -66,12 +40,7 @@ setup_cron() { t=$(hexdump -n 1 -e '"%u"' /dev/urandom) && echo "$(($t % 60)) */2 * * * nobody /usr/lib/rpki/rpkigui-import-routes" > /etc/cron.d/rpkigui-routeviews chmod 644 /etc/cron.d/rpkigui-routeviews ln -sf /usr/lib/rpki/rpkigui-check-expired /etc/cron.daily/rpkigui-check-expired - - # This should be user rpkid, but I don't have permissions set up - # properly for that yet. Arguably this should be integrated with - # rpkigui-check-expired anyway, not there yet either. - - echo "30 3 * * * root /usr/sbin/rpkic update_bpki" >/etc/cron.d/rpki-update-bpki + echo "30 3 * * * rpki /usr/sbin/rpkic update_bpki" >/etc/cron.d/rpki-update-bpki chmod 644 /etc/cron.d/rpki-update-bpki } @@ -90,10 +59,8 @@ setup_cron() { case "$1" in configure) - setup_rpkid_group - setup_rpkid_user setup_apache - setup_rpki_conf + setup_config setup_sql setup_bpki setup_django diff --git a/buildtools/debian-skeleton/rpki-ca.postrm b/buildtools/debian-skeleton/rpki-ca.postrm index 372847f2..c49492fe 100644 --- a/buildtools/debian-skeleton/rpki-ca.postrm +++ b/buildtools/debian-skeleton/rpki-ca.postrm @@ -22,13 +22,11 @@ set -e case "$1" in purge) - sql=/etc/rpki/drop_databases.sql - if test -f $sql + if cmp -s /etc/rpki.conf /etc/rpki/rpki.ca.sample.conf then - #mysql --defaults-file=/etc/mysql/debian.cnf --execute "source $sql" - sudo -u postgres psql -f $sql + cp -p /etc/rpki/rpki.rp.sample.conf /etc/rpki.conf fi - rm -f /etc/rpki.conf /etc/rpki.conf.sample $sql + rm -f /etc/rpki/rpki.ca.sample.conf /etc/rpki/rpki.ca.xml rm -f /etc/rpki/apache.conf /etc/rpki/apache.cer /etc/rpki/apache.key ;; diff --git a/buildtools/debian-skeleton/rpki-ca.prerm b/buildtools/debian-skeleton/rpki-ca.prerm index 2754ed43..3f44ea4d 100644 --- a/buildtools/debian-skeleton/rpki-ca.prerm +++ b/buildtools/debian-skeleton/rpki-ca.prerm @@ -31,53 +31,13 @@ case "$1" in rm -f /usr/share/rpki/rpkid.cer rm -f /usr/share/rpki/rpkid.key - # Record what will be needed to drop the databases completely, - # while we still have the necessary configuration data, but - # postpone dropping the databases until the postrm script, - # since that's where we find out whether this is a purge. - - #rpki-sql-setup --mysql-defaults /etc/mysql/debian.cnf script-drop /etc/rpki/drop_databases.sql - rpki-sql-setup --debug --verbose --postgresql-root-username postgres script-drop /etc/rpki/drop_databases.sql - # Clean up our cron jobs. rm -f /etc/cron.d/rpkigui-routeviews rm -f /etc/cron.daily/rpkigui-check-expired rm -f /etc/cron.d/rpki-update-bpki - # Clean up what we did to Apache. Modern version of this is - # just invocation of a Python script, but for now we also - # retain code needed to clean up nasty mess we created in the - # past, to avoid breaking old installations on upgrade. - - # Remove the old stuff first, if the containing file even exists. - - f=/etc/apache2/sites-available/default-ssl - if test -r $f - then - awk < $f > ${f}.tmp ' - BEGIN { - conf_file = "/etc/rpki/apache.conf"; - conf_regexp = "^[ \t]*Include[ \t]+" conf_file "[ \t]*$"; - } - $0 !~ conf_regexp { - print; - }' - - if cmp -s ${f}.tmp ${f}.orig - then - mv -f ${f}.orig $f - rm -f ${f}.tmp - else - mv -f ${f}.tmp $f - fi - fi - - # At this point we've cleaned up our Apache config mess. - # Not sure whether we should do "service apache2 reload" - # here, one could make a case either way. Skip for now. - - # Now remove the new stuff. + # Clean up what we did to Apache. /usr/lib/rpki/rpkigui-apache-conf-gen --remove --verbose diff --git a/buildtools/debian-skeleton/rpki-rp.install b/buildtools/debian-skeleton/rpki-rp.install index ce17bb14..fe0073a2 100644 --- a/buildtools/debian-skeleton/rpki-rp.install +++ b/buildtools/debian-skeleton/rpki-rp.install @@ -1,4 +1,4 @@ -etc/rcynic.conf +etc/rpki/rpki-confgen.xml etc/rpki/trust-anchors etc/xinetd.d/rpki-rtr usr/bin diff --git a/buildtools/debian-skeleton/rpki-rp.postinst b/buildtools/debian-skeleton/rpki-rp.postinst index b9f666a2..ae95e7b2 100644 --- a/buildtools/debian-skeleton/rpki-rp.postinst +++ b/buildtools/debian-skeleton/rpki-rp.postinst @@ -5,54 +5,63 @@ set -e -setup_groups() { - if ! getent group rcynic >/dev/null +setup_user() { + if ! getent group rpki >/dev/null then - groupadd rcynic + groupadd rpki fi - if ! getent group rpkirtr >/dev/null + if ! getent passwd rpki >/dev/null then - groupadd rpkirtr + useradd -g rpki -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI system software" rpki fi } -setup_users() { - if ! getent passwd rcynic >/dev/null - then - useradd -g rcynic -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI validation system" rcynic - fi - if ! getent passwd rpkirtr >/dev/null - then - useradd -g rpkirtr -M -N -d /var/rcynic/rpki-rtr -s /sbin/nologin -c "RPKI router server" rpkirtr - fi - usermod -a -G rpkirtr rcynic +setup_directories() { + install -o rpki -g rpki -d /var/rcynic/data /var/rcynic/rpki-rtr /var/rcynic/rpki-rtr/sockets /var/www/html/rcynic } -setup_directories() { - install -o rcynic -g rcynic -d /var/rcynic/data /var/rcynic/rpki-rtr - if test -d /var/www/html && test -d /var/www/rcynic && test ! -d /var/www/html/rcynic - then - mv /var/www/rcynic /var/www/html/rcynic - elif test -d /var/www/html +setup_config() { + + rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml \ + --autoconf \ + --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \ + --set myrpki::rpkid_server_host=`hostname -f` \ + --set myrpki::pubd_server_host=`hostname -f` \ + --set myrpki::shared_sql_engine=postgresql \ + --set myrpki::rcynic_sql_database=rpki \ + --set myrpki::rpkid_sql_database=rpki \ + --set myrpki::irdbd_sql_database=rpki \ + --set myrpki::pubd_sql_database=rpki \ + --pwgen myrpki::shared_sql_password \ + --pwgen web_portal::secret-key \ + --set myrpki::run_rpkid=no \ + --set myrpki::run_pubd=no \ + --write-xml /etc/rpki/rpki.rp.xml \ + --write-conf /etc/rpki/rpki.rp.sample.conf + + if test ! -f /etc/rpki.conf then - install -o rcynic -g rcynic -d /var/www/html/rcynic + cp -p /etc/rpki/rpki.rp.sample.conf /etc/rpki.conf fi - install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets +} + +setup_sql() { + rpki-sql-setup --debug --verbose --postgresql-root-username postgres create } # We want to pick a *random* minute for rcynic to run, to spread load # on repositories, which is why we don't just use a package crontab. -setup_rcynic_cron() { - if test "X`crontab -l -u rcynic 2>/dev/null`" = "X" +setup_cron() { + if test "X`crontab -l -u rpki 2>/dev/null`" = "X" then awk -v t=`hexdump -n 2 -e '"%u\n"' /dev/urandom` ' BEGIN {printf "MAILTO=root\n%u * * * *\texec /usr/bin/rcynic-cron\n", t % 60}' | - crontab -u rcynic - + crontab -u rpki - fi } -setup_rpkirtr_listener() { +setup_xinetd() { if test -f /var/run/xinetd.pid then kill -HUP `cat /var/run/xinetd.pid` @@ -74,11 +83,12 @@ setup_rpkirtr_listener() { case "$1" in configure) - setup_groups - setup_users + setup_user setup_directories - setup_rcynic_cron - setup_rpkirtr_listener + setup_config + setup_sql + setup_cron + setup_xinetd ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/buildtools/debian-skeleton/rpki-rp.postrm b/buildtools/debian-skeleton/rpki-rp.postrm index ad4ed1b9..7236d7a5 100644 --- a/buildtools/debian-skeleton/rpki-rp.postrm +++ b/buildtools/debian-skeleton/rpki-rp.postrm @@ -23,6 +23,13 @@ case "$1" in purge) rm -rf /var/rcynic + sql=/etc/rpki/drop_databases.sql + if test -f $sql + then + sudo -u postgres psql -f $sql + rm -f $sql + fi + rm -f /etc/rpki/rpki.rp.sample.conf /etc/rpki/rpki.rp.xml /etc/rpki.conf ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) diff --git a/buildtools/debian-skeleton/rpki-rp.prerm b/buildtools/debian-skeleton/rpki-rp.prerm index 37b111f2..b7e7cbde 100644 --- a/buildtools/debian-skeleton/rpki-rp.prerm +++ b/buildtools/debian-skeleton/rpki-rp.prerm @@ -20,16 +20,25 @@ set -e case "$1" in remove) - crontab -l -u rcynic 2>/dev/null | awk ' + # Record what will be needed to drop the databases completely, + # while we still have the necessary configuration data, but + # postpone dropping the databases until the postrm script, + # since that's where we find out whether this is a purge. + + rpki-sql-setup --debug --verbose --postgresql-root-username postgres script-drop /etc/rpki/drop_databases.sql + + # Clean up our cron job. + + crontab -l -u rpki 2>/dev/null | awk ' $0 !~ "exec /usr/bin/rcynic-cron" { line[++n] = $0; } END { if (n) for (i = 1; i <= n; i++) - print line[i] | "crontab -u rcynic -"; + print line[i] | "crontab -u rpki -"; else - system("crontab -u rcynic -r"); + system("crontab -u rpki -r"); }' ;; diff --git a/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in b/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in index 4c687f38..8942fd1a 100644 --- a/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in +++ b/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in @@ -3,47 +3,25 @@ case $2 in PRE-INSTALL) - if /usr/sbin/pw groupshow "rcynic" 2>/dev/null + if /usr/sbin/pw groupshow "rpki" 2>/dev/null then - echo "You already have a group \"rcynic\", so I will use it." - elif /usr/sbin/pw groupadd rcynic + echo "You already have a group \"rpki\", so I will use it." + elif /usr/sbin/pw groupadd rpki then - echo "Added group \"rcynic\"." + echo "Added group \"rpki\"." else - echo "Adding group \"rcynic\" failed..." + echo "Adding group \"rpki\" failed..." echo "Please create it, then try again." exit 1 fi - if /usr/sbin/pw usershow "rcynic" 2>/dev/null + if /usr/sbin/pw usershow "rpki" 2>/dev/null then - echo "You already have a user \"rcynic\", so I will use it." - elif /usr/sbin/pw useradd rcynic -g rcynic -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI validation system" + echo "You already have a user \"rpki\", so I will use it." + elif /usr/sbin/pw useradd rpki -g rpki -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI system daemons" then - echo "Added user \"rcynic\"." + echo "Added user \"rpki\"." else - echo "Adding user \"rcynic\" failed..." - echo "Please create it, then try again." - exit 1 - fi - if /usr/sbin/pw groupshow "rpkirtr" 2>/dev/null - then - echo "You already have a group \"rpkirtr\", so I will use it." - elif /usr/sbin/pw groupadd rpkirtr - then - echo "Added group \"rpkirtr\"." - else - echo "Adding group \"rpkirtr\" failed..." - echo "Please create it, then try again." - exit 1 - fi - if /usr/sbin/pw usershow "rpkirtr" 2>/dev/null - then - echo "You already have a user \"rpkirtr\", so I will use it." - elif /usr/sbin/pw useradd rpkirtr -g rpkirtr -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI router server" - then - echo "Added user \"rpkirtr\"." - else - echo "Adding user \"rpkirtr\" failed..." + echo "Adding user \"rpki\" failed..." echo "Please create it, then try again." exit 1 fi @@ -55,25 +33,24 @@ POST-INSTALL) echo "Creating /var/rcynic" /usr/bin/install -o root -g wheel -d /var/rcynic fi - for dir in /var/rcynic/data /var/rcynic/rpki-rtr + for dir in /var/rcynic/data /var/rcynic/rpki-rtr /var/rcynic/rpki-rtr/sockets do - /usr/bin/install -o rcynic -g rcynic -d $dir + /usr/bin/install -o rpki -g rpki -d $dir done - /usr/bin/install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets - if test ! -f /usr/local/etc/rcynic.conf + if test ! -f /usr/local/etc/rpki.conf then - /bin/cp -p /usr/local/etc/rcynic.conf.sample /usr/local/etc/rcynic.conf + /bin/cp -p /usr/local/etc/rpki.conf.sample /usr/local/etc/rpki.conf fi htmldir=/usr/local/www/apache%%APACHE_VERSION%%/data/rcynic - /usr/bin/install -o rcynic -g rcynic -d $htmldir - if test "X`/usr/bin/crontab -l -u rcynic 2>/dev/null`" != "X" + /usr/bin/install -o rpki -g rpki -d $htmldir + if test "X`/usr/bin/crontab -l -u rpki 2>/dev/null`" != "X" then - echo "rcynic user already has a crontab, leaving it alone" + echo "rpki user already has a crontab, leaving it alone" else - echo "Setting up rcynic's crontab to run rcynic-cron script" + echo "Setting up rpki's crontab to run rcynic-cron script" /usr/bin/awk -v t=`/usr/bin/hexdump -n 2 -e '"%u\n"' /dev/random` ' BEGIN {printf "MAILTO=root\n%u * * * *\texec /usr/local/bin/rcynic-cron\n", t % 60}' | - /usr/bin/crontab -u rcynic - + /usr/bin/crontab -u rpki - fi echo "Setting up rpki-rtr listener under inetd" if /usr/bin/egrep -q '^rpki-rtr' /etc/services @@ -101,7 +78,7 @@ POST-INSTALL) if /usr/bin/egrep -q "rpki-rtr[ ]+stream[ ]+tcp[ ]" /etc/inetd.conf then echo "You already have an /etc/inetd.conf entry for rpki-rtr on TCPv4, so I will use it." - elif echo >>/etc/inetd.conf "rpki-rtr stream tcp nowait rpkirtr /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr" + elif echo >>/etc/inetd.conf "rpki-rtr stream tcp nowait rpki /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr" then echo "Added rpki-rtr for TCPv4 to /etc/inetd.conf." else @@ -111,7 +88,7 @@ POST-INSTALL) if /usr/bin/egrep -q "rpki-rtr[ ]+stream[ ]+tcp6[ ]" /etc/inetd.conf then echo "You already have an /etc/inetd.conf entry for rpki-rtr on TCPv6, so I will use it." - elif echo >>/etc/inetd.conf "rpki-rtr stream tcp6 nowait rpkirtr /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr" + elif echo >>/etc/inetd.conf "rpki-rtr stream tcp6 nowait rpki /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr" then echo "Added rpki-rtr for TCPv6 to /etc/inetd.conf." else diff --git a/buildtools/rpki-pbuilder.py b/buildtools/rpki-pbuilder.py index 32247ff8..1d45e862 100644 --- a/buildtools/rpki-pbuilder.py +++ b/buildtools/rpki-pbuilder.py @@ -201,7 +201,7 @@ class Release(object): os.unlink(os.path.join(dsc_dir, fn)) run("rm", "-rf", "debian", cwd = args.svn_tree) run(sys.executable, "buildtools/make-version.py", cwd = args.svn_tree) - run(sys.executable, "buildtools/build-ubuntu-ports.py", "--version-suffix", self.release, cwd = args.svn_tree) + run(sys.executable, "buildtools/build-debian-packages.py", "--version-suffix", self.release, cwd = args.svn_tree) run("dpkg-buildpackage", "-S", "-us", "-uc", "-rfakeroot", cwd = args.svn_tree) if not os.path.exists(self.basefile): diff --git a/ca/Makefile.in b/ca/Makefile.in index e6081238..27425766 100644 --- a/ca/Makefile.in +++ b/ca/Makefile.in @@ -35,7 +35,11 @@ WSGI_PYTHON_EGG_CACHE_USER = @WSGI_PYTHON_EGG_CACHE_USER@ CA_INSTALL_TARGETS = @CA_INSTALL_TARGETS@ -all:: examples/rpki.conf +# Apache configuration may end up moving to common runtime config, but +# that yak will have to wait for another day to get its shave. + +all:: + @true clean:: cd tests; $(MAKE) $@ @@ -43,11 +47,8 @@ clean:: install:: ${CA_INSTALL_TARGETS} install-always:: all - @echo - @echo "== Default configuration file location is ${sysconfdir}/rpki.conf ==" - @echo - ${INSTALL} examples/rpki.conf ${DESTDIR}${sysconfdir}/rpki.conf.sample ${INSTALL} -d ${DESTDIR}${datarootdir}/rpki/publication + ${INSTALL} -d ${DESTDIR}${datarootdir}/rpki/rrdp-publication uninstall deinstall:: -${libexecdir}/rpkigui-apache-conf-gen --remove --verbose @@ -62,30 +63,8 @@ distclean:: clean cd tests; ${MAKE} $@ rm -f Makefile -examples/rpki.conf: ${abs_top_srcdir}/rpki/autoconf.py rpki-confgen rpki-confgen.xml - ${PYTHON} rpki-confgen \ - --read-xml rpki-confgen.xml \ - --autoconf \ - --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \ - --set myrpki::rpkid_server_host=`hostname -f` \ - --set myrpki::pubd_server_host=`hostname -f` \ - --pwgen myrpki::shared_sql_password \ - --pwgen web_portal::secret-key \ - --write-conf $@ - -clean:: - rm -f examples/rpki.conf - install-postconf: \ - install-user install-egg-cache install-conf install-apache install-mysql install-django install-bpki install-cron - -# This should create user "rpkid" and group "rpkid", but as we have -# not yet tested our ability to run in such a configuration, this -# would be a little premature. Can steal Makefile code for this from -# rcynic when we're ready to do something with it. - -install-user: - @true + install-egg-cache install-conf install-apache install-bpki install-cron # This is only necessary on some platforms (currently FreeBSD, # due to shortcomings in the way that Python eggs are installed @@ -99,37 +78,25 @@ install-egg-cache: fi; \ fi -# We used to play the FreeBSD game of copying rpki.conf.sample to -# rpki.conf on install and removing rpki.conf if it's identical to -# rpki.conf.sample in uninstall, but that turns out to work poorly -# with generated passwords. So now we copy rpki.conf.sample if and -# only if rpki.conf does not exist, and we leave removal of rpki.conf -# for the user to deal with. This in turn leaves us with a different -# problem of how to upgrade rpki.conf, but at least in the FreeBSD -# universe we're supposed to leave that problem for the user. - install-conf: - if test -f ${DESTDIR}${sysconfdir}/rpki.conf; \ + ${sbindir}/rpki-confgen \ + --read-xml ${DESTDIR}${sysconfdir}/rpki/rpki.rp.xml \ + --set myrpki::run_rpkid=yes \ + --set myrpki::run_pubd=yes \ + --write-xml ${DESTDIR}${sysconfdir}/rpki/rpki.ca.xml \ + --write-conf ${DESTDIR}${sysconfdir}/rpki/rpki.ca.sample.conf + if test ! -f ${DESTDIR}${sysconfdir}/rpki.conf ||\ + cmp -s ${DESTDIR}${sysconfdir}/rpki.conf ${DESTDIR}${sysconfdir}/rpki/rpki.rp.sample.conf;\ then \ - true; \ - else \ - cp -p ${DESTDIR}${sysconfdir}/rpki.conf.sample ${DESTDIR}${sysconfdir}/rpki.conf; \ + cp -p ${DESTDIR}${sysconfdir}/rpki/rpki.ca.sample.conf ${DESTDIR}${sysconfdir}/rpki.conf fi -uninstall deinstall:: -# if cmp -s ${DESTDIR}${sysconfdir}/rpki.conf ${DESTDIR}${sysconfdir}/rpki.conf.sample; then rm -f ${DESTDIR}${sysconfdir}/rpki.conf; else true; fi - rm -f ${DESTDIR}${sysconfdir}/rpki.conf.sample +#uninstall deinstall:: +# rm -f ${DESTDIR}${sysconfdir}/rpki/rpki.ca.xml ${DESTDIR}${sysconfdir}/rpki/rpki.ca.sample.conf install-apache: ${libexecdir}/rpkigui-apache-conf-gen --install --verbose -install-mysql: - ${sbindir}/rpki-sql-setup create - -install-django: - ${sbindir}/rpki-manage syncdb --noinput - ${sbindir}/rpki-manage migrate app - install-bpki: ${sbindir}/rpkic initialize_server_bpki @@ -150,11 +117,8 @@ uninstall deinstall:: uninstall-cron-using-crontab # Code for setting up and tearing down cron jobs using the crontab(1) # program. We don't use this on all platforms, but we do use it on # more than one, so it's broken out here as common code. -# -# CRONTAB_USER really should be rpkid, but we don't have the rest of -# the package set up for that yet, so run it as root for now. -CRONTAB_USER = root +CRONTAB_USER = rpki install-cron-using-crontab: @crontab -l -u ${CRONTAB_USER} 2>/dev/null | \ diff --git a/ca/rpki-start-servers b/ca/rpki-start-servers index 9bf47d0c..26068bc7 100755 --- a/ca/rpki-start-servers +++ b/ca/rpki-start-servers @@ -69,7 +69,8 @@ cfg = rpki.config.parser(set_filename = args.config, section = "myrpki") def run(name, old_flag = None): if cfg.getboolean("start_" + name, cfg.getboolean("run_" + name if old_flag is None else old_flag, False)): log_file = os.path.join(args.log_directory, name + ".log") - cmd = (os.path.join(rpki.autoconf.libexecdir, name), "--log-level", args.log_level) + cmd = (rpki.autoconf.SUDO, "-u", rpki.autoconf.RPKI_USER, + os.path.join(rpki.autoconf.libexecdir, name), "--log-level", args.log_level) if args.log_file: cmd += ("--log-file", log_file) elif args.log_rotating_file_kbytes: @@ -1,21 +1,25 @@ #!/usr/bin/env python -# $Id$ +# Using a Python script to run sudo to run a Python script is a bit +# silly, but it lets us use rpki.autoconf to locate sudo, lets us +# avoid needing a custom setuid wrapper, lets us avoid another pass +# through the adventures of shell quoting and tokenization, and +# generally is just a lot simpler to implement correctly. # -# Copyright (C) 2010-2011 Internet Systems Consortium ("ISC") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. +# OK, it's probably a few milliseconds slower. Big deal. if __name__ == "__main__": - import rpki.rpkic - rpki.rpkic.main() + + try: + import os + import sys + import rpki.autoconf + + argv = [rpki.autoconf.SUDO, "-u", rpki.autoconf.RPKI_USER, + sys.executable, "-c", "import rpki.rpkic; rpki.rpkic.main()"] + + os.execv(rpki.autoconf.SUDO, argv + sys.argv[1:]) + sys.exit("rpkic startup failure, no exception so don't know why, sorry") + + except Exception as e: + sys.exit("Couldn't exec sudo python rpkic: {!s}".format(e)) diff --git a/ca/upgrade-scripts/upgrade-rpkid-to-0.5709.py b/ca/upgrade-scripts/upgrade-rpkid-to-0.5709.py deleted file mode 100644 index 0cea5671..00000000 --- a/ca/upgrade-scripts/upgrade-rpkid-to-0.5709.py +++ /dev/null @@ -1,40 +0,0 @@ -# $Id$ -# -# Copyright (C) 2014 Dragon Research Labs ("DRL") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# pylint: disable=E0602 - -""" -Upgrade RPKI SQL databases to schema expected by 0.5709. - -This code is evaluated in the context of rpki-sql-setup's -do_apply_upgrades() function and has access to its variables. -""" - -db.cur.execute(""" - CREATE TABLE ee_cert ( - ee_cert_id SERIAL NOT NULL, - ski BINARY(20) NOT NULL, - cert LONGBLOB NOT NULL, - published DATETIME, - self_id BIGINT UNSIGNED NOT NULL, - ca_detail_id BIGINT UNSIGNED NOT NULL, - PRIMARY KEY (ee_cert_id), - CONSTRAINT ee_cert_self_id - FOREIGN KEY (self_id) REFERENCES self (self_id) ON DELETE CASCADE, - CONSTRAINT ee_cert_ca_detail_id - FOREIGN KEY (ca_detail_id) REFERENCES ca_detail (ca_detail_id) ON DELETE CASCADE - ) ENGINE=InnoDB -""") diff --git a/configure.ac b/configure.ac index 0d06dd5d..23f92564 100644 --- a/configure.ac +++ b/configure.ac @@ -138,6 +138,7 @@ AC_PATH_PROG([SORT], [sort]) AC_PATH_PROG([RRDTOOL], [rrdtool]) AC_PATH_PROG([TRANG], [trang], [\${abs_top_srcdir}/buildtools/trang-not-found]) AC_PATH_PROG([RSYNC], [rsync]) +AC_PATH_PROG([SUDO], [sudo]) # See whether we need to check for dependencies that we only need at # runtime. We do this by default when compiling from source to avoid @@ -384,7 +385,7 @@ case $enable_rcynic_jail in RCYNIC_CONF_RSYNC="${RSYNC}" RCYNIC_CONF_DATA="${rcynic_base_dir}/data" RCYNIC_CONF_TA_DIR='${sysconfdir}/rpki/trust-anchors' - RCYNIC_CRON_USER='${RCYNIC_USER}' + RCYNIC_CRON_USER='${RPKI_USER}' RCYNIC_JAIL_DIRS='' ;; *) @@ -406,8 +407,8 @@ AC_MSG_RESULT([$use_rcynic_jail]) # Perhaps there should be a way to set these, but for now just # wire them in here so at least they're consistent in all Makefiles. -AC_SUBST(RCYNIC_USER, [rcynic]) -AC_SUBST(RCYNIC_GROUP, [rcynic]) +AC_SUBST(RPKI_USER, [rpki]) +AC_SUBST(RPKI_GROUP, [rpki]) if test $use_rcynic_jail = yes && test "X$LD_STATIC_FLAG" != "X" then @@ -487,10 +488,13 @@ AC_SUBST(RCYNIC_HTML_DIR) # Sort out which things to install, depending on rcynic jail status and whether # we're doing final target installation. +# +# As things have evolved, this a bit repetitive. Simplify someday, maybe. RCYNIC_INSTALL_TARGETS='install-always' RTR_ORIGIN_INSTALL_TARGETS='install-always' CA_INSTALL_TARGETS='install-always' +CFG_INSTALL_TARGETS='install-always' if test $use_rcynic_jail = yes then @@ -502,11 +506,13 @@ then RCYNIC_INSTALL_TARGETS="$RCYNIC_INSTALL_TARGETS install-postconf" RTR_ORIGIN_INSTALL_TARGETS="$RTR_ORIGIN_INSTALL_TARGETS install-postconf" CA_INSTALL_TARGETS="$CA_INSTALL_TARGETS install-postconf" + CFG_INSTALL_TARGETS="$CFG_INSTALL_TARGETS install-postconf" fi AC_SUBST(RCYNIC_INSTALL_TARGETS) AC_SUBST(RTR_ORIGIN_INSTALL_TARGETS) AC_SUBST(CA_INSTALL_TARGETS) +AC_SUBST(CFG_INSTALL_TARGETS) # Now a bunch of checks to figure out what we can do with Python. If # we don't have Python at all, none of the rest of this matters. If diff --git a/rp/Makefile.in b/rp/Makefile.in index 2c770a46..d22ddbcb 100644 --- a/rp/Makefile.in +++ b/rp/Makefile.in @@ -1,6 +1,6 @@ # $Id$ -SUBDIRS = rcynic rpki-rtr utils +SUBDIRS = config rcynic rpki-rtr utils all clean test distclean install deinstall uninstall:: @for i in ${SUBDIRS}; do echo "Making $@ in $$i"; (cd $$i && ${MAKE} $@); done diff --git a/rp/config/Makefile.in b/rp/config/Makefile.in new file mode 100644 index 00000000..40d0a882 --- /dev/null +++ b/rp/config/Makefile.in @@ -0,0 +1,88 @@ +# $Id$ + +PYTHON = @PYTHON@ + +INSTALL = @INSTALL@ -m 555 + +prefix = @prefix@ +exec_prefix = @exec_prefix@ +datarootdir = @datarootdir@ +datadir = @datadir@ +localstatedir = @localstatedir@ +sharedstatedir = @sharedstatedir@ +sysconfdir = @sysconfdir@ +bindir = @bindir@ +sbindir = @sbindir@ +libexecdir = @libexecdir@ +sysconfdir = @sysconfdir@ + +abs_builddir = @abs_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +abs_top_builddir= @abs_top_builddir@ +srcdir = @srcdir@ + +CFG_INSTALL_TARGETS = @CFG_INSTALL_TARGETS@ + +all:: rpki.rp.xml rpki.rp.sample.conf + +clean:: + cd tests; $(MAKE) $@ + +install:: ${CFG_INSTALL_TARGETS} + +install-always:: all + @echo + @echo "== Default configuration file location is ${sysconfdir}/rpki.conf ==" + @echo + ${INSTALL} -d ${DESTDIR}${sysconfdir}/rpki + ${INSTALL} rpki.rp.xml rpki.rp.sample.conf ${DESTDIR}${sysconfdir}/rpki + +test uninstall deinstall:: + @true + +distclean:: clean + rm -f Makefile + +rpki.rp.xml: ${abs_top_srcdir}/rpki/autoconf.py rpki-confgen rpki-confgen.xml + ${PYTHON} rpki-confgen \ + --read-xml rpki-confgen.xml \ + --autoconf \ + --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \ + --set myrpki::rpkid_server_host=`hostname -f` \ + --set myrpki::pubd_server_host=`hostname -f` \ + --pwgen myrpki::shared_sql_password \ + --pwgen web_portal::secret-key \ + --set myrpki::run_rpkid=no \ + --set myrpki::run_pubd=no \ + --write-xml $@ + +rpki.rp.sample.conf: rpki.rp.xml + ${PYTHON} rpki-confgen \ + --read-xml rpki.rp.xml \ + --write-conf $@ + +clean:: + rm -f rpki.rp.xml rpki.rp.sample.conf + +install-postconf: \ + install-user install-conf install-sql install-django + +# This should create user "rpki" and group "rpki", but rcynic already +# does that...but we probably need to do it here instead, bother. + +install-user: + @true + +install-conf: + test -f ${DESTDIR}${sysconfdir}/rpki.conf ||\ + cp -p ${DESTDIR}${sysconfdir}/rpki/rpki.rp.sample.conf ${DESTDIR}${sysconfdir}/rpki.conf + +#uninstall deinstall:: +# rm -f ${DESTDIR}${sysconfdir}/rpki/rpki.rp.xml ${DESTDIR}${sysconfdir}/rpki/rpki.rp.sample.conf + +install-sql: + ${sbindir}/rpki-sql-setup create + +install-django: + ${sbindir}/rpki-manage syncdb --noinput + ${sbindir}/rpki-manage migrate app diff --git a/ca/rpki-confgen b/rp/config/rpki-confgen index e6780446..e6780446 100755 --- a/ca/rpki-confgen +++ b/rp/config/rpki-confgen diff --git a/ca/rpki-confgen.xml b/rp/config/rpki-confgen.xml index ba33c7c9..1b86a140 100644 --- a/ca/rpki-confgen.xml +++ b/rp/config/rpki-confgen.xml @@ -299,7 +299,8 @@ </doc> <doc> Current supported values are "mysql" (the default), "sqlite3", - and "postgresql". + and "postgresql". In theory it should be straightforward to + add support for any SQL engine Django supports. </doc> </option> @@ -323,6 +324,38 @@ </doc> </option> + <option name = "rcynic_sql_engine" + value = "${myrpki::shared_sql_engine}"> + <doc> + SQL engine to use for rcynic's database. The default setting + of this variable should be fine. + </doc> + </option> + + <option name = "rcynic_sql_database" + value = "rcynic"> + <doc> + SQL database name for rcynic's database. The default setting of + this variable should be fine. + </doc> + </option> + + <option name = "rcynic_sql_username" + value = "${myrpki::shared_sql_username}"> + <doc> + If you want to use a separate SQL username for rcynic's database, + set it here. + </doc> + </option> + + <option name = "rcynic_sql_password" + value = "${myrpki::shared_sql_password}"> + <doc> + If you want to use a separate SQL password for rcynic's database, + set it here. + </doc> + </option> + <option name = "rpkid_sql_engine" value = "${myrpki::shared_sql_engine}"> <doc> @@ -421,6 +454,53 @@ </section> + <section name = "rcynic"> + + <doc> + rcynicng, unlike it's predecessor, uses the same `rpki.conf` + file as all the other programs in the RPKI toolkit. Start + rcynicng with "`-c filename`" to choose a different + configuration file. All options are in the "`[rcynic]`" + section. + </doc> + + <doc> + This section isn't really fleshed out yet, and just contains the + settings needed for the new SQL code to work. This will change + as the stuff that's currently only configurable on rcynicng's + command line becomes integrated with the configuration file. + </doc> + + <option name = "sql-engine" + value = "${myrpki::rcynic_sql_engine}"> + <doc> + SQL engine for rcynic. + </doc> + </option> + + <option name = "sql-database" + value = "${myrpki::rcynic_sql_database}"> + <doc> + SQL database name for rcynic. + </doc> + </option> + + <option name = "sql-username" + value = "${myrpki::rcynic_sql_username}"> + <doc> + SQL user name for rcynic. + </doc> + </option> + + <option name = "sql-password" + value = "${myrpki::rcynic_sql_password}"> + <doc> + SQL password for rcynic. + </doc> + </option> + + </section> + <section name = "rpkid"> <doc> diff --git a/ca/rpki-manage b/rp/config/rpki-manage index 16d0990d..16d0990d 100755 --- a/ca/rpki-manage +++ b/rp/config/rpki-manage diff --git a/ca/rpki-sql-backup b/rp/config/rpki-sql-backup index 986e10b1..986e10b1 100755 --- a/ca/rpki-sql-backup +++ b/rp/config/rpki-sql-backup diff --git a/ca/rpki-sql-setup b/rp/config/rpki-sql-setup index c72c97c5..c72c97c5 100755 --- a/ca/rpki-sql-setup +++ b/rp/config/rpki-sql-setup diff --git a/rp/rcynic/Makefile.in b/rp/rcynic/Makefile.in index a2d844bd..ce19ab81 100644 --- a/rp/rcynic/Makefile.in +++ b/rp/rcynic/Makefile.in @@ -49,19 +49,15 @@ RCYNIC_CRON_USER = @RCYNIC_CRON_USER@ RCYNIC_DATA_DIR = ${RCYNIC_DIR}/data RCYNIC_DIR = @RCYNIC_DIR@ RCYNIC_DIRS = ${RCYNIC_TA_DIR} ${RCYNIC_JAIL_DIRS} ${RCYNIC_DATA_DIR} ${RPKIRTR_DIR} ${RPKIRTR_DIR}/sockets -RCYNIC_GECOS = RPKI Validation System -RCYNIC_GROUP = @RCYNIC_GROUP@ +RPKI_GECOS = RPKI System Software +RPKI_GROUP = @RPKI_GROUP@ RCYNIC_HTML_DIR = @RCYNIC_HTML_DIR@ RCYNIC_INSTALL_TARGETS = @RCYNIC_INSTALL_TARGETS@ RCYNIC_JAIL_DIRS = @RCYNIC_JAIL_DIRS@ RCYNIC_STATIC_RSYNC = @RCYNIC_STATIC_RSYNC@ RCYNIC_TA_DIR = @RCYNIC_TA_DIR@ -RCYNIC_USER = @RCYNIC_USER@ +RPKI_USER = @RPKI_USER@ RPKIRTR_DIR = ${RCYNIC_DIR}/rpki-rtr -RPKIRTR_GECOS = RPKI router server -RPKIRTR_GROUP = rpkirtr -RPKIRTR_MODE = 775 -RPKIRTR_USER = rpkirtr all: ${BIN} ${RCYNIC_STATIC_RSYNC} @@ -122,9 +118,7 @@ ${RCYNIC_DIRS} ${DESTDIR}${bindir} ${DESTDIR}${sysconfdir}: ${INSTALL} -v -d $@ install-directory-ownership: ${RCYNIC_DATA_DIR} ${RPKIRTR_DIR} ${RPKIRTR_DIR}/sockets - chown ${RCYNIC_USER}:${RCYNIC_GROUP} ${RCYNIC_DATA_DIR} ${RPKIRTR_DIR} - chown ${RPKIRTR_USER}:${RCYNIC_GROUP} ${RPKIRTR_DIR}/sockets - chmod ${RPKIRTR_MODE} ${RPKIRTR_DIR}/sockets + chown ${RPKI_USER}:${RPKI_GROUP} ${RCYNIC_DATA_DIR} ${RPKIRTR_DIR} ${RPKIRTR_DIR}/sockets install-rcynic-conf: ${RCYNIC_CONF_FILE} diff --git a/rp/rcynic/rcynic-cron b/rp/rcynic/rcynic-cron index d1f96422..fcf38e53 100755 --- a/rp/rcynic/rcynic-cron +++ b/rp/rcynic/rcynic-cron @@ -74,9 +74,9 @@ if args.chroot and not we_are_root: sys.exit("Only root can --chroot") try: - pw = pwd.getpwnam(rpki.autoconf.RCYNIC_USER) + pw = pwd.getpwnam(rpki.autoconf.RPKI_USER) except KeyError: - sys.exit("Could not find passwd entry for user %s" % rpki.autoconf.RCYNIC_USER) + sys.exit("Could not find passwd entry for user %s" % rpki.autoconf.RPKI_USER) try: lock = os.open(os.path.join(rpki.autoconf.RCYNIC_DIR, "data/lock"), diff --git a/rp/rcynic/rules.darwin.mk b/rp/rcynic/rules.darwin.mk index d37b0e75..b5979979 100644 --- a/rp/rcynic/rules.darwin.mk +++ b/rp/rcynic/rules.darwin.mk @@ -1,77 +1,41 @@ # $Id$ install-user-and-group: .FORCE - @if /usr/bin/dscl . -read "/Groups/${RCYNIC_GROUP}" >/dev/null 2>&1; \ + @if /usr/bin/dscl . -read "/Groups/${RPKI_GROUP}" >/dev/null 2>&1; \ then \ - echo "You already have a group \"${RCYNIC_GROUP}\", so I will use it."; \ + echo "You already have a group \"${RPKI_GROUP}\", so I will use it."; \ elif gid="$$(/usr/bin/dscl . -list /Groups PrimaryGroupID | /usr/bin/awk 'BEGIN {gid = 501} $$2 >= gid {gid = 1 + $$2} END {print gid}')" && \ - /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" && \ - /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" RealName "${RCYNIC_GECOS}" && \ - /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" PrimaryGroupID "$$gid" && \ - /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" GeneratedUID "$$(/usr/bin/uuidgen)" && \ - /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" Password "*"; \ + /usr/bin/dscl . -create "/Groups/${RPKI_GROUP}" && \ + /usr/bin/dscl . -create "/Groups/${RPKI_GROUP}" RealName "${RPKI_GECOS}" && \ + /usr/bin/dscl . -create "/Groups/${RPKI_GROUP}" PrimaryGroupID "$$gid" && \ + /usr/bin/dscl . -create "/Groups/${RPKI_GROUP}" GeneratedUID "$$(/usr/bin/uuidgen)" && \ + /usr/bin/dscl . -create "/Groups/${RPKI_GROUP}" Password "*"; \ then \ - echo "Added group \"${RCYNIC_GROUP}\"."; \ + echo "Added group \"${RPKI_GROUP}\"."; \ else \ - echo "Adding group \"${RCYNIC_GROUP}\" failed..."; \ + echo "Adding group \"${RPKI_GROUP}\" failed..."; \ echo "Please create it, then try again."; \ exit 1; \ fi; \ - if /usr/bin/dscl . -read "/Users/${RCYNIC_USER}" >/dev/null 2>&1; \ + if /usr/bin/dscl . -read "/Users/${RPKI_USER}" >/dev/null 2>&1; \ then \ - echo "You already have a user \"${RCYNIC_USER}\", so I will use it."; \ + echo "You already have a user \"${RPKI_USER}\", so I will use it."; \ elif uid="$$(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk 'BEGIN {uid = 501} $$2 >= uid {uid = 1 + $$2} END {print uid}')" && \ - /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" && \ - /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" UserShell "/usr/bin/false" && \ - /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" RealName "${RCYNIC_GECOS}" && \ - /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" UniqueID "$$uid" && \ - /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" PrimaryGroupID "$$gid" && \ - /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" NFSHomeDirectory "/var/empty" && \ - /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" GeneratedUID "$$(/usr/bin/uuidgen)" && \ - /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" Password "*"; \ + /usr/bin/dscl . -create "/Users/${RPKI_USER}" && \ + /usr/bin/dscl . -create "/Users/${RPKI_USER}" UserShell "/usr/bin/false" && \ + /usr/bin/dscl . -create "/Users/${RPKI_USER}" RealName "${RPKI_GECOS}" && \ + /usr/bin/dscl . -create "/Users/${RPKI_USER}" UniqueID "$$uid" && \ + /usr/bin/dscl . -create "/Users/${RPKI_USER}" PrimaryGroupID "$$gid" && \ + /usr/bin/dscl . -create "/Users/${RPKI_USER}" NFSHomeDirectory "/var/empty" && \ + /usr/bin/dscl . -create "/Users/${RPKI_USER}" GeneratedUID "$$(/usr/bin/uuidgen)" && \ + /usr/bin/dscl . -create "/Users/${RPKI_USER}" Password "*"; \ then \ - echo "Added user \"${RCYNIC_USER}\"."; \ + echo "Added user \"${RPKI_USER}\"."; \ else \ - echo "Adding user \"${RCYNIC_USER}\" failed..."; \ + echo "Adding user \"${RPKI_USER}\" failed..."; \ echo "Please create it, then try again."; \ exit 1; \ fi - @if /usr/bin/dscl . -read "/Groups/${RPKIRTR_GROUP}" >/dev/null 2>&1; \ - then \ - echo "You already have a group \"${RPKIRTR_GROUP}\", so I will use it."; \ - elif gid="$$(/usr/bin/dscl . -list /Groups PrimaryGroupID | /usr/bin/awk 'BEGIN {gid = 501} $$2 >= gid {gid = 1 + $$2} END {print gid}')" && \ - /usr/bin/dscl . -create "/Groups/${RPKIRTR_GROUP}" && \ - /usr/bin/dscl . -create "/Groups/${RPKIRTR_GROUP}" RealName "${RPKIRTR_GECOS}" && \ - /usr/bin/dscl . -create "/Groups/${RPKIRTR_GROUP}" PrimaryGroupID "$$gid" && \ - /usr/bin/dscl . -create "/Groups/${RPKIRTR_GROUP}" GeneratedUID "$$(/usr/bin/uuidgen)" && \ - /usr/bin/dscl . -create "/Groups/${RPKIRTR_GROUP}" Password "*"; \ - then \ - echo "Added group \"${RPKIRTR_GROUP}\"."; \ - else \ - echo "Adding group \"${RPKIRTR_GROUP}\" failed..."; \ - echo "Please create it, then try again."; \ - exit 1; \ - fi; \ - if /usr/bin/dscl . -read "/Users/${RPKIRTR_USER}" >/dev/null 2>&1; \ - then \ - echo "You already have a user \"${RPKIRTR_USER}\", so I will use it."; \ - elif uid="$$(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk 'BEGIN {uid = 501} $$2 >= uid {uid = 1 + $$2} END {print uid}')" && \ - /usr/bin/dscl . -create "/Users/${RPKIRTR_USER}" && \ - /usr/bin/dscl . -create "/Users/${RPKIRTR_USER}" UserShell "/usr/bin/false" && \ - /usr/bin/dscl . -create "/Users/${RPKIRTR_USER}" RealName "${RPKIRTR_GECOS}" && \ - /usr/bin/dscl . -create "/Users/${RPKIRTR_USER}" UniqueID "$$uid" && \ - /usr/bin/dscl . -create "/Users/${RPKIRTR_USER}" PrimaryGroupID "$$gid" && \ - /usr/bin/dscl . -create "/Users/${RPKIRTR_USER}" NFSHomeDirectory "/var/empty" && \ - /usr/bin/dscl . -create "/Users/${RPKIRTR_USER}" GeneratedUID "$$(/usr/bin/uuidgen)" && \ - /usr/bin/dscl . -create "/Users/${RPKIRTR_USER}" Password "*"; \ - then \ - echo "Added user \"${RPKIRTR_USER}\"."; \ - else \ - echo "Adding user \"${RPKIRTR_USER}\" failed..."; \ - echo "Please create it, then try again."; \ - exit 1; \ - fi - install-shared-libraries: .FORCE @echo "Copying required shared libraries" diff --git a/rp/rcynic/rules.freebsd.mk b/rp/rcynic/rules.freebsd.mk index 5233386e..880ce3f4 100644 --- a/rp/rcynic/rules.freebsd.mk +++ b/rp/rcynic/rules.freebsd.mk @@ -1,51 +1,28 @@ # $Id$ install-user-and-group: .FORCE - @if /usr/sbin/pw groupshow "${RCYNIC_GROUP}" 2>/dev/null; \ + @if /usr/sbin/pw groupshow "${RPKI_GROUP}" 2>/dev/null; \ then \ - echo "You already have a group \"${RCYNIC_GROUP}\", so I will use it."; \ - elif /usr/sbin/pw groupadd ${RCYNIC_GROUP}; \ + echo "You already have a group \"${RPKI_GROUP}\", so I will use it."; \ + elif /usr/sbin/pw groupadd ${RPKI_GROUP}; \ then \ - echo "Added group \"${RCYNIC_GROUP}\"."; \ + echo "Added group \"${RPKI_GROUP}\"."; \ else \ - echo "Adding group \"${RCYNIC_GROUP}\" failed..."; \ + echo "Adding group \"${RPKI_GROUP}\" failed..."; \ echo "Please create it, then try again."; \ exit 1; \ fi - @if /usr/sbin/pw groupshow "${RPKIRTR_GROUP}" 2>/dev/null; \ + @if /usr/sbin/pw usershow "${RPKI_USER}" 2>/dev/null; \ then \ - echo "You already have a group \"${RPKIRTR_GROUP}\", so I will use it."; \ - elif /usr/sbin/pw groupadd ${RPKIRTR_GROUP}; \ + echo "You already have a user \"${RPKI_USER}\", so I will use it."; \ + elif /usr/sbin/pw useradd ${RPKI_USER} -g ${RPKI_GROUP} -h - -d /nonexistant -s /usr/sbin/nologin -c "${RPKI_GECOS}"; \ then \ - echo "Added group \"${RPKIRTR_GROUP}\"."; \ + echo "Added user \"${RPKI_USER}\"."; \ else \ - echo "Adding group \"${RPKIRTR_GROUP}\" failed..."; \ + echo "Adding user \"${RPKI_USER}\" failed..."; \ echo "Please create it, then try again."; \ exit 1; \ fi - @if /usr/sbin/pw usershow "${RCYNIC_USER}" 2>/dev/null; \ - then \ - echo "You already have a user \"${RCYNIC_USER}\", so I will use it."; \ - elif /usr/sbin/pw useradd ${RCYNIC_USER} -g ${RCYNIC_GROUP} -h - -d /nonexistant -s /usr/sbin/nologin -c "${RCYNIC_GECOS}" -G "${RPKIRTR_GROUP}"; \ - then \ - echo "Added user \"${RCYNIC_USER}\"."; \ - else \ - echo "Adding user \"${RCYNIC_USER}\" failed..."; \ - echo "Please create it, then try again."; \ - exit 1; \ - fi - @if /usr/sbin/pw usershow "${RPKIRTR_USER}" 2>/dev/null; \ - then \ - echo "You already have a user \"${RPKIRTR_USER}\", so I will use it."; \ - elif /usr/sbin/pw useradd ${RPKIRTR_USER} -g ${RPKIRTR_GROUP} -h - -d /nonexistant -s /usr/sbin/nologin -c "${RPKIRTR_GECOS}"; \ - then \ - echo "Added user \"${RPKIRTR_USER}\"."; \ - else \ - echo "Adding user \"${RPKIRTR_USER}\" failed..."; \ - echo "Please create it, then try again."; \ - exit 1; \ - fi - # We use static compilation on FreeBSD, so no need for shared libraries diff --git a/rp/rcynic/rules.linux.mk b/rp/rcynic/rules.linux.mk index 6a962cef..016b0582 100644 --- a/rp/rcynic/rules.linux.mk +++ b/rp/rcynic/rules.linux.mk @@ -1,55 +1,36 @@ # $Id$ install-user-and-group: .FORCE - @if getent group ${RCYNIC_GROUP} >/dev/null; \ + @if getent group ${RPKI_GROUP} >/dev/null; \ then \ - echo "You already have a group \"${RCYNIC_GROUP}\", so I will use it."; \ - elif /usr/sbin/groupadd ${RCYNIC_GROUP}; \ + echo "You already have a group \"${RPKI_GROUP}\", so I will use it."; \ + elif /usr/sbin/groupadd ${RPKI_GROUP}; \ then \ - echo "Added group \"${RCYNIC_GROUP}\"."; \ + echo "Added group \"${RPKI_GROUP}\"."; \ else \ - echo "Adding group \"${RCYNIC_GROUP}\" failed..."; \ + echo "Adding group \"${RPKI_GROUP}\" failed..."; \ echo "Please create it, then try again."; \ exit 1; \ fi @nogroup='-N'; \ if test -f /etc/redhat-release; then read vendor release version < /etc/redhat-release; if test $$vendor = CentOS; then nogroup='-n'; fi; fi; \ - if getent passwd ${RCYNIC_USER} >/dev/null; \ + if getent passwd ${RPKI_USER} >/dev/null; \ then \ - echo "You already have a user \"${RCYNIC_USER}\", so I will use it."; \ - elif /usr/sbin/useradd -g ${RCYNIC_GROUP} -M $$nogroup -d "${RCYNIC_DIR}" -s /sbin/nologin -c "${RCYNIC_GECOS}" ${RCYNIC_USER}; \ + echo "You already have a user \"${RPKI_USER}\", so I will use it."; \ + elif /usr/sbin/useradd -g ${RPKI_GROUP} -M $$nogroup -d "${RCYNIC_DIR}" -s /sbin/nologin -c "${RPKI_GECOS}" ${RPKI_USER}; \ then \ - echo "Added user \"${RCYNIC_USER}\"."; \ + echo "Added user \"${RPKI_USER}\"."; \ else \ - echo "Adding user \"${RCYNIC_USER}\" failed..."; \ + echo "Adding user \"${RPKI_USER}\" failed..."; \ echo "Please create it, then try again."; \ exit 1; \ fi - @if getent group ${RPKIRTR_GROUP} >/dev/null; \ - then \ - echo "You already have a group \"${RPKIRTR_GROUP}\", so I will use it."; \ - elif /usr/sbin/groupadd ${RPKIRTR_GROUP}; \ - then \ - echo "Added group \"${RPKIRTR_GROUP}\"."; \ - else \ - echo "Adding group \"${RPKIRTR_GROUP}\" failed..."; \ - echo "Please create it, then try again."; \ - exit 1; \ - fi - @nogroup='-N'; \ - if test -f /etc/redhat-release; then read vendor release version < /etc/redhat-release; if test $$vendor = CentOS; then nogroup='-n'; fi; fi; \ - if getent passwd ${RPKIRTR_USER} >/dev/null; \ - then \ - echo "You already have a user \"${RPKIRTR_USER}\", so I will use it."; \ - elif /usr/sbin/useradd -g ${RPKIRTR_GROUP} -M $$nogroup -d "${RPKIRTR_DIR}" -s /sbin/nologin -c "${RPKIRTR_GECOS}" ${RPKIRTR_USER}; \ - then \ - echo "Added user \"${RPKIRTR_USER}\"."; \ - else \ - echo "Adding user \"${RPKIRTR_USER}\" failed..."; \ - echo "Please create it, then try again."; \ - exit 1; \ - fi - usermod -a -G ${RPKIRTR_GROUP} ${RCYNIC_USER} + +# This all looks like a relic of the days when we still tried to support rcynic running in a chroot jail, which +# never really worked properly except on FreeBSD, and has since been overtaken by many other events. Do we +# still need this, even assuming anybody uses this installation instead of Debian packaging? +# +# Cleanup left for another day, but this looks pretty iffy. install-shared-libraries: .FORCE @echo "Copying required shared libraries" diff --git a/rp/rpki-rtr/rules.freebsd.mk b/rp/rpki-rtr/rules.freebsd.mk index f4d214a3..0f1546b2 100644 --- a/rp/rpki-rtr/rules.freebsd.mk +++ b/rp/rpki-rtr/rules.freebsd.mk @@ -18,7 +18,7 @@ install-listener: .FORCE @if /usr/bin/egrep -q "rpki-rtr[ ]+stream[ ]+tcp[ ]" /etc/inetd.conf; \ then \ echo "You already have an inetd.conf entry for rpki-rtr on TCPv4, so I will use it."; \ - elif echo >>/etc/inetd.conf "rpki-rtr stream tcp nowait rpkirtr /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr"; \ + elif echo >>/etc/inetd.conf "rpki-rtr stream tcp nowait rpki /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr"; \ then \ echo "Added rpki-rtr for TCPv4 to /etc/inetd.conf."; \ else \ @@ -28,7 +28,7 @@ install-listener: .FORCE @if /usr/bin/egrep -q "rpki-rtr[ ]+stream[ ]+tcp6[ ]" /etc/inetd.conf; \ then \ echo "You already have an inetd.conf entry for rpki-rtr on TCPv6, so I will use it."; \ - elif echo >>/etc/inetd.conf "rpki-rtr stream tcp6 nowait rpkirtr /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr"; \ + elif echo >>/etc/inetd.conf "rpki-rtr stream tcp6 nowait rpki /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr"; \ then \ echo "Added rpki-rtr for TCPv6 to /etc/inetd.conf."; \ else \ diff --git a/rp/rpki-rtr/rules.linux.mk b/rp/rpki-rtr/rules.linux.mk index d9b21590..bad35ace 100644 --- a/rp/rpki-rtr/rules.linux.mk +++ b/rp/rpki-rtr/rules.linux.mk @@ -19,7 +19,7 @@ ${DESTDIR}/etc/xinetd.d/rpki-rtr: print " protocol = tcp"; \ print " port = ${RPKI_RTR_PORT}"; \ print " wait = no"; \ - print " user = rpkirtr"; \ + print " user = rpki"; \ print " server = ${bindir}/${BIN}"; \ print " server_args = server /var/rcynic/rpki-rtr"; \ print "}"; \ @@ -96,7 +96,12 @@ if autoconf.RP_TARGET == "rp": "rp/utils/print_rpki_manifest", "rp/utils/scan_roas", "rp/utils/scan_routercerts", - "rp/utils/uri"])] + "rp/utils/uri"]), + (autoconf.sbindir, + ["rp/config/rpki-confgen", + "rp/config/rpki-sql-backup", + "rp/config/rpki-sql-setup", + "rp/config/rpki-manage"])] if autoconf.CA_TARGET == "ca": setup_args.update( @@ -109,17 +114,11 @@ if autoconf.CA_TARGET == "ca": (autoconf.datarootdir + "/rpki/media/js", glob("rpki/gui/app/static/js/*")), (autoconf.datarootdir + "/rpki/media/img", - glob("rpki/gui/app/static/img/*")), - (autoconf.datarootdir + "/rpki/upgrade-scripts", - glob("ca/upgrade-scripts/*"))]) + glob("rpki/gui/app/static/img/*"))]) scripts += [(autoconf.sbindir, ["ca/rpkic", - "ca/rpki-confgen", "ca/rpki-start-servers", - "ca/rpki-sql-backup", - "ca/rpki-sql-setup", - "ca/rpki-manage", "ca/rpkigui-query-routes", "ca/irbe_cli"]), (autoconf.libexecdir, |