author | Rob Austein <sra@hactrn.net> | 2016-02-15 07:51:40 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2016-02-15 07:51:40 +0000 |
commit | def95e42fda9a9e45bdf4f40a6ecb93b644dbf0b (patch) | |
tree | 1505c5859484053e8a120acaef60869389d3d901 /buildtools | |
parent | 21527a93bf51875473bc29698189e9e9540aee1b (diff) |
Checkpoint while shuffling stuff around for new installation scheme.
Installation of everything but Debian packages is probably broken, and
Debian packages are too at the moment due to (probably) minor errors
in buildtools/debian-skeleton, but enough has changed that this really
needs a snapshot checked in for backup.
svn path=/branches/tk705/; revision=6257
Diffstat (limited to 'buildtools')
-rw-r--r-- | buildtools/build-debian-packages.py (renamed from buildtools/build-ubuntu-ports.py) | 0 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.install | 1 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.postinst | 57 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.postrm | 8 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-ca.prerm | 42 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.install | 2 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.postinst | 72 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.postrm | 7 | ||||
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.prerm | 15 | ||||
-rw-r--r-- | buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in | 65 | ||||
-rw-r--r-- | buildtools/rpki-pbuilder.py | 2 |
11 files changed, 99 insertions, 172 deletions
diff --git a/buildtools/build-ubuntu-ports.py b/buildtools/build-debian-packages.py
index 19f61f6d..19f61f6d 100644
--- a/buildtools/build-ubuntu-ports.py
+++ b/buildtools/build-debian-packages.py
diff --git a/buildtools/debian-skeleton/rpki-ca.install b/buildtools/debian-skeleton/rpki-ca.install
index ffae5103..90f4eecf 100644
--- a/buildtools/debian-skeleton/rpki-ca.install
+++ b/buildtools/debian-skeleton/rpki-ca.install
@@ -1,4 +1,3 @@
-etc/rpki/rpki-confgen.xml
 usr/lib/rpki
 usr/sbin
 usr/share/rpki
diff --git a/buildtools/debian-skeleton/rpki-ca.postinst b/buildtools/debian-skeleton/rpki-ca.postinst
index 18fef863..9bd1f96d 100644
--- a/buildtools/debian-skeleton/rpki-ca.postinst
+++ b/buildtools/debian-skeleton/rpki-ca.postinst
@@ -5,51 +5,25 @@ set -e -setup_rpkid_user() { - if ! getent passwd rpkid >/dev/null - then - useradd -g rpkid -M -N -d /nonexistent -s /sbin/nologin -c "RPKI certification authority engine(s)" rpkid - fi -} - -setup_rpkid_group() { - if ! getent group rpkid >/dev/null - then - groupadd rpkid - fi -} - setup_apache() { /usr/lib/rpki/rpkigui-apache-conf-gen --install --verbose } -setup_rpki_conf() { - # Update /etc/rpki.conf.sample for this system, and copy it to - # /etc/rpki.conf if no configuration file exists yet. - - # We don't (yet) have the ability to merge in settings from an - # existing rpki.conf, so we generate a new secret_key and a new - # SQL password every time, but that's harmless so long as we're - # careful not to overwrite an existing configuration. - - rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml \ - --autoconf \ - --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \ - --set myrpki::rpkid_server_host=`hostname -f` \ - --set myrpki::pubd_server_host=`hostname -f` \ - --set myrpki::shared_sql_engine=postgresql \ - --pwgen myrpki::shared_sql_password \ - --pwgen web_portal::secret-key \ - --write-conf /etc/rpki.conf.sample - - if test ! -f /etc/rpki.conf +setup_config() { + + rpki-confgen --read-xml /etc/rpki/rpki.rp.xml \ + --set myrpki::run_rpkid=yes \ + --set myrpki::run_pubd=yes \ + --write-xml /etc/rpki/rpki.ca.xml \ + --write-conf /etc/rpki/rpki.ca.sample.conf + + if test ! -f /etc/rpki.conf || cmp -s /etc/rpki.conf /etc/rpki/rpki.rp.sample.conf then - cp -p /etc/rpki.conf.sample /etc/rpki.conf + cp -p /etc/rpki/rpki.ca.conf.sample /etc/rpki.conf fi } setup_sql() { - #rpki-sql-setup --mysql-defaults /etc/mysql/debian.cnf create rpki-sql-setup --debug --verbose --postgresql-root-username postgres create } 
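Review bot: The `cp` at the end of the new `setup_config` reads a file that nothing in this hunk creates: `rpki-confgen` is told to `--write-conf /etc/rpki/rpki.ca.sample.conf`, but the copy names `/etc/rpki/rpki.ca.conf.sample`. The script runs under `set -e`, so whenever the `if` condition is true (no `/etc/rpki.conf`, or one still identical to the relying-party sample) the failed copy aborts `configure`. The line should read `cp -p /etc/rpki/rpki.ca.sample.conf /etc/rpki.conf`, which is also the spelling `rpki-ca.postrm` uses in this commit.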
@@ -66,12 +40,7 @@ setup_cron() { t=$(hexdump -n 1 -e '"%u"' /dev/urandom) && echo "$(($t % 60)) */2 * * * nobody /usr/lib/rpki/rpkigui-import-routes" > /etc/cron.d/rpkigui-routeviews chmod 644 /etc/cron.d/rpkigui-routeviews ln -sf /usr/lib/rpki/rpkigui-check-expired /etc/cron.daily/rpkigui-check-expired - - # This should be user rpkid, but I don't have permissions set up - # properly for that yet. Arguably this should be integrated with - # rpkigui-check-expired anyway, not there yet either. - - echo "30 3 * * * root /usr/sbin/rpkic update_bpki" >/etc/cron.d/rpki-update-bpki + echo "30 3 * * * rpki /usr/sbin/rpkic update_bpki" >/etc/cron.d/rpki-update-bpki chmod 644 /etc/cron.d/rpki-update-bpki } @@ -90,10 +59,8 @@ setup_cron() { case "$1" in configure) - setup_rpkid_group - setup_rpkid_user setup_apache - setup_rpki_conf + setup_config setup_sql setup_bpki setup_django diff --git a/buildtools/debian-skeleton/rpki-ca.postrm b/buildtools/debian-skeleton/rpki-ca.postrm index 372847f2..c49492fe 100644 --- a/buildtools/debian-skeleton/rpki-ca.postrm +++ b/buildtools/debian-skeleton/rpki-ca.postrm @@ -22,13 +22,11 @@ set -e case "$1" in purge) - sql=/etc/rpki/drop_databases.sql - if test -f $sql + if cmp -s /etc/rpki.conf /etc/rpki/rpki.ca.sample.conf then - #mysql --defaults-file=/etc/mysql/debian.cnf --execute "source $sql" - sudo -u postgres psql -f $sql + cp -p /etc/rpki/rpki.rp.sample.conf /etc/rpki.conf fi - rm -f /etc/rpki.conf /etc/rpki.conf.sample $sql + rm -f /etc/rpki/rpki.ca.sample.conf /etc/rpki/rpki.ca.xml rm -f /etc/rpki/apache.conf /etc/rpki/apache.cer /etc/rpki/apache.key ;; diff --git a/buildtools/debian-skeleton/rpki-ca.prerm b/buildtools/debian-skeleton/rpki-ca.prerm index 2754ed43..3f44ea4d 100644 --- a/buildtools/debian-skeleton/rpki-ca.prerm +++ b/buildtools/debian-skeleton/rpki-ca.prerm 
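Review bot: The `rpki-update-bpki` cron entry now names the account `rpki`, but this script no longer creates any account: `setup_rpkid_group` and `setup_rpkid_user` are removed in the first hunk and dropped from the `configure` branch in the next one, so the entry depends on `rpki-rp.postinst` having run `setup_user`. The package control file is not part of this diff, so confirm that rpki-ca declares a dependency on rpki-rp; cron will not run an entry whose user is missing. The removed comment also said permissions for a non-root run were not set up yet, so it is worth checking that `rpki` can read whatever `rpkic update_bpki` needs. A comment such as `# Runs as rpki, the account created by rpki-rp.postinst (setup_user)` above the `echo` would record the assumption.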
@@ -31,53 +31,13 @@ case "$1" in rm -f /usr/share/rpki/rpkid.cer rm -f /usr/share/rpki/rpkid.key - # Record what will be needed to drop the databases completely, - # while we still have the necessary configuration data, but - # postpone dropping the databases until the postrm script, - # since that's where we find out whether this is a purge. - - #rpki-sql-setup --mysql-defaults /etc/mysql/debian.cnf script-drop /etc/rpki/drop_databases.sql - rpki-sql-setup --debug --verbose --postgresql-root-username postgres script-drop /etc/rpki/drop_databases.sql - # Clean up our cron jobs. rm -f /etc/cron.d/rpkigui-routeviews rm -f /etc/cron.daily/rpkigui-check-expired rm -f /etc/cron.d/rpki-update-bpki - # Clean up what we did to Apache. Modern version of this is - # just invocation of a Python script, but for now we also - # retain code needed to clean up nasty mess we created in the - # past, to avoid breaking old installations on upgrade. - - # Remove the old stuff first, if the containing file even exists. - - f=/etc/apache2/sites-available/default-ssl - if test -r $f - then - awk < $f > ${f}.tmp ' - BEGIN { - conf_file = "/etc/rpki/apache.conf"; - conf_regexp = "^[ \t]*Include[ \t]+" conf_file "[ \t]*$"; - } - $0 !~ conf_regexp { - print; - }' - - if cmp -s ${f}.tmp ${f}.orig - then - mv -f ${f}.orig $f - rm -f ${f}.tmp - else - mv -f ${f}.tmp $f - fi - fi - - # At this point we've cleaned up our Apache config mess. - # Not sure whether we should do "service apache2 reload" - # here, one could make a case either way. Skip for now. - - # Now remove the new stuff. + # Clean up what we did to Apache. /usr/lib/rpki/rpkigui-apache-conf-gen --remove --verbose diff --git a/buildtools/debian-skeleton/rpki-rp.install b/buildtools/debian-skeleton/rpki-rp.install index ce17bb14..fe0073a2 100644 --- a/buildtools/debian-skeleton/rpki-rp.install +++ b/buildtools/debian-skeleton/rpki-rp.install 
@@ -1,4 +1,4 @@
-etc/rcynic.conf
+etc/rpki/rpki-confgen.xml
 etc/rpki/trust-anchors
 etc/xinetd.d/rpki-rtr
 usr/bin
diff --git a/buildtools/debian-skeleton/rpki-rp.postinst b/buildtools/debian-skeleton/rpki-rp.postinst
index b9f666a2..ae95e7b2 100644
--- a/buildtools/debian-skeleton/rpki-rp.postinst
+++ b/buildtools/debian-skeleton/rpki-rp.postinst
@@ -5,54 +5,63 @@ set -e -setup_groups() { - if ! getent group rcynic >/dev/null +setup_user() { + if ! getent group rpki >/dev/null then - groupadd rcynic + groupadd rpki fi - if ! getent group rpkirtr >/dev/null + if ! getent passwd rpki >/dev/null then - groupadd rpkirtr + useradd -g rpki -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI system software" rpki fi } -setup_users() { - if ! getent passwd rcynic >/dev/null - then - useradd -g rcynic -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI validation system" rcynic - fi - if ! getent passwd rpkirtr >/dev/null - then - useradd -g rpkirtr -M -N -d /var/rcynic/rpki-rtr -s /sbin/nologin -c "RPKI router server" rpkirtr - fi - usermod -a -G rpkirtr rcynic +setup_directories() { + install -o rpki -g rpki -d /var/rcynic/data /var/rcynic/rpki-rtr /var/rcynic/rpki-rtr/sockets /var/www/html/rcynic } -setup_directories() { - install -o rcynic -g rcynic -d /var/rcynic/data /var/rcynic/rpki-rtr - if test -d /var/www/html && test -d /var/www/rcynic && test ! -d /var/www/html/rcynic - then - mv /var/www/rcynic /var/www/html/rcynic - elif test -d /var/www/html +setup_config() { + + rpki-confgen --read-xml /etc/rpki/rpki-confgen.xml \ + --autoconf \ + --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \ + --set myrpki::rpkid_server_host=`hostname -f` \ + --set myrpki::pubd_server_host=`hostname -f` \ + --set myrpki::shared_sql_engine=postgresql \ + --set myrpki::rcynic_sql_database=rpki \ + --set myrpki::rpkid_sql_database=rpki \ + --set myrpki::irdbd_sql_database=rpki \ + --set myrpki::pubd_sql_database=rpki \ + --pwgen myrpki::shared_sql_password \ + --pwgen web_portal::secret-key \ + --set myrpki::run_rpkid=no \ + --set myrpki::run_pubd=no \ + --write-xml /etc/rpki/rpki.rp.xml \ + --write-conf /etc/rpki/rpki.rp.sample.conf + + if test ! 
-f /etc/rpki.conf then - install -o rcynic -g rcynic -d /var/www/html/rcynic + cp -p /etc/rpki/rpki.rp.sample.conf /etc/rpki.conf fi - install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets +} + +setup_sql() { + rpki-sql-setup --debug --verbose --postgresql-root-username postgres create } # We want to pick a *random* minute for rcynic to run, to spread load # on repositories, which is why we don't just use a package crontab. -setup_rcynic_cron() { - if test "X`crontab -l -u rcynic 2>/dev/null`" = "X" +setup_cron() { + if test "X`crontab -l -u rpki 2>/dev/null`" = "X" then awk -v t=`hexdump -n 2 -e '"%u\n"' /dev/urandom` ' BEGIN {printf "MAILTO=root\n%u * * * *\texec /usr/bin/rcynic-cron\n", t % 60}' | - crontab -u rcynic - + crontab -u rpki - fi } -setup_rpkirtr_listener() { +setup_xinetd() { if test -f /var/run/xinetd.pid then kill -HUP `cat /var/run/xinetd.pid` @@ -74,11 +83,12 @@ setup_rpkirtr_listener() { case "$1" in configure) - setup_groups - setup_users + setup_user setup_directories - setup_rcynic_cron - setup_rpkirtr_listener + setup_config + setup_sql + setup_cron + setup_xinetd ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/buildtools/debian-skeleton/rpki-rp.postrm b/buildtools/debian-skeleton/rpki-rp.postrm index ad4ed1b9..7236d7a5 100644 --- a/buildtools/debian-skeleton/rpki-rp.postrm +++ b/buildtools/debian-skeleton/rpki-rp.postrm @@ -23,6 +23,13 @@ case "$1" in purge) rm -rf /var/rcynic + sql=/etc/rpki/drop_databases.sql + if test -f $sql + then + sudo -u postgres psql -f $sql + rm -f $sql + fi + rm -f /etc/rpki/rpki.rp.sample.conf /etc/rpki/rpki.rp.xml /etc/rpki.conf ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) diff --git a/buildtools/debian-skeleton/rpki-rp.prerm b/buildtools/debian-skeleton/rpki-rp.prerm index 37b111f2..b7e7cbde 100644 --- a/buildtools/debian-skeleton/rpki-rp.prerm +++ b/buildtools/debian-skeleton/rpki-rp.prerm 
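Review bot: Nothing in the new `setup_config` sets an owner or mode on the files that receive the `--pwgen` secrets (`myrpki::shared_sql_password`, `web_portal::secret-key`): `/etc/rpki/rpki.rp.xml`, `/etc/rpki/rpki.rp.sample.conf`, and `/etc/rpki.conf`, which `cp -p` creates with the sample's mode. Unless `rpki-confgen` restricts the files itself (not visible here), they get the installer's umask and are likely world-readable. After the `rpki-confgen` call I would add `chown root:rpki /etc/rpki/rpki.rp.xml /etc/rpki/rpki.rp.sample.conf` and `chmod 640 /etc/rpki/rpki.rp.xml /etc/rpki/rpki.rp.sample.conf`, so only root and the account created by `setup_user` can read them. `--pwgen` also appears to run on every `configure`, so the sample may get fresh secrets on upgrade while an existing `/etc/rpki.conf` keeps the old ones; the `cmp -s` test in `rpki-ca.postinst` would then treat the live file as locally modified.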
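Review bot: The new `purge` code in `rpki-rp.postrm` calls `sudo -u postgres psql -f $sql`, although a maintainer script already runs as root and `sudo` is not guaranteed to be installed. Under `set -e`, a missing `sudo` or a PostgreSQL server that is stopped or already removed aborts the purge before the `rm -f` of the configuration files, leaving the generated secrets on disk. `su -s /bin/sh -c "psql -f $sql" postgres` removes the extra dependency. The failure case should be handled explicitly (warn and continue, keeping the drop script) rather than left to `set -e`.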
@@ -20,16 +20,25 @@ set -e case "$1" in remove) - crontab -l -u rcynic 2>/dev/null | awk ' + # Record what will be needed to drop the databases completely, + # while we still have the necessary configuration data, but + # postpone dropping the databases until the postrm script, + # since that's where we find out whether this is a purge. + + rpki-sql-setup --debug --verbose --postgresql-root-username postgres script-drop /etc/rpki/drop_databases.sql + + # Clean up our cron job. + + crontab -l -u rpki 2>/dev/null | awk ' $0 !~ "exec /usr/bin/rcynic-cron" { line[++n] = $0; } END { if (n) for (i = 1; i <= n; i++) - print line[i] | "crontab -u rcynic -"; + print line[i] | "crontab -u rpki -"; else - system("crontab -u rcynic -r"); + system("crontab -u rpki -r"); }' ;; diff --git a/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in b/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in index 4c687f38..8942fd1a 100644 --- a/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in +++ b/buildtools/freebsd-skeleton/rpki-rp/files/pkg-install.in 
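Review bot: The hunk sets no owner or mode on `/etc/rpki/drop_databases.sql`, which `rpki-rp.postrm` later feeds to `psql` as the `postgres` superuser, so between `remove` and `purge` the file is effectively privileged input. How `rpki-sql-setup` creates the file is not visible; adding `chown root:root /etc/rpki/drop_databases.sql` and `chmod 600 /etc/rpki/drop_databases.sql` right after the call would make the expectation explicit. With `set -e`, a failing `rpki-sql-setup` (for example when `/etc/rpki.conf` is missing or unreadable) also makes `prerm remove` fail, which blocks removal of the package.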
@@ -3,47 +3,25 @@ case $2 in PRE-INSTALL) - if /usr/sbin/pw groupshow "rcynic" 2>/dev/null + if /usr/sbin/pw groupshow "rpki" 2>/dev/null then - echo "You already have a group \"rcynic\", so I will use it." - elif /usr/sbin/pw groupadd rcynic + echo "You already have a group \"rpki\", so I will use it." + elif /usr/sbin/pw groupadd rpki then - echo "Added group \"rcynic\"." + echo "Added group \"rpki\"." else - echo "Adding group \"rcynic\" failed..." + echo "Adding group \"rpki\" failed..." echo "Please create it, then try again." exit 1 fi - if /usr/sbin/pw usershow "rcynic" 2>/dev/null + if /usr/sbin/pw usershow "rpki" 2>/dev/null then - echo "You already have a user \"rcynic\", so I will use it." - elif /usr/sbin/pw useradd rcynic -g rcynic -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI validation system" + echo "You already have a user \"rpki\", so I will use it." + elif /usr/sbin/pw useradd rpki -g rpki -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI system daemons" then - echo "Added user \"rcynic\"." + echo "Added user \"rpki\"." else - echo "Adding user \"rcynic\" failed..." - echo "Please create it, then try again." - exit 1 - fi - if /usr/sbin/pw groupshow "rpkirtr" 2>/dev/null - then - echo "You already have a group \"rpkirtr\", so I will use it." - elif /usr/sbin/pw groupadd rpkirtr - then - echo "Added group \"rpkirtr\"." - else - echo "Adding group \"rpkirtr\" failed..." - echo "Please create it, then try again." - exit 1 - fi - if /usr/sbin/pw usershow "rpkirtr" 2>/dev/null - then - echo "You already have a user \"rpkirtr\", so I will use it." - elif /usr/sbin/pw useradd rpkirtr -g rpkirtr -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI router server" - then - echo "Added user \"rpkirtr\"." - else - echo "Adding user \"rpkirtr\" failed..." + echo "Adding user \"rpki\" failed..." echo "Please create it, then try again." exit 1 fi 
@@ -55,25 +33,24 @@ POST-INSTALL) echo "Creating /var/rcynic" /usr/bin/install -o root -g wheel -d /var/rcynic fi - for dir in /var/rcynic/data /var/rcynic/rpki-rtr + for dir in /var/rcynic/data /var/rcynic/rpki-rtr /var/rcynic/rpki-rtr/sockets do - /usr/bin/install -o rcynic -g rcynic -d $dir + /usr/bin/install -o rpki -g rpki -d $dir done - /usr/bin/install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets - if test ! -f /usr/local/etc/rcynic.conf + if test ! -f /usr/local/etc/rpki.conf then - /bin/cp -p /usr/local/etc/rcynic.conf.sample /usr/local/etc/rcynic.conf + /bin/cp -p /usr/local/etc/rpki.conf.sample /usr/local/etc/rpki.conf fi htmldir=/usr/local/www/apache%%APACHE_VERSION%%/data/rcynic - /usr/bin/install -o rcynic -g rcynic -d $htmldir - if test "X`/usr/bin/crontab -l -u rcynic 2>/dev/null`" != "X" + /usr/bin/install -o rpki -g rpki -d $htmldir + if test "X`/usr/bin/crontab -l -u rpki 2>/dev/null`" != "X" then - echo "rcynic user already has a crontab, leaving it alone" + echo "rpki user already has a crontab, leaving it alone" else - echo "Setting up rcynic's crontab to run rcynic-cron script" + echo "Setting up rpki's crontab to run rcynic-cron script" /usr/bin/awk -v t=`/usr/bin/hexdump -n 2 -e '"%u\n"' /dev/random` ' BEGIN {printf "MAILTO=root\n%u * * * *\texec /usr/local/bin/rcynic-cron\n", t % 60}' | - /usr/bin/crontab -u rcynic - + /usr/bin/crontab -u rpki - fi echo "Setting up rpki-rtr listener under inetd" if /usr/bin/egrep -q '^rpki-rtr' /etc/services 
@@ -101,7 +78,7 @@ POST-INSTALL) if /usr/bin/egrep -q "rpki-rtr[ ]+stream[ ]+tcp[ ]" /etc/inetd.conf then echo "You already have an /etc/inetd.conf entry for rpki-rtr on TCPv4, so I will use it." - elif echo >>/etc/inetd.conf "rpki-rtr stream tcp nowait rpkirtr /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr" + elif echo >>/etc/inetd.conf "rpki-rtr stream tcp nowait rpki /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr" then echo "Added rpki-rtr for TCPv4 to /etc/inetd.conf." else @@ -111,7 +88,7 @@ POST-INSTALL) if /usr/bin/egrep -q "rpki-rtr[ ]+stream[ ]+tcp6[ ]" /etc/inetd.conf then echo "You already have an /etc/inetd.conf entry for rpki-rtr on TCPv6, so I will use it." - elif echo >>/etc/inetd.conf "rpki-rtr stream tcp6 nowait rpkirtr /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr" + elif echo >>/etc/inetd.conf "rpki-rtr stream tcp6 nowait rpki /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr" then echo "Added rpki-rtr for TCPv6 to /etc/inetd.conf." else diff --git a/buildtools/rpki-pbuilder.py b/buildtools/rpki-pbuilder.py index 32247ff8..1d45e862 100644 --- a/buildtools/rpki-pbuilder.py +++ b/buildtools/rpki-pbuilder.py @@ -201,7 +201,7 @@ class Release(object): os.unlink(os.path.join(dsc_dir, fn)) run("rm", "-rf", "debian", cwd = args.svn_tree) run(sys.executable, "buildtools/make-version.py", cwd = args.svn_tree) - run(sys.executable, "buildtools/build-ubuntu-ports.py", "--version-suffix", self.release, cwd = args.svn_tree) + run(sys.executable, "buildtools/build-debian-packages.py", "--version-suffix", self.release, cwd = args.svn_tree) run("dpkg-buildpackage", "-S", "-us", "-uc", "-rfakeroot", cwd = args.svn_tree) if not os.path.exists(self.basefile): |
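Review bot: Both `inetd.conf` entries (this TCPv4 hunk and the TCPv6 hunk that follows) now start the network-facing `rpki-rtr server` as `rpki`, the same account that the earlier POST-INSTALL hunk makes owner of `/var/rcynic/data` and whose crontab runs `rcynic-cron`. Before this change the listener ran as `rpkirtr`, which owned only the `sockets` directory (`-o rpkirtr -g rcynic -m 775`), so a flaw in the listener did not give write access to the validator's output. If merging the accounts is intentional, a comment above the entries should say so, e.g. `# rpki-rtr shares the rpki account with rcynic; listener and validator are no longer separated`; otherwise keep a dedicated unprivileged account for the listener. The enclosing `POST-INSTALL)` branch starts and ends outside these hunks.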