Diffstat (limited to 'rcynic')
20 files changed, 551 insertions, 835 deletions
diff --git a/rcynic/Makefile.in b/rcynic/Makefile.in
index 777fe18f..71f46df2 100644
--- a/rcynic/Makefile.in
+++ b/rcynic/Makefile.in
@@ -14,22 +14,62 @@ CFLAGS = @CFLAGS@ -Wall -Wshadow -Wmissing-prototypes -Wmissing-declarations -We
 LDFLAGS = @LDFLAGS@ @LD_STATIC_FLAG@
 LIBS = @LIBS@
-AWK = @AWK@
-SORT= @SORT@
-PYTHON = @PYTHON@
-RRDTOOL = @RRDTOOL@
-
-abs_top_srcdir = @abs_top_srcdir@
-abs_top_builddir = @abs_top_builddir@
-
-host_os = @host_os@
-
-SCRIPTS = rcynic-text rcynic-html rcynic-svn validation_status
-
-all: ${BIN} ${SCRIPTS}
+AWK = @AWK@
+SORT = @SORT@
+PYTHON = @PYTHON@
+RRDTOOL = @RRDTOOL@
+INSTALL = @INSTALL@
+SU = @SU@
+SUDO = @SUDO@
+CHROOT = @CHROOT@
+CHROOTUID = @CHROOTUID@
+
+abs_top_srcdir = @abs_top_srcdir@
+abs_top_builddir = @abs_top_builddir@
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+datarootdir = @datarootdir@
+datadir = @datadir@
+localstatedir = @localstatedir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+sysconfdir = @sysconfdir@
+
+abs_builddir = @abs_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+abs_top_builddir = @abs_top_builddir@
+srcdir = @srcdir@
+
+RCYNIC_INSTALL_TARGETS = @RCYNIC_INSTALL_TARGETS@
+RCYNIC_DIR = @RCYNIC_DIR@
+RCYNIC_JAIL_DIRS = @RCYNIC_JAIL_DIRS@
+RCYNIC_CONF_FILE = @RCYNIC_CONF_FILE@
+RCYNIC_TA_DIR = @RCYNIC_TA_DIR@
+RCYNIC_BIN_RCYNIC = @RCYNIC_BIN_RCYNIC@
+RCYNIC_DATA_DIR = ${RCYNIC_DIR}/data
+RCYNIC_RPKI_RTR_DIR = ${RCYNIC_DIR}/rpki-rtr
+RCYNIC_DIRS = ${RCYNIC_TA_DIR} ${RCYNIC_JAIL_DIRS} ${RCYNIC_DATA_DIR} ${RCYNIC_RPKI_RTR_DIR} ${RCYNIC_RPKI_RTR_DIR}/sockets
+RCYNIC_CONF_RSYNC = @RCYNIC_CONF_RSYNC@
+RCYNIC_CONF_DATA = @RCYNIC_CONF_DATA@
+RCYNIC_CONF_TA_DIR = @RCYNIC_CONF_TA_DIR@
+RCYNIC_USER = rcynic
+RCYNIC_GROUP = rcynic
+NOBODY_USER = nobody
+RCYNIC_GECOS = RPKI Validation System
+RCYNIC_STATIC_RSYNC = @RCYNIC_STATIC_RSYNC@
+RCYNIC_HTML_DIR = @RCYNIC_HTML_DIR@
+RCYNIC_CRON_USER = @RCYNIC_CRON_USER@
+
+SCRIPTS = rcynic-text rcynic-html rcynic-svn validation_status rcynic-cron
+
+all: ${BIN} ${SCRIPTS} ${RCYNIC_STATIC_RSYNC}
 clean:
-	cd static-rsync; ${MAKE} $@
+	if test -r static-rsync/Makefile; then cd static-rsync; ${MAKE} $@; fi
 	rm -f ${BIN} ${OBJS} ${SCRIPTS}
 ${OBJ}: ${SRC} ${GEN}
@@ -41,36 +81,27 @@ ${GEN}: ${SRC}
 	${PYTHON} ${abs_top_srcdir}/buildtools/defstack.py ${SRC} >$@.tmp
 	mv $@.tmp $@
-test: ${BIN}
-	if test -r rcynic.conf; \
-	then \
-	./${BIN} -j 0 && \
-	test -r rcynic.xml && \
-	echo && \
-	./rcynic-text rcynic.xml; \
-	else \
-	echo No rcynic.conf, skipping test; \
-	fi
-
-install: ${BIN} installation-scripts/install.sh
-	cd installation-scripts; host_os="${host_os}"; DESTDIR="${DESTDIR}"; AWK="${AWK}"; SORT="${SORT}"; . ./install.sh
-
-uninstall deinstall:
-	cd installation-scripts; host_os="${host_os}"; DESTDIR="${DESTDIR}"; . ./deinstall.sh
-
-installation-manifest:
-	cd installation-scripts; host_os="${host_os}"; abs_top_builddir="${abs_top_builddir}"; . ./manifest.sh
-
-distclean: clean
-	cd static-rsync; ${MAKE} $@
-	rm -f Makefile
-
 COMPILE_PYTHON = \
 	AC_PYTHON_INTERPRETER='${PYTHON}' \
 	AC_RRDTOOL_BINARY='${RRDTOOL}' \
 	${PYTHON} ${abs_top_srcdir}/buildtools/make-rcynic-script.py <$? >$@; \
 	chmod 755 $@
+COMPILE_PYTHON_CRON = \
+	AC_PYTHON_INTERPRETER='${PYTHON}' \
+	AC_RCYNIC_USER='${RCYNIC_USER}' \
+	AC_RCYNIC_GROUP='${RCYNIC_GROUP}' \
+	AC_RCYNIC_DIR='${RCYNIC_DIR}' \
+	AC_bindir='${bindir}' \
+	AC_sysconfdir='${sysconfdir}' \
+	AC_RCYNIC_HTML_DIR='${RCYNIC_HTML_DIR}' \
+	AC_SU='${SU}' \
+	AC_SUDO='${SUDO}' \
+	AC_CHROOT='${CHROOT}' \
+	AC_CHROOTUID='${CHROOTUID}' \
+	${PYTHON} ${abs_top_srcdir}/buildtools/make-rcynic-script.py <$? >$@; \
+	chmod 755 $@
+
 rcynic-text: rcynic-text.py
 	${COMPILE_PYTHON}
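Review bot: The new `clean` recipe's `if test -r static-rsync/Makefile; then cd static-rsync; ${MAKE} $@; fi` chains with `;`, so if the cd fails the recursive make runs `clean` in this directory instead of the subdirectory and recurses; `cd static-rsync && ${MAKE} $@` stops at the failed cd, and the same `;` is in `distclean` and the `static-rsync/rsync` rule in the last hunk. The variable block assigns `sysconfdir`, `abs_top_srcdir` and `abs_top_builddir` twice each; the second copies are dead and should go. `RCYNIC_DATA_DIR`, `RCYNIC_RPKI_RTR_DIR` and `RCYNIC_DIRS` are built from `RCYNIC_DIR` with no `${DESTDIR}` prefix, while the script targets in the last hunk are `${DESTDIR}${bindir}/…`, so a staged install (`make DESTDIR=/tmp/stage install`) would create the jail directories on the live system; unless `@RCYNIC_DIR@` is meant to carry DESTDIR already, prefix them the same way. `RCYNIC_USER`, `RCYNIC_GROUP` and `NOBODY_USER` are both baked into rcynic-cron via `COMPILE_PYTHON_CRON` and used by the chown in `install-directory-ownership`, so a one-line comment saying they must match the account that `install-user-and-group` (presumably defined in `@RCYNIC_MAKE_RULES@`) creates would help whoever next changes them.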
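Review bot: `COMPILE_PYTHON_CRON` duplicates all of `COMPILE_PYTHON` and only adds `AC_*` environment assignments in front, so the two invocations of make-rcynic-script.py will drift apart the next time one is edited; since the body is a plain env-prefixed command, the new definition can keep its `AC_RCYNIC_USER` … `AC_CHROOTUID` lines and end with `${COMPILE_PYTHON}` in place of its own `AC_PYTHON_INTERPRETER`, `${PYTHON} … <$? >$@; \` and `chmod 755 $@` lines. Both definitions read the source through `<$?`, which is only right while each script rule has exactly one prerequisite; `<$<` states the intent and keeps working if a second prerequisite is ever added. The AC_* values are single-quoted, so a configured path containing `'` would break the generated command line; if that is an accepted limitation, a comment above the definition should say so.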
@@ -83,7 +114,133 @@ rcynic-svn: rcynic-svn.py
 validation_status: validation_status.py
 	${COMPILE_PYTHON}
+rcynic-cron: rcynic-cron.py
+	${COMPILE_PYTHON_CRON}
+
 tags: TAGS
 TAGS: ${SRC} ${GEN}
 	etags ${SRC} ${GEN}
+
+test: ${BIN}
+	if test -r rcynic.conf; \
+	then \
+	./${BIN} -j 0 && \
+	test -r rcynic.xml && \
+	echo && \
+	./rcynic-text rcynic.xml; \
+	else \
+	echo No rcynic.conf, skipping test; \
+	fi
+
+uninstall deinstall:
+	@echo Sorry, automated deinstallation of rcynic is not implemented yet
+
+distclean: clean
+	if test -r static-rsync/Makefile; then cd static-rsync; ${MAKE} $@; fi
+	rm -f Makefile
+
+static-rsync/rsync:
+	@echo "Building static rsync for use in chroot jail"
+	cd static-rsync; ${MAKE} all
+
+install: all ${RCYNIC_INSTALL_TARGETS}
+
+install-always: \
+	install-directories install-scripts install-rcynic install-rcynic-conf
+
+install-postconf: \
+	install-user-and-group install-directory-ownership install-crontab
+
+install-jailed: \
+	install-static-rsync install-shared-libraries install-rc-scripts
+
+install-directories: ${RCYNIC_DIRS}
+
+${RCYNIC_DIRS} ${DESTDIR}${bindir} ${DESTDIR}${sysconfdir}:
+	${INSTALL} -v -d $@
+
+install-directory-ownership: ${RCYNIC_DATA_DIR} ${RCYNIC_RPKI_RTR_DIR}
+	chown ${RCYNIC_USER}:${RCYNIC_GROUP} ${RCYNIC_DATA_DIR} ${RCYNIC_RPKI_RTR_DIR}
+	chown ${NOBODY_USER}:${RCYNIC_GROUP} ${RCYNIC_RPKI_RTR_DIR}/sockets
+
+install-rcynic-conf: ${RCYNIC_CONF_FILE}
+
+${RCYNIC_CONF_FILE}:
+	${INSTALL} -v -d ${RCYNIC_TA_DIR}
+	@echo Found no ${RCYNIC_CONF_FILE}, creating sample config. You might want to edit this.
+	@echo > $@.tmp '# Basic rcynic configuration file with default trust anchors.'
+	@echo >>$@.tmp '# See documentation for details.'
+	@echo >>$@.tmp ''
+	@echo >>$@.tmp '[rcynic]'
+	@echo >>$@.tmp 'rsync-program = ${RCYNIC_CONF_RSYNC}'
+	@echo >>$@.tmp 'authenticated = ${RCYNIC_CONF_DATA}/authenticated'
+	@echo >>$@.tmp 'unauthenticated = ${RCYNIC_CONF_DATA}/unauthenticated'
+	@echo >>$@.tmp 'xml-summary = ${RCYNIC_CONF_DATA}/rcynic.xml'
+	@echo >>$@.tmp 'jitter = 600'
+	@echo >>$@.tmp 'use-syslog = true'
+	@echo >>$@.tmp 'log-level = log_usage_err'
+	@cd sample-trust-anchors; \
+	j=1; \
+	for i in *.tal; \
+	do \
+	${INSTALL} -p -m 444 "$$i" "${RCYNIC_TA_DIR}/$$i"; \
+	echo >>$@.tmp "trust-anchor-locator.$$j = ${RCYNIC_CONF_TA_DIR}/$$i"; \
+	j=$$((j+1)); \
+	done
+	@chmod 444 $@.tmp
+	@mv -f $@.tmp $@
+
+install-rcynic: ${RCYNIC_BIN_RCYNIC}
+
+${RCYNIC_BIN_RCYNIC}: ${BIN}
+	${INSTALL} -p -m 555 ${BIN} $@
+
+install-static-rsync: ${RCYNIC_DIR}/bin/rsync
+
+${RCYNIC_DIR}/bin/rsync: static-rsync/rsync
+	${INSTALL} -p -m 555 static-rsync/rsync $@
+
+install-scripts: \
+	${DESTDIR}${bindir} \
+	${DESTDIR}${bindir}/rcynic-text \
+	${DESTDIR}${bindir}/rcynic-html \
+	${DESTDIR}${bindir}/rcynic-svn \
+	${DESTDIR}${bindir}/rcynic-cron \
+	${DESTDIR}${bindir}/validation_status
+
+${DESTDIR}${bindir}/rcynic-text: rcynic-text
+	${INSTALL} -p -m 555 rcynic-text $@
+
+${DESTDIR}${bindir}/rcynic-html: rcynic-html
+	${INSTALL} -p -m 555 rcynic-html $@
+
+${DESTDIR}${bindir}/rcynic-svn: rcynic-svn
+	${INSTALL} -p -m 555 rcynic-svn $@
+
+${DESTDIR}${bindir}/rcynic-cron: rcynic-cron
+	${INSTALL} -p -m 555 rcynic-cron $@
+
+${DESTDIR}${bindir}/validation_status: validation_status
+	${INSTALL} -p -m 555 validation_status $@
+
+.FORCE:
+
+install-crontab: .FORCE
+	@echo "Setting up ${RCYNIC_CRON_USER}'s crontab to run rcynic-cron script
+	@crontab -l -u ${RCYNIC_CRON_USER} 2>/dev/null | \
+	${AWK} -v t=`hexdump -n 2 -e '"%u\n"' /dev/random` '\
+	BEGIN { \
+	cmd = "exec ${bindir}/rcynic-cron"; \
+	} \
+	$$0 !~ cmd { \
+	print; \
+	} \
+	END { \
+	printf "%u * * * *\t%s\n", t % 60, cmd; \
+	}' | \
+	/usr/bin/crontab -u ${RCYNIC_CRON_USER} -
+
+# Platform-specific rules below here.
+
+@RCYNIC_MAKE_RULES@
diff --git a/rcynic/installation-scripts/darwin/RCynic/RCynic b/rcynic/installation-scripts/darwin/RCynic/RCynic
deleted file mode 100755
index 0237f926..00000000
--- a/rcynic/installation-scripts/darwin/RCynic/RCynic
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/bin/sh -
-#
-# $Id$
-#
-. /etc/rc.common
-
-name="rcynic"
-start_cmd="rcynic_start"
-stop_cmd="rcynic_stop"
-
-: ${rcynic_jaildir="/var/rcynic"}
-: ${rcynic_user="rcynic"}
-: ${rcynic_group="rcynic"}
-
-StartService()
-{
- /bin/test -d "${rcynic_jaildir}" || /bin/mkdir "${rcynic_jaildir}"
- /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null
-
- /usr/sbin/mtree -deU -p "${rcynic_jaildir}" <<EOF
-
- /set type=dir uname=root gname=wheel mode=0555
- .
- bin
- ..
- dev
- ..
- etc
- trust-anchors
- ..
- ..
- usr
- lib
- system
- ..
- ..
- ..
- var
- run
- ..
- ..
- data uname=${rcynic_user} gname=${rcynic_group} mode=0755
- ..
- ..
-EOF
-
- /bin/chmod -R a-w "${rcynic_jaildir}/bin" "${rcynic_jaildir}/etc"
- /usr/sbin/chown -R root:wheel "${rcynic_jaildir}/bin" "${rcynic_jaildir}/etc"
-
- if /bin/test -f "${rcynic_jaildir}/etc/rsa_key"; then
- /bin/chmod 400 "${rcynic_jaildir}/etc/rsa_key"
- /usr/sbin/chown "${rcynic_user}" "${rcynic_jaildir}/etc/rsa_key"
- fi
-
- if ! /sbin/mount_devfs devfs "${rcynic_jaildir}/dev"; then
- echo "Mounting devfs on ${rcynic_jaildir}/dev failed..."
- exit 1
- fi
-
- for i in /etc/localtime /etc/resolv.conf; do
- j="${rcynic_jaildir}${i}"
- if /bin/test -r "$i" && ! /usr/bin/cmp -s "$i" "$j"; then
- /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j"
- fi
- done
-
- /bin/ln -f /var/run/mDNSResponder "${rcynic_jaildir}/var/run/mDNSResponder"
-}
-
-StopService()
-{
- /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null
-}
-
-RestartService()
-{
- StartService
-}
-
-RunService "$1"
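Review bot: In `install-crontab` the line `@echo "Setting up ${RCYNIC_CRON_USER}'s crontab to run rcynic-cron script` opens a double quote that is never closed, so the shell running that recipe line fails on an unterminated string and `make install-postconf` stops before the crontab is touched; it needs the closing quote: `@echo "Setting up ${RCYNIC_CRON_USER}'s crontab to run rcynic-cron script"`. The next line pipes `crontab -l -u ${RCYNIC_CRON_USER} 2>/dev/null` into the awk filter regardless of its exit status, so any failure other than "no crontab" is indistinguishable from an empty crontab and the user's existing entries are replaced by the single new one; listing into `$@.tmp` first and checking the status before feeding `/usr/bin/crontab -u ${RCYNIC_CRON_USER} -` makes that loud, and since the jitter minute from `hexdump … /dev/random` only has to spread rsync load, reading `/dev/urandom` avoids blocking on a host with little entropy. Under `make -j` the `${DESTDIR}${bindir}/rcynic-*` file targets can run before the `${DESTDIR}${bindir}` directory exists, because they depend only on the script and not on the directory, and `install-directory-ownership`'s chown can run before `install-user-and-group` (presumably in `@RCYNIC_MAKE_RULES@`) has created the account — give the file targets `| ${DESTDIR}${bindir}` as an order-only prerequisite and state the ordering among the install-postconf steps explicitly. In the `${RCYNIC_CONF_FILE}` rule, `@cd sample-trust-anchors; \` should be `@cd sample-trust-anchors && \`, otherwise a failed cd quietly writes a config with no `trust-anchor-locator` lines and installs nothing into `${RCYNIC_TA_DIR}`; the rule also drops the deleted install.sh scripts' closing reminder that SAMPLE trust anchors were installed and that only the relying party can decide whether to trust them, which belongs in the 'creating sample config' message rather than 'You might want to edit this'. `uninstall deinstall` now prints its 'not implemented' message and exits 0 where the deleted deinstall.sh exited 1, so a packaging script would believe the uninstall succeeded; add `@false` after the echo.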
diff --git a/rcynic/installation-scripts/darwin/install.sh b/rcynic/installation-scripts/darwin/install.sh
deleted file mode 100644
index 1af4a6f0..00000000
--- a/rcynic/installation-scripts/darwin/install.sh
+++ /dev/null
@@ -1,193 +0,0 @@ -#!/bin/sh - -# $Id$ -# -# Create a chroot jail for rcynic. -# -# This is approximately what a pkg-install script might do if this were -# a FreeBSD port. Perhaps some day it will be. - -: ${jaildir="${DESTDIR}/var/rcynic"} -: ${jailuser="rcynic"} -: ${jailgroup="rcynic"} -: ${jailname="RPKI Validation System"} -: ${setupcron="NO"} - -echo "Setting up \"${jaildir}\" as a chroot jail for rcynic." - -if /usr/bin/dscl . -read "/Groups/${jailgroup}" >/dev/null 2>&1 -then - echo "You already have a group \"${jailgroup}\", so I will use it." -elif gid="$(/usr/bin/dscl . -list /Groups PrimaryGroupID | /usr/bin/awk 'BEGIN {gid = 501} $2 >= gid {gid = 1 + $2} END {print gid}')" && - /usr/bin/dscl . -create "/Groups/${jailgroup}" && - /usr/bin/dscl . -create "/Groups/${jailgroup}" RealName "${jailname}" && - /usr/bin/dscl . -create "/Groups/${jailgroup}" PrimaryGroupID "$gid" && - /usr/bin/dscl . -create "/Groups/${jailgroup}" GeneratedUID "$(/usr/bin/uuidgen)" && - /usr/bin/dscl . -create "/Groups/${jailgroup}" Password "*" -then - echo "Added group \"${jailgroup}\"." -else - echo "Adding group \"${jailgroup}\" failed..." - echo "Please create it, then try again." - exit 1 -fi - -if /usr/bin/dscl . -read "/Users/${jailuser}" >/dev/null 2>&1 -then - echo "You already have a user \"${jailuser}\", so I will use it." -elif uid="$(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk 'BEGIN {uid = 501} $2 >= uid {uid = 1 + $2} END {print uid}')" && - /usr/bin/dscl . -create "/Users/${jailuser}" && - /usr/bin/dscl . -create "/Users/${jailuser}" UserShell "/usr/bin/false" && - /usr/bin/dscl . -create "/Users/${jailuser}" RealName "${jailname}" && - /usr/bin/dscl . -create "/Users/${jailuser}" UniqueID "$uid" && - /usr/bin/dscl . -create "/Users/${jailuser}" PrimaryGroupID "$gid" && - /usr/bin/dscl . -create "/Users/${jailuser}" NFSHomeDirectory "/var/empty" && - /usr/bin/dscl . -create "/Users/${jailuser}" GeneratedUID "$(/usr/bin/uuidgen)" && - /usr/bin/dscl . 
-create "/Users/${jailuser}" Password "*" -then - echo "Added user \"${jailuser}\"." -else - echo "Adding user \"${jailuser}\" failed..." - echo "Please create it, then try again." - exit 1 -fi - -if ! /bin/test -d "${jaildir}"; then - /bin/mkdir "${jaildir}" -fi - -if /usr/bin/install -o root -g wheel -d ${DESTDIR}/Library/StartupItems/RCynic && - /usr/bin/install -o root -g wheel -m 555 RCynic/RCynic RCynic/StartupParameters.plist ${DESTDIR}/Library/StartupItems/RCynic; then - echo "Installed ${DESTDIR}/Library/StartupItems/RCynic" -else - echo "Installing ${DESTDIR}/Library/StartupItems/RCynic failed" - exit 1 -fi - -echo "Running ${DESTDIR}/Library/StartupItems/RCynic/RCynic to set up directories" - -if ! rcynic_jaildir="$jaildir" rcynic_user="$jailuser" rcynic_group="$jailgroup" /Library/StartupItems/RCynic/RCynic start; then - echo "Directory setup failed" - exit 1 -fi - -if /bin/test -r "$jaildir/etc/rcynic.conf"; then - echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it." 
-elif /usr/bin/install -m 444 -o root -g wheel -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf"; then - echo "Installed minimal ${jaildir}/etc/rcynic.conf, adding SAMPLE trust anchors" - for i in ../../sample-trust-anchors/*.tal; do - j="$jaildir/etc/trust-anchors/${i##*/}" - /bin/test -r "$i" || continue - /bin/test -r "$j" && continue - echo "Installing $i as $j" - /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j" - done - j=1 - for i in $jaildir/etc/trust-anchors/*.tal; do - echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor-locator.$j = /etc/trust-anchors/${i##*/}" - j=$((j+1)) - done -else - echo "Installing minimal ${jaildir}/etc/rcynic.conf failed" - exit 1 -fi - -echo "Installing rcynic as ${jaildir}/bin/rcynic" - -/usr/bin/install -m 555 -o root -g wheel -p ../../rcynic "${jaildir}/bin/rcynic" - -if /bin/test -x "$jaildir/bin/rsync"; then - echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it" -elif /usr/bin/install -m 555 -o root -g wheel -p /usr/bin/rsync "${jaildir}/bin/rsync"; then - echo "Installed ${jaildir}/bin/rsync" -else - echo "Installing ${jaildir}/bin/rsync failed" - exit 1 -fi - -echo "Copying required shared libraries" - -shared_libraries="${jaildir}/bin/rcynic ${jaildir}/bin/rsync" -while true -do - closure="$(/usr/bin/otool -L ${shared_libraries} | /usr/bin/awk '/:$/ {next} {print $1}' | /usr/bin/sort -u)" - if test "x$shared_libraries" = "x$closure" - then - break - else - shared_libraries="$closure" - fi -done - -for shared in /usr/lib/dyld $shared_libraries -do - if /bin/test -r "${jaildir}/${shared}" - then - echo "You already have a \"${jaildir}/${shared}\", so I will use it" - elif /usr/bin/install -m 555 -o root -g wheel -p "${shared}" "${jaildir}/${shared}" - then - echo "Copied ${shared} into ${jaildir}" - else - echo "Unable to copy ${shared} into ${jaildir}" - exit 1 - fi -done - -if /usr/bin/install -m 555 -o root -g wheel -p ../../rcynic-html "${jaildir}/bin/rcynic-html"; then - echo "Installed 
rcynic.py as \"${jaildir}/bin/rcynic-html\"" -else - echo "Installing rcynic-html failed" - exit 1 -fi - -echo "Setting up root's crontab to run jailed rcynic" - -case "$setupcron" in -YES|yes) - /usr/bin/crontab -l -u root 2>/dev/null | - /usr/bin/awk -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" ' - BEGIN { - cmd = "exec /usr/sbin/chroot -u " jailuser " -g " jailgroup " " jaildir; - cmd = cmd " /bin/rcynic -c /etc/rcynic.conf"; - } - $0 !~ cmd { - print; - } - END { - "/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline; - printf "%u * * * *\t%s\n", $1 % 60, cmd; - }' | - /usr/bin/crontab -u root - - /bin/cat <<EOF - - crontab is set up to run rcynic hourly, at a randomly selected - minute (to spread load on the rsync servers). Please do NOT - adjust this to run on the hour. In particular please do NOT - adjust this to run at midnight UTC. -EOF - ;; - -*) - /bin/cat <<EOF - - You'll need to add a crontab entry running the following command as root: - - /usr/sbin/chroot -u $jailuser -g $jailgroup $jaildir /bin/rcynic -c /etc/rcynic.conf - - Please try to pick a random time for this, don't just run it on the hour, - or at local midnight, or, worst of all, at midnight UTC. - -EOF - ;; - -esac - -/bin/cat <<EOF - - Jail set up. You may need to customize $jaildir/etc/rcynic.conf. - If you did not install your own trust anchors, a default set - of SAMPLE trust anchors may have been installed for you, but - you, the relying party, are the only one who can decide - whether you trust those anchors. rcynic will not do anything - useful without good trust anchors. - -EOF diff --git a/rcynic/installation-scripts/deinstall.sh b/rcynic/installation-scripts/deinstall.sh deleted file mode 100644 index 113794a4..00000000 --- a/rcynic/installation-scripts/deinstall.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh - -# $Id$ - -echo Sorry, automated deinstallation of rcynic is not implemented yet -exit 1 
diff --git a/rcynic/installation-scripts/freebsd/install.sh b/rcynic/installation-scripts/freebsd/install.sh
deleted file mode 100644
index 105de21b..00000000
--- a/rcynic/installation-scripts/freebsd/install.sh
+++ /dev/null
@@ -1,151 +0,0 @@ -#!/bin/sh - -# $Id$ -# -# Create a chroot jail for rcynic. -# -# This is approximately what a pkg-install script might do if this were -# a FreeBSD port. Perhaps some day it will be. - -: ${jaildir="${DESTDIR}/var/rcynic"} -: ${jailuser="rcynic"} -: ${jailgroup="rcynic"} -: ${setupcron="NO"} - -echo "Setting up \"${jaildir}\" as a chroot jail for rcynic." - -if /usr/sbin/pw groupshow "${jailgroup}" 2>/dev/null; then - echo "You already have a group \"${jailgroup}\", so I will use it." -elif /usr/sbin/pw groupadd ${jailgroup}; then - echo "Added group \"${jailgroup}\"." -else - echo "Adding group \"${jailgroup}\" failed..." - echo "Please create it, then try again." - exit 1 -fi - -if /usr/sbin/pw usershow "${jailuser}" 2>/dev/null; then - echo "You already have a user \"${jailuser}\", so I will use it." -elif /usr/sbin/pw useradd ${jailuser} -g ${jailgroup} -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI validation system"; then - echo "Added user \"${jailuser}\"." -else - echo "Adding user \"${jailuser}\" failed..." - echo "Please create it, then try again." - exit 1 -fi - -if ! /bin/test -d "${jaildir}"; then - /bin/mkdir "${jaildir}" -fi - -if /usr/bin/install -m 555 -o root -g wheel -p rc.d.rcynic ${DESTDIR}/usr/local/etc/rc.d/rcynic; then - echo "Installed rc.d.rcynic as ${DESTDIR}/usr/local/etc/rc.d/rcynic" -else - echo "Installing ${DESTDIR}/usr/local/etc/rc.d/rcynic failed" - exit 1 -fi - -echo "Running /usr/local/etc/rc.d/rcynic to set up directories" - -if ! rcynic_jaildir="$jaildir" rcynic_user="$jailuser" rcynic_group="$jailgroup" /bin/sh /usr/local/etc/rc.d/rcynic start; then - echo "Directory setup failed" - exit 1 -fi - -if /bin/test -r "$jaildir/etc/rcynic.conf"; then - echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it." 
-elif /usr/bin/install -m 444 -o root -g wheel -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf"; then - echo "Installed minimal ${jaildir}/etc/rcynic.conf, adding SAMPLE trust anchors" - for i in ../../sample-trust-anchors/*.tal; do - j="$jaildir/etc/trust-anchors/${i##*/}" - /bin/test -r "$i" || continue - /bin/test -r "$j" && continue - echo "Installing $i as $j" - /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j" - done - j=1 - for i in $jaildir/etc/trust-anchors/*.tal; do - echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor-locator.$j = /etc/trust-anchors/${i##*/}" - j=$((j+1)) - done -else - echo "Installing minimal ${jaildir}/etc/rcynic.conf failed" - exit 1 -fi - -echo "Installing rcynic as ${jaildir}/bin/rcynic" - -/usr/bin/install -m 555 -o root -g wheel -p ../../rcynic "${jaildir}/bin/rcynic" - -if /bin/test ! -x "$jaildir/bin/rsync" -a ! -x ../../static-rsync/rsync; then - echo "Building static rsync for jail, this may take a little while" - (cd ../../static-rsync && exec make) -fi - -if /bin/test -x "$jaildir/bin/rsync"; then - echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it" -elif /usr/bin/install -m 555 -o root -g wheel -p ../../static-rsync/rsync "${jaildir}/bin/rsync"; then - echo "Installed static rsync as \"${jaildir}/bin/rsync\"" -else - echo "Installing static rsync failed" - exit 1 -fi - -if /usr/bin/install -m 555 -o root -g wheel -p ../../rcynic-html "${jaildir}/bin/rcynic-html"; then - echo "Installed rcynic.py as \"${jaildir}/bin/rcynic-html\"" -else - echo "Installing rcynic-html failed" - exit 1 -fi - -echo "Setting up root's crontab to run jailed rcynic" - -case "$setupcron" in -YES|yes) - /usr/bin/crontab -l -u root 2>/dev/null | - /usr/bin/awk -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" ' - BEGIN { - cmd = "exec /usr/sbin/chroot -u " jailuser " -g " jailgroup " " jaildir; - cmd = cmd " /bin/rcynic -c /etc/rcynic.conf"; - } - $0 !~ cmd { - print; - } - END { - 
"/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline; - printf "%u * * * *\t%s\n", $1 % 60, cmd; - }' | - /usr/bin/crontab -u root - - /bin/cat <<EOF - - crontab is set up to run rcynic hourly, at a randomly selected - minute (to spread load on the rsync servers). Please do NOT - adjust this to run on the hour. In particular please do NOT - adjust this to run at midnight UTC. -EOF - ;; - -*) - /bin/cat <<EOF - - You'll need to add a crontab entry running the following command as root: - - /usr/sbin/chroot -u $jailuser -g $jailgroup $jaildir /bin/rcynic -c /etc/rcynic.conf - - Please try to pick a random time for this, don't just run it on the hour, - or at local midnight, or, worst of all, at midnight UTC. - -EOF - ;; - -esac - -/bin/cat <<EOF - - Jail set up. You may need to customize $jaildir/etc/rcynic.conf. - If you did not install your own trust anchors, a default set - of SAMPLE trust anchors may have been installed for you, but - you, the relying party, are the only one who can decide - whether you trust those anchors. rcynic will not do anything - useful without good trust anchors. - -EOF diff --git a/rcynic/installation-scripts/freebsd/rc.d.rcynic b/rcynic/installation-scripts/freebsd/rc.d.rcynic deleted file mode 100755 index 73e6efda..00000000 --- a/rcynic/installation-scripts/freebsd/rc.d.rcynic +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/bin/sh - -# -# $Id$ -# -# PROVIDE: rcynic -# REQUIRE: DAEMON -# KEYWORD: nojail - -. /etc/rc.subr - -name="rcynic" -start_cmd="rcynic_start" -stop_cmd="rcynic_stop" - -: ${rcynic_jaildir="/var/rcynic"} -: ${rcynic_user="rcynic"} -: ${rcynic_group="rcynic"} - -rcynic_start() -{ - /bin/test -d "${rcynic_jaildir}" || /bin/mkdir "${rcynic_jaildir}" - /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null - - /usr/sbin/mtree -deU -p "${rcynic_jaildir}" <<EOF - - /set type=dir uname=root gname=wheel mode=0555 - . - bin - .. - dev - .. - etc - trust-anchors - .. - .. - var - run - .. - .. - data uname=${rcynic_user} gname=${rcynic_group} mode=0755 - .. - .. -EOF - - /bin/chmod -R a-w "${rcynic_jaildir}/bin" "${rcynic_jaildir}/etc" - /usr/sbin/chown -R root:wheel "${rcynic_jaildir}/bin" "${rcynic_jaildir}/etc" - - if /bin/test -f "${rcynic_jaildir}/etc/rsa_key"; then - /bin/chmod 400 "${rcynic_jaildir}/etc/rsa_key" - /usr/sbin/chown "${rcynic_user}" "${rcynic_jaildir}/etc/rsa_key" - fi - - if ! /sbin/mount -t devfs dev "${rcynic_jaildir}/dev"; then - echo "Mounting devfs on ${rcynic_jaildir}/dev failed..." - exit 1 - fi - - /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply hide - /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply path null unhide - /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply path random unhide - - for i in /etc/localtime /etc/resolv.conf; do - j="${rcynic_jaildir}${i}" - if /bin/test -r "$i" && ! /usr/bin/cmp -s "$i" "$j"; then - /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j" - fi - done -} - -rcynic_stop() -{ - /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null -} - -load_rc_config $name -run_rc_command "$1" diff --git a/rcynic/installation-scripts/install.sh b/rcynic/installation-scripts/install.sh deleted file mode 100644 index 8c708a28..00000000 --- a/rcynic/installation-scripts/install.sh +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/bin/sh - -# $Id$ - -set -e - -case "${host_os}" in - -freebsd*) cd freebsd; . ./install.sh;; -darwin*) cd darwin; . ./install.sh;; -linux*) cd linux; . ./install.sh;; - -*) echo 1>&2 "Don't know how to install rcynic jail on platform ${host_os}" - exit 1;; -esac diff --git a/rcynic/installation-scripts/linux/install.sh b/rcynic/installation-scripts/linux/install.sh deleted file mode 100644 index 3c9a6412..00000000 --- a/rcynic/installation-scripts/linux/install.sh +++ /dev/null 
@@ -1,255 +0,0 @@ -#!/bin/sh - -# $Id$ -# -# Create a chroot jail for rcynic. -# -# This is approximately what a package installation script might do. - -: ${jaildir="${DESTDIR}/var/rcynic"} -: ${jailuser="rcynic"} -: ${jailgroup="rcynic"} -: ${setupcron="NO"} - -echo "Setting up \"${jaildir}\" as a chroot jail for rcynic." - -if ${AWK} -F: -v jailgroup="${jailgroup}" 'BEGIN {status = 1} $1 == jailgroup {status = 0} END {exit status}' /etc/group -then - echo "You already have a group \"${jailgroup}\", so I will use it." -elif /usr/sbin/groupadd ${jailgroup} -then - echo "Added group \"${jailgroup}\"." -else - echo "Adding group \"${jailgroup}\" failed..." - echo "Please create it, then try again." - exit 1 -fi - -# The adduser program on CentOS 5.x uses the -n flag instead of -N to -# avoid creating the associated group. -nogroup='-N' -if test -f /etc/redhat-release; then - read vendor release version < /etc/redhat-release - if test $vendor = CentOS; then - nogroup='-n' - fi -fi - -if ${AWK} -F: -v jailuser="${jailuser}" 'BEGIN {status = 1} $1 == jailuser {status = 0} END {exit status}' /etc/passwd -then - echo "You already have a user \"${jailuser}\", so I will use it." -elif /usr/sbin/useradd -g ${jailgroup} -M $nogroup -d "${jaildir}" -s /sbin/nologin -c "RPKI validation system" ${jailuser} -then - echo "Added user \"${jailuser}\"." -else - echo "Adding user \"${jailuser}\" failed..." - echo "Please create it, then try again." - exit 1 -fi - -# test for x86_64 target -if test -d /lib64; then - libdir=/lib64 -else - libdir=/lib -fi - -echo "Building directories" - -if ! /bin/mkdir -p -v -m 555 \ - "${jaildir}/bin" \ - "${jaildir}/dev" \ - "${jaildir}/etc/trust-anchors" \ - "${jaildir}/${libdir}" \ - "${jaildir}/usr/lib" \ - "${jaildir}/data" -then - echo "Unable to build directories under \"${jaildir}\", please fix this then try again." - exit 1 -fi - -echo "Installing device inodes" - -if ! 
(cd /dev; /bin/ls null zero random urandom | /bin/cpio -puv "${jaildir}/dev") -then - echo "Unable to install device inodes in ${jaildir}/dev/, please fix this then try again" - exit 1 -fi - -echo "Copying files from /etc" - -for i in /etc/localtime /etc/resolv.conf /etc/passwd /etc/group -do - j="${jaildir}${i}" - if test -r "$i" && - ! /usr/bin/cmp -s "$i" "$j" && - ! /bin/cp -p "$i" "$j" - then - echo "Unable to copy $i to ${jaildir}, please fix this then try again" - exit 1 - fi -done - -echo "Whacking file permissions" - -if ! /bin/chmod -R a-w "${jaildir}/bin" "${jaildir}/etc" || - ! /bin/chmod -R 755 "${jaildir}/data" || - ! /bin/chown -R root:root "${jaildir}/bin" "${jaildir}/etc" || - ! /bin/chown -R "${jailuser}:${jailgroup}" "${jaildir}/data" -then - echo "Unable to set file permissions and ownerships correctly, please fix this and try again" - exit 1 -fi - -if test -f "${jaildir}/etc/rsa_key" -then - /bin/chmod 400 "${jaildir}/etc/rsa_key" - /bin/chown "${jailuser}" "${jaildir}/etc/rsa_key" -fi - -if test -r "$jaildir/etc/rcynic.conf"; then - echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it." 
-elif /usr/bin/install -m 444 -o root -g root -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf"; then - echo "Installed minimal ${jaildir}/etc/rcynic.conf, adding SAMPLE trust anchors" - for i in ../../sample-trust-anchors/*.tal; do - j="$jaildir/etc/trust-anchors/${i##*/}" - test -r "$i" || continue - test -r "$j" && continue - echo "Installing $i as $j" - /usr/bin/install -m 444 -o root -g root -p "$i" "$j" - done - j=1 - for i in $jaildir/etc/trust-anchors/*.tal; do - echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor-locator.$j = /etc/trust-anchors/${i##*/}" - j=$((j+1)) - done -else - echo "Installing minimal ${jaildir}/etc/rcynic.conf failed" - exit 1 -fi - -echo "Installing rcynic as ${jaildir}/bin/rcynic" - -/usr/bin/install -m 555 -o root -g root -p ../../rcynic "${jaildir}/bin/rcynic" - -if test -x "$jaildir/bin/rsync"; then - echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it" -elif /usr/bin/install -m 555 -o root -g root -p /usr/bin/rsync "${jaildir}/bin/rsync"; then - echo "Installed ${jaildir}/bin/rsync" -else - echo "Installing ${jaildir}/bin/rsync failed" - exit 1 -fi - -echo "Copying required shared libraries" - -shared_libraries="${jaildir}/bin/rcynic ${jaildir}/bin/rsync $(/usr/bin/find ${libdir} -name 'libnss*.so*' -print)" -while true -do - closure="$(/usr/bin/ldd ${shared_libraries} | - ${AWK} -v "rcynic=${jaildir}/bin/rcynic" -v "rsync=${jaildir}/bin/rsync" ' - { - sub(/:$/, ""); - } - $0 == rcynic || $0 == rsync || $1 ~ /\/ld-linux\.so/ { - next; - } - { - for (i = 1; i <= NF; i++) - if ($i ~ /^\//) - print $i; - } - ' | - ${SORT} -u)" - if test "x$shared_libraries" = "x$closure" - then - break - else - shared_libraries="$closure" - fi -done - -# Under CentOS 5.5, rsync requires libresolv, but ldd doesn't show -# it. 
-if test -f ${libdir}/libresolv.so.2; then - shared_libraries="${shared_libraries} ${libdir}/libresolv.so.2" -fi - -for shared in ${libdir}/*ld*.so* $shared_libraries -do - if test -r "${jaildir}/${shared}" - then - echo "You already have a \"${jaildir}${shared}\", so I will use it" - elif /usr/bin/install -m 555 -o root -g root -d "${jaildir}${shared%/*}" && - /usr/bin/install -m 555 -o root -g root -p "${shared}" "${jaildir}${shared}" - then - echo "Copied ${shared} into ${jaildir}" - else - echo "Unable to copy ${shared} into ${jaildir}" - exit 1 - fi -done - -if /usr/bin/install -m 555 -o root -g root -p ../../rcynic-html "${jaildir}/bin/rcynic-html"; then - echo "Installed rcynic.py as \"${jaildir}/bin/rcynic-html\"" -else - echo "Installing rcynic-html failed" - exit 1 -fi - -echo "Setting up root's crontab to run jailed rcynic" - -case "$setupcron" in -YES|yes) - /usr/bin/crontab -l -u root 2>/dev/null | - ${AWK} -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" ' - BEGIN { - cmd = "exec /usr/sbin/chroot --userspec=" jailuser ":" jailgroup " " jaildir; - cmd = cmd " /bin/rcynic -c /etc/rcynic.conf"; - } - $0 !~ cmd { - print; - } - END { - "/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline; - printf "%u * * * *\t%s\n", $1 % 60, cmd; - }' | - /usr/bin/crontab -u root - - /bin/cat <<EOF - - crontab is set up to run rcynic hourly, at a randomly selected - minute (to spread load on the rsync servers). Please do NOT - adjust this to run on the hour. In particular please do NOT - adjust this to run at midnight UTC. 
-EOF - ;; - -*) - /bin/cat <<EOF - - You'll need to add a crontab entry running one of the the following command as root: - - /usr/sbin/chroot --userspec $jailuser:$jailgroup $jaildir /bin/rcynic -c /etc/rcynic.conf - - /usr/bin/chrootuid $jaildir rcynic /bin/rcynic -c /etc/rcynic.conf - - We recommend the latter, as chrootuid has proven more reliable for us than the chroot - program that is included on some GNU/Linux platforms. - - Please try to pick a random time for this, don't just run it on the hour, - or at local midnight, or, worst of all, at midnight UTC. - -EOF - ;; - -esac - -/bin/cat <<EOF - - Jail set up. You may need to customize $jaildir/etc/rcynic.conf. - If you did not install your own trust anchors, a default set - of SAMPLE trust anchors may have been installed for you, but - you, the relying party, are the only one who can decide - whether you trust those anchors. rcynic will not do anything - useful without good trust anchors. - -EOF diff --git a/rcynic/installation-scripts/manifest.sh b/rcynic/installation-scripts/manifest.sh deleted file mode 100644 index 26872b1a..00000000 --- a/rcynic/installation-scripts/manifest.sh +++ /dev/null 
@@ -1,23 +0,0 @@
-#!/bin/sh -
-# $Id$
-
-echo >>${abs_top_builddir}/installation-manifest D %%RCYNICJAILDIR%%
-echo >>${abs_top_builddir}/installation-manifest D %%RCYNICJAILDIR%%/bin
-echo >>${abs_top_builddir}/installation-manifest D %%RCYNICJAILDIR%%/dev
-echo >>${abs_top_builddir}/installation-manifest D %%RCYNICJAILDIR%%/etc
-echo >>${abs_top_builddir}/installation-manifest D %%RCYNICJAILDIR%%/etc/trust-anchors
-echo >>${abs_top_builddir}/installation-manifest D %%RCYNICJAILDIR%%/var
-echo >>${abs_top_builddir}/installation-manifest D %%RCYNICJAILDIR%%/data
-
-echo >>${abs_top_builddir}/installation-manifest F %%RCYNICJAILDIR%%/bin/rcynic
-echo >>${abs_top_builddir}/installation-manifest F %%RCYNICJAILDIR%%/bin/rsync
-echo >>${abs_top_builddir}/installation-manifest F %%RCYNICJAILDIR%%/bin/rcynic-html
-
-# Not sure what to do about %%RCYNICJAILDIR%%/${libdir}/* on Linux, as we
-# don't know what goes there until we compute the transitive closure
-# of ldd dependencies. Ick. Ignore for now.
-
-case "${host_os}" in
-freebsd*) echo >>${abs_top_builddir}/installation-manifest F %%RCDIR%%/rcynic;;
-darwin*) echo >>${abs_top_builddir}/installation-manifest F /Library/StartupItems/RCynic;;
-esac
diff --git a/rcynic/rc-scripts/darwin/RCynic b/rcynic/rc-scripts/darwin/RCynic
new file mode 100755
index 00000000..d486a3c3
--- /dev/null
+++ b/rcynic/rc-scripts/darwin/RCynic
@@ -0,0 +1,42 @@
+#!/bin/sh -
+#
+# $Id$
+#
+. /etc/rc.common
+
+name="rcynic"
+start_cmd="rcynic_start"
+stop_cmd="rcynic_stop"
+
+: ${rcynic_dir="/var/rcynic"}
+
+StartService()
+{
+ /sbin/umount "${rcynic_dir}/dev" 2>/dev/null
+
+ if ! /sbin/mount_devfs devfs "${rcynic_dir}/dev"; then
+ echo "Mounting devfs on ${rcynic_dir}/dev failed..."
+ exit 1
+ fi
+
+ for i in /etc/localtime /etc/resolv.conf; do
+ j="${rcynic_dir}${i}"
+ if /bin/test -r "$i" && ! /usr/bin/cmp -s "$i" "$j"; then
+ /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j"
+ fi
+ done
+
+ /bin/ln -f /var/run/mDNSResponder "${rcynic_dir}/var/run/mDNSResponder"
+}
+
+StopService()
+{
+ /sbin/umount "${rcynic_dir}/dev" 2>/dev/null
+}
+
+RestartService()
+{
+ StartService
+}
+
+RunService "$1"
diff --git a/rcynic/installation-scripts/darwin/RCynic/StartupParameters.plist b/rcynic/rc-scripts/darwin/StartupParameters.plist
index ca46b676..ca46b676 100644
--- a/rcynic/installation-scripts/darwin/RCynic/StartupParameters.plist
+++ b/rcynic/rc-scripts/darwin/StartupParameters.plist
diff --git a/rcynic/rc-scripts/freebsd/rc.d.rcynic b/rcynic/rc-scripts/freebsd/rc.d.rcynic
new file mode 100755
index 00000000..9b7aa545
--- /dev/null
+++ b/rcynic/rc-scripts/freebsd/rc.d.rcynic
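Review bot: `start_cmd="rcynic_start"` and `stop_cmd="rcynic_stop"` name functions that this file never defines; Darwin's rc.common dispatches through the StartService/StopService/RestartService functions via `RunService "$1"`, so the two assignments look carried over from the FreeBSD rc script and should be deleted rather than left as a misleading hint that renaming the functions would be safe. `/etc/localtime` and `/etc/resolv.conf` are copied into the jail only when the service starts, so a later resolver change on the host is invisible to the jailed rcynic until the next restart; a comment such as `# refreshed only on (re)start: restart this service after editing resolv.conf` would save an operator a confusing debugging session. The `/bin/ln -f` of the mDNSResponder socket presumably works only while `${rcynic_dir}` sits on the same filesystem as /var/run, and the jail's link will point at a stale inode once mDNSResponder recreates its socket; if that is an accepted limitation it deserves a comment as well.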
@@ -0,0 +1,44 @@
+#!/bin/sh -
+#
+# $Id$
+#
+# PROVIDE: rcynic
+# REQUIRE: DAEMON
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="rcynic"
+start_cmd="rcynic_start"
+stop_cmd="rcynic_stop"
+
+: ${rcynic_dir="/var/rcynic"}
+
+rcynic_start()
+{
+ /sbin/umount "${rcynic_dir}/dev" 2>/dev/null
+
+ if ! /sbin/mount -t devfs dev "${rcynic_dir}/dev"; then
+ echo "Mounting devfs on ${rcynic_dir}/dev failed..."
+ exit 1
+ fi
+
+ /sbin/devfs -m "${rcynic_dir}/dev" rule apply hide
+ /sbin/devfs -m "${rcynic_dir}/dev" rule apply path null unhide
+ /sbin/devfs -m "${rcynic_dir}/dev" rule apply path random unhide
+
+ for i in /etc/localtime /etc/resolv.conf; do
+ j="${rcynic_dir}${i}"
+ if /bin/test -r "$i" && ! /usr/bin/cmp -s "$i" "$j"; then
+ /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j"
+ fi
+ done
+}
+
+rcynic_stop()
+{
+ /sbin/umount "${rcynic_dir}/dev" 2>/dev/null
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/rcynic/rcynic-cron.py b/rcynic/rcynic-cron.py
new file mode 100644
index 00000000..d985d7e3
--- /dev/null
+++ b/rcynic/rcynic-cron.py
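Review bot: The script sets no `rcvar`, so run_rc_command skips the checkyesno gate and mounts the jail's devfs unconditionally at boot with no rc.conf switch to turn it off; if that is intended, say so in the header (`# no rcvar on purpose: always runs, rcynic-cron needs the jail's /dev`), otherwise add `rcvar=rcynic_enable` together with `: ${rcynic_enable:="NO"}` after `load_rc_config $name`. The three devfs rule lines deliberately hide everything and re-expose only null and random, which is the right minimal device set for the jailed validator but reads as arbitrary without a comment — `# jail /dev exposes only null and random; unhide nothing else without a reason` above them would protect that decision from a well-meaning edit. Note also that `: ${rcynic_dir="/var/rcynic"}` runs before `load_rc_config`, so an rc.conf setting of rcynic_dir is applied afterwards and still wins; that works, but the usual rc.d layout places defaults after load_rc_config and a reader may assume the override is lost.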
@@ -0,0 +1,85 @@
+"""
+Cron job for rcynic and rtr-origin in stock configuration.
+
+$Id$
+
+Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+# Locking code here works like FreeBSD's lockf(1) utility given -k and
+# -t 0 options, which is both the sanest and simplest combination for
+# our purposes. In theory this is portable to any Unix-like system.
+#
+# At some point we might want to implement the chroot() and setuid()
+# functionality here rather than using this mess of platform-specific
+# external programs. I don't have time to write and debug that today,
+# but it might well be simpler and more portable.
+
+import subprocess
+import sys
+import fcntl
+import os
+import pwd
+import errno
+
+we_are_root = os.getuid() == 0
+
+beastie = sys.platform.startswith("freebsd") or sys.platform.startswith("darwin")
+
+def bin(name, chroot = False):
+ return os.path.join("/bin" if chroot and we_are_root else ac_bindir, name)
+
+def etc(name, chroot = False):
+ return os.path.join("/etc" if chroot and we_are_root else ac_sysconfdir, name)
+
+def rcy(name):
+ return os.path.join(ac_rcynic_dir, name)
+
+def run(*cmd, **kwargs):
+ chroot = kwargs.pop("chroot", False) and we_are_root
+ if we_are_root:
+ if chroot and beastie:
+ cmd = (ac_chroot, "-u", ac_rcynic_user, "-g", ac_rcynic_group, ac_rcynic_dir) + cmd
+ elif chroot and not beastie:
+ cmd = (ac_chrootuid, ac_rcynic_dir, ac_rcynic_user) + cmd
+ elif not chroot and beastie:
+ cmd = (ac_su, "-m", ac_rcynic_user, "-c", " ".join(cmd))
+ elif not chroot and not beastie:
+ cmd = (ac_sudo, "-u", ac_rcynic_user) + cmd
+ else:
+ raise RuntimeError("How the frell did I get here?")
+ try:
+ subprocess.check_call(cmd, **kwargs)
+ except subprocess.CalledProcessError, e:
+ sys.exit(str(e))
+
+try:
+ lock = os.open(os.path.join(ac_rcynic_dir, "data/lock"), os.O_RDONLY | os.O_CREAT | os.O_NONBLOCK, 0666)
+ fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
+ if we_are_root:
+ pw = pwd.getpwnam(ac_rcynic_user)
+ os.fchown(lock, pw.pw_uid, pw.pw_gid)
+except (IOError, OSError), e:
+ if e.errno == errno.EAGAIN:
+ sys.exit(0) # Another instance of this script is already running, exit silently
+ else:
+ sys.exit("Error %r opening lock %r" % (e.strerror, os.path.join(ac_rcynic_dir, "data/lock")))
+
+run(bin("rcynic", chroot = True), "-c", etc("rcynic.conf", chroot = True), chroot = True)
+
+if ac_rcynic_html_dir and os.path.exists(os.path.dirname(ac_rcynic_html_dir)):
+ run(bin("rcynic-html"), rcy("data/rcynic.xml"), ac_rcynic_html_dir)
+
+run(bin("rtr-origin"), "--cronjob", rcy("data/authenticated"), cwd = rcy("rpki-rtr"))
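Review bot: In run(), the `su -m … -c " ".join(cmd)` branch collapses the argument vector into one shell string, so a configure-substituted path containing whitespace or shell metacharacters (ac_rcynic_html_dir, ac_rcynic_dir) is re-split or interpreted by that shell, whereas the other three branches pass argv through untouched; quote each element with `" ".join(pipes.quote(a) for a in cmd)` and add `import pipes` to the imports. The lock file is opened O_RDONLY and only flock'ed, so creating it with mode `0666` grants write access nobody needs, and O_NONBLOCK has no effect on a regular file; `0644` without O_NONBLOCK says what is meant. The `ac_*` names (ac_bindir, ac_sysconfdir, ac_rcynic_dir, ac_chroot, ac_su, …) are never defined in this file and presumably get substituted or prepended at build time; a header comment naming that mechanism would help, because running the file as-is ends in NameError. The lock descriptor is intentionally never closed, which is what keeps the flock held across the child processes until this script exits — if that is the intent, a one-line comment on the `lock = os.open(…)` line should say so.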
diff --git a/rcynic/rcynic-html.py b/rcynic/rcynic-html.py
index d86c84f3..46e2e634 100644
--- a/rcynic/rcynic-html.py
+++ b/rcynic/rcynic-html.py
@@ -323,6 +323,9 @@ class Host(Problem_Mixin):
 except OSError, e:
 usage("Problem running %s, perhaps you need to set --rrdtool-binary? (%s)" % (
 opt["rrdtool-binary"], e))
+ except subprocess.CalledProcessError, e:
+ sys.exit("Failure running %s: %s" % (
+ opt["rrdtool-binary"], e))
 def rrd_update(self):
 filename = os.path.join(opt["output_directory"], self.hostname) + ".rrd"
diff --git a/rcynic/rules.darwin.mk b/rcynic/rules.darwin.mk
new file mode 100644
index 00000000..998b5f54
--- /dev/null
+++ b/rcynic/rules.darwin.mk
@@ -0,0 +1,73 @@
+# $Id$
+
+install-user-and-group: .FORCE
+ @if /usr/bin/dscl . -read "/Groups/${RCYNIC_GROUP}" >/dev/null 2>&1; \
+ then \
+ echo "You already have a group \"${RCYNIC_GROUP}\", so I will use it."; \
+ elif gid="$$(/usr/bin/dscl . -list /Groups PrimaryGroupID | /usr/bin/awk 'BEGIN {gid = 501} $$2 >= gid {gid = 1 + $$2} END {print gid}')" && \
+ /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" && \
+ /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" RealName "${RCYNIC_GECOS}" && \
+ /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" PrimaryGroupID "$$gid" && \
+ /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" GeneratedUID "$$(/usr/bin/uuidgen)" && \
+ /usr/bin/dscl . -create "/Groups/${RCYNIC_GROUP}" Password "*"; \
+ then \
+ echo "Added group \"${RCYNIC_GROUP}\"."; \
+ else \
+ echo "Adding group \"${RCYNIC_GROUP}\" failed..."; \
+ echo "Please create it, then try again."; \
+ exit 1; \
+ fi; \
+ if /usr/bin/dscl . -read "/Users/${RCYNIC_USER}" >/dev/null 2>&1; \
+ then \
+ echo "You already have a user \"${RCYNIC_USER}\", so I will use it."; \
+ elif uid="$$(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk 'BEGIN {uid = 501} $$2 >= uid {uid = 1 + $$2} END {print uid}')" && \
+ /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" && \
+ /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" UserShell "/usr/bin/false" && \
+ /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" RealName "${RCYNIC_GECOS}" && \
+ /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" UniqueID "$$uid" && \
+ /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" PrimaryGroupID "$$gid" && \
+ /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" NFSHomeDirectory "/var/empty" && \
+ /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" GeneratedUID "$$(/usr/bin/uuidgen)" && \
+ /usr/bin/dscl . -create "/Users/${RCYNIC_USER}" Password "*"; \
+ then \
+ echo "Added user \"${RCYNIC_USER}\"."; \
+ else \
+ echo "Adding user \"${RCYNIC_USER}\" failed..."; \
+ echo "Please create it, then try again."; \
+ exit 1; \
+ fi
+
+
+install-shared-libraries: .FORCE
+ @echo "Copying required shared libraries"
+ @shared_libraries="${RCYNIC_DIR}/bin/rcynic ${RCYNIC_DIR}/bin/rsync"; \
+ while true; \
+ do \
+ closure="$$(/usr/bin/otool -L $${shared_libraries} | /usr/bin/awk '/:$$/ {next} {print $$1}' | /usr/bin/sort -u)"; \
+ if test "x$$shared_libraries" = "x$$closure";
+ then \
+ break; \
+ else \
+ shared_libraries="$$closure"; \
+ fi; \
+ done; \
+ for shared in /usr/lib/dyld $$shared_libraries; \
+ do \
+ if /bin/test -r "${RCYNIC_DIR}/$${shared}"; \
+ then \
+ echo "You already have a \"${RCYNIC_DIR}/$${shared}\", so I will use it"; \
+ elif /usr/bin/install -m 555 -o root -g wheel -p "$${shared}" "${RCYNIC_DIR}/$${shared}"; \
+ then \
+ echo "Copied $${shared} into ${RCYNIC_DIR}"; \
+ else \
+ echo "Unable to copy $${shared} into ${RCYNIC_DIR}"; \
+ exit 1; \
+ fi; \
+ done
+
+install-rc-scripts:
+ ${INSTALL} -o root -g wheel -d ${DESTDIR}/Library/StartupItems/RCynic
+ ${INSTALL} -o root -g wheel -m 555 \
+ rc-scripts/darwin/RCynic \
+ rc-scripts/darwin/StartupParameters.plist \
+ ${DESTDIR}/Library/Startup/RCynic
diff --git a/rcynic/rules.freebsd.mk b/rcynic/rules.freebsd.mk
new file mode 100644
index 00000000..f5391ce8
--- /dev/null
+++ b/rcynic/rules.freebsd.mk
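Review bot: In install-shared-libraries the line `if test "x$$shared_libraries" = "x$$closure";` has no trailing backslash, so the recipe's shell command ends there inside an unterminated `while`/`if` and make starts a fresh shell at `then \`; restore it as `if test "x$$shared_libraries" = "x$$closure"; \`. In install-rc-scripts the directory is created as `${DESTDIR}/Library/StartupItems/RCynic` but the two files are installed into `${DESTDIR}/Library/Startup/RCynic`, a path nothing creates; the deleted manifest.sh used StartupItems, so the last line should read `${DESTDIR}/Library/StartupItems/RCynic`. In install-user-and-group, `gid` is assigned only on the group-creation branch, so when the group already exists the user is created with an empty PrimaryGroupID; read the existing group's PrimaryGroupID back from dscl in the "already have a group" branch before the user block runs. install-rc-scripts is also the only target here without the `.FORCE` prerequisite, so a stray file of that name in the build tree would silently skip the install.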
@@ -0,0 +1,34 @@
+# $Id$
+
+install-user-and-group: .FORCE
+ @if /usr/sbin/pw groupshow "${RCYNIC_GROUP}" 2>/dev/null; \
+ then \
+ echo "You already have a group \"${RCYNIC_GROUP}\", so I will use it."; \
+ elif /usr/sbin/pw groupadd ${RCYNIC_GROUP}; \
+ then \
+ echo "Added group \"${RCYNIC_GROUP}\"."; \
+ else \
+ echo "Adding group \"${RCYNIC_GROUP}\" failed..."; \
+ echo "Please create it, then try again."; \
+ exit 1; \
+ fi
+ @if /usr/sbin/pw usershow "${RCYNIC_USER}" 2>/dev/null; \
+ then \
+ echo "You already have a user \"${RCYNIC_USER}\", so I will use it."; \
+ elif /usr/sbin/pw useradd ${RCYNIC_USER} -g ${RCYNIC_GROUP} -h - -d /nonexistant -s /usr/sbin/nologin -c "${RCYNIC_GECOS}"; \
+ then \
+ echo "Added user \"${RCYNIC_USER}\"."; \
+ else \
+ echo "Adding user \"${RCYNIC_USER}\" failed..."; \
+ echo "Please create it, then try again."; \
+ exit 1; \
+ fi
+
+
+# We use static compilation on FreeBSD, so no need for shared libraries
+
+install-shared-libraries:
+ @true
+
+install-rc-scripts:
+ ${INSTALL} -m 555 -o root -g wheel -p rc-scripts/freebsd/rc.d.rcynic ${DESTDIR}/usr/local/etc/rc.d/rcynic
diff --git a/rcynic/rules.linux.mk b/rcynic/rules.linux.mk
new file mode 100644
index 00000000..abb9db64
--- /dev/null
+++ b/rcynic/rules.linux.mk
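Review bot: `pw useradd … -d /nonexistant` misspells FreeBSD's conventional placeholder home `/nonexistent` (the path the base system's own daemon accounts use); the directory is never created so nothing breaks, but every reader will take it for a typo, so change it to `-d /nonexistent`. `pw groupshow` and `pw usershow` send only stderr to /dev/null, so on the "already have" path the raw group or passwd entry is printed to stdout before the friendly message; redirect with `>/dev/null 2>&1` as rules.darwin.mk does. install-shared-libraries and install-rc-scripts lack the `.FORCE` prerequisite that install-user-and-group carries, so a stray file by either name would satisfy the target without running it. The rc script goes to the hard-coded `${DESTDIR}/usr/local/etc/rc.d/rcynic` rather than a path derived from the configure-time prefix variables; if that is deliberate, a comment saying so would stop the next person "fixing" it.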
@@ -0,0 +1,68 @@
+# $Id$
+
+install-user-and-group: .FORCE
+ @if ${AWK} -F: 'BEGIN {status = 1} $$1 == ${RCYNIC_GROUP} {status = 0} END {exit status}' /etc/group; \
+ then \
+ echo "You already have a group \"${RCYNIC_GROUP}\", so I will use it."; \
+ elif /usr/sbin/groupadd ${RCYNIC_GROUP}; \
+ then \
+ echo "Added group \"${RCYNIC_GROUP}\"."; \
+ else \
+ echo "Adding group \"${RCYNIC_GROUP}\" failed..."; \
+ echo "Please create it, then try again."; \
+ exit 1; \
+ fi
+ @nogroup='-N'; \
+ if test -f /etc/redhat-release; then; read vendor release version < /etc/redhat-release; if test $$vendor = CentOS; then; nogroup='-n'; fi; fi; \
+ if ${AWK} -F: 'BEGIN {status = 1} $$1 == ${RCYNIC_USER} {status = 0} END {exit status}' /etc/passwd; \
+ then \
+ echo "You already have a user \"${RCYNIC_USER}\", so I will use it." \
+ elif /usr/sbin/useradd -g ${RCYNIC_GROUP} -M $$nogroup -d "${RCYNIC_DIR}" -s /sbin/nologin -c "${RCYNIC_GECOS}" ${RCYNIC_USER}; \
+ then \
+ echo "Added user \"${RCYNIC_USER}\"."; \
+ else \
+ echo "Adding user \"${RCYNIC_USER}\" failed..."; \
+ echo "Please create it, then try again."; \
+ exit 1; \
+ fi
+
+
+install-shared-libraries: .FORCE
+ @echo "Copying required shared libraries"
+ @if test -d /lib64; then libdir=/lib64; else libdir=/lib; fi; \
+ shared_libraries="${RCYNIC_DIR}/bin/rcynic ${RCYNIC_DIR}/bin/rsync $$(/usr/bin/find $${libdir} -name 'libnss*.so*' -print)"; \
+ while true; \
+ do \
+ closure="$$(/usr/bin/ldd $${shared_libraries} | \
+ ${AWK} ' \
+ { sub(/:$/, "") } \
+ $$0 == "${RCYNIC_DIR}/bin/rcynic" { next } \
+ $$0 == "${RCYNIC_DIR}/bin/rsync" { next } \
+ $$1 ~ /\/ld-linux\.so/ { next } \
+ { for (i = 1; i <= NF; i++) if ($$i ~ /^\//) print $$i } \
+ ' | \
+ ${SORT} -u)"; \
+ if test "X$$shared_libraries" = "X$$closure"; \
+ then \
+ break; \
+ else \
+ shared_libraries="$$closure"; \
+ fi; \
+ done; \
+ if test -f $${libdir}/libresolv.so.2; \
+ then \
+ shared_libraries="$${shared_libraries} $${libdir}/libresolv.so.2";
+ fi; \
+ for shared in $${libdir}/*ld*.so* $$shared_libraries; \
+ do \
+ if test ! -r "${RCYNIC_DIR}/$${shared}"; \
+ then \
+ ${INSTALL} -m 555 -d `dirname "${RCYNIC_DIR}$${shared}"` && \
+ ${INSTALL} -m 555 -p "$${shared}" "${RCYNIC_DIR}$${shared}"; \
+ fi; \
+ done
+
+# No devfs, so no rc script
+
+install-rc-scripts:
+ @true
diff --git a/rcynic/rules.unknown.mk b/rcynic/rules.unknown.mk
new file mode 100644
index 00000000..6ce3ea18
--- /dev/null
+++ b/rcynic/rules.unknown.mk
@@ -0,0 +1,4 @@
+# $Id$
+
+install-user-and-group install-shared-libraries install-rc-scripts: .FORCE
+ @echo "Don't know how to make $@ on this platform"; exit 1
diff --git a/rcynic/installation-scripts/sample-rcynic.conf b/rcynic/sample-rcynic.conf
index 23a39373..23a39373 100644
--- a/rcynic/installation-scripts/sample-rcynic.conf
+++ b/rcynic/sample-rcynic.conf
diff --git a/rcynic/static-rsync/Makefile.in b/rcynic/static-rsync/Makefile.in
index 9c8556e0..8a433c7b 100644
--- a/rcynic/static-rsync/Makefile.in
+++ b/rcynic/static-rsync/Makefile.in
@@ -13,6 +13,9 @@ BIN_LOG = > ../build.log 2>&1
 BIN = rsync
+abs_top_srcdir = @abs_top_srcdir@
+abs_top_builddir = @abs_top_builddir@
+
 all: ${BIN}
 ${BIN}: ${DIRNAME}/${BIN} |
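Review bot: The awk tests in install-user-and-group compare `$$1 == ${RCYNIC_GROUP}` and `$$1 == ${RCYNIC_USER}` against an unquoted name, which awk reads as an (empty) variable rather than the string "rcynic", so an existing group or user is never detected and a second `make install` dies at groupadd; the names must be quoted inside the awk program. Three shell-level slips break the same recipes as written: `then;` (twice on the redhat-release line) is a syntax error, the `echo "You already have a user …"` line lacks the `;` before its backslash so the following `elif …` is swallowed as echo arguments, and the `libresolv.so.2` assignment has no trailing backslash so that recipe's shell ends mid-`if`. `sub(/:$/, "")` is also expanded by make first — `$/` is an empty make variable — and reaches awk as `sub(/:/, "")`, whereas rules.darwin.mk correctly writes `$$` there. The rewritten lines follow; everything else in both recipes is unchanged.
```make
install-user-and-group: .FORCE
	@if ${AWK} -F: 'BEGIN {status = 1} $$1 == "${RCYNIC_GROUP}" {status = 0} END {exit status}' /etc/group; \
# … unchanged: group creation branches …
	@nogroup='-N'; \
	if test -f /etc/redhat-release; then read vendor release version < /etc/redhat-release; if test "$$vendor" = CentOS; then nogroup='-n'; fi; fi; \
	if ${AWK} -F: 'BEGIN {status = 1} $$1 == "${RCYNIC_USER}" {status = 0} END {exit status}' /etc/passwd; \
	then \
	  echo "You already have a user \"${RCYNIC_USER}\", so I will use it."; \
# … unchanged: useradd branches …

install-shared-libraries: .FORCE
# … unchanged: ldd closure loop down to the awk program …
	    { sub(/:$$/, "") } \
# … unchanged: remaining awk rules and the closure test …
	  shared_libraries="$${shared_libraries} $${libdir}/libresolv.so.2"; \
# … unchanged: copy loop …
```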