From f46ecca487dac7b9300e8ded73299d81a7c524a4ebd73ea04ddd8fb50b9de780 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Wed, 29 Jun 2011 12:26:44 +0000 Subject: [PATCH] Accepting request 67020 from server:http OBS-URL: https://build.opensuse.org/request/show/67020 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/varnish?expand=0&rev=3 --- upstream-config.tar.bz2 | 3 - varnish.changes | 15 +++++ varnish.init | 105 +++++++------------------------ varnish.logrotate | 9 +++ varnish.spec | 136 ++++++++++++++++++---------------- varnish.sysconfig | 14 ++++- vcl.conf | 30 +++++++++ 7 files changed, 149 insertions(+), 163 deletions(-) delete mode 100644 upstream-config.tar.bz2 create mode 100644 varnish.logrotate create mode 100644 vcl.conf
diff --git a/upstream-config.tar.bz2 b/upstream-config.tar.bz2
deleted file mode 100644
index 69ad588..0000000
--- a/upstream-config.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:56d9ed708430038d6a0192443fdba23a9005ea38f40598d498175ca8954cc498
-size 3955
diff --git a/varnish.changes b/varnish.changes
index a22f8b0..11ce118 100644
--- a/varnish.changes
+++ b/varnish.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Sun Apr 3 23:38:24 UTC 2011 - jengelh@medozas.de
+
+- Fix security-problematic ownership of /etc/varnish files
+- Run spec-beautifier over it
+- Replace default shipped vcl.conf by something working
+- Run as varnish user
+- Start varnishlog together with varnishd
+- Properly use PID files in init script
+
+-------------------------------------------------------------------
+Sat Oct 9 04:31:06 UTC 2010 - jengelh@medozas.de
+
+- Create and package /var/log/varnish
+
 -------------------------------------------------------------------
 Thu Aug 5 22:11:24 UTC 2010 - jengelh@medozas.de
diff --git a/varnish.init b/varnish.init
index 7e94015..7dca46c 100644
--- a/varnish.init
+++ b/varnish.init
@@ -1,16 +1,5 @@
 #!/bin/sh
 #
-# /etc/init.d/varnish
-# and its symbolic link
-# /(usr/)sbin/rcvarnish
-#
-# Note: This template uses functions rc_XXX defined in /etc/rc.status on
-# UnitedLinux/SUSE/Novell based Linux distributions. If you want to base your
-# script on this template and ensure that it works on non UL based LSB
-# compliant Linux distributions, you either have to provide the rc.status
-# functions from UL or change the script to work without them.
-# See skeleton.compat for a template that works with other distros as well.
-#
 ### BEGIN INIT INFO
 # Provides: varnish
 # Required-Start: $syslog $remote_fs
@@ -22,73 +11,6 @@
 # Short-Description: varnish HTTP accelerator
 # Description: varnish HTTP accelerator
 ### END INIT INFO
-#
-# Any extensions to the keywords given above should be preceeded by
-# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
-#
-# Notes on Required-Start/Should-Start:
-# * There are two different issues that are solved by Required-Start
-# and Should-Start
-# (a) Hard dependencies: This is used by the runlevel editor to determine
-# which services absolutely need to be started to make the start of
-# this service make sense. Example: nfsserver should have
-# Required-Start: $portmap
-# Also, required services are started before the dependent ones.
-# The runlevel editor will warn about such missing hard dependencies
-# and suggest enabling. During system startup, you may expect an error,
-# if the dependency is not fulfilled.
-# (b) Specifying the init script ordering, not real (hard) dependencies.
-# This is needed by insserv to determine which service should be
-# started first (and at a later stage what services can be started
-# in parallel). The tag Should-Start: is used for this.
-# It tells, that if a service is available, it should be started
-# before. If not, never mind.
-# * When specifying hard dependencies or ordering requirements, you can
-# use names of services (contents of their Provides: section)
-# or pseudo names starting with a $. The following ones are available
-# according to LSB (1.1):
-# $local_fs all local file systems are mounted
-# (most services should need this!)
-# $remote_fs all remote file systems are mounted
-# (note that /usr may be remote, so
-# many services should Require this!)
-# $syslog system logging facility up
-# $network low level networking (eth card, ...)
-# $named hostname resolution available
-# $netdaemons all network daemons are running
-# The $netdaemons pseudo service has been removed in LSB 1.2.
-# For now, we still offer it for backward compatibility.
-# These are new (LSB 1.2):
-# $time the system time has been set correctly
-# $portmap SunRPC portmapping service available
-# UnitedLinux extensions:
-# $ALL indicates that a script should be inserted
-# at the end
-# * The services specified in the stop tags
-# (Required-Stop/Should-Stop)
-# specify which services need to be still running when this service
-# is shut down. Often the entries there are just copies or a subset
-# from the respective start tag.
-# * Should-Start/Stop are now part of LSB as of 2.0,
-# formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
-# insserv does support both variants.
-# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
-# (%fillup_and_insserv macro in %post of many RPMs) to specify whether
-# a startup script should default to be enabled after installation.
-# It's not used by insserv.
-#
-# Note on runlevels:
-# 0 - halt/poweroff 6 - reboot
-# 1 - single user 2 - multiuser without network exported
-# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
-#
-# Note on script names:
-# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
-# A registry has been set up to manage the init script namespace.
-# http://www.lanana.org/
-# Please use the names already registered or register one or use a
-# vendor prefix.
-
 # Check for missing binaries (stale symlinks should not happen)
 # Note: Special treatment of stop for LSB conformance
@@ -103,6 +25,11 @@ test -r $VARNISH_CONFIG || { echo "$VARNISH_CONFIG not existing"; if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; }
+VARNISHD_BIN="$VARNISH_BIN"
+VARNISHD_PID=/var/run/varnishd.pid
+VARNISHLOG_BIN=/usr/sbin/varnishncsa
+VARNISHLOG_PID=/var/run/varnishlog.pid
+
 # Read config
 . $VARNISH_CONFIG
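Review bot: The new `VARNISHLOG_BIN=/usr/sbin/varnishncsa` is not covered by the "Check for missing binaries" test that precedes it (that test sits outside the hunk and, going by its comment, appears to cover only `$VARNISH_BIN`), so a missing varnishncsa is only noticed when `start` fails halfway, after varnishd is already running. Mirror the existing check for the new binary right after the four definitions, e.g. `test -x "$VARNISHLOG_BIN" || { echo "$VARNISHLOG_BIN not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; }`. A one-line comment such as `# varnishncsa writes the NCSA-format access log; plain varnishlog is not started` would also explain why a variable named VARNISHLOG points at varnishncsa and pairs with VARNISHLOG_PARAMS from the sysconfig file sourced below.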
@@ -152,20 +79,25 @@ case "$1" in
 echo -n "Starting varnish "
 ## Start daemon with startproc(8). If this fails
 ## the return value is set appropriately by startproc.
- /sbin/startproc $VARNISH_BIN ${VARNISHD_PARAMS:--f /etc/varnish/vcl.conf -T127.0.0.1:6082 -s file,/var/cache/varnish}
+ /sbin/startproc "$VARNISHD_BIN" -P "$VARNISHD_PID" ${VARNISHD_PARAMS:--f /etc/varnish/vcl.conf -T:6082 -s file,/var/cache/varnish,524288 -u varnish}
 # Remember status and be verbose
 rc_status -v
+ echo -n "Starting varnishlog "
+ /sbin/startproc "$VARNISHLOG_BIN" -P "$VARNISHLOG_PID" ${VARNISHLOG_PARAMS:--a -w /var/log/varnish/varnish.log}
+ rc_status -v
 ;;
 stop)
 echo -n "Shutting down varnish "
 ## Stop daemon with killproc(8) and if this fails
 ## killproc sets the return value according to LSB.
- /sbin/killproc -TERM $VARNISH_BIN
+ /sbin/killproc -p "$VARNISHD_PID" "$VARNISHD_BIN"
 # Remember status and be verbose
 rc_status -v
+ echo -n "Shutting down varnishlog "
+ /sbin/killproc -p "$VARNISHLOG_PID" "$VARNISHLOG_BIN"
 ;;
 try-restart|condrestart)
 ## Do a restart only if the service was active before.
@@ -214,9 +146,11 @@ case "$1" in
 # If it supports signaling:
 echo -n "Reload service varnish "
- /sbin/killproc -HUP $VARNISH_BIN
+ /sbin/killproc -p "$VARNISHD_PID" -HUP "$VARNISHD_BIN"
 #touch /var/run/varnish.pid
 rc_status -v
+ echo -n "Reload service varnishlog "
+ /sbin/killproc -p "$VARNISHLOG_PID" -HUP "$VARNISHLOG_BIN"
 ## Otherwise if it does not support reload:
 #rc_failed 3
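Review bot: The new startproc fallback binds the management interface to every address (`-T:6082`, where the removed line had `-T127.0.0.1:6082`), and varnish.sysconfig in this same patch ships the identical value as the real default; the management CLI accepts administrative commands (loading VCL, changing parameters, stopping the cache), so unless a `-S` secret is also configured this turns a loopback-only control port into one reachable from the network. Keep `-T127.0.0.1:6082` in both the fallback here and in varnish.sysconfig; varnishadm on the same host only needs loopback. Separately, the varnishlog branch of `stop`, and likewise of `reload` in the next hunk, has no `rc_status -v` after its killproc, so its done/failed column is never printed and a failure is not folded into the script's exit status; add `rc_status -v` after each as the `start` and `status` branches already do.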
@@ -236,17 +170,22 @@ case "$1" in
 # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
 # NOTE: checkproc returns LSB compliant status values.
- /sbin/checkproc $VARNISH_BIN
+ /sbin/checkproc -p "$VARNISHD_PID" "$VARNISHD_BIN"
 # NOTE: rc_status knows that we called this init script with
 # "status" option and adapts its messages accordingly.
 rc_status -v
+ echo -n "Checking for service varnishlog "
+ /sbin/checkproc -p "$VARNISHLOG_PID" "$VARNISHLOG_BIN"
+ rc_status -v
 ;;
 probe)
 ## Optional: Probe for the necessity of a reload, print out the
 ## argument to this init script which is required for a reload.
 ## Note: probe is not (yet) part of LSB (as of 1.9)
- test /etc/sysconfig/varnish -nt /var/run/varnish.pid && test -f /etc/varnish/default.vcl.net -nt /var/run/varnish.pid && echo reload
+ test /etc/sysconfig/varnish -nt "$VARNISHD_PID" && \
+ test -f /etc/varnish/default.vcl.net -nt "$VARNISHD_PID" && \
+ echo reload
 ;;
 *)
 echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
diff --git a/varnish.logrotate b/varnish.logrotate
new file mode 100644
index 0000000..1164a24
--- /dev/null
+++ b/varnish.logrotate
@@ -0,0 +1,9 @@
+/var/log/varnish/*.log {
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ postrotate
+ /etc/init.d/varnish reload
+ endscript
+}
diff --git a/varnish.spec b/varnish.spec
index e12b99b..4e4bc2f 100644
--- a/varnish.spec
+++ b/varnish.spec
@@ -1,7 +1,7 @@
 #
-# spec file for package varnish (Version 2.1.3)
+# spec file for package varnish (Version 2.0.5)
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
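Review bot: The rewritten `probe` test still compares `/etc/varnish/default.vcl.net`, a file nothing in this package installs (the init script fallback and varnish.sysconfig both point varnishd at `/etc/varnish/vcl.conf`), so `probe` can never report that a reload is needed; it also mixes the unary `-f` with the binary `-nt` inside one `test` expression, which POSIX `test` does not define and bash rejects with "too many arguments", making the whole `&&` chain false. Comparing the file actually in use fixes both: `test /etc/sysconfig/varnish -nt "$VARNISHD_PID" && test /etc/varnish/vcl.conf -nt "$VARNISHD_PID" && echo reload`. The enclosing `case` statement starts before this hunk.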
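Review bot: `postrotate` calls `/etc/init.d/varnish reload`, and the `reload` target added to varnish.init in this patch also sends HUP to varnishd, so every log rotation signals the cache daemon although only the log writer has to reopen its file. Targeting the logger alone keeps rotation free of side effects on the cache: `/sbin/killproc -p /var/run/varnishlog.pid -HUP /usr/sbin/varnishncsa 2>/dev/null || :`. The file also has no `create` line, so after rotation the log only reappears once varnishncsa has reopened it; if that is intended, a comment `# no create: varnishncsa recreates the file on HUP` would tell the next reader it is deliberate.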
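Review bot: The header comment is moved backwards to `Version 2.0.5` and `Copyright (c) 2009` while the `Version:` tag in the next hunk stays at 2.1.3 and the changelog entries are from 2010 and 2011, which looks like an older copy of the spec being re-submitted rather than an intentional edit; the next hunk's `Release: 1` → `Release: 0` has the same flavour, although 0 may be what OBS expects. Restore the two lines so the header agrees with the package metadata: `# spec file for package varnish (Version 2.1.3)` and `# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.`.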
@@ -20,32 +20,30 @@ Name: varnish
 Version: 2.1.3
-Release: 1
+Release: 0
 #
 License: BSD
 Group: Productivity/Networking/Web/Proxy
 #
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
-BuildRequires: libxslt ncurses-devel pcre-devel pkg-config
-Prereq(post): /usr/sbin/useradd /usr/sbin/groupadd
+BuildRoot: %_tmppath/%name-%version-build
+BuildRequires: libxslt, ncurses-devel, pcre-devel, pkg-config
+Prereq(post): %_sbindir/useradd %_sbindir/groupadd
 %if 0%{?suse_version}
 Recommends: logrotate
 %endif
-%define _bindir %{_sbindir}
-%define pkg_home %{_var}/lib/%{name}
-%define pkg_logdir %{_var}/log/%{name}
-%define pkg_cachedir %{_var}/cache/%{name}
-%define pkg_name %{name}
+%define pkg_home %_localstatedir/lib/%name
+%define pkg_logdir %_localstatedir/log/%name
+%define pkg_cachedir %_localstatedir/cache/%name
 #
-Url: http://www.varnish-cache.org/
-Source0: http://downloads.sourceforge.net/varnish/varnish-%{version}.tar.gz
-# http://downloads.sourceforge.net/varnish/varnish-%{version}.tar.bz2
-Source1: upstream-config.tar.bz2
+URL: http://www.varnish-cache.org/
+Source0: http://downloads.sourceforge.net/varnish/varnish-%version.tar.gz
+# http://downloads.sourceforge.net/varnish/varnish-%version.tar.bz2
 Source2: varnish.init
 Source3: varnish.sysconfig
+Source4: vcl.conf
+Source5: varnish.logrotate
 #
 Summary: Varnish is a high-performance HTTP accelerator
-
 %description
 Varnish is an HTTP accelerator. An HTTP accelerator (often called Reverse
 Proxy) is an application that stores (caches) documents that have been
@@ -62,14 +60,11 @@ Authors:
 Poul-Henning Kamp
 %define library_name libvarnish1
-
-%package -n %{library_name}
-
+%package -n %library_name
 Group: Productivity/Networking/Web/Proxy
 #
 Summary: Shared libraries for Varnish
-
-%description -n %{library_name}
+%description -n %library_name
 Varnish is an HTTP accelerator. An HTTP accelerator (often called Reverse
 Proxy) is an application that stores (caches) documents that have been
 requested over the HTTP protocol.
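Review bot: `Prereq(post): %_sbindir/useradd %_sbindir/groupadd` declares the account tools for the %post stage, but the scriptlet that calls them is `%pre` (rewritten later in this patch), which now also relies on `%_bindir/getent`; on a fresh install rpm is therefore free to order this package before the one providing useradd, and `%pre` would silently fall through its `|| :` branches, leaving the `-u varnish` in the init script with no such user. Declare the dependency for the stage that uses it: `Requires(pre): %_sbindir/useradd %_sbindir/groupadd %_bindir/getent`. The `-T:6082` question for the shipped defaults is raised on the init-script hunk and applies to the sysconfig default too.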
@@ -89,12 +84,10 @@ Authors:
 %package devel
-License: BSD
 Group: Development/Libraries/C and C++
-Requires: %{name} = %{version}
+Requires: %name = %version
 #
 Summary: Development files for Varnish
-
 %description devel
 Varnish is an HTTP accelerator. An HTTP accelerator (often called Reverse
 Proxy) is an application that stores (caches) documents that have been
@@ -115,91 +108,81 @@ Authors:
 %prep
-%setup -qa1
-#sed -e ' s/8080/80/g ' etc/vcl.conf > redhat/vcl.conf
+%setup -q
 %build
 %if 0%{?suse_version} > 1000
-export CFLAGS="%{optflags} -fstack-protector"
+export CFLAGS="%optflags -fstack-protector"
 %endif
-%configure --disable-static --localstatedir=%{_var}/cache/ \
+%configure --disable-static --localstatedir=%_localstatedir/cache/ \
 --enable-debugging-symbols \
 --enable-developer-warnings
-%{__make}
+make %{?_smp_mflags}
 %install
 %makeinstall
-find %{buildroot} -ls
+find %buildroot -ls
+# There is no use for them to normal users
+mv %buildroot/%_bindir/* %buildroot/%_sbindir/
 #
 # remove unneeded files
 # libvarnish.la has -lrt as dependency lib
-#%{__rm} -fv %{buildroot}%{_libdir}/*.la
+#rm -fv %buildroot%_libdir/*.la
 #
 ##missing directories
-%{__install} -d -m 0755 %{buildroot}{%{pkg_logdir},%{pkg_home}}
-%{__install} -D -m 0644 redhat/varnish.logrotate %{buildroot}/etc/logrotate.d/varnish
-%if 0%{?suse_version}
+install -d -m 0755 %buildroot{%pkg_logdir,%pkg_home}
+install -D -m 0644 %{S:5} %buildroot%_sysconfdir/logrotate.d/varnish
 #
 ##init scripts
-%{__install} -D -m 0644 %{S:3} %{buildroot}/var/adm/fillup-templates/sysconfig.%{name}
-%{__install} -D -m 0755 %{S:2} %{buildroot}%{_sysconfdir}/init.d/%{name}
-%{__ln_s} -f %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name}
+install -D -m 0644 %{S:3} %buildroot/var/adm/fillup-templates/sysconfig.%name
+install -D -m 0755 %{S:2} %buildroot%_sysconfdir/init.d/%name
+ln -s -f %_sysconfdir/init.d/%name %buildroot%_sbindir/rc%name
 #
 ##config files
-%{__install} -D -m 0644 etc/vcl.conf %{buildroot}%{_sysconfdir}/%{name}/vcl.conf
-%{__install} -D -m 0644 etc/vcl.conf %{buildroot}%{_sysconfdir}/%{name}/vcl.conf.example
-%else #
-##init scripts
-%{__install} -D -m 0644 redhat/varnish.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/%{name}
-%{__install} -D -m 0755 redhat/varnish.initrc %{buildroot}%{_sysconfdir}/init.d/%{name}
-#
-##config files
-%{__install} -D -m 
0644 redhat/vcl.conf %{buildroot}%{_sysconfdir}/%{name}/vcl.conf
-%{__install} -D -m 0644 redhat/vcl.conf %{buildroot}%{_sysconfdir}/%{name}/vcl.conf.example
-%endif
+install -D -m 0644 %{S:4} %buildroot%_sysconfdir/%name/vcl.conf
+install -D -m 0644 %{S:4} %buildroot%_sysconfdir/%name/vcl.conf.example
 find "%buildroot" -type f -name "*.la" -delete
-
-%clean
-%{__rm} -rf %{buildroot}
+mkdir -p "%buildroot/%_localstatedir/log/varnish"
 %pre
-/usr/sbin/groupadd -r %{pkg_name} 2>/dev/null || :
-/usr/sbin/useradd -g %{pkg_name} -s /bin/false -r -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name} 2>/dev/null || :
+%_bindir/getent group varnish >/dev/null || \
+ %_sbindir/groupadd -r varnish || :
+%_bindir/getent passwd varnish >/dev/null || \
+ %_sbindir/useradd -g varnish -s /bin/false -r -c "user for Varnish" \
+ -d %pkg_home varnish || :
 %if 0%{?suse_version}
 %post
-%fillup_and_insserv %{pkg_name}
+%fillup_and_insserv %name
 %preun
-%stop_on_removal %{pkg_name}
+%stop_on_removal %name
 %postun
-%restart_on_update %{pkg_name}
-%{insserv_cleanup}
+%restart_on_update %name
+%insserv_cleanup
 %else
 # how to do the same for RH/mandriva?
 %endif
-%post -n %{library_name} -p /sbin/ldconfig
-
-%postun -n %{library_name} -p /sbin/ldconfig
+%post -n %library_name -p /sbin/ldconfig
+%postun -n %library_name -p /sbin/ldconfig
 %files
 %defattr(-,root,root,-)
 %if 0%{?suse_version}
-%{_sbindir}/rc%{name}
-/var/adm/fillup-templates/sysconfig.%{name}
+%_sbindir/rc%name
+/var/adm/fillup-templates/sysconfig.%name
 %else
-%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%config(noreplace) %_sysconfdir/sysconfig/%name
 %endif
-%config(noreplace) %{_sysconfdir}/init.d/%{name}
+%config(noreplace) %_sysconfdir/init.d/%name
 #
-%dir %attr(750,%{pkg_name},%{pkg_name}) %{_sysconfdir}/%{name}/
-%config(noreplace) %attr(640,%{pkg_name},%{pkg_name}) %{_sysconfdir}/%{name}/vcl.conf
-%config %attr(640,%{pkg_name},%{pkg_name}) %{_sysconfdir}/%{name}/vcl.conf.example
-%config(noreplace) %attr(640,%{pkg_name},%{pkg_name}) %{_sysconfdir}/%{name}/default.vcl
+%dir %attr(750,root,varnish) %_sysconfdir/%name/
+%config(noreplace) %attr(640,root,varnish) %_sysconfdir/%name/vcl.conf
+%config %attr(640,root,varnish) %_sysconfdir/%name/vcl.conf.example
+%config(noreplace) %attr(640,root,varnish) %_sysconfdir/%name/default.vcl
 #
 %_sbindir/*
 %doc %_mandir/*/*
@@ -207,18 +190,19 @@ find "%buildroot" -type f -name "*.la" -delete
 %if ! 0%{?suse_version}
 %doc redhat/README.redhat
 %endif
-%dir %attr(750,%{pkg_name},%{pkg_name}) %{pkg_home}
-%dir %attr(750,%{pkg_name},%{pkg_name}) %{pkg_cachedir}
-%config(noreplace) /etc/logrotate.d/varnish
+%dir %attr(750,varnish,varnish) %pkg_home
+%dir %attr(750,varnish,varnish) %pkg_cachedir
+%config(noreplace) %_sysconfdir/logrotate.d/varnish
+%dir %attr(750,varnish,varnish) %_localstatedir/log/varnish
-%files -n %{library_name}
+%files -n %library_name
 %defattr(-,root,root,-)
 %_libdir/*.so.*
 %files devel
 %defattr(-,root,root,-)
-%{_includedir}/varnish/
-%{_libdir}/pkgconfig/*
-%{_libdir}/*.so
+%_includedir/varnish/
+%_libdir/pkgconfig/*
+%_libdir/*.so
 %changelog
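Review bot: `mkdir -p "%buildroot/%_localstatedir/log/varnish"` at the end of %install duplicates the earlier `install -d -m 0755 %buildroot{%pkg_logdir,%pkg_home}`, because `%pkg_logdir` is defined as `%_localstatedir/log/%name` in the header hunk; keep one of the two, preferably the install line that already carries the mode. `find %buildroot -ls` is debugging output that dumps the whole buildroot into every build log and can go now that the file list is settled. The `%files` ownership change to root:varnish with 640/750 for `%_sysconfdir/%name` is the right fix for the changelog's "security-problematic ownership" item; a comment above the `%dir` line, `# config is root-owned and only readable by the varnish group so the daemon cannot rewrite its own VCL`, would keep the next beautifier pass from reverting it. This hunk starts in %prep and its %files tail continues in the following hunk.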
diff --git a/varnish.sysconfig b/varnish.sysconfig
index be96443..f3b0bbb 100644
--- a/varnish.sysconfig
+++ b/varnish.sysconfig
@@ -10,4 +10,16 @@
 #
 # You might want to keep "/var/cache/varnish" when using the file backend.
 #
-VARNISHD_PARAMS="-f /etc/varnish/vcl.conf -T127.0.0.1:6082 -s file,/var/cache/varnish,524288"
+VARNISHD_PARAMS="-f /etc/varnish/vcl.conf -T:6082 -s file,/var/cache/varnish,524288 -u varnish"
+
+## Path: Network/WWW/Varnishd
+## Description: Start parameters for varnishlog
+## Type: string
+## Default: "-a -w /var/log/varnish.log"
+## Config: varnishd
+#
+# start parameters for varnishlog/varnishncsa
+#
+# see man 1 varnishlog for more
+#
+VARNISHLOG_PARAMS="-a -w /var/log/varnish/varnish.log"
diff --git a/vcl.conf b/vcl.conf
new file mode 100644
index 0000000..a4e9dcd
--- /dev/null
+++ b/vcl.conf
@@ -0,0 +1,30 @@
+#
+# This is a basic VCL configuration file for varnish. See the vcl(7)
+# man page for details on VCL syntax and semantics.
+#
+# $Id: vcl.conf 1200 2006-10-19 09:21:42Z des $
+#
+
+backend default {
+ .host = "127.0.0.1";
+ .port = "8080";
+}
+
+sub vcl_recv {
+ # pass mode can't handle POST (yet)
+ if (req.request == "POST") {
+ return(pipe);
+ }
+
+ # don't bother caching large files
+ if(req.url ~ "\.(pdf|mp3|flv|mov|mp4|mpg|mpeg|avi|dmg)") {
+ return(pipe);
+ }
+
+ # force lookup even when cookies are present
+ if (req.request == "GET" && req.http.cookie) {
+ return(lookup);
+ }
+
+
+}
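Review bot: The `## Default:` field of the new VARNISHLOG_PARAMS block says `-a -w /var/log/varnish.log`, while the value assigned directly below and the init script's own fallback use `/var/log/varnish/varnish.log`; these `##` fields are what the sysconfig tooling shows as the documented default, so they should match: `## Default: "-a -w /var/log/varnish/varnish.log"`. Since the init script starts varnishncsa rather than varnishlog, `## Description: Start parameters for varnishncsa (NCSA-format access log)` and `# see man 1 varnishncsa for more` would describe what is actually run. The `-T:6082` in the new VARNISHD_PARAMS default is the same all-interfaces exposure raised on the init-script hunk.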
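Review bot: The last rule in `vcl_recv` returns `lookup` for every GET that carries a Cookie header, so responses to session-bearing requests are inserted into and served from the shared cache regardless of which client sent them; unless the backend marks such responses uncacheable (Cache-Control or Set-Cookie, which the built-in vcl_fetch honours) a personalised page for one user can be handed to the next. For a configuration shipped as the distribution default it is safer to leave cookie-bearing requests to the built-in behaviour (pass) and let the administrator opt in per path, e.g. `if (req.request == "GET" && req.http.cookie && req.url ~ "^/static/")` (constructed example); a comment stating that trade-off belongs next to the rule either way. The file-extension match is unanchored, so `/x.mp3y` or `/page?ref=a.pdf` also take the `pipe` branch; `"\.(pdf|mp3|flv|mov|mp4|mpg|mpeg|avi|dmg)(\?.*)?$"` limits it to the extension itself.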