Accepting request 882188 from home:darix:playground

- Enable instantiated services (boo#1184165)

- Prepare instantiated service/timer support but not enable it:
  This seems to fail due to missing systemd support right now.
  So the only option at the moment is to copy the timer and unit
  file for a 2nd instance. Mark all files as part of dehydrated.target

- Rework support for /etc/dehydrated/postrun-hooks.d/:
dehydrated.service no longer starts them directly; the support was
  moved to a separate unit file. Please run:
  systemctl enable dehydrated-postrun-hooks.service
  to restore this functionality
- Run dehydrated as dehydrated user again

OBS-URL: https://build.opensuse.org/request/show/882188
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=74
Daniel Molkentin 2021-03-30 14:53:39 +00:00 committed by Git OBS Bridge
parent 5b368e02a5
commit abdad1b762
9 changed files with 126 additions and 18 deletions


@ -0,0 +1,14 @@
[Unit]
Description=Postrun Hooks Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/postrun-hooks.d
After=dehydrated.service
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStart=-/usr/bin/find -L /etc/dehydrated/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \;
User=root
Group=root
[Install]
RequiredBy=dehydrated.service
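Review bot: The ExecStart= line runs every executable regular file (or symlink target, because of `find -L`) under /etc/dehydrated/postrun-hooks.d as root, while dehydrated.service in this same commit now runs the ACME client as the dehydrated user whose home the spec defines as /etc/dehydrated; the ownership of that tree is not visible here, but if that user can create files or symlinks in the hooks directory this becomes a direct unprivileged-to-root path. Tightening the predicates closes most of it without a new unit: `ExecStart=-/usr/bin/find /etc/dehydrated/postrun-hooks.d -maxdepth 1 -type f -executable -user root ! -perm /022 -exec {} \;` (dropping `-L` stops following symlinked hooks, which may have been intentional — confirm with upstream). Independently, find yields entries in filesystem order rather than sorted like run-parts, so a comment stating that hooks must not depend on execution order would help.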


@ -0,0 +1,14 @@
[Unit]
Description=Postrun Hooks Runner for Dehydrated: %i
ConditionPathExists=/etc/dehydrated-%i/postrun-hooks.d/
After=dehydrated@%i.service
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStart=-/usr/bin/find -L /etc/dehydrated-%i/postrun-hooks.d/ -maxdepth 1 -executable -type f -exec {} \;
User=root
Group=root
[Install]
RequiredBy=dehydrated@%i.service
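Review bot: With only `After=dehydrated@%i.service` plus the `RequiredBy=` install hook, this unit is pulled in whenever the instance service starts and, as far as I read systemd's dependency semantics, still runs when the renewal itself fails, whereas the ExecStartPost= it replaces only ran after a successful ExecStart=. Adding `Requires=dehydrated@%i.service` to [Unit] restores the old gating, since systemd does not start a unit whose Requires= dependency failed when the unit is also ordered After= it. The same consideration applies to the non-instance dehydrated-postrun-hooks.service added in this commit.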


@ -1,3 +1,28 @@
-------------------------------------------------------------------
Tue Mar 30 14:20:42 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Enable instantiated services (boo#1184165)
-------------------------------------------------------------------
Mon Mar 29 16:18:57 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Prepare instantiated service/timer support but not enable it:
This seems to fail due to missing systemd support right now.
So the only option at the moment is to copy the timer and unit
file for a 2nd instance. Mark all files as part of dehydrated.target
-------------------------------------------------------------------
Mon Mar 29 16:18:27 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Rework support for /etc/dehydrated/postrun-hooks.d/:
dehydrated.service nolonger starts them directly, the support was
moved to a separate unit file. Please run:
systemctl enable dehydrated-postrun-hooks.service
to restore this functionality
- Run dehydrated as dehydrated user again
-------------------------------------------------------------------
Mon Mar 29 16:08:09 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>


@ -3,12 +3,12 @@ Description=Certificate Update Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/config
After=network-online.target
Wants=acmeresponder.socket
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \;
ExecStart=/usr/bin/dehydrated --cron
# dehydrated --cron will drop permissions and run critical code as dehydrated user.
User=root
Group=root
User=dehydrated
Group=dehydrated
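Review bot: The comment added above User= still describes the previous flow in which the unit started as root and `dehydrated --cron` dropped privileges; with `User=dehydrated` there is nothing left to drop, so the comment now misleads whoever next debugs a permission error. Replace it with `# Runs unprivileged as the dehydrated user from the start; config, cert and challenge directories must be writable by that user` — I am assuming the package's tmpfiles.d entry sets that ownership, which this hunk does not show. Since the unit itself no longer needs root, `NoNewPrivileges=yes` and `PrivateTmp=yes` can be added next to `User=` without affecting the postrun hooks, which this commit moves into separate root-running units.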


@ -16,6 +16,14 @@
#
%bcond_without instantiated_service
%define base_services dehydrated.timer dehydrated.service dehydrated-postrun-hooks.service
%if %{with instantiated_service}
%define services dehydrated.target %{base_services} dehydrated@.timer dehydrated@.service dehydrated-postrun-hooks@.service
%else
%define services %{base_services}
%endif
%define _challengedir %{_localstatedir}/lib/acme-challenge
%define _user dehydrated
%define _home %{_sysconfdir}/dehydrated
@ -55,7 +63,7 @@ Source1: acme-challenge.conf.apache.in
Source2: acme-challenge.conf.nginx.in
Source4: dehydrated.cron.in
Source5: dehydrated.tmpfiles.d
Source6: dehydrated.service.in
Source6: dehydrated.service
Source7: dehydrated.timer
Source9: README.maintainer
Source10: README.Fedora
@ -63,6 +71,11 @@ Source11: README.hooks
Source12: %{name}-%{version}.tar.gz.asc
Source13: %{name}.keyring
Source14: %{name}-rpmlintrc
Source15: dehydrated@.service
Source16: dehydrated@.timer
Source17: dehydrated.target
Source18: dehydrated-postrun-hooks.service
Source19: dehydrated-postrun-hooks@.service
Patch: more-examples.patch
BuildRequires: %{_apache}
Requires: coreutils
@ -143,17 +156,17 @@ getent passwd %{_user} >/dev/null || %{_sbindir}/useradd -g %{_user} \
if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi
%if %{with systemd}
%service_add_pre dehydrated.service dehydrated.timer
%service_add_pre %{services}
%post
systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
%service_add_post dehydrated.service dehydrated.timer
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf ||:
%service_add_post %{services}
%preun
%service_del_preun dehydrated.service dehydrated.timer
%service_del_preun %{services}
%postun
%service_del_postun dehydrated.service dehydrated.timer
%service_del_postun %{services}
%endif
%prep
@ -197,12 +210,23 @@ install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/nginx
%if %{with systemd}
install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
# Use timer
sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service
install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service
install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/dehydrated.service
install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
install -D -m 644 %{SOURCE18} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks.service
%if %{with instantiated_service}
install -D -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/dehydrated@.service
install -D -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/dehydrated@.timer
install -D -m 644 %{SOURCE19} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks@.service
install -D -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/dehydrated.target
%else
perl -p -i -e 's|PartOf=dehydrated.target\n||g' %{buildroot}%{_unitdir}/*
%endif
if [ $(rpm -q --queryformat='%{VERSION}' systemd) -lt 229 ]; then
# No support for this attribute in systemd < v229
sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated.timer
sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated.timer
fi
%if 0%{?suse_version}
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
@ -225,7 +249,7 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
# Rename existing config file config files fror nginx
%if %{with nginx}
%pre nginx
%pre nginx
[ -f %{_sysconfdir}/nginx/conf.d/acme-challenge ] && \
mv %{_sysconfdir}/nginx/conf.d/acme-challenge %{_sysconfdir}/nginx/conf.d/acme-challenge.conf || :
%endif
@ -253,8 +277,11 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
%endif
%if %{with systemd}
%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/dehydrated.service
%{_unitdir}/dehydrated.timer
%{_unitdir}/dehydrated*.service
%{_unitdir}/dehydrated*.timer
%if %{with instantiated_service}
%{_unitdir}/dehydrated.target
%endif
%if 0%{?suse_version}
%{_sbindir}/rcdehydrated
%endif
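Review bot: The systemd < v229 fallback in %install still patches only dehydrated.timer, but the instantiated build added here also installs dehydrated@.timer, which carries the same `RandomizedDelaySec=` line that the fallback exists to comment out. Widen the glob so both timers are handled: `sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated*.timer`. Separately, passing the bare templates `dehydrated@.service`/`dehydrated@.timer` to %service_add_post via %{services} asks the macro to preset a template without an instance, which I believe systemctl cannot enable without DefaultInstance=; passing only %{base_services} (plus dehydrated.target) to the service macros and leaving instances to the administrator, as the changelog already instructs, would avoid that.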

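--- /dev/null
+++ b/dehydrated.target
@@ -0,0 +1,4 @@
+[Unit]
+Description=Target to allow restarting and stopping of all parts of dehydrated
+PartOf=dehydrated.target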
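Review bot: `PartOf=dehydrated.target` inside dehydrated.target itself is a self-dependency; as far as I recall systemd drops dependencies of a unit on itself, possibly with a warning on each daemon-reload, so the line is at best noise. Drop it and keep only `[Unit]` and `Description=` — the grouping already comes from the other units declaring `PartOf=dehydrated.target` toward this target.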


@ -1,10 +1,11 @@
[Unit]
Description=Run Certificate Update Runner for Dehydrated
Description=Timer for Certificate Update Runner for Dehydrated
PartOf=dehydrated.target
[Timer]
OnCalendar=daily
# Two hour window
RandomizedDelaySec=7200
[Install]
WantedBy=timers.target

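--- /dev/null
+++ b/dehydrated@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Certificate Update Runner for Dehydrated
+ConditionPathExists=/etc/dehydrated/config
+After=network-online.target
+Wants=acmeresponder.socket
+PartOf=dehydrated.target
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/dehydrated --cron --config /etc/dehydrated-%i/config
+User=dehydrated
+Group=dehydrated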
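Review bot: `ConditionPathExists=/etc/dehydrated/config` checks the non-instance config while ExecStart= uses `--config /etc/dehydrated-%i/config`, so an instance whose own config is missing is still started (and fails inside dehydrated) as long as the default config exists, and an instance configured without a default /etc/dehydrated/config is silently skipped. Change it to `ConditionPathExists=/etc/dehydrated-%i/config`, matching the `/etc/dehydrated-%i/postrun-hooks.d/` convention the companion hooks template already uses.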

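--- /dev/null
+++ b/dehydrated@.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Timer for Certificate Update Runner for Dehydrated
+PartOf=dehydrated.target
+[Timer]
+OnCalendar=daily
+# Two hour window
+RandomizedDelaySec=7200
+[Install]
+WantedBy=timers.target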
[Install]
WantedBy=timers.target