Accepting request 840337 from home:hpjansson:sle-14821

- Work around %service_add_post disabling sshd on upgrade with
  package name change (bsc#1177039).

- Use of DISABLE_RESTART_ON_UPDATE is deprecated.
  Replace it with %service_del_postun_without_restart

OBS-URL: https://build.opensuse.org/request/show/840337
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=218
Hans Petter Jansson 2020-10-15 14:25:21 +00:00 committed by Git OBS Bridge
parent 633a41eb24
commit f0e7b033d5
2 changed files with 55 additions and 9 deletions

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Oct 8 21:38:27 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
- Work around %service_add_post disabling sshd on upgrade with
package name change (bsc#1177039).
-------------------------------------------------------------------
Fri Sep 25 13:40:51 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
@ -8,6 +14,13 @@ Fri Sep 25 13:40:51 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
client-relevant sysconfig file present. The naming of the
sysconfig file (ssh instead of sshd) is unfortunate.
-------------------------------------------------------------------
Fri Sep 25 10:59:50 UTC 2020 - Franck Bui <fbui@suse.com>
- Use of DISABLE_RESTART_ON_UPDATE is deprecated.
Replace it with %service_del_postun_without_restart
-------------------------------------------------------------------
Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

@ -30,6 +30,9 @@
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
%define _tmpenableddir %{_localstatedir}/lib/sshd
%define _tmpenabledfile %{_tmpenableddir}/is-enabled.rpmtmp
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
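Review bot: `_tmpenableddir` is set to %{_localstatedir}/lib/sshd, the same path that the `useradd -d` line in `%pre server` gives the sshd account as its home directory, so the marker that later decides whether root runs `systemctl enable sshd` is stored in a directory tied to the unprivileged daemon user. Please either confirm in the spec that this directory is root-owned and not writable by sshd, or keep `is-enabled.rpmtmp` in a location only root can write. A short comment on the two new macros saying what the file is for and when it is removed would also help.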
@ -127,7 +130,7 @@ BuildRequires: krb5-mini-devel
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides a secure encrypted communication between two untrusted
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
@ -146,7 +149,7 @@ Conflicts: %{name}-fips > %{version}-%{release}
%description common
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides a secure encrypted communication between two untrusted
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
@ -168,7 +171,7 @@ Provides: openssh:%{_sbindir}/sshd
%description server
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides a secure encrypted communication between two untrusted
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
@ -186,7 +189,7 @@ Provides: openssh:%{_bindir}/ssh
%description clients
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides a secure encrypted communication between two untrusted
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
@ -203,7 +206,7 @@ Requires: %{name}-common = %{version}-%{release}
%description helpers
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It replaces rsh (rlogin and rsh) and
provides a secure encrypted communication between two untrusted
provides secure encrypted communication between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
@ -230,7 +233,7 @@ Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release}
%description cavs
This package contains the FIPS140 CAVS (Cryptographic Algorithm
This package contains the FIPS-140 CAVS (Cryptographic Algorithm
Validation Program/Suite) related tests of OpenSSH.
%prep
@ -330,9 +333,27 @@ done
}}
%pre
# Remember whether the sshd service was enabled prior to an upgrade. This
# is needed when upgrading to a split-off openssh-server package. The
# %%service_add_post scriptlet (in %%post server) will see it as a new service
# and apply the preset, disabling it. We need to reenable it afterwards if
# necessary.
if [ -x %{_bindir}/systemctl ]; then
mkdir -p %{_tmpenableddir} || :
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
fi
%pre server
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstatedir}/lib/sshd -s /bin/false -c "SSH daemon" sshd
# See %%pre.
if [ -x %{_bindir}/systemctl ]; then
mkdir -p %{_tmpenableddir} || :
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
fi
%service_add_pre sshd.service
%post server
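Review bot: the state file is written from both `%pre` and `%pre server`, but the only `rm -f %{_tmpenabledfile}` is in `%post server`, so if the main package's `%pre` runs after `%post server` in the same transaction the file is left behind in %{_tmpenableddir}. Consider removing it from the main package's scriptlets as well (or in a `%posttrans`), so that no stale marker survives the upgrade. The `mkdir -p %{_tmpenableddir}` in the main `%pre` can also create the directory before `%pre server` has added the sshd user and group, with whatever mode the scriptlet umask yields; an explicit mode would make that deterministic. The four-line block is duplicated verbatim in both scriptlets and would be easier to keep in sync as a single macro.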
@ -340,15 +361,27 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstate
%service_add_post sshd.service
%set_permissions %{_sysconfdir}/ssh/sshd_config
# Work around %%service_add_post disabling the service on upgrades where
# the package name changed.
if [ -x %{_bindir}/systemctl ] && [ -f %{_tmpenabledfile} ] \
&& [ x$(cat %{_tmpenabledfile} || :) == "xenabled" ]; then
systemctl enable sshd || :
fi
rm -f %{_tmpenabledfile}
%preun server
%service_del_preun sshd.service
%postun server
# The openssh-fips trigger script for openssh will normally restart sshd once
# it gets installed, so only restart the service here is openssh-fips is not
# present
rpm -q openssh-fips >/dev/null 2>/dev/null && DISABLE_RESTART_ON_UPDATE=yes
# it gets installed, so only restart the service here if openssh-fips is not
# present.
if rpm -q openssh-fips >/dev/null 2>/dev/null; then
%service_del_postun_without_restart sshd.service
else
%service_del_postun sshd.service
fi
%triggerin -n openssh-fips -- %{name} = %{version}-%{release}
%restart_on_update sshd
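Review bot: the test `[ x$(cat %{_tmpenabledfile} || :) == "xenabled" ]` in `%post server` leaves the command substitution unquoted and uses `==`, which is not POSIX `[` syntax; if the file ever holds more than one word the test errors out and sshd stays disabled without any message. Suggest `[ "$(cat %{_tmpenabledfile} 2>/dev/null)" = "enabled" ]`. The comparison also matches only the exact string `enabled`, so a unit that `systemctl is-enabled` reported as `enabled-runtime` is not restored; if that is intended, say so in the comment. The guard checks `%{_bindir}/systemctl` but the next line calls bare `systemctl enable sshd`; use the full path in both places so the scriptlet does not depend on PATH.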