From 19ef4a12d8de048f3e42e38d9bcdd8aa35fe448a2fcb624745f599ff41c74030 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Tue, 19 Sep 2017 15:42:45 +0000 Subject: [PATCH] Accepting request 527349 from home:dmolkentin:branches:security:dehydrated - Swap statements in post: installing services requires tmp.d - (Weak) dependency on dehydrated-acmeresponder. - systemd update service: ConditionPathExists goes into [Unit] section - Use timer instead of cron for systemd-enabled distros OBS-URL: https://build.opensuse.org/request/show/527349 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=10
---
dehydrated-update.service.in | 12 +++++++++ dehydrated-update.timer | 10 ++++++++ dehydrated.changes | 20 +++++++++++++++ dehydrated.spec | 47 +++++++++++++++++++++++++++++------- 4 files changed, 80 insertions(+), 9 deletions(-) create mode 100644 dehydrated-update.service.in create mode 100644 dehydrated-update.timer
diff --git a/dehydrated-update.service.in b/dehydrated-update.service.in
new file mode 100644
index 0000000..783e256
--- /dev/null
+++ b/dehydrated-update.service.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=Certificate Update Runner for Dehydrated
+ConditionPathExists=/etc/dehydrated/config
+After=network-online.target
+Wants=acmeresponder.socket
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/dehydrated --cron
+
+User=@USER@
+Group=@USER@
diff --git a/dehydrated-update.timer b/dehydrated-update.timer
new file mode 100644
index 0000000..7b03f4a
--- /dev/null
+++ b/dehydrated-update.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run Certificate Update Runner for Dehydrated
+
+[Timer]
+OnCalendar=daily
+# Two hour window
+RandomizedDelaySec=7200
+
+[Install]
+WantedBy=timers.target
diff --git a/dehydrated.changes b/dehydrated.changes
index ee3ee9a..e11bbd9 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
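Review bot: In dehydrated-update.service.in, `After=network-online.target` only orders the unit; without a matching `Wants=network-online.target` nothing pulls that target into the transaction, so a run triggered early at boot can start `dehydrated --cron` before the network is up. I would add `Wants=network-online.target` next to the existing `Wants=` line. Because this job talks to the network and handles the account and certificate keys, the `[Service]` section is also a good place for sandboxing such as `NoNewPrivileges=true` and `PrivateTmp=true`, and `ProtectSystem=full` with a `ReadWritePaths=` entry for the state directory so that renewals and hook.sh can still write where they need to.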
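Review bot: dehydrated-update.timer has no `Persistent=true`, so a host that is powered off or suspended when the daily slot (plus up to two hours of `RandomizedDelaySec`) passes simply skips that run. For a renewal job, repeated skips on laptops or rarely booted machines end in an expired certificate. Adding `Persistent=true` under `[Timer]` lets systemd catch up on the next boot.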
@@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Tue Sep 19 15:40:46 UTC 2017 - daniel.molkentin@suse.com + +- Swap statements in post: installing services requires tmp.d + +------------------------------------------------------------------- +Tue Sep 19 14:52:25 UTC 2017 - daniel.molkentin@suse.com + +- (Weak) dependency on dehydrated-acmeresponder. + +------------------------------------------------------------------- +Thu Sep 14 13:47:06 UTC 2017 - daniel.molkentin@suse.com + +- systemd update service: ConditionPathExists goes into [Unit] section + +------------------------------------------------------------------- +Wed Sep 13 15:27:08 UTC 2017 - daniel.molkentin@suse.com + +- Use timer instead of cron for systemd-enabled distros + ------------------------------------------------------------------- Tue Feb 21 13:12:19 UTC 2017 - daniel.molkentin@suse.com diff --git a/dehydrated.spec b/dehydrated.spec index a1ea27c..930fa32 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -58,6 +58,8 @@ Source2: acme-challenge.conf.nginx.in Source3: acme-challenge.conf.lighttpd.in Source4: dehydrated.cron.in Source5: dehydrated.tmpfiles.d +Source6: dehydrated-update.service.in +Source7: dehydrated-update.timer BuildRequires: %{_apache} %if %{with lighttpd} BuildRequires: lighttpd @@ -72,9 +74,6 @@ BuildRequires: generic-logos-httpd Requires: coreutils Requires: curl Requires: openssl -%if 0%{?suse_version} -Requires: cron -%endif Requires(pre): /usr/sbin/useradd Requires(pre): /usr/sbin/groupadd Requires(pre): /usr/bin/getent @@ -85,6 +84,15 @@ BuildRequires: shadow %if %{with systemd} BuildRequires: pkgconfig(systemd) %{?systemd_requires} +%else #with_systemd +%if 0%{?suse_version} +Requires: cron +%endif +%endif #with_systemd +%if 0%{?suse_version} +Recommends: dehydrated-acmeresponder +%else +Requires: dehydrated-acmeresponder %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch 
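Review bot: In the `@@ -85,6 +84,15 @@` hunk the non-SUSE branch adds a hard `Requires: dehydrated-acmeresponder`, although the changelog entry describes the dependency as weak. If the responder is a socket-activated listener, as `Wants=acmeresponder.socket` in the new service unit suggests, every non-SUSE install gains an extra network-facing component even when challenges are answered through DNS or an existing web server. I would gate the choice on whether the target rpm supports weak dependencies rather than on `suse_version`, and add a comment above the block such as `# hard Requires only where rpm lacks Recommends`.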
@@ -156,8 +164,17 @@ if [ -d /etc/letsencrypt.sh ]; then mv /etc/letsencrypt.sh /etc/dehydrated; chow if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehydrated/config; fi %if %{with systemd} +%service_add_pre dehydrated-update.service dehydrated-update.timer + %post systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||: +%service_add_post dehydrated-update.service dehydrated-update.timer + +%preun +%service_del_preun dehydrated-update.service dehydrated-update.timer + +%postun +%service_del_postun dehydrated-update.service dehydrated-update.timer %endif %prep @@ -168,6 +185,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||: %install # sensitive keys mkdir -p %{buildroot}%{_home}/{accounts,certs} +mkdir -p %{buildroot}%{_sbindir} sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config install -m 0644 docs/examples/* %{buildroot}%{_home} 
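Review bot: Nothing in the `@@ -156,8 +164,17 @@` hunk enables dehydrated-update.timer, while the same commit removes /etc/cron.d/dehydrated from systemd builds. As far as I know `%service_add_post` only applies the distribution preset on first install, so unless a preset lists the timer, an upgraded host silently stops renewing until someone runs `systemctl enable --now dehydrated-update.timer`; the failure surfaces weeks later as an expired certificate. I would either request a preset entry or state the manual step in the changelog and README. Separately, `%service_add_pre` sits above `%post`, so it lands in the preceding scriptlet, which starts outside the hunk; a comment like `# still part of %pre` would make that placement obvious.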
@@ -191,14 +209,22 @@ sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge install -m 0644 acme-challenge %{buildroot}/etc/lighttpd/conf.d %endif #with lighttpd +%if %{with systemd} +install -D -m 0644 %{S:5} %{buildroot}%{_tmpfilesdir}/%{name}.conf +sed "s,@USER@,%{_user},g" %{S:6} > dehydrated-update.service +# Use timer +install -D -m 644 dehydrated-update.service %{buildroot}%{_unitdir}/dehydrated-update.service +install -D -m 644 %{S:7} %{buildroot}%{_unitdir}/dehydrated-update.timer +%if 0%{?suse_version} +ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdehydrated-update +%endif +%else #with systemd +install -D -d -m 0750 %{buildroot}%{_lock_dir} +# Use cron install -m 0755 -d %{buildroot}/etc/cron.d sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron install -m 0644 dehydrated.cron %{buildroot}/etc/cron.d/dehydrated -%if %{with systemd} -install -D -m 0644 %{S:5} %{buildroot}%{_tmpfilesdir}/%{name}.conf -%else -install -D -d -m 0750 %{buildroot}%{_lock_dir} -%endif +%endif #with systemd perl -p -i -e 's|#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config diff -urN docs/examples/config %{buildroot}%{_home}/config ||: 
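Review bot: The symlink target in the `@@ -191,14 +209,22 @@` hunk is the literal `/usr/sbin/service` while the link name uses `%{_sbindir}`; `ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated-update` keeps both sides on the macro. The two new `install -D -m 644` lines would also read more consistently as `-m 0644`, matching the other install calls in this section.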
@@ -210,14 +236,17 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||: %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt %config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh -%config %{_sysconfdir}/cron.d/dehydrated %{_bindir}/dehydrated %attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge %doc LICENSE README.md docs/*.md docs/*.jpg %if %{with systemd} %{_tmpfilesdir}/%{name}.conf +%{_unitdir}/dehydrated-update.service +%{_unitdir}/dehydrated-update.timer +%{_sbindir}/rcdehydrated-update %ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir} %else +%config %{_sysconfdir}/cron.d/dehydrated %attr(700,%{_user},%{_user}) %dir %{_lock_dir} %endif
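Review bot: `%{_sbindir}/rcdehydrated-update` is listed for every systemd build, but the `%install` hunk creates that symlink only inside `%if 0%{?suse_version}`. A systemd build on a non-SUSE target would therefore most likely fail in `%files` with a file-not-found error. Wrapping the entry the same way fixes it: `%if 0%{?suse_version}` / `%{_sbindir}/rcdehydrated-update` / `%endif`. The `%files` section begins outside this hunk, so any earlier conditionals there should be checked for the same asymmetry.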