diff --git a/90-traefik.conf b/90-traefik.conf
new file mode 100644
index 0000000..f1804e5
--- /dev/null
+++ b/90-traefik.conf
@@ -0,0 +1,9 @@
+#
+# Increase the maximum UDP Buffer size to prevent dropping
+# incoming packaets by the kernel
+#
+# https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
+#
+
+net.core.rmem_max=7500000
+net.core.wmem_max=7500000
diff --git a/traefik.changes b/traefik.changes
index aa8f510..79d676c 100644
--- a/traefik.changes
+++ b/traefik.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Sep 12 14:50:28 UTC 2024 - Johannes Weberhofer
+
+- Moved /etc/traefik/acme.json to /var/lib/traefik/acme.json to allow traefik
+ running with "ProtectSystem=full" write access to the certificate store.
+
+ The acme.json file will be automatically moved and the configuration will be
+ updated accordingly.
+
+- Added /usr/lib/sysctl.d/90-itraefik.conf to increase UDP Buffer sizes as explained
+ at https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
+
 -------------------------------------------------------------------
 Wed Aug 7 08:03:10 UTC 2024 - Johannes Weberhofer
diff --git a/traefik.spec b/traefik.spec
index bf79acb..53f7b35 100644
--- a/traefik.spec
+++ b/traefik.spec
@@ -36,6 +36,7 @@ Source1: vendor.tar.gz
 Source2: %{name}.service
 Source3: %{name}.yml
 Source4: %{name}-user.conf
+Source5: 90-%{name}.conf
 BuildRequires: go-bindata
 BuildRequires: golang-packaging
 BuildRequires: systemd-rpm-macros
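Review bot: The header comment on the third added line of 90-traefik.conf misspells "packets" as "packaets"; `# incoming packets by the kernel`. The traefik.changes entry in the same commit calls the file 90-itraefik.conf while the file added here and the new Source5 line are 90-traefik.conf, so one of the two names carries a stray character. net.core.rmem_max and net.core.wmem_max are host-wide ceilings rather than per-service settings, so a one-line comment noting that the values follow the linked quic-go recommendation and raise the limit for every socket on the host would help whoever tunes the system later.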
@@ -94,6 +95,13 @@ ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/%{name}.yml
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/conf.d
+# install configuration to increase UDP buffer sizes
+install -D -p -m 0644 %{SOURCE5} %{buildroot}%{_prefix}/lib/sysctl.d/90-%{name}.conf
+
+# acme storage
+install -d -m 0700 %{buildroot}%{_localstatedir}/lib/%{name}
+touch %{buildroot}%{_localstatedir}/lib/%{name}/acme.json
+
 # logging
 mkdir -p %{buildroot}%{_localstatedir}/log/%{name}
@@ -106,6 +114,30 @@ mkdir -p %{buildroot}%{_localstatedir}/log/%{name}
 # fix ownership for config and logging directory
 chown -R traefik: %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name}
+# try to move acme.json file from old directory to new
+if [ -e "%{_sysconfdir}/%{name}/acme.json" ] ; then
+ if [ -s "%{_sysconfdir}/%{name}/acme.json" ] ; then
+ if [ -s "%{_localstatedir}/lib/%{name}/acme.json" ] ; then
+ # if not-empty acme.json files exists on old and new location, write warning
+ echo "A non-empty acme.json file exists in:" 1>&2
+ echo "%{_sysconfdir}/%{name} and %{_localstatedir}/lib/%{name}" 1>&2
+ echo "Please clean up this situation and place the correct file in %{_localstatedir}/lib/%{name}" 1>&2
+ else
+ # if not-empty acme.json exists on old location and no file or empty file exists on new location
+ # move it to the new location
+ mv "%{_sysconfdir}/%{name}/acme.json" "%{_localstatedir}/lib/%{name}/acme.json"
+ sed -i -e 's|%{_sysconfdir}/traefik/acme.json|%{_localstatedir}/lib/traefik/acme.json|' %{_sysconfdir}/%{name}/%{name}.yml
+ fi
+ else
+ # remove empty acme.json file from old location
+ rm "%{_sysconfdir}/%{name}/acme.json"
+ sed -i -e 's|%{_sysconfdir}/traefik/acme.json|%{_localstatedir}/lib/traefik/acme.json|' %{_sysconfdir}/%{name}/%{name}.yml
+ fi
+fi
+
+# fix ownership for acme file
+chown -R traefik: %{_localstatedir}/lib/%{name}/*
+
 %preun
 %service_del_preun %{name}.service
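Review bot: The sysctl drop-in installed on the second added line of the %install hunk is only read by systemd-sysctl at boot, so on an already-running system the raised buffer limits take effect only after a reboot or a manual `sysctl --system`, and the %post scriptlet in this commit never applies it. If the systemd-rpm-macros this spec already BuildRequires provide the %sysctl_apply macro, `%sysctl_apply 90-%{name}.conf` in %post would apply the new file at install time. The `touch` ships a zero-byte acme.json as package content; that works because the %post logic checks the new location with `-s`, but a comment such as `# zero-byte placeholder; %post relies on -s to tell it apart from a real store` would stop someone from removing it later. The %install section continues outside the hunk.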
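Review bot: Both `sed` lines in the %post hunk hard-code `traefik` inside the search and replacement patterns while every other path in the scriptlet uses `%{name}`, and they rewrite only `%{name}.yml`; a resolver configured in a `conf.d` drop-in keeps pointing at the old `%{_sysconfdir}` path after the file has been moved away, and traefik would presumably then start from an empty store and request new certificates. Using `%{name}` in both patterns and at least grepping `conf.d` for the old path to print the same kind of warning would cover that case. The moved file also keeps whatever mode it had under the previous package (0660 per the old %defattr), so a `chmod 0600 "%{_localstatedir}/lib/%{name}/acme.json"` next to the `mv` would bring it in line with the new %defattr instead of relying on the trailing `chown -R`. The %post body begins outside the hunk.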
@@ -121,11 +153,15 @@ chown -R traefik: %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name}
 %{_unitdir}/%{name}.service
 %{_sbindir}/rc%{name}
+%{_prefix}/lib/sysctl.d/90-%{name}.conf
-%defattr(0660, traefik, traefik, 0750)
+%defattr(0600, traefik, traefik, 0700)
 %dir %{_sysconfdir}/%{name}
 %dir %{_sysconfdir}/%{name}/conf.d
+%dir %{_localstatedir}/lib/%{name}
+%config(noreplace) %{_localstatedir}/lib/%{name}/acme.json
+
 %config(noreplace) %{_sysconfdir}/%{name}/%{name}.yml
 %dir %{_localstatedir}/log/%{name}
diff --git a/traefik.yml b/traefik.yml
index f1818dc..dc593d7 100644
--- a/traefik.yml
+++ b/traefik.yml
@@ -147,7 +147,7 @@ providers:
 # letsencryptResolver:
 # acme:
 # email: your@email
-# storage: /etc/traefik/acme.json
+# storage: /var/lib/traefik/acme.json
 # httpChallenge:
 # entryPoint: web
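Review bot: `%config(noreplace) %{_localstatedir}/lib/%{name}/acme.json` ships a zero-byte placeholder as real package content, so every live certificate store will be reported as a modified file by `rpm -V`; `%ghost %attr(0600,traefik,traefik) %{_localstatedir}/lib/%{name}/acme.json` is the usual way to own a runtime-created file without shipping content. If that is done, the `chown -R traefik: %{_localstatedir}/lib/%{name}/*` in %post would meet an empty directory on a fresh install, the unmatched glob would be passed literally and the scriptlet would fail, so that line would then need an existence check or be dropped in favour of the %attr. The new %defattr also tightens %{name}.yml and conf.d from 0660/0750 to 0600/0700, which is sensible hardening but is not mentioned in the changes entry, and I am not certain rpm re-applies the mode to a locally modified noreplace config on upgrade, so that is worth verifying on an upgraded system.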