X-Git-Url: https://git.rapsys.eu/ihttpd/blobdiff_plain/b00783264a01cc52ca38d64a458e07e110512de5..104f1dbe2d20ab8e4e49b75856edf5549f7616b6:/SOURCES/ihttpd.module-setup

diff --git a/SOURCES/ihttpd.module-setup b/SOURCES/ihttpd.module-setup
index 947d0c1..3829829 100644
--- a/SOURCES/ihttpd.module-setup
+++ b/SOURCES/ihttpd.module-setup
@@ -1,46 +1,44 @@
-#!/bin/bash
+#!/usr/bin/bash
 
 # called by dracut
 check() {
-	local fs
-
-	# Fix tmpfiledir
-	#XXX: fix installation of /usr/lib/tmpfileS.d/{dracut-tmpfiles,systemd}.conf
-	#XXX: should be removed when bug 18642 (mageia) or 1343230 (fedora) will be fixed in /usr/bin/dracut +1262-1282
-	[ -z "$tmpfilesdir" -o ! -d "$tmpfilesdir" -a -d /usr/lib/tmpfiles.d ] && tmpfilesdir=/usr/lib/tmpfiles.d
-	[ -z "$tmpfilesdir" -o ! -d "$tmpfilesdir" -a -d /etc/tmpfiles.d ] && tmpfilesdir=/etc/tmpfiles.d
-	[ -z "$tmpfilesdir" -o ! -d "$tmpfilesdir" -a -d /lib/tmpfiles.d ] && tmpfilesdir=/lib/tmpfiles.d
+	local _fs
 
 	# if cryptsetup is not installed, then we cannot support encrypted devices.
 	require_binaries cryptsetup || return 1
 
-	# if hostonly or mount_needs include if required by other module
-	# if one of fs types is crypto_LUKS include it
-	[[ $hostonly ]] || [[ $mount_needs ]] && {
-		for fs in "${host_fs_types[@]}"; do
-			[[ $fs = "crypto_LUKS" ]] && return 0
+	# hostonly mode check
+	[[ $hostonly ]] && {
+		for _fs in "${host_fs_types[@]}"; do
+			# include when a crypto_LUKS fs is present
+			[[ $_fs = "crypto_LUKS" ]] && return 0
 		done
+
+		# include if required by other module
 		return 255
 	}
 
+	# include by default
 	return 0
 }
 
 # called by dracut
 depends() {
 	# depend on crypt for /etc/crypttab
-	# depend on systemd-networkd for ip=dhcp and rd.neednet=1
-	# depend on dracut-systemd for appending to $tmpfilesdir/dracut-tmpfiles.conf
-	echo crypt systemd-networkd dracut-systemd
+	# depend on systemd-networkd for rd.neednet=1
+	echo crypt systemd-networkd
+
 	return 0
 }
 
 # called by dracut
 cmdline() {
-	local fs
-	for fs in "${host_fs_types[@]}"; do
-		if [[ "$fs" == "crypto_LUKS" ]]; then
-			printf "%s" " ip=dhcp rd.neednet=1"
+	local _fs
+
+	for _fs in "${host_fs_types[@]}"; do
+		if [[ "$_fs" == "crypto_LUKS" ]]; then
+			#XXX we used to include ip=dhcp as well (replaced by systemd-networkd configuration)
+			printf "%s" " rd.neednet=1"
 			break
 		fi
 	done
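Review bot: check() now returns 0 (`# include by default`) whenever `$hostonly` is unset, but cmdline() still prints ` rd.neednet=1` only when a `crypto_LUKS` entry is found in `host_fs_types`. A generic image can therefore apparently include the module without the parameter that the comment in install() describes as mandatory for an active network in the initrd. If that combination is meant to work, cmdline() should emit the parameter unconditionally, or check() should return 255 in that case. Otherwise the comment should say so, for example `# generic image: included, but rd.neednet=1 must then be supplied on the kernel command line`. cmdline() closes outside this hunk.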
@@ -49,190 +47,36 @@ cmdline() {
 # called by dracut
 install() {
 	local _ihttpdconf=$(cmdline)
-	local fs
-	[[ $_ihttpdconf ]] && printf "%s\n" "$_ihttpdconf" >> "${initdir}/etc/cmdline.d/99ihttpd.conf"
-
-	# Install cert dirs
-	inst_dir /etc/pki/tls/certs
-	inst_dir /etc/pki/tls/private
-	inst_dir /etc/systemd/network
-	inst_dir /var/www/html
-	inst_dir $systemdsystemunitdir/ihttpd.service.wants
-
-	# Install favicon
-	inst_simple -o /var/www/html/favicon.ico
-
-	# Install network
-	for nc in `ls /etc/systemd/network/`; do
-		inst_simple /etc/systemd/network/$nc
-	done
 
-	# Install index.bin
-	inst_simple /usr/lib/ihttpd/index.bin /var/www/html/index.bin
+	#XXX: rd.neednet=1 is mandatory to have active network in initrd
+	[[ $_ihttpdconf ]] && printf "%s\n" "$_ihttpdconf" >> "${initdir}/etc/cmdline.d/99ihttpd.conf"
 
-	# Install reboot.bin
-	inst_simple /usr/lib/ihttpd/reboot.bin /var/www/html/reboot.bin
+	# Install required dirs
+	inst_dir \
+		/etc/pki/tls/certs \
+		/etc/pki/tls/private \
+		/etc/systemd/network \
+		$systemdsystemunitdir/ihttpd.service.wants \
+		$systemdsystemunitdir/sysinit.target.wants \
+		/var/www/html
 
 	# Install all files
+	#XXX: force cryptsetup install until systemd-cryptsetup implement a method that don't rely on password ending with \0
 	inst_multiple \
 		/etc/hosts \
-		/etc/mime.types \
 		/etc/localtime \
+		/etc/mime.types \
 		/etc/nsswitch.conf \
-		/etc/ihttpd.conf \
 		/etc/pki/tls/certs/ihttpd.pem \
 		/etc/pki/tls/private/ihttpd.pem \
-		$tmpfilesdir/ihttpd.conf \
-		$systemdsystemunitdir/ihttpd.path \
-		$systemdsystemunitdir/ihttpd.service \
 		$systemdsystemunitdir/systemd-networkd.service \
-		$systemdsystemunitdir/systemd-tmpfiles-setup.service \
+		'/sbin/cryptsetup' \
 		'/usr/bin/false' \
 		'/usr/bin/reboot' \
-		/usr/sbin/ihttpd
-
-	# Install sshd dirs
-	inst_dir \
-		/etc/pam.d \
-		/etc/profile.d \
-		/etc/security \
-		/etc/ssh \
-		/etc/sysconfig \
-		$systemdsystemunitdir/basic.target.wants \
-		$systemdsystemunitdir/emergency.target.wants \
-		$systemdsystemunitdir/rescue.target.wants \
-		$systemdsystemunitdir/sysinit.target.wants \
-		/usr/lib64/security \
-		/usr/share/terminfo/x \
-		/var/empty
-
-	# Install sshd files
-	inst_multiple \
-		/etc/bashrc \
-		/etc/environment \
-		/etc/gshadow \
-		/etc/pam.d/sshd \
-		/etc/pam.d/system-auth \
-		/etc/profile.d/*.sh \
-		/etc/security/limits.conf \
-		/etc/security/pam_env.conf \
-		/etc/shadow \
-		/etc/ssh/denyusers \
-		/etc/ssh/moduli \
-		/etc/ssh/ssh_config \
-		/etc/ssh/sshd_config \
-		/etc/ssh/ssh_host_* \
-		/root/.bash_profile \
-		/root/.bashrc \
-		/usr/bin/cat \
-		/usr/bin/id \
-		'/usr/bin/kill' \
-		/usr/bin/ps \
-		/usr/lib64/security/pam_cracklib.so \
-		/usr/lib64/security/pam_deny.so \
-		/usr/lib64/security/pam_env.so \
-		/usr/lib64/security/pam_keyinit.so \
-		/usr/lib64/security/pam_limits.so \
-		/usr/lib64/security/pam_listfile.so \
-		/usr/lib64/security/pam_nologin.so \
-		/usr/lib64/security/pam_succeed_if.so \
-		/usr/lib64/security/pam_systemd.so \
-		/usr/lib64/security/pam_tcb.so \
-		/usr/sbin/sshd \
-		/usr/share/terminfo/x/*
-
-	# Disable pam
-	#perl -pne 's%^UsePAM yes$%UsePAM no%;s%^PermitRootLogin .*$%PermitRootLogin yes%' -i "$initdir/etc/ssh/sshd_config"
-	perl -pne 's%^PermitRootLogin .*$%PermitRootLogin yes%' -i "$initdir/etc/ssh/sshd_config"
-
-	# Sshd shell service
-	#XXX: KillMode=none is required to avoid sshd process getting killed in control group after parent fork
-	cat << EOF > $initdir$systemdsystemunitdir/debug-sshd.service
-# Based on /usr/lib/systemd/system/debug-shell.service
-[Unit]
-Description=Early sshd shell FOR DEBUGGING ONLY
-DefaultDependencies=no
-AllowIsolate=no
-IgnoreOnIsolate=yes
-
-[Service]
-Type=simple
-KillMode=none
-ExecStart=@/usr/sbin/sshd /usr/sbin/sshd -e
-
-[Install]
-WantedBy=sysinit.target
-EOF
-
-	# Install in sysinit.target.wants
-	ln -fs ../debug-sshd.service $initdir$systemdsystemunitdir/sysinit.target.wants/
-
-	# Install sshd user and group
-	`grep -Eq '^sshd:' $initdir/etc/passwd` || grep -E '^sshd:' /etc/passwd >> "$initdir/etc/passwd"
-	`grep -Eq '^sshd:' $initdir/etc/group` || grep -E '^sshd:' /etc/group >> "$initdir/etc/group"
-
-	# Install ihttpd.path
-	ln -fs ../ihttpd.path $initdir$systemdsystemunitdir/sysinit.target.wants/
-
-	# Install resolv.conf as resolved service
-	#TODO: change this to have a content or depend on systemd-resolved
-	if [ -L /etc/resolv.conf ]; then
-
-		# Install systemd-resolved
-		if [ `readlink /etc/resolv.conf` = '/run/systemd/resolve/resolv.conf' ]; then
+		'/usr/sbin/ihttpd'
 
-			# Install resolv.conf as symlink
-			ln -fs '/run/systemd/resolve/resolv.conf' $initdir/etc/resolv.conf
-
-			# Install systemd-resolved
-			inst_multiple \
-				$systemdsystemunitdir/systemd-resolved.service \
-				$systemdutildir/systemd-resolved \
-				/etc/systemd/resolved.conf
-
-			# Require systemd-resolve user and group for our ihttpd process
-			`egrep -q '^systemd-resolve:' $initdir/etc/group` || egrep '^systemd-resolve:' /etc/group >> "$initdir/etc/group"
-			`egrep -q '^systemd-resolve:' $initdir/etc/passwd` || egrep '^systemd-resolve:' /etc/passwd >> "$initdir/etc/passwd"
-
-			# Install in ihttpd.service.wants
-			ln -fs ../systemd-resolved.service $initdir$systemdsystemunitdir/ihttpd.service.wants/
-
-			# Cleanup resolved.conf
-			perl -pne 'undef $_ if /^(?:#.*|Domains=|FallbackDNS=|DNS=(?:127.0.0.1|::1)$|$)/;/^DNS=/ && $_ =~ s/(?:127.0.0.1|::1)[ \t]*//g' \
-				-i "$initdir/etc/systemd/resolved.conf"
-
-			# Cleanup systemd-resolved.service
-			perl -pne 'undef $_ if /^(?:#|(?:Wants|After)=org\.freedesktop\.resolve1\.busname)/' \
-				-i "$initdir$systemdsystemunitdir/systemd-resolved.service"
-
-		# Try install the target file
-		else
-			inst_simple /etc/resolv.conf
-		fi
-
-	# Install resolv.conf as file
-	elif [ -e /etc/resolv.conf ]; then
-
-		# Install resolv.conf as file
-		inst_simple /etc/resolv.conf
-
-		# Cleanup resolv.conf
-		#XXX: strip search, localhost and ipv6
-		perl -pne 'undef $_ if /^(?:#.*|search\s+|nameserver\s+127.0.0.1|nameserver\s+[^:\s]+:[^\s]+|$)/' \
-			-i "$initdir/etc/resolv.conf"
-
-	# Touch resolv.conf file
-	else
-		# We did what we could
-		touch "$initdir/etc/resolv.conf"
-	fi
-
-	# Install ihttpd log
-	ln -fs ../../../run/ihttpd/log/{http,https,child.{askpassword,ihttpd},error}.log $initdir/var/www/html/
-
-	# Install in ihttpd.service.wants
-	ln -fs ../systemd-networkd.service $initdir$systemdsystemunitdir/ihttpd.service.wants/
-	ln -fs ../systemd-tmpfiles-setup.service $initdir$systemdsystemunitdir/ihttpd.service.wants/
+	# Install favicon
+	inst_simple -o /var/www/html/favicon.ico
 
 	# Include all ihttpd deps
 	inst_libdir_file \
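Review bot: The inst_multiple list keeps `/etc/pki/tls/private/ihttpd.pem`, so the TLS private key is embedded in every generated initramfs, and no comment says so. An initrd that unlocks LUKS presumably sits on an unencrypted boot partition, so I would add a comment above the list such as `#XXX: private key ends up in the initramfs, keep the image root-only and use a key dedicated to the initrd`. The two unit-directory arguments to inst_dir are also unquoted; `"$systemdsystemunitdir/ihttpd.service.wants"` and `"$systemdsystemunitdir/sysinit.target.wants"` would match the quoting already used for `"${initdir}/etc/cmdline.d/99ihttpd.conf"`. install() continues past the end of this hunk.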
@@ -257,27 +101,101 @@ EOF
 		"libnss_myhostname.so.*" \
 		{"tls/$_arch/",tls/,"$_arch/",}"libssl.so.*" 
 
-	# Cleanup nsswitch.conf
-	if [ -f "$initdir/etc/nsswitch.conf" ]; then
-		perl -pne 'undef $_ if /^(?:#|$)/;s/compat/files/;s/ ?(?:nis|wins|mdns4_minimal |mdns4)( )?/\1/g' \
-			-i "$initdir/etc/nsswitch.conf"
-	fi
+	# Install ihttpd.conf index.bin reboot.bin ihttpd.service
+	for nc in /etc/ihttpd.conf /var/www/html/index.bin /var/www/html/reboot.bin $systemdsystemunitdir/ihttpd.service; do
+		inst_simple /usr/lib/ihttpd/${nc##*/} $nc
+	done
 
-	# Cleanup systemd-networkd.service
-	if [ -f "$initdir$systemdsystemunitdir/systemd-networkd.service" ]; then
-		perl -pne 'undef $_ if /^(?:#|(?:Wants|After)=org\.freedesktop\.network1\.busname)/;s/^After=(systemd-udevd.service )dbus.service network-pre.target systemd-sysusers.service /After=\1/' \
-			-i "$initdir$systemdsystemunitdir/systemd-networkd.service"
-	fi
+	# Force load of ihttpd.service
+	ln -fs ../ihttpd.service $initdir$systemdsystemunitdir/sysinit.target.wants/
 
-	# Cleanup systemd-tmpfiles-setup.service
-	if [ -f "$initdir$systemdsystemunitdir/systemd-tmpfiles-setup.service" ]; then
-		perl -pne 'undef $_ if /^#/;s/After=(.*) systemd-sysusers.service/After=\1/' \
-			-i "$initdir$systemdsystemunitdir/systemd-tmpfiles-setup.service"
-	fi
+	# Copy systemd-networkd config
+	for nc in `ls /etc/systemd/network/`; do
+		inst_simple /etc/systemd/network/$nc
+	done
+
+	# Install resolv.conf as symlink
+	grep -vE '^($|#|nameserver 127.0.0.1|nameserver ::1)' /etc/resolv.conf > $initdir/etc/resolv.conf
+
+	# Install in ihttpd.service.wants
+	ln -fs \
+		../systemd-networkd.service \
+		$initdir$systemdsystemunitdir/ihttpd.service.wants/
+
+	# Cleanup nsswitch.conf
+	perl -pne 'undef $_ if /^(?:#|$)/;s/compat/files/;s/ ?(?:nis|wins|mdns4_minimal |mdns4)( )?/\1/g' \
+		-i "$initdir/etc/nsswitch.conf"
 
-	#XXX: bug: fix /usr/lib/tmpfiles.d/{systemd,dracut-tmpfiles}.conf missing user and group
-	`egrep -q '^utmp:' $initdir/etc/group` || egrep '^utmp:' /etc/group >> "$initdir/etc/group"
 	# Require root user and group for our ihttpd process
-	`egrep -q '^root:' $initdir/etc/group` || egrep '^root:' /etc/group >> "$initdir/etc/group"
-	`egrep -q '^root:' $initdir/etc/passwd` || egrep '^root:' /etc/passwd >> "$initdir/etc/passwd"
+	`grep -Eq '^root:' $initdir/etc/group` || grep -E '^root:' /etc/group >> "$initdir/etc/group"
+	`grep -Eq '^root:' $initdir/etc/passwd` || grep -E '^root:' /etc/passwd >> "$initdir/etc/passwd"
+
+	# For debug only
+	if false; then
+		# Install ihttpd log
+		ln -fs ../../../run/ihttpd/log/{http,https,child.{askpassword,ihttpd},error}.log $initdir/var/www/html/
+
+		# Install sshd dirs
+		inst_dir \
+			/etc/pam.d \
+			/etc/profile.d \
+			/etc/security \
+			/etc/ssh \
+			/etc/sysconfig \
+			$systemdsystemunitdir/basic.target.wants \
+			$systemdsystemunitdir/emergency.target.wants \
+			$systemdsystemunitdir/rescue.target.wants \
+			/usr/lib64/security \
+			/usr/share/terminfo/x \
+			/var/empty
+
+		# Install sshd files
+		inst_multiple \
+			/etc/bashrc \
+			/etc/environment \
+			/etc/gshadow \
+			/etc/pam.d/sshd \
+			/etc/pam.d/system-auth \
+			/etc/profile.d/*.sh \
+			/etc/security/limits.conf \
+			/etc/security/pam_env.conf \
+			/etc/shadow \
+			/etc/ssh/denyusers \
+			/etc/ssh/moduli \
+			/etc/ssh/ssh_config \
+			/etc/ssh/sshd_config \
+			/etc/ssh/ssh_host_* \
+			/root/.bash_profile \
+			/root/.bashrc \
+			/usr/bin/cat \
+			/usr/bin/id \
+			'/usr/bin/kill' \
+			/usr/bin/ps \
+			/usr/lib64/security/pam_cracklib.so \
+			/usr/lib64/security/pam_deny.so \
+			/usr/lib64/security/pam_env.so \
+			/usr/lib64/security/pam_keyinit.so \
+			/usr/lib64/security/pam_limits.so \
+			/usr/lib64/security/pam_listfile.so \
+			/usr/lib64/security/pam_nologin.so \
+			/usr/lib64/security/pam_succeed_if.so \
+			/usr/lib64/security/pam_systemd.so \
+			/usr/lib64/security/pam_tcb.so \
+			/usr/sbin/sshd \
+			/usr/share/terminfo/x/*
+
+		# Disable pam
+		#perl -pne 's%^UsePAM yes$%UsePAM no%;s%^PermitRootLogin .*$%PermitRootLogin yes%' -i "$initdir/etc/ssh/sshd_config"
+		perl -pne 's%^PermitRootLogin .*$%PermitRootLogin yes%' -i "$initdir/etc/ssh/sshd_config"
+
+		# Install debug sshd service
+		inst_simple /usr/lib/ihttpd/debug-sshd.service $initdir$systemdsystemunitdir/debug-sshd.service
+
+		# Install in sysinit.target.wants
+		ln -fs ../debug-sshd.service $initdir$systemdsystemunitdir/sysinit.target.wants/
+
+		# Install sshd user and group
+		`grep -Eq '^sshd:' $initdir/etc/passwd` || grep -E '^sshd:' /etc/passwd >> "$initdir/etc/passwd"
+		`grep -Eq '^sshd:' $initdir/etc/group` || grep -E '^sshd:' /etc/group >> "$initdir/etc/group"
+	fi
 }
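Review bot: The resolv.conf line is labelled `# Install resolv.conf as symlink` but writes a filtered copy, and the filter drops only `127.0.0.1` and `::1`. A host whose /etc/resolv.conf names another loopback resolver (systemd-resolved's stub listens on 127.0.0.53) would presumably end up with a nameserver that does not exist in the initrd. I would relabel it `# Install filtered copy of resolv.conf (loopback resolvers stripped)`, widen the match and quote the target: `grep -vE '^($|#|nameserver[[:space:]]+(127\.|::1$))' /etc/resolv.conf > "$initdir/etc/resolv.conf"`. Separately, the block under `if false` still lists /etc/shadow, /etc/gshadow and the ssh host keys and rewrites `PermitRootLogin yes`, so a one-word edit would put all of that into the image. A comment above the `if` such as `# WARNING: enabling this copies password hashes and ssh host keys into the initramfs` would help, or the block could move to a separate opt-in module; install() begins outside this hunk.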