From: Mathieu Baudier Date: Sat, 16 Mar 2024 07:28:49 +0000 (+0100) Subject: Merge tag 'v2.3.6' into testing X-Git-Tag: v2.1.4~1 X-Git-Url: https://git.argeo.org/?a=commitdiff_plain;h=5771ff9775a3acc328d9be08772d38e6f7d77df1;hp=95890ae1fad3f09737f3777bc2889bdd689402eb;p=gpl%2Fargeo-freed.git Merge tag 'v2.3.6' into testing
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..16be8f2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/output/
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..0fddb66
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,57 @@
+# GNU coding standards
+prefix ?= /usr/local
+exec_prefix ?= $(prefix)
+bindir ?= $(exec_prefix)/bin
+sbindir ?= $(exec_prefix)/sbin
+libdir ?= $(exec_prefix)/lib
+libexecdir ?= $(exec_prefix)/libexec
+sysconfdir ?= $(prefix)/etc
+srcdir ?= $(prefix)/src
+datarootdir ?= $(prefix)/share
+
+## Utilities
+# Install to a target directory without executable bit
+INSTALL=install -m644 -D --target-directory
+# Always try copy-on-write
+COPY=cp --reflink=auto
+
+# TODO use argeo-build
+BUILD_BASE ?= output/argeo-freed
+all:
+ mkdir -p $(BUILD_BASE)$(sysconfdir) $(BUILD_BASE)$(bindir) $(BUILD_BASE)$(libdir) $(BUILD_BASE)$(libexecdir)
+ $(COPY) -r etc/* $(BUILD_BASE)$(sysconfdir)
+ $(COPY) -r bin/* $(BUILD_BASE)$(bindir)
+ $(COPY) -r lib/* $(BUILD_BASE)$(libdir)
+ $(COPY) -r libexec/* $(BUILD_BASE)$(libexecdir)
+ sed -i 's|/usr/local/etc|$(sysconfdir)|g' $(BUILD_BASE)$(libdir)/systemd/*/argeo*.service
+ sed -i 's|/usr/local/lib|$(libdir)|g' $(BUILD_BASE)$(libdir)/systemd/*/argeo*.service
+ sed -i 's|/usr/local/share|$(datarootdir)|g' $(BUILD_BASE)$(libdir)/systemd/*/argeo*.service
+ sed -i 's|/usr/local/share|$(datarootdir)|g' $(BUILD_BASE)$(bindir)/*
+ sed -i 's|/usr/local/lib|$(libdir)|g' $(BUILD_BASE)$(libdir)/sysj/jvm.args
+# $(MAKE) -C sjbin all
+
+clean:
+ $(RM) -r $(BUILD_BASE)
+# $(MAKE) -C sjbin clean
+
+distclean: clean
+
+install:
+ mkdir -p $(DESTDIR)$(sysconfdir) $(DESTDIR)$(bindir) $(DESTDIR)$(libdir) $(DESTDIR)$(libexecdir)
+# TODO use install and wildcard ?
+ $(COPY) -v -r --no-clobber $(BUILD_BASE)$(sysconfdir)/* $(DESTDIR)$(sysconfdir)
+ $(COPY) -v -r $(BUILD_BASE)$(libdir)/* $(DESTDIR)$(libdir)
+ install -m755 -D --target-directory $(DESTDIR)$(bindir) $(BUILD_BASE)$(bindir)/*
+ install -m755 -D --target-directory $(DESTDIR)$(libexecdir)/ipsec $(BUILD_BASE)$(libexecdir)/ipsec/*
+# systemctl daemon-reload
+
+uninstall:
+# TODO fix warning when directory does not exist
+ $(foreach f, $(shell cd $(BUILD_BASE)$(bindir) && find . 
-type f), $(RM) $(DESTDIR)$(bindir)/$(f);)
+ $(foreach f, $(shell cd $(BUILD_BASE)$(libdir) && find . -type f), $(RM) $(DESTDIR)$(libdir)/$(f);)
+ $(foreach f, $(shell cd $(BUILD_BASE)$(libexecdir) && find . -type f), $(RM) $(DESTDIR)$(libexecdir)/$(f);)
+# TODO remove empty directories
+# @if [ -d $(A2_INSTALL_TARGET) ]; then find $(A2_INSTALL_TARGET) -empty -type d -delete; fi
+
+purge: uninstall
+ $(foreach f, $(shell cd $(BUILD_BASE)$(sysconfdir) && find . -type f), $(RM) $(DESTDIR)$(sysconfdir)/$(f);)
diff --git a/argeo-freed.spec b/argeo-freed.spec
index 3535875..38c6c84 100644
--- a/argeo-freed.spec
+++ b/argeo-freed.spec
@@ -1,5 +1,5 @@
 Name: argeo-freed
-Version: 2.1.3
+Version: 2.1.4
 Release: 1%{?dist}
 Summary: Utilities for a FREEd compatible domain
@@ -19,10 +19,6 @@ BuildRequires: systemd-rpm-macros
 Summary: FREEd Argeo CMS services
 Requires: argeo-cms
-%package cms-user
-Summary: FREEd Argeo CMS user services
-Requires: argeo-cms
-
 %description cms
 %package libreswan
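Review bot: None of `all`, `clean`, `distclean`, `install`, `uninstall` and `purge` is declared phony, so a file or directory with one of those names in the source tree makes the target silently "up to date"; add `.PHONY: all clean distclean install uninstall purge` near the top of the Makefile. The `all` recipe rewrites `/usr/local/share` in the bindir scripts and the systemd units but not in `$(BUILD_BASE)$(libdir)/sysj/jvm.args`, whose `-cp` entries also hard-code `/usr/local/share` as far as this commit shows, so a non-default `datarootdir` leaves that runtime pointing at the wrong a2 tree; one more `sed -i 's|/usr/local/share|$(datarootdir)|g' $(BUILD_BASE)$(libdir)/sysj/jvm.args` line closes the gap. `INSTALL` is defined but never used while the `install` recipe calls `install -m755 -D --target-directory` directly; either use the variable or drop it. The "warning when directory does not exist" TODO in `uninstall` is the `cd` error from the `$(shell …)` lists, which `&&` already turns into an empty list; `$(shell cd $(BUILD_BASE)$(bindir) 2>/dev/null && find . -type f)` silences it without changing behaviour.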
@@ -37,75 +33,42 @@ Requires: argeo-freed-libreswan %description roaming-client -%package roaming-host -Summary: FREEd roaming host -Requires: argeo-freed-libreswan - -%description roaming-host - %prep %setup -q %build %install -mkdir -p %{buildroot}%{_bindir} -cp -a ./usr/bin/* %{buildroot}%{_bindir} - -mkdir -p %{buildroot}%{_sysconfdir} -cp -a ./etc/* %{buildroot}%{_sysconfdir} - -mkdir -p %{buildroot}%{_datadir} -cp -a ./usr/share/* %{buildroot}%{_datadir} - -mkdir -p %{buildroot}%{_unitdir} -cp -a ./usr/lib/systemd/system/* %{buildroot}%{_unitdir} - -mkdir -p %{buildroot}%{_userunitdir} -cp -a ./usr/lib/systemd/user/* %{buildroot}%{_userunitdir} - -mkdir -p %{buildroot}%{_libexecdir} -cp -a ./usr/libexec/ipsec %{buildroot}%{_libexecdir} %files cms %attr(755, root, root) %{_bindir}/argeo %attr(755, root, root) %{_bindir}/jshc +%{_sysconfdir}/default/argeo %{_sysconfdir}/argeo.d -%{_datadir}/argeo -%{_unitdir}/argeo@.service - -%files cms-user -%{_sysconfdir}/argeo.user.d -%{_userunitdir}/argeo@.service +%{_sysconfdir}/argeo +%{_unitdir}/argeo*.service +%{_userunitdir}/argeo*.service %files libreswan %attr(755, root, root) %{_libexecdir}/ipsec %files roaming-client -%{_sysconfdir}/ipsec.d/roaming.conf - %{_unitdir}/freed-ipsec-roaming@.service %{_unitdir}/freed-onresume.service %{_unitdir}/freed-onsuspend.service %post cms %systemd_post argeo@.service +%systemd_user_post argeo.service %preun cms %systemd_preun argeo@.service +%systemd_user_preun argeo.service %postun cms %systemd_postun argeo@.service - -%post cms-user -%systemd_user_post argeo@.service - -%preun cms-user -%systemd_user_preun argeo@.service - -%postun cms-user -%systemd_user_postun argeo@.service +%systemd_user_postun argeo.service %post roaming-client %systemd_post freed-ipsec-roaming@.service 
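Review bot: The new `%files cms` entries `%{_sysconfdir}/default/argeo`, `%{_sysconfdir}/argeo` and `%{_sysconfdir}/argeo.d` are packaged as plain files, so every upgrade overwrites local edits under /etc; mark them `%config(noreplace) %{_sysconfdir}/default/argeo`, `%config(noreplace) %{_sysconfdir}/argeo` and `%config(noreplace) %{_sysconfdir}/argeo.d`. The hunk also empties `%install` without adding a replacement, so unless a `%make_install` or equivalent sits outside this hunk nothing populates `%{buildroot}` and the `%files` lists will fail at build time — worth confirming. `%{_sysconfdir}/argeo` now also ships `all.policy`, which grants `java.security.AllPermission`; a comment next to that entry explaining why it is packaged would help the next maintainer decide whether it belongs in the main package.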
@@ -121,7 +84,3 @@ cp -a ./usr/libexec/ipsec %{buildroot}%{_libexecdir} %systemd_postun freed-ipsec-roaming@.service %systemd_postun freed-onresume.service %systemd_postun freed-onsuspend.service - -%files roaming-host -%{_sysconfdir}/ipsec.d/roaming-host.conf -%{_sysconfdir}/ipsec.d/roaming-host-domain.conf.template diff --git a/bin/argeo b/bin/argeo new file mode 100755 index 0000000..f3a6d5a --- /dev/null +++ b/bin/argeo @@ -0,0 +1,2 @@ +#!/bin/sh +java -Dorg.argeo.api.cli.rootCommand=$0 -jar /usr/local/share/a2/org.argeo.cms/org.argeo.cms.cli.2.3.jar "$@" \ No newline at end of file diff --git a/bin/jshc b/bin/jshc new file mode 100755 index 0000000..0060646 --- /dev/null +++ b/bin/jshc @@ -0,0 +1,2 @@ +#!/bin/sh +java -Xms32m -Xmx64m -jar /usr/local/share/a2/org.argeo.cms/org.argeo.cms.jshell.2.3.jar "$@" \ No newline at end of file diff --git a/debian/.gitignore b/debian/.gitignore index 3eb1ca1..3319cda 100644 --- a/debian/.gitignore +++ b/debian/.gitignore @@ -1,5 +1,6 @@ files -.debhelper +*.debhelper debhelper* argeo-*/ -*.substvars \ No newline at end of file +*.substvars +/tmp/ diff --git a/debian/argeo-freed-cms-user.install b/debian/argeo-freed-cms-user.install deleted file mode 100644 index 037dcd0..0000000 --- a/debian/argeo-freed-cms-user.install +++ /dev/null @@ -1,2 +0,0 @@ -./etc/argeo.user.d/* ./etc/argeo.user.d -./usr/lib/systemd/user/argeo@.service ./usr/lib/systemd/user diff --git a/debian/argeo-freed-cms.install b/debian/argeo-freed-cms.install index b2195f0..1ada822 100644 --- a/debian/argeo-freed-cms.install +++ b/debian/argeo-freed-cms.install @@ -1,8 +1,9 @@ -./usr/bin/argeo ./usr/bin -./usr/bin/jshc ./usr/bin +/usr/bin/argeo +/usr/bin/jshc -./etc/argeo.d/* ./etc/argeo.d +/etc/default/argeo +/etc/argeo/* +/etc/argeo.d/* -./usr/lib/systemd/system/argeo@.service ./usr/lib/systemd/system - -./usr/share/argeo/* ./usr/share/argeo +/usr/lib/systemd/system/argeo*.service +/usr/lib/systemd/user/argeo*.service 
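Review bot: `$0` is unquoted in the `-Dorg.argeo.api.cli.rootCommand=$0` argument of bin/argeo, so an install path containing whitespace or glob characters is split by the shell before it reaches the JVM; quote it. Both bin/argeo and bin/jshc also keep `sh` as the parent of the JVM, so a signal sent to the script's PID is delivered to the shell rather than to `java` and an extra process lingers; `exec` the JVM instead: `exec java -Dorg.argeo.api.cli.rootCommand="$0" -jar /usr/local/share/a2/org.argeo.cms/org.argeo.cms.cli.2.3.jar "$@"` (and likewise `exec java -Xms32m -Xmx64m -jar … "$@"` in jshc). Both files also lack a trailing newline.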
diff --git a/debian/argeo-freed-libreswan.install b/debian/argeo-freed-libreswan.install index 57586ba..811f5db 100644 --- a/debian/argeo-freed-libreswan.install +++ b/debian/argeo-freed-libreswan.install @@ -1 +1 @@ -./usr/libexec/ipsec/* ./usr/libexec/ipsec +/usr/libexec/ipsec diff --git a/debian/argeo-freed-roaming-client.install b/debian/argeo-freed-roaming-client.install index 6f0a7ae..b612fb3 100644 --- a/debian/argeo-freed-roaming-client.install +++ b/debian/argeo-freed-roaming-client.install @@ -1,4 +1,3 @@ -./etc/ipsec.d/roaming.conf ./etc/ipsec.d -./usr/lib/systemd/system/freed-ipsec-roaming@.service ./usr/lib/systemd/system -./usr/lib/systemd/system/freed-onresume.service ./usr/lib/systemd/system -./usr/lib/systemd/system/freed-onsuspend.service ./usr/lib/systemd/system +/usr/lib/systemd/system/freed-ipsec-roaming@.service +/usr/lib/systemd/system/freed-onresume.service +/usr/lib/systemd/system/freed-onsuspend.service diff --git a/debian/argeo-freed-roaming-host.install b/debian/argeo-freed-roaming-host.install deleted file mode 100644 index acfec8d..0000000 --- a/debian/argeo-freed-roaming-host.install +++ /dev/null @@ -1,2 +0,0 @@ -./etc/ipsec.d/roaming-host.conf ./etc/ipsec.d -./etc/ipsec.d/roaming-host-domain.conf.template ./etc/ipsec.d diff --git a/debian/changelog b/debian/changelog index a4e47ce..ac895c6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,5 @@ -argeo-freed (2.1.3) testing; urgency=medium +argeo-freed (2.1.4) testing; urgency=medium - * Adapt to changes in Argeo TP + * New directory structure - -- Mathieu Baudier Thu, 14 Dec 2023 05:48:41 +0000 + -- Mathieu Baudier Sat, 16 Mar 2024 07:25:57 +0000 diff --git a/debian/control b/debian/control index 6c4b9d3..7a07f79 100644 --- a/debian/control +++ b/debian/control 
@@ -13,27 +13,14 @@ Conflicts: argeo-init Description: FREEd Argeo CMS services FREEd Argeo CMS services -Package: argeo-freed-cms-user -Architecture: all -Depends: ${misc:Depends}, argeo-cms -Conflicts: argeo-init -Description: FREEd Argeo CMS user services - FREEd Argeo CMS user services - Package: argeo-freed-libreswan Architecture: all Depends: ${misc:Depends}, libreswan Description: FREEd extensions to libreswan - Argeo FREEd extensions to libreswan + FREEd extensions to libreswan Package: argeo-freed-roaming-client Architecture: all Depends: ${misc:Depends}, argeo-freed-libreswan Description: FREEd roaming client - Argeo FREEd roaming client - -Package: argeo-freed-roaming-host -Architecture: all -Depends: ${misc:Depends}, argeo-freed-libreswan -Description: FREEd roaming host - Argeo FREEd roaming host + FREEd roaming client diff --git a/debian/rules b/debian/rules index 2d33f6a..cd69d93 100755 --- a/debian/rules +++ b/debian/rules @@ -1,4 +1,7 @@ #!/usr/bin/make -f %: - dh $@ + prefix=/usr sysconfdir=/etc dh $@ + +override_dh_missing: + # Ignore missing files diff --git a/etc/argeo.d/jvm.args.debug b/etc/argeo.d/jvm.args.debug deleted file mode 100644 index 4e6b1dc..0000000 --- a/etc/argeo.d/jvm.args.debug +++ /dev/null @@ -1 +0,0 @@ --agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=127.0.0.1:8000 \ No newline at end of file diff --git a/etc/argeo.d/jvm.args.monitoring b/etc/argeo.d/jvm.args.monitoring deleted file mode 100644 index d7275ee..0000000 --- a/etc/argeo.d/jvm.args.monitoring +++ /dev/null @@ -1 +0,0 @@ --Dcom.sun.management.jmxremote.port=8099 -Dcom.sun.management.jmxremote.rmi.port=8099 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname= \ No newline at end of file diff --git a/etc/argeo.user.d/jvm.args b/etc/argeo.user.d/jvm.args deleted file mode 100644 index e69de29..0000000 
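Review bot: `override_dh_missing:` with a comment-only body in debian/rules disables the dh_missing check entirely, so any file the Makefile installs into debian/tmp that no `*.install` list picks up is dropped from the packages without a trace. Prefer `override_dh_missing:` followed by the recipe line `dh_missing --list-missing`, which keeps the build green but still reports the stragglers in the log. The `prefix=/usr sysconfdir=/etc dh $@` line works only because the Makefile assigns those variables with `?=`, which yields to the environment; a one-line comment stating that dependency would save the next reader a detour.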
diff --git a/etc/argeo/all.policy b/etc/argeo/all.policy
new file mode 100644
index 0000000..facb613
--- /dev/null
+++ b/etc/argeo/all.policy
@@ -0,0 +1,3 @@
+grant {
+ permission java.security.AllPermission;
+};
\ No newline at end of file
diff --git a/etc/argeo/jvm.args b/etc/argeo/jvm.args
new file mode 100644
index 0000000..fd2c6c0
--- /dev/null
+++ b/etc/argeo/jvm.args
@@ -0,0 +1,5 @@
+# Force UTF-8 encoding
+-Dfile.encoding=UTF-8
+
+# Ensure OpenJDK and OpenJ9 are compatible
+-XX:+IgnoreUnrecognizedVMOptions
diff --git a/etc/argeo/jvm.args.debug b/etc/argeo/jvm.args.debug
new file mode 100644
index 0000000..4e6b1dc
--- /dev/null
+++ b/etc/argeo/jvm.args.debug
@@ -0,0 +1 @@
+-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=127.0.0.1:8000
\ No newline at end of file
diff --git a/etc/argeo/system/jvm.args.monitoring b/etc/argeo/system/jvm.args.monitoring
new file mode 100644
index 0000000..86a6e94
--- /dev/null
+++ b/etc/argeo/system/jvm.args.monitoring
@@ -0,0 +1,5 @@
+-Dcom.sun.management.jmxremote.port=8099 \
+-Dcom.sun.management.jmxremote.rmi.port=8099 \
+-Dcom.sun.management.jmxremote.authenticate=false \
+-Dcom.sun.management.jmxremote.ssl=false \
+#-Djava.rmi.server.hostname=
\ No newline at end of file
diff --git a/etc/argeo/user/argeo.ini b/etc/argeo/user/argeo.ini
new file mode 100644
index 0000000..9f90778
--- /dev/null
+++ b/etc/argeo/user/argeo.ini
@@ -0,0 +1,9 @@
+## Launch context
+osgi.framework.useSystemProperties=false
+osgi.frameworkParentClassloader=app
+osgi.parentClassLoader=app
+osgi.contextClassLoaderParent=app
+
+# Disable Equinox Jetty autostart
+org.eclipse.equinox.http.jetty.autostart=false
+
diff --git a/etc/argeo/user/jvm.args b/etc/argeo/user/jvm.args
new file mode 100644
index 0000000..e69de29
diff --git a/etc/argeo/user/rap/cms.ini b/etc/argeo/user/rap/cms.ini
new file mode 100644
index 0000000..ff71b17
--- /dev/null
+++ b/etc/argeo/user/rap/cms.ini
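Review bot: etc/argeo/all.policy grants `java.security.AllPermission` to every code source, which turns any security manager that loads it into a no-op, and nothing in this commit documents where it is loaded or why it is shipped under /etc. Add a header comment such as `// Grants every code source all permissions: no sandboxing at all. For local development only; do not point a production JVM at this policy.` so the file is not picked up by mistake, and keep it out of any default `java.security.policy` setting. The file also lacks a trailing newline.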
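Review bot: etc/argeo/system/jvm.args.monitoring opens a JMX listener on TCP 8099 with `-Dcom.sun.management.jmxremote.authenticate=false` and `-Dcom.sun.management.jmxremote.ssl=false`, so anyone who can reach that port gets full control of the JVM without credentials. None of the units in this commit reference the file, so it is opt-in today, but it is installed under /etc on every host; a first-line comment such as `# Unauthenticated, unencrypted JMX on 8099: load only behind a firewall or an SSH tunnel, never on an exposed host` and a default of `-Dcom.sun.management.jmxremote.authenticate=true` with a password file would make the shipped configuration safe by default.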
@@ -0,0 +1,31 @@
+argeo.osgi.sources=\
+a2+reference:///\
+?osgi=equinox\
+&crypto=fips\
+&swt=rap\
+
+argeo.osgi.start.2=\
+org.eclipse.equinox.http.servlet,\
+org.apache.felix.scr,\
+org.eclipse.equinox.console,\
+org.eclipse.rap.rwt.osgi,\
+
+argeo.osgi.start.3=\
+org.argeo.cms,\
+org.argeo.cms.ee,\
+org.argeo.cms.lib.dbus,\
+org.argeo.cms.lib.sshd,\
+org.argeo.cms.lib.equinox,\
+org.argeo.cms.lib.jetty,\
+org.argeo.cms.swt.rap,\
+
+argeo.osgi.start.4=\
+org.argeo.cms.jcr
+
+argeo.osgi.start.5=\
+org.argeo.app.profile.acr.fs,\
+org.argeo.app.core,\
+org.argeo.app.jcr,\
+org.argeo.app.ui,\
+org.argeo.app.theme.default,\
+org.argeo.app.geo,\
diff --git a/etc/argeo/user/rap/debug.ini b/etc/argeo/user/rap/debug.ini
new file mode 100644
index 0000000..9a7f33c
--- /dev/null
+++ b/etc/argeo/user/rap/debug.ini
@@ -0,0 +1 @@
+osgi.clean=true
\ No newline at end of file
diff --git a/etc/argeo/user/rap/packages.ini b/etc/argeo/user/rap/packages.ini
new file mode 100644
index 0000000..b7334fb
--- /dev/null
+++ b/etc/argeo/user/rap/packages.ini
@@ -0,0 +1,18 @@
+org.osgi.framework.system.packages.extra=\
+com.sun.jna,\
+com.sun.jna.internal,\
+com.sun.jna.ptr,\
+com.sun.jna.win32,\
+org.eclipse.angus.mail.mbox,\
+org.apache.tomcat.jni,\
+sun.security.util,\
+sun.security.internal.spec,\
+sun.security.provider,\
+sun.awt.X11,\
+com.sun.net.httpserver,\
+com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.jndi.dns,\
+com.sun.security.jgss,\
+com.sun.nio.file,\
+com.sun.nio.sctp
diff --git a/etc/argeo/user/rcp/cms.ini b/etc/argeo/user/rcp/cms.ini
new file mode 100644
index 0000000..b4a2f96
--- /dev/null
+++ b/etc/argeo/user/rcp/cms.ini
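Review bot: Several lists in etc/argeo/user/rap/cms.ini end on a trailing `,\` (`org.eclipse.rap.rwt.osgi,\`, `org.argeo.cms.swt.rap,\`, `org.argeo.app.geo,\`) and `argeo.osgi.sources` ends on `&swt=rap\`, so each value is terminated only by the blank line that follows it, and `argeo.osgi.start.5` ends the file on an open continuation. If these files are read as java.util.Properties, deleting one of those blank lines would silently fold the next key into the previous value; end each list on its last entry (for example `org.argeo.app.geo` without the `,\`) instead. The same pattern appears in etc/argeo/user/rcp/cms.ini and etc/argeo/user/slc/slc.ini in this commit.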
@@ -0,0 +1,31 @@
+argeo.osgi.sources=\
+a2+reference:///\
+?osgi=equinox\
+&crypto=fips\
+&swt=rcp\
+
+argeo.osgi.start.2=\
+org.eclipse.equinox.http.servlet,\
+org.apache.felix.scr,\
+org.eclipse.equinox.console,\
+
+argeo.osgi.start.3=\
+org.argeo.cms,\
+org.argeo.cms.ee,\
+org.argeo.cms.jshell,\
+org.argeo.cms.lib.dbus,\
+org.argeo.cms.lib.sshd,\
+org.argeo.cms.lib.equinox,\
+org.argeo.cms.lib.jetty,\
+org.argeo.cms.swt.rcp,\
+
+argeo.osgi.start.4=\
+org.argeo.cms.jcr
+
+argeo.osgi.start.5=\
+org.argeo.app.profile.acr.fs,\
+org.argeo.app.core,\
+org.argeo.app.jcr,\
+org.argeo.app.ui,\
+org.argeo.app.theme.default,\
+org.argeo.app.geo,\
diff --git a/etc/argeo/user/rcp/debug.ini b/etc/argeo/user/rcp/debug.ini
new file mode 100644
index 0000000..9a7f33c
--- /dev/null
+++ b/etc/argeo/user/rcp/debug.ini
@@ -0,0 +1 @@
+osgi.clean=true
\ No newline at end of file
diff --git a/etc/argeo/user/rcp/packages.ini b/etc/argeo/user/rcp/packages.ini
new file mode 100644
index 0000000..dff2296
--- /dev/null
+++ b/etc/argeo/user/rcp/packages.ini
@@ -0,0 +1,27 @@
+org.osgi.framework.system.packages.extra=\
+org.eclipse.swt,\
+org.eclipse.swt.awt,\
+org.eclipse.swt.dnd,\
+org.eclipse.swt.events,\
+org.eclipse.swt.graphics,\
+org.eclipse.swt.layout,\
+org.eclipse.swt.widgets,\
+org.eclipse.swt.browser,\
+org.eclipse.swt.custom,\
+com.sun.jna,\
+com.sun.jna.internal,\
+com.sun.jna.ptr,\
+com.sun.jna.win32,\
+org.eclipse.angus.mail.mbox,\
+org.apache.tomcat.jni,\
+sun.security.util,\
+sun.security.internal.spec,\
+sun.security.provider,\
+sun.awt.X11,\
+com.sun.net.httpserver,\
+com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.jndi.dns,\
+com.sun.security.jgss,\
+com.sun.nio.file,\
+com.sun.nio.sctp
diff --git a/etc/argeo/user/slc/debug.ini b/etc/argeo/user/slc/debug.ini
new file mode 100644
index 0000000..ed7d121
--- /dev/null
+++ b/etc/argeo/user/slc/debug.ini
@@ -0,0 +1,2 @@
+#osgi.console=localhost:2023
+osgi.clean=true
\ No newline at end of file
diff --git a/etc/argeo/user/slc/packages.ini b/etc/argeo/user/slc/packages.ini
new file mode 100644
index 0000000..1dd6ef1
--- /dev/null
+++ b/etc/argeo/user/slc/packages.ini
@@ -0,0 +1,15 @@
+org.osgi.framework.system.packages.extra=\
+org.argeo.api.init,\
+org.argeo.api.a2,\
+org.argeo.init.osgi,\
+sun.misc,\
+sun.security.util,\
+sun.security.internal.spec,\
+sun.security.provider,\
+com.sun.net.httpserver,\
+com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.jndi.dns,\
+com.sun.security.jgss,\
+com.sun.nio.file,\
+com.sun.nio.sctp
diff --git a/etc/argeo/user/slc/slc.ini b/etc/argeo/user/slc/slc.ini
new file mode 100644
index 0000000..76ae18e
--- /dev/null
+++ b/etc/argeo/user/slc/slc.ini
@@ -0,0 +1,16 @@
+
+argeo.osgi.sources=\
+a2+reference:///\
+?osgi=equinox\
+&swt=rcp\
+&include=org.argeo.tp\
+&include=org.argeo.tp.osgi\
+&include=org.argeo.slc\
+&include=org.argeo.tp.sys\
+
+## Active modules
+argeo.osgi.start.2=\
+org.eclipse.equinox.console,\
+
+argeo.osgi.start.4=\
+org.argeo.slc.runtime,\
diff --git a/etc/default/argeo b/etc/default/argeo
new file mode 100644
index 0000000..e69de29
diff --git a/etc/freed/pid1/config.ini b/etc/freed/pid1/config.ini
deleted file mode 100644
index 3fd167d..0000000
--- a/etc/freed/pid1/config.ini
+++ /dev/null
@@ -1,28 +0,0 @@
-osgi.clean=true
-#osgi.console=true
-
-argeo.osgi.start.2=\
-org.eclipse.equinox.http.servlet,\
-org.apache.felix.scr,\
-org.eclipse.rap.rwt.osgi,\
-org.apache.tika.parsers,\
-org.argeo.init
-
-argeo.osgi.start.3=\
-org.argeo.cms,\
-org.argeo.cms.swt.rap,\
-org.argeo.cms.swt.rcp,\
-org.argeo.cms.ee,\
-org.argeo.cms.lib.sshd,\
-org.argeo.cms.lib.equinox,\
-org.argeo.cms.lib.jetty,\
-org.argeo.cms.jshell,\
-
-argeo.http.port=80
-#argeo.sshd.port=22
-
-argeo.osgi.sources=\
-a2:///?\
-osgi=equinox&\
-log=syslogger&\
-crypto=fips&\
diff --git a/etc/freed/pid1/jvm.args b/etc/freed/pid1/jvm.args
deleted file mode 100644
index 708fab1..0000000
--- a/etc/freed/pid1/jvm.args
+++ /dev/null
@@ -1,23 +0,0 @@
-#-Xmx64m
-#-Xshareclasses:name=pid1
-#-XX:+IdleTuningGcOnIdle
-
--Dargeo.logging.file=/var/log/freed-pid1.log
--Dlog.FreedPid1=DEBUG
-
--Dosgi.configuration.cascaded=true
--Dosgi.sharedConfiguration.area=/usr/local/etc/freed/pid1
--Dosgi.sharedConfiguration.area.readOnly=true
--Dosgi.configuration.area=/var/lib/freed/pid1/state/
--Dosgi.instance.area=/var/lib/freed/pid1/data/
-
--Dorg.osgi.framework.system.packages.extra=sun.security.utils,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp
--Dorg.eclipse.equinox.http.jetty.autostart=false
-
--Dfile.encoding=UTF-8
--Dnative.encoding=UTF-8
--Dsun.stdout.encoding=UTF-8
--Dsun.stderr.encoding=UTF-8
--Dsun.jnu.encoding=UTF-8
-
--cp /usr/local/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:/usr/local/share/a2/org.argeo.cms/org.argeo.init.2.3.jar
\ No newline at end of file
diff --git a/etc/freed/pid1/system.properties b/etc/freed/pid1/system.properties
deleted file mode 100644
index 5ee8524..0000000
--- a/etc/freed/pid1/system.properties
+++ /dev/null
@@ -1 +0,0 @@
-log.org.argeo=DEBUG
\ No newline at end of file
diff --git a/lib/sysj/config.ini b/lib/sysj/config.ini
new file mode 100644
index 0000000..3fd167d
--- /dev/null
+++ b/lib/sysj/config.ini
@@ -0,0 +1,28 @@
+osgi.clean=true
+#osgi.console=true
+
+argeo.osgi.start.2=\
+org.eclipse.equinox.http.servlet,\
+org.apache.felix.scr,\
+org.eclipse.rap.rwt.osgi,\
+org.apache.tika.parsers,\
+org.argeo.init
+
+argeo.osgi.start.3=\
+org.argeo.cms,\
+org.argeo.cms.swt.rap,\
+org.argeo.cms.swt.rcp,\
+org.argeo.cms.ee,\
+org.argeo.cms.lib.sshd,\
+org.argeo.cms.lib.equinox,\
+org.argeo.cms.lib.jetty,\
+org.argeo.cms.jshell,\
+
+argeo.http.port=80
+#argeo.sshd.port=22
+
+argeo.osgi.sources=\
+a2:///?\
+osgi=equinox&\
+log=syslogger&\
+crypto=fips&\
diff --git a/lib/sysj/jvm.args b/lib/sysj/jvm.args
new file mode 100644
index 0000000..a229195
--- /dev/null
+++ b/lib/sysj/jvm.args
@@ -0,0 +1,25 @@
+#-Xmx64m
+#-Xshareclasses:name=sysj
+#-XX:+IdleTuningGcOnIdle
+
+-Dargeo.logging.file=/var/log/sysj.log
+-Dlog.org.argeo=DEBUG
+
+-Dosgi.configuration.cascaded=true
+-Dosgi.sharedConfiguration.area=/usr/local/lib/sysj
+-Dosgi.sharedConfiguration.area.readOnly=true
+-Dosgi.configuration.area=/var/lib/sysj/state/
+-Dosgi.instance.area=/var/lib/sysj/data/
+
+-Dorg.osgi.framework.system.packages.extra=sun.security.utils,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp
+-Dorg.eclipse.equinox.http.jetty.autostart=false
+
+-Dfile.encoding=UTF-8
+-Dnative.encoding=UTF-8
+-Dsun.stdout.encoding=UTF-8
+-Dsun.stderr.encoding=UTF-8
+-Dsun.jnu.encoding=UTF-8
+
+-cp \
+/usr/local/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:\
+/usr/local/share/a2/org.argeo.cms/org.argeo.init.2.3.jar
\ No newline at end of file
diff --git a/lib/sysj/system.properties b/lib/sysj/system.properties
new file mode 100644
index 0000000..5ee8524
--- /dev/null
+++ b/lib/sysj/system.properties
@@ -0,0 +1 @@
+log.org.argeo=DEBUG
\ No newline at end of file
diff --git a/lib/systemd/system/argeo@.service b/lib/systemd/system/argeo@.service
new file mode 100644
index 0000000..c70ea58
--- /dev/null
+++ b/lib/systemd/system/argeo@.service
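Review bot: The `-Dorg.osgi.framework.system.packages.extra=` line in lib/sysj/jvm.args lists `sun.security.utils`, while lib/systemd/system/argeo@.service and the packages.ini files in this same commit export `sun.security.util`; the JDK package is `sun.security.util`, so the extra `s` presumably makes that export a no-op and looks carried over from the old etc/freed/pid1/jvm.args. The two `-cp` entries hard-code `/usr/local/share/a2/…` and, unlike the `/usr/local/lib` prefix on the `sharedConfiguration.area` line, are not rewritten by the Makefile's `all` target, so a non-default `datarootdir` breaks this runtime. `-Dlog.org.argeo=DEBUG` and the `log.org.argeo=DEBUG` in system.properties ship debug logging to /var/log/sysj.log by default; a comment stating whether that is intended for production would help.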
@@ -0,0 +1,47 @@
+[Unit]
+Description=Argeo node %I
+After=network-online.target
+Wants=postgresql.service
+
+[Service]
+Type=simple
+
+User=freed
+Group=freed
+
+StateDirectory=argeo.d/%I
+LogsDirectory=argeo.d/%I
+ConfigurationDirectory=argeo.d/%I
+CacheDirectory=argeo.d/%I
+EnvironmentFile=/usr/local/etc/default/argeo
+WorkingDirectory=/var/lib/argeo.d/%I
+
+ExecStart=java \
+-Djava.library.path=/usr/local/lib/a2/org.argeo.slc:/usr/local/lib/a2/org.argeo.tp.sys \
+-Dosgi.configuration.cascaded=true \
+-Dosgi.sharedConfiguration.area=${CONFIGURATION_DIRECTORY} \
+-Dosgi.sharedConfiguration.area.readOnly=true \
+-Dosgi.configuration.area=${STATE_DIRECTORY}/state/ \
+-Dosgi.instance.area=${STATE_DIRECTORY}/data/ \
+-Dargeo.node.repo.indexesBase=${CACHE_DIRECTORY}/indexes \
+-Dorg.osgi.framework.system.packages.extra=sun.security.util,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp \
+-Dorg.eclipse.equinox.http.jetty.autostart=false \
+-Declipse.ignoreApp=true \
+-Dosgi.noShutdown=true \
+@/usr/local/etc/argeo/jvm.args \
+@${CONFIGURATION_DIRECTORY}/../jvm.args \
+@${CONFIGURATION_DIRECTORY}/jvm.args \
+-cp "/usr/local/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:/usr/local/share/a2/org.argeo.cms/org.argeo.init.2.3.jar" \
+org.argeo.init.ServiceMain
+
+# Exit codes of the JVM when SIGTERM or SIGINT have been caught:
+SuccessExitStatus=143 130
+
+CPUAccounting=true
+MemoryAccounting=true
+TasksAccounting=true
+IOAccounting=true
+IPAccounting=true
+
+[Install]
+WantedBy=network-online.target
diff --git a/lib/systemd/system/freed-ipsec-roaming@.service b/lib/systemd/system/freed-ipsec-roaming@.service
new file mode 100644
index 0000000..4318528
--- /dev/null
+++ b/lib/systemd/system/freed-ipsec-roaming@.service
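Review bot: `WantedBy=network-online.target` in the `[Install]` section of lib/systemd/system/argeo@.service points the wrong way: network-online.target is a passive target that a unit pulls in, so the unit should carry `Wants=network-online.target` next to its existing `After=network-online.target` and be installed with `WantedBy=multi-user.target`. As written, the `After=` ordering only takes effect if something else activates network-online.target, and enabling an instance hooks it onto a target that may never be reached. `EnvironmentFile=/usr/local/etc/default/argeo` names a file this commit adds empty; `EnvironmentFile=-/usr/local/etc/default/argeo` keeps the service starting if an operator removes it. Since the service already runs as `User=freed` with systemd-managed State/Logs/Cache directories, `NoNewPrivileges=yes`, `ProtectSystem=strict` and `PrivateTmp=yes` would cost nothing and limit what a compromised JVM can write.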
@@ -0,0 +1,24 @@
+[Unit]
+Description=Roaming IPSec to '%i'
+After=network-online.target
+Wants=network-online.target
+
+After=ipsec.service
+PartOf=ipsec.service
+Requires=ipsec.service
+
+StartLimitIntervalSec=60
+StartLimitBurst=20
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=ipsec auto --start %i
+ExecStop=ipsec auto --delete %i
+
+Restart=on-failure
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target
+RequiredBy=ipsec.service
diff --git a/lib/systemd/system/freed-onresume.service b/lib/systemd/system/freed-onresume.service
new file mode 100644
index 0000000..7b7dc54
--- /dev/null
+++ b/lib/systemd/system/freed-onresume.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=On resume actions
+After=sleep.target
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStartPre=sleep 3
+ExecStart=/usr/bin/systemctl restart ipsec
+
+[Install]
+WantedBy=sleep.target
+
diff --git a/lib/systemd/system/freed-onsuspend.service b/lib/systemd/system/freed-onsuspend.service
new file mode 100644
index 0000000..47afcc2
--- /dev/null
+++ b/lib/systemd/system/freed-onsuspend.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=On suspend actions
+Before=sleep.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl stop ipsec
+ExecStartPost=/usr/bin/sleep 5
+
+[Install]
+WantedBy=sleep.target
diff --git a/lib/systemd/user/argeo.service b/lib/systemd/user/argeo.service
new file mode 100644
index 0000000..f6783f0
--- /dev/null
+++ b/lib/systemd/user/argeo.service
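Review bot: `RequiredBy=ipsec.service` in the `[Install]` section of lib/systemd/system/freed-ipsec-roaming@.service, combined with `Requires=ipsec.service` and `PartOf=ipsec.service` in `[Unit]`, makes the dependency bidirectional: once an instance is enabled, ipsec.service requires it, so `systemctl stop freed-ipsec-roaming@NAME` (NAME standing for any instance) stops ipsec.service and, through `PartOf=`, every other roaming instance with it. Dropping `RequiredBy=ipsec.service` and keeping `WantedBy=multi-user.target` leaves the one-way "instance follows the daemon" relation that `PartOf=` and `Requires=` already express. `Restart=on-failure` on a `Type=oneshot` unit is refused by older systemd releases; if the combination is intended, a comment naming the minimum systemd version would help whoever packages this for an older distribution.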
@@ -0,0 +1,31 @@
+[Unit]
+Description=Argeo user runtime
+
+[Service]
+Type=simple
+StateDirectory=argeo/slc
+LogsDirectory=argeo/slc
+ConfigurationDirectory=argeo/slc
+CacheDirectory=argeo/slc
+EnvironmentFile=/usr/local/etc/default/argeo
+WorkingDirectory=/usr/local/
+
+# Optional files
+ExecStartPre=/usr/bin/mkdir -p ${CONFIGURATION_DIRECTORY}
+ExecStartPre=/usr/bin/touch ${CONFIGURATION_DIRECTORY}/jvm.args
+
+ExecStart=java \
+-Djava.library.path=/usr/local/lib/a2/org.argeo.slc:/usr/local/lib/a2/org.argeo.tp.sys:/usr/local/lib/a2/swt/rcp/org.argeo.tp.swt \
+-Dosgi.framework.useSystemProperties=false \
+@/usr/local/etc/argeo/jvm.args \
+@/usr/local/etc/argeo/user/jvm.args \
+@${CONFIGURATION_DIRECTORY}/jvm.args \
+-cp "/usr/local/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:/usr/local/share/a2/org.argeo.cms/org.argeo.init.2.3.jar:/usr/local/lib/a2/org.argeo.slc/*:/usr/local/lib/a2/org.argeo.tp.sys/*:/usr/local/lib/a2/swt/rcp/org.argeo.tp.swt/*" \
+org.argeo.init.RuntimeManagerMain \
+etc/argeo/user/slc
+
+# Exit codes of the JVM when SIGTERM or SIGINT have been caught:
+SuccessExitStatus=143 130
+
+[Install]
+WantedBy=multi-user.target
diff --git a/libexec/ipsec/_updown.host4client6 b/libexec/ipsec/_updown.host4client6
new file mode 100755
index 0000000..2f748a6
--- /dev/null
+++ b/libexec/ipsec/_updown.host4client6
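Review bot: `WantedBy=multi-user.target` in the `[Install]` section of lib/systemd/user/argeo.service names a system-manager target; a per-user manager boots to `default.target`, so `systemctl --user enable argeo` creates a symlink under a `multi-user.target.wants` directory that is never reached and the runtime does not start at login — use `WantedBy=default.target`. The last `ExecStart` argument `etc/argeo/user/slc` is relative to `WorkingDirectory=/usr/local/`, and the Makefile's `all` target only rewrites the literal `/usr/local/etc`, so with `prefix=/usr sysconfdir=/etc` as debian/rules passes the service still resolves `/usr/local/etc/argeo/user/slc` while the files land under /etc; making the argument absolute (`/usr/local/etc/argeo/user/slc`) lets the substitution apply, and `WorkingDirectory=/usr/local/` deserves the same check since no sed pattern matches it. `ExecStartPre=/usr/bin/mkdir -p ${CONFIGURATION_DIRECTORY}` duplicates what `ConfigurationDirectory=` already does when the unit starts, so only the `touch` line is needed.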
@@ -0,0 +1,977 @@ +#!/bin/sh +# +# default updown script for use with NETKEY(XFRM) +# +# Copyright (C) 2003-2004 Nigel Metheringham +# Copyright (C) 2002-2007 Michael Richardson +# Copyright (C) 2007-2008 Paul Wouters +# Copyright (C) 2003-2020 Tuomo Soini +# Copyright (C) 2011-2016 Paul Wouters +# Copyright (C) 2016 Antony Antony +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of Libreswan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown= parameters in ipsec.conf to make +# Libreswan use your modified updown script instead of this default one. + +test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x + +LC_ALL=C +export LC_ALL + +# Things that this script gets (from ipsec_pluto(8) man page) +# +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway +# communications is IPv6, then a suffix of -v6 is added +# to the verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. 
+# +# PLUTO_CONN_POLICY +# the policy of the connection, as in: +# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC +# +failureDROP+lKOD+rKOD +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the real interface used by encrypted traffic and IKE traffic +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_METRIC +# is the metric to set for the route +# +# PLUTO_MTU +# is the mtu to set for the route +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / mask (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the protocol for this connection. Useful for +# firewalling. +# +# PLUTO_MY_PORT +# is the port. Useful for firewalling. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client subnet. +# If the client is just the peer, this will be +# the peer's own IP address / mask (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the protocol set for remote end with port +# selector. +# +# PLUTO_PEER_PORT +# is the peer's port. Useful for firewalling. 
+# +# PLUTO_CFG_CLIENT=0|1 +# is MODECFG or IKEv2 Config client. +# +# PLUTO_CFG_SERVER=0|1 +# is MODECFG or IKEv2 Config server. +# +# PLUTO_CONNECTION_TYPE +# +# PLUTO_CONN_ADDRFAMILY +# is the family type, "ipv4" or "ipv6" +# +# PLUTO_PROTO_STACK +# is the local IPsec kernel stack used, eg NETKEY, NOSTACK +# +# PLUTO_IS_PEER_CISCO=0|1 +# remote server type is cisco. Add support for cisco extensions +# when used with xauth. +# +# PLUTO_NM_CONFIGURED=0|1 +# is NetworkManager used for resolv.conf update +# +# PLUTO_SA_REQID +# When using KAME or XFRM/NETKEY, the IPsec SA reqid base value. +# ESP/AH out is base, ESP/AH in = base + 1 +# IPCOMP is base + 2 plus for inbound + 1 +# +# PLUTO_SA_TYPE +# The type of IPsec SA (ESP or AH) +# +# PLUTO_USERNAME +# The username (XAUTH or GSSAPI) that was authenticated (if any) +# for this SA +# +# PLUTO_VIRT_INTERFACE +# is the name of ipsec interface used by clear traffic in/out +# +# +# XAUTH_FAILED +# If xauthfail=soft this will be set to 1 if XAUTH authentication +# failed. If xauthfail=hard, the updown scripts never run. +# +# CONNMARK +# If mark= is set on the connection, this variable will be +# set with the value. It can be used for iptables or VTI. +# +# VTI_IFAC=iface +# Name of VTI interface to create +# +# VTI_ROUTING=yes|no +# Whether or not to perform ip rule and ip route commands +# covering the IPsec SA address ranges to route those packets +# into the VTI_IFACE interface. This should be enabled unless +# the IPsec SA covers 0.0.0.0/0 <-> 0.0.0.0/0 +# +# VTI_SHARED=yes|no +# Whether or not more conns (or instances) share a VTI device. +# If not shared, the VTI device is deleted when tunnel goes down. +# +# SPI_IN / SPI_OUT +# The inbound and outbound SPI's of the connection. + +# rpm based systems +if [ -f /etc/sysconfig/pluto_updown ]; then + . /etc/sysconfig/pluto_updown +# deb based systems +elif [ -f /etc/default/pluto_updown ]; then + . 
/etc/default/pluto_updown +fi + +BACKUP_RESOLV_CONF=/run/pluto/libreswan-resolv-conf-backup +ETC_RESOLV_CONF=/etc/resolv.conf + +case "${PLUTO_CONN_ADDRFAMILY}" in + ipv4) + FAMILY=4 + MAX_CIDR=32 + SCOPE=50 # Use scope 50 to verify ip was added by addsource() + ;; + ipv6) + FAMILY=6 + MAX_CIDR=128 + SCOPE=global + ;; + *) + echo "unknown address family \"${PLUTO_CONN_ADDRFAMILY}\"" >&2 + exit 1 + ;; +esac +export FAMILY MAX_CIDR SCOPE + +# 2022-09-03 - mbaudier : Hack when having an IPv6 subnet +export CLIENT_FAMILY=6 +export CLIENT_MAX_CIDR=128 + +# Ignore parameter custom +if [ "${1}" = "custom" ]; then + shift +fi + +while [ $# -gt 0 ]; do + case ${1} in + --route) + case ${2} in + [Yy]*) + ROUTE=yes + PROXY_ARP_ROUTE=no + ;; + *) + ROUTE= + PROXY_ARP_ROUTE= + ;; + esac + shift; shift + ;; + --iproute) + IPRARGS="${2}" + shift; shift + ;; + *) + echo "$0: Unknown argument \"${1}\"" >&2 + exit 1 + ;; + esac +done + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doproxyarp add + doroute replace +} + +downroute() { + doroute del + doproxyarp delete +} + +downrule() { + if [ -n "${PLUTO_MY_SOURCEIP}" -a 0${PLUTO_IS_PEER_CISCO} -eq 1 ]; then + doroute del + fi +} + +updateresolvconf() { + local domain + local nameserver + local new_nameserver + local new_resolv_conf + local new_search + local orig_domain + local orig_nameserver + local rc + rc=0 + if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then + return ${rc} + fi + if [ -n "$(pidof unbound)" -a \ + -n "${PLUTO_PEER_DNS_INFO}" -a \ + -n "${PLUTO_PEER_DOMAIN_INFO}" ] + then + for domain in ${PLUTO_PEER_DOMAIN_INFO}; do + echo "updating local nameserver for ${domain} with ${PLUTO_PEER_DNS_INFO}" + unbound-control forward_add ${domain} \ + ${PLUTO_PEER_DNS_INFO} + unbound-control flush_zone ${domain} + unbound-control flush_requestlist + done + rc=$? 
+ elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 -a \ + -n "${PLUTO_PEER_DNS_INFO}" ] + then + echo "updating resolvconf" + + if [ ! -e "${ETC_RESOLV_CONF}" ]; then + echo "resolv.conf does not exist, so doing nothing" + return 0 + fi + + if [ -e "${BACKUP_RESOLV_CONF}" ]; then + if grep -q Libreswan "${ETC_RESOLV_CONF}"; then + echo "Current resolv.conf is generated by Libreswan, and backup resolv.conf already exists, so doing nothing" + return 0 + else + echo "backup resolv.conf exists, but current resolv.conf is not generated by Libreswan" + fi + fi + + rm -f -- "${BACKUP_RESOLV_CONF}" + cp -- "${ETC_RESOLV_CONF}" "${BACKUP_RESOLV_CONF}" + + new_resolv_conf="# Generated by Libreswan (IPsec)" + + orig_domain="$(grep ^domain "${ETC_RESOLV_CONF}" 2>/dev/null | \ + awk '{ print $2 }')" + + orig_search=$(grep ^search "${ETC_RESOLV_CONF}" 2>/dev/null | \ + sed 's/^search[[:space:]]\+//;s/[[:space:]]*\#.*//') + + if [ -n "${orig_domain}" ]; then + new_resolv_conf="${new_resolv_conf} +domain ${orig_domain}" + fi + + if [ -n "${orig_search}" ]; then + new_search="${orig_search}" + elif [ -n "${orig_domain}" ]; then + new_search="${orig_domain}" + fi + + if [ -n "${PLUTO_PEER_DOMAIN_INFO}" ]; then + if [ -n "${new_search}" ]; then + new_search=$(echo $(echo "${new_search} ${PLUTO_PEER_DOMAIN_INFO}" | tr [:space:] '\n' | awk '!a[$0]++')) + else + new_search="${PLUTO_PEER_DOMAIN_INFO}" + fi + fi + + if [ -n "${new_search}" ]; then + new_resolv_conf="${new_resolv_conf} +search ${new_search}" + fi + + orig_nameserver=$(grep -m 1 ^nameserver "${ETC_RESOLV_CONF}" | \ + sed 's/^nameserver[[:space:]]\+//;s/[[:space:]]*\#.*//') + if [ -n "${orig_nameserver}" ]; then + new_nameserver=$(echo $(echo "${PLUTO_PEER_DNS_INFO} ${orig_nameserver}" | tr [:space:] '\n' | awk '!a[$0]++')) + else + new_nameserver="${PLUTO_PEER_DNS_INFO}" + fi + + for nameserver in ${new_nameserver}; do + new_resolv_conf="${new_resolv_conf} +nameserver ${nameserver}" + done + + echo "${new_resolv_conf}" > 
"${ETC_RESOLV_CONF}" + rc=$? + fi + return ${rc} +} + +restoreresolvconf() { + local domain + local rc + rc=0 + if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then + return ${rc} + fi + if [ -n "$(pidof unbound)" -a \ + -n "${PLUTO_PEER_DNS_INFO}" -a \ + -n "${PLUTO_PEER_DOMAIN_INFO}" ] + then + for domain in ${PLUTO_PEER_DOMAIN_INFO}; do + echo "flushing local nameserver of ${domain}" + unbound-control forward_remove ${domain} + unbound-control flush_zone ${domain} + unbound-control flush_requestlist + done + rc=$? + elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 ]; then + # We only restore if current resolv.conf is made by us. + if grep -q Libreswan "${ETC_RESOLV_CONF}" 2>/dev/null; then + # And if there is a backup... + if [ -e "${BACKUP_RESOLV_CONF}" ]; then + echo "restoring resolvconf" + else + return 0 + fi + cp -- "${BACKUP_RESOLV_CONF}" "${ETC_RESOLV_CONF}" + fi + rm -f -- "${BACKUP_RESOLV_CONF}" + rc=0 + fi + return ${rc} +} + +notifyNM() { + # This will be called whenever a connection is established or + # fails to establish (either phase 1, xauth phase, or phase 2) + # or whenever an already established connection is being terminated. + # This will send a signal to NetworkManager over dbus so that NM + # can keep track of the coonnections. + + if [ 0${PLUTO_NM_CONFIGURED} -eq 1 ]; then + echo "sending $1 signal to NetworkManager" + libreswan_reason=$1 + export libreswan_reason + export PLUTO_PEER_DOMAIN_INFO + export PLUTO_PEER_DNS_INFO + export PLUTO_PEER_BANNER + export PLUTO_MY_SOURCEIP + export PLUTO_PEER + [ -x /usr/libexec/nm-libreswan-service-helper ] && \ + /usr/libexec/nm-libreswan-service-helper + fi + return 0 +} + +addsource() { + local interface + local st + interface=lo + st=0 + + if [ -z "${PLUTO_MY_SOURCEIP}" ]; then + return ${st} + fi + # check if given sourceip is local and add as alias if not + if ! 
ip -${CLIENT_FAMILY} -o route get ${PLUTO_MY_SOURCEIP} | grep -q ^local; then + if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then + interface="${VTI_IFACE}" + elif [ -n "${PLUTO_XFRMI_ROUTE}" ]; then + interface=${PLUTO_VIRT_INTERFACE} + fi + it="ip addr add ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} dev ${interface} scope ${SCOPE}" + oops="$(eval ${it} 2>&1)" + st=$? + if [ -z "${oops}" -a ${st} -ne 0 ]; then + oops="silent error, exit status ${st}" + fi + case "${oops}" in + 'RTNETLINK answers: File exists'*) + # should not happen, but ... ignore if the + # address was already assigned on interface + oops="" + st=0 + ;; + esac + if [ -n "${oops}" -o ${st} -ne 0 ]; then + echo "$0: addsource \"${it}\" failed (${oops})" >&2 + fi + fi + return ${st} +} + +delsource() { + local interface + local oops + local st + interface=lo + st=0 + if [ -z "${PLUTO_MY_SOURCEIP}" ]; then + return ${st} + fi + # Remove source ip if it's not used any more. + if [ -z "$(ip -${CLIENT_FAMILY} -o route list src ${PLUTO_MY_SOURCEIP})" ]; then + if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then + interface="${VTI_IFACE}" + elif [ -n "${PLUTO_XFRMI_ROUTE}" ]; then + interface=${PLUTO_VIRT_INTERFACE} + fi + # If there is no ip we just return + if ! ip -${FAMILY} -o addr list dev ${interface} scope ${SCOPE} | \ + grep -q ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} + then + return ${st} + fi + + if [ -n "${PLUTO_MOBIKE_EVENT}" ] ; then + return ${st} + fi + + it="ip -${CLIENT_FAMILY} addr del ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} dev ${interface}" + oops="$(eval ${it} 2>&1)" + st=$? + if [ -z "${oops}" -a ${st} -ne 0 ]; then + oops="silent error, exit status ${st}" + fi + case "${oops}" in + 'RTNETLINK answers: File exists'*) + # should not happen, but ... 
ignore if the + # address was already assigned on interface + oops="" + st=0 + ;; + 'RTNETLINK answers: Cannot assign'*) + # Address is not there to remove or is there with different + # netmask and in that case we must not remove it so we ignore + # the error. + oops="" + st=0 + ;; + esac + if [ -n "${oops}" -o ${st} -ne 0 ]; then + echo "$0: delsource \"${it}\" failed (${oops})" >&2 + fi + fi + return ${st} +} + +doproxyarp() { + local cmd + local iface + cmd=${1} + # Check if client has a single ip only client net + if [ ${PLUTO_PEER_CLIENT#*/} = ${MAX_CIDR} ]; then + # Skip OE special connections and direct host-host connections + if [ "${PLUTO_PEER_CLIENT_NET}" = "0.0.0.0" -o \ + "${PLUTO_PEER_CLIENT_NET}" = "::" -o \ + "${PLUTO_PEER_CLIENT_NET}" = "${PLUTO_PEER}" -o \ + "${PLUTO_MY_CLIENT_NET}" = "${PLUTO_ME}" ] + then + return 0 + fi + # check if client is routeable + if ip -${FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} 2>/dev/null | \ + grep -E -q -s -v " via |^local" + then + iface=$(ip -${FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} 2>/dev/null | \ + awk '{print $3}') + if [ -r /sys/class/net/${iface}/address ]; then + macaddr=$(cat /sys/class/net/${iface}/address) + fi + # add/remove arp entry for the client on ethernet devices only + if [ -n "${macaddr}" ]; then + if [ "${cmd}" = "add" ]; then + ip -${FAMILY} neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} \ + lladdr ${macaddr} nud permanent + # Force routing, required for proxyarp to work + PROXY_ARP_ROUTE=yes + export PROXY_ARP_ROUTE + else + ip -${FAMILY} neigh del proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} + fi + fi + fi + fi +} + +do_ip() +{ + local cmd="$1" + oops="$(eval ${cmd} 2>&1)" + st=$? + + if [ -z "${oops}" -a ${st} -ne 0 ]; then + oops="silent error, exit status ${st}" + fi + + case "${oops}" in + 'RTNETLINK answers: No such process'*) + # should not happen, but ... 
ignore if the + # route was already removed + oops="" + st=0 + ;; + esac + + if [ -n "${oops}" -a ${st} -ne 0 ]; then + echo "$0: doroute \"${cmd}\" failed (${oops})" >&2 + fi + + return ${st} +} + +doroute() { + local cmd + local esp_nexthop + local esp_peer_interface + local espipro + local ipru + local route_table + local oops + local parms + local parms2 + local st + local xfrmi_route + local xfrmi_rule + cmd=${1} + route_table=50 + st=0 + xfrmi_route="${PLUTO_XFRMI_ROUTE}" + + if [ ${cmd} != del ]; then + oops="$(ip -${FAMILY} route get ${PLUTO_PEER_CLIENT_NET} 2>&1)" + case "${oops}" in + 'RTNETLINK answers: No route to host'*) + if [ -z "${PLUTO_XFRMI_ROUTE}" ]; then + ROUTE=yes # Routing is mandatory for IPsec + fi + ;; + esac + fi + + if [ -n "${PLUTO_XFRMI_FWMARK}" ]; then + xfrmi_rule=yes # we have to add "ip rules" and "ip route table" + ROUTE=no # xfrmi_route will add the route + fi + + # skip routing if it's not enabled or necessary + if [ -z "${PLUTO_MY_SOURCEIP}" -a \ + -z "${PLUTO_MTU}" -a \ + "${PROXY_ARP_ROUTE}" != yes -a \ + "${cmd}" != "del" ] + then + PROXY_ARP_ROUTE=no + fi + + if [ -n "${PLUTO_MY_SOURCEIP}" -o -n "${PLUTO_MTU}" ]; then + ROUTE=yes + fi + + if [ "${PLUTO_PEER_CLIENT}" = "${PLUTO_MY_CLIENT}" -a \ + "${PLUTO_XFRMI_ROUTE}" = yes ] + then + xfrmi_route="samesubnets"; + echo "leftsubet == rightsubnet = ${PLUTO_PEER_CLIENT} cannot add route" + fi + + parms="${PLUTO_PEER_CLIENT}" + parms2=${IPRARGS} + # nexthop is not needed on ppp interfaces. unset it to make cases + # work, where left is set but no leftnexthop (e.g. 
left=%defaultroute) + if ip link show "${PLUTO_INTERFACE%:*}" | grep -q POINTOPOINT; then + POINTPOINT=yes + fi + # use nexthop if nexthop is not %direct and POINTPOINT is not set + if [ "${PLUTO_NEXT_HOP}" != "${PLUTO_PEER}" -a -z "${POINTPOINT}" ]; then + # XFRM interface needs no nexthop + if [ -z "${PLUTO_XFRMI_ROUTE}" ]; then + parms2="via ${PLUTO_NEXT_HOP}" + fi + esp_nexthop="via ${PLUTO_NEXT_HOP} " + fi + # route via proper interface according to routing table + if [ "${cmd}" = "del" ]; then + case "${PLUTO_PEER_CLIENT}" in + "0.0.0.0/0") + # in case of default route we use half routes + peer_interface=$(ip -${FAMILY} -o route list exact 0.0.0.0/1 | \ + sed "s/^.*dev \([^ ]*\) .*/\1/") + ;; + "::/0") + # in case of default route we use half routes + peer_interface=$(ip -${FAMILY} -o route list exact 2000::/3 | \ + sed "s/^.*dev \([^ ]*\) .*/\1/") + ;; + *) + peer_interface=$(ip -${CLIENT_FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} | \ + sed "s/^.*dev \([^ ]*\) .*/\1/") + ;; + esac + else + peer_interface=$(ip -o route get ${PLUTO_NEXT_HOP} | \ + sed "s/^.*dev \([^ ]*\) .*/\1/") + fi + + esp_peer_interface=$(ip -${FAMILY} -o route get ${PLUTO_NEXT_HOP} \ + from ${PLUTO_ME} | sed "s/^.*\(dev [^ ]*\) .*/\1/") + if [ -z "${esp_peer_interface}" ]; then + esp_peer_interface="dev ${PLUTO_INTERFACE}" + fi + + if [ -z "${peer_interface}" ]; then + peer_interface=${PLUTO_INTERFACE} + fi + + if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then + peer_interface=${PLUTO_VIRT_INTERFACE} + fi + + if [ -n "${VTI_IFACE}" ]; then + addsource + peer_interface="${VTI_IFACE}" + fi + + parms2="${parms2}${PLUTO_MTU:+ mtu ${PLUTO_MTU}}" + parms2="${parms2}${PLUTO_METRIC:+ metric ${PLUTO_METRIC}} ${IPROUTEARGS}" + + parms2="${parms2} dev ${peer_interface%:*}" + + # make sure we have sourceip locally in this machine + if [ "${cmd}" = "replace" -a -n "${PLUTO_MY_SOURCEIP}" ]; then + addsource + # use sourceip as route default source + parms2="${parms2} src ${PLUTO_MY_SOURCEIP}" + fi + + 
case "${PLUTO_PEER_CLIENT}" in + "0.0.0.0/0") + # need to provide route that eclipses default, without + # replacing it. + it="ip -${FAMILY} route ${cmd} 0.0.0.0/1 ${parms2} && \ + ip -${FAMILY} route ${cmd} 128.0.0.0/1 ${parms2}" + ;; + "::/0") + # need to provide route that eclipses default, without + # replacing it. + it="ip -${FAMILY} route ${cmd} 2000::/3 ${parms2}" + ;; + *) + it="ip -${CLIENT_FAMILY} route ${cmd} ${parms} ${parms2}" + ;; + esac + + if [ "${ROUTE}" = yes -o \ + "${xfrmi_route}" = yes -o \ + "${PROXY_ARP_ROUTE}" = yes ] + then + do_ip "${it}" + st=$? + if [ ${st} -ne 0 ]; then + return ${st} + fi + fi + + if [ "${xfrmi_rule}" = "yes" ]; then + espipro="ip -${FAMILY} route ${cmd} ${PLUTO_PEER}/${MAX_CIDR} ${esp_nexthop} ${esp_peer_interface%:*} table ${route_table}" + do_ip "${espipro}" + + st=$? + if [ ${st} -ne 0 ]; then + return ${st} + fi + + iprulecmd="${cmd}" + if [ "${cmd}" = "replace" ]; then + iprulecmd="add" + fi + + ipru="ip -${FAMILY} rule ${iprulecmd} prio 100 to ${parms}" + ipru="${ipru} fwmark ${PLUTO_XFRMI_FWMARK} lookup ${route_table}" + + do_ip "${ipru}" + st=$? 
+ if [ ${st} -ne 0 ]; then + return ${st} + fi + + fi + return 0 +} + +# TODO: We need to specify CIDR mask but our _MASK variables are in old school format +# TODO: Exclude udp 4500 traffic +addnflog() { + if [ -n "${NFLOG}" ]; then + iptables -I OUTPUT -m policy --dir out --pol ipsec \ + -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \ + -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION} + iptables -I INPUT -m policy --dir in --pol ipsec \ + -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \ + -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION} + fi +} + +delnflog() { + if [ -n "${NFLOG}" ]; then + iptables -D OUTPUT -m policy --dir out --pol ipsec \ + -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \ + -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION} + iptables -D INPUT -m policy --dir in --pol ipsec \ + -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \ + -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION} + fi +} + +addvtiiface() { + if [ -n "${VTI_IFACE}" ]; then + if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then + echo "vti-interface option ignored because no mark was configured" + else + if [ ! 
-d "/proc/sys/net/ipv4/conf/${VTI_IFACE}" ]; then + # echo "creating vti interface" + vtipeer="${PLUTO_PEER}" + if [ "${PLUTO_CONN_KIND}" = CK_INSTANCE -o "${VTI_SHARED}" = "yes" ]; then + vtipeer="0.0.0.0" + fi + ip tunnel add ${VTI_IFACE} mode vti local ${PLUTO_ME} \ + remote ${vtipeer} okey ${CONNMARK_OUT%/*} \ + ikey ${CONNMARK_IN%/*} + sysctl -w net.ipv4.conf.${VTI_IFACE}.disable_policy=1 + sysctl -w net.ipv4.conf.${VTI_IFACE}.rp_filter=0 + sysctl -w net.ipv4.conf.${VTI_IFACE}.forwarding=1 + if [ -n "${VTI_IP}" ]; then + ip addr add ${VTI_IP} dev ${VTI_IFACE} + fi + ip link set ${VTI_IFACE} up + else + # check there was no conflict if we are sharing - might be sensitive to /sbin/ip differences + if [ "${VTI_SHARED}" = yes ]; then + #test: ip/ip remote 3.4.5.6 local 1.2.3.4 ttl inherit key 5 + cur="$(ip tun show ${VTI_IFACE})" + new="${VTI_IFACE}: ip/ip remote any local ${PLUTO_ME} ttl inherit key ${CONNMARK_OUT%/*}" + if [ "${cur}" != "${new}" ]; then + echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting" + echo "existing: ${cur}" + echo "wanted : ${new}" + else + # temp debug + echo "vti interface already exists with identical parameters, OK" + fi + else + echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting (perhaps need vti-sharing=yes ?" 
+ fi + fi + fi + fi +} + +addvti() { + if [ -n "${VTI_IFACE}" ]; then + if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then + echo "vti-interface option ignored because no mark was configured" + else + if [ "${VTI_ROUTING}" = yes ]; then + # Tuomo should improve this with using ${PLUTO_MY_CLIENT_NET} + # echo "setting up vti routing" + r=add + ip route list | grep -q "${PLUTO_PEER_CLIENT%/*}" && r=change + if [ "${r}" = change ]; then + # resolve LAN conflict by forcing host route for default gw + gw="$(ip ro li | grep ^default | awk '{ print $3;}')" + gwdev="$(ip ro li | grep ^default | awk '{ print $5;}')" + # echo "ip route add ${gw} dev ${gwdev}" + ip route add ${gw} dev ${gwdev} >/dev/null ||: + fi + srcip="" + if [ -n "${PLUTO_MY_SOURCEIP}" ]; then + srcip=" src ${PLUTO_MY_SOURCEIP}" + fi + # echo "ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip}" + ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip} + echo "done ip route" + fi + fi + fi +} + +delvti() { + if [ -n "${VTI_IFACE}" -a -d /proc/sys/net/ipv4/conf/${VTI_IFACE} ]; then + if [ "${VTI_ROUTING}" = yes ]; then + ip route del ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} \ + src ${PLUTO_MY_SOURCEIP} ||: + fi + # TODO: we can't delete vti interface because we don't have proper reference + # counting. 
+ #if [ "${VTI_SHARED}" = no -a "${PLUTO_CONN_KIND}" != CK_INSTANCE ]; then + # ip tun del ${VTI_IFACE} ||: + #fi + fi +} + +# Client Address Translation CAT +addcat() { + if [ -n "${CAT}" ] && [ "${PLUTO_MY_CLIENT_NET}" != "0.0.0.0" ] ; then + iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \ + -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET} + iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \ + -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \ + -j DNAT --to-destination ${PLUTO_ME} + fi +} + +delcat() { + if [ -n "${CAT}" ]; then + iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec \ + -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \ + -j DNAT --to-destination ${PLUTO_ME} + iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \ + -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET} + fi +} + +# the big choice +case "${PLUTO_VERB}" in + prepare-host|prepare-client) + addvtiiface + ;; + route-host|route-client) + # connection to me or my client subnet being routed + addvti + uproute + addnflog + ;; + unroute-host|unroute-client) + # connection to me or my client subnet being unrouted + downroute + delsource + ;; + up-host) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; + down-host) + # connection to me going down + downrule + delnflog + delcat + delvti + # If you are doing a custom version, firewall commands go here. + ;; + up-client) + # connection to my client subnet coming up + addvtiiface + updateresolvconf + addcat + addsource + notifyNM connect + addvti + # If you are doing a custom version, firewall commands go here. + ;; + down-client) + # connection to my client subnet going down + downrule + delnflog + delcat + delvti + restoreresolvconf + notifyNM disconnect + # If you are doing a custom version, firewall commands go here. 
+ ;;
+ #
+ # IPv6
+ #
+ prepare-host-v6|prepare-client-v6)
+ # prepare client for connection
+ ;;
+ route-host-v6|route-client-v6)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+ unroute-host-v6|unroute-client-v6)
+ # connection to me or my client subnet being unrouted
+ downroute
+ delsource
+ ;;
+ up-host-v6)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ down-host-v6)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ up-client-v6)
+ # connection to my client subnet coming up
+ addsource
+ updateresolvconf
+ notifyNM connect
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ down-client-v6)
+ # connection to my client subnet going down
+ restoreresolvconf
+ notifyNM disconnect
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ *) echo "$0: unknown verb \"${PLUTO_VERB}\" or parameter \"${1}\"" >&2
+ exit 1
+ ;;
+esac
diff --git a/local.mk b/local.mk
deleted file mode 100644
index 7095276..0000000
--- a/local.mk
+++ /dev/null
@@ -1,26 +0,0 @@
-# GNU coding standards
-prefix ?= /usr/local
-exec_prefix ?= $(prefix)
-bindir ?= $(exec_prefix)/bin
-sbindir ?= $(exec_prefix)/sbin
-libdir ?= $(exec_prefix)/lib
-libexecdir ?= $(exec_prefix)/libexec
-sysconfdir ?= $(prefix)/etc
-srcdir ?= src
-datarootdir ?= $(prefix)/share
-
-COPY=cp --reflink=auto
-
-all:
- $(MAKE) -C sjbin all
-
-clean:
- $(MAKE) -C sjbin clean
-
-install:
- $(COPY) -r --no-clobber etc/* $(DESTDIR)$(sysconfdir)
- $(COPY) -r usr/bin/* $(DESTDIR)$(bindir)
- $(COPY) -r usr/share/* $(DESTDIR)$(datarootdir)
- $(COPY) -r usr/lib/* $(DESTDIR)$(libdir)
- $(COPY) -r usr/libexec/* $(DESTDIR)$(libexecdir)
- $(MAKE) -C sjbin install
diff --git a/sjbin/.gitignore b/sjbin/.gitignore
index 01c3b51..957158a 100644
--- a/sjbin/.gitignore
+++ b/sjbin/.gitignore
@@ -1,4 +1,4 @@
 /bin/
 /src/*
 !/src/*.java
-/freed-pid1
+/freed-*
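Review bot: In `delsource` the presence check `ip -${FAMILY} -o addr list dev ${interface} scope ${SCOPE} | grep -q ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR}` mixes the connection family with the hard-coded client family: for an `ipv4` connection `FAMILY` is 4 while `CLIENT_MAX_CIDR` is 128, so the `-4` listing never contains a `/128` entry, the function returns early, and the address that `addsource` put on `lo` with `ip addr add .../128` is never removed on unroute or down. The listing should use the same family as the add and delete commands, `if ! ip -${CLIENT_FAMILY} -o addr list dev ${interface} scope ${SCOPE} | \`. More generally the unconditional `export CLIENT_FAMILY=6` / `export CLIENT_MAX_CIDR=128` make this copy valid only for IPv6 client subnets, which the one-line "Hack" comment should state plainly, e.g. `# This copy assumes every client subnet and sourceip is IPv6 even when the IKE peers use IPv4; it must not be installed as the default updown script`. A source address that silently stays on `lo` after the tunnel is down is the kind of state drift that is costly to debug later, so the removal path deserves the fix.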
diff --git a/sjbin/Makefile b/sjbin/Makefile
index 959f751..ce25ce8 100644
--- a/sjbin/Makefile
+++ b/sjbin/Makefile
@@ -19,7 +19,7 @@ clean:
 install:
 # TODO generalise
- cp -v --preserve=mode freed-pid1 $(DESTDIR)$(sbindir)
- sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sbindir)/freed-pid1
+ install -D -m755 -t $(DESTDIR)$(sbindir)freed-*
+ sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sbindir)/*
 sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sysconfdir)/freed/pid1/jvm.args
 # cp -v ../../etc/freed/init/* $(DESTDIR)$(sysconfdir)/freed/init
diff --git a/sjbin/src/freed-pid1.java b/sjbin/src/freed-pid1.java
deleted file mode 100644
index 446cc0e..0000000
--- a/sjbin/src/freed-pid1.java
+++ /dev/null
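Review bot: `install -D -m755 -t $(DESTDIR)$(sbindir)freed-*` is missing the space between the target directory and the file glob, so the whole string becomes the `-t` argument and `install` is left with no file operands; the line should read `install -D -m755 -t $(DESTDIR)$(sbindir) freed-*`. The widened `sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sbindir)/*` now rewrites every file in the system sbin directory when installing without `DESTDIR`, including unrelated binaries whose contents happen to contain `/usr/local`; restricting it to what this rule installs, `sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sbindir)/freed-*`, keeps the recipe from touching files it does not own. The `install:` rule starts at the top of the hunk, but the rest of the Makefile is outside it.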
@@ -1,309 +0,0 @@ -//#! /usr/bin/java --source 17 @/usr/local/etc/freed/pid1/jvm.args - -import static java.lang.System.Logger.Level.DEBUG; -import static java.lang.System.Logger.Level.ERROR; -import static java.lang.System.Logger.Level.INFO; -import static java.lang.System.Logger.Level.WARNING; - -import java.io.Console; -import java.io.IOException; -import java.lang.System.Logger; -import java.lang.management.ManagementFactory; -import java.net.InetAddress; -import java.net.InterfaceAddress; -import java.net.NetworkInterface; -import java.net.SocketException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.util.ArrayList; -import java.util.Collections; -import java.util.Enumeration; -import java.util.List; -import java.util.TreeMap; -import java.util.concurrent.atomic.AtomicInteger; - -import org.argeo.init.Service; - -import sun.misc.Signal; - -/** A minimalistic Linux init process. */ -class FreedPid1 { - final static AtomicInteger runLevel = new AtomicInteger(-1); - - private final static Logger logger = System.getLogger(FreedPid1.class.getName()); - - private final static List initDServices = Collections.synchronizedList(new ArrayList<>()); - - public static void main(String... 
args) { - try { - final long pid = ProcessHandle.current().pid(); - Signal.handle(new Signal("TERM"), (signal) -> { - System.out.println("SIGTERM caught"); - System.exit(0); - }); - Signal.handle(new Signal("INT"), (signal) -> { - System.out.println("SIGINT caught"); - System.exit(0); - }); - Signal.handle(new Signal("HUP"), (signal) -> { - System.out.println("SIGHUP caught"); - System.exit(0); - }); - - boolean isSystemInit = pid == 1 || pid == 2; - - if (isSystemInit && args.length > 0 && ("1".equals(args[0]) // - || "single".equals(args[0]) // - || "emergency".equals(args[0]))) { - runLevel.set(1); - for (Object key : new TreeMap<>(System.getProperties()).keySet()) { - System.out.println(key + "=" + System.getProperty(key.toString())); - } - System.out.println("Single user mode"); - System.out.flush(); - ProcessBuilder pb = new ProcessBuilder("/bin/bash"); - pb.redirectError(ProcessBuilder.Redirect.INHERIT); - pb.redirectOutput(ProcessBuilder.Redirect.INHERIT); - pb.redirectInput(ProcessBuilder.Redirect.INHERIT); - Process singleUserShell = pb.start(); - singleUserShell.waitFor(); - } else { - if (args.length == 0) - runLevel.set(5); - else - runLevel.set(Integer.parseInt(args[0])); - - if (runLevel.get() == 0) {// shutting down the whole system - if (!isSystemInit) { - logger.log(INFO, "Shutting down system..."); - shutdown(false); - System.exit(0); - } else { - logger.log(ERROR, "Cannot start at run level " + runLevel.get()); - System.exit(1); - } - } else if (runLevel.get() == 6) {// reboot the whole system - if (!isSystemInit) { - logger.log(INFO, "Rebooting the system..."); - shutdown(true); - } else { - logger.log(ERROR, "Cannot start at run level " + runLevel.get()); - System.exit(1); - } - } - - logger.log(INFO, "FREEd Init daemon starting with pid " + pid + " after " - + ManagementFactory.getRuntimeMXBean().getUptime() + " ms"); - // hostname - String hostname = Files.readString(Paths.get("/etc/hostname")); - new ProcessBuilder("/usr/bin/hostname", 
hostname).start(); - logger.log(DEBUG, "Set hostname to " + hostname); - // networking - initSysctl(); - startInitDService("networking", true); -// Thread.sleep(3000);// leave some time for network to start up - if (!waitForNetwork(10 * 1000)) - logger.log(ERROR, "No network available"); - - // OpenSSH - // TODO make it coherent with Java sshd - startInitDService("ssh", true); - - // NSS services - startInitDService("nslcd", false);// Note: nslcd fails to stop - - // login prompt - Service.addPostStart(() -> new LoginThread().start()); - - // init Argeo CMS - logger.log(INFO, "FREEd Init daemon starting Argeo Init after " - + ManagementFactory.getRuntimeMXBean().getUptime() + " ms"); - Service.main(args); - } - } catch (Throwable e) { - logger.log(ERROR, "Unexpected exception in free-pid1 init, shutting down... ", e); - System.exit(1); - } finally { - stopInitDServices(); - } - } - - static void initSysctl() { - try { - Path sysctlD = Paths.get("/etc/sysctl.d/"); - for (Path conf : Files.newDirectoryStream(sysctlD, "*.conf")) { - try { - new ProcessBuilder("/usr/sbin/sysctl", "-p", conf.toString()).start(); - } catch (IOException e) { - e.printStackTrace(); - } - } - } catch (IOException e) { - e.printStackTrace(); - } - } - - static void startInitDService(String serviceName, boolean stopOnShutdown) { - Path serviceInit = Paths.get("/etc/init.d/", serviceName); - if (Files.exists(serviceInit)) - try { - int exitCode = new ProcessBuilder(serviceInit.toString(), "start").start().waitFor(); - if (exitCode != 0) - logger.log(ERROR, "Service " + serviceName + " dit not stop properly"); - else - logger.log(DEBUG, "Service " + serviceName + " started"); - if (stopOnShutdown) - initDServices.add(serviceName); -// Runtime.getRuntime().addShutdownHook(new Thread(() -> { -// try { -// new ProcessBuilder(serviceInit.toString(), "stop").start().waitFor(); -// } catch (IOException | InterruptedException e) { -// e.printStackTrace(); -// } -// }, "FREEd stop service " + 
serviceName)); - } catch (IOException | InterruptedException e) { - e.printStackTrace(); - } - else - logger.log(WARNING, "Service " + serviceName + " not found and therefore not started"); - } - - static boolean waitForNetwork(long timeout) { - long begin = System.currentTimeMillis(); - long duration = 0; - boolean networkAvailable = false; - try { - networkAvailable: while (!networkAvailable) { - duration = System.currentTimeMillis() - begin; - if (duration > timeout) - break networkAvailable; - Enumeration netInterfaces = null; - try { - netInterfaces = NetworkInterface.getNetworkInterfaces(); - } catch (SocketException e) { - throw new IllegalStateException("Cannot list network interfaces", e); - } - if (netInterfaces != null) { - while (netInterfaces.hasMoreElements()) { - NetworkInterface netInterface = netInterfaces.nextElement(); - logger.log(DEBUG, "Interface:" + netInterface); - for (InterfaceAddress addr : netInterface.getInterfaceAddresses()) { - InetAddress inetAddr = addr.getAddress(); - logger.log(DEBUG, " addr: " + inetAddr); - if (!inetAddr.isLoopbackAddress() && !inetAddr.isLinkLocalAddress()) { - try { - if (inetAddr.isReachable((int) timeout)) { - networkAvailable = true; - duration = System.currentTimeMillis() - begin; - logger.log(DEBUG, - "Network available after " + duration + " ms. 
IP: " + inetAddr); - break networkAvailable; - } - } catch (IOException e) { - logger.log(ERROR, "Cannot check whether " + inetAddr + " is reachable", e); - } - } - } - } - } else { - throw new IllegalStateException("No network interface has been found"); - } - try { - Thread.sleep(1000); - } catch (InterruptedException e) { - // silent - } - } - } catch (Exception e) { - logger.log(ERROR, "Cannot check whether network is available", e); - } - return networkAvailable; - } - - static void shutdown(boolean reboot) { - try { - stopInitDServices(); - Path sysrqP = Paths.get("/proc/sys/kernel/sysrq"); - Files.writeString(sysrqP, "1"); - Path sysrqTriggerP = Paths.get("/proc/sysrq-trigger"); - Files.writeString(sysrqTriggerP, "e");// send SIGTERM to all processes - // Files.writeString(sysrqTriggerP, "i");// send SIGKILL to all processes - Files.writeString(sysrqTriggerP, "e");// flush data to disk - Files.writeString(sysrqTriggerP, "u");// unmount - if (reboot) - Files.writeString(sysrqTriggerP, "b"); - else - Files.writeString(sysrqTriggerP, "o"); - } catch (IOException e) { - logger.log(ERROR, "Cannot shut down system", e); - } - } - - static void stopInitDServices() { - for (int i = initDServices.size() - 1; i >= 0; i--) { - String serviceName = initDServices.get(i); - Path serviceInit = Paths.get("/etc/init.d/", serviceName); - try { - int exitCode = new ProcessBuilder(serviceInit.toString(), "stop").start().waitFor(); - if (exitCode != 0) - logger.log(ERROR, "Service " + serviceName + " dit not stop properly"); - } catch (InterruptedException | IOException e) { - logger.log(ERROR, "Cannot stop service " + serviceName, e); - } - } - } - - /** A thread watching the login prompt. 
*/ - static class LoginThread extends Thread { - private boolean systemShuttingDown = false; - private Process process = null; - - public LoginThread() { - super("FREEd login prompt"); - setDaemon(true); - Runtime.getRuntime().addShutdownHook(new Thread(() -> { - systemShuttingDown = true; - if (process != null) - process.destroy(); - })); - } - - @Override - public void run() { - boolean getty = true; - prompt: while (!systemShuttingDown) { - try { - if (getty) { - ProcessBuilder pb = new ProcessBuilder("/usr/sbin/getty", "38400", "tty2"); - process = pb.start(); - } else { - Console console = System.console(); - console.readLine(); // type return once to activate login prompt - console.printf("login: "); - String username = console.readLine(); - username = username.trim(); - if ("".equals(username)) - continue prompt; - ProcessBuilder pb = new ProcessBuilder("su", "--login", username); - pb.redirectError(ProcessBuilder.Redirect.INHERIT); - pb.redirectOutput(ProcessBuilder.Redirect.INHERIT); - pb.redirectInput(ProcessBuilder.Redirect.INHERIT); - process = pb.start(); - } - Runtime.getRuntime().addShutdownHook(new Thread(() -> process.destroy())); - try { - process.waitFor(); - } catch (InterruptedException e) { - process.destroy(); - } - } catch (Exception e) { - e.printStackTrace(); - } finally { - process = null; - } - } - } - - } -} diff --git a/sjbin/src/freed-register.java b/sjbin/src/freed-register.java new file mode 100644 index 0000000..37d63c2 --- /dev/null +++ b/sjbin/src/freed-register.java @@ -0,0 +1,8 @@ +//#! /usr/bin/java --source 17 @/usr/local/etc/freed/pid1/jvm.args + +/** Register to a FREEd-compatible infrastructure. */ +class FreedPid1 { + + public static void main(String... args) { + } +} diff --git a/usr/bin/argeo b/usr/bin/argeo deleted file mode 100755 index 9ba9150..0000000 --- a/usr/bin/argeo +++ /dev/null 
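Review bot: The new `sjbin/src/freed-register.java` declares `class FreedPid1`, the name of the class this same commit deletes from `freed-pid1.java`, so the file name and the class name disagree; the single-file source launcher presumably still runs it since it executes the first class in the file, but the name reads as a copy-paste leftover and should be `class FreedRegister`. The shebang also points at `/usr/local/etc/freed/pid1/jvm.args`, the pid1 configuration, which may not be the settings a registration tool wants; if that is intentional a one-line comment saying so would help. The empty `main` should at least carry a `// TODO: register this host with the FREEd infrastructure` so the stub's intent survives the deletion of the old init code.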
@@ -1,2 +0,0 @@ -#!/bin/sh -java -Dorg.argeo.api.cli.rootCommand=$0 -jar /usr/share/a2/org.argeo.cms/org.argeo.cms.cli.2.1.jar "$@" \ No newline at end of file diff --git a/usr/bin/jshc b/usr/bin/jshc deleted file mode 100755 index c1320d4..0000000 --- a/usr/bin/jshc +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -java -Xms32m -Xmx64m -jar /usr/share/a2/org.argeo.cms/org.argeo.cms.jshell.2.1.jar "$@" \ No newline at end of file diff --git a/usr/lib/systemd/system/argeo@.service b/usr/lib/systemd/system/argeo@.service deleted file mode 100644 index f3654cd..0000000 --- a/usr/lib/systemd/system/argeo@.service +++ /dev/null @@ -1,44 +0,0 @@ -[Unit] -Description=Argeo node %I -After=network-online.target -Wants=postgresql.service - -[Service] -Type=simple - -User=freed -Group=freed - -StateDirectory=argeo.d/%I -LogsDirectory=argeo.d/%I -ConfigurationDirectory=argeo.d/%I -CacheDirectory=argeo.d/%I -WorkingDirectory=/var/lib/argeo.d/%I - -ExecStart=java \ --Dfile.encoding=UTF-8 \ --Dosgi.configuration.cascaded=true \ --Dosgi.sharedConfiguration.area=/etc/argeo.d/%I/ \ --Dosgi.sharedConfiguration.area.readOnly=true \ --Dosgi.configuration.area=${STATE_DIRECTORY}/state/ \ --Dosgi.instance.area=${STATE_DIRECTORY}/data/ \ --Dargeo.node.repo.indexesBase=${CACHE_DIRECTORY}/indexes \ --Dorg.osgi.framework.system.packages.extra=sun.security.util,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp \ --Declipse.ignoreApp=true \ --Dosgi.noShutdown=true \ --Dorg.eclipse.equinox.http.jetty.autostart=false \ -@/etc/argeo.d/jvm.args \ -@${CONFIGURATION_DIRECTORY}/jvm.args \ -@/usr/share/argeo/jvm.args - -# Exit codes of the JVM when SIGTERM or SIGINT have been caught: -SuccessExitStatus=143 130 - -CPUAccounting=true -MemoryAccounting=true -TasksAccounting=true -IOAccounting=true -IPAccounting=true - -[Install] -WantedBy=multi-user.target 
diff --git a/usr/lib/systemd/system/freed-ipsec-roaming@.service b/usr/lib/systemd/system/freed-ipsec-roaming@.service deleted file mode 100644 index 4318528..0000000 --- a/usr/lib/systemd/system/freed-ipsec-roaming@.service +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=Roaming IPSec to '%i' -After=network-online.target -Wants=network-online.target - -After=ipsec.service -PartOf=ipsec.service -Requires=ipsec.service - -StartLimitIntervalSec=60 -StartLimitBurst=20 - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=ipsec auto --start %i -ExecStop=ipsec auto --delete %i - -Restart=on-failure -RestartSec=3 - -[Install] -WantedBy=multi-user.target -RequiredBy=ipsec.service diff --git a/usr/lib/systemd/system/freed-onresume.service b/usr/lib/systemd/system/freed-onresume.service deleted file mode 100644 index 7b7dc54..0000000 --- a/usr/lib/systemd/system/freed-onresume.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=On resume actions -After=sleep.target -After=network-online.target -Wants=network-online.target - -[Service] -Type=oneshot -ExecStartPre=sleep 3 -ExecStart=/usr/bin/systemctl restart ipsec - -[Install] -WantedBy=sleep.target - diff --git a/usr/lib/systemd/system/freed-onsuspend.service b/usr/lib/systemd/system/freed-onsuspend.service deleted file mode 100644 index 47afcc2..0000000 --- a/usr/lib/systemd/system/freed-onsuspend.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=On suspend actions -Before=sleep.target - -[Service] -Type=oneshot -ExecStart=/usr/bin/systemctl stop ipsec -ExecStartPost=/usr/bin/sleep 5 - -[Install] -WantedBy=sleep.target diff --git a/usr/lib/systemd/user/argeo@.service b/usr/lib/systemd/user/argeo@.service deleted file mode 100644 index 6704c8f..0000000 --- a/usr/lib/systemd/user/argeo@.service +++ /dev/null 
@@ -1,32 +0,0 @@ -[Unit] -Description=Argeo user node %I - -[Service] -Type=simple -StateDirectory=argeo.d/%I -LogsDirectory=argeo.d/%I -ConfigurationDirectory=argeo.d/%I -CacheDirectory=argeo.d/%I -#WorkingDirectory= - -ExecStart=java \ --Dfile.encoding=UTF-8 \ --Dosgi.configuration.cascaded=true \ --Dosgi.sharedConfiguration.area=/etc/argeo.user.d/%I/ \ --Dosgi.sharedConfiguration.area.readOnly=true \ --Dosgi.configuration.area=${STATE_DIRECTORY}/state/ \ --Dosgi.instance.area=${STATE_DIRECTORY}/data/ \ --Dargeo.node.repo.indexesBase=${CACHE_DIRECTORY}/indexes \ --Dorg.osgi.framework.system.packages.extra=sun.security.util,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp \ --Declipse.ignoreApp=true \ --Dosgi.noShutdown=true \ --Dorg.eclipse.equinox.http.jetty.autostart=false \ --Djava.library.path=/usr/lib/a2/swt/rcp/org.argeo.tp.swt/ \ -@/etc/argeo.user.d/jvm.args \ -@/etc/argeo.user.d/%I/jvm.args \ -@/usr/share/argeo/jvm.args -# Exit codes of the JVM when SIGTERM or SIGINT have been caught: -SuccessExitStatus=143 130 - -[Install] -WantedBy=multi-user.target diff --git a/usr/libexec/ipsec/_updown.host4client6 b/usr/libexec/ipsec/_updown.host4client6 deleted file mode 100755 index 2f748a6..0000000 --- a/usr/libexec/ipsec/_updown.host4client6 +++ /dev/null 
@@ -1,977 +0,0 @@ -#!/bin/sh -# -# default updown script for use with NETKEY(XFRM) -# -# Copyright (C) 2003-2004 Nigel Metheringham -# Copyright (C) 2002-2007 Michael Richardson -# Copyright (C) 2007-2008 Paul Wouters -# Copyright (C) 2003-2020 Tuomo Soini -# Copyright (C) 2011-2016 Paul Wouters -# Copyright (C) 2016 Antony Antony -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of Libreswan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown= parameters in ipsec.conf to make -# Libreswan use your modified updown script instead of this default one. - -test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x - -LC_ALL=C -export LC_ALL - -# Things that this script gets (from ipsec_pluto(8) man page) -# -# -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway -# communications is IPv6, then a suffix of -v6 is added -# to the verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. 
-# -# PLUTO_CONN_POLICY -# the policy of the connection, as in: -# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC -# +failureDROP+lKOD+rKOD -# -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# -# PLUTO_INTERFACE -# is the name of the real interface used by encrypted traffic and IKE traffic -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_METRIC -# is the metric to set for the route -# -# PLUTO_MTU -# is the mtu to set for the route -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / mask (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# -# PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. -# -# PLUTO_MY_PROTOCOL -# is the protocol for this connection. Useful for -# firewalling. -# -# PLUTO_MY_PORT -# is the port. Useful for firewalling. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client subnet. -# If the client is just the peer, this will be -# the peer's own IP address / mask (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# -# PLUTO_PEER_PROTOCOL -# is the protocol set for remote end with port -# selector. -# -# PLUTO_PEER_PORT -# is the peer's port. Useful for firewalling. 
-# -# PLUTO_CFG_CLIENT=0|1 -# is MODECFG or IKEv2 Config client. -# -# PLUTO_CFG_SERVER=0|1 -# is MODECFG or IKEv2 Config server. -# -# PLUTO_CONNECTION_TYPE -# -# PLUTO_CONN_ADDRFAMILY -# is the family type, "ipv4" or "ipv6" -# -# PLUTO_PROTO_STACK -# is the local IPsec kernel stack used, eg NETKEY, NOSTACK -# -# PLUTO_IS_PEER_CISCO=0|1 -# remote server type is cisco. Add support for cisco extensions -# when used with xauth. -# -# PLUTO_NM_CONFIGURED=0|1 -# is NetworkManager used for resolv.conf update -# -# PLUTO_SA_REQID -# When using KAME or XFRM/NETKEY, the IPsec SA reqid base value. -# ESP/AH out is base, ESP/AH in = base + 1 -# IPCOMP is base + 2 plus for inbound + 1 -# -# PLUTO_SA_TYPE -# The type of IPsec SA (ESP or AH) -# -# PLUTO_USERNAME -# The username (XAUTH or GSSAPI) that was authenticated (if any) -# for this SA -# -# PLUTO_VIRT_INTERFACE -# is the name of ipsec interface used by clear traffic in/out -# -# -# XAUTH_FAILED -# If xauthfail=soft this will be set to 1 if XAUTH authentication -# failed. If xauthfail=hard, the updown scripts never run. -# -# CONNMARK -# If mark= is set on the connection, this variable will be -# set with the value. It can be used for iptables or VTI. -# -# VTI_IFAC=iface -# Name of VTI interface to create -# -# VTI_ROUTING=yes|no -# Whether or not to perform ip rule and ip route commands -# covering the IPsec SA address ranges to route those packets -# into the VTI_IFACE interface. This should be enabled unless -# the IPsec SA covers 0.0.0.0/0 <-> 0.0.0.0/0 -# -# VTI_SHARED=yes|no -# Whether or not more conns (or instances) share a VTI device. -# If not shared, the VTI device is deleted when tunnel goes down. -# -# SPI_IN / SPI_OUT -# The inbound and outbound SPI's of the connection. - -# rpm based systems -if [ -f /etc/sysconfig/pluto_updown ]; then - . /etc/sysconfig/pluto_updown -# deb based systems -elif [ -f /etc/default/pluto_updown ]; then - . 
/etc/default/pluto_updown -fi - -BACKUP_RESOLV_CONF=/run/pluto/libreswan-resolv-conf-backup -ETC_RESOLV_CONF=/etc/resolv.conf - -case "${PLUTO_CONN_ADDRFAMILY}" in - ipv4) - FAMILY=4 - MAX_CIDR=32 - SCOPE=50 # Use scope 50 to verify ip was added by addsource() - ;; - ipv6) - FAMILY=6 - MAX_CIDR=128 - SCOPE=global - ;; - *) - echo "unknown address family \"${PLUTO_CONN_ADDRFAMILY}\"" >&2 - exit 1 - ;; -esac -export FAMILY MAX_CIDR SCOPE - -# 2022-09-03 - mbaudier : Hack when having an IPv6 subnet -export CLIENT_FAMILY=6 -export CLIENT_MAX_CIDR=128 - -# Ignore parameter custom -if [ "${1}" = "custom" ]; then - shift -fi - -while [ $# -gt 0 ]; do - case ${1} in - --route) - case ${2} in - [Yy]*) - ROUTE=yes - PROXY_ARP_ROUTE=no - ;; - *) - ROUTE= - PROXY_ARP_ROUTE= - ;; - esac - shift; shift - ;; - --iproute) - IPRARGS="${2}" - shift; shift - ;; - *) - echo "$0: Unknown argument \"${1}\"" >&2 - exit 1 - ;; - esac -done - -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doproxyarp add - doroute replace -} - -downroute() { - doroute del - doproxyarp delete -} - -downrule() { - if [ -n "${PLUTO_MY_SOURCEIP}" -a 0${PLUTO_IS_PEER_CISCO} -eq 1 ]; then - doroute del - fi -} - -updateresolvconf() { - local domain - local nameserver - local new_nameserver - local new_resolv_conf - local new_search - local orig_domain - local orig_nameserver - local rc - rc=0 - if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then - return ${rc} - fi - if [ -n "$(pidof unbound)" -a \ - -n "${PLUTO_PEER_DNS_INFO}" -a \ - -n "${PLUTO_PEER_DOMAIN_INFO}" ] - then - for domain in ${PLUTO_PEER_DOMAIN_INFO}; do - echo "updating local nameserver for ${domain} with ${PLUTO_PEER_DNS_INFO}" - unbound-control forward_add ${domain} \ - ${PLUTO_PEER_DNS_INFO} - unbound-control flush_zone ${domain} - unbound-control flush_requestlist - done - rc=$? 
- elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 -a \ - -n "${PLUTO_PEER_DNS_INFO}" ] - then - echo "updating resolvconf" - - if [ ! -e "${ETC_RESOLV_CONF}" ]; then - echo "resolv.conf does not exist, so doing nothing" - return 0 - fi - - if [ -e "${BACKUP_RESOLV_CONF}" ]; then - if grep -q Libreswan "${ETC_RESOLV_CONF}"; then - echo "Current resolv.conf is generated by Libreswan, and backup resolv.conf already exists, so doing nothing" - return 0 - else - echo "backup resolv.conf exists, but current resolv.conf is not generated by Libreswan" - fi - fi - - rm -f -- "${BACKUP_RESOLV_CONF}" - cp -- "${ETC_RESOLV_CONF}" "${BACKUP_RESOLV_CONF}" - - new_resolv_conf="# Generated by Libreswan (IPsec)" - - orig_domain="$(grep ^domain "${ETC_RESOLV_CONF}" 2>/dev/null | \ - awk '{ print $2 }')" - - orig_search=$(grep ^search "${ETC_RESOLV_CONF}" 2>/dev/null | \ - sed 's/^search[[:space:]]\+//;s/[[:space:]]*\#.*//') - - if [ -n "${orig_domain}" ]; then - new_resolv_conf="${new_resolv_conf} -domain ${orig_domain}" - fi - - if [ -n "${orig_search}" ]; then - new_search="${orig_search}" - elif [ -n "${orig_domain}" ]; then - new_search="${orig_domain}" - fi - - if [ -n "${PLUTO_PEER_DOMAIN_INFO}" ]; then - if [ -n "${new_search}" ]; then - new_search=$(echo $(echo "${new_search} ${PLUTO_PEER_DOMAIN_INFO}" | tr [:space:] '\n' | awk '!a[$0]++')) - else - new_search="${PLUTO_PEER_DOMAIN_INFO}" - fi - fi - - if [ -n "${new_search}" ]; then - new_resolv_conf="${new_resolv_conf} -search ${new_search}" - fi - - orig_nameserver=$(grep -m 1 ^nameserver "${ETC_RESOLV_CONF}" | \ - sed 's/^nameserver[[:space:]]\+//;s/[[:space:]]*\#.*//') - if [ -n "${orig_nameserver}" ]; then - new_nameserver=$(echo $(echo "${PLUTO_PEER_DNS_INFO} ${orig_nameserver}" | tr [:space:] '\n' | awk '!a[$0]++')) - else - new_nameserver="${PLUTO_PEER_DNS_INFO}" - fi - - for nameserver in ${new_nameserver}; do - new_resolv_conf="${new_resolv_conf} -nameserver ${nameserver}" - done - - echo "${new_resolv_conf}" > 
"${ETC_RESOLV_CONF}" - rc=$? - fi - return ${rc} -} - -restoreresolvconf() { - local domain - local rc - rc=0 - if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then - return ${rc} - fi - if [ -n "$(pidof unbound)" -a \ - -n "${PLUTO_PEER_DNS_INFO}" -a \ - -n "${PLUTO_PEER_DOMAIN_INFO}" ] - then - for domain in ${PLUTO_PEER_DOMAIN_INFO}; do - echo "flushing local nameserver of ${domain}" - unbound-control forward_remove ${domain} - unbound-control flush_zone ${domain} - unbound-control flush_requestlist - done - rc=$? - elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 ]; then - # We only restore if current resolv.conf is made by us. - if grep -q Libreswan "${ETC_RESOLV_CONF}" 2>/dev/null; then - # And if there is a backup... - if [ -e "${BACKUP_RESOLV_CONF}" ]; then - echo "restoring resolvconf" - else - return 0 - fi - cp -- "${BACKUP_RESOLV_CONF}" "${ETC_RESOLV_CONF}" - fi - rm -f -- "${BACKUP_RESOLV_CONF}" - rc=0 - fi - return ${rc} -} - -notifyNM() { - # This will be called whenever a connection is established or - # fails to establish (either phase 1, xauth phase, or phase 2) - # or whenever an already established connection is being terminated. - # This will send a signal to NetworkManager over dbus so that NM - # can keep track of the coonnections. - - if [ 0${PLUTO_NM_CONFIGURED} -eq 1 ]; then - echo "sending $1 signal to NetworkManager" - libreswan_reason=$1 - export libreswan_reason - export PLUTO_PEER_DOMAIN_INFO - export PLUTO_PEER_DNS_INFO - export PLUTO_PEER_BANNER - export PLUTO_MY_SOURCEIP - export PLUTO_PEER - [ -x /usr/libexec/nm-libreswan-service-helper ] && \ - /usr/libexec/nm-libreswan-service-helper - fi - return 0 -} - -addsource() { - local interface - local st - interface=lo - st=0 - - if [ -z "${PLUTO_MY_SOURCEIP}" ]; then - return ${st} - fi - # check if given sourceip is local and add as alias if not - if ! 
ip -${CLIENT_FAMILY} -o route get ${PLUTO_MY_SOURCEIP} | grep -q ^local; then - if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then - interface="${VTI_IFACE}" - elif [ -n "${PLUTO_XFRMI_ROUTE}" ]; then - interface=${PLUTO_VIRT_INTERFACE} - fi - it="ip addr add ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} dev ${interface} scope ${SCOPE}" - oops="$(eval ${it} 2>&1)" - st=$? - if [ -z "${oops}" -a ${st} -ne 0 ]; then - oops="silent error, exit status ${st}" - fi - case "${oops}" in - 'RTNETLINK answers: File exists'*) - # should not happen, but ... ignore if the - # address was already assigned on interface - oops="" - st=0 - ;; - esac - if [ -n "${oops}" -o ${st} -ne 0 ]; then - echo "$0: addsource \"${it}\" failed (${oops})" >&2 - fi - fi - return ${st} -} - -delsource() { - local interface - local oops - local st - interface=lo - st=0 - if [ -z "${PLUTO_MY_SOURCEIP}" ]; then - return ${st} - fi - # Remove source ip if it's not used any more. - if [ -z "$(ip -${CLIENT_FAMILY} -o route list src ${PLUTO_MY_SOURCEIP})" ]; then - if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then - interface="${VTI_IFACE}" - elif [ -n "${PLUTO_XFRMI_ROUTE}" ]; then - interface=${PLUTO_VIRT_INTERFACE} - fi - # If there is no ip we just return - if ! ip -${FAMILY} -o addr list dev ${interface} scope ${SCOPE} | \ - grep -q ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} - then - return ${st} - fi - - if [ -n "${PLUTO_MOBIKE_EVENT}" ] ; then - return ${st} - fi - - it="ip -${CLIENT_FAMILY} addr del ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} dev ${interface}" - oops="$(eval ${it} 2>&1)" - st=$? - if [ -z "${oops}" -a ${st} -ne 0 ]; then - oops="silent error, exit status ${st}" - fi - case "${oops}" in - 'RTNETLINK answers: File exists'*) - # should not happen, but ... 
ignore if the - # address was already assigned on interface - oops="" - st=0 - ;; - 'RTNETLINK answers: Cannot assign'*) - # Address is not there to remove or is there with different - # netmask and in that case we must not remove it so we ignore - # the error. - oops="" - st=0 - ;; - esac - if [ -n "${oops}" -o ${st} -ne 0 ]; then - echo "$0: delsource \"${it}\" failed (${oops})" >&2 - fi - fi - return ${st} -} - -doproxyarp() { - local cmd - local iface - cmd=${1} - # Check if client has a single ip only client net - if [ ${PLUTO_PEER_CLIENT#*/} = ${MAX_CIDR} ]; then - # Skip OE special connections and direct host-host connections - if [ "${PLUTO_PEER_CLIENT_NET}" = "0.0.0.0" -o \ - "${PLUTO_PEER_CLIENT_NET}" = "::" -o \ - "${PLUTO_PEER_CLIENT_NET}" = "${PLUTO_PEER}" -o \ - "${PLUTO_MY_CLIENT_NET}" = "${PLUTO_ME}" ] - then - return 0 - fi - # check if client is routeable - if ip -${FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} 2>/dev/null | \ - grep -E -q -s -v " via |^local" - then - iface=$(ip -${FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} 2>/dev/null | \ - awk '{print $3}') - if [ -r /sys/class/net/${iface}/address ]; then - macaddr=$(cat /sys/class/net/${iface}/address) - fi - # add/remove arp entry for the client on ethernet devices only - if [ -n "${macaddr}" ]; then - if [ "${cmd}" = "add" ]; then - ip -${FAMILY} neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} \ - lladdr ${macaddr} nud permanent - # Force routing, required for proxyarp to work - PROXY_ARP_ROUTE=yes - export PROXY_ARP_ROUTE - else - ip -${FAMILY} neigh del proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} - fi - fi - fi - fi -} - -do_ip() -{ - local cmd="$1" - oops="$(eval ${cmd} 2>&1)" - st=$? - - if [ -z "${oops}" -a ${st} -ne 0 ]; then - oops="silent error, exit status ${st}" - fi - - case "${oops}" in - 'RTNETLINK answers: No such process'*) - # should not happen, but ... 
ignore if the - # route was already removed - oops="" - st=0 - ;; - esac - - if [ -n "${oops}" -a ${st} -ne 0 ]; then - echo "$0: doroute \"${cmd}\" failed (${oops})" >&2 - fi - - return ${st} -} - -doroute() { - local cmd - local esp_nexthop - local esp_peer_interface - local espipro - local ipru - local route_table - local oops - local parms - local parms2 - local st - local xfrmi_route - local xfrmi_rule - cmd=${1} - route_table=50 - st=0 - xfrmi_route="${PLUTO_XFRMI_ROUTE}" - - if [ ${cmd} != del ]; then - oops="$(ip -${FAMILY} route get ${PLUTO_PEER_CLIENT_NET} 2>&1)" - case "${oops}" in - 'RTNETLINK answers: No route to host'*) - if [ -z "${PLUTO_XFRMI_ROUTE}" ]; then - ROUTE=yes # Routing is mandatory for IPsec - fi - ;; - esac - fi - - if [ -n "${PLUTO_XFRMI_FWMARK}" ]; then - xfrmi_rule=yes # we have to add "ip rules" and "ip route table" - ROUTE=no # xfrmi_route will add the route - fi - - # skip routing if it's not enabled or necessary - if [ -z "${PLUTO_MY_SOURCEIP}" -a \ - -z "${PLUTO_MTU}" -a \ - "${PROXY_ARP_ROUTE}" != yes -a \ - "${cmd}" != "del" ] - then - PROXY_ARP_ROUTE=no - fi - - if [ -n "${PLUTO_MY_SOURCEIP}" -o -n "${PLUTO_MTU}" ]; then - ROUTE=yes - fi - - if [ "${PLUTO_PEER_CLIENT}" = "${PLUTO_MY_CLIENT}" -a \ - "${PLUTO_XFRMI_ROUTE}" = yes ] - then - xfrmi_route="samesubnets"; - echo "leftsubet == rightsubnet = ${PLUTO_PEER_CLIENT} cannot add route" - fi - - parms="${PLUTO_PEER_CLIENT}" - parms2=${IPRARGS} - # nexthop is not needed on ppp interfaces. unset it to make cases - # work, where left is set but no leftnexthop (e.g. 
left=%defaultroute)
- if ip link show "${PLUTO_INTERFACE%:*}" | grep -q POINTOPOINT; then
- POINTPOINT=yes
- fi
- # use nexthop if nexthop is not %direct and POINTPOINT is not set
- if [ "${PLUTO_NEXT_HOP}" != "${PLUTO_PEER}" -a -z "${POINTPOINT}" ]; then
- # XFRM interface needs no nexthop
- if [ -z "${PLUTO_XFRMI_ROUTE}" ]; then
- parms2="via ${PLUTO_NEXT_HOP}"
- fi
- esp_nexthop="via ${PLUTO_NEXT_HOP} "
- fi
- # route via proper interface according to routing table
- if [ "${cmd}" = "del" ]; then
- case "${PLUTO_PEER_CLIENT}" in
- "0.0.0.0/0")
- # in case of default route we use half routes
- peer_interface=$(ip -${FAMILY} -o route list exact 0.0.0.0/1 | \
- sed "s/^.*dev \([^ ]*\) .*/\1/")
- ;;
- "::/0")
- # in case of default route we use half routes
- peer_interface=$(ip -${FAMILY} -o route list exact 2000::/3 | \
- sed "s/^.*dev \([^ ]*\) .*/\1/")
- ;;
- *)
- peer_interface=$(ip -${CLIENT_FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} | \
- sed "s/^.*dev \([^ ]*\) .*/\1/")
- ;;
- esac
- else
- peer_interface=$(ip -o route get ${PLUTO_NEXT_HOP} | \
- sed "s/^.*dev \([^ ]*\) .*/\1/")
- fi
-
- esp_peer_interface=$(ip -${FAMILY} -o route get ${PLUTO_NEXT_HOP} \
- from ${PLUTO_ME} | sed "s/^.*\(dev [^ ]*\) .*/\1/")
- if [ -z "${esp_peer_interface}" ]; then
- esp_peer_interface="dev ${PLUTO_INTERFACE}"
- fi
-
- if [ -z "${peer_interface}" ]; then
- peer_interface=${PLUTO_INTERFACE}
- fi
-
- if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
- peer_interface=${PLUTO_VIRT_INTERFACE}
- fi
-
- if [ -n "${VTI_IFACE}" ]; then
- addsource
- peer_interface="${VTI_IFACE}"
- fi
-
- parms2="${parms2}${PLUTO_MTU:+ mtu ${PLUTO_MTU}}"
- parms2="${parms2}${PLUTO_METRIC:+ metric ${PLUTO_METRIC}} ${IPROUTEARGS}"
-
- parms2="${parms2} dev ${peer_interface%:*}"
-
- # make sure we have sourceip locally in this machine
- if [ "${cmd}" = "replace" -a -n "${PLUTO_MY_SOURCEIP}" ]; then
- addsource
- # use sourceip as route default source
- parms2="${parms2} src ${PLUTO_MY_SOURCEIP}"
- fi
-
- 
case "${PLUTO_PEER_CLIENT}" in
- "0.0.0.0/0")
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip -${FAMILY} route ${cmd} 0.0.0.0/1 ${parms2} && \
- ip -${FAMILY} route ${cmd} 128.0.0.0/1 ${parms2}"
- ;;
- "::/0")
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip -${FAMILY} route ${cmd} 2000::/3 ${parms2}"
- ;;
- *)
- it="ip -${CLIENT_FAMILY} route ${cmd} ${parms} ${parms2}"
- ;;
- esac
-
- if [ "${ROUTE}" = yes -o \
- "${xfrmi_route}" = yes -o \
- "${PROXY_ARP_ROUTE}" = yes ]
- then
- do_ip "${it}"
- st=$?
- if [ ${st} -ne 0 ]; then
- return ${st}
- fi
- fi
-
- if [ "${xfrmi_rule}" = "yes" ]; then
- espipro="ip -${FAMILY} route ${cmd} ${PLUTO_PEER}/${MAX_CIDR} ${esp_nexthop} ${esp_peer_interface%:*} table ${route_table}"
- do_ip "${espipro}"
-
- st=$?
- if [ ${st} -ne 0 ]; then
- return ${st}
- fi
-
- iprulecmd="${cmd}"
- if [ "${cmd}" = "replace" ]; then
- iprulecmd="add"
- fi
-
- ipru="ip -${FAMILY} rule ${iprulecmd} prio 100 to ${parms}"
- ipru="${ipru} fwmark ${PLUTO_XFRMI_FWMARK} lookup ${route_table}"
-
- do_ip "${ipru}"
- st=$?
- if [ ${st} -ne 0 ]; then
- return ${st}
- fi
-
- fi
- return 0
-}
-
-# TODO: We need to specify CIDR mask but our _MASK variables are in old school format
-# TODO: Exclude udp 4500 traffic
-addnflog() {
- if [ -n "${NFLOG}" ]; then
- iptables -I OUTPUT -m policy --dir out --pol ipsec \
- -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \
- -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
- iptables -I INPUT -m policy --dir in --pol ipsec \
- -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \
- -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
- fi
-}
-
-delnflog() {
- if [ -n "${NFLOG}" ]; then
- iptables -D OUTPUT -m policy --dir out --pol ipsec \
- -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \
- -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
- iptables -D INPUT -m policy --dir in --pol ipsec \
- -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \
- -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
- fi
-}
-
-addvtiiface() {
- if [ -n "${VTI_IFACE}" ]; then
- if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then
- echo "vti-interface option ignored because no mark was configured"
- else
- if [ ! 
-d "/proc/sys/net/ipv4/conf/${VTI_IFACE}" ]; then
- # echo "creating vti interface"
- vtipeer="${PLUTO_PEER}"
- if [ "${PLUTO_CONN_KIND}" = CK_INSTANCE -o "${VTI_SHARED}" = "yes" ]; then
- vtipeer="0.0.0.0"
- fi
- ip tunnel add ${VTI_IFACE} mode vti local ${PLUTO_ME} \
- remote ${vtipeer} okey ${CONNMARK_OUT%/*} \
- ikey ${CONNMARK_IN%/*}
- sysctl -w net.ipv4.conf.${VTI_IFACE}.disable_policy=1
- sysctl -w net.ipv4.conf.${VTI_IFACE}.rp_filter=0
- sysctl -w net.ipv4.conf.${VTI_IFACE}.forwarding=1
- if [ -n "${VTI_IP}" ]; then
- ip addr add ${VTI_IP} dev ${VTI_IFACE}
- fi
- ip link set ${VTI_IFACE} up
- else
- # check there was no conflict if we are sharing - might be sensitive to /sbin/ip differences
- if [ "${VTI_SHARED}" = yes ]; then
- #test: ip/ip remote 3.4.5.6 local 1.2.3.4 ttl inherit key 5
- cur="$(ip tun show ${VTI_IFACE})"
- new="${VTI_IFACE}: ip/ip remote any local ${PLUTO_ME} ttl inherit key ${CONNMARK_OUT%/*}"
- if [ "${cur}" != "${new}" ]; then
- echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting"
- echo "existing: ${cur}"
- echo "wanted : ${new}"
- else
- # temp debug
- echo "vti interface already exists with identical parameters, OK"
- fi
- else
- echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting (perhaps need vti-sharing=yes ?"
- fi
- fi
- fi
- fi
-}
-
-addvti() {
- if [ -n "${VTI_IFACE}" ]; then
- if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then
- echo "vti-interface option ignored because no mark was configured"
- else
- if [ "${VTI_ROUTING}" = yes ]; then
- # Tuomo should improve this with using ${PLUTO_MY_CLIENT_NET}
- # echo "setting up vti routing"
- r=add
- ip route list | grep -q "${PLUTO_PEER_CLIENT%/*}" && r=change
- if [ "${r}" = change ]; then
- # resolve LAN conflict by forcing host route for default gw
- gw="$(ip ro li | grep ^default | awk '{ print $3;}')"
- gwdev="$(ip ro li | grep ^default | awk '{ print $5;}')"
- # echo "ip route add ${gw} dev ${gwdev}"
- ip route add ${gw} dev ${gwdev} >/dev/null ||:
- fi
- srcip=""
- if [ -n "${PLUTO_MY_SOURCEIP}" ]; then
- srcip=" src ${PLUTO_MY_SOURCEIP}"
- fi
- # echo "ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip}"
- ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip}
- echo "done ip route"
- fi
- fi
- fi
-}
-
-delvti() {
- if [ -n "${VTI_IFACE}" -a -d /proc/sys/net/ipv4/conf/${VTI_IFACE} ]; then
- if [ "${VTI_ROUTING}" = yes ]; then
- ip route del ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} \
- src ${PLUTO_MY_SOURCEIP} ||:
- fi
- # TODO: we can't delete vti interface because we don't have proper reference
- # counting.
- #if [ "${VTI_SHARED}" = no -a "${PLUTO_CONN_KIND}" != CK_INSTANCE ]; then
- # ip tun del ${VTI_IFACE} ||:
- #fi
- fi
-}
-
-# Client Address Translation CAT
-addcat() {
- if [ -n "${CAT}" ] && [ "${PLUTO_MY_CLIENT_NET}" != "0.0.0.0" ] ; then
- iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
- -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
- iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
- -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
- -j DNAT --to-destination ${PLUTO_ME}
- fi
-}
-
-delcat() {
- if [ -n "${CAT}" ]; then
- iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec \
- -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
- -j DNAT --to-destination ${PLUTO_ME}
- iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
- -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
- fi
-}
-
-# the big choice
-case "${PLUTO_VERB}" in
- prepare-host|prepare-client)
- addvtiiface
- ;;
- route-host|route-client)
- # connection to me or my client subnet being routed
- addvti
- uproute
- addnflog
- ;;
- unroute-host|unroute-client)
- # connection to me or my client subnet being unrouted
- downroute
- delsource
- ;;
- up-host)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
- down-host)
- # connection to me going down
- downrule
- delnflog
- delcat
- delvti
- # If you are doing a custom version, firewall commands go here.
- ;;
- up-client)
- # connection to my client subnet coming up
- addvtiiface
- updateresolvconf
- addcat
- addsource
- notifyNM connect
- addvti
- # If you are doing a custom version, firewall commands go here.
- ;;
- down-client)
- # connection to my client subnet going down
- downrule
- delnflog
- delcat
- delvti
- restoreresolvconf
- notifyNM disconnect
- # If you are doing a custom version, firewall commands go here.
- ;;
- #
- # IPv6
- #
- prepare-host-v6|prepare-client-v6)
- # prepare client for connection
- ;;
- route-host-v6|route-client-v6)
- # connection to me or my client subnet being routed
- uproute
- ;;
- unroute-host-v6|unroute-client-v6)
- # connection to me or my client subnet being unrouted
- downroute
- delsource
- ;;
- up-host-v6)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
- down-host-v6)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
- up-client-v6)
- # connection to my client subnet coming up
- addsource
- updateresolvconf
- notifyNM connect
- # If you are doing a custom version, firewall commands go here.
- ;;
- down-client-v6)
- # connection to my client subnet going down
- restoreresolvconf
- notifyNM disconnect
- # If you are doing a custom version, firewall commands go here.
- ;;
- *) echo "$0: unknown verb \"${PLUTO_VERB}\" or parameter \"${1}\"" >&2
- exit 1
- ;;
-esac
diff --git a/usr/share/argeo/SETUP.txt b/usr/share/argeo/SETUP.txt
deleted file mode 100644
index 708e587..0000000
--- a/usr/share/argeo/SETUP.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-
-# 389 Directory Server
-sudo dscreate from-file argeo-slapd.inf
-sudo dsconf -D "cn=Directory Manager" ldap://localhost backend import
-
-# PostgreSQL
-sudo postgresql-setup initdb
-sudo systemctl start postgresql
-sudo -u postgres psql < argeo-pgsql-setup.sql
diff --git a/usr/share/argeo/all.policy b/usr/share/argeo/all.policy
deleted file mode 100644
index facb613..0000000
--- a/usr/share/argeo/all.policy
+++ /dev/null
@@ -1,3 +0,0 @@
-grant {
- permission java.security.AllPermission;
-};
\ No newline at end of file
diff --git a/usr/share/argeo/argeo-pgsql-setup.sql b/usr/share/argeo/argeo-pgsql-setup.sql
deleted file mode 100644
index 886f60a..0000000
--- a/usr/share/argeo/argeo-pgsql-setup.sql
+++ /dev/null
@@ -1,2 +0,0 @@
-CREATE USER argeo WITH PASSWORD 'argeo';
-CREATE DATABASE argeo WITH OWNER argeo;
diff --git a/usr/share/argeo/argeo-slapd-setup.inf b/usr/share/argeo/argeo-slapd-setup.inf
deleted file mode 100644
index 98ad97a..0000000
--- a/usr/share/argeo/argeo-slapd-setup.inf
+++ /dev/null
@@ -1,9 +0,0 @@
-[general]
-[slapd]
-instance_name = argeo
-root_dn = cn=Directory Manager
-root_password = argeoargeo
-
-[backend-userroot]
-create_suffix_entry = True
-suffix = dc=example,dc=com
\ No newline at end of file
diff --git a/usr/share/argeo/jvm.args b/usr/share/argeo/jvm.args
deleted file mode 100644
index ca3cd0b..0000000
--- a/usr/share/argeo/jvm.args
+++ /dev/null
@@ -1 +0,0 @@
--cp /usr/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:/usr/share/a2/org.argeo.cms/org.argeo.init.2.1.jar org.argeo.init.Service
\ No newline at end of file