--- /dev/null
+# GNU coding standards
+prefix ?= /usr/local
+exec_prefix ?= $(prefix)
+bindir ?= $(exec_prefix)/bin
+sbindir ?= $(exec_prefix)/sbin
+libdir ?= $(exec_prefix)/lib
+libexecdir ?= $(exec_prefix)/libexec
+sysconfdir ?= $(prefix)/etc
+srcdir ?= $(prefix)/src
+datarootdir ?= $(prefix)/share
+
+## Utilities
+# Install to a target directory without executable bit
+INSTALL=install -m644 -D --target-directory
+# Always try copy-on-write
+COPY=cp --reflink=auto
+
+# TODO use argeo-build
+BUILD_BASE ?= output/argeo-freed
+all:
+ mkdir -p $(BUILD_BASE)$(sysconfdir) $(BUILD_BASE)$(bindir) $(BUILD_BASE)$(libdir) $(BUILD_BASE)$(libexecdir)
+ $(COPY) -r etc/* $(BUILD_BASE)$(sysconfdir)
+ $(COPY) -r bin/* $(BUILD_BASE)$(bindir)
+ $(COPY) -r lib/* $(BUILD_BASE)$(libdir)
+ $(COPY) -r libexec/* $(BUILD_BASE)$(libexecdir)
+ sed -i 's|/usr/local/etc|$(sysconfdir)|g' $(BUILD_BASE)$(libdir)/systemd/*/argeo*.service
+ sed -i 's|/usr/local/lib|$(libdir)|g' $(BUILD_BASE)$(libdir)/systemd/*/argeo*.service
+ sed -i 's|/usr/local/share|$(datarootdir)|g' $(BUILD_BASE)$(libdir)/systemd/*/argeo*.service
+ sed -i 's|/usr/local/share|$(datarootdir)|g' $(BUILD_BASE)$(bindir)/*
+ sed -i 's|/usr/local/lib|$(libdir)|g' $(BUILD_BASE)$(libdir)/sysj/jvm.args
+# $(MAKE) -C sjbin all
+
+clean:
+ $(RM) -r $(BUILD_BASE)
+# $(MAKE) -C sjbin clean
+
+distclean: clean
+
+install:
+ mkdir -p $(DESTDIR)$(sysconfdir) $(DESTDIR)$(bindir) $(DESTDIR)$(libdir) $(DESTDIR)$(libexecdir)
+# TODO use install and wildcard ?
+ $(COPY) -v -r --no-clobber $(BUILD_BASE)$(sysconfdir)/* $(DESTDIR)$(sysconfdir)
+ $(COPY) -v -r $(BUILD_BASE)$(libdir)/* $(DESTDIR)$(libdir)
+ install -m755 -D --target-directory $(DESTDIR)$(bindir) $(BUILD_BASE)$(bindir)/*
+ install -m755 -D --target-directory $(DESTDIR)$(libexecdir)/ipsec $(BUILD_BASE)$(libexecdir)/ipsec/*
+# systemctl daemon-reload
+
+uninstall:
+# TODO fix warning when directory does not exist
+ $(foreach f, $(shell cd $(BUILD_BASE)$(bindir) && find . -type f), $(RM) $(DESTDIR)$(bindir)/$(f);)
+ $(foreach f, $(shell cd $(BUILD_BASE)$(libdir) && find . -type f), $(RM) $(DESTDIR)$(libdir)/$(f);)
+ $(foreach f, $(shell cd $(BUILD_BASE)$(libexecdir) && find . -type f), $(RM) $(DESTDIR)$(libexecdir)/$(f);)
+# TODO remove empty directories
+# @if [ -d $(A2_INSTALL_TARGET) ]; then find $(A2_INSTALL_TARGET) -empty -type d -delete; fi
+
+purge: uninstall
+ $(foreach f, $(shell cd $(BUILD_BASE)$(sysconfdir) && find . -type f), $(RM) $(DESTDIR)$(sysconfdir)/$(f);)
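Review bot: `INSTALL=install -m644 -D --target-directory` is defined in the utilities section but never used; the `install` target copies the etc/ and lib/ trees with `cp -r`, so unit files and `jvm.args` land under `/etc` and `/usr/lib` with whatever mode bits the checkout happens to carry rather than a fixed 0644. Normalising inside the build tree is safe and one line at the end of `all`: `find $(BUILD_BASE) -type f -exec chmod 644 {} +`, with the two `install -m755` lines still setting the executable bit on bin/ and libexec/ipsec. None of the targets is declared phony, so a stray file named `install` or `clean` in the source tree would silently satisfy it; add `.PHONY: all clean distclean install uninstall purge`. `$(RM) -r $(BUILD_BASE)` in `clean` runs with whatever `BUILD_BASE` was overridden to on the command line, so a guard such as `$(if $(strip $(BUILD_BASE)),,$(error BUILD_BASE is empty))` is cheap insurance.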
Name: argeo-freed
-Version: 2.1.3
+Version: 2.1.4
Release: 1%{?dist}
Summary: Utilities for a FREEd compatible domain
Summary: FREEd Argeo CMS services
Requires: argeo-cms
-%package cms-user
-Summary: FREEd Argeo CMS user services
-Requires: argeo-cms
-
%description cms
%package libreswan
%description roaming-client
-%package roaming-host
-Summary: FREEd roaming host
-Requires: argeo-freed-libreswan
-
-%description roaming-host
-
%prep
%setup -q
%build
%install
-mkdir -p %{buildroot}%{_bindir}
-cp -a ./usr/bin/* %{buildroot}%{_bindir}
-
-mkdir -p %{buildroot}%{_sysconfdir}
-cp -a ./etc/* %{buildroot}%{_sysconfdir}
-
-mkdir -p %{buildroot}%{_datadir}
-cp -a ./usr/share/* %{buildroot}%{_datadir}
-
-mkdir -p %{buildroot}%{_unitdir}
-cp -a ./usr/lib/systemd/system/* %{buildroot}%{_unitdir}
-
-mkdir -p %{buildroot}%{_userunitdir}
-cp -a ./usr/lib/systemd/user/* %{buildroot}%{_userunitdir}
-
-mkdir -p %{buildroot}%{_libexecdir}
-cp -a ./usr/libexec/ipsec %{buildroot}%{_libexecdir}
%files cms
%attr(755, root, root) %{_bindir}/argeo
%attr(755, root, root) %{_bindir}/jshc
+%{_sysconfdir}/default/argeo
%{_sysconfdir}/argeo.d
-%{_datadir}/argeo
-%{_unitdir}/argeo@.service
-
-%files cms-user
-%{_sysconfdir}/argeo.user.d
-%{_userunitdir}/argeo@.service
+%{_sysconfdir}/argeo
+%{_unitdir}/argeo*.service
+%{_userunitdir}/argeo*.service
%files libreswan
%attr(755, root, root) %{_libexecdir}/ipsec
%files roaming-client
-%{_sysconfdir}/ipsec.d/roaming.conf
-
%{_unitdir}/freed-ipsec-roaming@.service
%{_unitdir}/freed-onresume.service
%{_unitdir}/freed-onsuspend.service
%post cms
%systemd_post argeo@.service
+%systemd_user_post argeo.service
%preun cms
%systemd_preun argeo@.service
+%systemd_user_preun argeo.service
%postun cms
%systemd_postun argeo@.service
-
-%post cms-user
-%systemd_user_post argeo@.service
-
-%preun cms-user
-%systemd_user_preun argeo@.service
-
-%postun cms-user
-%systemd_user_postun argeo@.service
+%systemd_user_postun argeo.service
%post roaming-client
%systemd_post freed-ipsec-roaming@.service
%systemd_postun freed-ipsec-roaming@.service
%systemd_postun freed-onresume.service
%systemd_postun freed-onsuspend.service
-
-%files roaming-host
-%{_sysconfdir}/ipsec.d/roaming-host.conf
-%{_sysconfdir}/ipsec.d/roaming-host-domain.conf.template
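Review bot: The configuration paths now listed in `%files cms` (`%{_sysconfdir}/default/argeo`, `%{_sysconfdir}/argeo`, alongside the existing `%{_sysconfdir}/argeo.d`) carry no `%config(noreplace)`, so a package upgrade overwrites an administrator's `/etc/default/argeo` environment file and the `jvm.args` files, which is exactly where JMX or debug-agent flags get switched on or off. Mark them `%config(noreplace) %{_sysconfdir}/default/argeo` and `%config(noreplace) %{_sysconfdir}/argeo` (and the same for `argeo.d`). The whole `%install` body is deleted here and whatever now populates `%{buildroot}` is outside the visible lines, presumably `make install DESTDIR=%{buildroot}` from the new Makefile; a one-line comment under `%install` saying so would help. Not introduced by this change, but adjacent to it: the pre-existing `%post roaming-client` scriptlet calls `%systemd_postun` for three units inside a `%post` section, which looks like the wrong macro.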
--- /dev/null
+#!/bin/sh
+java -Dorg.argeo.api.cli.rootCommand=$0 -jar /usr/local/share/a2/org.argeo.cms/org.argeo.cms.cli.2.3.jar "$@"
\ No newline at end of file
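Review bot: `$0` is unquoted in the `-Dorg.argeo.api.cli.rootCommand=$0` argument, so an install path containing whitespace splits into several JVM arguments; write it as `exec java -Dorg.argeo.api.cli.rootCommand="$0" -jar /usr/local/share/a2/org.argeo.cms/org.argeo.cms.cli.2.3.jar "$@"`. The `exec` also lets the JVM replace the shell, so signals and the exit status reach the caller directly instead of through a waiting `sh`. The hard-coded `/usr/local/share` prefix is rewritten at build time by the Makefile's sed over every file in bindir, so it is fine as long as the path stays on one line.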
--- /dev/null
+#!/bin/sh
+java -Xms32m -Xmx64m -jar /usr/local/share/a2/org.argeo.cms/org.argeo.cms.jshell.2.3.jar "$@"
\ No newline at end of file
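Review bot: The wrapper leaves a shell process waiting on the JVM for the whole session; `exec java -Xms32m -Xmx64m -jar /usr/local/share/a2/org.argeo.cms/org.argeo.cms.jshell.2.3.jar "$@"` hands the process, signals and exit status straight to Java. The 64 MiB heap ceiling is presumably deliberate for an interactive client, so a short comment above it (`# small heap: interactive client, not the node`) would stop someone from "fixing" it later.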
files
-.debhelper
+*.debhelper
debhelper*
argeo-*/
-*.substvars
\ No newline at end of file
+*.substvars
+/tmp/
+++ /dev/null
-./etc/argeo.user.d/* ./etc/argeo.user.d
-./usr/lib/systemd/user/argeo@.service ./usr/lib/systemd/user
-./usr/bin/argeo ./usr/bin
-./usr/bin/jshc ./usr/bin
+/usr/bin/argeo
+/usr/bin/jshc
-./etc/argeo.d/* ./etc/argeo.d
+/etc/default/argeo
+/etc/argeo/*
+/etc/argeo.d/*
-./usr/lib/systemd/system/argeo@.service ./usr/lib/systemd/system
-
-./usr/share/argeo/* ./usr/share/argeo
+/usr/lib/systemd/system/argeo*.service
+/usr/lib/systemd/user/argeo*.service
-./usr/libexec/ipsec/* ./usr/libexec/ipsec
+/usr/libexec/ipsec
-./etc/ipsec.d/roaming.conf ./etc/ipsec.d
-./usr/lib/systemd/system/freed-ipsec-roaming@.service ./usr/lib/systemd/system
-./usr/lib/systemd/system/freed-onresume.service ./usr/lib/systemd/system
-./usr/lib/systemd/system/freed-onsuspend.service ./usr/lib/systemd/system
+/usr/lib/systemd/system/freed-ipsec-roaming@.service
+/usr/lib/systemd/system/freed-onresume.service
+/usr/lib/systemd/system/freed-onsuspend.service
+++ /dev/null
-./etc/ipsec.d/roaming-host.conf ./etc/ipsec.d
-./etc/ipsec.d/roaming-host-domain.conf.template ./etc/ipsec.d
-argeo-freed (2.1.3) testing; urgency=medium
+argeo-freed (2.1.4) testing; urgency=medium
- * Adapt to changes in Argeo TP
+ * New directory structure
- -- Mathieu Baudier <mbaudier@argeo.org> Thu, 14 Dec 2023 05:48:41 +0000
+ -- Mathieu Baudier <mbaudier@argeo.org> Sat, 16 Mar 2024 07:25:57 +0000
Description: FREEd Argeo CMS services
FREEd Argeo CMS services
-Package: argeo-freed-cms-user
-Architecture: all
-Depends: ${misc:Depends}, argeo-cms
-Conflicts: argeo-init
-Description: FREEd Argeo CMS user services
- FREEd Argeo CMS user services
-
Package: argeo-freed-libreswan
Architecture: all
Depends: ${misc:Depends}, libreswan
Description: FREEd extensions to libreswan
- Argeo FREEd extensions to libreswan
+ FREEd extensions to libreswan
Package: argeo-freed-roaming-client
Architecture: all
Depends: ${misc:Depends}, argeo-freed-libreswan
Description: FREEd roaming client
- Argeo FREEd roaming client
-
-Package: argeo-freed-roaming-host
-Architecture: all
-Depends: ${misc:Depends}, argeo-freed-libreswan
-Description: FREEd roaming host
- Argeo FREEd roaming host
+ FREEd roaming client
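Review bot: The `argeo-freed-cms-user` and `argeo-freed-roaming-host` stanzas are removed, but nothing marks the surviving packages as superseding them, so a system that has either installed keeps the old package alongside the new `argeo-freed-cms`, and if the new user-unit glob still produces `/usr/lib/systemd/user/argeo@.service`, dpkg refuses to overwrite the file owned by the old package. Adding `Breaks: argeo-freed-cms-user (<< 2.1.4)` and `Replaces: argeo-freed-cms-user (<< 2.1.4)` to `argeo-freed-cms` (and the roaming-host equivalent on whichever package absorbs its role) is the standard way to retire a binary package. The `argeo-freed-cms` stanza itself begins before this hunk, so I cannot see whether the `Conflicts: argeo-init` that the removed cms-user stanza carried was moved there or dropped.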
#!/usr/bin/make -f
%:
- dh $@
+ prefix=/usr sysconfdir=/etc dh $@
+
+override_dh_missing:
+ # Ignore missing files
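Review bot: The `override_dh_missing:` target whose only content is a comment disables dh_missing entirely, so any file the Makefile puts into debian/tmp that no `.install` file claims is silently dropped from the packages instead of being reported — the opposite of what you want right after a directory-layout reshuffle. `dh_missing --list-missing` as the recipe keeps the build green while printing what was left behind; `--fail-missing` is the safe end state once the lists are complete. `prefix=/usr sysconfdir=/etc` are passed as environment variables, which only works because the Makefile assigns those with `?=`; `dh $@ -- prefix=/usr sysconfdir=/etc` passes them as make arguments and also overrides plain `=` assignments if the Makefile ever changes.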
+++ /dev/null
--agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=127.0.0.1:8000
\ No newline at end of file
+++ /dev/null
--Dcom.sun.management.jmxremote.port=8099 -Dcom.sun.management.jmxremote.rmi.port=8099 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=<hostname>
\ No newline at end of file
--- /dev/null
+grant {
+ permission java.security.AllPermission;
+};
\ No newline at end of file
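Review bot: A policy that grants `java.security.AllPermission` with no codeBase or principal is a no-op sandbox: its only plausible purpose is to let a SecurityManager be installed (e.g. for JAAS `Subject.doAs` / `AccessController` checks) without restricting anything. Say so in the file so nobody mistakes it for hardening, e.g. `// Grants everything: exists only so a SecurityManager can be enabled; this policy provides no isolation.` Note that the Security Manager is deprecated for removal since JDK 17, so whatever relies on this file will eventually need another mechanism.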
--- /dev/null
+# Force UTF-8 encoding
+-Dfile.encoding=UTF-8
+
+# Ensure OpenJDK and OpenJ9 are compatible
+-XX:+IgnoreUnrecognizedVMOptions
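Review bot: `-XX:+IgnoreUnrecognizedVMOptions` makes the JVM silently accept a misspelled `-XX:` flag, so a typo in any later argfile (a GC or hardening option, say) is dropped without an error; the comment should state that trade-off, e.g. `# Ensure OpenJDK and OpenJ9 are compatible (also silences typos in -XX options)`. It only affects options that follow it, which holds if this file is the first `@argfile` on the command line, as in the unit files in this change.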
--- /dev/null
+-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=127.0.0.1:8000
\ No newline at end of file
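Review bot: `suspend=y` blocks the JVM until a debugger attaches, so if this snippet is ever pulled in through one of the `@…/jvm.args` files a service unit loads, the service hangs at start with nothing in the log explaining why; a header comment is warranted, e.g. `# Debug agent: the JVM waits for a debugger on 127.0.0.1:8000 before starting; never include from a service's jvm.args.` The loopback bind is the right choice and should stay, since JDWP has no authentication of its own.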
--- /dev/null
+-Dcom.sun.management.jmxremote.port=8099 \
+-Dcom.sun.management.jmxremote.rmi.port=8099 \
+-Dcom.sun.management.jmxremote.authenticate=false \
+-Dcom.sun.management.jmxremote.ssl=false \
+#-Djava.rmi.server.hostname=<hostname>
\ No newline at end of file
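Review bot: These flags open a remote JMX connector on port 8099 with `authenticate=false`, `ssl=false` and no bind address, which on any reachable host is unauthenticated remote code execution via MBean invocation; on a JDK 9+ runtime add `-Dcom.sun.management.jmxremote.host=127.0.0.1` at minimum, and for anything beyond a local debugging session switch to `authenticate=true` with `-Dcom.sun.management.jmxremote.password.file=`. Second, the trailing `\` on each line: as far as I can tell from the `@argfile` grammar, backslash-newline continuation is only honoured inside a quoted token, so outside quotes each `\` becomes its own argument that `java` would take as the main class name — the previous single-line form did not have this problem, and since whitespace already separates arguments the backslashes can simply be removed. Worth checking with `java @thisfile -version` before merging.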
--- /dev/null
+## Launch context
+osgi.framework.useSystemProperties=false
+osgi.frameworkParentClassloader=app
+osgi.parentClassLoader=app
+osgi.contextClassLoaderParent=app
+
+# Disable Equinox Jetty autostart
+org.eclipse.equinox.http.jetty.autostart=false
+
--- /dev/null
+argeo.osgi.sources=\
+a2+reference:///\
+?osgi=equinox\
+&crypto=fips\
+&swt=rap\
+
+argeo.osgi.start.2=\
+org.eclipse.equinox.http.servlet,\
+org.apache.felix.scr,\
+org.eclipse.equinox.console,\
+org.eclipse.rap.rwt.osgi,\
+
+argeo.osgi.start.3=\
+org.argeo.cms,\
+org.argeo.cms.ee,\
+org.argeo.cms.lib.dbus,\
+org.argeo.cms.lib.sshd,\
+org.argeo.cms.lib.equinox,\
+org.argeo.cms.lib.jetty,\
+org.argeo.cms.swt.rap,\
+
+argeo.osgi.start.4=\
+org.argeo.cms.jcr
+
+argeo.osgi.start.5=\
+org.argeo.app.profile.acr.fs,\
+org.argeo.app.core,\
+org.argeo.app.jcr,\
+org.argeo.app.ui,\
+org.argeo.app.theme.default,\
+org.argeo.app.geo,\
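Review bot: `org.eclipse.equinox.console` (start level 2) and `org.argeo.cms.lib.sshd` (level 3) are both interactive shells into the JVM, and this file sets neither `osgi.console` nor an sshd port, so whether either one listens on the network depends on sibling configuration and defaults not visible here; a comment above `argeo.osgi.start.2` recording the intent (`# equinox console and sshd are started here; keep osgi.console unset outside development`) would document it. Every list except `argeo.osgi.start.4` ends with `,\` followed by a blank line, which leaves a trailing comma in the property value; presumably the a2 parser tolerates an empty element, but it is worth confirming given the one list that does not do it.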
--- /dev/null
+osgi.clean=true
\ No newline at end of file
--- /dev/null
+org.osgi.framework.system.packages.extra=\
+com.sun.jna,\
+com.sun.jna.internal,\
+com.sun.jna.ptr,\
+com.sun.jna.win32,\
+org.eclipse.angus.mail.mbox,\
+org.apache.tomcat.jni,\
+sun.security.util,\
+sun.security.internal.spec,\
+sun.security.provider,\
+sun.awt.X11,\
+com.sun.net.httpserver,\
+com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.jndi.dns,\
+com.sun.security.jgss,\
+com.sun.nio.file,\
+com.sun.nio.sctp
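Review bot: Listing `sun.security.util`, `sun.security.provider`, `sun.awt.X11`, `com.sun.jndi.ldap` and the rest in `org.osgi.framework.system.packages.extra` only makes the framework export them from the system bundle; it does not open the JDK modules, so on JDK 16+ with strong encapsulation a bundle that imports them still fails with `IllegalAccessError` unless the JVM is started with `--add-exports java.base/sun.security.util=ALL-UNNAMED` and the matching lines for the others — none of the jvm.args or unit files in this change pass them. If the runtime targets an older JDK or the exports are added elsewhere, a comment saying where would spare the next reader the search.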
--- /dev/null
+argeo.osgi.sources=\
+a2+reference:///\
+?osgi=equinox\
+&crypto=fips\
+&swt=rcp\
+
+argeo.osgi.start.2=\
+org.eclipse.equinox.http.servlet,\
+org.apache.felix.scr,\
+org.eclipse.equinox.console,\
+
+argeo.osgi.start.3=\
+org.argeo.cms,\
+org.argeo.cms.ee,\
+org.argeo.cms.jshell,\
+org.argeo.cms.lib.dbus,\
+org.argeo.cms.lib.sshd,\
+org.argeo.cms.lib.equinox,\
+org.argeo.cms.lib.jetty,\
+org.argeo.cms.swt.rcp,\
+
+argeo.osgi.start.4=\
+org.argeo.cms.jcr
+
+argeo.osgi.start.5=\
+org.argeo.app.profile.acr.fs,\
+org.argeo.app.core,\
+org.argeo.app.jcr,\
+org.argeo.app.ui,\
+org.argeo.app.theme.default,\
+org.argeo.app.geo,\
--- /dev/null
+osgi.clean=true
\ No newline at end of file
--- /dev/null
+org.osgi.framework.system.packages.extra=\
+org.eclipse.swt,\
+org.eclipse.swt.awt,\
+org.eclipse.swt.dnd,\
+org.eclipse.swt.events,\
+org.eclipse.swt.graphics,\
+org.eclipse.swt.layout,\
+org.eclipse.swt.widgets,\
+org.eclipse.swt.browser,\
+org.eclipse.swt.custom,\
+com.sun.jna,\
+com.sun.jna.internal,\
+com.sun.jna.ptr,\
+com.sun.jna.win32,\
+org.eclipse.angus.mail.mbox,\
+org.apache.tomcat.jni,\
+sun.security.util,\
+sun.security.internal.spec,\
+sun.security.provider,\
+sun.awt.X11,\
+com.sun.net.httpserver,\
+com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.jndi.dns,\
+com.sun.security.jgss,\
+com.sun.nio.file,\
+com.sun.nio.sctp
--- /dev/null
+#osgi.console=localhost:2023
+osgi.clean=true
\ No newline at end of file
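Review bot: The commented `#osgi.console=localhost:2023` is the Equinox telnet console, which has no authentication: any local user who can reach that port can install and start bundles inside the JVM, so binding to localhost limits exposure to the machine, not to the service account. State that next to it, e.g. `# unauthenticated OSGi shell; localhost only limits it to local users - keep disabled outside development`.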
--- /dev/null
+org.osgi.framework.system.packages.extra=\
+org.argeo.api.init,\
+org.argeo.api.a2,\
+org.argeo.init.osgi,\
+sun.misc,\
+sun.security.util,\
+sun.security.internal.spec,\
+sun.security.provider,\
+com.sun.net.httpserver,\
+com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.jndi.dns,\
+com.sun.security.jgss,\
+com.sun.nio.file,\
+com.sun.nio.sctp
--- /dev/null
+
+argeo.osgi.sources=\
+a2+reference:///\
+?osgi=equinox\
+&swt=rcp\
+&include=org.argeo.tp\
+&include=org.argeo.tp.osgi\
+&include=org.argeo.slc\
+&include=org.argeo.tp.sys\
+
+## Active modules
+argeo.osgi.start.2=\
+org.eclipse.equinox.console,\
+
+argeo.osgi.start.4=\
+org.argeo.slc.runtime,\
+++ /dev/null
-osgi.clean=true
-#osgi.console=true
-
-argeo.osgi.start.2=\
-org.eclipse.equinox.http.servlet,\
-org.apache.felix.scr,\
-org.eclipse.rap.rwt.osgi,\
-org.apache.tika.parsers,\
-org.argeo.init
-
-argeo.osgi.start.3=\
-org.argeo.cms,\
-org.argeo.cms.swt.rap,\
-org.argeo.cms.swt.rcp,\
-org.argeo.cms.ee,\
-org.argeo.cms.lib.sshd,\
-org.argeo.cms.lib.equinox,\
-org.argeo.cms.lib.jetty,\
-org.argeo.cms.jshell,\
-
-argeo.http.port=80
-#argeo.sshd.port=22
-
-argeo.osgi.sources=\
-a2:///?\
-osgi=equinox&\
-log=syslogger&\
-crypto=fips&\
+++ /dev/null
-#-Xmx64m
-#-Xshareclasses:name=pid1
-#-XX:+IdleTuningGcOnIdle
-
--Dargeo.logging.file=/var/log/freed-pid1.log
--Dlog.FreedPid1=DEBUG
-
--Dosgi.configuration.cascaded=true
--Dosgi.sharedConfiguration.area=/usr/local/etc/freed/pid1
--Dosgi.sharedConfiguration.area.readOnly=true
--Dosgi.configuration.area=/var/lib/freed/pid1/state/
--Dosgi.instance.area=/var/lib/freed/pid1/data/
-
--Dorg.osgi.framework.system.packages.extra=sun.security.utils,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp
--Dorg.eclipse.equinox.http.jetty.autostart=false
-
--Dfile.encoding=UTF-8
--Dnative.encoding=UTF-8
--Dsun.stdout.encoding=UTF-8
--Dsun.stderr.encoding=UTF-8
--Dsun.jnu.encoding=UTF-8
-
--cp /usr/local/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:/usr/local/share/a2/org.argeo.cms/org.argeo.init.2.3.jar
\ No newline at end of file
+++ /dev/null
-log.org.argeo=DEBUG
\ No newline at end of file
--- /dev/null
+osgi.clean=true
+#osgi.console=true
+
+argeo.osgi.start.2=\
+org.eclipse.equinox.http.servlet,\
+org.apache.felix.scr,\
+org.eclipse.rap.rwt.osgi,\
+org.apache.tika.parsers,\
+org.argeo.init
+
+argeo.osgi.start.3=\
+org.argeo.cms,\
+org.argeo.cms.swt.rap,\
+org.argeo.cms.swt.rcp,\
+org.argeo.cms.ee,\
+org.argeo.cms.lib.sshd,\
+org.argeo.cms.lib.equinox,\
+org.argeo.cms.lib.jetty,\
+org.argeo.cms.jshell,\
+
+argeo.http.port=80
+#argeo.sshd.port=22
+
+argeo.osgi.sources=\
+a2:///?\
+osgi=equinox&\
+log=syslogger&\
+crypto=fips&\
--- /dev/null
+#-Xmx64m
+#-Xshareclasses:name=sysj
+#-XX:+IdleTuningGcOnIdle
+
+-Dargeo.logging.file=/var/log/sysj.log
+-Dlog.org.argeo=DEBUG
+
+-Dosgi.configuration.cascaded=true
+-Dosgi.sharedConfiguration.area=/usr/local/lib/sysj
+-Dosgi.sharedConfiguration.area.readOnly=true
+-Dosgi.configuration.area=/var/lib/sysj/state/
+-Dosgi.instance.area=/var/lib/sysj/data/
+
+-Dorg.osgi.framework.system.packages.extra=sun.security.utils,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp
+-Dorg.eclipse.equinox.http.jetty.autostart=false
+
+-Dfile.encoding=UTF-8
+-Dnative.encoding=UTF-8
+-Dsun.stdout.encoding=UTF-8
+-Dsun.stderr.encoding=UTF-8
+-Dsun.jnu.encoding=UTF-8
+
+-cp \
+/usr/local/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:\
+/usr/local/share/a2/org.argeo.cms/org.argeo.init.2.3.jar
\ No newline at end of file
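Review bot: The `-cp \` split across the last three lines looks broken: an `@argfile` honours backslash-newline continuation only inside a quoted token as far as I can tell, so unquoted the JVM would see `\` as the classpath and `/usr/local/share/…/org.eclipse.osgi.3.18.jar:\` as the main class — the previous file kept this on one line, and wrapping the value in double quotes (`-cp "…osgi.3.18.jar:\` … `…init.2.3.jar"`) is the documented way to continue a long value. `sun.security.utils` in `-Dorg.osgi.framework.system.packages.extra` is not a JDK package; `sun.security.util` is, and the system unit and the `.properties` lists in this change spell it that way, so fix the spelling here. `-Dlog.org.argeo=DEBUG` baked into the shared config also means the system service logs at debug level to `/var/log/sysj.log` by default; if that is intended for this release, a comment saying so would help.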
--- /dev/null
+log.org.argeo=DEBUG
\ No newline at end of file
--- /dev/null
+[Unit]
+Description=Argeo node %I
+After=network-online.target
+Wants=postgresql.service
+
+[Service]
+Type=simple
+
+User=freed
+Group=freed
+
+StateDirectory=argeo.d/%I
+LogsDirectory=argeo.d/%I
+ConfigurationDirectory=argeo.d/%I
+CacheDirectory=argeo.d/%I
+EnvironmentFile=/usr/local/etc/default/argeo
+WorkingDirectory=/var/lib/argeo.d/%I
+
+ExecStart=java \
+-Djava.library.path=/usr/local/lib/a2/org.argeo.slc:/usr/local/lib/a2/org.argeo.tp.sys \
+-Dosgi.configuration.cascaded=true \
+-Dosgi.sharedConfiguration.area=${CONFIGURATION_DIRECTORY} \
+-Dosgi.sharedConfiguration.area.readOnly=true \
+-Dosgi.configuration.area=${STATE_DIRECTORY}/state/ \
+-Dosgi.instance.area=${STATE_DIRECTORY}/data/ \
+-Dargeo.node.repo.indexesBase=${CACHE_DIRECTORY}/indexes \
+-Dorg.osgi.framework.system.packages.extra=sun.security.util,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp \
+-Dorg.eclipse.equinox.http.jetty.autostart=false \
+-Declipse.ignoreApp=true \
+-Dosgi.noShutdown=true \
+@/usr/local/etc/argeo/jvm.args \
+@${CONFIGURATION_DIRECTORY}/../jvm.args \
+@${CONFIGURATION_DIRECTORY}/jvm.args \
+-cp "/usr/local/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:/usr/local/share/a2/org.argeo.cms/org.argeo.init.2.3.jar" \
+org.argeo.init.ServiceMain
+
+# Exit codes of the JVM when SIGTERM or SIGINT have been caught:
+SuccessExitStatus=143 130
+
+CPUAccounting=true
+MemoryAccounting=true
+TasksAccounting=true
+IOAccounting=true
+IPAccounting=true
+
+[Install]
+WantedBy=network-online.target
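Review bot: The JVM refuses to start when any `@argfile` is missing, and this unit names three (`/usr/local/etc/argeo/jvm.args`, `${CONFIGURATION_DIRECTORY}/../jvm.args`, `${CONFIGURATION_DIRECTORY}/jvm.args`); `ConfigurationDirectory=` creates `/etc/argeo.d/%I` but not the file inside it, and nothing in the packaging in this change ships `/etc/argeo.d/jvm.args`, so a fresh instance fails at ExecStart. The user unit in the same change pre-touches its argfile for exactly this reason; do the same here with `ExecStartPre=+/usr/bin/touch ${CONFIGURATION_DIRECTORY}/../jvm.args ${CONFIGURATION_DIRECTORY}/jvm.args` (the `+` because the configuration directory is presumably root-owned while the service runs as `freed`), or drop the optional argfiles and document the remaining one as required. With `User=freed` and the State/Logs/Cache directory split already in place, the unit is a good candidate for `NoNewPrivileges=true`, `ProtectSystem=strict` and `PrivateTmp=true`. `WantedBy=network-online.target` is unusual for a service (the other units in this change use `multi-user.target`), and `After=network-online.target` without `Wants=network-online.target` does not actually pull the target in.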
--- /dev/null
+[Unit]
+Description=Roaming IPSec to '%i'
+After=network-online.target
+Wants=network-online.target
+
+After=ipsec.service
+PartOf=ipsec.service
+Requires=ipsec.service
+
+StartLimitIntervalSec=60
+StartLimitBurst=20
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=ipsec auto --start %i
+ExecStop=ipsec auto --delete %i
+
+Restart=on-failure
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target
+RequiredBy=ipsec.service
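Review bot: `RequiredBy=ipsec.service` in `[Install]` together with `PartOf=ipsec.service` and `Requires=ipsec.service` ties the two units in both directions: once enabled, ipsec.service requires this instance, so an explicit `systemctl stop` or `restart` of `freed-ipsec-roaming@foo` also stops or restarts ipsec.service and with it every other tunnel. `WantedBy=multi-user.target` already starts the instance at boot and `PartOf=` already binds its lifetime to ipsec.service, so drop the `RequiredBy=` line, or use `WantedBy=ipsec.service` if the intent is for ipsec's start to pull instances in. `%i` is the escaped instance name handed to `ipsec auto --start`, so a comment stating that the instance name must equal the `conn` name in ipsec.conf (and be escaped with `systemd-escape` if it contains special characters) would help whoever enables the unit.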
--- /dev/null
+[Unit]
+Description=On resume actions
+After=sleep.target
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStartPre=sleep 3
+ExecStart=/usr/bin/systemctl restart ipsec
+
+[Install]
+WantedBy=sleep.target
+
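Review bot: `ExecStartPre=sleep 3` uses a bare command name while the sibling on-suspend unit uses `/usr/bin/sleep`; systemd resolves unqualified names from a fixed search path (since v239, as far as I recall), so it works, but the two units should use one form. The three-second wait before `systemctl restart ipsec` is unexplained — presumably it gives the link time to come back after resume — so say so: `# give the link a moment to come up before re-establishing tunnels`. If `network-online.target` is the real condition, the `After=`/`Wants=` lines already express it and the sleep may be redundant.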
--- /dev/null
+[Unit]
+Description=On suspend actions
+Before=sleep.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl stop ipsec
+ExecStartPost=/usr/bin/sleep 5
+
+[Install]
+WantedBy=sleep.target
--- /dev/null
+[Unit]
+Description=Argeo user runtime
+
+[Service]
+Type=simple
+StateDirectory=argeo/slc
+LogsDirectory=argeo/slc
+ConfigurationDirectory=argeo/slc
+CacheDirectory=argeo/slc
+EnvironmentFile=/usr/local/etc/default/argeo
+WorkingDirectory=/usr/local/
+
+# Optional files
+ExecStartPre=/usr/bin/mkdir -p ${CONFIGURATION_DIRECTORY}
+ExecStartPre=/usr/bin/touch ${CONFIGURATION_DIRECTORY}/jvm.args
+
+ExecStart=java \
+-Djava.library.path=/usr/local/lib/a2/org.argeo.slc:/usr/local/lib/a2/org.argeo.tp.sys:/usr/local/lib/a2/swt/rcp/org.argeo.tp.swt \
+-Dosgi.framework.useSystemProperties=false \
+@/usr/local/etc/argeo/jvm.args \
+@/usr/local/etc/argeo/user/jvm.args \
+@${CONFIGURATION_DIRECTORY}/jvm.args \
+-cp "/usr/local/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:/usr/local/share/a2/org.argeo.cms/org.argeo.init.2.3.jar:/usr/local/lib/a2/org.argeo.slc/*:/usr/local/lib/a2/org.argeo.tp.sys/*:/usr/local/lib/a2/swt/rcp/org.argeo.tp.swt/*" \
+org.argeo.init.RuntimeManagerMain \
+etc/argeo/user/slc
+
+# Exit codes of the JVM when SIGTERM or SIGINT have been caught:
+SuccessExitStatus=143 130
+
+[Install]
+WantedBy=multi-user.target
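Review bot: The last argument to `org.argeo.init.RuntimeManagerMain`, `etc/argeo/user/slc`, is relative to `WorkingDirectory=/usr/local/`, and neither string is matched by the Makefile's three `sed` rewrites (`/usr/local/etc`, `/usr/local/lib`, `/usr/local/share`), so a build with `prefix=/usr sysconfdir=/etc` as in debian/rules still resolves it to `/usr/local/etc/argeo/user/slc`, which that package does not ship. Pass the absolute `/usr/local/etc/argeo/user/slc` (which the sed then rewrites) so the working directory no longer matters for it. The spec's `%systemd_user_post argeo.service` suggests this is the user-manager unit, in which case `WantedBy=multi-user.target` should be `default.target` (the user instance has no multi-user.target, so `enable` creates a dangling wants link); if it is instead a system unit, it has no `User=` and runs the runtime as root. `ExecStartPre=/usr/bin/mkdir -p ${CONFIGURATION_DIRECTORY}` duplicates what `ConfigurationDirectory=` already does and can go.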
--- /dev/null
+#!/bin/sh
+#
+# default updown script for use with NETKEY(XFRM)
+#
+# Copyright (C) 2003-2004 Nigel Metheringham
+# Copyright (C) 2002-2007 Michael Richardson <mcr@xelerance.com>
+# Copyright (C) 2007-2008 Paul Wouters <paul@xelerance.com>
+# Copyright (C) 2003-2020 Tuomo Soini <tis@foobar.fi>
+# Copyright (C) 2011-2016 Paul Wouters <pwouters@redhat.com>
+# Copyright (C) 2016 Antony Antony <antony@phenome.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <https://www.gnu.org/licenses/gpl2.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of Libreswan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown= parameters in ipsec.conf to make
+# Libreswan use your modified updown script instead of this default one.
+
+test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
+
+LC_ALL=C
+export LC_ALL
+
+# Things that this script gets (from ipsec_pluto(8) man page)
+#
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway
+# communications is IPv6, then a suffix of -v6 is added
+# to the verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_CONN_POLICY
+# the policy of the connection, as in:
+# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC
+# +failureDROP+lKOD+rKOD
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the real interface used by encrypted traffic and IKE traffic
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_METRIC
+# is the metric to set for the route
+#
+# PLUTO_MTU
+# is the mtu to set for the route
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / mask (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# if non-empty, then the source address for the route will be
+# set to this IP address.
+#
+# PLUTO_MY_PROTOCOL
+# is the protocol for this connection. Useful for
+# firewalling.
+#
+# PLUTO_MY_PORT
+# is the port. Useful for firewalling.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client subnet.
+# If the client is just the peer, this will be
+# the peer's own IP address / mask (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the protocol set for remote end with port
+# selector.
+#
+# PLUTO_PEER_PORT
+# is the peer's port. Useful for firewalling.
+#
+# PLUTO_CFG_CLIENT=0|1
+# is MODECFG or IKEv2 Config client.
+#
+# PLUTO_CFG_SERVER=0|1
+# is MODECFG or IKEv2 Config server.
+#
+# PLUTO_CONNECTION_TYPE
+#
+# PLUTO_CONN_ADDRFAMILY
+# is the family type, "ipv4" or "ipv6"
+#
+# PLUTO_PROTO_STACK
+# is the local IPsec kernel stack used, eg NETKEY, NOSTACK
+#
+# PLUTO_IS_PEER_CISCO=0|1
+# remote server type is cisco. Add support for cisco extensions
+# when used with xauth.
+#
+# PLUTO_NM_CONFIGURED=0|1
+# is NetworkManager used for resolv.conf update
+#
+# PLUTO_SA_REQID
+# When using KAME or XFRM/NETKEY, the IPsec SA reqid base value.
+# ESP/AH out is base, ESP/AH in = base + 1
+# IPCOMP is base + 2 plus for inbound + 1
+#
+# PLUTO_SA_TYPE
+# The type of IPsec SA (ESP or AH)
+#
+# PLUTO_USERNAME
+# The username (XAUTH or GSSAPI) that was authenticated (if any)
+# for this SA
+#
+# PLUTO_VIRT_INTERFACE
+# is the name of ipsec interface used by clear traffic in/out
+#
+#
+# XAUTH_FAILED
+# If xauthfail=soft this will be set to 1 if XAUTH authentication
+# failed. If xauthfail=hard, the updown scripts never run.
+#
+# CONNMARK
+# If mark= is set on the connection, this variable will be
+# set with the value. It can be used for iptables or VTI.
+#
+# VTI_IFAC=iface
+# Name of VTI interface to create
+#
+# VTI_ROUTING=yes|no
+# Whether or not to perform ip rule and ip route commands
+# covering the IPsec SA address ranges to route those packets
+# into the VTI_IFACE interface. This should be enabled unless
+# the IPsec SA covers 0.0.0.0/0 <-> 0.0.0.0/0
+#
+# VTI_SHARED=yes|no
+# Whether or not more conns (or instances) share a VTI device.
+# If not shared, the VTI device is deleted when tunnel goes down.
+#
+# SPI_IN / SPI_OUT
+# The inbound and outbound SPI's of the connection.
+
+# rpm based systems
+if [ -f /etc/sysconfig/pluto_updown ]; then
+ . /etc/sysconfig/pluto_updown
+# deb based systems
+elif [ -f /etc/default/pluto_updown ]; then
+ . /etc/default/pluto_updown
+fi
+
+BACKUP_RESOLV_CONF=/run/pluto/libreswan-resolv-conf-backup
+ETC_RESOLV_CONF=/etc/resolv.conf
+
+case "${PLUTO_CONN_ADDRFAMILY}" in
+ ipv4)
+ FAMILY=4
+ MAX_CIDR=32
+ SCOPE=50 # Use scope 50 to verify ip was added by addsource()
+ ;;
+ ipv6)
+ FAMILY=6
+ MAX_CIDR=128
+ SCOPE=global
+ ;;
+ *)
+ echo "unknown address family \"${PLUTO_CONN_ADDRFAMILY}\"" >&2
+ exit 1
+ ;;
+esac
+export FAMILY MAX_CIDR SCOPE
+
+# 2022-09-03 - mbaudier : Hack when having an IPv6 subnet
+export CLIENT_FAMILY=6
+export CLIENT_MAX_CIDR=128
+
+# Ignore parameter custom
+if [ "${1}" = "custom" ]; then
+ shift
+fi
+
+while [ $# -gt 0 ]; do
+ case ${1} in
+ --route)
+ case ${2} in
+ [Yy]*)
+ ROUTE=yes
+ PROXY_ARP_ROUTE=no
+ ;;
+ *)
+ ROUTE=
+ PROXY_ARP_ROUTE=
+ ;;
+ esac
+ shift; shift
+ ;;
+ --iproute)
+ IPRARGS="${2}"
+ shift; shift
+ ;;
+ *)
+ echo "$0: Unknown argument \"${1}\"" >&2
+ exit 1
+ ;;
+ esac
+done
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doproxyarp add
+ doroute replace
+}
+
+downroute() {
+ doroute del
+ doproxyarp delete
+}
+
+downrule() {
+ if [ -n "${PLUTO_MY_SOURCEIP}" -a 0${PLUTO_IS_PEER_CISCO} -eq 1 ]; then
+ doroute del
+ fi
+}
+
+updateresolvconf() {
+ local domain
+ local nameserver
+ local new_nameserver
+ local new_resolv_conf
+ local new_search
+ local orig_domain
+ local orig_nameserver
+ local rc
+ rc=0
+ if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then
+ return ${rc}
+ fi
+ if [ -n "$(pidof unbound)" -a \
+ -n "${PLUTO_PEER_DNS_INFO}" -a \
+ -n "${PLUTO_PEER_DOMAIN_INFO}" ]
+ then
+ for domain in ${PLUTO_PEER_DOMAIN_INFO}; do
+ echo "updating local nameserver for ${domain} with ${PLUTO_PEER_DNS_INFO}"
+ unbound-control forward_add ${domain} \
+ ${PLUTO_PEER_DNS_INFO}
+ unbound-control flush_zone ${domain}
+ unbound-control flush_requestlist
+ done
+ rc=$?
+ elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 -a \
+ -n "${PLUTO_PEER_DNS_INFO}" ]
+ then
+ echo "updating resolvconf"
+
+ if [ ! -e "${ETC_RESOLV_CONF}" ]; then
+ echo "resolv.conf does not exist, so doing nothing"
+ return 0
+ fi
+
+ if [ -e "${BACKUP_RESOLV_CONF}" ]; then
+ if grep -q Libreswan "${ETC_RESOLV_CONF}"; then
+ echo "Current resolv.conf is generated by Libreswan, and backup resolv.conf already exists, so doing nothing"
+ return 0
+ else
+ echo "backup resolv.conf exists, but current resolv.conf is not generated by Libreswan"
+ fi
+ fi
+
+ rm -f -- "${BACKUP_RESOLV_CONF}"
+ cp -- "${ETC_RESOLV_CONF}" "${BACKUP_RESOLV_CONF}"
+
+ new_resolv_conf="# Generated by Libreswan (IPsec)"
+
+ orig_domain="$(grep ^domain "${ETC_RESOLV_CONF}" 2>/dev/null | \
+ awk '{ print $2 }')"
+
+ orig_search=$(grep ^search "${ETC_RESOLV_CONF}" 2>/dev/null | \
+ sed 's/^search[[:space:]]\+//;s/[[:space:]]*\#.*//')
+
+ if [ -n "${orig_domain}" ]; then
+ new_resolv_conf="${new_resolv_conf}
+domain ${orig_domain}"
+ fi
+
+ if [ -n "${orig_search}" ]; then
+ new_search="${orig_search}"
+ elif [ -n "${orig_domain}" ]; then
+ new_search="${orig_domain}"
+ fi
+
+ if [ -n "${PLUTO_PEER_DOMAIN_INFO}" ]; then
+ if [ -n "${new_search}" ]; then
+ new_search=$(echo $(echo "${new_search} ${PLUTO_PEER_DOMAIN_INFO}" | tr [:space:] '\n' | awk '!a[$0]++'))
+ else
+ new_search="${PLUTO_PEER_DOMAIN_INFO}"
+ fi
+ fi
+
+ if [ -n "${new_search}" ]; then
+ new_resolv_conf="${new_resolv_conf}
+search ${new_search}"
+ fi
+
+ orig_nameserver=$(grep -m 1 ^nameserver "${ETC_RESOLV_CONF}" | \
+ sed 's/^nameserver[[:space:]]\+//;s/[[:space:]]*\#.*//')
+ if [ -n "${orig_nameserver}" ]; then
+ new_nameserver=$(echo $(echo "${PLUTO_PEER_DNS_INFO} ${orig_nameserver}" | tr [:space:] '\n' | awk '!a[$0]++'))
+ else
+ new_nameserver="${PLUTO_PEER_DNS_INFO}"
+ fi
+
+ for nameserver in ${new_nameserver}; do
+ new_resolv_conf="${new_resolv_conf}
+nameserver ${nameserver}"
+ done
+
+ echo "${new_resolv_conf}" > "${ETC_RESOLV_CONF}"
+ rc=$?
+ fi
+ return ${rc}
+}
+
+restoreresolvconf() {
+ local domain
+ local rc
+ rc=0
+ if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then
+ return ${rc}
+ fi
+ if [ -n "$(pidof unbound)" -a \
+ -n "${PLUTO_PEER_DNS_INFO}" -a \
+ -n "${PLUTO_PEER_DOMAIN_INFO}" ]
+ then
+ for domain in ${PLUTO_PEER_DOMAIN_INFO}; do
+ echo "flushing local nameserver of ${domain}"
+ unbound-control forward_remove ${domain}
+ unbound-control flush_zone ${domain}
+ unbound-control flush_requestlist
+ done
+ rc=$?
+ elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 ]; then
+ # We only restore if current resolv.conf is made by us.
+ if grep -q Libreswan "${ETC_RESOLV_CONF}" 2>/dev/null; then
+ # And if there is a backup...
+ if [ -e "${BACKUP_RESOLV_CONF}" ]; then
+ echo "restoring resolvconf"
+ else
+ return 0
+ fi
+ cp -- "${BACKUP_RESOLV_CONF}" "${ETC_RESOLV_CONF}"
+ fi
+ rm -f -- "${BACKUP_RESOLV_CONF}"
+ rc=0
+ fi
+ return ${rc}
+}
+
+notifyNM() {
+ # This will be called whenever a connection is established or
+ # fails to establish (either phase 1, xauth phase, or phase 2)
+ # or whenever an already established connection is being terminated.
+ # This will send a signal to NetworkManager over dbus so that NM
+ # can keep track of the coonnections.
+
+ if [ 0${PLUTO_NM_CONFIGURED} -eq 1 ]; then
+ echo "sending $1 signal to NetworkManager"
+ libreswan_reason=$1
+ export libreswan_reason
+ export PLUTO_PEER_DOMAIN_INFO
+ export PLUTO_PEER_DNS_INFO
+ export PLUTO_PEER_BANNER
+ export PLUTO_MY_SOURCEIP
+ export PLUTO_PEER
+ [ -x /usr/libexec/nm-libreswan-service-helper ] && \
+ /usr/libexec/nm-libreswan-service-helper
+ fi
+ return 0
+}
+
+addsource() {
+ local interface
+ local st
+ interface=lo
+ st=0
+
+ if [ -z "${PLUTO_MY_SOURCEIP}" ]; then
+ return ${st}
+ fi
+ # check if given sourceip is local and add as alias if not
+ if ! ip -${CLIENT_FAMILY} -o route get ${PLUTO_MY_SOURCEIP} | grep -q ^local; then
+ if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
+ interface="${VTI_IFACE}"
+ elif [ -n "${PLUTO_XFRMI_ROUTE}" ]; then
+ interface=${PLUTO_VIRT_INTERFACE}
+ fi
+ it="ip addr add ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} dev ${interface} scope ${SCOPE}"
+ oops="$(eval ${it} 2>&1)"
+ st=$?
+ if [ -z "${oops}" -a ${st} -ne 0 ]; then
+ oops="silent error, exit status ${st}"
+ fi
+ case "${oops}" in
+ 'RTNETLINK answers: File exists'*)
+ # should not happen, but ... ignore if the
+ # address was already assigned on interface
+ oops=""
+ st=0
+ ;;
+ esac
+ if [ -n "${oops}" -o ${st} -ne 0 ]; then
+ echo "$0: addsource \"${it}\" failed (${oops})" >&2
+ fi
+ fi
+ return ${st}
+}
+
+delsource() {
+ local interface
+ local oops
+ local st
+ interface=lo
+ st=0
+ if [ -z "${PLUTO_MY_SOURCEIP}" ]; then
+ return ${st}
+ fi
+ # Remove source ip if it's not used any more.
+ if [ -z "$(ip -${CLIENT_FAMILY} -o route list src ${PLUTO_MY_SOURCEIP})" ]; then
+ if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
+ interface="${VTI_IFACE}"
+ elif [ -n "${PLUTO_XFRMI_ROUTE}" ]; then
+ interface=${PLUTO_VIRT_INTERFACE}
+ fi
+ # If there is no ip we just return
+ if ! ip -${FAMILY} -o addr list dev ${interface} scope ${SCOPE} | \
+ grep -q ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR}
+ then
+ return ${st}
+ fi
+
+ if [ -n "${PLUTO_MOBIKE_EVENT}" ] ; then
+ return ${st}
+ fi
+
+ it="ip -${CLIENT_FAMILY} addr del ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} dev ${interface}"
+ oops="$(eval ${it} 2>&1)"
+ st=$?
+ if [ -z "${oops}" -a ${st} -ne 0 ]; then
+ oops="silent error, exit status ${st}"
+ fi
+ case "${oops}" in
+ 'RTNETLINK answers: File exists'*)
+ # should not happen, but ... ignore if the
+ # address was already assigned on interface
+ oops=""
+ st=0
+ ;;
+ 'RTNETLINK answers: Cannot assign'*)
+ # Address is not there to remove or is there with different
+ # netmask and in that case we must not remove it so we ignore
+ # the error.
+ oops=""
+ st=0
+ ;;
+ esac
+ if [ -n "${oops}" -o ${st} -ne 0 ]; then
+ echo "$0: delsource \"${it}\" failed (${oops})" >&2
+ fi
+ fi
+ return ${st}
+}
+
+doproxyarp() {
+ local cmd
+ local iface
+ cmd=${1}
+ # Check if client has a single ip only client net
+ if [ ${PLUTO_PEER_CLIENT#*/} = ${MAX_CIDR} ]; then
+ # Skip OE special connections and direct host-host connections
+ if [ "${PLUTO_PEER_CLIENT_NET}" = "0.0.0.0" -o \
+ "${PLUTO_PEER_CLIENT_NET}" = "::" -o \
+ "${PLUTO_PEER_CLIENT_NET}" = "${PLUTO_PEER}" -o \
+ "${PLUTO_MY_CLIENT_NET}" = "${PLUTO_ME}" ]
+ then
+ return 0
+ fi
+ # check if client is routeable
+ if ip -${FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} 2>/dev/null | \
+ grep -E -q -s -v " via |^local"
+ then
+ iface=$(ip -${FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} 2>/dev/null | \
+ awk '{print $3}')
+ if [ -r /sys/class/net/${iface}/address ]; then
+ macaddr=$(cat /sys/class/net/${iface}/address)
+ fi
+ # add/remove arp entry for the client on ethernet devices only
+ if [ -n "${macaddr}" ]; then
+ if [ "${cmd}" = "add" ]; then
+ ip -${FAMILY} neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} \
+ lladdr ${macaddr} nud permanent
+ # Force routing, required for proxyarp to work
+ PROXY_ARP_ROUTE=yes
+ export PROXY_ARP_ROUTE
+ else
+ ip -${FAMILY} neigh del proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface}
+ fi
+ fi
+ fi
+ fi
+}
+
+do_ip()
+{
+ local cmd="$1"
+ oops="$(eval ${cmd} 2>&1)"
+ st=$?
+
+ if [ -z "${oops}" -a ${st} -ne 0 ]; then
+ oops="silent error, exit status ${st}"
+ fi
+
+ case "${oops}" in
+ 'RTNETLINK answers: No such process'*)
+ # should not happen, but ... ignore if the
+ # route was already removed
+ oops=""
+ st=0
+ ;;
+ esac
+
+ if [ -n "${oops}" -a ${st} -ne 0 ]; then
+ echo "$0: doroute \"${cmd}\" failed (${oops})" >&2
+ fi
+
+ return ${st}
+}
+
+doroute() {
+ local cmd
+ local esp_nexthop
+ local esp_peer_interface
+ local espipro
+ local ipru
+ local route_table
+ local oops
+ local parms
+ local parms2
+ local st
+ local xfrmi_route
+ local xfrmi_rule
+ cmd=${1}
+ route_table=50
+ st=0
+ xfrmi_route="${PLUTO_XFRMI_ROUTE}"
+
+ if [ ${cmd} != del ]; then
+ oops="$(ip -${FAMILY} route get ${PLUTO_PEER_CLIENT_NET} 2>&1)"
+ case "${oops}" in
+ 'RTNETLINK answers: No route to host'*)
+ if [ -z "${PLUTO_XFRMI_ROUTE}" ]; then
+ ROUTE=yes # Routing is mandatory for IPsec
+ fi
+ ;;
+ esac
+ fi
+
+ if [ -n "${PLUTO_XFRMI_FWMARK}" ]; then
+ xfrmi_rule=yes # we have to add "ip rules" and "ip route table"
+ ROUTE=no # xfrmi_route will add the route
+ fi
+
+ # skip routing if it's not enabled or necessary
+ if [ -z "${PLUTO_MY_SOURCEIP}" -a \
+ -z "${PLUTO_MTU}" -a \
+ "${PROXY_ARP_ROUTE}" != yes -a \
+ "${cmd}" != "del" ]
+ then
+ PROXY_ARP_ROUTE=no
+ fi
+
+ if [ -n "${PLUTO_MY_SOURCEIP}" -o -n "${PLUTO_MTU}" ]; then
+ ROUTE=yes
+ fi
+
+ if [ "${PLUTO_PEER_CLIENT}" = "${PLUTO_MY_CLIENT}" -a \
+ "${PLUTO_XFRMI_ROUTE}" = yes ]
+ then
+ xfrmi_route="samesubnets";
+ echo "leftsubet == rightsubnet = ${PLUTO_PEER_CLIENT} cannot add route"
+ fi
+
+ parms="${PLUTO_PEER_CLIENT}"
+ parms2=${IPRARGS}
+ # nexthop is not needed on ppp interfaces. unset it to make cases
+ # work, where left is set but no leftnexthop (e.g. left=%defaultroute)
+ if ip link show "${PLUTO_INTERFACE%:*}" | grep -q POINTOPOINT; then
+ POINTPOINT=yes
+ fi
+ # use nexthop if nexthop is not %direct and POINTPOINT is not set
+ if [ "${PLUTO_NEXT_HOP}" != "${PLUTO_PEER}" -a -z "${POINTPOINT}" ]; then
+ # XFRM interface needs no nexthop
+ if [ -z "${PLUTO_XFRMI_ROUTE}" ]; then
+ parms2="via ${PLUTO_NEXT_HOP}"
+ fi
+ esp_nexthop="via ${PLUTO_NEXT_HOP} "
+ fi
+ # route via proper interface according to routing table
+ if [ "${cmd}" = "del" ]; then
+ case "${PLUTO_PEER_CLIENT}" in
+ "0.0.0.0/0")
+ # in case of default route we use half routes
+ peer_interface=$(ip -${FAMILY} -o route list exact 0.0.0.0/1 | \
+ sed "s/^.*dev \([^ ]*\) .*/\1/")
+ ;;
+ "::/0")
+ # in case of default route we use half routes
+ peer_interface=$(ip -${FAMILY} -o route list exact 2000::/3 | \
+ sed "s/^.*dev \([^ ]*\) .*/\1/")
+ ;;
+ *)
+ peer_interface=$(ip -${CLIENT_FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} | \
+ sed "s/^.*dev \([^ ]*\) .*/\1/")
+ ;;
+ esac
+ else
+ peer_interface=$(ip -o route get ${PLUTO_NEXT_HOP} | \
+ sed "s/^.*dev \([^ ]*\) .*/\1/")
+ fi
+
+ esp_peer_interface=$(ip -${FAMILY} -o route get ${PLUTO_NEXT_HOP} \
+ from ${PLUTO_ME} | sed "s/^.*\(dev [^ ]*\) .*/\1/")
+ if [ -z "${esp_peer_interface}" ]; then
+ esp_peer_interface="dev ${PLUTO_INTERFACE}"
+ fi
+
+ if [ -z "${peer_interface}" ]; then
+ peer_interface=${PLUTO_INTERFACE}
+ fi
+
+ if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
+ peer_interface=${PLUTO_VIRT_INTERFACE}
+ fi
+
+ if [ -n "${VTI_IFACE}" ]; then
+ addsource
+ peer_interface="${VTI_IFACE}"
+ fi
+
+ parms2="${parms2}${PLUTO_MTU:+ mtu ${PLUTO_MTU}}"
+ parms2="${parms2}${PLUTO_METRIC:+ metric ${PLUTO_METRIC}} ${IPROUTEARGS}"
+
+ parms2="${parms2} dev ${peer_interface%:*}"
+
+ # make sure we have sourceip locally in this machine
+ if [ "${cmd}" = "replace" -a -n "${PLUTO_MY_SOURCEIP}" ]; then
+ addsource
+ # use sourceip as route default source
+ parms2="${parms2} src ${PLUTO_MY_SOURCEIP}"
+ fi
+
+ case "${PLUTO_PEER_CLIENT}" in
+ "0.0.0.0/0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip -${FAMILY} route ${cmd} 0.0.0.0/1 ${parms2} && \
+ ip -${FAMILY} route ${cmd} 128.0.0.0/1 ${parms2}"
+ ;;
+ "::/0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip -${FAMILY} route ${cmd} 2000::/3 ${parms2}"
+ ;;
+ *)
+ it="ip -${CLIENT_FAMILY} route ${cmd} ${parms} ${parms2}"
+ ;;
+ esac
+
+ if [ "${ROUTE}" = yes -o \
+ "${xfrmi_route}" = yes -o \
+ "${PROXY_ARP_ROUTE}" = yes ]
+ then
+ do_ip "${it}"
+ st=$?
+ if [ ${st} -ne 0 ]; then
+ return ${st}
+ fi
+ fi
+
+ if [ "${xfrmi_rule}" = "yes" ]; then
+ espipro="ip -${FAMILY} route ${cmd} ${PLUTO_PEER}/${MAX_CIDR} ${esp_nexthop} ${esp_peer_interface%:*} table ${route_table}"
+ do_ip "${espipro}"
+
+ st=$?
+ if [ ${st} -ne 0 ]; then
+ return ${st}
+ fi
+
+ iprulecmd="${cmd}"
+ if [ "${cmd}" = "replace" ]; then
+ iprulecmd="add"
+ fi
+
+ ipru="ip -${FAMILY} rule ${iprulecmd} prio 100 to ${parms}"
+ ipru="${ipru} fwmark ${PLUTO_XFRMI_FWMARK} lookup ${route_table}"
+
+ do_ip "${ipru}"
+ st=$?
+ if [ ${st} -ne 0 ]; then
+ return ${st}
+ fi
+
+ fi
+ return 0
+}
+
+# TODO: We need to specify CIDR mask but our _MASK variables are in old school format
+# TODO: Exclude udp 4500 traffic
+addnflog() {
+ if [ -n "${NFLOG}" ]; then
+ iptables -I OUTPUT -m policy --dir out --pol ipsec \
+ -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \
+ -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
+ iptables -I INPUT -m policy --dir in --pol ipsec \
+ -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \
+ -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
+ fi
+}
+
+delnflog() {
+ if [ -n "${NFLOG}" ]; then
+ iptables -D OUTPUT -m policy --dir out --pol ipsec \
+ -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \
+ -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
+ iptables -D INPUT -m policy --dir in --pol ipsec \
+ -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \
+ -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
+ fi
+}
+
+addvtiiface() {
+ if [ -n "${VTI_IFACE}" ]; then
+ if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then
+ echo "vti-interface option ignored because no mark was configured"
+ else
+ if [ ! -d "/proc/sys/net/ipv4/conf/${VTI_IFACE}" ]; then
+ # echo "creating vti interface"
+ vtipeer="${PLUTO_PEER}"
+ if [ "${PLUTO_CONN_KIND}" = CK_INSTANCE -o "${VTI_SHARED}" = "yes" ]; then
+ vtipeer="0.0.0.0"
+ fi
+ ip tunnel add ${VTI_IFACE} mode vti local ${PLUTO_ME} \
+ remote ${vtipeer} okey ${CONNMARK_OUT%/*} \
+ ikey ${CONNMARK_IN%/*}
+ sysctl -w net.ipv4.conf.${VTI_IFACE}.disable_policy=1
+ sysctl -w net.ipv4.conf.${VTI_IFACE}.rp_filter=0
+ sysctl -w net.ipv4.conf.${VTI_IFACE}.forwarding=1
+ if [ -n "${VTI_IP}" ]; then
+ ip addr add ${VTI_IP} dev ${VTI_IFACE}
+ fi
+ ip link set ${VTI_IFACE} up
+ else
+ # check there was no conflict if we are sharing - might be sensitive to /sbin/ip differences
+ if [ "${VTI_SHARED}" = yes ]; then
+ #test: ip/ip remote 3.4.5.6 local 1.2.3.4 ttl inherit key 5
+ cur="$(ip tun show ${VTI_IFACE})"
+ new="${VTI_IFACE}: ip/ip remote any local ${PLUTO_ME} ttl inherit key ${CONNMARK_OUT%/*}"
+ if [ "${cur}" != "${new}" ]; then
+ echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting"
+ echo "existing: ${cur}"
+ echo "wanted : ${new}"
+ else
+ # temp debug
+ echo "vti interface already exists with identical parameters, OK"
+ fi
+ else
+ echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting (perhaps need vti-sharing=yes ?"
+ fi
+ fi
+ fi
+ fi
+}
+
+addvti() {
+ if [ -n "${VTI_IFACE}" ]; then
+ if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then
+ echo "vti-interface option ignored because no mark was configured"
+ else
+ if [ "${VTI_ROUTING}" = yes ]; then
+ # Tuomo should improve this with using ${PLUTO_MY_CLIENT_NET}
+ # echo "setting up vti routing"
+ r=add
+ ip route list | grep -q "${PLUTO_PEER_CLIENT%/*}" && r=change
+ if [ "${r}" = change ]; then
+ # resolve LAN conflict by forcing host route for default gw
+ gw="$(ip ro li | grep ^default | awk '{ print $3;}')"
+ gwdev="$(ip ro li | grep ^default | awk '{ print $5;}')"
+ # echo "ip route add ${gw} dev ${gwdev}"
+ ip route add ${gw} dev ${gwdev} >/dev/null ||:
+ fi
+ srcip=""
+ if [ -n "${PLUTO_MY_SOURCEIP}" ]; then
+ srcip=" src ${PLUTO_MY_SOURCEIP}"
+ fi
+ # echo "ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip}"
+ ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip}
+ echo "done ip route"
+ fi
+ fi
+ fi
+}
+
+delvti() {
+ if [ -n "${VTI_IFACE}" -a -d /proc/sys/net/ipv4/conf/${VTI_IFACE} ]; then
+ if [ "${VTI_ROUTING}" = yes ]; then
+ ip route del ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} \
+ src ${PLUTO_MY_SOURCEIP} ||:
+ fi
+ # TODO: we can't delete vti interface because we don't have proper reference
+ # counting.
+ #if [ "${VTI_SHARED}" = no -a "${PLUTO_CONN_KIND}" != CK_INSTANCE ]; then
+ # ip tun del ${VTI_IFACE} ||:
+ #fi
+ fi
+}
+
+# Client Address Translation CAT
+addcat() {
+ if [ -n "${CAT}" ] && [ "${PLUTO_MY_CLIENT_NET}" != "0.0.0.0" ] ; then
+ iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
+ -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
+ iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
+ -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
+ -j DNAT --to-destination ${PLUTO_ME}
+ fi
+}
+
+delcat() {
+ if [ -n "${CAT}" ]; then
+ iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec \
+ -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
+ -j DNAT --to-destination ${PLUTO_ME}
+ iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
+ -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
+ fi
+}
+
+# the big choice
+case "${PLUTO_VERB}" in
+ prepare-host|prepare-client)
+ addvtiiface
+ ;;
+ route-host|route-client)
+ # connection to me or my client subnet being routed
+ addvti
+ uproute
+ addnflog
+ ;;
+ unroute-host|unroute-client)
+ # connection to me or my client subnet being unrouted
+ downroute
+ delsource
+ ;;
+ up-host)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ down-host)
+ # connection to me going down
+ downrule
+ delnflog
+ delcat
+ delvti
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ up-client)
+ # connection to my client subnet coming up
+ addvtiiface
+ updateresolvconf
+ addcat
+ addsource
+ notifyNM connect
+ addvti
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ down-client)
+ # connection to my client subnet going down
+ downrule
+ delnflog
+ delcat
+ delvti
+ restoreresolvconf
+ notifyNM disconnect
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ #
+ # IPv6
+ #
+ prepare-host-v6|prepare-client-v6)
+ # prepare client for connection
+ ;;
+ route-host-v6|route-client-v6)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+ unroute-host-v6|unroute-client-v6)
+ # connection to me or my client subnet being unrouted
+ downroute
+ delsource
+ ;;
+ up-host-v6)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ down-host-v6)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ up-client-v6)
+ # connection to my client subnet coming up
+ addsource
+ updateresolvconf
+ notifyNM connect
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ down-client-v6)
+ # connection to my client subnet going down
+ restoreresolvconf
+ notifyNM disconnect
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+ *) echo "$0: unknown verb \"${PLUTO_VERB}\" or parameter \"${1}\"" >&2
+ exit 1
+ ;;
+esac
+++ /dev/null
-# GNU coding standards
-prefix ?= /usr/local
-exec_prefix ?= $(prefix)
-bindir ?= $(exec_prefix)/bin
-sbindir ?= $(exec_prefix)/sbin
-libdir ?= $(exec_prefix)/lib
-libexecdir ?= $(exec_prefix)/libexec
-sysconfdir ?= $(prefix)/etc
-srcdir ?= src
-datarootdir ?= $(prefix)/share
-
-COPY=cp --reflink=auto
-
-all:
- $(MAKE) -C sjbin all
-
-clean:
- $(MAKE) -C sjbin clean
-
-install:
- $(COPY) -r --no-clobber etc/* $(DESTDIR)$(sysconfdir)
- $(COPY) -r usr/bin/* $(DESTDIR)$(bindir)
- $(COPY) -r usr/share/* $(DESTDIR)$(datarootdir)
- $(COPY) -r usr/lib/* $(DESTDIR)$(libdir)
- $(COPY) -r usr/libexec/* $(DESTDIR)$(libexecdir)
- $(MAKE) -C sjbin install
/bin/
/src/*
!/src/*.java
-/freed-pid1
+/freed-*
install:
# TODO generalise
- cp -v --preserve=mode freed-pid1 $(DESTDIR)$(sbindir)
- sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sbindir)/freed-pid1
+ install -D -m755 -t $(DESTDIR)$(sbindir)freed-*
+ sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sbindir)/*
sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sysconfdir)/freed/pid1/jvm.args
# cp -v ../../etc/freed/init/* $(DESTDIR)$(sysconfdir)/freed/init
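Review bot: The new `install` line is missing the separator between the target directory and the glob: `$(DESTDIR)$(sbindir)freed-*` expands to something like `/usr/local/sbinfreed-*`, so `-t` takes that as its directory and no source operand follows, which should make `install` fail with a missing-operand error (and if anything ever matched the glob it would go to the wrong place). It should read `install -D -m755 -t $(DESTDIR)$(sbindir) freed-*`, consistent with the `$(DESTDIR)$(sbindir)/*` path used on the next line. That next line is its own problem: `sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sbindir)/*` now rewrites every file in the sbin directory — with an empty DESTDIR that is the live system sbin — silently patching any unrelated binary that happens to contain the string `/usr/local`, where the removed version only touched `freed-pid1`. Narrow it to what this recipe installed, `sed -i 's|/usr/local|$(prefix)|' $(DESTDIR)$(sbindir)/freed-*`. The `install:` recipe starts at the top of this hunk; whether `sbindir` is defined in this Makefile is not visible here.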
+++ /dev/null
-//#! /usr/bin/java --source 17 @/usr/local/etc/freed/pid1/jvm.args
-
-import static java.lang.System.Logger.Level.DEBUG;
-import static java.lang.System.Logger.Level.ERROR;
-import static java.lang.System.Logger.Level.INFO;
-import static java.lang.System.Logger.Level.WARNING;
-
-import java.io.Console;
-import java.io.IOException;
-import java.lang.System.Logger;
-import java.lang.management.ManagementFactory;
-import java.net.InetAddress;
-import java.net.InterfaceAddress;
-import java.net.NetworkInterface;
-import java.net.SocketException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.List;
-import java.util.TreeMap;
-import java.util.concurrent.atomic.AtomicInteger;
-
-import org.argeo.init.Service;
-
-import sun.misc.Signal;
-
-/** A minimalistic Linux init process. */
-class FreedPid1 {
- final static AtomicInteger runLevel = new AtomicInteger(-1);
-
- private final static Logger logger = System.getLogger(FreedPid1.class.getName());
-
- private final static List<String> initDServices = Collections.synchronizedList(new ArrayList<>());
-
- public static void main(String... args) {
- try {
- final long pid = ProcessHandle.current().pid();
- Signal.handle(new Signal("TERM"), (signal) -> {
- System.out.println("SIGTERM caught");
- System.exit(0);
- });
- Signal.handle(new Signal("INT"), (signal) -> {
- System.out.println("SIGINT caught");
- System.exit(0);
- });
- Signal.handle(new Signal("HUP"), (signal) -> {
- System.out.println("SIGHUP caught");
- System.exit(0);
- });
-
- boolean isSystemInit = pid == 1 || pid == 2;
-
- if (isSystemInit && args.length > 0 && ("1".equals(args[0]) //
- || "single".equals(args[0]) //
- || "emergency".equals(args[0]))) {
- runLevel.set(1);
- for (Object key : new TreeMap<>(System.getProperties()).keySet()) {
- System.out.println(key + "=" + System.getProperty(key.toString()));
- }
- System.out.println("Single user mode");
- System.out.flush();
- ProcessBuilder pb = new ProcessBuilder("/bin/bash");
- pb.redirectError(ProcessBuilder.Redirect.INHERIT);
- pb.redirectOutput(ProcessBuilder.Redirect.INHERIT);
- pb.redirectInput(ProcessBuilder.Redirect.INHERIT);
- Process singleUserShell = pb.start();
- singleUserShell.waitFor();
- } else {
- if (args.length == 0)
- runLevel.set(5);
- else
- runLevel.set(Integer.parseInt(args[0]));
-
- if (runLevel.get() == 0) {// shutting down the whole system
- if (!isSystemInit) {
- logger.log(INFO, "Shutting down system...");
- shutdown(false);
- System.exit(0);
- } else {
- logger.log(ERROR, "Cannot start at run level " + runLevel.get());
- System.exit(1);
- }
- } else if (runLevel.get() == 6) {// reboot the whole system
- if (!isSystemInit) {
- logger.log(INFO, "Rebooting the system...");
- shutdown(true);
- } else {
- logger.log(ERROR, "Cannot start at run level " + runLevel.get());
- System.exit(1);
- }
- }
-
- logger.log(INFO, "FREEd Init daemon starting with pid " + pid + " after "
- + ManagementFactory.getRuntimeMXBean().getUptime() + " ms");
- // hostname
- String hostname = Files.readString(Paths.get("/etc/hostname"));
- new ProcessBuilder("/usr/bin/hostname", hostname).start();
- logger.log(DEBUG, "Set hostname to " + hostname);
- // networking
- initSysctl();
- startInitDService("networking", true);
-// Thread.sleep(3000);// leave some time for network to start up
- if (!waitForNetwork(10 * 1000))
- logger.log(ERROR, "No network available");
-
- // OpenSSH
- // TODO make it coherent with Java sshd
- startInitDService("ssh", true);
-
- // NSS services
- startInitDService("nslcd", false);// Note: nslcd fails to stop
-
- // login prompt
- Service.addPostStart(() -> new LoginThread().start());
-
- // init Argeo CMS
- logger.log(INFO, "FREEd Init daemon starting Argeo Init after "
- + ManagementFactory.getRuntimeMXBean().getUptime() + " ms");
- Service.main(args);
- }
- } catch (Throwable e) {
- logger.log(ERROR, "Unexpected exception in free-pid1 init, shutting down... ", e);
- System.exit(1);
- } finally {
- stopInitDServices();
- }
- }
-
- static void initSysctl() {
- try {
- Path sysctlD = Paths.get("/etc/sysctl.d/");
- for (Path conf : Files.newDirectoryStream(sysctlD, "*.conf")) {
- try {
- new ProcessBuilder("/usr/sbin/sysctl", "-p", conf.toString()).start();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
-
- static void startInitDService(String serviceName, boolean stopOnShutdown) {
- Path serviceInit = Paths.get("/etc/init.d/", serviceName);
- if (Files.exists(serviceInit))
- try {
- int exitCode = new ProcessBuilder(serviceInit.toString(), "start").start().waitFor();
- if (exitCode != 0)
- logger.log(ERROR, "Service " + serviceName + " dit not stop properly");
- else
- logger.log(DEBUG, "Service " + serviceName + " started");
- if (stopOnShutdown)
- initDServices.add(serviceName);
-// Runtime.getRuntime().addShutdownHook(new Thread(() -> {
-// try {
-// new ProcessBuilder(serviceInit.toString(), "stop").start().waitFor();
-// } catch (IOException | InterruptedException e) {
-// e.printStackTrace();
-// }
-// }, "FREEd stop service " + serviceName));
- } catch (IOException | InterruptedException e) {
- e.printStackTrace();
- }
- else
- logger.log(WARNING, "Service " + serviceName + " not found and therefore not started");
- }
-
- static boolean waitForNetwork(long timeout) {
- long begin = System.currentTimeMillis();
- long duration = 0;
- boolean networkAvailable = false;
- try {
- networkAvailable: while (!networkAvailable) {
- duration = System.currentTimeMillis() - begin;
- if (duration > timeout)
- break networkAvailable;
- Enumeration<NetworkInterface> netInterfaces = null;
- try {
- netInterfaces = NetworkInterface.getNetworkInterfaces();
- } catch (SocketException e) {
- throw new IllegalStateException("Cannot list network interfaces", e);
- }
- if (netInterfaces != null) {
- while (netInterfaces.hasMoreElements()) {
- NetworkInterface netInterface = netInterfaces.nextElement();
- logger.log(DEBUG, "Interface:" + netInterface);
- for (InterfaceAddress addr : netInterface.getInterfaceAddresses()) {
- InetAddress inetAddr = addr.getAddress();
- logger.log(DEBUG, " addr: " + inetAddr);
- if (!inetAddr.isLoopbackAddress() && !inetAddr.isLinkLocalAddress()) {
- try {
- if (inetAddr.isReachable((int) timeout)) {
- networkAvailable = true;
- duration = System.currentTimeMillis() - begin;
- logger.log(DEBUG,
- "Network available after " + duration + " ms. IP: " + inetAddr);
- break networkAvailable;
- }
- } catch (IOException e) {
- logger.log(ERROR, "Cannot check whether " + inetAddr + " is reachable", e);
- }
- }
- }
- }
- } else {
- throw new IllegalStateException("No network interface has been found");
- }
- try {
- Thread.sleep(1000);
- } catch (InterruptedException e) {
- // silent
- }
- }
- } catch (Exception e) {
- logger.log(ERROR, "Cannot check whether network is available", e);
- }
- return networkAvailable;
- }
-
- static void shutdown(boolean reboot) {
- try {
- stopInitDServices();
- Path sysrqP = Paths.get("/proc/sys/kernel/sysrq");
- Files.writeString(sysrqP, "1");
- Path sysrqTriggerP = Paths.get("/proc/sysrq-trigger");
- Files.writeString(sysrqTriggerP, "e");// send SIGTERM to all processes
- // Files.writeString(sysrqTriggerP, "i");// send SIGKILL to all processes
- Files.writeString(sysrqTriggerP, "e");// flush data to disk
- Files.writeString(sysrqTriggerP, "u");// unmount
- if (reboot)
- Files.writeString(sysrqTriggerP, "b");
- else
- Files.writeString(sysrqTriggerP, "o");
- } catch (IOException e) {
- logger.log(ERROR, "Cannot shut down system", e);
- }
- }
-
- static void stopInitDServices() {
- for (int i = initDServices.size() - 1; i >= 0; i--) {
- String serviceName = initDServices.get(i);
- Path serviceInit = Paths.get("/etc/init.d/", serviceName);
- try {
- int exitCode = new ProcessBuilder(serviceInit.toString(), "stop").start().waitFor();
- if (exitCode != 0)
- logger.log(ERROR, "Service " + serviceName + " dit not stop properly");
- } catch (InterruptedException | IOException e) {
- logger.log(ERROR, "Cannot stop service " + serviceName, e);
- }
- }
- }
-
- /** A thread watching the login prompt. */
- static class LoginThread extends Thread {
- private boolean systemShuttingDown = false;
- private Process process = null;
-
- public LoginThread() {
- super("FREEd login prompt");
- setDaemon(true);
- Runtime.getRuntime().addShutdownHook(new Thread(() -> {
- systemShuttingDown = true;
- if (process != null)
- process.destroy();
- }));
- }
-
- @Override
- public void run() {
- boolean getty = true;
- prompt: while (!systemShuttingDown) {
- try {
- if (getty) {
- ProcessBuilder pb = new ProcessBuilder("/usr/sbin/getty", "38400", "tty2");
- process = pb.start();
- } else {
- Console console = System.console();
- console.readLine(); // type return once to activate login prompt
- console.printf("login: ");
- String username = console.readLine();
- username = username.trim();
- if ("".equals(username))
- continue prompt;
- ProcessBuilder pb = new ProcessBuilder("su", "--login", username);
- pb.redirectError(ProcessBuilder.Redirect.INHERIT);
- pb.redirectOutput(ProcessBuilder.Redirect.INHERIT);
- pb.redirectInput(ProcessBuilder.Redirect.INHERIT);
- process = pb.start();
- }
- Runtime.getRuntime().addShutdownHook(new Thread(() -> process.destroy()));
- try {
- process.waitFor();
- } catch (InterruptedException e) {
- process.destroy();
- }
- } catch (Exception e) {
- e.printStackTrace();
- } finally {
- process = null;
- }
- }
- }
-
- }
-}
--- /dev/null
+//#! /usr/bin/java --source 17 @/usr/local/etc/freed/pid1/jvm.args
+
+/** Register to a FREEd-compatible infrastructure. */
+class FreedPid1 {
+
+ public static void main(String... args) {
+ }
+}
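Review bot: The javadoc on the new `FreedPid1` says it registers to a FREEd-compatible infrastructure, but `main` is empty, so the class compiles and exits without doing anything and nothing marks it as a placeholder. Given that the removed implementation handled running as pid 1 and the install recipe still ships it as `freed-*`, a reader has no way to tell whether an immediate exit is intended; I would make that explicit in the comment: `/** Register to a FREEd-compatible infrastructure. TODO not implemented yet: main() is deliberately a no-op. */`. The commented-out `//#!` line still hard-codes `/usr/local/etc/freed/pid1/jvm.args`; if that path is expected to be rewritten at install time, a one-line comment saying so would save the next maintainer a search.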
+++ /dev/null
-#!/bin/sh
-java -Dorg.argeo.api.cli.rootCommand=$0 -jar /usr/share/a2/org.argeo.cms/org.argeo.cms.cli.2.1.jar "$@"
\ No newline at end of file
+++ /dev/null
-#!/bin/sh
-java -Xms32m -Xmx64m -jar /usr/share/a2/org.argeo.cms/org.argeo.cms.jshell.2.1.jar "$@"
\ No newline at end of file
+++ /dev/null
-[Unit]
-Description=Argeo node %I
-After=network-online.target
-Wants=postgresql.service
-
-[Service]
-Type=simple
-
-User=freed
-Group=freed
-
-StateDirectory=argeo.d/%I
-LogsDirectory=argeo.d/%I
-ConfigurationDirectory=argeo.d/%I
-CacheDirectory=argeo.d/%I
-WorkingDirectory=/var/lib/argeo.d/%I
-
-ExecStart=java \
--Dfile.encoding=UTF-8 \
--Dosgi.configuration.cascaded=true \
--Dosgi.sharedConfiguration.area=/etc/argeo.d/%I/ \
--Dosgi.sharedConfiguration.area.readOnly=true \
--Dosgi.configuration.area=${STATE_DIRECTORY}/state/ \
--Dosgi.instance.area=${STATE_DIRECTORY}/data/ \
--Dargeo.node.repo.indexesBase=${CACHE_DIRECTORY}/indexes \
--Dorg.osgi.framework.system.packages.extra=sun.security.util,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp \
--Declipse.ignoreApp=true \
--Dosgi.noShutdown=true \
--Dorg.eclipse.equinox.http.jetty.autostart=false \
-@/etc/argeo.d/jvm.args \
-@${CONFIGURATION_DIRECTORY}/jvm.args \
-@/usr/share/argeo/jvm.args
-
-# Exit codes of the JVM when SIGTERM or SIGINT have been caught:
-SuccessExitStatus=143 130
-
-CPUAccounting=true
-MemoryAccounting=true
-TasksAccounting=true
-IOAccounting=true
-IPAccounting=true
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-[Unit]
-Description=Roaming IPSec to '%i'
-After=network-online.target
-Wants=network-online.target
-
-After=ipsec.service
-PartOf=ipsec.service
-Requires=ipsec.service
-
-StartLimitIntervalSec=60
-StartLimitBurst=20
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=ipsec auto --start %i
-ExecStop=ipsec auto --delete %i
-
-Restart=on-failure
-RestartSec=3
-
-[Install]
-WantedBy=multi-user.target
-RequiredBy=ipsec.service
+++ /dev/null
-[Unit]
-Description=On resume actions
-After=sleep.target
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=oneshot
-ExecStartPre=sleep 3
-ExecStart=/usr/bin/systemctl restart ipsec
-
-[Install]
-WantedBy=sleep.target
-
+++ /dev/null
-[Unit]
-Description=On suspend actions
-Before=sleep.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/systemctl stop ipsec
-ExecStartPost=/usr/bin/sleep 5
-
-[Install]
-WantedBy=sleep.target
+++ /dev/null
-[Unit]
-Description=Argeo user node %I
-
-[Service]
-Type=simple
-StateDirectory=argeo.d/%I
-LogsDirectory=argeo.d/%I
-ConfigurationDirectory=argeo.d/%I
-CacheDirectory=argeo.d/%I
-#WorkingDirectory=
-
-ExecStart=java \
--Dfile.encoding=UTF-8 \
--Dosgi.configuration.cascaded=true \
--Dosgi.sharedConfiguration.area=/etc/argeo.user.d/%I/ \
--Dosgi.sharedConfiguration.area.readOnly=true \
--Dosgi.configuration.area=${STATE_DIRECTORY}/state/ \
--Dosgi.instance.area=${STATE_DIRECTORY}/data/ \
--Dargeo.node.repo.indexesBase=${CACHE_DIRECTORY}/indexes \
--Dorg.osgi.framework.system.packages.extra=sun.security.util,sun.security.internal.spec,sun.security.provider,com.sun.net.httpserver,com.sun.jndi.ldap,com.sun.jndi.ldap.sasl,com.sun.jndi.dns,com.sun.security.jgss,com.sun.nio.file,com.sun.nio.sctp \
--Declipse.ignoreApp=true \
--Dosgi.noShutdown=true \
--Dorg.eclipse.equinox.http.jetty.autostart=false \
--Djava.library.path=/usr/lib/a2/swt/rcp/org.argeo.tp.swt/ \
-@/etc/argeo.user.d/jvm.args \
-@/etc/argeo.user.d/%I/jvm.args \
-@/usr/share/argeo/jvm.args
-# Exit codes of the JVM when SIGTERM or SIGINT have been caught:
-SuccessExitStatus=143 130
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-#!/bin/sh
-#
-# default updown script for use with NETKEY(XFRM)
-#
-# Copyright (C) 2003-2004 Nigel Metheringham
-# Copyright (C) 2002-2007 Michael Richardson <mcr@xelerance.com>
-# Copyright (C) 2007-2008 Paul Wouters <paul@xelerance.com>
-# Copyright (C) 2003-2020 Tuomo Soini <tis@foobar.fi>
-# Copyright (C) 2011-2016 Paul Wouters <pwouters@redhat.com>
-# Copyright (C) 2016 Antony Antony <antony@phenome.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <https://www.gnu.org/licenses/gpl2.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# CAUTION: Installing a new version of Libreswan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown= parameters in ipsec.conf to make
-# Libreswan use your modified updown script instead of this default one.
-
-test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
-
-LC_ALL=C
-export LC_ALL
-
-# Things that this script gets (from ipsec_pluto(8) man page)
-#
-#
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway
-# communications is IPv6, then a suffix of -v6 is added
-# to the verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_CONN_POLICY
-# the policy of the connection, as in:
-# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC
-# +failureDROP+lKOD+rKOD
-#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
-# PLUTO_INTERFACE
-# is the name of the real interface used by encrypted traffic and IKE traffic
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_METRIC
-# is the metric to set for the route
-#
-# PLUTO_MTU
-# is the mtu to set for the route
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / mask (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
-# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
-#
-# PLUTO_MY_PROTOCOL
-# is the protocol for this connection. Useful for
-# firewalling.
-#
-# PLUTO_MY_PORT
-# is the port. Useful for firewalling.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client subnet.
-# If the client is just the peer, this will be
-# the peer's own IP address / mask (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
-# PLUTO_PEER_PROTOCOL
-# is the protocol set for remote end with port
-# selector.
-#
-# PLUTO_PEER_PORT
-# is the peer's port. Useful for firewalling.
-#
-# PLUTO_CFG_CLIENT=0|1
-# is MODECFG or IKEv2 Config client.
-#
-# PLUTO_CFG_SERVER=0|1
-# is MODECFG or IKEv2 Config server.
-#
-# PLUTO_CONNECTION_TYPE
-#
-# PLUTO_CONN_ADDRFAMILY
-# is the family type, "ipv4" or "ipv6"
-#
-# PLUTO_PROTO_STACK
-# is the local IPsec kernel stack used, eg NETKEY, NOSTACK
-#
-# PLUTO_IS_PEER_CISCO=0|1
-# remote server type is cisco. Add support for cisco extensions
-# when used with xauth.
-#
-# PLUTO_NM_CONFIGURED=0|1
-# is NetworkManager used for resolv.conf update
-#
-# PLUTO_SA_REQID
-# When using KAME or XFRM/NETKEY, the IPsec SA reqid base value.
-# ESP/AH out is base, ESP/AH in = base + 1
-# IPCOMP is base + 2 plus for inbound + 1
-#
-# PLUTO_SA_TYPE
-# The type of IPsec SA (ESP or AH)
-#
-# PLUTO_USERNAME
-# The username (XAUTH or GSSAPI) that was authenticated (if any)
-# for this SA
-#
-# PLUTO_VIRT_INTERFACE
-# is the name of ipsec interface used by clear traffic in/out
-#
-#
-# XAUTH_FAILED
-# If xauthfail=soft this will be set to 1 if XAUTH authentication
-# failed. If xauthfail=hard, the updown scripts never run.
-#
-# CONNMARK
-# If mark= is set on the connection, this variable will be
-# set with the value. It can be used for iptables or VTI.
-#
-# VTI_IFAC=iface
-# Name of VTI interface to create
-#
-# VTI_ROUTING=yes|no
-# Whether or not to perform ip rule and ip route commands
-# covering the IPsec SA address ranges to route those packets
-# into the VTI_IFACE interface. This should be enabled unless
-# the IPsec SA covers 0.0.0.0/0 <-> 0.0.0.0/0
-#
-# VTI_SHARED=yes|no
-# Whether or not more conns (or instances) share a VTI device.
-# If not shared, the VTI device is deleted when tunnel goes down.
-#
-# SPI_IN / SPI_OUT
-# The inbound and outbound SPI's of the connection.
-
-# rpm based systems
-if [ -f /etc/sysconfig/pluto_updown ]; then
- . /etc/sysconfig/pluto_updown
-# deb based systems
-elif [ -f /etc/default/pluto_updown ]; then
- . /etc/default/pluto_updown
-fi
-
-BACKUP_RESOLV_CONF=/run/pluto/libreswan-resolv-conf-backup
-ETC_RESOLV_CONF=/etc/resolv.conf
-
-case "${PLUTO_CONN_ADDRFAMILY}" in
- ipv4)
- FAMILY=4
- MAX_CIDR=32
- SCOPE=50 # Use scope 50 to verify ip was added by addsource()
- ;;
- ipv6)
- FAMILY=6
- MAX_CIDR=128
- SCOPE=global
- ;;
- *)
- echo "unknown address family \"${PLUTO_CONN_ADDRFAMILY}\"" >&2
- exit 1
- ;;
-esac
-export FAMILY MAX_CIDR SCOPE
-
-# 2022-09-03 - mbaudier : Hack when having an IPv6 subnet
-export CLIENT_FAMILY=6
-export CLIENT_MAX_CIDR=128
-
-# Ignore parameter custom
-if [ "${1}" = "custom" ]; then
- shift
-fi
-
-while [ $# -gt 0 ]; do
- case ${1} in
- --route)
- case ${2} in
- [Yy]*)
- ROUTE=yes
- PROXY_ARP_ROUTE=no
- ;;
- *)
- ROUTE=
- PROXY_ARP_ROUTE=
- ;;
- esac
- shift; shift
- ;;
- --iproute)
- IPRARGS="${2}"
- shift; shift
- ;;
- *)
- echo "$0: Unknown argument \"${1}\"" >&2
- exit 1
- ;;
- esac
-done
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doproxyarp add
- doroute replace
-}
-
-downroute() {
- doroute del
- doproxyarp delete
-}
-
-downrule() {
- if [ -n "${PLUTO_MY_SOURCEIP}" -a 0${PLUTO_IS_PEER_CISCO} -eq 1 ]; then
- doroute del
- fi
-}
-
-updateresolvconf() {
- local domain
- local nameserver
- local new_nameserver
- local new_resolv_conf
- local new_search
- local orig_domain
- local orig_nameserver
- local rc
- rc=0
- if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then
- return ${rc}
- fi
- if [ -n "$(pidof unbound)" -a \
- -n "${PLUTO_PEER_DNS_INFO}" -a \
- -n "${PLUTO_PEER_DOMAIN_INFO}" ]
- then
- for domain in ${PLUTO_PEER_DOMAIN_INFO}; do
- echo "updating local nameserver for ${domain} with ${PLUTO_PEER_DNS_INFO}"
- unbound-control forward_add ${domain} \
- ${PLUTO_PEER_DNS_INFO}
- unbound-control flush_zone ${domain}
- unbound-control flush_requestlist
- done
- rc=$?
- elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 -a \
- -n "${PLUTO_PEER_DNS_INFO}" ]
- then
- echo "updating resolvconf"
-
- if [ ! -e "${ETC_RESOLV_CONF}" ]; then
- echo "resolv.conf does not exist, so doing nothing"
- return 0
- fi
-
- if [ -e "${BACKUP_RESOLV_CONF}" ]; then
- if grep -q Libreswan "${ETC_RESOLV_CONF}"; then
- echo "Current resolv.conf is generated by Libreswan, and backup resolv.conf already exists, so doing nothing"
- return 0
- else
- echo "backup resolv.conf exists, but current resolv.conf is not generated by Libreswan"
- fi
- fi
-
- rm -f -- "${BACKUP_RESOLV_CONF}"
- cp -- "${ETC_RESOLV_CONF}" "${BACKUP_RESOLV_CONF}"
-
- new_resolv_conf="# Generated by Libreswan (IPsec)"
-
- orig_domain="$(grep ^domain "${ETC_RESOLV_CONF}" 2>/dev/null | \
- awk '{ print $2 }')"
-
- orig_search=$(grep ^search "${ETC_RESOLV_CONF}" 2>/dev/null | \
- sed 's/^search[[:space:]]\+//;s/[[:space:]]*\#.*//')
-
- if [ -n "${orig_domain}" ]; then
- new_resolv_conf="${new_resolv_conf}
-domain ${orig_domain}"
- fi
-
- if [ -n "${orig_search}" ]; then
- new_search="${orig_search}"
- elif [ -n "${orig_domain}" ]; then
- new_search="${orig_domain}"
- fi
-
- if [ -n "${PLUTO_PEER_DOMAIN_INFO}" ]; then
- if [ -n "${new_search}" ]; then
- new_search=$(echo $(echo "${new_search} ${PLUTO_PEER_DOMAIN_INFO}" | tr [:space:] '\n' | awk '!a[$0]++'))
- else
- new_search="${PLUTO_PEER_DOMAIN_INFO}"
- fi
- fi
-
- if [ -n "${new_search}" ]; then
- new_resolv_conf="${new_resolv_conf}
-search ${new_search}"
- fi
-
- orig_nameserver=$(grep -m 1 ^nameserver "${ETC_RESOLV_CONF}" | \
- sed 's/^nameserver[[:space:]]\+//;s/[[:space:]]*\#.*//')
- if [ -n "${orig_nameserver}" ]; then
- new_nameserver=$(echo $(echo "${PLUTO_PEER_DNS_INFO} ${orig_nameserver}" | tr [:space:] '\n' | awk '!a[$0]++'))
- else
- new_nameserver="${PLUTO_PEER_DNS_INFO}"
- fi
-
- for nameserver in ${new_nameserver}; do
- new_resolv_conf="${new_resolv_conf}
-nameserver ${nameserver}"
- done
-
- echo "${new_resolv_conf}" > "${ETC_RESOLV_CONF}"
- rc=$?
- fi
- return ${rc}
-}
-
-restoreresolvconf() {
- local domain
- local rc
- rc=0
- if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then
- return ${rc}
- fi
- if [ -n "$(pidof unbound)" -a \
- -n "${PLUTO_PEER_DNS_INFO}" -a \
- -n "${PLUTO_PEER_DOMAIN_INFO}" ]
- then
- for domain in ${PLUTO_PEER_DOMAIN_INFO}; do
- echo "flushing local nameserver of ${domain}"
- unbound-control forward_remove ${domain}
- unbound-control flush_zone ${domain}
- unbound-control flush_requestlist
- done
- rc=$?
- elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 ]; then
- # We only restore if current resolv.conf is made by us.
- if grep -q Libreswan "${ETC_RESOLV_CONF}" 2>/dev/null; then
- # And if there is a backup...
- if [ -e "${BACKUP_RESOLV_CONF}" ]; then
- echo "restoring resolvconf"
- else
- return 0
- fi
- cp -- "${BACKUP_RESOLV_CONF}" "${ETC_RESOLV_CONF}"
- fi
- rm -f -- "${BACKUP_RESOLV_CONF}"
- rc=0
- fi
- return ${rc}
-}
-
-notifyNM() {
- # This will be called whenever a connection is established or
- # fails to establish (either phase 1, xauth phase, or phase 2)
- # or whenever an already established connection is being terminated.
- # This will send a signal to NetworkManager over dbus so that NM
- # can keep track of the coonnections.
-
- if [ 0${PLUTO_NM_CONFIGURED} -eq 1 ]; then
- echo "sending $1 signal to NetworkManager"
- libreswan_reason=$1
- export libreswan_reason
- export PLUTO_PEER_DOMAIN_INFO
- export PLUTO_PEER_DNS_INFO
- export PLUTO_PEER_BANNER
- export PLUTO_MY_SOURCEIP
- export PLUTO_PEER
- [ -x /usr/libexec/nm-libreswan-service-helper ] && \
- /usr/libexec/nm-libreswan-service-helper
- fi
- return 0
-}
-
-addsource() {
- local interface
- local st
- interface=lo
- st=0
-
- if [ -z "${PLUTO_MY_SOURCEIP}" ]; then
- return ${st}
- fi
- # check if given sourceip is local and add as alias if not
- if ! ip -${CLIENT_FAMILY} -o route get ${PLUTO_MY_SOURCEIP} | grep -q ^local; then
- if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
- interface="${VTI_IFACE}"
- elif [ -n "${PLUTO_XFRMI_ROUTE}" ]; then
- interface=${PLUTO_VIRT_INTERFACE}
- fi
- it="ip addr add ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} dev ${interface} scope ${SCOPE}"
- oops="$(eval ${it} 2>&1)"
- st=$?
- if [ -z "${oops}" -a ${st} -ne 0 ]; then
- oops="silent error, exit status ${st}"
- fi
- case "${oops}" in
- 'RTNETLINK answers: File exists'*)
- # should not happen, but ... ignore if the
- # address was already assigned on interface
- oops=""
- st=0
- ;;
- esac
- if [ -n "${oops}" -o ${st} -ne 0 ]; then
- echo "$0: addsource \"${it}\" failed (${oops})" >&2
- fi
- fi
- return ${st}
-}
-
-delsource() {
- local interface
- local oops
- local st
- interface=lo
- st=0
- if [ -z "${PLUTO_MY_SOURCEIP}" ]; then
- return ${st}
- fi
- # Remove source ip if it's not used any more.
- if [ -z "$(ip -${CLIENT_FAMILY} -o route list src ${PLUTO_MY_SOURCEIP})" ]; then
- if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
- interface="${VTI_IFACE}"
- elif [ -n "${PLUTO_XFRMI_ROUTE}" ]; then
- interface=${PLUTO_VIRT_INTERFACE}
- fi
- # If there is no ip we just return
- if ! ip -${FAMILY} -o addr list dev ${interface} scope ${SCOPE} | \
- grep -q ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR}
- then
- return ${st}
- fi
-
- if [ -n "${PLUTO_MOBIKE_EVENT}" ] ; then
- return ${st}
- fi
-
- it="ip -${CLIENT_FAMILY} addr del ${PLUTO_MY_SOURCEIP}/${CLIENT_MAX_CIDR} dev ${interface}"
- oops="$(eval ${it} 2>&1)"
- st=$?
- if [ -z "${oops}" -a ${st} -ne 0 ]; then
- oops="silent error, exit status ${st}"
- fi
- case "${oops}" in
- 'RTNETLINK answers: File exists'*)
- # should not happen, but ... ignore if the
- # address was already assigned on interface
- oops=""
- st=0
- ;;
- 'RTNETLINK answers: Cannot assign'*)
- # Address is not there to remove or is there with different
- # netmask and in that case we must not remove it so we ignore
- # the error.
- oops=""
- st=0
- ;;
- esac
- if [ -n "${oops}" -o ${st} -ne 0 ]; then
- echo "$0: delsource \"${it}\" failed (${oops})" >&2
- fi
- fi
- return ${st}
-}
-
-doproxyarp() {
- local cmd
- local iface
- cmd=${1}
- # Check if client has a single ip only client net
- if [ ${PLUTO_PEER_CLIENT#*/} = ${MAX_CIDR} ]; then
- # Skip OE special connections and direct host-host connections
- if [ "${PLUTO_PEER_CLIENT_NET}" = "0.0.0.0" -o \
- "${PLUTO_PEER_CLIENT_NET}" = "::" -o \
- "${PLUTO_PEER_CLIENT_NET}" = "${PLUTO_PEER}" -o \
- "${PLUTO_MY_CLIENT_NET}" = "${PLUTO_ME}" ]
- then
- return 0
- fi
- # check if client is routeable
- if ip -${FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} 2>/dev/null | \
- grep -E -q -s -v " via |^local"
- then
- iface=$(ip -${FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} 2>/dev/null | \
- awk '{print $3}')
- if [ -r /sys/class/net/${iface}/address ]; then
- macaddr=$(cat /sys/class/net/${iface}/address)
- fi
- # add/remove arp entry for the client on ethernet devices only
- if [ -n "${macaddr}" ]; then
- if [ "${cmd}" = "add" ]; then
- ip -${FAMILY} neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} \
- lladdr ${macaddr} nud permanent
- # Force routing, required for proxyarp to work
- PROXY_ARP_ROUTE=yes
- export PROXY_ARP_ROUTE
- else
- ip -${FAMILY} neigh del proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface}
- fi
- fi
- fi
- fi
-}
-
-do_ip()
-{
- local cmd="$1"
- oops="$(eval ${cmd} 2>&1)"
- st=$?
-
- if [ -z "${oops}" -a ${st} -ne 0 ]; then
- oops="silent error, exit status ${st}"
- fi
-
- case "${oops}" in
- 'RTNETLINK answers: No such process'*)
- # should not happen, but ... ignore if the
- # route was already removed
- oops=""
- st=0
- ;;
- esac
-
- if [ -n "${oops}" -a ${st} -ne 0 ]; then
- echo "$0: doroute \"${cmd}\" failed (${oops})" >&2
- fi
-
- return ${st}
-}
-
-doroute() {
- local cmd
- local esp_nexthop
- local esp_peer_interface
- local espipro
- local ipru
- local route_table
- local oops
- local parms
- local parms2
- local st
- local xfrmi_route
- local xfrmi_rule
- cmd=${1}
- route_table=50
- st=0
- xfrmi_route="${PLUTO_XFRMI_ROUTE}"
-
- if [ ${cmd} != del ]; then
- oops="$(ip -${FAMILY} route get ${PLUTO_PEER_CLIENT_NET} 2>&1)"
- case "${oops}" in
- 'RTNETLINK answers: No route to host'*)
- if [ -z "${PLUTO_XFRMI_ROUTE}" ]; then
- ROUTE=yes # Routing is mandatory for IPsec
- fi
- ;;
- esac
- fi
-
- if [ -n "${PLUTO_XFRMI_FWMARK}" ]; then
- xfrmi_rule=yes # we have to add "ip rules" and "ip route table"
- ROUTE=no # xfrmi_route will add the route
- fi
-
- # skip routing if it's not enabled or necessary
- if [ -z "${PLUTO_MY_SOURCEIP}" -a \
- -z "${PLUTO_MTU}" -a \
- "${PROXY_ARP_ROUTE}" != yes -a \
- "${cmd}" != "del" ]
- then
- PROXY_ARP_ROUTE=no
- fi
-
- if [ -n "${PLUTO_MY_SOURCEIP}" -o -n "${PLUTO_MTU}" ]; then
- ROUTE=yes
- fi
-
- if [ "${PLUTO_PEER_CLIENT}" = "${PLUTO_MY_CLIENT}" -a \
- "${PLUTO_XFRMI_ROUTE}" = yes ]
- then
- xfrmi_route="samesubnets";
- echo "leftsubet == rightsubnet = ${PLUTO_PEER_CLIENT} cannot add route"
- fi
-
- parms="${PLUTO_PEER_CLIENT}"
- parms2=${IPRARGS}
- # nexthop is not needed on ppp interfaces. unset it to make cases
- # work, where left is set but no leftnexthop (e.g. left=%defaultroute)
- if ip link show "${PLUTO_INTERFACE%:*}" | grep -q POINTOPOINT; then
- POINTPOINT=yes
- fi
- # use nexthop if nexthop is not %direct and POINTPOINT is not set
- if [ "${PLUTO_NEXT_HOP}" != "${PLUTO_PEER}" -a -z "${POINTPOINT}" ]; then
- # XFRM interface needs no nexthop
- if [ -z "${PLUTO_XFRMI_ROUTE}" ]; then
- parms2="via ${PLUTO_NEXT_HOP}"
- fi
- esp_nexthop="via ${PLUTO_NEXT_HOP} "
- fi
- # route via proper interface according to routing table
- if [ "${cmd}" = "del" ]; then
- case "${PLUTO_PEER_CLIENT}" in
- "0.0.0.0/0")
- # in case of default route we use half routes
- peer_interface=$(ip -${FAMILY} -o route list exact 0.0.0.0/1 | \
- sed "s/^.*dev \([^ ]*\) .*/\1/")
- ;;
- "::/0")
- # in case of default route we use half routes
- peer_interface=$(ip -${FAMILY} -o route list exact 2000::/3 | \
- sed "s/^.*dev \([^ ]*\) .*/\1/")
- ;;
- *)
- peer_interface=$(ip -${CLIENT_FAMILY} -o route get ${PLUTO_PEER_CLIENT_NET} | \
- sed "s/^.*dev \([^ ]*\) .*/\1/")
- ;;
- esac
- else
- peer_interface=$(ip -o route get ${PLUTO_NEXT_HOP} | \
- sed "s/^.*dev \([^ ]*\) .*/\1/")
- fi
-
- esp_peer_interface=$(ip -${FAMILY} -o route get ${PLUTO_NEXT_HOP} \
- from ${PLUTO_ME} | sed "s/^.*\(dev [^ ]*\) .*/\1/")
- if [ -z "${esp_peer_interface}" ]; then
- esp_peer_interface="dev ${PLUTO_INTERFACE}"
- fi
-
- if [ -z "${peer_interface}" ]; then
- peer_interface=${PLUTO_INTERFACE}
- fi
-
- if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
- peer_interface=${PLUTO_VIRT_INTERFACE}
- fi
-
- if [ -n "${VTI_IFACE}" ]; then
- addsource
- peer_interface="${VTI_IFACE}"
- fi
-
- parms2="${parms2}${PLUTO_MTU:+ mtu ${PLUTO_MTU}}"
- parms2="${parms2}${PLUTO_METRIC:+ metric ${PLUTO_METRIC}} ${IPROUTEARGS}"
-
- parms2="${parms2} dev ${peer_interface%:*}"
-
- # make sure we have sourceip locally in this machine
- if [ "${cmd}" = "replace" -a -n "${PLUTO_MY_SOURCEIP}" ]; then
- addsource
- # use sourceip as route default source
- parms2="${parms2} src ${PLUTO_MY_SOURCEIP}"
- fi
-
- case "${PLUTO_PEER_CLIENT}" in
- "0.0.0.0/0")
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip -${FAMILY} route ${cmd} 0.0.0.0/1 ${parms2} && \
- ip -${FAMILY} route ${cmd} 128.0.0.0/1 ${parms2}"
- ;;
- "::/0")
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip -${FAMILY} route ${cmd} 2000::/3 ${parms2}"
- ;;
- *)
- it="ip -${CLIENT_FAMILY} route ${cmd} ${parms} ${parms2}"
- ;;
- esac
-
- if [ "${ROUTE}" = yes -o \
- "${xfrmi_route}" = yes -o \
- "${PROXY_ARP_ROUTE}" = yes ]
- then
- do_ip "${it}"
- st=$?
- if [ ${st} -ne 0 ]; then
- return ${st}
- fi
- fi
-
- if [ "${xfrmi_rule}" = "yes" ]; then
- espipro="ip -${FAMILY} route ${cmd} ${PLUTO_PEER}/${MAX_CIDR} ${esp_nexthop} ${esp_peer_interface%:*} table ${route_table}"
- do_ip "${espipro}"
-
- st=$?
- if [ ${st} -ne 0 ]; then
- return ${st}
- fi
-
- iprulecmd="${cmd}"
- if [ "${cmd}" = "replace" ]; then
- iprulecmd="add"
- fi
-
- ipru="ip -${FAMILY} rule ${iprulecmd} prio 100 to ${parms}"
- ipru="${ipru} fwmark ${PLUTO_XFRMI_FWMARK} lookup ${route_table}"
-
- do_ip "${ipru}"
- st=$?
- if [ ${st} -ne 0 ]; then
- return ${st}
- fi
-
- fi
- return 0
-}
-
-# TODO: We need to specify CIDR mask but our _MASK variables are in old school format
-# TODO: Exclude udp 4500 traffic
-addnflog() {
- if [ -n "${NFLOG}" ]; then
- iptables -I OUTPUT -m policy --dir out --pol ipsec \
- -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \
- -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
- iptables -I INPUT -m policy --dir in --pol ipsec \
- -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \
- -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
- fi
-}
-
-delnflog() {
- if [ -n "${NFLOG}" ]; then
- iptables -D OUTPUT -m policy --dir out --pol ipsec \
- -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \
- -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
- iptables -D INPUT -m policy --dir in --pol ipsec \
- -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \
- -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
- fi
-}
-
-addvtiiface() {
- if [ -n "${VTI_IFACE}" ]; then
- if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then
- echo "vti-interface option ignored because no mark was configured"
- else
- if [ ! -d "/proc/sys/net/ipv4/conf/${VTI_IFACE}" ]; then
- # echo "creating vti interface"
- vtipeer="${PLUTO_PEER}"
- if [ "${PLUTO_CONN_KIND}" = CK_INSTANCE -o "${VTI_SHARED}" = "yes" ]; then
- vtipeer="0.0.0.0"
- fi
- ip tunnel add ${VTI_IFACE} mode vti local ${PLUTO_ME} \
- remote ${vtipeer} okey ${CONNMARK_OUT%/*} \
- ikey ${CONNMARK_IN%/*}
- sysctl -w net.ipv4.conf.${VTI_IFACE}.disable_policy=1
- sysctl -w net.ipv4.conf.${VTI_IFACE}.rp_filter=0
- sysctl -w net.ipv4.conf.${VTI_IFACE}.forwarding=1
- if [ -n "${VTI_IP}" ]; then
- ip addr add ${VTI_IP} dev ${VTI_IFACE}
- fi
- ip link set ${VTI_IFACE} up
- else
- # check there was no conflict if we are sharing - might be sensitive to /sbin/ip differences
- if [ "${VTI_SHARED}" = yes ]; then
- #test: ip/ip remote 3.4.5.6 local 1.2.3.4 ttl inherit key 5
- cur="$(ip tun show ${VTI_IFACE})"
- new="${VTI_IFACE}: ip/ip remote any local ${PLUTO_ME} ttl inherit key ${CONNMARK_OUT%/*}"
- if [ "${cur}" != "${new}" ]; then
- echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting"
- echo "existing: ${cur}"
- echo "wanted : ${new}"
- else
- # temp debug
- echo "vti interface already exists with identical parameters, OK"
- fi
- else
- echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting (perhaps need vti-sharing=yes ?"
- fi
- fi
- fi
- fi
-}
-
-addvti() {
- if [ -n "${VTI_IFACE}" ]; then
- if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then
- echo "vti-interface option ignored because no mark was configured"
- else
- if [ "${VTI_ROUTING}" = yes ]; then
- # Tuomo should improve this with using ${PLUTO_MY_CLIENT_NET}
- # echo "setting up vti routing"
- r=add
- ip route list | grep -q "${PLUTO_PEER_CLIENT%/*}" && r=change
- if [ "${r}" = change ]; then
- # resolve LAN conflict by forcing host route for default gw
- gw="$(ip ro li | grep ^default | awk '{ print $3;}')"
- gwdev="$(ip ro li | grep ^default | awk '{ print $5;}')"
- # echo "ip route add ${gw} dev ${gwdev}"
- ip route add ${gw} dev ${gwdev} >/dev/null ||:
- fi
- srcip=""
- if [ -n "${PLUTO_MY_SOURCEIP}" ]; then
- srcip=" src ${PLUTO_MY_SOURCEIP}"
- fi
- # echo "ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip}"
- ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip}
- echo "done ip route"
- fi
- fi
- fi
-}
-
-delvti() {
- if [ -n "${VTI_IFACE}" -a -d /proc/sys/net/ipv4/conf/${VTI_IFACE} ]; then
- if [ "${VTI_ROUTING}" = yes ]; then
- ip route del ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} \
- src ${PLUTO_MY_SOURCEIP} ||:
- fi
- # TODO: we can't delete vti interface because we don't have proper reference
- # counting.
- #if [ "${VTI_SHARED}" = no -a "${PLUTO_CONN_KIND}" != CK_INSTANCE ]; then
- # ip tun del ${VTI_IFACE} ||:
- #fi
- fi
-}
-
-# Client Address Translation CAT
-addcat() {
- if [ -n "${CAT}" ] && [ "${PLUTO_MY_CLIENT_NET}" != "0.0.0.0" ] ; then
- iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
- -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
- iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
- -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
- -j DNAT --to-destination ${PLUTO_ME}
- fi
-}
-
-delcat() {
- if [ -n "${CAT}" ]; then
- iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec \
- -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
- -j DNAT --to-destination ${PLUTO_ME}
- iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
- -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
- fi
-}
-
-# the big choice
-case "${PLUTO_VERB}" in
- prepare-host|prepare-client)
- addvtiiface
- ;;
- route-host|route-client)
- # connection to me or my client subnet being routed
- addvti
- uproute
- addnflog
- ;;
- unroute-host|unroute-client)
- # connection to me or my client subnet being unrouted
- downroute
- delsource
- ;;
- up-host)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
- down-host)
- # connection to me going down
- downrule
- delnflog
- delcat
- delvti
- # If you are doing a custom version, firewall commands go here.
- ;;
- up-client)
- # connection to my client subnet coming up
- addvtiiface
- updateresolvconf
- addcat
- addsource
- notifyNM connect
- addvti
- # If you are doing a custom version, firewall commands go here.
- ;;
- down-client)
- # connection to my client subnet going down
- downrule
- delnflog
- delcat
- delvti
- restoreresolvconf
- notifyNM disconnect
- # If you are doing a custom version, firewall commands go here.
- ;;
- #
- # IPv6
- #
- prepare-host-v6|prepare-client-v6)
- # prepare client for connection
- ;;
- route-host-v6|route-client-v6)
- # connection to me or my client subnet being routed
- uproute
- ;;
- unroute-host-v6|unroute-client-v6)
- # connection to me or my client subnet being unrouted
- downroute
- delsource
- ;;
- up-host-v6)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
- down-host-v6)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
- up-client-v6)
- # connection to my client subnet coming up
- addsource
- updateresolvconf
- notifyNM connect
- # If you are doing a custom version, firewall commands go here.
- ;;
- down-client-v6)
- # connection to my client subnet going down
- restoreresolvconf
- notifyNM disconnect
- # If you are doing a custom version, firewall commands go here.
- ;;
- *) echo "$0: unknown verb \"${PLUTO_VERB}\" or parameter \"${1}\"" >&2
- exit 1
- ;;
-esac
+++ /dev/null
-
-# 389 Directory Server
-sudo dscreate from-file argeo-slapd.inf
-sudo dsconf -D "cn=Directory Manager" ldap://localhost backend import <backend> <path to LDIF file>
-
-# PostgreSQL
-sudo postgresql-setup initdb
-sudo systemctl start postgresql
-sudo -u postgres psql < argeo-pgsql-setup.sql
+++ /dev/null
-grant {
- permission java.security.AllPermission;
-};
\ No newline at end of file
+++ /dev/null
-CREATE USER argeo WITH PASSWORD 'argeo';
-CREATE DATABASE argeo WITH OWNER argeo;
+++ /dev/null
-[general]
-[slapd]
-instance_name = argeo
-root_dn = cn=Directory Manager
-root_password = argeoargeo
-
-[backend-userroot]
-create_suffix_entry = True
-suffix = dc=example,dc=com
\ No newline at end of file
+++ /dev/null
--cp /usr/share/a2/osgi/equinox/org.argeo.tp.osgi/org.eclipse.osgi.3.18.jar:/usr/share/a2/org.argeo.cms/org.argeo.init.2.1.jar org.argeo.init.Service
\ No newline at end of file