author | José Bollo <jose.bollo@iot.bzh> | 2019-12-12 18:10:48 +0100 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2019-12-13 16:00:27 +0100 |
commit | c29761cd1628960ee2b11a469763479ac5ef1dfa (patch) | |
tree | 5bca3e838d04fc87814dcf9ce476679d15ab4f86 | |
parent | 23bc1035a51fe54600db691981f8ed1537cbe125 (diff) |
Improve integration of cynagoraicefish_8.99.4icefish/8.99.48.99.4
Allow more flexibility when starting with or without
systemd. In the end this change allows starting within
systemd, with socket activation or not, and sending the
notification without needing an option.
Make setting of the sockets more accurate. The admin and
agent socket are now accessible only to clients of the
expected group, cynagora by default.
Bug-AGL: SPEC-3230
Bug-AGL: SPEC-2968
Change-Id: I3e5c7c00dfa0494628c18ffc016cfc8599a5bf9b
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-rw-r--r-- | CMakeLists.txt | 3 | ||||
-rw-r--r-- | src/CMakeLists.txt | 2 | ||||
-rw-r--r-- | src/cyn-server.c | 8 | ||||
-rw-r--r-- | src/main-cynagorad.c | 57 | ||||
-rw-r--r-- | src/meson.build | 2 | ||||
-rw-r--r-- | src/socket.c | 4 | ||||
-rw-r--r-- | systemd/CMakeLists.txt | 3 | ||||
-rw-r--r-- | systemd/cynagora-admin.socket.in | 4 | ||||
-rw-r--r-- | systemd/cynagora-agent.socket.in | 4 | ||||
-rw-r--r-- | systemd/cynagora-check.socket.in | 2 | ||||
-rw-r--r-- | systemd/cynagora.service.in (renamed from systemd/cynagora.service) | 6 |
11 files changed, 51 insertions, 44 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 26942d6..3a508bb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -44,6 +44,9 @@ set(CYNAGORA_SOVERSION ${PROJECT_VERSION_MAJOR})
 option(WITH_SYSTEMD "should include systemd compatibility" ON)
 option(WITH_CYNARA_COMPAT "produce artifacts for compatibility with cynara" OFF)
+set(USER cynagora CACHE STRING "user of the daemon")
+set(GROUP cynagora CACHE STRING "group of the daemon")
+
 set(DEFAULT_DB_DIR "${CMAKE_INSTALL_FULL_LOCALSTATEDIR}/lib/cynagora" CACHE PATH "directory path of the database")
 set(DEFAULT_SOCKET_DIR "${CMAKE_INSTALL_FULL_RUNSTATEDIR}/cynagora"
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index f9034de..6de796d 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -96,7 +96,7 @@ target_compile_definitions(cynagorad PRIVATE
 DEFAULT_INIT_FILE="${DEFAULT_INIT_FILE}"
 )
 if(WITH_SYSTEMD)
- target_compile_definitions(cynagorad PRIVATE WITH_SYSTEMD_ACTIVATION)
+ target_compile_definitions(cynagorad PRIVATE WITH_SYSTEMD)
 target_link_libraries(cynagorad ${libsystemd_LDFLAGS} ${libsystemd_LINK_LIBRARIES})
 target_include_directories(cynagorad PRIVATE ${libsystemd_INCLUDE_DIRS})
 target_compile_options(cynagorad PRIVATE ${libsystemd_CFLAGS})
diff --git a/src/cyn-server.c b/src/cyn-server.c
index abf37d7..fbef41b 100644
--- a/src/cyn-server.c
+++ b/src/cyn-server.c
@@ -35,6 +35,7 @@
 #include <sys/epoll.h>
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <sys/stat.h>
 #include "data.h"
 #include "prot.h"
@@ -1008,6 +1009,7 @@ cyn_server_create(
 const char *check_socket_spec,
 const char *agent_socket_spec
 ) {
+ mode_t um;
 cyn_server_t *srv;
 int rc;
@@ -1030,7 +1032,9 @@ cyn_server_create(
 /* create the admin server socket */
 admin_socket_spec = cyn_get_socket_admin(admin_socket_spec);
+ um = umask(017);
 srv->admin.fd = socket_open(admin_socket_spec, 1);
+ umask(um);
 if (srv->admin.fd < 0) {
 rc = -errno;
 fprintf(stderr, "can't create admin server socket %s: %m\n", admin_socket_spec);
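Review bot: The `umask(017)` wrapped around `socket_open()` encodes the intended mode of the admin socket inode (0760 after bind: owner and group only) but nothing says so; a comment such as `/* admin socket: owner and group only (0760 after umask) */` would make the policy legible, and the same applies to the check (`umask(011)`, 0766) and agent (`umask(017)`) hunks that follow in this file. The umask only shapes the filesystem inode, so it matters for `unix:` specs and is irrelevant for `sd:` descriptors that systemd has already bound and chmod'ed. Group-only access also depends on the inode's group being the intended one at bind() time: if main() switches to `--group` only after cyn_server_create() returns, the socket keeps the creating process's gid, and that ordering is not visible in this hunk, so it is worth confirming. umask() is process-wide state, which is fine as long as no other thread creates files during these three calls. cyn_server_create() starts and ends outside the hunk.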
@@ -1049,7 +1053,9 @@ cyn_server_create(
 /* create the check server socket */
 check_socket_spec = cyn_get_socket_check(check_socket_spec);
+ um = umask(011);
 srv->check.fd = socket_open(check_socket_spec, 1);
+ umask(um);
 if (srv->check.fd < 0) {
 rc = -errno;
 fprintf(stderr, "can't create check server socket %s: %m\n", check_socket_spec);
@@ -1068,7 +1074,9 @@ cyn_server_create(
 /* create the agent server socket */
 agent_socket_spec = cyn_get_socket_agent(agent_socket_spec);
+ um = umask(017);
 srv->agent.fd = socket_open(agent_socket_spec, 1);
+ umask(um);
 if (srv->agent.fd < 0) {
 rc = -errno;
 fprintf(stderr, "can't create agent server socket %s: %m\n", agent_socket_spec);
diff --git a/src/main-cynagorad.c b/src/main-cynagorad.c
index 0af145c..836e7c8 100644
--- a/src/main-cynagorad.c
+++ b/src/main-cynagorad.c
@@ -38,7 +38,7 @@
 #include <sys/file.h>
 #include <sys/capability.h>
-#if defined(WITH_SYSTEMD_ACTIVATION)
+#if defined(WITH_SYSTEMD)
 #include <systemd/sd-daemon.h>
 #endif
@@ -82,11 +82,7 @@
 static
 const char
-shortopts[] = "d:g:hi:lmMOoS:u:v"
-#if defined(WITH_SYSTEMD_ACTIVATION)
- "s"
-#endif
-;
+shortopts[] = "d:g:hi:lmMOoS:u:v";
 static
 const struct option
@@ -101,9 +97,6 @@ longopts[] = {
 { "own-db-dir", 0, NULL, _OWNDBDIR_ },
 { "own-socket-dir", 0, NULL, _OWNSOCKDIR_ },
 { "socketdir", 1, NULL, _SOCKETDIR_ },
-#if defined(WITH_SYSTEMD_ACTIVATION)
- { "systemd", 0, NULL, _SYSTEMD_ },
-#endif
 { "user", 1, NULL, _USER_ },
 { "version", 0, NULL, _VERSION_ },
 { NULL, 0, NULL, 0 }
@@ -116,9 +109,6 @@ helptxt[] =
 "usage: cynagorad [options]...\n"
 "\n"
 "otpions:\n"
-#if defined(WITH_SYSTEMD_ACTIVATION)
- " -s, --systemd socket activation by systemd\n"
-#endif
 " -u, --user xxx set the user\n"
 " -g, --group xxx set the group\n"
 " -i, --init xxx initialize if needed the database with file xxx\n"
@@ -161,7 +151,6 @@ int main(int ac, char **av)
 int help = 0;
 int version = 0;
 int error = 0;
- int systemd = 0;
 int uid = -1;
 int gid = -1;
 const char *init = NULL;
@@ -215,11 +204,6 @@ int main(int ac, char **av)
 case _SOCKETDIR_:
 socketdir = optarg;
 break;
-#if defined(WITH_SYSTEMD_ACTIVATION)
- case _SYSTEMD_:
- systemd = 1;
- break;
-#endif
 case _USER_:
 user = optarg;
 break;
@@ -243,11 +227,6 @@ int main(int ac, char **av)
 }
 if (error)
 return 1;
- if (systemd && (socketdir || makesockdir)) {
- fprintf(stderr, "can't set options --systemd and --%s together\n",
- socketdir ? "socketdir" : "make-socket-dir");
- return 1;
- }
 /* set the defaults */
 dbdir = dbdir ?: DEFAULT_DB_DIR;
@@ -261,15 +240,30 @@ int main(int ac, char **av)
 /* compute socket specs */
 spec_socket_admin = spec_socket_check = spec_socket_agent = 0;
- if (systemd) {
- spec_socket_admin = strdup("sd:admin");
- spec_socket_check = strdup("sd:check");
- spec_socket_agent = strdup("sd:agent");
- } else {
+#if defined(WITH_SYSTEMD)
+ {
+ char **names = 0;
+ rc = sd_listen_fds_with_names(0, &names);
+ if (rc >= 0 && names) {
+ for (rc = 0 ; names[rc] ; rc++) {
+ if (!strcmp(names[rc], "admin"))
+ spec_socket_admin = strdup("sd:admin");
+ else if (!strcmp(names[rc], "check"))
+ spec_socket_check = strdup("sd:check");
+ else if (!strcmp(names[rc], "agent"))
+ spec_socket_agent = strdup("sd:agent");
+ free(names[rc]);
+ }
+ free(names);
+ }
+ }
+#endif
+ if (!spec_socket_admin)
 rc = asprintf(&spec_socket_admin, "%s:%s/%s", cyn_default_socket_scheme, socketdir, cyn_default_admin_socket_base);
+ if (!spec_socket_check)
 rc = asprintf(&spec_socket_check, "%s:%s/%s", cyn_default_socket_scheme, socketdir, cyn_default_check_socket_base);
+ if (!spec_socket_agent)
 rc = asprintf(&spec_socket_agent, "%s:%s/%s", cyn_default_socket_scheme, socketdir, cyn_default_agent_socket_base);
- }
 if (!spec_socket_admin || !spec_socket_check || !spec_socket_agent) {
 fprintf(stderr, "can't make socket paths\n");
 return 1;
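Review bot: A failure of `sd_listen_fds_with_names()` (rc < 0) is silent in the socket-spec hunk: the code then falls through to building `unix` specs under socketdir, so a daemon started by systemd with `Sockets=` would, if the query failed, likely try to bind the very paths the socket units already own instead of reporting the cause; adding `if (rc < 0) fprintf(stderr, "can't query systemd sockets: %s\n", strerror(-rc));` right after the call keeps the fallback but makes it diagnosable. Passing 0 as unset_environment is load-bearing, because open_systemd() in socket.c (also touched by this commit) calls `sd_listen_fds_with_names(0, &names)` again when it meets an `sd:` spec; a comment such as `/* keep LISTEN_FDS/LISTEN_FDNAMES set: socket_open() re-reads them */` would stop a later cleanup from passing 1. `rc` is reused as the loop index and then as the asprintf result, so a dedicated index variable would read better and keep the query's return value available for the message above. main() continues outside the hunk.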
@@ -361,9 +355,8 @@ int main(int ac, char **av)
 }
 /* ready ! */
-#if defined(WITH_SYSTEMD_ACTIVATION)
- if (systemd)
- sd_notify(0, "READY=1");
+#if defined(WITH_SYSTEMD)
+ sd_notify(0, "READY=1");
 #endif
 /* serve */
diff --git a/src/meson.build b/src/meson.build
index bb0f4d7..c9778e8 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -79,7 +79,7 @@ executable('cynagorad', srvsrcs,
 '-DDEFAULT_DB_DIR="' + dbdir + '"',
 '-DDEFAULT_SOCKET_DIR="' + socketdir + '"',
 '-DDEFAULT_INIT_FILE="' + init_file + '"',
- get_option('with-cynara-compat') ? '-DWITH_SYSTEMD_ACTIVATION' : '-DWITHOUT_SYSTEMD_ACTIVATION'
+ get_option('with-systemd') ? '-DWITH_SYSTEMD' : '-DWITHOUT_SYSTEMD'
 ],
 dependencies: [ sysd, cap ],
 link_with: corelib,
diff --git a/src/socket.c b/src/socket.c
index fde9648..6f8a060 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -32,7 +32,7 @@
 #include <sys/socket.h>
 #include <sys/un.h>
-#if defined(WITH_SYSTEMD_ACTIVATION)
+#if defined(WITH_SYSTEMD)
 #include <systemd/sd-daemon.h>
 #endif
@@ -212,7 +212,7 @@ static int open_tcp(const char *spec, int server)
 */
 static int open_systemd(const char *spec)
 {
-#if defined(WITH_SYSTEMD_ACTIVATION)
+#if defined(WITH_SYSTEMD)
 char **names;
 int fd = -1;
 int c = sd_listen_fds_with_names(0, &names);
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index c68f7f5..bb9d059 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -19,12 +19,13 @@ set(SYSTEMD_UNIT_DIR "${CMAKE_INSTALL_FULL_LIBDIR}/systemd/system" CACHE PATH "Path to systemd system unit files")
+CONFIGURE_FILE(cynagora.service.in cynagora.service @ONLY)
 CONFIGURE_FILE(cynagora-admin.socket.in cynagora-admin.socket @ONLY)
 CONFIGURE_FILE(cynagora-check.socket.in cynagora-check.socket @ONLY)
 CONFIGURE_FILE(cynagora-agent.socket.in cynagora-agent.socket @ONLY)
 INSTALL(FILES
- ${CMAKE_CURRENT_SOURCE_DIR}/cynagora.service
+ ${CMAKE_CURRENT_BINARY_DIR}/cynagora.service
 ${CMAKE_CURRENT_SOURCE_DIR}/cynagora.target
 ${CMAKE_CURRENT_BINARY_DIR}/cynagora-admin.socket
 ${CMAKE_CURRENT_BINARY_DIR}/cynagora-check.socket
diff --git a/systemd/cynagora-admin.socket.in b/systemd/cynagora-admin.socket.in
index 622c023..b2f5874 100644
--- a/systemd/cynagora-admin.socket.in
+++ b/systemd/cynagora-admin.socket.in
@@ -1,7 +1,9 @@
 [Socket]
 FileDescriptorName=admin
 ListenStream=@DEFAULT_SOCKET_DIR@/cynagora.admin
-SocketMode=0600
+SocketUser=@USER@
+SocketGroup=@GROUP@
+SocketMode=0660
 SmackLabelIPIn=@
 SmackLabelIPOut=@
diff --git a/systemd/cynagora-agent.socket.in b/systemd/cynagora-agent.socket.in
index a5e66b8..3671113 100644
--- a/systemd/cynagora-agent.socket.in
+++ b/systemd/cynagora-agent.socket.in
@@ -1,7 +1,9 @@
 [Socket]
 FileDescriptorName=agent
 ListenStream=@DEFAULT_SOCKET_DIR@/cynagora.agent
-SocketMode=0600
+SocketUser=@USER@
+SocketGroup=@GROUP@
+SocketMode=0660
 SmackLabelIPIn=@
 SmackLabelIPOut=@
diff --git a/systemd/cynagora-check.socket.in b/systemd/cynagora-check.socket.in
index fcd6ed1..0eeae57 100644
--- a/systemd/cynagora-check.socket.in
+++ b/systemd/cynagora-check.socket.in
@@ -1,6 +1,8 @@
 [Socket]
 FileDescriptorName=check
 ListenStream=@DEFAULT_SOCKET_DIR@/cynagora.check
+SocketUser=@USER@
+SocketGroup=@GROUP@
 SocketMode=0666
 SmackLabelIPIn=*
 SmackLabelIPOut=@
diff --git a/systemd/cynagora.service b/systemd/cynagora.service.in
index 97a0f36..9035d00 100644
--- a/systemd/cynagora.service
+++ b/systemd/cynagora.service.in
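Review bot: `SocketUser=@USER@`/`SocketGroup=@GROUP@` in cynagora-admin.socket.in require the account and group to exist when the .socket unit is started, which happens before the service; the service orders itself `After=afm-system-setup.service` (next file in this commit) but these socket units carry no `[Unit]` ordering, so if that setup unit is what creates the cynagora account the sockets need the same `After=`/`Requires=` or systemd will fail to chown the inode. The same applies to cynagora-agent.socket.in and cynagora-check.socket.in. On the check socket the mode stays 0666, so there the two new lines only set ownership and do not restrict access; a one-line `# ownership only, access stays world-wide` comment would avoid a reader assuming otherwise. For the admin and agent sockets 0660 widens access from 0600 to every member of @GROUP@, which is what the commit message describes.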
@@ -4,7 +4,7 @@ Requires=afm-system-setup.service
 After=afm-system-setup.service
 [Service]
-ExecStart=/usr/bin/cynagorad --systemd --user cynagora --group cynagora --make-db-dir --own-db-dir
+ExecStart=/usr/bin/cynagorad --user @USER@ --group @GROUP@ --make-db-dir --own-db-dir
 Type=notify
@@ -15,11 +15,7 @@ Restart=always
 Sockets=cynagora-admin.socket
 Sockets=cynagora-check.socket
 Sockets=cynagora-agent.socket
-SmackProcessLabel=System
-#UMask=0000
-#User=cynagora
-#Group=cynagora
 #NoNewPrivileges=true
 [Install] |
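Review bot: `SmackProcessLabel=System` is removed in the second hunk together with the commented-out UMask/User/Group lines, but the commit message does not mention it, and the socket units in this same commit still rely on Smack (`SmackLabelIPIn`/`SmackLabelIPOut`); if the daemon previously needed the System label to accept connections on those sockets or to reach its database, its effective label now depends on whatever the exec environment assigns. Either keep the line or record the reason in the unit, e.g. `# process label is inherited from the service manager; System is no longer required`, so the policy change is deliberate and reviewable. Dropping `#User=`/`#Group=` is consistent with the daemon switching identity itself via `--user @USER@ --group @GROUP@`, and `#UMask=` is superseded by the umask handling this commit adds in cyn-server.c. Removing `--systemd` from ExecStart matches the option removal in main-cynagorad.c.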