| author | Christian Rößler | 2014-01-21 14:09:29 +0100 |
|---|---|---|
| committer | Christian Rößler | 2014-01-21 14:09:29 +0100 |
| commit | c0bcaf2abac83507c39d518ef1a35c374e3cc299 (patch) | |
| tree | 2977059901b72f2810fdbf3e35f70a00a2a4ff15 /remote/modules | |
| parent | [smartctl] conf file for opensuse (diff) | |
| parent | <freiburg config> Add nslcd startup (diff) | |
Merge branch 'master' of git.openslx.org:openslx-ng/tm-scripts
Diffstat (limited to 'remote/modules')
22 files changed, 176 insertions, 24 deletions
diff --git a/remote/modules/cron/cron.build b/remote/modules/cron/cron.build
index fc364347..932c3e85 100644
--- a/remote/modules/cron/cron.build
+++ b/remote/modules/cron/cron.build
@@ -18,8 +18,8 @@ build() {
 make cron || perror "Could not compile cron using 'make'."
 # copy to build dir, since there are no shared libs linked in
- mkdir -p "${MODULE_BUILD_DIR}/usr/sbin"
- cp "$MODULE_DIR/src/cron" "$MODULE_BUILD_DIR/usr/sbin/" || perror "Could copy cron binary to ${MODULE_BUILD_DIR}"
+ mkdir -p "${MODULE_BUILD_DIR}/opt/openslx/sbin"
+ cp "${MODULE_DIR}/src/cron" "${MODULE_BUILD_DIR}/opt/openslx/sbin/" || perror "Could copy cron binary to ${MODULE_BUILD_DIR}"
 cd - &>/dev/null
 }
diff --git a/remote/modules/cron/data/etc/systemd/system/cron.service b/remote/modules/cron/data/etc/systemd/system/cron.service
index 2c5b832a..fbf17b27 100644
--- a/remote/modules/cron/data/etc/systemd/system/cron.service
+++ b/remote/modules/cron/data/etc/systemd/system/cron.service
@@ -1,7 +1,7 @@
 [Unit]
-Description=CRON
+Description=Cron Daemon
 [Service]
 Type=forking
-ExecStart=/usr/sbin/cron
+ExecStart=/opt/openslx/sbin/cron
 ExecStop=/opt/openslx/bin/kill -TERM $MAINPID
diff --git a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx
index fe2fa252..00d22ba5 100755
--- a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx
+++ b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx
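Review bot: The error message on the new `cp` line still reads `Could copy cron binary to ...`, which states the opposite of what happened when perror fires; `|| perror "Could not copy cron binary to ${MODULE_BUILD_DIR}"` is what is meant. The move to /opt/openslx/sbin is consistent with the new `ExecStart=/opt/openslx/sbin/cron` in cron.service. build() starts before the hunk.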
@@ -163,10 +163,10 @@ case "$1" in
 # Mark network target as reached
 systemctl start network.target &
- # Port redirection for printing
- iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
- iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
- iptables -t nat -A PREROUTING -p tcp --dport 515 -j REDIRECT --to-port 5515
+ # Port redirection for printing happens in printergui modules (iptables-helper rule)
+ ####iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
+ ####iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
+ ####iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515
 fi ;;
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
new file mode 120000
index 00000000..40213361
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
@@ -0,0 +1 @@
+../openslx-iptables.service
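Review bot: The three `####iptables ...` lines are dead code kept next to the comment that says the rules moved to the printergui module; git history already holds the old commands, so deleting them and keeping only the comment leaves the case arm easier to read. The same applies to the `### iptables -t nat -A POSTROUTING ...` line left in systemd-vmchooser_env further down in this commit. It is also worth saying in the comment that the printing ports are presumably no longer closed at the moment the network comes up here but only once openslx-iptables.service has applied rules.d, e.g. `# Printing ports (515/5515) are now closed by rules.d/50-lpd-redirect-and-fw via openslx-iptables.service`. The case arm starts before the hunk.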
\ No newline at end of file
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
new file mode 100644
index 00000000..ef88cf69
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=OpenSLX iptables helper
+
+[Service]
+ExecStart=/opt/openslx/iptables/iptables-reloader
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
new file mode 100755
index 00000000..60ca1e2c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
@@ -0,0 +1,5 @@
+#!/bin/ash
+
+/opt/openslx/iptables/iptables-reloader-worker
+exec /opt/openslx/sbin/inotifyd /opt/openslx/iptables/iptables-reloader-worker /opt/openslx/iptables/rules.d:cndmy
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
new file mode 100755
index 00000000..350f502c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
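Review bot: openslx-iptables.service has no `Restart=` line while its ExecStart ends in `exec inotifyd`, so if inotifyd ever exits the unit simply goes inactive and later changes to rules.d are silently never applied; `Restart=on-failure` under `[Service]` would cover that. Since the unit is enabled through the basic.target.wants symlink rather than an [Install] section, a one-line comment above `[Unit]` saying so would save the next reader a search, e.g. `# enabled via symlink in basic.target.wants/, hence no [Install] section`.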
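Review bot: The initial `/opt/openslx/iptables/iptables-reloader-worker` call returns before any rule is applied, because the worker backgrounds reload_rules and exits 0 at once, and reload_rules itself sleeps 2 seconds before touching iptables; anything ordered after this unit therefore cannot assume the firewall is already in place. If the boot-time apply is meant to be synchronous, the worker needs a foreground mode or this script should wait for the worker's /run/iptables-reloader.cache to appear before the `exec inotifyd` line. At minimum a comment on the first call, `# initial apply is asynchronous (worker backgrounds itself); inotifyd handles later changes`, would make the behaviour explicit.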
@@ -0,0 +1,79 @@
+#!/bin/ash
+
+# Reloads iptables rules by flushing the tables and applying everything
+# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds
+# to coalesce changes, since inotifyd can trigger dozens of events in a row.
+#
+# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service
+
+ALL_RULES="/run/iptables-reloader.cache"
+LOCK="/run/iptables-reloader.lock"
+
+# Expects $1 to be the contents of $LOCK
+reload_rules () {
+ if [ -z "$1" -o ! -s "$LOCK" ]; then
+ echo "'$1' empty or lock non-existent"
+ exit 0
+ fi
+ sleep 2
+ if [ "x$(cat "$LOCK")" != "x$1" ]; then
+ echo "Wrong lock, lost race"
+ exit 0
+ fi
+
+ rm -f -- "${ALL_RULES}.new"
+
+ for file in /opt/openslx/iptables/rules.d/*; do
+ cat "$file" >> "${ALL_RULES}.new"
+ done
+
+ # No change? Do nothing...
+ [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0
+
+ # Reset
+ # Filter
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -t filter -P "$chain" ACCEPT
+ done
+ iptables -t filter -F
+ # NAT
+ for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
+ iptables -t nat -P "$chain" ACCEPT
+ done
+ iptables -t nat -F
+ # Mangle
+ for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
+ iptables -t mangle -P "$chain" ACCEPT
+ done
+ iptables -t mangle -F
+
+ # Apply
+ local LOGFILE=$(mktemp)
+ local DISABLED="/opt/openslx/iptables/rules.d/disabled/"
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ ! -f "$file" ] && continue
+ if [ ! -x "$file" ]; then
+ slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ continue
+ fi
+ if ! "$file" > "$LOGFILE" 2>&1; then
+ slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ fi
+ done
+
+ mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
+ echo "iptables rules successfully updated."
+ exit 0
+}
+
+
+ID="$$+$RANDOM"
+echo "$ID" > "$LOCK"
+reload_rules "$ID" &
+
+exit 0
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
new file mode 100644
index 00000000..11b30bcc
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
@@ -0,0 +1 @@
+# Put your iptables rules here. Full command, like "iptables ...."
diff --git a/remote/modules/iptables-helper/iptables-helper.build b/remote/modules/iptables-helper/iptables-helper.build
new file mode 100644
index 00000000..d8804784
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.build
@@ -0,0 +1,13 @@
+
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ :
+}
+
diff --git a/remote/modules/iptables-helper/iptables-helper.conf b/remote/modules/iptables-helper/iptables-helper.conf
new file mode 100644
index 00000000..34103f5b
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.conf
@@ -0,0 +1 @@
+# requires some rootfs that provies iptables
diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build
index 34319ce8..48baf8b9 100644
--- a/remote/modules/pam/pam.build
+++ b/remote/modules/pam/pam.build
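Review bot: The reset block flushes each table (`iptables -t filter -F`, `iptables -t nat -F`, `iptables -t mangle -F`) but never deletes user-defined chains, so a rules.d script that creates one — 10-redoscks-proxy in this commit runs `iptables -t nat -N REDSOCKS` — gets a "chain already exists" error on every reload after the first, which goes unnoticed only because a script's exit status is that of its last command. Add `iptables -t filter -X`, `iptables -t nat -X` and `iptables -t mangle -X` after the corresponding `-F` so every apply starts from clean tables. Smaller points: the header comment promises a 5 second delay while the code does `sleep 2`, the comment's reference to openslx-iptables_reloader.service should name openslx-iptables.service, and `LOGFILE` from mktemp is never removed, so each reload leaves a file behind; the lock is also only compared before the apply loop, so two reloads more than 2 seconds apart can run their iptables commands concurrently. Since every file in rules.d is executed as root, it would also be worth skipping (and logging) files not owned by root or writable by others before running them, in the same way non-executable files are already moved to disabled/.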
@@ -13,15 +13,19 @@ build() {
 # build pam-script separatly since we use a source tarball
 # HACK: find pam_unix.so in MODULE_BUILD_DIR to see where to put pam_script at
- cd $MODULE_BUILD_DIR
+ cd "$MODULE_BUILD_DIR"
 local PAM_UNIX_LOCATION=$(find . -name pam_unix.so)
- cd - > /dev/null
 cd "${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}" || perror "Could not cd to ${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}."
- ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir=$(dirname ${PAM_UNIX_LOCATION:1}) || perror "pam-script: ./configure failed."
+ ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir="$(dirname ${PAM_UNIX_LOCATION:1})" || perror "pam-script: ./configure failed."
 make DESTDIR="${MODULE_BUILD_DIR}" install || perror "pam-script: make install to ${MODULE_BUILD_DIR} failed."
- cd - > /dev/null
+ # Build nslcd service file
+ cd "$MODULE_BUILD_DIR"
+ local NSLCD_PATH=$(which nslcd)
+ [ -z "$NSLCD_PATH" ] && perror "Could not 'which nslcd'"
+ mkdir -p "etc/systemd/system"
+ sed "s,%PATH%,$NSLCD_PATH,g" "$MODULE_DIR/templates/nslcd-systemd.service" > "etc/systemd/system/nslcd.service" || perror "Could not fill nslcd.service template"
 }
-post_copy() {
+post_copy() {
 :
 }
diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf
index 4e2e01a1..c0a21a79 100644
--- a/remote/modules/pam/pam.conf
+++ b/remote/modules/pam/pam.conf
@@ -1,5 +1,6 @@
 REQUIRED_BINARIES="
 ldapsearch
+ nslcd
 rpc.gssd
 rpc.idmapd
 sslconnect
@@ -14,6 +15,9 @@ REQUIRED_LIBRARIES="
 REQUIRED_DIRECTORIES="
 /etc/security
 "
+REQUIRED_FILES="
+ /etc/systemd/system/nslcd.service
+"
 REQUIRED_SYSTEM_FILES="
 /etc/login.defs
 /etc/securetty
diff --git a/remote/modules/pam/pam.conf.debian b/remote/modules/pam/pam.conf.debian
index 278c36be..d424f1f7 100644
--- a/remote/modules/pam/pam.conf.debian
+++ b/remote/modules/pam/pam.conf.debian
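Review bot: The new `cd "$MODULE_BUILD_DIR"` before the nslcd block (like the one at the top of the hunk) has no error check, so if it fails the `mkdir -p "etc/systemd/system"` and the sed output land in the pam-script source tree while the build reports success; write it as `cd "$MODULE_BUILD_DIR" || perror "Could not cd to ${MODULE_BUILD_DIR}"`, matching the cd into the pam-script directory in the same function. `local NSLCD_PATH=$(which nslcd)` masks the exit status of which, which only works because the `[ -z ... ]` check follows; `command -v nslcd` is the portable spelling. With both `cd - > /dev/null` lines removed, build() now returns with the working directory left at MODULE_BUILD_DIR, whereas cron.build in this same commit restores it with `cd -`, so if the build framework expects the cwd back that needs restoring here too. build() starts before the hunk.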
@@ -1,6 +1,7 @@
 REQUIRED_INSTALLED_PACKAGES="
 libpam-ldap
- libnss-ldap
+ libnss-ldapd
+ nslcd
 libpam-ck-connector
 libpam-cap
 krb5-user
@@ -20,7 +21,8 @@ REQUIRED_CONTENT_PACKAGES="
 libpam-cap
 libldap-2.4-2
 libpam-ldap
- libnss-ldap
+ libnss-ldapd
+ nslcd
 krb5-user
 krb5-config
 libpam-krb5
diff --git a/remote/modules/pam/pam.conf.opensuse b/remote/modules/pam/pam.conf.opensuse
index 9b3d3247..fe6199ea 100644
--- a/remote/modules/pam/pam.conf.opensuse
+++ b/remote/modules/pam/pam.conf.opensuse
@@ -3,7 +3,7 @@ REQUIRED_INSTALLED_PACKAGES="
 pam
 pam_krb5
 pam-devel
- nss_ldap
+ nss-pam-ldapd
 pam-modules
 libopenssl-devel
 openldap2-client
diff --git a/remote/modules/pam/pam.conf.ubuntu b/remote/modules/pam/pam.conf.ubuntu
index fe034225..5f6435f0 100644
--- a/remote/modules/pam/pam.conf.ubuntu
+++ b/remote/modules/pam/pam.conf.ubuntu
@@ -1,6 +1,7 @@
 REQUIRED_INSTALLED_PACKAGES="
 libpam-ldap
- libnss-ldap
+ libnss-ldapd
+ nslcd
 krb5-user
 krb5-config
 libpam-krb5
@@ -17,7 +18,8 @@ REQUIRED_CONTENT_PACKAGES="
 libpam-cap
 libldap-2.4-2
 libpam-ldap
- libnss-ldap
+ libnss-ldapd
+ nslcd
 krb5-user
 krb5-config
 libpam-krb5
diff --git a/remote/modules/pam/templates/nslcd-systemd.service b/remote/modules/pam/templates/nslcd-systemd.service
new file mode 100644
index 00000000..540e67cd
--- /dev/null
+++ b/remote/modules/pam/templates/nslcd-systemd.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Naming services LDAP client daemon
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/nslcd/nslcd.pid
+ExecStart=%PATH%
diff --git a/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw
new file mode 100755
index 00000000..c0b724a2
--- /dev/null
+++ b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw
@@ -0,0 +1,8 @@
+#!/bin/ash
+
+# Close from outside
+iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
+iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
+# Redirect from VM to lpd
+iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515
+
diff --git a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
index ab10aa55..a1c2b089 100644
--- a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
+++ b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
@@ -7,5 +7,6 @@ Type=forking
 User=redsocks
 PIDFile=/run/redsocks/redsocks.pid
 ExecStart=/sbin/redsocks -c /etc/redsocks.conf -p /run/redsocks/redsocks.pid
-ExecStopPost=/bin/rm /run/redsocks/redsocks.pid
+ExecStopPost=/bin/rm -f /run/redsocks/redsocks.pid
+ExecStopPost=/bin/rm -f /opt/openslx/iptables/rules.d/10-redoscks-proxy
 Restart=on-abort
diff --git a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
index 4f802f53..94cb7688 100755
--- a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
+++ b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
@@ -29,8 +29,12 @@ mkdir -p /run/redsocks
 chown redsocks:redsocks /run/redsocks
 systemctl start redsocks
+cat > "/opt/openslx/iptables/rules.d/10-redoscks-proxy" <<HEREDOCBROWN
+#!/bin/ash
+. /opt/openslx/config
+
 iptables -t nat -N REDSOCKS
-iptables -t nat -A REDSOCKS -d "$SLX_PROXY_IP" -j RETURN
+iptables -t nat -A REDSOCKS -d "\$SLX_PROXY_IP" -j RETURN
 iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
 iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
 iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
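Review bot: 50-lpd-redirect-and-fw has no `set -e`, so its exit status is that of the last iptables call only; if either `INPUT ... -j DROP` rule fails, the reloader still treats the script as applied and the printing ports stay reachable from br0 without anything being logged. Adding `set -e` after the shebang makes any failed rule surface as a non-zero exit, which the reloader then logs and disables; the same applies to 50-virt-nat1-masquerading and to the 10-redoscks-proxy heredoc in systemd-setup_proxy, where a failing `iptables -t nat -N REDSOCKS` (for instance when the chain already exists from an earlier apply) is currently invisible, so that script would need the reloader to remove user chains on reset before `set -e` is safe there. A one-line header stating the intent, `# lpd (515) and the local 5515 port are closed towards br0; lpd traffic from the VM range is redirected to 5515`, would help since the two existing comments are terse.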
@@ -39,9 +43,9 @@ iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
 iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
 iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
 iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
-if [ -n "$SLX_PROXY_BLACKLIST" ]; then
- for ADDR in $SLX_PROXY_BLACKLIST; do
- iptables -t nat -A REDSOCKS -d "$ADDR" -j RETURN
+if [ -n "\$SLX_PROXY_BLACKLIST" ]; then
+ for ADDR in \$SLX_PROXY_BLACKLIST; do
+ iptables -t nat -A REDSOCKS -d "\$ADDR" -j RETURN
 done
 fi
 iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port 12345
@@ -49,4 +53,6 @@ iptables -t nat -A PREROUTING -p tcp -j REDSOCKS
 iptables -t nat -A OUTPUT -p tcp -j REDSOCKS
 iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
 iptables -A INPUT -i br0 -p tcp --dport 12345 -j DROP
+HEREDOCBROWN
+chmod +x "/opt/openslx/iptables/rules.d/10-redoscks-proxy"
diff --git a/remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading b/remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading
new file mode 100755
index 00000000..b0909760
--- /dev/null
+++ b/remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading
@@ -0,0 +1,3 @@
+#!/bin/ash
+
+iptables -t nat -A POSTROUTING -o br0 -s 192.168.101.0/24 -j MASQUERADE
diff --git a/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env b/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env
index 3358a85f..04ea4b0d 100755
--- a/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env
+++ b/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env
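Review bot: The rule file is created in place with `cat > "/opt/openslx/iptables/rules.d/10-redoscks-proxy"` and only made executable by the `chmod +x` after the heredoc, while the reloader watches rules.d for create/modify events and moves any non-executable file it finds to disabled/; the worker's 2 second delay makes the window narrow, but it is a race that would silently disable the proxy rules. Writing the heredoc to a temporary file outside rules.d, running chmod there and then renaming it into rules.d closes the window, since the rename is atomic. The typo in `10-redoscks-proxy` matches the `ExecStopPost` line in redsocks.service, so it works, but it is worth fixing in both places before other modules start referring to it. The script continues outside the hunk.
```shell
RULE_FILE="/opt/openslx/iptables/rules.d/10-redoscks-proxy"
TMP_RULE=$(mktemp /opt/openslx/iptables/10-redoscks-proxy.XXXXXX) || exit 1
cat > "$TMP_RULE" <<HEREDOCBROWN
# … unchanged: heredoc body (shebang, config sourcing, REDSOCKS chain rules) …
HEREDOCBROWN
chmod +x "$TMP_RULE"
mv -f -- "$TMP_RULE" "$RULE_FILE"
```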
@@ -150,12 +150,15 @@ done
 # kvmnet2* for Qemu/KVM
 # creating and configuring nat0
+# 192.168.101.0/24 is vm nat. If you ever change this there are a couple of other files
+# where you'd need to make changes, so think twice before doing so. ;)
 brctl addbr nat1
 ip link set dev nat1 up
 ip addr add 192.168.101.1/24 dev nat1
 echo "1" >/proc/sys/net/ipv4/conf/nat1/forwarding
 echo "1" >/proc/sys/net/ipv4/conf/br0/forwarding 2>/dev/null
-iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE
+# iptables masquerade rule is now inserted by /opt/openslx/iptables/rules.d/50-virt-nat1-masquerading
+### iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE
 for wait in 1 1 2 2 3 end; do
 grep '^SLX_DNS' "/opt/openslx/config" > /dev/null && break
diff --git a/remote/modules/vmware/data/etc/vmware/config b/remote/modules/vmware/data/etc/vmware/config
index eb5d01c0..c76cc885 100644
--- a/remote/modules/vmware/data/etc/vmware/config
+++ b/remote/modules/vmware/data/etc/vmware/config
@@ -2,3 +2,8 @@ prefvmx.minVmMemPct = "100"
 prefvmx.useRecommendedLockedMemSize = "TRUE"
 libdir = "/usr/lib/vmware"
+mks.ctlAltDel.ignore = "TRUE"
+mks.fullscreen.allowScreenSaver = "TRUE"
+fullScreenSwitch.onSeparateDesktop = "TRUE"
+msg.autoAnswer = "TRUE"
+
|
