| author | Jonathan Bauer | 2013-05-23 20:17:15 +0200 |
|---|---|---|
| committer | Jonathan Bauer | 2013-05-23 20:17:15 +0200 |
| commit | 76169510bf5d37a2a7d6d60f40cd63503e25a5fe (patch) | |
| tree | 5463664f1dc37f11da9275291af61f56bfd3dac4 /remote | |
| parent | activate nss-ldap lookups before login (diff) | |
| parent | Merge branch 'master' of simonslx:openslx-ng/tm-scripts (diff) | |
Merge branch 'master' of git:openslx-ng/tm-scripts
Diffstat (limited to 'remote')
| -rw-r--r-- | remote/modules/pam/data/etc/nsswitch.conf | 2 | ||||
| -rw-r--r-- | remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf | 39 | ||||
| -rw-r--r-- | remote/modules/systemd/systemd.build | 18 | ||||
| -rw-r--r-- | remote/modules/systemd/systemd.conf | 50 | ||||
| -rw-r--r-- | remote/modules/systemd/systemd.conf.zypper | 2 |
5 files changed, 89 insertions, 22 deletions
diff --git a/remote/modules/pam/data/etc/nsswitch.conf b/remote/modules/pam/data/etc/nsswitch.conf index c3ac1076..d270cbac 100644 --- a/remote/modules/pam/data/etc/nsswitch.conf +++ b/remote/modules/pam/data/etc/nsswitch.conf @@ -4,7 +4,7 @@ # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. -passwd: files ldap +passwd: files group: files shadow: files diff --git a/remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf b/remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf new file mode 100644 index 00000000..6ece04ce --- /dev/null +++ b/remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf 
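Review bot: In nsswitch.conf the `passwd:` line goes from `files ldap` back to `files`, which looks at odds with the first parent's subject, "activate nss-ldap lookups before login". If the LDAP source is meant to be switched on at runtime rather than in this static file, a comment above the line such as `# ldap source is enabled at runtime; keep files-only here` would make that explicit. If not, the merge resolution may have dropped the parent's change and directory users will not resolve. Only `passwd`, `group` and `shadow` are visible in this hunk, so I cannot tell whether another file compensates.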
@@ -0,0 +1,39 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See sysctl.d(5) and core(5) for for details.
+
+# System Request functionality of the kernel (SYNC)
+kernel.sysrq = 1
+
+# Append the PID to the core filename
+kernel.core_uses_pid = 1
+
+# Source route verification
+net.ipv4.conf.all.rp_filter = 1
+# Do not accept source routing
+net.ipv4.conf.all.accept_source_route = 0
+# protection from the SYN flood attack
+net.ipv4.tcp_syncookies = 1
+# timestamps add a little overhead but are recommended for gbit links
+net.ipv4.tcp_timestamps = 1
+# ignore echo broadcast requests to prevent being part of smurf attacks
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+# ignore bogus icmp errors
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+# send redirects (not a router, disable it)
+net.ipv4.conf.all.send_redirects = 0
+# ICMP routing redirects (only secure)
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 1
+
+# Enable hard and soft link protection
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# A little extra security for local exploits
+kernel.kptr_restrict = 1
diff --git a/remote/modules/systemd/systemd.build b/remote/modules/systemd/systemd.build
index fb56f231..48bd68d1 100644
--- a/remote/modules/systemd/systemd.build
+++ b/remote/modules/systemd/systemd.build
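Review bot: `kernel.sysrq = 1` in the new 50-default.conf enables every SysRq function, while the comment above it says "(SYNC)"; the sync-only bitmask is 16. On machines with a reachable console that leaves the reboot and process-kill keys available to whoever is at the keyboard, so I would write `kernel.sysrq = 16`, or correct the comment if full SysRq is intended. Separately, the redirect settings are only set under `conf.all`. For a non-forwarding host the kernel ORs `all` with the per-interface value for `accept_redirects` and `send_redirects`, so adding `net.ipv4.conf.default.accept_redirects = 0` and `net.ipv4.conf.default.send_redirects = 0` would make the stated intent hold for interfaces that come up later.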
@@ -1,27 +1,35 @@ #tool/distro specific functions for fetching, building and installing dependencies fetch_source () { - download_untar "$URL" "src/" - download_untar "$LIBKMOD_URL" "src/" + download_untar "$REQUIRED_URL" "src/" + download_untar "$REQUIRED_LIBKMOD_URL" "src/" } build () { #build libkmod - cd "${MODULE_DIR}/src/$LIBKMOD_VERSION" + pinfo "Building libkmod" + cd "${MODULE_DIR}/src/$REQUIRED_LIBKMOD_VERSION" ./configure || perror "./configure kmod failed." make || perror "kmod make failed." make install || perror "kmod make install failed." cd - &> /dev/null #build systemd - cd "${MODULE_DIR}/src/$VERSION" + pinfo "Building systemd" + cd "${MODULE_DIR}/src/$REQUIRED_VERSION" pinfo "calling configure" - ./configure --disable-manpages --enable-split-usr --sysconfdir="/etc" --enable-gtk-doc-html=no || perror "configure failed." + ./configure --disable-manpages --enable-split-usr --sysconfdir="/etc" --enable-gtk-doc-html=no --disable-nls --disable-microhttpd --disable-bootchart --disable-quotacheck --disable-logind --disable-hostnamed --disable-timedated --disable-localed --disable-coredump --disable-keymap --without-python || perror "configure failed." pinfo "calling make" make || perror "make failed." pinfo "calling make install" DESTDIR="${MODULE_BUILD_DIR}" make install || perror "make install failed." cd - &> /dev/null + # Delete unneeded services + pinfo "Deleting unneeded services" + local SERVICE= + for SERVICE in $REQUIRED_DISABLED_SERVICES; do + find "${MODULE_BUILD_DIR}" -name "$SERVICE" -delete + done } post_copy() { diff --git a/remote/modules/systemd/systemd.conf b/remote/modules/systemd/systemd.conf index b5e8370d..7f469be6 100644 --- a/remote/modules/systemd/systemd.conf +++ b/remote/modules/systemd/systemd.conf 
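Review bot: The new "Deleting unneeded services" loop is the only step in build() whose failure is not passed to perror. `find … -delete` cannot remove a non-empty directory, and `local-fs.target.wants` is presumably one: it is processed before `systemd-remount-fs.service`, which may still be linked inside it. A unit that silently survives here ends up in the image even though the config lists it as disabled. I would prune, remove explicitly and check the result, e.g. `find "${MODULE_BUILD_DIR}" -name "$SERVICE" -prune -exec rm -rf -- {} + || perror "deleting $SERVICE failed."`, and stop early if `MODULE_BUILD_DIR` is empty.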
@@ -1,7 +1,29 @@ -VERSION=systemd-197 -URL=http://www.freedesktop.org/software/systemd/${VERSION}.tar.xz -LIBKMOD_VERSION="kmod-12" -LIBKMOD_URL="http://www.kernel.org/pub/linux/utils/kernel/kmod/${LIBKMOD_VERSION}.tar.gz" +REQUIRED_VERSION="systemd-204" +REQUIRED_URL="http://www.freedesktop.org/software/systemd/${REQUIRED_VERSION}.tar.xz" +REQUIRED_LIBKMOD_VERSION="kmod-12" +REQUIRED_LIBKMOD_URL="http://www.kernel.org/pub/linux/utils/kernel/kmod/${REQUIRED_LIBKMOD_VERSION}.tar.gz" +REQUIRED_DISABLED_SERVICES=" + tmp.mount + time-sync.target + systemd-random-seed-save.service + systemd-random-seed-load.service + local-fs-pre.target + local-fs.target + local-fs.target.wants + systemd-remount-fs.service + remote-fs.target + remote-fs-pre.target + initrd-root-fs.target + initrd-fs.target + systemd-fsck-root.service + systemd-fsck@.service + sys-kernel-debug.mount + nss-lookup.target + nss-user-lookup.target + systemd-initctl.service + systemd-initctl.socket + swap.target +" REQUIRED_INSTALLED_PACKAGES=" intltool gperf dbus @@ -73,13 +95,13 @@ REQUIRED_BINARIES=" hostnamectl mtd_probe scsi_id v4l_id" -REQUIRED_DIRECTORIES=" /etc - /usr/lib - /usr/include - /usr/share/dbus-1 - /usr/share/polkit-1 - /usr/lib/udev/rules.d" -REQUIRED_FILES=" /usr/bin/systemd-analyze - /usr/share/systemd/kbd-model-map - /usr/lib/udev/findkeyboards - /usr/lib/udev/keyboard-force-release.sh" +REQUIRED_DIRECTORIES=" + /etc + /usr/include + /usr/share/dbus-1 + /usr/share/polkit-1 + /usr/lib/udev + /usr/lib/systemd + /usr/lib/tmpfiles.d +" + diff --git a/remote/modules/systemd/systemd.conf.zypper b/remote/modules/systemd/systemd.conf.zypper index de89399e..60038937 100644 --- a/remote/modules/systemd/systemd.conf.zypper +++ b/remote/modules/systemd/systemd.conf.zypper @@ -1,5 +1,3 @@ -VERSION=systemd-201 -URL=http://www.freedesktop.org/software/systemd/${VERSION}.tar.xz REQUIRED_INSTALLED_PACKAGES=" intltool gperf pkg-config |
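Review bot: `REQUIRED_URL` and `REQUIRED_LIBKMOD_URL` in systemd.conf still point at plain `http://`, and nothing visible in this commit pins a checksum or signature for either tarball before it is configured, built and installed. download_untar is defined outside this diff and may verify on its own; if it does not, anyone on the network path can substitute the source that ends up in the image. I would switch both URLs to `https://` and add a pinned digest next to each version, e.g. `REQUIRED_SHA256="<sha256 of the release tarball>"`, checked in fetch_source before unpacking. The new `REQUIRED_DISABLED_SERVICES` list also removes `systemd-random-seed-load.service` and `systemd-random-seed-save.service`, so a comment should say how the clients get boot-time entropy instead.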
