authorSimon Rettberg2014-01-17 18:41:50 +0100
committerSimon Rettberg2014-01-17 18:41:50 +0100
commitf089e9ffeefa1db36d9ae37d52b7ee2249a1e004 (patch)
tree7fb3b7c6001c2ad6f9a1951fbe91bfec51dcb1b5 /remote
parent[cron] Place our own cron in /opt/openslx/... (diff)
parentMerge branch 'master' of simonslx:openslx-ng/tm-scripts (diff)
Merge branch 'master' of dnbd3:openslx-ng/tm-scripts
Diffstat (limited to 'remote')
l---------remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service1
-rw-r--r--remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service6
-rwxr-xr-xremote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader5
-rwxr-xr-xremote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker79
-rw-r--r--remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder1
-rw-r--r--remote/modules/iptables-helper/iptables-helper.build13
-rw-r--r--remote/modules/iptables-helper/iptables-helper.conf1
-rw-r--r--remote/modules/pam/pam.build14
-rw-r--r--remote/modules/pam/pam.conf4
-rw-r--r--remote/modules/pam/pam.conf.debian6
-rw-r--r--remote/modules/pam/pam.conf.opensuse2
-rw-r--r--remote/modules/pam/pam.conf.ubuntu6
-rw-r--r--remote/modules/pam/templates/nslcd-systemd.service8
-rw-r--r--remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse3
l---------remote/targets/stage32-bwlp/iptables-helper1
15 files changed, 140 insertions, 10 deletions
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
new file mode 120000
index 00000000..40213361
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
@@ -0,0 +1 @@
+../openslx-iptables.service \ No newline at end of file
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
new file mode 100644
index 00000000..ef88cf69
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=OpenSLX iptables helper
+
+[Service]
+ExecStart=/opt/openslx/iptables/iptables-reloader
+
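Review bot: The unit has no `Restart=` line, so if inotifyd exits for any reason the firewall stops reacting to changes in rules.d until the next boot and nothing brings it back; `Restart=on-failure` with a `RestartSec=` in `[Service]` would cover that. Because the worker backgrounds the actual flush-and-apply, the unit reaching "started" does not mean the rules are in place, so another unit cannot order itself behind the firewall with `After=openslx-iptables.service`; a comment in the unit saying so would save someone that debugging session. There is also no `After=` ordering at all, which is fine for static rules but may not be if any rules.d script resolves hostnames.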
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
new file mode 100755
index 00000000..60ca1e2c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
@@ -0,0 +1,5 @@
+#!/bin/ash
+
+/opt/openslx/iptables/iptables-reloader-worker
+exec /opt/openslx/sbin/inotifyd /opt/openslx/iptables/iptables-reloader-worker /opt/openslx/iptables/rules.d:cndmy
+
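Review bot: Nothing checks that `/opt/openslx/sbin/inotifyd` exists before the `exec`, so on a rootfs that lacks it the service applies the rules once and then dies with only the shell's exec error to go on; a guard such as `[ -x /opt/openslx/sbin/inotifyd ] || { echo "inotifyd missing, not watching rules.d" >&2; exit 1; }` before the exec would make the failure obvious. The flag string `cndmy` is busybox-specific and not self-explanatory; a comment above the exec spelling out which events it selects (per the inotifyd build shipped here, which I cannot verify from this diff) would help the next maintainer.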
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
new file mode 100755
index 00000000..350f502c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
@@ -0,0 +1,79 @@
+#!/bin/ash
+
+# Reloads iptables rules by flushing the tables and applying everything
+# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds
+# to coalesce changes, since inotifyd can trigger dozens of events in a row.
+#
+# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service
+
+ALL_RULES="/run/iptables-reloader.cache"
+LOCK="/run/iptables-reloader.lock"
+
+# Expects $1 to be the contents of $LOCK
+reload_rules () {
+ if [ -z "$1" -o ! -s "$LOCK" ]; then
+ echo "'$1' empty or lock non-existent"
+ exit 0
+ fi
+ sleep 2
+ if [ "x$(cat "$LOCK")" != "x$1" ]; then
+ echo "Wrong lock, lost race"
+ exit 0
+ fi
+
+ rm -f -- "${ALL_RULES}.new"
+
+ for file in /opt/openslx/iptables/rules.d/*; do
+ cat "$file" >> "${ALL_RULES}.new"
+ done
+
+ # No change? Do nothing...
+ [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0
+
+ # Reset
+ # Filter
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -t filter -P "$chain" ACCEPT
+ done
+ iptables -t filter -F
+ # NAT
+ for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
+ iptables -t nat -P "$chain" ACCEPT
+ done
+ iptables -t nat -F
+ # Mangle
+ for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
+ iptables -t mangle -P "$chain" ACCEPT
+ done
+ iptables -t mangle -F
+
+ # Apply
+ local LOGFILE=$(mktemp)
+ local DISABLED="/opt/openslx/iptables/rules.d/disabled/"
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ ! -f "$file" ] && continue
+ if [ ! -x "$file" ]; then
+ slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ continue
+ fi
+ if ! "$file" > "$LOGFILE" 2>&1; then
+ slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ fi
+ done
+
+ mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
+ echo "iptables rules successfully updated."
+ exit 0
+}
+
+
+ID="$$+$RANDOM"
+echo "$ID" > "$LOCK"
+reload_rules "$ID" &
+
+exit 0
+
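Review bot: The reset flushes the three tables but never deletes user-defined chains (`iptables -t <table> -X`), so a rules script that creates its own chain with `-N` succeeds on the first reload, exits nonzero on every later one because the chain already exists, and is then moved to disabled/ by the apply loop. The lock check only debounces entry: once the `cat "$LOCK"` comparison has passed nothing stops a later inotify event from starting a second flush-and-apply while this one is still running, which can interleave or duplicate rules whose order matters; if the busybox build ships the `flock` applet, the flush/apply section should run under it. `LOGFILE` from `mktemp` is never removed, so every reload leaks a file in the temp directory, and the header comment promises a 5 second delay while the code sleeps 2 and names `openslx-iptables_reloader.service` where the unit added in this commit is `openslx-iptables.service`. The rewritten reset and cleanup are below; the rest of reload_rules is unchanged.
```shell
	# Reset: flush, then delete user-defined chains, otherwise a rules
	# script that does `iptables -N foo` fails on every reload but the first.
	for table in filter nat mangle; do
		iptables -t "$table" -F
		iptables -t "$table" -X
	done
	for chain in INPUT FORWARD OUTPUT; do
		iptables -t filter -P "$chain" ACCEPT
	done
	# … unchanged: nat and mangle policy loops …

	# Apply
	local LOGFILE=$(mktemp)
	# … unchanged: per-file executable check and apply loop …
	rm -f -- "$LOGFILE"
	mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
```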
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
new file mode 100644
index 00000000..11b30bcc
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
@@ -0,0 +1 @@
+# Put your iptables rules here. Full command, like "iptables ...."
diff --git a/remote/modules/iptables-helper/iptables-helper.build b/remote/modules/iptables-helper/iptables-helper.build
new file mode 100644
index 00000000..d8804784
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.build
@@ -0,0 +1,13 @@
+
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ :
+}
+
diff --git a/remote/modules/iptables-helper/iptables-helper.conf b/remote/modules/iptables-helper/iptables-helper.conf
new file mode 100644
index 00000000..34103f5b
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.conf
@@ -0,0 +1 @@
+# requires some rootfs that provies iptables
diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build
index 34319ce8..48baf8b9 100644
--- a/remote/modules/pam/pam.build
+++ b/remote/modules/pam/pam.build
@@ -13,15 +13,19 @@ build() {
# build pam-script separatly since we use a source tarball
# HACK: find pam_unix.so in MODULE_BUILD_DIR to see where to put pam_script at
- cd $MODULE_BUILD_DIR
+ cd "$MODULE_BUILD_DIR"
local PAM_UNIX_LOCATION=$(find . -name pam_unix.so)
- cd - > /dev/null
cd "${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}" || perror "Could not cd to ${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}."
- ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir=$(dirname ${PAM_UNIX_LOCATION:1}) || perror "pam-script: ./configure failed."
+ ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir="$(dirname ${PAM_UNIX_LOCATION:1})" || perror "pam-script: ./configure failed."
make DESTDIR="${MODULE_BUILD_DIR}" install || perror "pam-script: make install to ${MODULE_BUILD_DIR} failed."
- cd - > /dev/null
+ # Build nslcd service file
+ cd "$MODULE_BUILD_DIR"
+ local NSLCD_PATH=$(which nslcd)
+ [ -z "$NSLCD_PATH" ] && perror "Could not 'which nslcd'"
+ mkdir -p "etc/systemd/system"
+ sed "s,%PATH%,$NSLCD_PATH,g" "$MODULE_DIR/templates/nslcd-systemd.service" > "etc/systemd/system/nslcd.service" || perror "Could not fill nslcd.service template"
}
-post_copy() {
+post_copy() {
:
}
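Review bot: The new `cd "$MODULE_BUILD_DIR"` before `which nslcd` has no failure check, unlike the `cd` into the pam-script source directory a few lines up, so a wrong MODULE_BUILD_DIR would silently run `which` and `mkdir -p etc/systemd/system` in whatever directory the shell happens to be in; make it `cd "$MODULE_BUILD_DIR" || perror "Could not cd to $MODULE_BUILD_DIR"`. Removing both `cd - > /dev/null` lines means build() now returns with the working directory changed to MODULE_BUILD_DIR; if the build driver relies on build() restoring cwd this is a behavior change, so either restore it or state in a comment that the function ends in MODULE_BUILD_DIR. `which nslcd` resolves the binary on the build host's PATH and bakes that path into the target's ExecStart, which presumably only works because the rootfs is built from the same distribution; `command -v nslcd` is the POSIX form and the assumption deserves a comment. build() starts before this hunk.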
diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf
index 4e2e01a1..c0a21a79 100644
--- a/remote/modules/pam/pam.conf
+++ b/remote/modules/pam/pam.conf
@@ -1,5 +1,6 @@
REQUIRED_BINARIES="
ldapsearch
+ nslcd
rpc.gssd
rpc.idmapd
sslconnect
@@ -14,6 +15,9 @@ REQUIRED_LIBRARIES="
REQUIRED_DIRECTORIES="
/etc/security
"
+REQUIRED_FILES="
+ /etc/systemd/system/nslcd.service
+"
REQUIRED_SYSTEM_FILES="
/etc/login.defs
/etc/securetty
diff --git a/remote/modules/pam/pam.conf.debian b/remote/modules/pam/pam.conf.debian
index 278c36be..d424f1f7 100644
--- a/remote/modules/pam/pam.conf.debian
+++ b/remote/modules/pam/pam.conf.debian
@@ -1,6 +1,7 @@
REQUIRED_INSTALLED_PACKAGES="
libpam-ldap
- libnss-ldap
+ libnss-ldapd
+ nslcd
libpam-ck-connector
libpam-cap
krb5-user
@@ -20,7 +21,8 @@ REQUIRED_CONTENT_PACKAGES="
libpam-cap
libldap-2.4-2
libpam-ldap
- libnss-ldap
+ libnss-ldapd
+ nslcd
krb5-user
krb5-config
libpam-krb5
diff --git a/remote/modules/pam/pam.conf.opensuse b/remote/modules/pam/pam.conf.opensuse
index 9b3d3247..fe6199ea 100644
--- a/remote/modules/pam/pam.conf.opensuse
+++ b/remote/modules/pam/pam.conf.opensuse
@@ -3,7 +3,7 @@ REQUIRED_INSTALLED_PACKAGES="
pam
pam_krb5
pam-devel
- nss_ldap
+ nss-pam-ldapd
pam-modules
libopenssl-devel
openldap2-client
diff --git a/remote/modules/pam/pam.conf.ubuntu b/remote/modules/pam/pam.conf.ubuntu
index fe034225..5f6435f0 100644
--- a/remote/modules/pam/pam.conf.ubuntu
+++ b/remote/modules/pam/pam.conf.ubuntu
@@ -1,6 +1,7 @@
REQUIRED_INSTALLED_PACKAGES="
libpam-ldap
- libnss-ldap
+ libnss-ldapd
+ nslcd
krb5-user
krb5-config
libpam-krb5
@@ -17,7 +18,8 @@ REQUIRED_CONTENT_PACKAGES="
libpam-cap
libldap-2.4-2
libpam-ldap
- libnss-ldap
+ libnss-ldapd
+ nslcd
krb5-user
krb5-config
libpam-krb5
diff --git a/remote/modules/pam/templates/nslcd-systemd.service b/remote/modules/pam/templates/nslcd-systemd.service
new file mode 100644
index 00000000..540e67cd
--- /dev/null
+++ b/remote/modules/pam/templates/nslcd-systemd.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Naming services LDAP client daemon
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/nslcd/nslcd.pid
+ExecStart=%PATH%
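Review bot: The unit has no `[Install]` section and this diff adds no `.wants` symlink for it (unlike openslx-iptables.service), so it is unclear how nslcd is meant to be started on the target; if it should run at boot, add `[Install]` with `WantedBy=multi-user.target` or a symlink like the one in basic.target.wants. `PIDFile=/var/run/nslcd/nslcd.pid` presumes `/var/run/nslcd` exists before the daemon forks, and nothing in this diff creates it; a `RuntimeDirectory=nslcd` line would remove that dependency on the host package's setup — verify against the nslcd build used here. Since nslcd exists to reach an LDAP server, `After=network.target` only orders after network configuration has begun; `After=network-online.target` plus `Wants=network-online.target` is the usual ordering for a daemon that must talk out at startup, if the systemd version on the target provides that target.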
diff --git a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse
index b5630284..4b11529b 100644
--- a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse
+++ b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse
@@ -17,3 +17,6 @@ REQUIRED_DIRECTORIES="
REQUIRED_FILES+="
/usr/share/X11/app-defaults/Xvidtune
"
+REQUIRED_KERNEL_MODULES+="
+ kernel/drivers/cdrom
+"
diff --git a/remote/targets/stage32-bwlp/iptables-helper b/remote/targets/stage32-bwlp/iptables-helper
new file mode 120000
index 00000000..e449282d
--- /dev/null
+++ b/remote/targets/stage32-bwlp/iptables-helper
@@ -0,0 +1 @@
+../../modules/iptables-helper \ No newline at end of file