diff options
15 files changed, 140 insertions, 10 deletions
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service new file mode 120000 index 00000000..40213361 --- /dev/null +++ b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service @@ -0,0 +1 @@ +../openslx-iptables.service
\ No newline at end of file diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service new file mode 100644 index 00000000..ef88cf69 --- /dev/null +++ b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service @@ -0,0 +1,6 @@ +[Unit] +Description=OpenSLX iptables helper + +[Service] +ExecStart=/opt/openslx/iptables/iptables-reloader + diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader new file mode 100755 index 00000000..60ca1e2c --- /dev/null +++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader @@ -0,0 +1,5 @@ +#!/bin/ash + +/opt/openslx/iptables/iptables-reloader-worker +exec /opt/openslx/sbin/inotifyd /opt/openslx/iptables/iptables-reloader-worker /opt/openslx/iptables/rules.d:cndmy + diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker new file mode 100755 index 00000000..350f502c --- /dev/null +++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker @@ -0,0 +1,79 @@ +#!/bin/ash + +# Reloads iptables rules by flushing the tables and applying everything +# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds +# to coalesce changes, since inotifyd can trigger dozens of events in a row. +# +# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service + +ALL_RULES="/run/iptables-reloader.cache" +LOCK="/run/iptables-reloader.lock" + +# Expects $1 to be the contents of $LOCK +reload_rules () { + if [ -z "$1" -o ! -s "$LOCK" ]; then + echo "'$1' empty or lock non-existent" + exit 0 + fi + sleep 2 + if [ "x$(cat "$LOCK")" != "x$1" ]; then + echo "Wrong lock, lost race" + exit 0 + fi + + rm -f -- "${ALL_RULES}.new" + + for file in /opt/openslx/iptables/rules.d/*; do + cat "$file" >> "${ALL_RULES}.new" + done + + # No change? Do nothing... + [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0 + + # Reset + # Filter + for chain in INPUT FORWARD OUTPUT; do + iptables -t filter -P "$chain" ACCEPT + done + iptables -t filter -F + # NAT + for chain in INPUT OUTPUT PREROUTING POSTROUTING; do + iptables -t nat -P "$chain" ACCEPT + done + iptables -t nat -F + # Mangle + for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do + iptables -t mangle -P "$chain" ACCEPT + done + iptables -t mangle -F + + # Apply + local LOGFILE=$(mktemp) + local DISABLED="/opt/openslx/iptables/rules.d/disabled/" + for file in /opt/openslx/iptables/rules.d/*; do + [ ! -f "$file" ] && continue + if [ ! -x "$file" ]; then + slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/" + mkdir -p "$DISABLED" + mv "$file" "$DISABLED" + continue + fi + if ! "$file" > "$LOGFILE" 2>&1; then + slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE" + mkdir -p "$DISABLED" + mv "$file" "$DISABLED" + fi + done + + mv -f -- "${ALL_RULES}.new" "${ALL_RULES}" + echo "iptables rules successfully updated." + exit 0 +} + + +ID="$$+$RANDOM" +echo "$ID" > "$LOCK" +reload_rules "$ID" & + +exit 0 + diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder new file mode 100644 index 00000000..11b30bcc --- /dev/null +++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder @@ -0,0 +1 @@ +# Put your iptables rules here. Full command, like "iptables ...." diff --git a/remote/modules/iptables-helper/iptables-helper.build b/remote/modules/iptables-helper/iptables-helper.build new file mode 100644 index 00000000..d8804784 --- /dev/null +++ b/remote/modules/iptables-helper/iptables-helper.build @@ -0,0 +1,13 @@ + +fetch_source() { + : +} + +build() { + : +} + +post_copy() { + : +} + diff --git a/remote/modules/iptables-helper/iptables-helper.conf b/remote/modules/iptables-helper/iptables-helper.conf new file mode 100644 index 00000000..34103f5b --- /dev/null +++ b/remote/modules/iptables-helper/iptables-helper.conf @@ -0,0 +1 @@ +# requires some rootfs that provies iptables diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build index 34319ce8..48baf8b9 100644 --- a/remote/modules/pam/pam.build +++ b/remote/modules/pam/pam.build @@ -13,15 +13,19 @@ build() { # build pam-script separatly since we use a source tarball # HACK: find pam_unix.so in MODULE_BUILD_DIR to see where to put pam_script at - cd $MODULE_BUILD_DIR + cd "$MODULE_BUILD_DIR" local PAM_UNIX_LOCATION=$(find . -name pam_unix.so) - cd - > /dev/null cd "${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}" || perror "Could not cd to ${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}." - ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir=$(dirname ${PAM_UNIX_LOCATION:1}) || perror "pam-script: ./configure failed." + ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir="$(dirname ${PAM_UNIX_LOCATION:1})" || perror "pam-script: ./configure failed." make DESTDIR="${MODULE_BUILD_DIR}" install || perror "pam-script: make install to ${MODULE_BUILD_DIR} failed." - cd - > /dev/null + # Build nslcd service file + cd "$MODULE_BUILD_DIR" + local NSLCD_PATH=$(which nslcd) + [ -z "$NSLCD_PATH" ] && perror "Could not 'which nslcd'" + mkdir -p "etc/systemd/system" + sed "s,%PATH%,$NSLCD_PATH,g" "$MODULE_DIR/templates/nslcd-systemd.service" > "etc/systemd/system/nslcd.service" || perror "Could not fill nslcd.service template" } -post_copy() { +post_copy() { : } diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 4e2e01a1..c0a21a79 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf @@ -1,5 +1,6 @@ REQUIRED_BINARIES=" ldapsearch + nslcd rpc.gssd rpc.idmapd sslconnect @@ -14,6 +15,9 @@ REQUIRED_LIBRARIES=" REQUIRED_DIRECTORIES=" /etc/security " +REQUIRED_FILES=" + /etc/systemd/system/nslcd.service +" REQUIRED_SYSTEM_FILES=" /etc/login.defs /etc/securetty diff --git a/remote/modules/pam/pam.conf.debian b/remote/modules/pam/pam.conf.debian index 278c36be..d424f1f7 100644 --- a/remote/modules/pam/pam.conf.debian +++ b/remote/modules/pam/pam.conf.debian @@ -1,6 +1,7 @@ REQUIRED_INSTALLED_PACKAGES=" libpam-ldap - libnss-ldap + libnss-ldapd + nslcd libpam-ck-connector libpam-cap krb5-user @@ -20,7 +21,8 @@ REQUIRED_CONTENT_PACKAGES=" libpam-cap libldap-2.4-2 libpam-ldap - libnss-ldap + libnss-ldapd + nslcd krb5-user krb5-config libpam-krb5 diff --git a/remote/modules/pam/pam.conf.opensuse b/remote/modules/pam/pam.conf.opensuse index 9b3d3247..fe6199ea 100644 --- a/remote/modules/pam/pam.conf.opensuse +++ b/remote/modules/pam/pam.conf.opensuse @@ -3,7 +3,7 @@ REQUIRED_INSTALLED_PACKAGES=" pam pam_krb5 pam-devel - nss_ldap + nss-pam-ldapd pam-modules libopenssl-devel openldap2-client diff --git a/remote/modules/pam/pam.conf.ubuntu b/remote/modules/pam/pam.conf.ubuntu index fe034225..5f6435f0 100644 --- a/remote/modules/pam/pam.conf.ubuntu +++ b/remote/modules/pam/pam.conf.ubuntu @@ -1,6 +1,7 @@ REQUIRED_INSTALLED_PACKAGES=" libpam-ldap - libnss-ldap + libnss-ldapd + nslcd krb5-user krb5-config libpam-krb5 @@ -17,7 +18,8 @@ REQUIRED_CONTENT_PACKAGES=" libpam-cap libldap-2.4-2 libpam-ldap - libnss-ldap + libnss-ldapd + nslcd krb5-user krb5-config libpam-krb5 diff --git a/remote/modules/pam/templates/nslcd-systemd.service b/remote/modules/pam/templates/nslcd-systemd.service new file mode 100644 index 00000000..540e67cd --- /dev/null +++ b/remote/modules/pam/templates/nslcd-systemd.service @@ -0,0 +1,8 @@ +[Unit] +Description=Naming services LDAP client daemon +After=network.target + +[Service] +Type=forking +PIDFile=/var/run/nslcd/nslcd.pid +ExecStart=%PATH% diff --git a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse index b5630284..4b11529b 100644 --- a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse +++ b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse @@ -17,3 +17,6 @@ REQUIRED_DIRECTORIES=" REQUIRED_FILES+=" /usr/share/X11/app-defaults/Xvidtune " +REQUIRED_KERNEL_MODULES+=" + kernel/drivers/cdrom +" diff --git a/remote/targets/stage32-bwlp/iptables-helper b/remote/targets/stage32-bwlp/iptables-helper new file mode 120000 index 00000000..e449282d --- /dev/null +++ b/remote/targets/stage32-bwlp/iptables-helper @@ -0,0 +1 @@ +../../modules/iptables-helper
\ No newline at end of file |