From 467f296ca8b1ea482b70e12152b6513cb03f7f31 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Fri, 17 Jan 2014 17:20:34 +0100 Subject: [xorg] Forgot to remove xprintidle from REQUIRED_CONTENT_PACKAGES when idleaction was introduced --- remote/modules/xorg/xorg.conf.debian | 1 - remote/modules/xorg/xorg.conf.opensuse | 1 - remote/modules/xorg/xorg.conf.ubuntu | 1 - 3 files changed, 3 deletions(-) diff --git a/remote/modules/xorg/xorg.conf.debian b/remote/modules/xorg/xorg.conf.debian index b1c26ae9..1ce74939 100644 --- a/remote/modules/xorg/xorg.conf.debian +++ b/remote/modules/xorg/xorg.conf.debian @@ -34,7 +34,6 @@ REQUIRED_CONTENT_PACKAGES=" @xserver-xorg-video-geode$UBUNTU_XORG_PKG_SUFFIX @xserver-xorg-video-s3$UBUNTU_XORG_PKG_SUFFIX @xserver-xorg-video-tdfx$UBUNTU_XORG_PKG_SUFFIX - xprintidle " REQUIRED_DIRECTORIES+=" /usr/lib diff --git a/remote/modules/xorg/xorg.conf.opensuse b/remote/modules/xorg/xorg.conf.opensuse index ef353a4c..1e6f5ff1 100644 --- a/remote/modules/xorg/xorg.conf.opensuse +++ b/remote/modules/xorg/xorg.conf.opensuse @@ -37,7 +37,6 @@ REQUIRED_CONTENT_PACKAGES=" libpixman-1-0 xrandr vaapi-intel-driver - xprintidle " REQUIRED_LIBRARIES=" libI810XvMC diff --git a/remote/modules/xorg/xorg.conf.ubuntu b/remote/modules/xorg/xorg.conf.ubuntu index e62a50f8..69c3e64c 100644 --- a/remote/modules/xorg/xorg.conf.ubuntu +++ b/remote/modules/xorg/xorg.conf.ubuntu @@ -33,7 +33,6 @@ REQUIRED_CONTENT_PACKAGES=" @xserver-xorg-video-geode$UBUNTU_XORG_PKG_SUFFIX @xserver-xorg-video-s3$UBUNTU_XORG_PKG_SUFFIX @xserver-xorg-video-tdfx$UBUNTU_XORG_PKG_SUFFIX - xprintidle " REQUIRED_DIRECTORIES+=" /usr/lib -- cgit v1.2.3-55-g7522 From bf3c32b4aebb520b4aad270ed024821b0387ea5d Mon Sep 17 00:00:00 2001 
From: Simon Rettberg Date: Fri, 17 Jan 2014 17:54:56 +0100 Subject: [iptables-helper] Simple helper scripts/service for handling iptables rules This adds no fancy features or new syntax or anything, but merely helps to manage a *.d directory for iptables scripts. You simply write simple shell scripts where you issue your iptables calls and place them in /opt/openslx/iptables/rules.d On bootup, and whenever the contents of the directory change, all tables will be reset and the scripts from rules.d are run. They're run in alphabetical order, so it's wise to adhere to the XX-* naming scheme. Also you can place any kind of script there doing really complicated things, it's advised you keep them as simple as possible and use proper names, that tell what the script does. The default behaviour is set to ACCEPT on all tables/chains, but nothing stops you from doing 'iptables -P' in one of the scripts. --- .../basic.target.wants/openslx-iptables.service | 1 + .../etc/systemd/system/openslx-iptables.service | 6 ++ .../data/opt/openslx/iptables/iptables-reloader | 5 ++ .../opt/openslx/iptables/iptables-reloader-worker | 79 ++++++++++++++++++++++ .../data/opt/openslx/iptables/rules.d/.placeholder | 1 + .../modules/iptables-helper/iptables-helper.build | 13 ++++ .../modules/iptables-helper/iptables-helper.conf | 1 + remote/targets/stage32-bwlp/iptables-helper | 1 + 8 files changed, 107 insertions(+) create mode 120000 remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service create mode 100644 remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service create mode 100755 remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader create mode 100755 remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker create mode 100644 remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder create mode 100644 remote/modules/iptables-helper/iptables-helper.build create 
mode 100644 remote/modules/iptables-helper/iptables-helper.conf
create mode 120000 remote/targets/stage32-bwlp/iptables-helper
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
new file mode 120000
index 00000000..40213361
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
@@ -0,0 +1 @@
+../openslx-iptables.service
\ No newline at end of file
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
new file mode 100644
index 00000000..ef88cf69
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=OpenSLX iptables helper
+
+[Service]
+ExecStart=/opt/openslx/iptables/iptables-reloader
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
new file mode 100755
index 00000000..60ca1e2c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
@@ -0,0 +1,5 @@
+#!/bin/ash
+
+/opt/openslx/iptables/iptables-reloader-worker
+exec /opt/openslx/sbin/inotifyd /opt/openslx/iptables/iptables-reloader-worker /opt/openslx/iptables/rules.d:cndmy
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
new file mode 100755
index 00000000..350f502c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
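Review bot: The first application of the rules is both deferred and unordered: iptables-reloader calls the worker once before `exec`ing inotifyd, but the worker only backgrounds `reload_rules "$ID" &` (which does `sleep 2` before touching iptables) and exits immediately, and openslx-iptables.service carries no `Before=`/`After=` ordering at all, so at boot the network can be up well before any rules.d script has run. Since commit bb0282a later in this series moves the lpd DROP rules out of udhcpc-openslx into rules.d, that gap is a fail-open window for those ports. A synchronous initial pass (for example a worker flag that skips the delay and the backgrounding when called from iptables-reloader rather than from inotifyd) together with ordering the unit before network.target would close it; at minimum the unit should carry a comment stating that rules are applied asynchronously about two seconds after start.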
@@ -0,0 +1,79 @@
+#!/bin/ash
+
+# Reloads iptables rules by flushing the tables and applying everything
+# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds
+# to coalesce changes, since inotifyd can trigger dozens of events in a row.
+#
+# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service
+
+ALL_RULES="/run/iptables-reloader.cache"
+LOCK="/run/iptables-reloader.lock"
+
+# Expects $1 to be the contents of $LOCK
+reload_rules () {
+ if [ -z "$1" -o ! -s "$LOCK" ]; then
+ echo "'$1' empty or lock non-existent"
+ exit 0
+ fi
+ sleep 2
+ if [ "x$(cat "$LOCK")" != "x$1" ]; then
+ echo "Wrong lock, lost race"
+ exit 0
+ fi
+
+ rm -f -- "${ALL_RULES}.new"
+
+ for file in /opt/openslx/iptables/rules.d/*; do
+ cat "$file" >> "${ALL_RULES}.new"
+ done
+
+ # No change? Do nothing...
+ [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0
+
+ # Reset
+ # Filter
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -t filter -P "$chain" ACCEPT
+ done
+ iptables -t filter -F
+ # NAT
+ for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
+ iptables -t nat -P "$chain" ACCEPT
+ done
+ iptables -t nat -F
+ # Mangle
+ for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
+ iptables -t mangle -P "$chain" ACCEPT
+ done
+ iptables -t mangle -F
+
+ # Apply
+ local LOGFILE=$(mktemp)
+ local DISABLED="/opt/openslx/iptables/rules.d/disabled/"
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ ! -f "$file" ] && continue
+ if [ ! -x "$file" ]; then
+ slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ continue
+ fi
+ if ! "$file" > "$LOGFILE" 2>&1; then
+ slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ fi
+ done
+
+ mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
+ echo "iptables rules successfully updated."
+ exit 0
+}
+
+
+ID="$$+$RANDOM"
+echo "$ID" > "$LOCK"
+reload_rules "$ID" &
+
+exit 0
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
new file mode 100644
index 00000000..11b30bcc
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
@@ -0,0 +1 @@
+# Put your iptables rules here. Full command, like "iptables ...."
diff --git a/remote/modules/iptables-helper/iptables-helper.build b/remote/modules/iptables-helper/iptables-helper.build
new file mode 100644
index 00000000..d8804784
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.build
@@ -0,0 +1,13 @@
+
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ :
+}
+
diff --git a/remote/modules/iptables-helper/iptables-helper.conf b/remote/modules/iptables-helper/iptables-helper.conf
new file mode 100644
index 00000000..34103f5b
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.conf
@@ -0,0 +1 @@
+# requires some rootfs that provies iptables
diff --git a/remote/targets/stage32-bwlp/iptables-helper b/remote/targets/stage32-bwlp/iptables-helper
new file mode 120000
index 00000000..e449282d
--- /dev/null
+++ b/remote/targets/stage32-bwlp/iptables-helper
@@ -0,0 +1 @@
+../../modules/iptables-helper
\ No newline at end of file
-- cgit v1.2.3-55-g7522
From 9409ebe3c37ccdad1380e5c5e56802e09f62d00b Mon Sep 17 00:00:00 2001
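Review bot: The reset block only flushes each table (`iptables -t filter -F` and the nat/mangle equivalents) but never deletes user-defined chains, so any rules.d script that does `iptables -N` will, unless it ignores the error, exit nonzero on the second reload and be moved to disabled/ by the apply loop; add `iptables -t filter -X`, `iptables -t nat -X` and `iptables -t mangle -X` after the respective `-F`. The header comment disagrees with the code in two places: it says actions are delayed by 5 seconds while the code does `sleep 2`, and it points to `openslx-iptables_reloader.service` although the unit added in this commit is `openslx-iptables.service` (also "scriptis"). Because policies are set to ACCEPT and the tables flushed before the scripts run, and a failing or non-executable script is merely moved aside while the loop continues, a single broken rules.d script leaves the host fail-open; the slxlog messages should say so explicitly, or the run should stop before the final `mv`. `$LOGFILE` from `mktemp` is never removed, so every reload leaks a temp file; `rm -f -- "$LOGFILE"` after the loop is enough provided slxlog reads the file synchronously (it is passed as an argument, so presumably it does).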
From: Simon Rettberg Date: Fri, 17 Jan 2014 18:00:17 +0100 Subject: [pam] nss-ldap -> nss-ldapd --- remote/modules/pam/pam.build | 14 +++++++++----- remote/modules/pam/pam.conf | 4 ++++ remote/modules/pam/pam.conf.debian | 6 ++++-- remote/modules/pam/pam.conf.opensuse | 2 +- remote/modules/pam/pam.conf.ubuntu | 6 ++++-- remote/modules/pam/templates/nslcd-systemd.service | 8 ++++++++ 6 files changed, 30 insertions(+), 10 deletions(-) create mode 100644 remote/modules/pam/templates/nslcd-systemd.service diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build index 34319ce8..48baf8b9 100644 --- a/remote/modules/pam/pam.build +++ b/remote/modules/pam/pam.build @@ -13,15 +13,19 @@ build() { # build pam-script separatly since we use a source tarball # HACK: find pam_unix.so in MODULE_BUILD_DIR to see where to put pam_script at - cd $MODULE_BUILD_DIR + cd "$MODULE_BUILD_DIR" local PAM_UNIX_LOCATION=$(find . -name pam_unix.so) - cd - > /dev/null cd "${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}" || perror "Could not cd to ${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}." - ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir=$(dirname ${PAM_UNIX_LOCATION:1}) || perror "pam-script: ./configure failed." + ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir="$(dirname ${PAM_UNIX_LOCATION:1})" || perror "pam-script: ./configure failed." make DESTDIR="${MODULE_BUILD_DIR}" install || perror "pam-script: make install to ${MODULE_BUILD_DIR} failed." - cd - > /dev/null + # Build nslcd service file + cd "$MODULE_BUILD_DIR" + local NSLCD_PATH=$(which nslcd) + [ -z "$NSLCD_PATH" ] && perror "Could not 'which nslcd'" + mkdir -p "etc/systemd/system" + sed "s,%PATH%,$NSLCD_PATH,g" "$MODULE_DIR/templates/nslcd-systemd.service" > "etc/systemd/system/nslcd.service" || perror "Could not fill nslcd.service template" } -post_copy() { +post_copy() { : } 
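Review bot: Both new `cd "$MODULE_BUILD_DIR"` lines are unchecked, unlike the `cd "${MODULE_DIR}/src/pam-script-..." || perror` right between them; if either cd fails, `find` scans the wrong tree and `sed ... > "etc/systemd/system/nslcd.service"` writes the unit into whatever the current directory happens to be. Use `cd "$MODULE_BUILD_DIR" || perror "Could not cd to $MODULE_BUILD_DIR"` in both places. `$(which nslcd)` resolves a path on the build host that is then baked into the client's unit file; that is presumably intended since the same tree is copied, but a one-line comment saying so would save the next reader a question. The enclosing build() starts outside the hunk.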
diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 4e2e01a1..c0a21a79 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf @@ -1,5 +1,6 @@ REQUIRED_BINARIES=" ldapsearch + nslcd rpc.gssd rpc.idmapd sslconnect @@ -14,6 +15,9 @@ REQUIRED_LIBRARIES=" REQUIRED_DIRECTORIES=" /etc/security " +REQUIRED_FILES=" + /etc/systemd/system/nslcd.service +" REQUIRED_SYSTEM_FILES=" /etc/login.defs /etc/securetty diff --git a/remote/modules/pam/pam.conf.debian b/remote/modules/pam/pam.conf.debian index 278c36be..d424f1f7 100644 --- a/remote/modules/pam/pam.conf.debian +++ b/remote/modules/pam/pam.conf.debian @@ -1,6 +1,7 @@ REQUIRED_INSTALLED_PACKAGES=" libpam-ldap - libnss-ldap + libnss-ldapd + nslcd libpam-ck-connector libpam-cap krb5-user @@ -20,7 +21,8 @@ REQUIRED_CONTENT_PACKAGES=" libpam-cap libldap-2.4-2 libpam-ldap - libnss-ldap + libnss-ldapd + nslcd krb5-user krb5-config libpam-krb5 diff --git a/remote/modules/pam/pam.conf.opensuse b/remote/modules/pam/pam.conf.opensuse index 9b3d3247..fe6199ea 100644 --- a/remote/modules/pam/pam.conf.opensuse +++ b/remote/modules/pam/pam.conf.opensuse @@ -3,7 +3,7 @@ REQUIRED_INSTALLED_PACKAGES=" pam pam_krb5 pam-devel - nss_ldap + nss-pam-ldapd pam-modules libopenssl-devel openldap2-client diff --git a/remote/modules/pam/pam.conf.ubuntu b/remote/modules/pam/pam.conf.ubuntu index fe034225..5f6435f0 100644 --- a/remote/modules/pam/pam.conf.ubuntu +++ b/remote/modules/pam/pam.conf.ubuntu @@ -1,6 +1,7 @@ REQUIRED_INSTALLED_PACKAGES=" libpam-ldap - libnss-ldap + libnss-ldapd + nslcd krb5-user krb5-config libpam-krb5 @@ -17,7 +18,8 @@ REQUIRED_CONTENT_PACKAGES=" libpam-cap libldap-2.4-2 libpam-ldap - libnss-ldap + libnss-ldapd + nslcd krb5-user krb5-config libpam-krb5 diff --git a/remote/modules/pam/templates/nslcd-systemd.service b/remote/modules/pam/templates/nslcd-systemd.service new file mode 100644 index 00000000..540e67cd --- /dev/null 
+++ b/remote/modules/pam/templates/nslcd-systemd.service @@ -0,0 +1,8 @@ +[Unit] +Description=Naming services LDAP client daemon +After=network.target + +[Service] +Type=forking +PIDFile=/var/run/nslcd/nslcd.pid +ExecStart=%PATH% -- cgit v1.2.3-55-g7522 From b87e912005f2bf986601f600d25fdd28d88c76e0 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Fri, 17 Jan 2014 18:40:40 +0100 Subject: [cron] Place our own cron in /opt/openslx/... --- remote/modules/cron/cron.build | 4 ++-- remote/modules/cron/data/etc/systemd/system/cron.service | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/remote/modules/cron/cron.build b/remote/modules/cron/cron.build index fc364347..932c3e85 100644 --- a/remote/modules/cron/cron.build +++ b/remote/modules/cron/cron.build @@ -18,8 +18,8 @@ build() { make cron || perror "Could not compile cron using 'make'." # copy to build dir, since there are no shared libs linked in - mkdir -p "${MODULE_BUILD_DIR}/usr/sbin" - cp "$MODULE_DIR/src/cron" "$MODULE_BUILD_DIR/usr/sbin/" || perror "Could copy cron binary to ${MODULE_BUILD_DIR}" + mkdir -p "${MODULE_BUILD_DIR}/opt/openslx/sbin" + cp "${MODULE_DIR}/src/cron" "${MODULE_BUILD_DIR}/opt/openslx/sbin/" || perror "Could copy cron binary to ${MODULE_BUILD_DIR}" cd - &>/dev/null } diff --git a/remote/modules/cron/data/etc/systemd/system/cron.service b/remote/modules/cron/data/etc/systemd/system/cron.service index 2c5b832a..fbf17b27 100644 --- a/remote/modules/cron/data/etc/systemd/system/cron.service +++ b/remote/modules/cron/data/etc/systemd/system/cron.service @@ -1,7 +1,7 @@ [Unit] -Description=CRON +Description=Cron Daemon [Service] Type=forking -ExecStart=/usr/sbin/cron +ExecStart=/opt/openslx/sbin/cron ExecStop=/opt/openslx/bin/kill -TERM $MAINPID -- cgit v1.2.3-55-g7522 From bb0282a103944c6e81d43bc09151b8510e6482ce Mon Sep 17 00:00:00 2001 
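Review bot: `ExecStart=%PATH%` is a build-time placeholder filled in by pam.build, but nothing in the file says so, and because `%` introduces specifiers in systemd unit files a copy installed unsubstituted would likely not behave as intended. Add a header line such as `# Template: %PATH% is replaced with the nslcd binary path by pam.build (sed); do not install this file verbatim`. `PIDFile=/var/run/nslcd/nslcd.pid` with `Type=forking` assumes nslcd creates that directory and pid file itself; presumably it does, but confirm, since a missing pid file can leave the unit failed or with a guessed main PID.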
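Review bot: The error message on the rewritten `cp` line still reads `Could copy cron binary to ...`, i.e. it is missing "not"; since the line is touched here anyway, make it `|| perror "Could not copy cron binary to ${MODULE_BUILD_DIR}"`. The `mkdir -p` above it is unchecked as well, so a failure there only surfaces indirectly through the cp error. The enclosing build() starts outside the hunk.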
From: Simon Rettberg Date: Fri, 17 Jan 2014 19:39:39 +0100 Subject: Make some modules use iptables-helper --- .../dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx | 8 ++++---- .../opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw | 8 ++++++++ .../redsocks/data/etc/systemd/system/redsocks.service | 3 ++- .../redsocks/data/opt/openslx/scripts/systemd-setup_proxy | 14 ++++++++++---- .../opt/openslx/iptables/rules.d/50-virt-nat1-masquerading | 3 +++ .../data/opt/openslx/scripts/systemd-vmchooser_env | 5 ++++- 6 files changed, 31 insertions(+), 10 deletions(-) create mode 100755 remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw create mode 100755 remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading diff --git a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx index fe2fa252..00d22ba5 100755 --- a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx +++ b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx @@ -163,10 +163,10 @@ case "$1" in # Mark network target as reached systemctl start network.target & - # Port redirection for printing - iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP - iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP - iptables -t nat -A PREROUTING -p tcp --dport 515 -j REDIRECT --to-port 5515 + # Port redirection for printing happens in printergui modules (iptables-helper rule) + ####iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP + ####iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP + ####iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515 fi ;; diff --git a/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw new file mode 100755 index 00000000..c0b724a2 --- /dev/null 
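Review bot: The three `####iptables` lines are dead code left in place of the removed rules, and they are not even a faithful record of what was removed: the commented PREROUTING line carries `-s 192.168.0.0/16`, which the deleted line did not. Keep only the pointer comment (`# Port redirection for printing happens in printergui modules (iptables-helper rule)`) and delete the three commented commands, since the live version now lives in printergui's 50-lpd-redirect-and-fw. The same pattern (`### iptables -t nat -A POSTROUTING ... -j MASQUERADE`) appears in the systemd-vmchooser_env hunk later in this commit. The enclosing case branch starts outside the hunk.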
+++ b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw
@@ -0,0 +1,8 @@
+#!/bin/ash
+
+# Close from outside
+iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
+iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
+# Redirect from VM to lpd
+iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515
+
diff --git a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
index ab10aa55..a1c2b089 100644
--- a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
+++ b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
@@ -7,5 +7,6 @@ Type=forking
 User=redsocks
 PIDFile=/run/redsocks/redsocks.pid
 ExecStart=/sbin/redsocks -c /etc/redsocks.conf -p /run/redsocks/redsocks.pid
-ExecStopPost=/bin/rm /run/redsocks/redsocks.pid
+ExecStopPost=/bin/rm -f /run/redsocks/redsocks.pid
+ExecStopPost=/bin/rm -f /opt/openslx/iptables/rules.d/10-redoscks-proxy
 Restart=on-abort
diff --git a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
index 4f802f53..94cb7688 100755
--- a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
+++ b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
@@ -29,8 +29,12 @@ mkdir -p /run/redsocks chown redsocks:redsocks /run/redsocks systemctl start redsocks +cat > "/opt/openslx/iptables/rules.d/10-redoscks-proxy" </proc/sys/net/ipv4/conf/nat1/forwarding echo "1" >/proc/sys/net/ipv4/conf/br0/forwarding 2>/dev/null -iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE +# iptables masquerade rule is now inserted by /opt/openslx/iptables/rules.d/50-virt-nat1-masquerading +### iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE for wait in 1 1 2 2 3 end; do grep '^SLX_DNS' "/opt/openslx/config" > /dev/null && break
-- cgit v1.2.3-55-g7522
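Review bot: The script hard-codes br0 as the outside interface and 192.168.0.0/16 as the VM network without documenting either, and the two DROP rules only match `-i br0`, so on a host whose uplink has another name the lpd ports 515/5515 stay reachable from outside. Add a header comment such as `# Assumes br0 is the uplink bridge; VMs (192.168.0.0/16) reach the local lpd on 5515 via the nat REDIRECT below` and consider restricting the REDIRECT to the VM-side interface as well (presumably nat1, judging by the 50-virt-nat1-masquerading file in the same commit). Since rules.d scripts run in alphabetical order, the 50- prefix is the only ordering against other rules and is worth a word in that comment too.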
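Review bot: The rules file name in the new `ExecStopPost=/bin/rm -f /opt/openslx/iptables/rules.d/10-redoscks-proxy` is misspelled ("redoscks"); it is spelled the same way in the systemd-setup_proxy hunk, so the cleanup works today, but correcting one side later without the other would leave the proxy REDIRECT rule active in rules.d after redsocks stops. Rename to `10-redsocks-proxy` in both files, or have both derive the path from a single variable. The systemd-setup_proxy hunk as rendered here appears truncated (the heredoc body after `cat > ... <` is missing), so its content could not be reviewed.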
From 5801781515a81edaca06a66bfe4ada2444be3efb Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Mon, 20 Jan 2014 17:42:36 +0100 Subject: [vmware] Extend some vmware config --- remote/modules/vmware/data/etc/vmware/config | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/remote/modules/vmware/data/etc/vmware/config b/remote/modules/vmware/data/etc/vmware/config index eb5d01c0..c76cc885 100644 --- a/remote/modules/vmware/data/etc/vmware/config +++ b/remote/modules/vmware/data/etc/vmware/config @@ -2,3 +2,8 @@ prefvmx.minVmMemPct = "100" prefvmx.useRecommendedLockedMemSize = "TRUE" libdir = "/usr/lib/vmware" +mks.ctlAltDel.ignore = "TRUE" +mks.fullscreen.allowScreenSaver = "TRUE" +fullScreenSwitch.onSeparateDesktop = "TRUE" +msg.autoAnswer = "TRUE" + -- cgit v1.2.3-55-g7522 From 5291a12e65a0bb5b09fef4f273b1a76c2d427ca3 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Mon, 20 Jan 2014 17:43:06 +0100 Subject: [rfs-stage32] Append stage4 at the end of the aufs stack again and just copy the ld-config after mounting --- .../rootfs-stage32/data/opt/openslx/scripts/systemd-mount_stage4 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/remote/rootfs/rootfs-stage32/data/opt/openslx/scripts/systemd-mount_stage4 b/remote/rootfs/rootfs-stage32/data/opt/openslx/scripts/systemd-mount_stage4 index abc28f73..d0a3bc29 100755 --- a/remote/rootfs/rootfs-stage32/data/opt/openslx/scripts/systemd-mount_stage4 +++ b/remote/rootfs/rootfs-stage32/data/opt/openslx/scripts/systemd-mount_stage4 @@ -50,7 +50,9 @@ else fi echo "Appending $MOUNTPOINT to /" -if ! mount -o "remount,add:1:$MOUNTPOINT=ro" /; then +if mount -o "remount,append:$MOUNTPOINT=ro" /; then + cp -r "${MOUNTPOINT}/"etc/ld.* /etc/ || echo "Could not really copy full blown ldconfig from stage4 to live system" +else slxlog --echo "mount-stage4" "Could not append mounted stage4 at '$MOUNTPOINT' to aufs at /" exit 1 fi 
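Review bot: The new `cp -r "${MOUNTPOINT}/"etc/ld.* /etc/ || echo "Could not really copy ..."` only echoes on failure while the sibling else branch reports through `slxlog --echo "mount-stage4" ...`; a live system running with stale ld.so.conf/ld.so.cache is exactly the kind of problem that should reach the log, so use `|| slxlog --echo "mount-stage4" "Could not copy /etc/ld.* from stage4 at '$MOUNTPOINT' to /"`. A one-line comment on why the copy is needed would also help — presumably, per the subject, `append:` puts stage4 at the bottom of the aufs stack so its ld config would otherwise be shadowed by the existing layers. The enclosing if/else starts outside the hunk.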
@@ -62,3 +64,4 @@ systemctl reload dbus.service systemctl start stage4.target & exit 0 +
-- cgit v1.2.3-55-g7522
From 35393114bfc88490aaf8e9eac4f6808dc849844e Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 21 Jan 2014 13:39:26 +0100
Subject: Add nslcd startup
---
server/modules/pam-freiburg/etc/ldap/ldap.conf | 8 +-------
server/modules/pam-freiburg/etc/nslcd.conf | 8 ++++++++
.../etc/systemd/system/getty.target.wants/nslcd.service | 1 +
3 files changed, 10 insertions(+), 7 deletions(-)
mode change 100644 => 120000 server/modules/pam-freiburg/etc/ldap/ldap.conf
create mode 100644 server/modules/pam-freiburg/etc/nslcd.conf
create mode 120000 server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/nslcd.service
diff --git a/server/modules/pam-freiburg/etc/ldap/ldap.conf b/server/modules/pam-freiburg/etc/ldap/ldap.conf
deleted file mode 100644
index 809065cc..00000000
--- a/server/modules/pam-freiburg/etc/ldap/ldap.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-URI ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de
-BASE ou=people,dc=uni-freiburg,dc=de
-TLS_REQCERT allow
-nss_base_passwd ou=people,dc=uni-freiburg,dc=de?one?rufdienst=ldap*)(&(rufclienthome=*)(rufstatus=enabled)
-nss_base_group ou=group,dc=uni-freiburg,dc=de?one
-nss_map_attribute homeDirectory rufClientHome
-
diff --git a/server/modules/pam-freiburg/etc/ldap/ldap.conf b/server/modules/pam-freiburg/etc/ldap/ldap.conf
new file mode 120000
index 00000000..6050948a
--- /dev/null
+++ b/server/modules/pam-freiburg/etc/ldap/ldap.conf
@@ -0,0 +1 @@
+../ldap.conf
\ No newline at end of file
diff --git a/server/modules/pam-freiburg/etc/nslcd.conf b/server/modules/pam-freiburg/etc/nslcd.conf
new file mode 100644
index 00000000..e98e1675
--- /dev/null
+++ b/server/modules/pam-freiburg/etc/nslcd.conf
@@ -0,0 +1,8 @@
+# Cannot be a symlink to ldap.conf, as nslcd refuses to start if there are unknown options in this file...
+URI ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de
+BASE ou=people,dc=uni-freiburg,dc=de
+BIND_TIMELIMIT 5
+TIMELIMIT 10
+TLS_REQCERT allow
+
+nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,distccd,games,git,gnats,hplip,irc,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
diff --git a/server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/nslcd.service b/server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/nslcd.service
new file mode 120000
index 00000000..17c13d96
--- /dev/null
+++ b/server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/nslcd.service
@@ -0,0 +1 @@
+../nslcd.service
\ No newline at end of file
-- cgit v1.2.3-55-g7522
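Review bot: `TLS_REQCERT allow` disables server-certificate verification for the three ldaps:// URIs, so every name-service lookup nslcd performs (group membership, home directories, the initgroups data) can be answered by an impersonating LDAP server; unless the CA for bv1–bv3 genuinely cannot be shipped, use `tls_reqcert demand` together with `tls_cacertfile <path to the CA bundle>`. The ldap.conf deleted in this commit carried `nss_base_passwd ...(rufclienthome=*)(rufstatus=enabled)`, `nss_base_group ou=group,dc=uni-freiburg,dc=de?one` and `nss_map_attribute homeDirectory rufClientHome`, none of which has a counterpart here, so entries without rufstatus=enabled, the group base and the home-directory mapping now resolve differently; nslcd expresses these as `filter passwd (...)`, `base group ou=group,dc=uni-freiburg,dc=de` and `map passwd homeDirectory rufClientHome`. The first-line comment would be more useful if it named which ldap.conf options nslcd rejected, so nobody tries to re-merge the two files later.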