From 82c9f336492ba63df9887ad027ef4ae431607389 Mon Sep 17 00:00:00 2001 From: Christian Rößler Date: Fri, 17 Jan 2014 17:06:27 +0100 Subject: [rootfs-stage32] openSuse: Added cdrom module (REQUIRED_KERNEL_MODULES+=) --- remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse | 3 +++ 1 file changed, 3 insertions(+) (limited to 'remote') diff --git a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse index b5630284..4b11529b 100644 --- a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse +++ b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf.opensuse @@ -17,3 +17,6 @@ REQUIRED_DIRECTORIES=" REQUIRED_FILES+=" /usr/share/X11/app-defaults/Xvidtune " +REQUIRED_KERNEL_MODULES+=" + kernel/drivers/cdrom +" -- cgit v1.2.3-55-g7522 From 467f296ca8b1ea482b70e12152b6513cb03f7f31 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Fri, 17 Jan 2014 17:20:34 +0100 Subject: [xorg] Forgot to remove xprintidle from REQUIRED_CONTENT_PACKAGES when idleaction was introduced --- remote/modules/xorg/xorg.conf.debian | 1 - remote/modules/xorg/xorg.conf.opensuse | 1 - remote/modules/xorg/xorg.conf.ubuntu | 1 - 3 files changed, 3 deletions(-) (limited to 'remote') diff --git a/remote/modules/xorg/xorg.conf.debian b/remote/modules/xorg/xorg.conf.debian index b1c26ae9..1ce74939 100644 --- a/remote/modules/xorg/xorg.conf.debian +++ b/remote/modules/xorg/xorg.conf.debian @@ -34,7 +34,6 @@ REQUIRED_CONTENT_PACKAGES=" @xserver-xorg-video-geode$UBUNTU_XORG_PKG_SUFFIX @xserver-xorg-video-s3$UBUNTU_XORG_PKG_SUFFIX @xserver-xorg-video-tdfx$UBUNTU_XORG_PKG_SUFFIX - xprintidle " REQUIRED_DIRECTORIES+=" /usr/lib diff --git a/remote/modules/xorg/xorg.conf.opensuse b/remote/modules/xorg/xorg.conf.opensuse index ef353a4c..1e6f5ff1 100644 --- a/remote/modules/xorg/xorg.conf.opensuse +++ b/remote/modules/xorg/xorg.conf.opensuse 
@@ -37,7 +37,6 @@ REQUIRED_CONTENT_PACKAGES=" libpixman-1-0 xrandr vaapi-intel-driver - xprintidle " REQUIRED_LIBRARIES=" libI810XvMC diff --git a/remote/modules/xorg/xorg.conf.ubuntu b/remote/modules/xorg/xorg.conf.ubuntu index e62a50f8..69c3e64c 100644 --- a/remote/modules/xorg/xorg.conf.ubuntu +++ b/remote/modules/xorg/xorg.conf.ubuntu @@ -33,7 +33,6 @@ REQUIRED_CONTENT_PACKAGES=" @xserver-xorg-video-geode$UBUNTU_XORG_PKG_SUFFIX @xserver-xorg-video-s3$UBUNTU_XORG_PKG_SUFFIX @xserver-xorg-video-tdfx$UBUNTU_XORG_PKG_SUFFIX - xprintidle " REQUIRED_DIRECTORIES+=" /usr/lib -- cgit v1.2.3-55-g7522 From bf3c32b4aebb520b4aad270ed024821b0387ea5d Mon Sep 17 00:00:00 2001 
From: Simon Rettberg Date: Fri, 17 Jan 2014 17:54:56 +0100 Subject: [iptables-helper] Simple helper scripts/service for handling iptables rules This adds no fancy features or new syntax or anything, but merely helps to manage a *.d directory for iptables scripts. You simply write simple shell scripts where you issue your iptables calls and place them in /opt/openslx/iptables/rules.d On bootup, and whenever the contents of the directory change, all tables will be reset and the scripts from rules.d are run. They're run in alphabetical order, so it's wise to adhere to the XX-* naming scheme. Also you can place any kind of script there doing really complicated things, it's advised you keep them as simple as possible and use proper names, that tell what the script does. The default behaviour is set to ACCEPT on all tables/chains, but nothing stops you from doing 'iptables -P' in one of the scripts. --- .../basic.target.wants/openslx-iptables.service | 1 + .../etc/systemd/system/openslx-iptables.service | 6 ++ .../data/opt/openslx/iptables/iptables-reloader | 5 ++ .../opt/openslx/iptables/iptables-reloader-worker | 79 ++++++++++++++++++++++ .../data/opt/openslx/iptables/rules.d/.placeholder | 1 + .../modules/iptables-helper/iptables-helper.build | 13 ++++ .../modules/iptables-helper/iptables-helper.conf | 1 + remote/targets/stage32-bwlp/iptables-helper | 1 + 8 files changed, 107 insertions(+) create mode 120000 remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service create mode 100644 remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service create mode 100755 remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader create mode 100755 remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker create mode 100644 remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder create mode 100644 remote/modules/iptables-helper/iptables-helper.build create 
mode 100644 remote/modules/iptables-helper/iptables-helper.conf
create mode 120000 remote/targets/stage32-bwlp/iptables-helper
(limited to 'remote')
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
new file mode 120000
index 00000000..40213361
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
@@ -0,0 +1 @@
+../openslx-iptables.service
\ No newline at end of file
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
new file mode 100644
index 00000000..ef88cf69
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=OpenSLX iptables helper
+
+[Service]
+ExecStart=/opt/openslx/iptables/iptables-reloader
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
new file mode 100755
index 00000000..60ca1e2c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
@@ -0,0 +1,5 @@
+#!/bin/ash
+
+/opt/openslx/iptables/iptables-reloader-worker
+exec /opt/openslx/sbin/inotifyd /opt/openslx/iptables/iptables-reloader-worker /opt/openslx/iptables/rules.d:cndmy
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
new file mode 100755
index 00000000..350f502c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
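Review bot: The first, synchronous call to iptables-reloader-worker on the third line of iptables-reloader returns before any rule is applied, because the worker backgrounds reload_rules (which begins with `sleep 2`) and exits 0 at once, so openslx-iptables.service counts as started while every chain still has its default policy; the unit in the previous hunk adds no `Before=`/`After=` ordering either, so nothing else waits for the rules. If the initial rule set is meant to be in place before other basic.target services come up, let the worker apply rules in the foreground when called from iptables-reloader (only the inotifyd-triggered calls need the coalescing delay) and give the unit an explicit ordering such as `Before=network.target`. Whether any other unit actually depends on the rules being present cannot be told from this patch.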
@@ -0,0 +1,79 @@
+#!/bin/ash
+
+# Reloads iptables rules by flushing the tables and applying everything
+# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds
+# to coalesce changes, since inotifyd can trigger dozens of events in a row.
+#
+# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service
+
+ALL_RULES="/run/iptables-reloader.cache"
+LOCK="/run/iptables-reloader.lock"
+
+# Expects $1 to be the contents of $LOCK
+reload_rules () {
+ if [ -z "$1" -o ! -s "$LOCK" ]; then
+ echo "'$1' empty or lock non-existent"
+ exit 0
+ fi
+ sleep 2
+ if [ "x$(cat "$LOCK")" != "x$1" ]; then
+ echo "Wrong lock, lost race"
+ exit 0
+ fi
+
+ rm -f -- "${ALL_RULES}.new"
+
+ for file in /opt/openslx/iptables/rules.d/*; do
+ cat "$file" >> "${ALL_RULES}.new"
+ done
+
+ # No change? Do nothing...
+ [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0
+
+ # Reset
+ # Filter
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -t filter -P "$chain" ACCEPT
+ done
+ iptables -t filter -F
+ # NAT
+ for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
+ iptables -t nat -P "$chain" ACCEPT
+ done
+ iptables -t nat -F
+ # Mangle
+ for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
+ iptables -t mangle -P "$chain" ACCEPT
+ done
+ iptables -t mangle -F
+
+ # Apply
+ local LOGFILE=$(mktemp)
+ local DISABLED="/opt/openslx/iptables/rules.d/disabled/"
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ ! -f "$file" ] && continue
+ if [ ! -x "$file" ]; then
+ slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ continue
+ fi
+ if ! "$file" > "$LOGFILE" 2>&1; then
+ slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ fi
+ done
+
+ mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
+ echo "iptables rules successfully updated."
+ exit 0
+}
+
+
+ID="$$+$RANDOM"
+echo "$ID" > "$LOCK"
+reload_rules "$ID" &
+
+exit 0
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
new file mode 100644
index 00000000..11b30bcc
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
@@ -0,0 +1 @@
+# Put your iptables rules here. Full command, like "iptables ...."
diff --git a/remote/modules/iptables-helper/iptables-helper.build b/remote/modules/iptables-helper/iptables-helper.build
new file mode 100644
index 00000000..d8804784
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.build
@@ -0,0 +1,13 @@
+
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ :
+}
+
diff --git a/remote/modules/iptables-helper/iptables-helper.conf b/remote/modules/iptables-helper/iptables-helper.conf
new file mode 100644
index 00000000..34103f5b
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.conf
@@ -0,0 +1 @@
+# requires some rootfs that provies iptables
diff --git a/remote/targets/stage32-bwlp/iptables-helper b/remote/targets/stage32-bwlp/iptables-helper
new file mode 120000
index 00000000..e449282d
--- /dev/null
+++ b/remote/targets/stage32-bwlp/iptables-helper
@@ -0,0 +1 @@
+../../modules/iptables-helper
\ No newline at end of file
-- cgit v1.2.3-55-g7522
From 9409ebe3c37ccdad1380e5c5e56802e09f62d00b Mon Sep 17 00:00:00 2001
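Review bot: The reset block in reload_rules flushes each table with `iptables -t <table> -F` but never deletes user-defined chains, so a rules.d script that creates its own chain with `iptables -N` succeeds on the first run, fails with "Chain already exists" on every later reload, and is then moved to disabled/ by the apply loop as if it were broken; add `iptables -t filter -X`, `iptables -t nat -X` and `iptables -t mangle -X` after the respective `-F` calls (the raw table is not reset at all, which may be intended). `$LOGFILE` from mktemp is never removed, so every reload leaves a temporary file behind; `rm -f -- "$LOGFILE"` after the apply loop fixes that. Since every file in rules.d is executed as root on any change to the directory, it is worth refusing files that are not root-owned or are group/world-writable, handling them the same way non-executable files are handled, rather than relying on the directory's permissions alone. The header comment also disagrees with the code: it says actions are delayed by 5 seconds while the sleep is 2, and it refers to openslx-iptables_reloader.service while the unit added in this commit is openslx-iptables.service. The inotifyd invocation in iptables-reloader passes the worker an event argument that reload_rules treats as the lock content, which only works because the worker ignores its own positional arguments and generates `$ID` itself; a comment saying so would help the next reader.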
From: Simon Rettberg Date: Fri, 17 Jan 2014 18:00:17 +0100 Subject: [pam] nss-ldap -> nss-ldapd --- remote/modules/pam/pam.build | 14 +++++++++----- remote/modules/pam/pam.conf | 4 ++++ remote/modules/pam/pam.conf.debian | 6 ++++-- remote/modules/pam/pam.conf.opensuse | 2 +- remote/modules/pam/pam.conf.ubuntu | 6 ++++-- remote/modules/pam/templates/nslcd-systemd.service | 8 ++++++++ 6 files changed, 30 insertions(+), 10 deletions(-) create mode 100644 remote/modules/pam/templates/nslcd-systemd.service (limited to 'remote') diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build index 34319ce8..48baf8b9 100644 --- a/remote/modules/pam/pam.build +++ b/remote/modules/pam/pam.build @@ -13,15 +13,19 @@ build() { # build pam-script separatly since we use a source tarball # HACK: find pam_unix.so in MODULE_BUILD_DIR to see where to put pam_script at - cd $MODULE_BUILD_DIR + cd "$MODULE_BUILD_DIR" local PAM_UNIX_LOCATION=$(find . -name pam_unix.so) - cd - > /dev/null cd "${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}" || perror "Could not cd to ${MODULE_DIR}/src/pam-script-${REQUIRED_PAM_SCRIPT_VERSION}." - ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir=$(dirname ${PAM_UNIX_LOCATION:1}) || perror "pam-script: ./configure failed." + ./configure --prefix=/ --sysconfdir=/etc/pam-script --libdir="$(dirname ${PAM_UNIX_LOCATION:1})" || perror "pam-script: ./configure failed." make DESTDIR="${MODULE_BUILD_DIR}" install || perror "pam-script: make install to ${MODULE_BUILD_DIR} failed." - cd - > /dev/null + # Build nslcd service file + cd "$MODULE_BUILD_DIR" + local NSLCD_PATH=$(which nslcd) + [ -z "$NSLCD_PATH" ] && perror "Could not 'which nslcd'" + mkdir -p "etc/systemd/system" + sed "s,%PATH%,$NSLCD_PATH,g" "$MODULE_DIR/templates/nslcd-systemd.service" > "etc/systemd/system/nslcd.service" || perror "Could not fill nslcd.service template" } -post_copy() { +post_copy() { : } 
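Review bot: Both `cd "$MODULE_BUILD_DIR"` lines in this hunk have no failure check, unlike the `cd "${MODULE_DIR}/src/pam-script-…"` between them which chains `|| perror`; if the second one fails, `mkdir -p "etc/systemd/system"` and the sed redirection silently create the unit relative to the pam-script source directory. Write them as `cd "$MODULE_BUILD_DIR" || perror "Could not cd to $MODULE_BUILD_DIR"`. Note also that `which nslcd` resolves the daemon's path on the build host, so the generated ExecStart is only right if nslcd lands at the same path in the target rootfs, which the new REQUIRED_BINARIES entry in pam.conf appears to intend. The enclosing build() function starts before this hunk.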
diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 4e2e01a1..c0a21a79 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf @@ -1,5 +1,6 @@ REQUIRED_BINARIES=" ldapsearch + nslcd rpc.gssd rpc.idmapd sslconnect @@ -14,6 +15,9 @@ REQUIRED_LIBRARIES=" REQUIRED_DIRECTORIES=" /etc/security " +REQUIRED_FILES=" + /etc/systemd/system/nslcd.service +" REQUIRED_SYSTEM_FILES=" /etc/login.defs /etc/securetty diff --git a/remote/modules/pam/pam.conf.debian b/remote/modules/pam/pam.conf.debian index 278c36be..d424f1f7 100644 --- a/remote/modules/pam/pam.conf.debian +++ b/remote/modules/pam/pam.conf.debian @@ -1,6 +1,7 @@ REQUIRED_INSTALLED_PACKAGES=" libpam-ldap - libnss-ldap + libnss-ldapd + nslcd libpam-ck-connector libpam-cap krb5-user @@ -20,7 +21,8 @@ REQUIRED_CONTENT_PACKAGES=" libpam-cap libldap-2.4-2 libpam-ldap - libnss-ldap + libnss-ldapd + nslcd krb5-user krb5-config libpam-krb5 diff --git a/remote/modules/pam/pam.conf.opensuse b/remote/modules/pam/pam.conf.opensuse index 9b3d3247..fe6199ea 100644 --- a/remote/modules/pam/pam.conf.opensuse +++ b/remote/modules/pam/pam.conf.opensuse @@ -3,7 +3,7 @@ REQUIRED_INSTALLED_PACKAGES=" pam pam_krb5 pam-devel - nss_ldap + nss-pam-ldapd pam-modules libopenssl-devel openldap2-client diff --git a/remote/modules/pam/pam.conf.ubuntu b/remote/modules/pam/pam.conf.ubuntu index fe034225..5f6435f0 100644 --- a/remote/modules/pam/pam.conf.ubuntu +++ b/remote/modules/pam/pam.conf.ubuntu @@ -1,6 +1,7 @@ REQUIRED_INSTALLED_PACKAGES=" libpam-ldap - libnss-ldap + libnss-ldapd + nslcd krb5-user krb5-config libpam-krb5 @@ -17,7 +18,8 @@ REQUIRED_CONTENT_PACKAGES=" libpam-cap libldap-2.4-2 libpam-ldap - libnss-ldap + libnss-ldapd + nslcd krb5-user krb5-config libpam-krb5 diff --git a/remote/modules/pam/templates/nslcd-systemd.service b/remote/modules/pam/templates/nslcd-systemd.service new file mode 100644 index 00000000..540e67cd --- /dev/null 
+++ b/remote/modules/pam/templates/nslcd-systemd.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Naming services LDAP client daemon
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/nslcd/nslcd.pid
+ExecStart=%PATH%
-- cgit v1.2.3-55-g7522
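Review bot: The unit has no [Install] section and nothing in this patch links it into a target, so as far as the diff shows nslcd.service is generated into etc/systemd/system but never started; either add `[Install]` with `WantedBy=multi-user.target` and enable it in the build, or add a wants symlink the way the iptables-helper module in the previous commit does. `Type=forking` with `PIDFile=/var/run/nslcd/nslcd.pid` also requires that directory to exist before the daemon writes its pid file; if /var/run is a tmpfs on the target, confirm that nslcd creates /var/run/nslcd itself, and otherwise add an `ExecStartPre=` creating it (or `RuntimeDirectory=nslcd` where the target's systemd supports it).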