Message ID | 20200611091407.12688-2-nolange79@gmail.com |
---|---|
State | Awaiting Upstream |
Delegated to: | Thomas Petazzoni |
Series | [v2,1/3] package/openssh: improve integration for systemd | expand |
This one is missing from v1 (was not changed): Reviewed-by: Jérémy ROSEN <jeremy.rosen@smile.fr> Am Do., 11. Juni 2020 um 11:14 Uhr schrieb Norbert Lange <nolange79@gmail.com>: > > the openssh daemon is not suited for systemd's simple > service type. dependend services should only start > when sshd is ready to accept connections. > > A patch is added from debian to allow openssh > to communicate this state. > > Restarts are prevented if the reason is a faulty > config file (errocode 255). > > The "user confinement directory" is changed to > '/run/sshd' which is automatically managed by systemd. > > Signed-off-by: Norbert Lange <nolange79@gmail.com> > --- > package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++ > package/openssh/openssh.mk | 14 +++- > package/openssh/sshd-sysusers.conf | 2 +- > package/openssh/sshd.service | 13 +++- > 4 files changed, 109 insertions(+), 4 deletions(-) > create mode 100644 package/openssh/00-systemd-readiness.patch > > diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch > new file mode 100644 > index 0000000000..be3b6b0074 > --- /dev/null > +++ b/package/openssh/00-systemd-readiness.patch 
> @@ -0,0 +1,84 @@ > +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 > +From: Michael Biebl <biebl@debian.org> > +Date: Mon, 21 Dec 2015 16:08:47 +0000 > +Subject: Add systemd readiness notification support > + > +Bug-Debian: https://bugs.debian.org/778913 > +Forwarded: no > +Last-Update: 2017-08-22 > + > +Patch-Name: systemd-readiness.patch > +--- > + configure.ac | 24 ++++++++++++++++++++++++ > + sshd.c | 9 +++++++++ > + 2 files changed, 33 insertions(+) > + > +diff --git a/configure.ac b/configure.ac > +index e894db9fc..c119d6fd1 100644 > +--- a/configure.ac > ++++ b/configure.ac > +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], > + AC_SUBST([GSSLIBS]) > + AC_SUBST([K5LIBS]) > + > ++# Check whether user wants systemd support > ++SYSTEMD_MSG="no" > ++AC_ARG_WITH(systemd, > ++ [ --with-systemd Enable systemd support], > ++ [ if test "x$withval" != "xno" ; then > ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > ++ if test "$PKGCONFIG" != "no"; then > ++ AC_MSG_CHECKING([for libsystemd]) > ++ if $PKGCONFIG --exists libsystemd; then > ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` > ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` > ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > ++ AC_MSG_RESULT([yes]) > ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) > ++ SYSTEMD_MSG="yes" > ++ else > ++ AC_MSG_RESULT([no]) > ++ fi > ++ fi > ++ fi ] > ++) > ++ > + # Looking for programs, paths and files > + > + PRIVSEP_PATH=/var/empty > +@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG" > + echo " Solaris process contract support: $SPC_MSG" > + echo " Solaris project support: $SP_MSG" > + echo " Solaris privilege support: $SPP_MSG" > ++echo " systemd support: $SYSTEMD_MSG" > + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > + echo " BSD Auth support: $BSD_AUTH_MSG" > +diff --git a/sshd.c b/sshd.c > +index 4e8ff0662..5e7679a33 
100644 > +--- a/sshd.c > ++++ b/sshd.c > +@@ -85,6 +85,10 @@ > + #include <prot.h> > + #endif > + > ++#ifdef HAVE_SYSTEMD > ++#include <systemd/sd-daemon.h> > ++#endif > ++ > + #include "xmalloc.h" > + #include "ssh.h" > + #include "ssh2.h" > +@@ -1951,6 +1955,11 @@ main(int ac, char **av) > + } > + } > + > ++#ifdef HAVE_SYSTEMD > ++ /* Signal systemd that we are ready to accept connections */ > ++ sd_notify(0, "READY=1"); > ++#endif > ++ > + /* Accept a connection and return in a forked child */ > + server_accept_loop(&sock_in, &sock_out, > + &newsock, config_s); > diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk > index 64ac22181b..3e0a85ae2e 100644 > --- a/package/openssh/openssh.mk > +++ b/package/openssh/openssh.mk > @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \ > LD="$(TARGET_CC)" \ > LDFLAGS="$(TARGET_CFLAGS)" \ > LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` > +OPENSSH_AUTORECONF = YES > OPENSSH_CONF_OPTS = \ > --sysconfdir=/etc/ssh \ > --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \ > @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \ > --disable-wtmpx \ > --disable-strip > > +ifeq ($(BR2_PACKAGE_SYSTEMD),y) > +OPENSSH_DEPENDENCIES = systemd > + > +OPENSSH_CONF_OPTS += \ > + --with-privsep-path=/run/sshd \ > + --with-pid-dir=/run \ > + --with-systemd > + > +else > + > define OPENSSH_PERMISSIONS > /var/empty d 755 root root - - - - - > endef > +endif > > ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),) > OPENSSH_CONF_OPTS += --without-pie > @@ -74,7 +86,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS > endef > else > define OPENSSH_USERS > - sshd -1 sshd -1 * /var/empty - - SSH drop priv user > + sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user > endef > endif > > diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf > index ac77aec065..303d0dbb63 100644 > --- a/package/openssh/sshd-sysusers.conf > +++ b/package/openssh/sshd-sysusers.conf 
> @@ -1 +1 @@ > -u sshd - "SSH drop priv user" /var/empty > +u sshd - "SSH drop priv user" /run/sshd > diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service > index b5e96b3a25..715bd3f7eb 100644 > --- a/package/openssh/sshd.service > +++ b/package/openssh/sshd.service > @@ -1,11 +1,20 @@ > [Unit] > Description=OpenSSH server daemon > -After=syslog.target network.target auditd.service > +Documentation=man:sshd(8) man:sshd_config(5) > +After=network.target auditd.service > > [Service] > ExecStartPre=/usr/bin/ssh-keygen -A > -ExecStart=/usr/sbin/sshd -D -e > +ExecStartPre=/usr/sbin/sshd -t > +ExecStart=/usr/sbin/sshd -D > +ExecReload=/usr/sbin/sshd -t > ExecReload=/bin/kill -HUP $MAINPID > +KillMode=process > +Restart=on-failure > +RestartPreventExitStatus=255 > +Type=notify > +RuntimeDirectory=sshd > +RuntimeDirectoryMode=0755 > > [Install] > WantedBy=multi-user.target > -- > 2.26.2 >
diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch
new file mode 100644
index 0000000000..be3b6b0074
--- /dev/null
+++ b/package/openssh/00-systemd-readiness.patch
@@ -0,0 +1,84 @@
+From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
+From: Michael Biebl <biebl@debian.org>
+Date: Mon, 21 Dec 2015 16:08:47 +0000
+Subject: Add systemd readiness notification support
+
+Bug-Debian: https://bugs.debian.org/778913
+Forwarded: no
+Last-Update: 2017-08-22
+
+Patch-Name: systemd-readiness.patch
+---
+ configure.ac | 24 ++++++++++++++++++++++++
+ sshd.c | 9 +++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index e894db9fc..c119d6fd1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
+ AC_SUBST([GSSLIBS])
+ AC_SUBST([K5LIBS])
+
++# Check whether user wants systemd support
++SYSTEMD_MSG="no"
++AC_ARG_WITH(systemd,
++ [ --with-systemd Enable systemd support],
++ [ if test "x$withval" != "xno" ; then
++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
++ if test "$PKGCONFIG" != "no"; then
++ AC_MSG_CHECKING([for libsystemd])
++ if $PKGCONFIG --exists libsystemd; then
++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
++ AC_MSG_RESULT([yes])
++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
++ SYSTEMD_MSG="yes"
++ else
++ AC_MSG_RESULT([no])
++ fi
++ fi
++ fi ]
++)
++
+ # Looking for programs, paths and files
+
+ PRIVSEP_PATH=/var/empty
+@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+ echo " Solaris project support: $SP_MSG"
+ echo " Solaris privilege support: $SPP_MSG"
++echo " systemd support: $SYSTEMD_MSG"
+ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
+ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+ echo " BSD Auth support: $BSD_AUTH_MSG"
+diff --git a/sshd.c b/sshd.c
+index 4e8ff0662..5e7679a33 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -85,6 +85,10 @@
+ #include <prot.h>
+ #endif
+
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ #include "xmalloc.h"
+ #include "ssh.h"
+ #include "ssh2.h"
+@@ -1951,6 +1955,11 @@ main(int ac, char **av)
+ }
+ }
+
++#ifdef HAVE_SYSTEMD
++ /* Signal systemd that we are ready to accept connections */
++ sd_notify(0, "READY=1");
++#endif
++
+ /* Accept a connection and return in a forked child */
+ server_accept_loop(&sock_in, &sock_out,
+ &newsock, config_s);
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 64ac22181b..3e0a85ae2e 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
 LD="$(TARGET_CC)" \
 LDFLAGS="$(TARGET_CFLAGS)" \
 LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
+OPENSSH_AUTORECONF = YES
 OPENSSH_CONF_OPTS = \
 --sysconfdir=/etc/ssh \
 --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
@@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
 --disable-wtmpx \
 --disable-strip
+ifeq ($(BR2_PACKAGE_SYSTEMD),y)
+OPENSSH_DEPENDENCIES = systemd
+
+OPENSSH_CONF_OPTS += \
+ --with-privsep-path=/run/sshd \
+ --with-pid-dir=/run \
+ --with-systemd
+
+else
+
 define OPENSSH_PERMISSIONS
 /var/empty d 755 root root - - - - -
 endef
+endif
 ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
 OPENSSH_CONF_OPTS += --without-pie
@@ -74,7 +86,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
 endef
 else
 define OPENSSH_USERS
- sshd -1 sshd -1 * /var/empty - - SSH drop priv user
+ sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
 endef
 endif
diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf
index ac77aec065..303d0dbb63 100644
--- a/package/openssh/sshd-sysusers.conf
+++ b/package/openssh/sshd-sysusers.conf
@@ -1 +1 @@
-u sshd - "SSH drop priv user" /var/empty
+u sshd - "SSH drop priv user" /run/sshd
diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
index b5e96b3a25..715bd3f7eb 100644
--- a/package/openssh/sshd.service
+++ b/package/openssh/sshd.service
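Review bot: In the configure.ac part of the embedded patch, `--with-systemd` degrades silently when pkg-config or libsystemd is not found (the `AC_MSG_RESULT([no])` branch just continues), so sshd would be built without `HAVE_SYSTEMD` and never send `READY=1` while the unit in this series declares `Type=notify`; the Buildroot dependency on systemd makes this unlikely, but an `AC_MSG_ERROR([libsystemd not found])` in that else branch would turn a start-up timeout into a build failure. The sshd.c side calls `sd_notify(0, "READY=1")` only in the listener, right before `server_accept_loop()`, which is the right point; main() starts and ends outside this hunk. As a Buildroot patch file it carries Debian's headers (`Forwarded: no`) but no Signed-off-by from the submitter and no upstream-status note, and Buildroot's naming convention is a four-digit prefix such as `0001-…` rather than `00-`; add `Signed-off-by: <submitter>` below the Debian trailers.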
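Review bot: `OPENSSH_DEPENDENCIES = systemd` in the new systemd branch is a plain assignment; if OPENSSH_DEPENDENCIES is already set earlier in openssh.mk (outside this hunk — upstream sets it to zlib and openssl as far as I recall), this silently drops those dependencies, so `OPENSSH_DEPENDENCIES += systemd` is the safe form. The `else` branch still provisions /var/empty through OPENSSH_PERMISSIONS while the systemd branch relies on the unit's `RuntimeDirectory=sshd` for /run/sshd; a one-line comment above the `ifeq`, e.g. `# /run/sshd is created by sshd.service (RuntimeDirectory=), no OPENSSH_PERMISSIONS entry needed`, would make that cross-file dependency explicit. The privsep directory must stay root-owned and not group/world-writable; `RuntimeDirectoryMode=0755` without a `User=` satisfies that, so the comment should say so to protect it from later unit edits. The hunk at -74,7 keeps the sshd user's home consistent with the new privsep path.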
@@ -1,11 +1,20 @@
 [Unit]
 Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target auditd.service
 [Service]
 ExecStartPre=/usr/bin/ssh-keygen -A
-ExecStart=/usr/sbin/sshd -D -e
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=/usr/sbin/sshd -D
+ExecReload=/usr/sbin/sshd -t
 ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory=sshd
+RuntimeDirectoryMode=0755
 [Install]
 WantedBy=multi-user.target
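Review bot: `RestartPreventExitStatus=255` suppresses restarts for more than the "faulty config file" case the commit message describes: as far as I recall, sshd's fatal() path exits with 255 for any unrecoverable error (unreadable host keys, no bindable listen address), so a transient start-up failure also stays down until someone intervenes. Since `ExecStartPre=/usr/sbin/sshd -t` already rejects a broken configuration before the main process starts, either drop the line or document its real scope with `# sshd exits 255 on any fatal(); do not retry errors a restart cannot fix`. Removing `-e` from ExecStart also moves logging from stderr (the journal) to syslog(3), which the commit message does not mention; on a journald-only system it still reaches the journal, but it deserves a sentence there. `KillMode=process` keeps established sessions alive across a stop, which is the usual choice for sshd; a short comment saying so would stop the next reader from "fixing" it.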
The openssh daemon is not suited for systemd's simple service type: dependent services should only start when sshd is ready to accept connections. A patch is added from Debian to allow openssh to communicate this state. Restarts are prevented if the reason is a faulty config file (error code 255). The "user confinement directory" is changed to '/run/sshd', which is automatically managed by systemd. Signed-off-by: Norbert Lange <nolange79@gmail.com> --- package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++ package/openssh/openssh.mk | 14 +++- package/openssh/sshd-sysusers.conf | 2 +- package/openssh/sshd.service | 13 +++- 4 files changed, 109 insertions(+), 4 deletions(-) create mode 100644 package/openssh/00-systemd-readiness.patch