Message ID | 20200605225905.14082-3-nolange79@gmail.com |
---|---|
State | Superseded |
Headers | show |
Series | [1/4] package/openssh: Depend on libaudit if available | expand |
Why the RemainAfterExit ? This is a "real oneshot", it doesn't need a state to stay behind. Moreover it would only stay behind when actually generating the key. in all followup boot the unit would not be started at all Appart from that, Looks good to me... Le sam. 6 juin 2020 à 00:59, Norbert Lange <nolange79@gmail.com> a écrit : > split out generationg of host keys into an optional service > that can easily be removed or deactivated. > > Signed-off-by: Norbert Lange <nolange79@gmail.com> > --- > package/openssh/openssh.mk | 5 +++-- > package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++ > package/openssh/sshd.service | 1 - > 3 files changed, 23 insertions(+), 3 deletions(-) > create mode 100644 package/openssh/sshd-host-keygen.service > > diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk > index d425db1428..6b3ee1f5f4 100644 > --- a/package/openssh/openssh.mk > +++ b/package/openssh/openssh.mk > @@ -114,8 +114,9 @@ endef > OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS > > define OPENSSH_INSTALL_INIT_SYSTEMD > - $(INSTALL) -D -m 644 package/openssh/sshd.service \ > - $(TARGET_DIR)/usr/lib/systemd/system/sshd.service > + mkdir $(TARGET_DIR)/usr/lib/systemd/system > + $(INSTALL) -m 644 package/openssh/sshd*.service \ > + $(TARGET_DIR)/usr/lib/systemd/system/ > $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS) > endef > > diff --git a/package/openssh/sshd-host-keygen.service > b/package/openssh/sshd-host-keygen.service > new file mode 100644 > index 0000000000..058e671c44 > --- /dev/null > +++ b/package/openssh/sshd-host-keygen.service > @@ -0,0 +1,20 @@ > +[Unit] > +Description=SSH Key Generation > +Before=sshd.service > + > +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key > +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub > +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key > +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub > +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key > +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub > +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key > +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub > + > +[Service] > +ExecStart=/usr/bin/ssh-keygen -A > +Type=oneshot > +RemainAfterExit=yes > + > +[Install] > +WantedBy=sshd.service > diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service > index 715bd3f7eb..797e249d8d 100644 > --- a/package/openssh/sshd.service > +++ b/package/openssh/sshd.service > @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5) > After=network.target auditd.service > > [Service] > -ExecStartPre=/usr/bin/ssh-keygen -A > ExecStartPre=/usr/sbin/sshd -t > ExecStart=/usr/sbin/sshd -D > ExecReload=/usr/sbin/sshd -t > -- > 2.26.2 > > _______________________________________________ > buildroot mailing list > buildroot@busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot >
Am So., 7. Juni 2020 um 12:44 Uhr schrieb Jérémy ROSEN <jeremy.rosen@smile.fr>: > > Why the RemainAfterExit ? > This is a "real oneshot", it doesn't need a state to stay behind. > Moreover it would only stay behind when actually generating the key. in all followup boot the unit would not be started at all Yeah... there is some truth to that, but those one-shots have tricky sideeffects systemd 245 changed something that completely undermines my understanding of how they should work, and make that flag practically a necessity. See: https://github.com/systemd/systemd/issues/15091 I dont think I am able to correctly describe all pro's and cons but I added this flag after: - later services did not care for failures - starting/stopping *any* service will recheck the condition and fill the syslog (* depends on other stuff aswell, but that's what happens for me) In short: add RemainAfterExit for every one-shot, or there will be dragons. Doesn't seem upstream is bothered by this. > > Appart from that, Looks good to me... > > Le sam. 6 juin 2020 à 00:59, Norbert Lange <nolange79@gmail.com> a écrit : >> >> split out generationg of host keys into an optional service >> that can easily be removed or deactivated. >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com> >> --- >> package/openssh/openssh.mk | 5 +++-- >> package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++ >> package/openssh/sshd.service | 1 - >> 3 files changed, 23 insertions(+), 3 deletions(-) >> create mode 100644 package/openssh/sshd-host-keygen.service >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk >> index d425db1428..6b3ee1f5f4 100644 >> --- a/package/openssh/openssh.mk >> +++ b/package/openssh/openssh.mk >> @@ -114,8 +114,9 @@ endef >> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS >> >> define OPENSSH_INSTALL_INIT_SYSTEMD >> - $(INSTALL) -D -m 644 package/openssh/sshd.service \ >> - $(TARGET_DIR)/usr/lib/systemd/system/sshd.service >> + mkdir $(TARGET_DIR)/usr/lib/systemd/system >> + $(INSTALL) -m 644 package/openssh/sshd*.service \ >> + $(TARGET_DIR)/usr/lib/systemd/system/ >> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS) >> endef >> >> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service >> new file mode 100644 >> index 0000000000..058e671c44 >> --- /dev/null >> +++ b/package/openssh/sshd-host-keygen.service >> @@ -0,0 +1,20 @@ >> +[Unit] >> +Description=SSH Key Generation >> +Before=sshd.service >> + >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub >> + >> +[Service] >> +ExecStart=/usr/bin/ssh-keygen -A >> +Type=oneshot >> +RemainAfterExit=yes >> + >> +[Install] >> +WantedBy=sshd.service >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service >> index 715bd3f7eb..797e249d8d 100644 >> --- a/package/openssh/sshd.service >> +++ b/package/openssh/sshd.service >> @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5) >> After=network.target auditd.service >> >> [Service] >> -ExecStartPre=/usr/bin/ssh-keygen -A >> ExecStartPre=/usr/sbin/sshd -t >> ExecStart=/usr/sbin/sshd -D >> ExecReload=/usr/sbin/sshd -t >> -- >> 2.26.2 >> >> _______________________________________________ >> buildroot mailing list >> buildroot@busybox.net >> http://lists.busybox.net/mailman/listinfo/buildroot > > > > -- > > > 20 rue des Jardins > 92600 Asnières-sur-Seine > > Jérémy ROSEN > Architecte technique > > jeremy.rosen@smile.fr > +33 6 88 25 87 42 > http://www.smile.eu > > >
Le dim. 7 juin 2020 à 20:56, Norbert Lange <nolange79@gmail.com> a écrit : > Am So., 7. Juni 2020 um 12:44 Uhr schrieb Jérémy ROSEN < > jeremy.rosen@smile.fr>: > > > > Why the RemainAfterExit ? > > This is a "real oneshot", it doesn't need a state to stay behind. > > Moreover it would only stay behind when actually generating the key. in > all followup boot the unit would not be started at all > > Yeah... there is some truth to that, but those one-shots have tricky > sideeffects systemd 245 changed something that completely undermines > my understanding of how they should work, > and make that flag practically a necessity. See: > https://github.com/systemd/systemd/issues/15091 > > I dont think I am able to correctly describe all pro's and cons but I > added this flag after: > > - later services did not care for failures > - starting/stopping *any* service will recheck the condition and > fill the syslog (* depends on other stuff aswell, but that's what > happens for me) > > In short: add RemainAfterExit for every one-shot, or there will be > dragons. Doesn't seem upstream is bothered by this. > > ok, I see your point... you are protected by your various Condition= from this bug, but that would fill the logs with condition checks messages. Could you please add a comment pointing to that bug report ? Appart from that Reviewd-by: Jérémy Rosen <jeremy.rosen@smile.fr> > > > > Appart from that, Looks good to me... > > > > Le sam. 6 juin 2020 à 00:59, Norbert Lange <nolange79@gmail.com> a > écrit : > >> > >> split out generationg of host keys into an optional service > >> that can easily be removed or deactivated. > >> > >> Signed-off-by: Norbert Lange <nolange79@gmail.com> > >> --- > >> package/openssh/openssh.mk | 5 +++-- > >> package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++ > >> package/openssh/sshd.service | 1 - > >> 3 files changed, 23 insertions(+), 3 deletions(-) > >> create mode 100644 package/openssh/sshd-host-keygen.service > >> > >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk > >> index d425db1428..6b3ee1f5f4 100644 > >> --- a/package/openssh/openssh.mk > >> +++ b/package/openssh/openssh.mk > >> @@ -114,8 +114,9 @@ endef > >> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS > >> > >> define OPENSSH_INSTALL_INIT_SYSTEMD > >> - $(INSTALL) -D -m 644 package/openssh/sshd.service \ > >> - $(TARGET_DIR)/usr/lib/systemd/system/sshd.service > >> + mkdir $(TARGET_DIR)/usr/lib/systemd/system > >> + $(INSTALL) -m 644 package/openssh/sshd*.service \ > >> + $(TARGET_DIR)/usr/lib/systemd/system/ > >> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS) > >> endef > >> > >> diff --git a/package/openssh/sshd-host-keygen.service > b/package/openssh/sshd-host-keygen.service > >> new file mode 100644 > >> index 0000000000..058e671c44 > >> --- /dev/null > >> +++ b/package/openssh/sshd-host-keygen.service > >> @@ -0,0 +1,20 @@ > >> +[Unit] > >> +Description=SSH Key Generation > >> +Before=sshd.service > >> + > >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key > >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub > >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key > >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub > >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key > >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub > >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key > >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub > >> + > >> +[Service] > >> +ExecStart=/usr/bin/ssh-keygen -A > >> +Type=oneshot > >> +RemainAfterExit=yes > >> + > >> +[Install] > >> +WantedBy=sshd.service > >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service > >> index 715bd3f7eb..797e249d8d 100644 > >> --- a/package/openssh/sshd.service > >> +++ b/package/openssh/sshd.service > >> @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5) > >> After=network.target auditd.service > >> > >> [Service] > >> -ExecStartPre=/usr/bin/ssh-keygen -A > >> ExecStartPre=/usr/sbin/sshd -t > >> ExecStart=/usr/sbin/sshd -D > >> ExecReload=/usr/sbin/sshd -t > >> -- > >> 2.26.2 > >> > >> _______________________________________________ > >> buildroot mailing list > >> buildroot@busybox.net > >> http://lists.busybox.net/mailman/listinfo/buildroot > > > > > > > > -- > > > > > > 20 rue des Jardins > > 92600 Asnières-sur-Seine > > > > Jérémy ROSEN > > Architecte technique > > > > jeremy.rosen@smile.fr > > +33 6 88 25 87 42 > > http://www.smile.eu > > > > > > >
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk index d425db1428..6b3ee1f5f4 100644 --- a/package/openssh/openssh.mk +++ b/package/openssh/openssh.mk @@ -114,8 +114,9 @@ endef OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS define OPENSSH_INSTALL_INIT_SYSTEMD - $(INSTALL) -D -m 644 package/openssh/sshd.service \ - $(TARGET_DIR)/usr/lib/systemd/system/sshd.service + mkdir $(TARGET_DIR)/usr/lib/systemd/system + $(INSTALL) -m 644 package/openssh/sshd*.service \ + $(TARGET_DIR)/usr/lib/systemd/system/ $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS) endef diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service new file mode 100644 index 0000000000..058e671c44 --- /dev/null +++ b/package/openssh/sshd-host-keygen.service @@ -0,0 +1,20 @@ +[Unit] +Description=SSH Key Generation +Before=sshd.service + +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub + +[Service] +ExecStart=/usr/bin/ssh-keygen -A +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=sshd.service diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service index 715bd3f7eb..797e249d8d 100644 --- a/package/openssh/sshd.service +++ b/package/openssh/sshd.service @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5) After=network.target auditd.service [Service] -ExecStartPre=/usr/bin/ssh-keygen -A ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D ExecReload=/usr/sbin/sshd -t
split out generationg of host keys into an optional service that can easily be removed or deactivated. Signed-off-by: Norbert Lange <nolange79@gmail.com> --- package/openssh/openssh.mk | 5 +++-- package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++ package/openssh/sshd.service | 1 - 3 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 package/openssh/sshd-host-keygen.service