From db24c4e8c06c5562283539c0a4b4cce086d70600 Mon Sep 17 00:00:00 2001 
From: Lucas Werkmeister Date: Tue, 30 Aug 2016 14:35:05 +0200 Subject: [PATCH] Replace init scripts with systemd unit files The package installs four unit files. gigi-standalone.service works just like the old cacert-gigi service: gigi will start as root, manage its own ports, then drop privileges. gigi-proxy.service and .socket let systemd manage the port and start gigi as its dedicated user. These services need different configuration for gigi: for the proxy version, the configuration must contain proxy=true and http.bindPort=stdin, while for the standalone version the configuration must have proxy=false and specify real ports. For this reason, we also disable Debian's policy to automatically start services upon package installation. (gigi-simple-signer.service is a direct conversion of cacert-gigi-signer.init.) Very simple init scripts for gigi-standalone and gigi-simple-signer are provided, so that running /etc/init.d/gigi-standalone start will still work. The scripts simply redirect to systemctl; the LSB header is not included, since the scripts are useless on their own. 
Change-Id: I53f0c825880d1b8c082496106a018957d6128392
---
 ...acert-gigi-testing.cacert-gigi-signer.init | 175 ------------------ debian/cacert-gigi-testing.cacert-gigi.init | 175 ------------------ ...acert-gigi-testing.gigi-simple-signer.init | 4 + .../cacert-gigi-testing.gigi-standalone.init | 4 + debian/cacert-gigi-testing.install | 4 + debian/cacert-gigi-testing.postinst | 10 +- debian/cacert-gigi.cacert-gigi-signer.init | 171 ----------------- debian/cacert-gigi.cacert-gigi.init | 170 ----------------- debian/cacert-gigi.gigi-simple-signer.init | 4 + debian/cacert-gigi.gigi-standalone.init | 4 + debian/cacert-gigi.install | 4 + debian/cacert-gigi.postinst | 10 +- debian/control | 2 +- debian/gigi-proxy.service | 21 +++ debian/gigi-proxy.socket | 8 + debian/gigi-simple-signer.service | 15 ++ debian/gigi-standalone.service | 14 ++ debian/rules | 2 +- 18 files changed, 96 insertions(+), 701 deletions(-) delete mode 100644 debian/cacert-gigi-testing.cacert-gigi-signer.init delete mode 100644 debian/cacert-gigi-testing.cacert-gigi.init create mode 100644 debian/cacert-gigi-testing.gigi-simple-signer.init create mode 100644 debian/cacert-gigi-testing.gigi-standalone.init create mode 100644 debian/cacert-gigi-testing.install delete mode 100644 debian/cacert-gigi.cacert-gigi-signer.init delete mode 100644 debian/cacert-gigi.cacert-gigi.init create mode 100644 debian/cacert-gigi.gigi-simple-signer.init create mode 100644 debian/cacert-gigi.gigi-standalone.init create mode 100644 debian/cacert-gigi.install create mode 100644 debian/gigi-proxy.service create mode 100644 debian/gigi-proxy.socket create mode 100644 debian/gigi-simple-signer.service create mode 100644 debian/gigi-standalone.service
diff --git a/debian/cacert-gigi-testing.cacert-gigi-signer.init b/debian/cacert-gigi-testing.cacert-gigi-signer.init
deleted file mode 100644
index 25194174..00000000
--- a/debian/cacert-gigi-testing.cacert-gigi-signer.init
+++ /dev/null
@@ -1,175 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: cacert-gigi-signer -# Required-Start: $local_fs $network $remote_fs $syslog postgresql -# Required-Stop: $local_fs $network $remote_fs $syslog postgresql -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: -# Description: -# <...> -# <...> -### END INIT INFO - -# Author: unknown - -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="cacert-gigi-signer" -NAME=cacert-gigi-signer -DAEMON=`which java` -DAEMON_ARGS="-cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.util.SimpleSigner" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME -DIR=/var/lib/cacert-gigi - -# Exit if the package is not installed -[ -r "/usr/share/java/gigi.jar" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME -if [ "$START_DAEMON" = "0" ]; then - echo "Not starting $NAME (as configured in /etc/default/$NAME)"; - exit 0; -fi - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - if [ ! 
-f /var/lib/cacert-gigi/config/gigi.properties ]; then - echo Missing signer-configfile - return 2 - fi - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE -d $DIR --startas $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon -b --start --quiet --pidfile $PIDFILE --make-pidfile -d $DIR --startas $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # The above code will not work for interpreted scripts, use the next - # six lines below instead (Ref: #643337, start-stop-daemon(8) ) - #start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON \ - # --name $NAME --test > /dev/null \ - # || return 1 - #start-stop-daemon -b --start --quiet --pidfile $PIDFILE --startas $DAEMON \ - # --name $NAME -- $DAEMON_ARGS \ - # || return 2 - - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. 
- rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/debian/cacert-gigi-testing.cacert-gigi.init b/debian/cacert-gigi-testing.cacert-gigi.init deleted file mode 100644 index d22dbbfa..00000000 --- a/debian/cacert-gigi-testing.cacert-gigi.init +++ /dev/null 
@@ -1,175 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: cacert-gigi -# Required-Start: $local_fs $network $remote_fs $syslog postgresql -# Required-Stop: $local_fs $network $remote_fs $syslog postgresql -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: -# Description: -# <...> -# <...> -### END INIT INFO - -# Author: unknown - -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="cacert-gigi" -NAME=cacert-gigi -DAEMON=`which java` -DAEMON_ARGS="-cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.Launcher" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME -DIR=/var/lib/cacert-gigi - -# Exit if the package is not installed -[ -r "/usr/share/java/gigi.jar" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME -if [ "$START_DAEMON" = "0" ]; then - echo "Not starting $NAME (as configured in /etc/default/$NAME)"; - exit 0; -fi - - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - if [ ! 
-f /etc/cacert/gigi/conf.tar ]; then - echo Missing gigi-configfile - exit 2 - fi - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE -d $DIR --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon -b --start --quiet --pidfile $PIDFILE -d $DIR --exec /usr/bin/gigi -- start-daemon \ - || return 2 - # The above code will not work for interpreted scripts, use the next - # six lines below instead (Ref: #643337, start-stop-daemon(8) ) - # start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON \ - # --name $NAME --test > /dev/null \ - # || return 1 - # start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON \ - # --name $NAME -- $DAEMON_ARGS \ - # || return 2 - - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. 
- rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/debian/cacert-gigi-testing.gigi-simple-signer.init b/debian/cacert-gigi-testing.gigi-simple-signer.init new file mode 100644 index 00000000..4d8614be --- /dev/null +++ b/debian/cacert-gigi-testing.gigi-simple-signer.init 
@@ -0,0 +1,4 @@
+#!/bin/sh
+. /lib/lsb/init-functions
+printf >&2 'systemctl redirect failed\n'
+exit 1
diff --git a/debian/cacert-gigi-testing.gigi-standalone.init b/debian/cacert-gigi-testing.gigi-standalone.init
new file mode 100644
index 00000000..4d8614be
--- /dev/null
+++ b/debian/cacert-gigi-testing.gigi-standalone.init
@@ -0,0 +1,4 @@
+#!/bin/sh
+. /lib/lsb/init-functions
+printf >&2 'systemctl redirect failed\n'
+exit 1
diff --git a/debian/cacert-gigi-testing.install b/debian/cacert-gigi-testing.install
new file mode 100644
index 00000000..d61b049f
--- /dev/null
+++ b/debian/cacert-gigi-testing.install
@@ -0,0 +1,4 @@
+debian/gigi-proxy.service /lib/systemd/system
+debian/gigi-proxy.socket /lib/systemd/system
+debian/gigi-standalone.service /lib/systemd/system
+debian/gigi-simple-signer.service /lib/systemd/system
diff --git a/debian/cacert-gigi-testing.postinst b/debian/cacert-gigi-testing.postinst
index 6ed6758d..e5654e36 100644
--- a/debian/cacert-gigi-testing.postinst
+++ b/debian/cacert-gigi-testing.postinst
@@ -27,6 +27,7 @@ case "$1" in
 else
 gigi fetch-locales
 fi
+ adduser --system gigi
 ;; abort-upgrade|abort-remove|abort-deconfigure)
@@ -38,9 +39,10 @@ case "$1" in
 ;;
 esac
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
+# The "hash DEBHELPER hash" special token is deliberately *not* included;
+# gigi cannot start out of the box,
+# and this package installs multiple services that cannot be used simultaneously,
+# so we really don't want dh_installdeb to add code by
+# dh_systemd_enable, dh_installinit and dh_systemd_start here.
 exit 0
diff --git a/debian/cacert-gigi.cacert-gigi-signer.init b/debian/cacert-gigi.cacert-gigi-signer.init
deleted file mode 100644
index 21c7296a..00000000
--- a/debian/cacert-gigi.cacert-gigi-signer.init
+++ /dev/null
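Review bot: The four-line stub only "redirects to systemctl" indirectly: sourcing `/lib/lsb/init-functions` at `+. /lib/lsb/init-functions` runs the redirect hook the systemd package installs under /lib/lsb/init-functions.d/, which exec's systemctl for scripts invoked through /etc/init.d/ on a systemd host; whenever that hook is missing or does not fire, control falls through to the `printf` and the script exits 1 without starting anything. Nothing in the file says so, and a reader will wonder why the script's whole body is an error message; a comment such as `# init-functions exec's systemctl on systemd hosts; the lines below run only if that redirect did not happen` above the `printf` would make the mechanism explicit. The message could also name the script (`printf >&2 '%s: systemctl redirect failed\n' "$0"`) so the failure is attributable in logs. The same stub is added as debian/cacert-gigi-testing.gigi-standalone.init (next hunk), debian/cacert-gigi.gigi-simple-signer.init and debian/cacert-gigi.gigi-standalone.init (later hunks), and all of them need the binary package to depend on lsb-base, which this patch does not show.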
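Review bot: `+ adduser --system gigi` relies on adduser's defaults, so the account gets a home under /home (which `ProtectHome=yes` in the new units then hides from the service) and no dedicated group, while every unit runs with `WorkingDirectory=/var/lib/cacert-gigi`; the conventional form is `adduser --system --group --home /var/lib/cacert-gigi --no-create-home gigi`. Nothing in this hunk grants the new user access to /var/lib/cacert-gigi or to /etc/cacert/gigi/conf.tar, which gigi-proxy.service and gigi-simple-signer.service need once they run as `User=gigi` — presumably handled elsewhere, but worth confirming, since the user is created after `gigi fetch-locales` has already populated files as root. The enclosing case arm starts outside the hunk, and the same line is added to debian/cacert-gigi.postinst in a later hunk.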
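Review bot: Removing the `#DEBHELPER#` token drops more than the enable/start snippets the new comment objects to: it also drops the daemon-reload that dh_systemd_start would have emitted, so after an upgrade that changes one of the four unit files a running systemd keeps the stale definition until someone reloads it by hand. A reduced manual snippet keeps the deliberate no-enable/no-start policy while avoiding that: `if [ -d /run/systemd/system ]; then systemctl --system daemon-reload >/dev/null || true; fi` placed before `exit 0`. The comment should also state that any other debhelper-generated fragments (for example dpkg-maintscript-helper conffile handling) will be silently lost for this package from now on. The same change is made to debian/cacert-gigi.postinst in a later hunk.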
@@ -1,171 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: cacert-gigi-signer -# Required-Start: $local_fs $network $remote_fs $syslog postgresql -# Required-Stop: $local_fs $network $remote_fs $syslog postgresql -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: -# Description: -# <...> -# <...> -### END INIT INFO - -# Author: unknown - -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="cacert-gigi-signer" -NAME=cacert-gigi-signer -DAEMON=`which java` -DAEMON_ARGS="-cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.util.SimpleSigner" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME -DIR=/var/lib/cacert-gigi - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - if [ ! 
-f /var/lib/cacert-gigi/config/gigi.properties ]; then - echo Missing signer-configfile - return 0 - fi - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE -d $DIR --startas $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon -b --start --quiet --pidfile $PIDFILE --make-pidfile -d $DIR --startas $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # The above code will not work for interpreted scripts, use the next - # six lines below instead (Ref: #643337, start-stop-daemon(8) ) - #start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON \ - # --name $NAME --test > /dev/null \ - # || return 1 - #start-stop-daemon -b --start --quiet --pidfile $PIDFILE --startas $DAEMON \ - # --name $NAME -- $DAEMON_ARGS \ - # || return 2 - - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. 
- rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/debian/cacert-gigi.cacert-gigi.init b/debian/cacert-gigi.cacert-gigi.init deleted file mode 100644 index 8d81a74f..00000000 --- a/debian/cacert-gigi.cacert-gigi.init +++ /dev/null 
@@ -1,170 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: cacert-gigi -# Required-Start: $local_fs $network $remote_fs $syslog postgresql -# Required-Stop: $local_fs $network $remote_fs $syslog postgresql -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: -# Description: -# <...> -# <...> -### END INIT INFO - -# Author: unknown - -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="cacert-gigi" -NAME=cacert-gigi -DAEMON=`which java` -DAEMON_ARGS="-cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.Launcher" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME -DIR=/var/lib/cacert-gigi - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - if [ ! 
-f /etc/cacert-gigi/conf.tar ]; then - echo Missing gigi-configfile - exit 0 - fi - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE -d $DIR --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon -b --start --quiet --pidfile $PIDFILE -d $DIR --exec /usr/bin/gigi -- start-daemon \ - || return 2 - # The above code will not work for interpreted scripts, use the next - # six lines below instead (Ref: #643337, start-stop-daemon(8) ) - # start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON \ - # --name $NAME --test > /dev/null \ - # || return 1 - # start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON \ - # --name $NAME -- $DAEMON_ARGS \ - # || return 2 - - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. 
- rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/debian/cacert-gigi.gigi-simple-signer.init b/debian/cacert-gigi.gigi-simple-signer.init new file mode 100644 index 00000000..4d8614be --- /dev/null +++ b/debian/cacert-gigi.gigi-simple-signer.init @@ -0,0 +1,4 @@ +#!/bin/sh +. /lib/lsb/init-functions +printf >&2 'systemctl redirect failed\n' +exit 1 
diff --git a/debian/cacert-gigi.gigi-standalone.init b/debian/cacert-gigi.gigi-standalone.init
new file mode 100644
index 00000000..4d8614be
--- /dev/null
+++ b/debian/cacert-gigi.gigi-standalone.init
@@ -0,0 +1,4 @@
+#!/bin/sh
+. /lib/lsb/init-functions
+printf >&2 'systemctl redirect failed\n'
+exit 1
diff --git a/debian/cacert-gigi.install b/debian/cacert-gigi.install
new file mode 100644
index 00000000..d61b049f
--- /dev/null
+++ b/debian/cacert-gigi.install
@@ -0,0 +1,4 @@
+debian/gigi-proxy.service /lib/systemd/system
+debian/gigi-proxy.socket /lib/systemd/system
+debian/gigi-standalone.service /lib/systemd/system
+debian/gigi-simple-signer.service /lib/systemd/system
diff --git a/debian/cacert-gigi.postinst b/debian/cacert-gigi.postinst
index d2882e44..519ecc48 100644
--- a/debian/cacert-gigi.postinst
+++ b/debian/cacert-gigi.postinst
@@ -27,6 +27,7 @@ case "$1" in
 else
 gigi fetch-locales
 fi
+ adduser --system gigi
 ;; abort-upgrade|abort-remove|abort-deconfigure)
@@ -38,9 +39,10 @@ case "$1" in
 ;;
 esac
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
+# The "hash DEBHELPER hash" special token is deliberately *not* included;
+# gigi cannot start out of the box,
+# and this package installs multiple services that cannot be used simultaneously,
+# so we really don't want dh_installdeb to add code by
+# dh_systemd_enable, dh_installinit and dh_systemd_start here.
 exit 0
diff --git a/debian/control b/debian/control
index b52f2043..8f932faa 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: cacert-gigi
 Section: java
 Priority: optional
 Maintainer: unknown
-Build-Depends: debhelper (>= 8.0.0), java7-sdk-headless
+Build-Depends: debhelper (>= 8.0.0), dh-systemd, java7-sdk-headless
 Standards-Version: 3.9.4
 Homepage: http://cacert.org
 #Vcs-Git: git://git.debian.org/collab-maint/cacert-gigi.git
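Review bot: `+Build-Depends: debhelper (>= 8.0.0), dh-systemd, java7-sdk-headless` covers the build, but the runtime side of this change is not reflected in the control hunk: the new postinst calls `adduser` and the four init stubs source `/lib/lsb/init-functions`, so the binary packages' `Depends` fields (outside this hunk) should list `adduser` and `lsb-base` unless they already do. If a manual `systemctl daemon-reload` is added to postinst in place of the suppressed debhelper snippet, that call should be guarded on `/run/systemd/system` as the debhelper snippet does, so the package still installs on non-systemd hosts.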
diff --git a/debian/gigi-proxy.service b/debian/gigi-proxy.service
new file mode 100644
index 00000000..3708845d
--- /dev/null
+++ b/debian/gigi-proxy.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Gigi Webserver module for ET
+Wants=postgresql@9.4-main.service
+After=postgresql@9.4-main.service
+Conflicts=gigi-standalone.service
+
+[Service]
+ExecStart=/usr/bin/java -cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.Launcher /etc/cacert/gigi/conf.tar
+StandardInput=socket
+StandardOutput=journal
+StandardError=journal
+WorkingDirectory=/var/lib/cacert-gigi
+User=gigi
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/gigi-proxy.socket b/debian/gigi-proxy.socket
new file mode 100644
index 00000000..ae86a333
--- /dev/null
+++ b/debian/gigi-proxy.socket
@@ -0,0 +1,8 @@
+[Unit]
+Description=Gigi Webserver module socket
+
+[Socket]
+ListenStream=80
+
+[Install]
+WantedBy=sockets.target
diff --git a/debian/gigi-simple-signer.service b/debian/gigi-simple-signer.service
new file mode 100644
index 00000000..fe0a7f49
--- /dev/null
+++ b/debian/gigi-simple-signer.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Gigi simple signer for ET
+
+[Service]
+ExecStart=/usr/bin/java -cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.util.SimpleSigner
+WorkingDirectory=/var/lib/cacert-gigi
+User=gigi
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/gigi-standalone.service b/debian/gigi-standalone.service
new file mode 100644
index 00000000..e60e2eed
--- /dev/null
+++ b/debian/gigi-standalone.service
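Review bot: `+StandardInput=socket` makes gigi-proxy.service usable only when it is started through gigi-proxy.socket, yet the `[Unit]` section declares no `Requires=gigi-proxy.socket` / `After=gigi-proxy.socket`; started directly (`systemctl start gigi-proxy`, or pulled in by `+WantedBy=multi-user.target` once enabled) gigi does not receive the listening socket and cannot serve. Adding those two lines closes the gap; alternatively drop the service's `[Install]` section and let only the socket be enabled, which is the usual shape for socket-activated units. `+Wants=postgresql@9.4-main.service` / `+After=postgresql@9.4-main.service` pins one cluster name into the package; if ordering after whatever local clusters exist is enough, `postgresql.service` is the version-independent target on Debian and survives a cluster upgrade.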
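Review bot: gigi-simple-signer.service has no `Wants=` / `After=` on PostgreSQL, although the deleted cacert-gigi-signer.init declared `Required-Start: ... postgresql` and the classpath at `+ExecStart=` still carries postgresql-jdbc4.jar; at boot the signer can therefore start before the database accepts connections, and with no `Restart=` it will not recover from that. Mirroring gigi-proxy.service — `Wants=postgresql@9.4-main.service` and `After=postgresql@9.4-main.service` in `[Unit]` — plus `Restart=on-failure` in `[Service]` restores the ordering guarantee the init script had. The signer and the proxy share `WorkingDirectory=/var/lib/cacert-gigi` and `User=gigi`; if they are expected to run concurrently, nothing here prevents both from writing into the same directory, which is presumably intended but worth a comment in the unit.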
@@ -0,0 +1,14 @@
+[Unit]
+Description=Gigi Webserver module for ET, stand-alone
+Wants=postgresql@9.4-main.service
+After=postgresql@9.4-main.service
+Conflicts=gigi-proxy.service
+
+[Service]
+ExecStart=/usr/bin/java -cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.Launcher /etc/cacert/gigi/conf.tar
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID
+WorkingDirectory=/var/lib/cacert-gigi
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
diff --git a/debian/rules b/debian/rules
index 23dbd661..c384f79f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,7 +5,7 @@ #export DH_VERBOSE=1
 %:
- dh $@
+ dh $@ --with=systemd
 build:
 ant pack pack-testing
-- 2.39.2
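Review bot: gigi-standalone.service is the only one of the four units without an `[Install]` section, so `systemctl enable gigi-standalone` is refused for lack of installation config and the commit message's promise that it "works just like the old cacert-gigi service" holds only for manual starts; adding `[Install]` with `WantedBy=multi-user.target`, as gigi-proxy.service does, fixes that. `+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID` is the right shape for a root process that binds its ports and then drops privileges, but if gigi's privilege drop also changes the group or supplementary groups it needs CAP_SETGID in the set as well — not visible here, worth confirming against the Launcher's drop code. `NoNewPrivileges=yes`, present in the other two service units, is also absent here; it does not interfere with a setuid()-based drop and would stop the process from regaining privileges through exec afterwards.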