Index: /trunk/host/credit-card/host.py
===================================================================
--- /trunk/host/credit-card/host.py	(revision 2066)
+++ /trunk/host/credit-card/host.py	(revision 2066)
@@ -0,0 +1,184 @@
+import os
+import optparse
+import socket
+import tempfile
+import shutil
+import errno
+import csv
+
+import shell
+
+HOST = socket.gethostname()
+
+# XXX test server and wizard server
+
+# UIDs (sketchy):
+#   signup 102
+#   fedora-ds 103 (sketchy, not true for b-b)
+#   logview 501 (really sketchy, since it's in the dynamic range)
+
+# Works for passwd and group, but be careful! They're different things!
+def lookup(filename):
+    # Super-safe to assume and volume IDs (expensive to check)
+    r = {
+        'root': 0,
+        'sql': 537704221,
+    }
+    with open(filename, 'rb') as f:
+        reader = csv.reader(f, delimiter=':', quoting=csv.QUOTE_NONE)
+        for row in reader:
+            r[row[0]] = int(row[2])
+    return r
+
+# Format here assumes that we always chmod $USER:$USER ...
+# but note the latter refers to group...
+COMMON_CREDS = [
+    ('root', 0o600, 'root/.bashrc'),
+    ('root', 0o600, 'root/.screenrc'),
+    ('root', 0o600, 'root/.ssh/authorized_keys'),
+    ('root', 0o600, 'root/.ssh/authorized_keys2'),
+    ('root', 0o600, 'root/.vimrc'),
+    ('root', 0o600, 'root/.k5login'),
+    # punted /root/.ssh/known_hosts
+
+    # XXX user must be created in Kickstart
+    ('logview', 0o600, 'home/logview/.k5login'),
+    ]
+
+COMMON_PROD_CREDS = [ # important: no leading slashes!
+    ('root', 0o600, 'root/.ldapvirc'),
+    ('root', 0o600, 'etc/ssh/ssh_host_dsa_key'),
+    ('root', 0o600, 'etc/ssh/ssh_host_key'),
+    ('root', 0o600, 'etc/ssh/ssh_host_rsa_key'),
+    ('root', 0o600, 'etc/pki/tls/private/scripts-1024.key'),
+    ('root', 0o600, 'etc/pki/tls/private/scripts.key'),
+    ('root', 0o600, 'etc/whoisd-password'),
+    ('afsagent', 0o600, 'etc/daemon.keytab'),
+
+    ('root', 0o644, 'etc/ssh/ssh_host_dsa_key.pub'),
+    ('root', 0o644, 'etc/ssh/ssh_host_key.pub'),
+    ('root', 0o644, 'etc/ssh/ssh_host_rsa_key.pub'),
+
+    ('sql', 0o600, 'etc/sql-mit-edu.cfg.php'),
+    ('signup', 0o600, 'etc/signup-ldap-pw'),
+    ]
+
+MACHINE_PROD_CREDS = [
+    # XXX NEED TO CHECK THAT THESE ARE SENSIBLE
+    ('root', 0o600, 'etc/krb5.keytab'),
+    ('fedora-ds', 0o600, 'etc/dirsrv/keytab')
+    ]
+
+def mkdir_p(path): # it's like mkdir -p
+    try:
+        os.makedirs(path)
+    except OSError as e:
+        if e.errno == errno.EEXIST:
+            pass
+        else: raise
+
+# XXX This code is kind of dangerous, because we are directly using the
+# kernel modules to manipulate possibly untrusted disk images.  This
+# means that if an attacker can corrupt the disk, and exploit a problem
+# in the kernel vfs driver, he can escalate a guest root exploit
+# to a host root exploit.  Ultimately we should use libguestfs
+# which makes this attack harder to pull off, but at the time of writing
+# squeeze didn't package libguestfs.
+#
+# We try to minimize attack surface by explicitly specifying the
+# expected filesystem type.
+class WithMount(object):
+    """Context for running code with an extra mountpoint."""
+    guest = None
+    types = None # comma separated, like the mount argument -t
+    mount = None
+    dev = None
+    def __init__(self, guest, types):
+        self.guest = guest
+        self.types = types
+    def __enter__(self):
+        self.dev = "/dev/%s/%s-root" % (HOST, self.guest)
+
+        mapper_name = shell.eval("kpartx", "-l", self.dev).split()[0]
+        shell.call("kpartx", "-a", self.dev)
+        mapper = "/dev/mapper/%s" % mapper_name
+
+        # this is why bracketing functions and hanging lambdas are a good idea
+        try:
+            self.mount = tempfile.mkdtemp("-%s" % self.guest, 'vm-', '/mnt') # no trailing slash
+            try:
+                shell.call("mount", "--types", self.types, mapper, self.mount)
+            except:
+                os.rmdir(self.mount)
+                raise
+        except:
+            shell.call("kpartx", "-d", self.dev)
+            raise
+
+        return self.mount
+    def __exit__(self, _type, _value, _traceback):
+        shell.call("umount", self.mount)
+        os.rmdir(self.mount)
+        shell.call("kpartx", "-d", self.dev)
+
+def main():
+    usage = """usage: %prog [push|pull|pull-common] GUEST"""
+
+    parser = optparse.OptionParser(usage)
+    # ext3 will probably supported for a while yet and a pretty
+    # reasonable thing to always try
+    parser.add_option('-t', '--types', dest="types", default="ext4,ext3",
+            help="filesystem type(s)")
+    parser.add_option('--creds-dir', dest="creds_dir", default="/root/creds",
+            help="directory to store/fetch credentials in")
+    options, args = parser.parse_args()
+
+    if not os.path.isdir(options.creds_dir):
+        raise Exception("/root/creds does not exist") # XXX STRING
+    # XXX check owned by root and appropriately chmodded
+
+    os.umask(0o077) # overly restrictive
+
+    if len(args) != 2:
+        parser.print_help()
+        raise Exception("Wrong number of arguments")
+
+    command = args[0]
+    guest   = args[1]
+
+    with WithMount(guest, options.types) as tmp_mount:
+        uid_lookup = lookup("%s/etc/passwd" % tmp_mount)
+        gid_lookup = lookup("%s/etc/group" % tmp_mount)
+        def push_files(files, type):
+            for (usergroup, perms, f) in files:
+                dest = "%s/%s" % (tmp_mount, f)
+                mkdir_p(os.path.dirname(dest)) # useful for .ssh
+                # assuming OK to overwrite
+                # XXX we could compare the files before doing anything...
+                shutil.copyfile("%s/%s/%s" % (options.creds_dir, type, f), dest)
+                try:
+                    os.chown(dest, uid_lookup[usergroup], gid_lookup[usergroup])
+                    os.chmod(dest, perms)
+                except:
+                    # never ever leave un-chowned files lying around
+                    os.unlink(dest)
+                    raise
+        def pull_files(files, type):
+            for (_, _, f) in files:
+                dest = "%s/%s/%s" % (options.creds_dir, type, f)
+                mkdir_p(os.path.dirname(dest))
+                # error if doesn't exist
+                shutil.copyfile("%s/%s" % (tmp_mount, f), dest)
+
+        if command == "push":
+            push_files(COMMON_CREDS, 'common')
+            push_files(COMMON_PROD_CREDS,  'common')
+            push_files(MACHINE_PROD_CREDS, 'machine/%s' % guest)
+        elif command == "pull":
+            pull_files(MACHINE_PROD_CREDS, 'machine/%s' % guest)
+        elif command == "pull-common":
+            pull_files(COMMON_CREDS, 'common')
+            pull_files(COMMON_PROD_CREDS,  'common')
+
+if __name__ == "__main__":
+    main()
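Review bot: `push_files` and `pull_files` in `main` build paths under `tmp_mount` and pass them to `shutil.copyfile`, which follows symlinks. A symlink inside the guest image (which the comment above `WithMount` already treats as possibly untrusted) can therefore make the host root process read or overwrite a file outside the mount. Resolve each path before `mkdir_p` and the copy and refuse anything that leaves the mount, e.g. `if not os.path.realpath(dest).startswith(tmp_mount + os.sep): raise Exception("path escapes mount: %s" % f)`, and apply the same check to the `etc/passwd` and `etc/group` paths given to `lookup`. Passing `-o nosuid,nodev,noexec` to the `mount` call in `WithMount.__enter__` would further limit what the guest filesystem can do on the host. Separately, the `isdir` failure message hard-codes `/root/creds` even when `--creds-dir` was given; format `options.creds_dir` into it instead.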
Index: /trunk/host/credit-card/shell.py
===================================================================
--- /trunk/host/credit-card/shell.py	(revision 2066)
+++ /trunk/host/credit-card/shell.py	(revision 2066)
@@ -0,0 +1,301 @@
+"""
+Wrappers around subprocess functionality that simulate an actual shell.
+"""
+
+import subprocess
+import logging
+import sys
+import os
+import errno
+
+class Shell(object):
+    """
+    An advanced shell that performs logging.  If ``dry`` is ``True``,
+    no commands are actually run.
+    """
+    def __init__(self, dry = False):
+        self.dry = dry
+        self.cwd = None
+    def call(self, *args, **kwargs):
+        """
+        Performs a system call.  The actual executable and options should
+        be passed as arguments to this function.  Several keyword arguments
+        are also supported:
+
+        :param input: input to feed the subprocess on standard input.
+        :param interactive: whether or not directly hook up all pipes
+            to the controlling terminal, to allow interaction with subprocess.
+        :param strip: if ``True``, instead of returning a tuple,
+            return the string stdout output of the command with trailing newlines
+            removed.  This emulates the behavior of backticks and ``$()`` in Bash.
+            Prefer to use :meth:`eval` instead (you should only need to explicitly
+            specify this if you are using another wrapper around this function).
+        :param log: if True, we log the call as INFO, if False, we log the call
+            as DEBUG, otherwise, we detect based on ``strip``.
+        :param stdout:
+        :param stderr:
+        :param stdin: a file-type object that will be written to or read from as a pipe.
+        :returns: a tuple of strings ``(stdout, stderr)``, or a string ``stdout``
+            if ``strip`` is specified.
+
+        >>> sh = Shell()
+        >>> sh.call("echo", "Foobar")
+        ('Foobar\\n', '')
+        >>> sh.call("cat", input='Foobar')
+        ('Foobar', '')
+        """
+        self._wait()
+        kwargs.setdefault("interactive", False)
+        kwargs.setdefault("strip", False)
+        kwargs.setdefault("python", None)
+        kwargs.setdefault("log", None)
+        kwargs.setdefault("stdout", subprocess.PIPE)
+        kwargs.setdefault("stdin", subprocess.PIPE)
+        kwargs.setdefault("stderr", subprocess.PIPE)
+        msg = "Running `" + ' '.join(args) + "`"
+        if kwargs["strip"] and not kwargs["log"] is True or kwargs["log"] is False:
+            logging.debug(msg)
+        else:
+            logging.info(msg)
+        if self.dry:
+            if kwargs["strip"]:
+                return ''
+            return None, None
+        kwargs.setdefault("input", None)
+        if kwargs["interactive"]:
+            stdout=sys.stdout
+            stdin=sys.stdin
+            stderr=sys.stderr
+        else:
+            stdout=kwargs["stdout"]
+            stdin=kwargs["stdin"]
+            stderr=kwargs["stderr"]
+        # XXX: There is a possible problem here where we can fill up
+        # the kernel buffer if we have 64KB of data.  This shouldn't
+        # be a problem, and the fix for such case would be to write to
+        # temporary files instead of a pipe.
+        # Another possible way of fixing this is converting from a
+        # waitpid() pump to a select() pump, creating a pipe to
+        # ourself, and then setting up a
+        # SIGCHILD handler to write a single byte to the pipe to get
+        # us out of select() when a subprocess exits.
+        proc = subprocess.Popen(args, stdout=stdout, stderr=stderr, stdin=stdin, cwd=self.cwd, )
+        if self._async(proc, args, **kwargs):
+            return proc
+        stdout, stderr = proc.communicate(kwargs["input"])
+        # can occur if we were doing interactive communication; i.e.
+        # we didn't pass in PIPE.
+        if stdout is None:
+            stdout = ""
+        if stderr is None:
+            stderr = ""
+        if not kwargs["interactive"]:
+            if kwargs["strip"]:
+                self._log(None, stderr)
+            else:
+                self._log(stdout, stderr)
+        if proc.returncode:
+            raise CallError(proc.returncode, args, stdout, stderr)
+        if kwargs["strip"]:
+            return str(stdout).rstrip("\n")
+        return (stdout, stderr)
+    def _log(self, stdout, stderr):
+        """Logs the standard output and standard input from a command."""
+        if stdout:
+            logging.debug("STDOUT:\n" + stdout)
+        if stderr:
+            logging.debug("STDERR:\n" + stderr)
+    def _wait(self):
+        pass
+    def _async(self, *args, **kwargs):
+        return False
+    def callAsUser(self, *args, **kwargs):
+        """
+        Performs a system call as a different user.  This is only possible
+        if you are running as root.  Keyword arguments
+        are the same as :meth:`call` with the following additions:
+
+        :param user: name of the user to run command as.
+        :param uid: uid of the user to run command as.
+
+        .. note::
+
+            The resulting system call internally uses :command:`sudo`,
+            and as such environment variables will get scrubbed.  We
+            manually preserve :envvar:`SSH_GSSAPI_NAME`.
+        """
+        user = kwargs.pop("user", None)
+        uid = kwargs.pop("uid", None)
+        if not user and not uid: return self.call(*args, **kwargs)
+        if os.getenv("SSH_GSSAPI_NAME"):
+            # This might be generalized as "preserve some environment"
+            args = list(args)
+            args.insert(0, "SSH_GSSAPI_NAME=" + os.getenv("SSH_GSSAPI_NAME"))
+        if uid: return self.call("sudo", "-u", "#" + str(uid), *args, **kwargs)
+        if user: return self.call("sudo", "-u", user, *args, **kwargs)
+    def safeCall(self, *args, **kwargs):
+        """
+        Checks if the owner of the current working directory is the same
+        as the current user, and if it isn't, attempts to sudo to be
+        that user.  The intended use case is for calling Git commands
+        when running as root, but this method should be used when
+        interfacing with any moderately complex program that depends
+        on working directory context.  Keyword arguments are the
+        same as :meth:`call`.
+        """
+        if os.getuid():
+            return self.call(*args, **kwargs)
+        uid = os.stat(os.getcwd()).st_uid
+        # consider also checking ruid?
+        if uid != os.geteuid():
+            kwargs['uid'] = uid
+            return self.callAsUser(*args, **kwargs)
+        else:
+            return self.call(*args, **kwargs)
+    def eval(self, *args, **kwargs):
+        """
+        Evaluates a command and returns its output, with trailing newlines
+        stripped (like backticks in Bash).  This is a convenience method for
+        calling :meth:`call` with ``strip``.
+
+            >>> sh = Shell()
+            >>> sh.eval("echo", "Foobar") 
+            'Foobar'
+        """
+        kwargs["strip"] = True
+        return self.call(*args, **kwargs)
+    def setcwd(self, cwd):
+        """
+        Sets the directory processes are executed in. This sets a value
+        to be passed as the ``cwd`` argument to ``subprocess.Popen``.
+        """
+        self.cwd = cwd
+
+class ParallelShell(Shell):
+    """
+    Modifies the semantics of :class:`Shell` so that
+    commands are queued here, and executed in parallel using waitpid
+    with ``max`` subprocesses, and result in callback execution
+    when they finish.
+
+    .. method:: call(*args, **kwargs)
+
+        Enqueues a system call for parallel processing.  If there are
+        no openings in the queue, this will block.  Keyword arguments
+        are the same as :meth:`Shell.call` with the following additions:
+
+        :param on_success: Callback function for success (zero exit status).
+            The callback function should accept two arguments,
+            ``stdout`` and ``stderr``.
+        :param on_error: Callback function for failure (nonzero exit status).
+            The callback function should accept one argument, the
+            exception that would have been thrown by the synchronous
+            version.
+        :return: The :class:`subprocess.Proc` object that was opened.
+
+    .. method:: callAsUser(*args, **kwargs)
+
+        Enqueues a system call under a different user for parallel
+        processing.  Keyword arguments are the same as
+        :meth:`Shell.callAsUser` with the additions of keyword
+        arguments from :meth:`call`.
+
+    .. method:: safeCall(*args, **kwargs)
+
+        Enqueues a "safe" call for parallel processing.  Keyword
+        arguments are the same as :meth:`Shell.safeCall` with the
+        additions of keyword arguments from :meth:`call`.
+
+    .. method:: eval(*args, **kwargs)
+
+        No difference from :meth:`call`.  Consider having a
+        non-parallel shell if the program you are shelling out
+        to is fast.
+
+    """
+    def __init__(self, dry = False, max = 10):
+        super(ParallelShell, self).__init__(dry=dry)
+        self.running = {}
+        self.max = max # maximum of commands to run in parallel
+    @staticmethod
+    def make(no_parallelize, max):
+        """Convenience method oriented towards command modules."""
+        if no_parallelize:
+            return DummyParallelShell()
+        else:
+            return ParallelShell(max=max)
+    def _async(self, proc, args, python, on_success, on_error, **kwargs):
+        """
+        Gets handed a :class:`subprocess.Proc` object from our deferred
+        execution.  See :meth:`Shell.call` source code for details.
+        """
+        self.running[proc.pid] = (proc, args, python, on_success, on_error)
+        return True # so that the parent function returns
+    def _wait(self):
+        """
+        Blocking call that waits for an open subprocess slot.  This is
+        automatically called by :meth:`Shell.call`.
+        """
+        # XXX: This API sucks; the actual call/callAsUser call should
+        # probably block automatically (unless I have a good reason not to)
+        # bail out immediately on initial ramp up
+        if len(self.running) < self.max: return
+        # now, wait for open pids.
+        try:
+            self.reap(*os.waitpid(-1, 0))
+        except OSError as e:
+            if e.errno == errno.ECHILD: return
+            raise
+    def join(self):
+        """Waits for all of our subprocesses to terminate."""
+        try:
+            while True:
+                self.reap(*os.waitpid(-1, 0))
+        except OSError as e:
+            if e.errno == errno.ECHILD: return
+            raise
+    def reap(self, pid, status):
+        """Reaps a process."""
+        # ooh, zombie process. reap it
+        proc, args, python, on_success, on_error = self.running.pop(pid)
+        # XXX: this is slightly dangerous; should actually use
+        # temporary files
+        stdout = proc.stdout.read()
+        stderr = proc.stderr.read()
+        self._log(stdout, stderr)
+        if status:
+            on_error(CallError(proc.returncode, args, stdout, stderr))
+            return
+        on_success(stdout, stderr)
+
+# Setup a convenience global instance
+shell = Shell()
+call = shell.call
+callAsUser = shell.callAsUser
+safeCall = shell.safeCall
+eval = shell.eval
+
+class DummyParallelShell(ParallelShell):
+    """Same API as :class:`ParallelShell`, but doesn't actually
+    parallelize (i.e. all calls to :meth:`wait` block.)"""
+    def __init__(self, dry = False):
+        super(DummyParallelShell, self).__init__(dry=dry, max=1)
+
+class CallError:
+    """Indicates that a subprocess call returned a nonzero exit status."""
+    #: The exit code of the failed subprocess.
+    code = None
+    #: List of the program and arguments that failed.
+    args = None
+    #: The stdout of the program.
+    stdout = None
+    #: The stderr of the program.
+    stderr = None
+    def __init__(self, code, args, stdout, stderr):
+        self.code = code
+        self.args = args
+        self.stdout = stdout
+        self.stderr = stderr
+    def __str__(self):
+        compact = self.stderr.rstrip().split("\n")[-1]
+        return "%s (exited with %d)\n%s" % (compact, self.code, self.stderr)
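Review bot: In `ParallelShell.reap` the child was collected by `os.waitpid` rather than through the `Popen` object, so `proc.returncode` is still `None` when `CallError(proc.returncode, ...)` is built. The `%d` in `CallError.__str__` would then raise instead of reporting the failure. Derive the code from the `status` argument, e.g. `code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)`, and pass that. `CallError` is also declared as a plain class although `Shell.call` raises it; `class CallError(Exception):` keeps the `raise` valid on interpreters that require exception subclasses and lets callers catch it with `except Exception`.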
Index: /trunk/server/common/oursrc/tokensys/configure.in
===================================================================
--- /trunk/server/common/oursrc/tokensys/configure.in	(revision 2065)
+++ /trunk/server/common/oursrc/tokensys/configure.in	(revision 2066)
@@ -24,4 +24,13 @@
 REQUIRE_PATH(aklog)
 
+AC_ARG_WITH(fs,
+[  --with-fs[=PATH]          fs is located at PATH],[
+  if test "$withval" != "no" -a "$withval" != "yes"; then
+    fs_path="$withval"
+  fi
+])
+REQUIRE_PATH(fs)
+
 AC_OUTPUT(Makefile)
 AC_OUTPUT(renew)
+AC_OUTPUT(scripts-afsagent-startup)
Index: unk/server/common/oursrc/tokensys/crontab
===================================================================
--- /trunk/server/common/oursrc/tokensys/crontab	(revision 2065)
+++ 	(revision )
@@ -1,2 +1,0 @@
-@reboot	afsagent /home/afsagent/renew
-0 */3 * * * afsagent /home/afsagent/renew
Index: /trunk/server/common/oursrc/tokensys/renew.in
===================================================================
--- /trunk/server/common/oursrc/tokensys/renew.in	(revision 2065)
+++ /trunk/server/common/oursrc/tokensys/renew.in	(revision 2066)
@@ -2,5 +2,5 @@
 
 # This script renews afsagent's tickets and tokens.
-# It is called by afsagent's crontab every 8 hours.
+# It is called by systemd on a regular schedule.
 
 export KRB5CCNAME=/home/afsagent/krb5cc
Index: /trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in
===================================================================
--- /trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in	(revision 2066)
+++ /trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in	(revision 2066)
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+/sbin/sysctl -q afs.GCPAGs=0
+@fs_path@ setcrypt on
+@fs_path@ sysname 'amd64_fedora15_scripts' 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora15' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb60' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2'
+
+@fs_path@ setcell -nosuid -c athena
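Review bot: The script has no `set -e`, so a failing `@fs_path@ setcrypt on` or `sysname` call is ignored and the unit's result is decided only by the final `setcell` command. The host could then come up without the crypt setting applied while systemd reports the oneshot as successful. Add `set -e` after the shebang line, or test each command and `exit 1`, so the failure is visible. A one-line comment saying why `afs.GCPAGs=0` is set would also help the next reader.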
Index: /trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service
===================================================================
--- /trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service	(revision 2066)
+++ /trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service	(revision 2066)
@@ -0,0 +1,12 @@
+[Unit]
+Description=Scripts AFS Configuration Service
+After=syslog.target openafs-client.service
+Before=crond.service
+Requires=openafs-client.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/libexec/scripts-afsagent-startup
+
+[Install]
+WantedBy=multi-user.target remote-fs.target crond.service
Index: /trunk/server/common/oursrc/tokensys/scripts-afsagent.service
===================================================================
--- /trunk/server/common/oursrc/tokensys/scripts-afsagent.service	(revision 2066)
+++ /trunk/server/common/oursrc/tokensys/scripts-afsagent.service	(revision 2066)
@@ -0,0 +1,13 @@
+[Unit]
+Description=Scripts afsagent Service
+After=syslog.target openafs-client.service
+Before=crond.service
+Requires=openafs-client.service
+
+[Service]
+Type=oneshot
+ExecStart=/home/afsagent/renew
+User=afsagent
+
+[Install]
+WantedBy=multi-user.target remote-fs.target crond.service
Index: /trunk/server/common/oursrc/tokensys/scripts-afsagent.timer
===================================================================
--- /trunk/server/common/oursrc/tokensys/scripts-afsagent.timer	(revision 2066)
+++ /trunk/server/common/oursrc/tokensys/scripts-afsagent.timer	(revision 2066)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Scripts afsagent periodic renew
+
+[Timer]
+Unit=scripts-afsagent.service
+OnUnitActiveSec=3h
+
+[Install]
+WantedBy=multi-user.target remote-fs.target
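Review bot: `OnUnitActiveSec=3h` is the only trigger in `[Timer]`, so the schedule depends on scripts-afsagent.service having been activated at least once. If that first boot-time run does not happen, or fails (the exact behaviour likely depends on the systemd version), later renewals may never be scheduled and afsagent's tickets would expire without any visible error. Adding a boot-relative trigger next to it, e.g. `OnBootSec=5min`, makes the renewal independent of the first run.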
Index: /trunk/server/common/oursrc/whoisd/Makefile.in
===================================================================
--- /trunk/server/common/oursrc/whoisd/Makefile.in	(revision 2065)
+++ /trunk/server/common/oursrc/whoisd/Makefile.in	(revision 2066)
@@ -1,7 +1,7 @@
 install:
 	install -Dpm 644 whoisd.tac ${DESTDIR}@libexecdir@/whoisd.tac
-	install -Dpm 644 crontab ${DESTDIR}/etc/cron.d/whoisd
+	install -Dpm 644 scripts-whoisd.service ${DESTDIR}/lib/systemd/system/scripts-whoisd.service
 
 clean:
 	rm -f ${DESTDIR}@libexecdir@/whoisd.tac
-	rm -f ${DESTDIR}/etc/cron.d/whoisd
+	rm -f ${DESTDIR}/lib/systemd/system/scripts-whoisd.service
Index: /trunk/server/common/oursrc/whoisd/scripts-whoisd.service
===================================================================
--- /trunk/server/common/oursrc/whoisd/scripts-whoisd.service	(revision 2066)
+++ /trunk/server/common/oursrc/whoisd/scripts-whoisd.service	(revision 2066)
@@ -0,0 +1,10 @@
+[Unit]
+Description=Scripts whois Service
+After=syslog.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/twistd --nodaemon -l /var/log/scripts-whoisd.log -y /usr/local/libexec/whoisd.tac
+
+[Install]
+WantedBy=multi-user.target
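Review bot: The `[Service]` section sets no `User=`, so `twistd` runs as root for the lifetime of this network-facing daemon unless `whoisd.tac` drops privileges itself, which is not visible here. If root is needed only to bind the listening port, pass `--uid`/`--gid` to `twistd` or set `User=` to a dedicated account, and check that the account can still read whatever secret the service needs. A `Restart=on-failure` line would keep the service available after a crash.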
Index: unk/server/common/patches/curl-gssapi-delegation.patch
===================================================================
--- /trunk/server/common/patches/curl-gssapi-delegation.patch	(revision 2065)
+++ 	(revision )
@@ -1,28 +1,0 @@
-From a4be0864ba953b3317ece66bf8c2332ea74a4715 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 8 Jun 2011 00:10:26 +0200
-Subject: [PATCH] Curl_input_negotiate: do not delegate credentials
-
-This is a security flaw. See curl advisory 201106xx for details.
-
-Reported by: Richard Silverman
----
- lib/http_negotiate.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
-index 202d69e..5127e64 100644
---- a/lib/http_negotiate.c
-+++ b/lib/http_negotiate.c
-@@ -243,7 +243,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
-                                       &neg_ctx->context,
-                                       neg_ctx->server_name,
-                                       GSS_C_NO_OID,
--                                      GSS_C_DELEG_FLAG,
-+                                      0,
-                                       0,
-                                       GSS_C_NO_CHANNEL_BINDINGS,
-                                       &input_token,
--- 
-1.7.5.3
-
Index: /trunk/server/common/patches/httpd-sysv-deps.patch
===================================================================
--- /trunk/server/common/patches/httpd-sysv-deps.patch	(revision 2066)
+++ /trunk/server/common/patches/httpd-sysv-deps.patch	(revision 2066)
@@ -0,0 +1,11 @@
+--- a/httpd.init.orig	2011-11-05 19:10:18.897425517 -0400
++++ b/httpd.init	2011-11-05 19:11:22.523201035 -0400
+@@ -12,7 +12,7 @@
+ #
+ ### BEGIN INIT INFO
+ # Provides: httpd
+-# Required-Start: $local_fs $remote_fs $network $named
++# Required-Start: $local_fs $remote_fs $network $named openafs-client crond
+ # Required-Stop: $local_fs $remote_fs $network
+ # Should-Start: distcache
+ # Short-Description: start and stop Apache HTTP Server
Index: /trunk/server/common/patches/krb5-kuserok-scripts.patch
===================================================================
--- /trunk/server/common/patches/krb5-kuserok-scripts.patch	(revision 2065)
+++ /trunk/server/common/patches/krb5-kuserok-scripts.patch	(revision 2066)
@@ -1,4 +1,5 @@
 # scripts.mit.edu krb5 kuserok patch
 # Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
+#               2011  Alexander Chernyakhovsky <achernya@mit.edu>
 #
 # This program is free software; you can redistribute it and/or
@@ -18,8 +19,8 @@
 # See /COPYRIGHT in this repository for more information.
 #
---- krb5-1.6.3/src/lib/krb5/os/kuserok.c.old	2009-04-08 06:17:06.000000000 -0400
-+++ krb5-1.6.3/src/lib/krb5/os/kuserok.c	2009-04-08 06:17:18.000000000 -0400
-@@ -31,6 +31,7 @@
- #if !defined(_WIN32)		/* Not yet for Windows */
+--- krb5-1.9/src/lib/krb5/os/kuserok.c.old	2011-04-16 19:09:58.000000000 -0400
++++ krb5-1.9/src/lib/krb5/os/kuserok.c	2011-04-16 19:34:23.000000000 -0400
+@@ -32,6 +32,7 @@
+ #if !defined(_WIN32)            /* Not yet for Windows */
  #include <stdio.h>
  #include <pwd.h>
@@ -28,98 +29,122 @@
  #if defined(_AIX) && defined(_IBMR2)
  #include <sys/access.h>
-@@ -71,7 +72,6 @@
+@@ -51,39 +52,6 @@
+ enum result { ACCEPT, REJECT, PASS };
+ 
+ /*
+- * Find the k5login filename for luser, either in the user's homedir or in a
+- * configured directory under the username.
+- */
+-static krb5_error_code
+-get_k5login_filename(krb5_context context, const char *luser,
+-                     const char *homedir, char **filename_out)
+-{
+-    krb5_error_code ret;
+-    char *dir, *filename;
+-
+-    *filename_out = NULL;
+-    ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+-                             KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir);
+-    if (ret != 0)
+-        return ret;
+-
+-    if (dir == NULL) {
+-        /* Look in the user's homedir. */
+-        if (asprintf(&filename, "%s/.k5login", homedir) < 0)
+-            return ENOMEM;
+-    } else {
+-        /* Look in the configured directory. */
+-        if (asprintf(&filename, "%s/%s", dir, luser) < 0)
+-            ret = ENOMEM;
+-        profile_release_string(dir);
+-        if (ret)
+-            return ret;
+-    }
+-    *filename_out = filename;
+-    return 0;
+-}
+-
+-/*
+  * Determine whether principal is authorized to log in as luser according to
+  * the user's k5login file.  Return ACCEPT if the k5login file authorizes the
+  * principal, PASS if the k5login file does not exist, or REJECT if the k5login
+@@ -93,13 +61,12 @@
+ static enum result
+ k5login_ok(krb5_context context, krb5_principal principal, const char *luser)
  {
-     struct stat sbuf;
-     struct passwd *pwd;
--    char pbuf[MAXPATHLEN];
-     krb5_boolean isok = FALSE;
-     FILE *fp;
-     char kuser[MAX_USERNAME];
-@@ -79,71 +79,35 @@
-     char linebuf[BUFSIZ];
-     char *newline;
-     int gobble;
+-    int authoritative = TRUE, gobble;
++    int authoritative = TRUE;
+     enum result result = REJECT;
+-    char *filename = NULL, *princname = NULL;
+-    char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ];
+-    struct stat sbuf;
++    char *princname = NULL;
++    char pwbuf[BUFSIZ];
+     struct passwd pwx, *pwd;
+-    FILE *fp = NULL;
 +    int pid, status;
  
-     /* no account => no access */
-     char pwbuf[BUFSIZ];
-     struct passwd pwx;
+     if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
+                             KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
+@@ -110,46 +77,29 @@
      if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
- 	return(FALSE);
--    (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
--    pbuf[sizeof(pbuf) - 1] = '\0';
--    (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
+         goto cleanup;
+ 
+-    if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
+-        goto cleanup;
 -
--    if (access(pbuf, F_OK)) {	 /* not accessible */
--	/*
--	 * if he's trying to log in as himself, and there is no .k5login file,
--	 * let him.  To find out, call
--	 * krb5_aname_to_localname to convert the principal to a name
--	 * which we can string compare. 
--	 */
--	if (!(krb5_aname_to_localname(context, principal,
--				      sizeof(kuser), kuser))
--	    && (strcmp(kuser, luser) == 0)) {
--	    return(TRUE);
--	}
+-    if (access(filename, F_OK) != 0) {
+-        result = PASS;
+-        goto cleanup;
 -    }
-     if (krb5_unparse_name(context, principal, &princname))
- 	return(FALSE);			/* no hope of matching */
+-
+     if (krb5_unparse_name(context, principal, &princname) != 0)
+         goto cleanup;
  
--    /* open ~/.k5login */
--    if ((fp = fopen(pbuf, "r")) == NULL) {
--	free(princname);
--	return(FALSE);
--    }
+-    fp = fopen(filename, "r");
+-    if (fp == NULL)
++    if ((pid = fork()) == -1)
+         goto cleanup;
 -    set_cloexec_file(fp);
--    /*
--     * For security reasons, the .k5login file must be owned either by
--     * the user himself, or by root.  Otherwise, don't grant access.
--     */
--    if (fstat(fileno(fp), &sbuf)) {
--	fclose(fp);
--	free(princname);
--	return(FALSE);
-+    if ((pid = fork()) == -1) {
-+       free(princname);
-+       return(FALSE);
+-
+-    /* For security reasons, the .k5login file must be owned either by
+-     * the user or by root. */
+-    if (fstat(fileno(fp), &sbuf))
+-        goto cleanup;
+-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
+-        goto cleanup;
+-
+-    /* Check each line. */
+-    while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
+-        newline = strrchr(linebuf, '\n');
+-        if (newline != NULL)
+-            *newline = '\0';
+-        if (strcmp(linebuf, princname) == 0)
+-            result = ACCEPT;
+-        /* Clean up the rest of the line if necessary. */
+-        if (newline == NULL)
+-            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
++    
++    if (pid == 0) {
++        char *args[4];
++#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
++        args[0] = ADMOF_PATH;
++        args[1] = (char *) luser;
++        args[2] = princname;
++        args[3] = NULL;
++        execv(ADMOF_PATH, args);
++        exit(1);
      }
--    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
--	fclose(fp);
--	free(princname);
--	return(FALSE);
-+    if (pid == 0) {
-+       char *args[4];
-+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
-+       args[0] = ADMOF_PATH;
-+       args[1] = (char *) luser;
-+       args[2] = princname;
-+       args[3] = NULL;
-+       execv(ADMOF_PATH, args);
-+       exit(1);
-     }
--
--    /* check each line */
--    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
--	/* null-terminate the input string */
--	linebuf[BUFSIZ-1] = '\0';
--	newline = NULL;
--	/* nuke the newline if it exists */
--	if ((newline = strchr(linebuf, '\n')))
--	    *newline = '\0';
--	if (!strcmp(linebuf, princname)) {
--	    isok = TRUE;
--	    continue;
--	}
--	/* clean up the rest of the line if necessary */
--	if (!newline)
--	    while (((gobble = getc(fp)) != EOF) && gobble != '\n');
+ 
 +    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
-+       isok=TRUE;
-     }
++        result = ACCEPT;
++    }
 +    
+ cleanup:
      free(princname);
--    fclose(fp);
-     return(isok);
+-    free(filename);
+-    if (fp != NULL)
+-        fclose(fp);
+     /* If k5login files are non-authoritative, never reject. */
+     return (!authoritative && result == REJECT) ? PASS : result;
  }
- 
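Review bot: In the new `k5login_ok` body the forked child calls `exit(1)` when `execv` fails, which runs the calling process's atexit handlers and flushes inherited stdio buffers a second time inside the child; use `_exit(1)` there. The child also inherits every descriptor of the caller that is not close-on-exec, so `ssh-admof` receives them unless they are closed before `execv`. The authorization decision now rests entirely on the helper's exit status, so a comment beside the `waitpid` line such as `/* exit status 33 from ssh-admof means ACCEPT; anything else rejects */` would document the contract. Failures of `fork` or `waitpid` leave `result` at REJECT, which is the right direction to fail.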
Index: /trunk/server/common/patches/openafs-linux-3.1-fsync.patch
===================================================================
--- /trunk/server/common/patches/openafs-linux-3.1-fsync.patch	(revision 2066)
+++ /trunk/server/common/patches/openafs-linux-3.1-fsync.patch	(revision 2066)
@@ -0,0 +1,90 @@
+From: Marc Dionne <marc.c.dionne@gmail.com>
+Date: Fri, 2 Sep 2011 21:56:58 +0000 (-0400)
+Subject: Linux: 3.1: adapt to fsync changes
+X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=81f28004415ae07f2e3a1320da632cbd52c96b25;hp=ef492dc1e1a1809a910fbf07140b26c4924957c5
+
+Linux: 3.1: adapt to fsync changes
+
+The fsync file operation gets new arguments to specify a range.
+Add a configure test to check for the API change.
+
+The inode lock is also pushed down into the operation, so we need
+to take it ourselves to keep the original behaviour.
+
+Reviewed-on: http://gerrit.openafs.org/5332
+Tested-by: BuildBot <buildbot@rampaginggeek.com>
+Reviewed-by: Simon Wilkinson <sxw@inf.ed.ac.uk>
+Reviewed-by: Derrick Brashear <shadow@dementix.org>
+(cherry picked from commit cbaefa266d433af3b9a082a360e23a42f161d80f)
+
+Change-Id: Idb6770204b014c62a8611548509240f8b5f950bc
+---
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 3ff4551..35f2200 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -920,6 +920,7 @@ case $AFS_SYSNAME in *_linux* | *_umlinux*)
+ 	  	 LINUX_DOP_D_REVALIDATE_TAKES_NAMEIDATA
+ 	  	 LINUX_FOP_F_FLUSH_TAKES_FL_OWNER_T
+ 	  	 LINUX_FOP_F_FSYNC_TAKES_DENTRY
++		 LINUX_FOP_F_FSYNC_TAKES_RANGE
+ 	  	 LINUX_AOP_WRITEBACK_CONTROL
+ 		 LINUX_FS_STRUCT_FOP_HAS_SPLICE
+ 		 LINUX_KERNEL_POSIX_LOCK_FILE_WAIT_ARG
+diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
+index 696146b..019b568 100644
+--- a/src/afs/LINUX/osi_vnodeops.c
++++ b/src/afs/LINUX/osi_vnodeops.c
+@@ -425,6 +425,8 @@ afs_linux_release(struct inode *ip, struct file *fp)
+ static int
+ #if defined(FOP_FSYNC_TAKES_DENTRY)
+ afs_linux_fsync(struct file *fp, struct dentry *dp, int datasync)
++#elif defined(FOP_FSYNC_TAKES_RANGE)
++afs_linux_fsync(struct file *fp, loff_t start, loff_t end, int datasync)
+ #else
+ afs_linux_fsync(struct file *fp, int datasync)
+ #endif
+@@ -433,9 +435,15 @@ afs_linux_fsync(struct file *fp, int datasync)
+     struct inode *ip = FILE_INODE(fp);
+     cred_t *credp = crref();
+ 
++#if defined(FOP_FSYNC_TAKES_RANGE)
++    mutex_lock(&ip->i_mutex);
++#endif
+     AFS_GLOCK();
+     code = afs_fsync(VTOAFS(ip), credp);
+     AFS_GUNLOCK();
++#if defined(FOP_FSYNC_TAKES_RANGE)
++    mutex_unlock(&ip->i_mutex);
++#endif
+     crfree(credp);
+     return afs_convert_code(code);
+ 
+diff --git a/src/cf/linux-test4.m4 b/src/cf/linux-test4.m4
+index 2292f81..35082b3 100644
+--- a/src/cf/linux-test4.m4
++++ b/src/cf/linux-test4.m4
+@@ -414,6 +414,22 @@ struct dentry _d;
+ ])
+ 
+ 
++int (*fsync) (struct file *, loff_t start, loff_t end, int datasync);
++
++AC_DEFUN([LINUX_FOP_F_FSYNC_TAKES_RANGE], [
++  AC_CHECK_LINUX_BUILD([whether file_operations.fsync takes a range],
++		       [ac_cv_linux_func_f_fsync_takes_range],
++		       [#include <linux/fs.h>],
++[struct inode _inode;
++struct file _file;
++loff_t start, end;
++(void)_inode.i_fop->fsync(&_file, start, end, 0);],
++		       [FOP_FSYNC_TAKES_RANGE],
++		       [define if your fops.fsync takes range arguments],
++		       [])
++])
++
++
+ AC_DEFUN([LINUX_HAVE_KMEM_CACHE_T], [
+   AC_CHECK_LINUX_BUILD([whether kmem_cache_t exists],
+ 		       [ac_cv_linux_have_kmem_cache_t],
Index: /trunk/server/common/patches/openafs-linux-3.1-rcu.patch
===================================================================
--- /trunk/server/common/patches/openafs-linux-3.1-rcu.patch	(revision 2066)
+++ /trunk/server/common/patches/openafs-linux-3.1-rcu.patch	(revision 2066)
@@ -0,0 +1,45 @@
+From f129142dde2a2637b2e638ca0cca372a45188923 Mon Sep 17 00:00:00 2001
+From: Marc Dionne <marc.c.dionne@gmail.com>
+Date: Sat, 29 Oct 2011 19:23:07 -0400
+Subject: [PATCH] Linux: 3.1: update RCU path walking detection in permission i_op
+
+The permission() inode operation changed again with kernel 3.1,
+back to the form it had before 2.6.38.  This compiles fine,
+but is missing the new way of detecting when we get called in
+RCU path walking mode, resulting in system hangs.
+
+Reviewed-on: http://gerrit.openafs.org/5740
+Tested-by: BuildBot <buildbot@rampaginggeek.com>
+Reviewed-by: Derrick Brashear <shadow@dementix.org>
+(cherry picked from commit 4952df3f0359531e4a660c99c94c51eb0b169f59)
+
+Change-Id: Ibd497309e6699fb585cf70e618373e800b73cbb8
+Reviewed-on: http://gerrit.openafs.org/6088
+Tested-by: BuildBot <buildbot@rampaginggeek.com>
+Reviewed-by: Derrick Brashear <shadow@dementix.org>
+---
+ src/afs/LINUX/osi_vnodeops.c |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
+index e9215db..696146b 100644
+--- a/src/afs/LINUX/osi_vnodeops.c
++++ b/src/afs/LINUX/osi_vnodeops.c
+@@ -2245,10 +2245,13 @@ afs_linux_permission(struct inode *ip, int mode)
+     cred_t *credp;
+     int tmp = 0;
+ 
++    /* Check for RCU path walking */
+ #if defined(IOP_PERMISSION_TAKES_FLAGS)
+-    /* We don't support RCU path walking */
+     if (flags & IPERM_FLAG_RCU)
+        return -ECHILD;
++#elif defined(MAY_NOT_BLOCK)
++    if (mode & MAY_NOT_BLOCK)
++       return -ECHILD;
+ #endif
+ 
+     credp = crref();
+-- 
+1.7.2.5
+
Index: /trunk/server/common/patches/openafs-linux-3.1-zalloc.patch
===================================================================
--- /trunk/server/common/patches/openafs-linux-3.1-zalloc.patch	(revision 2066)
+++ /trunk/server/common/patches/openafs-linux-3.1-zalloc.patch	(revision 2066)
@@ -0,0 +1,32 @@
+From e7669883d5124f85bad6840a4e8280e4de32f7a5 Mon Sep 17 00:00:00 2001
+From: Marc Dionne <marc.c.dionne@gmail.com>
+Date: Mon, 21 Nov 2011 21:27:06 -0500
+Subject: [PATCH] Linux: make sure backing_dev_info is zeroed
+
+The afs backing_dev_info structure is allocated dynamically
+without zeroing out the contents.  In particular there's no
+guarantee that congested_fn is NULL, causing spurious oopses
+when bdi_congested in the kernel tries to call it.
+
+(adapted from commit 8e97cf6f215d5575c63d86eaec59031399f4beda)
+
+Change-Id: I83755b6bb5ec2fada7e077c00d3d8edf8af1cae4
+---
+ src/afs/LINUX/osi_vfsops.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/src/afs/LINUX/osi_vfsops.c b/src/afs/LINUX/osi_vfsops.c
+index d32720f..0d41bc7 100644
+--- a/src/afs/LINUX/osi_vfsops.c
++++ b/src/afs/LINUX/osi_vfsops.c
+@@ -114,6 +114,7 @@ afs_fill_super(struct super_block *sb, void *data, int silent)
+ 
+     /* used for inodes backing_dev_info field, also */
+     afs_backing_dev_info = osi_Alloc(sizeof(struct backing_dev_info));
++    memset(afs_backing_dev_info, 0, sizeof(struct backing_dev_info));
+ #if defined(HAVE_LINUX_BDI_INIT)
+     bdi_init(afs_backing_dev_info);
+ #endif
+-- 
+1.7.2.5
+
Index: unk/server/common/patches/openafs-numsysnames.patch
===================================================================
--- /trunk/server/common/patches/openafs-numsysnames.patch	(revision 2065)
+++ 	(revision )
@@ -1,11 +1,0 @@
---- openafs-1.4.10/src/afs/afs.h.orig	2009-06-06 21:02:53.000000000 -0400
-+++ openafs-1.4.10/src/afs/afs.h	2009-06-06 21:03:28.000000000 -0400
-@@ -75,7 +75,7 @@
- #define	PIGGYSIZE	1350	/* max piggyback size */
- #define	MAXVOLS		128	/* max vols we can store */
- #define	MAXSYSNAME	128	/* max sysname (i.e. @sys) size */
--#define MAXNUMSYSNAMES	16	/* max that current constants allow */
-+#define MAXNUMSYSNAMES	32	/* max that current constants allow */
- #define	NOTOKTIMEOUT	(2*3600)	/* time after which to timeout conns sans tokens */
- #define	NOPAG		0xffffffff
- #define AFS_NCBRS	300	/* max # of call back return entries */
Index: /trunk/server/common/patches/openafs-scripts.patch
===================================================================
--- /trunk/server/common/patches/openafs-scripts.patch	(revision 2065)
+++ /trunk/server/common/patches/openafs-scripts.patch	(revision 2066)
@@ -4,4 +4,6 @@
 # and Anders Kaseorg <andersk@mit.edu>
 # and Edward Z. Yang <ezyang@mit.edu>
+# and Benjamin Kaduk <kaduk@mit.edu>
+# and Alexander Chernyakhovsky <achernya@mit.edu>
 #
 # This file is available under both the MIT license and the GPL.
@@ -43,59 +45,104 @@
 # See /COPYRIGHT in this repository for more information.
 #
-diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
---- openafs-1.4/src/afs/afs_analyze.c
-+++ openafs-1.4+scripts/src/afs/afs_analyze.c
-@@ -585,7 +585,7 @@
- 			 (afid ? afid->Fid.Volume : 0));
- 	}
- 
--	if (areq->busyCount > 100) {
-+	if (1) {
- 	    if (aerrP)
- 		(aerrP->err_Volume)++;
- 	    areq->volumeError = VOLBUSY;
-diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
---- openafs-1.4/src/afs/LINUX/osi_vnodeops.c
-+++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
-@@ -896,6 +896,28 @@
+diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
+index 7c7705e..0d0e94f 100644
+--- a/src/afs/LINUX/osi_vnodeops.c
++++ b/src/afs/LINUX/osi_vnodeops.c
+@@ -904,6 +904,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags)
  	/* should we always update the attributes at this point? */
  	/* unlikely--the vcache entry hasn't changed */
  
 +	/* [scripts] This code makes hardlinks work correctly.
-+	 *
-+	 * We want Apache to be able to read a file with hardlinks
-+	 * named .htaccess and foo to be able to read it via .htaccess
-+	 * and not via foo, regardless of which name was looked up
-+	 * (remember, inodes do not have filenames associated with them.)
-+	 *
-+	 * It is important that we modify the existing cache entry even
-+	 * if it is otherwise totally valid and would not be reloaded.
-+	 * Otherwise, it won't recover from repeatedly reading the same
-+	 * inode via multiple hardlinks or different names.  Specifically,
-+	 * Apache will be able to read both names if it was first looked
-+	 * up (by anyone!) via .htaccess, and neither if it was first
-+	 * looked up via foo.
-+	 *
-+	 * With regards to performance, the strncmp() is bounded by
-+	 * three characters, so it takes O(3) operations.  If this code
-+	 * is extended to all static-cat extensions, we'll want to do
-+	 * some clever hashing using gperf here.
-+	 */
++	*
++	* We want Apache to be able to read a file with hardlinks
++	* named .htaccess and foo to be able to read it via .htaccess
++	* and not via foo, regardless of which name was looked up
++	* (remember, inodes do not have filenames associated with them.)
++	*
++	* It is important that we modify the existing cache entry even
++	* if it is otherwise totally valid and would not be reloaded.
++	* Otherwise, it won't recover from repeatedly reading the same
++	* inode via multiple hardlinks or different names.  Specifically,
++	* Apache will be able to read both names if it was first looked
++	* up (by anyone!) via .htaccess, and neither if it was first
++	* looked up via foo.
++	*
++	* With regards to performance, the strncmp() is bounded by
++	* three characters, so it takes O(3) operations.  If this code
++	* is extended to all static-cat extensions, we'll want to do
++	* some clever hashing using gperf here.
++	*/
 +	vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
 +
+ 	dput(parent);
      } else {
  #ifdef notyet
- 	pvcp = VTOAFS(dp->d_parent->d_inode);		/* dget_parent()? */
-diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
-@@ -1572,6 +1572,12 @@
+diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c
+index eabcfeb..6390850 100644
+--- a/src/afs/VNOPS/afs_vnop_access.c
++++ b/src/afs/VNOPS/afs_vnop_access.c
+@@ -130,6 +130,15 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
+ 	    dirBits = PRSFS_LOOKUP | PRSFS_READ;
+ 	    return (arights == (dirBits & arights));
+ 	}
++	if ( areq->uid == globalpag &&
++	    !(areq->realuid == avc->f.fid.Fid.Volume) &&
++	    !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
++	    !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
++	    !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
++	    !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
++	    !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
++	    return 0;
++	}
+ 	return (arights == afs_GetAccessBits(avc, arights, areq));
+     } else {
+ 	/* some rights come from dir and some from file.  Specifically, you 
+@@ -183,6 +192,19 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
+ 		    fileBits |= PRSFS_READ;
+ 	    }
+ 	}
++
++	if ( areq->uid == globalpag &&
++	    !(areq->realuid == avc->f.fid.Fid.Volume) &&
++	    !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
++	    !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
++	    !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
++	    !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
++		(avc->f.m.Mode == 0100777 || avc->apache_access)) &&
++	    !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
++	    !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
++	    return 0;
++	}
++
+ 	return ((fileBits & arights) == arights);	/* true if all rights bits are on */
+     }
+ }
+diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
+index b3931e5..71ef05c 100644
+--- a/src/afs/VNOPS/afs_vnop_attrs.c
++++ b/src/afs/VNOPS/afs_vnop_attrs.c
+@@ -88,8 +88,8 @@ afs_CopyOutAttrs(struct vcache *avc, struct vattr *attrs)
+ 	}
+     }
+ #endif /* AFS_DARWIN_ENV */
+-    attrs->va_uid = fakedir ? 0 : avc->f.m.Owner;
+-    attrs->va_gid = fakedir ? 0 : avc->f.m.Group;	/* yeah! */
++    attrs->va_uid = fakedir ? 0 : avc->f.fid.Fid.Volume;
++    attrs->va_gid = (avc->f.m.Owner == DAEMON_SCRIPTS_PTSID ? avc->f.m.Group : avc->f.m.Owner);
+ #if defined(AFS_SUN56_ENV)
+     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
+ #elif defined(AFS_DARWIN80_ENV)
+diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c
+index 8e7af1c..7e984e9 100644
+--- a/src/afs/VNOPS/afs_vnop_lookup.c
++++ b/src/afs/VNOPS/afs_vnop_lookup.c
+@@ -1877,6 +1877,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr
      }
  
    done:
 +    if (tvc) {
-+	/* [scripts] check Apache's ability to read this file, so that
-+	 * we can figure this out on an access() call */
-+	tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
++    /* [scripts] check Apache's ability to read this file, so that
++    * we can figure this out on an access() call */
++    tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
 +    }
 +
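Review bot: The two deny checks added to afs_AccessOK (the directory/foreign branch and the file branch) carry no comment saying what each `!(...)` exemption is meant to permit, although together they are the whole access policy for requests that run under `globalpag`. The two branches already differ (the directory one lets HTTPD_UID and POSTFIX_UID through for any subset of LOOKUP|READ, the file one only for exactly LOOKUP, plus READ for httpd on mode 0100777 or `apache_access` files), so a reader cannot tell which differences are intended. I would put a comment above each, e.g. `/* [scripts] global-PAG requests are denied unless: uid == volume ID, rights already in anyAccess, httpd/postfix lookup/read, or root/signup holding the USR3/USR4 bit */`, and consider moving the shared clauses into one static helper so they cannot drift apart. The same comment should say that `apache_access` comes from a three-byte prefix test and therefore covers every name beginning with `.ht`. afs_AccessOK starts and ends outside the lines shown here.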
@@ -103,10 +150,11 @@
      if (tname != aname && tname)
  	osi_FreeLargeSpace(tname);
-diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
---- openafs-1.4/src/afs/afs.h
-+++ openafs-1.4+scripts/src/afs/afs.h
-@@ -208,8 +208,16 @@
- #define QTOC(e)	    QEntry(e, struct cell, lruq)
- #define QTOVH(e)    QEntry(e, struct vcache, vhashq)
+diff --git a/src/afs/afs.h b/src/afs/afs.h
+index fcc4c70..0d53af6 100644
+--- a/src/afs/afs.h
++++ b/src/afs/afs.h
+@@ -233,8 +233,16 @@ struct afs_slotlist {
+     struct afs_slotlist *next;
+ };
  
 +#define AFSAGENT_UID (101)
@@ -123,7 +171,7 @@
      afs_int32 flags;		/* things like O_SYNC, O_NONBLOCK go here */
      char initd;			/* if non-zero, Error fields meaningful */
-@@ -743,6 +751,7 @@
+@@ -887,6 +895,7 @@ struct vcache {
  #ifdef AFS_SUN5_ENV
-     short multiPage;		/* count of multi-page getpages in progress */
+     struct afs_q multiPage;	/* list of multiPage_range structs */
  #endif
 +    int apache_access;		/* whether or not Apache has access to a file */
@@ -131,8 +179,22 @@
  
  #define	DONT_CHECK_MODE_BITS	0
-diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
---- openafs-1.4/src/afs/afs_osi_pag.c
-+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c
-@@ -49,6 +49,8 @@
+diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c
+index 1834e6d..673a8e6 100644
+--- a/src/afs/afs_analyze.c
++++ b/src/afs/afs_analyze.c
+@@ -368,7 +368,7 @@ afs_Analyze(struct afs_conn *aconn, afs_int32 acode,
+ 			 (afid ? afid->Fid.Volume : 0));
+ 	}
+ 
+-	if (areq->busyCount > 100) {
++	if (1) {
+ 	    if (aerrP)
+ 		(aerrP->err_Volume)++;
+ 	    areq->volumeError = VOLBUSY;
+diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c
+index c888605..ff5cf2d 100644
+--- a/src/afs/afs_osi_pag.c
++++ b/src/afs/afs_osi_pag.c
+@@ -49,6 +49,8 @@ afs_uint32 pagCounter = 0;
  #endif
  /* Local variables */
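Review bot: The relocated afs_analyze.c section still turns `if (areq->busyCount > 100)` into a bare `if (1)` with nothing explaining why. From the visible lines the effect is that `areq->volumeError = VOLBUSY` is set on every pass through this path rather than after a retry threshold, which looks deliberate but reads like leftover debugging. A one-line comment such as `/* [scripts] do not retry busy volumes; report VOLBUSY immediately */` would record the intent, if that is indeed it. The rest of afs_Analyze is outside the hunk.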
@@ -143,14 +205,14 @@
   * Pags are implemented as follows: the set of groups whose long
   * representation is '41XXXXXX' hex are used to represent the pags.
-@@ -449,6 +451,15 @@
- 	av->uid = acred->cr_ruid;	/* default when no pag is set */
+@@ -484,6 +486,15 @@ afs_InitReq(struct vrequest *av, afs_ucred_t *acred)
+ 	av->uid = afs_cr_uid(acred);	/* default when no pag is set */
  #endif
      }
 +
-+    av->realuid = acred->cr_ruid;
-+    if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
++    av->realuid = afs_cr_uid(acred);
++    if(!globalpag && av->realuid == AFSAGENT_UID) {
 +      globalpag = av->uid;
 +    }
-+    else if (globalpag && av->uid == acred->cr_ruid) {
++    else if (globalpag && av->uid == av->realuid) {
 +      av->uid = globalpag;
 +    }
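Review bot: `av->realuid = afs_cr_uid(acred);` replaces the old `acred->cr_ruid`, and if `afs_cr_uid` is the filesystem-uid accessor on Linux (as I believe it is, with `afs_cr_ruid` returning the real uid), the field no longer holds what its name says. Every scripts check in this patch keys off that value: the `realuid` comparisons in afs_AccessOK and the guards in PSetAcl, PGetTokens and PUnlog. A process whose fsuid differs from its real uid would therefore be classified differently than under the previous patch. Unless the switch is intended, I would keep the old meaning with `av->realuid = afs_cr_ruid(acred);`, or add a comment stating why the fsuid is the right identity here. afs_InitReq starts outside the hunk.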
@@ -159,13 +221,14 @@
  }
  
-diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
---- openafs-1.4/src/afs/afs_pioctl.c
-+++ openafs-1.4+scripts/src/afs/afs_pioctl.c
-@@ -1221,6 +1221,10 @@
-     struct AFSFetchStatus OutStatus;
+diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
+index f282510..00f1360 100644
+--- a/src/afs/afs_pioctl.c
++++ b/src/afs/afs_pioctl.c
+@@ -1406,6 +1406,10 @@ DECL_PIOCTL(PSetAcl)
+     struct rx_connection *rxconn;
      XSTATS_DECLS;
  
 +    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
-+      return EACCES;
++       return EACCES;
 +    }
 +
@@ -173,5 +236,5 @@
      if (!avc)
  	return EINVAL;
-@@ -1441,6 +1445,10 @@
+@@ -1790,6 +1794,10 @@ DECL_PIOCTL(PSetTokens)
      struct vrequest treq;
      afs_int32 flag, set_parent_pag = 0;
@@ -184,18 +247,19 @@
      if (!afs_resourceinit_flag) {
  	return EIO;
-@@ -1800,6 +1808,10 @@
-     afs_int32 iterator;
+@@ -2231,6 +2239,11 @@ DECL_PIOCTL(PGetTokens)
      int newStyle;
+     int code = E2BIG;
  
 +    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
-+	areq->realuid != 0 && areq->realuid != SIGNUP_UID)
++	areq->realuid != 0 && areq->realuid != SIGNUP_UID) {
 +	return EDOM;
++    }
 +
      AFS_STATCNT(PGetTokens);
      if (!afs_resourceinit_flag)	/* afs daemons haven't started yet */
  	return EIO;		/* Inappropriate ioctl for device */
-@@ -1883,6 +1895,10 @@
-     register afs_int32 i;
-     register struct unixuser *tu;
+@@ -2341,6 +2354,10 @@ DECL_PIOCTL(PUnlog)
+     afs_int32 i;
+     struct unixuser *tu;
  
 +    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
@@ -206,57 +270,2 @@
      if (!afs_resourceinit_flag)	/* afs daemons haven't started yet */
  	return EIO;		/* Inappropriate ioctl for device */
-diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
-@@ -118,6 +118,17 @@
- 
-     if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
- 	/* rights are just those from acl */
-+
-+      if ( areq->uid == globalpag &&
-+           !(areq->realuid == avc->fid.Fid.Volume) &&
-+           !((avc->anyAccess | arights) == avc->anyAccess) &&
-+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
-+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
-+           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
-+           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
-+         return 0;
-+      }
-+
- 	return (arights == afs_GetAccessBits(avc, arights, areq));
-     } else {
- 	/* some rights come from dir and some from file.  Specifically, you 
-@@ -171,6 +182,19 @@
- 		    fileBits |= PRSFS_READ;
- 	    }
- 	}
-+	
-+        if ( areq->uid == globalpag &&
-+             !(areq->realuid == avc->fid.Fid.Volume) &&
-+             !((avc->anyAccess | arights) == avc->anyAccess) &&
-+             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
-+             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
-+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
-+                 (avc->m.Mode == 0100777 || avc->apache_access)) &&
-+             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
-+             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
-+           return 0;
-+        }
-+
- 	return ((fileBits & arights) == arights);	/* true if all rights bits are on */
-     }
- }
-diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
-@@ -87,8 +87,8 @@
- 	}
-     }
- #endif /* AFS_DARWIN_ENV */
--    attrs->va_uid = fakedir ? 0 : avc->m.Owner;
--    attrs->va_gid = fakedir ? 0 : avc->m.Group;	/* yeah! */
-+    attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;
-+    attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);
- #if defined(AFS_SUN56_ENV)
-     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
- #elif defined(AFS_OSF_ENV)
Index: /trunk/server/common/patches/openafs-systemd-crond.patch
===================================================================
--- /trunk/server/common/patches/openafs-systemd-crond.patch	(revision 2066)
+++ /trunk/server/common/patches/openafs-systemd-crond.patch	(revision 2066)
@@ -0,0 +1,17 @@
+diff --git a/src/packaging/RedHat/openafs-client.service b/src/packaging/RedHat/openafs-client.service
+index bc95057..9627280 100644
+--- a/src/packaging/RedHat/openafs-client.service
++++ b/src/packaging/RedHat/openafs-client.service
+@@ -1,5 +1,6 @@
+ [Unit]
+ Description=OpenAFS Client Service
++Before=crond.service
+ After=syslog.target network.target
+ 
+ [Service]
+@@ -15,4 +16,4 @@ ExecStop=/sbin/rmmod openafs
+ KillMode=none
+ 
+ [Install]
+-WantedBy=multi-user.target
++WantedBy=multi-user.target crond.service
Index: /trunk/server/common/patches/openafs-systemd.patch
===================================================================
--- /trunk/server/common/patches/openafs-systemd.patch	(revision 2066)
+++ /trunk/server/common/patches/openafs-systemd.patch	(revision 2066)
@@ -0,0 +1,51 @@
+diff --git a/src/packaging/RedHat/openafs-client.modules b/src/packaging/RedHat/openafs-client.modules
+new file mode 100644
+index 0000000..055d117
+--- /dev/null
++++ b/src/packaging/RedHat/openafs-client.modules
+@@ -0,0 +1,4 @@
++#!/bin/sh
++
++# Load the OpenAFS kernel module at boot
++exec /sbin/modprobe openafs
+diff --git a/src/packaging/RedHat/openafs-client.service b/src/packaging/RedHat/openafs-client.service
+new file mode 100644
+index 0000000..bc95057
+--- /dev/null
++++ b/src/packaging/RedHat/openafs-client.service
+@@ -0,0 +1,18 @@
++[Unit]
++Description=OpenAFS Client Service
++After=syslog.target network.target
++
++[Service]
++Type=forking
++EnvironmentFile=/etc/sysconfig/openafs
++ExecStartPre=/bin/sed -n 'w/usr/vice/etc/CellServDB' /usr/vice/etc/CellServDB.local /usr/vice/etc/CellServDB.dist
++ExecStartPre=/bin/chmod 0644 /usr/vice/etc/CellServDB
++ExecStartPre=/sbin/modprobe openafs
++ExecStart=/usr/vice/etc/afsd $AFSD_ARGS
++ExecStop=/bin/umount /afs
++ExecStop=/usr/vice/etc/afsd -shutdown
++ExecStop=/sbin/rmmod openafs
++KillMode=none
++
++[Install]
++WantedBy=multi-user.target
+diff --git a/src/packaging/RedHat/openafs-server.service b/src/packaging/RedHat/openafs-server.service
+new file mode 100644
+index 0000000..2d34bb0
+--- /dev/null
++++ b/src/packaging/RedHat/openafs-server.service
+@@ -0,0 +1,11 @@
++[Unit]
++Description=OpenAFS Server Service
++After=syslog.target network.target
++
++[Service]
++EnvironmentFile=-/etc/sysconfig/openafs
++ExecStart=/usr/afs/bin/bosserver $BOSSERVER_ARGS
++ExecStop=/usr/bin/bos shutdown localhost -wait -localauth
++
++[Install]
++WantedBy=multi-user.target
Index: /trunk/server/common/patches/rubygems-rails-require-thread.patch
===================================================================
--- /trunk/server/common/patches/rubygems-rails-require-thread.patch	(revision 2066)
+++ /trunk/server/common/patches/rubygems-rails-require-thread.patch	(revision 2066)
@@ -0,0 +1,13 @@
+--- a/lib/rubygems.rb.orig	2011-11-04 14:20:28.000000000 -0400
++++ b/lib/rubygems.rb	2011-11-04 14:22:00.000000000 -0400
+@@ -30,6 +30,10 @@
+ require 'rbconfig'
+ require "rubygems/deprecate"
+ 
++# HACK: this is here just for rails, see
++# http://stackoverflow.com/questions/5176782/uninitialized-constant-activesupportdependenciesmutex-nameerror
++require "thread"
++
+ ##
+ # RubyGems is the Ruby standard for publishing and managing third party
+ # libraries.
Index: /trunk/server/doc/install-fedora
===================================================================
--- /trunk/server/doc/install-fedora	(revision 2065)
+++ /trunk/server/doc/install-fedora	(revision 2066)
@@ -6,4 +6,42 @@
     lvcreate -n $MACHINE-root --size 50.00G $HOST
     lvcreate -n $MACHINE-swap --size 10.00G $HOST
+    lvcreate -n $MACHINE-cache --size 11.00G $HOST
+
+/-------------------------------------------------------------------\
+    Note: If you need to manually format the the swap and cache
+    partitions (for example, you are migrating a host from 'migrate'),
+    these commands should work.  If in doubt, consult the kickstart.
+
+        # Use fdisk to generate a DOS partition table, and a single
+        # partition extending the entire volume.
+        fdisk /dev/$HOST/$MACHINE-swap
+        fdisk /dev/$HOST/$MACHINE-cache
+        # Figure out what kpartx is going to make the devices as
+        # (e.g. $SWAP_DEV and $CACHE_DEV)
+        kpartx -l /dev/$HOST/$MACHINE-swap
+        kpartx -l /dev/$HOST/$MACHINE-cache
+        # Read out the partition tables
+        kpartx -a /dev/$HOST/$MACHINE-swap
+        kpartx -a /dev/$HOST/$MACHINE-cache
+
+        # FORMAT!
+        mkswap $SWAP_DEV
+        mkfs.ext4 -O ^has_journal -m 0 -N 1000000 $CACHE_DEV
+
+        # Remove the devices
+        kpartx -d /dev/$HOST/$MACHINE-swap
+        kpartx -d /dev/$HOST/$MACHINE-cache
+\-------------------------------------------------------------------/
+
+Make sure that the console has an entry for this host:
+
+    vim /etc/conserver/conserver.cf
+
+If it doesn't, add:
+
+    console $MACHINE {
+        master $HOST;
+        include xen;
+    }
 
 We use Kickstart to to initial Fedora configuration.  Installing a new
Index: /trunk/server/doc/install-howto.sh
===================================================================
--- /trunk/server/doc/install-howto.sh	(revision 2065)
+++ /trunk/server/doc/install-howto.sh	(revision 2066)
@@ -7,22 +7,6 @@
 # [WIZARD]     Semi-production server that will only have
 #              daemon.scripts-security-upd bits, among other
-#              restricted permissions bits, among other
-#              restricted permissions bits, among other
-#              restricted permissions bits, among other
 #              restricted permissions
 # [TESTSERVER] Completely untrusted server
-
-set -e -x
-
-# Some commands should be run as the scripts-build user, not root.
-
-alias asbuild="sudo -u scripts-build"
-
-# Old versions of this install document advised setting
-# NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using
-# yum, warning that useradd will query LDAP in a stupid way that makes
-# it hang forever.  As of Fedora 13, this does not seem to be a problem,
-# so it's been removed from the instructions.  If an install is hanging,
-# though, try adding NSS_NONLOCAL_IGNORE.
 
 # This is actually just "pick an active scripts server".  It can't be
@@ -41,64 +25,7 @@
 server=YOUR-SERVER-NAME-HERE
 
-# Start with a Scripts kickstarted install of Fedora (install-fedora)
-
-# Take updates, reboot if there's a kernel update.
-    yum update -y
-
-# Get rid of network manager
-    yum remove NetworkManager
-
-# Copy over root's dotfiles from one of the other machines.
-# Perhaps a useful change is to remove the default aliases
-    cd /root
-    ls -l .bashrc
-    ls -l .screenrc
-    ls -l .ssh
-    ls -l .vimrc
-    ls -l .k5login
-    # [PRODUCTION] This rc file has sensitive data on it and should only
-    # be pushed onto production servers.
-    ls -l .ldapvirc
-    # Trying to scp from server to server won't work, as scp
-    # will attempt to negotiate a server-to-server connection.
-    # Instead, scp to your trusted machine as a temporary file,
-    # and then push to the other server
-scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} .
-scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
-# [PRODUCTION]
-scp root@$source_server:~/.ldapvirc .
-scp .ldapvirc root@$server:~
-
-# Install the initial set of credentials (to get Kerberized logins once
-# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
-#   o Install the machine keytab.
-    ls -l /etc/krb5.keytab
-#     Use ktutil to combine the host/scripts.mit.edu and
-#     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
-#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
-#     or you'll break the other servers. (real servers only).  Be
-#     careful about writing out the keytab: if you write it to an
-#     existing file the keys will just get appended.  The correct
-#     credential list should look like:
-#       ktutil:  l
-#       slot KVNO Principal
-#       ---- ---- ---------------------------------------------------------------------
-#          1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
-#          2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
-#          3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
-#   o [PRODUCTION] Replace the ssh host keys with the ones common to all
-#     scripts servers (real servers only)
-    ls -l /etc/ssh/*key*
-#     You can do that with:
-scp root@$source_server:/etc/ssh/*key* .
-scp *key* root@$server:/etc/ssh/
-    service sshd reload
-
-# Check out the scripts /etc configuration
-    # backslash to make us not use the alias
-    cd /root
-    \cp -a etc /
-    chmod 0440 /etc/sudoers
-
+# ----------------------------->8--------------------------------------
+#                       FIRST TIME INSTRUCTIONS
+#
 # [PRODUCTION] If this is the first time you've installed this hostname,
 # you will need to update a bunch of files to add support for it. These
@@ -120,24 +47,49 @@
 #   o Set up Nagios monitoring on sipb-noc for the host
 #   o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf
-    XXX TODO COMMANDS
-
-# NOTE: You will have just lost DNS resolution and the ability
-# to do password SSH in.  If you managed to botch this step without
-# having named setup, you can do a quick fix by frobbing /etc/resolv.conf
-# with a non 127.0.0.1 address for the DNS server.  Be sure to revert it once
-# you have named.
-
-# NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow
-# password auth) and /etc/pam.d/sshd (comment out the first three auth
-# lines).  However, you should have the Kerberos credentials in place
-# so as soon as you install the full set of Scripts packages, you'll get
-# Kerberized logins.
-
-# Make sure network is working.  If this is a new server name, you'll
-# need to add it to /etc/hosts and
-# /etc/sysconfig/network-scripts/route-eth1.  Kickstart should have
+#   o Update locker/etc/known_hosts
+#
+# You will also need to prepare the keytabs for credit-card.  In particular,
+# use ktutil to combine the host/scripts.mit.edu and
+# host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
+# the keytab.  Do not use 'k5srvutil change' on the combined keytab
+# or you'll break the other servers. (real servers only).  Be
+# careful about writing out the keytab: if you write it to an
+# existing file the keys will just get appended.  The correct
+# credential list should look like:
+#   ktutil:  l
+#   slot KVNO Principal
+#   ---- ---- ---------------------------------------------------------------------
+#      1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
+#      2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
+#      3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
+#
+# The LDAP keytab should be by itself, so be sure to delete it and
+# put it in its own file.
+
+# ----------------------------->8--------------------------------------
+#                      INFINITE INSTALLATION
+
+# Start with a Scripts kickstarted install of Fedora (install-fedora)
+
+# Take updates, reboot if there's a kernel update.
+    yum update -y
+
+# Get rid of network manager (XXX figure out to make kickstarter do
+# this for us)
+    yum remove NetworkManager
+
+# Make sure sendmail isn't installed
+    yum remove sendmail
+
+# Check out the scripts /etc configuration
+    cd /root
+    \cp -a etc /
+    chmod 0440 /etc/sudoers
+
+# Make sure network is working.  Kickstart should have
 # configured eth0 and eth1 correctly; use service network restart
-# to add the new routes in route-eth1.
-    service network restart
+# to add the new routes from etc in route-eth1.
+    systemctl restart network.service
+    # Check everything worked:
     route
     ifconfig
@@ -151,28 +103,10 @@
     # Some of these packages are naughty and clobber some of our files
     cd /etc
-    svn revert resolv.conf hosts sysconfig/openafs
+    svn revert resolv.conf hosts sysconfig/openafs nsswitch.conf
 
 # Replace rsyslog with syslog-ng by doing:
     rpm -e --nodeps rsyslog
     yum install -y syslog-ng
-    chkconfig syslog-ng on
-
-# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
-# mapping.
-    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
-    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
-
-# [TESTSERVER] If you're installing a test server, this needs to be
-# much smaller; the max filesize on XVM is 10GB.  Pick something like
-# 500000. Also, some of the AFS parameters are kind of retarded (and if
-# you're low on disk space, will actually exhaust our inodes).  Edit
-# these parameters in /etc/sysconfig/openafs
-    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
-    XXX TODO COMMANDS
-
-# Test that zephyr is working
-    chkconfig zhm on
-    service zhm start
-    echo 'Test!' | zwrite -d -c scripts -i test
+    systemctl enable syslog-ng.service
 
 # Install the full list of RPMs that users expect to be on the
@@ -184,7 +118,4 @@
 # it can't install /one/ package.
     yum install -y --skip-broken $(cat packages.txt)
-
-# Make sure sendmail isn't installed
-    yum remove sendmail
 
 # Check which packages are installed on your new server that are not
@@ -204,5 +135,5 @@
 # explicit versions.  So temporarily rpm -e the package, and then
 # install it again after you install haskell-platform.  [Note: You
-# probably won't need this in Fedora 15 or something, when the Haskell
+# probably won't need this in Fedora 17 or something, when the Haskell
 # Platform gets updated.]
     rpm -e ghc-cgi-devel ghc-cgi
@@ -212,7 +143,14 @@
     rpm -i ghc-cgi*1.8.1*.rpm
 
-# Check out the scripts /usr/vice/etc configuration
-    cd /root/vice
-    \cp -a etc /usr/vice
+# ----------------------------->8--------------------------------------
+#                      SPHEROID SHENANIGANS
+
+# Note: Since ultimately we'd like to move away from using per-language
+# package manager and all of these be RPMs, it is of questionable
+# importance how much /good/ automation for these is necessary.
+
+# Warning: For a new release, we're supposed to check if Fedora has
+# packaged up the RPM.  Unfortunately we don't really have good incants
+# for this.
 
 # Install the full list of perl modules that users expect to be on the
@@ -242,12 +180,18 @@
 #   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
 #   easier.)
-cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
+# 'easy_install AuthKit jsonlib2 pygit'
+cat /usr/lib/python2.7/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
     cat egg.txt | xargs easy_install -Z
+
 # - Look at `gem list` for Ruby gems.
 #   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
 #       ezyang: rspec-rails depends on rspec, and will override the Yum
 #       package, so... don't use that RPM yet
+# XXX This doesn't do the right thing for old version gems
 gem list --no-version > gem.txt
     gem install $(gem list --no-version | grep -Fxvf - gem.txt)
+    # Also, we need to install the old rails version
+    gem install -v=2.3.5 rails
+
 # - Look at `pear list` for Pear fruits (or whatever they're called).
 #   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
@@ -258,4 +202,5 @@
     pear channel-update pear.php.net
     pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt)
+
 # - Look at `pecl list` for PECL things.  'yum search', and if you must,
 #   'pecl install' needed items. If it doesn't work, try 'pear install
@@ -264,43 +209,121 @@
     pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
 
-# Setup some Python config
-    echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
-
-# [PRODUCTION] Install the credentials.  There are a lot of things to
-# remember here.  Be sure to make sure the permissions match up (ls -l
-# on an existing server!).
-scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
-scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
-scp scripts.key root@$server:/etc/pki/tls/private
-scp .k5login root@$server:/home/logview
-#   o The SSL cert private key (real servers only)
-    ls -l /etc/pki/tls/private/scripts.key
-#   o The LDAP password for the signup process (real servers only)
-    ls -l /etc/signup-ldap-pw
-#   o The whoisd password (real servers only)
-    ls -l /etc/whoisd-password
-#   o Make sure logview's .k5login is correct (real servers only)
-    cat /home/logview/.k5login
-
-# All types of servers will have an /etc/daemon.keytab file, however,
-# different types of server will have different credentials in this
-# keytab.
-#   [PRODUCTION] daemon.scripts
-#   [WIZARD]     daemon.scripts-security-upd
-#   [TESTSERVER] daemon.scripts-test
-k5srvutil list -f daemon.keytab
-scp daemon.keytab root@$server:/etc
-    chown afsagent:afsagent /etc/daemon.keytab
-#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
-    ls -l /etc/daemon.keytab
-
-# Spin up OpenAFS.  This will fail if there's been a new kernel since
-# when you last tried.  In that case, you can hold on till later to
-# start OpenAFS.  This will take a little bit of time; 
-    service openafs-client start
-# Then, check that fs sysname is correct.  You should see, among others,
-# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
-# probably did a distro upgrade and should update /etc/sysconfig/openafs.
+# ----------------------------->8--------------------------------------
+#                       INFINITE CONFIGURATION
+
+# Create fedora-ds user (needed for credit-card)
+useradd -u 103 -r -d /var/lib/dirsrv fedora-ds
+
+# Run credit-card to clone in credentials and make things runabble
+python host.py push $server
+
+# This is superseded by credit-card, but only for [PRODUCTION]
+# Don't use credit-card on [WIZARD]: it will put in the wrong creds!
+#
+#   # All types of servers will have an /etc/daemon.keytab file, however,
+#   # different types of server will have different credentials in this
+#   # keytab.
+#   #   [PRODUCTION] daemon.scripts
+#   #   [WIZARD]     daemon.scripts-security-upd
+#   #   [TESTSERVER] daemon.scripts-test
+
+# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
+# mapping.
+    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
+    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
+# [TESTSERVER] If you're installing a test server, this needs to be
+# much smaller; the max filesize on XVM is 10GB.  Pick something like
+# 500000. Also, some of the AFS parameters are kind of retarded (and if
+# you're low on disk space, will actually exhaust our inodes).  Edit
+# these parameters in /etc/sysconfig/openafs (but wait, that won't
+# work, will it...)
+    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
+    vim /etc/sysconfig/openafs
+
+# Test that zephyr is working
+    systemctl enable zhm.service
+    systemctl start zhm.service
+    echo 'Test!' | zwrite -d -c scripts -i test
+
+# Check out the scripts /usr/vice/etc configuration
+    cd /root/vice
+    \cp -a etc /usr/vice
+
+# [PRODUCTION] Set up replication (see ./install-ldap).
+# You'll need the LDAP keytab for this server: be sure to chown it
+# fedora-ds after you create the fedora-ds user
+    ls -l /etc/dirsrv/keytab
+    cat install-ldap
+
+# Enable lots of services
+    systemctl enable openafs-client.service
+    systemctl enable dirsrv.service
+    systemctl enable nslcd.service
+    systemctl enable nscd.service
+    systemctl enable postfix.service
+    systemctl enable nrpe.service
+    systemctl enable httpd.service # not for [WIZARD]
+
+    systemctl start openafs-client.service
+    systemctl start dirsrv.service
+    systemctl start nslcd.service
+    systemctl start nscd.service
+    systemctl start postfix.service
+    systemctl start nrpe.service
+    systemctl start httpd.service # not for [WIZARD]
+
+# Note about OpenAFS: Check that fs sysname is correct.  You should see,
+# among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's
+# not, you probably did a distro upgrade and should update
+# /etc/sysconfig/openafs (XXX this is wrong: figuring out new
+# systemd world order).
     fs sysname
+
+# Postfix doesn't actually deliver mail; fix this
+    cd /etc/postfix
+    postmap virtual
+
+# Munin might not be monitoring packages that were installed after it
+    munin-node-configure --suggest --shell | sh
+
+# Run fmtutil-sys --all, which does something that makes TeX work.
+# (Note: this errors on XeTeX which is ok.)
+    fmtutil-sys --all
+
+# Ensure that PHP isn't broken:
+    mkdir /tmp/sessions
+    chmod 01777 /tmp/sessions
+    # XXX: this seems to get deleted if tmp gets cleaned up, so we
+    # might need something a little better (maybe init script.)
+
+# Fix etc by making sure none of our config files got overwritten
+    cd /etc
+    svn status -q
+    # Some usual candidates for clobbering include nsswitch.conf,
+    # resolv.conf and sysconfig/openafs
+    # [WIZARD/TEST] Remember that changes you made should not get
+    # reverted!
+
+# Reboot the machine to restore a consistent state, in case you
+# changed anything. (Note: Starting kdump fails (this is ok))
+
+# When all is said and done, fix up the Subversion checkouts
+    cd /etc
+    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
+    cd /usr/vice/etc
+    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
+    cd /srv/repository
+    # Some commands should be run as the scripts-build user, not root.
+    alias asbuild="sudo -u scripts-build"
+    asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
+    asbuild svn up # verify scripts.mit.edu works
+
+# ------------------------------->8-------------------------------
+#                ADDENDA AND MISCELLANEOUS THINGS
+
+# [OPTIONAL] Your machine's hostname is baked in at install time;
+# in the rare case you need to change it: it appears to be in:
+#   o /etc/sysconfig/network
+#   o your lvm thingies; probably don't need to edit
 
 # [WIZARD/TESTSERVER] If you are setting up a non-production server,
@@ -337,75 +360,4 @@
     vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
 
-# [PRODUCTION] Set up replication (see ./install-ldap).
-# You'll need the LDAP keytab for this server: be sure to chown it
-# fedora-ds after you create the fedora-ds user
-    ls -l /etc/dirsrv/keytab
-    cat install-ldap
-
-# Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
-# boot. Run chkconfig to make sure the set of services to be run is
-# correct.
-    service nslcd start
-    service nscd start
-    service postfix start
-    chkconfig nslcd on
-    chkconfig nscd on
-    chkconfig postfix on
-
-# [PRODUCTION]
-    chkconfig dirsrv on
-
-# [PRODUCTION/TESTSERVER]
-# (Maybe WIZARD too once we start doing strange things to autoupgrade
-# installs behind firewalls.)
-    service httpd start # will fail if AFS is not running
-    chkconfig httpd on
-
-# nrpe is required for nagios alerts
-    chkconfig nrpe on
-
-# [PRODUCTION] Check sql user credentials (needs to be done after LDAP
-# is setup)
-    chown sql /etc/sql-mit-edu.cfg.php
-
-# Postfix doesn't actually deliver mail; fix this
-    cd /etc/postfix
-    postmap virtual
-
-# Munin might not be monitoring packages that were installed after it
-    munin-node-configure --suggest --shell | sh
-
-# Run fmtutil-sys --all, which does something that makes TeX work.
-# (Note: this errors on XeTeX which is ok.)
-    fmtutil-sys --all
-
-# Ensure that PHP isn't broken:
-    mkdir /tmp/sessions
-    chmod 01777 /tmp/sessions
-    # XXX: this seems to get deleted if tmp gets cleaned up, so we
-    # might need something a little better (maybe init script.)
-
-# Ensure fcgid isn't broken (should be 755)
-    ls -ld /var/run/mod_fcgid
-
-# Fix etc by making sure none of our config files got overwritten
-    cd /etc
-    svn status -q
-    # Some usual candidates for clobbering include nsswitch.conf and
-    # sysconfig/openafs
-    # [WIZARD/TEST] Remember that changes you made should not get
-    # reverted!
-
-# ThisCell got clobbered, replace it with athena.mit.edu
-    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
-
-# Reboot the machine to restore a consistent state, in case you
-# changed anything. (Note: Starting kdump fails (this is ok))
-
-# [OPTIONAL] Your machine's hostname is baked in at install time;
-# in the rare case you need to change it: it appears to be in:
-#   o /etc/sysconfig/network
-#   o your lvm thingies; probably don't need to edit
-
 # [TESTERVER]
 #   - You need a self-signed SSL cert or Apache will refuse to start
@@ -420,12 +372,2 @@
 #     be an accepted vhost name
 #   - Look at the old test server and see what config changes are floating around
-
-# XXX: our SVN checkout should be updated to use scripts.mit.edu
-# (repository and etc) once serving actually works.
-    cd /etc
-    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
-    cd /usr/vice/etc
-    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
-    cd /srv/repository
-    asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
-    asbuild svn up # verify scripts.mit.edu works
Index: /trunk/server/doc/install-ldap
===================================================================
--- /trunk/server/doc/install-ldap	(revision 2065)
+++ /trunk/server/doc/install-ldap	(revision 2066)
@@ -1,34 +1,38 @@
-To set up a new LDAP server:
-
-- Install the RPM 389-ds-base with yum (these are installed by kickstart
-  these days, so these two steps are probably not necessary)
-  root# yum install -y 389-ds-base
-  root# yum install -y policycoreutils-python
-  root# yum install -y ldapvi
-- We want to run the directory server as its own user, so create fedora-ds
-  root# useradd -r -d /var/lib/dirsrv fedora-ds
-- Temporarily move away the existing slapd-scripts folder
-  root# mv /etc/dirsrv/slapd-scripts{,.bak}
-- root# /usr/sbin/setup-ds.pl
-    - Choose a typical install
-    - Tell it to use the fedora-ds user and group
-    - Directory server identifier: scripts
-        Needed to remove this from the config file first
-    - Suffix: dc=scripts,dc=mit,dc=edu
-    - Input directory manager password
-      (this can be found in  ~/.ldapvirc)
-- Move the schema back
-  root# cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts
-  root# rm -Rf /etc/dirsrv/slapd-scripts.bak
-- Turn dirsrv off: service dirsrv stop
-- Apply the following configuration changes.  If you're editing
-  dse.ldif, you don't want dirsrv to be on, otherwise it will
-  overwrite your changes. [XXX: show how to do these changes with
-  dsconf, which is the "blessed" method]
+# To set up a new LDAP server:
+
+# Temporarily move away the existing slapd-scripts folder
+mv /etc/dirsrv/slapd-scripts{,.bak}
+
+# Setup directory server
+/usr/sbin/setup-ds.pl
+#   - Choose a typical install
+#   - Tell it to use the fedora-ds user and group
+#   - Directory server identifier: scripts
+#   - Suffix: dc=scripts,dc=mit,dc=edu
+#   - Input directory manager password
+#     (this can be found in  ~/.ldapvirc)
+
+# Move the schema back
+cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts
+rm -Rf /etc/dirsrv/slapd-scripts.bak
+
+# Turn dirsrv off:
+systemctl stop dirsrv.service
+
+# Apply the following configuration changes.  If you're editing
+# dse.ldif, you don't want dirsrv to be on, otherwise it will
+# overwrite your changes. [XXX: show how to do these changes with
+# dsconf, which is the "blessed" method, although it seems
+# dsconf only exists for Red Hat]
+
+vim /etc/dirsrv/slapd-scripts/dse.ldif
+<<<EOF
 
 # Inside cn=config.  These changes definitely require a restart.
-nsslapd-ldapifilepath: /var/run/slapd-scripts.socket
 nsslapd-ldapilisten: on
 nsslapd-syntaxcheck: off
+
+# We need to turn off syntax check because our schema is wrong and too
+# restrictive on some value. This should get fixed.
 
 # Add these blocks
@@ -46,11 +50,12 @@
 nsSaslMapFilterTemplate: (objectClass=posixAccount)
 
-- Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab.  Make
-  sure you chown/chgrp it to be readable by fedora-ds
-- Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
-- chown fedora-ds:fedora-ds /var/run/dirsrv
-- chown fedora-ds /etc/dirsrv/keytab
-- /sbin/service dirsrv start
-- Use ldapvi -b cn=config to add these indexes (8 of them):
+EOF;
+
+systemctl start dirsrv.service
+
+ldapvi -b cn=config
+# Add these indexes (8 of them):
+
+<<<EOF
 
 add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
@@ -117,4 +122,6 @@
 nsIndexType: eq
 nsIndexType: pres
+
+EOF;
 
 - Build the indexes for all the fields:
@@ -181,4 +188,8 @@
 
   Here's how you do it.
+
+  NOTE: There's this spiffy new tool MMR hammer which automates some of
+  this process.  Check the "MMR Hammer" sections to see how.  Install it
+  here:  https://github.com/ezyang/mmr-hammer
 
     0. Tell -c scripts not to go off and reboot servers until you're
@@ -209,4 +220,5 @@
 nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
 nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
 nsds5ReplicaPurgeDelay: 604800
 nsds5ReplicaLegacyConsumer: off
@@ -223,4 +235,7 @@
        for just $MASTER.
 
+       REMEMBER: You need to use FOO.mit.edu for the names!  Otherwise you will get
+       unauthorized errors.
+
 add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
 uid: ldap/$MASTER
@@ -245,6 +260,7 @@
        risky step of the process; see below for help debugging problems.
 
-       WARNING: There is a known bug doing full updates from 1.2.6 to
-       1.2.6, see https://bugzilla.redhat.com/show_bug.cgi?id=637852
+       MMR Hammer: mmr-hammer -h $MASTER init agreements $SLAVE
+
+        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
 
 add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
@@ -268,9 +284,10 @@
     If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
     for more information.  It might be because fedora-ds can't read
-    /etc/dirsrv/keytab
+    /etc/dirsrv/keytab or because you setup the account on the SLAVE
+    incorrectly.
 
     6. Replicate in the other direction.  On $MASTER, add $SLAVE
     as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
-    Also, add an account for $SLAVE
+    Also, add an account for $SLAVE if it doesn't exist already.
 
 add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
@@ -280,4 +297,6 @@
 
     On $SLAVE,
+
+       MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER
 
 add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
@@ -308,4 +327,8 @@
     new server.
 
+    With MMR hammer, that's something like:
+
+        for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done
+
     8. If at this point you look at the new server's changelog with
     cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you
@@ -316,4 +339,8 @@
     also good for making sure the replication agreements actually work.
 
+    With MMR hammer, that's something like:
+
+        for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done
+
 Troubleshooting
 ===============
Index: /trunk/server/doc/migrate
===================================================================
--- /trunk/server/doc/migrate	(revision 2066)
+++ /trunk/server/doc/migrate	(revision 2066)
@@ -0,0 +1,37 @@
+Migrating a Scripts guest between Xen hosts
+-------------------------------------------
+
+Two main components:
+
+    1. Copying the disk image (we do this with dd/netcat/backend network)
+    2. Modifying Xen configuration
+
+First, get a copy of /etc/fstab; in particular, you care about the UUIDs
+of the swap and cache partitions.
+
+Next, shut off the relevant VM.  Make sure that you have space on the
+destination host, and that you have a volume ready to receive the data
+(check with 'lvs').  From now, we'll assume $MACHINE is the name of the
+VM you're migrating, $SRC is the source host, and $DST is the destination host.
+
+Setup dd listening on a port on the destination host.  Pick a random,
+hard to guess port number.
+
+    root@$DST:~# nc -l -p $RANDOMPORT | dd of=/dev/$DST/$MACHINE-root bs=16M
+
+Next, send the data over the *backend network*.  We have 172.21.*.* setup
+to be routed on our backend network, do NOT use the public IPs on 18.*.*.*.
+
+    root@$SRC:~# dd if=/dev/$SRC/$MACHINE-root bs=16M | nc 172.21.X.Y $RANDOMPORT
+
+where X and Y are the last two digits of the normal 18.181.X.Y IP address of $DST.
+
+Once you're done, ensure that the swap and cache partitions are ready on the
+destination (you don't, mercifully, have to dd those over)--make sure they're
+properly configured; especially make sure that they the right UUIDs (from
+the fstab you saved!)  Check 'install-fedora' if you need to be reminded
+what the incants are.
+
+Finally, edit /etc/xen/scripts and modify the host that is hosting the server.
+Spin it up on the host and make sure everything is in order, then nuke the
+old disk image (multiple copies of a Scripts server is a bad idea!)
Index: /trunk/server/doc/package-build-howto
===================================================================
--- /trunk/server/doc/package-build-howto	(revision 2065)
+++ /trunk/server/doc/package-build-howto	(revision 2066)
@@ -50,10 +50,10 @@
 
   * # Rebuild the repo metadata to include the new packages.
-    cd /mit/scripts/rpm-fc[RELEASE]
+    cd /mit/scripts/yum-repos/rpm-fc[RELEASE]
     # If you have a trusted machine:
-    createrepo .
+    createrepo -d .
     # Otherwise, on a scripts server, as root:
     mkdir /root/repodata-YYYYMMDD # Or any suitable temp directory
-    createrepo -o /root/repodata-YYYYMMDD .
+    createrepo -d -o /root/repodata-YYYYMMDD .
     # Then from your trusted machine
     krootscp -r root@[BUILD-SERVER]:/root/repodata-YYYYMMDD /mit/scripts/rpm-fc[RELEASE]
Index: /trunk/server/doc/upgrade-tips
===================================================================
--- /trunk/server/doc/upgrade-tips	(revision 2065)
+++ /trunk/server/doc/upgrade-tips	(revision 2066)
@@ -159,6 +159,6 @@
 /mit/scripts/rpm-fcXX-testing) needs to be made.  It's quite simple;
 all you need to do is copy the RPMs from the build server to there
-(probably going through a trusted machine, since you don't want to
-put your root tickets on a server.)  When you're done, run `createrepo`
+(probably going through a trusted machine, since you don't want to put
+your root tickets on a server.)  When you're done, run `createrepo -d`
 on the directory.
 
@@ -197,2 +197,18 @@
 hysterical raisins we still refer to our 32-bit builds as i386.
 [XXX: Maybe this should change]
+
+Until we decide that the performance impact is negligible, any new PHP
+extensions other than the few we’ve whitelisted should be disabled by
+emptying their .ini files in /etc/php.d.
+
+8. Sending announcements
+------------------------
+
+Once development work has finished, we need to allow users to test
+their websites on the new servers.
+
+    SIPB Internal Testing: Send an email to scripts-team@mit.edu
+    and -c sipb notifying them of testing procedure and known
+    issues.
+
+    General Testing:
Index: /trunk/server/fedora/Makefile
===================================================================
--- /trunk/server/fedora/Makefile	(revision 2065)
+++ /trunk/server/fedora/Makefile	(revision 2066)
@@ -19,8 +19,8 @@
 # See /COPYRIGHT in this repository for more information.
 
-upstream_yum	= krb5 krb5.i686 httpd openssh curl redland-bindings
-hackage		= MonadCatchIO-mtl-0.3.0.1 cgi-3001.1.8.1 unix-handle-0.0.0
+upstream_yum	= krb5 krb5.i686 httpd openssh redland-bindings rubygems
+hackage		= MonadCatchIO-mtl-0.3.0.2 cgi-3001.1.8.2 unix-handle-0.0.0
 upstream_hackage = ghc-MonadCatchIO-mtl ghc-cgi ghc-unix-handle
-upstream	= openafs $(upstream_yum) $(upstream_hackage) moira cluster-glue heartbeat pacemaker zephyr zephyr.i686 python-zephyr athena-aclocal discuss
+upstream	= openafs $(upstream_yum) $(upstream_hackage) moira zephyr zephyr.i686 python-zephyr athena-aclocal discuss
 oursrc		= execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i686 whoisd athrun php_scripts scripts-wizard scripts-base scripts-static-cat
 allsrc		= $(upstream) $(oursrc)
@@ -40,10 +40,6 @@
 server_url	= "http://web.mit.edu/scripts/src"
 server_arch	= "fedora.stable"
-#openafs_url	= "http://dl.openafs.org/dl/openafs/1.4.12/openafs-1.4.12-1.1.2.src.rpm"
-openafs_url	= "http://web.mit.edu/~scripts/yum-repos/rpm-fc13/openafs-1.4.12.1-1.0.pre3.src.rpm"
-clusterglue_url	= "http://kojipkgs.fedoraproject.org/packages/cluster-glue/1.0/0.11.b79635605337.hg.fc12/src/cluster-glue-1.0-0.11.b79635605337.hg.fc12.src.rpm"
-heartbeat_url	= "http://kojipkgs.fedoraproject.org/packages/heartbeat/3.0.0/0.5.0daab7da36a8.hg.fc12/src/heartbeat-3.0.0-0.5.0daab7da36a8.hg.fc12.src.rpm"
-pacemaker_url	= "http://kojipkgs.fedoraproject.org/packages/pacemaker/1.0.5/5.fc12/src/pacemaker-1.0.5-5.fc12.src.rpm"
-zephyr_url	= "http://zephyr.1ts.org/export/HEAD/distribution/zephyr-3.0.tar.gz"
+openafs_url	= "http://dl.openafs.org/dl/openafs/1.6.0/openafs-1.6.0-1.src.rpm"
+zephyr_url	= "http://zephyr.1ts.org/export/HEAD/distribution/zephyr-3.0.1.tar.gz"
 
 PKG		= $(patsubst %.i686,%,$@)
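Review bot: The new `openafs_url` and `zephyr_url` are still plain `http://` locations, and nothing visible in this Makefile verifies the downloaded SRPM or tarball before it is built into packages for the servers. The `wget -P $(dload) $(openafs_url)` and `wget -P $(dload) $(zephyr_url)` calls that use these variables are in the download recipe, outside this hunk. I would record a digest next to each URL, e.g. `openafs_sha256 = <sha256 of openafs-1.6.0-1.src.rpm, placeholder>`, and have the recipe run `sha256sum -c` on the fetched file right after each `wget`, failing the build on a mismatch. The zephyr URL goes through `export/HEAD`, so the bytes behind that file name can presumably change over time; a pinned digest would catch that as well.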
@@ -74,12 +70,6 @@
 	cd $(dload) && yumdownloader --disablerepo=scripts --source $(upstream_yum)
 	wget -P $(dload) $(openafs_url)
-	wget -P $(dload) $(clusterglue_url)
-	wget -P $(dload) $(heartbeat_url)
-	wget -P $(dload) $(pacemaker_url)
 	wget -P $(dload) $(zephyr_url)
 	cd $(tmp_src) && wget -nd -r -l1 -np -A.orig.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-moira/
-	cd $(tmp_src) && wget -nd -r -l1 -np -A.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-aclocal/
-	cd $(tmp_src) && wget -nd -r -l1 -np -A.orig.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-discuss/
-	cp $(oursrcdir)/discuss/* $(tmp_src)
 	cabal update
 	cabal fetch $(hackage)
@@ -88,4 +78,7 @@
 	touch download_stamp
 
+	cd $(tmp_src) && wget -nd -r -l1 -np -A.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-aclocal/
+	cd $(tmp_src) && wget -nd -r -l1 -np -A.orig.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-discuss/
+	cp $(oursrcdir)/discuss/* $(tmp_src)
 %.src.rpm:
 	wget -q -nv -N -B $(server_url) -nd -nH -P $(dload) $(server_url)/$*.src.rpm
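Review bot: The three added recipe lines land after `touch download_stamp`, so the stamp is written before the debathena-aclocal and debathena-discuss fetches and the `cp $(oursrcdir)/discuss/* $(tmp_src)` have run. A blank line does not end a make recipe, so these tab-indented lines still belong to the rule above, whose target line is outside this hunk. If one of them fails, the stamp most likely stays in place (unless the file sets `.DELETE_ON_ERROR`, which is not visible here), and a later `make` would skip the download step with sources missing. Moving `touch download_stamp` to the last line of the recipe, after the `cp`, and putting a blank line before `%.src.rpm:` would fix both the ordering and the readability of the rule boundary.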
@@ -101,9 +94,12 @@
 	cp ${specs}/*.spec $(tmp_specs)
 
+# Remove old .orig files so we're not mislead
 patch-specs: install-srpms
 	@cd ${tmp_specs}; \
 	list=`ls ${specs}/*.spec.patch`; \
+	rm -f *.orig; \
+	rm -f *.spec.~*~; \
 	for i in $$list; do \
-		patch < $$i; \
+		patch -bV numbered < $$i; \
 	done; \
 	list2=`svn ls ${oursrcdir}`; \
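Review bot: The new `rm -f *.orig; rm -f *.spec.~*~` run after `cd ${tmp_specs}; \`, and because the commands are joined with `;`, a failed `cd` (directory missing) lets the deletes and the `patch` loop run in whatever directory make was started from. Guard the directory change with `@cd ${tmp_specs} || exit 1; \`. The same `;` chaining means a rejected hunk from `patch -bV numbered < $$i` does not stop the recipe; `patch -bV numbered < $$i || exit 1; \` would make a bad spec patch fail the build rather than package a half-patched spec. The added comment sits above the target although it describes only the two `rm` lines, and `mislead` should read `misled`. The recipe continues past the end of this hunk.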
@@ -150,10 +146,10 @@
 	PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec
-	/usr/bin/mock -r scripts-fc13-i386 --arch=i686 ${rpmbuild_args} --define="_lib lib" -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc15-i386 --arch=i686 ${rpmbuild_args} --define="_lib lib" -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
 
 $(filter-out %.i686,$(oursrc)): %: setup
 	PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec
-	/usr/bin/mock -r scripts-fc13-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc15-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
 
 $(upstream) openafs-kernel: rpmbuild_args += --define 'scriptsversion $(shell svnversion ${patches} | tr ':' '_')'
@@ -161,14 +157,14 @@
 $(filter %.i686,$(upstream)): %.i686: setup patch-specs
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec
-	/usr/bin/mock -r scripts-fc13-i386 --arch=i686 ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc15-i386 --arch=i686 ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
 
 $(filter-out %.i686,$(upstream)): %: setup patch-specs
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec
-	/usr/bin/mock -r scripts-fc13-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc15-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
 
 openafs-kernel: setup
 	PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/openafs*.spec
-	/usr/bin/mock -r scripts-fc13-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc15-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1`
 
 #sort -n sorts "2.6.25-1" later than "2.6.25.1-1", so it's Wrong
@@ -188,18 +184,4 @@
 	fi
 
-# The following packages are needed for our packages
-basic-deps	= kernel-devel rpm-build rpmdevtools mock gcc autoconf patch krb5-workstation glibc-devel.i686 glibc-devel libtool libgcc.i686
-oursrc-deps	= hesinfo openldap-clients openldap-devel.i686 php-devel
-httpdmods-deps	= httpd-devel
-httpd-deps	= xmlto db4-devel expat-devel zlib-devel libselinux-devel apr-devel apr-util-devel pcre-devel openssl-devel distcache-devel
-krb5-deps	= bison ncurses-devel texinfo keyutils-libs-devel texinfo-tex texlive-latex libss-devel rsh
-openafs-deps	= pam-devel automake
-moira-deps      = e2fsprogs-devel
-zephyr-deps	= hesiod-devel libss-devel krb5-devel readline-devel
-openssh-deps	= gtk2-devel libX11-devel autoconf automake openssl-devel perl zlib-devel audit-libs-devel util-linux groff man pam-devel tcp_wrappers-devel krb5-devel libselinux-devel audit-libs xauth pango-devel cairo-devel libedit-devel nss-devel fipscheck-devel
-php-deps	= bzip2-devel curl-devel gmp-devel libstdc++-devel sqlite-devel gcc-c++ libc-client-devel mysql-devel postgresql-devel unixODBC-devel libxml2-devel net-snmp-devel libxslt-devel libxml2-devel libXpm-devel libjpeg-devel t1lib-devel libmcrypt-devel mhash-devel libtidy-devel freetds-devel aspell-devel recode-devel
-haskell-deps	= cabal-install
-install-deps:
-	yum -y install $(basic-deps) $(oursrc-deps) $(httpdmods-deps) $(httpd-deps) $(krb5-deps) $(openafs-deps) $(moira-deps) $(zephyr-deps) $(openssh-deps) $(php-deps) $(haskell-deps)
 # XXX: We need to figure out what's going on with compat-readline43
 #	rpm -ivh http://kojipkgs.fedoraproject.org/packages/compat-readline43/4.3/3/i386/compat-readline43-4.3-3.i386.rpm
@@ -207,5 +189,4 @@
 
 fedora:
-	make install-deps
 	make upstream
 	rpm -ivh $(out_rpms)/`uname -m`/openafs-devel*.rpm
Index: /trunk/server/fedora/config/etc/cron.d/check-filecaps
===================================================================
--- /trunk/server/fedora/config/etc/cron.d/check-filecaps	(revision 2066)
+++ /trunk/server/fedora/config/etc/cron.d/check-filecaps	(revision 2066)
@@ -0,0 +1,2 @@
+MAILTO=scripts-root@mit.edu
+27 5 * * * root find / -xdev -not -perm -o=x -prune -o -type f -print0 | xargs -0r /usr/sbin/getcap | cut -d' ' -f1 | grep -Fxvf /etc/scripts/allowed-filecaps.list | sed 's/^/Extra file_caps binary: /'
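Review bot: The scan covers less than the job's name suggests. `-xdev` keeps `find` on the root filesystem and `-not -perm -o=x -prune` skips everything that is not world-executable, so a capability-bearing binary on a separately mounted filesystem, or one executable only by its group, is never reported. If that scope is intended, state it in a comment above the entry, e.g. `# Only world-executable files on the root filesystem are checked`. `cut -d' ' -f1` also truncates a path that contains a space, so the name in the mail may be incomplete.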
Index: /trunk/server/fedora/config/etc/cron.d/slapdagent
===================================================================
--- /trunk/server/fedora/config/etc/cron.d/slapdagent	(revision 2065)
+++ /trunk/server/fedora/config/etc/cron.d/slapdagent	(revision 2066)
@@ -1,3 +1,3 @@
 KRB5CCNAME=/var/run/dirsrv/krb5cc
 MAILTO=scripts-root@mit.edu
-0 */3 * * * fedora-ds /usr/kerberos/bin/kinit -k -t /etc/dirsrv/keytab ldap/$(hostname)
+0 */3 * * * fedora-ds /usr/bin/kinit -k -t /etc/dirsrv/keytab ldap/$(hostname)
Index: unk/server/fedora/config/etc/cron.d/whoisd
===================================================================
--- /trunk/server/fedora/config/etc/cron.d/whoisd	(revision 2065)
+++ 	(revision )
@@ -1,1 +1,0 @@
-@reboot root /usr/bin/twistd -l /var/log/scripts-whoisd.log --pidfile /var/run/whoisd.pid -y /usr/local/libexec/whoisd.tac
Index: /trunk/server/fedora/config/etc/hosts
===================================================================
--- /trunk/server/fedora/config/etc/hosts	(revision 2065)
+++ /trunk/server/fedora/config/etc/hosts	(revision 2066)
@@ -18,5 +18,6 @@
 18.181.0.234	busy-beaver.mit.edu busy-beaver scripts7.mit.edu scripts7
 18.181.0.235	real-mccoy.mit.edu real-mccoy scripts8.mit.edu scripts8
-18.181.0.135	shining-armor.mit.edu shining-armor # scripts9.mit.edu scripts9
+18.181.0.135	shining-armor.mit.edu shining-armor scripts9.mit.edu scripts9
+18.181.0.141	golden-egg.mit.edu golden-egg scripts10.mit.edu scripts10
 
 172.21.0.57	better-mousetrap.mit.edu
@@ -29,2 +30,3 @@
 172.21.0.235	real-mccoy.mit.edu
 172.21.0.135	shining-armor.mit.edu
+172.21.0.141	golden-egg.mit.edu
Index: /trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
===================================================================
--- /trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf	(revision 2065)
+++ /trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf	(revision 2066)
@@ -1,4 +1,4 @@
 Alias /__scripts/heartbeat /afs/athena.mit.edu/contrib/scripts/web_scripts/heartbeat
-Alias /__scripts/django/media /usr/lib/python2.6/site-packages/django/contrib/admin/media
+Alias /__scripts/django/media /usr/lib/python2.7/site-packages/django/contrib/admin/media
 Alias /__scripts /afs/athena.mit.edu/contrib/scripts/www
 
@@ -9,5 +9,5 @@
 </Directory>
 
-<Directory /usr/lib/python2.6/site-packages/django/contrib/admin/media>
+<Directory /usr/lib/python2.7/site-packages/django/contrib/admin/media>
     <Files *>
 	SetHandler none
Index: /trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
===================================================================
--- /trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf	(revision 2065)
+++ /trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf	(revision 2066)
@@ -1,2 +1,16 @@
 ServerName scripts.mit.edu
-ServerAlias scripts 18.181.0.43 scripts-vhosts.mit.edu scripts-vhosts 18.181.0.46 scripts-test.mit.edu scripts-test 18.181.0.229 better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 bees-knees.mit.edu bees-knees b-k.mit.edu b-k sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3 18.181.0.167 cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.181.0.236 pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.181.0.234 real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.181.0.235 shining-armor.mit.edu shining-armor s-a.mit.edu s-a scripts9.mit.edu scripts9 18.181.0.135 localhost 127.0.0.1 ::1
+ServerAlias \
+    scripts 18.181.0.43 \
+    scripts-vhosts.mit.edu scripts-vhosts 18.181.0.46 \
+    scripts-test.mit.edu scripts-test 18.181.0.229 \
+    better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 \
+    old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 \
+    bees-knees.mit.edu bees-knees b-k.mit.edu b-k sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3 18.181.0.167 \
+    cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 \
+    whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.181.0.236 \
+    pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 \
+    busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.181.0.234 \
+    real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.181.0.235 \
+    shining-armor.mit.edu shining-armor s-a.mit.edu s-a scripts9.mit.edu scripts9 18.181.0.135 \
+    golden-egg.mit.edu golden-egg g-e.mit.edu g-e scripts10.mit.edu scripts10 18.181.0.141 \
+    localhost 127.0.0.1 ::1
Index: /trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost.conf
===================================================================
--- /trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost.conf	(revision 2065)
+++ /trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost.conf	(revision 2066)
@@ -1,4 +1,5 @@
 DocumentRoot /afs/athena.mit.edu/contrib/scripts/web_scripts/home
 SuExecUserGroup scripts users
+UserDir enabled
 UserDir web_scripts
 # Comment the following line out to take the machine out of the LVS pool
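Review bot: `UserDir enabled` with no user list turns per-user directory translation on for every account, system accounts included; the Apache documentation recommends pairing it with `UserDir disabled root`. Whether root or other local accounts can have a `web_scripts` directory on these hosts is not visible here, so treat this as a hardening suggestion. A short comment saying why the directive became necessary would also help, e.g. `# Distribution default is "UserDir disabled"; re-enable for web_scripts` (presumed reason, confirm).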
Index: unk/server/fedora/config/etc/krb.conf
===================================================================
--- /trunk/server/fedora/config/etc/krb.conf	(revision 2065)
+++ 	(revision )
@@ -1,5 +1,0 @@
-ATHENA.MIT.EDU
-ATHENA.MIT.EDU	KERBEROS.MIT.EDU admin server
-ATHENA.MIT.EDU	KERBEROS-1.MIT.EDU
-ATHENA.MIT.EDU	KERBEROS-2.MIT.EDU
-ATHENA.MIT.EDU	KERBEROS-3.MIT.EDU
Index: unk/server/fedora/config/etc/krb.realms
===================================================================
--- /trunk/server/fedora/config/etc/krb.realms	(revision 2065)
+++ 	(revision )
@@ -1,54 +1,0 @@
-sics.se		SICS.SE
-.sics.se	SICS.SE
-nada.kth.se	NADA.KTH.SE
-pdc.kth.se	NADA.KTH.SE
-.hydro.kth.se	NADA.KTH.SE
-.mech.kth.se	MECH.KTH.SE
-.nada.kth.se	NADA.KTH.SE
-.pdc.kth.se	NADA.KTH.SE
-.sans.kth.se	NADA.KTH.SE
-.admin.kth.se	ADMIN.KTH.SE
-.e.kth.se	E.KTH.SE
-.s3.kth.se	E.KTH.SE
-.radio.kth.se	E.KTH.SE
-.ttt.kth.se	E.KTH.SE
-.electrum.kth.se	IT.KTH.SE
-.math.kth.se	MATH.KTH.SE
-.it.kth.se	IT.KTH.SE
-.sth.sunet.se	SUNET.SE
-.pilsnet.sunet.se	SUNET.SE
-.sunet.se	SUNET.SE
-.ml.kva.se	ML.KVA.SE
-pi.se		PI.SE
-.pi.se		PI.SE
-.adm.pi.se	PI.SE
-.stacken.kth.se	STACKEN.KTH.SE
-kth.se		KTH.SE
-.kth.se		KTH.SE
-.bion.kth.se	BION.KTH.SE
-.lib.kth.se	LIB.KTH.SE
-.dsv.su.se	DSV.SU.SE
-.MIT.EDU ATHENA.MIT.EDU
-.MIT.EDU. ATHENA.MIT.EDU
-MIT.EDU ATHENA.MIT.EDU
-DODO.MIT.EDU SMS_TEST.MIT.EDU
-.UCSC.EDU CATS.UCSC.EDU
-.UCSC.EDU. CATS.UCSC.EDU
-CYGNUS.COM CYGNUS.COM
-.CYGNUS.COM CYGNUS.COM
-MIRKWOOD.CYGNUS.COM MIRKWOOD.CYGNUS.COM
-KITHRUP.COM KITHRUP.COM
-.KITHRUP.COM KITHRUP.COM
-.berkeley.edu   EECS.BERKELEY.EDU
-.CS.berkeley.edu        EECS.BERKELEY.EDU
-.MIT.EDU        ATHENA.MIT.EDU
-.mit.edu        ATHENA.MIT.EDU
-.BSDI.COM       BSDI.COM
-ARMADILLO.COM	ARMADILLO.COM
-.ARMADILLO.COM	ARMADILLO.COM
-ZEN.ORG		ZEN.ORG
-.ZEN.ORG	ZEN.ORG
-toad.com	TOAD.COM
-.toad.com	TOAD.COM
-lloyd.com	LLOYD.COM
-.lloyd.com	LLOYD.COM
Index: /trunk/server/fedora/config/etc/krb5.conf
===================================================================
--- /trunk/server/fedora/config/etc/krb5.conf	(revision 2065)
+++ /trunk/server/fedora/config/etc/krb5.conf	(revision 2066)
@@ -1,3 +1,4 @@
 [libdefaults]
+	allow_weak_crypto = true
 	default_realm = ATHENA.MIT.EDU
 # The following krb5.conf variables are only for MIT Kerberos.
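Review bot: `allow_weak_crypto = true` re-enables single-DES and the other encryption types MIT Kerberos treats as weak for every Kerberos consumer on the host, and the line has no comment saying which service needs it. Add a comment naming the dependency and the condition for removing the setting, e.g. `# Needed for <service>; remove once it no longer requires single-DES keys`. The dependency is presumably AFS service tickets, but that is not visible in this changeset and should be confirmed. The rest of `[libdefaults]` is outside the hunk.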
Index: unk/server/fedora/config/etc/ldap.conf
===================================================================
--- /trunk/server/fedora/config/etc/ldap.conf	(revision 2065)
+++ 	(revision )
@@ -1,296 +1,0 @@
-# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
-#
-# This is the configuration file for the LDAP nameservice
-# switch library and the LDAP PAM module.
-#
-# The man pages for this file are nss_ldap(5) and pam_ldap(5)
-#
-# PADL Software
-# http://www.padl.com
-#
-
-# Your LDAP server. Must be resolvable without using LDAP.
-# Multiple hosts may be specified, each separated by a 
-# space. How long nss_ldap takes to failover depends on
-# whether your LDAP client library supports configurable
-# network or connect timeouts (see bind_timelimit).
-#host 127.0.0.1
-
-# The distinguished name of the search base.
-base dc=scripts,dc=mit,dc=edu
-
-# Another way to specify your LDAP server is to provide an
-# uri with the server name. This allows to use
-# Unix Domain Sockets to connect to a local LDAP Server.
-#uri ldap://127.0.0.1/
-#uri ldaps://127.0.0.1/   
-#uri ldapi://%2fvar%2frun%2fldapi_sock/
-# Note: %2f encodes the '/' used as directory separator
-uri ldapi://%2fvar%2frun%2fslapd-scripts.socket/
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-#ldap_version 3
-
-# The distinguished name to bind to the server with.
-# Optional: default is to bind anonymously.
-#binddn cn=proxyuser,dc=example,dc=com
-
-# The credentials to bind with. 
-# Optional: default is no credential.
-#bindpw secret
-
-# The distinguished name to bind to the server with
-# if the effective user ID is root. Password is
-# stored in /etc/ldap.secret (mode 600)
-#rootbinddn cn=manager,dc=example,dc=com
-
-# The port.
-# Optional: default is 389.
-#port 389
-
-# The search scope.
-#scope sub
-#scope one
-#scope base
-
-# Search timelimit
-#timelimit 30
-timelimit 120
-
-# Bind/connect timelimit
-#bind_timelimit 30
-bind_timelimit 120
-
-# Reconnect policy: hard (default) will retry connecting to
-# the software with exponential backoff, soft will fail
-# immediately.
-#bind_policy hard
-
-# Idle timelimit; client will close connections
-# (nss_ldap only) if the server has not been contacted
-# for the number of seconds specified below.
-#idle_timelimit 3600
-idle_timelimit 3600
-
-# Filter to AND with uid=%s
-#pam_filter objectclass=account
-
-# The user ID attribute (defaults to uid)
-#pam_login_attribute uid
-
-# Search the root DSE for the password policy (works
-# with Netscape Directory Server)
-#pam_lookup_policy yes
-
-# Check the 'host' attribute for access control
-# Default is no; if set to yes, and user has no
-# value for the host attribute, and pam_ldap is
-# configured for account management (authorization)
-# then the user will not be allowed to login.
-#pam_check_host_attr yes
-
-# Check the 'authorizedService' attribute for access
-# control
-# Default is no; if set to yes, and the user has no
-# value for the authorizedService attribute, and
-# pam_ldap is configured for account management
-# (authorization) then the user will not be allowed
-# to login.
-#pam_check_service_attr yes
-
-# Group to enforce membership of
-#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
-
-# Group member attribute
-#pam_member_attribute uniquemember
-
-# Specify a minium or maximum UID number allowed
-#pam_min_uid 0
-#pam_max_uid 0
-
-# Template login attribute, default template user
-# (can be overriden by value of former attribute
-# in user's entry)
-#pam_login_attribute userPrincipalName
-#pam_template_login_attribute uid
-#pam_template_login nobody
-
-# HEADS UP: the pam_crypt, pam_nds_passwd,
-# and pam_ad_passwd options are no
-# longer supported.
-#
-# Do not hash the password at all; presume
-# the directory server will do it, if
-# necessary. This is the default.
-#pam_password clear
-
-# Hash password locally; required for University of
-# Michigan LDAP server, and works with Netscape
-# Directory Server if you're using the UNIX-Crypt
-# hash mechanism and not using the NT Synchronization
-# service. 
-#pam_password crypt
-
-# Remove old password first, then update in
-# cleartext. Necessary for use with Novell
-# Directory Services (NDS)
-#pam_password clear_remove_old
-#pam_password nds
-
-# RACF is an alias for the above. For use with
-# IBM RACF
-#pam_password racf
-
-# Update Active Directory password, by
-# creating Unicode password and updating
-# unicodePwd attribute.
-#pam_password ad
-
-# Use the OpenLDAP password change
-# extended operation to update the password.
-#pam_password exop
-
-# Redirect users to a URL or somesuch on password
-# changes.
-#pam_password_prohibit_message Please visit http://internal to change your password.
-
-# RFC2307bis naming contexts
-# Syntax:
-# nss_base_XXX		base?scope?filter
-# where scope is {base,one,sub}
-# and filter is a filter to be &'d with the
-# default filter.
-# You can omit the suffix eg:
-# nss_base_passwd	ou=People,
-# to append the default base DN but this
-# may incur a small performance impact.
-nss_base_passwd		ou=People,dc=scripts,dc=mit,dc=edu?one
-#nss_base_shadow	ou=People,dc=example,dc=com?one
-nss_base_group		ou=Groups,dc=scripts,dc=mit,dc=edu?one
-#nss_base_hosts		ou=Hosts,dc=example,dc=com?one
-#nss_base_services	ou=Services,dc=example,dc=com?one
-#nss_base_networks	ou=Networks,dc=example,dc=com?one
-#nss_base_protocols	ou=Protocols,dc=example,dc=com?one
-#nss_base_rpc		ou=Rpc,dc=example,dc=com?one
-#nss_base_ethers	ou=Ethers,dc=example,dc=com?one
-#nss_base_netmasks	ou=Networks,dc=example,dc=com?ne
-#nss_base_bootparams	ou=Ethers,dc=example,dc=com?one
-#nss_base_aliases	ou=Aliases,dc=example,dc=com?one
-#nss_base_netgroup	ou=Netgroup,dc=example,dc=com?one
-
-# Just assume that there are no supplemental groups for these named users
-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
-
-# attribute/objectclass mapping
-# Syntax:
-#nss_map_attribute	rfc2307attribute	mapped_attribute
-#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
-
-# configure --enable-nds is no longer supported.
-# NDS mappings
-#nss_map_attribute uniqueMember member
-
-# Services for UNIX 3.5 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount User
-#nss_map_attribute uid msSFU30Name
-#nss_map_attribute uniqueMember msSFU30PosixMember
-#nss_map_attribute userPassword msSFU30Password
-#nss_map_attribute homeDirectory msSFU30HomeDirectory
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_objectclass posixGroup Group
-#pam_login_attribute msSFU30Name
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-mssfu-schema is no longer supported.
-# Services for UNIX 2.0 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid msSFUName
-#nss_map_attribute uniqueMember posixMember
-#nss_map_attribute userPassword msSFUPassword
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup Group
-#nss_map_attribute cn msSFUName
-#pam_login_attribute msSFUName
-#pam_filter objectclass=User
-#pam_password ad
-
-# RFC 2307 (AD) mappings
-#nss_map_objectclass posixAccount user
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid sAMAccountName
-#nss_map_attribute homeDirectory unixHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup group
-#nss_map_attribute uniqueMember member
-#pam_login_attribute sAMAccountName
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-authpassword is no longer supported
-# AuthPassword mappings
-#nss_map_attribute userPassword authPassword
-
-# AIX SecureWay mappings
-#nss_map_objectclass posixAccount aixAccount
-#nss_base_passwd ou=aixaccount,?one
-#nss_map_attribute uid userName
-#nss_map_attribute gidNumber gid
-#nss_map_attribute uidNumber uid
-#nss_map_attribute userPassword passwordChar
-#nss_map_objectclass posixGroup aixAccessGroup
-#nss_base_group ou=aixgroup,?one
-#nss_map_attribute cn groupName
-#nss_map_attribute uniqueMember member
-#pam_login_attribute userName
-#pam_filter objectclass=aixAccount
-#pam_password clear
-
-# Netscape SDK LDAPS
-#ssl on
-
-# Netscape SDK SSL options
-#sslpath /etc/ssl/certs
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
-#ssl start_tls
-#ssl on
-
-# OpenLDAP SSL options
-# Require and verify server certificate (yes/no)
-# Default is to use libldap's default behavior, which can be configured in
-# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
-# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-#tls_checkpeer yes
-
-# CA certificates for server certificate verification
-# At least one of these are required if tls_checkpeer is "yes"
-#tls_cacertfile /etc/ssl/ca.cert
-#tls_cacertdir /etc/ssl/certs
-
-# Seed the PRNG if /dev/urandom is not provided
-#tls_randfile /var/run/egd-pool
-
-# SSL cipher suite
-# See man ciphers for syntax
-#tls_ciphers TLSv1
-
-# Client certificate and key
-# Use these, if your server requires client authentication.
-#tls_cert
-#tls_key
-
-# Disable SASL security layers. This is needed for AD.
-#sasl_secprops maxssf=0
-
-# Override the default Kerberos ticket cache location.
-#krb5_ccname FILE:/etc/.ldapcache
-
-# SASL mechanism for PAM authentication - use is experimental
-# at present and does not support password policy control
-#pam_sasl_mech DIGEST-MD5
Index: /trunk/server/fedora/config/etc/mock/scripts-fc15-i386.cfg
===================================================================
--- /trunk/server/fedora/config/etc/mock/scripts-fc15-i386.cfg	(revision 2066)
+++ /trunk/server/fedora/config/etc/mock/scripts-fc15-i386.cfg	(revision 2066)
@@ -0,0 +1,44 @@
+config_opts['root'] = 'fedora-15-i386'
+config_opts['target_arch'] = 'i686'
+config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc15'  # only useful for --resultdir variable subst
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-15&arch=i386
+failovermethod=priority
+
+[updates-released]
+name=updates
+#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f15&arch=i386
+baseurl=http://download3.fedora.redhat.com/pub/fedora/linux/updates/15/i386/
+failovermethod=priority
+
+[local]
+name=local
+baseurl=file:///home/scripts-build/mock-local/
+cost=2000
+enabled=1
+
+[scripts]
+name=Scripts
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
+enabled=0
+gpgcheck=0
+"""
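Review bot: `gpgcheck=0` in `[main]`, together with the `http://` mirrorlist and baseurl entries, means every package installed into the build chroot is accepted unsigned over an unauthenticated channel. A tampered mirror response would therefore end up in the environment that builds all RPMs here. Set `gpgcheck=1` in `[main]` and give `[fedora]` and `[updates-released]` a `gpgkey=file:///etc/pki/mock/<fedora-15-key>` line (the key path is a placeholder), keeping `gpgcheck=0` only on `[local]` if its packages are unsigned. scripts-fc15-x86_64.cfg in this changeset has the same settings.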
Index: /trunk/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg
===================================================================
--- /trunk/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg	(revision 2066)
+++ /trunk/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg	(revision 2066)
@@ -0,0 +1,48 @@
+config_opts['root'] = 'fedora-15-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64')
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc15'  # only useful for --resultdir variable subst
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
+# .i?86 packages except these.
+#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86
+# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora.
+
+# repos
+
+[fedora]
+name=fedora
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-15&arch=x86_64
+failovermethod=priority
+
+[updates-released]
+name=updates
+#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f15&arch=x86_64
+baseurl=http://download3.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/
+failovermethod=priority
+
+[local]
+name=local
+baseurl=file:///home/scripts-build/mock-local/ 
+cost=2000
+enabled=1
+
+[scripts]
+name=Scripts
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
+enabled=0
+gpgcheck=0
+"""
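Review bot: `config_opts['legal_host_arches'] = ('x86_64')` is a plain string rather than a one-element tuple, because the parentheses have no trailing comma; the i386 config in this changeset uses a real tuple. A membership test against it becomes a substring test, which happens to pass for `x86_64` but is not what the option is meant to hold. Write `config_opts['legal_host_arches'] = ('x86_64',)`.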
Index: /trunk/server/fedora/config/etc/php.d/_scripts.ini
===================================================================
--- /trunk/server/fedora/config/etc/php.d/_scripts.ini	(revision 2065)
+++ /trunk/server/fedora/config/etc/php.d/_scripts.ini	(revision 2066)
@@ -3,2 +3,3 @@
 cgi.force_redirect = 0
 memory_limit = 1024M
+date.timezone = America/New_York
Index: /trunk/server/fedora/config/etc/php.d/tidy.ini
===================================================================
--- /trunk/server/fedora/config/etc/php.d/tidy.ini	(revision 2065)
+++ /trunk/server/fedora/config/etc/php.d/tidy.ini	(revision 2066)
@@ -1,1 +1,0 @@
-
Index: /trunk/server/fedora/config/etc/postfix/main.cf
===================================================================
--- /trunk/server/fedora/config/etc/postfix/main.cf	(revision 2065)
+++ /trunk/server/fedora/config/etc/postfix/main.cf	(revision 2066)
@@ -17,6 +17,6 @@
 recipient_delimiter = +
 inet_interfaces = all
-readme_directory = /usr/share/doc/postfix-2.7.4/README_FILES
-sample_directory = /usr/share/doc/postfix-2.7.4/samples
+readme_directory = /usr/share/doc/postfix-2.8.5/README_FILES
+sample_directory = /usr/share/doc/postfix-2.8.5/samples
 sendmail_path = /usr/sbin/sendmail
 html_directory = no
Index: /trunk/server/fedora/config/etc/rc.d/rc.local
===================================================================
--- /trunk/server/fedora/config/etc/rc.d/rc.local	(revision 2065)
+++ /trunk/server/fedora/config/etc/rc.d/rc.local	(revision 2066)
@@ -3,7 +3,3 @@
 touch /var/lock/subsys/local
 
-if [ -r "/afs/athena.mit.edu" ]; then
-	/sbin/service postfix start
-fi
-
 /bin/mkdir -pm 1773 /tmp/sessions
Index: /trunk/server/fedora/config/etc/scripts/allowed-filecaps.list
===================================================================
--- /trunk/server/fedora/config/etc/scripts/allowed-filecaps.list	(revision 2066)
+++ /trunk/server/fedora/config/etc/scripts/allowed-filecaps.list	(revision 2066)
@@ -0,0 +1,2 @@
+/bin/ping
+/bin/ping6
Index: /trunk/server/fedora/config/etc/scripts/allowed-setugid.list
===================================================================
--- /trunk/server/fedora/config/etc/scripts/allowed-setugid.list	(revision 2065)
+++ /trunk/server/fedora/config/etc/scripts/allowed-setugid.list	(revision 2066)
@@ -1,4 +1,2 @@
-/bin/ping
-/bin/ping6
 /sbin/pam_timestamp_check
 /sbin/unix_chkpwd
Index: /trunk/server/fedora/config/etc/ssh/shosts.equiv
===================================================================
--- /trunk/server/fedora/config/etc/ssh/shosts.equiv	(revision 2065)
+++ /trunk/server/fedora/config/etc/ssh/shosts.equiv	(revision 2066)
@@ -8,4 +8,5 @@
 shining-armor.mit.edu
 whole-enchilada.mit.edu
+golden-egg.mit.edu
 172.21.0.53
 172.21.0.57
@@ -17,2 +18,3 @@
 172.21.0.135
 172.21.0.236
+172.21.0.141
Index: /trunk/server/fedora/config/etc/ssh/ssh_known_hosts
===================================================================
--- /trunk/server/fedora/config/etc/ssh/ssh_known_hosts	(revision 2065)
+++ /trunk/server/fedora/config/etc/ssh/ssh_known_hosts	(revision 2066)
@@ -8,2 +8,3 @@
 whole-enchilada.mit.edu,whole-enchilada,w-e.mit.edu,w-e,scripts5.mit.edu,scripts5,18.181.0.236,172.21.0.236 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
 shining-armor.mit.edu,shining-armor,s-a.mit.edu,s-a,scripts9.mit.edu,scripts9,18.181.0.135,172.21.0.135 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+golden-egg.mit.edu.golden-egg,g-e.mit.edu,g-e,scripts10.mit.edu,scripts10,18.181.0.141,172.21.0.141 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
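Review bot: The host list on the added line begins `golden-egg.mit.edu.golden-egg,` with a dot where the neighbouring entries have a comma. The names `golden-egg.mit.edu` and `golden-egg` are therefore missing from the list, and the key is matched only through the remaining aliases and addresses. The sshd_config in this changeset sets `IgnoreUserKnownHosts yes`, so host-based authentication that looks the peer up by its canonical name would likely find no key. The line should begin `golden-egg.mit.edu,golden-egg,g-e.mit.edu,g-e,`.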
Index: /trunk/server/fedora/config/etc/ssh/sshd_config
===================================================================
--- /trunk/server/fedora/config/etc/ssh/sshd_config	(revision 2065)
+++ /trunk/server/fedora/config/etc/ssh/sshd_config	(revision 2066)
@@ -20,3 +20,3 @@
 IgnoreRhosts yes
 IgnoreUserKnownHosts yes
-DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu root@cats-whiskers.mit.edu root@pancake-bunny.mit.edu root@busy-beaver.mit.edu root@real-mccoy.mit.edu root@whole-enchilada.mit.edu root@shining-armor.mit.edu
+DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu root@cats-whiskers.mit.edu root@pancake-bunny.mit.edu root@busy-beaver.mit.edu root@real-mccoy.mit.edu root@whole-enchilada.mit.edu root@shining-armor.mit.edu root@golden-egg.mit.edu
Index: /trunk/server/fedora/config/etc/sysconfig/dirsrv
===================================================================
--- /trunk/server/fedora/config/etc/sysconfig/dirsrv	(revision 2065)
+++ /trunk/server/fedora/config/etc/sysconfig/dirsrv	(revision 2066)
@@ -32,5 +32,5 @@
 # slapdagent cronjob) -- geofft 30 October 2010
 KRB5CCNAME=/var/run/dirsrv/krb5cc; export KRB5CCNAME
-/usr/kerberos/bin/kinit -k -t "$KRB5_KTNAME" ldap/"$(hostname)"
+/usr/bin/kinit -k -t "$KRB5_KTNAME" ldap/"$(hostname)"
 chown --reference="$KRB5_KTNAME" "$KRB5CCNAME"
 
Index: /trunk/server/fedora/config/etc/sysconfig/httpd
===================================================================
--- /trunk/server/fedora/config/etc/sysconfig/httpd	(revision 2065)
+++ /trunk/server/fedora/config/etc/sysconfig/httpd	(revision 2066)
@@ -21,2 +21,10 @@
 #
 #HTTPD_LANG=C
+
+#
+# When stopping the server a 10 second timeout is allowed before
+# forcibly terminating the parent process (with a SIGKILL signal).
+# To allow a longer delay, set the STOP_TIMEOUT variable.
+#
+#STOP_TIMEOUT=10
+#
Index: /trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth1
===================================================================
--- /trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth1	(revision 2065)
+++ /trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth1	(revision 2066)
@@ -12,2 +12,3 @@
 18.181.0.235 via 172.21.0.235
 18.181.0.135 via 172.21.0.135
+18.181.0.141 via 172.21.0.141
Index: /trunk/server/fedora/config/etc/sysconfig/openafs
===================================================================
--- /trunk/server/fedora/config/etc/sysconfig/openafs	(revision 2065)
+++ /trunk/server/fedora/config/etc/sysconfig/openafs	(revision 2066)
@@ -1,21 +1,2 @@
 AFSD_ARGS="-afsdb -dynroot -fakestat-all -stat 25000 -daemons 100 -volumes 4000 -files 400000 -chunksize 19"
 BOSSERVER_ARGS=
-
-postinit () {
-	/sbin/sysctl -q afs.GCPAGs=0
-	/usr/bin/fs setcrypt on
-	case "$(lsb_release -cs)" in
-	  Moonshine)
-	    /usr/bin/fs sysname 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora7' 'amd64_linux26' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' 'i386_linux1' ;;
-	  Sulphur)
-	    /usr/bin/fs sysname 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;
-	  Leonidas)
-	    /usr/bin/fs sysname 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;
-	  Goddard)
-	    /usr/bin/fs sysname 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;
-	  *)
-	    echo "Warning: unknown platform. AFS sysname not set."
-	esac
-	/usr/bin/fs setcell -nosuid -c athena
-}
-AFS_POST_INIT=postinit
Index: /trunk/server/fedora/config/etc/sysconfig/sysstat
===================================================================
--- /trunk/server/fedora/config/etc/sysconfig/sysstat	(revision 2065)
+++ /trunk/server/fedora/config/etc/sysconfig/sysstat	(revision 2066)
@@ -1,2 +1,13 @@
-# How long to keep log files (days), maximum is a month
+# sysstat-9.0.6.1 configuration file.
+
+# How long to keep log files (in days).
+# If value is greater than 28, then log files are kept in
+# multiple directories, one for each month.
 HISTORY=30
+
+# Compress (using gzip or bzip2) sa and sar files older than (in days):
+COMPRESSAFTER=10
+
+# Parameters for system activity collector (see sadc man-page) which
+# are used for the generation of log files
+SADC_OPTIONS="-S DISK"
Index: /trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl
===================================================================
--- /trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl	(revision 2065)
+++ /trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl	(revision 2066)
@@ -32,5 +32,5 @@
 sub buildKeyMap($) {
     my ($file) = @_;
-    open (KEYS, $file) or warn "Couldn't open $file: $!";
+    open (KEYS, $file) or (warn "Couldn't open $file: $!\n" and return);
     while (<KEYS>) {
 	chomp;
@@ -58,6 +58,8 @@
 buildKeyMap("/root/.ssh/authorized_keys2");
 
-while (1) {
-    my @message = scalar(<>);
+my @message;
+
+while (my $line = <>) {
+    @message = $line;
     eval {
         local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required
@@ -80,6 +82,6 @@
 	} elsif ($message =~ m|Root (\S+) shell|) {
 	    sendmsg($message);
-	} elsif ($message =~ m|session \S+ for user (\S+)|) {
-	    sendmsg($message) if exists $USERS{$1};
+	} elsif ($message =~ m|pam_unix\(([^:]+):session\): session \S+ for user (\S+)|) {
+	    sendmsg($message) if $1 ne "cron" and exists $USERS{$2};
 	} elsif ($message =~ m|^Found matching (\w+) key: (\S+)|) {
 	    if ($sshkeys{$2}) {
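Review bot: The exclusion `$1 ne "cron"` in the new `pam_unix` branch compares the PAM service name exactly, and Fedora's cron daemon normally uses the service name `crond`, so cron session lines for monitored users would probably still be sent. Confirm against a real log line from these hosts and, if that is the case, use `$1 !~ /^crond?$/`. The pattern is also unanchored, unlike the `^`-anchored branches nearby, so any syslog message that merely contains this text is treated as a session event. The `elsif` chain starts and ends outside this hunk.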
@@ -117,4 +119,5 @@
 	} elsif ($message =~ m|^ *root : TTY=|) {
 	} elsif ($message =~ m|^Set /proc/self/oom_adj to |) {
+	} elsif ($message =~ m|^fatal: mm_request_receive: read: Connection reset by peer$|) {
 	} else {
 	    sendmsg($message, "scripts-spew");
Index: /trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf
===================================================================
--- /trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf	(revision 2065)
+++ /trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf	(revision 2066)
@@ -1,2 +1,4 @@
+@version:3.2
+
 # syslog-ng configuration file.
 #
@@ -8,5 +10,5 @@
 
 options {
-	sync (0);
+	flush_lines (0);
 	time_reopen (10);
 	log_fifo_size (1000);
@@ -16,8 +18,9 @@
 	create_dirs (no);
 	keep_hostname (yes);
+	stats_freq (0);
 };
 
 source s_sys {
-	file ("/proc/kmsg" log_prefix("kernel: "));
+	file ("/proc/kmsg" program_override("kernel: "));
 	unix-stream ("/dev/log");
 	internal();
@@ -28,5 +31,5 @@
 destination d_mesg { file("/var/log/messages"); };
 destination d_auth { file("/var/log/secure"); };
-destination d_mail { file("/var/log/maillog" sync(10)); };
+destination d_mail { file("/var/log/maillog" flush_lines(10)); };
 destination d_spol { file("/var/log/spooler"); };
 destination d_boot { file("/var/log/boot.log"); };
Index: /trunk/server/fedora/config/etc/yum.conf
===================================================================
--- /trunk/server/fedora/config/etc/yum.conf	(revision 2065)
+++ /trunk/server/fedora/config/etc/yum.conf	(revision 2066)
@@ -9,5 +9,5 @@
 plugins=1
 metadata_expire=1800
-installonlypkgs=kernel kernel-devel kmod-openafs
+installonlypkgs=kernel kernel-devel kmod-openafs ghc-cgi ghc-cgi-devel
 
 # PUT YOUR REPOS HERE OR IN separate files named file.repo
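Review bot: The extended `installonlypkgs` line has no comment saying why `ghc-cgi` and `ghc-cgi-devel` belong next to the kernel packages. Packages in this list are installed side by side rather than upgraded, so an older build stays on disk after a fixed one arrives, until `installonly_limit` prunes it. A line such as `# ghc-cgi*: keep old builds installed because <reason>` above the setting would record the intent for whoever audits installed versions later.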
Index: /trunk/server/fedora/config/etc/yum.repos.d/scripts.repo
===================================================================
--- /trunk/server/fedora/config/etc/yum.repos.d/scripts.repo	(revision 2065)
+++ /trunk/server/fedora/config/etc/yum.repos.d/scripts.repo	(revision 2066)
@@ -1,5 +1,5 @@
 [scripts]
 name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc13/
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
 enabled=1
 gpgcheck=0
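Review bot: The new `baseurl` values here and in the `[scripts-testing]` hunk below fetch packages over plain HTTP while both stanzas keep `gpgcheck=0`, so nothing authenticates the RPMs that yum installs as root from this repository. The move to the Fedora 15 repository is a natural point to sign the packages and set `gpgcheck=1` together with `gpgkey=<URL or file of the repo signing key>`. If the web server offers it, `baseurl=https://web.mit.edu/scripts/yum-repos/rpm-fc15/` would add transport integrity as well, though signature checking is the control that matters most.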
@@ -7,5 +7,5 @@
 [scripts-testing]
 name=Scripts Testing
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc13-testing/
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15-testing/
 enabled=0
 gpgcheck=0
Index: /trunk/server/fedora/config/etc/yum/post-actions/capoverride.action
===================================================================
--- /trunk/server/fedora/config/etc/yum/post-actions/capoverride.action	(revision 2066)
+++ /trunk/server/fedora/config/etc/yum/post-actions/capoverride.action	(revision 2066)
@@ -0,0 +1,7 @@
+/usr/sbin/mtr:install:setcap -r /usr/sbin/mtr
+/usr/bin/rsh:install:setcap -r /usr/bin/rsh
+/usr/bin/rcp:install:setcap -r /usr/bin/rcp
+/usr/bin/gnome-keyring-daemon:install:setcap -r /usr/bin/gnome-keyring-daemon
+/usr/bin/newrole:install:setcap -r /usr/bin/newrole
+/usr/bin/rlogin:install:setcap -r /usr/bin/rlogin
+/usr/libexec/pt_chown:install:setcap -r /usr/libexec/pt_chown
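Review bot: This new file has no header explaining that it strips file capabilities from the listed binaries after installation, and it works by explicit path, so a package that later ships a new capability-bearing binary is not covered. The additions to statoverride.action in the next file follow the same per-path pattern for setuid/setgid bits. If the action-file parser accepts `#` lines, add something like `# Strip file capabilities from binaries that must not run with privilege on this host`. A periodic `getcap -r /usr` compared against an expected list would catch binaries missing from this file.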
Index: /trunk/server/fedora/config/etc/yum/post-actions/statoverride.action
===================================================================
--- /trunk/server/fedora/config/etc/yum/post-actions/statoverride.action	(revision 2065)
+++ /trunk/server/fedora/config/etc/yum/post-actions/statoverride.action	(revision 2066)
@@ -22,8 +22,10 @@
 /usr/bin/write:install:chmod ug-s /usr/bin/write
 /usr/bin/Xorg:install:chmod ug-s /usr/bin/Xorg
-/usr/kerberos/bin/ksu:install:chmod ug-s /usr/kerberos/bin/ksu
+/usr/bin/ksu:install:chmod ug-s /usr/bin/ksu
 /usr/lib64/nspluginwrapper/plugin-config:install:chmod ug-s /usr/lib64/nspluginwrapper/plugin-config
 /usr/lib64/vte/gnome-pty-helper:install:chmod ug-s /usr/lib64/vte/gnome-pty-helper
+/usr/libexec/kde4/kpac_dhcp_helper:install:chmod ug-s /usr/libexec/kde4/kpac_dhcp_helper
 /usr/sbin/ccreds_chkpwd:install:chmod ug-s /usr/sbin/ccreds_chkpwd
 /usr/sbin/userisdnctl:install:chmod ug-s /usr/sbin/userisdnctl
 /usr/sbin/usernetctl:install:chmod ug-s /usr/sbin/usernetctl
+/usr/bin/pkexec:install:chmod ug-s /usr/bin/pkexec
Index: unk/server/fedora/specs/curl.spec.patch
===================================================================
--- /trunk/server/fedora/specs/curl.spec.patch	(revision 2065)
+++ 	(revision )
@@ -1,57 +1,0 @@
---- curl.spec.orig	2011-07-01 16:31:16.000000000 -0400
-+++ curl.spec	2011-07-01 16:30:24.000000000 -0400
-@@ -1,7 +1,7 @@
- Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
- Name: curl
- Version: 7.20.1
--Release: 5%{?dist}
-+Release: 5.scripts.%{scriptsversion}%{?dist}
- License: MIT
- Group: Applications/Internet
- Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
-@@ -90,6 +90,9 @@
- # workaround for broken applications using curl multi (#599340)
- Patch108: 0108-curl-7.20.1-threaded-dns-multi.patch
- 
-+# disable credential delegation over Negotiate (CVE-2011-2192)
-+Patch1000: curl-gssapi-delegation.patch
-+
- Provides: webclient
- URL: http://curl.haxx.se/
- BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-@@ -190,6 +193,7 @@
- %patch105 -p1
- %patch106 -p1
- %patch108 -p1
-+%patch1000 -p1
- 
- # other patches
- %patch15 -p1
-@@ -225,16 +229,6 @@
- 
- make %{?_smp_mflags}
- 
--%check
--LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}
--export LD_LIBRARY_PATH
--cd tests
--make %{?_smp_mflags}
--
--# use different port range for 32bit and 64bit build, thus make it possible
--# to run both in parallel on the same machine
--./runtests.pl -a -b%{?__isa_bits}90 -p -v
--
- %install
- rm -rf $RPM_BUILD_ROOT
- 
-@@ -289,6 +283,10 @@
- %{_datadir}/aclocal/libcurl.m4
- 
- %changelog
-+* Fri Jul 01 2011 Geoffrey Thomas <geofft@mit.edu> 7.20.1-5.scripts
-+- disable credential delegation over Negotiate (CVE-2011-2192)
-+  Patch from upstream: http://curl.haxx.se/docs/adv_20110623.html
-+
- * Fri Nov 26 2010 Kamil Dudka <kdudka@redhat.com> 7.20.1-5
- - do not send QUIT to a dead FTP control connection (#650255)
- - prevent FTP client from hanging on unrecognized ABOR response (#649347)
Index: /trunk/server/fedora/specs/ghc-MonadCatchIO-mtl.spec
===================================================================
--- /trunk/server/fedora/specs/ghc-MonadCatchIO-mtl.spec	(revision 2065)
+++ /trunk/server/fedora/specs/ghc-MonadCatchIO-mtl.spec	(revision 2066)
@@ -1,21 +1,22 @@
+# For Haskell Packaging Guidelines see:
+# - https://fedoraproject.org/wiki/Packaging:Haskell
+# - https://fedoraproject.org/wiki/PackagingDrafts/Haskell
+
 %global pkg_name MonadCatchIO-mtl
 
+# common part of summary for all the subpackages
 %global common_summary Haskell %{pkg_name} library
 
+# main description used for all the subpackages
 %global common_description A %{pkg_name} library for Haskell.
 
-# add any Haskell library dependencies here:
+# Haskell library dependencies (used for buildrequires and devel/prof subpkg requires)
 %global ghc_pkg_deps ghc-mtl-devel
 
-# add any foreign library dependencies here:
+# foreign library dependencies (used for buildrequires and devel subpkg requires)
 #%%global ghc_pkg_c_deps @CDEP1@-devel
 
-%bcond_without shared
-
-# debuginfo is not useful for ghc
-%global debug_package %{nil}
-
 Name:           ghc-%{pkg_name}
-Version:        0.3.0.1
+Version:        0.3.0.2
 Release:        0.%{scriptsversion}%{?dist}
 Summary:        %{common_summary}
@@ -23,11 +24,12 @@
 Group:          System Environment/Libraries
 License:        BSD
-URL:            http://hackage.haskell.org/cgi-bin/hackage-scripts/package/%{pkg_name}
+URL:            http://hackage.haskell.org/package/%{pkg_name}
 Source0:        http://hackage.haskell.org/packages/archive/%{pkg_name}/%{version}/%{pkg_name}-%{version}.tar.gz
-BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # fedora ghc archs:
-ExclusiveArch:  %{ix86} x86_64 ppc alpha
+ExclusiveArch:  %{ix86} x86_64 ppc alpha sparcv9
 BuildRequires:  ghc, ghc-doc, ghc-prof
-BuildRequires:  ghc-rpm-macros >= 0.7.0
+# macros for building haskell packages
+BuildRequires:  ghc-rpm-macros >= 0.7.3
+BuildRequires:  hscolour
 %{?ghc_pkg_deps:BuildRequires:  %{ghc_pkg_deps}, %(echo %{ghc_pkg_deps} | sed -e "s/\(ghc-[^, ]\+\)-devel/\1-doc,\1-prof/g")}
 %{?ghc_pkg_c_deps:BuildRequires:  %{ghc_pkg_c_deps}}
@@ -35,10 +37,4 @@
 %description
 %{common_description}
-%if %{with shared}
-This package provides the shared library.
-%endif
-
-
-%{?ghc_lib_package}
 
 
@@ -52,13 +48,16 @@
 
 %install
-rm -rf $RPM_BUILD_ROOT
 %ghc_lib_install
 
 
-%clean
-rm -rf $RPM_BUILD_ROOT
+# define the devel and prof subpkgs, devel post[un] scripts, and filelists:
+# ghc-%pkg_name{,devel,prof}.files
+%ghc_lib_package
 
 
 %changelog
+* Mon May  2 2011 Alexander Chernyakhovsky <achernya@mit.edu> - 0.3.0.2-0
+- regenerated packaging with cabal2spec-0.22.5
+
 * Thu Sep  9 2010 Anders Kaseorg <andersk@mit.edu> - 0.3.0.1-0
 - initial packaging for Fedora automatically generated by cabal2spec-0.22.1
Index: /trunk/server/fedora/specs/ghc-cgi.spec
===================================================================
--- /trunk/server/fedora/specs/ghc-cgi.spec	(revision 2065)
+++ /trunk/server/fedora/specs/ghc-cgi.spec	(revision 2066)
@@ -1,21 +1,22 @@
+# For Haskell Packaging Guidelines see:
+# - https://fedoraproject.org/wiki/Packaging:Haskell
+# - https://fedoraproject.org/wiki/PackagingDrafts/Haskell
+
 %global pkg_name cgi
 
+# common part of summary for all the subpackages
 %global common_summary Haskell %{pkg_name} library
 
+# main description used for all the subpackages
 %global common_description A %{pkg_name} library for Haskell.
 
-# add any Haskell library dependencies here:
+# Haskell library dependencies (used for buildrequires and devel/prof subpkg requires)
 %global ghc_pkg_deps ghc-network-devel, ghc-parsec-devel, ghc-mtl-devel, ghc-MonadCatchIO-mtl-devel, ghc-xhtml-devel
 
-# add any foreign library dependencies here:
+# foreign library dependencies (used for buildrequires and devel subpkg requires)
 #%%global ghc_pkg_c_deps @CDEP1@-devel
 
-%bcond_without shared
-
-# debuginfo is not useful for ghc
-%global debug_package %{nil}
-
 Name:           ghc-%{pkg_name}
-Version:        3001.1.8.1
+Version:        3001.1.8.2
 Release:        0.%{scriptsversion}%{?dist}
 Summary:        %{common_summary}
@@ -23,11 +24,12 @@
 Group:          System Environment/Libraries
 License:        BSD
-URL:            http://hackage.haskell.org/cgi-bin/hackage-scripts/package/%{pkg_name}
+URL:            http://hackage.haskell.org/package/%{pkg_name}
 Source0:        http://hackage.haskell.org/packages/archive/%{pkg_name}/%{version}/%{pkg_name}-%{version}.tar.gz
-BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # fedora ghc archs:
-ExclusiveArch:  %{ix86} x86_64 ppc alpha
+ExclusiveArch:  %{ix86} x86_64 ppc alpha sparcv9
 BuildRequires:  ghc, ghc-doc, ghc-prof
-BuildRequires:  ghc-rpm-macros >= 0.7.0
+# macros for building haskell packages
+BuildRequires:  ghc-rpm-macros >= 0.7.3
+BuildRequires:  hscolour
 %{?ghc_pkg_deps:BuildRequires:  %{ghc_pkg_deps}, %(echo %{ghc_pkg_deps} | sed -e "s/\(ghc-[^, ]\+\)-devel/\1-doc,\1-prof/g")}
 %{?ghc_pkg_c_deps:BuildRequires:  %{ghc_pkg_c_deps}}
@@ -35,10 +37,4 @@
 %description
 %{common_description}
-%if %{with shared}
-This package provides the shared library.
-%endif
-
-
-%{?ghc_lib_package}
 
 
@@ -52,13 +48,16 @@
 
 %install
-rm -rf $RPM_BUILD_ROOT
 %ghc_lib_install
 
 
-%clean
-rm -rf $RPM_BUILD_ROOT
+# define the devel and prof subpkgs, devel post[un] scripts, and filelists:
+# ghc-%pkg_name{,devel,prof}.files
+%ghc_lib_package
 
 
 %changelog
+* Mon May  2 2011 Alexander Chernyakhovsky <achernya@mit.edu> - 3001.1.8.2-0
+- regenerated packaging with cabal2spec-0.22.5
+
 * Thu Sep  9 2010 Anders Kaseorg <andersk@mit.edu> - 3001.1.8.1-0
 - initial packaging for Fedora automatically generated by cabal2spec-0.22.1
Index: /trunk/server/fedora/specs/ghc-unix-handle.spec
===================================================================
--- /trunk/server/fedora/specs/ghc-unix-handle.spec	(revision 2065)
+++ /trunk/server/fedora/specs/ghc-unix-handle.spec	(revision 2066)
@@ -1,18 +1,19 @@
+# For Haskell Packaging Guidelines see:
+# - https://fedoraproject.org/wiki/Packaging:Haskell
+# - https://fedoraproject.org/wiki/PackagingDrafts/Haskell
+
 %global pkg_name unix-handle
 
+# common part of summary for all the subpackages
 %global common_summary Haskell %{pkg_name} library
 
+# main description used for all the subpackages
 %global common_description A %{pkg_name} library for Haskell.
 
-# add any Haskell library dependencies here:
+# Haskell library dependencies (used for buildrequires and devel/prof subpkg requires)
 #%%global ghc_pkg_deps ghc-@DEP1@-devel, ghc-@DEP2@-devel
 
-# add any foreign library dependencies here:
+# foreign library dependencies (used for buildrequires and devel subpkg requires)
 #%%global ghc_pkg_c_deps @CDEP1@-devel
-
-%bcond_without shared
-
-# debuginfo is not useful for ghc
-%global debug_package %{nil}
 
 Name:           ghc-%{pkg_name}
@@ -23,11 +24,12 @@
 Group:          System Environment/Libraries
 License:        BSD
-URL:            http://hackage.haskell.org/cgi-bin/hackage-scripts/package/%{pkg_name}
+URL:            http://hackage.haskell.org/package/%{pkg_name}
 Source0:        http://hackage.haskell.org/packages/archive/%{pkg_name}/%{version}/%{pkg_name}-%{version}.tar.gz
-BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # fedora ghc archs:
-ExclusiveArch:  %{ix86} x86_64 ppc alpha
+ExclusiveArch:  %{ix86} x86_64 ppc alpha sparcv9
 BuildRequires:  ghc, ghc-doc, ghc-prof
-BuildRequires:  ghc-rpm-macros >= 0.7.0
+# macros for building haskell packages
+BuildRequires:  ghc-rpm-macros >= 0.7.3
+BuildRequires:  hscolour
 %{?ghc_pkg_deps:BuildRequires:  %{ghc_pkg_deps}, %(echo %{ghc_pkg_deps} | sed -e "s/\(ghc-[^, ]\+\)-devel/\1-doc,\1-prof/g")}
 %{?ghc_pkg_c_deps:BuildRequires:  %{ghc_pkg_c_deps}}
@@ -35,10 +37,4 @@
 %description
 %{common_description}
-%if %{with shared}
-This package provides the shared library.
-%endif
-
-
-%{?ghc_lib_package}
 
 
@@ -52,13 +48,16 @@
 
 %install
-rm -rf $RPM_BUILD_ROOT
 %ghc_lib_install
 
 
-%clean
-rm -rf $RPM_BUILD_ROOT
+# define the devel and prof subpkgs, devel post[un] scripts, and filelists:
+# ghc-%pkg_name{,devel,prof}.files
+%ghc_lib_package
 
 
 %changelog
+* Mon May  2 2011 Alexander Chernyakhovsky <achernya@mit.edu> - 0.0.0-0
+- regenerated packaging with cabal2spec-0.22.5
+
 * Thu Sep  9 2010 Anders Kaseorg <andersk@mit.edu> - 0.0.0-0
 - initial packaging for Fedora automatically generated by cabal2spec-0.22.1
Index: /trunk/server/fedora/specs/httpd.spec.patch
===================================================================
--- /trunk/server/fedora/specs/httpd.spec.patch	(revision 2065)
+++ /trunk/server/fedora/specs/httpd.spec.patch	(revision 2066)
@@ -1,18 +1,18 @@
---- httpd.spec.orig	2010-10-27 08:26:15.000000000 -0400
-+++ httpd.spec	2010-11-18 18:20:43.000000000 -0500
-@@ -7,7 +7,7 @@
+--- httpd.spec.orig	2011-09-13 09:43:36.000000000 -0400
++++ httpd.spec	2011-11-05 20:57:13.910145847 -0400
+@@ -8,7 +8,7 @@
  Summary: Apache HTTP Server
  Name: httpd
- Version: 2.2.17
--Release: 1%{?dist}.1
-+Release: 1%{?dist}.1.scripts.%{scriptsversion}
+ Version: 2.2.21
+-Release: 1%{?dist}
++Release: 1%{?dist}.scripts.%{scriptsversion}
  URL: http://httpd.apache.org/
  Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
  Source1: index.html
-@@ -55,6 +55,14 @@
- Conflicts: pcre < 4.0
- Requires: httpd-tools = %{version}-%{release}, apr-util-ldap
+@@ -54,6 +54,15 @@
+ Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}
+ Requires: httpd-tools = %{version}-%{release}, apr-util-ldap, systemd-units
  
-+Provides: scripts-httpd
++Provides: scripts-httpd = %{version}-%{release}
 +Patch1000: httpd-suexec-scripts.patch
 +Patch1003: httpd-2.2.x-mod_status-security.patch
@@ -21,25 +21,38 @@
 +Patch1006: httpd-suexec-cloexec.patch
 +Patch1007: httpd-fixup-vhost.patch
++Patch1008: httpd-sysv-deps.patch
 +
  %description
  The Apache HTTP Server is a powerful, efficient, and extensible
  web server.
-@@ -65,6 +73,7 @@
+@@ -64,6 +73,7 @@
  Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
  Requires: apr-devel, apr-util-devel, pkgconfig
  Requires: httpd = %{version}-%{release}
-+Provides: scripts-httpd-devel
++Provides: scripts-httpd-devel = %{version}-%{release}
  
  %description devel
  The httpd-devel package contains the APXS binary and other files
-@@ -103,6 +112,7 @@
- Requires(post): openssl >= 0.9.7f-4, /bin/cat
+@@ -102,6 +112,7 @@
+ Requires(post): openssl, /bin/cat
  Requires(pre): httpd
- Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmn}
+ Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
 +Provides: scripts-mod_ssl
  Obsoletes: stronghold-mod_ssl
  
  %description -n mod_ssl
-@@ -130,6 +140,13 @@
+@@ -110,6 +121,11 @@
+ Security (TLS) protocols.
+ 
+ %prep
++
++# Horrible hack to patch the httpd.init file
++cd $RPM_SOURCE_DIR
++%patch1008 -p1 -b .sysv-deps
++
+ %setup -q
+ %patch1 -p1 -b .apctl
+ %patch2 -p1 -b .apxs
+@@ -128,6 +144,13 @@
  # Patch in vendor/release string
  sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
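Review bot: The `%prep` lines added to the spec (`cd $RPM_SOURCE_DIR` followed by `%patch1008 -p1 -b .sysv-deps`) patch httpd.init in the shared source directory rather than in the unpacked build tree, so the step is presumably not repeatable. A second build from the same directory would meet an already-patched file and leave `.sysv-deps` backups among the sources. Copying the init script into the build directory after `%setup` and patching that copy would keep the sources pristine. Separately, `Provides: scripts-mod_ssl` stays unversioned while this revision gives `scripts-httpd` and `scripts-httpd-devel` the suffix `= %{version}-%{release}`.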
@@ -55,5 +68,5 @@
  vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
  if test "x${vmmn}" != "x%{mmn}"; then
-@@ -177,10 +194,12 @@
+@@ -175,10 +198,12 @@
          --with-apr=%{_prefix} --with-apr-util=%{_prefix} \
  	--enable-suexec --with-suexec \
Index: /trunk/server/fedora/specs/krb5.spec.patch
===================================================================
--- /trunk/server/fedora/specs/krb5.spec.patch	(revision 2065)
+++ /trunk/server/fedora/specs/krb5.spec.patch	(revision 2066)
@@ -1,16 +1,16 @@
---- krb5.spec.orig	2011-04-13 14:56:35.000000000 -0400
-+++ krb5.spec	2011-04-27 02:52:07.000000000 -0400
-@@ -10,7 +10,7 @@
+--- krb5.spec.orig	2011-11-16 12:37:32.246736120 -0500
++++ krb5.spec	2011-11-16 12:42:47.134740975 -0500
+@@ -6,7 +6,7 @@
  Summary: The Kerberos network authentication system
  Name: krb5
- Version: 1.7.1
--Release: 19%{?dist}
-+Release: 19%{?dist}.scripts.%{scriptsversion}
+ Version: 1.9.1
+-Release: 14%{?dist}
++Release: 14%{?dist}.scripts.%{scriptsversion}
  # Maybe we should explode from the now-available-to-everybody tarball instead?
- # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar
+ # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
  Source0: krb5-%{version}.tar.gz
-@@ -98,6 +98,8 @@
- Patch109: krb5-1.7.1-paren.patch
- Patch110: 2011-004-patch-r18.txt
+@@ -65,6 +65,8 @@
+ Patch89: krb5-1.9.1-sendto_poll3.patch
+ Patch90: krb5-1.9-MITKRB5-SA-2011-006.patch
  
 +Patch1000: krb5-kuserok-scripts.patch
@@ -19,5 +19,5 @@
  URL: http://web.mit.edu/kerberos/www/
  Group: System Environment/Libraries
-@@ -142,6 +144,7 @@
+@@ -114,6 +116,7 @@
  %package libs
  Summary: The shared libraries used by Kerberos 5
@@ -27,8 +27,8 @@
  %description libs
  Kerberos is a network authentication system. The krb5-libs package
-@@ -1696,6 +1699,7 @@
- %patch108 -p1 -b .2011-003
- %patch109 -p1 -b .paren
- %patch110 -p1 -b .2011-004
+@@ -221,6 +224,7 @@
+ %patch88 -p1 -b .crossrealm
+ %patch89 -p1 -b .sendto_poll3
+ %patch90 -p1 -b .2011-006
 +%patch1000 -p1 -b .kuserok
  gzip doc/*.ps
Index: /trunk/server/fedora/specs/openafs-include-xstat.spec.patch
===================================================================
--- /trunk/server/fedora/specs/openafs-include-xstat.spec.patch	(revision 2065)
+++ /trunk/server/fedora/specs/openafs-include-xstat.spec.patch	(revision 2066)
@@ -1,14 +1,14 @@
---- openafs.spec.orig	2011-10-19 16:05:41.000000000 -0400
-+++ openafs.spec	2011-10-19 16:10:06.000000000 -0400
-@@ -1115,7 +1115,7 @@
+--- openafs.spec.orig	2011-11-04 23:50:34.842221577 -0400
++++ openafs.spec	2011-11-04 23:52:00.538590290 -0400
+@@ -1103,7 +1103,7 @@
  
  # create list of man pages that go in the 'openafs' package
  /bin/ls $RPM_BUILD_ROOT%{_mandir}/man1 \
--	|egrep '^afs|^fs|^kas|^klog|kapasswd|pagsh|^pts|^rxdebug|scout|^sys|tokens|translate|udebug|unlog|^uss|^vos' \
-+	|egrep '^afs|^fs|^kas|^klog|kapasswd|pagsh|^pts|^rxdebug|scout|^sys|tokens|translate|^xstat|udebug|unlog|^uss|^vos' \
+-	|egrep '^afs|^fs|^kas|^klog|kapasswd|pagsh|^pts|^restorevol|^rxdebug|scout|^sys|tokens|translate|udebug|unlog|^uss|^vos' \
++	|egrep '^afs|^fs|^kas|^klog|kapasswd|pagsh|^pts|^restorevol|^rxdebug|scout|^sys|tokens|translate|^xstat|udebug|unlog|^uss|^vos' \
+ 	|egrep -v '^afs_compile_et' \
  	>openafs-man1files
  
- /bin/ls $RPM_BUILD_ROOT%{_mandir}/man5 \
-@@ -1145,6 +1145,8 @@
+@@ -1134,6 +1134,8 @@
  %{_bindir}/tokens
  %{_bindir}/tokens.krb
@@ -19,5 +19,5 @@
  %{_bindir}/unlog
  %{_sbindir}/backup
-@@ -1196,7 +1198,7 @@
+@@ -1184,7 +1186,7 @@
  done
  
@@ -28,5 +28,5 @@
  done
  
-@@ -1208,7 +1210,7 @@
+@@ -1196,7 +1198,7 @@
  rm -rf $RPM_BUILD_ROOT%{_sbindir}/kdump*
  
Index: /trunk/server/fedora/specs/openafs-systemd.spec.patch
===================================================================
--- /trunk/server/fedora/specs/openafs-systemd.spec.patch	(revision 2066)
+++ /trunk/server/fedora/specs/openafs-systemd.spec.patch	(revision 2066)
@@ -0,0 +1,202 @@
+--- rpmbuild/SPECS/openafs.spec.orig	2011-10-17 23:46:35.000000000 -0400
++++ rpmbuild/SPECS/openafs.spec	2011-10-17 23:48:41.000000000 -0400
+@@ -224,7 +224,7 @@
+ BuildRoot: %{_tmppath}/%{name}-%{version}-root
+ Packager: OpenAFS Gatekeepers <openafs-gatekeepers@openafs.org>
+ Group: Networking/Filesystems
+-BuildRequires: %{?kdepend:%{kdepend}, } pam-devel, ncurses-devel, flex, bison
++BuildRequires: %{?kdepend:%{kdepend}, } pam-devel, ncurses-devel, flex, bison, systemd-units
+ %if 0%{?fedora}
+ BuildRequires: perl-devel perl-ExtUtils-Embed
+ %endif
+@@ -323,6 +323,12 @@
+ %package client
+ Provides: scripts-openafs-client
+ Requires: binutils, openafs = %{version}
++%if 0%{?fedora} >= 15
++Requires: systemd-units
++Requires(post): systemd-units, systemd-sysv
++Requires(preun): systemd-units
++Requires(postun): systemd-units
++%endif
+ 
+ %if %{fedorakmod}
+ Requires: %{name}-kmod >= %{version}
+@@ -347,6 +353,12 @@
+ Requires: openafs = %{version}
+ Summary: OpenAFS Filesystem Server
+ Group: Networking/Filesystems
++%if 0%{?fedora} >= 15
++Requires: systemd-units
++Requires(post): systemd-units, systemd-sysv
++Requires(preun): systemd-units
++Requires(postun): systemd-units
++%endif
+ 
+ %description server
+ The AFS distributed filesystem.  AFS is a distributed filesystem
+@@ -999,7 +1011,12 @@
+ mkdir -p $RPM_BUILD_ROOT%{_sbindir}
+ mkdir -p $RPM_BUILD_ROOT%{_libdir}
+ mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
++%if 0%{?fedora} < 15
+ mkdir -p $RPM_BUILD_ROOT%{initdir}
++%else
++mkdir -p $RPM_BUILD_ROOT%{_unitdir}
++mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/modules
++%endif
+ mkdir -p $RPM_BUILD_ROOT/etc/openafs
+ mkdir -p $RPM_BUILD_ROOT%{pamdir}
+ mkdir -p $RPM_BUILD_ROOT%{_prefix}/afs/etc
+@@ -1029,8 +1046,14 @@
+ 
+ # Copy root.client config files
+ install -m 755 src/packaging/RedHat/openafs.sysconfig $RPM_BUILD_ROOT/etc/sysconfig/openafs
++%if 0%{?fedora} < 15
+ install -m 755 src/packaging/RedHat/openafs-client.init $RPM_BUILD_ROOT%{initdir}/openafs-client
+ install -m 755 src/packaging/RedHat/openafs-server.init $RPM_BUILD_ROOT%{initdir}/openafs-server
++%else
++install -m 755 src/packaging/RedHat/openafs-client.service $RPM_BUILD_ROOT%{_unitdir}/openafs-client.service
++install -m 755 src/packaging/RedHat/openafs-client.modules $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/modules/openafs-client.modules
++install -m 755 src/packaging/RedHat/openafs-server.service $RPM_BUILD_ROOT%{_unitdir}/openafs-server.service
++%endif
+ 
+ # Copy PAM modules
+ install -m 755 ${sysname}/dest/lib/pam* $RPM_BUILD_ROOT%{pamdir}
+@@ -1310,7 +1333,14 @@
+ fi
+ 
+ %post client
++%if 0%{?fedora} < 15
+ chkconfig --add openafs-client
++%else
++if [ $1 -eq 1 ] ; then 
++    # Initial installation 
++    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
++fi
++%endif
+ if [ ! -d /afs ]; then
+ 	mkdir /afs
+ 	chown root.root /afs
+@@ -1327,10 +1357,17 @@
+ 
+ %post server
+ #on an upgrade, don't enable if we were disabled
++%if 0%{?fedora} < 15
+ if [ $1 = 1 ] ; then
+   chkconfig --add openafs-server
+ fi
+ %{initdir}/openafs-server condrestart
++%else
++if [ $1 -eq 1 ] ; then 
++    # Initial installation 
++    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
++fi
++%endif
+ 
+ %if %{build_authlibs}
+ %post authlibs
+@@ -1346,16 +1383,45 @@
+ fi
+ 
+ %preun client
++%if 0%{?fedora} < 15
+ if [ $1 = 0 ] ; then
+         %{initdir}/openafs-client stop
+         chkconfig --del openafs-client
+ fi
++%else
++if [ $1 -eq 0 ] ; then
++    	# Package removal, not upgrade
++    	/bin/systemctl --no-reload disable openafs-client.service > /dev/null 2>&1 || :
++    	/bin/systemctl stop openafs-client.service > /dev/null 2>&1 || :
++fi
++%endif
+ 
+ %preun server
++%if 0%{?fedora} < 15
+ if [ $1 = 0 ] ; then
+         %{initdir}/openafs-server stop
+         chkconfig --del openafs-server
+ fi
++%else
++if [ $1 -eq 0 ] ; then
++    	/bin/systemctl --no-reload disable openafs-server.service > /dev/null 2>&1 || :
++    	/bin/systemctl stop openafs-server.service > /dev/null 2>&1 || :
++fi
++%endif
++
++%postun client
++/bin/systemctl daemon-reload >/dev/null 2>&1 || :
++if [ $1 -ge 1 ] ; then
++    # Package upgrade, not uninstall
++    /bin/systemctl try-restart openafs-client.service >/dev/null 2>&1 || :
++fi
++
++%postun server
++/bin/systemctl daemon-reload >/dev/null 2>&1 || :
++if [ $1 -ge 1 ] ; then
++    # Package upgrade, not uninstall
++    /bin/systemctl try-restart openafs-server.service >/dev/null 2>&1 || :
++fi
+ 
+ %if %{build_dkmspkg}
+ %post -n dkms-%{name}
+@@ -1413,6 +1479,32 @@
+ %endif
+ %endif
+ 
++%triggerun -- openafs-client < 1.6.0-1
++# Save the current service runlevel info
++# User must manually run systemd-sysv-convert --apply httpd
++# to migrate them to systemd targets
++/usr/bin/systemd-sysv-convert --save openafs-client >/dev/null 2>&1 ||:
++
++# If the package is allowed to autostart:
++/bin/systemctl --no-reload enable openafs-client.service >/dev/null 2>&1 ||:
++
++# Run these because the SysV package being removed won't do them
++/sbin/chkconfig --del openafs-client >/dev/null 2>&1 || :
++/bin/systemctl try-restart openafs-client.service >/dev/null 2>&1 || : 
++
++%triggerun -- openafs-server < 1.6.0-1
++# Save the current service runlevel info
++# User must manually run systemd-sysv-convert --apply httpd
++# to migrate them to systemd targets
++/usr/bin/systemd-sysv-convert --save openafs-server >/dev/null 2>&1 ||:
++
++# If the package is allowed to autostart:
++/bin/systemctl --no-reload enable openafs-server.service >/dev/null 2>&1 ||:
++
++# Run these because the SysV package being removed won't do them
++/sbin/chkconfig --del openafs-server >/dev/null 2>&1 || :
++/bin/systemctl try-restart openafs-server.service >/dev/null 2>&1 || : 
++
+ ##############################################################################
+ ###
+ ### file lists
+@@ -1450,7 +1542,12 @@
+ %{pamdir}/pam_afs.krb.so
+ %{pamdir}/pam_afs.so.1
+ %{pamdir}/pam_afs.so
++%if 0%{?fedora} < 15
+ %{initdir}/openafs-client
++%else
++%{_unitdir}/openafs-client.service
++%{_sysconfdir}/sysconfig/modules/openafs-client.modules
++%endif
+ %{_mandir}/man1/cmdebug.*
+ %{_mandir}/man1/copyauth.*
+ %{_mandir}/man1/up.*
+@@ -1498,7 +1595,11 @@
+ %{_sbindir}/vldb_check
+ %{_sbindir}/vldb_convert
+ %{_sbindir}/voldump
++%if 0%{?fedora} < 15
+ %{initdir}/openafs-server
++%else
++%{_unitdir}/openafs-server.service
++%endif
+ %{_mandir}/man5/AuthLog.*
+ %{_mandir}/man5/BackupLog.*
+ %{_mandir}/man5/BosConfig.*
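Review bot: The two `.service` files are installed with `install -m 755`, but unit files are read rather than executed and should be `-m 644`; only `openafs-client.modules` needs the execute bit, and current systemd versions log a warning for executable units. The comments in both `%triggerun` sections say `systemd-sysv-convert --apply httpd`, apparently copied from the httpd spec, and should name `openafs-client` and `openafs-server` so an administrator following them migrates the right service. The new `%postun` and `%triggerun` sections are also the only systemd pieces not wrapped in the `%if 0%{?fedora} < 15` / `%else` guard used elsewhere in this patch.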
Index: /trunk/server/fedora/specs/openafs.spec.patch
===================================================================
--- /trunk/server/fedora/specs/openafs.spec.patch	(revision 2065)
+++ /trunk/server/fedora/specs/openafs.spec.patch	(revision 2066)
@@ -1,25 +1,29 @@
---- openafs.spec.orig	2010-09-10 18:21:53.000000000 -0400
-+++ openafs.spec	2010-09-10 18:34:30.000000000 -0400
-@@ -8,7 +8,7 @@
- # for beta/rc releases make pkgrel 0.X.<tag>
+--- rpmbuild/SPECS/openafs.spec
++++ rpmbuild/SPECS/openafs.spec.~3~	2011-11-20 20:13:52.211673609 -0500
+@@ -4,7 +4,7 @@
+ %define pkgvers 1.6.0
+ # for beta/rc releases make pkgrel 0.<tag>
  # for real releases make pkgrel 1 (or more for extra releases)
- #%define pkgrel 0.1.rc1
--%define pkgrel 0.pre3
-+%define pkgrel 0.pre3.99scripts.%{scriptsversion}
+-%define pkgrel 1
++%define pkgrel 1.99.scripts.%{scriptsversion}
  
- %if %{?osvers:0}%{!?osvers:1}
- %define osvers 1
-@@ -261,6 +261,10 @@
- %endif
+ %{!?fedorakmod: %define fedorakmod 1}
+ %{!?build_dkmspkg: %define build_dkmspkg 1}
+@@ -237,6 +237,14 @@
+ 
  ExclusiveArch: %{ix86} x86_64 ia64 s390 s390x sparc64 ppc ppc64
  
 +Patch1000: openafs-scripts.patch
-+Patch1003: openafs-localcsdb.patch
-+Patch1005: openafs-numsysnames.patch
++Patch1001: openafs-localcsdb.patch
++Patch1002: openafs-systemd.patch
++Patch1003: openafs-systemd-crond.patch
++Patch1004: openafs-linux-3.1-rcu.patch
++Patch1005: openafs-linux-3.1-fsync.patch
++Patch1006: openafs-linux-3.1-zalloc.patch
 +
  #    http://dl.openafs.org/dl/openafs/candidate/%{afsvers}/...
  Source0: http://www.openafs.org/dl/openafs/%{afsvers}/openafs-%{afsvers}-src.tar.bz2
  Source1: http://www.openafs.org/dl/openafs/%{afsvers}/openafs-%{afsvers}-doc.tar.bz2
-@@ -343,6 +347,7 @@
+@@ -316,6 +324,7 @@
  %if %{build_userspace}
  
@@ -29,5 +33,5 @@
  
  %if %{fedorakmod}
-@@ -403,6 +408,7 @@
+@@ -376,6 +385,7 @@
  
  %if %{build_authlibs}
@@ -37,5 +41,5 @@
  Group: Networking/Filesystems
  
-@@ -419,6 +425,7 @@
+@@ -392,6 +402,7 @@
  %endif
  
@@ -43,7 +47,7 @@
 +Provides: scripts-openafs-authlibs-devel
  %if %{build_authlibs}
- Requires: openafs-authlibs = %{version}
+ Requires: openafs-authlibs = %{version}-%{release}
  %endif
-@@ -437,6 +444,7 @@
+@@ -410,6 +421,7 @@
  libraries.
  
@@ -52,6 +56,6 @@
  Summary: OpenAFS Development Libraries and Headers
  Group: Development/Filesystems
- 
-@@ -465,6 +473,7 @@
+ Requires: openafs = %{version}-%{release}
+@@ -439,6 +451,7 @@
  administrators.
  
@@ -61,5 +65,5 @@
  Group: Networking/Filesystems
  Provides: openafs-kernel = %{version}
-@@ -514,6 +523,7 @@
+@@ -488,6 +501,7 @@
  
  %if %{krb5support}
@@ -69,5 +73,5 @@
  Requires: openafs = %{version}
  Group: Networking/Filesystems
-@@ -540,7 +550,7 @@
+@@ -514,7 +528,7 @@
  %if %{build_modules}
  
@@ -78,12 +82,32 @@
  %else
  
-@@ -699,6 +709,9 @@
+@@ -671,6 +685,15 @@
+ #%setup -q -n %{srcdir}
+ %setup -q -b 1 -n %{srcdir}
  
- # Patch openafs to build a kernel module named "openafs" instead of "libafs"
- %patch0 -p1 -b .kmod26
++# Apply the Scripts patch
 +%patch1000 -p1 -b .scripts
-+%patch1003 -p1 -b .localcsdb
-+%patch1005 -p1 -b .numsysnames
- 
++%patch1001 -p1 -b .localcsdb
++%patch1002 -p1 -b .systemd
++%patch1003 -p1 -b .systemd-crond
++%patch1004 -p1 -b .rcu
++%patch1005 -p1 -b .fsync
++%patch1006 -p1 -b .zalloc
++
  ##############################################################################
  #
+ # building
+@@ -1212,6 +1235,13 @@
+ rm -f $RPM_BUILD_ROOT%{_libdir}/libafsrpc.so
+ rm -f $RPM_BUILD_ROOT%{_libdir}/libafsauthent.so.*
+ rm -f $RPM_BUILD_ROOT%{_libdir}/libafsrpc.so.*
++%else
++chmod +x $RPM_BUILD_ROOT%{_libdir}/libafsauthent.so
++chmod +x $RPM_BUILD_ROOT%{_libdir}/libafsrpc.so
++chmod +x $RPM_BUILD_ROOT%{_libdir}/libafsauthent.so.*
++chmod +x $RPM_BUILD_ROOT%{_libdir}/libafsrpc.so.*
++chmod +x $RPM_BUILD_ROOT%{_libdir}/libkopenafs.so
++chmod +x $RPM_BUILD_ROOT%{_libdir}/libkopenafs.so.*
+ %endif
+ 
+ %endif
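Review bot: The seven `chmod +x` lines added to the `%else` branch in the last inner hunk (`@@ -1212,6 +1235,13 @@`) have no comment saying why shared libraries need the execute bit. The zephyr.spec change in this same changeset documents the reason for an identical workaround: RPM's automatic Provides scan only looks at executable files. If that is also the motivation here, put the same explanation above these lines, for example `# RPM only scans executable files for Provides:; drop once OpenAFS installs its .so files 0755`. Without it the next spec rebase cannot tell whether the lines are still needed. The enclosing `%if`/`%else` block starts outside the hunk.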
Index: /trunk/server/fedora/specs/openssh.spec.patch
===================================================================
--- /trunk/server/fedora/specs/openssh.spec.patch	(revision 2065)
+++ /trunk/server/fedora/specs/openssh.spec.patch	(revision 2066)
@@ -1,38 +1,37 @@
 --- openssh.spec.orig	2010-05-31 06:20:02.000000000 -0400
 +++ openssh.spec	2010-09-06 21:53:21.000000000 -0400
-@@ -74,7 +74,7 @@
+@@ -78,7 +78,7 @@
  Summary: An open source implementation of SSH protocol versions 1 and 2
  Name: openssh
- Version: 5.4p1
--Release: %{openssh_rel}%{?dist}%{?rescue_rel}
-+Release: %{openssh_rel}%{?dist}%{?rescue_rel}.scripts.%{scriptsversion}
+ Version: %{openssh_ver}
+-Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1
++Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1.scripts.%{scriptsversion}
  URL: http://www.openssh.com/portable.html
  #URL1: http://pamsshagentauth.sourceforge.net
  #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
-@@ -88,6 +88,8 @@
+@@ -92,6 +92,7 @@
  Source3: sshd.init
  Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
  Source5: pam_ssh_agent-rmheaders
 +Patch1001: openssh-4.7p1-gssapi-name-in-env.patch
-+Patch1002: openssh-no-spurious-correct-key-incorrect-host-messages.patch
- Patch0: openssh-5.4p1-redhat.patch
- Patch2: openssh-5.3p1-skip-initial.patch
- Patch4: openssh-5.2p1-vendor.patch
-@@ -175,6 +178,7 @@
- Requires(post): chkconfig >= 0.9, /sbin/service
+
+ Patch100: openssh-5.6p1-wIm.patch
+ Patch0: openssh-5.6p1-redhat.patch
+@@ -207,6 +209,7 @@
  Requires(pre): /usr/sbin/useradd
  Requires: pam >= 1.0.1-3
+ Requires: fipscheck-lib%{_isa} >= 1.3.0
 +Provides: scripts-openssh-server
  
- %package askpass
- Summary: A passphrase dialog for OpenSSH and X
-@@ -267,6 +271,9 @@
- %patch75 -p1 -b .dso
- %patch76 -p1 -b .bz595935
+ %if %{ldap}
+ %package ldap
+@@ -323,6 +326,8 @@
+ %patch80 -p1 -b .biguid
+ %patch81 -p1 -b .clientloop
  
 +%patch1001 -p1 -b .gssapi-env
-+%patch1002 -p1 -b .no-spurious-correct-key-incorrect-host-messages
 +
  autoreconf
- 
- %build
+ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+ autoreconf
+
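Review bot: The new-side line numbers in the rewritten inner hunk headers do not add up, which suggests the headers were edited by hand rather than regenerated. The first two inner hunks add one line in total, so `@@ -207,6 +209,7 @@` should start at 208, and by the same count `@@ -323,6 +326,8 @@` should start at 325. patch(1) will most likely still find the context by offset, but this patch modifies the sshd package spec, so it is safer to regenerate it with `diff -u` against the 5.6p1 spec than to rely on fuzzy matching. The inner `---`/`+++` header also still carries the 2010 timestamps from the old spec.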
Index: unk/server/fedora/specs/python-routefs.spec
===================================================================
--- /trunk/server/fedora/specs/python-routefs.spec	(revision 2065)
+++ 	(revision )
@@ -1,55 +1,0 @@
-%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
-
-Name:		python-routefs
-Version:	0.0.1
-Release:	1%{?dist}
-Summary:	A FUSE API wrapper based on URL routing
-
-Group:		Development/Languages
-License:	MIT
-URL:		http://ebroder.net/code/python-routefs.git
-Source0:	python-routefs.tar.gz
-BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-
-BuildRequires:	python-devel
-BuildRequires:	python-routes >= 1.7
-BuildRequires:	fuse-python >= 0.2
-Requires:	python-routes >= 1.7
-Requires:	fuse-python >= 0.2
-
-%description
-
-RouteFS is a base class for developing read-only FUSE filesystems that
-lets you focus on the directory tree instead of the system calls.
-
-RouteFS uses the Routes library developed for Pylons. URLs were
-inspired by filesystems, and now you can have filesystems inspired by
-URLs.
-
-
-%prep
-%setup -q -n %{name}
-
-
-%build
-%{__python} setup.py build
-
-
-%install
-rm -rf $RPM_BUILD_ROOT
-%{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT
-
- 
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-
-%files
-%defattr(-,root,root,-)
-%doc
-%{python_sitelib}/*
-
-
-%changelog
-* Sun Sep 14 2008 Anders Kaseorg <andersk@mit.edu> - 0.0.1
-- Initial RPM release.
Index: /trunk/server/fedora/specs/redland-bindings.spec.patch
===================================================================
--- /trunk/server/fedora/specs/redland-bindings.spec.patch	(revision 2065)
+++ /trunk/server/fedora/specs/redland-bindings.spec.patch	(revision 2066)
@@ -1,9 +1,9 @@
---- redland-bindings.spec	2011-10-12 14:51:58.000000000 -0400
-+++ redland-bindings-php.spec	2011-10-13 10:15:24.000000000 -0400
+--- redland-bindings.spec.old	2011-10-12 14:51:58.000000000 -0400
++++ redland-bindings.spec	2011-10-13 10:15:24.000000000 -0400
 @@ -1,6 +1,6 @@
  Name:           redland-bindings
- Version:        1.0.7.1
--Release:        1%{?dist}
-+Release:        1%{?dist}.scripts.%{scriptsversion}
+ Version:        1.0.11.1
+-Release:        6%{?dist}
++Release:        6%{?dist}.scripts.%{scriptsversion}
  Summary:        Redland RDF Application Framework API Bindings
  
Index: /trunk/server/fedora/specs/rubygems.spec.patch
===================================================================
--- /trunk/server/fedora/specs/rubygems.spec.patch	(revision 2066)
+++ /trunk/server/fedora/specs/rubygems.spec.patch	(revision 2066)
@@ -0,0 +1,30 @@
+--- rubygems.spec.orig	2011-11-04 14:16:37.000000000 -0400
++++ rubygems.spec	2011-11-04 14:32:02.000000000 -0400
+@@ -15,7 +15,7 @@
+ Summary:	The Ruby standard for packaging ruby libraries
+ Name:		rubygems
+ Version:	1.7.2
+-Release:	3%{?dist}
++Release:	3%{?dist}.scripts.%{scriptsversion}
+ Group:		Development/Libraries
+ # No GPL version is specified.
+ License:	Ruby or GPL+
+@@ -40,6 +40,9 @@
+ # ... and spec_file is not supported yet
+ Patch7:		rubygems-1.7.2-escape-string-skip-test.patch
+ 
++Provides: scripts-rubygems = %{version}-%{release}
++Patch1000: rubygems-rails-require-thread.patch
++
+ Requires:	ruby(abi) = 1.8
+ Requires:	ruby >= 1.8.7
+ Requires:	ruby-rdoc
+@@ -69,6 +72,8 @@
+ %patch6 -p1 -b .esc
+ %patch7 -p1 -b .esc.skip
+ 
++%patch1000 -p1 -b .thread
++
+ # Some of the library files start with #! which rpmlint doesn't like
+ # and doesn't make much sense
+ for f in `find lib -name \*.rb` ; do
Index: /trunk/server/fedora/specs/scripts-base.spec
===================================================================
--- /trunk/server/fedora/specs/scripts-base.spec	(revision 2065)
+++ /trunk/server/fedora/specs/scripts-base.spec	(revision 2066)
@@ -21,4 +21,6 @@
 Requires: scripts-openafs-krb5
 Requires: scripts-openssh-server
+Requires: scripts-static-cat
+Requires: scripts-rubygems
 Requires: sql-signup
 Requires: tokensys
Index: unk/server/fedora/specs/scripts-python-path.spec
===================================================================
--- /trunk/server/fedora/specs/scripts-python-path.spec	(revision 2065)
+++ 	(revision )
@@ -1,37 +1,0 @@
-Summary: scripts.mit.edu python path configuration
-Group: Development/Languages
-Name: scripts-python-path
-Version: 0.%{scriptsversion}
-Release: 0
-Vendor: The scripts.mit.edu Team (scripts@mit.edu)
-URL: http://scripts.mit.edu
-License: GPL
-Source: %{name}.tar.gz 
-BuildRoot: %{_tmppath}/%(%{__id_u} -n)-%{name}-%{version}-root
-
-%description 
-
-scripts.mit.edu python path configuration
-See http://scripts.mit.edu/wiki for more information.
-
-%prep
-%setup -q -n %{name}
-%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
-
-%install
-[ $RPM_BUILD_ROOT != / ] && rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT%{python_sitelib}
-install -m 644 00scripts-home.pth $RPM_BUILD_ROOT%{python_sitelib}
-
-%clean
-[ $RPM_BUILD_ROOT != / ] && rm -rf $RPM_BUILD_ROOT
-
-%files
-%defattr(0644, root, root)
-%{python_sitelib}/00scripts-home.pth
-
-%changelog
-* Thu Jul  9 2009  Geoffrey Thomas <geofft@mit.edu>
-- Update to Python 2.6
-* Tue Jan 27 2009  Quentin Smith <quentin@mit.edu>
-- initial release
Index: /trunk/server/fedora/specs/scripts-static-cat.spec
===================================================================
--- /trunk/server/fedora/specs/scripts-static-cat.spec	(revision 2065)
+++ /trunk/server/fedora/specs/scripts-static-cat.spec	(revision 2066)
@@ -1,8 +1,5 @@
-# link with shared libs
-# andersk: Disabled for 3x faster startup speed.
-#%%bcond_without dynamic
-
-# ghc does not emit debug information
-%global debug_package %{nil}
+# For Haskell Packaging Guidelines see:
+# - https://fedoraproject.org/wiki/Packaging:Haskell
+# - https://fedoraproject.org/wiki/PackagingDrafts/Haskell
 
 Name:           scripts-static-cat
@@ -15,8 +12,8 @@
 URL:            http://scripts.mit.edu/
 Source0:        %{name}.tar.gz
-BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # fedora ghc archs:
-ExclusiveArch:  %{ix86} x86_64 ppc alpha
-BuildRequires:  ghc
+ExclusiveArch:  %{ix86} x86_64 ppc alpha sparcv9
+BuildRequires:  ghc-devel
+# macros for building haskell packages
 BuildRequires:  ghc-rpm-macros >= 0.7.0
 BuildRequires:  ghc-cgi-devel >= 3001.1.8, ghc-MonadCatchIO-mtl-devel, ghc-unix-handle-devel
@@ -35,10 +32,5 @@
 
 %install
-rm -rf $RPM_BUILD_ROOT
 %ghc_bin_install
-
-
-%clean
-rm -rf $RPM_BUILD_ROOT
 
 
@@ -49,4 +41,7 @@
 
 %changelog
+* Mon May  2 2011 Alexander Chernyakhovsky <achernya@mit.edu> - 0.0-0
+- regenerated packaging with cabal2spec-0.22.5
+
 * Thu Sep  9 2010 Anders Kaseorg <andersk@mit.edu> - 0.0-0
 - initial packaging for Fedora automatically generated by cabal2spec-0.22.1
Index: /trunk/server/fedora/specs/tokensys.spec
===================================================================
--- /trunk/server/fedora/specs/tokensys.spec	(revision 2065)
+++ /trunk/server/fedora/specs/tokensys.spec	(revision 2066)
@@ -10,5 +10,9 @@
 BuildRoot: %{_tmppath}/%(%{__id_u} -n)-%{name}-%{version}-root
 %define debug_package %{nil}
-Prereq: /usr/kerberos/bin/kinit, /usr/bin/aklog
+Prereq: /usr/bin/kinit, /usr/bin/aklog
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+BuildRequires: systemd-units
 
 %description
@@ -17,5 +21,6 @@
 Contains:
  - A shell script for renewing the scripts AFS credentials <renew>
- - A crontab for calling the renew script <crontab>
+ - A shell script for configuring scripts AFS <scripts-afsagent-startup>
+ - systemd units for running the above
 See http://scripts.mit.edu/wiki for more information.
 
@@ -24,10 +29,13 @@
 
 %build
-./configure --with-kinit=/usr/kerberos/bin/kinit --with-aklog=/usr/bin/aklog
+./configure --with-kinit=/usr/bin/kinit --with-aklog=/usr/bin/aklog --with-fs=/usr/bin/fs
 
 %install
 [ $RPM_BUILD_ROOT != / ] && rm -rf $RPM_BUILD_ROOT
 install -D renew $RPM_BUILD_ROOT/home/afsagent/renew
-install -D crontab $RPM_BUILD_ROOT/etc/cron.d/afsagent
+install -D scripts-afsagent-startup $RPM_BUILD_ROOT/usr/local/libexec/scripts-afsagent-startup
+install -D scripts-afsagent-startup.service $RPM_BUILD_ROOT%{_unitdir}/scripts-afsagent-startup.service
+install -D scripts-afsagent.service $RPM_BUILD_ROOT%{_unitdir}/scripts-afsagent.service
+install -D scripts-afsagent.timer $RPM_BUILD_ROOT%{_unitdir}/scripts-afsagent.timer
 
 %clean
@@ -35,8 +43,10 @@
 
 %files
-%defattr(0600, root, root)
-/etc/cron.d/afsagent
+%defattr(0644,root,root)
+%{_unitdir}/*.service
+%{_unitdir}/*.timer
 %defattr(0755, afsagent, afsagent)
 /home/afsagent/renew
+/usr/local/libexec/scripts-afsagent-startup
 
 %pre
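Review bot: The new `/usr/local/libexec/scripts-afsagent-startup` entry sits under `%defattr(0755, afsagent, afsagent)`, so the script is installed owned by, and writable by, the unprivileged afsagent account. The unit that runs it is not part of this diff, but if `scripts-afsagent-startup.service` runs as root (likely, given the new `--with-fs=/usr/bin/fs` configure option), anything running as afsagent could rewrite a script that root executes at boot. List it as `%attr(0755, root, root) /usr/local/libexec/scripts-afsagent-startup`, or move it above the afsagent `%defattr` under a root-owned one.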
@@ -44,5 +54,32 @@
 useradd -u 101 -g 101 afsagent || [ $? -eq 9 ]
 
+%post
+/bin/systemctl enable scripts-afsagent-startup.service >/dev/null 2>&1 || :
+/bin/systemctl enable scripts-afsagent.service >/dev/null 2>&1 || :
+/bin/systemctl enable scripts-afsagent.timer >/dev/null 2>&1 || :
+
+if [ $1 -eq 1 ] ; then 
+    # Initial installation 
+    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+fi
+
+%preun
+if [ $1 -eq 0 ] ; then
+    # Package removal, not upgrade
+    /bin/systemctl --no-reload disable scripts-afsagent-startup.service > /dev/null 2>&1 || :
+    /bin/systemctl --no-reload disable scripts-afsagent.service > /dev/null 2>&1 || :
+    /bin/systemctl --no-reload disable scripts-afsagent.timer > /dev/null 2>&1 || :
+    /bin/systemctl stop scripts-afsagent-startup.service > /dev/null 2>&1 || :
+    /bin/systemctl stop scripts-afsagent.service > /dev/null 2>&1 || :
+    /bin/systemctl stop scripts-afsagent.timer > /dev/null 2>&1 || :
+fi
+
 %postun
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+    # Package upgrade, not uninstall
+    /bin/systemctl try-restart scripts-afsagent.service >/dev/null 2>&1 || :
+fi
+
 if [ "$1" = "0" ] ; then
    userdel -r afsagent
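Review bot: `%post` enables the three units but nothing in the scriptlets starts `scripts-afsagent.timer`, while this same release removes `/etc/cron.d/afsagent`. On a host upgraded from the cron-based package, AFS credential renewal would therefore stop until the next reboot or a manual start, as far as the hunk shows. Add `/bin/systemctl start scripts-afsagent.timer >/dev/null 2>&1 || :` after the enable lines. `daemon-reload` also runs only when `$1 -eq 1`, so on upgrade the changed unit files are not reloaded before `%postun` runs. The `%postun` body continues outside the hunk.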
@@ -50,4 +87,8 @@
 
 %changelog
+* Mon Nov 21 2011  Quentin Smith <quentin@mit.edu>
+- add systemd units
+- remove crontab
+
 * Tue Aug 17 2010  Geoffrey Thomas <geofft@mit.edu>
 - aklog csail as well
Index: /trunk/server/fedora/specs/whoisd.spec
===================================================================
--- /trunk/server/fedora/specs/whoisd.spec	(revision 2065)
+++ /trunk/server/fedora/specs/whoisd.spec	(revision 2066)
@@ -1,16 +1,21 @@
-Summary:        whoisd for <scripts.mit.edu> (virtualhost aware)
-Group:			Applications/System
-Name:           whoisd
-Version:        0.%{scriptsversion}
-Release:        0
-Vendor:			The scripts.mit.edu Team (scripts@mit.edu)
-URL:			http://scripts.mit.edu
-License:        GPL
-Source0:        %{name}.tar.gz
-BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Summary:   whoisd for <scripts.mit.edu> (virtualhost aware)
+Group:     Applications/System
+Name:      whoisd
+Version:   0.%{scriptsversion}
+Release:   1
+Vendor:    The scripts.mit.edu Team (scripts@mit.edu)
+URL:       http://scripts.mit.edu
+License:   GPL
+Source0:   %{name}.tar.gz
+
 %define debug_package %{nil}
 
-#BuildRequires:  make
-Requires:       python-twisted-core
+Requires:      python-twisted-core
+BuildRequires: systemd-units
+
+Requires(post):   systemd-units
+Requires(preun):  systemd-units
+Requires(postun): systemd-units
+Requires(post):   systemd-sysv
 
 %description
@@ -24,17 +29,33 @@
 
 %install
-[ $RPM_BUILD_ROOT != / ] && rm -rf $RPM_BUILD_ROOT
 make install DESTDIR=$RPM_BUILD_ROOT exec_prefix=/usr/local
 
-%clean
-[ $RPM_BUILD_ROOT != / ] && rm -rf $RPM_BUILD_ROOT
+%post
+if [ $1 -eq 1 ] ; then
+    # Initial installation
+    /bin/systemctl enable scripts-whoisd.service >/dev/null 2>&1 || :
+fi
+
+%preun
+if [ $1 -eq 0 ]; then
+    /bin/systemctl --no-reload disable scripts-whoisd.service >/dev/null 2>&1 || :
+    /bin/systemctl stop scripts-whoisd.service > /dev/null 2>&1 || :
+fi
+
+%postun
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ]; then
+    /bin/systemctl try-restart scripts-whoisd.service >/dev/null 2>&1 || :
+fi
 
 %files
 %defattr(0644,root,root,-)
 /usr/local/libexec/whoisd.tac
-%defattr(0600,root,root)
-/etc/cron.d/whoisd
+%defattr(0644,root,root)
+/lib/systemd/system/scripts-whoisd.service
 
 %changelog
+* Thu Aug 25 2011 Alexander Chernyakhovsky <achernya@mit.edu> 0-1
+- package systemd service file
 
 * Tue Jun 03 2008 Joe Presbrey <presbrey@mit.edu> 0.00
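Review bot: `%post` enables `scripts-whoisd.service` only when `$1 -eq 1`, but this release also drops `/etc/cron.d/whoisd`, so an upgrade from the Release 0 package runs `%post` with `$1` equal to 2 and enables nothing. If the cron entry was what launched the daemon, upgraded hosts would end up with whoisd neither enabled nor running. tokensys.spec in this changeset enables its units unconditionally, and the openafs patch uses a `%triggerun -- <pkg> < <version>` block for the same migration. Either move `/bin/systemctl enable scripts-whoisd.service >/dev/null 2>&1 || :` outside the `if`, or add an equivalent trigger. Separately, the `%files` entry hard-codes `/lib/systemd/system/` where tokensys.spec uses `%{_unitdir}`.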
Index: /trunk/server/fedora/specs/zephyr.spec
===================================================================
--- /trunk/server/fedora/specs/zephyr.spec	(revision 2065)
+++ /trunk/server/fedora/specs/zephyr.spec	(revision 2066)
@@ -1,4 +1,4 @@
 Name:           zephyr
-Version:        3.0
+Version:        3.0.1
 Release:        0.%{scriptsversion}%{?dist}
 Summary:        Client programs for the Zephyr real-time messaging system
@@ -71,5 +71,4 @@
 make %{?_smp_mflags}
 
-
 %install
 rm -rf $RPM_BUILD_ROOT
@@ -80,5 +79,12 @@
 install -m755 zhm.init \
         $RPM_BUILD_ROOT%{_initddir}/zhm
-
+# Make RPM's Provide: searcher actually search the .so files! A recent
+# change in how RPM detects Provides automatically means that only
+# files that are executable get searched. Without this hack, all of
+# the zephyr client tools are Requires: libzephyr.so.4 which is never
+# Provides:, leading to uninstallable RPMS. This can be removed when
+# zephyr starts installing the libraries with mode 755 rather than
+# 644. (Zephyr #79)
+chmod a+x $RPM_BUILD_ROOT%{_libdir}/libzephyr.so.*
 
 %post
@@ -139,4 +145,7 @@
 
 %changelog
+* Sat Apr 16 2011 Alexander Chernyakhovsky <achernya@mit.edu> 3.0.1-0
+- Zephyr 3.0.1
+
 * Sun Sep 19 2010 Anders Kaseorg <andersk@mit.edu> - 3.0-0
 - Decrease version below a hypothetical Fedora package.
