From: Norbert Lange <nolange79@gmail.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
Date: Sat, 6 Jun 2020 00:59:02 +0200 [thread overview]
Message-ID: <20200605225905.14082-2-nolange79@gmail.com> (raw)
In-Reply-To: <20200605225905.14082-1-nolange79@gmail.com>
The openssh daemon is not suited for systemd's simple
service type: dependent services should only start
when sshd is ready to accept connections.
A patch is added from Debian to allow openssh
to communicate this state.
Restarts are prevented if the reason is a faulty
config file (error code 255).
The "user confinement directory" is changed to
'/run/sshd' which is automatically managed by systemd.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
package/openssh/openssh.mk | 14 +++-
package/openssh/sshd-sysusers.conf | 2 +-
package/openssh/sshd.service | 13 +++-
4 files changed, 109 insertions(+), 4 deletions(-)
create mode 100644 package/openssh/00-systemd-readiness.patch
diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch
new file mode 100644
index 0000000000..be3b6b0074
--- /dev/null
+++ b/package/openssh/00-systemd-readiness.patch
@@ -0,0 +1,84 @@
+From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
+From: Michael Biebl <biebl@debian.org>
+Date: Mon, 21 Dec 2015 16:08:47 +0000
+Subject: Add systemd readiness notification support
+
+Bug-Debian: https://bugs.debian.org/778913
+Forwarded: no
+Last-Update: 2017-08-22
+
+Patch-Name: systemd-readiness.patch
+---
+ configure.ac | 24 ++++++++++++++++++++++++
+ sshd.c | 9 +++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index e894db9fc..c119d6fd1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
+ AC_SUBST([GSSLIBS])
+ AC_SUBST([K5LIBS])
+
++# Check whether user wants systemd support
++SYSTEMD_MSG="no"
++AC_ARG_WITH(systemd,
++ [ --with-systemd Enable systemd support],
++ [ if test "x$withval" != "xno" ; then
++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
++ if test "$PKGCONFIG" != "no"; then
++ AC_MSG_CHECKING([for libsystemd])
++ if $PKGCONFIG --exists libsystemd; then
++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
++ AC_MSG_RESULT([yes])
++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
++ SYSTEMD_MSG="yes"
++ else
++ AC_MSG_RESULT([no])
++ fi
++ fi
++ fi ]
++)
++
+ # Looking for programs, paths and files
+
+ PRIVSEP_PATH=/var/empty
+@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+ echo " Solaris project support: $SP_MSG"
+ echo " Solaris privilege support: $SPP_MSG"
++echo " systemd support: $SYSTEMD_MSG"
+ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
+ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+ echo " BSD Auth support: $BSD_AUTH_MSG"
+diff --git a/sshd.c b/sshd.c
+index 4e8ff0662..5e7679a33 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -85,6 +85,10 @@
+ #include <prot.h>
+ #endif
+
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ #include "xmalloc.h"
+ #include "ssh.h"
+ #include "ssh2.h"
+@@ -1951,6 +1955,11 @@ main(int ac, char **av)
+ }
+ }
+
++#ifdef HAVE_SYSTEMD
++ /* Signal systemd that we are ready to accept connections */
++ sd_notify(0, "READY=1");
++#endif
++
+ /* Accept a connection and return in a forked child */
+ server_accept_loop(&sock_in, &sock_out,
+ &newsock, config_s);
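Review bot: In the configure.ac part of this patch, `--with-systemd` degrades silently when pkg-config cannot find libsystemd: the else branch only prints `AC_MSG_RESULT([no])`, HAVE_SYSTEMD stays undefined, sshd never sends READY=1, and the unit file in this same commit uses `Type=notify`, so the service would sit in "activating" until the start timeout kills it. Since the mk file passes `--with-systemd` only when the systemd package is selected, the check should fail hard: add `AC_MSG_ERROR([--with-systemd requested but libsystemd not found])` after the `AC_MSG_RESULT([no])`. In sshd.c, `sd_notify(0, "READY=1")` keeps NOTIFY_SOCKET in the environment; passing 1 as the first argument unsets it so the per-connection children sshd forks do not inherit it (harmless under the default NotifyAccess=main, but tidier). The patch header carries Debian's metadata but no Signed-off-by from the submitter, which Buildroot expects on every patch file added to a package. The enclosing sshd main() continues outside the hunk.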
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 55b917e20a..d425db1428 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
LD="$(TARGET_CC)" \
LDFLAGS="$(TARGET_CFLAGS)" \
LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
+OPENSSH_AUTORECONF = YES
OPENSSH_CONF_OPTS = \
--sysconfdir=/etc/ssh \
--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
@@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
--disable-wtmpx \
--disable-strip
+ifeq ($(BR2_PACKAGE_SYSTEMD),y)
+OPENSSH_DEPENDENCIES = systemd
+
+OPENSSH_CONF_OPTS += \
+ --with-privsep-path=/run/sshd \
+ --with-pid-dir=/run \
+ --with-systemd
+
+else
+
define OPENSSH_PERMISSIONS
/var/empty d 755 root root - - - - -
endef
+endif
ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
OPENSSH_CONF_OPTS += --without-pie
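Review bot: `OPENSSH_DEPENDENCIES = systemd` is a plain assignment; if the variable is already set earlier in openssh.mk (the `--libs openssl` context in the first hunk suggests openssl is a build dependency, and patch 1/4 of this series adds libaudit), this line replaces the whole list instead of extending it, so `OPENSSH_DEPENDENCIES += systemd` is the safe form. The `/run/sshd` privsep path chosen here is consistent with `RuntimeDirectory=sshd` in the sshd.service hunk, and a one-line comment above the `ifeq` saying that the directory is created by the unit rather than by OPENSSH_PERMISSIONS would make that coupling visible to the next maintainer. Blank lines of this hunk appear to have been dropped by the archive rendering, so the exact hunk extent is inferred.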
@@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
endef
else
define OPENSSH_USERS
- sshd -1 sshd -1 * /var/empty - - SSH drop priv user
+ sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
endef
endif
diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf
index ac77aec065..303d0dbb63 100644
--- a/package/openssh/sshd-sysusers.conf
+++ b/package/openssh/sshd-sysusers.conf
@@ -1 +1 @@
-u sshd - "SSH drop priv user" /var/empty
+u sshd - "SSH drop priv user" /run/sshd
diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
index b5e96b3a25..715bd3f7eb 100644
--- a/package/openssh/sshd.service
+++ b/package/openssh/sshd.service
@@ -1,11 +1,20 @@
[Unit]
Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target auditd.service
[Service]
ExecStartPre=/usr/bin/ssh-keygen -A
-ExecStart=/usr/sbin/sshd -D -e
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=/usr/sbin/sshd -D
+ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory=sshd
+RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
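Review bot: The ExecStart change also drops the `-e` flag, which the commit message does not mention; without `-e` sshd logs through syslog(3) instead of stderr, so its messages reach the journal only via journald's syslog socket rather than directly, and if that is intended it deserves a sentence in the description. `RuntimeDirectoryMode=0755` is load-bearing: sshd refuses to start when the privilege-separation directory is group- or world-writable or not root-owned, so a comment above it such as `# /run/sshd is the privsep chroot; sshd requires it root-owned and not writable by others` would stop someone from relaxing it later. Likewise `KillMode=process` means `systemctl stop sshd` leaves established sessions running, which is worth a comment so it is not "fixed" as a bug. `RestartPreventExitStatus=255` pairs correctly with the new `ExecStartPre=/usr/sbin/sshd -t`, since a config error fails the pre-check with that status before the daemon is restarted.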
--
2.26.2