* [Buildroot] [PATCH 1/4] package/openssh: Depend on libaudit if available
@ 2020-06-05 22:59 Norbert Lange
From: Norbert Lange @ 2020-06-05 22:59 UTC (permalink / raw)
To: buildroot
Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
package/openssh/openssh.mk | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 515eec2c03..55b917e20a 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -39,6 +39,11 @@ else
OPENSSH_CONF_OPTS += --without-ssl-engine
endif
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+OPENSSH_DEPENDENCIES += audit
+OPENSSH_CONF_OPTS += --with-audit=linux
+endif
+
ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
define OPENSSH_INSTALL_PAM_CONF
$(INSTALL) -D -m 644 $(@D)/contrib/sshd.pam.generic $(TARGET_DIR)/etc/pam.d/sshd
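Review bot: the new `ifeq ($(BR2_PACKAGE_AUDIT),y)` block keys audit support on the audit package being selected anywhere in the configuration, with no comment above it and no body in the commit message (which carries only the Signed-off-by), so a later reader of openssh.mk cannot tell whether linking sshd against libaudit and passing `--with-audit=linux` is intentional or incidental; add a one-line comment above the `ifeq` and a commit message body stating that Linux audit support is enabled automatically whenever BR2_PACKAGE_AUDIT is set.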
--
2.26.2
^ permalink raw reply related [flat|nested] 22+ messages in thread* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd 2020-06-05 22:59 [Buildroot] [PATCH 1/4] package/openssh: Depend on libaudit if available Norbert Lange @ 2020-06-05 22:59 ` Norbert Lange 2020-06-06 20:31 ` Thomas Petazzoni 2020-06-07 10:54 ` Jérémy ROSEN 2020-06-05 22:59 ` [Buildroot] [PATCH 3/4] package/openssh: seperate sd service for host key generation Norbert Lange ` (2 subsequent siblings) 3 siblings, 2 replies; 22+ messages in thread From: Norbert Lange @ 2020-06-05 22:59 UTC (permalink / raw) To: buildroot the openssh daemon is not suited for systemd's simple service type. dependend services should only start when sshd is ready to accept connections. A patch is added from debian to allow openssh to communicate this state. Restarts are prevented if the reason is a faulty config file (errocode 255). The "user confinement directory" is changed to '/run/sshd' which is automatically managed by systemd. Signed-off-by: Norbert Lange <nolange79@gmail.com> --- package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++ package/openssh/openssh.mk | 14 +++- package/openssh/sshd-sysusers.conf | 2 +- package/openssh/sshd.service | 13 +++- 4 files changed, 109 insertions(+), 4 deletions(-) create mode 100644 package/openssh/00-systemd-readiness.patch diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch new file mode 100644 index 0000000000..be3b6b0074 --- /dev/null +++ b/package/openssh/00-systemd-readiness.patch 
@@ -0,0 +1,84 @@ +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 +From: Michael Biebl <biebl@debian.org> +Date: Mon, 21 Dec 2015 16:08:47 +0000 +Subject: Add systemd readiness notification support + +Bug-Debian: https://bugs.debian.org/778913 +Forwarded: no +Last-Update: 2017-08-22 + +Patch-Name: systemd-readiness.patch +--- + configure.ac | 24 ++++++++++++++++++++++++ + sshd.c | 9 +++++++++ + 2 files changed, 33 insertions(+) + +diff --git a/configure.ac b/configure.ac +index e894db9fc..c119d6fd1 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], + AC_SUBST([GSSLIBS]) + AC_SUBST([K5LIBS]) + ++# Check whether user wants systemd support ++SYSTEMD_MSG="no" ++AC_ARG_WITH(systemd, ++ [ --with-systemd Enable systemd support], ++ [ if test "x$withval" != "xno" ; then ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) ++ if test "$PKGCONFIG" != "no"; then ++ AC_MSG_CHECKING([for libsystemd]) ++ if $PKGCONFIG --exists libsystemd; then ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) ++ SYSTEMD_MSG="yes" ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ fi ++ fi ] ++) ++ + # Looking for programs, paths and files + + PRIVSEP_PATH=/var/empty +@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG" + echo " Solaris process contract support: $SPC_MSG" + echo " Solaris project support: $SP_MSG" + echo " Solaris privilege support: $SPP_MSG" ++echo " systemd support: $SYSTEMD_MSG" + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" + echo " BSD Auth support: $BSD_AUTH_MSG" +diff --git a/sshd.c b/sshd.c +index 4e8ff0662..5e7679a33 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -85,6 +85,10 @@ + #include <prot.h> + #endif + ++#ifdef HAVE_SYSTEMD ++#include 
<systemd/sd-daemon.h> ++#endif ++ + #include "xmalloc.h" + #include "ssh.h" + #include "ssh2.h" +@@ -1951,6 +1955,11 @@ main(int ac, char **av) + } + } + ++#ifdef HAVE_SYSTEMD ++ /* Signal systemd that we are ready to accept connections */ ++ sd_notify(0, "READY=1"); ++#endif ++ + /* Accept a connection and return in a forked child */ + server_accept_loop(&sock_in, &sock_out, + &newsock, config_s); diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk index 55b917e20a..d425db1428 100644 --- a/package/openssh/openssh.mk +++ b/package/openssh/openssh.mk @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \ LD="$(TARGET_CC)" \ LDFLAGS="$(TARGET_CFLAGS)" \ LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` +OPENSSH_AUTORECONF = YES OPENSSH_CONF_OPTS = \ --sysconfdir=/etc/ssh \ --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \ @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \ --disable-wtmpx \ --disable-strip +ifeq ($(BR2_PACKAGE_SYSTEMD),y) +OPENSSH_DEPENDENCIES = systemd + +OPENSSH_CONF_OPTS += \ + --with-privsep-path=/run/sshd \ + --with-pid-dir=/run \ + --with-systemd + +else + define OPENSSH_PERMISSIONS /var/empty d 755 root root - - - - - endef +endif ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),) OPENSSH_CONF_OPTS += --without-pie @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS endef else define OPENSSH_USERS - sshd -1 sshd -1 * /var/empty - - SSH drop priv user + sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user endef endif diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf index ac77aec065..303d0dbb63 100644 --- a/package/openssh/sshd-sysusers.conf +++ b/package/openssh/sshd-sysusers.conf @@ -1 +1 @@ -u sshd - "SSH drop priv user" /var/empty +u sshd - "SSH drop priv user" /run/sshd diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service index b5e96b3a25..715bd3f7eb 100644 --- a/package/openssh/sshd.service +++ b/package/openssh/sshd.service 
@@ -1,11 +1,20 @@ [Unit] Description=OpenSSH server daemon -After=syslog.target network.target auditd.service +Documentation=man:sshd(8) man:sshd_config(5) +After=network.target auditd.service [Service] ExecStartPre=/usr/bin/ssh-keygen -A -ExecStart=/usr/sbin/sshd -D -e +ExecStartPre=/usr/sbin/sshd -t +ExecStart=/usr/sbin/sshd -D +ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=on-failure +RestartPreventExitStatus=255 +Type=notify +RuntimeDirectory=sshd +RuntimeDirectoryMode=0755 [Install] WantedBy=multi-user.target -- 2.26.2 ^ permalink raw reply related [flat|nested] 22+ messages in thread
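Review bot: in 00-systemd-readiness.patch the configure.ac hunk degrades silently when `--with-systemd` is given but pkg-config cannot find libsystemd (the `else` branch only does `AC_MSG_RESULT([no])`), while the new sshd.service uses `Type=notify`; a build where that check fails produces an sshd that never sends `READY=1`, and systemd then keeps the unit in "activating" until the start timeout expires and kills it. Since openssh.mk now adds `systemd` to OPENSSH_DEPENDENCIES whenever `--with-systemd` is passed, a missing library is a build bug rather than an option, so the `AC_MSG_RESULT([no])` branch should become `AC_MSG_ERROR([libsystemd not found])`.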
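Review bot: `OPENSSH_DEPENDENCIES = systemd` in the `@@ -22,9 +23,20 @@` openssh.mk hunk uses plain assignment, which discards anything assigned to OPENSSH_DEPENDENCIES earlier in the file, whereas the audit block added by patch 1/4 uses `OPENSSH_DEPENDENCIES += audit`; use `+=` here as well so the two conditional blocks compose regardless of their order in the file.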
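Review bot: `KillMode=process` in the sshd.service hunk means that `systemctl stop sshd` (and the stop implied by a restart) signals only the listening daemon, and every per-session sshd child and the logins behind them stay alive in the unit's cgroup; keeping sessions across upgrades is a defensible reason for this, but it also means an operator who stops the service expecting remote access to end has not achieved that. Neither the unit file nor the commit message says so; add a comment next to `KillMode=process` stating that existing sessions survive a stop, so the behaviour is a documented decision rather than a surprise.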
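The commit message above explains why `Type=notify` is used: dependent units must only start once sshd actually accepts connections, and the daemon tells systemd so with `sd_notify(0, "READY=1")`. The following is an added example, not code from the Buildroot patch or from OpenSSH: it re-implements the readiness protocol itself (a datagram on the AF_UNIX socket named by `NOTIFY_SOCKET`) on the service side, and a tiny stand-in for the manager side, so both halves can be run without systemd. It assumes a Linux/POSIX system with a writable `/tmp`; the function names, the socket path and the `STATUS=` text are constructed for the example. The silent case shows what happens when a `--with-systemd` build quietly lacks libsystemd: the manager waits and times out, which is the "stuck in activating" failure a `Type=notify` unit then shows.

```c
/* Added example (not part of the Buildroot patch or OpenSSH): the sd_notify
 * readiness protocol, service side and a stand-in manager side.
 * Assumes Linux/POSIX AF_UNIX datagram sockets and a writable /tmp. */
#define _GNU_SOURCE
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Service side: what sd_notify(0, "READY=1") does. Returns 1 if the datagram
 * was sent, 0 if NOTIFY_SOCKET is unset (not started by a notify-aware
 * manager, so the call is a harmless no-op), -1 on error. */
static int notify_manager(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0')
        return 0;

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    size_t plen = strlen(path);
    if (plen >= sizeof addr.sun_path)
        return -1;
    memcpy(addr.sun_path, path, plen);
    socklen_t alen = offsetof(struct sockaddr_un, sun_path) + plen + 1;
    if (addr.sun_path[0] == '@') {          /* abstract socket, as systemd allows */
        addr.sun_path[0] = '\0';
        alen = offsetof(struct sockaddr_un, sun_path) + plen;
    }

    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    ssize_t n = sendto(fd, state, strlen(state), 0, (struct sockaddr *)&addr, alen);
    close(fd);
    return n == (ssize_t)strlen(state) ? 1 : -1;
}

/* Manager side: bind a datagram socket at `path` and hand it to the service
 * through NOTIFY_SOCKET, the way systemd does at ExecStart. */
static int manager_listen(const char *path)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof addr.sun_path)
        return -1;
    strcpy(addr.sun_path, path);
    unlink(path);
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(fd);
        return -1;
    }
    setenv("NOTIFY_SOCKET", path, 1);
    return fd;
}

/* Manager side: wait up to timeout_ms for a notification carrying READY=1.
 * Returns 1 when ready, 0 on timeout (the daemon never notified), -1 on error. */
static int manager_wait_ready(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r = poll(&p, 1, timeout_ms);
    if (r <= 0)
        return r;
    char buf[256];
    ssize_t n = recv(fd, buf, sizeof buf - 1, 0);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    /* The state is newline-separated KEY=VALUE pairs; only READY=1 counts. */
    for (char *line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n"))
        if (strcmp(line, "READY=1") == 0)
            return 1;
    return 0;
}

/* Whole exchange in one call: 1 when the manager saw READY=1, 0 when the
 * service stayed silent and the wait timed out. */
int demo_roundtrip(int service_notifies)
{
    char dir[] = "/tmp/notify-demo-XXXXXX";      /* constructed temp location */
    if (mkdtemp(dir) == NULL)
        return -1;
    char path[sizeof dir + 8];
    snprintf(path, sizeof path, "%s/notify", dir);
    int fd = manager_listen(path);
    if (fd < 0)
        return -1;
    if (service_notifies)
        notify_manager("READY=1\nSTATUS=Accepting connections");
    int ready = manager_wait_ready(fd, 200);
    close(fd);
    unlink(path);
    rmdir(dir);
    unsetenv("NOTIFY_SOCKET");
    return ready;
}

int main(void)
{
    printf("daemon sends READY=1: %d\n", demo_roundtrip(1));
    printf("daemon never notifies: %d\n", demo_roundtrip(0));
    return 0;
}
```

Only `READY=1` flips the unit to "active"; a daemon that is started with `Type=notify` and never sends it is indistinguishable, from the manager's side, from one that is still initialising, which is why the build-time check for libsystemd deserves to fail loudly.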
* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
From: Thomas Petazzoni @ 2020-06-06 20:31 UTC (permalink / raw)
To: buildroot

On Sat, 6 Jun 2020 00:59:02 +0200
Norbert Lange <nolange79@gmail.com> wrote:

> the openssh daemon is not suited for systemd's simple
> service type. dependend services should only start
> when sshd is ready to accept connections.
>
> A patch is added from debian to allow openssh
> to communicate this state.
>
> Restarts are prevented if the reason is a faulty
> config file (errocode 255).
>
> The "user confinement directory" is changed to
> '/run/sshd' which is automatically managed by systemd.
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
> package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
> package/openssh/openssh.mk | 14 +++-
> package/openssh/sshd-sysusers.conf | 2 +-
> package/openssh/sshd.service | 13 +++-
> 4 files changed, 109 insertions(+), 4 deletions(-)
> create mode 100644 package/openssh/00-systemd-readiness.patch

On this patch, as well as patches 3/4 and 4/4 in this series, I would
really appreciate some review from people more knowledgeable than I am
in systemd. Matt? Jérémy?

Best regards,

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd 2020-06-05 22:59 ` [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd Norbert Lange 2020-06-06 20:31 ` Thomas Petazzoni @ 2020-06-07 10:54 ` Jérémy ROSEN 2020-06-07 19:03 ` Norbert Lange 1 sibling, 1 reply; 22+ messages in thread From: Jérémy ROSEN @ 2020-06-07 10:54 UTC (permalink / raw) To: buildroot Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit : > the openssh daemon is not suited for systemd's simple > service type. dependend services should only start > when sshd is ready to accept connections. > > A patch is added from debian to allow openssh > to communicate this state. > > Restarts are prevented if the reason is a faulty > config file (errocode 255). > > The "user confinement directory" is changed to > '/run/sshd' which is automatically managed by systemd. > > Signed-off-by: Norbert Lange <nolange79@gmail.com> > --- > package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++ > package/openssh/openssh.mk | 14 +++- > package/openssh/sshd-sysusers.conf | 2 +- > package/openssh/sshd.service | 13 +++- > 4 files changed, 109 insertions(+), 4 deletions(-) > create mode 100644 package/openssh/00-systemd-readiness.patch > > diff --git a/package/openssh/00-systemd-readiness.patch > b/package/openssh/00-systemd-readiness.patch > new file mode 100644 > index 0000000000..be3b6b0074 > --- /dev/null > +++ b/package/openssh/00-systemd-readiness.patch 
> @@ -0,0 +1,84 @@ > +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 > +From: Michael Biebl <biebl@debian.org> > +Date: Mon, 21 Dec 2015 16:08:47 +0000 > +Subject: Add systemd readiness notification support > + > +Bug-Debian: https://bugs.debian.org/778913 > +Forwarded: no > +Last-Update: 2017-08-22 > + > +Patch-Name: systemd-readiness.patch > +--- > + configure.ac | 24 ++++++++++++++++++++++++ > + sshd.c | 9 +++++++++ > + 2 files changed, 33 insertions(+) > + > +diff --git a/configure.ac b/configure.ac > +index e894db9fc..c119d6fd1 100644 > +--- a/configure.ac > ++++ b/configure.ac > +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], > + AC_SUBST([GSSLIBS]) > + AC_SUBST([K5LIBS]) > + > ++# Check whether user wants systemd support > ++SYSTEMD_MSG="no" > ++AC_ARG_WITH(systemd, > ++ [ --with-systemd Enable systemd support], > ++ [ if test "x$withval" != "xno" ; then > ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > ++ if test "$PKGCONFIG" != "no"; then > ++ AC_MSG_CHECKING([for libsystemd]) > ++ if $PKGCONFIG --exists libsystemd; then > ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags > libsystemd` > ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` > ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > ++ AC_MSG_RESULT([yes]) > ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you > want systemd support.]) > ++ SYSTEMD_MSG="yes" > ++ else > ++ AC_MSG_RESULT([no]) > ++ fi > ++ fi > ++ fi ] > ++) > ++ > + # Looking for programs, paths and files > + > + PRIVSEP_PATH=/var/empty > +@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG" > + echo " Solaris process contract support: $SPC_MSG" > + echo " Solaris project support: $SP_MSG" > + echo " Solaris privilege support: $SPP_MSG" > ++echo " systemd support: $SYSTEMD_MSG" > + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > + echo " BSD Auth support: $BSD_AUTH_MSG" > +diff --git a/sshd.c b/sshd.c > +index 
4e8ff0662..5e7679a33 100644 > +--- a/sshd.c > ++++ b/sshd.c > +@@ -85,6 +85,10 @@ > + #include <prot.h> > + #endif > + > ++#ifdef HAVE_SYSTEMD > ++#include <systemd/sd-daemon.h> > ++#endif > ++ > + #include "xmalloc.h" > + #include "ssh.h" > + #include "ssh2.h" > +@@ -1951,6 +1955,11 @@ main(int ac, char **av) > + } > + } > + > ++#ifdef HAVE_SYSTEMD > ++ /* Signal systemd that we are ready to accept connections > */ > ++ sd_notify(0, "READY=1"); > ++#endif > ++ > + /* Accept a connection and return in a forked child */ > + server_accept_loop(&sock_in, &sock_out, > + &newsock, config_s); > diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk > index 55b917e20a..d425db1428 100644 > --- a/package/openssh/openssh.mk > +++ b/package/openssh/openssh.mk > @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \ > LD="$(TARGET_CC)" \ > LDFLAGS="$(TARGET_CFLAGS)" \ > LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` > +OPENSSH_AUTORECONF = YES > OPENSSH_CONF_OPTS = \ > --sysconfdir=/etc/ssh \ > --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \ > @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \ > --disable-wtmpx \ > --disable-strip > > +ifeq ($(BR2_PACKAGE_SYSTEMD),y) > +OPENSSH_DEPENDENCIES = systemd > + > +OPENSSH_CONF_OPTS += \ > + --with-privsep-path=/run/sshd \ > + --with-pid-dir=/run \ > + --with-systemd > + > +else > + > define OPENSSH_PERMISSIONS > /var/empty d 755 root root - - - - - > endef > Do we still need this when using systemd, or can it be commented out ? > +endif > > ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),) > OPENSSH_CONF_OPTS += --without-pie > @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS > endef > else > define OPENSSH_USERS > - sshd -1 sshd -1 * /var/empty - - SSH drop priv user > + sshd -1 sshd -1 * $(if > $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user > endef > endif > > diff --git a/package/openssh/sshd-sysusers.conf > b/package/openssh/sshd-sysusers.conf > index ac77aec065..303d0dbb63 100644 
> --- a/package/openssh/sshd-sysusers.conf > +++ b/package/openssh/sshd-sysusers.conf > @@ -1 +1 @@ > -u sshd - "SSH drop priv user" /var/empty > +u sshd - "SSH drop priv user" /run/sshd > diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service > index b5e96b3a25..715bd3f7eb 100644 > --- a/package/openssh/sshd.service > +++ b/package/openssh/sshd.service 
> @@ -1,11 +1,20 @@ > [Unit] > Description=OpenSSH server daemon > -After=syslog.target network.target auditd.service > +Documentation=man:sshd(8) man:sshd_config(5) > +After=network.target auditd.service > [Service] > ExecStartPre=/usr/bin/ssh-keygen -A > -ExecStart=/usr/sbin/sshd -D -e > +ExecStartPre=/usr/sbin/sshd -t > +ExecStart=/usr/sbin/sshd -D > You droped the -e, so you are logging to syslog However you droped the dependency on syslog.target earlier... (maybe it should be syslog.socket instead of .target, btw) how exactly do you want to log ? (I think logging to stdout is better, it will be redirected to the journal. > +ExecReload=/usr/sbin/sshd -t > ExecReload=/bin/kill -HUP $MAINPID > +KillMode=process > Wouldn't mixed be better here ? I'm not really sure what the use-case for procss is anyway... > +Restart=on-failure > +RestartPreventExitStatus=255 > +Type=notify > +RuntimeDirectory=sshd > +RuntimeDirectoryMode=0755 > > [Install] > WantedBy=multi-user.target > -- > 2.26.2 > > _______________________________________________ > buildroot mailing list > buildroot at busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot > -- [image: SMILE] <http://www.smile.eu/> 20 rue des Jardins 92600 Asni?res-sur-Seine *J?r?my ROSEN* Architecte technique [image: email] jeremy.rosen at smile.fr [image: phone] +33 6 88 25 87 42 [image: url] http://www.smile.eu [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook] <https://www.facebook.com/smileopensource> [image: LinkedIn] <https://www.linkedin.com/company/smile> [image: Github] <https://github.com/Smile-SA> [image: D?couvrez l?univers Smile, rendez-vous sur smile.eu] <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature> -------------- next part -------------- An HTML attachment was scrubbed... 
* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd 2020-06-07 10:54 ` Jérémy ROSEN @ 2020-06-07 19:03 ` Norbert Lange 2020-06-07 19:16 ` Jérémy ROSEN 0 siblings, 1 reply; 22+ messages in thread From: Norbert Lange @ 2020-06-07 19:03 UTC (permalink / raw) To: buildroot Am So., 7. Juni 2020 um 12:54 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>: > > > > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit : >> >> the openssh daemon is not suited for systemd's simple >> service type. dependend services should only start >> when sshd is ready to accept connections. >> >> A patch is added from debian to allow openssh >> to communicate this state. >> >> Restarts are prevented if the reason is a faulty >> config file (errocode 255). >> >> The "user confinement directory" is changed to >> '/run/sshd' which is automatically managed by systemd. >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com> >> --- >> package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++ >> package/openssh/openssh.mk | 14 +++- >> package/openssh/sshd-sysusers.conf | 2 +- >> package/openssh/sshd.service | 13 +++- >> 4 files changed, 109 insertions(+), 4 deletions(-) >> create mode 100644 package/openssh/00-systemd-readiness.patch >> >> diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch >> new file mode 100644 >> index 0000000000..be3b6b0074 >> --- /dev/null >> +++ b/package/openssh/00-systemd-readiness.patch 
>> @@ -0,0 +1,84 @@ >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 >> +From: Michael Biebl <biebl@debian.org> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000 >> +Subject: Add systemd readiness notification support >> + >> +Bug-Debian: https://bugs.debian.org/778913 >> +Forwarded: no >> +Last-Update: 2017-08-22 >> + >> +Patch-Name: systemd-readiness.patch >> +--- >> + configure.ac | 24 ++++++++++++++++++++++++ >> + sshd.c | 9 +++++++++ >> + 2 files changed, 33 insertions(+) >> + >> +diff --git a/configure.ac b/configure.ac >> +index e894db9fc..c119d6fd1 100644 >> +--- a/configure.ac >> ++++ b/configure.ac >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], >> + AC_SUBST([GSSLIBS]) >> + AC_SUBST([K5LIBS]) >> + >> ++# Check whether user wants systemd support >> ++SYSTEMD_MSG="no" >> ++AC_ARG_WITH(systemd, >> ++ [ --with-systemd Enable systemd support], >> ++ [ if test "x$withval" != "xno" ; then >> ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) >> ++ if test "$PKGCONFIG" != "no"; then >> ++ AC_MSG_CHECKING([for libsystemd]) >> ++ if $PKGCONFIG --exists libsystemd; then >> ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` >> ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` >> ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" >> ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" >> ++ AC_MSG_RESULT([yes]) >> ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) >> ++ SYSTEMD_MSG="yes" >> ++ else >> ++ AC_MSG_RESULT([no]) >> ++ fi >> ++ fi >> ++ fi ] >> ++) >> ++ >> + # Looking for programs, paths and files >> + >> + PRIVSEP_PATH=/var/empty >> +@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG" >> + echo " Solaris process contract support: $SPC_MSG" >> + echo " Solaris project support: $SP_MSG" >> + echo " Solaris privilege support: $SPP_MSG" >> ++echo " systemd support: $SYSTEMD_MSG" >> + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" >> + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" >> + echo " BSD Auth support: $BSD_AUTH_MSG" >> 
+diff --git a/sshd.c b/sshd.c >> +index 4e8ff0662..5e7679a33 100644 >> +--- a/sshd.c >> ++++ b/sshd.c >> +@@ -85,6 +85,10 @@ >> + #include <prot.h> >> + #endif >> + >> ++#ifdef HAVE_SYSTEMD >> ++#include <systemd/sd-daemon.h> >> ++#endif >> ++ >> + #include "xmalloc.h" >> + #include "ssh.h" >> + #include "ssh2.h" >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av) >> + } >> + } >> + >> ++#ifdef HAVE_SYSTEMD >> ++ /* Signal systemd that we are ready to accept connections */ >> ++ sd_notify(0, "READY=1"); >> ++#endif >> ++ >> + /* Accept a connection and return in a forked child */ >> + server_accept_loop(&sock_in, &sock_out, >> + &newsock, config_s); >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk >> index 55b917e20a..d425db1428 100644 >> --- a/package/openssh/openssh.mk >> +++ b/package/openssh/openssh.mk >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \ >> LD="$(TARGET_CC)" \ >> LDFLAGS="$(TARGET_CFLAGS)" \ >> LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` >> +OPENSSH_AUTORECONF = YES >> OPENSSH_CONF_OPTS = \ >> --sysconfdir=/etc/ssh \ >> --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \ >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \ >> --disable-wtmpx \ >> --disable-strip >> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y) >> +OPENSSH_DEPENDENCIES = systemd >> + >> +OPENSSH_CONF_OPTS += \ >> + --with-privsep-path=/run/sshd \ >> + --with-pid-dir=/run \ >> + --with-systemd >> + >> +else >> + >> define OPENSSH_PERMISSIONS >> /var/empty d 755 root root - - - - - >> endef > > > Do we still need this when using systemd, or can it be commented out ? Not sure what you mean with "this"? The OPENSSH_PERMISSIONS block is needed when not using systemd and it is only active then. > > >> >> +endif >> >> ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),) >> OPENSSH_CONF_OPTS += --without-pie 
>> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS >> endef >> else >> define OPENSSH_USERS >> - sshd -1 sshd -1 * /var/empty - - SSH drop priv user >> + sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user >> endef >> endif >> >> diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf >> index ac77aec065..303d0dbb63 100644 >> --- a/package/openssh/sshd-sysusers.conf >> +++ b/package/openssh/sshd-sysusers.conf >> @@ -1 +1 @@ >> -u sshd - "SSH drop priv user" /var/empty >> +u sshd - "SSH drop priv user" /run/sshd >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service >> index b5e96b3a25..715bd3f7eb 100644 >> --- a/package/openssh/sshd.service >> +++ b/package/openssh/sshd.service 
>> @@ -1,11 +1,20 @@ >> [Unit] >> Description=OpenSSH server daemon >> -After=syslog.target network.target auditd.service >> +Documentation=man:sshd(8) man:sshd_config(5) >> +After=network.target auditd.service >> >> >> [Service] >> ExecStartPre=/usr/bin/ssh-keygen -A >> -ExecStart=/usr/sbin/sshd -D -e >> +ExecStartPre=/usr/sbin/sshd -t >> +ExecStart=/usr/sbin/sshd -D > > You droped the -e, so you are logging to syslog > However you droped the dependency on syslog.target earlier... > (maybe it should be syslog.socket instead of .target, btw) syslog.target is long long gone, and the syslog will be unconditionally available https://www.freedesktop.org/wiki/Software/systemd/syslog/ > > > how exactly do you want to log ? (I think logging to stdout is better, it will be > redirected to the journal. stdout is not really useful if syslog is supported. > > >> >> +ExecReload=/usr/sbin/sshd -t >> ExecReload=/bin/kill -HUP $MAINPID >> +KillMode=process > > > Wouldn't mixed be better here ? > I'm not really sure what the use-case for procss is anyway... I taken that from debian, I could not argue against it (there is a long discussion which I linked above). Can you argue *for* mixed? > > >> >> +Restart=on-failure >> +RestartPreventExitStatus=255 >> +Type=notify >> +RuntimeDirectory=sshd >> +RuntimeDirectoryMode=0755 >> >> [Install] >> WantedBy=multi-user.target >> -- >> 2.26.2 >> >> _______________________________________________ >> buildroot mailing list >> buildroot at busybox.net >> http://lists.busybox.net/mailman/listinfo/buildroot > > > > -- > > > 20 rue des Jardins > 92600 Asni?res-sur-Seine > > J?r?my ROSEN > Architecte technique > > jeremy.rosen at smile.fr > +33 6 88 25 87 42 > http://www.smile.eu > > > Regards, Norbert ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd 2020-06-07 19:03 ` Norbert Lange @ 2020-06-07 19:16 ` Jérémy ROSEN 2020-06-07 19:24 ` Norbert Lange 0 siblings, 1 reply; 22+ messages in thread From: Jérémy ROSEN @ 2020-06-07 19:16 UTC (permalink / raw) To: buildroot Le dim. 7 juin 2020 ? 21:03, Norbert Lange <nolange79@gmail.com> a ?crit : > Am So., 7. Juni 2020 um 12:54 Uhr schrieb J?r?my ROSEN < > jeremy.rosen at smile.fr>: > > > > > > > > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a > ?crit : > >> > >> the openssh daemon is not suited for systemd's simple > >> service type. dependend services should only start > >> when sshd is ready to accept connections. > >> > >> A patch is added from debian to allow openssh > >> to communicate this state. > >> > >> Restarts are prevented if the reason is a faulty > >> config file (errocode 255). > >> > >> The "user confinement directory" is changed to > >> '/run/sshd' which is automatically managed by systemd. > >> > >> Signed-off-by: Norbert Lange <nolange79@gmail.com> > >> --- > >> package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++ > >> package/openssh/openssh.mk | 14 +++- > >> package/openssh/sshd-sysusers.conf | 2 +- > >> package/openssh/sshd.service | 13 +++- > >> 4 files changed, 109 insertions(+), 4 deletions(-) > >> create mode 100644 package/openssh/00-systemd-readiness.patch > >> > >> diff --git a/package/openssh/00-systemd-readiness.patch > b/package/openssh/00-systemd-readiness.patch > >> new file mode 100644 > >> index 0000000000..be3b6b0074 > >> --- /dev/null > >> +++ b/package/openssh/00-systemd-readiness.patch 
> >> @@ -0,0 +1,84 @@ > >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 > >> +From: Michael Biebl <biebl@debian.org> > >> +Date: Mon, 21 Dec 2015 16:08:47 +0000 > >> +Subject: Add systemd readiness notification support > >> + > >> +Bug-Debian: https://bugs.debian.org/778913 > >> +Forwarded: no > >> +Last-Update: 2017-08-22 > >> + > >> +Patch-Name: systemd-readiness.patch > >> +--- > >> + configure.ac | 24 ++++++++++++++++++++++++ > >> + sshd.c | 9 +++++++++ > >> + 2 files changed, 33 insertions(+) > >> + > >> +diff --git a/configure.ac b/configure.ac > >> +index e894db9fc..c119d6fd1 100644 > >> +--- a/configure.ac > >> ++++ b/configure.ac > >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], > >> + AC_SUBST([GSSLIBS]) > >> + AC_SUBST([K5LIBS]) > >> + > >> ++# Check whether user wants systemd support > >> ++SYSTEMD_MSG="no" > >> ++AC_ARG_WITH(systemd, > >> ++ [ --with-systemd Enable systemd support], > >> ++ [ if test "x$withval" != "xno" ; then > >> ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > >> ++ if test "$PKGCONFIG" != "no"; then > >> ++ AC_MSG_CHECKING([for libsystemd]) > >> ++ if $PKGCONFIG --exists libsystemd; then > >> ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags > libsystemd` > >> ++ SYSTEMD_LIBS=`$PKGCONFIG --libs > libsystemd` > >> ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > >> ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > >> ++ AC_MSG_RESULT([yes]) > >> ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if > you want systemd support.]) > >> ++ SYSTEMD_MSG="yes" > >> ++ else > >> ++ AC_MSG_RESULT([no]) > >> ++ fi > >> ++ fi > >> ++ fi ] > >> ++) > >> ++ > >> + # Looking for programs, paths and files > >> + > >> + PRIVSEP_PATH=/var/empty > >> +@@ -5305,6 +5328,7 @@ echo " libldns support: > $LDNS_MSG" > >> + echo " Solaris process contract support: $SPC_MSG" > >> + echo " Solaris project support: $SP_MSG" > >> + echo " Solaris privilege support: $SPP_MSG" > >> ++echo " systemd support: $SYSTEMD_MSG" > >> + echo " IP address in \$DISPLAY hack: 
$DISPLAY_HACK_MSG" > >> + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > >> + echo " BSD Auth support: $BSD_AUTH_MSG" > >> +diff --git a/sshd.c b/sshd.c > >> +index 4e8ff0662..5e7679a33 100644 > >> +--- a/sshd.c > >> ++++ b/sshd.c > >> +@@ -85,6 +85,10 @@ > >> + #include <prot.h> > >> + #endif > >> + > >> ++#ifdef HAVE_SYSTEMD > >> ++#include <systemd/sd-daemon.h> > >> ++#endif > >> ++ > >> + #include "xmalloc.h" > >> + #include "ssh.h" > >> + #include "ssh2.h" > >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av) > >> + } > >> + } > >> + > >> ++#ifdef HAVE_SYSTEMD > >> ++ /* Signal systemd that we are ready to accept > connections */ > >> ++ sd_notify(0, "READY=1"); > >> ++#endif > >> ++ > >> + /* Accept a connection and return in a forked child */ > >> + server_accept_loop(&sock_in, &sock_out, > >> + &newsock, config_s); > >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk > >> index 55b917e20a..d425db1428 100644 > >> --- a/package/openssh/openssh.mk > >> +++ b/package/openssh/openssh.mk > >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \ > >> LD="$(TARGET_CC)" \ > >> LDFLAGS="$(TARGET_CFLAGS)" \ > >> LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` > >> +OPENSSH_AUTORECONF = YES > >> OPENSSH_CONF_OPTS = \ > >> --sysconfdir=/etc/ssh \ > >> --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \ 
> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \ > >> --disable-wtmpx \ > >> --disable-strip > >> > >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y) > >> +OPENSSH_DEPENDENCIES = systemd > >> + > >> +OPENSSH_CONF_OPTS += \ > >> + --with-privsep-path=/run/sshd \ > >> + --with-pid-dir=/run \ > >> + --with-systemd > >> + > >> +else > >> + > >> define OPENSSH_PERMISSIONS > >> /var/empty d 755 root root - - - - - > >> endef > > > > > > Do we still need this when using systemd, or can it be commented out ? > > Not sure what you mean with "this"? > The OPENSSH_PERMISSIONS block is needed when not using systemd and it > is only active then. > > my bad, I missed the enclosing ifeq() > > > > > >> > >> +endif > >> > >> ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),) > >> OPENSSH_CONF_OPTS += --without-pie > >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS > >> endef > >> else > >> define OPENSSH_USERS > >> - sshd -1 sshd -1 * /var/empty - - SSH drop priv user > >> + sshd -1 sshd -1 * $(if > $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user > >> endef > >> endif > >> > >> diff --git a/package/openssh/sshd-sysusers.conf > b/package/openssh/sshd-sysusers.conf > >> index ac77aec065..303d0dbb63 100644 > >> --- a/package/openssh/sshd-sysusers.conf > >> +++ b/package/openssh/sshd-sysusers.conf > >> @@ -1 +1 @@ > >> -u sshd - "SSH drop priv user" /var/empty > >> +u sshd - "SSH drop priv user" /run/sshd > >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service > >> index b5e96b3a25..715bd3f7eb 100644 > >> --- a/package/openssh/sshd.service > >> +++ b/package/openssh/sshd.service 
> >> @@ -1,11 +1,20 @@ > >> [Unit] > >> Description=OpenSSH server daemon > >> -After=syslog.target network.target auditd.service > >> +Documentation=man:sshd(8) man:sshd_config(5) > >> +After=network.target auditd.service > >> > >> > >> [Service] > >> ExecStartPre=/usr/bin/ssh-keygen -A > >> -ExecStart=/usr/sbin/sshd -D -e > >> +ExecStartPre=/usr/sbin/sshd -t > >> +ExecStart=/usr/sbin/sshd -D > > > > You droped the -e, so you are logging to syslog > > However you droped the dependency on syslog.target earlier... > > (maybe it should be syslog.socket instead of .target, btw) > > > syslog.target is long long gone, and the syslog will be > unconditionally available > https://www.freedesktop.org/wiki/Software/systemd/syslog/ > > > > > > > > how exactly do you want to log ? (I think logging to stdout is better, > it will be > > redirected to the journal. > > > stdout is not really useful if syslog is supported. > > i'd go the other way round syslog is not really necessary if stdout is available, but it's a matter of taste :P so let's go your way. > > > > > >> > >> +ExecReload=/usr/sbin/sshd -t > >> ExecReload=/bin/kill -HUP $MAINPID > >> +KillMode=process > > > > > > Wouldn't mixed be better here ? > > I'm not really sure what the use-case for procss is anyway... > > > I taken that from debian, I could not argue against it (there is a > long discussion which I linked above). > Can you argue *for* mixed? > > I didn't see any link * process : SIGTERM and SIGKILL is sent only to MainPID * mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every process in the service cgroup. This means that if all works well, they do the same thing in case the MainPID fails to properly terminate its children, process would leave children alive but mixed woul kill everybody Since we are trying to terminate the service, it makes sense to me to make sur all child process are killed. 
but I don't see your link so I may be missing something > > > > > >> > >> +Restart=on-failure > >> +RestartPreventExitStatus=255 > >> +Type=notify > >> +RuntimeDirectory=sshd > >> +RuntimeDirectoryMode=0755 > >> > >> [Install] > >> WantedBy=multi-user.target > >> -- > >> 2.26.2 > >> > >> _______________________________________________ > >> buildroot mailing list > >> buildroot at busybox.net > >> http://lists.busybox.net/mailman/listinfo/buildroot > > > > > > > > -- > > > > > > 20 rue des Jardins > > 92600 Asnières-sur-Seine > > > > Jérémy ROSEN > > Architecte technique > > > > jeremy.rosen at smile.fr > > +33 6 88 25 87 42 > > http://www.smile.eu > > > > > > > > Regards, Norbert > ^ permalink raw reply [flat|nested] 22+ messages in thread
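Review bot: `OPENSSH_DEPENDENCIES = systemd` in the new `ifeq ($(BR2_PACKAGE_SYSTEMD),y)` block of openssh.mk is a plain assignment, so any dependency the file sets before this point (the package links against openssl, as the `LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`` line in OPENSSH_CONF_ENV shows) would be silently dropped in the systemd configuration; `OPENSSH_DEPENDENCIES += systemd` is the safe form here.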
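Review bot: the OPENSSH_USERS change and the sshd-sysusers.conf hunk move the sshd user's home to /run/sshd, but nothing in these hunks creates that directory outside the unit: `RuntimeDirectory=sshd` in sshd.service only creates it when the service starts, so an sshd launched by hand on a systemd target will not find its privilege separation directory. A short comment in openssh.mk saying that /run/sshd is unit-managed (or a tmpfiles.d entry, if manual invocation should keep working) would avoid surprises.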
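Review bot: in the sshd.service hunk, `RestartPreventExitStatus=255` does more than the commit message says: sshd's fatal() path exits with 255 for any fatal error, not only a bad config, so this also suppresses the restart after, for example, a failed bind early in boot. Since `ExecStartPre=/usr/sbin/sshd -t` already rejects a broken configuration before the daemon starts, consider whether the RestartPreventExitStatus= line is still needed, or document which case it is meant to catch. The ordering `ExecReload=/usr/sbin/sshd -t` before `ExecReload=/bin/kill -HUP $MAINPID` is correct, because ExecReload= commands run sequentially and a failing `-t` aborts the reload before the running daemon re-reads a bad file. `KillMode=process` deliberately leaves established session processes alive on stop, as discussed above; a one-line comment in the unit recording that intent would save the next reviewer the same question.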
* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd 2020-06-07 19:16 ` Jérémy ROSEN @ 2020-06-07 19:24 ` Norbert Lange 2020-06-07 19:42 ` Jérémy ROSEN 0 siblings, 1 reply; 22+ messages in thread From: Norbert Lange @ 2020-06-07 19:24 UTC (permalink / raw) To: buildroot On Sun, 7 Jun 2020 at 21:16, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote: > > > > On Sun, 7 Jun 2020 at 21:03, Norbert Lange <nolange79@gmail.com> wrote: >> >> On Sun, 7 Jun 2020 at 12:54, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote: >> > >> > >> > >> > On Sat, 6 Jun 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote: >> >> >> >> the openssh daemon is not suited for systemd's simple >> >> service type. dependent services should only start >> >> when sshd is ready to accept connections. >> >> >> >> A patch is added from debian to allow openssh >> >> to communicate this state. >> >> >> >> Restarts are prevented if the reason is a faulty >> >> config file (error code 255). >> >> >> >> The "user confinement directory" is changed to >> >> '/run/sshd' which is automatically managed by systemd. >> >> >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com> >> >> --- >> >> package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++ >> >> package/openssh/openssh.mk | 14 +++- >> >> package/openssh/sshd-sysusers.conf | 2 +- >> >> package/openssh/sshd.service | 13 +++- >> >> 4 files changed, 109 insertions(+), 4 deletions(-) >> >> create mode 100644 package/openssh/00-systemd-readiness.patch >> >> >> >> diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch >> >> new file mode 100644 >> >> index 0000000000..be3b6b0074 >> >> --- /dev/null >> >> +++ b/package/openssh/00-systemd-readiness.patch
>> >> @@ -0,0 +1,84 @@ >> >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 >> >> +From: Michael Biebl <biebl@debian.org> >> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000 >> >> +Subject: Add systemd readiness notification support >> >> + >> >> +Bug-Debian: https://bugs.debian.org/778913 >> >> +Forwarded: no >> >> +Last-Update: 2017-08-22 >> >> + >> >> +Patch-Name: systemd-readiness.patch >> >> +--- >> >> + configure.ac | 24 ++++++++++++++++++++++++ >> >> + sshd.c | 9 +++++++++ >> >> + 2 files changed, 33 insertions(+) >> >> + >> >> +diff --git a/configure.ac b/configure.ac >> >> +index e894db9fc..c119d6fd1 100644 >> >> +--- a/configure.ac >> >> ++++ b/configure.ac >> >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], >> >> + AC_SUBST([GSSLIBS]) >> >> + AC_SUBST([K5LIBS]) >> >> + >> >> ++# Check whether user wants systemd support >> >> ++SYSTEMD_MSG="no" >> >> ++AC_ARG_WITH(systemd, >> >> ++ [ --with-systemd Enable systemd support], >> >> ++ [ if test "x$withval" != "xno" ; then >> >> ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) >> >> ++ if test "$PKGCONFIG" != "no"; then >> >> ++ AC_MSG_CHECKING([for libsystemd]) >> >> ++ if $PKGCONFIG --exists libsystemd; then >> >> ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` >> >> ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` >> >> ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" >> >> ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" >> >> ++ AC_MSG_RESULT([yes]) >> >> ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) >> >> ++ SYSTEMD_MSG="yes" >> >> ++ else >> >> ++ AC_MSG_RESULT([no]) >> >> ++ fi >> >> ++ fi >> >> ++ fi ] >> >> ++) >> >> ++ >> >> + # Looking for programs, paths and files >> >> + >> >> + PRIVSEP_PATH=/var/empty >> >> +@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG" >> >> + echo " Solaris process contract support: $SPC_MSG" >> >> + echo " Solaris project support: $SP_MSG" >> >> + echo " Solaris privilege support: $SPP_MSG" >> >> ++echo " systemd support: $SYSTEMD_MSG" >> 
>> + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" >> >> + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" >> >> + echo " BSD Auth support: $BSD_AUTH_MSG" >> >> +diff --git a/sshd.c b/sshd.c >> >> +index 4e8ff0662..5e7679a33 100644 >> >> +--- a/sshd.c >> >> ++++ b/sshd.c >> >> +@@ -85,6 +85,10 @@ >> >> + #include <prot.h> >> >> + #endif >> >> + >> >> ++#ifdef HAVE_SYSTEMD >> >> ++#include <systemd/sd-daemon.h> >> >> ++#endif >> >> ++ >> >> + #include "xmalloc.h" >> >> + #include "ssh.h" >> >> + #include "ssh2.h" >> >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av) >> >> + } >> >> + } >> >> + >> >> ++#ifdef HAVE_SYSTEMD >> >> ++ /* Signal systemd that we are ready to accept connections */ >> >> ++ sd_notify(0, "READY=1"); >> >> ++#endif >> >> ++ >> >> + /* Accept a connection and return in a forked child */ >> >> + server_accept_loop(&sock_in, &sock_out, >> >> + &newsock, config_s); >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk >> >> index 55b917e20a..d425db1428 100644 >> >> --- a/package/openssh/openssh.mk >> >> +++ b/package/openssh/openssh.mk >> >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \ >> >> LD="$(TARGET_CC)" \ >> >> LDFLAGS="$(TARGET_CFLAGS)" \ >> >> LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` >> >> +OPENSSH_AUTORECONF = YES >> >> OPENSSH_CONF_OPTS = \ >> >> --sysconfdir=/etc/ssh \ >> >> --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \ 
>> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \ >> >> --disable-wtmpx \ >> >> --disable-strip >> >> >> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y) >> >> +OPENSSH_DEPENDENCIES = systemd >> >> + >> >> +OPENSSH_CONF_OPTS += \ >> >> + --with-privsep-path=/run/sshd \ >> >> + --with-pid-dir=/run \ >> >> + --with-systemd >> >> + >> >> +else >> >> + >> >> define OPENSSH_PERMISSIONS >> >> /var/empty d 755 root root - - - - - >> >> endef >> > >> > >> > Do we still need this when using systemd, or can it be commented out ? >> >> Not sure what you mean with "this"? >> The OPENSSH_PERMISSIONS block is needed when not using systemd and it >> is only active then. >> > > my bad, I missed the enclosing ifeq() > >> >> > >> > >> >> >> >> +endif >> >> >> >> ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),) >> >> OPENSSH_CONF_OPTS += --without-pie >> >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS >> >> endef >> >> else >> >> define OPENSSH_USERS >> >> - sshd -1 sshd -1 * /var/empty - - SSH drop priv user >> >> + sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user >> >> endef >> >> endif >> >> >> >> diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf >> >> index ac77aec065..303d0dbb63 100644 >> >> --- a/package/openssh/sshd-sysusers.conf >> >> +++ b/package/openssh/sshd-sysusers.conf >> >> @@ -1 +1 @@ >> >> -u sshd - "SSH drop priv user" /var/empty >> >> +u sshd - "SSH drop priv user" /run/sshd >> >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service >> >> index b5e96b3a25..715bd3f7eb 100644 >> >> --- a/package/openssh/sshd.service >> >> +++ b/package/openssh/sshd.service 
>> >> @@ -1,11 +1,20 @@ >> >> [Unit] >> >> Description=OpenSSH server daemon >> >> -After=syslog.target network.target auditd.service >> >> +Documentation=man:sshd(8) man:sshd_config(5) >> >> +After=network.target auditd.service >> >> >> >> >> >> [Service] >> >> ExecStartPre=/usr/bin/ssh-keygen -A >> >> -ExecStart=/usr/sbin/sshd -D -e >> >> +ExecStartPre=/usr/sbin/sshd -t >> >> +ExecStart=/usr/sbin/sshd -D >> > >> > You droped the -e, so you are logging to syslog >> > However you droped the dependency on syslog.target earlier... >> > (maybe it should be syslog.socket instead of .target, btw) >> >> >> syslog.target is long long gone, and the syslog will be >> unconditionally available >> https://www.freedesktop.org/wiki/Software/systemd/syslog/ >> >> >> > >> > >> > how exactly do you want to log ? (I think logging to stdout is better, it will be >> > redirected to the journal. >> >> >> stdout is not really useful if syslog is supported. >> > i'd go the other way round > > syslog is not really necessary if stdout is available, > but it's a matter of taste :P so let's go your way. Its more the point, that Openssh already implemented syslog, and thats a clear functional superset of listening to stdout. > >> >> > >> > >> >> >> >> +ExecReload=/usr/sbin/sshd -t >> >> ExecReload=/bin/kill -HUP $MAINPID >> >> +KillMode=process >> > >> > >> > Wouldn't mixed be better here ? >> > I'm not really sure what the use-case for procss is anyway... >> >> >> I taken that from debian, I could not argue against it (there is a >> long discussion which I linked above). >> Can you argue *for* mixed? >> > > > I didn't see any link > * process : SIGTERM and SIGKILL is sent only to MainPID > * mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every process in the service cgroup. 
> > This means that if all works well, they do the same thing > > in case the MainPID fails to properly terminate its children, process would leave children alive > but mixed woul kill everybody > > Since we are trying to terminate the service, it makes sense to me to make sur all child process > are killed. > > but I don't see your link so I may be missing something The link is in the added patch: https://bugs.debian.org/778913 As said, I could not argue either way, but I got some respect for the debian guys ;) Norbert ^ permalink raw reply [flat|nested] 22+ messages in thread
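Review bot: in the configure.ac hunk of 00-systemd-readiness.patch, the `--with-systemd` branch only emits `AC_MSG_RESULT([no])` when pkg-config cannot find libsystemd, so the build completes without HAVE_SYSTEMD while sshd.service still declares `Type=notify`; the unit would then never leave the activating state because `sd_notify(0, "READY=1")` is compiled out. Since openssh.mk passes `--with-systemd` only when systemd is an explicit dependency, an `AC_MSG_ERROR` in that else branch would turn this runtime hang into a build-time failure.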
* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd 2020-06-07 19:24 ` Norbert Lange @ 2020-06-07 19:42 ` Jérémy ROSEN 2020-06-11 0:04 ` Norbert Lange 0 siblings, 1 reply; 22+ messages in thread From: Jérémy ROSEN @ 2020-06-07 19:42 UTC (permalink / raw) To: buildroot On Sun, 7 Jun 2020 at 21:24, Norbert Lange <nolange79@gmail.com> wrote: > On Sun, 7 Jun 2020 at 21:16, Jérémy ROSEN <jeremy.rosen at smile.fr> wrote: > > > > > > > > On Sun, 7 Jun 2020 at 21:03, Norbert Lange <nolange79@gmail.com> wrote: > >> > >> On Sun, 7 Jun 2020 at 12:54, Jérémy ROSEN <jeremy.rosen at smile.fr> wrote: > >> > > >> > > >> > > >> > On Sat, 6 Jun 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote: > >> >> > >> >> the openssh daemon is not suited for systemd's simple > >> >> service type. dependent services should only start > >> >> when sshd is ready to accept connections. > >> >> > >> >> A patch is added from debian to allow openssh > >> >> to communicate this state. > >> >> > >> >> Restarts are prevented if the reason is a faulty > >> >> config file (error code 255). > >> >> > >> >> The "user confinement directory" is changed to > >> >> '/run/sshd' which is automatically managed by systemd. > >> >> > >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com> > >> >> --- > >> >> package/openssh/00-systemd-readiness.patch | 84 > ++++++++++++++++++++++ > >> >> package/openssh/openssh.mk | 14 +++- > >> >> package/openssh/sshd-sysusers.conf | 2 +- > >> >> package/openssh/sshd.service | 13 +++- > >> >> 4 files changed, 109 insertions(+), 4 deletions(-) > >> >> create mode 100644 package/openssh/00-systemd-readiness.patch > >> >> > >> >> diff --git a/package/openssh/00-systemd-readiness.patch > b/package/openssh/00-systemd-readiness.patch > >> >> new file mode 100644 > >> >> index 0000000000..be3b6b0074 > >> >> --- /dev/null > >> >> +++ b/package/openssh/00-systemd-readiness.patch
> >> >> @@ -0,0 +1,84 @@ > >> >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 > 2001 > >> >> +From: Michael Biebl <biebl@debian.org> > >> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000 > >> >> +Subject: Add systemd readiness notification support > >> >> + > >> >> +Bug-Debian: https://bugs.debian.org/778913 > >> >> +Forwarded: no > >> >> +Last-Update: 2017-08-22 > >> >> + > >> >> +Patch-Name: systemd-readiness.patch > >> >> +--- > >> >> + configure.ac | 24 ++++++++++++++++++++++++ > >> >> + sshd.c | 9 +++++++++ > >> >> + 2 files changed, 33 insertions(+) > >> >> + > >> >> +diff --git a/configure.ac b/configure.ac > >> >> +index e894db9fc..c119d6fd1 100644 > >> >> +--- a/configure.ac > >> >> ++++ b/configure.ac > >> >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], > >> >> + AC_SUBST([GSSLIBS]) > >> >> + AC_SUBST([K5LIBS]) > >> >> + > >> >> ++# Check whether user wants systemd support > >> >> ++SYSTEMD_MSG="no" > >> >> ++AC_ARG_WITH(systemd, > >> >> ++ [ --with-systemd Enable systemd support], > >> >> ++ [ if test "x$withval" != "xno" ; then > >> >> ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) > >> >> ++ if test "$PKGCONFIG" != "no"; then > >> >> ++ AC_MSG_CHECKING([for libsystemd]) > >> >> ++ if $PKGCONFIG --exists libsystemd; then > >> >> ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags > libsystemd` > >> >> ++ SYSTEMD_LIBS=`$PKGCONFIG --libs > libsystemd` > >> >> ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" > >> >> ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" > >> >> ++ AC_MSG_RESULT([yes]) > >> >> ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define > if you want systemd support.]) > >> >> ++ SYSTEMD_MSG="yes" > >> >> ++ else > >> >> ++ AC_MSG_RESULT([no]) > >> >> ++ fi > >> >> ++ fi > >> >> ++ fi ] > >> >> ++) > >> >> ++ > >> >> + # Looking for programs, paths and files > >> >> + > >> >> + PRIVSEP_PATH=/var/empty > >> >> +@@ -5305,6 +5328,7 @@ echo " libldns support: > $LDNS_MSG" > >> >> + echo " Solaris process contract support: $SPC_MSG" > >> >> + echo " Solaris project 
support: $SP_MSG" > >> >> + echo " Solaris privilege support: $SPP_MSG" > >> >> ++echo " systemd support: $SYSTEMD_MSG" > >> >> + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" > >> >> + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" > >> >> + echo " BSD Auth support: $BSD_AUTH_MSG" > >> >> +diff --git a/sshd.c b/sshd.c > >> >> +index 4e8ff0662..5e7679a33 100644 > >> >> +--- a/sshd.c > >> >> ++++ b/sshd.c > >> >> +@@ -85,6 +85,10 @@ > >> >> + #include <prot.h> > >> >> + #endif > >> >> + > >> >> ++#ifdef HAVE_SYSTEMD > >> >> ++#include <systemd/sd-daemon.h> > >> >> ++#endif > >> >> ++ > >> >> + #include "xmalloc.h" > >> >> + #include "ssh.h" > >> >> + #include "ssh2.h" > >> >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av) > >> >> + } > >> >> + } > >> >> + > >> >> ++#ifdef HAVE_SYSTEMD > >> >> ++ /* Signal systemd that we are ready to accept > connections */ > >> >> ++ sd_notify(0, "READY=1"); > >> >> ++#endif > >> >> ++ > >> >> + /* Accept a connection and return in a forked child > */ > >> >> + server_accept_loop(&sock_in, &sock_out, > >> >> + &newsock, config_s); > >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk > >> >> index 55b917e20a..d425db1428 100644 > >> >> --- a/package/openssh/openssh.mk > >> >> +++ b/package/openssh/openssh.mk > >> >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \ > >> >> LD="$(TARGET_CC)" \ > >> >> LDFLAGS="$(TARGET_CFLAGS)" \ > >> >> LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` > >> >> +OPENSSH_AUTORECONF = YES > >> >> OPENSSH_CONF_OPTS = \ > >> >> --sysconfdir=/etc/ssh \ > >> >> --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \ 
> >> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \ > >> >> --disable-wtmpx \ > >> >> --disable-strip > >> >> > >> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y) > >> >> +OPENSSH_DEPENDENCIES = systemd > >> >> + > >> >> +OPENSSH_CONF_OPTS += \ > >> >> + --with-privsep-path=/run/sshd \ > >> >> + --with-pid-dir=/run \ > >> >> + --with-systemd > >> >> + > >> >> +else > >> >> + > >> >> define OPENSSH_PERMISSIONS > >> >> /var/empty d 755 root root - - - - - > >> >> endef > >> > > >> > > >> > Do we still need this when using systemd, or can it be commented out ? > >> > >> Not sure what you mean with "this"? > >> The OPENSSH_PERMISSIONS block is needed when not using systemd and it > >> is only active then. > >> > > > > my bad, I missed the enclosing ifeq() > > > >> > >> > > >> > > >> >> > >> >> +endif > >> >> > >> >> ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),) > >> >> OPENSSH_CONF_OPTS += --without-pie > >> >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS > >> >> endef > >> >> else > >> >> define OPENSSH_USERS > >> >> - sshd -1 sshd -1 * /var/empty - - SSH drop priv user > >> >> + sshd -1 sshd -1 * $(if > $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user > >> >> endef > >> >> endif > >> >> > >> >> diff --git a/package/openssh/sshd-sysusers.conf > b/package/openssh/sshd-sysusers.conf > >> >> index ac77aec065..303d0dbb63 100644 > >> >> --- a/package/openssh/sshd-sysusers.conf > >> >> +++ b/package/openssh/sshd-sysusers.conf > >> >> @@ -1 +1 @@ > >> >> -u sshd - "SSH drop priv user" /var/empty > >> >> +u sshd - "SSH drop priv user" /run/sshd > >> >> diff --git a/package/openssh/sshd.service > b/package/openssh/sshd.service > >> >> index b5e96b3a25..715bd3f7eb 100644 > >> >> --- a/package/openssh/sshd.service > >> >> +++ b/package/openssh/sshd.service 
> >> >> @@ -1,11 +1,20 @@ > >> >> [Unit] > >> >> Description=OpenSSH server daemon > >> >> -After=syslog.target network.target auditd.service > >> >> +Documentation=man:sshd(8) man:sshd_config(5) > >> >> +After=network.target auditd.service > >> >> > >> >> > >> >> [Service] > >> >> ExecStartPre=/usr/bin/ssh-keygen -A > >> >> -ExecStart=/usr/sbin/sshd -D -e > >> >> +ExecStartPre=/usr/sbin/sshd -t > >> >> +ExecStart=/usr/sbin/sshd -D > >> > > >> > You droped the -e, so you are logging to syslog > >> > However you droped the dependency on syslog.target earlier... > >> > (maybe it should be syslog.socket instead of .target, btw) > >> > >> > >> syslog.target is long long gone, and the syslog will be > >> unconditionally available > >> https://www.freedesktop.org/wiki/Software/systemd/syslog/ > >> > >> > >> > > >> > > >> > how exactly do you want to log ? (I think logging to stdout is > better, it will be > >> > redirected to the journal. > >> > >> > >> stdout is not really useful if syslog is supported. > >> > > i'd go the other way round > > > > syslog is not really necessary if stdout is available, > > but it's a matter of taste :P so let's go your way. > > Its more the point, that Openssh already implemented syslog, and thats > a clear functional superset of listening to stdout. > > > > >> > >> > > >> > > >> >> > >> >> +ExecReload=/usr/sbin/sshd -t > >> >> ExecReload=/bin/kill -HUP $MAINPID > >> >> +KillMode=process > >> > > >> > > >> > Wouldn't mixed be better here ? > >> > I'm not really sure what the use-case for procss is anyway... > >> > >> > >> I taken that from debian, I could not argue against it (there is a > >> long discussion which I linked above). > >> Can you argue *for* mixed? > >> > > > > > > I didn't see any link > > * process : SIGTERM and SIGKILL is sent only to MainPID > > * mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every process > in the service cgroup. 
> > > > This means that if all works well, they do the same thing > > > > in case the MainPID fails to properly terminate its children, process > would leave children alive > > but mixed would kill everybody > > > > Since we are trying to terminate the service, it makes sense to me to > make sure all child processes > > are killed. > > > > but I don't see your link so I may be missing something > > The link is in the added patch: https://bugs.debian.org/778913 > > As said, I could not argue either way, but I got some respect for the > debian guys ;) > > The thread does not actually discuss process vs mixed... so doesn't really help here. OTOH, the debian version has been vetted by mbiel who is a systemd core-maintainer. so i would go with mixed if I were to write the service from scratch, but since I don't have an explanation for the choice of process, I'm not entirely sure... A possibility is that ssh creates a process per connection. in that case * process would not kill all ongoing connections * mixed would maybe it was chosen to protect existing connections. that would make some sense. > Norbert > ^ permalink raw reply [flat|nested] 22+ messages in thread
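The Type=notify handshake that the quoted Debian patch adds to sshd with `sd_notify(0, "READY=1")`, reproduced here as an added example (not code from the patch, from OpenSSH or from Buildroot): the sender does on the wire what sd_notify() does, and the receiver stands in for systemd and parses the datagram as a Type=notify unit would; the socket path is constructed for the example and stands in for /run/systemd/notify.

```python
"""Minimal reproduction of the systemd readiness notification protocol.

Sender side: what sd_notify() does on the wire (one AF_UNIX datagram to the
path in $NOTIFY_SOCKET). Receiver side: a stand-in for the service manager,
parsing the datagram into KEY=VALUE fields the way Type=notify expects.
Added example; not part of OpenSSH, the Debian patch or Buildroot.
"""
import os
import socket
import tempfile
from typing import Dict, Optional


def notify(message: str, notify_socket: Optional[str] = None) -> bool:
    """Send one sd_notify-style datagram; return False if it was a no-op.

    Mirrors libsystemd: an unset or empty NOTIFY_SOCKET means the service
    was not started with Type=notify, so nothing is sent. A leading '@'
    selects the Linux abstract socket namespace (NUL-prefixed address).
    """
    path = notify_socket if notify_socket is not None else os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    address = b"\0" + path[1:].encode() if path.startswith("@") else path.encode()
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode(), address)
    return True


def parse_notify(datagram: bytes) -> Dict[str, str]:
    """Parse a notification datagram: one KEY=VALUE per line.

    Lines without '=' are ignored and a repeated key keeps its last value,
    which is how systemd treats the message.
    """
    fields: Dict[str, str] = {}
    for line in datagram.decode(errors="replace").split("\n"):
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def is_ready(fields: Dict[str, str]) -> bool:
    """systemd moves a Type=notify unit to 'active' once READY=1 is seen."""
    return fields.get("READY") == "1"


def readiness_exchange(message: str = "READY=1\nSTATUS=Accepting connections") -> Dict[str, str]:
    """Run both sides of the exchange on a private socket.

    Returns the fields the manager side parsed. An empty dict (or one
    without READY=1) is what a Type=notify unit sees from a daemon that was
    built without the readiness patch: it stays 'activating' until
    TimeoutStartSec expires.
    """
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "notify")  # constructed stand-in for /run/systemd/notify
    manager = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        manager.bind(sock_path)
        manager.settimeout(2.0)
        if not notify(message, notify_socket=sock_path):
            return {}
        data, _ = manager.recvfrom(4096)
        return parse_notify(data)
    finally:
        manager.close()
        os.unlink(sock_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    parsed = readiness_exchange()
    print("manager parsed:", parsed, "-> unit active:", is_ready(parsed))
```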
* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd 2020-06-07 19:42 ` Jérémy ROSEN @ 2020-06-11 0:04 ` Norbert Lange 2020-06-11 6:14 ` Jérémy ROSEN 0 siblings, 1 reply; 22+ messages in thread From: Norbert Lange @ 2020-06-11 0:04 UTC (permalink / raw) To: buildroot On Sun, 7 Jun 2020 at 21:42, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote: > > > > On Sun, 7 Jun 2020 at 21:24, Norbert Lange <nolange79@gmail.com> wrote: >> >> On Sun, 7 Jun 2020 at 21:16, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote: >> > >> > >> > >> > On Sun, 7 Jun 2020 at 21:03, Norbert Lange <nolange79@gmail.com> wrote: >> >> >> >> On Sun, 7 Jun 2020 at 12:54, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote: >> >> > >> >> > >> >> > >> >> > On Sat, 6 Jun 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote: >> >> >> >> >> >> the openssh daemon is not suited for systemd's simple >> >> >> service type. dependent services should only start >> >> >> when sshd is ready to accept connections. >> >> >> >> >> >> A patch is added from debian to allow openssh >> >> >> to communicate this state. >> >> >> >> >> >> Restarts are prevented if the reason is a faulty >> >> >> config file (error code 255). >> >> >> >> >> >> The "user confinement directory" is changed to >> >> >> '/run/sshd' which is automatically managed by systemd. >> >> >> >> >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com> >> >> >> --- >> >> >> package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++ >> >> >> package/openssh/openssh.mk | 14 +++- >> >> >> package/openssh/sshd-sysusers.conf | 2 +- >> >> >> package/openssh/sshd.service | 13 +++- >> >> >> 4 files changed, 109 insertions(+), 4 deletions(-) >> >> >> create mode 100644 package/openssh/00-systemd-readiness.patch >> >> >> >> >> >> diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch >> >> >> new file mode 100644 >> >> >> index 0000000000..be3b6b0074 >> >> >> --- /dev/null
>> >> >> +++ b/package/openssh/00-systemd-readiness.patch 
>> >> >> @@ -0,0 +1,84 @@ >> >> >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 >> >> >> +From: Michael Biebl <biebl@debian.org> >> >> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000 >> >> >> +Subject: Add systemd readiness notification support >> >> >> + >> >> >> +Bug-Debian: https://bugs.debian.org/778913 >> >> >> +Forwarded: no >> >> >> +Last-Update: 2017-08-22 >> >> >> + >> >> >> +Patch-Name: systemd-readiness.patch >> >> >> +--- >> >> >> + configure.ac | 24 ++++++++++++++++++++++++ >> >> >> + sshd.c | 9 +++++++++ >> >> >> + 2 files changed, 33 insertions(+) >> >> >> + >> >> >> +diff --git a/configure.ac b/configure.ac >> >> >> +index e894db9fc..c119d6fd1 100644 >> >> >> +--- a/configure.ac >> >> >> ++++ b/configure.ac >> >> >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], >> >> >> + AC_SUBST([GSSLIBS]) >> >> >> + AC_SUBST([K5LIBS]) >> >> >> + >> >> >> ++# Check whether user wants systemd support >> >> >> ++SYSTEMD_MSG="no" >> >> >> ++AC_ARG_WITH(systemd, >> >> >> ++ [ --with-systemd Enable systemd support], >> >> >> ++ [ if test "x$withval" != "xno" ; then >> >> >> ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) >> >> >> ++ if test "$PKGCONFIG" != "no"; then >> >> >> ++ AC_MSG_CHECKING([for libsystemd]) >> >> >> ++ if $PKGCONFIG --exists libsystemd; then >> >> >> ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` >> >> >> ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` >> >> >> ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" >> >> >> ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" >> >> >> ++ AC_MSG_RESULT([yes]) >> >> >> ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) >> >> >> ++ SYSTEMD_MSG="yes" >> >> >> ++ else >> >> >> ++ AC_MSG_RESULT([no]) >> >> >> ++ fi >> >> >> ++ fi >> >> >> ++ fi ] >> >> >> ++) >> >> >> ++ >> >> >> + # Looking for programs, paths and files >> >> >> + >> >> >> + PRIVSEP_PATH=/var/empty >> >> >> +@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG" >> >> >> + echo " Solaris process contract support: 
$SPC_MSG" >> >> >> + echo " Solaris project support: $SP_MSG" >> >> >> + echo " Solaris privilege support: $SPP_MSG" >> >> >> ++echo " systemd support: $SYSTEMD_MSG" >> >> >> + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" >> >> >> + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" >> >> >> + echo " BSD Auth support: $BSD_AUTH_MSG" >> >> >> +diff --git a/sshd.c b/sshd.c >> >> >> +index 4e8ff0662..5e7679a33 100644 >> >> >> +--- a/sshd.c >> >> >> ++++ b/sshd.c >> >> >> +@@ -85,6 +85,10 @@ >> >> >> + #include <prot.h> >> >> >> + #endif >> >> >> + >> >> >> ++#ifdef HAVE_SYSTEMD >> >> >> ++#include <systemd/sd-daemon.h> >> >> >> ++#endif >> >> >> ++ >> >> >> + #include "xmalloc.h" >> >> >> + #include "ssh.h" >> >> >> + #include "ssh2.h" >> >> >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av) >> >> >> + } >> >> >> + } >> >> >> + >> >> >> ++#ifdef HAVE_SYSTEMD >> >> >> ++ /* Signal systemd that we are ready to accept connections */ >> >> >> ++ sd_notify(0, "READY=1"); >> >> >> ++#endif >> >> >> ++ >> >> >> + /* Accept a connection and return in a forked child */ >> >> >> + server_accept_loop(&sock_in, &sock_out, >> >> >> + &newsock, config_s); >> >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk >> >> >> index 55b917e20a..d425db1428 100644 >> >> >> --- a/package/openssh/openssh.mk >> >> >> +++ b/package/openssh/openssh.mk >> >> >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \ >> >> >> LD="$(TARGET_CC)" \ >> >> >> LDFLAGS="$(TARGET_CFLAGS)" \ >> >> >> LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` >> >> >> +OPENSSH_AUTORECONF = YES >> >> >> OPENSSH_CONF_OPTS = \ >> >> >> --sysconfdir=/etc/ssh \ >> >> >> --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \ 
>> >> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \ >> >> >> --disable-wtmpx \ >> >> >> --disable-strip >> >> >> >> >> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y) >> >> >> +OPENSSH_DEPENDENCIES = systemd >> >> >> + >> >> >> +OPENSSH_CONF_OPTS += \ >> >> >> + --with-privsep-path=/run/sshd \ >> >> >> + --with-pid-dir=/run \ >> >> >> + --with-systemd >> >> >> + >> >> >> +else >> >> >> + >> >> >> define OPENSSH_PERMISSIONS >> >> >> /var/empty d 755 root root - - - - - >> >> >> endef >> >> > >> >> > >> >> > Do we still need this when using systemd, or can it be commented out ? >> >> >> >> Not sure what you mean with "this"? >> >> The OPENSSH_PERMISSIONS block is needed when not using systemd and it >> >> is only active then. >> >> >> > >> > my bad, I missed the enclosing ifeq() >> > >> >> >> >> > >> >> > >> >> >> >> >> >> +endif >> >> >> >> >> >> ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),) >> >> >> OPENSSH_CONF_OPTS += --without-pie >> >> >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS >> >> >> endef >> >> >> else >> >> >> define OPENSSH_USERS >> >> >> - sshd -1 sshd -1 * /var/empty - - SSH drop priv user >> >> >> + sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user >> >> >> endef >> >> >> endif >> >> >> >> >> >> diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf >> >> >> index ac77aec065..303d0dbb63 100644 >> >> >> --- a/package/openssh/sshd-sysusers.conf >> >> >> +++ b/package/openssh/sshd-sysusers.conf >> >> >> @@ -1 +1 @@ >> >> >> -u sshd - "SSH drop priv user" /var/empty >> >> >> +u sshd - "SSH drop priv user" /run/sshd >> >> >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service >> >> >> index b5e96b3a25..715bd3f7eb 100644 >> >> >> --- a/package/openssh/sshd.service >> >> >> +++ b/package/openssh/sshd.service 
>> >> >> @@ -1,11 +1,20 @@ >> >> >> [Unit] >> >> >> Description=OpenSSH server daemon >> >> >> -After=syslog.target network.target auditd.service >> >> >> +Documentation=man:sshd(8) man:sshd_config(5) >> >> >> +After=network.target auditd.service >> >> >> >> >> >> >> >> >> [Service] >> >> >> ExecStartPre=/usr/bin/ssh-keygen -A >> >> >> -ExecStart=/usr/sbin/sshd -D -e >> >> >> +ExecStartPre=/usr/sbin/sshd -t >> >> >> +ExecStart=/usr/sbin/sshd -D >> >> > >> >> > You droped the -e, so you are logging to syslog >> >> > However you droped the dependency on syslog.target earlier... >> >> > (maybe it should be syslog.socket instead of .target, btw) >> >> >> >> >> >> syslog.target is long long gone, and the syslog will be >> >> unconditionally available >> >> https://www.freedesktop.org/wiki/Software/systemd/syslog/ >> >> >> >> >> >> > >> >> > >> >> > how exactly do you want to log ? (I think logging to stdout is better, it will be >> >> > redirected to the journal. >> >> >> >> >> >> stdout is not really useful if syslog is supported. >> >> >> > i'd go the other way round >> > >> > syslog is not really necessary if stdout is available, >> > but it's a matter of taste :P so let's go your way. >> >> Its more the point, that Openssh already implemented syslog, and thats >> a clear functional superset of listening to stdout. >> >> > >> >> >> >> > >> >> > >> >> >> >> >> >> +ExecReload=/usr/sbin/sshd -t >> >> >> ExecReload=/bin/kill -HUP $MAINPID >> >> >> +KillMode=process >> >> > >> >> > >> >> > Wouldn't mixed be better here ? >> >> > I'm not really sure what the use-case for procss is anyway... >> >> >> >> >> >> I taken that from debian, I could not argue against it (there is a >> >> long discussion which I linked above). >> >> Can you argue *for* mixed? >> >> >> > >> > >> > I didn't see any link >> > * process : SIGTERM and SIGKILL is sent only to MainPID >> > * mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every process in the service cgroup. 
>> > >> > This means that if all works well, they do the same thing >> > >> > in case the MainPID fails to properly terminate its children, process would leave children alive >> > but mixed woul kill everybody >> > >> > Since we are trying to terminate the service, it makes sense to me to make sur all child process >> > are killed. >> > >> > but I don't see your link so I may be missing something >> >> The link is in the added patch: https://bugs.debian.org/778913 >> >> As said, I could not argue either way, but I got some respect for the >> debian guys ;) >> > > The thread does not actually discuss process vs mixed... > > so doesn't really help here. > OTOH, the debian version has been vetted by mbiel which is a systemc core-maintainer. > > so i would go with mixed if I were to write the service from scratch, but since I don't have an > explanation for the choice of process, I'm not entirely sure... > > A possibility is that ssh creates a process per connection. in that case > * process would not kill all ongoing connections > * mixed would > > maybe it was chosen to protect existing connection. that would make some sense. Well, debian and arch seem to agree on using "process", I guess it means to just prevent new connections and not kill existing ones? Can I get a "reviewed-by" for this patch, so this and #3 can be merged? Norbert ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
2020-06-11 0:04 ` Norbert Lange
@ 2020-06-11 6:14 ` Jérémy ROSEN
0 siblings, 0 replies; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-11 6:14 UTC (permalink / raw)
To: buildroot

sure
Reviewed-by: Jérémy Rosen <jeremy.rosen@smile.fr>

Sorry for noticing that everything was addressed

On Thu, 11 Jun 2020 at 02:04, Norbert Lange <nolange79@gmail.com> wrote:
> On Sun, 7 Jun 2020 at 21:42, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
> >
> >
> >
> > On Sun, 7 Jun 2020 at 21:24, Norbert Lange <nolange79@gmail.com> wrote:
> >>
> >> On Sun, 7 Jun 2020 at 21:16, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
> >> >
> >> >
> >> >
> >> > On Sun, 7 Jun 2020 at 21:03, Norbert Lange <nolange79@gmail.com> wrote:
> >> >>
> >> >> On Sun, 7 Jun 2020 at 12:54, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
> >> >> >
> >> >> >
> >> >> >
> >> >> > On Sat, 6 Jun 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
> >> >> >>
> >> >> >> the openssh daemon is not suited for systemd's simple
> >> >> >> service type. dependent services should only start
> >> >> >> when sshd is ready to accept connections.
> >> >> >>
> >> >> >> A patch is added from debian to allow openssh
> >> >> >> to communicate this state.
> >> >> >>
> >> >> >> Restarts are prevented if the reason is a faulty
> >> >> >> config file (error code 255).
> >> >> >>
> >> >> >> The "user confinement directory" is changed to
> >> >> >> '/run/sshd' which is automatically managed by systemd.
> >> >> >>
> >> >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> >> >> ---
> >> >> >> package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
> >> >> >> package/openssh/openssh.mk | 14 +++-
> >> >> >> package/openssh/sshd-sysusers.conf | 2 +-
> >> >> >> package/openssh/sshd.service | 13 +++-
> >> >> >> 4 files changed, 109 insertions(+), 4 deletions(-)
> >> >> >> create mode 100644 package/openssh/00-systemd-readiness.patch
> >> >> >>
> >> >> >> diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch
> >> >> >> new file mode 100644
> >> >> >> index 0000000000..be3b6b0074
> >> >> >> --- /dev/null
> >> >> >> +++ b/package/openssh/00-systemd-readiness.patch
> >> >> >> @@ -0,0 +1,84 @@
> >> >> >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
> >> >> >> +From: Michael Biebl <biebl@debian.org>
> >> >> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000
> >> >> >> +Subject: Add systemd readiness notification support
> >> >> >> +
> >> >> >> +Bug-Debian: https://bugs.debian.org/778913
> >> >> >> +Forwarded: no
> >> >> >> +Last-Update: 2017-08-22
> >> >> >> +
> >> >> >> +Patch-Name: systemd-readiness.patch
> >> >> >> +---
> >> >> >> + configure.ac | 24 ++++++++++++++++++++++++
> >> >> >> + sshd.c | 9 +++++++++
> >> >> >> + 2 files changed, 33 insertions(+)
> >> >> >> +
> >> >> >> +diff --git a/configure.ac b/configure.ac
> >> >> >> +index e894db9fc..c119d6fd1 100644
> >> >> >> +--- a/configure.ac
> >> >> >> ++++ b/configure.ac
> >> >> >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
> >> >> >> + AC_SUBST([GSSLIBS])
> >> >> >> + AC_SUBST([K5LIBS])
> >> >> >> +
> >> >> >> ++# Check whether user wants systemd support
> >> >> >> ++SYSTEMD_MSG="no"
> >> >> >> ++AC_ARG_WITH(systemd,
> >> >> >> ++ [ --with-systemd Enable systemd support],
> >> >> >> ++ [ if test "x$withval" != "xno" ; then
> >> >> >> ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
> >> >> >> ++ if test "$PKGCONFIG" != "no"; then
> >> >> >> ++ AC_MSG_CHECKING([for libsystemd])
> >> >> >> ++ if $PKGCONFIG --exists libsystemd; then
> >> >> >> ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
> >> >> >> ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
> >> >> >> ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
> >> >> >> ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
> >> >> >> ++ AC_MSG_RESULT([yes])
> >> >> >> ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
> >> >> >> ++ SYSTEMD_MSG="yes"
> >> >> >> ++ else
> >> >> >> ++ AC_MSG_RESULT([no])
> >> >> >> ++ fi
> >> >> >> ++ fi
> >> >> >> ++ fi ]
> >> >> >> ++)
> >> >> >> ++
> >> >> >> + # Looking for programs, paths and files
> >> >> >> +
> >> >> >> + PRIVSEP_PATH=/var/empty
> >> >> >> +@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG"
> >> >> >> + echo " Solaris process contract support: $SPC_MSG"
> >> >> >> + echo " Solaris project support: $SP_MSG"
> >> >> >> + echo " Solaris privilege support: $SPP_MSG"
> >> >> >> ++echo " systemd support: $SYSTEMD_MSG"
> >> >> >> + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
> >> >> >> + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
> >> >> >> + echo " BSD Auth support: $BSD_AUTH_MSG"
> >> >> >> +diff --git a/sshd.c b/sshd.c
> >> >> >> +index 4e8ff0662..5e7679a33 100644
> >> >> >> +--- a/sshd.c
> >> >> >> ++++ b/sshd.c
> >> >> >> +@@ -85,6 +85,10 @@
> >> >> >> + #include <prot.h>
> >> >> >> + #endif
> >> >> >> +
> >> >> >> ++#ifdef HAVE_SYSTEMD
> >> >> >> ++#include <systemd/sd-daemon.h>
> >> >> >> ++#endif
> >> >> >> ++
> >> >> >> + #include "xmalloc.h"
> >> >> >> + #include "ssh.h"
> >> >> >> + #include "ssh2.h"
> >> >> >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av)
> >> >> >> + }
> >> >> >> + }
> >> >> >> +
> >> >> >> ++#ifdef HAVE_SYSTEMD
> >> >> >> ++ /* Signal systemd that we are ready to accept connections */
> >> >> >> ++ sd_notify(0, "READY=1");
> >> >> >> ++#endif
> >> >> >> ++
> >> >> >> + /* Accept a connection and return in a forked child */
> >> >> >> + server_accept_loop(&sock_in, &sock_out,
> >> >> >> + &newsock, config_s);
> >> >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> >> >> index 55b917e20a..d425db1428 100644
> >> >> >> --- a/package/openssh/openssh.mk
> >> >> >> +++ b/package/openssh/openssh.mk
> >> >> >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
> >> >> >> LD="$(TARGET_CC)" \
> >> >> >> LDFLAGS="$(TARGET_CFLAGS)" \
> >> >> >> LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
> >> >> >> +OPENSSH_AUTORECONF = YES
> >> >> >> OPENSSH_CONF_OPTS = \
> >> >> >> --sysconfdir=/etc/ssh \
> >> >> >> --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
> >> >> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
> >> >> >> --disable-wtmpx \
> >> >> >> --disable-strip
> >> >> >>
> >> >> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> >> >> >> +OPENSSH_DEPENDENCIES = systemd
> >> >> >> +
> >> >> >> +OPENSSH_CONF_OPTS += \
> >> >> >> + --with-privsep-path=/run/sshd \
> >> >> >> + --with-pid-dir=/run \
> >> >> >> + --with-systemd
> >> >> >> +
> >> >> >> +else
> >> >> >> +
> >> >> >> define OPENSSH_PERMISSIONS
> >> >> >> /var/empty d 755 root root - - - - -
> >> >> >> endef
> >> >> >
> >> >> >
> >> >> > Do we still need this when using systemd, or can it be commented out ?
> >> >>
> >> >> Not sure what you mean with "this"?
> >> >> The OPENSSH_PERMISSIONS block is needed when not using systemd and it
> >> >> is only active then.
> >> >>
> >> >
> >> > my bad, I missed the enclosing ifeq()
> >> >
> >> >>
> >> >> >
> >> >> >
> >> >> >>
> >> >> >> +endif
> >> >> >>
> >> >> >> ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
> >> >> >> OPENSSH_CONF_OPTS += --without-pie
> >> >> >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
> >> >> >> endef
> >> >> >> else
> >> >> >> define OPENSSH_USERS
> >> >> >> - sshd -1 sshd -1 * /var/empty - - SSH drop priv user
> >> >> >> + sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
> >> >> >> endef
> >> >> >> endif
> >> >> >>
> >> >> >> diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf
> >> >> >> index ac77aec065..303d0dbb63 100644
> >> >> >> --- a/package/openssh/sshd-sysusers.conf
> >> >> >> +++ b/package/openssh/sshd-sysusers.conf
> >> >> >> @@ -1 +1 @@
> >> >> >> -u sshd - "SSH drop priv user" /var/empty
> >> >> >> +u sshd - "SSH drop priv user" /run/sshd
> >> >> >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
> >> >> >> index b5e96b3a25..715bd3f7eb 100644
> >> >> >> --- a/package/openssh/sshd.service
> >> >> >> +++ b/package/openssh/sshd.service
> >> >> >> @@ -1,11 +1,20 @@
> >> >> >> [Unit]
> >> >> >> Description=OpenSSH server daemon
> >> >> >> -After=syslog.target network.target auditd.service
> >> >> >> +Documentation=man:sshd(8) man:sshd_config(5)
> >> >> >> +After=network.target auditd.service
> >> >> >>
> >> >> >>
> >> >> >> [Service]
> >> >> >> ExecStartPre=/usr/bin/ssh-keygen -A
> >> >> >> -ExecStart=/usr/sbin/sshd -D -e
> >> >> >> +ExecStartPre=/usr/sbin/sshd -t
> >> >> >> +ExecStart=/usr/sbin/sshd -D
> >> >> >
> >> >> > You dropped the -e, so you are logging to syslog
> >> >> > However you dropped the dependency on syslog.target earlier...
> >> >> > (maybe it should be syslog.socket instead of .target, btw)
> >> >>
> >> >>
> >> >> syslog.target is long long gone, and the syslog will be
> >> >> unconditionally available
> >> >> https://www.freedesktop.org/wiki/Software/systemd/syslog/
> >> >>
> >> >>
> >> >> >
> >> >> >
> >> >> > how exactly do you want to log ? (I think logging to stdout is better, it will be
> >> >> > redirected to the journal.
> >> >>
> >> >>
> >> >> stdout is not really useful if syslog is supported.
> >> >>
> >> > i'd go the other way round
> >> >
> >> > syslog is not really necessary if stdout is available,
> >> > but it's a matter of taste :P so let's go your way.
> >>
> >> It's more the point that OpenSSH already implemented syslog, and that's
> >> a clear functional superset of listening to stdout.
> >>
> >> >
> >> >>
> >> >> >
> >> >> >
> >> >> >>
> >> >> >> +ExecReload=/usr/sbin/sshd -t
> >> >> >> ExecReload=/bin/kill -HUP $MAINPID
> >> >> >> +KillMode=process
> >> >> >
> >> >> >
> >> >> > Wouldn't mixed be better here ?
> >> >> > I'm not really sure what the use-case for process is anyway...
> >> >>
> >> >>
> >> >> I took that from debian, I could not argue against it (there is a
> >> >> long discussion which I linked above).
> >> >> Can you argue *for* mixed?
> >> >>
> >> >
> >> >
> >> > I didn't see any link
> >> > * process : SIGTERM and SIGKILL is sent only to MainPID
> >> > * mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every process in the service cgroup.
> >> >
> >> > This means that if all works well, they do the same thing
> >> >
> >> > in case the MainPID fails to properly terminate its children, process would leave children alive
> >> > but mixed would kill everybody
> >> >
> >> > Since we are trying to terminate the service, it makes sense to me to make sure all child processes
> >> > are killed.
> >> >
> >> > but I don't see your link so I may be missing something
> >>
> >> The link is in the added patch: https://bugs.debian.org/778913
> >>
> >> As said, I could not argue either way, but I got some respect for the
> >> debian guys ;)
> >>
> >
> > The thread does not actually discuss process vs mixed...
> >
> > so doesn't really help here.
> > OTOH, the debian version has been vetted by mbiel who is a systemd core-maintainer.
> >
> > so i would go with mixed if I were to write the service from scratch, but since I don't have an
> > explanation for the choice of process, I'm not entirely sure...
> >
> > A possibility is that ssh creates a process per connection. in that case
> > * process would not kill all ongoing connections
> > * mixed would
> >
> > maybe it was chosen to protect existing connection. that would make some sense.
>
> Well, debian and arch seem to agree on using "process", I guess it
> means to just prevent
> new connections and not kill existing ones?
>
> Can I get a "reviewed-by" for this patch, so this and #3 can be merged?
>
> Norbert
>

--
20 rue des Jardins
92600 Asnières-sur-Seine

Jérémy ROSEN
Technical architect
jeremy.rosen@smile.fr
+33 6 88 25 87 42
http://www.smile.eu
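Review bot: in the openssh.mk hunk at `@@ -22,9 +23,20 @@`, `OPENSSH_DEPENDENCIES = systemd` is a plain assignment, so it discards whatever OPENSSH_DEPENDENCIES held before that line and systemd becomes the package's only build dependency in the systemd case; the `OPENSSH_CONF_OPTS += \` three lines below appends correctly. Use `OPENSSH_DEPENDENCIES += systemd`.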
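The `sd_notify(0, "READY=1")` call that the quoted readiness patch adds before `server_accept_loop()` is the whole protocol: one datagram on the AF_UNIX socket the manager names in `NOTIFY_SOCKET`. The following is an added example, not code from the patch, OpenSSH or Buildroot: it reimplements that call in Python without libsystemd and plays the manager side with a constructed socket in a temporary directory so the exchange can be checked offline. `notify`, `readiness_roundtrip` and `notify_without_manager` are names chosen for this example.

```python
"""Readiness notification the way sd_notify(0, "READY=1") does it, without
libsystemd: one datagram to the AF_UNIX socket named in $NOTIFY_SOCKET.
Added example; the "manager" below is a constructed stand-in for systemd."""
import os
import socket
import tempfile


def notify(state: str) -> bool:
    """Stand-in for sd_notify(0, state).

    Returns False (a no-op, as sd_notify() returning 0) when no manager set
    NOTIFY_SOCKET, True once the datagram was handed to the socket.
    """
    path = os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    if path.startswith("@"):                 # Linux abstract-namespace socket
        path = "\0" + path[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(path)
        sock.send(state.encode())            # the whole state goes in one datagram
    return True


def readiness_roundtrip(state: str = "READY=1") -> dict:
    """Play the manager: bind a datagram socket, export NOTIFY_SOCKET, let the
    daemon side call notify(), and return what arrived as a {KEY: VALUE} dict."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "notify")
    manager = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    manager.bind(path)
    manager.settimeout(2.0)
    saved = os.environ.get("NOTIFY_SOCKET")
    os.environ["NOTIFY_SOCKET"] = path
    try:
        data = manager.recv(4096) if notify(state) else b""
    finally:
        if saved is None:
            os.environ.pop("NOTIFY_SOCKET", None)
        else:
            os.environ["NOTIFY_SOCKET"] = saved
        manager.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    # systemd reads the datagram as newline-separated KEY=VALUE assignments
    return dict(line.split("=", 1) for line in data.decode().splitlines() if "=" in line)


def notify_without_manager() -> bool:
    """Outside systemd (no NOTIFY_SOCKET in the environment) the call is a no-op."""
    saved = os.environ.pop("NOTIFY_SOCKET", None)
    try:
        return notify("READY=1")
    finally:
        if saved is not None:
            os.environ["NOTIFY_SOCKET"] = saved


if __name__ == "__main__":
    print(readiness_roundtrip("READY=1\nSTATUS=accepting connections"))
    print(notify_without_manager())
```

The notification only has an effect when the unit declares `Type=notify`; with `Type=simple` systemd treats the service as started the moment the process is forked, which is the ordering problem the commit message describes. systemd also ignores notifications from any process other than the main PID unless `NotifyAccess=` widens that, so the call has to come from the listener process, as it does in the patch.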
* [Buildroot] [PATCH 3/4] package/openssh: separate sd service for host key generation
2020-06-05 22:59 [Buildroot] [PATCH 1/4] package/openssh: Depend on libaudit if available Norbert Lange
2020-06-05 22:59 ` [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd Norbert Lange
@ 2020-06-05 22:59 ` Norbert Lange
2020-06-07 10:44 ` Jérémy ROSEN
2020-06-05 22:59 ` [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services Norbert Lange
2020-06-06 20:29 ` [Buildroot] [PATCH 1/4] package/openssh: Depend on libaudit if available Thomas Petazzoni
3 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-05 22:59 UTC (permalink / raw)
To: buildroot

split out generating of host keys into an optional service
that can easily be removed or deactivated.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
package/openssh/openssh.mk | 5 +++--
package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++
package/openssh/sshd.service | 1 -
3 files changed, 23 insertions(+), 3 deletions(-)
create mode 100644 package/openssh/sshd-host-keygen.service

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index d425db1428..6b3ee1f5f4 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -114,8 +114,9 @@ endef
OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS

define OPENSSH_INSTALL_INIT_SYSTEMD
- $(INSTALL) -D -m 644 package/openssh/sshd.service \
- $(TARGET_DIR)/usr/lib/systemd/system/sshd.service
+ mkdir $(TARGET_DIR)/usr/lib/systemd/system
+ $(INSTALL) -m 644 package/openssh/sshd*.service \
+ $(TARGET_DIR)/usr/lib/systemd/system/
$(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
endef

diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
new file mode 100644
index 0000000000..058e671c44
--- /dev/null
+++ b/package/openssh/sshd-host-keygen.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=SSH Key Generation
+Before=sshd.service
+
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sshd.service
diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
index 715bd3f7eb..797e249d8d 100644
--- a/package/openssh/sshd.service
+++ b/package/openssh/sshd.service
@@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service

[Service]
-ExecStartPre=/usr/bin/ssh-keygen -A
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D
ExecReload=/usr/sbin/sshd -t
--
2.26.2
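Review bot: `mkdir $(TARGET_DIR)/usr/lib/systemd/system` in the OPENSSH_INSTALL_INIT_SYSTEMD hunk has no `-p`, so the target install fails with "File exists" as soon as any other package has already created that directory, which is the common case; the `$(INSTALL) -D` being removed created it on demand. Use `mkdir -p`, or keep `$(INSTALL) -D -m 644` per unit file.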
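Review bot: the new sshd-host-keygen.service is tied to sshd.service only through `[Install] WantedBy=sshd.service`, which takes effect only once the unit is enabled, while the sshd.service hunk drops `ExecStartPre=/usr/bin/ssh-keygen -A` unconditionally. On an image where the unit is installed but not enabled, `ExecStartPre=/usr/sbin/sshd -t` now fails for lack of host keys where the previous unit generated them. Add `Wants=sshd-host-keygen.service` to sshd.service (the `Before=sshd.service` already provides the ordering) or state in the commit message how the unit gets enabled. A comment on `RemainAfterExit=yes` explaining why this oneshot keeps its active state would also help, since the `ConditionPathExists=|!...` list already prevents re-runs once the keys exist.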
* [Buildroot] [PATCH 3/4] package/openssh: separate sd service for host key generation
2020-06-05 22:59 ` [Buildroot] [PATCH 3/4] package/openssh: separate sd service for host key generation Norbert Lange
@ 2020-06-07 10:44 ` Jérémy ROSEN
2020-06-07 18:55 ` Norbert Lange
0 siblings, 1 reply; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-07 10:44 UTC (permalink / raw)
To: buildroot

Why the RemainAfterExit?
This is a "real oneshot", it doesn't need a state to stay behind.
Moreover it would only stay behind when actually generating the key. In all follow-up boots the unit would not be started at all

Apart from that, looks good to me...

On Sat, 6 Jun 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
> split out generating of host keys into an optional service
> that can easily be removed or deactivated.
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
> package/openssh/openssh.mk | 5 +++--
> package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++
> package/openssh/sshd.service | 1 -
> 3 files changed, 23 insertions(+), 3 deletions(-)
> create mode 100644 package/openssh/sshd-host-keygen.service
>
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index d425db1428..6b3ee1f5f4 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -114,8 +114,9 @@ endef
> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>
> define OPENSSH_INSTALL_INIT_SYSTEMD
> - $(INSTALL) -D -m 644 package/openssh/sshd.service \
> - $(TARGET_DIR)/usr/lib/systemd/system/sshd.service
> + mkdir $(TARGET_DIR)/usr/lib/systemd/system
> + $(INSTALL) -m 644 package/openssh/sshd*.service \
> + $(TARGET_DIR)/usr/lib/systemd/system/
> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> endef
>
> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
> new file mode 100644
> index 0000000000..058e671c44
> --- /dev/null
> +++ b/package/openssh/sshd-host-keygen.service
> @@ -0,0 +1,20 @@
> +[Unit]
> +Description=SSH Key Generation
> +Before=sshd.service
> +
> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
> +
> +[Service]
> +ExecStart=/usr/bin/ssh-keygen -A
> +Type=oneshot
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=sshd.service
> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
> index 715bd3f7eb..797e249d8d 100644
> --- a/package/openssh/sshd.service
> +++ b/package/openssh/sshd.service
> @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5)
> After=network.target auditd.service
>
> [Service]
> -ExecStartPre=/usr/bin/ssh-keygen -A
> ExecStartPre=/usr/sbin/sshd -t
> ExecStart=/usr/sbin/sshd -D
> ExecReload=/usr/sbin/sshd -t
> --
> 2.26.2
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
* [Buildroot] [PATCH 3/4] package/openssh: separate sd service for host key generation
2020-06-07 10:44 ` Jérémy ROSEN
@ 2020-06-07 18:55 ` Norbert Lange
2020-06-07 19:09 ` Jérémy ROSEN
0 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-07 18:55 UTC (permalink / raw)
To: buildroot

On Sun, 7 Jun 2020 at 12:44, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
>
> Why the RemainAfterExit?
> This is a "real oneshot", it doesn't need a state to stay behind.
> Moreover it would only stay behind when actually generating the key. In all follow-up boots the unit would not be started at all

Yeah... there is some truth to that, but those one-shots have tricky
side effects. systemd 245 changed something that completely undermines
my understanding of how they should work,
and makes that flag practically a necessity. See:
https://github.com/systemd/systemd/issues/15091

I don't think I am able to correctly describe all pros and cons but I
added this flag after:

- later services did not care for failures
- starting/stopping *any* service will recheck the condition and
fill the syslog (* depends on other stuff as well, but that's what
happens for me)

In short: add RemainAfterExit for every one-shot, or there will be
dragons. Doesn't seem upstream is bothered by this.

>
> Apart from that, looks good to me...
>
> On Sat, 6 Jun 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
>>
>> split out generating of host keys into an optional service
>> that can easily be removed or deactivated.
>>
>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> ---
>> package/openssh/openssh.mk | 5 +++--
>> package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++
>> package/openssh/sshd.service | 1 -
>> 3 files changed, 23 insertions(+), 3 deletions(-)
>> create mode 100644 package/openssh/sshd-host-keygen.service
>>
>> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> index d425db1428..6b3ee1f5f4 100644
>> --- a/package/openssh/openssh.mk
>> +++ b/package/openssh/openssh.mk
>> @@ -114,8 +114,9 @@ endef
>> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>>
>> define OPENSSH_INSTALL_INIT_SYSTEMD
>> - $(INSTALL) -D -m 644 package/openssh/sshd.service \
>> - $(TARGET_DIR)/usr/lib/systemd/system/sshd.service
>> + mkdir $(TARGET_DIR)/usr/lib/systemd/system
>> + $(INSTALL) -m 644 package/openssh/sshd*.service \
>> + $(TARGET_DIR)/usr/lib/systemd/system/
>> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
>> endef
>>
>> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
>> new file mode 100644
>> index 0000000000..058e671c44
>> --- /dev/null
>> +++ b/package/openssh/sshd-host-keygen.service
>> @@ -0,0 +1,20 @@
>> +[Unit]
>> +Description=SSH Key Generation
>> +Before=sshd.service
>> +
>> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
>> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
>> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
>> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
>> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
>> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
>> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
>> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
>> +
>> +[Service]
>> +ExecStart=/usr/bin/ssh-keygen -A
>> +Type=oneshot
>> +RemainAfterExit=yes
>> +
>> +[Install]
>> +WantedBy=sshd.service
>> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
>> index 715bd3f7eb..797e249d8d 100644
>> --- a/package/openssh/sshd.service
>> +++ b/package/openssh/sshd.service
>> @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5)
>> After=network.target auditd.service
>>
>> [Service]
>> -ExecStartPre=/usr/bin/ssh-keygen -A
>> ExecStartPre=/usr/sbin/sshd -t
>> ExecStart=/usr/sbin/sshd -D
>> ExecReload=/usr/sbin/sshd -t
>> --
>> 2.26.2
* [Buildroot] [PATCH 3/4] package/openssh: separate sd service for host key generation
2020-06-07 18:55 ` Norbert Lange
@ 2020-06-07 19:09 ` Jérémy ROSEN
0 siblings, 0 replies; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-07 19:09 UTC (permalink / raw)
To: buildroot

On Sun, 7 Jun 2020 at 20:56, Norbert Lange <nolange79@gmail.com> wrote:
> On Sun, 7 Jun 2020 at 12:44, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
> >
> > Why the RemainAfterExit?
> > This is a "real oneshot", it doesn't need a state to stay behind.
> > Moreover it would only stay behind when actually generating the key. In all follow-up boots the unit would not be started at all
>
> Yeah... there is some truth to that, but those one-shots have tricky
> side effects. systemd 245 changed something that completely undermines
> my understanding of how they should work,
> and makes that flag practically a necessity. See:
> https://github.com/systemd/systemd/issues/15091
>
> I don't think I am able to correctly describe all pros and cons but I
> added this flag after:
>
> - later services did not care for failures
> - starting/stopping *any* service will recheck the condition and
> fill the syslog (* depends on other stuff as well, but that's what
> happens for me)
>
> In short: add RemainAfterExit for every one-shot, or there will be
> dragons. Doesn't seem upstream is bothered by this.
>
>
ok, I see your point... you are protected by your various Condition= from this bug, but that would fill the logs with condition check messages.
Could you please add a comment pointing to that bug report?

Apart from that
Reviewed-by: Jérémy Rosen <jeremy.rosen@smile.fr>

> >
> > Apart from that, looks good to me...
> >
> > On Sat, 6 Jun 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
> >>
> >> split out generating of host keys into an optional service
> >> that can easily be removed or deactivated.
> >>
> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> ---
> >> package/openssh/openssh.mk | 5 +++--
> >> package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++
> >> package/openssh/sshd.service | 1 -
> >> 3 files changed, 23 insertions(+), 3 deletions(-)
> >> create mode 100644 package/openssh/sshd-host-keygen.service
> >>
> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> index d425db1428..6b3ee1f5f4 100644
> >> --- a/package/openssh/openssh.mk
> >> +++ b/package/openssh/openssh.mk
> >> @@ -114,8 +114,9 @@ endef
> >> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
> >>
> >> define OPENSSH_INSTALL_INIT_SYSTEMD
> >> - $(INSTALL) -D -m 644 package/openssh/sshd.service \
> >> - $(TARGET_DIR)/usr/lib/systemd/system/sshd.service
> >> + mkdir $(TARGET_DIR)/usr/lib/systemd/system
> >> + $(INSTALL) -m 644 package/openssh/sshd*.service \
> >> + $(TARGET_DIR)/usr/lib/systemd/system/
> >> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> >> endef
> >>
> >> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
> >> new file mode 100644
> >> index 0000000000..058e671c44
> >> --- /dev/null
> >> +++ b/package/openssh/sshd-host-keygen.service
> >> @@ -0,0 +1,20 @@
> >> +[Unit]
> >> +Description=SSH Key Generation
> >> +Before=sshd.service
> >> +
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
> >> +
> >> +[Service]
> >> +ExecStart=/usr/bin/ssh-keygen -A
> >> +Type=oneshot
> >> +RemainAfterExit=yes
> >> +
> >> +[Install]
> >> +WantedBy=sshd.service
> >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
> >> index 715bd3f7eb..797e249d8d 100644
> >> --- a/package/openssh/sshd.service
> >> +++ b/package/openssh/sshd.service
> >> @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5)
> >> After=network.target auditd.service
> >>
> >> [Service]
> >> -ExecStartPre=/usr/bin/ssh-keygen -A
> >> ExecStartPre=/usr/sbin/sshd -t
> >> ExecStart=/usr/sbin/sshd -D
> >> ExecReload=/usr/sbin/sshd -t
> >> --
> >> 2.26.2
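Two of the points argued in this thread can be checked mechanically: a `Type=oneshot` unit without `RemainAfterExit=yes` (the flag Norbert defends above), and a `WantedBy=` that pulls a unit in without a matching `Before=`, which is how the keygen unit relates to sshd.socket once patch 4/4 of this series adds the socket to its `WantedBy=`. The checker that follows is an added example and not Buildroot's or systemd's code; `parse_unit`, `lint_units` and `lint_series_units` are names chosen here, and the unit texts are transcribed from the sshd-host-keygen.service, sshd.socket and sshd@.service hunks of this series with the `Description=` lines and most `ConditionPathExists=` lines left out.

```python
"""Mechanical checks for two unit-file points from this thread: Type=oneshot
without RemainAfterExit=, and WantedBy= without a matching Before=.  Added
example, not Buildroot's or systemd's code."""
from collections import defaultdict

# Transcribed from the sshd-host-keygen.service, sshd.socket and sshd@.service
# hunks in this series; Description= and most ConditionPathExists= lines omitted.
KEYGEN_UNIT = """\
[Unit]
Before=sshd.service
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key

[Service]
ExecStart=/usr/bin/ssh-keygen -A
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=sshd.service sshd.socket
"""
SOCKET_UNIT = """\
[Unit]
Before=sshd.service
Conflicts=sshd.service

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target
"""
TEMPLATE_UNIT = """\
[Unit]
After=auditd.service

[Service]
ExecStart=-/usr/sbin/sshd -i
StandardInput=socket
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
"""


def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}.  Repeated keys such as
    ConditionPathExists= accumulate; configparser would keep only the last one."""
    unit = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            raise ValueError("malformed unit line: %r" % raw)
        key, value = line.split("=", 1)
        unit[section][key.strip()].append(value.strip())
    return {name: dict(keys) for name, keys in unit.items()}


def _last(unit, section, key, default=""):
    # last assignment wins, as in systemd
    return unit.get(section, {}).get(key, [default])[-1]


def _words(unit, section, key):
    # space-separated unit lists, possibly spread over repeated keys
    return [w for value in unit.get(section, {}).get(key, []) for w in value.split()]


def lint_units(units):
    """units: {filename: text}.  Returns the list of findings (empty means clean)."""
    parsed = {name: parse_unit(text) for name, text in units.items()}
    findings = []
    for name, unit in parsed.items():
        # 1. A oneshot without RemainAfterExit= is inactive again the moment ExecStart=
        #    exits, so every later start of a wanter re-queues it and re-checks Condition=.
        if _last(unit, "Service", "Type") == "oneshot" and \
                _last(unit, "Service", "RemainAfterExit", "no") != "yes":
            findings.append("%s: Type=oneshot without RemainAfterExit=yes" % name)
        # 2. WantedBy= only pulls the unit in.  Targets add the ordering themselves;
        #    for .service/.socket wanters it has to be spelled out with Before=.
        before = set(_words(unit, "Unit", "Before"))
        for wanter in _words(unit, "Install", "WantedBy"):
            if not wanter.endswith(".target") and wanter not in before:
                findings.append("%s: WantedBy=%s without Before=%s" % (name, wanter, wanter))
        # 3. Accept=yes instantiates <name>@.service per connection; that template must ship too.
        if name.endswith(".socket") and _last(unit, "Socket", "Accept", "no") == "yes":
            template = name[:-len(".socket")] + "@.service"
            if template not in parsed:
                findings.append("%s: Accept=yes but %s is missing" % (name, template))
    return findings


def lint_series_units():
    """Run the checks over the three units from this patch series."""
    return lint_units({"sshd-host-keygen.service": KEYGEN_UNIT,
                       "sshd.socket": SOCKET_UNIT,
                       "sshd@.service": TEMPLATE_UNIT})
```

Run against the series' units the only finding is the missing `Before=sshd.socket` on the keygen unit; dropping `RemainAfterExit=yes` from it produces the oneshot finding, which is the case the thread argues about.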
* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
2020-06-05 22:59 [Buildroot] [PATCH 1/4] package/openssh: Depend on libaudit if available Norbert Lange
2020-06-05 22:59 ` [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd Norbert Lange
2020-06-05 22:59 ` [Buildroot] [PATCH 3/4] package/openssh: separate sd service for host key generation Norbert Lange
@ 2020-06-05 22:59 ` Norbert Lange
2020-06-07 11:06 ` Jérémy ROSEN
2020-06-06 20:29 ` [Buildroot] [PATCH 1/4] package/openssh: Depend on libaudit if available Thomas Petazzoni
3 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-05 22:59 UTC (permalink / raw)
To: buildroot

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
package/openssh/openssh.mk | 6 +++---
package/openssh/sshd-host-keygen.service | 2 +-
package/openssh/sshd.socket | 11 +++++++++++
package/openssh/sshd@.service | 10 ++++++++++
4 files changed, 25 insertions(+), 4 deletions(-)
create mode 100644 package/openssh/sshd.socket
create mode 100644 package/openssh/sshd@.service

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 6b3ee1f5f4..1f2638e9c9 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -114,9 +114,9 @@ endef
OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS

define OPENSSH_INSTALL_INIT_SYSTEMD
- mkdir $(TARGET_DIR)/usr/lib/systemd/system
- $(INSTALL) -m 644 package/openssh/sshd*.service \
- $(TARGET_DIR)/usr/lib/systemd/system/
+ mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
+ $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
+ $(TARGET_DIR)/usr/lib/systemd/system/.
$(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
endef

diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
index 058e671c44..ffde622b01 100644
--- a/package/openssh/sshd-host-keygen.service
+++ b/package/openssh/sshd-host-keygen.service
@@ -17,4 +17,4 @@ Type=oneshot
RemainAfterExit=yes

[Install]
-WantedBy=sshd.service
+WantedBy=sshd.service sshd.socket
diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
new file mode 100644
index 0000000000..bbae9ed7aa
--- /dev/null
+++ b/package/openssh/sshd.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenBSD Secure Shell server socket
+Before=sshd.service
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/package/openssh/sshd@.service b/package/openssh/sshd@.service
new file mode 100644
index 0000000000..b3a590d9a3
--- /dev/null
+++ b/package/openssh/sshd@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenBSD Secure Shell server per-connection daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i
+StandardInput=socket
+RuntimeDirectory=sshd
+RuntimeDirectoryMode=0755
--
2.26.2
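Review bot: `WantedBy=sshd.service sshd.socket` pulls key generation in from the socket too, but the unit's `Before=sshd.service` from patch 3/4 is left as is, so nothing orders it before sshd.socket starts listening: systemd may bind port 22 and accept a connection while ssh-keygen is still running, and that connection's `sshd@.service` instance exits because there are no host keys yet. Extend the ordering to `Before=sshd.service sshd.socket` in the same hunk.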
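Review bot: `Conflicts=sshd.service` in sshd.socket deserves a comment: it makes the socket-activated mode and the standalone daemon mutually exclusive (starting either stops the other), and it does not touch the `sshd@.service` instances that `Accept=yes` spawns, so the socket keeps accepting after the first connection. Also worth a comment in the unit: with `Accept=yes` every unauthenticated TCP connection costs a spawned instance, sshd's MaxStartups cannot apply to `-i` instances, and nothing here sets `MaxConnections=` or `MaxConnectionsPerSource=`, so only systemd's default of 64 concurrent connections bounds it.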
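Review bot: `RuntimeDirectory=sshd` in a per-connection template means /run/sshd is removed whenever any instance stops, while other instances may still be running or just starting and chrooting into it (patch 2/4 configures `--with-privsep-path=/run/sshd`). Add `RuntimeDirectoryPreserve=yes`, or create the directory once from a tmpfiles.d fragment instead of per instance.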
* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
From: Jérémy ROSEN @ 2020-06-07 11:06 UTC
To: buildroot

On Sat, 6 June 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
> package/openssh/openssh.mk | 6 +++---
> package/openssh/sshd-host-keygen.service | 2 +-
> package/openssh/sshd.socket | 11 +++++++++++
> package/openssh/sshd@.service | 10 ++++++++++
> 4 files changed, 25 insertions(+), 4 deletions(-)
> create mode 100644 package/openssh/sshd.socket
> create mode 100644 package/openssh/sshd@.service
>
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 6b3ee1f5f4..1f2638e9c9 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -114,9 +114,9 @@ endef
> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>
> define OPENSSH_INSTALL_INIT_SYSTEMD
> - mkdir $(TARGET_DIR)/usr/lib/systemd/system
> - $(INSTALL) -m 644 package/openssh/sshd*.service \
> - $(TARGET_DIR)/usr/lib/systemd/system/
> + mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
> + $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
> + $(TARGET_DIR)/usr/lib/systemd/system/.
> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> endef
>
> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
> index 058e671c44..ffde622b01 100644
> --- a/package/openssh/sshd-host-keygen.service
> +++ b/package/openssh/sshd-host-keygen.service
> @@ -17,4 +17,4 @@ Type=oneshot
> RemainAfterExit=yes
>
> [Install]
> -WantedBy=sshd.service
> +WantedBy=sshd.service sshd.socket
> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
> new file mode 100644
> index 0000000000..bbae9ed7aa
> --- /dev/null
> +++ b/package/openssh/sshd.socket
> @@ -0,0 +1,11 @@
> +[Unit]
> +Description=OpenBSD Secure Shell server socket
> +Before=sshd.service
> +Conflicts=sshd.service

No, that would stop the socket when the service is started, and you don't want that.
If you do that, only one connection would be accepted before the socket is stopped,
and since you have accept=yes no further connections would be accepted.

> +
> +[Socket]
> +ListenStream=22
> +Accept=yes
> +
> +[Install]
> +WantedBy=sockets.target
> diff --git a/package/openssh/sshd@.service b/package/openssh/sshd@.service
> new file mode 100644
> index 0000000000..b3a590d9a3
> --- /dev/null
> +++ b/package/openssh/sshd@.service
> @@ -0,0 +1,10 @@
> +[Unit]
> +Description=OpenBSD Secure Shell server per-connection daemon
> +Documentation=man:sshd(8) man:sshd_config(5)
> +After=auditd.service
> +
> +[Service]
> +ExecStart=-/usr/sbin/sshd -i
> +StandardInput=socket
> +RuntimeDirectory=sshd
> +RuntimeDirectoryMode=0755

I am a bit confused, you have both an ssh.service and an ssh.socket+ssh@.service.
Wouldn't those two fight over port 22?

-- 
Jérémy ROSEN
Technical architect, SMILE, 20 rue des Jardins, 92600 Asnières-sur-Seine
jeremy.rosen@smile.fr, +33 6 88 25 87 42, http://www.smile.eu
* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
From: Norbert Lange @ 2020-06-07 19:10 UTC
To: buildroot

On Sun, 7 June 2020 at 13:07, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
>
> On Sat, 6 June 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
>>
>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> ---
>> package/openssh/openssh.mk | 6 +++---
>> package/openssh/sshd-host-keygen.service | 2 +-
>> package/openssh/sshd.socket | 11 +++++++++++
>> package/openssh/sshd@.service | 10 ++++++++++
>> 4 files changed, 25 insertions(+), 4 deletions(-)
>> create mode 100644 package/openssh/sshd.socket
>> create mode 100644 package/openssh/sshd@.service
>>
>> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> index 6b3ee1f5f4..1f2638e9c9 100644
>> --- a/package/openssh/openssh.mk
>> +++ b/package/openssh/openssh.mk
>> @@ -114,9 +114,9 @@ endef
>> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>>
>> define OPENSSH_INSTALL_INIT_SYSTEMD
>> - mkdir $(TARGET_DIR)/usr/lib/systemd/system
>> - $(INSTALL) -m 644 package/openssh/sshd*.service \
>> - $(TARGET_DIR)/usr/lib/systemd/system/
>> + mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
>> + $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
>> + $(TARGET_DIR)/usr/lib/systemd/system/.
>> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
>> endef
>>
>> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
>> index 058e671c44..ffde622b01 100644
>> --- a/package/openssh/sshd-host-keygen.service
>> +++ b/package/openssh/sshd-host-keygen.service
>> @@ -17,4 +17,4 @@ Type=oneshot
>> RemainAfterExit=yes
>>
>> [Install]
>> -WantedBy=sshd.service
>> +WantedBy=sshd.service sshd.socket
>> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
>> new file mode 100644
>> index 0000000000..bbae9ed7aa
>> --- /dev/null
>> +++ b/package/openssh/sshd.socket
>> @@ -0,0 +1,11 @@
>> +[Unit]
>> +Description=OpenBSD Secure Shell server socket
>> +Before=sshd.service
>> +Conflicts=sshd.service
>
> No, that would stop the socket when the service is started, and you don't want that.
> If you do that, only one connection would be accepted before the socket is stopped,
> and since you have accept=yes no further connections would be accepted.

There is the singular sshd service, and the sshd.socket, which spawns sshd@ instance services.
Those are mutually exclusive (because of the "Conflicts"); the "Before" line just ensures that the sshd.socket wins out by default.

>
>>
>> +
>> +[Socket]
>> +ListenStream=22
>> +Accept=yes
>> +
>> +[Install]
>> +WantedBy=sockets.target
>> diff --git a/package/openssh/sshd@.service b/package/openssh/sshd@.service
>> new file mode 100644
>> index 0000000000..b3a590d9a3
>> --- /dev/null
>> +++ b/package/openssh/sshd@.service
>> @@ -0,0 +1,10 @@
>> +[Unit]
>> +Description=OpenBSD Secure Shell server per-connection daemon
>> +Documentation=man:sshd(8) man:sshd_config(5)
>> +After=auditd.service
>> +
>> +[Service]
>> +ExecStart=-/usr/sbin/sshd -i
>> +StandardInput=socket
>> +RuntimeDirectory=sshd
>> +RuntimeDirectoryMode=0755
>
> I am a bit confused, you have both an ssh.service and an ssh.socket+ssh@.service.
> Wouldn't those two fight over port 22?

No, on a fresh installation the socket will be started, and the sshd service will not, because of the "Conflicts".
If you manually enable/start the sshd.service, then the socket will be shut down first.

Norbert
* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
From: Jérémy ROSEN @ 2020-06-07 19:31 UTC
To: buildroot

On Sun, 7 June 2020 at 21:11, Norbert Lange <nolange79@gmail.com> wrote:
> On Sun, 7 June 2020 at 13:07, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
> >
> > On Sat, 6 June 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
> >>
> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> ---
> >> package/openssh/openssh.mk | 6 +++---
> >> package/openssh/sshd-host-keygen.service | 2 +-
> >> package/openssh/sshd.socket | 11 +++++++++++
> >> package/openssh/sshd@.service | 10 ++++++++++
> >> 4 files changed, 25 insertions(+), 4 deletions(-)
> >> create mode 100644 package/openssh/sshd.socket
> >> create mode 100644 package/openssh/sshd@.service
> >>
> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> index 6b3ee1f5f4..1f2638e9c9 100644
> >> --- a/package/openssh/openssh.mk
> >> +++ b/package/openssh/openssh.mk
> >> @@ -114,9 +114,9 @@ endef
> >> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
> >>
> >> define OPENSSH_INSTALL_INIT_SYSTEMD
> >> - mkdir $(TARGET_DIR)/usr/lib/systemd/system
> >> - $(INSTALL) -m 644 package/openssh/sshd*.service \
> >> - $(TARGET_DIR)/usr/lib/systemd/system/
> >> + mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
> >> + $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
> >> + $(TARGET_DIR)/usr/lib/systemd/system/.
> >> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> >> endef
> >>
> >> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
> >> index 058e671c44..ffde622b01 100644
> >> --- a/package/openssh/sshd-host-keygen.service
> >> +++ b/package/openssh/sshd-host-keygen.service
> >> @@ -17,4 +17,4 @@ Type=oneshot
> >> RemainAfterExit=yes
> >>
> >> [Install]
> >> -WantedBy=sshd.service
> >> +WantedBy=sshd.service sshd.socket
> >> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
> >> new file mode 100644
> >> index 0000000000..bbae9ed7aa
> >> --- /dev/null
> >> +++ b/package/openssh/sshd.socket
> >> @@ -0,0 +1,11 @@
> >> +[Unit]
> >> +Description=OpenBSD Secure Shell server socket
> >> +Before=sshd.service
> >> +Conflicts=sshd.service
> >
> > No, that would stop the socket when the service is started, and you don't want that.
> > If you do that, only one connection would be accepted before the socket is stopped,
> > and since you have accept=yes no further connections would be accepted.
>
> There is the singular sshd service, and the sshd.socket, which spawns sshd@ instance services.
> Those are mutually exclusive (because of the "Conflicts"); the "Before" line just ensures that the sshd.socket wins out by default.
>

Aah right, I messed up sshd.service and sshd@.service in my head.
My bad.

I personally think we shouldn't install both methods:
either choose a distro-wide decision or provide a config option.

Anyway, I see what you are doing now, and that should work, AFAICT.

I still think that it's cool that openssh supports all those startup methods,
but I'm not convinced we need to support all of them in BR.

Thoughts?

Regards
Jeremy

> >
> >>
> >> +
> >> +[Socket]
> >> +ListenStream=22
> >> +Accept=yes
> >> +
> >> +[Install]
> >> +WantedBy=sockets.target
> >> diff --git a/package/openssh/sshd@.service b/package/openssh/sshd@.service
> >> new file mode 100644
> >> index 0000000000..b3a590d9a3
> >> --- /dev/null
> >> +++ b/package/openssh/sshd@.service
> >> @@ -0,0 +1,10 @@
> >> +[Unit]
> >> +Description=OpenBSD Secure Shell server per-connection daemon
> >> +Documentation=man:sshd(8) man:sshd_config(5)
> >> +After=auditd.service
> >> +
> >> +[Service]
> >> +ExecStart=-/usr/sbin/sshd -i
> >> +StandardInput=socket
> >> +RuntimeDirectory=sshd
> >> +RuntimeDirectoryMode=0755
> >
> > I am a bit confused, you have both an ssh.service and an ssh.socket+ssh@.service.
> > Wouldn't those two fight over port 22?
>
> No, on a fresh installation the socket will be started, and the sshd service will not, because of the "Conflicts".
> If you manually enable/start the sshd.service, then the socket will be shut down first.
>
> Norbert
* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
From: Norbert Lange @ 2020-06-07 19:45 UTC
To: buildroot

On Sun, 7 June 2020 at 21:32, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
>
> On Sun, 7 June 2020 at 21:11, Norbert Lange <nolange79@gmail.com> wrote:
>>
>> On Sun, 7 June 2020 at 13:07, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
>> >
>> > On Sat, 6 June 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
>> >>
>> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> >> ---
>> >> package/openssh/openssh.mk | 6 +++---
>> >> package/openssh/sshd-host-keygen.service | 2 +-
>> >> package/openssh/sshd.socket | 11 +++++++++++
>> >> package/openssh/sshd@.service | 10 ++++++++++
>> >> 4 files changed, 25 insertions(+), 4 deletions(-)
>> >> create mode 100644 package/openssh/sshd.socket
>> >> create mode 100644 package/openssh/sshd@.service
>> >>
>> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> >> index 6b3ee1f5f4..1f2638e9c9 100644
>> >> --- a/package/openssh/openssh.mk
>> >> +++ b/package/openssh/openssh.mk
>> >> @@ -114,9 +114,9 @@ endef
>> >> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>> >>
>> >> define OPENSSH_INSTALL_INIT_SYSTEMD
>> >> - mkdir $(TARGET_DIR)/usr/lib/systemd/system
>> >> - $(INSTALL) -m 644 package/openssh/sshd*.service \
>> >> - $(TARGET_DIR)/usr/lib/systemd/system/
>> >> + mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
>> >> + $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
>> >> + $(TARGET_DIR)/usr/lib/systemd/system/.
>> >> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
>> >> endef
>> >>
>> >> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
>> >> index 058e671c44..ffde622b01 100644
>> >> --- a/package/openssh/sshd-host-keygen.service
>> >> +++ b/package/openssh/sshd-host-keygen.service
>> >> @@ -17,4 +17,4 @@ Type=oneshot
>> >> RemainAfterExit=yes
>> >>
>> >> [Install]
>> >> -WantedBy=sshd.service
>> >> +WantedBy=sshd.service sshd.socket
>> >> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
>> >> new file mode 100644
>> >> index 0000000000..bbae9ed7aa
>> >> --- /dev/null
>> >> +++ b/package/openssh/sshd.socket
>> >> @@ -0,0 +1,11 @@
>> >> +[Unit]
>> >> +Description=OpenBSD Secure Shell server socket
>> >> +Before=sshd.service
>> >> +Conflicts=sshd.service
>> >
>> > No, that would stop the socket when the service is started, and you don't want that.
>> > If you do that, only one connection would be accepted before the socket is stopped,
>> > and since you have accept=yes no further connections would be accepted.
>>
>> There is the singular sshd service, and the sshd.socket, which spawns sshd@ instance services.
>> Those are mutually exclusive (because of the "Conflicts"); the "Before" line just ensures that the sshd.socket wins out by default.
>>
>
> Aah right, I messed up sshd.service and sshd@.service in my head.
> My bad.
>
> I personally think we shouldn't install both methods:
> either choose a distro-wide decision or provide a config option.
>
> Anyway, I see what you are doing now, and that should work, AFAICT.
>
> I still think that it's cool that openssh supports all those startup methods,
> but I'm not convinced we need to support all of them in BR.

sshd is better for throughput/efficiency if you have a lot of connections;
the socket option saves memory if you rarely have connections (and is actually a simpler service file).

I would support both, but let users pick.

Norbert
* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
From: Norbert Lange @ 2020-06-07 21:30 UTC
To: buildroot

On Sun, 7 June 2020 at 21:45, Norbert Lange <nolange79@gmail.com> wrote:
>
> On Sun, 7 June 2020 at 21:32, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
> >
> > On Sun, 7 June 2020 at 21:11, Norbert Lange <nolange79@gmail.com> wrote:
> >>
> >> On Sun, 7 June 2020 at 13:07, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
> >> >
> >> > On Sat, 6 June 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
> >> >>
> >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> >> ---
> >> >> package/openssh/openssh.mk | 6 +++---
> >> >> package/openssh/sshd-host-keygen.service | 2 +-
> >> >> package/openssh/sshd.socket | 11 +++++++++++
> >> >> package/openssh/sshd@.service | 10 ++++++++++
> >> >> 4 files changed, 25 insertions(+), 4 deletions(-)
> >> >> create mode 100644 package/openssh/sshd.socket
> >> >> create mode 100644 package/openssh/sshd@.service
> >> >>
> >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> >> index 6b3ee1f5f4..1f2638e9c9 100644
> >> >> --- a/package/openssh/openssh.mk
> >> >> +++ b/package/openssh/openssh.mk
> >> >> @@ -114,9 +114,9 @@ endef
> >> >> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
> >> >>
> >> >> define OPENSSH_INSTALL_INIT_SYSTEMD
> >> >> - mkdir $(TARGET_DIR)/usr/lib/systemd/system
> >> >> - $(INSTALL) -m 644 package/openssh/sshd*.service \
> >> >> - $(TARGET_DIR)/usr/lib/systemd/system/
> >> >> + mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
> >> >> + $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
> >> >> + $(TARGET_DIR)/usr/lib/systemd/system/.
> >> >> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> >> >> endef
> >> >>
> >> >> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
> >> >> index 058e671c44..ffde622b01 100644
> >> >> --- a/package/openssh/sshd-host-keygen.service
> >> >> +++ b/package/openssh/sshd-host-keygen.service
> >> >> @@ -17,4 +17,4 @@ Type=oneshot
> >> >> RemainAfterExit=yes
> >> >>
> >> >> [Install]
> >> >> -WantedBy=sshd.service
> >> >> +WantedBy=sshd.service sshd.socket
> >> >> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
> >> >> new file mode 100644
> >> >> index 0000000000..bbae9ed7aa
> >> >> --- /dev/null
> >> >> +++ b/package/openssh/sshd.socket
> >> >> @@ -0,0 +1,11 @@
> >> >> +[Unit]
> >> >> +Description=OpenBSD Secure Shell server socket
> >> >> +Before=sshd.service
> >> >> +Conflicts=sshd.service
> >> >
> >> > No, that would stop the socket when the service is started, and you don't want that.
> >> > If you do that, only one connection would be accepted before the socket is stopped,
> >> > and since you have accept=yes no further connections would be accepted.
> >>
> >> There is the singular sshd service, and the sshd.socket, which spawns sshd@ instance services.
> >> Those are mutually exclusive (because of the "Conflicts"); the "Before" line just ensures that the sshd.socket wins out by default.
> >>
> >
> > Aah right, I messed up sshd.service and sshd@.service in my head.
> > My bad.
> >
> > I personally think we shouldn't install both methods:
> > either choose a distro-wide decision or provide a config option.
> >
> > Anyway, I see what you are doing now, and that should work, AFAICT.
> >
> > I still think that it's cool that openssh supports all those startup methods,
> > but I'm not convinced we need to support all of them in BR.
>
> sshd is better for throughput/efficiency if you have a lot of connections;
> the socket option saves memory if you rarely have connections (and is actually a simpler service file).
>
> I would support both, but let users pick.
>
> Norbert

How about this option:

config BR2_PACKAGE_OPENSSH_SERVER_SOCKET
	bool "server socket"
	depends on BR2_INIT_SYSTEMD
	help
	  Systemd socket activation server.

The makefile is gonna get a lot of ifdefs; right now it's a bit naive anyway, as you could pick server and not key_utils, and then the services (sys and systemd) would fail when trying to verify/generate the host keys.

Norbert
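As an added example, not code from the patch series or from Buildroot, here is one way the openssh.mk install hook could be split along the BR2_PACKAGE_OPENSSH_SERVER_SOCKET option proposed above, so that only the selected startup method is installed and the host-key generator only ships when ssh-keygen does. The unit file names are those from patch 4/4; BR2_PACKAGE_OPENSSH_KEY_UTILS is assumed to be the existing Buildroot option for the key utilities.

```make
# Added example, not from the patch series: install only the startup method
# the user selected, instead of shipping sshd.service, sshd.socket and
# sshd@.service side by side and letting Conflicts= sort them out at boot.
# Unit file names are the ones from patch 4/4.
ifeq ($(BR2_PACKAGE_OPENSSH_SERVER_SOCKET),y)
# Socket activation: systemd owns port 22 and spawns one "sshd -i" per
# accepted connection, so the classic long-running listener is not installed.
OPENSSH_SYSTEMD_UNITS = \
	package/openssh/sshd.socket \
	package/openssh/sshd@.service
else
# Classic long-running listener.
OPENSSH_SYSTEMD_UNITS = package/openssh/sshd.service
endif

# The key generator needs ssh-keygen on the target. BR2_PACKAGE_OPENSSH_KEY_UTILS
# is assumed to be the Buildroot option that installs it; without it, a unit
# that would fail on every boot is not installed at all.
ifeq ($(BR2_PACKAGE_OPENSSH_KEY_UTILS),y)
OPENSSH_SYSTEMD_UNITS += package/openssh/sshd-host-keygen.service
endif

define OPENSSH_INSTALL_INIT_SYSTEMD
	mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
	$(INSTALL) -m 644 $(OPENSSH_SYSTEMD_UNITS) \
		$(TARGET_DIR)/usr/lib/systemd/system/.
	$(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
endef
```

With only one of sshd.service and sshd.socket present, the keygen unit's `WantedBy=sshd.service sshd.socket` still enables cleanly, since a WantedBy= entry for a unit that does not exist is ignored.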
* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
From: Jérémy ROSEN @ 2020-06-07 21:43 UTC
To: buildroot

Sounds good... the help text might need a little work, but I like the idea itself...

On Sun, 7 June 2020 at 23:30, Norbert Lange <nolange79@gmail.com> wrote:
> On Sun, 7 June 2020 at 21:45, Norbert Lange <nolange79@gmail.com> wrote:
> >
> > On Sun, 7 June 2020 at 21:32, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
> > >
> > > On Sun, 7 June 2020 at 21:11, Norbert Lange <nolange79@gmail.com> wrote:
> > >>
> > >> On Sun, 7 June 2020 at 13:07, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:
> > >> >
> > >> > On Sat, 6 June 2020 at 00:59, Norbert Lange <nolange79@gmail.com> wrote:
> > >> >>
> > >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> > >> >> ---
> > >> >> package/openssh/openssh.mk | 6 +++---
> > >> >> package/openssh/sshd-host-keygen.service | 2 +-
> > >> >> package/openssh/sshd.socket | 11 +++++++++++
> > >> >> package/openssh/sshd@.service | 10 ++++++++++
> > >> >> 4 files changed, 25 insertions(+), 4 deletions(-)
> > >> >> create mode 100644 package/openssh/sshd.socket
> > >> >> create mode 100644 package/openssh/sshd@.service
> > >> >>
> > >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> > >> >> index 6b3ee1f5f4..1f2638e9c9 100644
> > >> >> --- a/package/openssh/openssh.mk
> > >> >> +++ b/package/openssh/openssh.mk
> > >> >> @@ -114,9 +114,9 @@ endef
> > >> >> OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
> > >> >>
> > >> >> define OPENSSH_INSTALL_INIT_SYSTEMD
> > >> >> - mkdir $(TARGET_DIR)/usr/lib/systemd/system
> > >> >> - $(INSTALL) -m 644 package/openssh/sshd*.service \
> > >> >> - $(TARGET_DIR)/usr/lib/systemd/system/
> > >> >> + mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
> > >> >> + $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
> > >> >> + $(TARGET_DIR)/usr/lib/systemd/system/.
> > >> >> $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> > >> >> endef
> > >> >>
> > >> >> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
> > >> >> index 058e671c44..ffde622b01 100644
> > >> >> --- a/package/openssh/sshd-host-keygen.service
> > >> >> +++ b/package/openssh/sshd-host-keygen.service
> > >> >> @@ -17,4 +17,4 @@ Type=oneshot
> > >> >> RemainAfterExit=yes
> > >> >>
> > >> >> [Install]
> > >> >> -WantedBy=sshd.service
> > >> >> +WantedBy=sshd.service sshd.socket
> > >> >> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
> > >> >> new file mode 100644
> > >> >> index 0000000000..bbae9ed7aa
> > >> >> --- /dev/null
> > >> >> +++ b/package/openssh/sshd.socket
> > >> >> @@ -0,0 +1,11 @@
> > >> >> +[Unit]
> > >> >> +Description=OpenBSD Secure Shell server socket
> > >> >> +Before=sshd.service
> > >> >> +Conflicts=sshd.service
> > >> >
> > >> > No, that would stop the socket when the service is started, and you don't want that.
> > >> > If you do that, only one connection would be accepted before the socket is stopped,
> > >> > and since you have accept=yes no further connections would be accepted.
> > >>
> > >> There is the singular sshd service, and the sshd.socket, which spawns sshd@ instance services.
> > >> Those are mutually exclusive (because of the "Conflicts"); the "Before" line just ensures that the sshd.socket wins out by default.
> > >>
> > >
> > > Aah right, I messed up sshd.service and sshd@.service in my head.
> > > My bad.
> > >
> > > I personally think we shouldn't install both methods:
> > > either choose a distro-wide decision or provide a config option.
> > >
> > > Anyway, I see what you are doing now, and that should work, AFAICT.
> > >
> > > I still think that it's cool that openssh supports all those startup methods,
> > > but I'm not convinced we need to support all of them in BR.
> >
> > sshd is better for throughput/efficiency if you have a lot of connections;
> > the socket option saves memory if you rarely have connections (and is actually a simpler service file).
> >
> > I would support both, but let users pick.
> >
> > Norbert
>
> How about this option:
>
> config BR2_PACKAGE_OPENSSH_SERVER_SOCKET
> 	bool "server socket"
> 	depends on BR2_INIT_SYSTEMD
> 	help
> 	  Systemd socket activation server.
>
> The makefile is gonna get a lot of ifdefs; right now it's a bit naive anyway, as you could pick server and not key_utils, and then the services (sys and systemd) would fail when trying to verify/generate the host keys.
>
> Norbert
* [Buildroot] [PATCH 1/4] package/openssh: Depend on libaudit if available
From: Thomas Petazzoni @ 2020-06-06 20:29 UTC
To: buildroot

On Sat, 6 Jun 2020 00:59:01 +0200 Norbert Lange <nolange79@gmail.com> wrote:
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
> package/openssh/openssh.mk | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 515eec2c03..55b917e20a 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -39,6 +39,11 @@ else
> OPENSSH_CONF_OPTS += --without-ssl-engine
> endif
>
> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> +OPENSSH_DEPENDENCIES += audit
> +OPENSSH_CONF_OPTS += --with-audit=linux
> +endif

We like to have an "else" clause that explicitly disables the feature, so I've added that, reworked the commit title, and applied.

Thanks!

Thomas

-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com