authorJakub Jirutka <jakub@jirutka.cz>2018-05-06 13:30:31 +0200
committerJakub Jirutka <jakub@jirutka.cz>2018-05-06 21:30:15 +0200
commit4a66978dd949d571fdd984d800b3121c3a1a297f (patch)
tree092710f775605e67d812537cff9b5289de2c9c2e /main/openvpn
parent39995d882d8edc530b3cfa2752fce19e74bbcfdf (diff)
main/openvpn: rewrite init script
Diffstat (limited to 'main/openvpn')
-rw-r--r--main/openvpn/APKBUILD4
-rw-r--r--main/openvpn/openvpn.confd34
-rw-r--r--main/openvpn/openvpn.initd147
3 files changed, 99 insertions, 86 deletions
diff --git a/main/openvpn/APKBUILD b/main/openvpn/APKBUILD
index 9ccda4511d..098ba81349 100644
--- a/main/openvpn/APKBUILD
+++ b/main/openvpn/APKBUILD
@@ -60,7 +60,7 @@ pam() {
sha512sums="cdd70bfd03177bc6cb70d0d614e40389df00816b7097740b4cda9d7bee094d1463fdb5afeaf604c52c7b3167d1edb098a2e095e131a8b9fed0ed8b29da90cbe8 openvpn-2.4.6.tar.gz
5a083cdf8216db5e6e4577c00ccfe8e03ca318935ec9daa2018a8a6d4d7fd2b04fe395d7b329f16108101d69a6c0b70690883fda2cb552db7abf2f8246cc561f libressl.patch
-a45753e26182bc88bc68ea6bfd50bc9f7494c43a9a5050bde450d558f38196bff88b2c4f85e5e5a4d7b798d15f201f204977e75a9b360a9f778d3c66bb3281b1 openvpn.initd
-982ade883afbe2e656a9cbbe36c31c0e8b4f7bbbe5b63df9f7b834f02a9153032fb7445c85d3e91f62c68a7ddd13c3afbf420fb71cdd13d9c4b69f867bdd9f37 openvpn.confd
+7403beec406261d7d8b7b011f5be1bb30a55cd1e743f87cc907fc4824d44fd223010550159d3a7e450d8567fdec52558137021cc8f0782e8486a17a2d4b07e1b openvpn.initd
+643b5ee3f23b1634c12488f6de2d42cdc5c49618d5291a25963fb1516156273b0308a46b6623905fd441753cb5ae1b08c0e29bc5543e287847bb41f73fd357f0 openvpn.confd
cdb73c9a5b1eb56e9cbd29955d94297ce5a87079419cd626d6a0b6680d88cbf310735a53f794886df02030b687eaea553c7c569a8ea1282a149441add1c65760 openvpn.up
4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down"
diff --git a/main/openvpn/openvpn.confd b/main/openvpn/openvpn.confd
index 72510c34ae..4359ef8cd5 100644
--- a/main/openvpn/openvpn.confd
+++ b/main/openvpn/openvpn.confd
@@ -1,18 +1,20 @@
-# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
-# resolvconf) if given DNS information by the OpenVPN server.
-# Set PEER_DNS="no" to stop this.
-PEER_DNS="yes"
+# Configuration for /etc/init.d/openvpn{,.*}
+
+# Run in client mode. If this is a server, set to "no".
+client_mode="yes"
+
+# Path of the OpenVPN configuration file to load.
+# Default is /etc/openvpn/openvpn.conf, or /etc/openvpn/<vpn>.conf if
+# the runscript is symlinked to openvpn.<vpn> or <vpn>.
+#cfgfile=
-# OpenVPN can run in many modes. Most people will want the init script
-# to automatically detect the mode and try and apply a good default
-# configuration and setup scripts. However, there are cases where the
-# OpenVPN configuration looks like a client, but it's really a peer or
-# something else. DETECT_CLIENT controls this behaviour.
-DETECT_CLIENT="yes"
+# The script to run after successful TUN/TAP device open.
+#up_script="/etc/openvpn/up.sh"
-# If DETECT_CLIENT is no and you have your own scripts to re-enter the openvpn
-# init script (ie, it first becomes "inactive" and the script then starts the
-# script again to make it "started") then you can state this below.
-# In other words, unless you understand service dependencies and are a
-# competent shell scripter, don't set this.
-RE_ENTER="no"
+# The script to run after TUN/TAP device close.
+#down_script="/etc/openvpn/down.sh"
+
+# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set to "no" to stop this.
+#peer_dns="yes"
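Review bot: The comments on `up_script` and `down_script` in this file do not say that the two settings only take effect in client mode; in the accompanying runscript the `--up`/`--down` arguments, and the requirement that both files exist, are added only when `client_mode` is yes, so a user who sets them for a server will silently see no effect. I would add `# Only used when client_mode is "yes".` above each of the two settings. The `peer_dns` comment could likewise mention that the value is handed to those scripts through `--setenv PEER_DNS` rather than being an option OpenVPN itself acts on, so that readers know where to look when DNS handling does not behave as expected.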
diff --git a/main/openvpn/openvpn.initd b/main/openvpn/openvpn.initd
index 2b6ddacbfa..33cb01ddae 100644
--- a/main/openvpn/openvpn.initd
+++ b/main/openvpn/openvpn.initd
@@ -1,17 +1,60 @@
#!/sbin/openrc-run
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-description="VPN service"
+extra_commands="checkconfig"
-VPNDIR=${VPNDIR:-/etc/openvpn}
-VPN=${RC_SVCNAME#*.}
-if [ -n "${VPN}" ] && [ ${RC_SVCNAME} != "openvpn" ]; then
- VPNPID="/var/run/openvpn.${VPN}.pid"
-else
- VPNPID="/var/run/openvpn.pid"
+instance_name=${RC_SVCNAME#*.}
+[ "$instance_name" != "openvpn" ] \
+ && name="OpenVPN ($instance_name)" \
+ || name="OpenVPN"
+
+# Upper case variables are for backward compatibility with Alpine < v3.8.
+: ${cfgdir:=${VPNDIR:-"/etc/openvpn"}}
+: ${cfgfile:="$cfgdir/$instance_name.conf"}
+: ${up_script:="$cfgdir/up.sh"}
+: ${down_script:="$cfgdir/down.sh"}
+: ${peer_dns:=${PEER_DNS:-"yes"}}
+
+pidfile="/run/$RC_SVCNAME.pid"
+command="/usr/sbin/openvpn"
+command_args="
+ --daemon
+ --config $cfgfile
+ --writepid $pidfile
+ --setenv RC_SVCNAME $RC_SVCNAME
+ --setenv PEER_DNS $peer_dns"
+
+required_dirs="$cfgdir"
+required_files="$cfgfile"
+
+# If client_mode is not specified (user has old config), infer it from the
+# cfgfile as in old version of this runscript. Eventually we try to fix the
+# config when checkconfig() is run.
+# This is for backward compatibility with Alpine < v3.8.
+if [ -z "$client_mode" ]; then
+ yesno "${DETECT_CLIENT:-yes}" && grep -q '^\s*remote\s' "$cfgfile" \
+ && client_mode=yes \
+ || client_mode=no
+ client_mode_not_set=yes
+fi
+
+if yesno "$client_mode"; then
+ command_args="$command_args
+ --up-delay
+ --up-restart
+ --down-pre
+ --script-security 2
+ --up $up_script
+ --down $down_script"
+
+ required_files="$required_files $up_script $down_script"
+
+ # If env. variable IN_BACKGROUND is set, fake start and stop commands
+ # (i.e. don't run them). We do this so we can "start" ourselves from
+ # inactive (from OpenVPN's up.sh script) which then triggers other
+ # services to start which depend on us. See openrc-run(8).
+ in_background_fake="start stop"
+ start_inactive="yes"
fi
-VPNCONF="${VPNDIR}/${VPN}.conf"
depend() {
need localmount net
@@ -22,8 +65,7 @@ depend() {
checkconfig() {
if [ ! -e /dev/net/tun ]; then
if ! modprobe tun; then
- eerror "TUN/TAP support is not available" \
- "in this kernel"
+ eerror "TUN/TAP support is not available in this kernel"
return 1
fi
fi
@@ -33,80 +75,49 @@ checkconfig() {
ln -s /dev/misc/net/tun /dev/net/tun
eend $?
fi
- return 0
-}
-
-start() {
- # If we are re-called by the openvpn gentoo-up.sh script
- # then we don't actually want to start openvpn
- [ "${IN_BACKGROUND}" = "true" ] && return 0
-
- ebegin "Starting ${RC_SVCNAME}"
-
- checkconfig || return 1
-
- local args="" reenter=${RE_ENTER:-no}
- # If the config file does not specify the cd option, we do
- # But if we specify it, we override the config option which we do not want
- if ! grep -q "^[ ]*cd[ ].*" "${VPNCONF}" ; then
- args="${args} --cd ${VPNDIR}"
- fi
-
- # We mark the service as inactive and then start it.
- # When we get an authenticated packet from the peer then we run our script
- # which configures our DNS if any and marks us as up.
- if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
- grep -q "^[ ]*remote[ ].*" "${VPNCONF}" ; then
- reenter="yes"
- args="${args} --up-delay --up-restart"
- args="${args} --script-security 2"
- args="${args} --up /etc/openvpn/up.sh"
- args="${args} --down-pre --down /etc/openvpn/down.sh"
+ if yesno "$client_mode"; then
# Warn about setting scripts as we override them
- if grep -Eq "^[ ]*(up|down)[ ].*" "${VPNCONF}" ; then
+ if cfgfile_has_option "(up|down)"; then
ewarn "WARNING: You have defined your own up/down scripts"
ewarn "As you're running as a client, we now force Alpine specific"
ewarn "scripts to be run for up and down events."
- ewarn "These scripts will call /etc/openvpn/${RC_SVCNAME}-{up,down}.sh"
+ ewarn "These scripts will call /etc/openvpn/$RC_SVCNAME-{up,down}.sh"
ewarn "where you can put your own code."
fi
-
# Warn about the inability to change ip/route/dns information when
# dropping privs
- if grep -q "^[ ]*user[ ].*" "${VPNCONF}" ; then
+ if cfgfile_has_option "user"; then
ewarn "WARNING: You are dropping root privileges!"
ewarn "As such openvpn may not be able to change ip, routing"
ewarn "or DNS configuration."
fi
- else
- # So we're a server. Run as openvpn unless otherwise specified
- grep -q "^[ ]*user[ ].*" "${VPNCONF}" || args="${args} --user openvpn"
- grep -q "^[ ]*group[ ].*" "${VPNCONF}" || args="${args} --group openvpn"
fi
- # Ensure that our scripts get the PEER_DNS variable
- [ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}"
-
- [ "${reenter}" = "yes" ] && mark_service_inactive "${RC_SVCNAME}"
- start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
- -- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
- --setenv RC_SVCNAME "${RC_SVCNAME}" ${args}
- eend $? "Check your logs to see why startup failed"
+ # This is for backward compatibility with Alpine < v3.8.
+ if yesno "$client_mode_not_set"; then
+ ewarn "client_mode is not specified in /etc/conf.d/$RC_SVCNAME, fixing..."
+ echo "client_mode=$client_mode" >> /etc/conf.d/$RC_SVCNAME 2>/dev/null
+ eend $?
+ fi
}
-stop() {
- # If we are re-called by the openvpn gentoo-down.sh script
- # then we don't actually want to stop openvpn
- if [ "${IN_BACKGROUND}" = "true" ] ; then
- mark_service_inactive "${RC_SVCNAME}"
- return 0
+start_pre() {
+ checkconfig || return 1
+
+ # If the config file does not specify the cd option, we do.
+ # But if we specify it, we override the config option which we do not want.
+ if cfgfile_has_option "cd"; then
+ command_args="$command_args --cd $cfgdir"
fi
- ebegin "Stopping ${RC_SVCNAME}"
- start-stop-daemon --stop --quiet \
- --exec /usr/sbin/openvpn --pidfile "${VPNPID}"
- eend $?
+ if ! yesno "$client_mode"; then
+ # Run as openvpn unless otherwise specified.
+ cfgfile_has_option "user" || command_args="$command_args --user openvpn"
+ cfgfile_has_option "group" || command_args="$command_args --group openvpn"
+ fi
}
-# vim: set ts=4 :
+cfgfile_has_option() {
+ grep -Eq '^\s*$1\s' "$cfgfile"
+}
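Review bot: `cfgfile_has_option` at the end of the hunk puts its pattern in single quotes, so `$1` is never expanded and grep is handed the literal regex `^\s*$1\s`, which can match nothing; every call therefore reports the option as absent. As a result the up/down and user warnings in checkconfig never fire, and in server mode `--user openvpn`/`--group openvpn` are appended even when the config already sets them. The `cd` check in start_pre is additionally inverted relative to its own comment and to the removed code (`if ! grep -q ...`): as written `--cd` would be added only when the config already contains `cd`, which combined with the first bug means it is never added at all. The two lines to change are `grep -Eq "^\s*$1\s" "$cfgfile"` and `if ! cfgfile_has_option "cd"; then`. checkconfig's body starts before this hunk.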