author | Jakub Jirutka <jakub@jirutka.cz> | 2018-05-06 13:30:31 +0200 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2018-05-06 21:30:15 +0200 |
commit | 4a66978dd949d571fdd984d800b3121c3a1a297f (patch) | |
tree | 092710f775605e67d812537cff9b5289de2c9c2e /main | |
parent | 39995d882d8edc530b3cfa2752fce19e74bbcfdf (diff) | |
main/openvpn: rewrite init script
Diffstat (limited to 'main')
-rw-r--r-- | main/openvpn/APKBUILD | 4 | ||||
-rw-r--r-- | main/openvpn/openvpn.confd | 34 | ||||
-rw-r--r-- | main/openvpn/openvpn.initd | 147 |
3 files changed, 99 insertions, 86 deletions
diff --git a/main/openvpn/APKBUILD b/main/openvpn/APKBUILD
index 9ccda4511d..098ba81349 100644
--- a/main/openvpn/APKBUILD
+++ b/main/openvpn/APKBUILD
@@ -60,7 +60,7 @@ pam() {
 sha512sums="cdd70bfd03177bc6cb70d0d614e40389df00816b7097740b4cda9d7bee094d1463fdb5afeaf604c52c7b3167d1edb098a2e095e131a8b9fed0ed8b29da90cbe8 openvpn-2.4.6.tar.gz
 5a083cdf8216db5e6e4577c00ccfe8e03ca318935ec9daa2018a8a6d4d7fd2b04fe395d7b329f16108101d69a6c0b70690883fda2cb552db7abf2f8246cc561f libressl.patch
-a45753e26182bc88bc68ea6bfd50bc9f7494c43a9a5050bde450d558f38196bff88b2c4f85e5e5a4d7b798d15f201f204977e75a9b360a9f778d3c66bb3281b1 openvpn.initd
-982ade883afbe2e656a9cbbe36c31c0e8b4f7bbbe5b63df9f7b834f02a9153032fb7445c85d3e91f62c68a7ddd13c3afbf420fb71cdd13d9c4b69f867bdd9f37 openvpn.confd
+7403beec406261d7d8b7b011f5be1bb30a55cd1e743f87cc907fc4824d44fd223010550159d3a7e450d8567fdec52558137021cc8f0782e8486a17a2d4b07e1b openvpn.initd
+643b5ee3f23b1634c12488f6de2d42cdc5c49618d5291a25963fb1516156273b0308a46b6623905fd441753cb5ae1b08c0e29bc5543e287847bb41f73fd357f0 openvpn.confd
 cdb73c9a5b1eb56e9cbd29955d94297ce5a87079419cd626d6a0b6680d88cbf310735a53f794886df02030b687eaea553c7c569a8ea1282a149441add1c65760 openvpn.up
 4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down"
diff --git a/main/openvpn/openvpn.confd b/main/openvpn/openvpn.confd
index 72510c34ae..4359ef8cd5 100644
--- a/main/openvpn/openvpn.confd
+++ b/main/openvpn/openvpn.confd
@@ -1,18 +1,20 @@
-# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
-# resolvconf) if given DNS information by the OpenVPN server.
-# Set PEER_DNS="no" to stop this.
-PEER_DNS="yes"
+# Configuration for /etc/init.d/openvpn{,.*}
+
+# Run in client mode. If this is a server, set to "no".
+client_mode="yes"
+
+# Path of the OpenVPN configuration file to load.
+# Default is /etc/openvpn/openvpn.conf, or /etc/openvpn/<vpn>.conf if
+# the runscript is symlinked to openvpn.<vpn> or <vpn>.
+#cfgfile=
-# OpenVPN can run in many modes. Most people will want the init script
-# to automatically detect the mode and try and apply a good default
-# configuration and setup scripts. However, there are cases where the
-# OpenVPN configuration looks like a client, but it's really a peer or
-# something else. DETECT_CLIENT controls this behaviour.
-DETECT_CLIENT="yes"
+# The script to run after successful TUN/TAP device open.
+#up_script="/etc/openvpn/up.sh"
-# If DETECT_CLIENT is no and you have your own scripts to re-enter the openvpn
-# init script (ie, it first becomes "inactive" and the script then starts the
-# script again to make it "started") then you can state this below.
-# In other words, unless you understand service dependencies and are a
-# competent shell scripter, don't set this.
-RE_ENTER="no"
+# The script to run after TUN/TAP device close.
+#down_script="/etc/openvpn/down.sh"
+
+# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set to "no" to stop this.
+#peer_dns="yes"
diff --git a/main/openvpn/openvpn.initd b/main/openvpn/openvpn.initd
index 2b6ddacbfa..33cb01ddae 100644
--- a/main/openvpn/openvpn.initd
+++ b/main/openvpn/openvpn.initd
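Review bot: The `up_script`/`down_script` comments do not say when these scripts are actually used: the runscript passes `--up`/`--down` (together with `--script-security 2`) only when `client_mode` is yes, and they then replace any `up`/`down` directive in the OpenVPN .conf, which the runscript itself warns about, pointing users to `/etc/openvpn/<svc>-{up,down}.sh` for their own hooks. Suggested wording above `#up_script`: `# Used only when client_mode="yes"; overrides any up/down directive in the OpenVPN config.` The runscript also honours a `cfgdir` variable (default /etc/openvpn, falling back to the old `VPNDIR`) that this file never mentions; a `#cfgdir=/etc/openvpn` entry next to `#cfgfile=` would document it.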
@@ -1,17 +1,60 @@
 #!/sbin/openrc-run
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-description="VPN service"
+extra_commands="checkconfig"
-VPNDIR=${VPNDIR:-/etc/openvpn}
-VPN=${RC_SVCNAME#*.}
-if [ -n "${VPN}" ] && [ ${RC_SVCNAME} != "openvpn" ]; then
- VPNPID="/var/run/openvpn.${VPN}.pid"
-else
- VPNPID="/var/run/openvpn.pid"
+instance_name=${RC_SVCNAME#*.}
+[ "$instance_name" != "openvpn" ] \
+ && name="OpenVPN ($instance_name)" \
+ || name="OpenVPN"
+
+# Upper case variables are for backward compatibility with Alpine < v3.8.
+: ${cfgdir:=${VPNDIR:-"/etc/openvpn"}}
+: ${cfgfile:="$cfgdir/$instance_name.conf"}
+: ${up_script:="$cfgdir/up.sh"}
+: ${down_script:="$cfgdir/down.sh"}
+: ${peer_dns:=${PEER_DNS:-"yes"}}
+
+pidfile="/run/$RC_SVCNAME.pid"
+command="/usr/sbin/openvpn"
+command_args="
+ --daemon
+ --config $cfgfile
+ --writepid $pidfile
+ --setenv RC_SVCNAME $RC_SVCNAME
+ --setenv PEER_DNS $peer_dns"
+
+required_dirs="$cfgdir"
+required_files="$cfgfile"
+
+# If client_mode is not specified (user has old config), infer it from the
+# cfgfile as in old version of this runscript. Eventually we try to fix the
+# config when checkconfig() is run.
+# This is for backward compatibility with Alpine < v3.8.
+if [ -z "$client_mode" ]; then
+ yesno "${DETECT_CLIENT:-yes}" && grep -q '^\s*remote\s' "$cfgfile" \
+ && client_mode=yes \
+ || client_mode=no
+ client_mode_not_set=yes
+fi
+
+if yesno "$client_mode"; then
+ command_args="$command_args
+ --up-delay
+ --up-restart
+ --down-pre
+ --script-security 2
+ --up $up_script
+ --down $down_script"
+
+ required_files="$required_files $up_script $down_script"
+
+ # If env. variable IN_BACKGROUND is set, fake start and stop commands
+ # (i.e. don't run them). We do this so we can "start" ourselves from
+ # inactive (from OpenVPN's up.sh script) which then triggers other
+ # services to start which depend on us. See openrc-run(8).
+ in_background_fake="start stop"
+ start_inactive="yes"
 fi
-VPNCONF="${VPNDIR}/${VPN}.conf"
 depend() {
 need localmount net
@@ -22,8 +65,7 @@ depend() {
 checkconfig() {
 if [ ! -e /dev/net/tun ]; then
 if ! modprobe tun; then
- eerror "TUN/TAP support is not available" \
- "in this kernel"
+ eerror "TUN/TAP support is not available in this kernel"
 return 1
 fi
 fi
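Review bot: The paths interpolated into `command_args` (`--config $cfgfile`, `--writepid $pidfile`, `--up $up_script`, `--down $down_script`) sit in a plain string that, as far as I know, openrc word-splits before handing it to start-stop-daemon, so a `cfgdir` or `cfgfile` containing whitespace breaks the command line, and `cfgfile` is operator-supplied via conf.d; the previous script passed these as separately quoted arguments to start-stop-daemon. The `grep -q '^\s*remote\s' "$cfgfile"` in the `client_mode` fallback runs when the runscript is sourced, i.e. on every openrc action including `status` and before `required_files` is checked, so a missing config yields a bare grep error instead of the runscript's own message. A comment on that block making its one-shot nature explicit would help, e.g. `# Only reached until checkconfig persists client_mode to /etc/conf.d/$RC_SVCNAME.`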
@@ -33,80 +75,49 @@ checkconfig() {
 ln -s /dev/misc/net/tun /dev/net/tun
 eend $?
 fi
- return 0
-}
-
-start() {
- # If we are re-called by the openvpn gentoo-up.sh script
- # then we don't actually want to start openvpn
- [ "${IN_BACKGROUND}" = "true" ] && return 0
-
- ebegin "Starting ${RC_SVCNAME}"
-
- checkconfig || return 1
-
- local args="" reenter=${RE_ENTER:-no}
- # If the config file does not specify the cd option, we do
- # But if we specify it, we override the config option which we do not want
- if ! grep -q "^[ ]*cd[ ].*" "${VPNCONF}" ; then
- args="${args} --cd ${VPNDIR}"
- fi
-
- # We mark the service as inactive and then start it.
- # When we get an authenticated packet from the peer then we run our script
- # which configures our DNS if any and marks us as up.
- if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
- grep -q "^[ ]*remote[ ].*" "${VPNCONF}" ; then
- reenter="yes"
- args="${args} --up-delay --up-restart"
- args="${args} --script-security 2"
- args="${args} --up /etc/openvpn/up.sh"
- args="${args} --down-pre --down /etc/openvpn/down.sh"
+ if yesno "$client_mode"; then
 # Warn about setting scripts as we override them
- if grep -Eq "^[ ]*(up|down)[ ].*" "${VPNCONF}" ; then
+ if cfgfile_has_option "(up|down)"; then
 ewarn "WARNING: You have defined your own up/down scripts"
 ewarn "As you're running as a client, we now force Alpine specific"
 ewarn "scripts to be run for up and down events."
- ewarn "These scripts will call /etc/openvpn/${RC_SVCNAME}-{up,down}.sh"
+ ewarn "These scripts will call /etc/openvpn/$RC_SVCNAME-{up,down}.sh"
 ewarn "where you can put your own code."
 fi
-
 # Warn about the inability to change ip/route/dns information when
 # dropping privs
- if grep -q "^[ ]*user[ ].*" "${VPNCONF}" ; then
+ if cfgfile_has_option "user"; then
 ewarn "WARNING: You are dropping root privileges!"
 ewarn "As such openvpn may not be able to change ip, routing"
 ewarn "or DNS configuration."
 fi
- else
- # So we're a server. Run as openvpn unless otherwise specified
- grep -q "^[ ]*user[ ].*" "${VPNCONF}" || args="${args} --user openvpn"
- grep -q "^[ ]*group[ ].*" "${VPNCONF}" || args="${args} --group openvpn"
 fi
- # Ensure that our scripts get the PEER_DNS variable
- [ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}"
-
- [ "${reenter}" = "yes" ] && mark_service_inactive "${RC_SVCNAME}"
- start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
- -- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
- --setenv RC_SVCNAME "${RC_SVCNAME}" ${args}
- eend $? "Check your logs to see why startup failed"
+ # This is for backward compatibility with Alpine < v3.8.
+ if yesno "$client_mode_not_set"; then
+ ewarn "client_mode is not specified in /etc/conf.d/$RC_SVCNAME, fixing..."
+ echo "client_mode=$client_mode" >> /etc/conf.d/$RC_SVCNAME 2>/dev/null
+ eend $?
+ fi
 }
-stop() {
- # If we are re-called by the openvpn gentoo-down.sh script
- # then we don't actually want to stop openvpn
- if [ "${IN_BACKGROUND}" = "true" ] ; then
- mark_service_inactive "${RC_SVCNAME}"
- return 0
+start_pre() {
+ checkconfig || return 1
+
+ # If the config file does not specify the cd option, we do.
+ # But if we specify it, we override the config option which we do not want.
+ if cfgfile_has_option "cd"; then
+ command_args="$command_args --cd $cfgdir"
 fi
- ebegin "Stopping ${RC_SVCNAME}"
- start-stop-daemon --stop --quiet \
- --exec /usr/sbin/openvpn --pidfile "${VPNPID}"
- eend $?
+ if ! yesno "$client_mode"; then
+ # Run as openvpn unless otherwise specified.
+ cfgfile_has_option "user" || command_args="$command_args --user openvpn"
+ cfgfile_has_option "group" || command_args="$command_args --group openvpn"
+ fi
 }
-# vim: set ts=4 :
+cfgfile_has_option() {
+ grep -Eq '^\s*$1\s' "$cfgfile"
+}
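Review bot: `cfgfile_has_option` can never match, because `$1` is inside single quotes on the `grep -Eq '^\s*$1\s'` line, so the pattern contains the literal text `$1` rather than the option name. As a consequence the up/down and user warnings in checkconfig never fire, and in server mode `start_pre` appends `--user openvpn --group openvpn` unconditionally after `--config`, which, if I read OpenVPN's last-occurrence handling of repeated options correctly, silently overrides a `user`/`group` the operator set in the .conf — a change to the privilege-drop account that nobody asked for. The `cd` test is also inverted relative to its own comment and to the `! grep` it replaces: it adds `--cd $cfgdir` only when the file already has a `cd` line. Suggested lines: `grep -Eq "^[[:space:]]*($1)[[:space:]]" -- "$cfgfile"` and `if ! cfgfile_has_option "cd"; then` (the `[[:space:]]` class avoids relying on `\s`, which POSIX ERE does not define and which the `remote` check earlier in the file also uses). The `checkconfig` function this hunk patches begins before the hunk.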