* [Buildroot] [PATCH 1/4] package/openssh: Depend on libaudit if available
@ 2020-06-05 22:59 Norbert Lange
From: Norbert Lange @ 2020-06-05 22:59 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/openssh/openssh.mk | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 515eec2c03..55b917e20a 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -39,6 +39,11 @@ else
 OPENSSH_CONF_OPTS += --without-ssl-engine
 endif
 
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+OPENSSH_DEPENDENCIES += audit
+OPENSSH_CONF_OPTS += --with-audit=linux
+endif
+
 ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
 define OPENSSH_INSTALL_PAM_CONF
 	$(INSTALL) -D -m 644 $(@D)/contrib/sshd.pam.generic $(TARGET_DIR)/etc/pam.d/sshd
-- 
2.26.2


* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
@ 2020-06-05 22:59 ` Norbert Lange
From: Norbert Lange @ 2020-06-05 22:59 UTC (permalink / raw)
  To: buildroot

The openssh daemon is not suited for systemd's "simple"
service type: dependent services should only start
when sshd is ready to accept connections.

A patch is added from Debian to allow openssh
to communicate this state.

Restarts are prevented if the reason is a faulty
config file (exit code 255).

The "user confinement directory" (the privilege separation
directory) is changed to '/run/sshd', which is automatically
managed by systemd.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
 package/openssh/openssh.mk                 | 14 +++-
 package/openssh/sshd-sysusers.conf         |  2 +-
 package/openssh/sshd.service               | 13 +++-
 4 files changed, 109 insertions(+), 4 deletions(-)
 create mode 100644 package/openssh/00-systemd-readiness.patch

diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch
new file mode 100644
index 0000000000..be3b6b0074
--- /dev/null
+++ b/package/openssh/00-systemd-readiness.patch
@@ -0,0 +1,84 @@
+From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
+From: Michael Biebl <biebl@debian.org>
+Date: Mon, 21 Dec 2015 16:08:47 +0000
+Subject: Add systemd readiness notification support
+
+Bug-Debian: https://bugs.debian.org/778913
+Forwarded: no
+Last-Update: 2017-08-22
+
+Patch-Name: systemd-readiness.patch
+---
+ configure.ac | 24 ++++++++++++++++++++++++
+ sshd.c       |  9 +++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index e894db9fc..c119d6fd1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
+ AC_SUBST([GSSLIBS])
+ AC_SUBST([K5LIBS])
+
++# Check whether user wants systemd support
++SYSTEMD_MSG="no"
++AC_ARG_WITH(systemd,
++	[  --with-systemd          Enable systemd support],
++	[ if test "x$withval" != "xno" ; then
++		AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
++		if test "$PKGCONFIG" != "no"; then
++			AC_MSG_CHECKING([for libsystemd])
++			if $PKGCONFIG --exists libsystemd; then
++				SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
++				SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
++				CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
++				SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
++				AC_MSG_RESULT([yes])
++				AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
++				SYSTEMD_MSG="yes"
++			else
++				AC_MSG_RESULT([no])
++			fi
++		fi
++	fi ]
++)
++
+ # Looking for programs, paths and files
+
+ PRIVSEP_PATH=/var/empty
+@@ -5305,6 +5328,7 @@ echo "                   libldns support: $LDNS_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+ echo "           Solaris project support: $SP_MSG"
+ echo "         Solaris privilege support: $SPP_MSG"
++echo "                   systemd support: $SYSTEMD_MSG"
+ echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
+ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+ echo "                  BSD Auth support: $BSD_AUTH_MSG"
+diff --git a/sshd.c b/sshd.c
+index 4e8ff0662..5e7679a33 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -85,6 +85,10 @@
+ #include <prot.h>
+ #endif
+
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ #include "xmalloc.h"
+ #include "ssh.h"
+ #include "ssh2.h"
+@@ -1951,6 +1955,11 @@ main(int ac, char **av)
+ 			}
+ 		}
+
++#ifdef HAVE_SYSTEMD
++		/* Signal systemd that we are ready to accept connections */
++		sd_notify(0, "READY=1");
++#endif
++
+ 		/* Accept a connection and return in a forked child */
+ 		server_accept_loop(&sock_in, &sock_out,
+ 		    &newsock, config_s);
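Review bot: The configure.ac block at the top of this patch silently accepts `--with-systemd` when pkg-config or libsystemd is missing, so the build succeeds with HAVE_SYSTEMD undefined and sshd never calls sd_notify(); the unit this series ships uses Type=notify, which would then make every start time out instead of failing at build time. An explicitly requested feature that cannot be provided should be fatal: replace the silent fall-through in both the missing-pkg-config and the `AC_MSG_RESULT([no])` paths with `AC_MSG_ERROR([--with-systemd requested but libsystemd was not found])`. The sd_notify() placement in sshd.c just before server_accept_loop() looks right, as the listening sockets are presumably already bound by the time the accept loop is entered (main() starts and ends outside this hunk). A patch dropped into package/openssh/ should also carry the Buildroot submitter's Signed-off-by line, which this file lacks.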
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 55b917e20a..d425db1428 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
 	LD="$(TARGET_CC)" \
 	LDFLAGS="$(TARGET_CFLAGS)" \
 	LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
+OPENSSH_AUTORECONF = YES
 OPENSSH_CONF_OPTS = \
 	--sysconfdir=/etc/ssh \
 	--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
@@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
 	--disable-wtmpx \
 	--disable-strip
 
+ifeq ($(BR2_PACKAGE_SYSTEMD),y)
+OPENSSH_DEPENDENCIES = systemd
+
+OPENSSH_CONF_OPTS += \
+	--with-privsep-path=/run/sshd \
+	--with-pid-dir=/run \
+	--with-systemd
+
+else
+
 define OPENSSH_PERMISSIONS
 	/var/empty d 755 root root - - - - -
 endef
+endif
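Review bot: `OPENSSH_DEPENDENCIES = systemd` uses plain assignment while 1/4 of this series appends with `+=`; if the file assigns OPENSSH_DEPENDENCIES anywhere else (not visible in this hunk) one of the two silently discards the other, so use `OPENSSH_DEPENDENCIES += systemd`. Moving the privilege-separation directory to `/run/sshd` also means it only exists while the unit runs, since RuntimeDirectory= creates and removes it, so anything that starts or test-runs sshd outside the unit will, as far as I recall, fail with a missing privsep directory; that is acceptable but deserves a comment next to the option, e.g. `# /run/sshd is created by RuntimeDirectory= in sshd.service; start sshd through the unit`. sshd additionally requires that directory to be root-owned and not group/world-writable, which the unit's root-owned 0755 mode satisfies.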
 
 ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
 OPENSSH_CONF_OPTS += --without-pie
@@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
 endef
 else
 define OPENSSH_USERS
-	sshd -1 sshd -1 * /var/empty - - SSH drop priv user
+	sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
 endef
 endif
 
diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf
index ac77aec065..303d0dbb63 100644
--- a/package/openssh/sshd-sysusers.conf
+++ b/package/openssh/sshd-sysusers.conf
@@ -1 +1 @@
-u sshd - "SSH drop priv user" /var/empty
+u sshd - "SSH drop priv user" /run/sshd
diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
index b5e96b3a25..715bd3f7eb 100644
--- a/package/openssh/sshd.service
+++ b/package/openssh/sshd.service
@@ -1,11 +1,20 @@
 [Unit]
 Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target auditd.service
 
 [Service]
 ExecStartPre=/usr/bin/ssh-keygen -A
-ExecStart=/usr/sbin/sshd -D -e
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=/usr/sbin/sshd -D
+ExecReload=/usr/sbin/sshd -t
 ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory=sshd
+RuntimeDirectoryMode=0755
 
 [Install]
 WantedBy=multi-user.target
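Review bot: `RestartPreventExitStatus=255` is broader than the description suggests: as far as I recall sshd's fatal() path exits with 255 for most fatal errors (for example failing to bind a ListenAddress), not only for a bad config, and config errors are already caught by the `ExecStartPre=/usr/sbin/sshd -t` line above, so this line also disables restarts after transient failures such as an address that is not yet configured at boot. If the intent is only to avoid looping on a broken config, the ExecStartPre already achieves that and the line can go; otherwise keep it with a comment `# sshd exits 255 from fatal(); config errors are caught by ExecStartPre` so the trade-off is explicit. `Type=notify` additionally depends on configure having actually found libsystemd; a build where the probe silently fell back leaves a unit that times out on every start, so the build-side check should be fatal rather than a warning.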
-- 
2.26.2


* [Buildroot] [PATCH 3/4] package/openssh: seperate sd service for host key generation
@ 2020-06-05 22:59 ` Norbert Lange
From: Norbert Lange @ 2020-06-05 22:59 UTC (permalink / raw)
  To: buildroot

Split out generation of host keys into an optional service
that can easily be removed or deactivated.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/openssh/openssh.mk               |  5 +++--
 package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++
 package/openssh/sshd.service             |  1 -
 3 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 package/openssh/sshd-host-keygen.service

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index d425db1428..6b3ee1f5f4 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -114,8 +114,9 @@ endef
 OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
 
 define OPENSSH_INSTALL_INIT_SYSTEMD
-	$(INSTALL) -D -m 644 package/openssh/sshd.service \
-		$(TARGET_DIR)/usr/lib/systemd/system/sshd.service
+	mkdir $(TARGET_DIR)/usr/lib/systemd/system
+	$(INSTALL) -m 644 package/openssh/sshd*.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/
 	$(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
 endef
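Review bot: `mkdir $(TARGET_DIR)/usr/lib/systemd/system` without `-p` makes the hook fail whenever the directory already exists, which it does on any target where another package has installed a unit and on every rebuild; 4/4 of this series changes it to `mkdir -p`, but each patch should build on its own, so use `mkdir -p $(TARGET_DIR)/usr/lib/systemd/system` here. Alternatively keep one `$(INSTALL) -D` per file, which also avoids the `sshd*.service` glob picking up unrelated files that may later appear in package/openssh/.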
 
diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
new file mode 100644
index 0000000000..058e671c44
--- /dev/null
+++ b/package/openssh/sshd-host-keygen.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=SSH Key Generation
+Before=sshd.service
+
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sshd.service
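Review bot: The `[Install] WantedBy=sshd.service` relation only exists once the unit is enabled, and the install hook in this patch merely copies the file, so key generation runs only if something else (presumably Buildroot's preset-all enabling) creates the wants symlink; if that is not guaranteed, add `Wants=sshd-host-keygen.service` to sshd.service instead of relying on [Install]. Since this unit now generates the host keys on the first boot of an embedded target, a comment on where the randomness comes from is warranted: `# ssh-keygen draws from the kernel RNG via OpenSSL, which blocks until seeded, so a slow first boot rather than weak keys is the expected failure mode` — presumably, worth confirming for the target kernel and OpenSSL version. The DSA entries in the ConditionPathExists list also trigger generation of a key type that sshd, as far as I recall, has not offered by default since 7.0; dropping them avoids re-creating a DSA host key that an integrator deliberately removed.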
diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
index 715bd3f7eb..797e249d8d 100644
--- a/package/openssh/sshd.service
+++ b/package/openssh/sshd.service
@@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5)
 After=network.target auditd.service
 
 [Service]
-ExecStartPre=/usr/bin/ssh-keygen -A
 ExecStartPre=/usr/sbin/sshd -t
 ExecStart=/usr/sbin/sshd -D
 ExecReload=/usr/sbin/sshd -t
-- 
2.26.2


* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
@ 2020-06-05 22:59 ` Norbert Lange
From: Norbert Lange @ 2020-06-05 22:59 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/openssh/openssh.mk               |  6 +++---
 package/openssh/sshd-host-keygen.service |  2 +-
 package/openssh/sshd.socket              | 11 +++++++++++
 package/openssh/sshd at .service            | 10 ++++++++++
 4 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 package/openssh/sshd.socket
 create mode 100644 package/openssh/sshd at .service

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 6b3ee1f5f4..1f2638e9c9 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -114,9 +114,9 @@ endef
 OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
 
 define OPENSSH_INSTALL_INIT_SYSTEMD
-	mkdir $(TARGET_DIR)/usr/lib/systemd/system
-	$(INSTALL) -m 644 package/openssh/sshd*.service \
-		$(TARGET_DIR)/usr/lib/systemd/system/
+	mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
+	$(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
+		$(TARGET_DIR)/usr/lib/systemd/system/.
 	$(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
 endef
 
diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
index 058e671c44..ffde622b01 100644
--- a/package/openssh/sshd-host-keygen.service
+++ b/package/openssh/sshd-host-keygen.service
@@ -17,4 +17,4 @@ Type=oneshot
 RemainAfterExit=yes
 
 [Install]
-WantedBy=sshd.service
+WantedBy=sshd.service sshd.socket
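Review bot: Adding `WantedBy=sshd.socket` only pulls the key generation in when the socket is enabled; it does not order it, and the unit's `Before=` line (in the [Unit] section, outside this hunk) still names only sshd.service, so with socket activation the first incoming connection can spawn `sshd -i` before any host key exists. Change it to `Before=sshd.service sshd.socket` so the socket is not listening until the keys are present; the per-connection sshd@.service template carries no ordering against this unit either.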
diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
new file mode 100644
index 0000000000..bbae9ed7aa
--- /dev/null
+++ b/package/openssh/sshd.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenBSD Secure Shell server socket
+Before=sshd.service
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
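Review bot: `Accept=yes` forks a fresh `sshd -i` for every incoming TCP connection before any authentication, and sshd's own MaxStartups throttle does not apply across separately spawned processes, so an unauthenticated connection flood can spawn an unbounded number of sshd instances; bound it with `MaxConnections=64` and, where the target's systemd supports it, `MaxConnectionsPerSource=10`. `ListenStream=22` also hard-codes the port independently of `Port` in sshd_config, which deserves a comment such as `# must match Port in sshd_config; sshd -i does not listen itself`. Finally, `Conflicts=sshd.service` combined with shipping both units unconditionally means that if both end up enabled (presumably the case with Buildroot's preset-all) boot produces a job conflict, so the .mk should enable only one of them.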
diff --git a/package/openssh/sshd at .service b/package/openssh/sshd at .service
new file mode 100644
index 0000000000..b3a590d9a3
--- /dev/null
+++ b/package/openssh/sshd at .service
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenBSD Secure Shell server per-connection daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i
+StandardInput=socket
+RuntimeDirectory=sshd
+RuntimeDirectoryMode=0755
-- 
2.26.2


* [Buildroot] [PATCH 1/4] package/openssh: Depend on libaudit if available
@ 2020-06-06 20:29 ` Thomas Petazzoni
From: Thomas Petazzoni @ 2020-06-06 20:29 UTC (permalink / raw)
  To: buildroot

On Sat,  6 Jun 2020 00:59:01 +0200
Norbert Lange <nolange79@gmail.com> wrote:

> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/openssh/openssh.mk | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 515eec2c03..55b917e20a 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -39,6 +39,11 @@ else
>  OPENSSH_CONF_OPTS += --without-ssl-engine
>  endif
>  
> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> +OPENSSH_DEPENDENCIES += audit
> +OPENSSH_CONF_OPTS += --with-audit=linux
> +endif

We like to have an "else" clause that explicitly disables the feature,
so I've added that, reworked the commit title, and applied. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
@ 2020-06-06 20:31   ` Thomas Petazzoni
From: Thomas Petazzoni @ 2020-06-06 20:31 UTC (permalink / raw)
  To: buildroot

On Sat,  6 Jun 2020 00:59:02 +0200
Norbert Lange <nolange79@gmail.com> wrote:

> the openssh daemon is not suited for systemd's simple
> service type. dependend services should only start
> when sshd is ready to accept connections.
> 
> A patch is added from debian to allow openssh
> to communicate this state.
> 
> Restarts are prevented if the reason is a faulty
> config file (errocode 255).
> 
> The "user confinement directory" is changed to
> '/run/sshd' which is automatically managed by systemd.
> 
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
>  package/openssh/openssh.mk                 | 14 +++-
>  package/openssh/sshd-sysusers.conf         |  2 +-
>  package/openssh/sshd.service               | 13 +++-
>  4 files changed, 109 insertions(+), 4 deletions(-)
>  create mode 100644 package/openssh/00-systemd-readiness.patch

On this patch, as well as patches 3/4 and 4/4 in this series, I would
really appreciate some review from people more knowledgeable than I am
in systemd.

Matt? Jérémy?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 3/4] package/openssh: seperate sd service for host key generation
@ 2020-06-07 10:44   ` Jérémy ROSEN
From: Jérémy ROSEN @ 2020-06-07 10:44 UTC (permalink / raw)
  To: buildroot

Why the RemainAfterExit?
This is a "real" oneshot: it doesn't need a state to stay behind.
Moreover it would only stay behind when actually generating the keys; on all
follow-up boots the unit would not be started at all.

Apart from that, looks good to me...

Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :

> split out generationg of host keys into an optional service
> that can easily be removed or deactivated.
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/openssh/openssh.mk               |  5 +++--
>  package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++
>  package/openssh/sshd.service             |  1 -
>  3 files changed, 23 insertions(+), 3 deletions(-)
>  create mode 100644 package/openssh/sshd-host-keygen.service
>
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index d425db1428..6b3ee1f5f4 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -114,8 +114,9 @@ endef
>  OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>
>  define OPENSSH_INSTALL_INIT_SYSTEMD
> -       $(INSTALL) -D -m 644 package/openssh/sshd.service \
> -               $(TARGET_DIR)/usr/lib/systemd/system/sshd.service
> +       mkdir $(TARGET_DIR)/usr/lib/systemd/system
> +       $(INSTALL) -m 644 package/openssh/sshd*.service \
> +               $(TARGET_DIR)/usr/lib/systemd/system/
>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
>  endef
>
> diff --git a/package/openssh/sshd-host-keygen.service
> b/package/openssh/sshd-host-keygen.service
> new file mode 100644
> index 0000000000..058e671c44
> --- /dev/null
> +++ b/package/openssh/sshd-host-keygen.service
> @@ -0,0 +1,20 @@
> +[Unit]
> +Description=SSH Key Generation
> +Before=sshd.service
> +
> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
> +
> +[Service]
> +ExecStart=/usr/bin/ssh-keygen -A
> +Type=oneshot
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=sshd.service
> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
> index 715bd3f7eb..797e249d8d 100644
> --- a/package/openssh/sshd.service
> +++ b/package/openssh/sshd.service
> @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5)
>  After=network.target auditd.service
>
>  [Service]
> -ExecStartPre=/usr/bin/ssh-keygen -A
>  ExecStartPre=/usr/sbin/sshd -t
>  ExecStart=/usr/sbin/sshd -D
>  ExecReload=/usr/sbin/sshd -t
> --
> 2.26.2
>




* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
@ 2020-06-07 10:54   ` Jérémy ROSEN
From: Jérémy ROSEN @ 2020-06-07 10:54 UTC (permalink / raw)
  To: buildroot

Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :

> the openssh daemon is not suited for systemd's simple
> service type. dependend services should only start
> when sshd is ready to accept connections.
>
> A patch is added from debian to allow openssh
> to communicate this state.
>
> Restarts are prevented if the reason is a faulty
> config file (errocode 255).
>
> The "user confinement directory" is changed to
> '/run/sshd' which is automatically managed by systemd.
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
>  package/openssh/openssh.mk                 | 14 +++-
>  package/openssh/sshd-sysusers.conf         |  2 +-
>  package/openssh/sshd.service               | 13 +++-
>  4 files changed, 109 insertions(+), 4 deletions(-)
>  create mode 100644 package/openssh/00-systemd-readiness.patch
>
> diff --git a/package/openssh/00-systemd-readiness.patch
> b/package/openssh/00-systemd-readiness.patch
> new file mode 100644
> index 0000000000..be3b6b0074
> --- /dev/null
> +++ b/package/openssh/00-systemd-readiness.patch
> @@ -0,0 +1,84 @@
> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
> +From: Michael Biebl <biebl@debian.org>
> +Date: Mon, 21 Dec 2015 16:08:47 +0000
> +Subject: Add systemd readiness notification support
> +
> +Bug-Debian: https://bugs.debian.org/778913
> +Forwarded: no
> +Last-Update: 2017-08-22
> +
> +Patch-Name: systemd-readiness.patch
> +---
> + configure.ac | 24 ++++++++++++++++++++++++
> + sshd.c       |  9 +++++++++
> + 2 files changed, 33 insertions(+)
> +
> +diff --git a/configure.ac b/configure.ac
> +index e894db9fc..c119d6fd1 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
> + AC_SUBST([GSSLIBS])
> + AC_SUBST([K5LIBS])
> +
> ++# Check whether user wants systemd support
> ++SYSTEMD_MSG="no"
> ++AC_ARG_WITH(systemd,
> ++      [  --with-systemd          Enable systemd support],
> ++      [ if test "x$withval" != "xno" ; then
> ++              AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
> ++              if test "$PKGCONFIG" != "no"; then
> ++                      AC_MSG_CHECKING([for libsystemd])
> ++                      if $PKGCONFIG --exists libsystemd; then
> ++                              SYSTEMD_CFLAGS=`$PKGCONFIG --cflags
> libsystemd`
> ++                              SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
> ++                              CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
> ++                              SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
> ++                              AC_MSG_RESULT([yes])
> ++                              AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you
> want systemd support.])
> ++                              SYSTEMD_MSG="yes"
> ++                      else
> ++                              AC_MSG_RESULT([no])
> ++                      fi
> ++              fi
> ++      fi ]
> ++)
> ++
> + # Looking for programs, paths and files
> +
> + PRIVSEP_PATH=/var/empty
> +@@ -5305,6 +5328,7 @@ echo "                   libldns support: $LDNS_MSG"
> + echo "  Solaris process contract support: $SPC_MSG"
> + echo "           Solaris project support: $SP_MSG"
> + echo "         Solaris privilege support: $SPP_MSG"
> ++echo "                   systemd support: $SYSTEMD_MSG"
> + echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
> + echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
> + echo "                  BSD Auth support: $BSD_AUTH_MSG"
> +diff --git a/sshd.c b/sshd.c
> +index 4e8ff0662..5e7679a33 100644
> +--- a/sshd.c
> ++++ b/sshd.c
> +@@ -85,6 +85,10 @@
> + #include <prot.h>
> + #endif
> +
> ++#ifdef HAVE_SYSTEMD
> ++#include <systemd/sd-daemon.h>
> ++#endif
> ++
> + #include "xmalloc.h"
> + #include "ssh.h"
> + #include "ssh2.h"
> +@@ -1951,6 +1955,11 @@ main(int ac, char **av)
> +                       }
> +               }
> +
> ++#ifdef HAVE_SYSTEMD
> ++              /* Signal systemd that we are ready to accept connections
> */
> ++              sd_notify(0, "READY=1");
> ++#endif
> ++
> +               /* Accept a connection and return in a forked child */
> +               server_accept_loop(&sock_in, &sock_out,
> +                   &newsock, config_s);
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 55b917e20a..d425db1428 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
>         LD="$(TARGET_CC)" \
>         LDFLAGS="$(TARGET_CFLAGS)" \
>         LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
> +OPENSSH_AUTORECONF = YES
>  OPENSSH_CONF_OPTS = \
>         --sysconfdir=/etc/ssh \
>         --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
>         --disable-wtmpx \
>         --disable-strip
>
> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> +OPENSSH_DEPENDENCIES = systemd
> +
> +OPENSSH_CONF_OPTS += \
> +       --with-privsep-path=/run/sshd \
> +       --with-pid-dir=/run \
> +       --with-systemd
> +
> +else
> +
>  define OPENSSH_PERMISSIONS
>         /var/empty d 755 root root - - - - -
>  endef
>

Do we still need this when using systemd, or can it be commented out ?


> +endif
>
>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>  OPENSSH_CONF_OPTS += --without-pie
> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
>  endef
>  else
>  define OPENSSH_USERS
> -       sshd -1 sshd -1 * /var/empty - - SSH drop priv user
> +       sshd -1 sshd -1 * $(if
> $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
>  endef
>  endif
>
> diff --git a/package/openssh/sshd-sysusers.conf
> b/package/openssh/sshd-sysusers.conf
> index ac77aec065..303d0dbb63 100644
> --- a/package/openssh/sshd-sysusers.conf
> +++ b/package/openssh/sshd-sysusers.conf
> @@ -1 +1 @@
> -u sshd - "SSH drop priv user" /var/empty
> +u sshd - "SSH drop priv user" /run/sshd
> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
> index b5e96b3a25..715bd3f7eb 100644
> --- a/package/openssh/sshd.service
> +++ b/package/openssh/sshd.service
> @@ -1,11 +1,20 @@
>  [Unit]
>  Description=OpenSSH server daemon
> -After=syslog.target network.target auditd.service
> +Documentation=man:sshd(8) man:sshd_config(5)
> +After=network.target auditd.service


>  [Service]
>  ExecStartPre=/usr/bin/ssh-keygen -A
> -ExecStart=/usr/sbin/sshd -D -e
> +ExecStartPre=/usr/sbin/sshd -t
> +ExecStart=/usr/sbin/sshd -D
>
You dropped the -e, so you are logging to syslog.
However you dropped the dependency on syslog.target earlier...
(maybe it should be syslog.socket instead of .target, btw)

How exactly do you want to log? (I think logging to stdout is better; it
will be
redirected to the journal.)


> +ExecReload=/usr/sbin/sshd -t
>  ExecReload=/bin/kill -HUP $MAINPID
> +KillMode=process
>

Wouldn't mixed be better here ?
I'm not really sure what the use-case for procss is anyway...


> +Restart=on-failure
> +RestartPreventExitStatus=255
> +Type=notify
> +RuntimeDirectory=sshd
> +RuntimeDirectoryMode=0755
>
>  [Install]
>  WantedBy=multi-user.target
> --
> 2.26.2
>




* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
@ 2020-06-07 11:06   ` Jérémy ROSEN
  2020-06-07 19:10     ` Norbert Lange
  0 siblings, 1 reply; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-07 11:06 UTC (permalink / raw)
  To: buildroot

Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :

> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/openssh/openssh.mk               |  6 +++---
>  package/openssh/sshd-host-keygen.service |  2 +-
>  package/openssh/sshd.socket              | 11 +++++++++++
>  package/openssh/sshd at .service            | 10 ++++++++++
>  4 files changed, 25 insertions(+), 4 deletions(-)
>  create mode 100644 package/openssh/sshd.socket
>  create mode 100644 package/openssh/sshd at .service
>
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 6b3ee1f5f4..1f2638e9c9 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -114,9 +114,9 @@ endef
>  OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>
>  define OPENSSH_INSTALL_INIT_SYSTEMD
> -       mkdir $(TARGET_DIR)/usr/lib/systemd/system
> -       $(INSTALL) -m 644 package/openssh/sshd*.service \
> -               $(TARGET_DIR)/usr/lib/systemd/system/
> +       mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
> +       $(INSTALL) -m 644 package/openssh/sshd*.service
> package/openssh/sshd.socket \
> +               $(TARGET_DIR)/usr/lib/systemd/system/.
>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
>  endef
>
> diff --git a/package/openssh/sshd-host-keygen.service
> b/package/openssh/sshd-host-keygen.service
> index 058e671c44..ffde622b01 100644
> --- a/package/openssh/sshd-host-keygen.service
> +++ b/package/openssh/sshd-host-keygen.service
> @@ -17,4 +17,4 @@ Type=oneshot
>  RemainAfterExit=yes
>
>  [Install]
> -WantedBy=sshd.service
> +WantedBy=sshd.service sshd.socket
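Review bot: Adding sshd.socket to WantedBy= pulls sshd-host-keygen.service in, but a Wants= relationship carries no ordering, and the unit's `Before=` line (outside this hunk; patch 3/4 introduced it as `Before=sshd.service`) still names only sshd.service. With socket activation the listener can therefore open before the host keys exist, and the first sshd@ instances fail until generation finishes. The ordering line should read `Before=sshd.service sshd.socket`. The same hunk is quoted again further down the thread.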
> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
> new file mode 100644
> index 0000000000..bbae9ed7aa
> --- /dev/null
> +++ b/package/openssh/sshd.socket
> @@ -0,0 +1,11 @@
> +[Unit]
> +Description=OpenBSD Secure Shell server socket
> +Before=sshd.service
> +Conflicts=sshd.service
>
No, that would stop the socket when the service is started, and you don't
want that.
If you do that, only one connection would be accepted before the socket is
stopped,
and since you have Accept=yes no further connections would be accepted.


> +
> +[Socket]
> +ListenStream=22
> +Accept=yes
> +
> +[Install]
> +WantedBy=sockets.target
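Review bot: With Accept=yes every inbound TCP connection spawns a fresh sshd@ instance, and the only ceiling on concurrent instances is systemd's implicit MaxConnections= default (64 for Accept=yes sockets), because sshd's own MaxStartups throttling applies to the listening daemon and not to `sshd -i`. Making that limit explicit in `[Socket]`, e.g. `MaxConnections=64` plus `MaxConnectionsPerSource=` on newer systemd, documents the trade-off and lets it be tuned per target. The hard-coded `ListenStream=22` also silently overrides any Port= set in sshd_config, which deserves a one-line comment in the unit.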
> diff --git a/package/openssh/sshd at .service b/package/openssh/sshd at .service
> new file mode 100644
> index 0000000000..b3a590d9a3
> --- /dev/null
> +++ b/package/openssh/sshd at .service
> @@ -0,0 +1,10 @@
> +[Unit]
> +Description=OpenBSD Secure Shell server per-connection daemon
> +Documentation=man:sshd(8) man:sshd_config(5)
> +After=auditd.service
> +
> +[Service]
> +ExecStart=-/usr/sbin/sshd -i
> +StandardInput=socket
> +RuntimeDirectory=sshd
> +RuntimeDirectoryMode=0755
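Review bot: `RuntimeDirectory=sshd` in a per-connection template means every sshd@ instance claims /run/sshd, and systemd removes a RuntimeDirectory when its unit stops unless RuntimeDirectoryPreserve= says otherwise; with several concurrent instances it looks like the first one to exit would remove the privilege-separation directory from under the others — worth confirming against the systemd version shipped. If so, `RuntimeDirectoryPreserve=yes` or creating /run/sshd from a tmpfiles.d fragment is the safer choice. The leading `-` in `ExecStart=-/usr/sbin/sshd -i` also deserves a comment saying that a non-zero exit (a failed or rejected session) is deliberately not counted as a unit failure.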
>

I am a bit confused, you have both an ssh.service and a ssh.socket+ssh@
.service
Wouldn't those two fight over port 22 ?




> --
> 2.26.2
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asni?res-sur-Seine
*J?r?my ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>


* [Buildroot] [PATCH 3/4] package/openssh: seperate sd service for host key generation
  2020-06-07 10:44   ` Jérémy ROSEN
@ 2020-06-07 18:55     ` Norbert Lange
  2020-06-07 19:09       ` Jérémy ROSEN
  0 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-07 18:55 UTC (permalink / raw)
  To: buildroot

Am So., 7. Juni 2020 um 12:44 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
>
> Why the RemainAfterExit ?
> This is a "real oneshot", it doesn't need a state to stay behind.
> Moreover it would only stay behind when actually generating the key. in all followup boot the unit would not be started at all

Yeah... there is some truth to that, but those one-shots have tricky
side effects. systemd 245 changed something that completely undermines
my understanding of how they should work,
and makes that flag practically a necessity. See:
https://github.com/systemd/systemd/issues/15091

I dont think I am able to correctly describe all pro's and cons but I
added this flag after:

-   later services did not care for failures
-   starting/stopping *any* service will recheck the condition and
fill the syslog (* depends on other stuff aswell, but that's what
happens for me)

In short: add RemainAfterExit for every one-shot, or there will be
dragons. Doesn't seem upstream is bothered by this.

>
> Appart from that, Looks good to me...
>
> Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :
>>
>> split out generationg of host keys into an optional service
>> that can easily be removed or deactivated.
>>
>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> ---
>>  package/openssh/openssh.mk               |  5 +++--
>>  package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++
>>  package/openssh/sshd.service             |  1 -
>>  3 files changed, 23 insertions(+), 3 deletions(-)
>>  create mode 100644 package/openssh/sshd-host-keygen.service
>>
>> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> index d425db1428..6b3ee1f5f4 100644
>> --- a/package/openssh/openssh.mk
>> +++ b/package/openssh/openssh.mk
>> @@ -114,8 +114,9 @@ endef
>>  OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>>
>>  define OPENSSH_INSTALL_INIT_SYSTEMD
>> -       $(INSTALL) -D -m 644 package/openssh/sshd.service \
>> -               $(TARGET_DIR)/usr/lib/systemd/system/sshd.service
>> +       mkdir $(TARGET_DIR)/usr/lib/systemd/system
>> +       $(INSTALL) -m 644 package/openssh/sshd*.service \
>> +               $(TARGET_DIR)/usr/lib/systemd/system/
>>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
>>  endef
>>
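Review bot: `mkdir $(TARGET_DIR)/usr/lib/systemd/system` without `-p` fails when the directory already exists, which it will whenever another package has installed a unit there or the target is rebuilt without a clean, so the install hook aborts the build. The line should be `mkdir -p $(TARGET_DIR)/usr/lib/systemd/system`; patch 4/4 in this series does switch to `-p`, and that change belongs in this patch instead.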
>> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
>> new file mode 100644
>> index 0000000000..058e671c44
>> --- /dev/null
>> +++ b/package/openssh/sshd-host-keygen.service
>> @@ -0,0 +1,20 @@
>> +[Unit]
>> +Description=SSH Key Generation
>> +Before=sshd.service
>> +
>> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
>> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
>> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
>> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
>> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
>> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
>> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
>> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
>> +
>> +[Service]
>> +ExecStart=/usr/bin/ssh-keygen -A
>> +Type=oneshot
>> +RemainAfterExit=yes
>> +
>> +[Install]
>> +WantedBy=sshd.service
>> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
>> index 715bd3f7eb..797e249d8d 100644
>> --- a/package/openssh/sshd.service
>> +++ b/package/openssh/sshd.service
>> @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5)
>>  After=network.target auditd.service
>>
>>  [Service]
>> -ExecStartPre=/usr/bin/ssh-keygen -A
>>  ExecStartPre=/usr/sbin/sshd -t
>>  ExecStart=/usr/sbin/sshd -D
>>  ExecReload=/usr/sbin/sshd -t
>> --
>> 2.26.2
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot at busybox.net
>> http://lists.busybox.net/mailman/listinfo/buildroot
>
>
>
> --
>
>
> 20 rue des Jardins
> 92600 Asni?res-sur-Seine
>
> J?r?my ROSEN
> Architecte technique
>
>  jeremy.rosen at smile.fr
>   +33 6 88 25 87 42
>  http://www.smile.eu
>
>
>


* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
  2020-06-07 10:54   ` Jérémy ROSEN
@ 2020-06-07 19:03     ` Norbert Lange
  2020-06-07 19:16       ` Jérémy ROSEN
  0 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-07 19:03 UTC (permalink / raw)
  To: buildroot

Am So., 7. Juni 2020 um 12:54 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
>
>
>
> Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :
>>
>> the openssh daemon is not suited for systemd's simple
>> service type. dependend services should only start
>> when sshd is ready to accept connections.
>>
>> A patch is added from debian to allow openssh
>> to communicate this state.
>>
>> Restarts are prevented if the reason is a faulty
>> config file (errocode 255).
>>
>> The "user confinement directory" is changed to
>> '/run/sshd' which is automatically managed by systemd.
>>
>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> ---
>>  package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
>>  package/openssh/openssh.mk                 | 14 +++-
>>  package/openssh/sshd-sysusers.conf         |  2 +-
>>  package/openssh/sshd.service               | 13 +++-
>>  4 files changed, 109 insertions(+), 4 deletions(-)
>>  create mode 100644 package/openssh/00-systemd-readiness.patch
>>
>> diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch
>> new file mode 100644
>> index 0000000000..be3b6b0074
>> --- /dev/null
>> +++ b/package/openssh/00-systemd-readiness.patch
>> @@ -0,0 +1,84 @@
>> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
>> +From: Michael Biebl <biebl@debian.org>
>> +Date: Mon, 21 Dec 2015 16:08:47 +0000
>> +Subject: Add systemd readiness notification support
>> +
>> +Bug-Debian: https://bugs.debian.org/778913
>> +Forwarded: no
>> +Last-Update: 2017-08-22
>> +
>> +Patch-Name: systemd-readiness.patch
>> +---
>> + configure.ac | 24 ++++++++++++++++++++++++
>> + sshd.c       |  9 +++++++++
>> + 2 files changed, 33 insertions(+)
>> +
>> +diff --git a/configure.ac b/configure.ac
>> +index e894db9fc..c119d6fd1 100644
>> +--- a/configure.ac
>> ++++ b/configure.ac
>> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
>> + AC_SUBST([GSSLIBS])
>> + AC_SUBST([K5LIBS])
>> +
>> ++# Check whether user wants systemd support
>> ++SYSTEMD_MSG="no"
>> ++AC_ARG_WITH(systemd,
>> ++      [  --with-systemd          Enable systemd support],
>> ++      [ if test "x$withval" != "xno" ; then
>> ++              AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
>> ++              if test "$PKGCONFIG" != "no"; then
>> ++                      AC_MSG_CHECKING([for libsystemd])
>> ++                      if $PKGCONFIG --exists libsystemd; then
>> ++                              SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
>> ++                              SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
>> ++                              CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
>> ++                              SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
>> ++                              AC_MSG_RESULT([yes])
>> ++                              AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
>> ++                              SYSTEMD_MSG="yes"
>> ++                      else
>> ++                              AC_MSG_RESULT([no])
>> ++                      fi
>> ++              fi
>> ++      fi ]
>> ++)
>> ++
>> + # Looking for programs, paths and files
>> +
>> + PRIVSEP_PATH=/var/empty
>> +@@ -5305,6 +5328,7 @@ echo "                   libldns support: $LDNS_MSG"
>> + echo "  Solaris process contract support: $SPC_MSG"
>> + echo "           Solaris project support: $SP_MSG"
>> + echo "         Solaris privilege support: $SPP_MSG"
>> ++echo "                   systemd support: $SYSTEMD_MSG"
>> + echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
>> + echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
>> + echo "                  BSD Auth support: $BSD_AUTH_MSG"
>> +diff --git a/sshd.c b/sshd.c
>> +index 4e8ff0662..5e7679a33 100644
>> +--- a/sshd.c
>> ++++ b/sshd.c
>> +@@ -85,6 +85,10 @@
>> + #include <prot.h>
>> + #endif
>> +
>> ++#ifdef HAVE_SYSTEMD
>> ++#include <systemd/sd-daemon.h>
>> ++#endif
>> ++
>> + #include "xmalloc.h"
>> + #include "ssh.h"
>> + #include "ssh2.h"
>> +@@ -1951,6 +1955,11 @@ main(int ac, char **av)
>> +                       }
>> +               }
>> +
>> ++#ifdef HAVE_SYSTEMD
>> ++              /* Signal systemd that we are ready to accept connections */
>> ++              sd_notify(0, "READY=1");
>> ++#endif
>> ++
>> +               /* Accept a connection and return in a forked child */
>> +               server_accept_loop(&sock_in, &sock_out,
>> +                   &newsock, config_s);
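Review bot: The `--with-systemd` handling in the configure.ac part of this patch degrades silently: when pkg-config or libsystemd.pc is not found it prints `no` and continues, so a build that explicitly asked for systemd support can produce an sshd that never sends READY=1, and the Type=notify unit from this same series then sits in "activating" until the start timeout expires and is killed. Since openssh.mk passes --with-systemd unconditionally under BR2_PACKAGE_SYSTEMD, an explicit request should be a hard error: replace the `AC_MSG_RESULT([no])` branch with `AC_MSG_ERROR([libsystemd not found])`, and fail likewise when pkg-config itself is missing. The sd_notify call is placed immediately before server_accept_loop, which is the right point for a readiness signal; a short comment noting that it must stay before the accept loop would keep future refactoring from moving it.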
>> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> index 55b917e20a..d425db1428 100644
>> --- a/package/openssh/openssh.mk
>> +++ b/package/openssh/openssh.mk
>> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
>>         LD="$(TARGET_CC)" \
>>         LDFLAGS="$(TARGET_CFLAGS)" \
>>         LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
>> +OPENSSH_AUTORECONF = YES
>>  OPENSSH_CONF_OPTS = \
>>         --sysconfdir=/etc/ssh \
>>         --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
>> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
>>         --disable-wtmpx \
>>         --disable-strip
>>
>> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
>> +OPENSSH_DEPENDENCIES = systemd
>> +
>> +OPENSSH_CONF_OPTS += \
>> +       --with-privsep-path=/run/sshd \
>> +       --with-pid-dir=/run \
>> +       --with-systemd
>> +
>> +else
>> +
>>  define OPENSSH_PERMISSIONS
>>         /var/empty d 755 root root - - - - -
>>  endef
>
>
> Do we still need this when using systemd, or can it be commented out ?

Not sure what you mean with "this"?
The OPENSSH_PERMISSIONS block is needed when not using systemd and it
is only active then.

>
>
>>
>> +endif
>>
>>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>>  OPENSSH_CONF_OPTS += --without-pie
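Review bot: `OPENSSH_DEPENDENCIES = systemd` uses a plain assignment; if this variable is assigned with `=` elsewhere in openssh.mk (not visible in this hunk), whichever assignment comes last wins and either the systemd dependency or the other one is silently lost, which would let configure run before libsystemd is built and the --with-systemd check fall through. `OPENSSH_DEPENDENCIES += systemd` is the form patch 1/4 uses for the audit dependency and is the safe choice here.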
>> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
>>  endef
>>  else
>>  define OPENSSH_USERS
>> -       sshd -1 sshd -1 * /var/empty - - SSH drop priv user
>> +       sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
>>  endef
>>  endif
>>
>> diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf
>> index ac77aec065..303d0dbb63 100644
>> --- a/package/openssh/sshd-sysusers.conf
>> +++ b/package/openssh/sshd-sysusers.conf
>> @@ -1 +1 @@
>> -u sshd - "SSH drop priv user" /var/empty
>> +u sshd - "SSH drop priv user" /run/sshd
>> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
>> index b5e96b3a25..715bd3f7eb 100644
>> --- a/package/openssh/sshd.service
>> +++ b/package/openssh/sshd.service
>> @@ -1,11 +1,20 @@
>>  [Unit]
>>  Description=OpenSSH server daemon
>> -After=syslog.target network.target auditd.service
>> +Documentation=man:sshd(8) man:sshd_config(5)
>> +After=network.target auditd.service
>>
>>
>>  [Service]
>>  ExecStartPre=/usr/bin/ssh-keygen -A
>> -ExecStart=/usr/sbin/sshd -D -e
>> +ExecStartPre=/usr/sbin/sshd -t
>> +ExecStart=/usr/sbin/sshd -D
>
> You droped the -e, so  you are logging to syslog
> However you droped the dependency on syslog.target earlier...
> (maybe it should be syslog.socket instead of .target, btw)


syslog.target is long long gone, and the syslog will be
unconditionally available
https://www.freedesktop.org/wiki/Software/systemd/syslog/


>
>
> how exactly do you want to log  ? (I think logging to stdout is better, it will be
> redirected to the journal.


stdout is not really useful if syslog is supported.

>
>
>>
>> +ExecReload=/usr/sbin/sshd -t
>>  ExecReload=/bin/kill -HUP $MAINPID
>> +KillMode=process
>
>
> Wouldn't mixed be better here ?
> I'm not really sure what the use-case for procss is anyway...


I took that from Debian; I could not argue against it (there is a
long discussion which I linked above).
Can you argue *for* mixed?

>
>
>>
>> +Restart=on-failure
>> +RestartPreventExitStatus=255
>> +Type=notify
>> +RuntimeDirectory=sshd
>> +RuntimeDirectoryMode=0755
>>
>>  [Install]
>>  WantedBy=multi-user.target
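Review bot: `RestartPreventExitStatus=255` is a magic number with no explanation in the unit itself; the commit message says 255 is sshd's exit status for a faulty configuration, so the unit should say so next to the directive, e.g. `# 255: sshd exits with this status on a bad configuration; restarting cannot fix that`. A similar one-line comment on `ExecStartPre=/usr/sbin/sshd -t` would make clear that it exists to surface that exit status before the daemon is started rather than after.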
>> --
>> 2.26.2
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot at busybox.net
>> http://lists.busybox.net/mailman/listinfo/buildroot
>
>
>
> --
>
>
> 20 rue des Jardins
> 92600 Asni?res-sur-Seine
>
> J?r?my ROSEN
> Architecte technique
>
>  jeremy.rosen at smile.fr
>   +33 6 88 25 87 42
>  http://www.smile.eu
>
>
>

Regards, Norbert


* [Buildroot] [PATCH 3/4] package/openssh: seperate sd service for host key generation
  2020-06-07 18:55     ` Norbert Lange
@ 2020-06-07 19:09       ` Jérémy ROSEN
  0 siblings, 0 replies; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-07 19:09 UTC (permalink / raw)
  To: buildroot

Le dim. 7 juin 2020 ? 20:56, Norbert Lange <nolange79@gmail.com> a ?crit :

> Am So., 7. Juni 2020 um 12:44 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> >
> > Why the RemainAfterExit ?
> > This is a "real oneshot", it doesn't need a state to stay behind.
> > Moreover it would only stay behind when actually generating the key. in
> all followup boot the unit would not be started at all
>
> Yeah... there is some truth to that, but those one-shots have tricky
> sideeffects systemd 245 changed something that completely undermines
> my understanding of how they should work,
> and make that flag practically a necessity. See:
> https://github.com/systemd/systemd/issues/15091
>
> I dont think I am able to correctly describe all pro's and cons but I
> added this flag after:
>
> -   later services did not care for failures
> -   starting/stopping *any* service will recheck the condition and
> fill the syslog (* depends on other stuff aswell, but that's what
> happens for me)
>
> In short: add RemainAfterExit for every one-shot, or there will be
> dragons. Doesn't seem upstream is bothered by this.
>
> ok, I see your point... you are protected by your various Condition= from
this bug, but that would fill the logs with condition checks messages.

Could you please add a comment pointing to that bug report ?

Apart from that
Reviewd-by: J?r?my Rosen <jeremy.rosen@smile.fr>


> >
> > Appart from that, Looks good to me...
> >
> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a
> ?crit :
> >>
> >> split out generationg of host keys into an optional service
> >> that can easily be removed or deactivated.
> >>
> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> ---
> >>  package/openssh/openssh.mk               |  5 +++--
> >>  package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++
> >>  package/openssh/sshd.service             |  1 -
> >>  3 files changed, 23 insertions(+), 3 deletions(-)
> >>  create mode 100644 package/openssh/sshd-host-keygen.service
> >>
> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> index d425db1428..6b3ee1f5f4 100644
> >> --- a/package/openssh/openssh.mk
> >> +++ b/package/openssh/openssh.mk
> >> @@ -114,8 +114,9 @@ endef
> >>  OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
> >>
> >>  define OPENSSH_INSTALL_INIT_SYSTEMD
> >> -       $(INSTALL) -D -m 644 package/openssh/sshd.service \
> >> -               $(TARGET_DIR)/usr/lib/systemd/system/sshd.service
> >> +       mkdir $(TARGET_DIR)/usr/lib/systemd/system
> >> +       $(INSTALL) -m 644 package/openssh/sshd*.service \
> >> +               $(TARGET_DIR)/usr/lib/systemd/system/
> >>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> >>  endef
> >>
> >> diff --git a/package/openssh/sshd-host-keygen.service
> b/package/openssh/sshd-host-keygen.service
> >> new file mode 100644
> >> index 0000000000..058e671c44
> >> --- /dev/null
> >> +++ b/package/openssh/sshd-host-keygen.service
> >> @@ -0,0 +1,20 @@
> >> +[Unit]
> >> +Description=SSH Key Generation
> >> +Before=sshd.service
> >> +
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
> >> +
> >> +[Service]
> >> +ExecStart=/usr/bin/ssh-keygen -A
> >> +Type=oneshot
> >> +RemainAfterExit=yes
> >> +
> >> +[Install]
> >> +WantedBy=sshd.service
> >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
> >> index 715bd3f7eb..797e249d8d 100644
> >> --- a/package/openssh/sshd.service
> >> +++ b/package/openssh/sshd.service
> >> @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5)
> >>  After=network.target auditd.service
> >>
> >>  [Service]
> >> -ExecStartPre=/usr/bin/ssh-keygen -A
> >>  ExecStartPre=/usr/sbin/sshd -t
> >>  ExecStart=/usr/sbin/sshd -D
> >>  ExecReload=/usr/sbin/sshd -t
> >> --
> >> 2.26.2
> >>
> >> _______________________________________________
> >> buildroot mailing list
> >> buildroot at busybox.net
> >> http://lists.busybox.net/mailman/listinfo/buildroot
> >
> >
> >
> > --
> >
> >
> > 20 rue des Jardins
> > 92600 Asni?res-sur-Seine
> >
> > J?r?my ROSEN
> > Architecte technique
> >
> >  jeremy.rosen at smile.fr
> >   +33 6 88 25 87 42
> >  http://www.smile.eu
> >
> >
> >
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asni?res-sur-Seine
*J?r?my ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>


* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
  2020-06-07 11:06   ` Jérémy ROSEN
@ 2020-06-07 19:10     ` Norbert Lange
  2020-06-07 19:31       ` Jérémy ROSEN
  0 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-07 19:10 UTC (permalink / raw)
  To: buildroot

Am So., 7. Juni 2020 um 13:07 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
>
>
>
> Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :
>>
>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> ---
>>  package/openssh/openssh.mk               |  6 +++---
>>  package/openssh/sshd-host-keygen.service |  2 +-
>>  package/openssh/sshd.socket              | 11 +++++++++++
>>  package/openssh/sshd at .service            | 10 ++++++++++
>>  4 files changed, 25 insertions(+), 4 deletions(-)
>>  create mode 100644 package/openssh/sshd.socket
>>  create mode 100644 package/openssh/sshd at .service
>>
>> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> index 6b3ee1f5f4..1f2638e9c9 100644
>> --- a/package/openssh/openssh.mk
>> +++ b/package/openssh/openssh.mk
>> @@ -114,9 +114,9 @@ endef
>>  OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>>
>>  define OPENSSH_INSTALL_INIT_SYSTEMD
>> -       mkdir $(TARGET_DIR)/usr/lib/systemd/system
>> -       $(INSTALL) -m 644 package/openssh/sshd*.service \
>> -               $(TARGET_DIR)/usr/lib/systemd/system/
>> +       mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
>> +       $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
>> +               $(TARGET_DIR)/usr/lib/systemd/system/.
>>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
>>  endef
>>
>> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
>> index 058e671c44..ffde622b01 100644
>> --- a/package/openssh/sshd-host-keygen.service
>> +++ b/package/openssh/sshd-host-keygen.service
>> @@ -17,4 +17,4 @@ Type=oneshot
>>  RemainAfterExit=yes
>>
>>  [Install]
>> -WantedBy=sshd.service
>> +WantedBy=sshd.service sshd.socket
>> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
>> new file mode 100644
>> index 0000000000..bbae9ed7aa
>> --- /dev/null
>> +++ b/package/openssh/sshd.socket
>> @@ -0,0 +1,11 @@
>> +[Unit]
>> +Description=OpenBSD Secure Shell server socket
>> +Before=sshd.service
>> +Conflicts=sshd.service
>
> No, that would stop the socket when the service is started, and you don't want that.
> If you do that, only one connection would be accepted before the socket is stoped
> and since you have accept=yes no further connections would be accepted

there is the singular sshd service
and the sshd.socket which spawns sshd@ instance services.
Those are mutually exclusive (because of the "Conflicts"), the
"Before" line just ensures that the sshd.socket wins out by default.

>
>>
>> +
>> +[Socket]
>> +ListenStream=22
>> +Accept=yes
>> +
>> +[Install]
>> +WantedBy=sockets.target
>> diff --git a/package/openssh/sshd at .service b/package/openssh/sshd at .service
>> new file mode 100644
>> index 0000000000..b3a590d9a3
>> --- /dev/null
>> +++ b/package/openssh/sshd at .service
>> @@ -0,0 +1,10 @@
>> +[Unit]
>> +Description=OpenBSD Secure Shell server per-connection daemon
>> +Documentation=man:sshd(8) man:sshd_config(5)
>> +After=auditd.service
>> +
>> +[Service]
>> +ExecStart=-/usr/sbin/sshd -i
>> +StandardInput=socket
>> +RuntimeDirectory=sshd
>> +RuntimeDirectoryMode=0755
>
>
> I am a bit confused, you have both an ssh.service and a ssh.socket+ssh at .service
> Wouldn't those two fight over port 22 ?

No, on a fresh installation the socket will be started; the sshd
service will not, because of the "Conflicts".
If you manually enable/start sshd.service, the socket will be
shut down first.

>
>
>
>>
>> --
>> 2.26.2
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot at busybox.net
>> http://lists.busybox.net/mailman/listinfo/buildroot
>
>
>
> --
>
>
> 20 rue des Jardins
> 92600 Asni?res-sur-Seine
>
> J?r?my ROSEN
> Architecte technique
>
>  jeremy.rosen at smile.fr
>   +33 6 88 25 87 42
>  http://www.smile.eu

Norbert


* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
  2020-06-07 19:03     ` Norbert Lange
@ 2020-06-07 19:16       ` Jérémy ROSEN
  2020-06-07 19:24         ` Norbert Lange
  0 siblings, 1 reply; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-07 19:16 UTC (permalink / raw)
  To: buildroot

Le dim. 7 juin 2020 ? 21:03, Norbert Lange <nolange79@gmail.com> a ?crit :

> Am So., 7. Juni 2020 um 12:54 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> >
> >
> >
> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a
> ?crit :
> >>
> >> the openssh daemon is not suited for systemd's simple
> >> service type. dependend services should only start
> >> when sshd is ready to accept connections.
> >>
> >> A patch is added from debian to allow openssh
> >> to communicate this state.
> >>
> >> Restarts are prevented if the reason is a faulty
> >> config file (errocode 255).
> >>
> >> The "user confinement directory" is changed to
> >> '/run/sshd' which is automatically managed by systemd.
> >>
> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> ---
> >>  package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
> >>  package/openssh/openssh.mk                 | 14 +++-
> >>  package/openssh/sshd-sysusers.conf         |  2 +-
> >>  package/openssh/sshd.service               | 13 +++-
> >>  4 files changed, 109 insertions(+), 4 deletions(-)
> >>  create mode 100644 package/openssh/00-systemd-readiness.patch
> >>
> >> diff --git a/package/openssh/00-systemd-readiness.patch
> b/package/openssh/00-systemd-readiness.patch
> >> new file mode 100644
> >> index 0000000000..be3b6b0074
> >> --- /dev/null
> >> +++ b/package/openssh/00-systemd-readiness.patch
> >> @@ -0,0 +1,84 @@
> >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
> >> +From: Michael Biebl <biebl@debian.org>
> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000
> >> +Subject: Add systemd readiness notification support
> >> +
> >> +Bug-Debian: https://bugs.debian.org/778913
> >> +Forwarded: no
> >> +Last-Update: 2017-08-22
> >> +
> >> +Patch-Name: systemd-readiness.patch
> >> +---
> >> + configure.ac | 24 ++++++++++++++++++++++++
> >> + sshd.c       |  9 +++++++++
> >> + 2 files changed, 33 insertions(+)
> >> +
> >> +diff --git a/configure.ac b/configure.ac
> >> +index e894db9fc..c119d6fd1 100644
> >> +--- a/configure.ac
> >> ++++ b/configure.ac
> >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
> >> + AC_SUBST([GSSLIBS])
> >> + AC_SUBST([K5LIBS])
> >> +
> >> ++# Check whether user wants systemd support
> >> ++SYSTEMD_MSG="no"
> >> ++AC_ARG_WITH(systemd,
> >> ++      [  --with-systemd          Enable systemd support],
> >> ++      [ if test "x$withval" != "xno" ; then
> >> ++              AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
> >> ++              if test "$PKGCONFIG" != "no"; then
> >> ++                      AC_MSG_CHECKING([for libsystemd])
> >> ++                      if $PKGCONFIG --exists libsystemd; then
> >> ++                              SYSTEMD_CFLAGS=`$PKGCONFIG --cflags
> libsystemd`
> >> ++                              SYSTEMD_LIBS=`$PKGCONFIG --libs
> libsystemd`
> >> ++                              CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
> >> ++                              SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
> >> ++                              AC_MSG_RESULT([yes])
> >> ++                              AC_DEFINE(HAVE_SYSTEMD, 1, [Define if
> you want systemd support.])
> >> ++                              SYSTEMD_MSG="yes"
> >> ++                      else
> >> ++                              AC_MSG_RESULT([no])
> >> ++                      fi
> >> ++              fi
> >> ++      fi ]
> >> ++)
> >> ++
> >> + # Looking for programs, paths and files
> >> +
> >> + PRIVSEP_PATH=/var/empty
> >> +@@ -5305,6 +5328,7 @@ echo "                   libldns support:
> $LDNS_MSG"
> >> + echo "  Solaris process contract support: $SPC_MSG"
> >> + echo "           Solaris project support: $SP_MSG"
> >> + echo "         Solaris privilege support: $SPP_MSG"
> >> ++echo "                   systemd support: $SYSTEMD_MSG"
> >> + echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
> >> + echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
> >> + echo "                  BSD Auth support: $BSD_AUTH_MSG"
> >> +diff --git a/sshd.c b/sshd.c
> >> +index 4e8ff0662..5e7679a33 100644
> >> +--- a/sshd.c
> >> ++++ b/sshd.c
> >> +@@ -85,6 +85,10 @@
> >> + #include <prot.h>
> >> + #endif
> >> +
> >> ++#ifdef HAVE_SYSTEMD
> >> ++#include <systemd/sd-daemon.h>
> >> ++#endif
> >> ++
> >> + #include "xmalloc.h"
> >> + #include "ssh.h"
> >> + #include "ssh2.h"
> >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av)
> >> +                       }
> >> +               }
> >> +
> >> ++#ifdef HAVE_SYSTEMD
> >> ++              /* Signal systemd that we are ready to accept
> connections */
> >> ++              sd_notify(0, "READY=1");
> >> ++#endif
> >> ++
> >> +               /* Accept a connection and return in a forked child */
> >> +               server_accept_loop(&sock_in, &sock_out,
> >> +                   &newsock, config_s);
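Review bot: The configure check in this nested patch degrades silently: when pkg-config is missing or `$PKGCONFIG --exists libsystemd` fails, the `else` branch only prints `AC_MSG_RESULT([no])` and the build continues without `HAVE_SYSTEMD`, even though `--with-systemd` was explicitly requested. In this series that is not harmless, because sshd.service switches to `Type=notify` and the only `sd_notify(0, "READY=1")` is the one added here before `server_accept_loop`; a binary built without it starts, never reports ready, and is killed by systemd at the start timeout, which looks like a broken sshd rather than a broken build. I would make the failure hard with `AC_MSG_ERROR([--with-systemd requested but libsystemd was not found])` in that `else` branch and in the `$PKGCONFIG = no` case; if keeping the Debian patch verbatim is preferred, the limitation should at least be stated in the patch header so the `systemd support:` summary line is checked after a toolchain change.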
> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> index 55b917e20a..d425db1428 100644
> >> --- a/package/openssh/openssh.mk
> >> +++ b/package/openssh/openssh.mk
> >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
> >>         LD="$(TARGET_CC)" \
> >>         LDFLAGS="$(TARGET_CFLAGS)" \
> >>         LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
> >> +OPENSSH_AUTORECONF = YES
> >>  OPENSSH_CONF_OPTS = \
> >>         --sysconfdir=/etc/ssh \
> >>         --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
> >>         --disable-wtmpx \
> >>         --disable-strip
> >>
> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> >> +OPENSSH_DEPENDENCIES = systemd
> >> +
> >> +OPENSSH_CONF_OPTS += \
> >> +       --with-privsep-path=/run/sshd \
> >> +       --with-pid-dir=/run \
> >> +       --with-systemd
> >> +
> >> +else
> >> +
> >>  define OPENSSH_PERMISSIONS
> >>         /var/empty d 755 root root - - - - -
> >>  endef
> >
> >
> > Do we still need this when using systemd, or can it be commented out ?
>
> Not sure what you mean with "this"?
> The OPENSSH_PERMISSIONS block is needed when not using systemd and it
> is only active then.
>
>
my bad, I missed the enclosing ifeq()


> >
> >
> >>
> >> +endif
> >>
> >>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
> >>  OPENSSH_CONF_OPTS += --without-pie
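Review bot: `OPENSSH_DEPENDENCIES = systemd` is a plain assignment, while the rest of this block and the series append with `+=` (`OPENSSH_CONF_OPTS +=` two lines below, `OPENSSH_DEPENDENCIES += audit` in patch 1/4). If OPENSSH_DEPENDENCIES is already set earlier in the file — Buildroot's openssh.mk normally lists zlib and openssl there, which this hunk does not show — those entries are discarded in the systemd build, and the only reason `audit` survives is that patch 1/4 appends it further down. `OPENSSH_DEPENDENCIES += systemd` is the safe form regardless of ordering.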
> >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
> >>  endef
> >>  else
> >>  define OPENSSH_USERS
> >> -       sshd -1 sshd -1 * /var/empty - - SSH drop priv user
> >> +       sshd -1 sshd -1 * $(if
> $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
> >>  endef
> >>  endif
> >>
> >> diff --git a/package/openssh/sshd-sysusers.conf
> b/package/openssh/sshd-sysusers.conf
> >> index ac77aec065..303d0dbb63 100644
> >> --- a/package/openssh/sshd-sysusers.conf
> >> +++ b/package/openssh/sshd-sysusers.conf
> >> @@ -1 +1 @@
> >> -u sshd - "SSH drop priv user" /var/empty
> >> +u sshd - "SSH drop priv user" /run/sshd
> >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
> >> index b5e96b3a25..715bd3f7eb 100644
> >> --- a/package/openssh/sshd.service
> >> +++ b/package/openssh/sshd.service
> >> @@ -1,11 +1,20 @@
> >>  [Unit]
> >>  Description=OpenSSH server daemon
> >> -After=syslog.target network.target auditd.service
> >> +Documentation=man:sshd(8) man:sshd_config(5)
> >> +After=network.target auditd.service
> >>
> >>
> >>  [Service]
> >>  ExecStartPre=/usr/bin/ssh-keygen -A
> >> -ExecStart=/usr/sbin/sshd -D -e
> >> +ExecStartPre=/usr/sbin/sshd -t
> >> +ExecStart=/usr/sbin/sshd -D
> >
> > You droped the -e, so  you are logging to syslog
> > However you droped the dependency on syslog.target earlier...
> > (maybe it should be syslog.socket instead of .target, btw)
>
>
> syslog.target is long long gone, and the syslog will be
> unconditionally available
> https://www.freedesktop.org/wiki/Software/systemd/syslog/
>
>
> >
> >
> > how exactly do you want to log  ? (I think logging to stdout is better,
> it will be
> > redirected to the journal.
>
>
> stdout is not really useful if syslog is supported.
>
> i'd go the other way round

syslog is not really necessary if stdout is available,
but it's a matter of taste :P so let's go your way.


> >
> >
> >>
> >> +ExecReload=/usr/sbin/sshd -t
> >>  ExecReload=/bin/kill -HUP $MAINPID
> >> +KillMode=process
> >
> >
> > Wouldn't mixed be better here ?
> > I'm not really sure what the use-case for procss is anyway...
>
>
> I taken that from debian, I could not argue against it (there is a
> long discussion which I linked above).
> Can you argue *for* mixed?
>
>

I didn't see any link
* process : SIGTERM and SIGKILL is sent only to MainPID
* mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every process in
the service cgroup.

This means that if all works well, they do the same thing

In case the MainPID fails to properly terminate its children, "process" would
leave the children alive,
but "mixed" would kill everybody.

Since we are trying to terminate the service, it makes sense to me to make
sure all child processes
are killed.

but I don't see your link so I may be missing something

> >
> >
> >>
> >> +Restart=on-failure
> >> +RestartPreventExitStatus=255
> >> +Type=notify
> >> +RuntimeDirectory=sshd
> >> +RuntimeDirectoryMode=0755
> >>
> >>  [Install]
> >>  WantedBy=multi-user.target
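Review bot: `RuntimeDirectory=sshd` with `RuntimeDirectoryMode=0755` is load-bearing for security but undocumented: /run/sshd is the privilege-separation directory selected by `--with-privsep-path=/run/sshd` in openssh.mk, and sshd refuses to start unless that directory is root-owned and neither group- nor world-writable, so loosening the mode here breaks the daemon rather than merely widening access. A comment on those two lines, `# Privilege-separation directory (--with-privsep-path); must stay root-owned and not group/world-writable or sshd refuses to start`, would stop a well-meaning edit, and the same two lines in the new sshd@.service from patch 4/4 want the same comment. `ExecReload=/usr/sbin/sshd -t` ahead of the `kill -HUP` is a good guard and is worth a one-line comment too, since, as I read systemd.service, a failing un-prefixed ExecReload= aborts the remaining reload commands, which is exactly what keeps a broken config from being reloaded into the running daemon.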
> >> --
> >> 2.26.2
> >>
> >> _______________________________________________
> >> buildroot mailing list
> >> buildroot at busybox.net
> >> http://lists.busybox.net/mailman/listinfo/buildroot
> >
> >
> >
> > --
> >
> >
> > 20 rue des Jardins
> > 92600 Asni?res-sur-Seine
> >
> > J?r?my ROSEN
> > Architecte technique
> >
> >  jeremy.rosen at smile.fr
> >   +33 6 88 25 87 42
> >  http://www.smile.eu
> >
> >
> >
>
> Regards, Norbert
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asni?res-sur-Seine
*J?r?my ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>


* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
  2020-06-07 19:16       ` Jérémy ROSEN
@ 2020-06-07 19:24         ` Norbert Lange
  2020-06-07 19:42           ` Jérémy ROSEN
  0 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-07 19:24 UTC (permalink / raw)
  To: buildroot

Am So., 7. Juni 2020 um 21:16 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
>
>
>
> Le dim. 7 juin 2020 ? 21:03, Norbert Lange <nolange79@gmail.com> a ?crit :
>>
>> Am So., 7. Juni 2020 um 12:54 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
>> >
>> >
>> >
>> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :
>> >>
>> >> the openssh daemon is not suited for systemd's simple
>> >> service type. dependend services should only start
>> >> when sshd is ready to accept connections.
>> >>
>> >> A patch is added from debian to allow openssh
>> >> to communicate this state.
>> >>
>> >> Restarts are prevented if the reason is a faulty
>> >> config file (errocode 255).
>> >>
>> >> The "user confinement directory" is changed to
>> >> '/run/sshd' which is automatically managed by systemd.
>> >>
>> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> >> ---
>> >>  package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
>> >>  package/openssh/openssh.mk                 | 14 +++-
>> >>  package/openssh/sshd-sysusers.conf         |  2 +-
>> >>  package/openssh/sshd.service               | 13 +++-
>> >>  4 files changed, 109 insertions(+), 4 deletions(-)
>> >>  create mode 100644 package/openssh/00-systemd-readiness.patch
>> >>
>> >> diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch
>> >> new file mode 100644
>> >> index 0000000000..be3b6b0074
>> >> --- /dev/null
>> >> +++ b/package/openssh/00-systemd-readiness.patch
>> >> @@ -0,0 +1,84 @@
>> >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
>> >> +From: Michael Biebl <biebl@debian.org>
>> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000
>> >> +Subject: Add systemd readiness notification support
>> >> +
>> >> +Bug-Debian: https://bugs.debian.org/778913
>> >> +Forwarded: no
>> >> +Last-Update: 2017-08-22
>> >> +
>> >> +Patch-Name: systemd-readiness.patch
>> >> +---
>> >> + configure.ac | 24 ++++++++++++++++++++++++
>> >> + sshd.c       |  9 +++++++++
>> >> + 2 files changed, 33 insertions(+)
>> >> +
>> >> +diff --git a/configure.ac b/configure.ac
>> >> +index e894db9fc..c119d6fd1 100644
>> >> +--- a/configure.ac
>> >> ++++ b/configure.ac
>> >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
>> >> + AC_SUBST([GSSLIBS])
>> >> + AC_SUBST([K5LIBS])
>> >> +
>> >> ++# Check whether user wants systemd support
>> >> ++SYSTEMD_MSG="no"
>> >> ++AC_ARG_WITH(systemd,
>> >> ++      [  --with-systemd          Enable systemd support],
>> >> ++      [ if test "x$withval" != "xno" ; then
>> >> ++              AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
>> >> ++              if test "$PKGCONFIG" != "no"; then
>> >> ++                      AC_MSG_CHECKING([for libsystemd])
>> >> ++                      if $PKGCONFIG --exists libsystemd; then
>> >> ++                              SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
>> >> ++                              SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
>> >> ++                              CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
>> >> ++                              SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
>> >> ++                              AC_MSG_RESULT([yes])
>> >> ++                              AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
>> >> ++                              SYSTEMD_MSG="yes"
>> >> ++                      else
>> >> ++                              AC_MSG_RESULT([no])
>> >> ++                      fi
>> >> ++              fi
>> >> ++      fi ]
>> >> ++)
>> >> ++
>> >> + # Looking for programs, paths and files
>> >> +
>> >> + PRIVSEP_PATH=/var/empty
>> >> +@@ -5305,6 +5328,7 @@ echo "                   libldns support: $LDNS_MSG"
>> >> + echo "  Solaris process contract support: $SPC_MSG"
>> >> + echo "           Solaris project support: $SP_MSG"
>> >> + echo "         Solaris privilege support: $SPP_MSG"
>> >> ++echo "                   systemd support: $SYSTEMD_MSG"
>> >> + echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
>> >> + echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
>> >> + echo "                  BSD Auth support: $BSD_AUTH_MSG"
>> >> +diff --git a/sshd.c b/sshd.c
>> >> +index 4e8ff0662..5e7679a33 100644
>> >> +--- a/sshd.c
>> >> ++++ b/sshd.c
>> >> +@@ -85,6 +85,10 @@
>> >> + #include <prot.h>
>> >> + #endif
>> >> +
>> >> ++#ifdef HAVE_SYSTEMD
>> >> ++#include <systemd/sd-daemon.h>
>> >> ++#endif
>> >> ++
>> >> + #include "xmalloc.h"
>> >> + #include "ssh.h"
>> >> + #include "ssh2.h"
>> >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av)
>> >> +                       }
>> >> +               }
>> >> +
>> >> ++#ifdef HAVE_SYSTEMD
>> >> ++              /* Signal systemd that we are ready to accept connections */
>> >> ++              sd_notify(0, "READY=1");
>> >> ++#endif
>> >> ++
>> >> +               /* Accept a connection and return in a forked child */
>> >> +               server_accept_loop(&sock_in, &sock_out,
>> >> +                   &newsock, config_s);
>> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> >> index 55b917e20a..d425db1428 100644
>> >> --- a/package/openssh/openssh.mk
>> >> +++ b/package/openssh/openssh.mk
>> >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
>> >>         LD="$(TARGET_CC)" \
>> >>         LDFLAGS="$(TARGET_CFLAGS)" \
>> >>         LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
>> >> +OPENSSH_AUTORECONF = YES
>> >>  OPENSSH_CONF_OPTS = \
>> >>         --sysconfdir=/etc/ssh \
>> >>         --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
>> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
>> >>         --disable-wtmpx \
>> >>         --disable-strip
>> >>
>> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
>> >> +OPENSSH_DEPENDENCIES = systemd
>> >> +
>> >> +OPENSSH_CONF_OPTS += \
>> >> +       --with-privsep-path=/run/sshd \
>> >> +       --with-pid-dir=/run \
>> >> +       --with-systemd
>> >> +
>> >> +else
>> >> +
>> >>  define OPENSSH_PERMISSIONS
>> >>         /var/empty d 755 root root - - - - -
>> >>  endef
>> >
>> >
>> > Do we still need this when using systemd, or can it be commented out ?
>>
>> Not sure what you mean with "this"?
>> The OPENSSH_PERMISSIONS block is needed when not using systemd and it
>> is only active then.
>>
>
> my bad, I missed the enclosing ifeq()
>
>>
>> >
>> >
>> >>
>> >> +endif
>> >>
>> >>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>> >>  OPENSSH_CONF_OPTS += --without-pie
>> >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
>> >>  endef
>> >>  else
>> >>  define OPENSSH_USERS
>> >> -       sshd -1 sshd -1 * /var/empty - - SSH drop priv user
>> >> +       sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
>> >>  endef
>> >>  endif
>> >>
>> >> diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf
>> >> index ac77aec065..303d0dbb63 100644
>> >> --- a/package/openssh/sshd-sysusers.conf
>> >> +++ b/package/openssh/sshd-sysusers.conf
>> >> @@ -1 +1 @@
>> >> -u sshd - "SSH drop priv user" /var/empty
>> >> +u sshd - "SSH drop priv user" /run/sshd
>> >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
>> >> index b5e96b3a25..715bd3f7eb 100644
>> >> --- a/package/openssh/sshd.service
>> >> +++ b/package/openssh/sshd.service
>> >> @@ -1,11 +1,20 @@
>> >>  [Unit]
>> >>  Description=OpenSSH server daemon
>> >> -After=syslog.target network.target auditd.service
>> >> +Documentation=man:sshd(8) man:sshd_config(5)
>> >> +After=network.target auditd.service
>> >>
>> >>
>> >>  [Service]
>> >>  ExecStartPre=/usr/bin/ssh-keygen -A
>> >> -ExecStart=/usr/sbin/sshd -D -e
>> >> +ExecStartPre=/usr/sbin/sshd -t
>> >> +ExecStart=/usr/sbin/sshd -D
>> >
>> > You droped the -e, so  you are logging to syslog
>> > However you droped the dependency on syslog.target earlier...
>> > (maybe it should be syslog.socket instead of .target, btw)
>>
>>
>> syslog.target is long long gone, and the syslog will be
>> unconditionally available
>> https://www.freedesktop.org/wiki/Software/systemd/syslog/
>>
>>
>> >
>> >
>> > how exactly do you want to log  ? (I think logging to stdout is better, it will be
>> > redirected to the journal.
>>
>>
>> stdout is not really useful if syslog is supported.
>>
> i'd go the other way round
>
> syslog is not really necessary if stdout is available,
> but it's a matter of taste :P so let's go your way.

It's more the point that OpenSSH already implements syslog, and that's
a clear functional superset of logging to stdout.

>
>>
>> >
>> >
>> >>
>> >> +ExecReload=/usr/sbin/sshd -t
>> >>  ExecReload=/bin/kill -HUP $MAINPID
>> >> +KillMode=process
>> >
>> >
>> > Wouldn't mixed be better here ?
>> > I'm not really sure what the use-case for procss is anyway...
>>
>>
>> I taken that from debian, I could not argue against it (there is a
>> long discussion which I linked above).
>> Can you argue *for* mixed?
>>
>
>
> I didn't see any link
> * process : SIGTERM and SIGKILL is sent only to MainPID
> * mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every process in the service cgroup.
>
> This means that if all works well, they do the same thing
>
> in case the MainPID fails to properly terminate its children, process would leave children alive
> but mixed woul kill everybody
>
> Since we are trying to terminate the service, it makes sense to me to make sur all child process
> are killed.
>
> but I don't see your link so I may be missing something

The link is in the added patch: https://bugs.debian.org/778913

As said, I could not argue either way, but I got some respect for the
debian guys ;)

Norbert


* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
  2020-06-07 19:10     ` Norbert Lange
@ 2020-06-07 19:31       ` Jérémy ROSEN
  2020-06-07 19:45         ` Norbert Lange
  0 siblings, 1 reply; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-07 19:31 UTC (permalink / raw)
  To: buildroot

Le dim. 7 juin 2020 ? 21:11, Norbert Lange <nolange79@gmail.com> a ?crit :

> Am So., 7. Juni 2020 um 13:07 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> >
> >
> >
> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a
> ?crit :
> >>
> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> ---
> >>  package/openssh/openssh.mk               |  6 +++---
> >>  package/openssh/sshd-host-keygen.service |  2 +-
> >>  package/openssh/sshd.socket              | 11 +++++++++++
> >>  package/openssh/sshd at .service            | 10 ++++++++++
> >>  4 files changed, 25 insertions(+), 4 deletions(-)
> >>  create mode 100644 package/openssh/sshd.socket
> >>  create mode 100644 package/openssh/sshd at .service
> >>
> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> index 6b3ee1f5f4..1f2638e9c9 100644
> >> --- a/package/openssh/openssh.mk
> >> +++ b/package/openssh/openssh.mk
> >> @@ -114,9 +114,9 @@ endef
> >>  OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
> >>
> >>  define OPENSSH_INSTALL_INIT_SYSTEMD
> >> -       mkdir $(TARGET_DIR)/usr/lib/systemd/system
> >> -       $(INSTALL) -m 644 package/openssh/sshd*.service \
> >> -               $(TARGET_DIR)/usr/lib/systemd/system/
> >> +       mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
> >> +       $(INSTALL) -m 644 package/openssh/sshd*.service
> package/openssh/sshd.socket \
> >> +               $(TARGET_DIR)/usr/lib/systemd/system/.
> >>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> >>  endef
> >>
> >> diff --git a/package/openssh/sshd-host-keygen.service
> b/package/openssh/sshd-host-keygen.service
> >> index 058e671c44..ffde622b01 100644
> >> --- a/package/openssh/sshd-host-keygen.service
> >> +++ b/package/openssh/sshd-host-keygen.service
> >> @@ -17,4 +17,4 @@ Type=oneshot
> >>  RemainAfterExit=yes
> >>
> >>  [Install]
> >> -WantedBy=sshd.service
> >> +WantedBy=sshd.service sshd.socket
> >> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
> >> new file mode 100644
> >> index 0000000000..bbae9ed7aa
> >> --- /dev/null
> >> +++ b/package/openssh/sshd.socket
> >> @@ -0,0 +1,11 @@
> >> +[Unit]
> >> +Description=OpenBSD Secure Shell server socket
> >> +Before=sshd.service
> >> +Conflicts=sshd.service
> >
> > No, that would stop the socket when the service is started, and you
> don't want that.
> > If you do that, only one connection would be accepted before the socket
> is stoped
> > and since you have accept=yes no further connections would be accepted
>
> there is the singular sshd service
> and the sshd.socket which spawns sshd@ instance services.
> Those are mutually exclusive (because of the "Conflicts"), the
> "Before" line just ensures that the sshd.socket wins out by default.
>
>
aah right, I messed up sshd.service and sshd at .service in my head.
my bad.

I personally think we shouldn't install both methods:
either make a distro-wide decision or provide a config option.

Anyway, I see what you are doing now, and that should work, AFAICT.

I still think that it's cool that openssh supports all those startup
methods,
but I'm not convinced we need to support all of them in BR.

Thoughts ?

Regards
Jeremy

> >
> >>
> >> +
> >> +[Socket]
> >> +ListenStream=22
> >> +Accept=yes
> >> +
> >> +[Install]
> >> +WantedBy=sockets.target
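Review bot: With `Accept=yes` every incoming TCP connection becomes its own `sshd -i` process (the sshd@.service hunk that follows), so the `MaxStartups` throttle in sshd_config — which only counts unauthenticated children of a single listening daemon — no longer limits anything; the cap on parallel unauthenticated connections is now systemd's `MaxConnections=` (default 64) and `MaxConnectionsPerSource=` on this socket unit. That is a behavioural difference from sshd.service that an operator tuning `MaxStartups` will not expect, and the unit should say so: `# Per-connection mode: sshd_config MaxStartups does not apply; connection limits are enforced here via MaxConnections=/MaxConnectionsPerSource=`. I would also set the two options explicitly rather than rely on the default, so the limit is visible next to the comment. The hunk is interleaved with review replies.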
> >> diff --git a/package/openssh/sshd at .service b/package/openssh/sshd@
> .service
> >> new file mode 100644
> >> index 0000000000..b3a590d9a3
> >> --- /dev/null
> >> +++ b/package/openssh/sshd at .service
> >> @@ -0,0 +1,10 @@
> >> +[Unit]
> >> +Description=OpenBSD Secure Shell server per-connection daemon
> >> +Documentation=man:sshd(8) man:sshd_config(5)
> >> +After=auditd.service
> >> +
> >> +[Service]
> >> +ExecStart=-/usr/sbin/sshd -i
> >> +StandardInput=socket
> >> +RuntimeDirectory=sshd
> >> +RuntimeDirectoryMode=0755
> >
> >
> > I am a bit confused, you have both an ssh.service and a ssh.socket+ssh@
> .service
> > Wouldn't those two fight over port 22 ?
>
> No, on a fresh installation, the socket will be started, the sshd
> service will not because of the "Conflicts".
> if you manually enable/start the sshd.service then the socket will be
> shutdown first.
>
> >
> >
> >
> >>
> >> --
> >> 2.26.2
> >>
> >> _______________________________________________
> >> buildroot mailing list
> >> buildroot at busybox.net
> >> http://lists.busybox.net/mailman/listinfo/buildroot
> >
> >
> >
> > --
> >
> >
> > 20 rue des Jardins
> > 92600 Asni?res-sur-Seine
> >
> > J?r?my ROSEN
> > Architecte technique
> >
> >  jeremy.rosen at smile.fr
> >   +33 6 88 25 87 42
> >  http://www.smile.eu
>
> Norbert
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asni?res-sur-Seine
*J?r?my ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>


* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
  2020-06-07 19:24         ` Norbert Lange
@ 2020-06-07 19:42           ` Jérémy ROSEN
  2020-06-11  0:04             ` Norbert Lange
  0 siblings, 1 reply; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-07 19:42 UTC (permalink / raw)
  To: buildroot

Le dim. 7 juin 2020 à 21:24, Norbert Lange <nolange79@gmail.com> a écrit :

> Am So., 7. Juni 2020 um 21:16 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> >
> >
> >
> > Le dim. 7 juin 2020 ? 21:03, Norbert Lange <nolange79@gmail.com> a
> ?crit :
> >>
> >> Am So., 7. Juni 2020 um 12:54 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> >> >
> >> >
> >> >
> >> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a
> ?crit :
> >> >>
> >> >> the openssh daemon is not suited for systemd's simple
> >> >> service type. dependent services should only start
> >> >> when sshd is ready to accept connections.
> >> >>
> >> >> A patch is added from debian to allow openssh
> >> >> to communicate this state.
> >> >>
> >> >> Restarts are prevented if the reason is a faulty
> >> >> config file (error code 255).
> >> >>
> >> >> The "user confinement directory" is changed to
> >> >> '/run/sshd' which is automatically managed by systemd.
> >> >>
> >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> >> ---
> >> >>  package/openssh/00-systemd-readiness.patch | 84
> ++++++++++++++++++++++
> >> >>  package/openssh/openssh.mk                 | 14 +++-
> >> >>  package/openssh/sshd-sysusers.conf         |  2 +-
> >> >>  package/openssh/sshd.service               | 13 +++-
> >> >>  4 files changed, 109 insertions(+), 4 deletions(-)
> >> >>  create mode 100644 package/openssh/00-systemd-readiness.patch
> >> >>
> >> >> diff --git a/package/openssh/00-systemd-readiness.patch
> b/package/openssh/00-systemd-readiness.patch
> >> >> new file mode 100644
> >> >> index 0000000000..be3b6b0074
> >> >> --- /dev/null
> >> >> +++ b/package/openssh/00-systemd-readiness.patch
> >> >> @@ -0,0 +1,84 @@
> >> >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00
> 2001
> >> >> +From: Michael Biebl <biebl@debian.org>
> >> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000
> >> >> +Subject: Add systemd readiness notification support
> >> >> +
> >> >> +Bug-Debian: https://bugs.debian.org/778913
> >> >> +Forwarded: no
> >> >> +Last-Update: 2017-08-22
> >> >> +
> >> >> +Patch-Name: systemd-readiness.patch
> >> >> +---
> >> >> + configure.ac | 24 ++++++++++++++++++++++++
> >> >> + sshd.c       |  9 +++++++++
> >> >> + 2 files changed, 33 insertions(+)
> >> >> +
> >> >> +diff --git a/configure.ac b/configure.ac
> >> >> +index e894db9fc..c119d6fd1 100644
> >> >> +--- a/configure.ac
> >> >> ++++ b/configure.ac
> >> >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
> >> >> + AC_SUBST([GSSLIBS])
> >> >> + AC_SUBST([K5LIBS])
> >> >> +
> >> >> ++# Check whether user wants systemd support
> >> >> ++SYSTEMD_MSG="no"
> >> >> ++AC_ARG_WITH(systemd,
> >> >> ++      [  --with-systemd          Enable systemd support],
> >> >> ++      [ if test "x$withval" != "xno" ; then
> >> >> ++              AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
> >> >> ++              if test "$PKGCONFIG" != "no"; then
> >> >> ++                      AC_MSG_CHECKING([for libsystemd])
> >> >> ++                      if $PKGCONFIG --exists libsystemd; then
> >> >> ++                              SYSTEMD_CFLAGS=`$PKGCONFIG --cflags
> libsystemd`
> >> >> ++                              SYSTEMD_LIBS=`$PKGCONFIG --libs
> libsystemd`
> >> >> ++                              CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
> >> >> ++                              SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
> >> >> ++                              AC_MSG_RESULT([yes])
> >> >> ++                              AC_DEFINE(HAVE_SYSTEMD, 1, [Define
> if you want systemd support.])
> >> >> ++                              SYSTEMD_MSG="yes"
> >> >> ++                      else
> >> >> ++                              AC_MSG_RESULT([no])
> >> >> ++                      fi
> >> >> ++              fi
> >> >> ++      fi ]
> >> >> ++)
> >> >> ++
> >> >> + # Looking for programs, paths and files
> >> >> +
> >> >> + PRIVSEP_PATH=/var/empty
> >> >> +@@ -5305,6 +5328,7 @@ echo "                   libldns support:
> $LDNS_MSG"
> >> >> + echo "  Solaris process contract support: $SPC_MSG"
> >> >> + echo "           Solaris project support: $SP_MSG"
> >> >> + echo "         Solaris privilege support: $SPP_MSG"
> >> >> ++echo "                   systemd support: $SYSTEMD_MSG"
> >> >> + echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
> >> >> + echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
> >> >> + echo "                  BSD Auth support: $BSD_AUTH_MSG"
> >> >> +diff --git a/sshd.c b/sshd.c
> >> >> +index 4e8ff0662..5e7679a33 100644
> >> >> +--- a/sshd.c
> >> >> ++++ b/sshd.c
> >> >> +@@ -85,6 +85,10 @@
> >> >> + #include <prot.h>
> >> >> + #endif
> >> >> +
> >> >> ++#ifdef HAVE_SYSTEMD
> >> >> ++#include <systemd/sd-daemon.h>
> >> >> ++#endif
> >> >> ++
> >> >> + #include "xmalloc.h"
> >> >> + #include "ssh.h"
> >> >> + #include "ssh2.h"
> >> >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av)
> >> >> +                       }
> >> >> +               }
> >> >> +
> >> >> ++#ifdef HAVE_SYSTEMD
> >> >> ++              /* Signal systemd that we are ready to accept
> connections */
> >> >> ++              sd_notify(0, "READY=1");
> >> >> ++#endif
> >> >> ++
> >> >> +               /* Accept a connection and return in a forked child
> */
> >> >> +               server_accept_loop(&sock_in, &sock_out,
> >> >> +                   &newsock, config_s);
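Review bot: The configure.ac part of this embedded patch turns an explicit `--with-systemd` into a silent no-op when pkg-config or libsystemd is not found — the inner `else` branch only prints `AC_MSG_RESULT([no])` — so a build that asked for systemd support can ship an sshd that never sends READY=1, and a unit waiting for that readiness message would sit in activating state until its start timeout. Replacing that `AC_MSG_RESULT([no])` with `AC_MSG_ERROR([libsystemd not found but --with-systemd requested])` turns the missing dependency into a build-time failure rather than a boot-time one. On the sshd.c side, `sd_notify(0, "READY=1")` leaves NOTIFY_SOCKET in the daemon's environment after the only message it has to send; `sd_notify(1, "READY=1")` unsets it, which keeps the environment of a daemon that forks per-connection children minimal — whether any child ever inherits sshd's environment is not visible from this hunk. Both hunks of the embedded patch are complete in this quote, but the main() they modify is not.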
> >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> >> index 55b917e20a..d425db1428 100644
> >> >> --- a/package/openssh/openssh.mk
> >> >> +++ b/package/openssh/openssh.mk
> >> >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
> >> >>         LD="$(TARGET_CC)" \
> >> >>         LDFLAGS="$(TARGET_CFLAGS)" \
> >> >>         LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
> >> >> +OPENSSH_AUTORECONF = YES
> >> >>  OPENSSH_CONF_OPTS = \
> >> >>         --sysconfdir=/etc/ssh \
> >> >>         --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
> >> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
> >> >>         --disable-wtmpx \
> >> >>         --disable-strip
> >> >>
> >> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> >> >> +OPENSSH_DEPENDENCIES = systemd
> >> >> +
> >> >> +OPENSSH_CONF_OPTS += \
> >> >> +       --with-privsep-path=/run/sshd \
> >> >> +       --with-pid-dir=/run \
> >> >> +       --with-systemd
> >> >> +
> >> >> +else
> >> >> +
> >> >>  define OPENSSH_PERMISSIONS
> >> >>         /var/empty d 755 root root - - - - -
> >> >>  endef
> >> >
> >> >
> >> > Do we still need this when using systemd, or can it be commented out ?
> >>
> >> Not sure what you mean with "this"?
> >> The OPENSSH_PERMISSIONS block is needed when not using systemd and it
> >> is only active then.
> >>
> >
> > my bad, I missed the enclosing ifeq()
> >
> >>
> >> >
> >> >
> >> >>
> >> >> +endif
> >> >>
> >> >>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
> >> >>  OPENSSH_CONF_OPTS += --without-pie
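Review bot: `OPENSSH_DEPENDENCIES = systemd` is a plain assignment rather than `+=`, so if the variable is already populated earlier in openssh.mk (the usual zlib/openssl entries are outside this quote) the systemd branch replaces that list instead of extending it; `OPENSSH_DEPENDENCIES += systemd` matches the `+=` used for OPENSSH_CONF_OPTS right below. `--with-privsep-path=/run/sshd` also moves the privilege-separation chroot onto a tmpfs path that only exists while some unit creates it: sshd refuses to start if that directory is missing, not root-owned, or group/world-writable, so every unit that launches sshd — not just the per-connection instance — needs `RuntimeDirectory=sshd` with a mode of 0755. The hunk is interleaved with reply comments here, but all twenty of its new lines are visible.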
> >> >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
> >> >>  endef
> >> >>  else
> >> >>  define OPENSSH_USERS
> >> >> -       sshd -1 sshd -1 * /var/empty - - SSH drop priv user
> >> >> +       sshd -1 sshd -1 * $(if
> $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
> >> >>  endef
> >> >>  endif
> >> >>
> >> >> diff --git a/package/openssh/sshd-sysusers.conf
> b/package/openssh/sshd-sysusers.conf
> >> >> index ac77aec065..303d0dbb63 100644
> >> >> --- a/package/openssh/sshd-sysusers.conf
> >> >> +++ b/package/openssh/sshd-sysusers.conf
> >> >> @@ -1 +1 @@
> >> >> -u sshd - "SSH drop priv user" /var/empty
> >> >> +u sshd - "SSH drop priv user" /run/sshd
> >> >> diff --git a/package/openssh/sshd.service
> b/package/openssh/sshd.service
> >> >> index b5e96b3a25..715bd3f7eb 100644
> >> >> --- a/package/openssh/sshd.service
> >> >> +++ b/package/openssh/sshd.service
> >> >> @@ -1,11 +1,20 @@
> >> >>  [Unit]
> >> >>  Description=OpenSSH server daemon
> >> >> -After=syslog.target network.target auditd.service
> >> >> +Documentation=man:sshd(8) man:sshd_config(5)
> >> >> +After=network.target auditd.service
> >> >>
> >> >>
> >> >>  [Service]
> >> >>  ExecStartPre=/usr/bin/ssh-keygen -A
> >> >> -ExecStart=/usr/sbin/sshd -D -e
> >> >> +ExecStartPre=/usr/sbin/sshd -t
> >> >> +ExecStart=/usr/sbin/sshd -D
> >> >
> >> > You dropped the -e, so you are logging to syslog.
> >> > However, you dropped the dependency on syslog.target earlier...
> >> > (maybe it should be syslog.socket instead of .target, btw)
> >>
> >>
> >> syslog.target is long long gone, and the syslog will be
> >> unconditionally available
> >> https://www.freedesktop.org/wiki/Software/systemd/syslog/
> >>
> >>
> >> >
> >> >
> >> > How exactly do you want to log? (I think logging to stdout is
> >> > better; it will be redirected to the journal.)
> >>
> >>
> >> stdout is not really useful if syslog is supported.
> >>
> > i'd go the other way round
> >
> > syslog is not really necessary if stdout is available,
> > but it's a matter of taste :P so let's go your way.
>
> It's more the point that OpenSSH already implements syslog, and that's
> a clear functional superset of listening to stdout.
>
> >
> >>
> >> >
> >> >
> >> >>
> >> >> +ExecReload=/usr/sbin/sshd -t
> >> >>  ExecReload=/bin/kill -HUP $MAINPID
> >> >> +KillMode=process
> >> >
> >> >
> >> > Wouldn't mixed be better here?
> >> > I'm not really sure what the use-case for process is anyway...
> >>
> >>
> >> I took that from Debian; I could not argue against it (there is a
> >> long discussion which I linked above).
> >> Can you argue *for* mixed?
> >>
> >
> >
> > I didn't see any link
> > * process : SIGTERM and SIGKILL is sent only to MainPID
> > * mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every process
> in the service cgroup.
> >
> > This means that if all works well, they do the same thing
> >
> > In case the MainPID fails to properly terminate its children, process
> > would leave children alive, but mixed would kill everybody.
> >
> > Since we are trying to terminate the service, it makes sense to me to
> > make sure all child processes are killed.
> >
> > but I don't see your link so I may be missing something
>
> The link is in the added patch: https://bugs.debian.org/778913
>
> As said, I could not argue either way, but I got some respect for the
> debian guys ;)
>
>
The thread does not actually discuss process vs mixed...

so it doesn't really help here.
OTOH, the Debian version has been vetted by mbiel, who is a systemd
core-maintainer.

So I would go with mixed if I were to write the service from scratch, but
since I don't have an explanation for the choice of process, I'm not
entirely sure...

A possibility is that ssh creates a process per connection. in that case
* process would not kill all ongoing connections
* mixed would

maybe it was chosen to protect existing connection. that would make some
sense.




> Norbert
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asnières-sur-Seine
*Jérémy ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: Découvrez l'univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>


* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
  2020-06-07 19:31       ` Jérémy ROSEN
@ 2020-06-07 19:45         ` Norbert Lange
  2020-06-07 21:30           ` Norbert Lange
  0 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-07 19:45 UTC (permalink / raw)
  To: buildroot

Am So., 7. Juni 2020 um 21:32 Uhr schrieb Jérémy ROSEN <jeremy.rosen@smile.fr>:
>
>
>
> Le dim. 7 juin 2020 ? 21:11, Norbert Lange <nolange79@gmail.com> a ?crit :
>>
>> Am So., 7. Juni 2020 um 13:07 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
>> >
>> >
>> >
>> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :
>> >>
>> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> >> ---
>> >>  package/openssh/openssh.mk               |  6 +++---
>> >>  package/openssh/sshd-host-keygen.service |  2 +-
>> >>  package/openssh/sshd.socket              | 11 +++++++++++
>> >>  package/openssh/sshd at .service            | 10 ++++++++++
>> >>  4 files changed, 25 insertions(+), 4 deletions(-)
>> >>  create mode 100644 package/openssh/sshd.socket
>> >>  create mode 100644 package/openssh/sshd at .service
>> >>
>> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> >> index 6b3ee1f5f4..1f2638e9c9 100644
>> >> --- a/package/openssh/openssh.mk
>> >> +++ b/package/openssh/openssh.mk
>> >> @@ -114,9 +114,9 @@ endef
>> >>  OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
>> >>
>> >>  define OPENSSH_INSTALL_INIT_SYSTEMD
>> >> -       mkdir $(TARGET_DIR)/usr/lib/systemd/system
>> >> -       $(INSTALL) -m 644 package/openssh/sshd*.service \
>> >> -               $(TARGET_DIR)/usr/lib/systemd/system/
>> >> +       mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
>> >> +       $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
>> >> +               $(TARGET_DIR)/usr/lib/systemd/system/.
>> >>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
>> >>  endef
>> >>
>> >> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
>> >> index 058e671c44..ffde622b01 100644
>> >> --- a/package/openssh/sshd-host-keygen.service
>> >> +++ b/package/openssh/sshd-host-keygen.service
>> >> @@ -17,4 +17,4 @@ Type=oneshot
>> >>  RemainAfterExit=yes
>> >>
>> >>  [Install]
>> >> -WantedBy=sshd.service
>> >> +WantedBy=sshd.service sshd.socket
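Review bot: `WantedBy=sshd.service sshd.socket` only gives the socket a Wants= edge on this oneshot, not an ordering one, so unless the [Unit] section (outside this hunk) declares `Before=sshd.socket`, or sshd.socket declares the matching After=, systemd may bind the listening socket, and an incoming connection may spawn an sshd@ instance, before the host keys have been generated, and that instance fails. Adding `Before=sshd.service sshd.socket` to the [Unit] section would mirror this [Install] line. The same hunk is quoted again in the later replies in this thread.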
>> >> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
>> >> new file mode 100644
>> >> index 0000000000..bbae9ed7aa
>> >> --- /dev/null
>> >> +++ b/package/openssh/sshd.socket
>> >> @@ -0,0 +1,11 @@
>> >> +[Unit]
>> >> +Description=OpenBSD Secure Shell server socket
>> >> +Before=sshd.service
>> >> +Conflicts=sshd.service
>> >
>> > No, that would stop the socket when the service is started, and you don't want that.
>> > If you do that, only one connection would be accepted before the socket is stopped,
>> > and since you have accept=yes, no further connections would be accepted.
>>
>> there is the singular sshd service
>> and the sshd.socket which spawns sshd@ instance services.
>> Those are mutually exclusive (because of the "Conflicts"), the
>> "Before" line just ensures that the sshd.socket wins out by default.
>>
>
> aah right, I messed up sshd.service and sshd@.service in my head.
> my bad.
>
> I personally think we shouldn't install both methods.
> either choose a distro-wide decision or provide a config option
>
> Anyway, I see what you are doing now, and that should work, AFAICT.
>
> I still think that it's cool that openssh supports all those startup methods,
> but I'm not convinced we need to support all of them in BR.

sshd is better for throughput/efficiency if you have a lot of connections,

the socket option saves memory if you rarely have connections (and is
actually a simpler service file).

I would support both, but let users pick.

Norbert


* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
  2020-06-07 19:45         ` Norbert Lange
@ 2020-06-07 21:30           ` Norbert Lange
  2020-06-07 21:43             ` Jérémy ROSEN
  0 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-07 21:30 UTC (permalink / raw)
  To: buildroot

Am So., 7. Juni 2020 um 21:45 Uhr schrieb Norbert Lange <nolange79@gmail.com>:
>
> Am So., 7. Juni 2020 um 21:32 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
> >
> >
> >
> > Le dim. 7 juin 2020 ? 21:11, Norbert Lange <nolange79@gmail.com> a ?crit :
> >>
> >> Am So., 7. Juni 2020 um 13:07 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
> >> >
> >> >
> >> >
> >> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :
> >> >>
> >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> >> ---
> >> >>  package/openssh/openssh.mk               |  6 +++---
> >> >>  package/openssh/sshd-host-keygen.service |  2 +-
> >> >>  package/openssh/sshd.socket              | 11 +++++++++++
> >> >>  package/openssh/sshd at .service            | 10 ++++++++++
> >> >>  4 files changed, 25 insertions(+), 4 deletions(-)
> >> >>  create mode 100644 package/openssh/sshd.socket
> >> >>  create mode 100644 package/openssh/sshd at .service
> >> >>
> >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> >> index 6b3ee1f5f4..1f2638e9c9 100644
> >> >> --- a/package/openssh/openssh.mk
> >> >> +++ b/package/openssh/openssh.mk
> >> >> @@ -114,9 +114,9 @@ endef
> >> >>  OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
> >> >>
> >> >>  define OPENSSH_INSTALL_INIT_SYSTEMD
> >> >> -       mkdir $(TARGET_DIR)/usr/lib/systemd/system
> >> >> -       $(INSTALL) -m 644 package/openssh/sshd*.service \
> >> >> -               $(TARGET_DIR)/usr/lib/systemd/system/
> >> >> +       mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
> >> >> +       $(INSTALL) -m 644 package/openssh/sshd*.service package/openssh/sshd.socket \
> >> >> +               $(TARGET_DIR)/usr/lib/systemd/system/.
> >> >>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> >> >>  endef
> >> >>
> >> >> diff --git a/package/openssh/sshd-host-keygen.service b/package/openssh/sshd-host-keygen.service
> >> >> index 058e671c44..ffde622b01 100644
> >> >> --- a/package/openssh/sshd-host-keygen.service
> >> >> +++ b/package/openssh/sshd-host-keygen.service
> >> >> @@ -17,4 +17,4 @@ Type=oneshot
> >> >>  RemainAfterExit=yes
> >> >>
> >> >>  [Install]
> >> >> -WantedBy=sshd.service
> >> >> +WantedBy=sshd.service sshd.socket
> >> >> diff --git a/package/openssh/sshd.socket b/package/openssh/sshd.socket
> >> >> new file mode 100644
> >> >> index 0000000000..bbae9ed7aa
> >> >> --- /dev/null
> >> >> +++ b/package/openssh/sshd.socket
> >> >> @@ -0,0 +1,11 @@
> >> >> +[Unit]
> >> >> +Description=OpenBSD Secure Shell server socket
> >> >> +Before=sshd.service
> >> >> +Conflicts=sshd.service
> >> >
> >> > No, that would stop the socket when the service is started, and you don't want that.
> >> > If you do that, only one connection would be accepted before the socket is stopped,
> >> > and since you have accept=yes, no further connections would be accepted.
> >>
> >> there is the singular sshd service
> >> and the sshd.socket which spawns sshd@ instance services.
> >> Those are mutually exclusive (because of the "Conflicts"), the
> >> "Before" line just ensures that the sshd.socket wins out by default.
> >>
> >
> > aah right, I messed up sshd.service and sshd@.service in my head.
> > my bad.
> >
> > I personally think we shouldn't install both methods.
> > either choose a distro-wide decision or provide a config option
> >
> > Anyway, I see what you are doing now, and that should work, AFAICT.
> >
> > I still think that it's cool that openssh supports all those startup methods,
> > but I'm not convinced we need to support all of them in BR.
>
> sshd is better for throughput/efficiency if you have a lot of connections,
>
> the socket option saves memory if you rarely have connections (and is
> actually a simpler service file).
>
> I would support both, but let users pick.
>
> Norbert

How about this option:

config BR2_PACKAGE_OPENSSH_SERVER_SOCKET
bool "server socket"
depends on BR2_INIT_SYSTEMD
help
  Systemd socket activation server.

makefile gonna get allota ifdefs, right now it's a bit naive anyway,
as you could pick server and not key_utils and then the services (sys
and systemd) would fail when trying to verify/generate the host keys.

Norbert


* [Buildroot] [PATCH 4/4] package/openssh: add sd socket-activated ssh daemon services
  2020-06-07 21:30           ` Norbert Lange
@ 2020-06-07 21:43             ` Jérémy ROSEN
  0 siblings, 0 replies; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-07 21:43 UTC (permalink / raw)
  To: buildroot

Sounds good... the help text might need a little work, but I like the idea
itself...

Le dim. 7 juin 2020 à 23:30, Norbert Lange <nolange79@gmail.com> a écrit :

> Am So., 7. Juni 2020 um 21:45 Uhr schrieb Norbert Lange <
> nolange79 at gmail.com>:
> >
> > Am So., 7. Juni 2020 um 21:32 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> > >
> > >
> > >
> > > Le dim. 7 juin 2020 ? 21:11, Norbert Lange <nolange79@gmail.com> a
> ?crit :
> > >>
> > >> Am So., 7. Juni 2020 um 13:07 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> > >> >
> > >> >
> > >> >
> > >> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a
> ?crit :
> > >> >>
> > >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> > >> >> ---
> > >> >>  package/openssh/openssh.mk               |  6 +++---
> > >> >>  package/openssh/sshd-host-keygen.service |  2 +-
> > >> >>  package/openssh/sshd.socket              | 11 +++++++++++
> > >> >>  package/openssh/sshd at .service            | 10 ++++++++++
> > >> >>  4 files changed, 25 insertions(+), 4 deletions(-)
> > >> >>  create mode 100644 package/openssh/sshd.socket
> > >> >>  create mode 100644 package/openssh/sshd at .service
> > >> >>
> > >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/
> openssh.mk
> > >> >> index 6b3ee1f5f4..1f2638e9c9 100644
> > >> >> --- a/package/openssh/openssh.mk
> > >> >> +++ b/package/openssh/openssh.mk
> > >> >> @@ -114,9 +114,9 @@ endef
> > >> >>  OPENSSH_POST_INSTALL_TARGET_HOOKS +=
> OPENSSH_INSTALL_SERVER_PROGRAMS
> > >> >>
> > >> >>  define OPENSSH_INSTALL_INIT_SYSTEMD
> > >> >> -       mkdir $(TARGET_DIR)/usr/lib/systemd/system
> > >> >> -       $(INSTALL) -m 644 package/openssh/sshd*.service \
> > >> >> -               $(TARGET_DIR)/usr/lib/systemd/system/
> > >> >> +       mkdir -p $(TARGET_DIR)/usr/lib/systemd/system
> > >> >> +       $(INSTALL) -m 644 package/openssh/sshd*.service
> package/openssh/sshd.socket \
> > >> >> +               $(TARGET_DIR)/usr/lib/systemd/system/.
> > >> >>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> > >> >>  endef
> > >> >>
> > >> >> diff --git a/package/openssh/sshd-host-keygen.service
> b/package/openssh/sshd-host-keygen.service
> > >> >> index 058e671c44..ffde622b01 100644
> > >> >> --- a/package/openssh/sshd-host-keygen.service
> > >> >> +++ b/package/openssh/sshd-host-keygen.service
> > >> >> @@ -17,4 +17,4 @@ Type=oneshot
> > >> >>  RemainAfterExit=yes
> > >> >>
> > >> >>  [Install]
> > >> >> -WantedBy=sshd.service
> > >> >> +WantedBy=sshd.service sshd.socket
> > >> >> diff --git a/package/openssh/sshd.socket
> b/package/openssh/sshd.socket
> > >> >> new file mode 100644
> > >> >> index 0000000000..bbae9ed7aa
> > >> >> --- /dev/null
> > >> >> +++ b/package/openssh/sshd.socket
> > >> >> @@ -0,0 +1,11 @@
> > >> >> +[Unit]
> > >> >> +Description=OpenBSD Secure Shell server socket
> > >> >> +Before=sshd.service
> > >> >> +Conflicts=sshd.service
> > >> >
> > >> > No, that would stop the socket when the service is started, and you
> don't want that.
> > >> > If you do that, only one connection would be accepted before the
> socket is stoped
> > >> > and since you have accept=yes no further connections would be
> accepted
> > >>
> > >> there is the singular sshd service
> > >> and the sshd.socket which spawns sshd@ instance services.
> > >> Those are mutually exclusive (because of the "Conflicts"), the
> > >> "Before" line just ensures that the sshd.socket wins out by default.
> > >>
> > >
> > > aah right, I messed up sshd.service and sshd at .service in my head.
> > > my bad.
> > >
> > > I personally think we shouldn't install both methods.
> > > either choose a distro-wide decision or provide a config option
> > >
> > > Anyway, I see what you are doing now, and that should work, AFAICT.
> > >
> > > I still think that it's cool that openssh supports all those startup
> methods,
> > > but I'm not convinced we need to support all of them in BR.
> >
> > sshd is better for throughput/efficiency if you have a lot of connections,
> >
> > the socket option saves memory if you rarely have connections (and is
> > actually a simpler service file).
> >
> > I would support both, but let users pick.
> >
> > Norbert
>
> How about this option:
>
> config BR2_PACKAGE_OPENSSH_SERVER_SOCKET
> bool "server socket"
> depends on BR2_INIT_SYSTEMD
> help
>   Systemd socket activation server.
>
> makefile gonna get allota ifdefs, right now it's a bit naive anyway,
> as you could pick server and not key_utils and then the services (sys
> and systemd) would fail when trying to verify/generate the host keys.
>
> Norbert
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asnières-sur-Seine
*Jérémy ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: Découvrez l'univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>


* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
  2020-06-07 19:42           ` Jérémy ROSEN
@ 2020-06-11  0:04             ` Norbert Lange
  2020-06-11  6:14               ` Jérémy ROSEN
  0 siblings, 1 reply; 22+ messages in thread
From: Norbert Lange @ 2020-06-11  0:04 UTC (permalink / raw)
  To: buildroot

Am So., 7. Juni 2020 um 21:42 Uhr schrieb Jérémy ROSEN <jeremy.rosen@smile.fr>:
>
>
>
> Le dim. 7 juin 2020 ? 21:24, Norbert Lange <nolange79@gmail.com> a ?crit :
>>
>> Am So., 7. Juni 2020 um 21:16 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
>> >
>> >
>> >
>> > Le dim. 7 juin 2020 ? 21:03, Norbert Lange <nolange79@gmail.com> a ?crit :
>> >>
>> >> Am So., 7. Juni 2020 um 12:54 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
>> >> >
>> >> >
>> >> >
>> >> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com> a ?crit :
>> >> >>
>> >> >> the openssh daemon is not suited for systemd's simple
>> >> >> service type. dependend services should only start
>> >> >> when sshd is ready to accept connections.
>> >> >>
>> >> >> A patch is added from debian to allow openssh
>> >> >> to communicate this state.
>> >> >>
>> >> >> Restarts are prevented if the reason is a faulty
>> >> >> config file (errocode 255).
>> >> >>
>> >> >> The "user confinement directory" is changed to
>> >> >> '/run/sshd' which is automatically managed by systemd.
>> >> >>
>> >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> >> >> ---
>> >> >>  package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
>> >> >>  package/openssh/openssh.mk                 | 14 +++-
>> >> >>  package/openssh/sshd-sysusers.conf         |  2 +-
>> >> >>  package/openssh/sshd.service               | 13 +++-
>> >> >>  4 files changed, 109 insertions(+), 4 deletions(-)
>> >> >>  create mode 100644 package/openssh/00-systemd-readiness.patch
>> >> >>
>> >> >> diff --git a/package/openssh/00-systemd-readiness.patch b/package/openssh/00-systemd-readiness.patch
>> >> >> new file mode 100644
>> >> >> index 0000000000..be3b6b0074
>> >> >> --- /dev/null
>> >> >> +++ b/package/openssh/00-systemd-readiness.patch
>> >> >> @@ -0,0 +1,84 @@
>> >> >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
>> >> >> +From: Michael Biebl <biebl@debian.org>
>> >> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000
>> >> >> +Subject: Add systemd readiness notification support
>> >> >> +
>> >> >> +Bug-Debian: https://bugs.debian.org/778913
>> >> >> +Forwarded: no
>> >> >> +Last-Update: 2017-08-22
>> >> >> +
>> >> >> +Patch-Name: systemd-readiness.patch
>> >> >> +---
>> >> >> + configure.ac | 24 ++++++++++++++++++++++++
>> >> >> + sshd.c       |  9 +++++++++
>> >> >> + 2 files changed, 33 insertions(+)
>> >> >> +
>> >> >> +diff --git a/configure.ac b/configure.ac
>> >> >> +index e894db9fc..c119d6fd1 100644
>> >> >> +--- a/configure.ac
>> >> >> ++++ b/configure.ac
>> >> >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
>> >> >> + AC_SUBST([GSSLIBS])
>> >> >> + AC_SUBST([K5LIBS])
>> >> >> +
>> >> >> ++# Check whether user wants systemd support
>> >> >> ++SYSTEMD_MSG="no"
>> >> >> ++AC_ARG_WITH(systemd,
>> >> >> ++      [  --with-systemd          Enable systemd support],
>> >> >> ++      [ if test "x$withval" != "xno" ; then
>> >> >> ++              AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
>> >> >> ++              if test "$PKGCONFIG" != "no"; then
>> >> >> ++                      AC_MSG_CHECKING([for libsystemd])
>> >> >> ++                      if $PKGCONFIG --exists libsystemd; then
>> >> >> ++                              SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
>> >> >> ++                              SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
>> >> >> ++                              CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
>> >> >> ++                              SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
>> >> >> ++                              AC_MSG_RESULT([yes])
>> >> >> ++                              AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
>> >> >> ++                              SYSTEMD_MSG="yes"
>> >> >> ++                      else
>> >> >> ++                              AC_MSG_RESULT([no])
>> >> >> ++                      fi
>> >> >> ++              fi
>> >> >> ++      fi ]
>> >> >> ++)
>> >> >> ++
>> >> >> + # Looking for programs, paths and files
>> >> >> +
>> >> >> + PRIVSEP_PATH=/var/empty
>> >> >> +@@ -5305,6 +5328,7 @@ echo "                   libldns support: $LDNS_MSG"
>> >> >> + echo "  Solaris process contract support: $SPC_MSG"
>> >> >> + echo "           Solaris project support: $SP_MSG"
>> >> >> + echo "         Solaris privilege support: $SPP_MSG"
>> >> >> ++echo "                   systemd support: $SYSTEMD_MSG"
>> >> >> + echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
>> >> >> + echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
>> >> >> + echo "                  BSD Auth support: $BSD_AUTH_MSG"
>> >> >> +diff --git a/sshd.c b/sshd.c
>> >> >> +index 4e8ff0662..5e7679a33 100644
>> >> >> +--- a/sshd.c
>> >> >> ++++ b/sshd.c
>> >> >> +@@ -85,6 +85,10 @@
>> >> >> + #include <prot.h>
>> >> >> + #endif
>> >> >> +
>> >> >> ++#ifdef HAVE_SYSTEMD
>> >> >> ++#include <systemd/sd-daemon.h>
>> >> >> ++#endif
>> >> >> ++
>> >> >> + #include "xmalloc.h"
>> >> >> + #include "ssh.h"
>> >> >> + #include "ssh2.h"
>> >> >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av)
>> >> >> +                       }
>> >> >> +               }
>> >> >> +
>> >> >> ++#ifdef HAVE_SYSTEMD
>> >> >> ++              /* Signal systemd that we are ready to accept connections */
>> >> >> ++              sd_notify(0, "READY=1");
>> >> >> ++#endif
>> >> >> ++
>> >> >> +               /* Accept a connection and return in a forked child */
>> >> >> +               server_accept_loop(&sock_in, &sock_out,
>> >> >> +                   &newsock, config_s);
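Review bot: The result of `sd_notify(0, "READY=1")` added in the sshd.c hunk is discarded, so when the message never reaches the manager (NOTIFY_SOCKET unset, or the socket unreachable from a sandboxed unit) the service sits in "activating" with nothing in sshd's own log to explain why; a log on a non-positive return, e.g. `if (sd_notify(0, "READY=1") <= 0) debug("sd_notify: readiness notification not delivered");`, makes that diagnosable. The first argument 0 also keeps NOTIFY_SOCKET in the environment, which the per-connection processes sshd re-execs presumably inherit; a one-line comment stating whether that is intended would help, since passing 1 would drop the variable at the cost of any later notification. main() starts and ends outside the hunk. The same hunk is re-quoted further down in the thread.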
>> >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> >> >> index 55b917e20a..d425db1428 100644
>> >> >> --- a/package/openssh/openssh.mk
>> >> >> +++ b/package/openssh/openssh.mk
>> >> >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
>> >> >>         LD="$(TARGET_CC)" \
>> >> >>         LDFLAGS="$(TARGET_CFLAGS)" \
>> >> >>         LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
>> >> >> +OPENSSH_AUTORECONF = YES
>> >> >>  OPENSSH_CONF_OPTS = \
>> >> >>         --sysconfdir=/etc/ssh \
>> >> >>         --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
>> >> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
>> >> >>         --disable-wtmpx \
>> >> >>         --disable-strip
>> >> >>
>> >> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
>> >> >> +OPENSSH_DEPENDENCIES = systemd
>> >> >> +
>> >> >> +OPENSSH_CONF_OPTS += \
>> >> >> +       --with-privsep-path=/run/sshd \
>> >> >> +       --with-pid-dir=/run \
>> >> >> +       --with-systemd
>> >> >> +
>> >> >> +else
>> >> >> +
>> >> >>  define OPENSSH_PERMISSIONS
>> >> >>         /var/empty d 755 root root - - - - -
>> >> >>  endef
>> >> >
>> >> >
>> >> > Do we still need this when using systemd, or can it be commented out ?
>> >>
>> >> Not sure what you mean with "this"?
>> >> The OPENSSH_PERMISSIONS block is needed when not using systemd and it
>> >> is only active then.
>> >>
>> >
>> > my bad, I missed the enclosing ifeq()
>> >
>> >>
>> >> >
>> >> >
>> >> >>
>> >> >> +endif
>> >> >>
>> >> >>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>> >> >>  OPENSSH_CONF_OPTS += --without-pie
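Review bot: `OPENSSH_DEPENDENCIES = systemd` is a plain assignment and discards whatever was assigned to OPENSSH_DEPENDENCIES earlier in openssh.mk; the CONF_ENV block above resolves openssl through pkg-config, so openssl (and anything else listed there) is presumably already in that variable and would silently drop out of the build ordering. `OPENSSH_DEPENDENCIES += systemd` avoids that and also keeps the `+= audit` line from patch 1/4 composable wherever it lands. With `--with-privsep-path=/run/sshd` sshd should refuse to start unless that directory exists, is root-owned and not group/world writable, and nothing in this hunk creates it, so the unit presumably relies on a RuntimeDirectory= or tmpfiles entry outside the hunk; a short comment above the ifeq naming where /run/sshd comes from would spare the next reader that check. The same hunk is re-quoted further down in the thread.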
>> >> >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
>> >> >>  endef
>> >> >>  else
>> >> >>  define OPENSSH_USERS
>> >> >> -       sshd -1 sshd -1 * /var/empty - - SSH drop priv user
>> >> >> +       sshd -1 sshd -1 * $(if $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
>> >> >>  endef
>> >> >>  endif
>> >> >>
>> >> >> diff --git a/package/openssh/sshd-sysusers.conf b/package/openssh/sshd-sysusers.conf
>> >> >> index ac77aec065..303d0dbb63 100644
>> >> >> --- a/package/openssh/sshd-sysusers.conf
>> >> >> +++ b/package/openssh/sshd-sysusers.conf
>> >> >> @@ -1 +1 @@
>> >> >> -u sshd - "SSH drop priv user" /var/empty
>> >> >> +u sshd - "SSH drop priv user" /run/sshd
>> >> >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
>> >> >> index b5e96b3a25..715bd3f7eb 100644
>> >> >> --- a/package/openssh/sshd.service
>> >> >> +++ b/package/openssh/sshd.service
>> >> >> @@ -1,11 +1,20 @@
>> >> >>  [Unit]
>> >> >>  Description=OpenSSH server daemon
>> >> >> -After=syslog.target network.target auditd.service
>> >> >> +Documentation=man:sshd(8) man:sshd_config(5)
>> >> >> +After=network.target auditd.service
>> >> >>
>> >> >>
>> >> >>  [Service]
>> >> >>  ExecStartPre=/usr/bin/ssh-keygen -A
>> >> >> -ExecStart=/usr/sbin/sshd -D -e
>> >> >> +ExecStartPre=/usr/sbin/sshd -t
>> >> >> +ExecStart=/usr/sbin/sshd -D
>> >> >
>> >> > You droped the -e, so  you are logging to syslog
>> >> > However you droped the dependency on syslog.target earlier...
>> >> > (maybe it should be syslog.socket instead of .target, btw)
>> >>
>> >>
>> >> syslog.target is long long gone, and the syslog will be
>> >> unconditionally available
>> >> https://www.freedesktop.org/wiki/Software/systemd/syslog/
>> >>
>> >>
>> >> >
>> >> >
>> >> > how exactly do you want to log  ? (I think logging to stdout is better, it will be
>> >> > redirected to the journal.
>> >>
>> >>
>> >> stdout is not really useful if syslog is supported.
>> >>
>> > i'd go the other way round
>> >
>> > syslog is not really necessary if stdout is available,
>> > but it's a matter of taste :P so let's go your way.
>>
>> Its more the point, that Openssh already implemented syslog, and thats
>> a clear functional superset of listening to stdout.
>>
>> >
>> >>
>> >> >
>> >> >
>> >> >>
>> >> >> +ExecReload=/usr/sbin/sshd -t
>> >> >>  ExecReload=/bin/kill -HUP $MAINPID
>> >> >> +KillMode=process
>> >> >
>> >> >
>> >> > Wouldn't mixed be better here ?
>> >> > I'm not really sure what the use-case for procss is anyway...
>> >>
>> >>
>> >> I taken that from debian, I could not argue against it (there is a
>> >> long discussion which I linked above).
>> >> Can you argue *for* mixed?
>> >>
>> >
>> >
>> > I didn't see any link
>> > * process : SIGTERM and SIGKILL is sent only to MainPID
>> > * mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every process in the service cgroup.
>> >
>> > This means that if all works well, they do the same thing
>> >
>> > in case the MainPID fails to properly terminate its children, process would leave children alive
>> > but mixed woul kill everybody
>> >
>> > Since we are trying to terminate the service, it makes sense to me to make sur all child process
>> > are killed.
>> >
>> > but I don't see your link so I may be missing something
>>
>> The link is in the added patch: https://bugs.debian.org/778913
>>
>> As said, I could not argue either way, but I got some respect for the
>> debian guys ;)
>>
>
> The thread does not actually discuss process vs mixed...
>
> so doesn't really help here.
> OTOH, the debian version has been vetted by mbiel which is a systemc core-maintainer.
>
> so i would go with mixed if I were to write the service from scratch, but since I don't have an
> explanation for the choice of process, I'm not entirely sure...
>
> A possibility is that ssh creates a process per connection. in that case
> * process would not kill all ongoing connections
> * mixed would
>
> maybe it was chosen to protect existing connection. that would make some sense.

Well, debian and arch seem to agree on using "process", I guess it
means to just prevent
new connections and not kill existing ones?

Can I get a "reviewed-by" for this patch, so this and #3 can be merged?

Norbert


* [Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd
  2020-06-11  0:04             ` Norbert Lange
@ 2020-06-11  6:14               ` Jérémy ROSEN
  0 siblings, 0 replies; 22+ messages in thread
From: Jérémy ROSEN @ 2020-06-11  6:14 UTC (permalink / raw)
  To: buildroot

sure

Reviewed-by: Jérémy Rosen <jeremy.rosen@smile.fr>

Sorry for noticing that everything was addressed

Le jeu. 11 juin 2020 à 02:04, Norbert Lange <nolange79@gmail.com> a écrit :

> Am So., 7. Juni 2020 um 21:42 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> >
> >
> >
> > Le dim. 7 juin 2020 ? 21:24, Norbert Lange <nolange79@gmail.com> a
> ?crit :
> >>
> >> Am So., 7. Juni 2020 um 21:16 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> >> >
> >> >
> >> >
> >> > Le dim. 7 juin 2020 ? 21:03, Norbert Lange <nolange79@gmail.com> a
> ?crit :
> >> >>
> >> >> Am So., 7. Juni 2020 um 12:54 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> >> >> >
> >> >> >
> >> >> >
> >> >> > Le sam. 6 juin 2020 ? 00:59, Norbert Lange <nolange79@gmail.com>
> a ?crit :
> >> >> >>
> >> >> >> the openssh daemon is not suited for systemd's simple
> >> >> >> service type. dependend services should only start
> >> >> >> when sshd is ready to accept connections.
> >> >> >>
> >> >> >> A patch is added from debian to allow openssh
> >> >> >> to communicate this state.
> >> >> >>
> >> >> >> Restarts are prevented if the reason is a faulty
> >> >> >> config file (errocode 255).
> >> >> >>
> >> >> >> The "user confinement directory" is changed to
> >> >> >> '/run/sshd' which is automatically managed by systemd.
> >> >> >>
> >> >> >> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> >> >> >> ---
> >> >> >>  package/openssh/00-systemd-readiness.patch | 84
> ++++++++++++++++++++++
> >> >> >>  package/openssh/openssh.mk                 | 14 +++-
> >> >> >>  package/openssh/sshd-sysusers.conf         |  2 +-
> >> >> >>  package/openssh/sshd.service               | 13 +++-
> >> >> >>  4 files changed, 109 insertions(+), 4 deletions(-)
> >> >> >>  create mode 100644 package/openssh/00-systemd-readiness.patch
> >> >> >>
> >> >> >> diff --git a/package/openssh/00-systemd-readiness.patch
> b/package/openssh/00-systemd-readiness.patch
> >> >> >> new file mode 100644
> >> >> >> index 0000000000..be3b6b0074
> >> >> >> --- /dev/null
> >> >> >> +++ b/package/openssh/00-systemd-readiness.patch
> >> >> >> @@ -0,0 +1,84 @@
> >> >> >> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17
> 00:00:00 2001
> >> >> >> +From: Michael Biebl <biebl@debian.org>
> >> >> >> +Date: Mon, 21 Dec 2015 16:08:47 +0000
> >> >> >> +Subject: Add systemd readiness notification support
> >> >> >> +
> >> >> >> +Bug-Debian: https://bugs.debian.org/778913
> >> >> >> +Forwarded: no
> >> >> >> +Last-Update: 2017-08-22
> >> >> >> +
> >> >> >> +Patch-Name: systemd-readiness.patch
> >> >> >> +---
> >> >> >> + configure.ac | 24 ++++++++++++++++++++++++
> >> >> >> + sshd.c       |  9 +++++++++
> >> >> >> + 2 files changed, 33 insertions(+)
> >> >> >> +
> >> >> >> +diff --git a/configure.ac b/configure.ac
> >> >> >> +index e894db9fc..c119d6fd1 100644
> >> >> >> +--- a/configure.ac
> >> >> >> ++++ b/configure.ac
> >> >> >> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
> >> >> >> + AC_SUBST([GSSLIBS])
> >> >> >> + AC_SUBST([K5LIBS])
> >> >> >> +
> >> >> >> ++# Check whether user wants systemd support
> >> >> >> ++SYSTEMD_MSG="no"
> >> >> >> ++AC_ARG_WITH(systemd,
> >> >> >> ++      [  --with-systemd          Enable systemd support],
> >> >> >> ++      [ if test "x$withval" != "xno" ; then
> >> >> >> ++              AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
> >> >> >> ++              if test "$PKGCONFIG" != "no"; then
> >> >> >> ++                      AC_MSG_CHECKING([for libsystemd])
> >> >> >> ++                      if $PKGCONFIG --exists libsystemd; then
> >> >> >> ++                              SYSTEMD_CFLAGS=`$PKGCONFIG
> --cflags libsystemd`
> >> >> >> ++                              SYSTEMD_LIBS=`$PKGCONFIG --libs
> libsystemd`
> >> >> >> ++                              CPPFLAGS="$CPPFLAGS
> $SYSTEMD_CFLAGS"
> >> >> >> ++                              SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
> >> >> >> ++                              AC_MSG_RESULT([yes])
> >> >> >> ++                              AC_DEFINE(HAVE_SYSTEMD, 1,
> [Define if you want systemd support.])
> >> >> >> ++                              SYSTEMD_MSG="yes"
> >> >> >> ++                      else
> >> >> >> ++                              AC_MSG_RESULT([no])
> >> >> >> ++                      fi
> >> >> >> ++              fi
> >> >> >> ++      fi ]
> >> >> >> ++)
> >> >> >> ++
> >> >> >> + # Looking for programs, paths and files
> >> >> >> +
> >> >> >> + PRIVSEP_PATH=/var/empty
> >> >> >> +@@ -5305,6 +5328,7 @@ echo "                   libldns support:
> $LDNS_MSG"
> >> >> >> + echo "  Solaris process contract support: $SPC_MSG"
> >> >> >> + echo "           Solaris project support: $SP_MSG"
> >> >> >> + echo "         Solaris privilege support: $SPP_MSG"
> >> >> >> ++echo "                   systemd support: $SYSTEMD_MSG"
> >> >> >> + echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
> >> >> >> + echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
> >> >> >> + echo "                  BSD Auth support: $BSD_AUTH_MSG"
> >> >> >> +diff --git a/sshd.c b/sshd.c
> >> >> >> +index 4e8ff0662..5e7679a33 100644
> >> >> >> +--- a/sshd.c
> >> >> >> ++++ b/sshd.c
> >> >> >> +@@ -85,6 +85,10 @@
> >> >> >> + #include <prot.h>
> >> >> >> + #endif
> >> >> >> +
> >> >> >> ++#ifdef HAVE_SYSTEMD
> >> >> >> ++#include <systemd/sd-daemon.h>
> >> >> >> ++#endif
> >> >> >> ++
> >> >> >> + #include "xmalloc.h"
> >> >> >> + #include "ssh.h"
> >> >> >> + #include "ssh2.h"
> >> >> >> +@@ -1951,6 +1955,11 @@ main(int ac, char **av)
> >> >> >> +                       }
> >> >> >> +               }
> >> >> >> +
> >> >> >> ++#ifdef HAVE_SYSTEMD
> >> >> >> ++              /* Signal systemd that we are ready to accept
> connections */
> >> >> >> ++              sd_notify(0, "READY=1");
> >> >> >> ++#endif
> >> >> >> ++
> >> >> >> +               /* Accept a connection and return in a forked
> child */
> >> >> >> +               server_accept_loop(&sock_in, &sock_out,
> >> >> >> +                   &newsock, config_s);
> >> >> >> diff --git a/package/openssh/openssh.mk b/package/openssh/
> openssh.mk
> >> >> >> index 55b917e20a..d425db1428 100644
> >> >> >> --- a/package/openssh/openssh.mk
> >> >> >> +++ b/package/openssh/openssh.mk
> >> >> >> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
> >> >> >>         LD="$(TARGET_CC)" \
> >> >> >>         LDFLAGS="$(TARGET_CFLAGS)" \
> >> >> >>         LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
> >> >> >> +OPENSSH_AUTORECONF = YES
> >> >> >>  OPENSSH_CONF_OPTS = \
> >> >> >>         --sysconfdir=/etc/ssh \
> >> >> >>         --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
> >> >> >> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
> >> >> >>         --disable-wtmpx \
> >> >> >>         --disable-strip
> >> >> >>
> >> >> >> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> >> >> >> +OPENSSH_DEPENDENCIES = systemd
> >> >> >> +
> >> >> >> +OPENSSH_CONF_OPTS += \
> >> >> >> +       --with-privsep-path=/run/sshd \
> >> >> >> +       --with-pid-dir=/run \
> >> >> >> +       --with-systemd
> >> >> >> +
> >> >> >> +else
> >> >> >> +
> >> >> >>  define OPENSSH_PERMISSIONS
> >> >> >>         /var/empty d 755 root root - - - - -
> >> >> >>  endef
> >> >> >
> >> >> >
> >> >> > Do we still need this when using systemd, or can it be commented
> out ?
> >> >>
> >> >> Not sure what you mean with "this"?
> >> >> The OPENSSH_PERMISSIONS block is needed when not using systemd and it
> >> >> is only active then.
> >> >>
> >> >
> >> > my bad, I missed the enclosing ifeq()
> >> >
> >> >>
> >> >> >
> >> >> >
> >> >> >>
> >> >> >> +endif
> >> >> >>
> >> >> >>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
> >> >> >>  OPENSSH_CONF_OPTS += --without-pie
> >> >> >> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
> >> >> >>  endef
> >> >> >>  else
> >> >> >>  define OPENSSH_USERS
> >> >> >> -       sshd -1 sshd -1 * /var/empty - - SSH drop priv user
> >> >> >> +       sshd -1 sshd -1 * $(if
> $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
> >> >> >>  endef
> >> >> >>  endif
> >> >> >>
> >> >> >> diff --git a/package/openssh/sshd-sysusers.conf
> b/package/openssh/sshd-sysusers.conf
> >> >> >> index ac77aec065..303d0dbb63 100644
> >> >> >> --- a/package/openssh/sshd-sysusers.conf
> >> >> >> +++ b/package/openssh/sshd-sysusers.conf
> >> >> >> @@ -1 +1 @@
> >> >> >> -u sshd - "SSH drop priv user" /var/empty
> >> >> >> +u sshd - "SSH drop priv user" /run/sshd
> >> >> >> diff --git a/package/openssh/sshd.service
> b/package/openssh/sshd.service
> >> >> >> index b5e96b3a25..715bd3f7eb 100644
> >> >> >> --- a/package/openssh/sshd.service
> >> >> >> +++ b/package/openssh/sshd.service
> >> >> >> @@ -1,11 +1,20 @@
> >> >> >>  [Unit]
> >> >> >>  Description=OpenSSH server daemon
> >> >> >> -After=syslog.target network.target auditd.service
> >> >> >> +Documentation=man:sshd(8) man:sshd_config(5)
> >> >> >> +After=network.target auditd.service
> >> >> >>
> >> >> >>
> >> >> >>  [Service]
> >> >> >>  ExecStartPre=/usr/bin/ssh-keygen -A
> >> >> >> -ExecStart=/usr/sbin/sshd -D -e
> >> >> >> +ExecStartPre=/usr/sbin/sshd -t
> >> >> >> +ExecStart=/usr/sbin/sshd -D
> >> >> >
> >> >> > You droped the -e, so  you are logging to syslog
> >> >> > However you droped the dependency on syslog.target earlier...
> >> >> > (maybe it should be syslog.socket instead of .target, btw)
> >> >>
> >> >>
> >> >> syslog.target is long long gone, and the syslog will be
> >> >> unconditionally available
> >> >> https://www.freedesktop.org/wiki/Software/systemd/syslog/
> >> >>
> >> >>
> >> >> >
> >> >> >
> >> >> > how exactly do you want to log  ? (I think logging to stdout is
> better, it will be
> >> >> > redirected to the journal.
> >> >>
> >> >>
> >> >> stdout is not really useful if syslog is supported.
> >> >>
> >> > i'd go the other way round
> >> >
> >> > syslog is not really necessary if stdout is available,
> >> > but it's a matter of taste :P so let's go your way.
> >>
> >> Its more the point, that Openssh already implemented syslog, and thats
> >> a clear functional superset of listening to stdout.
> >>
> >> >
> >> >>
> >> >> >
> >> >> >
> >> >> >>
> >> >> >> +ExecReload=/usr/sbin/sshd -t
> >> >> >>  ExecReload=/bin/kill -HUP $MAINPID
> >> >> >> +KillMode=process
> >> >> >
> >> >> >
> >> >> > Wouldn't mixed be better here ?
> >> >> > I'm not really sure what the use-case for procss is anyway...
> >> >>
> >> >>
> >> >> I taken that from debian, I could not argue against it (there is a
> >> >> long discussion which I linked above).
> >> >> Can you argue *for* mixed?
> >> >>
> >> >
> >> >
> >> > I didn't see any link
> >> > * process : SIGTERM and SIGKILL is sent only to MainPID
> >> > * mixed : SIGTERM is sent to MainPID, SIGKILL is sent to every
> process in the service cgroup.
> >> >
> >> > This means that if all works well, they do the same thing
> >> >
> >> > in case the MainPID fails to properly terminate its children, process
> would leave children alive
> >> > but mixed woul kill everybody
> >> >
> >> > Since we are trying to terminate the service, it makes sense to me to
> make sur all child process
> >> > are killed.
> >> >
> >> > but I don't see your link so I may be missing something
> >>
> >> The link is in the added patch: https://bugs.debian.org/778913
> >>
> >> As said, I could not argue either way, but I got some respect for the
> >> debian guys ;)
> >>
> >
> > The thread does not actually discuss process vs mixed...
> >
> > so doesn't really help here.
> > OTOH, the debian version has been vetted by mbiel which is a systemc
> core-maintainer.
> >
> > so i would go with mixed if I were to write the service from scratch,
> but since I don't have an
> > explanation for the choice of process, I'm not entirely sure...
> >
> > A possibility is that ssh creates a process per connection. in that case
> > * process would not kill all ongoing connections
> > * mixed would
> >
> > maybe it was chosen to protect existing connection. that would make some
> sense.
>
> Well, debian and arch seem to agree on using "process", I guess it
> means to just prevent
> new connections and not kill existing ones?
>
> Can I get a "reviewed-by" for this patch, so this and #3 can be merged?
>
> Norbert
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asnières-sur-Seine
*Jérémy ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: Découvrez l'univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>

