[Buildroot] [PATCH 2/4] package/openssh: improve integration for systemd

Jérémy ROSEN jeremy.rosen at smile.fr
Sun Jun 7 10:54:25 UTC 2020


Le sam. 6 juin 2020 à 00:59, Norbert Lange <nolange79 at gmail.com> a écrit :

> the openssh daemon is not suited for systemd's simple
> service type. dependend services should only start
> when sshd is ready to accept connections.
>
> A patch is added from debian to allow openssh
> to communicate this state.
>
> Restarts are prevented if the reason is a faulty
> config file (errocode 255).
>
> The "user confinement directory" is changed to
> '/run/sshd' which is automatically managed by systemd.
>
> Signed-off-by: Norbert Lange <nolange79 at gmail.com>
> ---
>  package/openssh/00-systemd-readiness.patch | 84 ++++++++++++++++++++++
>  package/openssh/openssh.mk                 | 14 +++-
>  package/openssh/sshd-sysusers.conf         |  2 +-
>  package/openssh/sshd.service               | 13 +++-
>  4 files changed, 109 insertions(+), 4 deletions(-)
>  create mode 100644 package/openssh/00-systemd-readiness.patch
>
> diff --git a/package/openssh/00-systemd-readiness.patch
> b/package/openssh/00-systemd-readiness.patch
> new file mode 100644
> index 0000000000..be3b6b0074
> --- /dev/null
> +++ b/package/openssh/00-systemd-readiness.patch
> @@ -0,0 +1,84 @@
> +From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
> +From: Michael Biebl <biebl at debian.org>
> +Date: Mon, 21 Dec 2015 16:08:47 +0000
> +Subject: Add systemd readiness notification support
> +
> +Bug-Debian: https://bugs.debian.org/778913
> +Forwarded: no
> +Last-Update: 2017-08-22
> +
> +Patch-Name: systemd-readiness.patch
> +---
> + configure.ac | 24 ++++++++++++++++++++++++
> + sshd.c       |  9 +++++++++
> + 2 files changed, 33 insertions(+)
> +
> +diff --git a/configure.ac b/configure.ac
> +index e894db9fc..c119d6fd1 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
> + AC_SUBST([GSSLIBS])
> + AC_SUBST([K5LIBS])
> +
> ++# Check whether user wants systemd support
> ++SYSTEMD_MSG="no"
> ++AC_ARG_WITH(systemd,
> ++      [  --with-systemd          Enable systemd support],
> ++      [ if test "x$withval" != "xno" ; then
> ++              AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
> ++              if test "$PKGCONFIG" != "no"; then
> ++                      AC_MSG_CHECKING([for libsystemd])
> ++                      if $PKGCONFIG --exists libsystemd; then
> ++                              SYSTEMD_CFLAGS=`$PKGCONFIG --cflags
> libsystemd`
> ++                              SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
> ++                              CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
> ++                              SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
> ++                              AC_MSG_RESULT([yes])
> ++                              AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you
> want systemd support.])
> ++                              SYSTEMD_MSG="yes"
> ++                      else
> ++                              AC_MSG_RESULT([no])
> ++                      fi
> ++              fi
> ++      fi ]
> ++)
> ++
> + # Looking for programs, paths and files
> +
> + PRIVSEP_PATH=/var/empty
> +@@ -5305,6 +5328,7 @@ echo "                   libldns support: $LDNS_MSG"
> + echo "  Solaris process contract support: $SPC_MSG"
> + echo "           Solaris project support: $SP_MSG"
> + echo "         Solaris privilege support: $SPP_MSG"
> ++echo "                   systemd support: $SYSTEMD_MSG"
> + echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
> + echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
> + echo "                  BSD Auth support: $BSD_AUTH_MSG"
> +diff --git a/sshd.c b/sshd.c
> +index 4e8ff0662..5e7679a33 100644
> +--- a/sshd.c
> ++++ b/sshd.c
> +@@ -85,6 +85,10 @@
> + #include <prot.h>
> + #endif
> +
> ++#ifdef HAVE_SYSTEMD
> ++#include <systemd/sd-daemon.h>
> ++#endif
> ++
> + #include "xmalloc.h"
> + #include "ssh.h"
> + #include "ssh2.h"
> +@@ -1951,6 +1955,11 @@ main(int ac, char **av)
> +                       }
> +               }
> +
> ++#ifdef HAVE_SYSTEMD
> ++              /* Signal systemd that we are ready to accept connections
> */
> ++              sd_notify(0, "READY=1");
> ++#endif
> ++
> +               /* Accept a connection and return in a forked child */
> +               server_accept_loop(&sock_in, &sock_out,
> +                   &newsock, config_s);
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 55b917e20a..d425db1428 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -12,6 +12,7 @@ OPENSSH_CONF_ENV = \
>         LD="$(TARGET_CC)" \
>         LDFLAGS="$(TARGET_CFLAGS)" \
>         LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
> +OPENSSH_AUTORECONF = YES
>  OPENSSH_CONF_OPTS = \
>         --sysconfdir=/etc/ssh \
>         --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
> @@ -22,9 +23,20 @@ OPENSSH_CONF_OPTS = \
>         --disable-wtmpx \
>         --disable-strip
>
> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> +OPENSSH_DEPENDENCIES = systemd
> +
> +OPENSSH_CONF_OPTS += \
> +       --with-privsep-path=/run/sshd \
> +       --with-pid-dir=/run \
> +       --with-systemd
> +
> +else
> +
>  define OPENSSH_PERMISSIONS
>         /var/empty d 755 root root - - - - -
>  endef
>

Do we still need this when using systemd, or can it be commented out ?


> +endif
>
>  ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
>  OPENSSH_CONF_OPTS += --without-pie
> @@ -72,7 +84,7 @@ define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
>  endef
>  else
>  define OPENSSH_USERS
> -       sshd -1 sshd -1 * /var/empty - - SSH drop priv user
> +       sshd -1 sshd -1 * $(if
> $(BR2_PACKAGE_SYSTEMD),/run/sshd,/var/empty) - - SSH drop priv user
>  endef
>  endif
>
> diff --git a/package/openssh/sshd-sysusers.conf
> b/package/openssh/sshd-sysusers.conf
> index ac77aec065..303d0dbb63 100644
> --- a/package/openssh/sshd-sysusers.conf
> +++ b/package/openssh/sshd-sysusers.conf
> @@ -1 +1 @@
> -u sshd - "SSH drop priv user" /var/empty
> +u sshd - "SSH drop priv user" /run/sshd
> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
> index b5e96b3a25..715bd3f7eb 100644
> --- a/package/openssh/sshd.service
> +++ b/package/openssh/sshd.service
> @@ -1,11 +1,20 @@
>  [Unit]
>  Description=OpenSSH server daemon
> -After=syslog.target network.target auditd.service
> +Documentation=man:sshd(8) man:sshd_config(5)
> +After=network.target auditd.service


>  [Service]
>  ExecStartPre=/usr/bin/ssh-keygen -A
> -ExecStart=/usr/sbin/sshd -D -e
> +ExecStartPre=/usr/sbin/sshd -t
> +ExecStart=/usr/sbin/sshd -D
>
You droped the -e, so  you are logging to syslog
However you droped the dependency on syslog.target earlier...
(maybe it should be syslog.socket instead of .target, btw)

how exactly do you want to log  ? (I think logging to stdout is better, it
will be
redirected to the journal.


> +ExecReload=/usr/sbin/sshd -t
>  ExecReload=/bin/kill -HUP $MAINPID
> +KillMode=process
>

Wouldn't mixed be better here ?
I'm not really sure what the use-case for procss is anyway...


> +Restart=on-failure
> +RestartPreventExitStatus=255
> +Type=notify
> +RuntimeDirectory=sshd
> +RuntimeDirectoryMode=0755
>
>  [Install]
>  WantedBy=multi-user.target
> --
> 2.26.2
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asnières-sur-Seine
*Jérémy ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200607/19becf37/attachment-0002.html>


More information about the buildroot mailing list