[Pkg-sssd-devel] sssd: Changes to 'ubuntu-trusty'
Victor Tapia King
victortapia-guest at moszumanska.debian.org
Fri Mar 24 20:04:34 UTC 2017
debian/changelog | 9 +
debian/patches/pidfile-creation.diff | 269 +++++++++++++++++++++++++++++++++++
debian/patches/sanitize_newline.diff | 31 ++++
debian/patches/series | 2
debian/sssd-common.sssd.upstart.in | 17 ++
5 files changed, 327 insertions(+), 1 deletion(-)
New commits:
commit 569c7edbe44e8479a3d6fae63be98ee0761a2396
Author: Victor Tapia <victor.tapia at canonical.com>
Date: Fri Mar 24 21:02:17 2017 +0100
Fixes for LP#1566508 and LP#1669712.
* d/p/pidfile-creation.diff: Delay the pidfile creation until the
responders are up (LP: #1566508)
* d/p/sanitize_newline.diff: Sanitize newline and carriage return
characters before LDAP queries. (LP: #1669712)
diff --git a/debian/changelog b/debian/changelog
index 38ad28d..381ee70 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+sssd (1.11.8-0ubuntu0.6) trusty; urgency=medium
+
+ * d/p/pidfile-creation.diff: Delay the pidfile creation until the
+ responders are up (LP: #1566508)
+ * d/p/sanitize_newline.diff: Sanitize newline and carriage return
+ characters before LDAP queries. (LP: #1669712)
+
+ -- Victor Tapia <victor.tapia at canonical.com> Fri, 24 Mar 2017 11:26:41 +0100
+
sssd (1.11.8-0ubuntu0.5) trusty; urgency=medium
* d/p/BUILD-Fix-linking-with-librt.diff: Upstream fix for FTBS on
diff --git a/debian/patches/pidfile-creation.diff b/debian/patches/pidfile-creation.diff
new file mode 100644
index 0000000..7ba1341
--- /dev/null
+++ b/debian/patches/pidfile-creation.diff
@@ -0,0 +1,269 @@
+Description: Mark SSSD as started after all responders are up.
+ This patch fixes the sssd boot process for upstart and sssd
+ creating the pidfile after the responders are up and using it
+ to determine when the service is ready/started.
+
+Origin: upstream, commit: d4063e9a21a4e203bee7e0a0144fa8cabb14cc46
+Author: Victor Tapia <victor.tapia at canonical.com>
+Bug: https://fedorahosted.org/sssd/ticket/3080
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1566508
+Reviewed-By: Rafael Tinoco <rafael.tinoco at canonical.com>
+Last-Update: 2017-03-07
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -251,10 +251,6 @@
+ AM_CHECK_SEMANAGE
+ fi
+
+-if test x$HAVE_SYSTEMD_UNIT != x; then
+- AM_CHECK_SYSTEMD
+-fi
+-
+ if test x$cryptolib = xnss; then
+ AM_CHECK_NSS
+ fi
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -724,6 +724,7 @@
+ $(INOTIFY_LIBS) \
+ $(LIBNL_LIBS) \
+ $(KEYUTILS_LIBS) \
++ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+
+ sssd_nss_SOURCES = \
+--- a/src/external/systemd.m4
++++ b/src/external/systemd.m4
+@@ -1,8 +1,42 @@
+ dnl A macro to check presence of systemd on the system
+-AC_DEFUN([AM_CHECK_SYSTEMD],
+-[
+- PKG_CHECK_EXISTS(systemd,
+- [ HAVE_SYSTEMD=1, AC_SUBST(HAVE_SYSTEMD) ],
+- [AC_MSG_ERROR([Could not detect systemd presence])]
+- )
+-])
++PKG_CHECK_EXISTS([systemd],
++ [HAVE_SYSTEMD=yes],
++ [HAVE_SYSTEMD=no])
++
++dnl Libraries libsystemd-journal and libsystem-login are deprecarted
++dnl since systemd 209 and are removed in systemd 230. The library libsystemd
++dnl is replacement of libsystemd-{login,journal,daemon,id128} libraries
++PKG_CHECK_EXISTS([libsystemd],
++ [HAVE_LIBSYSTEMD=yes],
++ [HAVE_LIBSYSTEMD=no])
++
++AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
++ [login_lib_name=libsystemd],
++ [login_lib_name=libsystemd-login])
++
++AS_IF([test x$HAVE_SYSTEMD = xyes],
++ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD], 1, [Build with systemd support])],
++ [AC_MSG_NOTICE([Build without systemd support])])
++
++AS_IF([test x$HAVE_SYSTEMD = xyes],
++ [PKG_CHECK_MODULES(
++ [SYSTEMD_LOGIN],
++ [$login_lib_name],
++ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_LOGIN], 1,
++ [Build with $login_lib_name support])],
++ [AC_MSG_NOTICE([Build without $login_lib_name support])])],
++ [AC_MSG_NOTICE([Build without $login_lib_name support])])
++
++AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
++ [daemon_lib_name=libsystemd],
++ [daemon_lib_name=libsystemd-daemon])
++
++AS_IF([test x$HAVE_SYSTEMD = xyes],
++ [PKG_CHECK_MODULES(
++ [SYSTEMD_DAEMON],
++ [$daemon_lib_name],
++ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_DAEMON], 1,
++ [Build with $daemon_lib_name support])],
++ [AC_MSG_NOTICE([Build without $daemon_lib_name support])])],
++ [AC_MSG_NOTICE([Build without $daemon_lib_name support])])
++
+--- a/src/monitor/monitor.c
++++ b/src/monitor/monitor.c
+@@ -55,6 +55,10 @@
+ #include <keyutils.h>
+ #endif
+
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ /* ping time cannot be less then once every few seconds or the
+ * monitor will get crazy hammering children with messages */
+ #define MONITOR_DEF_PING_TIME 10
+@@ -77,7 +81,6 @@
+
+ /* name of the monitor server instance */
+ #define MONITOR_NAME "sssd"
+-#define SSSD_PIDFILE_PATH PID_PATH"/"MONITOR_NAME".pid"
+
+ /* Special value to leave the Kerberos Replay Cache set to use
+ * the libkrb5 defaults
+@@ -172,6 +175,7 @@
+ struct netlink_ctx *nlctx;
+ const char *conf_path;
+ struct sss_sigchild_ctx *sigchld_ctx;
++ bool pid_file_created;
+ bool is_daemon;
+ pid_t parent_pid;
+ };
+@@ -429,7 +433,30 @@
+ ctx->started_services++;
+ }
+
+- if (ctx->started_services == ctx->num_services) {
++ /* create the pid file if all services are alive */
++ if (!ctx->pid_file_created && ctx->started_services == ctx->num_services) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "All services have successfully started, creating pid file\n");
++ ret = pidfile(PID_PATH, MONITOR_NAME);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE,
++ "Error creating pidfile: %s/%s.pid! (%d [%s])\n",
++ PID_PATH, MONITOR_NAME, ret, strerror(ret));
++ kill(getpid(), SIGTERM);
++ }
++
++ ctx->pid_file_created = true;
++
++#ifdef HAVE_SYSTEMD
++ DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
++ ret = sd_notify(0, "READY=1");
++ if (ret < 0) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Error sending notification to systemd %d: %s\n",
++ -ret, strerror(-ret));
++ }
++#endif
++
+ /* Initialization is complete, terminate parent process if in daemon
+ * mode. Make sure we send the signal to the right process */
+ if (ctx->is_daemon) {
+@@ -1389,7 +1416,7 @@
+ int ret;
+
+ errno = 0;
+- ret = unlink(SSSD_PIDFILE_PATH);
++ ret = unlink(SSSD_PIDFILE);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE,
+@@ -1603,6 +1630,7 @@
+ return ENOMEM;
+ }
+
++ ctx->pid_file_created = false;
+ talloc_set_destructor((TALLOC_CTX *)ctx, monitor_ctx_destructor);
+
+ cdb_file = talloc_asprintf(ctx, "%s/%s", DB_PATH, CONFDB_FILE);
+@@ -2803,8 +2831,6 @@
+ return 6;
+ }
+
+- /* we want a pid file check */
+- flags |= FLAGS_PID_FILE;
+ /* the monitor should not run a watchdog on itself */
+ flags |= FLAGS_NO_WATCHDOG;
+
+@@ -2871,6 +2897,15 @@
+ }
+ }
+
++ /* Check if the SSSD is already running */
++ ret = check_file(SSSD_PIDFILE, 0, 0, S_IFREG|0600, 0, NULL, false);
++ if (ret == EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE,
++ "pidfile exists at %s\n", SSSD_PIDFILE);
++ ERROR("SSSD is already running\n");
++ return 2;
++ }
++
+ /* Parse config file, fail if cannot be done */
+ ret = load_configuration(tmp_ctx, config_file, &monitor);
+ if (ret != EOK) {
+--- a/src/sysv/sssd.in
++++ b/src/sysv/sssd.in
+@@ -40,6 +40,8 @@
+ LOCK_FILE=@localstatedir@/lock/subsys/sssd
+ PID_FILE=@localstatedir@/run/sssd.pid
+
++TIMEOUT=15
++
+ start() {
+ [ -x $SSSD ] || exit 5
+ echo -n $"Starting $prog: "
+@@ -47,6 +49,19 @@
+ RETVAL=$?
+ echo
+ [ "$RETVAL" = 0 ] && touch $LOCK_FILE
++
++ # Wait for pidfile creation or timeout
++ sec=0
++ [ "$RETVAL" = 0 ] && while [ $sec -lt $TIMEOUT -a ! -f $PID_FILE ]
++ do
++ sleep 1
++ sec=$(($sec+1))
++ done
++
++ if [ "$sec" = "$TIMEOUT" ]; then
++ RETVAL=-1
++ fi
++
+ return $RETVAL
+ }
+
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -3,16 +3,13 @@
+ # SSSD will not be started until syslog is
+ After=syslog.target
+ # SSSD must be running before we permit user sessions
+-Before=systemd-user-sessions.service nss-user-lookup.target
++Before=systemd-user-sessions.service nss-user-lookup.target autofs.service
+ Wants=nss-user-lookup.target
+
+ [Service]
+-EnvironmentFile=- at environment_file@
+-ExecStart=@sbindir@/sssd -D -f
+-# These two should be used with traditional UNIX forking daemons
+-# consult systemd.service(5) for more details
+-Type=forking
+-PIDFile=@localstatedir@/run/sssd.pid
++ExecStart=@sbindir@/sssd -i -f
++Type=notify
++NotifyAccess=main
+
+ [Install]
+ WantedBy=multi-user.target
+--- a/src/tools/tools_util.h
++++ b/src/tools/tools_util.h
+@@ -27,9 +27,6 @@
+
+ #include "util/util.h"
+
+-#define SSSD_PIDFILE ""PID_PATH"/sssd.pid"
+-#define MAX_PID_LENGTH 10
+-
+ #define BAD_POPT_PARAMS(pc, msg, val, label) do { \
+ usage(pc, msg); \
+ val = EXIT_FAILURE; \
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -50,6 +50,10 @@
+ #include "util/util_safealign.h"
+ #include "util/sss_format.h"
+
++/* name of the monitor server instance */
++#define SSSD_PIDFILE PID_PATH"/sssd.pid"
++#define MAX_PID_LENGTH 10
++
+ #define _(STRING) gettext (STRING)
+
+ #define ENUM_INDICATOR "*"
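Review bot: In the monitor.c hunk at `ret = pidfile(PID_PATH, MONITOR_NAME);`, a failed pidfile() sends SIGTERM to the monitor but execution falls through: `pid_file_created` is set, `sd_notify(0, "READY=1")` is sent under HAVE_SYSTEMD, and in daemon mode the parent is signalled to exit, so (assuming SIGTERM is dispatched through the event loop rather than terminating the process inside kill()) the init system is told the service is ready at the same moment it is being torn down. Returning right after the kill, `kill(getpid(), SIGTERM); return;`, keeps that failure from being reported as a successful start; the enclosing function's signature is outside the hunk, so adapt the return to its type. Separately, the new pre-start check `check_file(SSSD_PIDFILE, 0, 0, S_IFREG|0600, 0, NULL, false)` refuses startup whenever a regular pidfile exists, and unless check_file also verifies that the recorded PID is alive (its definition is not on the page) a pidfile left behind by a crash will keep sssd from starting with "SSSD is already running", a case the removed FLAGS_PID_FILE path may have handled differently. Also, in src/sysv/sssd.in the timeout branch sets `RETVAL=-1`, which becomes exit status 255; a small positive code such as `RETVAL=1` is the conventional init-script failure value.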
diff --git a/debian/patches/sanitize_newline.diff b/debian/patches/sanitize_newline.diff
new file mode 100644
index 0000000..bab13c1
--- /dev/null
+++ b/debian/patches/sanitize_newline.diff
@@ -0,0 +1,31 @@
+Description: Sanitize newline and return carriage characters
+ Introducing valid usernames with trailing newline or return carriage
+ characters triggers the removal of valid LDB cache entries. This patch
+ sanitizes these characters in order to fix the LDAP query, addressing
+ the issue.
+
+Author: Victor Tapia <victor.tapia at canonical.com>
+Bug: https://pagure.io/SSSD/sssd/issue/3317
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1669712
+Last-Update: 2017-03-10
+
+--- a/src/util/util.c
++++ b/src/util/util.c
+@@ -567,6 +567,16 @@
+ output[j++] = '5';
+ output[j++] = 'c';
+ break;
++ case '\r':
++ output[j++] = '\\';
++ output[j++] = '0';
++ output[j++] = 'd';
++ break;
++ case '\n':
++ output[j++] = '\\';
++ output[j++] = '0';
++ output[j++] = 'a';
++ break;
+ default:
+ output[j++] = input[i];
+ }
+
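Review bot: The two new cases each emit three output bytes for one input byte, like the existing `\\5c` case above them, so they are only safe if the output buffer is sized for that worst case; the allocation and the start of the enclosing function lie outside the hunk, so confirm it reserves at least three bytes per input byte plus the terminator. A short comment above `case '\r':` would record why two characters outside the existing escape set are now handled: `/* CR/LF in a name break the query and made the cache drop valid entries (LP: #1669712) */`. Since the commit description says this sanitizer runs before LDAP queries, a unit test feeding a name with a trailing `\n` and `\r` and checking for the `\0a`/`\0d` output would pin the fix against regressions.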
diff --git a/debian/patches/series b/debian/patches/series
index 7e035ce..8631edc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,5 @@ AD-SRV-prefer-site-local-DCs-in-LDAP-ping.diff
fix-upstream-2519.diff
restart_providers_on_timeshift.diff
BUILD-Fix-linking-with-librt.diff
+pidfile-creation.diff
+sanitize_newline.diff
diff --git a/debian/sssd-common.sssd.upstart.in b/debian/sssd-common.sssd.upstart.in
index 3c0180a..f267ffe 100644
--- a/debian/sssd-common.sssd.upstart.in
+++ b/debian/sssd-common.sssd.upstart.in
@@ -7,7 +7,7 @@
description "System Security Services Daemon"
-start on (filesystem and net-device-up)
+start on (filesystem and net-device-up and starting autofs)
stop on runlevel [06]
respawn
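Review bot: `start on (filesystem and net-device-up and starting autofs)` makes the `starting autofs` event a hard precondition: with upstart's `and` operator all three events must have been emitted, so on a system where the autofs job is not installed or is disabled the condition is never satisfied and sssd would not start at boot, if I read the operator correctly. The intent appears to be ordering (hold autofs until sssd is fully started, which the new post-start wait makes meaningful), and that is normally expressed from the autofs side rather than by tying sssd's own start to autofs. If sssd must be ordered before autofs from this job, the condition needs a form that does not depend on the autofs job being present, and the changelog entry should state the new dependency either way.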
@@ -31,3 +31,18 @@ script
exec sssd $DAEMON_OPTS
end script
+
+post-start script
+ # Wait until the responders are active to transition to started.
+ TIMEOUT=30
+ sec=0
+ while [ $sec -lt $TIMEOUT -a ! -f /var/run/sssd.pid ]
+ do
+ sleep 1
+ sec=$(($sec+1))
+ done
+
+ if [ "$sec" -eq "$TIMEOUT" ]; then
+ stop
+ fi
+end script
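Review bot: The post-start loop only polls for `/var/run/sssd.pid`, so if the daemon exits before creating it (and respawn does not intervene) the job still waits the full 30 seconds before `stop` runs; checking in the loop that the main process is still alive, where the job's pid is available to the script, would shorten that. The path is hard-coded while src/sysv/sssd.in in pidfile-creation.diff uses `@localstatedir@/run/sssd.pid`; if this `.in` template receives the same substitution, reuse it so both scripts follow PID_PATH. `[ $sec -lt $TIMEOUT -a ! -f /var/run/sssd.pid ]` relies on the obsolescent `-a`; `[ $sec -lt $TIMEOUT ] && [ ! -f /var/run/sssd.pid ]` is the portable form.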