Thanks, Mike.

I tried the /etc/systemd/system/ocserv.socket.d/port.conf trick. It looks like it
adds a port to listen on, but didn't replace the ports defined in
/lib/systemd/system/ocserv.socket:

$ sudo systemctl status ocserv.socket
● ocserv.socket - OpenConnect SSL VPN server Socket
   Loaded: loaded (/lib/systemd/system/ocserv.socket; enabled; vendor
preset: enabled)
  Drop-In: /etc/systemd/system/ocserv.socket.d
           └─port.conf
   Active: failed (Result: resources) since Thu 2016-09-15 12:38:10 PDT;
49s ago
   Listen: [::]:443 (Stream)
           [::]:443 (Datagram)
           [::]:12345 (Stream)
           [::]:12345 (Datagram)

Sep 15 11:30:46 Simpson systemd[1]: Listening on OpenConnect SSL VPN server
Socket.
Sep 15 12:38:10 Simpson systemd[1]: Closed OpenConnect SSL VPN server
Socket.
Sep 15 12:38:22 Simpson systemd[1]: ocserv.socket: Failed to listen on
sockets: Address already in use
Sep 15 12:38:22 Simpson systemd[1]: Failed to listen on OpenConnect SSL VPN
server Socket.
Sep 15 12:38:22 Simpson systemd[1]: ocserv.socket: Unit entered failed
state.
Sep 15 12:38:22 Simpson systemd[1]: ocserv.socket: Failed to listen on
sockets: Address already in use
Sep 15 12:38:22 Simpson systemd[1]: Failed to listen on OpenConnect SSL VPN
server Socket.

On Thu, Sep 15, 2016 at 12:24 PM Mike Miller <mtmil...@debian.org> wrote:

> On Thu, Sep 15, 2016 at 11:37:24 -0700, Yuxuan Wang wrote:
> > The current packed ocserv uses socket-activated systemd config[1] from
> > upstream.
> >
> > These configs hardcode the port number (443), ignoring the port number
> > configured in /etc/ocserv/ocserv.conf, and will be overwritten every
> > time the package upgrades. So if the user manually changed the port
> > number, and has another service occupying port 443, the upgrade will fail.
> >
> > Upstream also provided another systemd config, standalone[2], which
> > doesn't have this problem and will honor the port defined in
> > /etc/ocserv/ocserv.conf
> >
> > I think this package should use the standalone version of systemd config
> > instead.
>
> On the contrary, customizing the port number used in the
> socket-activated configuration is much easier and less error-prone.
>
> Instead of editing the file /etc/ocserv/ocserv.conf, just create a file
> /etc/systemd/system/ocserv.socket.d/port.conf with the contents
>
>   [Socket]
>   ListenStream=12345
>   ListenDatagram=12345
>
> This file will not be overwritten or replaced, and the custom port
> number will be preserved across upgrades.
>
> This technique is common to any socket-activated service, but may not be
> explicitly documented in the ocserv package itself.
>
> --
> mike
>
-- 
fishy
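
Added example (not part of the original thread, and not code from ocserv or systemd): a simplified Python model of the systemd.socket rule that ListenStream=/ListenDatagram= entries accumulate across the vendor unit and its drop-ins, and that an empty assignment resets the listen list. The unit texts are constructed to match the status output above, and effective_listeners is a hypothetical helper name.

```python
# Simplified model of how systemd merges list-type [Socket] listen settings
# from a vendor unit and its drop-ins. All unit texts are constructed samples.
LISTEN_KEYS = ("ListenStream", "ListenDatagram")

# Constructed to match the "Listen:" lines in the status output above.
VENDOR = """\
[Socket]
ListenStream=443
ListenDatagram=443
"""

# The drop-in as suggested in the thread: entries are appended to the list.
DROPIN_APPEND = """\
[Socket]
ListenStream=12345
ListenDatagram=12345
"""

# Same drop-in with empty assignments first, which clear the inherited list.
DROPIN_RESET = """\
[Socket]
ListenStream=
ListenDatagram=
ListenStream=12345
ListenDatagram=12345
"""

def effective_listeners(*fragments):
    """Return the (key, address) pairs left after applying fragments in order."""
    listeners = []
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = (part.strip() for part in line.partition("="))
            if section != "Socket" or not sep or key not in LISTEN_KEYS:
                continue
            if value == "":
                listeners.clear()   # empty assignment resets the listen list
            else:
                listeners.append((key, value))
    return listeners

if __name__ == "__main__":
    print("append:", effective_listeners(VENDOR, DROPIN_APPEND))
    print("reset: ", effective_listeners(VENDOR, DROPIN_RESET))
```

After changing a drop-in on a real host, `systemctl daemon-reload` followed by `systemctl status ocserv.socket` shows the resulting Listen: lines.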
