Package: kea-dhcp4-server Version: 2.2.0-6 Severity: normal File: kea Tags: patch
Dear Maintainers, thank you for your work to make Kea available on Debian. I appreciate that you include init scripts and support init diversity. Unfortunately those scripts don't work as expected. I fixed them and made them mimic the behaviour of the Systemd service files as closely as possible. It would be nice if you could apply the attached patch to: - set PIDFILE to the path used by Kea - create the pid-directory if it doesn't exist - make the lock-directory match the one used in the Systemd service - remove KEA_LOGGER_DESTINATION as it has no effect without an export and is not set in the service file either - use start-stop-daemon's exec parameter instead of name (as they exceed the 15 chars limit) - run the daemons as non-root (default is _kea) - make that user owner of the pid and lock directories - give Kea access to raw sockets and privileged ports via setcap (this is not as nice as AmbientCapabilities in Systemd, but at least it is what Kea's docs suggest) Thank you in advance, Stefan -- System Information: Debian Release: 12.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-12-cloud-amd64 (SMP w/1 CPU thread; PREEMPT) Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: sysvinit (via /sbin/init) Versions of packages kea-dhcp4-server depends on: ii init-system-helpers 1.65.2 ii kea-common 2.2.0-6 ii libc6 2.36-9+deb12u1 ii libgcc-s1 12.2.0-14 ii libstdc++6 12.2.0-14 kea-dhcp4-server recommends no packages. Versions of packages kea-dhcp4-server suggests: pn kea-doc <none> -- Configuration Files: /etc/init.d/kea-dhcp4-server changed [not included] /etc/kea/kea-dhcp4.conf changed [not included] -- no debconf information
diff --git a/debian/kea-ctrl-agent.init b/debian/kea-ctrl-agent.init index 0dc99dd..3d1d5fa 100644 --- a/debian/kea-ctrl-agent.init +++ b/debian/kea-ctrl-agent.init @@ -6,9 +6,9 @@ # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Kea DHCP Control Agent for REST Service -# Description: <Enter a long description of the software> -# <...> -# <...> +# Description: Kea is an IPv4 and IPv6 DHCP server developed by Internet +# Systems Consortium providing a very high-performance with +# PostgreSQL, MySQL and memfile backends. ### END INIT INFO # Author: Jason Guy <jason.e....@gmail.com> # Do NOT "set -e" @@ -19,11 +19,11 @@ DESC=kea-ctrl-agent NAME=kea-ctrl-agent DAEMON=/usr/sbin/kea-ctrl-agent DAEMON_ARGS="-c /etc/kea/kea-ctrl-agent.conf" -PIDFILE=/run/$NAME.pid +DAEMONUSER=_kea +PIDFILE=/run/kea/kea-ctrl-agent.kea-ctrl-agent.pid SCRIPTNAME=/etc/init.d/$NAME -KEA_PIDFILE_DIR=/run/ -KEA_LOCKFILE_DIR=/run/lock/kea/ -KEA_LOGGER_DESTINATION=/var/log/kea/ +KEA_PIDFILE_DIR=/run/kea +KEA_LOCKFILE_DIR=/run/lock/kea # Exit if the package is not installed [ -x "$DAEMON" ] || exit 0 @@ -43,6 +43,15 @@ create_lockfile_dir() { if [ ! -d "$KEA_LOCKFILE_DIR" ]; then mkdir -m 0750 -p "$KEA_LOCKFILE_DIR" + chown "$DAEMONUSER:" "$KEA_LOCKFILE_DIR" + fi +} + +create_pidfile_dir() +{ + if [ ! -d "$KEA_PIDFILE_DIR" ]; then + mkdir -m 0750 -p "$KEA_PIDFILE_DIR" + chown "$DAEMONUSER:" "$KEA_PIDFILE_DIR" fi } @@ -52,13 +61,15 @@ create_lockfile_dir() do_start() { create_lockfile_dir + create_pidfile_dir + export KEA_LOCKFILE_DIR # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -b -- \ + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -b -c $DAEMONUSER -- \ $DAEMON_ARGS \ || return 2 } 
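Review bot: In `create_lockfile_dir` and the new `create_pidfile_dir`, ownership is set only inside the `if [ ! -d ... ]` branch, so a directory that already exists is used with whatever owner it has. That matters for `/run/lock/kea`: a root-owned leftover from the previous script would presumably be unwritable for the daemon started with `-c $DAEMONUSER`, and since `/run/lock` is normally world-writable on Debian the path could also have been created by another local user. I would check the result after the `fi` instead of trusting it, e.g. `[ ! -L "$KEA_LOCKFILE_DIR" ] && [ "$(stat -c %U "$KEA_LOCKFILE_DIR")" = "$DAEMONUSER" ] || return 2`, and have `do_start` honour that status. The same hunk appears in kea-dhcp-ddns-server.init, kea-dhcp4-server.init and kea-dhcp6-server.init.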
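Review bot: `do_start` exports only `KEA_LOCKFILE_DIR`; `KEA_PIDFILE_DIR` is assigned at the top of the script but never exported, so it reaches the daemon no more than the removed `KEA_LOGGER_DESTINATION` did. The script then works only as long as Kea's built-in pid directory happens to equal the hard-coded `PIDFILE` path. Either use `export KEA_LOCKFILE_DIR KEA_PIDFILE_DIR`, or add a comment such as `# KEA_PIDFILE_DIR is used by this script only; it must match Kea's compiled-in default`. The do_start hunks of the other three init files have the same line.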
@@ -73,7 +84,7 @@ do_stop() # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --exec $DAEMON --user $DAEMONUSER RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 # Wait for children to finish too if this is a daemon that forks @@ -82,7 +93,7 @@ do_stop() # that waits for the process to drop all resources that could be # needed by services started subsequently. A last resort is to # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --user $DAEMONUSER [ "$?" = 2 ] && return 2 # Many daemons don't delete their pidfiles when they exit. rm -f $PIDFILE @@ -93,12 +104,7 @@ do_stop() # Function that sends a SIGHUP to the daemon/service # do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --exec $DAEMON --user $DAEMONUSER return 0 } @@ -122,20 +128,12 @@ case "$1" in status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # + reload|force-reload) + log_daemon_msg "Reloading $DESC" "$NAME" + do_reload + log_end_msg $? + ;; + restart) log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in 
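Review bot: The move from `--name $NAME` to `--exec $DAEMON --user $DAEMONUSER` in `do_stop` deserves a comment, because it is now a safety property and not only a workaround for the 15-character name limit. The pid file is written by the unprivileged daemon into a directory it owns, so root should never act on its contents alone; I would add `# pidfile is written by $DAEMONUSER: always pair --pidfile with --exec/--user` above the call. `do_stop` starts and ends outside this hunk, and the same comment fits the calls in `do_reload` and in the other three init files.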
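Review bot: `do_reload` still ends in `return 0`, so the `reload|force-reload` arm enabled further down always passes 0 to `log_end_msg $?`, even when no daemon is running or the signal could not be sent. Dropping the `return 0` makes the `start-stop-daemon` status the function's status and lets a failed reload be reported. The same applies to the do_reload hunks in the other three init files.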
diff --git a/debian/kea-dhcp-ddns-server.init b/debian/kea-dhcp-ddns-server.init index 2a1a135..c67be9e 100644 --- a/debian/kea-dhcp-ddns-server.init +++ b/debian/kea-dhcp-ddns-server.init @@ -6,9 +6,9 @@ # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Kea DHCP DDNS Server -# Description: <Enter a long description of the software> -# <...> -# <...> +# Description: Kea is an IPv4 and IPv6 DHCP server developed by Internet +# Systems Consortium providing a very high-performance with +# PostgreSQL, MySQL and memfile backends. ### END INIT INFO # Author: Adam Majer <ad...@zombino.com> # Do NOT "set -e" @@ -19,11 +19,11 @@ DESC=kea-dhcp-ddns NAME=kea-dhcp-ddns DAEMON=/usr/sbin/kea-dhcp-ddns DAEMON_ARGS="-c /etc/kea/kea-dhcp-ddns.conf" -PIDFILE=/run/$NAME.pid +DAEMONUSER=_kea +PIDFILE=/run/kea/kea-dhcp-ddns.kea-dhcp-ddns.pid # depends on config-filename: https://kea.readthedocs.io/en/latest/arm/ddns.html#starting-and-stopping-the-dhcp-ddns-server SCRIPTNAME=/etc/init.d/$NAME -KEA_PIDFILE_DIR=/run/ -KEA_LOCKFILE_DIR=/run/lock/kea/ -KEA_LOGGER_DESTINATION=/var/log/kea/ +KEA_PIDFILE_DIR=/run/kea +KEA_LOCKFILE_DIR=/run/lock/kea # Exit if the package is not installed [ -x "$DAEMON" ] || exit 0 
@@ -43,22 +43,39 @@ create_lockfile_dir() { if [ ! -d "$KEA_LOCKFILE_DIR" ]; then mkdir -m 0750 -p "$KEA_LOCKFILE_DIR" + chown "$DAEMONUSER:" "$KEA_LOCKFILE_DIR" fi } +create_pidfile_dir() +{ + if [ ! -d "$KEA_PIDFILE_DIR" ]; then + mkdir -m 0750 -p "$KEA_PIDFILE_DIR" + chown "$DAEMONUSER:" "$KEA_PIDFILE_DIR" + fi +} + +setcap_binary() +{ + setcap "cap_net_bind_service" $DAEMON +} + # # Function that starts the daemon/service # do_start() { create_lockfile_dir + create_pidfile_dir + setcap_binary + export KEA_LOCKFILE_DIR # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -b -- \ + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -b -c $DAEMONUSER -- \ $DAEMON_ARGS \ || return 2 } @@ -73,7 +90,7 @@ do_stop() # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --exec $DAEMON --user $DAEMONUSER RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 # Wait for children to finish too if this is a daemon that forks @@ -82,7 +99,7 @@ do_stop() # that waits for the process to drop all resources that could be # needed by services started subsequently. A last resort is to # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --user $DAEMONUSER [ "$?" = 2 ] && return 2 # Many daemons don't delete their pidfiles when they exit. rm -f $PIDFILE 
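Review bot: The capability string in `setcap_binary` has no flag clause: this file passes `"cap_net_bind_service"` while kea-dhcp4-server.init passes `"cap_net_bind_service,cap_net_raw=+ep"`. As far as I know `setcap` rejects a bare capability name, and because the exit status is not checked `do_start` would carry on and launch the daemon as `$DAEMONUSER` without the capability. I would write `setcap "cap_net_bind_service=+ep" "$DAEMON" || return 2` and call it as `setcap_binary || return 2` in `do_start`. kea-dhcp6-server.init has the same bare string.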
@@ -93,12 +110,7 @@ do_stop() # Function that sends a SIGHUP to the daemon/service # do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --exec $DAEMON --user $DAEMONUSER return 0 } @@ -122,20 +134,12 @@ case "$1" in status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # + reload|force-reload) + log_daemon_msg "Reloading $DESC" "$NAME" + do_reload + log_end_msg $? + ;; + restart) log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in diff --git a/debian/kea-dhcp4-server.init b/debian/kea-dhcp4-server.init index bcf4ad8..c91aa61 100644 --- a/debian/kea-dhcp4-server.init +++ b/debian/kea-dhcp4-server.init @@ -6,9 +6,9 @@ # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Kea DHCP IPv4 Server -# Description: <Enter a long description of the software> -# <...> -# <...> +# Description: Kea is an IPv4 and IPv6 DHCP server developed by Internet +# Systems Consortium providing a very high-performance with +# PostgreSQL, MySQL and memfile backends. ### END INIT INFO # Author: Adam Majer <ad...@zombino.com> # Do NOT "set -e" 
@@ -19,11 +19,11 @@ DESC="kea-dhcp4" NAME=kea-dhcp4-server DAEMON=/usr/sbin/kea-dhcp4 DAEMON_ARGS="-c /etc/kea/kea-dhcp4.conf" -PIDFILE=/run/$NAME.pid +DAEMONUSER=_kea +PIDFILE=/run/kea/kea-dhcp4.kea-dhcp4.pid # depends on config-filename: https://kea.readthedocs.io/en/latest/arm/dhcp4-srv.html SCRIPTNAME=/etc/init.d/$NAME -KEA_PIDFILE_DIR=/run/ -KEA_LOCKFILE_DIR=/run/lock/kea/ -KEA_LOGGER_DESTINATION=/var/log/kea/ +KEA_PIDFILE_DIR=/run/kea +KEA_LOCKFILE_DIR=/run/lock/kea # Exit if the package is not installed [ -x "$DAEMON" ] || exit 0 @@ -43,22 +43,39 @@ create_lockfile_dir() { if [ ! -d "$KEA_LOCKFILE_DIR" ]; then mkdir -m 0750 -p "$KEA_LOCKFILE_DIR" + chown "$DAEMONUSER:" "$KEA_LOCKFILE_DIR" fi } +create_pidfile_dir() +{ + if [ ! -d "$KEA_PIDFILE_DIR" ]; then + mkdir -m 0750 -p "$KEA_PIDFILE_DIR" + chown "$DAEMONUSER:" "$KEA_PIDFILE_DIR" + fi +} + +setcap_binary() +{ + setcap "cap_net_bind_service,cap_net_raw=+ep" $DAEMON +} + # # Function that starts the daemon/service # do_start() { create_lockfile_dir + create_pidfile_dir + setcap_binary + export KEA_LOCKFILE_DIR # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -b -- \ + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -b -c $DAEMONUSER -- \ $DAEMON_ARGS \ || return 2 } @@ -73,7 +90,7 @@ do_stop() # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --exec $DAEMON --user $DAEMONUSER RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 # Wait for children to finish too if this is a daemon that forks 
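Review bot: `setcap_binary` puts `cap_net_raw` and `cap_net_bind_service` on `/usr/sbin/kea-dhcp4` itself, so every account that can execute the file gets them, not only the instance started here as `$DAEMONUSER`. That is wider than the systemd unit's AmbientCapabilities mentioned in the report. If file capabilities stay, the binary's execute permission should be limited to root and the daemon's group (on Debian usually done with `dpkg-statoverride` from the maintainer scripts), and the function should carry a comment such as `# file capabilities apply to every user able to exec $DAEMON`.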
@@ -82,7 +99,7 @@ do_stop() # that waits for the process to drop all resources that could be # needed by services started subsequently. A last resort is to # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --user $DAEMONUSER [ "$?" = 2 ] && return 2 # Many daemons don't delete their pidfiles when they exit. rm -f $PIDFILE @@ -93,12 +110,7 @@ do_stop() # Function that sends a SIGHUP to the daemon/service # do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --exec $DAEMON --user $DAEMONUSER return 0 } @@ -122,20 +134,12 @@ case "$1" in status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # + reload|force-reload) + log_daemon_msg "Reloading $DESC" "$NAME" + do_reload + log_end_msg $? + ;; + restart) log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in diff --git a/debian/kea-dhcp6-server.init b/debian/kea-dhcp6-server.init index 0aa0e27..7b57f01 100644 --- a/debian/kea-dhcp6-server.init +++ b/debian/kea-dhcp6-server.init 
@@ -6,9 +6,9 @@ # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Kea DHCP IPv6 Server -# Description: <Enter a long description of the software> -# <...> -# <...> +# Description: Kea is an IPv4 and IPv6 DHCP server developed by Internet +# Systems Consortium providing a very high-performance with +# PostgreSQL, MySQL and memfile backends. ### END INIT INFO # Author: Adam Majer <ad...@zombino.com> # Do NOT "set -e" @@ -19,11 +19,11 @@ DESC="kea-dhcp6" NAME=kea-dhcp6-server DAEMON=/usr/sbin/kea-dhcp6 DAEMON_ARGS="-c /etc/kea/kea-dhcp6.conf" -PIDFILE=/run/$NAME.pid +DAEMONUSER=_kea +PIDFILE=/run/kea/kea-dhcp6.kea-dhcp6.pid # depends on config-filename: https://kea.readthedocs.io/en/latest/arm/dhcp6-srv.html SCRIPTNAME=/etc/init.d/$NAME -KEA_PIDFILE_DIR=/run/ -KEA_LOCKFILE_DIR=/run/lock/kea/ -KEA_LOGGER_DESTINATION=/var/log/kea/ +KEA_PIDFILE_DIR=/run/kea +KEA_LOCKFILE_DIR=/run/lock/kea # Exit if the package is not installed [ -x "$DAEMON" ] || exit 0 @@ -43,22 +43,39 @@ create_lockfile_dir() { if [ ! -d "$KEA_LOCKFILE_DIR" ]; then mkdir -m 0750 -p "$KEA_LOCKFILE_DIR" + chown "$DAEMONUSER:" "$KEA_LOCKFILE_DIR" fi } +create_pidfile_dir() +{ + if [ ! -d "$KEA_PIDFILE_DIR" ]; then + mkdir -m 0750 -p "$KEA_PIDFILE_DIR" + chown "$DAEMONUSER:" "$KEA_PIDFILE_DIR" + fi +} + +setcap_binary() +{ + setcap "cap_net_bind_service" $DAEMON +} + # # Function that starts the daemon/service # do_start() { create_lockfile_dir + create_pidfile_dir + setcap_binary + export KEA_LOCKFILE_DIR # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -b -- \ + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -b -c $DAEMONUSER -- \ $DAEMON_ARGS \ || return 2 } 
@@ -73,7 +90,7 @@ do_stop() # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --exec $DAEMON --user $DAEMONUSER RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 # Wait for children to finish too if this is a daemon that forks @@ -82,7 +99,7 @@ do_stop() # that waits for the process to drop all resources that could be # needed by services started subsequently. A last resort is to # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --user $DAEMONUSER [ "$?" = 2 ] && return 2 # Many daemons don't delete their pidfiles when they exit. rm -f $PIDFILE @@ -93,12 +110,7 @@ do_stop() # Function that sends a SIGHUP to the daemon/service # do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --exec $DAEMON --user $DAEMONUSER return 0 } @@ -122,20 +134,12 @@ case "$1" in status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # + reload|force-reload) + log_daemon_msg "Reloading $DESC" "$NAME" + do_reload + log_end_msg $? + ;; + restart) log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in