On Wed, Aug 17, 2016 at 02:30:15PM +0200, Lukas Slebodnik wrote:
> On (17/08/16 13:46), Jakub Hrozek wrote:
> >On Wed, Aug 17, 2016 at 12:49:26PM +0200, Lukas Slebodnik wrote:
> >> On (17/08/16 12:27), Jakub Hrozek wrote:
> >> >On Wed, Aug 17, 2016 at 10:23:51AM +0200, Lukas Slebodnik wrote:
> >> >> On (15/08/16 16:05), Jakub Hrozek wrote:
> >> >> >From 86a24747f45bdb3caeb8c36d63c74a08aed90421 Mon Sep 17 00:00:00 2001
> >> >> >From: Jakub Hrozek <jhro...@redhat.com>
> >> >> >Date: Mon, 15 Aug 2016 14:10:23 +0200
> >> >> >Subject: [PATCH 3/3] BUILD: Ship systemd service file for sssd-secrets
> >> >> >
> >> >> >Adds two new files: sssd-secrets.socket and sssd-secrets.service. These
> >> >> >can be used to socket-activate the secrets responder even without
> >> >> >explicitly starting it in the sssd config file.
> >> >> >
> >> >> >The specfile activates the socket after installation which means that
> >> >> >the admin would just be able to use the secrets socket and the
> >> >> >sssd_secrets responder would be started automatically by systemd.
> >> >> >
> >> >> >The sssd-secrets responder is started as root, mostly because I didn't
> >> >> >think of an easy way to pass the uid/gid to the responders without
> >> >> >asking about the sssd user identity in the first place. But 
> >> >> >nonetheless,
> >> >> >the sssd-secrets responder wasn't tested as non-root and at least the
> >> >> >initialization should be performed as root for the time being.
> >> >> >---
> >> >> > Makefile.am                              | 21 +++++++++++++++++++--
> >> >> > contrib/sssd.spec.in                     |  5 +++++
> >> >> > src/sysv/systemd/sssd-secrets.service.in |  2 ++
> >> >> > src/sysv/systemd/sssd-secrets.socket.in  |  5 +++++
> >> >> > 4 files changed, 31 insertions(+), 2 deletions(-)
> >> >> > create mode 100644 src/sysv/systemd/sssd-secrets.service.in
> >> >> > create mode 100644 src/sysv/systemd/sssd-secrets.socket.in
> >> >> >
> >> >> >diff --git a/Makefile.am b/Makefile.am
> >> >> >index 
> >> >> >7c15bd7cdb336bc38f2055382121d73a3583b1e7..5d38fc96462356471f1f1506403b2d76961d485d
> >> >> > 100644
> >> >> >--- a/Makefile.am
> >> >> >+++ b/Makefile.am
> >> >> >@@ -3848,7 +3848,10 @@ systemdunit_DATA =
> >> >> > systemdconf_DATA =
> >> >> > if HAVE_SYSTEMD_UNIT
> >> >> >     systemdunit_DATA += \
> >> >> >-        src/sysv/systemd/sssd.service
> >> >> >+        src/sysv/systemd/sssd.service \
> >> >> >+        src/sysv/systemd/sssd-secrets.socket \
> >> >> >+        src/sysv/systemd/sssd-secrets.service \
> >> >> >+        $(NULL)
> >> >> > if WITH_JOURNALD
> >> >> >     systemdconf_DATA += \
> >> >> >         src/sysv/systemd/journal.conf
> >> >> >@@ -3886,6 +3889,7 @@ edit_cmd = $(SED) \
> >> >> >         -e 's|@sbindir[@]|$(sbindir)|g' \
> >> >> >         -e 's|@environment_file[@]|$(environment_file)|g' \
> >> >> >         -e 's|@localstatedir[@]|$(localstatedir)|g' \
> >> >> >+        -e 's|@libexecdir[@]|$(libexecdir)|g' \
> >> >> >         -e 's|@prefix[@]|$(prefix)|g'
> >> >> > 
> >> >> > replace_script = \
> >> >> >@@ -3897,7 +3901,10 @@ replace_script = \
> >> >> > 
> >> >> > EXTRA_DIST += \
> >> >> >     src/sysv/systemd/sssd.service.in \
> >> >> >-    src/sysv/systemd/journal.conf.in
> >> >> >+    src/sysv/systemd/journal.conf.in \
> >> >> >+    src/sysv/systemd/sssd-secrets.socket.in \
> >> >> >+    src/sysv/systemd/sssd-secrets.service.in \
> >> >> >+    $(NULL)
> >> >> > 
> >> >> > src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in 
> >> >> > Makefile
> >> >> >       @$(MKDIR_P) src/sysv/systemd/
> >> >> >@@ -3907,6 +3914,14 @@ src/sysv/systemd/journal.conf: 
> >> >> >src/sysv/systemd/journal.conf.in Makefile
> >> >> >       @$(MKDIR_P) src/sysv/systemd/
> >> >> >       $(replace_script)
> >> >> > 
> >> >> >+src/sysv/systemd/sssd-secrets.socket: 
> >> >> >src/sysv/systemd/sssd-secrets.socket.in Makefile
> >> >> >+      @$(MKDIR_P) src/sysv/systemd/
> >> >> >+      $(replace_script)
> >> >> >+
> >> >> >+src/sysv/systemd/sssd-secrets.service: 
> >> >> >src/sysv/systemd/sssd-secrets.service.in Makefile
> >> >> >+      @$(MKDIR_P) src/sysv/systemd/
> >> >> >+      $(replace_script)
> >> >> >+
> >> >> > SSSD_USER_DIRS = \
> >> >> >     $(DESTDIR)$(dbpath) \
> >> >> >     $(DESTDIR)$(keytabdir) \
> >> >> >@@ -4122,6 +4137,8 @@ endif
> >> >> >       done;
> >> >> >       rm -Rf ldb_mod_test_dir
> >> >> >       rm -f $(builddir)/src/sysv/systemd/sssd.service
> >> >> >+      rm -f $(builddir)/src/sysv/systemd/sssd-secrets.socket
> >> >> >+      rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service
> >> >> >       rm -f $(builddir)/src/sysv/systemd/journal.conf
> >> >> > 
> >> >> > CLEANFILES += *.X */*.X */*/*.X
> >> >> >diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
> >> >> >index 
> >> >> >a9a43560e61acf1cb4b2388d50303587252c2c19..b58eebba54a82a041f72507b430ceca708a34632
> >> >> > 100644
> >> >> >--- a/contrib/sssd.spec.in
> >> >> >+++ b/contrib/sssd.spec.in
> >> >> >@@ -746,6 +746,8 @@ done
> >> >> > %{_sbindir}/sssd
> >> >> > %if (0%{?use_systemd} == 1)
> >> >> > %{_unitdir}/sssd.service
> >> >> >+%{_unitdir}/sssd-secrets.socket
> >> >> >+%{_unitdir}/sssd-secrets.service
> >> >> > %else
> >> >> > %{_initrddir}/%{name}
> >> >> > %endif
> >> >> >@@ -1077,12 +1079,15 @@ getent passwd sssd >/dev/null || useradd -r -g 
> >> >> >sssd -d / -s /sbin/nologin -c "Us
> >> >> > # systemd
> >> >> > %post common
> >> >> > %systemd_post sssd.service
> >> >> >+%systemd_post sssd-secrets.socket
> >> >> > 
> >> >> > %preun common
> >> >> > %systemd_preun sssd.service
> >> >> >+%systemd_preun sssd-secrets.socket
> >> >> > 
> >> >> > %postun common
> >> >> > %systemd_postun_with_restart sssd.service
> >> >> >+%systemd_postun_with_restart sssd-secrets.socket
> >> >> >
> >> >> systemd_post and systemd_preun should be used just with *.socket
> >> >> Because you do not want to directly enable/disable socket activated 
> >> >> service
> >> >> 
> >> >> systemd_postun_with_restart is an alias for "systemctl try-restart"
> >> >> for package upgrade. So we should try to restart sssd-secrets.service
> >> >
> >> >I agree about not starting, but are you sure about not *enabling*? I can
> >> >test that, but I thought that if the service wasn't enabled, then
> >> >systemd wouldn't start it.
> >> >
> >> The latest patch does not enable sssd-secrets.service and that's fine.
> >> and other socket activated services are not enabled by default.
> >> So we needn't change systemd_post, systemd_preun.
> >> 
> >> [root@host ~]# systemctl status rpcbind.socket rpcbind.service
> >> ● rpcbind.socket - RPCbind Server Activation Socket
> >>    Loaded: loaded (/usr/lib/systemd/system/rpcbind.socket; enabled; vendor 
> >> preset: disabled)
> >>    Active: active (listening) since Tue 2016-08-02 19:12:01 CEST; 2 weeks 
> >> 0 days ago
> >>    Listen: /var/run/rpcbind.sock (Stream)
> >> 
> >> Aug 02 19:12:01 host.brq.redhat.com systemd[1]: Listening on RPCbind 
> >> Server Activation Socket.
> >> 
> >> ● rpcbind.service - RPC bind service
> >>    Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; indirect; 
> >> vendor preset: disabled)
> >>    Active: inactive (dead)
> >> 
> >> 
> >> 
> >> 
> >> [root@host ~]# systemctl status cockpit.socket cockpit.service
> >> ● cockpit.socket - Cockpit Web Service Socket
> >>    Loaded: loaded (/usr/lib/systemd/system/cockpit.socket; enabled; vendor 
> >> preset: enabled)
> >>    Active: active (listening) since Fri 2016-08-12 08:32:39 CEST; 5 days 
> >> ago
> >>      Docs: man:cockpit-ws(8)
> >>    Listen: [::]:9090 (Stream)
> >> 
> >> Aug 12 08:32:39 host.brq.redhat.com systemd[1]: Listening on Cockpit Web 
> >> Service Socket.
> >> 
> >> ● cockpit.service - Cockpit Web Service
> >>    Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static; vendor 
> >> preset: disabled)
> >>    Active: inactive (dead)
> >>      Docs: man:cockpit-ws(8)
> >> 
> >> 
> >> 
> >> [root@host ~]# systemctl status dbus.socket dbus.service
> >> ● dbus.socket - D-Bus System Message Bus Socket
> >>    Loaded: loaded (/usr/lib/systemd/system/dbus.socket; static; vendor 
> >> preset: disabled)
> >>    Active: active (running) since Tue 2016-08-02 19:12:01 CEST; 2 weeks 0 
> >> days ago
> >>    Listen: /run/dbus/system_bus_socket (Stream)
> >> 
> >> Aug 02 19:12:01 host.brq.redhat.com systemd[1]: Listening on D-Bus System 
> >> Message Bus Socket.
> >> 
> >> ● dbus.service - D-Bus System Message Bus
> >>    Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor 
> >> preset: disabled)
> >>    Active: active (running) since Tue 2016-08-02 19:12:01 CEST; 2 weeks 0 
> >> days ago
> >>      Docs: man:dbus-daemon(1)
> >>  Main PID: 1102 (dbus-daemon)
> >>     Tasks: 2 (limit: 4915)
> >>    CGroup: /system.slice/dbus.service
> >>            └─1102 /usr/bin/dbus-daemon --system --address=systemd: 
> >> --nofork --nopidfile --systemd-activation
> >> 
> >> >> 
> >> >> > %else
> >> >> > # sysv
> >> >> >diff --git a/src/sysv/systemd/sssd-secrets.service.in 
> >> >> >b/src/sysv/systemd/sssd-secrets.service.in
> >> >> >new file mode 100644
> >> >> >index 
> >> >> >0000000000000000000000000000000000000000..4236cc2eb85c83c574da8a96ca9d760922aacbd9
> >> >> >--- /dev/null
> >> >> >+++ b/src/sysv/systemd/sssd-secrets.service.in
> >> >> >@@ -0,0 +1,2 @@
> >> >> >+[Service]
> >> >> >+ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 
> >> >> >--debug-to-files
> >> >> 
> >> >> I checked another socket activated service (cups, pcscd)
> >> >> and they have "Also=$name.socket" in Install section for service
> >> >> But on the other hand other socket activated services(cockpit, dbus,
> >> >> systemd-journald) does not have it. So I'm not sure whether we need it.
> >> >
> >> >Hmm, Also= seems to imply that if the service is enabled, the socket
> >> >should be enabled as well, which IMO makes sense. So I will add it.
> >> >
> >> 
> >> >> 
> >> >> 
> >> >> Anyway, it would be good to add a "[Unit]" section to both files + 
> >> >> Description
> >> >> and later also Documentation=man:$name($number)
> >> >
> >> >Do we need Unit? I thought that if it's not set, then systemd would use
> >> >the same name as the socket for the service. But I /can/ add it if you
> >> >prefer.
> >> >
> >> It might work without it but it would be good to have human readable
> >> description and later also hint for man page.
> >> 
> >> e.g.
> >> [root@host ~]# systemctl cat cockpit.socket
> >> # /usr/lib/systemd/system/cockpit.socket
> >> [Unit]
> >> Description=Cockpit Web Service Socket
> >> Documentation=man:cockpit-ws(8)
> >> 
> >> [Socket]
> >> ListenStream=9090
> >> 
> >> [Install]
> >> WantedBy=sockets.target
> >> 
> >> 
> >> 
> >> [root@host ~]# systemctl cat cockpit.service
> >> # /usr/lib/systemd/system/cockpit.service
> >> [Unit]
> >> Description=Cockpit Web Service
> >> Documentation=man:cockpit-ws(8)
> >> Requires=cockpit.socket
> >> 
> >> [Service]
> >> ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root 
> >> --group=cockpit-ws --selinux-type=etc_t
> >> ExecStart=/usr/libexec/cockpit-ws
> >> PermissionsStartOnly=true
> >> User=cockpit-ws
> >> Group=cockpit-ws
> >> 
> >> >I'm still working on the manpage..
> >> It was just a note that you should not forget :-)
> >
> >See the new patch:
> >
> ># systemctl disable sssd-secrets.service
> >Removed symlink
> >/etc/systemd/system/sockets.target.wants/sssd-secrets.socket.
> ># systemctl enable sssd-secrets.service
> >Created symlink from 
> >/etc/systemd/system/sockets.target.wants/sssd-secrets.socket to 
> >/usr/lib/systemd/system/sssd-secrets.socket.
> >
> >I think that's the Also= directive at work
> >
> OK
> 
> >The Description now shows with "systemctl show sssd-secrets.service" and
> >.socket.
> 
> systemd_postun_with_restart is an alias for "systemctl try-restart"
> for package upgrade. So we should try to restart sssd-secrets.service
> and not just sssd-secrets.socket. Otherwise, the old sssd-secrets service will still be running
> after the upgrade.

OK, the attached patch also adds "%systemd_postun_with_restart
sssd-secrets.service"
>From 25f2233d1bd1dab93a46d612d40240739bc2982b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 8 Aug 2016 14:07:04 +0200
Subject: [PATCH 1/3] UTIL: Use sss_atomic_read_s in generate_csprng_buffer

There was a bug in generate_csprng_buffer() where if we read the exact
amount of bytes from /dev/urandom, we would always return EIO. Instead,
let's reuse the existing code from sss_atomic_read_s() which fixes this
bug and reduces code duplication.
---
 Makefile.am                  |  2 ++
 src/util/crypto/sss_crypto.c | 29 +++++------------------------
 2 files changed, 7 insertions(+), 24 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 
c74869722d7ae09fa8b3f641f148bc18154c2c93..b1488c4506dc8ac957f71a9007b1e15121a4126b
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -814,6 +814,7 @@ if HAVE_NSS
                         src/util/crypto/nss/nss_nite.c \
                         src/util/crypto/nss/nss_util.c \
                        src/util/crypto/sss_crypto.c \
+                       src/util/atomic_io.c \
                        $(NULL)
     SSS_CRYPT_CFLAGS = $(NSS_CFLAGS)
     SSS_CRYPT_LIBS = $(NSS_LIBS)
@@ -835,6 +836,7 @@ else
                         src/util/crypto/libcrypto/crypto_obfuscate.c \
                         src/util/crypto/libcrypto/crypto_nite.c \
                        src/util/crypto/sss_crypto.c \
+                       src/util/atomic_io.c \
                        $(NULL)
     SSS_CRYPT_CFLAGS = $(CRYPTO_CFLAGS)
     SSS_CRYPT_LIBS = $(CRYPTO_LIBS)
diff --git a/src/util/crypto/sss_crypto.c b/src/util/crypto/sss_crypto.c
index 
4c775f3d926ae32f3cb72b1329c0a025a0550ed5..ac90bac07c7006a2950331b86bcc412207a3e401
 100644
--- a/src/util/crypto/sss_crypto.c
+++ b/src/util/crypto/sss_crypto.c
@@ -25,41 +25,22 @@
 int generate_csprng_buffer(uint8_t *buf, size_t size)
 {
     ssize_t rsize;
-    ssize_t pos;
     int ret;
     int fd;
 
     fd = open("/dev/urandom", O_RDONLY);
     if (fd == -1) return errno;
 
-    rsize = 0;
-    pos = 0;
-    while (rsize < size) {
-        rsize = read(fd, buf + pos, size - pos);
-        switch (rsize) {
-        case -1:
-            if (errno == EINTR) continue;
-            ret = EIO;
-            goto done;
-        case 0:
-            ret = EIO;
-            goto done;
-        default:
-            if (rsize + pos < size - pos) {
-                pos += rsize;
-                continue;
-            }
-            ret = EIO;
-            goto done;
-        }
-    }
-    if (rsize != size) {
+    rsize = sss_atomic_read_s(fd, buf, size);
+    if (rsize == -1) {
+        ret = errno;
+        goto done;
+    } else if (rsize != size) {
         ret = EFAULT;
         goto done;
     }
 
     ret = EOK;
-
 done:
     close(fd);
     return ret;
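Review bot: The `else if (rsize != size)` check compares the signed `ssize_t` return value with the unsigned `size_t` argument; it is correct only because the `-1` branch is taken first, so writing it as `} else if ((size_t)rsize != size) {` makes that ordering explicit and keeps -Wsign-compare quiet. The same signed/unsigned comparison appears in patch 2/3 at the `rsize != size` check in generate_master_key and the `size != lctx->master_key.length` check in local_secrets_provider_handle. Separately, a short read from /dev/urandom still reports `EFAULT`, which callers will read as a bad-address error; `EIO`, which the removed loop returned for the same condition, describes it better, unless some caller depends on EFAULT. The closing brace of generate_csprng_buffer lies outside the hunk.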
-- 
2.4.11

>From f1d66d6668b1f21795d2103aba1576160a4a6207 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 8 Aug 2016 13:50:54 +0200
Subject: [PATCH 2/3] SECRETS: Use sss_atomic_read/write for better readability

sss_atomic_read_s and sss_atomic_write_s are macro-wrappers around
sss_atomic_io_s but it's easier to follow the code with the read/write
variants used directly.
---
 src/responder/secrets/local.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 
470aec0e195a54dd2af2b929ff1b7a304331a214..17469249b357cbdc5e50ddff6b563fdf2f377577
 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -621,7 +621,7 @@ int generate_master_key(const char *filename, size_t size)
     fd = open(filename, O_CREAT|O_EXCL|O_WRONLY, 0600);
     if (fd == -1) return errno;
 
-    rsize = sss_atomic_io_s(fd, buf, size, false);
+    rsize = sss_atomic_write_s(fd, buf, size);
     close(fd);
     if (rsize != size) {
         ret = unlink(filename);
@@ -681,8 +681,8 @@ int local_secrets_provider_handle(struct sec_ctx *sctx,
     }
     if (ret) return EFAULT;
 
-    size = sss_atomic_io_s(mfd, lctx->master_key.data,
-                           lctx->master_key.length, true);
+    size = sss_atomic_read_s(mfd, lctx->master_key.data,
+                             lctx->master_key.length);
     close(mfd);
     if (size < 0 || size != lctx->master_key.length) return EIO;
 
-- 
2.4.11

>From 6491718f59e1bbac40bc672dce646598cc0bf282 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 15 Aug 2016 14:10:23 +0200
Subject: [PATCH 3/3] BUILD: Ship systemd service file for sssd-secrets

Adds two new files: sssd-secrets.socket and sssd-secrets.service. These
can be used to socket-activate the secrets responder even without
explicitly starting it in the sssd config file.

The specfile activates the socket after installation which means that
the admin would just be able to use the secrets socket and the
sssd_secrets responder would be started automatically by systemd.

The sssd-secrets responder is started as root, mostly because I didn't
think of an easy way to pass the uid/gid to the responders without
asking about the sssd user identity in the first place. But nonetheless,
the sssd-secrets responder wasn't tested as non-root and at least the
initialization should be performed as root for the time being.
---
 Makefile.am                              | 21 +++++++++++++++++++--
 contrib/sssd.spec.in                     |  6 ++++++
 src/sysv/systemd/sssd-secrets.service.in |  8 ++++++++
 src/sysv/systemd/sssd-secrets.socket.in  |  8 ++++++++
 4 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 src/sysv/systemd/sssd-secrets.service.in
 create mode 100644 src/sysv/systemd/sssd-secrets.socket.in

diff --git a/Makefile.am b/Makefile.am
index 
b1488c4506dc8ac957f71a9007b1e15121a4126b..3e7d172351a80c21753d21a23f1c94228dfbebf0
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3853,7 +3853,10 @@ systemdunit_DATA =
 systemdconf_DATA =
 if HAVE_SYSTEMD_UNIT
     systemdunit_DATA += \
-        src/sysv/systemd/sssd.service
+        src/sysv/systemd/sssd.service \
+        src/sysv/systemd/sssd-secrets.socket \
+        src/sysv/systemd/sssd-secrets.service \
+        $(NULL)
 if WITH_JOURNALD
     systemdconf_DATA += \
         src/sysv/systemd/journal.conf
@@ -3891,6 +3894,7 @@ edit_cmd = $(SED) \
         -e 's|@sbindir[@]|$(sbindir)|g' \
         -e 's|@environment_file[@]|$(environment_file)|g' \
         -e 's|@localstatedir[@]|$(localstatedir)|g' \
+        -e 's|@libexecdir[@]|$(libexecdir)|g' \
         -e 's|@prefix[@]|$(prefix)|g'
 
 replace_script = \
@@ -3902,7 +3906,10 @@ replace_script = \
 
 EXTRA_DIST += \
     src/sysv/systemd/sssd.service.in \
-    src/sysv/systemd/journal.conf.in
+    src/sysv/systemd/journal.conf.in \
+    src/sysv/systemd/sssd-secrets.socket.in \
+    src/sysv/systemd/sssd-secrets.service.in \
+    $(NULL)
 
 src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
        @$(MKDIR_P) src/sysv/systemd/
@@ -3912,6 +3919,14 @@ src/sysv/systemd/journal.conf: 
src/sysv/systemd/journal.conf.in Makefile
        @$(MKDIR_P) src/sysv/systemd/
        $(replace_script)
 
+src/sysv/systemd/sssd-secrets.socket: src/sysv/systemd/sssd-secrets.socket.in 
Makefile
+       @$(MKDIR_P) src/sysv/systemd/
+       $(replace_script)
+
+src/sysv/systemd/sssd-secrets.service: 
src/sysv/systemd/sssd-secrets.service.in Makefile
+       @$(MKDIR_P) src/sysv/systemd/
+       $(replace_script)
+
 SSSD_USER_DIRS = \
     $(DESTDIR)$(dbpath) \
     $(DESTDIR)$(keytabdir) \
@@ -4127,6 +4142,8 @@ endif
        done;
        rm -Rf ldb_mod_test_dir
        rm -f $(builddir)/src/sysv/systemd/sssd.service
+       rm -f $(builddir)/src/sysv/systemd/sssd-secrets.socket
+       rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service
        rm -f $(builddir)/src/sysv/systemd/journal.conf
 
 CLEANFILES += *.X */*.X */*/*.X
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 
a9a43560e61acf1cb4b2388d50303587252c2c19..22c0583f7047b716f891467fcd4d95f66c831fcb
 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -746,6 +746,8 @@ done
 %{_sbindir}/sssd
 %if (0%{?use_systemd} == 1)
 %{_unitdir}/sssd.service
+%{_unitdir}/sssd-secrets.socket
+%{_unitdir}/sssd-secrets.service
 %else
 %{_initrddir}/%{name}
 %endif
@@ -1077,12 +1079,16 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d 
/ -s /sbin/nologin -c "Us
 # systemd
 %post common
 %systemd_post sssd.service
+%systemd_post sssd-secrets.socket
 
 %preun common
 %systemd_preun sssd.service
+%systemd_preun sssd-secrets.socket
 
 %postun common
 %systemd_postun_with_restart sssd.service
+%systemd_postun_with_restart sssd-secrets.socket
+%systemd_postun_with_restart sssd-secrets.service
 
 %else
 # sysv
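Review bot: `%systemd_post sssd-secrets.socket` expands to `systemctl preset`, so the socket is only enabled when the distribution's preset policy lists it; under a default `disable *` preset the commit message's statement that the socket is active right after installation will presumably not hold. Either document that the admin has to run `systemctl enable sssd-secrets.socket`, or ship a preset entry for the socket alongside the unit files, so that the install-time behaviour matches the description.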
diff --git a/src/sysv/systemd/sssd-secrets.service.in 
b/src/sysv/systemd/sssd-secrets.service.in
new file mode 100644
index 
0000000000000000000000000000000000000000..119c9bb4b37b672159db707aa11a6d11215f29bf
--- /dev/null
+++ b/src/sysv/systemd/sssd-secrets.service.in
@@ -0,0 +1,8 @@
+[Unit]
+Description=SSSD Secrets Service responder
+
+[Install]
+Also=sssd-secrets.socket
+
+[Service]
+ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 --debug-to-files
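Review bot: The `[Unit]` section of sssd-secrets.service carries no dependency on sssd-secrets.socket, unlike the cockpit.service example quoted earlier in the thread (`Requires=cockpit.socket`); with a socket-activated responder, `systemctl start sssd-secrets.service` on its own would start the process without pulling the socket unit in, so adding `Requires=sssd-secrets.socket` under `[Unit]` ties the two together. Whether sssd_secrets can fall back to binding the socket itself when no descriptor is passed is not visible here. As a point of style, `[Install]` is placed between `[Unit]` and `[Service]`, whereas the other units in this thread end with `[Install]`; and since the unit runs the responder as root by design, a one-line comment in the .in file such as `# runs as root for now; see commit message for why` would keep that decision visible to whoever later drops privileges.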
diff --git a/src/sysv/systemd/sssd-secrets.socket.in 
b/src/sysv/systemd/sssd-secrets.socket.in
new file mode 100644
index 
0000000000000000000000000000000000000000..682e8f6e0fa58092a90259523f9f2f59e0131435
--- /dev/null
+++ b/src/sysv/systemd/sssd-secrets.socket.in
@@ -0,0 +1,8 @@
+[Unit]
+Description=SSSD Secrets Service responder socket
+
+[Socket]
+ListenStream=@localstatedir@/run/secrets.socket
+
+[Install]
+WantedBy=sockets.target
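Review bot: The `[Socket]` section sets only `ListenStream=`, so the AF_UNIX socket at `@localstatedir@/run/secrets.socket` is created with systemd's default `SocketMode=0666` and any local user can connect to it. If the responder authorizes clients itself (by peer credentials, presumably) that may be intended, but the access policy should be stated in the unit rather than inherited from a default: add an explicit `SocketMode=` with the intended permissions, or, if world-connectable is deliberate, a comment such as `# world-connectable on purpose: clients are authenticated by the responder` so the next reader does not have to guess.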
-- 
2.4.11
