[Pkg-sssd-devel] sssd: Changes to 'ubuntu-xenial'

Victor Tapia King victortapia-guest at moszumanska.debian.org
Fri Mar 24 17:23:26 UTC 2017


Rebased ref, commits from common ancestor:
commit 5ff9d1474a9d48bcfc003be3979da472ebaec1d8
Author: Victor Tapia <victor.tapia at canonical.com>
Date:   Fri Mar 24 18:19:05 2017 +0100

    Fixes for LP#1566508 and LP#1669712.
    
      * d/p/pidfile-creation.diff: Delay the pidfile creation until the
        responders are up (LP: #1566508)
      * d/p/sanitize_newline.diff: Sanitize newline and carriage return
        characters before LDAP queries. (LP: #1669712)

diff --git a/debian/changelog b/debian/changelog
index 31a9c56..ff60a59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,15 @@
+sssd (1.13.4-1ubuntu1.4) xenial; urgency=medium
+
+  * d/p/pidfile-creation.diff: Delay the pidfile creation until the
+    responders are up (LP: #1566508)
+  * d/p/sanitize_newline.diff: Sanitize newline and carriage return
+    characters before LDAP queries. (LP: #1669712)
+
+ -- Victor Tapia <victor.tapia at canonical.com>  Tue, 24 Mar 2017 11:20:32 +0100
+
 sssd (1.13.4-1ubuntu1.2) xenial; urgency=medium
 
-  * d/p/restart_providers_on_timeshift.diff: Implement watchdog and
+  * d/p/restart_providers_on_timeshift.patch: Implement watchdog and
     use SIGUSR2 after watchdog detects time shift to execute pending
     scheduled tasks that could be stuck (LP: #1641875)
 
diff --git a/debian/patches/pidfile-creation.diff b/debian/patches/pidfile-creation.diff
new file mode 100644
index 0000000..b974758
--- /dev/null
+++ b/debian/patches/pidfile-creation.diff
@@ -0,0 +1,281 @@
+Description: Mark SSSD as started after all responders are up.
+ This patch fixes the sssd boot process for upstart and sssd
+ creating the pidfile after the responders are up and using it
+ to determine when the service is ready/started.
+
+Origin: upstream, commit: d4063e9a21a4e203bee7e0a0144fa8cabb14cc46
+Author: Victor Tapia <victor.tapia at canonical.com>
+Bug: https://fedorahosted.org/sssd/ticket/3080
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1566508
+Reviewed-By: Rafael Tinoco <rafael.tinoco at canonical.com>
+Last-Update: 2017-03-07
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -343,10 +343,6 @@
+     AM_CHECK_SEMANAGE
+ fi
+ 
+-if test x$HAVE_SYSTEMD_UNIT != x; then
+-    AM_CHECK_SYSTEMD
+-fi
+-
+ dnl If journald was selected for logging, configure journald
+ if test x$syslog = xjournald; then
+     AM_CHECK_JOURNALD
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1102,6 +1102,7 @@
+     $(INOTIFY_LIBS) \
+     $(LIBNL_LIBS) \
+     $(KEYUTILS_LIBS) \
++    $(SYSTEMD_DAEMON_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS)
+ 
+ sssd_nss_SOURCES = \
+--- a/src/external/systemd.m4
++++ b/src/external/systemd.m4
+@@ -1,28 +1,44 @@
+-dnl There are no module libsystemd-journal and libsystem-login
+-dnl up systemd version 209
++dnl A macro to check presence of systemd on the system
++PKG_CHECK_EXISTS([systemd],
++                 [HAVE_SYSTEMD=yes],
++                 [HAVE_SYSTEMD=no])
++
++dnl Libraries libsystemd-journal and libsystem-login are deprecarted
++dnl since systemd 209 and are removed in systemd 230. The library libsystemd
++dnl is replacement of libsystemd-{login,journal,daemon,id128} libraries
+ PKG_CHECK_EXISTS([libsystemd],
+                  [HAVE_LIBSYSTEMD=yes],
+                  [HAVE_LIBSYSTEMD=no])
+ 
+-dnl A macro to check presence of systemd on the system
+-AC_DEFUN([AM_CHECK_SYSTEMD],
+-[
+-    PKG_CHECK_EXISTS(systemd,
+-                     [ HAVE_SYSTEMD=1, AC_SUBST(HAVE_SYSTEMD) ],
+-                     [AC_MSG_ERROR([Could not detect systemd presence])])
+-])
+-
+ AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
+       [login_lib_name=libsystemd],
+       [login_lib_name=libsystemd-login])
+ 
+-AM_COND_IF([HAVE_SYSTEMD],
+-           [PKG_CHECK_MODULES([SYSTEMD_LOGIN],
+-                              [$login_lib_name],
+-                              [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_LOGIN], 1,
+-                                          [Build with libsystemdlogin support])
+-                              ],
+-           [AC_MSG_NOTICE([Build without libsystemd-login support])])])
++AS_IF([test x$HAVE_SYSTEMD = xyes],
++      [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD], 1, [Build with systemd support])],
++      [AC_MSG_NOTICE([Build without systemd support])])
++
++AS_IF([test x$HAVE_SYSTEMD = xyes],
++      [PKG_CHECK_MODULES(
++          [SYSTEMD_LOGIN],
++          [$login_lib_name],
++          [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_LOGIN], 1,
++                              [Build with $login_lib_name support])],
++          [AC_MSG_NOTICE([Build without $login_lib_name support])])],
++      [AC_MSG_NOTICE([Build without $login_lib_name support])])
++
++AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
++      [daemon_lib_name=libsystemd],
++      [daemon_lib_name=libsystemd-daemon])
++
++AS_IF([test x$HAVE_SYSTEMD = xyes],
++      [PKG_CHECK_MODULES(
++          [SYSTEMD_DAEMON],
++          [$daemon_lib_name],
++          [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_DAEMON], 1,
++                              [Build with $daemon_lib_name support])],
++          [AC_MSG_NOTICE([Build without $daemon_lib_name support])])],
++      [AC_MSG_NOTICE([Build without $daemon_lib_name support])])
+ 
+ dnl A macro to check presence of journald on the system
+ AC_DEFUN([AM_CHECK_JOURNALD],
+--- a/src/monitor/monitor.c
++++ b/src/monitor/monitor.c
+@@ -55,6 +55,10 @@
+ #include <keyutils.h>
+ #endif
+ 
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ /* ping time cannot be less then once every few seconds or the
+  * monitor will get crazy hammering children with messages */
+ #define MONITOR_DEF_PING_TIME 10
+@@ -77,7 +81,6 @@
+ 
+ /* name of the monitor server instance */
+ #define MONITOR_NAME        "sssd"
+-#define SSSD_PIDFILE_PATH   PID_PATH"/"MONITOR_NAME".pid"
+ 
+ /* Special value to leave the Kerberos Replay Cache set to use
+  * the libkrb5 defaults
+@@ -170,6 +173,7 @@
+     struct netlink_ctx *nlctx;
+     const char *conf_path;
+     struct sss_sigchild_ctx *sigchld_ctx;
++    bool pid_file_created;
+     bool is_daemon;
+     pid_t parent_pid;
+ 
+@@ -431,7 +435,30 @@
+         ctx->started_services++;
+     }
+ 
+-    if (ctx->started_services == ctx->num_services) {
++    /* create the pid file if all services are alive */
++    if (!ctx->pid_file_created && ctx->started_services == ctx->num_services) {
++        DEBUG(SSSDBG_TRACE_FUNC,
++              "All services have successfully started, creating pid file\n");
++        ret = pidfile(PID_PATH, MONITOR_NAME);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_FATAL_FAILURE,
++                  "Error creating pidfile: %s/%s.pid! (%d [%s])\n",
++                  PID_PATH, MONITOR_NAME, ret, strerror(ret));
++            kill(getpid(), SIGTERM);
++        }
++
++        ctx->pid_file_created = true;
++
++#ifdef HAVE_SYSTEMD
++        DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
++        ret = sd_notify(0, "READY=1");
++        if (ret < 0) {
++            DEBUG(SSSDBG_CRIT_FAILURE,
++                  "Error sending notification to systemd %d: %s\n",
++                  -ret, strerror(-ret));
++        }
++#endif
++
+         /* Initialization is complete, terminate parent process if in daemon
+          * mode. Make sure we send the signal to the right process */
+         if (ctx->is_daemon) {
+@@ -1476,7 +1503,7 @@
+     int ret;
+ 
+     errno = 0;
+-    ret = unlink(SSSD_PIDFILE_PATH);
++    ret = unlink(SSSD_PIDFILE);
+     if (ret == -1) {
+         ret = errno;
+         DEBUG(SSSDBG_FATAL_FAILURE,
+@@ -1698,6 +1725,7 @@
+         return ENOMEM;
+     }
+ 
++    ctx->pid_file_created = false;
+     talloc_set_destructor((TALLOC_CTX *)ctx, monitor_ctx_destructor);
+ 
+     cdb_file = talloc_asprintf(ctx, "%s/%s", DB_PATH, CONFDB_FILE);
+@@ -2949,8 +2977,6 @@
+         return 6;
+     }
+ 
+-    /* we want a pid file check */
+-    flags |= FLAGS_PID_FILE;
+     /* the monitor should not run a watchdog on itself */
+     flags |= FLAGS_NO_WATCHDOG;
+ 
+@@ -3018,6 +3044,15 @@
+         }
+     }
+ 
++    /* Check if the SSSD is already running */
++    ret = check_file(SSSD_PIDFILE, 0, 0, S_IFREG|0600, 0, NULL, false);
++    if (ret == EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE,
++              "pidfile exists at %s\n", SSSD_PIDFILE);
++        ERROR("SSSD is already running\n");
++        return 2;
++    }
++
+     /* Parse config file, fail if cannot be done */
+     ret = load_configuration(tmp_ctx, config_file, &monitor);
+     if (ret != EOK) {
+--- a/src/sysv/sssd.in
++++ b/src/sysv/sssd.in
+@@ -40,6 +40,8 @@
+ LOCK_FILE=@localstatedir@/lock/subsys/sssd
+ PID_FILE=@localstatedir@/run/sssd.pid
+ 
++TIMEOUT=15
++
+ start() {
+     [ -x $SSSD ] || exit 5
+     echo -n $"Starting $prog: "
+@@ -47,6 +49,19 @@
+     RETVAL=$?
+     echo
+     [ "$RETVAL" = 0 ] && touch $LOCK_FILE
++
++    # Wait for pidfile creation or timeout
++    sec=0
++    [ "$RETVAL" = 0 ] && while [ $sec -lt $TIMEOUT -a ! -f $PID_FILE ]
++    do
++        sleep 1
++        sec=$(($sec+1))
++    done
++
++    if [ "$sec" = "$TIMEOUT" ]; then
++        RETVAL=-1
++    fi
++
+     return $RETVAL
+ }
+ 
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -1,16 +1,13 @@
+ [Unit]
+ Description=System Security Services Daemon
+ # SSSD must be running before we permit user sessions
+-Before=systemd-user-sessions.service nss-user-lookup.target
++Before=systemd-user-sessions.service nss-user-lookup.target autofs.service
+ Wants=nss-user-lookup.target
+ 
+ [Service]
+-EnvironmentFile=- at environment_file@
+-ExecStart=@sbindir@/sssd -D -f
+-# These two should be used with traditional UNIX forking daemons
+-# consult systemd.service(5) for more details
+-Type=forking
+-PIDFile=@localstatedir@/run/sssd.pid
++ExecStart=@sbindir@/sssd -i -f
++Type=notify
++NotifyAccess=main
+ 
+ [Install]
+ WantedBy=multi-user.target
+--- a/src/tools/tools_util.h
++++ b/src/tools/tools_util.h
+@@ -27,9 +27,6 @@
+ 
+ #include "util/util.h"
+ 
+-#define SSSD_PIDFILE ""PID_PATH"/sssd.pid"
+-#define MAX_PID_LENGTH 10
+-
+ #define BAD_POPT_PARAMS(pc, msg, val, label) do { \
+         usage(pc, msg);                           \
+         val = EXIT_FAILURE;                       \
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -53,6 +53,10 @@
+ #include "util/sss_format.h"
+ #include "util/debug.h"
+ 
++/* name of the monitor server instance */
++#define SSSD_PIDFILE PID_PATH"/sssd.pid"
++#define MAX_PID_LENGTH 10
++
+ #define _(STRING) gettext (STRING)
+ 
+ #define ENUM_INDICATOR "*"
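Review bot: The new pre-start check `ret = check_file(SSSD_PIDFILE, 0, 0, S_IFREG|0600, 0, NULL, false);` in monitor.c refuses to start whenever the pidfile merely exists, so a stale file left behind by a crash or power loss blocks sssd with "SSSD is already running" until an operator deletes it by hand; the `FLAGS_PID_FILE` path it replaces presumably validated the recorded pid, and this check should do the same (read the pid, probe it with `kill(pid, 0)` and treat ESRCH as stale) before returning 2. Separately, after `ret = pidfile(PID_PATH, MONITOR_NAME);` a failure only sends SIGTERM to the monitor and then falls through to set `pid_file_created`, send `READY=1` to systemd and terminate the parent, so the service can be reported ready even though its pidfile could not be written; returning right after the `kill()` or guarding the notify with `if (ret == EOK)` keeps the failure visible. In src/sysv/sssd.in, `RETVAL=-1` is not a valid exit status for a shell `return` (it becomes 255 or an error depending on the shell); `RETVAL=1` is the portable choice. The enclosing functions start and end outside these hunks.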
diff --git a/debian/patches/sanitize_newline.diff b/debian/patches/sanitize_newline.diff
new file mode 100644
index 0000000..7119ba7
--- /dev/null
+++ b/debian/patches/sanitize_newline.diff
@@ -0,0 +1,31 @@
+Description: Sanitize newline and return carriage characters
+ Introducing valid usernames with trailing newline or return carriage
+ characters triggers the removal of valid LDB cache entries. This patch
+ sanitizes these characters in order to fix the LDAP query, addressing
+ the issue.
+
+Author: Victor Tapia <victor.tapia at canonical.com>
+Bug: https://pagure.io/SSSD/sssd/issue/3317
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1669712
+Last-Update: 2017-03-10
+
+--- sssd-1.13.4/src/util/util.c	2016-04-13 16:48:41.000000000 +0200
++++ sssd/src/util/util.c	2017-03-10 13:16:23.605399778 +0100
+@@ -586,6 +589,16 @@
+             output[j++] = '5';
+             output[j++] = 'c';
+             break;
++        case '\r':
++            output[j++] = '\\';
++            output[j++] = '0';
++            output[j++] = 'd';
++            break;
++        case '\n':
++            output[j++] = '\\';
++            output[j++] = '0';
++            output[j++] = 'a';
++            break;
+         default:
+             output[j++] = input[i];
+         }
+
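Review bot: The two added cases emit three output bytes for every `\r` and `\n`, which is only safe if `output` is sized for the worst case of every input byte expanding to three (as the neighbouring escapes for `*`, `(`, `)` and `\\` already require) rather than by a pre-count that enumerates only the old escape set; the allocation is outside the hunk and should be confirmed, because an undersized buffer here would be a heap overflow on user-supplied names. The hunk header `@@ -586,6 +589,16 @@` has different old and new start lines although this is the patch's only hunk, which suggests it was cut out of a larger diff; regenerating it as `@@ -586,6 +586,16 @@` avoids fuzz/offset warnings when quilt applies it. The enclosing function starts and ends outside the hunk.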
diff --git a/debian/patches/series b/debian/patches/series
index f78dc91..4b0f09c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
 ipa-terminate-if-view-name-fails.diff
 gpo-add-unity-to-ad-gpo-map-interactive.diff
 restart_providers_on_timeshift.diff
+pidfile-creation.diff
+sanitize_newline.diff
diff --git a/debian/sssd-common.sssd.upstart.in b/debian/sssd-common.sssd.upstart.in
index aae8470..312de6f 100644
--- a/debian/sssd-common.sssd.upstart.in
+++ b/debian/sssd-common.sssd.upstart.in
@@ -7,7 +7,7 @@
 
 description	"System Security Services Daemon"
 
-start on (filesystem and net-device-up)
+start on (filesystem and net-device-up and starting autofs)
 stop on runlevel [06]
 
 expect fork
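Review bot: `start on (filesystem and net-device-up and starting autofs)` turns the `starting autofs` event into a hard requirement: upstart's `and` waits for all three events, so on a host where the autofs job is absent or disabled sssd never starts at boot. If the goal is only to order sssd before autofs when autofs is present, an optional clause such as `start on ((filesystem and net-device-up) or starting autofs)` still holds the `starting` event until sssd is up without making autofs mandatory; confirm the behaviour on a host without autofs and mention the changed start condition in the changelog entry.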
@@ -27,3 +27,18 @@ script
 
 	exec sssd $DAEMON_OPTS
 end script
+
+post-start script
+        # Wait until the responders are active to transition to started.
+        TIMEOUT=30
+        sec=0
+        while [ $sec -lt $TIMEOUT -a ! -f /var/run/sssd.pid ]
+        do
+               sleep 1
+               sec=$(($sec+1))
+        done
+
+        if [ "$sec" -eq "$TIMEOUT" ]; then
+               stop
+        fi
+end script
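Review bot: The timeout branch runs `stop` without leaving any record of why, so a boot where the responders never came up fails silently; logging before stopping, e.g. `logger -t sssd "responders not up after ${TIMEOUT}s, stopping"`, makes the failure visible in syslog. The pidfile path `/var/run/sssd.pid` is hard-coded while the sibling init script in the same upload derives it from `@localstatedir@`; since this file is an `.in` template, `@localstatedir@/run/sssd.pid` keeps the two in agreement.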


