[Pkg-sssd-devel] sssd: Changes to 'ubuntu-xenial'
Victor Tapia King
victortapia-guest at moszumanska.debian.org
Fri Mar 24 17:23:26 UTC 2017
Rebased ref, commits from common ancestor:
commit 5ff9d1474a9d48bcfc003be3979da472ebaec1d8
Author: Victor Tapia <victor.tapia at canonical.com>
Date: Fri Mar 24 18:19:05 2017 +0100
Fixes for LP#1566508 and LP#1669712.
* d/p/pidfile-creation.diff: Delay the pidfile creation until the
responders are up (LP: #1566508)
* d/p/sanitize_newline.diff: Sanitize newline and carriage return
characters before LDAP queries. (LP: #1669712)
diff --git a/debian/changelog b/debian/changelog
index 31a9c56..ff60a59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,15 @@
+sssd (1.13.4-1ubuntu1.4) xenial; urgency=medium
+
+ * d/p/pidfile-creation.diff: Delay the pidfile creation until the
+ responders are up (LP: #1566508)
+ * d/p/sanitize_newline.diff: Sanitize newline and carriage return
+ characters before LDAP queries. (LP: #1669712)
+
+ -- Victor Tapia <victor.tapia at canonical.com> Tue, 24 Mar 2017 11:20:32 +0100
+
sssd (1.13.4-1ubuntu1.2) xenial; urgency=medium
- * d/p/restart_providers_on_timeshift.diff: Implement watchdog and
+ * d/p/restart_providers_on_timeshift.patch: Implement watchdog and
use SIGUSR2 after watchdog detects time shift to execute pending
scheduled tasks that could be stuck (LP: #1641875)
diff --git a/debian/patches/pidfile-creation.diff b/debian/patches/pidfile-creation.diff
new file mode 100644
index 0000000..b974758
--- /dev/null
+++ b/debian/patches/pidfile-creation.diff
@@ -0,0 +1,281 @@
+Description: Mark SSSD as started after all responders are up.
+ This patch fixes the sssd boot process for upstart and sssd
+ creating the pidfile after the responders are up and using it
+ to determine when the service is ready/started.
+
+Origin: upstream, commit: d4063e9a21a4e203bee7e0a0144fa8cabb14cc46
+Author: Victor Tapia <victor.tapia at canonical.com>
+Bug: https://fedorahosted.org/sssd/ticket/3080
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1566508
+Reviewed-By: Rafael Tinoco <rafael.tinoco at canonical.com>
+Last-Update: 2017-03-07
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -343,10 +343,6 @@
+ AM_CHECK_SEMANAGE
+ fi
+
+-if test x$HAVE_SYSTEMD_UNIT != x; then
+- AM_CHECK_SYSTEMD
+-fi
+-
+ dnl If journald was selected for logging, configure journald
+ if test x$syslog = xjournald; then
+ AM_CHECK_JOURNALD
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1102,6 +1102,7 @@
+ $(INOTIFY_LIBS) \
+ $(LIBNL_LIBS) \
+ $(KEYUTILS_LIBS) \
++ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+
+ sssd_nss_SOURCES = \
+--- a/src/external/systemd.m4
++++ b/src/external/systemd.m4
+@@ -1,28 +1,44 @@
+-dnl There are no module libsystemd-journal and libsystem-login
+-dnl up systemd version 209
++dnl A macro to check presence of systemd on the system
++PKG_CHECK_EXISTS([systemd],
++ [HAVE_SYSTEMD=yes],
++ [HAVE_SYSTEMD=no])
++
++dnl Libraries libsystemd-journal and libsystem-login are deprecarted
++dnl since systemd 209 and are removed in systemd 230. The library libsystemd
++dnl is replacement of libsystemd-{login,journal,daemon,id128} libraries
+ PKG_CHECK_EXISTS([libsystemd],
+ [HAVE_LIBSYSTEMD=yes],
+ [HAVE_LIBSYSTEMD=no])
+
+-dnl A macro to check presence of systemd on the system
+-AC_DEFUN([AM_CHECK_SYSTEMD],
+-[
+- PKG_CHECK_EXISTS(systemd,
+- [ HAVE_SYSTEMD=1, AC_SUBST(HAVE_SYSTEMD) ],
+- [AC_MSG_ERROR([Could not detect systemd presence])])
+-])
+-
+ AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
+ [login_lib_name=libsystemd],
+ [login_lib_name=libsystemd-login])
+
+-AM_COND_IF([HAVE_SYSTEMD],
+- [PKG_CHECK_MODULES([SYSTEMD_LOGIN],
+- [$login_lib_name],
+- [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_LOGIN], 1,
+- [Build with libsystemdlogin support])
+- ],
+- [AC_MSG_NOTICE([Build without libsystemd-login support])])])
++AS_IF([test x$HAVE_SYSTEMD = xyes],
++ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD], 1, [Build with systemd support])],
++ [AC_MSG_NOTICE([Build without systemd support])])
++
++AS_IF([test x$HAVE_SYSTEMD = xyes],
++ [PKG_CHECK_MODULES(
++ [SYSTEMD_LOGIN],
++ [$login_lib_name],
++ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_LOGIN], 1,
++ [Build with $login_lib_name support])],
++ [AC_MSG_NOTICE([Build without $login_lib_name support])])],
++ [AC_MSG_NOTICE([Build without $login_lib_name support])])
++
++AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
++ [daemon_lib_name=libsystemd],
++ [daemon_lib_name=libsystemd-daemon])
++
++AS_IF([test x$HAVE_SYSTEMD = xyes],
++ [PKG_CHECK_MODULES(
++ [SYSTEMD_DAEMON],
++ [$daemon_lib_name],
++ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_DAEMON], 1,
++ [Build with $daemon_lib_name support])],
++ [AC_MSG_NOTICE([Build without $daemon_lib_name support])])],
++ [AC_MSG_NOTICE([Build without $daemon_lib_name support])])
+
+ dnl A macro to check presence of journald on the system
+ AC_DEFUN([AM_CHECK_JOURNALD],
+--- a/src/monitor/monitor.c
++++ b/src/monitor/monitor.c
+@@ -55,6 +55,10 @@
+ #include <keyutils.h>
+ #endif
+
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ /* ping time cannot be less then once every few seconds or the
+ * monitor will get crazy hammering children with messages */
+ #define MONITOR_DEF_PING_TIME 10
+@@ -77,7 +81,6 @@
+
+ /* name of the monitor server instance */
+ #define MONITOR_NAME "sssd"
+-#define SSSD_PIDFILE_PATH PID_PATH"/"MONITOR_NAME".pid"
+
+ /* Special value to leave the Kerberos Replay Cache set to use
+ * the libkrb5 defaults
+@@ -170,6 +173,7 @@
+ struct netlink_ctx *nlctx;
+ const char *conf_path;
+ struct sss_sigchild_ctx *sigchld_ctx;
++ bool pid_file_created;
+ bool is_daemon;
+ pid_t parent_pid;
+
+@@ -431,7 +435,30 @@
+ ctx->started_services++;
+ }
+
+- if (ctx->started_services == ctx->num_services) {
++ /* create the pid file if all services are alive */
++ if (!ctx->pid_file_created && ctx->started_services == ctx->num_services) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "All services have successfully started, creating pid file\n");
++ ret = pidfile(PID_PATH, MONITOR_NAME);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE,
++ "Error creating pidfile: %s/%s.pid! (%d [%s])\n",
++ PID_PATH, MONITOR_NAME, ret, strerror(ret));
++ kill(getpid(), SIGTERM);
++ }
++
++ ctx->pid_file_created = true;
++
++#ifdef HAVE_SYSTEMD
++ DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
++ ret = sd_notify(0, "READY=1");
++ if (ret < 0) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Error sending notification to systemd %d: %s\n",
++ -ret, strerror(-ret));
++ }
++#endif
++
+ /* Initialization is complete, terminate parent process if in daemon
+ * mode. Make sure we send the signal to the right process */
+ if (ctx->is_daemon) {
+@@ -1476,7 +1503,7 @@
+ int ret;
+
+ errno = 0;
+- ret = unlink(SSSD_PIDFILE_PATH);
++ ret = unlink(SSSD_PIDFILE);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE,
+@@ -1698,6 +1725,7 @@
+ return ENOMEM;
+ }
+
++ ctx->pid_file_created = false;
+ talloc_set_destructor((TALLOC_CTX *)ctx, monitor_ctx_destructor);
+
+ cdb_file = talloc_asprintf(ctx, "%s/%s", DB_PATH, CONFDB_FILE);
+@@ -2949,8 +2977,6 @@
+ return 6;
+ }
+
+- /* we want a pid file check */
+- flags |= FLAGS_PID_FILE;
+ /* the monitor should not run a watchdog on itself */
+ flags |= FLAGS_NO_WATCHDOG;
+
+@@ -3018,6 +3044,15 @@
+ }
+ }
+
++ /* Check if the SSSD is already running */
++ ret = check_file(SSSD_PIDFILE, 0, 0, S_IFREG|0600, 0, NULL, false);
++ if (ret == EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE,
++ "pidfile exists at %s\n", SSSD_PIDFILE);
++ ERROR("SSSD is already running\n");
++ return 2;
++ }
++
+ /* Parse config file, fail if cannot be done */
+ ret = load_configuration(tmp_ctx, config_file, &monitor);
+ if (ret != EOK) {
+--- a/src/sysv/sssd.in
++++ b/src/sysv/sssd.in
+@@ -40,6 +40,8 @@
+ LOCK_FILE=@localstatedir@/lock/subsys/sssd
+ PID_FILE=@localstatedir@/run/sssd.pid
+
++TIMEOUT=15
++
+ start() {
+ [ -x $SSSD ] || exit 5
+ echo -n $"Starting $prog: "
+@@ -47,6 +49,19 @@
+ RETVAL=$?
+ echo
+ [ "$RETVAL" = 0 ] && touch $LOCK_FILE
++
++ # Wait for pidfile creation or timeout
++ sec=0
++ [ "$RETVAL" = 0 ] && while [ $sec -lt $TIMEOUT -a ! -f $PID_FILE ]
++ do
++ sleep 1
++ sec=$(($sec+1))
++ done
++
++ if [ "$sec" = "$TIMEOUT" ]; then
++ RETVAL=-1
++ fi
++
+ return $RETVAL
+ }
+
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -1,16 +1,13 @@
+ [Unit]
+ Description=System Security Services Daemon
+ # SSSD must be running before we permit user sessions
+-Before=systemd-user-sessions.service nss-user-lookup.target
++Before=systemd-user-sessions.service nss-user-lookup.target autofs.service
+ Wants=nss-user-lookup.target
+
+ [Service]
+-EnvironmentFile=- at environment_file@
+-ExecStart=@sbindir@/sssd -D -f
+-# These two should be used with traditional UNIX forking daemons
+-# consult systemd.service(5) for more details
+-Type=forking
+-PIDFile=@localstatedir@/run/sssd.pid
++ExecStart=@sbindir@/sssd -i -f
++Type=notify
++NotifyAccess=main
+
+ [Install]
+ WantedBy=multi-user.target
+--- a/src/tools/tools_util.h
++++ b/src/tools/tools_util.h
+@@ -27,9 +27,6 @@
+
+ #include "util/util.h"
+
+-#define SSSD_PIDFILE ""PID_PATH"/sssd.pid"
+-#define MAX_PID_LENGTH 10
+-
+ #define BAD_POPT_PARAMS(pc, msg, val, label) do { \
+ usage(pc, msg); \
+ val = EXIT_FAILURE; \
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -53,6 +53,10 @@
+ #include "util/sss_format.h"
+ #include "util/debug.h"
+
++/* name of the monitor server instance */
++#define SSSD_PIDFILE PID_PATH"/sssd.pid"
++#define MAX_PID_LENGTH 10
++
+ #define _(STRING) gettext (STRING)
+
+ #define ENUM_INDICATOR "*"
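Review bot: In the monitor.c part, when `pidfile()` fails the code sends itself SIGTERM but then falls through to set `pid_file_created`, call `sd_notify(0, "READY=1")` and, in daemon mode, terminate the parent, so systemd or the init script is told that startup succeeded just before the monitor shuts down; returning from the callback right after `kill(getpid(), SIGTERM);` keeps the failure visible (the enclosing function starts outside the hunk). The new `check_file(SSSD_PIDFILE, ...)` pre-check at startup only tests that the file exists, so unless `pidfile()` itself handles stale files, a pidfile left behind by a crash (the `unlink(SSSD_PIDFILE)` in the destructor only runs on a clean exit) will make every restart fail with "SSSD is already running" until it is removed by hand — worth confirming against pidfile() before relying on this check. Separately, the sysv script's timeout path sets `RETVAL=-1`, which `return` cannot propagate as -1 (bash truncates it to 255, dash rejects it); an LSB status such as `RETVAL=1` is the conventional choice.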
diff --git a/debian/patches/sanitize_newline.diff b/debian/patches/sanitize_newline.diff
new file mode 100644
index 0000000..7119ba7
--- /dev/null
+++ b/debian/patches/sanitize_newline.diff
@@ -0,0 +1,31 @@
+Description: Sanitize newline and return carriage characters
+ Introducing valid usernames with trailing newline or return carriage
+ characters triggers the removal of valid LDB cache entries. This patch
+ sanitizes these characters in order to fix the LDAP query, addressing
+ the issue.
+
+Author: Victor Tapia <victor.tapia at canonical.com>
+Bug: https://pagure.io/SSSD/sssd/issue/3317
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1669712
+Last-Update: 2017-03-10
+
+--- sssd-1.13.4/src/util/util.c 2016-04-13 16:48:41.000000000 +0200
++++ sssd/src/util/util.c 2017-03-10 13:16:23.605399778 +0100
+@@ -586,6 +589,16 @@
+ output[j++] = '5';
+ output[j++] = 'c';
+ break;
++ case '\r':
++ output[j++] = '\\';
++ output[j++] = '0';
++ output[j++] = 'd';
++ break;
++ case '\n':
++ output[j++] = '\\';
++ output[j++] = '0';
++ output[j++] = 'a';
++ break;
+ default:
+ output[j++] = input[i];
+ }
+
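Review bot: The DEP-3 header of this patch does not record whether the change was submitted upstream, unlike pidfile-creation.diff which carries `Origin: upstream, commit: ...`; a `Forwarded: https://pagure.io/SSSD/sssd/issue/3317` line (or `Forwarded: not-needed`) would make its status clear at the next merge. The hunk header `@@ -586,6 +589,16 @@` together with the mismatched `---`/`+++` paths suggests the patch was generated against a tree that already had other changes applied; regenerating it with `quilt refresh` avoids offset/fuzz at build time. Each added case expands one input byte into three output bytes, exactly like the existing escapes, so the output-buffer sizing done outside this hunk presumably already covers it, but that is worth confirming since the enclosing function starts and ends outside the hunk.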
diff --git a/debian/patches/series b/debian/patches/series
index f78dc91..4b0f09c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
ipa-terminate-if-view-name-fails.diff
gpo-add-unity-to-ad-gpo-map-interactive.diff
restart_providers_on_timeshift.diff
+pidfile-creation.diff
+sanitize_newline.diff
diff --git a/debian/sssd-common.sssd.upstart.in b/debian/sssd-common.sssd.upstart.in
index aae8470..312de6f 100644
--- a/debian/sssd-common.sssd.upstart.in
+++ b/debian/sssd-common.sssd.upstart.in
@@ -7,7 +7,7 @@
description "System Security Services Daemon"
-start on (filesystem and net-device-up)
+start on (filesystem and net-device-up and starting autofs)
stop on runlevel [06]
expect fork
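Review bot: The new condition `start on (filesystem and net-device-up and starting autofs)` requires all three events, so as I read upstart's event expressions a machine with no autofs job would never start sssd at boot. If the intent is to have sssd ready before autofs, keeping the original trigger and ordering autofs after sssd (or adding `or starting autofs` alongside the existing events rather than `and`) avoids that regression. This also mirrors the systemd unit change in the same commit, which only adds `Before=... autofs.service` and does not make autofs a prerequisite.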
@@ -27,3 +27,18 @@ script
exec sssd $DAEMON_OPTS
end script
+
+post-start script
+ # Wait until the responders are active to transition to started.
+ TIMEOUT=30
+ sec=0
+ while [ $sec -lt $TIMEOUT -a ! -f /var/run/sssd.pid ]
+ do
+ sleep 1
+ sec=$(($sec+1))
+ done
+
+ if [ "$sec" -eq "$TIMEOUT" ]; then
+ stop
+ fi
+end script
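Review bot: If the pidfile appears during the final `sleep 1`, `$sec` still reaches `$TIMEOUT` and the job is stopped even though startup succeeded; testing the file itself after the loop, `if [ ! -f /var/run/sssd.pid ]; then stop; fi`, avoids the off-by-one. The pidfile path is also hard-coded here while the sysv script in the same commit uses `@localstatedir@/run/sssd.pid`; since this is a `.in` template, `@localstatedir@/run/sssd.pid` would keep the two in step (assuming the same substitution is applied to this file — not visible here).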