From e006df102382618400410b2e67430fb81eb93d97 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 15:07:22 +0200 Subject: [PATCH 01/16] rsyslog: Enable queuing of log messages. This prevents messages from getting lost when the log vserver is temporarily unavailable. --- etc/rsyslog.conf | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 088b8bb..7b95903 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -79,5 +79,15 @@ local0,local1,local2,\ #### Remote logging #### ######################## -# Send all log entries to the log vserver -*.* :omrelp:log:514;RSYSLOG_SyslogProtocol23Format +# Send all log entries to the log vserver, but queue them in memory as well as +# on disk if needed. +$WorkDirectory /var/spool/rsyslog +# Use a linked list for queueing +$ActionQueueType LinkedList +# Name to use for the queue file +$ActionQueueFileName remote +# infinite retries on insert failure +$ActionResumeRetryCount -1 +# save in-memory data if rsyslog shuts down +$ActionQueueSaveOnShutdown on +*.* @@log;RSYSLOG_SyslogProtocol23Format -- 2.30.2 From 033368ac1cf3e8576f589405dcfbe5a3e0dc6816 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 15:55:27 +0200 Subject: [PATCH 02/16] rsyslog: Make the main queue disk-assisted as well. --- etc/rsyslog.conf | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 7b95903..c6e706b 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf 
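Review bot: The new action line `*.* @@log;RSYSLOG_SyslogProtocol23Format` replaces the removed `:omrelp:log:514` action with plain TCP syslog, a transport change that the commit message ("Enable queuing") does not mention; RELP acknowledges each message at the application level, while with `@@` messages already handed to a TCP connection that breaks can still be lost, so the new queue only protects the case where no connection can be established. If dropping RELP is intentional, record the reason in the comment above the line, e.g. `# Forward over plain TCP (RELP dropped because …)`. The comment on `$WorkDirectory /var/spool/rsyslog` should also say who creates that directory and with what ownership and mode, since the queue file `remote` spooled there holds the complete unfiltered log stream while the log vserver is unreachable.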
@@ -35,6 +35,17 @@ $DirCreateMode 0755 # $IncludeConfig /etc/rsyslog.d/*.conf +# Store any queues here. This directory is not created automatically, so it +# must already exist! +$WorkDirectory /var/spool/rsyslog + +# Use a (disk-assisted) main queue +# Use a linked list for queueing +$MainMsgQueueType LinkedList +# Name to use for the queue file +$MainMsgQueueFileName main +# save in-memory data if rsyslog shuts down +$MainMsgQueueSaveOnShutdown on ####################### #### Local logging #### @@ -81,7 +92,6 @@ local0,local1,local2,\ # Send all log entries to the log vserver, but queue them in memory as well as # on disk if needed. -$WorkDirectory /var/spool/rsyslog # Use a linked list for queueing $ActionQueueType LinkedList # Name to use for the queue file -- 2.30.2 From 8c8d29d2441584403b7e6d79bdc6b2638e112a3a Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 17:06:45 +0200 Subject: [PATCH 03/16] ssh: Add default initscript configuration. --- etc/default/ssh | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 etc/default/ssh diff --git a/etc/default/ssh b/etc/default/ssh new file mode 100644 index 0000000..9680d34 --- /dev/null +++ b/etc/default/ssh @@ -0,0 +1,11 @@ +# Default settings for openssh-server. This file is sourced by /bin/sh from +# /etc/init.d/ssh. + +# Options to pass to sshd +SSHD_OPTS= + +# OOM-killer adjustment for sshd (see +# linux/Documentation/filesystems/proc.txt; lower values reduce likelihood +# of being killed, while -17 means the OOM-killer will ignore sshd; set to +# the empty string to skip adjustment) +SSHD_OOM_ADJUST=-17 -- 2.30.2 From 5e14935679f15c54c8be47c88d36632ec1cc9ade Mon Sep 17 00:00:00 2001 
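Review bot: The comment on `$WorkDirectory /var/spool/rsyslog` states that the directory "must already exist", but nothing in this series creates it, so the requirement is easy to miss on a freshly built vserver and the disk-assisted queues configured right below would then have nowhere to spill. The comment should also record the expected owner and mode, e.g. `# Create by hand before first start (root-owned, not world-readable): queue files hold every message`, because `$MainMsgQueueFileName main` spools all messages, including those that the remote-forwarding action later sends off-host. Removing the duplicate `$WorkDirectory` from the remote-logging hunk is fine, as the directive is global rather than per-action.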
From: Matthijs Kooijman Date: Tue, 5 May 2009 17:07:10 +0200 Subject: [PATCH 04/16] ssh: Disable changing of the oom_adj value. This value is meant for making sure ssh is never killed by the oom killer, but that is not allowed inside vservers. --- etc/default/ssh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/default/ssh b/etc/default/ssh index 9680d34..afbc23b 100644 --- a/etc/default/ssh +++ b/etc/default/ssh @@ -8,4 +8,5 @@ SSHD_OPTS= # linux/Documentation/filesystems/proc.txt; lower values reduce likelihood # of being killed, while -17 means the OOM-killer will ignore sshd; set to # the empty string to skip adjustment) -SSHD_OOM_ADJUST=-17 +# Disabled since oom_adj is not available inside vservers +SSHD_OOM_ADJUST= -- 2.30.2 From 3efd2f3ff6b490e947d45ec28925f35888ec6896 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 18:09:52 +0200 Subject: [PATCH 05/16] rsyslog: Use another format for forwarding messages. The syslog protocol 23 format seems to be broken in rsyslog for messages that were originally generated by legacy applications (i.e., do not have a structured-data field). See http://bugzilla.adiscon.com/show_bug.cgi?id=125 --- etc/rsyslog.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index c6e706b..ab6876b 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -100,4 +100,4 @@ $ActionQueueFileName remote $ActionResumeRetryCount -1 # save in-memory data if rsyslog shuts down $ActionQueueSaveOnShutdown on -*.* @@log;RSYSLOG_SyslogProtocol23Format +*.* @@log;RSYSLOG_ForwardFormat -- 2.30.2 From 35359cf1b51f5d677b6351d7529f1f4986c0f7b8 Mon Sep 17 00:00:00 2001 
From: Matthijs Kooijman Date: Thu, 13 Aug 2009 11:18:59 +0200 Subject: [PATCH 06/16] git: Automatically create non-existing repositories. This extends the git-prepend-base script to automatically create a bare git repository when it does not exist yet. This also makes the option handling slightly more robust, to prevent the script from messing with arguments that aren't git repository paths at all. --- usr/local/bin/git-prepend-base | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/usr/local/bin/git-prepend-base b/usr/local/bin/git-prepend-base index 6b524cb..cd8f7c1 100755 --- a/usr/local/bin/git-prepend-base +++ b/usr/local/bin/git-prepend-base @@ -16,9 +16,24 @@ ARGS=() i=0 until [ "$#" -eq 0 ] do - if ! echo $1 | egrep "^(--|$BASE_PATH)" &>/dev/null; then - ARGS[$i]="$BASE_PATH/$1" + if echo $1 | egrep "^--" &>/dev/null; then + # This is an option argument, leave it untouched + ARGS[$i]="$1" + elif echo $1 | egrep ".git$" &>/dev/null; then + # This is a path to a git repository + DIR="$1" + # Prepend BASE_PATH if the path does not start with it already. + if ! echo $DIR | egrep "^$BASE_PATH" &>/dev/null; then + DIR="$BASE_PATH/$DIR" + fi + + # Create the git repository if it does not exist yet + if [ ! -e "$DIR" ]; then + mkdir "$DIR" &> /dev/null && (cd $DIR && git --bare init &> /dev/null) + fi + ARGS[$i]="$DIR" else + # Not a path to a git repository, leave untouched. ARGS[$i]="$1" fi ((i++)) -- 2.30.2 From 72f5c5eeda71df1ed0efd64a752f004862ac59ab Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 13 Aug 2009 11:22:56 +0200 Subject: [PATCH 07/16] git: Rename git-prepend-base to git-wrapper. The script now does more than prepending the basedir, so give it a more general name. --- usr/local/bin/git-receive-pack | 2 +- usr/local/bin/git-upload-pack | 2 +- usr/local/bin/{git-prepend-base => git-wrapper} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename usr/local/bin/{git-prepend-base => git-wrapper} (100%) 
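Review bot: `DIR="$1"` becomes a filesystem path after only checking that the argument ends in `.git` and does not already start with `$BASE_PATH`, so a name with `..` components, or an absolute path whose prefix merely begins with `/data/vcs/git`, passes `egrep "^$BASE_PATH"` and leads `mkdir` and `git --bare init` to run outside the intended base; judging by the git-receive-pack symlink added in the next commit, this argument comes from the remote client, so it deserves a rejection step before `DIR` is built, e.g. `case "$1" in /*|*..*) echo "invalid repository path" >&2; exit 1;; esac`, plus a prefix test such as `[[ "$DIR" == "$BASE_PATH/"* ]]` instead of a regex that interpolates `$BASE_PATH`. Separately, `echo $1 | egrep ".git$"` leaves `$1` unquoted and the `.` unescaped (so `foogit` also matches); `[[ "$1" == *.git ]]` and `[[ "$1" == --* ]]` express both tests without pipes, and `cd $DIR` on the `mkdir` line needs quoting like `mkdir "$DIR"` beside it. The `until` loop these lines belong to is closed outside the hunk.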
diff --git a/usr/local/bin/git-receive-pack b/usr/local/bin/git-receive-pack index f0c4399..b37e17d 120000 --- a/usr/local/bin/git-receive-pack +++ b/usr/local/bin/git-receive-pack @@ -1 +1 @@ -git-prepend-base \ No newline at end of file +git-wrapper \ No newline at end of file diff --git a/usr/local/bin/git-upload-pack b/usr/local/bin/git-upload-pack index f0c4399..b37e17d 120000 --- a/usr/local/bin/git-upload-pack +++ b/usr/local/bin/git-upload-pack @@ -1 +1 @@ -git-prepend-base \ No newline at end of file +git-wrapper \ No newline at end of file diff --git a/usr/local/bin/git-prepend-base b/usr/local/bin/git-wrapper similarity index 100% rename from usr/local/bin/git-prepend-base rename to usr/local/bin/git-wrapper -- 2.30.2 From 3b28063ff56df163bced9bb9c0baf4b9b608e1eb Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 13 Aug 2009 11:34:43 +0200 Subject: [PATCH 08/16] git: Only create repositories for git-receive-pack. This prevents empty repositories from being created when a typo is made when fetching. --- usr/local/bin/git-wrapper | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/local/bin/git-wrapper b/usr/local/bin/git-wrapper index cd8f7c1..43da4e1 100755 --- a/usr/local/bin/git-wrapper +++ b/usr/local/bin/git-wrapper @@ -27,8 +27,9 @@ do DIR="$BASE_PATH/$DIR" fi - # Create the git repository if it does not exist yet - if [ ! -e "$DIR" ]; then + # When the client wants us to receive a pack, create the git + # repository if it does not exist yet + if [ "`basename $0`" = "git-receive-pack" -a ! -e "$DIR" ]; then mkdir "$DIR" &> /dev/null && (cd $DIR && git --bare init &> /dev/null) fi ARGS[$i]="$DIR" -- 2.30.2 From d67b176d349ef991f5efdb678841b36ff1eae73c Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 13 Aug 2009 11:43:38 +0200 Subject: [PATCH 09/16] git: Make the git-wrapper script a bit more readable. --- usr/local/bin/git-wrapper | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
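Review bot: The new condition `[ "`basename $0`" = "git-receive-pack" -a ! -e "$DIR" ]` uses the deprecated `-a` operator and an unquoted `$0` inside backticks, both of which ShellCheck flags; since the file already relies on bash arrays, `if [[ "${0##*/}" == git-receive-pack && ! -e "$DIR" ]]; then` performs the same test without a subprocess. A one-line comment saying that `$0` is the symlink name (git-receive-pack or git-upload-pack) would make the intent clear to readers who only see git-wrapper. The loop containing this `if` is closed outside the hunk.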
diff --git a/usr/local/bin/git-wrapper b/usr/local/bin/git-wrapper index 43da4e1..1920599 100755 --- a/usr/local/bin/git-wrapper +++ b/usr/local/bin/git-wrapper @@ -10,6 +10,11 @@ BASE_PATH='/data/vcs/git' +function init_repos() { + mkdir "$1" &> /dev/null || return 1 + (cd $1 && git --bare init &> /dev/null) || return 1 +} + # We keep an array of arguments, so we can handle quoting an spaces in # arguments properly. ARGS=() @@ -30,7 +35,7 @@ do # When the client wants us to receive a pack, create the git # repository if it does not exist yet if [ "`basename $0`" = "git-receive-pack" -a ! -e "$DIR" ]; then - mkdir "$DIR" &> /dev/null && (cd $DIR && git --bare init &> /dev/null) + init_repos "$DIR" fi ARGS[$i]="$DIR" else -- 2.30.2 From 6ac9194a16209a6d214cb293f97b277dec74ad6d Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 13 Aug 2009 11:50:59 +0200 Subject: [PATCH 10/16] git: Add a post-update hook for new repositories. --- usr/local/bin/git-wrapper | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/local/bin/git-wrapper b/usr/local/bin/git-wrapper index 1920599..6896ec8 100755 --- a/usr/local/bin/git-wrapper +++ b/usr/local/bin/git-wrapper @@ -9,10 +9,12 @@ # --base-path-relaxed. BASE_PATH='/data/vcs/git' +POST_UPDATE_HOOK="$BASE_PATH/hooks/post-update" function init_repos() { mkdir "$1" &> /dev/null || return 1 (cd $1 && git --bare init &> /dev/null) || return 1 + cp -P "$POST_UPDATE_HOOK" "$1/hooks/" || return 1 } # We keep an array of arguments, so we can handle quoting an spaces in -- 2.30.2 From d25f70d83bd46b7e0b58f7a87d522f74fdf28431 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 13 Aug 2009 11:52:06 +0200 Subject: [PATCH 11/16] git: Make git-wrapper exit if repos creation fails. --- usr/local/bin/git-wrapper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/bin/git-wrapper b/usr/local/bin/git-wrapper index 6896ec8..570a47d 100755 --- a/usr/local/bin/git-wrapper +++ b/usr/local/bin/git-wrapper 
@@ -37,7 +37,7 @@ do # When the client wants us to receive a pack, create the git # repository if it does not exist yet if [ "`basename $0`" = "git-receive-pack" -a ! -e "$DIR" ]; then - init_repos "$DIR" + init_repos "$DIR" || exit 1 fi ARGS[$i]="$DIR" else -- 2.30.2 From 94063426f36b90b391ed37c28a83980ae22a14c9 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 26 Jul 2010 15:26:53 +0200 Subject: [PATCH 12/16] oidentd: Add default configuration. --- etc/default/oidentd | 17 +++++++++++++++++ etc/oidentd.conf | 22 ++++++++++++++++++++++ etc/oidentd_masq.conf | 11 +++++++++++ 3 files changed, 50 insertions(+) create mode 100644 etc/default/oidentd create mode 100644 etc/oidentd.conf create mode 100644 etc/oidentd_masq.conf diff --git a/etc/default/oidentd b/etc/default/oidentd new file mode 100644 index 0000000..14bec1e --- /dev/null +++ b/etc/default/oidentd @@ -0,0 +1,17 @@ +# options to use when starting oidentd as daemon: +# -m lookup masquaraded connections in /etc/oidentd_masq.users +# -f forward requests for masquaraded connections to real host +# -q don't log connections to oidentd +# see oidentd(8) for detailed list +OIDENT_OPTIONS="-mf" + +# user / group +OIDENT_USER=oident +OIDENT_GROUP=oident + +# Allow the default router to act as an oidentd proxy? (yes/no) +# this is needed behind a masquarading router that runs oidentd -f +# if your identd proxy is not the default router, you have to +# manually specify it via -P +OIDENT_BEHIND_PROXY=yes + diff --git a/etc/oidentd.conf b/etc/oidentd.conf new file mode 100644 index 0000000..03b28d8 --- /dev/null +++ b/etc/oidentd.conf @@ -0,0 +1,22 @@ +# Configuration for oidentd +# see oidentd.conf(5) +# +default { + default { + deny spoof + deny spoof_all + deny spoof_privport + allow random + allow random_numeric + allow numeric + deny hide + } +} + +# you may want to hide root connections +#user "root" { +# default { +# force reply "UNKNOWN" +# } +#} + 
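Review bot: `init_repos "$DIR" || exit 1` exits without a diagnostic and without undoing partial state: when `mkdir` succeeds but `git --bare init` or the hook copy fails, the empty directory stays behind, and on the next push `[ ! -e "$DIR" ]` is false, so initialisation is skipped and git-receive-pack runs against a directory that is not a repository. Either remove the directory on failure inside `init_repos` or at least report the problem, e.g. `init_repos "$DIR" || { echo "cannot create repository $DIR" >&2; exit 1; }`. The surrounding `until` loop starts and ends outside the hunk.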
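Review bot: The description of `-m` says masqueraded connections are looked up in `/etc/oidentd_masq.users`, but the file added by this same commit is `etc/oidentd_masq.conf`, whose own comments point to `oidentd_masq.conf(5)`; one of the two names is wrong, so align the comment with the file actually shipped, e.g. `# -m lookup masqueraded connections in /etc/oidentd_masq.conf`. The spelling `masquaraded`, which appears in both new files, should read `masqueraded`.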
diff --git a/etc/oidentd_masq.conf b/etc/oidentd_masq.conf new file mode 100644 index 0000000..8fb03f1 --- /dev/null +++ b/etc/oidentd_masq.conf @@ -0,0 +1,11 @@ +# oident masquarded connections configuration + +# use this file if your host is masquarading connections for several +# hosts and you want to return a reply based on the hostname of +# the originating machine +# by default, such requests are forwarded to the real host. +# you can disable forwarding by removing "-f" from OIDENT_OPTIONS +# in /etc/default/oidentd + +# add hosts in the following format, see oidentd_masq.conf(5) for details: +# [/mask] -- 2.30.2 From a799b50b1d46b49b57ce3212c2fcf60317e7a6f9 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 26 Jul 2010 15:29:31 +0200 Subject: [PATCH 13/16] oidentd: Allow the vserver host to forward connections. --- etc/default/oidentd | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/etc/default/oidentd b/etc/default/oidentd index 14bec1e..f807bd5 100644 --- a/etc/default/oidentd +++ b/etc/default/oidentd 
@@ -2,16 +2,19 @@ # -m lookup masquaraded connections in /etc/oidentd_masq.users # -f forward requests for masquaraded connections to real host # -q don't log connections to oidentd +# -P allow forwarded connectsions from this host. We use our own +# hostname here, since connections will be forwarded from oidentd +# on the vserver host. Those connections will appear to originate +# from our own (and only) IP address. # see oidentd(8) for detailed list -OIDENT_OPTIONS="-mf" +OIDENT_OPTIONS="-mf -P `hostname`" # user / group OIDENT_USER=oident OIDENT_GROUP=oident # Allow the default router to act as an oidentd proxy? (yes/no) -# this is needed behind a masquarading router that runs oidentd -f -# if your identd proxy is not the default router, you have to -# manually specify it via -P -OIDENT_BEHIND_PROXY=yes +# Since the vserver stuff messes up this autodetection, we pass in -P +# above instead. +OIDENT_BEHIND_PROXY=no -- 2.30.2 From 5e3f9a6568baf708c5bd88144cd9a59260301683 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Sun, 30 Jan 2011 21:19:31 +0100 Subject: [PATCH 14/16] git: Make git-wrapper create symlinks instead of copying them. This makes it possible to have a single hook script that calls multiple different ones, instead of being just a symlink to a single script. --- usr/local/bin/git-wrapper | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/usr/local/bin/git-wrapper b/usr/local/bin/git-wrapper index 570a47d..5481ffb 100755 --- a/usr/local/bin/git-wrapper +++ b/usr/local/bin/git-wrapper 
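Review bot: `OIDENT_OPTIONS="-mf -P `hostname`"` makes the set of hosts whose forwarded ident requests are accepted depend on what `hostname` resolves to at the moment the init script sources this file; if resolution of the vserver's own name changes or fails, the trust granted by `-P` silently moves with it, and this file is the only place that records the decision, so the new comment should say so explicitly. Prefer `$(hostname)` over backticks for readability, and fix the typo `connectsions` → `connections` in the added comment lines.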
@@ -9,12 +9,15 @@ # --base-path-relaxed. BASE_PATH='/data/vcs/git' -POST_UPDATE_HOOK="$BASE_PATH/hooks/post-update" +HOOKS_PATH="$BASE_PATH/hooks" +HOOKS=post-update function init_repos() { mkdir "$1" &> /dev/null || return 1 (cd $1 && git --bare init &> /dev/null) || return 1 - cp -P "$POST_UPDATE_HOOK" "$1/hooks/" || return 1 + for hook in $HOOKS; do + ln -s "$HOOKS_PATH/$hook" "$1/hooks/" || return 1 + done } # We keep an array of arguments, so we can handle quoting an spaces in -- 2.30.2 From 52519728c21edab8d3d34cb6184576dfda5157d5 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Sun, 30 Jan 2011 21:21:32 +0100 Subject: [PATCH 15/16] git: Make git-wrapper copy post-receive as well. --- usr/local/bin/git-wrapper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/bin/git-wrapper b/usr/local/bin/git-wrapper index 5481ffb..e798965 100755 --- a/usr/local/bin/git-wrapper +++ b/usr/local/bin/git-wrapper @@ -10,7 +10,7 @@ BASE_PATH='/data/vcs/git' HOOKS_PATH="$BASE_PATH/hooks" -HOOKS=post-update +HOOKS="post-update post-receive" function init_repos() { mkdir "$1" &> /dev/null || return 1 -- 2.30.2 From 4717bf25254a7cd8404b81209b6817c911451f5d Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Sun, 30 Jan 2011 22:12:49 +0100 Subject: [PATCH 16/16] git: Make git-wrapper create links with -f. This allows it to overwrite the example hooks scripts that git creates by default. --- usr/local/bin/git-wrapper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/bin/git-wrapper b/usr/local/bin/git-wrapper index e798965..5a55eb7 100755 --- a/usr/local/bin/git-wrapper +++ b/usr/local/bin/git-wrapper @@ -16,7 +16,7 @@ function init_repos() { mkdir "$1" &> /dev/null || return 1 (cd $1 && git --bare init &> /dev/null) || return 1 for hook in $HOOKS; do - ln -s "$HOOKS_PATH/$hook" "$1/hooks/" || return 1 + ln -s -f "$HOOKS_PATH/$hook" "$1/hooks/" || return 1 done } -- 2.30.2
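Review bot: With `ln -s "$HOOKS_PATH/$hook" "$1/hooks/"`, every new repository executes the shared `$BASE_PATH/hooks/post-update` on each push instead of a private copy, so whoever can modify that single file controls code run by the git user in all repositories; the commit message explains the maintenance benefit, but a comment next to `HOOKS_PATH` should state that the directory must be writable only by the administrator and not by the account that receives pushes. `$HOOKS` is left unquoted in `for hook in $HOOKS` on purpose, to split on spaces (the following commit relies on that), so a `# word-split on purpose` comment would stop a later cleanup from quoting it. The enclosing `init_repos` function ends inside the hunk.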