#14995: systemd unit files - review

Hi weasel,

following your comment [1] about your plans to use systemd instead of init.d scripts I prepared unit files [2] - tested with debian jessie.

Would be great if you could comment on them.

Since it feels a bit as if I would use the wrong communication channel (trac), please let me know if I should move this elsewhere.

thanks,
Nusenu

[1] https://trac.torproject.org/projects/tor/ticket/14995#comment:14
[2] https://trac.torproject.org/projects/tor/ticket/14995#comment:24
https://github.com/nusenu/tor-multi-instance-initscripts/blob/master/debian/...
https://github.com/nusenu/tor-multi-instance-initscripts/blob/master/debian/...

Hi Weasel,

> following your comment [1] about your plans to use systemd instead of init.d scripts I prepared unit files [2] - tested with debian jessie.
> Would be great if you could comment on them.
> Since it feels a bit as if I would use the wrong communication channel (trac), please let me know if I should move this elsewhere.

Now that jessie and vivid are released and debian's systemd has a bug [1] with legacy sysv scripts I wanted to ask what the status of the systemd integration is. Do you have any plans on it?

I think systemd support would also improve security when taking advantage of systemd's security features - a few of them are unfortunately buggy and therefore disabled in the files below.

tested with jessie:
https://github.com/nusenu/ansible-relayor/blob/master/files/debian_tor%40.se...

tested with vivid:
https://github.com/nusenu/ansible-relayor/blob/master/files/ubuntu_tor%40.se...

thanks,
nusenu

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751638

Hi,

[dropping Weasel from the Cc list as I'm pretty sure he reads tor-dev@.]

nusenu wrote (28 Apr 2015 11:15:25 GMT) :
> Now that jessie and vivid are released and debian's systemd has a bug [1] with legacy sysv scripts

FYI this is blocked by missing functionality in sysv-rc's update-rc.d.

> I wanted to ask what the status of the systemd integration is. Do you have any plans on it?

This is being worked on there: https://bugs.debian.org/761403 (which should be a more appropriate forum to discuss this topic.)

> I think systemd support would also improve security when taking advantage of systemd's security features - a few of them are unfortunately buggy and therefore disabled in the files below.

Please report such bugs:

* to the Tor project's Trac if they are bugs in contrib/dist/tor.service.in as shipped with tor
* to the systemd bug tracker if they are bugs in systemd itself

Thanks!

> tested with jessie: https://github.com/nusenu/ansible-relayor/blob/master/files/debian_tor%40.se...

I get a 404 there.

Cheers,
--
intrigeri

Hi intrigeri,

thanks for your reply.

> This is being worked on there: https://bugs.debian.org/761403 (which should be a more appropriate forum to discuss this topic.)

I didn't want to report bugs/feature requests in debian's bts for a non-debian repo (deb.torproject.org). This resulted in a situation where tor's trac is apparently not accepted by the maintainer and debian's bts is not entirely the correct place(?) either, but with that info I'll just use debian's bts for similar matters in the future - thanks for suggesting this and the pointer to the current ticket.

> Please report such bugs:
> * to the Tor project's Trac if they are bugs in contrib/dist/tor.service.in as shipped with tor

I did so in the past but since I don't know any packages actually using that service file shipped by tor
https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in
I'll probably just report any bugs/RFEs against the package instead of tor itself. I hope this makes sense. (The service file in tor does not say on which distributions it should work and a generic service file won't make use of the distribution specific features.)

> * to the systemd bug tracker if they are bugs in systemd itself

https://bugs.freedesktop.org/show_bug.cgi?id=89875#c2
http://lists.freedesktop.org/archives/systemd-devel/2015-April/031377.html

If anyone is interested in systemd problems I stumble on in the tor context:
https://github.com/nusenu/ansible-relayor/issues?utf8=%E2%9C%93&q=is%3Aissue...

>> tested with jessie: https://github.com/nusenu/ansible-relayor/blob/master/files/debian_tor%40.se...
> I get a 404 there.

The file moved to a new location and has become an ansible template (=dynamically created) instead of a static file to "improve" security [1]. CapabilityBoundingSet is dynamically built depending on which capabilities are actually required (related to [2]). This is not something you will be able to do in a service file that ships with a package, but you can still copy that service file and simply remove lines 31 and 36-39 of it [4].

Note: The dynamic service file adjustment I'm using is only a temporary workaround until [3] gets addressed - which I don't expect to happen in 2015.

[1] https://github.com/nusenu/ansible-relayor/commit/cc7530a820fd2b4fd579598f6a1...
[2] https://lists.torproject.org/pipermail/tor-dev/2015-April/008638.html
[3] https://trac.torproject.org/projects/tor/ticket/15659
[4] https://github.com/nusenu/ansible-relayor/blob/master/templates/debian_tor%4...
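
Added example, not part of the thread and not the ansible-relayor template: one way to derive a CapabilityBoundingSet from a torrc, as the message above describes in general terms. The option-to-capability rules (a listener below port 1024 needs CAP_NET_BIND_SERVICE; a `User` line means tor starts as root and needs CAP_SETUID and CAP_SETGID), the function names and the sample torrc are assumptions.

```python
import re

# Assumed rules (not from the thread): which torrc settings need which capability.
LISTENERS = {"orport", "dirport", "socksport", "controlport", "dnsport", "transport"}

def _port(value):
    """Extract the port from '443', '192.0.2.1:443' or '[2001:db8::1]:443'."""
    m = re.search(r"(?:^|:)(\d+)$", value.split()[0])
    return int(m.group(1)) if m else None  # 'auto' and unix sockets give None

def required_capabilities(torrc_text):
    """Return the sorted capabilities this torrc needs under the assumed rules."""
    caps = set()
    for raw in torrc_text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue  # blank line, comment, or option without a value
        key, value = fields[0].lower(), fields[1]
        if key in LISTENERS:
            port = _port(value)
            if port is not None and 0 < port < 1024:  # port 0 disables the listener
                caps.add("CAP_NET_BIND_SERVICE")
        elif key == "user":
            # tor started as root and switching to this account calls setuid/setgid
            caps.update(("CAP_SETUID", "CAP_SETGID"))
    return sorted(caps)

def render_dropin(caps):
    """Render a systemd drop-in; the empty assignment resets any inherited set."""
    lines = ["[Service]", "CapabilityBoundingSet="]
    if caps:
        lines.append("CapabilityBoundingSet=" + " ".join(caps))
    return "\n".join(lines) + "\n"

# Constructed sample input, not a configuration from the thread.
SAMPLE_TORRC = """\
# relay on an unprivileged ORPort, directory port on 80
ORPort [2001:db8::1]:9001
ORPort 192.0.2.10:9001 NoAdvertise
DirPort 80
SocksPort 0
"""

if __name__ == "__main__":
    print(render_dropin(required_capabilities(SAMPLE_TORRC)), end="")
```

The reset line matters in a drop-in because systemd merges repeated CapabilityBoundingSet= assignments, so without it the packaged unit's wider set would stay in effect.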

intrigeri:
> This is being worked on there: https://bugs.debian.org/761403 (which should be a more appropriate forum to discuss this topic.)

Also for the ubuntu packages?

nusenu wrote (02 May 2015 16:04:13 GMT) :
> intrigeri:
>> This is being worked on there: https://bugs.debian.org/761403 (which should be a more appropriate forum to discuss this topic.)
> Also for the ubuntu packages?

AFAIK the Ubuntu packages are just the Debian one, rebuilt for Ubuntu. I'm not aware of any Ubuntu-specific Tor packaging effort.

Cheers,
--
intrigeri

participants (3)
- intrigeri
- Nusenu
- nusenu