Use /etc/default/mumble-server for LD_PRELOAD ECDHE

author: Silvio Rhatto <rhatto@riseup.net> 2013-11-07 10:23:45 -0200
committer: Silvio Rhatto <rhatto@riseup.net> 2013-11-07 10:23:45 -0200
commit: 12551a6bcdb0fa7915567db280073cb21de59a6c (patch)
tree: be529cd5de1fdd1d9f1e4174a29d5e93c480a079
parent: 8a5ef2ce56429e1da0e9d15c73df5351a1f17515 (diff)
download: puppet-mumble-12551a6bcdb0fa7915567db280073cb21de59a6c.tar.gz
puppet-mumble-12551a6bcdb0fa7915567db280073cb21de59a6c.tar.bz2
3 files changed, 153 insertions, 129 deletions
diff --git a/files/ecdhforce/mumble-server.Debian b/files/ecdhforce/mumble-server.Debian
index 61b6808..7c4f707 100755..100644
--- a/files/ecdhforce/mumble-server.Debian
+++ b/files/ecdhforce/mumble-server.Debian
@@ -1,133 +1,17 @@
-#! /bin/sh
-#
-### BEGIN INIT INFO
-# Provides:             mumble-server
-# Required-Start:       $network $local_fs $remote_fs dbus
-# Required-Stop:	$network $local_fs $remote_fs dbus
-# Should-Start:		$mysql
-# Should-Stop:		$mysql
-# Default-Start:        2 3 4 5
-# Default-Stop:         0 1 6
-# Short-Description:    Mumble VoIP Server
-### END INIT INFO
+# 0 = don't start, 1 = start
+MURMUR_DAEMON_START=1
 
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-NAME=mumble-server
-DESC="Mumble VoIP Server"
-PIDDIR=/var/run/$NAME
-PIDFILE=$PIDDIR/$NAME.pid
-DAEMON=/usr/sbin/murmurd
-USER=mumble-server
-GROUP=mumble-server
-
-test -x $DAEMON || exit 0
-
-INIFILE=/etc/mumble-server.ini
-DAEMON_OPTS="-ini $INIFILE"
-MURMUR_DAEMON_START=0
+# 0 = don't use capabilities, 1 = start process as root and drop to non-privileged user
+# If started as root, mumble will keep the CAP_NET_ADMIN privilege and drop
+# all others. This allows it to set high-priority TOS on outgoing IP packets.
 MURMUR_USE_CAPABILITIES=0
-MURMUR_LIMIT_NOFILE=0
-
-# ECDHE Perfect Forward Secrecy on the Murmur server via an LD_PRELOAD
-# https://github.com/ultramancool/ecdhforce
-STARTSTOP="LD_PRELOAD=/var/lib/mumble-server/ecdhforce/ecdhforce.so start-stop-daemon"
 
-# Include murmur defaults if available
-if [ -f /etc/default/$NAME ] ; then
-	. /etc/default/$NAME
-fi
+# This controls how many file descriptors the murmur process can open.
+# As a rule of thumb, you should have about 20 descriptors per virtaul 
+# server and one for each client. So 30 servers with 20 clients each would
+# need at least 720 descriptors (30 * 4 + 30 * 20).
+# MURMUR_LIMIT_NOFILE=65536
 
-. /lib/init/vars.sh
-. /lib/lsb/init-functions
-
-if [ "$MURMUR_LIMIT_NOFILE" -gt 0 ] ; then
-	ulimit -n $MURMUR_LIMIT_NOFILE
-fi
-
-case "$1" in
-  start)
-  	if [ "$MURMUR_DAEMON_START" != "1" ] ; then
-  		log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
-  		exit 0
-  	fi
-  	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	[ -d $PIDDIR ] || install -o $USER -d $PIDDIR
-	if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
-	  $STARTSTOP --start --quiet \
-		--pidfile $PIDFILE \
-		--chuid $USER:$GROUP \
-		--exec $DAEMON \
-		-- $DAEMON_OPTS
-	else
-	  $STARTSTOP --start --quiet \
-		--pidfile $PIDFILE \
-		--exec $DAEMON \
-		-- $DAEMON_OPTS
-	fi
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-  	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	$STARTSTOP --stop --quiet \
-		--retry=TERM/30/KILL/5 \
-		--pidfile $PIDFILE \
-		--user $USER \
-		--exec $DAEMON
-	case "$?" in
-		0|1)	rm -f $PIDFILE
-			[ "$VERBOSE" != no ] && log_end_msg 0
-			;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  force-reload)
-	$STARTSTOP --stop --test --quiet \
-		--pidfile $PIDFILE \
-		--user $USER \
-		--exec $DAEMON \
-	&& $0 restart || exit 0
-	;;
-  restart)
- 	[ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
-	$STARTSTOP --stop --quiet \
-		--retry=TERM/30/KILL/5 \
-		--pidfile $PIDFILE \
-		--user $USER \
-		--exec $DAEMON
-	case "$?" in
-		0|1)
-		  	[ -d $PIDDIR ] || install -o $USER -d $PIDDIR
-			rm -f $PIDFILE
-			if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
-			  $STARTSTOP --start --quiet \
-				--pidfile $PIDFILE \
-				--chuid $USER:$GROUP \
-				--exec $DAEMON \
-				-- $DAEMON_OPTS
-			else
-			  $STARTSTOP --start --quiet \
-				--pidfile $PIDFILE \
-				--exec $DAEMON \
-				-- $DAEMON_OPTS
-			fi
-			case "$?" in
-				0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-				*) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-			esac
-			;;
-		*)
-			[ "$VERBOSE" != no ] && log_end_msg 0
-			;;
-	esac
-	;;
-  *)
-	N=/etc/init.d/$NAME
-	echo "Usage: $N {start|stop|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-exit 0
+# ECDHE Perfect Forward Secrecy on the Murmur server via LD_PRELOAD
+# https://github.com/ultramancool/ecdhforce
+export LD_PRELOAD="/var/lib/mumble-server/ecdhforce/ecdhforce.so start-stop-daemon"
diff --git a/files/ecdhforce/mumble-server.init.d.Debian b/files/ecdhforce/mumble-server.init.d.Debian
new file mode 100755
index 0000000..00b5403
--- /dev/null
+++ b/files/ecdhforce/mumble-server.init.d.Debian
@@ -0,0 +1,129 @@
+#! /bin/sh
+#
+### BEGIN INIT INFO
+# Provides:             mumble-server
+# Required-Start:       $network $local_fs $remote_fs dbus
+# Required-Stop:	$network $local_fs $remote_fs dbus
+# Should-Start:		$mysql
+# Should-Stop:		$mysql
+# Default-Start:        2 3 4 5
+# Default-Stop:         0 1 6
+# Short-Description:    Mumble VoIP Server
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+NAME=mumble-server
+DESC="Mumble VoIP Server"
+PIDDIR=/var/run/$NAME
+PIDFILE=$PIDDIR/$NAME.pid
+DAEMON=/usr/sbin/murmurd
+USER=mumble-server
+GROUP=mumble-server
+
+test -x $DAEMON || exit 0
+
+INIFILE=/etc/mumble-server.ini
+DAEMON_OPTS="-ini $INIFILE"
+MURMUR_DAEMON_START=0
+MURMUR_USE_CAPABILITIES=0
+MURMUR_LIMIT_NOFILE=0
+
+# Include murmur defaults if available
+if [ -f /etc/default/$NAME ] ; then
+	. /etc/default/$NAME
+fi
+
+. /lib/init/vars.sh
+. /lib/lsb/init-functions
+
+if [ "$MURMUR_LIMIT_NOFILE" -gt 0 ] ; then
+	ulimit -n $MURMUR_LIMIT_NOFILE
+fi
+
+case "$1" in
+  start)
+  	if [ "$MURMUR_DAEMON_START" != "1" ] ; then
+  		log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
+  		exit 0
+  	fi
+  	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+	[ -d $PIDDIR ] || install -o $USER -d $PIDDIR
+	if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
+	  $start-stop-daemon --start --quiet \
+		--pidfile $PIDFILE \
+		--chuid $USER:$GROUP \
+		--exec $DAEMON \
+		-- $DAEMON_OPTS
+	else
+	  $start-stop-daemon --start --quiet \
+		--pidfile $PIDFILE \
+		--exec $DAEMON \
+		-- $DAEMON_OPTS
+	fi
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  stop)
+  	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+	$start-stop-daemon --stop --quiet \
+		--retry=TERM/30/KILL/5 \
+		--pidfile $PIDFILE \
+		--user $USER \
+		--exec $DAEMON
+	case "$?" in
+		0|1)	rm -f $PIDFILE
+			[ "$VERBOSE" != no ] && log_end_msg 0
+			;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  force-reload)
+	$start-stop-daemon --stop --test --quiet \
+		--pidfile $PIDFILE \
+		--user $USER \
+		--exec $DAEMON \
+	&& $0 restart || exit 0
+	;;
+  restart)
+ 	[ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
+	$start-stop-daemon --stop --quiet \
+		--retry=TERM/30/KILL/5 \
+		--pidfile $PIDFILE \
+		--user $USER \
+		--exec $DAEMON
+	case "$?" in
+		0|1)
+		  	[ -d $PIDDIR ] || install -o $USER -d $PIDDIR
+			rm -f $PIDFILE
+			if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
+			  $start-stop-daemon --start --quiet \
+				--pidfile $PIDFILE \
+				--chuid $USER:$GROUP \
+				--exec $DAEMON \
+				-- $DAEMON_OPTS
+			else
+			  $start-stop-daemon --start --quiet \
+				--pidfile $PIDFILE \
+				--exec $DAEMON \
+				-- $DAEMON_OPTS
+			fi
+			case "$?" in
+				0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+				*) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+			esac
+			;;
+		*)
+			[ "$VERBOSE" != no ] && log_end_msg 0
+			;;
+	esac
+	;;
+  *)
+	N=/etc/init.d/$NAME
+	echo "Usage: $N {start|stop|restart|force-reload}" >&2
+	exit 3
+	;;
+esac
+
+exit 0
diff --git a/manifests/ecdhforce.pp b/manifests/ecdhforce.pp
index 1067b33..bf4104a 100644
--- a/manifests/ecdhforce.pp
+++ b/manifests/ecdhforce.pp
@@ -31,11 +31,22 @@ class mumble::ecdhforce {
     group   => root,
   }
 
+  # TODO: remove definition in the future
   file { '/etc/init.d/mumble-server':
     ensure  => present,
     owner   => root,
     group   => root,
     mode    => 0755,
+    source  => "puppet:///modules/mumble/ecdhforce/mumble-server.init.d.${::operatingsystem}",
+    require => Exec['ecdhforce-link'],
+    notify  => Service['mumble-server'],
+  }
+
+  file { '/etc/default/mumble-server':
+    ensure  => present,
+    owner   => root,
+    group   => root,
+    mode    => 0755,
     source  => "puppet:///modules/mumble/ecdhforce/mumble-server.${::operatingsystem}",
     require => Exec['ecdhforce-link'],
     notify  => Service['mumble-server'],
author	Silvio Rhatto <rhatto@riseup.net>	2013-11-07 10:23:45 -0200
committer	Silvio Rhatto <rhatto@riseup.net>	2013-11-07 10:23:45 -0200
commit	12551a6bcdb0fa7915567db280073cb21de59a6c (patch)
tree	be529cd5de1fdd1d9f1e4174a29d5e93c480a079
parent	8a5ef2ce56429e1da0e9d15c73df5351a1f17515 (diff)
download	puppet-mumble-12551a6bcdb0fa7915567db280073cb21de59a6c.tar.gz puppet-mumble-12551a6bcdb0fa7915567db280073cb21de59a6c.tar.bz2