authorSilvio Rhatto <rhatto@riseup.net>2013-11-07 10:23:45 -0200
committerSilvio Rhatto <rhatto@riseup.net>2013-11-07 10:23:45 -0200
commit12551a6bcdb0fa7915567db280073cb21de59a6c (patch)
treebe529cd5de1fdd1d9f1e4174a29d5e93c480a079
parent8a5ef2ce56429e1da0e9d15c73df5351a1f17515 (diff)
downloadpuppet-mumble-12551a6bcdb0fa7915567db280073cb21de59a6c.tar.gz
puppet-mumble-12551a6bcdb0fa7915567db280073cb21de59a6c.tar.bz2
Use /etc/default/mumble-server for LD_PRELOAD ECDHE
-rw-r--r--[-rwxr-xr-x]files/ecdhforce/mumble-server.Debian142
-rwxr-xr-xfiles/ecdhforce/mumble-server.init.d.Debian129
-rw-r--r--manifests/ecdhforce.pp11
3 files changed, 153 insertions, 129 deletions
diff --git a/files/ecdhforce/mumble-server.Debian b/files/ecdhforce/mumble-server.Debian
index 61b6808..7c4f707 100755..100644
--- a/files/ecdhforce/mumble-server.Debian
+++ b/files/ecdhforce/mumble-server.Debian
@@ -1,133 +1,17 @@
-#! /bin/sh
-#
-### BEGIN INIT INFO
-# Provides: mumble-server
-# Required-Start: $network $local_fs $remote_fs dbus
-# Required-Stop: $network $local_fs $remote_fs dbus
-# Should-Start: $mysql
-# Should-Stop: $mysql
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Mumble VoIP Server
-### END INIT INFO
+# 0 = don't start, 1 = start
+MURMUR_DAEMON_START=1
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-NAME=mumble-server
-DESC="Mumble VoIP Server"
-PIDDIR=/var/run/$NAME
-PIDFILE=$PIDDIR/$NAME.pid
-DAEMON=/usr/sbin/murmurd
-USER=mumble-server
-GROUP=mumble-server
-
-test -x $DAEMON || exit 0
-
-INIFILE=/etc/mumble-server.ini
-DAEMON_OPTS="-ini $INIFILE"
-MURMUR_DAEMON_START=0
+# 0 = don't use capabilities, 1 = start process as root and drop to non-privileged user
+# If started as root, mumble will keep the CAP_NET_ADMIN privilege and drop
+# all others. This allows it to set high-priority TOS on outgoing IP packets.
MURMUR_USE_CAPABILITIES=0
-MURMUR_LIMIT_NOFILE=0
-
-# ECDHE Perfect Forward Secrecy on the Murmur server via an LD_PRELOAD
-# https://github.com/ultramancool/ecdhforce
-STARTSTOP="LD_PRELOAD=/var/lib/mumble-server/ecdhforce/ecdhforce.so start-stop-daemon"
-# Include murmur defaults if available
-if [ -f /etc/default/$NAME ] ; then
- . /etc/default/$NAME
-fi
+# This controls how many file descriptors the murmur process can open.
+# As a rule of thumb, you should have about 20 descriptors per virtaul
+# server and one for each client. So 30 servers with 20 clients each would
+# need at least 720 descriptors (30 * 4 + 30 * 20).
+# MURMUR_LIMIT_NOFILE=65536
-. /lib/init/vars.sh
-. /lib/lsb/init-functions
-
-if [ "$MURMUR_LIMIT_NOFILE" -gt 0 ] ; then
- ulimit -n $MURMUR_LIMIT_NOFILE
-fi
-
-case "$1" in
- start)
- if [ "$MURMUR_DAEMON_START" != "1" ] ; then
- log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
- exit 0
- fi
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- [ -d $PIDDIR ] || install -o $USER -d $PIDDIR
- if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
- $STARTSTOP --start --quiet \
- --pidfile $PIDFILE \
- --chuid $USER:$GROUP \
- --exec $DAEMON \
- -- $DAEMON_OPTS
- else
- $STARTSTOP --start --quiet \
- --pidfile $PIDFILE \
- --exec $DAEMON \
- -- $DAEMON_OPTS
- fi
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- $STARTSTOP --stop --quiet \
- --retry=TERM/30/KILL/5 \
- --pidfile $PIDFILE \
- --user $USER \
- --exec $DAEMON
- case "$?" in
- 0|1) rm -f $PIDFILE
- [ "$VERBOSE" != no ] && log_end_msg 0
- ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- force-reload)
- $STARTSTOP --stop --test --quiet \
- --pidfile $PIDFILE \
- --user $USER \
- --exec $DAEMON \
- && $0 restart || exit 0
- ;;
- restart)
- [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
- $STARTSTOP --stop --quiet \
- --retry=TERM/30/KILL/5 \
- --pidfile $PIDFILE \
- --user $USER \
- --exec $DAEMON
- case "$?" in
- 0|1)
- [ -d $PIDDIR ] || install -o $USER -d $PIDDIR
- rm -f $PIDFILE
- if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
- $STARTSTOP --start --quiet \
- --pidfile $PIDFILE \
- --chuid $USER:$GROUP \
- --exec $DAEMON \
- -- $DAEMON_OPTS
- else
- $STARTSTOP --start --quiet \
- --pidfile $PIDFILE \
- --exec $DAEMON \
- -- $DAEMON_OPTS
- fi
- case "$?" in
- 0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- *) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- *)
- [ "$VERBOSE" != no ] && log_end_msg 0
- ;;
- esac
- ;;
- *)
- N=/etc/init.d/$NAME
- echo "Usage: $N {start|stop|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-exit 0
+# ECDHE Perfect Forward Secrecy on the Murmur server via LD_PRELOAD
+# https://github.com/ultramancool/ecdhforce
+export LD_PRELOAD="/var/lib/mumble-server/ecdhforce/ecdhforce.so start-stop-daemon"
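Review bot: The exported LD_PRELOAD on the last added line still carries the literal `start-stop-daemon` token left over from the old STARTSTOP variable, so the dynamic loader will treat `start-stop-daemon` as a second object to preload; glibc reports an ld.so "cannot be preloaded" error for every process that inherits the variable, and since this file is sourced by the init script that is every command the script runs, not just murmurd. The value should be just the library path: `export LD_PRELOAD="/var/lib/mumble-server/ecdhforce/ecdhforce.so"`. Note also that with MURMUR_USE_CAPABILITIES=1 the init script starts murmurd as root with this library preloaded, so the .so and the directories leading to it under /var/lib/mumble-server must not be writable by the mumble-server user; their ownership is set elsewhere (Exec['ecdhforce-link'] is not in this diff), so worth confirming, and a comment to that effect above the export would help the next maintainer.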
diff --git a/files/ecdhforce/mumble-server.init.d.Debian b/files/ecdhforce/mumble-server.init.d.Debian
new file mode 100755
index 0000000..00b5403
--- /dev/null
+++ b/files/ecdhforce/mumble-server.init.d.Debian
@@ -0,0 +1,129 @@
+#! /bin/sh
+#
+### BEGIN INIT INFO
+# Provides: mumble-server
+# Required-Start: $network $local_fs $remote_fs dbus
+# Required-Stop: $network $local_fs $remote_fs dbus
+# Should-Start: $mysql
+# Should-Stop: $mysql
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Mumble VoIP Server
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+NAME=mumble-server
+DESC="Mumble VoIP Server"
+PIDDIR=/var/run/$NAME
+PIDFILE=$PIDDIR/$NAME.pid
+DAEMON=/usr/sbin/murmurd
+USER=mumble-server
+GROUP=mumble-server
+
+test -x $DAEMON || exit 0
+
+INIFILE=/etc/mumble-server.ini
+DAEMON_OPTS="-ini $INIFILE"
+MURMUR_DAEMON_START=0
+MURMUR_USE_CAPABILITIES=0
+MURMUR_LIMIT_NOFILE=0
+
+# Include murmur defaults if available
+if [ -f /etc/default/$NAME ] ; then
+ . /etc/default/$NAME
+fi
+
+. /lib/init/vars.sh
+. /lib/lsb/init-functions
+
+if [ "$MURMUR_LIMIT_NOFILE" -gt 0 ] ; then
+ ulimit -n $MURMUR_LIMIT_NOFILE
+fi
+
+case "$1" in
+ start)
+ if [ "$MURMUR_DAEMON_START" != "1" ] ; then
+ log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
+ exit 0
+ fi
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ [ -d $PIDDIR ] || install -o $USER -d $PIDDIR
+ if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
+ $start-stop-daemon --start --quiet \
+ --pidfile $PIDFILE \
+ --chuid $USER:$GROUP \
+ --exec $DAEMON \
+ -- $DAEMON_OPTS
+ else
+ $start-stop-daemon --start --quiet \
+ --pidfile $PIDFILE \
+ --exec $DAEMON \
+ -- $DAEMON_OPTS
+ fi
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ $start-stop-daemon --stop --quiet \
+ --retry=TERM/30/KILL/5 \
+ --pidfile $PIDFILE \
+ --user $USER \
+ --exec $DAEMON
+ case "$?" in
+ 0|1) rm -f $PIDFILE
+ [ "$VERBOSE" != no ] && log_end_msg 0
+ ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ force-reload)
+ $start-stop-daemon --stop --test --quiet \
+ --pidfile $PIDFILE \
+ --user $USER \
+ --exec $DAEMON \
+ && $0 restart || exit 0
+ ;;
+ restart)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
+ $start-stop-daemon --stop --quiet \
+ --retry=TERM/30/KILL/5 \
+ --pidfile $PIDFILE \
+ --user $USER \
+ --exec $DAEMON
+ case "$?" in
+ 0|1)
+ [ -d $PIDDIR ] || install -o $USER -d $PIDDIR
+ rm -f $PIDFILE
+ if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
+ $start-stop-daemon --start --quiet \
+ --pidfile $PIDFILE \
+ --chuid $USER:$GROUP \
+ --exec $DAEMON \
+ -- $DAEMON_OPTS
+ else
+ $start-stop-daemon --start --quiet \
+ --pidfile $PIDFILE \
+ --exec $DAEMON \
+ -- $DAEMON_OPTS
+ fi
+ case "$?" in
+ 0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ *) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ *)
+ [ "$VERBOSE" != no ] && log_end_msg 0
+ ;;
+ esac
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+exit 0
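Review bot: Every daemon invocation in the new init script is spelled `$start-stop-daemon`, which the shell expands as the unset variable `$start` followed by the literal `-stop-daemon`, so each branch tries to run a command named `-stop-daemon` and fails with status 127; because the `case "$?"` arms only match 0, 1 and 2, that failure is silently ignored and the service is never started, stopped or restarted. All six occurrences should be the plain command, e.g. `start-stop-daemon --start --quiet \`. Once that is fixed, the LD_PRELOAD exported from /etc/default/mumble-server is inherited by start-stop-daemon itself as well as murmurd, which is presumably intended but deserves a one-line comment next to the `. /etc/default/$NAME` include, e.g. `# /etc/default/$NAME may export LD_PRELOAD (ecdhforce); it applies to everything started below`.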
diff --git a/manifests/ecdhforce.pp b/manifests/ecdhforce.pp
index 1067b33..bf4104a 100644
--- a/manifests/ecdhforce.pp
+++ b/manifests/ecdhforce.pp
@@ -31,11 +31,22 @@ class mumble::ecdhforce {
group => root,
}
+ # TODO: remove definition in the future
file { '/etc/init.d/mumble-server':
ensure => present,
owner => root,
group => root,
mode => 0755,
+ source => "puppet:///modules/mumble/ecdhforce/mumble-server.init.d.${::operatingsystem}",
+ require => Exec['ecdhforce-link'],
+ notify => Service['mumble-server'],
+ }
+
+ file { '/etc/default/mumble-server':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0755,
source => "puppet:///modules/mumble/ecdhforce/mumble-server.${::operatingsystem}",
require => Exec['ecdhforce-link'],
notify => Service['mumble-server'],