From cb3fed0e4e1594d3f82de4de0554a68e09b25817 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Tue, 5 Feb 2019 03:21:30 +0530
Subject: [PATCH] systemd: fix services to allow TLS configurations via java.security.ciphers (#3163)
* systemd: fix services to allow TLS configurations via java.security.ciphers
This fixes the management server and systemd services to allow the java.security.ciphers file to configure disabled TLS protocols and algorithms. This also cleans up systemd service files for agent and usage server. This fixes #3140
Signed-off-by: Rohit Yadav
* configure: fix travis failure due pycodestyle error
Signed-off-by: Rohit Yadav
---
 debian/cloudstack-agent.postinst | 2 +
 packaging/centos63/cloud-management.rc | 2 +-
 packaging/centos7/cloud-agent.rc | 122 ------------------
 packaging/centos7/cloud.spec | 2 +-
 packaging/debian/init/cloud-management | 2 +-
 packaging/systemd/cloudstack-agent.default | 8 +-
 packaging/systemd/cloudstack-agent.service | 8 +-
 .../systemd/cloudstack-management.default | 13 +-
 .../systemd/cloudstack-management.service | 12 +-
 packaging/systemd/cloudstack-usage.default | 8 +-
 packaging/systemd/cloudstack-usage.service | 7 +-
 systemvm/debian/opt/cloud/bin/configure.py | 4 +-
 12 files changed, 26 insertions(+), 164 deletions(-)
 delete mode 100755 packaging/centos7/cloud-agent.rc
diff --git a/debian/cloudstack-agent.postinst b/debian/cloudstack-agent.postinst
index c358c3ca680..0942047a340 100755
--- a/debian/cloudstack-agent.postinst
+++ b/debian/cloudstack-agent.postinst
@@ -25,6 +25,8 @@ case "$1" in
 NEWCONFDIR="/etc/cloudstack/agent"
 CONFFILES="agent.properties log4j.xml log4j-cloud.xml"
+ mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp
+
 # Copy old configuration so the admin doesn't have to do that
 # Only do so when we are installing for the first time
 if [ -z "$2" ]; then
diff --git a/packaging/centos63/cloud-management.rc b/packaging/centos63/cloud-management.rc
index 0ef5fc4a171..df7a5831121 100755
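Review bot: The added `mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp` creates the JVM's java.io.tmpdir from the maintainer script, so the directory is not part of the package's file list: dpkg will neither remove it on purge nor report it as belonging to cloudstack-agent. The `%post` hunk in packaging/centos7/cloud.spec has the same shape, where `rpm -V` likewise cannot check the mode and the neighbouring `cp -a` line spells the same tree as `%{_datadir}/%{name}-agent` rather than the literal path. Declaring the directory as packaged content (`%dir %{_datadir}/%{name}-agent/tmp` under the agent `%files` section, and the matching entry in the Debian package's dirs file) keeps ownership and mode under package control, with the `mkdir -p` left in as a safety net for upgrades. The `case` statement this hunk sits in starts and ends outside the hunk.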
--- a/packaging/centos63/cloud-management.rc
+++ b/packaging/centos63/cloud-management.rc
@@ -71,7 +71,7 @@ setJavaHome() {
 setJavaHome
 JARS=$(ls /usr/share/cloudstack-management/lib/*.jar | tr '\n' ':' | sed s'/.$//')
-CLASSPATH="$JARS:$CLASSPATH"
+CLASSPATH="$JARS:$CLASSPATH:/usr/share/java/commons-daemon.jar"
 start() {
 if [ -s "$PIDFILE" ] && kill -0 $(cat "$PIDFILE") >/dev/null 2>&1; then
diff --git a/packaging/centos7/cloud-agent.rc b/packaging/centos7/cloud-agent.rc
deleted file mode 100755
index 5882780c524..00000000000
--- a/packaging/centos7/cloud-agent.rc
+++ /dev/null
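Review bot: The new `CLASSPATH="$JARS:$CLASSPATH:/usr/share/java/commons-daemon.jar"` still splices the inherited `$CLASSPATH` into the middle of the list, so when the init script runs with no CLASSPATH in its environment (the normal case for a service started at boot) the value contains `::`, and the JDK's application class loader treats an empty class-path element as the current directory. A guarded expansion avoids the empty element: `CLASSPATH="$JARS${CLASSPATH:+:$CLASSPATH}:/usr/share/java/commons-daemon.jar"`. Whether a root-started daemon should honour the caller's CLASSPATH at all is worth a one-line comment next to the assignment. The same line appears in the packaging/debian/init/cloud-management hunk.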
@@ -1,122 +0,0 @@
-#!/bin/bash
-
-# chkconfig: 35 99 10
-# description: Cloud Agent
-# pidfile: /var/run/cloudstack-agent.pid
-
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# WARNING: if this script is changed, then all other initscripts MUST BE changed to match it as well
-
-. 
/etc/rc.d/init.d/functions - -# set environment variables - -TMP=/usr/share/cloudstack-agent/tmp -SHORTNAME=$(basename $0 | sed -e 's/^[SK][0-9][0-9]//') -PIDFILE=/var/run/"$SHORTNAME".pid -LOCKFILE=/var/lock/subsys/"$SHORTNAME" -LOGDIR=/var/log/cloudstack/agent -LOGFILE=${LOGDIR}/agent.log -PROGNAME="Cloud Agent" -CLASS="com.cloud.agent.AgentShell" -JSVC=`which jsvc 2>/dev/null`; - -# exit if we don't find jsvc -if [ -z "$JSVC" ]; then - echo no jsvc found in path; - exit 1; -fi - -# create java tmp dir if not found -mkdir -m 0755 -p "$TMP" - -unset OPTIONS -[ -r /etc/sysconfig/"$SHORTNAME" ] && source /etc/sysconfig/"$SHORTNAME" - -# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not defined in $DEFAULT) -JDK_DIRS="/usr/lib/jvm/jre /usr/lib/jvm/java-1.8.0-openjdk /usr/lib/jvm/java-8-openjdk-i386 /usr/lib/jvm/java-8-openjdk-amd64" - -for jdir in $JDK_DIRS; do - if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then - JAVA_HOME="$jdir" - fi -done -export JAVA_HOME - -ACP=`ls /usr/share/cloudstack-agent/lib/*.jar | tr '\n' ':' | sed s'/.$//'` -PCP=`ls /usr/share/cloudstack-agent/plugins/*.jar 2>/dev/null | tr '\n' ':' | sed s'/.$//'` - -# We need to append the JSVC daemon JAR to the classpath -# AgentShell implements the JSVC daemon methods -export CLASSPATH="/usr/share/java/commons-daemon.jar:$ACP:$PCP:/etc/cloudstack/agent:/usr/share/cloudstack-common/scripts" - -start() { - echo -n $"Starting $PROGNAME: " - if hostname --fqdn >/dev/null 2>&1 ; then - $JSVC -Djava.io.tmpdir="$TMP" -Xms256m -Xmx2048m -cp "$CLASSPATH" -pidfile "$PIDFILE" \ - -errfile $LOGDIR/cloudstack-agent.err -outfile $LOGDIR/cloudstack-agent.out $CLASS - RETVAL=$? - echo - else - failure - echo - echo The host name does not resolve properly to an IP address. Cannot start "$PROGNAME". > /dev/stderr - RETVAL=9 - fi - [ $RETVAL = 0 ] && touch ${LOCKFILE} - return $RETVAL -} - -stop() { - echo -n $"Stopping $PROGNAME: " - $JSVC -pidfile "$PIDFILE" -stop $CLASS - RETVAL=$? 
- echo
- [ $RETVAL = 0 ] && rm -f ${LOCKFILE} ${PIDFILE}
-}
-
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- status)
- status -p ${PIDFILE} $SHORTNAME
- RETVAL=$?
- ;;
- restart)
- stop
- sleep 3
- start
- ;;
- condrestart)
- if status -p ${PIDFILE} $SHORTNAME >&/dev/null; then
- stop
- sleep 3
- start
- fi
- ;;
- *)
- echo $"Usage: $SHORTNAME {start|stop|restart|condrestart|status|help}"
- RETVAL=3
-esac
-
-exit $RETVAL
diff --git a/packaging/centos7/cloud.spec b/packaging/centos7/cloud.spec
index 1cc89939cae..8a4dd2ac74d 100644
--- a/packaging/centos7/cloud.spec
+++ b/packaging/centos7/cloud.spec
@@ -59,7 +59,6 @@ intelligent IaaS cloud implementation.
 %package management
 Summary: CloudStack management server UI
 Requires: java-1.8.0-openjdk
-Requires: apache-commons-daemon-jsvc
 Requires: python
 Requires: bash
 Requires: bzip2
@@ -425,6 +424,7 @@ if [ ! -d %{_sysconfdir}/libvirt/hooks ] ; then
 mkdir %{_sysconfdir}/libvirt/hooks
 fi
 cp -a ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/libvirtqemuhook %{_sysconfdir}/libvirt/hooks/qemu
+mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp
 /sbin/service libvirtd restart
 /sbin/systemctl enable cloudstack-agent > /dev/null 2>&1 || true
diff --git a/packaging/debian/init/cloud-management b/packaging/debian/init/cloud-management
index 580f683b829..5ccef70eb32 100755
--- a/packaging/debian/init/cloud-management
+++ b/packaging/debian/init/cloud-management
@@ -75,7 +75,7 @@ if [ -f "$DEFAULT" ]; then
 fi
 JARS=$(ls /usr/share/cloudstack-management/lib/*.jar | tr '\n' ':' | sed s'/.$//')
-CLASSPATH="$JARS:$CLASSPATH"
+CLASSPATH="$JARS:$CLASSPATH:/usr/share/java/commons-daemon.jar"
 [ -f "$DAEMON" ] || exit 0
diff --git a/packaging/systemd/cloudstack-agent.default b/packaging/systemd/cloudstack-agent.default
index 41fa85bfd22..36f0562ec64 100644
--- a/packaging/systemd/cloudstack-agent.default
+++ b/packaging/systemd/cloudstack-agent.default
@@ -15,8 +15,8 @@
 # specific language governing permissions and limitations
 # under the License.
-JAVA=/usr/bin/java
-JAVA_HEAP_INITIAL=256m
-JAVA_HEAP_MAX=2048m
+JAVA_OPTS="-Djava.io.tmpdir=/usr/share/cloudstack-agent/tmp -Xms256m -Xmx2048m"
+
+CLASSPATH="/usr/share/cloudstack-agent/lib/*:/usr/share/cloudstack-agent/plugins/*:/etc/cloudstack/agent:/usr/share/cloudstack-common/scripts"
+
 JAVA_CLASS=com.cloud.agent.AgentShell
-JAVA_TMPDIR=/usr/share/cloudstack-agent/tmp
diff --git a/packaging/systemd/cloudstack-agent.service b/packaging/systemd/cloudstack-agent.service
index 9cde22d7eb0..9bdbdf82f57 100644
--- a/packaging/systemd/cloudstack-agent.service
+++ b/packaging/systemd/cloudstack-agent.service
@@ -23,12 +23,8 @@ After=libvirtd.service
 [Service]
 Type=simple
-EnvironmentFile=-/etc/default/cloudstack-agent
-ExecStart=/bin/sh -ec '\
- export ACP=`ls /usr/share/cloudstack-agent/lib/*.jar /usr/share/cloudstack-agent/plugins/*.jar 2>/dev/null|tr "\\n" ":"`; \
- export CLASSPATH="$ACP:/etc/cloudstack/agent:/usr/share/cloudstack-common/scripts"; \
- mkdir -m 0755 -p ${JAVA_TMPDIR}; \
- ${JAVA} -Djava.io.tmpdir="${JAVA_TMPDIR}" -Xms${JAVA_HEAP_INITIAL} -Xmx${JAVA_HEAP_MAX} -cp "$CLASSPATH" $JAVA_CLASS'
+EnvironmentFile=/etc/default/cloudstack-agent
+ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $JAVA_CLASS
 Restart=always
 RestartSec=10s
diff --git a/packaging/systemd/cloudstack-management.default b/packaging/systemd/cloudstack-management.default
index 8610e03d115..00b8ec1809b 100644
--- a/packaging/systemd/cloudstack-management.default
+++ b/packaging/systemd/cloudstack-management.default
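Review bot: `ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $JAVA_CLASS` drops the `mkdir -m 0755 -p ${JAVA_TMPDIR}` that the old ExecStart performed, so the unit now depends on the packaging scripts having created /usr/share/cloudstack-agent/tmp; on a host where that directory is missing the JVM starts normally and only fails later, when something first needs java.io.tmpdir, which is harder to diagnose than a start-time error. Keeping the unit self-sufficient is one line: `ExecStartPre=/bin/mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp`. `EnvironmentFile=` also lost its `-` prefix, which is correct only while every package shipping this unit also ships /etc/default/cloudstack-agent; a comment stating that the file is required would make the dependency explicit.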
@@ -15,17 +15,8 @@
 # specific language governing permissions and limitations
 # under the License.
-# Where your java installation lives
-#JAVA_HOME="/usr/lib/jvm/java"
+JAVA_OPTS="-Djava.security.properties=/etc/cloudstack/management/java.security.ciphers -Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Xmx2G -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/cloudstack/management/ -XX:ErrorFile=/var/log/cloudstack/management/cloudstack-management.err "
-JAVA_OPTS="-Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Xmx2g -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/cloudstack/management/ -XX:PermSize=512M -XX:MaxPermSize=800m -Djava.security.properties=/etc/cloudstack/management/java.security.ciphers "
-
-CLOUDSTACK_USER="cloud"
-
-CLOUDSTACK_PID="/var/run/cloudstack-management.pid"
-
-LOGDIR="/var/log/cloudstack/management"
-
-CLASSPATH="/etc/cloudstack/management:/usr/share/cloudstack-common:/usr/share/cloudstack-management/setup:/usr/share/cloudstack-management:/usr/share/java/mysql-connector-java.jar:/usr/share/java/commons-daemon.jar"
+CLASSPATH="/usr/share/cloudstack-management/lib/*:/etc/cloudstack/management:/usr/share/cloudstack-common:/usr/share/cloudstack-management/setup:/usr/share/cloudstack-management:/usr/share/java/mysql-connector-java.jar"
 BOOTSTRAP_CLASS=org.apache.cloudstack.ServerDaemon
diff --git a/packaging/systemd/cloudstack-management.service b/packaging/systemd/cloudstack-management.service
index 58c43437c10..f1be34eaeb6 100644
--- a/packaging/systemd/cloudstack-management.service
+++ b/packaging/systemd/cloudstack-management.service
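Review bot: The new JAVA_OPTS line passes `-Djava.security.properties=/etc/cloudstack/management/java.security.ciphers` with a single `=`, which the JVM applies as an overlay on the JRE's own java.security file, and only while that file keeps `security.overridePropertiesFile=true` (its default); the `==` form would replace the JRE file outright, which is not what is wanted here. The overlay merges per key, not per value, so a `jdk.tls.disabledAlgorithms=` line in the ciphers file replaces the JDK's default disabled list rather than extending it — if the shipped file lists only CloudStack's additions (I cannot see it from here), it silently re-enables whatever the JDK disables by default, and it goes stale whenever a JDK update tightens that default. A comment above the assignment, e.g. `# overlay on the JRE's java.security; a key set in the ciphers file REPLACES the JDK default for that key, so jdk.tls.disabledAlgorithms must carry the full list`, plus a check of the ciphers file against the installed JDK's defaults, would close that gap. The heap-dump and error-file paths under /var/log/cloudstack/management carry over from the old line; heap dumps can contain credentials and session material, so the directory's permissions deserve the same scrutiny as the log files'.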
@@ -23,14 +23,12 @@ After=syslog.target network.target
 [Service]
 UMask=0022
-Type=forking
-Environment="NAME=cloudstack-management"
+Type=simple
+User=cloud
 EnvironmentFile=/etc/default/cloudstack-management
-ExecStartPre=/bin/bash -c "/bin/systemctl set-environment JAVA_HOME=$( readlink -f $( which java ) | sed s:bin/.*$:: )"
-ExecStartPre=/bin/bash -c "/bin/systemctl set-environment JARS=$(ls /usr/share/cloudstack-management/lib/*.jar | tr '\n' ':' | sed s'/.$//')"
-ExecStart=/usr/bin/jsvc -home "${JAVA_HOME}" -user "${CLOUDSTACK_USER}" -cp "${JARS}:${CLASSPATH}" -errfile "${LOGDIR}/${NAME}.err" -cwd "${LOGDIR}" -pidfile "${CLOUDSTACK_PID}" "${JAVA_OPTS}" "${BOOTSTRAP_CLASS}"
-ExecStop=/usr/bin/jsvc -cp "${JARS}:${CLASSPATH}" -pidfile "${CLOUDSTACK_PID}" -stop "${BOOTSTRAP_CLASS}"
-SuccessExitStatus=143
+WorkingDirectory=/var/log/cloudstack/management
+PIDFile=/var/run/cloudstack-management.pid
+ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $BOOTSTRAP_CLASS
 [Install]
 WantedBy=multi-user.target
diff --git a/packaging/systemd/cloudstack-usage.default b/packaging/systemd/cloudstack-usage.default
index 84de943ceed..26f552859f3 100644
--- a/packaging/systemd/cloudstack-usage.default
+++ b/packaging/systemd/cloudstack-usage.default
@@ -15,8 +15,8 @@
 # specific language governing permissions and limitations
 # under the License.
-JAVA=/usr/bin/java
-JAVA_HEAP_INITIAL=256m
-JAVA_HEAP_MAX=2048m
+JAVA_OPTS="-Dpid=$$ -Xms256m -Xmx2048m"
+
+CLASSPATH="/usr/share/cloudstack-usage/*:/usr/share/cloudstack-usage/lib/*:/usr/share/cloudstack-mysql-ha/lib/*:/etc/cloudstack/usage:/usr/share/java/mysql-connector-java.jar"
+
 JAVA_CLASS=com.cloud.usage.UsageServer
-JAVA_PID=$$
diff --git a/packaging/systemd/cloudstack-usage.service b/packaging/systemd/cloudstack-usage.service
index 424a4556372..f8874867c69 100644
--- a/packaging/systemd/cloudstack-usage.service
+++ b/packaging/systemd/cloudstack-usage.service
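Review bot: Switching to `Type=simple` with `ExecStart=/usr/bin/java …` while deleting `SuccessExitStatus=143` will make an ordinary `systemctl stop` leave the unit in a failed state: systemd stops the service with SIGTERM, the JVM runs its shutdown hooks and exits with status 143, and with that status no longer listed as success the unit is recorded as failed with an exit-code result. Keep `SuccessExitStatus=143` in the new [Service] section. `PIDFile=/var/run/cloudstack-management.pid` is only useful if ServerDaemon actually writes that file as the `cloud` user (not visible from here); if it does not, drop the directive rather than leave one that never matches a file. Now that the JVM runs directly as `User=cloud`, `NoNewPrivileges=true` and `PrivateTmp=true` would be cheap hardening to add next to `UMask=0022`.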
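Review bot: `JAVA_OPTS="-Dpid=$$ -Xms256m -Xmx2048m"` keeps the `$$` that the old `/bin/sh -ec` wrapper used to expand, but systemd performs no shell expansion on EnvironmentFile values and the new ExecStart no longer runs through a shell, so the JVM now receives the literal text `$$` as the `pid` property where it previously received a process id. If UsageServer reads that property (I cannot see that code from here) it will misparse or throw; the process can discover its own PID in-process instead (on Java 8, `ManagementFactory.getRuntimeMXBean().getName()`), after which the `-Dpid=` flag can go. Until then a comment on the line, `# NOTE: $$ is not expanded by systemd; the JVM sees the literal text`, stops the next reader from assuming it still works.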
@@ -23,11 +23,8 @@ After=network.target network-online.target
 [Service]
 Type=simple
-EnvironmentFile=-/etc/default/cloudstack-usage
-ExecStart=/bin/sh -ec '\
- export UCP=`ls /usr/share/cloudstack-usage/cloud-usage-*.jar /usr/share/cloudstack-usage/lib/*.jar /usr/share/cloudstack-mysql-ha/lib/*.jar | tr "\\n" ":"`; \
- export CLASSPATH="$UCP:/etc/cloudstack/usage:/usr/share/java/mysql-connector-java.jar"; \
- ${JAVA} -Dpid=${JAVA_PID} -Xms${JAVA_HEAP_INITIAL} -Xmx${JAVA_HEAP_MAX} -cp "$CLASSPATH" $JAVA_CLASS'
+EnvironmentFile=/etc/default/cloudstack-usage
+ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $JAVA_CLASS
 Restart=always
 RestartSec=10s
diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
index c8e3ff6e504..253eb7c57fe 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -124,10 +124,10 @@ class CsAcl(CsDataBag):
 rnge = ''
 if "first_port" in self.rule.keys() and \
 self.rule['first_port'] == self.rule['last_port']:
- rnge = " --dport %s " % self.rule['first_port']
+ rnge = " --dport %s " % self.rule['first_port']
 if "first_port" in self.rule.keys() and \
 self.rule['first_port'] != self.rule['last_port']:
- rnge = " --dport %s:%s" % (rule['first_port'], rule['last_port'])
+ rnge = " --dport %s:%s" % (rule['first_port'], rule['last_port'])
 logging.debug("Current ACL IP direction is ==> %s", self.direction)