UPDATE: security/sshguard, 1.5-->2.1.0 (2nd try)


Re: sshguard-2.2.0 (start/stop issues resolved)

Andreas Kusalananda Kähäri-4

Sigh... Some day, I'll learn how to do patches correctly.  See new diff
(I had forgotten to "cvs add" some of the patches/* files).  The
already submitted tar file is correct though.

Andreas

On Thu, Dec 06, 2018 at 03:20:10PM +0100, Andreas Kusalananda Kähäri wrote:

> On Wed, Dec 05, 2018 at 12:05:07AM +0000, Stuart Henderson wrote:
> > On 2018/12/05 00:21, Andreas Kusalananda Kähäri wrote:
> > > Attached is a port of sshguard-2.2.0 which appears to work, sort of.  It
> > > does not start at boot when started from pkg_scripts.  It *does* start
> > > reliably when started manually with "rcctl start sshguard" and it shuts
> > > down reliably both at system shutdown and manually (and in-between, it
> > > runs well).
> > >
> > > Any help with possible diagnoses of the startup problem would be
> > > helpful.  I haven't found any other port that starts a shell script as a
> > > daemon, but I have only looked for "/bin/sh" in the rc scripts for that.
> > >
> > > The "stop" action in the rc script is a bit unorthodox:
> > >
> > > kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx "${pexp}" )" )"
> > >
> > > ... and that's to send a TERM signal to all the processes in the
> > > relevant process group (sshguard consists of a total of seven separate
> > > processes).  The main script does do something similar to this ("kill 0"
> > > in a trap), but this may require bash to work (and even then it doesn't
> > > seem to work reliably).
> > >
> > > I have attached a diff for the port as well as a tar archive of it.
> >
> > It may be worth removing from pkg_scripts and running from rc.local
> > to see if it fails there. If so then run from there under ktrace e.g.
> > "ktrace -f /tmp/ktrace.out -i /usr/sbin/rcctl start sshguard" and
> > see if anything can be gleaned from running kdump on that file.
>
> Yes, it's getting hupped.  I have now patched out the installing of the
> signal handler for HUP in one of the helper programs, and I'm ignoring
> the same signal in the main script.  The daemon now survives the boot.
> Termination has also been improved (see end).
>
> >
> > A couple of porting notes,
>
> I appreciate these.  Thanks!  They are all incorporated.
>
> >
> > > +CONFIGURE_STYLE=simple
> > > +CONFIGURE_ARGS= --sysconfdir="${SYSCONFDIR}" \
> > > + --mandir="${TRUEPREFIX}/man"
> >
> > This has crept back in, it should stay at CONFIGURE_STYLE=gnu and
> > remove the manual setting of --sysconfdir= and --mandir.
> >
> > > +share/examples/sshguard/
> > > +share/examples/sshguard/sshguard.conf.sample
> > > +share/examples/sshguard/whitelistfile.example
> > > Index: pkg/README
> > > ===================================================================
> > > RCS file: /extra/cvs/ports/security/sshguard/pkg/README,v
> > > retrieving revision 1.3
> > > diff -u -p -r1.3 README
> > > --- pkg/README 4 Sep 2018 12:46:21 -0000 1.3
> > > +++ pkg/README 4 Dec 2018 21:10:55 -0000
> > > @@ -4,7 +4,13 @@ $OpenBSD: README,v 1.3 2018/09/04 12:46:
> > >  | Running ${PKGSTEM} on OpenBSD
> > >  +-----------------------------------------------------------------------
> > >  
> > > -To use sshguard with pf(4), add the following to /etc/pf.conf:
> > > +Copy the example configuration file:
> > > +
> > > +    cp ${PREFIX}/share/examples/sshguard/sshguard.conf.sample \
> > > +       ${SYSCONFDIR}/sshguard.conf
> >
> > Should use @sample in PLIST instead of telling people to do that by
> > hand, e.g.
> >
> > share/examples/sshguard/
> > share/examples/sshguard/sshguard.conf.sample
> > @sample ${SYSCONFDIR}/sshguard.conf
> >
> > Simpler, and helps pkg_delete -c.
> >
> > > +
> > > +pexp="/bin/sh $pexp"
> > > +
> > > +rc_stop () {
> > > +    # Need to send TERM to all processes in the process group not just
> > > +    # to the ones matching "$pexp".  The main sshguard shell script does
> > > +    # set up a trap for doing this, but it relies on running under bash.
> > > +    kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx "${pexp}" )" )"
> > > +}
> > >  
> > >  rc_bg=YES
> > >  rc_reload=NO
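
Review bot: in rc_stop, the nested substitutions feeding `kill --` are never checked. If pgrep matches no process, the inner substitution is empty, ps runs with an empty -p argument, and kill is handed a bare "-". The signal also reaches every member of the process group, and nothing in this hunk establishes that the group contains only sshguard processes. Suggest storing the pgrep result in a variable, returning early when it is empty, and signalling one specific sshguard process instead of the whole group.
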
> >
> > <insert see-no-evil-monkey emoji here> ;)
>
> It was evil and has now been removed.  I noticed that this way of doing
> it would probably have killed the kernel relinking that happens after
> boot, had anyone manually stopped the sshguard daemon with "rcctl stop
> sshguard" early enough.  This is not the way to do it.
>
> Instead, I do what I believe the sshguard-devs intended people to do,
> which is to kill the "sshg-blocker" process instead.  This leads to the
> rest of the group of processes terminating, except for a "tail" process
> (but this will exit as soon as it discovers that there is nobody
> reading from the pipe it's writing to).
>
> This leads me to believe that the diff attached is an actual working
> port of sshguard-2.2.0.  A tar archive of the port is also attached, as
> before.
>
> I'm happy to be maintainer of this port if nobody else feels that they
> should be.
>
> Regards,
> Andreas
>
> --
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.


--
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.

sshguard-updated.diff (11K) Download Attachment
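
Added example, not part of the original message or of the sshguard port: a guarded version of the process-group stop discussed in the thread, which refuses to signal when no process matches or when the target group is also the caller's own. The function names `pgid_of` and `term_group_of` are hypothetical, and the port's `-T "${daemon_rtable}"` option is left out so the sketch is not tied to OpenBSD's pgrep.

```shell
#!/bin/sh
# Illustration only; pgid_of and term_group_of are hypothetical helper names.

# Print the process group ID of PID $1 with ps column padding stripped.
# Fails (prints nothing) when the process does not exist.
pgid_of() {
    pgid=$(ps -o pgid= -p "$1" 2>/dev/null | tr -d '[:space:]')
    [ -n "$pgid" ] && printf '%s\n' "$pgid"
}

# Send TERM to the process group of the oldest process whose full command
# line is exactly $1.
#   returns 1: nothing matched, so kill is never called with an empty group
#   returns 2: the group is shared with the caller, so a group-wide signal
#              would also hit processes that are not part of the daemon
term_group_of() {
    pid=$(pgrep -o -fx "$1") || return 1
    [ -n "$pid" ] || return 1
    target=$(pgid_of "$pid") || return 1
    own=$(pgid_of "$$") || return 1
    if [ "$target" = "$own" ]; then
        echo "refusing: process group $target is shared with the caller" >&2
        return 2
    fi
    kill -- "-$target"
}
```

A background job started from a non-interactive shell stays in that shell's process group, which is the situation in which a group-wide signal reaches more than the daemon.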