Package: strongswan Version: 5.5.1-2 Severity: normal Hi, this is the part of the feedback on "Ubuntu changes" that is probably more discussion-worthy. And I'm not even speaking of renamed service names yet :-)
Our Ubuntu Delta has for quite a while dropped some outdated code. I didn't come up with the wording - it was called outdated before I even touched Strongswan - so no offense intended. Since I was not 100% sure whether I had considered all the special cases that might apply, I'm only starting a discussion about it so we can see if you agree (instead of submitting patches). In d/strongswan-starter.postinst there seems to be code that is no longer needed: - the section about runlevel changes - the entire section on opportunistic encryption - this was never used Also, the debconf handling for the inc file is IMHO not working. cat /var/lib/strongswan/ipsec.conf.inc #include /etc/ipsec.d/examples/oe.conf That file does not exist (and is not created) on my Debian sid system. I tried to get as much as possible out of its debconf, but it only adds the disabled OE. $ dpkg-reconfigure strongswan-starter -p low Disabling opportunistic encryption (OE) in config file ... already disabled All of that together would make up a nice cleanup, like the attached patch, which I offer as a suggestion. Looking forward to a discussion on all of that. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd
Cleanup outdated strongswan packaging code * clean up d/strongswan-starter.postinst: - Removed section about runlevel changes - Removed entire section on opportunistic encryption strongSwan. * d/rules: Removed pieces on 'patching ipsec.conf' on build. * d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst
index 9e4d7b1..a1dd748 100644
--- a/debian/strongswan-starter.postinst
+++ b/debian/strongswan-starter.postinst
@@ -29,7 +29,6 @@ set -e
 # installation fails and the `postinst' is called with `abort-upgrade',
 # `abort-remove' or `abort-deconfigure'.
-CONF_FILE=/var/lib/strongswan/ipsec.conf.inc
 SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc
 Warn ()
@@ -75,50 +74,6 @@ make_x509_cert() {
 -days $2 $selfsigned >/dev/null
 }
-enable_daemon_start() {
- daemon=$1
- protocol=$2
-
- echo -n "Enabling ${protocol} support by ${daemon}... "
- if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
- echo "already enabled"
- elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then
- sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
- cp $CONF_FILE.tmp $CONF_FILE
- rm $CONF_FILE.tmp
- echo "done"
- elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then
- sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
- cp $CONF_FILE.tmp $CONF_FILE
- rm $CONF_FILE.tmp
- echo "done"
- elif [ ! -e $CONF_FILE ]; then
- echo -e "\t${daemon}start=yes" > $CONF_FILE
- else
- echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
- fi
-}
-
-disable_daemon_start() {
- daemon=$1
- protocol=$2
-
- echo -n "Disabling ${protocol} support by ${daemon}... "
- if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE ||
- egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then
- echo "already disabled"
- elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
- sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp
- cp $CONF_FILE.tmp $CONF_FILE
- rm $CONF_FILE.tmp
- echo "done"
- elif [ ! -e $CONF_FILE ]; then
- echo -e "\t${daemon}start=yes" > $CONF_FILE
- else
- echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
- fi
-}
-
 setup_strongswan_user() {
 if ! getent passwd strongswan >/dev/null; then
 adduser --quiet --system --no-create-home --home /var/lib/strongswan --shell /usr/sbin/nologin strongswan
@@ -209,88 +164,17 @@ case "$1" in
 db_set strongswan/install_x509_certificate false
 fi
- # lets see if we are already using dependency based booting or the correct runlevel parameters
- if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then
- db_fset strongswan/runlevel_changes seen false
- db_input high strongswan/runlevel_changes || true
- db_go
-
- # if the admin did not change the runlevels which got installed by older packages we can modify them
- if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then
- update-rc.d -f ipsec remove
- fi
-
- update-rc.d ipsec defaults 16 84 > /dev/null
- fi
-
- db_get strongswan/enable-oe
- if [ "$RET" != "true" ]; then
- echo -n "Disabling opportunistic encryption (OE) in config file ... "
- if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
- # also update to new-style config
- sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
- mv $CONF_FILE.tmp $CONF_FILE
- echo -n "converted old config line to new format"
- fi
- if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
- sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
- mv $CONF_FILE.tmp $CONF_FILE
- echo "done"
- elif [ ! -e $CONF_FILE ]; then
- echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
- else
- echo "already disabled"
- fi
- else
- echo -n "Enabling opportunistic encryption (OE) in config file ... 
"
- if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
- # also update to new-style config
- sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
- mv $CONF_FILE.tmp $CONF_FILE
- echo -n "converted old config line to new format"
- fi
- if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
- echo "already enabled"
- elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
- sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
- mv $CONF_FILE.tmp $CONF_FILE
- echo "done"
- elif [ ! -e $CONF_FILE ]; then
- echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
- else
- cat <<EOF >> $CONF_FILE
-#Enable Opportunistic Encryption
-include /etc/ipsec.d/examples/oe.conf
-EOF
- echo "done"
- fi
- fi
-
- # disabled for now, until we can solve the don't-edit-conffiles issue
- #db_get strongswan/ikev1
- #if [ "$RET" != "true" ]; then
- # enable_daemon_start "pluto" "IKEv1"
- #else
- # disable_daemon_start "pluto" "IKEv1"
- #fi
- #db_get strongswan/ikev2
- #if [ "$RET" != "true" ]; then
- # enable_daemon_start "charon" "IKEv2"
- #else
- # disable_daemon_start "charon" "IKEv2"
- #fi
-
 # create user for strongswan to change its uid into
 setup_strongswan_user
diff --git a/debian/ipsec.secrets.proto b/debian/ipsec.secrets.proto
index dfa6dde..309e3fc 100644
--- a/debian/ipsec.secrets.proto
+++ b/debian/ipsec.secrets.proto
@@ -3,6 +3,3 @@
 # RSA private key for this host, authenticating it to any other host
 # which knows the public part.
-# this file is managed with debconf and will contain the automatically created private key
-include /var/lib/strongswan/ipsec.secrets.inc
-
diff --git a/debian/rules b/debian/rules
index 345dbe1..dc06ef0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -172,12 +172,6 @@ endif
 # add additional files not covered by upstream makefile...
 install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
- # also "patch" ipsec.conf to include the debconf-managed file
- echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
- echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
- # and to enable both IKEv1 and IKEv2 by default
- sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
- mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
 # set permissions on ipsec.secrets
 chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets