Package: openvpn
Version: 2.1.3-2
Tags: patch
I have found the following changes to /etc/init.d/openvpn make it
easy to run openvpn with the --chroot option.
This patch moves all the openvpn /var/run files into a subdirectory,
so that directory can be then moved into the chroot tree and still
linked from the real /var/run. The link makes programs inside the
chroot (openvpn itself) and outside (this script) see a consistent
view.
This patch also automatically handles creating the user specified
by a --user option.
< Stephen
--- debian/openvpn.init.d-2.1.3-2 2011-02-16 09:44:05
+++ debian/openvpn.init.d 2011-02-18 10:42:02
@@ -35,6 +35,26 @@
. /etc/default/openvpn
fi
+# Outputs the value of a config variable.
+# $1 -- the name of the config variable to output
+config_line() {
+ sed -n "s/^[ \t]*$1[ \t]\+\(.*\)/\1/p" \
+ "$CONFIG_DIR/$NAME.conf"
+}
+
+# Everybody needs /etc/localtime for logging.
+# Clients resolving the server name need /etc/resolv.conf and/or /etc/hosts.
+# Hook scripts need /bin/sh, its shared libraries, and /dev/null.
+files_to_copy_into_chroot="\
+ /etc/localtime \
+ /etc/resolv.conf \
+ /etc/hosts \
+ /bin/sh \
+ /lib/ld-linux.so.* \
+ /lib/libc.so.* \
+ /dev/null \
+ "
+
start_vpn () {
if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
# daemon already given in config file
@@ -52,22 +72,66 @@
STATUSARG=""
else
# prepare default status file
- STATUSARG="--status /var/run/openvpn.$NAME.status $STATUSREFRESH"
+ STATUSARG="--status /var/run/openvpn/$NAME.status $STATUSREFRESH"
+ fi
+
+ USER_HOME=/var/lib/openvpn
+
+ CHROOT=$(config_line chroot)
+ if test -n "$CHROOT" ; then
+ # Sanity check for chroot directory name:
+ # must include "openvpn" and not include ".."
+ if echo "$CHROOT" | grep -q -i openvpn &&
+ echo "$CHROOT" | grep -q -v '\.\.'
+ then
+ USER_HOME=$CHROOT
+ # Copy config files into the chroot.
+ mkdir -p "$CHROOT"/etc
+ cp -a "$CONFIG_DIR" "$CHROOT"/etc
+ # Copy other system files we may need into the chroot.
+ for file in $files_to_copy_into_chroot ; do
+ mkdir -p "$CHROOT/$(dirname "$file")"
+ if [ "$file" = /dev/null ]; then
+ test -c "$CHROOT"/dev/null || mknod "$CHROOT"/dev/null c 1 3
+ else
+ test -f "$file" && cp -p "$file" "$CHROOT/$file"
+ fi
+ done
+ mkdir -p "$CHROOT"/var/run/openvpn
+ # Arrange that this, like the real /var/run/openvpn, gets
+ # cleared at boot.
+ grep -q "$CHROOT"/var/run/openvpn /etc/mtab ||
+ mount -t tmpfs -o noexec,nodev none "$CHROOT"/var/run/openvpn
+ rm -rf /var/run/openvpn
+ ln -s "$CHROOT"/var/run/openvpn /var/run/openvpn
+ else
+ log_failure_msg "$NAME (illegal chroot directory name)"
+ fi
+ else
+ mkdir -p /var/run/openvpn
+ fi
+
+ USERARG=$(config_line user)
+ if test -n "$USERARG" ; then
+ # user requested in config file, may need to create it
+ if test -z "$(getent passwd "$USERARG")" ; then
+ adduser --system --group --home "$USER_HOME" "$USERARG"
+ fi
fi
log_progress_msg "$NAME"
STATUS=0
start-stop-daemon --start --quiet --oknodo \
- --pidfile /var/run/openvpn.$NAME.pid \
- --exec $DAEMON -- $OPTARGS --writepid /var/run/openvpn.$NAME.pid \
+ --pidfile /var/run/openvpn/$NAME.pid \
+ --exec $DAEMON -- $OPTARGS --writepid /var/run/openvpn/$NAME.pid \
$DAEMONARG $STATUSARG --cd $CONFIG_DIR \
--config $CONFIG_DIR/$NAME.conf || STATUS=1
}
stop_vpn () {
kill `cat $PIDFILE` || true
rm -f $PIDFILE
- rm -f /var/run/openvpn.$NAME.status 2> /dev/null
+ rm -f /var/run/openvpn/$NAME.status 2> /dev/null
}
case "$1" in
@@ -118,7 +182,7 @@
log_daemon_msg "Stopping $DESC"
if test -z "$2" ; then
- for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
+ for PIDFILE in `ls /var/run/openvpn/*.pid 2> /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
stop_vpn
@@ -127,8 +191,8 @@
else
while shift ; do
[ -z "$1" ] && break
- if test -e /var/run/openvpn.$1.pid ; then
- PIDFILE=`ls /var/run/openvpn.$1.pid 2> /dev/null`
+ if test -e /var/run/openvpn/$1.pid ; then
+ PIDFILE=`ls /var/run/openvpn/$1.pid 2> /dev/null`
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
stop_vpn
@@ -143,7 +207,7 @@
# Only 'reload' running VPNs. New ones will only start with 'start' or
'restart'.
reload|force-reload)
log_daemon_msg "Reloading $DESC"
- for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
+ for PIDFILE in `ls /var/run/openvpn/*.pid 2> /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
# If openvpn if running under a different user than root we'll need to restart
@@ -163,7 +227,7 @@
# Only 'soft-restart' running VPNs. New ones will only start with 'start' or
'restart'.
soft-restart)
log_daemon_msg "$DESC sending SIGUSR1"
- for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
+ for PIDFILE in `ls /var/run/openvpn/*.pid 2> /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
kill -USR1 `cat $PIDFILE` || true
@@ -180,7 +244,7 @@
;;
cond-restart)
log_daemon_msg "Restarting $DESC."
- for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
+ for PIDFILE in `ls /var/run/openvpn/*.pid 2> /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
stop_vpn
@@ -228,9 +292,9 @@
fi
if test "x$AUTOVPN" = "x1" ; then
# If it is autostarted, then it contributes to global status
- status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'"
|| GLOBAL_STATUS=1
+ status_of_proc -p /var/run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'"
|| GLOBAL_STATUS=1
else
- status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'
(non autostarted)" || true
+ status_of_proc -p /var/run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'
(non autostarted)" || true
fi
done
else
@@ -241,7 +305,7 @@
NAME=$1
if test -e $CONFIG_DIR/$NAME.conf ; then
# Config exists
- status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'"
|| GLOBAL_STATUS=1
+ status_of_proc -p /var/run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'"
|| GLOBAL_STATUS=1
else
# Config does not exist
log_warning_msg "VPN '$NAME': missing $CONFIG_DIR/$NAME.conf file !"
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
