From b434a530278c7900855f9627470b266ab78bf7fc Mon Sep 17 00:00:00 2001 From: Andrey Bondrov Date: Fri, 14 Oct 2016 21:03:46 +0400 Subject: [PATCH 01/30] MassBuild#1169: Increase release tag --- dhcp.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dhcp.spec b/dhcp.spec index afb80a5..cffa240 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -4,7 +4,7 @@ Name: dhcp Epoch: 3 Version: %{major_version}%{patch_version} -Release: 7 +Release: 8 Summary: The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client License: Distributable Group: System/Servers From 7843c37521488284edbfb4c65a80bbcf751e5fa7 Mon Sep 17 00:00:00 2001 From: Andrey Bondrov Date: Sat, 4 Feb 2017 18:24:55 +0300 Subject: [PATCH 02/30] MassBuild#1230: Increase release tag --- dhcp.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dhcp.spec b/dhcp.spec index cffa240..fa57614 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -4,7 +4,7 @@ Name: dhcp Epoch: 3 Version: %{major_version}%{patch_version} -Release: 8 +Release: 9 Summary: The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client License: Distributable Group: System/Servers From 088bc4c1875a9883c3d6693a63df8ddca36a3e2d Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Sat, 6 Oct 2018 01:29:04 +0300 Subject: [PATCH 03/30] Begin changes. See ROSA-NEWS for details. --- Arch-0002-iproute2.patch | 15 ++++++++ ROSA-NEWS | 25 ++++++++++++++ dhclient@.service | 14 ++++++++ dhcp.spec | 75 +++++++++++++++++++++++++++------------- dhcpd.service | 19 ++++++++-- dhcpd.tmpfiles | 2 +- dhcpd6.service | 26 +++++++++++--- isc-dhcp-client.conf | 4 +++ isc-dhcpd.conf | 4 +++ 9 files changed, 152 insertions(+), 32 deletions(-) create mode 100644 Arch-0002-iproute2.patch create mode 100644 ROSA-NEWS create mode 100644 dhclient@.service create mode 100644 isc-dhcp-client.conf create mode 100644 isc-dhcpd.conf 
diff --git a/Arch-0002-iproute2.patch b/Arch-0002-iproute2.patch new file mode 100644 index 0000000..74a4be6 --- /dev/null +++ b/Arch-0002-iproute2.patch @@ -0,0 +1,15 @@ +https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp + +diff --git a/client/scripts/linux b/client/scripts/linux +index 5fb16121..c4cef632 100755 +--- a/client/scripts/linux ++++ b/client/scripts/linux +@@ -362,7 +362,7 @@ case "$reason" in + interface_up_wait_time=5 + for i in $(seq 0 ${interface_up_wait_time}) + do +- ifconfig ${interface} | grep RUNNING >/dev/null 2>&1 ++ ${ip} link show dev ${interface} | grep -q LOWER_UP 2>&1 + if [ $? -eq 0 ]; then + break; + fi diff --git a/ROSA-NEWS b/ROSA-NEWS new file mode 100644 index 0000000..6b06e56 --- /dev/null +++ b/ROSA-NEWS @@ -0,0 +1,25 @@ +dhcp v4.4.1 +05.10.2018 +by mikhailnov + +* Removed 'After=syslog.target' from systemd service dhcpd.service +https://www.freedesktop.org/wiki/Software/systemd/syslog/ says: +"we do no longer recommend people to order their units after syslog.target" + +* Merged old ROSA's dhcpd(6).service and Arch's dhcpd{4|6}.service + +* dhcpd user was added on package installation (dhcp-server), but dhcpd was actually ran from root, not dhcpd +* use sysusers.d(5) (config isc-dhcpd.conf) instaed of manually created dhcpd user +* migration: delete dhcpd user on package uninstallation +* the same for dhclient (isc-dhcp-client.conf) (will it work from not root?) + +* /etc/sysconfig/dhcp6 called in dhcpd6.service did not exist (dhcpd6.service was broken); +let's use copy /etc/sysconfig/dhcpd to /etc/sysconfig/dhcpd6 + +* TODO: Fedora's patch dhcp-paths.patch + +* Empty leases databases are not created on package build anymore (what for were they created?) + +* /var/lib/dhcpd and /var/lib/dhclient are now defined as variables in the RPM spec + +* dhclient@.service from Arch Linux, added: 'User=isc-dhcp-client', - to run dhclient from not root (requires testing) 
diff --git a/dhclient@.service b/dhclient@.service new file mode 100644 index 0000000..01b3841 --- /dev/null +++ b/dhclient@.service @@ -0,0 +1,14 @@ +[Unit] +Description=dhclient on %I +Wants=network.target +Before=network.target + +[Service] +ExecStart=/usr/sbin/dhclient -pf /run/dhclient@%i/dhclient.pid -d %I +RuntimeDirectory=dhclient@%i +User=isc-dhcp-client +ProtectSystem=on +ProtectHome=on + +[Install] +WantedBy=multi-user.target diff --git a/dhcp.spec b/dhcp.spec index fa57614..c56a98e 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -1,10 +1,12 @@ -%define major_version 4.3.2 +%define major_version 4.4.1 %define patch_version %{nil} +%define var_dhcpd %{_var}/lib/dhcpd +%define var_dhclient %{_var}/lib/dhclient Name: dhcp Epoch: 3 Version: %{major_version}%{patch_version} -Release: 9 +Release: 1 Summary: The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client License: Distributable Group: System/Servers @@ -24,6 +26,11 @@ Source16: dhcrelay.service Source17: dhcpd.tmpfiles Source18: dhclient.tmpfiles Source19: dhcrelay.tmpfiles +# sysusers.d(5) (systemd-sysusers) +Source20: isc-dhcpd.conf +Source21: isc-dhcp-client.conf +Source22: dhclient@.service + # mageia patches Patch100: dhcp-4.2.2-ifup.patch #Patch101: dhcp-4.2.2-fix-format-errors.patch # I see it applied in the source already 
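Review bot: In the new dhclient@.service, `User=isc-dhcp-client` is set without any capabilities, so as written dhclient has no right to open its raw socket or bind the client port, and dhclient-script cannot change addresses or routes. dhcpd.service in this same commit adds `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW` for the equivalent reason. I would add `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN` with a matching `CapabilityBoundingSet=` and `NoNewPrivileges=yes`. Even then the hook script presumably cannot replace /etc/resolv.conf as a non-root user, so the unit should carry a comment saying how DNS is expected to be updated; ROSA-NEWS itself marks this unit as requiring testing.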
@@ -178,10 +185,10 @@ install -m0644 %{SOURCE10} doc --enable-paranoia \ --enable-early-chroot \ --with-ldapcrypto \ - --with-srv-lease-file=%{_var}/lib/dhcpd/dhcpd.leases \ - --with-srv6-lease-file=%{_var}/lib/dhcpd/dhcpd6.leases \ - --with-cli-lease-file=%{_var}/lib/dhclient/dhclient.leases \ - --with-cli6-lease-file=%{_var}/lib/dhclient/dhclient6.leases \ + --with-srv-lease-file=%{var_dhcpd}/dhcpd.leases \ + --with-srv6-lease-file=%{var_dhcpd}/dhcpd6.leases \ + --with-cli-lease-file=%{var_dhclient}/dhclient.leases \ + --with-cli6-lease-file=%{var_dhclient}/dhclient6.leases \ --with-srv-pid-file=/run/dhcpd/dhcpd.pid \ --with-srv6-pid-file=/run/dhcpd/dhcpd6.pid \ --with-cli-pid-file=/run/dhclient/dhclient.pid \ @@ -203,11 +210,16 @@ install -d %{buildroot}%{_unitdir} install -m 644 %{SOURCE12} %{buildroot}%{_unitdir}/dhcpd.service install -m 644 %{SOURCE14} %{buildroot}%{_unitdir}/dhcpd6.service install -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/dhcrelay.service +install -m 644 %{SOURCE22} %{buildroot}%{_unitdir}/ install -D -p -m 644 %{SOURCE17} %{buildroot}%{_tmpfilesdir}/dhcpd.conf install -D -p -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/dhclient.conf install -D -p -m 644 %{SOURCE19} %{buildroot}%{_tmpfilesdir}/dhcrelay.conf +install -d %{buildroot}%{_sysusersdir} +install -m 644 %{SOURCE20} %{buildroot}%{_sysusersdir}/ +install -m 644 %{SOURCE21} %{buildroot}%{_sysusersdir}/ + install -m 755 %{SOURCE7} %{SOURCE8} %{buildroot}%{_sbindir} install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir} install -m 755 contrib/ldap/dhcpd-conf-to-ldap %{buildroot}%{_sbindir} 
@@ -223,7 +235,7 @@ cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcpd < %{buildroot}%{_sysconfdir}/sysconfig/dhcpd < %{buildroot}%{_sysconfdir}/sysconfig6 + +install -d %{buildroot}%{var_dhcpd} +#touch %{buildroot}%{var_dhcpd}/dhcpd.leases +install -d %{buildroot}%{var_dhclient} +#touch %{buildroot}%{var_dhclient}/dhclient.leases cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcrelay <&1 >/dev/null || true %files common -%doc README contrib/ldap/README.ldap RELNOTES +%doc README ROSA-NEWS contrib/ldap/README.ldap RELNOTES %doc contrib/3.0b1-lease-convert %{_mandir}/man5/dhcp-options.5* @@ -327,6 +352,7 @@ rm -rf %{_var}/lib/dhclient/dhclient.leases %config(noreplace) %{_sysconfdir}/dhcpd.conf %config(noreplace) %{_sysconfdir}/dhclient-exit-hooks %config(noreplace) %{_sysconfdir}/sysconfig/dhcpd +%config(noreplace) %{_sysconfdir}/sysconfig/dhcpd6 %{_sbindir}/dhcpd %{_sbindir}/dhcpreport.pl %{_sbindir}/dhcpd-conf-to-ldap @@ -338,8 +364,8 @@ rm -rf %{_var}/lib/dhclient/dhclient.leases %{_mandir}/man5/dhcpd.leases.5* %{_mandir}/man5/dhcp-eval.5* %{_mandir}/man8/dhcpd.8* -%dir %{_var}/lib/dhcpd -%config(noreplace) %ghost %{_var}/lib/dhcpd/dhcpd.leases +%dir %{var_dhcpd} +%config(noreplace) %ghost %{var_dhcpd}/dhcpd.leases %files relay %{_unitdir}/dhcrelay.service @@ -352,13 +378,14 @@ rm -rf %{_var}/lib/dhclient/dhclient.leases %doc client/dhclient.conf.example %attr (0755,root,root) /sbin/dhclient-script %{_tmpfilesdir}/dhclient.conf +%{_unitdir}/dhclient@.service /sbin/dhclient %{_mandir}/man5/dhclient.conf.5* %{_mandir}/man5/dhclient.leases.5* %{_mandir}/man8/dhclient.8* %{_mandir}/man8/dhclient-script.8* -%dir %{_var}/lib/dhclient -%config(noreplace) %ghost %{_var}/lib/dhclient/dhclient.leases +%dir %{var_dhclient} +%config(noreplace) %ghost %{var_dhclient}/dhclient.leases %files devel %{_includedir}/* diff --git a/dhcpd.service b/dhcpd.service index 4cb5a58..4bacf76 100644 --- a/dhcpd.service +++ b/dhcpd.service 
@@ -1,13 +1,28 @@ [Unit] Description=DHCPv4 Server Daemon -After=syslog.target network.target ldap.service +Documentation=man:dhcpd(8) man:dhcpd.conf(5) +Wants=network-online.target +# ldap.service: probably LDAP server starts first and dhcpd must start providing DHCP server only after LDAP has started to use LDAP for IP addresses (?) +After=network-online.target time-sync.target ldap.service [Service] Environment=CONFIGFILE=/etc/dhcpd.conf LEASEFILE=/var/lib/dhcpd/dhcpd.leases EnvironmentFile=-/etc/sysconfig/dhcpd Type=forking -PIDFile=/run/dhcpd/dhcpd.pid ExecStart=/usr/sbin/dhcpd -pf /run/dhcpd/dhcpd.pid -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES +PIDFile=/run/dhcpd/dhcpd.pid +User=isc-dhcpd +AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW +ProtectSystem=full +ProtectHome=on +KillSignal=SIGINT +# We pull in network-online.target for a configured network connection. +# However this is not guaranteed to be the network connection our +# networks are configured for. So try to restart on failure with a delay +# of two seconds. Rate limiting kicks in after 12 seconds. +RestartSec=2s +Restart=on-failure +StartLimitInterval=12s [Install] WantedBy=multi-user.target diff --git a/dhcpd.tmpfiles b/dhcpd.tmpfiles index d545ce8..dd3b209 100644 --- a/dhcpd.tmpfiles +++ b/dhcpd.tmpfiles @@ -1 +1 @@ -d /run/dhcpd 755 root root +d /run/dhcpd 755 isc-dhcpd isc-dhcpd diff --git a/dhcpd6.service b/dhcpd6.service index bd1fac4..af7de4e 100644 --- a/dhcpd6.service +++ b/dhcpd6.service 
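Review bot: The `[Service]` section of dhcpd.service hands `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW` to `isc-dhcpd` but leaves the bounding set open and allows privilege gain through setuid binaries. For a daemon that parses packets from any host on the segment I would add `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW` and `NoNewPrivileges=yes` next to it. The same applies to the identical block in dhcpd6.service. Separately, the spec builds with `--enable-paranoia` and `--enable-early-chroot`, and with `User=` set any `-user`, `-group` or `-chroot` switch carried in `$OPTIONS` would presumably fail because the process no longer starts as root; a one-line comment above `ExecStart=` saying so would help.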
@@ -1,13 +1,29 @@ [Unit] Description=DHCPv6 Server Daemon -After=syslog.target network.target +Documentation=man:dhcpd(8) man:dhcpd.conf(5) +Wants=network-online.target +# ldap.service: probably LDAP server starts first and dhcpd must start providing DHCP server only after LDAP has started to use LDAP for IP addresses (?) +# network-online.target seems unreasonable because network is probsbly not online on the DHCP server in a local network +After=network.target time-sync.target ldap.service [Service] -Environment=CONFIGFILE=/etc/dhcpd6.conf LEASEFILE=/var/lib/dhcp/dhcpd6.leases -EnvironmentFile=-/etc/sysconfig/dhcpd6 +Environment=CONFIGFILE=/etc/dhcpd6.conf LEASEFILE=/var/lib/dhcpd/dhcpd6.leases +EnvironmentFile=-/etc/sysconfig/dhcpd Type=forking -PIDFile=/var/run/dhcpd6.pid -ExecStart=/usr/sbin/dhcpd -6 -pf /var/run/dhcpd6.pid -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES +ExecStart=/usr/sbin/dhcpd -6 -pf /run/dhcpd/dhcpd6.pid -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES +PIDFile=/run/dhcpd/dhcpd6.pid +User=isc-dhcpd +AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW +ProtectSystem=full +ProtectHome=on +KillSignal=SIGINT +# We pull in network-online.target for a configured network connection. +# However this is not guaranteed to be the network connection our +# networks are configured for. So try to restart on failure with a delay +# of two seconds. Rate limiting kicks in after 12 seconds. +RestartSec=2s +Restart=on-failure +StartLimitInterval=12s [Install] WantedBy=multi-user.target diff --git a/isc-dhcp-client.conf b/isc-dhcp-client.conf new file mode 100644 index 0000000..8ab9da2 --- /dev/null +++ b/isc-dhcp-client.conf @@ -0,0 +1,4 @@ +# The shell is /sbin/nologin +u isc-dhcp-client - "ISC DHCP client user" / +g isc-dhcp-client - "ISC DHCP client group" +m isc-dhcp-client isc-dhcp-client diff --git a/isc-dhcpd.conf b/isc-dhcpd.conf new file mode 100644 index 0000000..92a85e3 --- /dev/null +++ b/isc-dhcpd.conf 
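Review bot: In dhcpd6.service, `EnvironmentFile=-/etc/sysconfig/dhcpd` makes the DHCPv6 unit read the DHCPv4 settings file, although this same commit packages `%{_sysconfdir}/sysconfig/dhcpd6` and ROSA-NEWS names it as the file for dhcpd6.service; the line should stay `EnvironmentFile=-/etc/sysconfig/dhcpd6`. Values from an `EnvironmentFile=` override the `Environment=` line, so if the v4 file sets `CONFIGFILE` or `LEASEFILE` the v6 daemon would start with the v4 configuration and lease database (the file's contents are not visible on this page). The unit also has `Wants=network-online.target` while `After=` orders only against `network.target`, and the restart comment copied from dhcpd.service contradicts the comment above `After=`; one of the two comments should go.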
@@ -0,0 +1,4 @@ +# The shell is /sbin/nologin +u isc-dhcpd - "ISC DHCP daemon user" / +g isc-dhcpd - "ISC DHCP daemon group" +m isc-dhcpd isc-dhcpd From fa84235961346511ce9518ab0e6efac20189e405 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 10:28:44 +0300 Subject: [PATCH 04/30] Fixes --- .abf.yml | 11 ++--------- Arch-0002-iproute2.patch | 2 +- dhcp.spec | 4 ++++ 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/.abf.yml b/.abf.yml index fa6f3f9..4180479 100644 --- a/.abf.yml +++ b/.abf.yml @@ -1,11 +1,4 @@ -removed_sources: - dhcp-4.2.5-P1.tar.gz: 120b6e476b2ac0d35e1dc8dee53752c42449b925 - dhcp-4.2.5-P1.tar.gz.sha512.asc: d43248ba82d8a2f393f2f6c283ea06fb2df38d18 - dhcp-4.2.5.tar.gz: d029505509aee83ea28972d5d1c95dc4b5db99f1 - dhcp-4.2.5.tar.gz.sha512.asc: ac49b30ef17acb36cc5603faa5d780e423aa0e06 - dhcp-4.3.0.tar.gz: deed72a4636461042b74de68c2825dc52623e1d1 - dhcp-4.3.0.tar.gz.sha512.asc: e05375f86430f0d92a371fe8f619aa73e65de19a sources: - dhcp-4.3.2.tar.gz: c7fcc4fa2bd135700b410f47eca238dd67419654 - dhcp-4.3.2.tar.gz.sha512.asc: dd76a14f1424e216dfaf186b75566a867de311d4 + dhcp-4.4.1.tar.gz: 7be2c4911107f613c2d4b0a943261603c6b8507a + dhcp-4.4.1.tar.gz.sha512.asc: 1e5af5476f181d2045e4b30171e3f423aa260fbe dhcp-dynamic-dns-examples.tar.bz2: d33980aad3e0380fc89f8346ab37786d39157696 diff --git a/Arch-0002-iproute2.patch b/Arch-0002-iproute2.patch index 74a4be6..ca6b4a8 100644 --- a/Arch-0002-iproute2.patch +++ b/Arch-0002-iproute2.patch @@ -9,7 +9,7 @@ index 5fb16121..c4cef632 100755 for i in $(seq 0 ${interface_up_wait_time}) do - ifconfig ${interface} | grep RUNNING >/dev/null 2>&1 -+ ${ip} link show dev ${interface} | grep -q LOWER_UP 2>&1 ++ /sbin/ip link show dev ${interface} | grep -q LOWER_UP 2>&1 if [ $? -eq 0 ]; then break; fi diff --git a/dhcp.spec b/dhcp.spec index c56a98e..ce39fa8 100644 --- a/dhcp.spec +++ b/dhcp.spec 
@@ -30,6 +30,7 @@ Source19: dhcrelay.tmpfiles Source20: isc-dhcpd.conf Source21: isc-dhcp-client.conf Source22: dhclient@.service +Source100: ROSA-NEWS # mageia patches Patch100: dhcp-4.2.2-ifup.patch @@ -43,6 +44,7 @@ Patch7: dhcp-4.2.0-default-requested-options.patch Patch15: dhcp-4.2.2-missing-ipv6-not-fatal.patch Patch17: dhcp-4.2.0-add_timeout_when_NULL.patch Patch18: dhcp-4.3.0-64_bit_lease_parse.patch +Patch19: Arch-0002-iproute2.patch BuildRequires: bind-devel BuildRequires: groff-base BuildRequires: groff-for-man @@ -177,6 +179,8 @@ Requires(pre): openldap-config # Ensure 64-bit platforms parse lease file dates & times correctly %patch18 -p1 -b .64-bit_lease_parse +%patch19 -p1 + install -m0644 %{SOURCE10} doc %build From 643b60520d27b9cd246b239e424c8942390d8962 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 12:35:21 +0300 Subject: [PATCH 05/30] Continue changes: it builds --- dhcp.spec | 53 ++++++++++++++++++----------------------------------- 1 file changed, 18 insertions(+), 35 deletions(-) diff --git a/dhcp.spec b/dhcp.spec index ce39fa8..98ad3a9 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -12,7 +12,7 @@ License: Distributable Group: System/Servers URL: http://www.isc.org/software/dhcp Source0: ftp://ftp.isc.org/isc/%{name}/%{major_version}%{patch_version}/%{name}-%{major_version}%{patch_version}.tar.gz -Source1: ftp://ftp.isc.org/isc/%{name}/%{major_version}%{patch_version}/%{name}-%{major_version}%{patch_version}.tar.gz.sha512.asc +#Source1: ftp://ftp.isc.org/isc/%{name}/%{major_version}%{patch_version}/%{name}-%{major_version}%{patch_version}.tar.gz.sha512.asc Source2: dhcpd.conf Source4: dhcp-dynamic-dns-examples.tar.bz2 Source7: dhcpreport.pl 
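Review bot: Commenting out `Source1` in the `@@ -12,7 +12,7 @@` hunk drops the upstream detached signature from the spec while `Source0` is still fetched over `ftp://`, so nothing in the package ties the tarball to the upstream signing key. I would keep the `Source1: ...tar.gz.sha512.asc` line (the .abf.yml change in this series still lists that file), ship the upstream public key as a further `Source`, and verify the tarball against both at the top of `%prep`, before `%setup`. If the signature really has to be dropped, a comment next to the line should say why.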
@@ -32,16 +32,6 @@ Source21: isc-dhcp-client.conf Source22: dhclient@.service Source100: ROSA-NEWS -# mageia patches -Patch100: dhcp-4.2.2-ifup.patch -#Patch101: dhcp-4.2.2-fix-format-errors.patch # I see it applied in the source already -# prevents needless deassociation, working around mdv bug #43441 -Patch102: dhcp-4.1.1-prevent_wireless_deassociation.patch -Patch103: dhcp-4.2.5-P1-man.patch -# fedora patches -Patch7: dhcp-4.2.0-default-requested-options.patch -#Patch8: dhcp-4.2.2-xen-checksum.patch # fixed in upstream since 4.3.2 -Patch15: dhcp-4.2.2-missing-ipv6-not-fatal.patch Patch17: dhcp-4.2.0-add_timeout_when_NULL.patch Patch18: dhcp-4.3.0-64_bit_lease_parse.patch Patch19: Arch-0002-iproute2.patch 
@@ -159,36 +149,24 @@ BuildArch: noarch Requires(pre): openldap-config %prep -%setup -q -n %{name}-%{major_version}%{patch_version} -%patch100 -p1 -b .ifup -#patch101 -p1 -b .format_not_a_string_literal_and_no_format_arguments -%patch102 -p1 -b .prevent_wireless_deassociation -%patch103 -p1 -b .man +#%setup -q -n %{name}-%{major_version}%{patch_version} +%setup +pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd -# Add NIS domain, NIS servers, NTP servers, interface-mtu and domain-search -# to the list of default requested DHCP options -%patch7 -p1 -b .requested -# Handle Xen partial UDP checksums -#patch8 -p1 -b .xen -# If the ipv6 kernel module is missing, do not segfault -# (Submitted to dhcp-bugs@isc.org - [ISC-Bugs #19367]) -%patch15 -p1 -b .noipv6 # Handle cases in add_timeout() where the function is called with a NULL # value for the 'when' parameter %patch17 -p1 -b .dracut # Ensure 64-bit platforms parse lease file dates & times correctly %patch18 -p1 -b .64-bit_lease_parse - +# change ipconfig to modern ip (from Arch) %patch19 -p1 -install -m0644 %{SOURCE10} doc - %build %serverbuild_hardened +##/bin/cp configure.ac+lt configure.ac +#%autoreconf +##autoreconf -ifv %configure2_5x \ - --enable-paranoia \ - --enable-early-chroot \ - --with-ldapcrypto \ --with-srv-lease-file=%{var_dhcpd}/dhcpd.leases \ --with-srv6-lease-file=%{var_dhcpd}/dhcpd6.leases \ --with-cli-lease-file=%{var_dhclient}/dhclient.leases \ @@ -198,13 +176,16 @@ install -m0644 %{SOURCE10} doc --with-cli-pid-file=/run/dhclient/dhclient.pid \ --with-cli6-pid-file=/run/dhclient/dhclient6.pid \ --with-relay-pid-file=/run/dhcrelay/dhcrelay.pid \ - --disable-static -%make + --enable-paranoia \ + --enable-early-chroot \ + --with-ldapcrypto +make %install %makeinstall_std +install -m0644 %{SOURCE10} doc # Install correct dhclient-script install -d %{buildroot}/sbin mv %{buildroot}%{_sbindir}/dhclient %{buildroot}/sbin/dhclient 
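Review bot: `pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd` in `%prep` unpacks a BIND source tree that sits inside the dhcp tarball, and nothing in the spec records that the package now carries its own copy of those libraries; a later commit in this series comments out `BuildRequires: bind-devel` for that reason. A comment above the line such as `# bundled BIND libraries: fixes to the system bind package do not reach this copy, track upstream advisories for it` would make that visible to whoever handles security updates. Smaller point on the same line: `-v` followed by `>/dev/null` is just `tar -xf bind.tar.gz`.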
@@ -250,12 +231,12 @@ cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcpd < %{buildroot}%{_sysconfdir}/sysconfig6 +cat %{buildroot}%{_sysconfdir}/sysconfig | sed 's,dhcpd,dhcpd6,g' > %{buildroot}%{_sysconfdir}/sysconfig/dhcpd6 install -d %{buildroot}%{var_dhcpd} -#touch %{buildroot}%{var_dhcpd}/dhcpd.leases +touch %{buildroot}%{var_dhcpd}/dhcpd.leases install -d %{buildroot}%{var_dhclient} -#touch %{buildroot}%{var_dhclient}/dhclient.leases +touch %{buildroot}%{var_dhclient}/dhclient.leases cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcrelay < Date: Mon, 8 Oct 2018 13:02:39 +0300 Subject: [PATCH 06/30] Fix packing RPM --- dhcp.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dhcp.spec b/dhcp.spec index 98ad3a9..cc5bdb7 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -149,8 +149,8 @@ BuildArch: noarch Requires(pre): openldap-config %prep -#%setup -q -n %{name}-%{major_version}%{patch_version} -%setup +%setup -q -n %{name}-%{major_version}%{patch_version} +#%setup pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd # Handle cases in add_timeout() where the function is called with a NULL @@ -186,6 +186,7 @@ make %makeinstall_std install -m0644 %{SOURCE10} doc +install -m0644 %{SOURCE100} ROSA-NEWS # Install correct dhclient-script install -d %{buildroot}/sbin mv %{buildroot}%{_sbindir}/dhclient %{buildroot}/sbin/dhclient From 9863cacf80b3319b8df12bc1e551d10fb1dd96e0 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 13:40:21 +0300 Subject: [PATCH 07/30] Fixes to dhclient@.service --- dhclient@.service | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dhclient@.service b/dhclient@.service index 01b3841..76f4923 100644 --- a/dhclient@.service +++ b/dhclient@.service 
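Review bot: The added line `cat %{buildroot}%{_sysconfdir}/sysconfig | sed 's,dhcpd,dhcpd6,g' > ...` reads the `sysconfig` directory rather than the `sysconfig/dhcpd` file written just above it, so `cat` fails, `sed` still exits 0, and the build installs an empty /etc/sysconfig/dhcpd6 without any error. It should be `sed 's,dhcpd,dhcpd6,g' %{buildroot}%{_sysconfdir}/sysconfig/dhcpd > %{buildroot}%{_sysconfdir}/sysconfig/dhcpd6`. The global substitution also rewrites every path that contains `dhcpd`, so a `/var/lib/dhcpd/` prefix would become `/var/lib/dhcpd6/`, which the package does not create; the here-document is not fully visible on this page, so the generated file needs checking.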
@@ -4,11 +4,14 @@ Wants=network.target Before=network.target [Service] -ExecStart=/usr/sbin/dhclient -pf /run/dhclient@%i/dhclient.pid -d %I +ExecStart=/usr/sbin/dhclient -lf /var/lib/dhclient/dhclient.leases -pf /run/dhclient@%i/dhclient.pid -d %I RuntimeDirectory=dhclient@%i User=isc-dhcp-client -ProtectSystem=on -ProtectHome=on +ProtectSystem=yes +ProtectHome=yes +ReadWritePaths=/var/lib/dhclient/ +RestartSec=2s +Restart=on-failure [Install] WantedBy=multi-user.target From 4f36392da6788ff4859b85fde5041c7e180d5b8f Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 13:52:05 +0300 Subject: [PATCH 08/30] Some spec clean up --- dhcp.spec | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/dhcp.spec b/dhcp.spec index cc5bdb7..a7c8563 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -29,18 +29,24 @@ Source19: dhcrelay.tmpfiles # sysusers.d(5) (systemd-sysusers) Source20: isc-dhcpd.conf Source21: isc-dhcp-client.conf +# Per-interface dhclient service from Arch Linux (modified) Source22: dhclient@.service Source100: ROSA-NEWS Patch17: dhcp-4.2.0-add_timeout_when_NULL.patch Patch18: dhcp-4.3.0-64_bit_lease_parse.patch Patch19: Arch-0002-iproute2.patch -BuildRequires: bind-devel + +# Starting from dhcp 4.x built in Bind libs are used +#BuildRequires: bind-devel BuildRequires: groff-base BuildRequires: groff-for-man BuildRequires: libtool BuildRequires: openldap-devel BuildRequires: systemd-units +# --with-ldap-gssapi +BuildRequires: pkconfig(krb5-gssapi) +BuildRequires: pkgconfig(libcap-ng) Requires(post,preun): rpm-helper %description @@ -163,9 +169,6 @@ pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd %build %serverbuild_hardened -##/bin/cp configure.ac+lt configure.ac -#%autoreconf -##autoreconf -ifv %configure2_5x \ --with-srv-lease-file=%{var_dhcpd}/dhcpd.leases \ --with-srv6-lease-file=%{var_dhcpd}/dhcpd6.leases \ 
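Review bot: In dhclient@.service, `-lf /var/lib/dhclient/dhclient.leases` is the same file for every instance of the template, so two interfaces started from it would write their leases into one database while the PID file and runtime directory are already per instance; `-lf /var/lib/dhclient/dhclient-%i.leases` keeps them apart (the `%ghost` entry in the spec would need to follow). `ReadWritePaths=/var/lib/dhclient/` has no effect under `ProtectSystem=yes`, which only makes /usr and /boot read-only. With `ProtectSystem=strict` the line would do real work, though any path the hook script writes under /etc would then have to be listed as well.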
@@ -178,7 +181,9 @@ pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd --with-relay-pid-file=/run/dhcrelay/dhcrelay.pid \ --enable-paranoia \ --enable-early-chroot \ - --with-ldapcrypto + --with-ldap \ + --with-ldapcrypto \ + --with-ldap-gssapi make %install @@ -306,11 +311,11 @@ EOF %_preun_service dhcrelay %post client -#touch %{var_dhclient}/dhclient.leases # migrate from root:root as it was before ROSA package v4.4.1 # create this directory if it does not esist and then chmod it to allow dhcpd to work properly %sysusers_create isc-dhcp-client.conf [ ! -d %{var_dhclient}/ ] && mkdir -p %{var_dhclient}/ +touch %{var_dhclient}/dhclient.leases || true [ -d %{var_dhclient} ] && chown -R isc-dhcp-client:isc-dhcp-client %{var_dhclient}/ %tmpfiles_create dhclient.conf From 61c033f6638f532df48a9daa65e4ab02e88aa2c9 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 13:52:30 +0300 Subject: [PATCH 09/30] Minor updates to chanagelog --- ROSA-NEWS | 2 -- 1 file changed, 2 deletions(-) diff --git a/ROSA-NEWS b/ROSA-NEWS index 6b06e56..06882c8 100644 --- a/ROSA-NEWS +++ b/ROSA-NEWS @@ -18,8 +18,6 @@ let's use copy /etc/sysconfig/dhcpd to /etc/sysconfig/dhcpd6 * TODO: Fedora's patch dhcp-paths.patch -* Empty leases databases are not created on package build anymore (what for were they created?) - * /var/lib/dhcpd and /var/lib/dhclient are now defined as variables in the RPM spec * dhclient@.service from Arch Linux, added: 'User=isc-dhcp-client', - to run dhclient from not root (requires testing) From 2761040c9c25ac0429e74e89561e0144079259a2 Mon Sep 17 00:00:00 2001 
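Review bot: In `%post client`, `chown -R isc-dhcp-client:isc-dhcp-client %{var_dhclient}/` runs as root on every install and upgrade over a directory that the unprivileged service account owns after the first run, so root ends up changing ownership of whatever that account has placed there. Only the directory and the lease file need fixing: `install -d -o isc-dhcp-client -g isc-dhcp-client %{var_dhclient}` followed by `chown -h isc-dhcp-client:isc-dhcp-client %{var_dhclient}/dhclient.leases`. The added `touch %{var_dhclient}/dhclient.leases || true` has the same property on upgrades, since root then touches a path inside a directory the service user controls; leaving file creation to dhclient avoids it.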
From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 13:52:41 +0300 Subject: [PATCH 10/30] Delete old patches --- ...4.1.1-prevent_wireless_deassociation.patch | 39 ---- dhcp-4.2.0-default-requested-options.patch | 44 ----- dhcp-4.2.2-ifup.patch | 185 ------------------ dhcp-4.2.2-missing-ipv6-not-fatal.patch | 40 ---- dhcp-4.2.5-P1-man.patch | 22 --- 5 files changed, 330 deletions(-) delete mode 100644 dhcp-4.1.1-prevent_wireless_deassociation.patch delete mode 100644 dhcp-4.2.0-default-requested-options.patch delete mode 100644 dhcp-4.2.2-ifup.patch delete mode 100644 dhcp-4.2.2-missing-ipv6-not-fatal.patch delete mode 100644 dhcp-4.2.5-P1-man.patch diff --git a/dhcp-4.1.1-prevent_wireless_deassociation.patch b/dhcp-4.1.1-prevent_wireless_deassociation.patch deleted file mode 100644 index b19b028..0000000 --- a/dhcp-4.1.1-prevent_wireless_deassociation.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -diff -p -up dhcp-4.1.1/client/scripts/linux.prevent_wireless dhcp-4.1.1/client/scripts/linux ---- dhcp-4.1.1/client/scripts/linux.prevent_wireless 2010-02-25 11:37:31.000000000 -0300 -+++ dhcp-4.1.1/client/scripts/linux 2010-02-25 11:37:37.000000000 -0300 -@@ -13,6 +13,8 @@ - - # 1. ifconfig down apparently deletes all relevant routes and flushes - # the arp cache, so this doesn't need to be done explicitly. -+# 1.1. ifconfig $interface inet 0 is enough, and prevents unneeded -+# deassociation on wireless interfaces - - # 2. The alias address handling here has not been tested AT ALL. - # I'm just going by the doc of modern Linux ip aliasing, which uses -@@ -170,7 +172,7 @@ if [ x$reason = xBOUND ] || [ x$reason = - if [ x$old_ip_address != x ] && [ x$old_ip_address != x$new_ip_address ]; then - # IP address changed. Bringing down the interface will delete all routes, - # and clear the ARP cache. -- ifconfig $interface inet 0 down -+ ifconfig $interface inet 0 - - fi - if [ x$old_ip_address = x ] || [ x$old_ip_address != x$new_ip_address ] || \ -@@ -224,7 +226,7 @@ if [ x$reason = xEXPIRE ] || [ x$reason - fi - if [ x$old_ip_address != x ]; then - # Shut down interface, which will delete routes and clear arp cache. -- ifconfig $interface inet 0 down -+ ifconfig $interface inet 0 - fi - if [ x$alias_ip_address != x ]; then - ifconfig $interface:0 inet $alias_ip_address $alias_subnet_arg -@@ -259,7 +261,7 @@ if [ x$reason = xTIMEOUT ]; then - fi - exit_with_hooks 0 - fi -- ifconfig $interface inet 0 down -+ ifconfig $interface inet 0 - exit_with_hooks 1 - fi - diff --git a/dhcp-4.2.0-default-requested-options.patch b/dhcp-4.2.0-default-requested-options.patch deleted file mode 100644 index fea8a4b..0000000 --- a/dhcp-4.2.0-default-requested-options.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -diff -up dhcp-4.2.0/client/clparse.c.requested dhcp-4.2.0/client/clparse.c ---- dhcp-4.2.0/client/clparse.c.requested 2010-07-21 13:29:05.000000000 +0200 -+++ dhcp-4.2.0/client/clparse.c 2010-07-21 13:50:29.000000000 +0200 -@@ -37,7 +37,7 @@ - - struct client_config top_level_config; - --#define NUM_DEFAULT_REQUESTED_OPTS 9 -+#define NUM_DEFAULT_REQUESTED_OPTS 14 - struct option *default_requested_options[NUM_DEFAULT_REQUESTED_OPTS + 1]; - - static void parse_client_default_duid(struct parse *cfile); -@@ -111,6 +111,31 @@ isc_result_t read_client_conf () - option_code_hash_lookup(&default_requested_options[8], - dhcpv6_universe.code_hash, &code, 0, MDL); - -+ /* 10 */ -+ code = DHO_NIS_DOMAIN; -+ option_code_hash_lookup(&default_requested_options[9], -+ dhcp_universe.code_hash, &code, 0, MDL); -+ -+ /* 11 */ -+ code = DHO_NIS_SERVERS; -+ option_code_hash_lookup(&default_requested_options[10], -+ dhcp_universe.code_hash, &code, 0, MDL); -+ -+ /* 12 */ -+ code = DHO_NTP_SERVERS; -+ option_code_hash_lookup(&default_requested_options[11], -+ dhcp_universe.code_hash, &code, 0, MDL); -+ -+ /* 13 */ -+ code = DHO_INTERFACE_MTU; -+ option_code_hash_lookup(&default_requested_options[12], -+ dhcp_universe.code_hash, &code, 0, MDL); -+ -+ /* 14 */ -+ code = DHO_DOMAIN_SEARCH; -+ option_code_hash_lookup(&default_requested_options[13], -+ dhcp_universe.code_hash, &code, 0, MDL); -+ - for (code = 0 ; code < NUM_DEFAULT_REQUESTED_OPTS ; code++) { - if (default_requested_options[code] == NULL) - log_fatal("Unable to find option definition for " diff --git a/dhcp-4.2.2-ifup.patch b/dhcp-4.2.2-ifup.patch deleted file mode 100644 index 0050468..0000000 --- a/dhcp-4.2.2-ifup.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -diff -Naur -x '*~' -x '*.orig' -x '*.rej' dhcp-4.2.2/client/scripts/linux dhcp-4.2.2-ifup/client/scripts/linux ---- dhcp-4.2.2/client/scripts/linux 2011-05-18 22:01:54.000000000 +0200 -+++ dhcp-4.2.2-ifup/client/scripts/linux 2011-08-29 19:07:58.722894019 +0200 -@@ -1,8 +1,11 @@ - #!/bin/bash --# dhclient-script for Linux. Dan Halbert, March, 1997. --# Updated for Linux 2.[12] by Brian J. Murrell, January 1999. --# No guarantees about this. I'm a novice at the details of Linux --# networking. -+# Network Interface Configuration System -+# -+# Based on: -+# dhclient-script for Linux. Dan Halbert, March, 1997. -+# Updated for Linux 2.[12] by Brian J. Murrell, January 1999. -+# Modified for Mandriva Linux 1999-2009 -+ - - # Notes: - -@@ -26,28 +29,35 @@ - ip=/sbin/ip - - make_resolv_conf() { -+ local d -+ local ns -+ -+ if [ -n "$DOMAIN" ]; then -+ d="search $DOMAIN" -+ fi -+ - if [ x"$new_domain_name_servers" != x ]; then -- cat /dev/null > /etc/resolv.conf.dhclient -- chmod 644 /etc/resolv.conf.dhclient -- if [ x"$new_domain_search" != x ]; then -- echo search $new_domain_search >> /etc/resolv.conf.dhclient -+ if [ -n "$DOMAIN" ]; then -+ # already done above -+ d="search $DOMAIN" -+ elif [ x"$new_domain_search" != x ]; then -+ d="search $new_domain_search" - elif [ x"$new_domain_name" != x ]; then - # Note that the DHCP 'Domain Name Option' is really just a domain - # name, and that this practice of using the domain name option as - # a search path is both nonstandard and deprecated. 
-- echo search $new_domain_name >> /etc/resolv.conf.dhclient -+ d="search $new_domain_name" - fi - for nameserver in $new_domain_name_servers; do -- echo nameserver $nameserver >>/etc/resolv.conf.dhclient -+ ns="$ns"$'\n'"nameserver ${nameserver}" - done - -- mv /etc/resolv.conf.dhclient /etc/resolv.conf - elif [ "x${new_dhcp6_name_servers}" != x ] ; then -- cat /dev/null > /etc/resolv.conf.dhclient6 -- chmod 644 /etc/resolv.conf.dhclient6 -- -- if [ "x${new_dhcp6_domain_search}" != x ] ; then -- echo search ${new_dhcp6_domain_search} >> /etc/resolv.conf.dhclient6 -+ if [ -n "$DOMAIN" ]; then -+ # already done above -+ d="search $DOMAIN" -+ elif [ "x${new_dhcp6_domain_search}" != x ] ; then -+ d="search ${new_dhcp6_domain_search}" - fi - shopt -s nocasematch - for nameserver in ${new_dhcp6_name_servers} ; do -@@ -59,11 +69,13 @@ - else - zone_id= - fi -- echo nameserver ${nameserver}$zone_id >> /etc/resolv.conf.dhclient6 -+ ns="$ns"$'\n'"nameserver ${nameserver}$zone_id" - done - shopt -u nocasematch -+ fi - -- mv /etc/resolv.conf.dhclient6 /etc/resolv.conf -+ if [ -n "$d" -o -n "$ns" ]; then -+ change_resolv_conf "$d" "$ns" - fi - } - -@@ -88,6 +100,25 @@ - fi - fi - -+# Import Mandriva Linux configuration -+cd /etc/sysconfig/network-scripts; -+. /etc/sysconfig/network-scripts/network-functions -+. /etc/rc.d/init.d/functions -+ -+[ -f ../network ] && . ../network -+[ -f ../networking/network ] && . ../networking/network -+ -+CONFIG=$interface -+ -+need_config ${CONFIG} -+ -+if [ -f "${CONFIG}" ]; then -+ source_config -+else -+ echo $"$0: configuration for $interface not found." 
>&2 -+ DEVICE=$interface -+fi -+ - ### - ### DHCPv4 Handlers - ### -@@ -138,15 +169,6 @@ - - if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \ - [ x$reason = xREBIND ] || [ x$reason = xREBOOT ]; then -- current_hostname=`hostname` -- if [ x$current_hostname = x ] || \ -- [ x$current_hostname = "x(none)" ] || \ -- [ x$current_hostname = xlocalhost ] || \ -- [ x$current_hostname = x$old_host_name ]; then -- if [ x$new_host_name != x$old_host_name ]; then -- hostname "$new_host_name" -- fi -- fi - - if [ x$old_ip_address != x ] && [ x$alias_ip_address != x ] && \ - [ x$alias_ip_address != x$old_ip_address ]; then -@@ -165,12 +187,14 @@ - ifconfig $interface inet $new_ip_address $new_subnet_arg \ - $new_broadcast_arg $mtu_arg - # Add a network route to the computed network address. -+ if [ "${PEERGATEWAY}" != "no" ]; then - for router in $new_routers; do - if [ "x$new_subnet_mask" = "x255.255.255.255" ] ; then - route add -host $router dev $interface - fi - route add default gw $router $metric_arg dev $interface - done -+ fi - else - # we haven't changed the address, have we changed other options - # that we wish to update? 
-@@ -193,7 +217,25 @@ - ifconfig $interface:0 inet $alias_ip_address $alias_subnet_arg - route add -host $alias_ip_address $interface:0 - fi -- make_resolv_conf -+ if [ -n "$METRIC" ]; then -+ ifmetric $interface $METRIC -+ fi -+ if [ "${PEERDNS}" != "no" ]; then -+ make_resolv_conf -+ fi -+ if [ "${NEEDHOSTNAME}" = "yes" ]; then -+ if [ -z "$new_host_name" ]; then -+ eval `/bin/ipcalc --silent --hostname $new_ip_address` -+ new_host_name=$HOSTNAME -+ fi -+ if [ -n "$new_host_name" ]; then -+ current_hostname=`hostname` -+ -+ if [ "$new_host_name" != "$current_hostname" ]; then -+ set_hostname $new_host_name -+ fi -+ fi -+ fi - exit_with_hooks 0 - fi - -@@ -227,13 +269,17 @@ - ifconfig $interface:0 inet $alias_ip_address $alias_subnet_arg - route add -host $alias_ip_address dev $interface:0 - fi -+ if [ "${PEERGATEWAY}" != "no" ]; then - for router in $new_routers; do - if [ "x$new_subnet_mask" = "x255.255.255.255" ] ; then - route add -host $router dev $interface - fi - route add default gw $router $metric_arg dev $interface - done -+ fi -+ if [ "${PEERDNS}" != "no" ]; then - make_resolv_conf -+ fi - exit_with_hooks 0 - fi - ifconfig $interface inet 0 down diff --git a/dhcp-4.2.2-missing-ipv6-not-fatal.patch b/dhcp-4.2.2-missing-ipv6-not-fatal.patch deleted file mode 100644 index 3e94311..0000000 --- a/dhcp-4.2.2-missing-ipv6-not-fatal.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -diff -Naur -x '*~' -x '*.rej' -x '*.orig' dhcp-4.2.2/common/discover.c dhcp-4.2.2-missing-ipv6-not-fatal/common/discover.c ---- dhcp-4.2.2/common/discover.c 2011-07-20 00:22:48.000000000 +0200 -+++ dhcp-4.2.2-missing-ipv6-not-fatal/common/discover.c 2011-09-12 13:33:04.300509236 +0200 -@@ -455,7 +455,7 @@ - } - - #ifdef DHCPv6 -- if (local_family == AF_INET6) { -+ if ((local_family == AF_INET6) && !access("/proc/net/if_inet6", R_OK)) { - ifaces->fp6 = fopen("/proc/net/if_inet6", "r"); - if (ifaces->fp6 == NULL) { - log_error("Error opening '/proc/net/if_inet6' to " -@@ -466,6 +466,8 @@ - ifaces->fp = NULL; - return 0; - } -+ } else { -+ ifaces->fp6 = NULL; - } - #endif - -@@ -733,7 +735,7 @@ - return 1; - } - #ifdef DHCPv6 -- if (!(*err)) { -+ if (!(*err) && ifaces->fp6) { - if (local_family == AF_INET6) - return next_iface6(info, err, ifaces); - } -@@ -752,7 +754,8 @@ - ifaces->sock = -1; - #ifdef DHCPv6 - if (local_family == AF_INET6) { -- fclose(ifaces->fp6); -+ if (ifaces->fp6) -+ fclose(ifaces->fp6); - ifaces->fp6 = NULL; - } - #endif diff --git a/dhcp-4.2.5-P1-man.patch b/dhcp-4.2.5-P1-man.patch deleted file mode 100644 index 84bb383..0000000 --- a/dhcp-4.2.5-P1-man.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -diff -Naur dhcp-4.2.5-P1/client/dhclient.conf.5 dhcp-4.2.5-P1.oden/client/dhclient.conf.5 ---- dhcp-4.2.5-P1/client/dhclient.conf.5 2013-03-05 19:26:51.000000000 +0100 -+++ dhcp-4.2.5-P1.oden/client/dhclient.conf.5 2013-03-28 11:55:37.131387053 +0100 -@@ -202,7 +202,8 @@ - options. Only the option names should be specified in the request - statement - not option parameters. By default, the DHCPv4 client - requests the subnet-mask, broadcast-address, time-offset, routers, --domain-name, domain-name-servers and host-name options while the DHCPv6 -+domain-search, domain-name, domain-name-servers, host-name, nis-domain, -+nis-servers, ntp-servers and interface-mtu options while the DHCPv6 - client requests the dhcp6 name-servers and domain-search options. Note - that if you enter a \'request\' statement, you over-ride these defaults - and these options will not be requested. -@@ -713,7 +714,7 @@ - supersede domain-search "fugue.com", "rc.vix.com", "home.vix.com"; - prepend domain-name-servers 127.0.0.1; - request subnet-mask, broadcast-address, time-offset, routers, -- domain-name, domain-name-servers, host-name; -+ domain-search, domain-name, domain-name-servers, host-name; - require subnet-mask, domain-name-servers; - script "CLIENTBINDIR/dhclient-script"; - media "media 10baseT/UTP", "media 10base2/BNC"; From 3c7ee5f3d35dd5896a3ad73079788cfd36206fc9 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 14:02:00 +0300 Subject: [PATCH 11/30] Fix krb5 build dep --- dhcp.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dhcp.spec b/dhcp.spec index a7c8563..8d301db 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -45,7 +45,7 @@ BuildRequires: libtool BuildRequires: openldap-devel BuildRequires: systemd-units # --with-ldap-gssapi -BuildRequires: pkconfig(krb5-gssapi) +BuildRequires: krb5-devel BuildRequires: pkgconfig(libcap-ng) Requires(post,preun): rpm-helper 
From 7a76ea353215195d7bc46a49c4d1a3a29a8c4386 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 14:52:23 +0300 Subject: [PATCH 12/30] Fixes of systemd security capabilities. Remove isc-dhcp-client user. --- ROSA-NEWS | 1 - dhclient@.service | 13 ++++++++----- dhcp.spec | 8 ++++---- dhcpd.service | 2 +- 4 files changed, 13 insertions(+), 11 deletions(-) diff --git a/ROSA-NEWS b/ROSA-NEWS index 06882c8..eb924ee 100644 --- a/ROSA-NEWS +++ b/ROSA-NEWS @@ -11,7 +11,6 @@ https://www.freedesktop.org/wiki/Software/systemd/syslog/ says: * dhcpd user was added on package installation (dhcp-server), but dhcpd was actually ran from root, not dhcpd * use sysusers.d(5) (config isc-dhcpd.conf) instaed of manually created dhcpd user * migration: delete dhcpd user on package uninstallation -* the same for dhclient (isc-dhcp-client.conf) (will it work from not root?) * /etc/sysconfig/dhcp6 called in dhcpd6.service did not exist (dhcpd6.service was broken); let's use copy /etc/sysconfig/dhcpd to /etc/sysconfig/dhcpd6 diff --git a/dhclient@.service b/dhclient@.service index 76f4923..de70b16 100644 --- a/dhclient@.service +++ b/dhclient@.service @@ -6,12 +6,15 @@ Before=network.target [Service] ExecStart=/usr/sbin/dhclient -lf /var/lib/dhclient/dhclient.leases -pf /run/dhclient@%i/dhclient.pid -d %I RuntimeDirectory=dhclient@%i -User=isc-dhcp-client -ProtectSystem=yes -ProtectHome=yes -ReadWritePaths=/var/lib/dhclient/ +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem= +# /var is not read-only +ProtectSystem=true +ProtectHome=true RestartSec=2s Restart=on-failure +AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths= +CapabilityBoundingSet=~CAP_SYS_ADMIN [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target diff --git a/dhcp.spec b/dhcp.spec index 8d301db..45088a0 100644 --- a/dhcp.spec +++ b/dhcp.spec 
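Review bot: In the dhclient@.service hunk, dropping `User=isc-dhcp-client` puts dhclient back under root, and `CapabilityBoundingSet=~CAP_SYS_ADMIN` is a deny-list that removes one capability and leaves root with every other one. An allow-list would confine it properly, for example `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN` (dhclient-script changes addresses and routes, so CAP_NET_ADMIN is presumably needed; the exact set needs testing). `AmbientCapabilities=` adds nothing in practice to a process that already runs as root. The comment pointing at `#ReadWritePaths=` now sits above `CapabilityBoundingSet=` although `ReadWritePaths=` was removed, so it should be dropped or pointed at the right directive. The same `~CAP_SYS_ADMIN` form is added to dhcpd.service in PATCH 14 and dhcpd6.service in PATCH 17, where `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW` would match the ambient set those units already grant to `isc-dhcpd`.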
@@ -28,7 +28,7 @@ Source18: dhclient.tmpfiles Source19: dhcrelay.tmpfiles # sysusers.d(5) (systemd-sysusers) Source20: isc-dhcpd.conf -Source21: isc-dhcp-client.conf +#Source21: isc-dhcp-client.conf # Per-interface dhclient service from Arch Linux (modified) Source22: dhclient@.service Source100: ROSA-NEWS @@ -209,7 +209,7 @@ install -D -p -m 644 %{SOURCE19} %{buildroot}%{_tmpfilesdir}/dhcrelay.conf install -d %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE20} %{buildroot}%{_sysusersdir}/ -install -m 644 %{SOURCE21} %{buildroot}%{_sysusersdir}/ +#install -m 644 %{SOURCE21} %{buildroot}%{_sysusersdir}/ install -m 755 %{SOURCE7} %{SOURCE8} %{buildroot}%{_sbindir} install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir} @@ -313,10 +313,10 @@ EOF %post client # migrate from root:root as it was before ROSA package v4.4.1 # create this directory if it does not esist and then chmod it to allow dhcpd to work properly -%sysusers_create isc-dhcp-client.conf +#%sysusers_create isc-dhcp-client.conf [ ! -d %{var_dhclient}/ ] && mkdir -p %{var_dhclient}/ touch %{var_dhclient}/dhclient.leases || true -[ -d %{var_dhclient} ] && chown -R isc-dhcp-client:isc-dhcp-client %{var_dhclient}/ +#[ -d %{var_dhclient} ] && chown -R isc-dhcp-client:isc-dhcp-client %{var_dhclient}/ %tmpfiles_create dhclient.conf %postun client diff --git a/dhcpd.service b/dhcpd.service index 4bacf76..1ed184e 100644 --- a/dhcpd.service +++ b/dhcpd.service @@ -14,7 +14,7 @@ PIDFile=/run/dhcpd/dhcpd.pid User=isc-dhcpd AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW ProtectSystem=full -ProtectHome=on +ProtectHome=true KillSignal=SIGINT # We pull in network-online.target for a configured network connection. # However this is not guaranteed to be the network connection our From 0234b5510d6e93e30de936f3ce241b3043fcb752 Mon Sep 17 00:00:00 2001 
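Review bot: In the `%post client` hunk, `#%sysusers_create isc-dhcp-client.conf` is not inert, because rpm expands macros on comment lines too. If `%sysusers_create` expands to more than one line, everything after the first line ends up as live shell in the scriptlet. Either delete the line or escape the macro as `#%%sysusers_create isc-dhcp-client.conf`. The comment above it still says the directory is created and chmod-ed so the daemon can work, but the `chown` is now commented out as well, so that sentence should be updated to say the client keeps root ownership.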
From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 14:55:28 +0300 Subject: [PATCH 13/30] Drop mv from /usr/sbin to /sbin --- dhcp.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/dhcp.spec b/dhcp.spec index 45088a0..bc10bc3 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -192,10 +192,7 @@ make install -m0644 %{SOURCE10} doc install -m0644 %{SOURCE100} ROSA-NEWS -# Install correct dhclient-script -install -d %{buildroot}/sbin -mv %{buildroot}%{_sbindir}/dhclient %{buildroot}/sbin/dhclient -install -m 755 client/scripts/linux %{buildroot}/sbin/dhclient-script +install -m 755 client/scripts/linux %{buildroot}%{_sbindir}/dhclient-script install -d %{buildroot}%{_unitdir} install -m 644 %{SOURCE12} %{buildroot}%{_unitdir}/dhcpd.service From 43716ab4e0d40bb004925e22a69ae0862781307b Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 14:55:47 +0300 Subject: [PATCH 14/30] add CapabilityBoundingSet=~CAP_SYS_ADMIN --- dhcpd.service | 1 + 1 file changed, 1 insertion(+) diff --git a/dhcpd.service b/dhcpd.service index 1ed184e..e832b02 100644 --- a/dhcpd.service +++ b/dhcpd.service @@ -13,6 +13,7 @@ ExecStart=/usr/sbin/dhcpd -pf /run/dhcpd/dhcpd.pid -cf $CONFIGFILE -lf $LEASEFIL PIDFile=/run/dhcpd/dhcpd.pid User=isc-dhcpd AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN ProtectSystem=full ProtectHome=true KillSignal=SIGINT From 778772ceef0f9669d88afcba6b349819ffb5c5b6 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 14:57:25 +0300 Subject: [PATCH 15/30] Change /sbin to /usr/sbin in %files --- dhcp.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dhcp.spec b/dhcp.spec index bc10bc3..20dc5fe 100644 --- a/dhcp.spec +++ b/dhcp.spec 
@@ -365,10 +365,10 @@ rm -rf %{var_dhclient}/dhclient.leases %files client %doc client/dhclient.conf.example -%attr (0755,root,root) /sbin/dhclient-script +%attr (0755,root,root) %{_sbindir}/dhclient-script %{_tmpfilesdir}/dhclient.conf %{_unitdir}/dhclient@.service -/sbin/dhclient +%{_sbindir}/dhclient %{_mandir}/man5/dhclient.conf.5* %{_mandir}/man5/dhclient.leases.5* %{_mandir}/man8/dhclient.8* From b95ebd141ef9576ddd1e3631d6f96465686cf4e9 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 15:03:04 +0300 Subject: [PATCH 16/30] Drop /etc/sysconfig/dhcpd6 --- dhcp.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/dhcp.spec b/dhcp.spec index 20dc5fe..bf7f692 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -6,7 +6,7 @@ Name: dhcp Epoch: 3 Version: %{major_version}%{patch_version} -Release: 1 +Release: 2 Summary: The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client License: Distributable Group: System/Servers @@ -234,8 +234,6 @@ cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcpd < %{buildroot}%{_sysconfdir}/sysconfig/dhcpd6 - install -d %{buildroot}%{var_dhcpd} touch %{buildroot}%{var_dhcpd}/dhcpd.leases install -d %{buildroot}%{var_dhclient} @@ -340,7 +338,6 @@ rm -rf %{var_dhclient}/dhclient.leases %config(noreplace) %{_sysconfdir}/dhcpd.conf %config(noreplace) %{_sysconfdir}/dhclient-exit-hooks %config(noreplace) %{_sysconfdir}/sysconfig/dhcpd -%config(noreplace) %{_sysconfdir}/sysconfig/dhcpd6 %{_sbindir}/dhcpd %{_sbindir}/dhcpreport.pl %{_sbindir}/dhcpd-conf-to-ldap From 2d1aa8d0d03046ea129237333fe31ca907346de0 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 15:05:48 +0300 Subject: [PATCH 17/30] Fixes to dhcpd services --- dhclient@.service | 3 +++ dhcpd.service | 6 +++++- dhcpd6.service | 14 +++++++++----- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/dhclient@.service b/dhclient@.service index de70b16..27a4042 100644 --- a/dhclient@.service 
+++ b/dhclient@.service @@ -18,3 +18,6 @@ CapabilityBoundingSet=~CAP_SYS_ADMIN [Install] WantedBy=multi-user.target + +# This unit file in based on +# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp diff --git a/dhcpd.service b/dhcpd.service index e832b02..278ea7e 100644 --- a/dhcpd.service +++ b/dhcpd.service @@ -14,7 +14,8 @@ PIDFile=/run/dhcpd/dhcpd.pid User=isc-dhcpd AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CapabilityBoundingSet=~CAP_SYS_ADMIN -ProtectSystem=full +# not ProtectSystem=full because we need a writable leases file in /var +ProtectSystem=true ProtectHome=true KillSignal=SIGINT # We pull in network-online.target for a configured network connection. @@ -27,3 +28,6 @@ StartLimitInterval=12s [Install] WantedBy=multi-user.target + +# This unit file in based on ROSA's unit file and Arch's +# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp diff --git a/dhcpd6.service b/dhcpd6.service index af7de4e..f4c3bea 100644 --- a/dhcpd6.service +++ b/dhcpd6.service @@ -1,10 +1,9 @@ [Unit] -Description=DHCPv6 Server Daemon +Description=DHCPv4 Server Daemon Documentation=man:dhcpd(8) man:dhcpd.conf(5) Wants=network-online.target # ldap.service: probably LDAP server starts first and dhcpd must start providing DHCP server only after LDAP has started to use LDAP for IP addresses (?) -# network-online.target seems unreasonable because network is probsbly not online on the DHCP server in a local network -After=network.target time-sync.target ldap.service +After=network-online.target time-sync.target ldap.service [Service] Environment=CONFIGFILE=/etc/dhcpd6.conf LEASEFILE=/var/lib/dhcpd/dhcpd6.leases 
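Review bot: The comment added in the dhcpd.service hunk gives a reason that does not apply to `ProtectSystem=full`. Per systemd.exec(5), `full` makes /usr, the boot loader directories and /etc read-only; only `strict` covers /var, so the leases file stays writable under `full`. Downgrading to `ProtectSystem=true` therefore only makes /etc writable for the service again. I would keep `ProtectSystem=full`, or tighten to `ProtectSystem=strict` together with `ReadWritePaths=/var/lib/dhcpd`. The dhcpd6.service hunk later in this patch makes the same change with the same comment.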
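Review bot: The first dhcpd6.service hunk changes the description to `Description=DHCPv4 Server Daemon`, but this unit starts `dhcpd -6` with `/etc/dhcpd6.conf`, so the text looks like a copy-paste from dhcpd.service. It should stay `Description=DHCPv6 Server Daemon`; otherwise `systemctl status` and journal entries for the two daemons cannot be told apart. The hunk also deletes the comment that explained why `network.target` was preferred over `network-online.target`, so a one-line comment giving the reason for the new ordering would help the next maintainer.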
@@ -14,8 +13,10 @@ ExecStart=/usr/sbin/dhcpd -6 -pf /run/dhcpd/dhcpd6.pid -cf $CONFIGFILE -lf $LEAS PIDFile=/run/dhcpd/dhcpd6.pid User=isc-dhcpd AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW -ProtectSystem=full -ProtectHome=on +CapabilityBoundingSet=~CAP_SYS_ADMIN +# not ProtectSystem=full because we need a writable leases file in /var +ProtectSystem=true +ProtectHome=true KillSignal=SIGINT # We pull in network-online.target for a configured network connection. # However this is not guaranteed to be the network connection our @@ -27,3 +28,6 @@ StartLimitInterval=12s [Install] WantedBy=multi-user.target + +# This unit file in based on ROSA's unit file and Arch's +# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp From 63f934bca8f65f6fe15141e4564d4264a89690c7 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 15:22:29 +0300 Subject: [PATCH 18/30] upd ROSA-NEWS --- ROSA-NEWS | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/ROSA-NEWS b/ROSA-NEWS index eb924ee..fab35a4 100644 --- a/ROSA-NEWS +++ b/ROSA-NEWS 
@@ -1,22 +1,31 @@ dhcp v4.4.1 -05.10.2018 +08.10.2018 by mikhailnov +* Dropped old patches +* Now upstream uses built-in bind libraries, we also use them for now (they are linked statically) +* Now it's built with KerberOS support + * Removed 'After=syslog.target' from systemd service dhcpd.service https://www.freedesktop.org/wiki/Software/systemd/syslog/ says: "we do no longer recommend people to order their units after syslog.target" - * Merged old ROSA's dhcpd(6).service and Arch's dhcpd{4|6}.service +* dhclient@.service from Arch Linux, modified a bit to improve secutrity (e.g. usage: systemctl enable dhclient@enp1s0) +* Improved security of dhcpd.service and dhcpd6.service by setting and dropping some capabilities(7) * dhcpd user was added on package installation (dhcp-server), but dhcpd was actually ran from root, not dhcpd * use sysusers.d(5) (config isc-dhcpd.conf) instaed of manually created dhcpd user * migration: delete dhcpd user on package uninstallation * /etc/sysconfig/dhcp6 called in dhcpd6.service did not exist (dhcpd6.service was broken); -let's use copy /etc/sysconfig/dhcpd to /etc/sysconfig/dhcpd6 - -* TODO: Fedora's patch dhcp-paths.patch +let's use /etc/sysconfig/dhcpd for both IPv4 and IPv6 * /var/lib/dhcpd and /var/lib/dhclient are now defined as variables in the RPM spec +Note: they are hardcoded in systemd units -* dhclient@.service from Arch Linux, added: 'User=isc-dhcp-client', - to run dhclient from not root (requires testing) +* TODO(?): Fedora's patch dhcp-paths.patch +* TODO: should we ship a separate config of systemd tmpfiles for '/run/dhcpd'? +Probable no, it's created automatically (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing) +$ stat /run/dhcpd | grep Доступ +Доступ: (0755/drwxr-xr-x) Uid: ( 997/isc-dhcpd) Gid: ( 997/isc-dhcpd) +Доступ: 2018-10-08 15:15:23.618806764 +0300 From 69090bde56c8655e093422ab70b51f757807f82a Mon Sep 17 00:00:00 2001 
From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 15:33:06 +0300 Subject: [PATCH 19/30] upd ROSA-NEWS --- ROSA-NEWS | 1 + 1 file changed, 1 insertion(+) diff --git a/ROSA-NEWS b/ROSA-NEWS index fab35a4..ab9c85f 100644 --- a/ROSA-NEWS +++ b/ROSA-NEWS @@ -2,6 +2,7 @@ dhcp v4.4.1 08.10.2018 by mikhailnov +* dhclient and dhclient moved from /sbin to /usr/sin * Dropped old patches * Now upstream uses built-in bind libraries, we also use them for now (they are linked statically) * Now it's built with KerberOS support From 9a5baa4982f283203209cc5c7c1976b48b0c85b5 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 15:59:17 +0300 Subject: [PATCH 20/30] minor cleanup --- dhcp.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/dhcp.spec b/dhcp.spec index bf7f692..cfbb399 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -283,9 +283,6 @@ include %{_sysconfdir}/openldap/schema/dhcp.schema EOF -#\%pre server -#\%_pre_useradd dhcpd /dev/null /bin/false - %post server %_post_service dhcpd %tmpfiles_create dhcpd.conf From 576171118977ea16da5c53e5b91acd1a380e74d1 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 20:52:42 +0300 Subject: [PATCH 21/30] Remove *.leases files from packages: they can be created automatically if the directory exists. Directories are created by %post scripts. Don't remove *.leases no packages uninstallation. --- ROSA-NEWS | 3 +++ dhcp.spec | 13 +------------ 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/ROSA-NEWS b/ROSA-NEWS index ab9c85f..8c7f2a9 100644 --- a/ROSA-NEWS +++ b/ROSA-NEWS 
@@ -24,6 +24,9 @@ let's use /etc/sysconfig/dhcpd for both IPv4 and IPv6 * /var/lib/dhcpd and /var/lib/dhclient are now defined as variables in the RPM spec Note: they are hardcoded in systemd units +* .leases files are not packaged any more, because modern dhcpd and dhclient can create them automatically, +but the directoiry, e.g. /var/lib/dhclient, has to exist and be writable. + * TODO(?): Fedora's patch dhcp-paths.patch * TODO: should we ship a separate config of systemd tmpfiles for '/run/dhcpd'? Probable no, it's created automatically (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing) diff --git a/dhcp.spec b/dhcp.spec index cfbb399..189bab6 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -234,11 +234,6 @@ cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcpd < %{buildroot}%{_sysconfdir}/sysconfig/dhcrelay < Date: Mon, 8 Oct 2018 21:15:31 +0300 Subject: [PATCH 22/30] upd ROSA-NEWS --- ROSA-NEWS | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/ROSA-NEWS b/ROSA-NEWS index 8c7f2a9..ecfa76f 100644 --- a/ROSA-NEWS +++ b/ROSA-NEWS @@ -26,10 +26,6 @@ Note: they are hardcoded in systemd units * .leases files are not packaged any more, because modern dhcpd and dhclient can create them automatically, but the directoiry, e.g. /var/lib/dhclient, has to exist and be writable. +* Don't remove *.leases on package uninstallation * TODO(?): Fedora's patch dhcp-paths.patch -* TODO: should we ship a separate config of systemd tmpfiles for '/run/dhcpd'? -Probable no, it's created automatically (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing) -$ stat /run/dhcpd | grep Доступ -Доступ: (0755/drwxr-xr-x) Uid: ( 997/isc-dhcpd) Gid: ( 997/isc-dhcpd) -Доступ: 2018-10-08 15:15:23.618806764 +0300 From c409ed2fb9a1f315a3418444176654dac28ce964 Mon Sep 17 00:00:00 2001 
From: Mikhail Novosyolov Date: Mon, 8 Oct 2018 21:34:54 +0300 Subject: [PATCH 23/30] Remove empty %dir where leases were located --- dhcp.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/dhcp.spec b/dhcp.spec index 189bab6..af3ace4 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -338,7 +338,6 @@ EOF %{_mandir}/man5/dhcpd.leases.5* %{_mandir}/man5/dhcp-eval.5* %{_mandir}/man8/dhcpd.8* -%dir %{var_dhcpd} %config %{_sysusersdir}/isc-dhcpd.conf %files relay @@ -358,7 +357,6 @@ EOF %{_mandir}/man5/dhclient.leases.5* %{_mandir}/man8/dhclient.8* %{_mandir}/man8/dhclient-script.8* -%dir %{var_dhclient} %files devel %{_includedir}/* From b2e0aea917bb138e796fd7efa6374170f2a9265d Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Wed, 10 Oct 2018 00:08:09 +0300 Subject: [PATCH 24/30] patch path to dhclient-script. Remove empty %postun --- dhcp-patchs.patch | 11 +++++++++++ dhcp.spec | 7 +++---- 2 files changed, 14 insertions(+), 4 deletions(-) create mode 100644 dhcp-patchs.patch diff --git a/dhcp-patchs.patch b/dhcp-patchs.patch new file mode 100644 index 0000000..db2905f --- /dev/null +++ b/dhcp-patchs.patch @@ -0,0 +1,11 @@ +--- includes/dhcpd.h.orig 2018-10-09 23:57:26.022826271 +0300 ++++ includes/dhcpd.h 2018-10-09 23:57:49.108813082 +0300 +@@ -1568,7 +1568,7 @@ + #endif + + #ifndef _PATH_DHCLIENT_SCRIPT +-#define _PATH_DHCLIENT_SCRIPT "/sbin/dhclient-script" ++#define _PATH_DHCLIENT_SCRIPT "/usr/sbin/dhclient-script" + #endif + + #ifndef _PATH_DHCLIENT_PID diff --git a/dhcp.spec b/dhcp.spec index af3ace4..35ba3d2 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -6,7 +6,7 @@ Name: dhcp Epoch: 3 Version: %{major_version}%{patch_version} -Release: 2 +Release: 3 Summary: The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client License: Distributable Group: System/Servers 
@@ -36,6 +36,7 @@ Source100: ROSA-NEWS Patch17: dhcp-4.2.0-add_timeout_when_NULL.patch Patch18: dhcp-4.3.0-64_bit_lease_parse.patch Patch19: Arch-0002-iproute2.patch +Patch20: dhcp-patchs.patch # Starting from dhcp 4.x built in Bind libs are used #BuildRequires: bind-devel @@ -166,6 +167,7 @@ pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd %patch18 -p1 -b .64-bit_lease_parse # change ipconfig to modern ip (from Arch) %patch19 -p1 +%patch20 -p0 %build %serverbuild_hardened @@ -303,9 +305,6 @@ EOF [ ! -d %{var_dhclient}/ ] && mkdir -p %{var_dhclient}/ %tmpfiles_create dhclient.conf -%postun client -: - %postun server # Migrate from dhcpd user created by scripts # to a dynamic user by systemd-sysusers From 2123cf871541156fd44f8346d81415b179fa54d4 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Wed, 10 Oct 2018 00:09:37 +0300 Subject: [PATCH 25/30] Require bash for scripts --- dhcp.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/dhcp.spec b/dhcp.spec index 35ba3d2..7c9e867 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -49,6 +49,7 @@ BuildRequires: systemd-units BuildRequires: krb5-devel BuildRequires: pkgconfig(libcap-ng) Requires(post,preun): rpm-helper +Requires: bash %description DHCP (Dynamic Host Configuration Protocol) is a protocol which allows From 6fb0cd0559d03abd3ffe4564ead728028c318b58 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Wed, 10 Oct 2018 01:07:23 +0300 Subject: [PATCH 26/30] Fix patch: use sed to change hardcoded paths --- dhcp-patchs.patch | 11 ----------- dhcp.spec | 4 ++-- 2 files changed, 2 insertions(+), 13 deletions(-) delete mode 100644 dhcp-patchs.patch diff --git a/dhcp-patchs.patch b/dhcp-patchs.patch deleted file mode 100644 index db2905f..0000000 --- a/dhcp-patchs.patch +++ /dev/null 
@@ -1,11 +0,0 @@ ---- includes/dhcpd.h.orig 2018-10-09 23:57:26.022826271 +0300 -+++ includes/dhcpd.h 2018-10-09 23:57:49.108813082 +0300 -@@ -1568,7 +1568,7 @@ - #endif - - #ifndef _PATH_DHCLIENT_SCRIPT --#define _PATH_DHCLIENT_SCRIPT "/sbin/dhclient-script" -+#define _PATH_DHCLIENT_SCRIPT "/usr/sbin/dhclient-script" - #endif - - #ifndef _PATH_DHCLIENT_PID diff --git a/dhcp.spec b/dhcp.spec index 7c9e867..b5aee72 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -36,7 +36,6 @@ Source100: ROSA-NEWS Patch17: dhcp-4.2.0-add_timeout_when_NULL.patch Patch18: dhcp-4.3.0-64_bit_lease_parse.patch Patch19: Arch-0002-iproute2.patch -Patch20: dhcp-patchs.patch # Starting from dhcp 4.x built in Bind libs are used #BuildRequires: bind-devel @@ -168,7 +167,8 @@ pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd %patch18 -p1 -b .64-bit_lease_parse # change ipconfig to modern ip (from Arch) %patch19 -p1 -%patch20 -p0 +# change hardcoded path /sbin/dhclient-script to /usr/sbin/dhclient-script +sed -i 'includes/dhcpd.h' -e 's,/sbin/dhclient-script,/usr/sbin/dhclient-script,g' || true %build %serverbuild_hardened From 9b22fdad45627f492337e9f25e77898f13ad1d2c Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Wed, 10 Oct 2018 01:27:24 +0300 Subject: [PATCH 27/30] Improved sed command --- dhcp.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dhcp.spec b/dhcp.spec index b5aee72..1848907 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -167,8 +167,8 @@ pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd %patch18 -p1 -b .64-bit_lease_parse # change ipconfig to modern ip (from Arch) %patch19 -p1 -# change hardcoded path /sbin/dhclient-script to /usr/sbin/dhclient-script -sed -i 'includes/dhcpd.h' -e 's,/sbin/dhclient-script,/usr/sbin/dhclient-script,g' || true +# change hardcoded paths from /sbin/dhc* to /usr/sbin/dhc*, if there are any +sed -i 'includes/dhcpd.h' -e 's,\"/sbin/dhc,\"/usr/sbin/dhc,g' || true %build %serverbuild_hardened 
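Review bot: The `|| true` on the added `sed` line in `%prep` hides any failure to rewrite `includes/dhcpd.h`, and sed exits 0 anyway when the pattern matches nothing. The build can therefore succeed with `_PATH_DHCLIENT_SCRIPT` still naming a path the package does not ship. Since dhclient executes that script with its own privileges, the compiled-in path should be checked rather than assumed: drop `|| true` and follow the sed with `grep -q '"/usr/sbin/dhclient-script"' includes/dhcpd.h`. PATCH 27 rewrites the expression but keeps `|| true`, so the same applies to that hunk.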
From 316b003afd6aabfd783f452c6db3f104e2a7edca Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Fri, 12 Oct 2018 08:17:16 +0300 Subject: [PATCH 28/30] Revert moving dhclient&dhclient-script from /sbin to /usr/sbin. They can be used while booting a minimal system without /usr. They do not depend from anything in /usr, except locales. --- dhclient@.service | 2 +- dhcp.spec | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/dhclient@.service b/dhclient@.service index 27a4042..98544cd 100644 --- a/dhclient@.service +++ b/dhclient@.service @@ -4,7 +4,7 @@ Wants=network.target Before=network.target [Service] -ExecStart=/usr/sbin/dhclient -lf /var/lib/dhclient/dhclient.leases -pf /run/dhclient@%i/dhclient.pid -d %I +ExecStart=/sbin/dhclient -lf /var/lib/dhclient/dhclient.leases -pf /run/dhclient@%i/dhclient.pid -d %I RuntimeDirectory=dhclient@%i # https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem= # /var is not read-only diff --git a/dhcp.spec b/dhcp.spec index 1848907..877bc18 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -6,7 +6,7 @@ Name: dhcp Epoch: 3 Version: %{major_version}%{patch_version} -Release: 3 +Release: 4 Summary: The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client License: Distributable Group: System/Servers @@ -195,7 +195,8 @@ make install -m0644 %{SOURCE10} doc install -m0644 %{SOURCE100} ROSA-NEWS -install -m 755 client/scripts/linux %{buildroot}%{_sbindir}/dhclient-script +mv %{buildroot}%{_sbindir}/dhclient %{buildroot}/sbin/dhclient +install -m 755 client/scripts/linux %{buildroot}/sbin/dhclient-script install -d %{buildroot}%{_unitdir} install -m 644 %{SOURCE12} %{buildroot}%{_unitdir}/dhcpd.service 
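Review bot: This revert installs `dhclient` and `dhclient-script` under `/sbin` again, but it does not remove the `%prep` line from PATCH 27, `sed -i 'includes/dhcpd.h' -e 's,\"/sbin/dhc,\"/usr/sbin/dhc,g' || true`, which is outside this hunk. Unless the build defines `_PATH_DHCLIENT_SCRIPT` elsewhere, the client is presumably still compiled to run `/usr/sbin/dhclient-script` while the script is packaged at `/sbin/dhclient-script`. The sed line should be deleted in the same commit so the compiled-in path and the `%files client` entries agree.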
@@ -349,10 +350,10 @@ EOF %files client %doc client/dhclient.conf.example -%attr (0755,root,root) %{_sbindir}/dhclient-script +%attr (0755,root,root) /sbin/dhclient-script %{_tmpfilesdir}/dhclient.conf %{_unitdir}/dhclient@.service -%{_sbindir}/dhclient +/sbin/dhclient %{_mandir}/man5/dhclient.conf.5* %{_mandir}/man5/dhclient.leases.5* %{_mandir}/man8/dhclient.8* From 15c9b87f53b9b4e078f3986650a239e2703d9678 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Fri, 12 Oct 2018 08:30:49 +0300 Subject: [PATCH 29/30] Create /sbin in buildroot --- dhcp.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/dhcp.spec b/dhcp.spec index 877bc18..e8c4425 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -195,6 +195,7 @@ make install -m0644 %{SOURCE10} doc install -m0644 %{SOURCE100} ROSA-NEWS +install -d %{buildroot}/sbin mv %{buildroot}%{_sbindir}/dhclient %{buildroot}/sbin/dhclient install -m 755 client/scripts/linux %{buildroot}/sbin/dhclient-script From 80ba2f6592025ee67cc267907d9da3ee4dd471ec Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Fri, 12 Oct 2018 09:42:53 +0300 Subject: [PATCH 30/30] upd ROSA-NEWS --- ROSA-NEWS | 1 - 1 file changed, 1 deletion(-) diff --git a/ROSA-NEWS b/ROSA-NEWS index ecfa76f..c0eb2c0 100644 --- a/ROSA-NEWS +++ b/ROSA-NEWS @@ -2,7 +2,6 @@ dhcp v4.4.1 08.10.2018 by mikhailnov -* dhclient and dhclient moved from /sbin to /usr/sin * Dropped old patches * Now upstream uses built-in bind libraries, we also use them for now (they are linked statically) * Now it's built with KerberOS support