[arch-general] Leafnode and Systemd
Leafnode-2 <http://www.dt.e-technik.uni-dortmund.de/~ma/leafnode/beta/> is a local caching proxy nntp server. It isn't among Arch's packages, but I have been using it for some years on another distro (Mandrake/Mandriva).

Systemd launches xinetd on start-up:

$ cat /usr/lib/systemd/system/xinetd.service
[Unit]
Description=A secure replacement for inetd
After=network.target

[Service]
ExecStart=/usr/sbin/xinetd -dontfork
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
$

And xinetd has this file for Leafnode:

$ cat /etc/xinetd.d/nntp
service Leafnode
{
        flags           = NAMEINARGS NOLIBWRAP
        per_source      = 3
        port            = 119
        socket_type     = stream
        protocol        = tcp
        user            = news
        server          = /usr/sbin/tcpd
        server_args     = /usr/local/sbin/leafnode
        type            = UNLISTED
        wait            = no
        instances       = 7
        only_from       = 127.0.0.1
}

(actually generated using webmin, but in accord with the instructions in the README and INSTALL files in the Leafnode tarball).

But this doesn't allow any user to access Leafnode; I suspect this is because /usr/sbin/tcpd doesn't exist (being a part of tcp-wrappers which Arch no longer has). (I can run the Leafnode components fetchnews and texpire as root; but attempts to connect to the local server result in "connection refused"). There are no daemons launched from /etc/rc.conf.

I have installed ufw as a substitute for tcp-wrappers and created this file:

$ cat /etc/ufw/applications.d/ufw-newsserver
[Leafnode]
title=Leafnode
description=NNTP caching proxy server
ports=119/tcp
$

and have these rules in force, at least one of which should allow local access to leafnode, I think:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       127.0.0.1
newsserver                 ALLOW       127.0.0.1
127.0.0.1 119/tcp          ALLOW       127.0.0.1
Leafnode                   ALLOW       127.0.0.1

Rather than install tcp-wrappers on my Arch system, I'd like to use whatever the proper "server" is nowadays instead of /usr/sbin/tcpd - but what is it?

Or is there something other than xinetd that works as a 'super server' with systemd?

I've only been using Arch for a few months, and it's a bit of a challenge getting used to the Arch Way - particularly while it's changing over to systemd etc - so please be patient with me if I've missed something simple or made a newbie mistake!

-- -- ^^^^^^^^^^ -- Whiskers -- ~~~~~~~~~~
On 17.10.2012 21:29, Whiskers wrote:
Rather than install tcp-wrappers on my Arch system, I'd like to use whatever the proper "server" is nowadays instead of /usr/sbin/tcpd - but what is it?
Why would you replace tcpd with anything? Does it serve any purpose at all?
On Thu, 18 Oct 2012 00:03:57 +0200 Thomas Bächler <thomas@archlinux.org> wrote:
On 17.10.2012 21:29, Whiskers wrote:
Rather than install tcp-wrappers on my Arch system, I'd like to use whatever the proper "server" is nowadays instead of /usr/sbin/tcpd - but what is it?
Why would you replace tcpd with anything? Does it serve any purpose at all?
Thanks for responding.

On a system with tcp-wrappers, tcpd is the "server" which launches leafnode. From man leafnode:

[...]
The leafnode program itself is the NNTP server. It is run from /etc/inetd.conf when someone wants to read news. The other parts of the package, fetchnews and texpire, are responsible for fetching new news from another server, and for deleting old news.
[...]
No network-level access control is supported. This is a deliberate omission: Implementing this is a job which should not be redone for each and every service.
I recommend that either firewalling or tcpd be used for access control.
[...]

Xinetd is the 'new improved' inetd, and the xinetd setup recommended in the Leafnode tarball's README has tcpd as the "server" and leafnode as the "server argument", as in the /etc/xinetd.d/nntp file previously quoted. This of course doesn't work on my Arch system, as tcp-wrappers (and thus, tcpd) is missing.

So I'm trying to work out how to get leafnode available on demand, without using tcp-wrappers and tcpd, but with ufw, and with the new systemd (I've uninstalled initscripts from my system).

Changing the xinetd configuration for leafnode so that tcpd isn't required, like this:

$ cat /etc/xinetd.d/nntp
service Leafnode
{
        flags           = NOLIBWRAP
        per_source      = 3
        port            = 119
        socket_type     = stream
        protocol        = tcp
        user            = news
        server          = /usr/local/sbin/leafnode
        type            = UNLISTED
        wait            = no
        instances       = 7
        only_from       = 127.0.0.1
}

still doesn't make leafnode accessible to my usenet client (slrn). Which is strange, as I can run leafnode manually from the command line:

$ leafnode
200 Leafnode NNTP daemon, version 2.0.0.alpha20110806a at tavy.mobile.private
quit
205 Always happy to serve!

... and even then, slrn reports

Failed to initialize server
Run-Time Error
Reason: slrn fatal error: Failed to initialize server.

I have even created /etc/hosts.deny and /etc/hosts.allow, in case xinetd expects to find them (although I can't find mention of that in the documentation I've seen).

Still no luck. I'm beginning to wonder if xinetd itself isn't redundant; can systemd alone manage access control and work as a 'super server'? I'm still trying to get to grips with all that systemd can do - and how to make it do it. Presumably, I'll have to invent a custom systemd 'service' for systemd if that is the way to go.

-- -- ^^^^^^^^^^ -- Whiskers -- ~~~~~~~~~~
On Thu, Oct 18, 2012 at 08:26:16PM +0100, Whiskers wrote:
On Thu, 18 Oct 2012 00:03:57 +0200 Thomas Bächler <thomas@archlinux.org> wrote:
On 17.10.2012 21:29, Whiskers wrote:
Rather than install tcp-wrappers on my Arch system, I'd like to use whatever the proper "server" is nowadays instead of /usr/sbin/tcpd - but what is it?
Why would you replace tcpd with anything? Does it serve any purpose at all?
Thanks for responding.
On a system with tcp-wrappers, tcpd is the "server" which launches leafnode. From man leafnode:
[...]
The leafnode program itself is the NNTP server. It is run from /etc/inetd.conf when someone wants to read news. The other parts of the package, fetchnews and texpire, are responsible for fetching new news from another server, and for deleting old news.
[...]
No network-level access control is supported. This is a deliberate omission: Implementing this is a job which should not be redone for each and every service.
I recommend that either firewalling or tcpd be used for access control.
[...]
Xinetd is the 'new improved' inetd, and the xinetd setup recommended in the Leafnode tarball's README has tcpd as the "server" and leafnode as the "server argument", as in the /etc/xinetd.d/nntp file previously quoted. This of course doesn't work on my Arch system, as tcp-wrappers (and thus, tcpd) is missing.
It's quite simple. Get rid of tcpd as the "server". It's just a wrapper that launches an arbitrary process which doesn't link to libwrap.so so that tcp-wrappers can be used for ACLs. It isn't a requirement -- it's a recommendation.
So I'm trying to work out how to get leafnode available on demand, without using tcp-wrappers and tcpd, but with ufw, and with the new systemd (I've uninstalled initscripts from my system).
Use inetd-style activation via systemd. See sshd@.service and sshd.socket as an example. xinetd is redundant. d
On Thu, 18 Oct 2012 15:55:30 -0400 Dave Reisner <d@falconindy.com> wrote: [...]
Use inetd-style activation via systemd. See sshd@.service and sshd.socket as an example. xinetd is redundant.
Thanks for the pointers; something for another evening! -- -- ^^^^^^^^^^ -- Whiskers -- ~~~~~~~~~~
Thanks for the pointers; something for another evening
This bug has attached systemd service files for leafnode. https://bugs.archlinux.org/task/24530
On Fri, 19 Oct 2012 07:23:51 +0200 Damjan Georgievski <gdamjan@gmail.com> wrote:
Thanks for the pointers; something for another evening
This bug has attached systemd service files for leafnode. https://bugs.archlinux.org/task/24530
Interesting :)) I'll play around some more and report back.

Two points occur to me:

1) If the system's /etc/hosts file contains both IPv6 and IPv4 entries for localhost, I think naming the localhost (instead of putting the traditional 127.0.0.1) should make systemd look up the corresponding IP address and use whichever comes first in /etc/hosts. I'm pretty sure that works with xinetd, anyway.

2) Once functional socket and service files have been worked out, they should be passed upstream to the maintainer of Leafnode, for inclusion in his documentation. This would be more widely helpful than modifying the Arch packages - Leafnode users are accustomed to setting up their own access controls, with help from the documentation.

-- -- ^^^^^^^^^^ -- Whiskers -- ~~~~~~~~~~
Thank you to all those who responded :))

I now have Leafnode-2 up and running smoothly with systemd.

I have created these files:

$ cat /etc/systemd/system/leafnode.socket
[Unit]
Description=Leafnode NNTP Socket

[Socket]
ListenStream=119
Accept=yes

[Install]
WantedBy=sockets.target

and

$ cat /etc/systemd/system/leafnode@.service
[Unit]
Description=Leafnode NNTP service
After=syslog.target

[Service]
ExecStart=/usr/local/sbin/leafnode
StandardInput=socket
User=news

Access control depends entirely on ufw (iptables), rather than specifying a hostname or IPv6 or IPv4 number in leafnode.socket, although that would probably work instead. The ListenStream line could probably be omitted entirely, unless some port other than 119 is required.

Run

# systemctl start leafnode.socket

and

# systemctl enable leafnode.socket

to start systemd listening for calls for Leafnode immediately and after the next system boot.

-- -- ^^^^^^^^^^ -- Whiskers -- ~~~~~~~~~~
On Mon, Oct 22, 2012 at 11:19:37PM +0100, Whiskers wrote:
Thank you to all those who responded :))
I now have Leafnode-2 up and running smoothly with systemd.
I have created these files:
$ cat /etc/systemd/system/leafnode.socket
[Unit]
Description=Leafnode NNTP Socket

[Socket]
ListenStream=119
Accept=yes

[Install]
WantedBy=sockets.target
and
$ cat /etc/systemd/system/leafnode@.service
[Unit]
Description=Leafnode NNTP service
After=syslog.target
This isn't needed. syslog is always available thanks to the journal socket.
[Service]
ExecStart=/usr/local/sbin/leafnode
/usr/local?
StandardInput=socket
User=news
Access control depends entirely on ufw (iptables), rather than specifying a hostname or IPv6 or IPv4 number in leafnode.socket, although that would
Binding to a specific IP is hardly what I'd call access control.
probably work instead. The ListenStream line could probably be omitted entirely, unless some port other than 119 is required.
Without the ListenStream declaration, systemd has no idea what port to open the socket on. It's needed.
Run
# systemctl start leafnode.socket
and
# systemctl enable leafnode.socket
to start systemd listening for calls for Leafnode immediately and after the next system boot.
-- -- ^^^^^^^^^^ -- Whiskers -- ~~~~~~~~~~
On Mon, 22 Oct 2012 18:40:23 -0400 Dave Reisner <d@falconindy.com> wrote:
On Mon, Oct 22, 2012 at 11:19:37PM +0100, Whiskers wrote:
Thank you to all those who responded :))
I now have Leafnode-2 up and running smoothly with systemd.
I have created these files:
$ cat /etc/systemd/system/leafnode.socket
[Unit]
Description=Leafnode NNTP Socket

[Socket]
ListenStream=119
Accept=yes

[Install]
WantedBy=sockets.target
and
$ cat /etc/systemd/system/leafnode@.service
[Unit]
Description=Leafnode NNTP service
After=syslog.target
This isn't needed. syslog is always available thanks to the journal socket.
OK.
[Service]
ExecStart=/usr/local/sbin/leafnode
/usr/local?
That's where Leafnode-2 puts itself by default.
StandardInput=socket
User=news
Access control depends entirely on ufw (iptables), rather than specifying a hostname or IPv6 or IPv4 number in leafnode.socket, although that would
Binding to a specific IP is hardly what I'd call access control.
Wouldn't "ListenStream=127.0.0.1;119" prevent anyone not logged in to localhost from using Leafnode?
probably work instead. The ListenStream line could probably be omitted entirely, unless some port other than 119 is required.
Without the ListenStream declaration, systemd has no idea what port to open the socket on. It's needed.
Xinetd doesn't need to be told. Isn't there a table of standard ports for specified services? [...]
-- -- ^^^^^^^^^^ -- Whiskers -- ~~~~~~~~~~
On Tue, Oct 23, 2012 at 12:34:20AM +0100, Whiskers wrote:
On Mon, 22 Oct 2012 18:40:23 -0400 Dave Reisner <d@falconindy.com> wrote:
On Mon, Oct 22, 2012 at 11:19:37PM +0100, Whiskers wrote:
Thank you to all those who responded :))
I now have Leafnode-2 up and running smoothly with systemd.
I have created these files:
$ cat /etc/systemd/system/leafnode.socket
[Unit]
Description=Leafnode NNTP Socket

[Socket]
ListenStream=119
Accept=yes

[Install]
WantedBy=sockets.target
and
$ cat /etc/systemd/system/leafnode@.service
[Unit]
Description=Leafnode NNTP service
After=syslog.target
This isn't needed. syslog is always available thanks to the journal socket.
OK.
[Service]
ExecStart=/usr/local/sbin/leafnode
/usr/local?
That's where Leafnode-2 puts itself by default.
I assumed you were using the package in [community].
StandardInput=socket
User=news
Access control depends entirely on ufw (iptables), rather than specifying a hostname or IPv6 or IPv4 number in leafnode.socket, although that would
Binding to a specific IP is hardly what I'd call access control.
Wouldn't "ListenStream=127.0.0.1;119" prevent anyone not logged in to localhost from using Leafnode?
Sure. Nit: Would be a colon, not a semi-colon delimiter.
probably work instead. The ListenStream line could probably be omitted entirely, unless some port other than 119 is required.
Without the ListenStream declaration, systemd has no idea what port to open the socket on. It's needed.
Xinetd doesn't need to be told. Isn't there a table of standard ports for specified services?
Yes, there's a table of standard ports -- it's /etc/services. It merely lets you refer to ports by name rather than by number. Something still needs to indicate what port to listen on, regardless of how it's mentioned. So, I call bull on xinetd not needing to know this. _somehow_ it's being told. d
Xinetd doesn't need to be told. Isn't there a table of standard ports for specified services?
Yes, there's a table of standard ports -- it's /etc/services. It merely lets you refer to ports by name rather than by number. Something still needs to indicate what port to listen on, regardless of how it's mentioned. So, I call bull on xinetd not needing to know this. _somehow_ it's being told.
Yes, xinetd knows because of the first line in the config file:

service nntp {

Indeed, it takes the port for nntp from /etc/services

So in systemd the ListenStream=119 is mandatory

Check /etc/xinetd.d/leafnode

-- дамјан
On Tue, 23 Oct 2012 11:51:24 +0200 Damjan <gdamjan@gmail.com> wrote:
Xinetd doesn't need to be told. Isn't there a table of standard ports for specified services?
Yes, there's a table of standard ports -- it's /etc/services. It merely lets you refer to ports by name rather than by number. Something still needs to indicate what port to listen on, regardless of how it's mentioned. So, I call bull on xinetd not needing to know this. _somehow_ it's being told.
Yes, xinetd knows because of the first line in the config file:
service nntp {
Indeed, it takes the port for nntp from /etc/services
So in systemd the ListenStream=119 is mandatory
Would "ListenStream=nntp" have the same effect? The more points in common there are between inetd xinetd and systemd configs, the less confusing it will be for those of us in the throes of conversion.
Check /etc/xinetd.d/leafnode
I think that should be /etc/xinetd.d/nntp

Side comment: it appears that with no IP number specified in ListenStream, my clients speak to Leafnode via IPv6 ::1 locally, even though my router and internet connection are still IPv4 only.

$ cat /etc/hosts
#
# /etc/hosts: static lookup table for host names
#

#<ip-address>   <hostname.domain.org>   <hostname>
127.0.0.1       localhost.localdomain   localhost tavy
::1             localhost.localdomain   localhost tavy

# End of file
$ hostname
tavy.mobile.private
$ telnet localhost nntp
Trying ::1...
Connected to localhost.
Escape character is '^]'.
200 Leafnode NNTP daemon, version 2.0.0.alpha20110806a at tavy.mobile.private
quit
205 Always happy to serve!
Connection closed by foreign host.

-- -- ^^^^^^^^^^ -- Whiskers -- ~~~~~~~~~~
Would "ListenStream=nntp" have the same effect?
"man systemd.socket" doesn't mention an option like that. And this directive is already overloaded with different possibilities.
The more points in common there are between inetd xinetd and systemd configs, the less confusing it will be for those of us in the throes of conversion.
only if you don't read the documentation :)
Check /etc/xinetd.d/leafnode
I think that should be /etc/xinetd.d/nntp
the package I have has it in /etc/xinetd.d/leafnode YMMV community/leafnode 1.11.8-5 -- дамјан
On Mon, 22 Oct 2012 19:40:37 -0400 Dave Reisner <d@falconindy.com> wrote:
On Tue, Oct 23, 2012 at 12:34:20AM +0100, Whiskers wrote:
[...]
Access control depends entirely on ufw (iptables), rather than specifying a hostname or IPv6 or IPv4 number in leafnode.socket, although that would
Binding to a specific IP is hardly what I'd call access control.
Wouldn't "ListenStream=127.0.0.1;119" prevent anyone not logged in to localhost from using Leafnode?
Sure. Nit: Would be a colon, not a semi-colon delimiter.
Well spotted :)) [...] -- -- ^^^^^^^^^^ -- Whiskers -- ~~~~~~~~~~
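As an added illustration of the points this thread settles about leafnode.socket (a ListenStream= line is required; a bare port binds IPv4 and IPv6 alike, which is why a local client turned up on ::1; a loopback address keeps remote hosts out but is not per-user access control; the delimiter is a colon, not a semicolon; and systemd.socket documents no /etc/services name form), here is a small checker for .socket units. It is not code from the thread, from systemd or from the Leafnode project; the sample unit is constructed, and parse_unit is a deliberately minimal hand parser, not systemd's own.

```python
import re

# Constructed sample: the thread's leafnode.socket, but with the two slips the
# replies picked up (semicolon instead of colon; a service name, not a number).
SAMPLE_SOCKET = """\
[Socket]
ListenStream=127.0.0.1;119
ListenStream=nntp
Accept=yes
"""
ADDR_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]+\]):(\d+)$")


def parse_unit(text):
    """(section, key, value) triples in file order; keeps repeated keys."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            entries.append((section, key.strip(), value.strip()))
    return entries


def describe_listen(value):
    """Classify one ListenStream= value; returns (ok, message)."""
    if ";" in value:
        return False, f"'{value}': use ':' between address and port, not ';'"
    if value.isdigit():
        return True, f"port {value} on all addresses, IPv4 and IPv6 (::1 locally)"
    m = ADDR_PORT.match(value)
    if m:
        addr, port = m.group(1).strip("[]"), m.group(2)
        scope = ("loopback only: remote hosts are shut out, but any local user "
                 "can still connect") if addr in ("127.0.0.1", "::1") else addr
        return True, f"port {port} on {scope}"
    return False, (f"'{value}': not a port number; systemd.socket documents no "
                   "/etc/services name form, so use the number (nntp is 119)")


def check_socket_unit(text):
    """Findings for a .socket unit, each prefixed ERROR: or INFO:."""
    sock = [(k, v) for s, k, v in parse_unit(text) if s == "Socket"]
    listens = [v for k, v in sock if k == "ListenStream"]
    findings = []
    if not listens:
        findings.append("ERROR: no ListenStream=; systemd has no port to bind")
    for v in listens:
        ok, msg = describe_listen(v)
        findings.append(("INFO: " if ok else "ERROR: ") + msg)
    if dict(sock).get("Accept", "no").lower() in ("yes", "true", "1"):
        findings.append("INFO: Accept=yes: each connection spawns an instance of name@.service")
    return findings
```

check_socket_unit(SAMPLE_SOCKET) reports the two ERROR lines for the constructed unit and one INFO line about Accept=yes; the working unit from the thread yields a single INFO line for port 119.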