[arch-commits] Commit in openvpn/trunk (6 files)

Christian Hesse eworm at archlinux.org
Tue Dec 27 13:58:33 UTC 2016


    Date: Tuesday, December 27, 2016 @ 13:58:32
  Author: eworm
Revision: 284860

upgpkg: openvpn 2.4.0-1

new upstream release

This requires administrative interaction for active systemd units.
Changes are explained in install message and news will be posted once
this package moves to [core].

Added:
  openvpn/trunk/0001-plugin.patch
  openvpn/trunk/0002-do-not-race-on-RuntimeDirectory.patch
  openvpn/trunk/news.md
  openvpn/trunk/openvpn.install
Modified:
  openvpn/trunk/PKGBUILD
Deleted:
  openvpn/trunk/openvpn at .service

--------------------------------------------+
 0001-plugin.patch                          |   46 +++++++++++++++
 0002-do-not-race-on-RuntimeDirectory.patch |   59 +++++++++++++++++++
 PKGBUILD                                   |   81 +++++++++++++++++++--------
 news.md                                    |   17 +++++
 openvpn.install                            |   24 ++++++++
 openvpn at .service                           |   17 -----
 6 files changed, 203 insertions(+), 41 deletions(-)

Added: 0001-plugin.patch
===================================================================
--- 0001-plugin.patch	                        (rev 0)
+++ 0001-plugin.patch	2016-12-27 13:58:32 UTC (rev 284860)
@@ -0,0 +1,46 @@
+diff --git a/configure.ac b/configure.ac
+index f4073d0..5fe652e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -301,13 +301,12 @@ AC_ARG_WITH(
+ 	[with_crypto_library="openssl"]
+ )
+ 
+-AC_ARG_WITH(
+-	[plugindir],
+-	[AS_HELP_STRING([--with-plugindir], [plugin directory @<:@default=LIBDIR/openvpn@:>@])],
+-	,
+-	[with_plugindir="\$(libdir)/openvpn/plugins"]
+-)
+-
++AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
++if test -n "${PLUGINDIR}"; then
++	plugindir="${PLUGINDIR}"
++else
++	plugindir="\${libdir}/openvpn/plugins"
++fi
+ 
+ AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host])
+ case "$host" in
+@@ -1245,7 +1244,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "ye
+ AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
+ AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
+ 
+-plugindir="${with_plugindir}"
+ sampledir="\$(docdir)/sample"
+ AC_SUBST([plugindir])
+ AC_SUBST([sampledir])
+diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
+index 4c18449..188834a 100644
+--- a/src/openvpn/Makefile.am
++++ b/src/openvpn/Makefile.am
+@@ -27,7 +27,8 @@ AM_CFLAGS = \
+ 	$(OPTIONAL_CRYPTO_CFLAGS) \
+ 	$(OPTIONAL_LZO_CFLAGS) \
+ 	$(OPTIONAL_LZ4_CFLAGS) \
+-	$(OPTIONAL_PKCS11_HELPER_CFLAGS)
++	$(OPTIONAL_PKCS11_HELPER_CFLAGS) \
++	-DPLUGIN_LIBDIR=\"${plugindir}\"
+ if WIN32
+ # we want unicode entry point but not the macro
+ AM_CFLAGS += -municode -UUNICODE
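Review bot: This patch file has no header saying where it comes from or why it is needed, unlike 0002, which carries From/Subject/Signed-off-by lines. It makes `PLUGIN_LIBDIR` (the `-DPLUGIN_LIBDIR=\"${plugindir}\"` line in src/openvpn/Makefile.am) default to `LIBDIR/openvpn/plugins`, and news.md describes this as a change to the plugin lookup path, so anyone auditing which shared objects the daemon can load needs that stated in the patch itself. I would add a short description at the top, for example `Make the plugin directory configurable via PLUGINDIR and compile it in as PLUGIN_LIBDIR (default LIBDIR/openvpn/plugins)`, plus an upstream reference if one exists.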

Added: 0002-do-not-race-on-RuntimeDirectory.patch
===================================================================
--- 0002-do-not-race-on-RuntimeDirectory.patch	                        (rev 0)
+++ 0002-do-not-race-on-RuntimeDirectory.patch	2016-12-27 13:58:32 UTC (rev 284860)
@@ -0,0 +1,59 @@
+From 3e8b360cca4d97bef113a25f982601d4742af896 Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail at eworm.de>
+Date: Fri, 16 Dec 2016 22:56:15 +0100
+Subject: [PATCH 1/1] do not race on RuntimeDirectory
+
+Different unit instances create and destroy the same RuntimeDirectory.
+This leads to running instances where the status file (and possibly
+more runtime data) is no longer accessible.
+
+So do not handle this in unit files but provide a tmpfiles.d
+configuration and let systemd-tmpfiles do the work.
+Nobody will (unintentionally) delete the directories and its content.
+As /run is volatile we do not have to care about cleanup.
+
+Signed-off-by: Christian Hesse <mail at eworm.de>
+---
+ distro/systemd/openvpn-client at .service | 2 --
+ distro/systemd/openvpn-server at .service | 2 --
+ distro/systemd/openvpn.conf            | 2 ++
+ 3 files changed, 2 insertions(+), 4 deletions(-)
+ create mode 100644 distro/systemd/openvpn.conf
+
+diff --git a/distro/systemd/openvpn-client at .service b/distro/systemd/openvpn-client at .service
+index 5618af3..1187ee8 100644
+--- a/distro/systemd/openvpn-client at .service
++++ b/distro/systemd/openvpn-client at .service
+@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+ [Service]
+ Type=notify
+ PrivateTmp=true
+-RuntimeDirectory=openvpn-client
+-RuntimeDirectoryMode=0710
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+diff --git a/distro/systemd/openvpn-server at .service b/distro/systemd/openvpn-server at .service
+index b9b4dba..25a6bb7 100644
+--- a/distro/systemd/openvpn-server at .service
++++ b/distro/systemd/openvpn-server at .service
+@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+ [Service]
+ Type=notify
+ PrivateTmp=true
+-RuntimeDirectory=openvpn-server
+-RuntimeDirectoryMode=0710
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+diff --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf
+new file mode 100644
+index 0000000..bb79671
+--- /dev/null
++++ b/distro/systemd/openvpn.conf
+@@ -0,0 +1,2 @@
++d /run/openvpn-client 0710 root root -
++d /run/openvpn-server 0710 root root -
+-- 
+2.11.0
+

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2016-12-27 13:20:34 UTC (rev 284859)
+++ PKGBUILD	2016-12-27 13:58:32 UTC (rev 284860)
@@ -1,56 +1,89 @@
 # $Id$
-# Maintainer: Thomas Bächler <thomas at archlinux.org>
+# Maintainer: Christian Hesse <mail at eworm.de>
 
 pkgname=openvpn
-pkgver=2.3.14
+pkgver=2.4.0
 pkgrel=1
-pkgdesc="An easy-to-use, robust, and highly configurable VPN (Virtual Private Network)"
-arch=(i686 x86_64)
-url="http://openvpn.net/index.php/open-source.html"
+pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
+arch=('i686' 'x86_64')
+url='http://openvpn.net/index.php/open-source.html'
 depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper')
 optdepends=('easy-rsa: easy CA and certificate handling')
 makedepends=('systemd')
 license=('custom')
-source=(https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz{,.asc}
-        openvpn at .service)
-sha256sums=('f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98'
+install=openvpn.install
+validpgpkeys=('03300E11FED16F59715F9996C29D97ED198D22A3'  # Samuli Seppänen <samuli.seppanen at gmail.com>
+              '7ACD56B74144925C6214329757DB9DAB613B8DA1') # David Sommerseth (OpenVPN Technologies, Inc) <davids at openvpn.net>
+source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc}
+        '0001-plugin.patch'
+        '0002-do-not-race-on-RuntimeDirectory.patch')
+sha256sums=('6f23ba49a1dbeb658f49c7ae17d9ea979de6d92c7357de3d55cd4525e1b2f87e'
             'SKIP'
-            '28840ef1e4c7c80da1d9de3224fad8e8540e0cf58326d65227cf3ce7ab867990')
-validpgpkeys=('03300E11FED16F59715F9996C29D97ED198D22A3')  # Samuli Seppänen
+            'b8254067b4ef5d157d87267a76938d86f101972303c7ff20131cc9f28659a30c'
+            'a87b081f998db99190e8b9e185cd7aade5bd6dfb5c03777c82b75d28cd3b375c')
 
+prepare() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  # plugin path
+  patch -Np1 < "${srcdir}"/0001-plugin.patch
+
+  # do not race on RuntimeDirectory
+  patch -Np1 < "${srcdir}"/0002-do-not-race-on-RuntimeDirectory.patch
+
+  # regenerate configure script
+  autoreconf -fi
+}
+
 build() {
-  cd "${srcdir}"/$pkgname-$pkgver
-  CFLAGS="$CFLAGS -DPLUGIN_LIBDIR=\\\"/usr/lib/openvpn\\\"" ./configure \
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  ./configure \
     --prefix=/usr \
     --sbindir=/usr/bin \
-    --enable-password-save \
-    --mandir=/usr/share/man \
     --enable-iproute2 \
+    --enable-pkcs11 \
+    --enable-plugins \
     --enable-systemd \
-    --enable-pkcs11 \
     --enable-x509-alt-username
   make
 }
 
+check() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  make check
+}
+
 package() {
-  cd "${srcdir}"/$pkgname-$pkgver
+  cd "${srcdir}"/${pkgname}-${pkgver}
 
   # Install openvpn
   make DESTDIR="${pkgdir}" install
-  install -d -m755 "${pkgdir}"/etc/openvpn
 
+  # Create empty configuration directories
+  install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+
   # Install examples
-  install -d -m755 "${pkgdir}"/usr/share/openvpn
+  install -d -m0755 "${pkgdir}"/usr/share/openvpn
   cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
 
   # Install license
-  install -d -m755 "${pkgdir}"/usr/share/licenses/${pkgname}/
-  ln -sf /usr/share/doc/${pkgname}/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/${pkgname}/
+  install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
+  ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
 
   # Install contrib
-  install -d -m755 "${pkgdir}"/usr/share/openvpn/contrib
-  cp -r contrib "${pkgdir}"/usr/share/openvpn
+  for FILE in $(find contrib -type f); do
+    case "$(file --brief --mime-type "${FILE}")" in
+      "text/x-shellscript") install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+      *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+    esac
+  done
 
-  # Install systemd service
-  install -D -m644 "${srcdir}"/openvpn at .service "${pkgdir}"/usr/lib/systemd/system/openvpn at .service
+  # Install systemd files
+  install -d -m0755 "${pkgdir}"/usr/lib/systemd/system/
+  install -m0644 distro/systemd/openvpn-{client,server}@.service "${pkgdir}"/usr/lib/systemd/system/
+  install -D -m0644 distro/systemd/openvpn.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
+  install -d -m0710 "${pkgdir}"/run/openvpn-{client,server}
 }
+
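Review bot: In package(), `install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}` gives group access on the directories that will hold keys and credentials to a bare numeric GID with no explanation. The numeric form is presumably deliberate so the build does not depend on the build host's group database, but the intended group should be named in a comment, e.g. `# gid 90 = <GROUP NAME>, numeric so it does not depend on the build host`, and it is worth confirming that the target system always has that group at that id. Separately, `for FILE in $(find contrib -type f)` word-splits paths and leaves `FILE` global; `while IFS= read -r -d '' FILE; do … done < <(find contrib -type f -print0)` with a preceding `local FILE` avoids both. The final `install -d -m0710 "${pkgdir}"/run/openvpn-{client,server}` packages directories under /run although the tmpfiles.d file installed one line earlier creates them; if that is only there so the directories exist before the next boot, a comment should say so.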

Added: news.md
===================================================================
--- news.md	                        (rev 0)
+++ news.md	2016-12-27 13:58:32 UTC (rev 284860)
@@ -0,0 +1,17 @@
+OpenVPN 2.4.0 update requires administrative interaction
+========================================================
+
+The upgrade to openvpn 2.4.0 makes changes that are incompatible with
+previous configurations. Take **special care** if you depend on VPN
+connectivity for **remote access**! Administrative interaction is required:
+
+* Configuration is expected in sub directories now. Move your files
+  from `/etc/openvpn/` to `/etc/openvpn/server/` or `/etc/openvpn/client/`.
+* The plugin lookup path changed, remove extra `plugins/` from relative
+  paths.
+* The systemd unit `openvpn at .service` was replaced with
+  `openvpn-client at .service` and `openvpn-server at .service`. Restart and
+  reenable accordingly.
+
+This does not affect the functionality of `networkmanager`, `connman`
+or `qopenvpn`.

Added: openvpn.install
===================================================================
--- openvpn.install	                        (rev 0)
+++ openvpn.install	2016-12-27 13:58:32 UTC (rev 284860)
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+post_upgrade() {
+  # return if old package version greater 2.4...
+  (( $(vercmp $2 '2.4') > 0 )) && return
+
+  # upgrade from pre-2.4 version...
+  echo "This upgrade from openvpn $2 to openvpn $1 made changes that require"
+  echo "administrative interaction:"
+  echo " -> Configuration is expected in sub directories now. Move your files"
+  echo "    from /etc/openvpn/ to /etc/openvpn/server/ or /etc/openvpn/client/."
+  echo " -> The plugin lookup path changed, remove extra 'plugins/' from relative paths."
+  echo " -> The systemd unit openvpn at .service was replaced with openvpn-client at .service"
+  echo "    and openvpn-server at .service. Restart and reenable accordingly."
+
+  local UNITS="$(systemctl list-units --quiet --no-pager --no-legend --plain | grep '^openvpn@' | cut -d' ' -f1)"
+  if (( ${#UNITS} )); then
+    echo "This is a (possibly incomplete) list of units that need to be acted on:"
+    for UNIT in ${UNITS}; do
+      echo " -> ${UNIT}"
+    done
+  fi
+}
+
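Review bot: The version gate at the top of post_upgrade() passes `$2` to vercmp unquoted; `(( $(vercmp "$2" '2.4') > 0 )) && return` keeps the argument intact in a scriptlet that runs as root. The `#!/bin/sh` shebang does not match the body, which uses the bash-only `(( ))` and `local`; the file is presumably only ever sourced by pacman under bash, so the shebang should be `#!/bin/bash` or be dropped. `local UNITS="$(…)"` also hides a failure of the systemctl pipeline and `UNIT` is not declared local; a separate `local UNITS UNIT` line followed by a plain `UNITS="$(…)"` assignment addresses both.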

Deleted: openvpn at .service
===================================================================
--- openvpn at .service	2016-12-27 13:20:34 UTC (rev 284859)
+++ openvpn at .service	2016-12-27 13:58:32 UTC (rev 284860)
@@ -1,17 +0,0 @@
-[Unit]
-Description=OpenVPN connection to %I
-After=syslog.target network.target network-online.target
-Documentation=man:openvpn(8)
-
-[Service]
-PrivateTmp=true
-Type=forking
-ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config %i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid --status-version 2
-PIDFile=/run/openvpn@%i.pid
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
-LimitNPROC=10
-DeviceAllow=/dev/null rw
-DeviceAllow=/dev/net/tun rw
-
-[Install]
-WantedBy=multi-user.target


