[arch-commits] Commit in openvpn/trunk (6 files)
Christian Hesse
eworm at archlinux.org
Tue Dec 27 13:58:33 UTC 2016
Date: Tuesday, December 27, 2016 @ 13:58:32
Author: eworm
Revision: 284860
upgpkg: openvpn 2.4.0-1
new upstream release
This requires administrative interaction for active systemd units.
Changes are explained in install message and news will be posted once
this package moves to [core].
Added:
openvpn/trunk/0001-plugin.patch
openvpn/trunk/0002-do-not-race-on-RuntimeDirectory.patch
openvpn/trunk/news.md
openvpn/trunk/openvpn.install
Modified:
openvpn/trunk/PKGBUILD
Deleted:
openvpn/trunk/openvpn at .service
--------------------------------------------+
0001-plugin.patch | 46 +++++++++++++++
0002-do-not-race-on-RuntimeDirectory.patch | 59 +++++++++++++++++++
PKGBUILD | 81 +++++++++++++++++++--------
news.md | 17 +++++
openvpn.install | 24 ++++++++
openvpn at .service | 17 -----
6 files changed, 203 insertions(+), 41 deletions(-)
Added: 0001-plugin.patch
===================================================================
--- 0001-plugin.patch (rev 0)
+++ 0001-plugin.patch 2016-12-27 13:58:32 UTC (rev 284860)
@@ -0,0 +1,46 @@
+diff --git a/configure.ac b/configure.ac
+index f4073d0..5fe652e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -301,13 +301,12 @@ AC_ARG_WITH(
+ [with_crypto_library="openssl"]
+ )
+
+-AC_ARG_WITH(
+- [plugindir],
+- [AS_HELP_STRING([--with-plugindir], [plugin directory @<:@default=LIBDIR/openvpn@:>@])],
+- ,
+- [with_plugindir="\$(libdir)/openvpn/plugins"]
+-)
+-
++AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
++if test -n "${PLUGINDIR}"; then
++ plugindir="${PLUGINDIR}"
++else
++ plugindir="\${libdir}/openvpn/plugins"
++fi
+
+ AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host])
+ case "$host" in
+@@ -1245,7 +1244,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "ye
+ AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
+ AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
+
+-plugindir="${with_plugindir}"
+ sampledir="\$(docdir)/sample"
+ AC_SUBST([plugindir])
+ AC_SUBST([sampledir])
+diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
+index 4c18449..188834a 100644
+--- a/src/openvpn/Makefile.am
++++ b/src/openvpn/Makefile.am
+@@ -27,7 +27,8 @@ AM_CFLAGS = \
+ $(OPTIONAL_CRYPTO_CFLAGS) \
+ $(OPTIONAL_LZO_CFLAGS) \
+ $(OPTIONAL_LZ4_CFLAGS) \
+- $(OPTIONAL_PKCS11_HELPER_CFLAGS)
++ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
++ -DPLUGIN_LIBDIR=\"${plugindir}\"
+ if WIN32
+ # we want unicode entry point but not the macro
+ AM_CFLAGS += -municode -UUNICODE
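Review bot: The `PLUGINDIR` value is copied into `plugindir` unchanged in the `if test -n "${PLUGINDIR}"` branch and then compiled in through `-DPLUGIN_LIBDIR`, with no check that it is an absolute path. Because `AC_ARG_VAR` also picks the variable up from the build environment, a stray or relative `PLUGINDIR` would silently change the directory that relative plugin names presumably resolve against, and plugins are loaded into the openvpn process. I would reject anything that is not absolute, for example `case "${PLUGINDIR}" in /*) ;; *) AC_MSG_ERROR([PLUGINDIR must be an absolute path]) ;; esac`. The help string could also state that the directory is expected to be writable by root only.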
Added: 0002-do-not-race-on-RuntimeDirectory.patch
===================================================================
--- 0002-do-not-race-on-RuntimeDirectory.patch (rev 0)
+++ 0002-do-not-race-on-RuntimeDirectory.patch 2016-12-27 13:58:32 UTC (rev 284860)
@@ -0,0 +1,59 @@
+From 3e8b360cca4d97bef113a25f982601d4742af896 Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail at eworm.de>
+Date: Fri, 16 Dec 2016 22:56:15 +0100
+Subject: [PATCH 1/1] do not race on RuntimeDirectory
+
+Different unit instances create and destroy the same RuntimeDirectory.
+This leads to running instances where the status file (and possibly
+more runtime data) is no longer accessible.
+
+So do not handle this in unit files but provide a tmpfiles.d
+configuration and let systemd-tmpfiles do the work.
+Nobody will (unintentionally) delete the directories and its content.
+As /run is volatile we do not have to care about cleanup.
+
+Signed-off-by: Christian Hesse <mail at eworm.de>
+---
+ distro/systemd/openvpn-client at .service | 2 --
+ distro/systemd/openvpn-server at .service | 2 --
+ distro/systemd/openvpn.conf | 2 ++
+ 3 files changed, 2 insertions(+), 4 deletions(-)
+ create mode 100644 distro/systemd/openvpn.conf
+
+diff --git a/distro/systemd/openvpn-client at .service b/distro/systemd/openvpn-client at .service
+index 5618af3..1187ee8 100644
+--- a/distro/systemd/openvpn-client at .service
++++ b/distro/systemd/openvpn-client at .service
+@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+ [Service]
+ Type=notify
+ PrivateTmp=true
+-RuntimeDirectory=openvpn-client
+-RuntimeDirectoryMode=0710
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+diff --git a/distro/systemd/openvpn-server at .service b/distro/systemd/openvpn-server at .service
+index b9b4dba..25a6bb7 100644
+--- a/distro/systemd/openvpn-server at .service
++++ b/distro/systemd/openvpn-server at .service
+@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+ [Service]
+ Type=notify
+ PrivateTmp=true
+-RuntimeDirectory=openvpn-server
+-RuntimeDirectoryMode=0710
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+diff --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf
+new file mode 100644
+index 0000000..bb79671
+--- /dev/null
++++ b/distro/systemd/openvpn.conf
+@@ -0,0 +1,2 @@
++d /run/openvpn-client 0710 root root -
++d /run/openvpn-server 0710 root root -
+--
+2.11.0
+
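Review bot: With `RuntimeDirectory=` removed, the server unit still writes `--status %t/openvpn-server/status-%i.log` but no longer guarantees that the directory exists, and the new `distro/systemd/openvpn.conf` has no comment explaining the arrangement. On a system where systemd-tmpfiles has not processed this file since installation, the status path will be missing until the next boot or a manual `systemd-tmpfiles --create`. I would add a header comment to the tmpfiles.d file such as `# Runtime directories shared by all openvpn-client@ and openvpn-server@ instances; kept 0710 root:root because status files describe connected peers`. The patch description could also state that packagers must create the directories at install time.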
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2016-12-27 13:20:34 UTC (rev 284859)
+++ PKGBUILD 2016-12-27 13:58:32 UTC (rev 284860)
@@ -1,56 +1,89 @@
# $Id$
-# Maintainer: Thomas Bächler <thomas at archlinux.org>
+# Maintainer: Christian Hesse <mail at eworm.de>
pkgname=openvpn
-pkgver=2.3.14
+pkgver=2.4.0
pkgrel=1
-pkgdesc="An easy-to-use, robust, and highly configurable VPN (Virtual Private Network)"
-arch=(i686 x86_64)
-url="http://openvpn.net/index.php/open-source.html"
+pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
+arch=('i686' 'x86_64')
+url='http://openvpn.net/index.php/open-source.html'
depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper')
optdepends=('easy-rsa: easy CA and certificate handling')
makedepends=('systemd')
license=('custom')
-source=(https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz{,.asc}
- openvpn at .service)
-sha256sums=('f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98'
+install=openvpn.install
+validpgpkeys=('03300E11FED16F59715F9996C29D97ED198D22A3' # Samuli Seppänen <samuli.seppanen at gmail.com>
+ '7ACD56B74144925C6214329757DB9DAB613B8DA1') # David Sommerseth (OpenVPN Technologies, Inc) <davids at openvpn.net>
+source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc}
+ '0001-plugin.patch'
+ '0002-do-not-race-on-RuntimeDirectory.patch')
+sha256sums=('6f23ba49a1dbeb658f49c7ae17d9ea979de6d92c7357de3d55cd4525e1b2f87e'
'SKIP'
- '28840ef1e4c7c80da1d9de3224fad8e8540e0cf58326d65227cf3ce7ab867990')
-validpgpkeys=('03300E11FED16F59715F9996C29D97ED198D22A3') # Samuli Seppänen
+ 'b8254067b4ef5d157d87267a76938d86f101972303c7ff20131cc9f28659a30c'
+ 'a87b081f998db99190e8b9e185cd7aade5bd6dfb5c03777c82b75d28cd3b375c')
+prepare() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ # plugin path
+ patch -Np1 < "${srcdir}"/0001-plugin.patch
+
+ # do not race on RuntimeDirectory
+ patch -Np1 < "${srcdir}"/0002-do-not-race-on-RuntimeDirectory.patch
+
+ # regenerate configure script
+ autoreconf -fi
+}
+
build() {
- cd "${srcdir}"/$pkgname-$pkgver
- CFLAGS="$CFLAGS -DPLUGIN_LIBDIR=\\\"/usr/lib/openvpn\\\"" ./configure \
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ ./configure \
--prefix=/usr \
--sbindir=/usr/bin \
- --enable-password-save \
- --mandir=/usr/share/man \
--enable-iproute2 \
+ --enable-pkcs11 \
+ --enable-plugins \
--enable-systemd \
- --enable-pkcs11 \
--enable-x509-alt-username
make
}
+check() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ make check
+}
+
package() {
- cd "${srcdir}"/$pkgname-$pkgver
+ cd "${srcdir}"/${pkgname}-${pkgver}
# Install openvpn
make DESTDIR="${pkgdir}" install
- install -d -m755 "${pkgdir}"/etc/openvpn
+ # Create empty configuration directories
+ install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+
# Install examples
- install -d -m755 "${pkgdir}"/usr/share/openvpn
+ install -d -m0755 "${pkgdir}"/usr/share/openvpn
cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
# Install license
- install -d -m755 "${pkgdir}"/usr/share/licenses/${pkgname}/
- ln -sf /usr/share/doc/${pkgname}/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/${pkgname}/
+ install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
+ ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
# Install contrib
- install -d -m755 "${pkgdir}"/usr/share/openvpn/contrib
- cp -r contrib "${pkgdir}"/usr/share/openvpn
+ for FILE in $(find contrib -type f); do
+ case "$(file --brief --mime-type "${FILE}")" in
+ "text/x-shellscript") install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ esac
+ done
- # Install systemd service
- install -D -m644 "${srcdir}"/openvpn at .service "${pkgdir}"/usr/lib/systemd/system/openvpn at .service
+ # Install systemd files
+ install -d -m0755 "${pkgdir}"/usr/lib/systemd/system/
+ install -m0644 distro/systemd/openvpn-{client,server}@.service "${pkgdir}"/usr/lib/systemd/system/
+ install -D -m0644 distro/systemd/openvpn.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
+ install -d -m0710 "${pkgdir}"/run/openvpn-{client,server}
}
+
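Review bot: The bare `-g 90` in `install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}` gives a numeric group read and traverse access to the directories that will hold VPN configuration and key material, and nothing says which group that is or why it needs access. Please add a comment above the line, e.g. `# gid 90 is assumed to be the 'network' group (confirm against the filesystem package); it may read client/server configs`, so a later gid reassignment does not silently open these directories to an unrelated group. Separately, `for FILE in $(find contrib -type f)` word-splits file names and only works while contrib contains no names with whitespace; `find contrib -type f -print0` read with `while IFS= read -r -d '' FILE` avoids that.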
Added: news.md
===================================================================
--- news.md (rev 0)
+++ news.md 2016-12-27 13:58:32 UTC (rev 284860)
@@ -0,0 +1,17 @@
+OpenVPN 2.4.0 update requires administrative interaction
+========================================================
+
+The upgrade to openvpn 2.4.0 makes changes that are incompatible with
+previous configurations. Take **special care** if you depend on VPN
+connectivity for **remote access**! Administrative interaction is required:
+
+* Configuration is expected in sub directories now. Move your files
+ from `/etc/openvpn/` to `/etc/openvpn/server/` or `/etc/openvpn/client/`.
+* The plugin lookup path changed, remove extra `plugins/` from relative
+ paths.
+* The systemd unit `openvpn at .service` was replaced with
+ `openvpn-client at .service` and `openvpn-server at .service`. Restart and
+ reenable accordingly.
+
+This does not affect the functionality of `networkmanager`, `connman`
+or `qopenvpn`.
Added: openvpn.install
===================================================================
--- openvpn.install (rev 0)
+++ openvpn.install 2016-12-27 13:58:32 UTC (rev 284860)
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+post_upgrade() {
+ # return if old package version greater 2.4...
+ (( $(vercmp $2 '2.4') > 0 )) && return
+
+ # upgrade from pre-2.4 version...
+ echo "This upgrade from openvpn $2 to openvpn $1 made changes that require"
+ echo "administrative interaction:"
+ echo " -> Configuration is expected in sub directories now. Move your files"
+ echo " from /etc/openvpn/ to /etc/openvpn/server/ or /etc/openvpn/client/."
+ echo " -> The plugin lookup path changed, remove extra 'plugins/' from relative paths."
+ echo " -> The systemd unit openvpn at .service was replaced with openvpn-client at .service"
+ echo " and openvpn-server at .service. Restart and reenable accordingly."
+
+ local UNITS="$(systemctl list-units --quiet --no-pager --no-legend --plain | grep '^openvpn@' | cut -d' ' -f1)"
+ if (( ${#UNITS} )); then
+ echo "This is a (possibly incomplete) list of units that need to be acted on:"
+ for UNIT in ${UNITS}; do
+ echo " -> ${UNIT}"
+ done
+ fi
+}
+
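Review bot: `post_upgrade` uses `(( … ))` and `local` under a `#!/bin/sh` line and passes `$2` to `vercmp` unquoted, so it behaves as intended only when the scriptlet shell is bash and vercmp prints a number. A form that does not depend on either is `[ "$(vercmp "$2" '2.4')" -gt 0 ] && return`. `UNIT` in the loop is not declared local and leaks into the shell that sources the script, and `local UNITS="$(…)"` hides the exit status of the systemctl pipeline; declaring `local UNIT UNITS` first and assigning on the next line fixes both. This script runs as root during the upgrade, so it is worth keeping strictly quoted even though its arguments come from the package manager.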
Deleted: openvpn at .service
===================================================================
--- openvpn at .service 2016-12-27 13:20:34 UTC (rev 284859)
+++ openvpn at .service 2016-12-27 13:58:32 UTC (rev 284860)
@@ -1,17 +0,0 @@
-[Unit]
-Description=OpenVPN connection to %I
-After=syslog.target network.target network-online.target
-Documentation=man:openvpn(8)
-
-[Service]
-PrivateTmp=true
-Type=forking
-ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config %i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid --status-version 2
-PIDFile=/run/openvpn@%i.pid
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
-LimitNPROC=10
-DeviceAllow=/dev/null rw
-DeviceAllow=/dev/net/tun rw
-
-[Install]
-WantedBy=multi-user.target