[arch-commits] Commit in pound/trunk (5 files)

David Runge dvzrv at archlinux.org
Fri Nov 6 14:46:59 UTC 2020


    Date: Friday, November 6, 2020 @ 14:46:59
  Author: dvzrv
Revision: 744354

upgpkg: pound 3.0-1: Upgrade to 3.0.

Replace old .cfg configuration with new default .yaml configuration.
Add patch to set the runtime dir to /run/pound.
Switch to https for upstream url.
Apply all available hardening options to the service file.

Added:
  pound/trunk/pound-3.0-runtime_dir.patch
  pound/trunk/pound.yaml
Modified:
  pound/trunk/PKGBUILD
  pound/trunk/pound.service
Deleted:
  pound/trunk/pound.cfg

-----------------------------+
 PKGBUILD                    |   71 +++++++++---------
 pound-3.0-runtime_dir.patch |   66 +++++++++++++++++
 pound.cfg                   |   85 ----------------------
 pound.service               |   28 ++++++-
 pound.yaml                  |  161 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 287 insertions(+), 124 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-11-06 14:30:34 UTC (rev 744353)
+++ PKGBUILD	2020-11-06 14:46:59 UTC (rev 744354)
@@ -5,63 +5,66 @@
 
 _name=Pound
 pkgname=pound
-pkgver=2.8
-pkgrel=3
+pkgver=3.0
+pkgrel=1
 pkgdesc="A reverse proxy, load balancer, and SSL wrapper"
 arch=('x86_64')
-url="http://www.apsis.ch/pound/index_html"
+url="https://www.apsis.ch/pound.html"
 license=('GPL3')
-depends=('gcc-libs' 'glibc' 'pcre' 'openssl-1.0')
-makedepends=('gperftools')
-backup=('etc/pound/pound.cfg')
-# switch to https://github.com/graygnuorg/pound for openssl
+depends=('gcc-libs' 'glibc' 'libyaml' 'nanomsg' 'pcre')
+makedepends=('cmake' 'gperftools' 'mbedtls' 'uthash')
+backup=("etc/${pkgname}/${pkgname}.yaml")
 source=("http://www.apsis.ch/${pkgname}/${_name}-${pkgver}.tgz"
         "${_name}-${pkgver}.tgz.asc::http://www.apsis.ch/${pkgname}/${_name}-${pkgver}.asc"
+        "${pkgname}-3.0-runtime_dir.patch"
         "${pkgname}.service"
-        "${pkgname}.cfg")
-sha512sums=('cf0b865b17d3628e273626e07733f1320e4768702c0f64c8ef0f78d46667f770b223bdc7dca88016a95e5ebd23ae646f95a9b2f4a54a5a80001a10047f07eacc'
+        "${pkgname}.yaml")
+sha512sums=('28426fa2d66efa310fce43fc57b87b6cd9d646573161ab880b139feec856710306002af623f023907bb77f8b37979cf2332dc3e16cde48c6d349d813c6ac47e2'
             'SKIP'
-            'c4b47825e3f394db9e8e784f6342d7912081c7de94638e51d27c6a7de0b13fd9665f5540412c8ddaf3157040f9b83d234e01d93ad3a61be45955aaf3afc6f543'
-            '32d33474a115dfc9d5ccc094ffdb3c367108a48976cf3e58442642dab08167cd0a1808eefa1879e3c38b607d2a6a1cd28142dbd690244368760daba1f95526f6')
-b2sums=('2e4526fb78bb8bf1206a60318fef23925f2eb3b2d72c56895e6cc839e944ad8a58820be8c6c54ff2f12cd8e34ee8500dc8f7555c968fe4cd42ae7cc51ef6feec'
+            '25db5c13750c2770ae5a91d850f2f00e888474a05b2464c6f03ebe4dc628c86edf8df640daa96e9dcb7240de43537a731671376f20e0dfb599ef5fc2eaf6c053'
+            '887ebace94fb6974b34e096c3f9d85e7e45186f816f8a0b4218ffecf2bf041702bc5d40547ca5883691e1d5f959e28b8ce3aac0f12c877760c0e80d8319f57e9'
+            '329fb0064f9720cc41332894d3e96e098ffd789d13bcb3b35d67dd9f7b4c0667d1b4cf1d93df9427b4e867d5f0b5857be412ae8d34abed5aa3c2774a499b3292')
+b2sums=('8834d2d57c81bf792d803bc2aef7ad5d17243539ea3fddab777ab3dbd7f903a2f771762ee8d4818c63b7c6380c253dc7c7465e10225f884c2bb968af3dfab831'
         'SKIP'
-        '41fade7a7dc90d4de479b95748f272be4d4ed1e0226539b1dacb20caeef20b30f66b62afc401b4e5fb43b9cbfe107d22dad88a772469f4963ecb564357cd4f2a'
-        '1dc6854854fcc1e0ce32249f6dbfe89b9ccb5ebe614bc700252090a1bb1e072d763859f42bdc1e3a8aa5ddded271cecb5d4c82ef0a90ed98c113ca019cbb255b')
+        'eba66845b02eff8cea9353f1617f9fcbce040609ea22a1061d98a69c109fed1aaaf6fb338cde1c969153df383def7ae5e3231f281140d32702acfb8c628fa0e4'
+        '886e7218d0098f86edfde32b0d8ccdf47f7a8d6a3417144bbd9279cac14d51065fe72b312844ff6a24be6d16183a3b4a44b0d012c1d08808d07ea96d660ff69f'
+        'a7ebb7714abf8bc7c2c0f627f6fdcc226a293277a98455bd52340536754ef3a5aef75340b8535402c78a9a754f78d4793c1d7b0c15b0b8d393fd3760a6398858')
 validpgpkeys=('8BB562A0F1DB703FB7EB1E95AB72C62A8691DD02') # Robert Segall <roseg at apsis.ch>
 
 prepare() {
   mv -v "${_name}-${pkgver}" "${pkgname}-${pkgver}"
   cd "${pkgname}-${pkgver}"
-  # use openssl-1.0 to generate dhparam
-  sed -e 's/openssl/openssl-1.0/' -i Makefile.in
+  # set runtime dir to /run/pound
+  patch -Np1 -i "../${pkgname}-3.0-runtime_dir.patch"
+  # remove vendored uthash so we build with the packaged version
+  rm -v include/ut{hash,array}.h
 }
 
 build() {
   cd "${pkgname}-${pkgver}"
-  # use openssl-1.0
-  CPPFLAGS+=" -I/usr/include/openssl-1.0" \
-  LDFLAGS+=" -L/usr/lib/openssl-1.0" \
-  ./configure --prefix=/usr \
-              --sysconfdir=/etc/pound \
-              --bindir=/usr/bin \
-              --sbindir=/usr/bin \
-              --with-ssl='/usr/lib/openssl-1.0' \
-              --with-owner=root \
-              --with-group=root
-  make
+  cmake -DCMAKE_INSTALL_PREFIX=/usr \
+        -DCMAKE_BUILD_TYPE='None' \
+        -Wno-dev \
+        -B build \
+        -S .
+  make VERBOSE=1 -C build
 }
 
 package() {
-  depends+=('libtcmalloc.so')
+  depends+=('libmbedtls.so' 'libmbedcrypto.so' 'libmbedx509.so'
+  'libtcmalloc.so')
+
   cd "${pkgname}-${pkgver}"
-  make DESTDIR="$pkgdir" install
+  # cmake setup has no install target :(
+  install -vDm 755 build/"${pkgname}" -t "${pkgdir}/usr/bin/"
   # configuration
-  install -vDm 644 "${srcdir}/${pkgname}.cfg" \
-    "${pkgdir}/etc/${pkgname}/${pkgname}.cfg"
+  install -vDm 644 "../${pkgname}.yaml" -t "${pkgdir}/etc/${pkgname}/"
   # systemd service
-  install -vDm 644 "$srcdir/${pkgname}.service" \
-    "${pkgdir}/usr/lib/systemd/system/${pkgname}.service"
+  install -vDm 644 "../${pkgname}.service" \
+    -t "${pkgdir}/usr/lib/systemd/system/"
+  # man page
+  install -vDm 644 man/${pkgname}.8 -t "${pkgdir}/usr/share/man/man8/"
   # docs
-  install -vDm 644 {CHANGELOG,FAQ,README} \
+  install -vDm 644 README.md \
     -t "${pkgdir}/usr/share/doc/${pkgname}/"
 }
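Review bot: The tarball and its detached signature in `source=(...)` are still fetched over plain http from www.apsis.ch, although the commit message says the upstream URL was switched to https and `url=` now uses it. The pinned sha512/b2 sums plus the `validpgpkeys` signature check already cover integrity, so this is hygiene rather than a hole, but if apsis.ch serves the files over TLS the two lines should become `source=("https://www.apsis.ch/${pkgname}/${_name}-${pkgver}.tgz"` and `"${_name}-${pkgver}.tgz.asc::https://www.apsis.ch/${pkgname}/${_name}-${pkgver}.asc"`. Separately, `man/${pkgname}.8` in package() is the only unquoted expansion in the file; `"man/${pkgname}.8"` keeps it consistent with the other install lines.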

Added: pound-3.0-runtime_dir.patch
===================================================================
--- pound-3.0-runtime_dir.patch	                        (rev 0)
+++ pound-3.0-runtime_dir.patch	2020-11-06 14:46:59 UTC (rev 744354)
@@ -0,0 +1,66 @@
+diff -ruN a/include/pound.h.in b/include/pound.h.in
+--- a/include/pound.h.in	2020-11-03 11:53:10.000000000 +0100
++++ b/include/pound.h.in	2020-11-06 11:27:38.356394898 +0100
+@@ -103,7 +103,7 @@
+ #include    "hpack.h"
+ 
+ #define F_CONF      "/etc/pound/pound.yaml"
+-#define F_PID       "/var/run/pound.pid"
++#define F_PID       "/run/pound/pound.pid"
+ 
+ #ifndef NI_MAXHOST
+ #define NI_MAXHOST  1025
+@@ -203,4 +203,4 @@
+ extern void *thr_http(void *);
+ 
+ /* http2.c */
+-extern void do_http2(HTTP_LISTENER *, FILE *, char *, char *, int);
+\ No newline at end of file
++extern void do_http2(HTTP_LISTENER *, FILE *, char *, char *, int);
+diff -ruN a/man/pound.8 b/man/pound.8
+--- a/man/pound.8	2020-11-03 11:53:10.000000000 +0100
++++ b/man/pound.8	2020-11-06 11:28:20.249080056 +0100
+@@ -131,7 +131,7 @@
+ will write its own pid into this file. Normally this is used for shell
+ scripts that control starting and stopping of the daemon.
+ Default:
+-.I /var/run/pound.pid
++.I /run/pound/pound.pid
+ .PP
+ One (or more) copies of
+ .B Pound
+@@ -481,7 +481,7 @@
+ .RE
+ .SH FILES
+ .TP
+-\fI/var/run/pound.pid\fR
++\fI/run/pound/pound.pid\fR
+ this is where
+ .B Pound
+ will attempt to record its process id.
+@@ -496,4 +496,4 @@
+ Copyright \(co 2002-2020 Apsis GmbH.
+ .br
+ This is free software; see the source for copying conditions.  There is NO
+-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+\ No newline at end of file
++warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+diff -ruN a/src/config.c b/src/config.c
+--- a/src/config.c	2020-11-03 11:53:10.000000000 +0100
++++ b/src/config.c	2020-11-06 11:28:00.302721953 +0100
+@@ -612,7 +612,7 @@
+ 
+     memset(&global, '\0', sizeof(global));
+     opterr = 0;
+-    global.pid = "/var/run/pound.pid";
++    global.pid = "/run/pound/pound.pid";
+     global.log_level = 0;
+     while((c_opt = getopt(argc, argv, "f:cvd:p:")) > 0)
+         switch(c_opt) {
+@@ -710,4 +710,4 @@
+     if(o_check)
+         exit(0);
+     return;
+-}
+\ No newline at end of file
++}
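Review bot: Three of the six hunks in this patch (the `do_http2` prototype, the man-page warranty line and the closing brace of config.c) only add a missing trailing newline and have nothing to do with the runtime directory; they make the patch noisier and more likely to fail to apply on the next upstream tarball. Keeping only the three `/run/pound/pound.pid` hunks, or moving the newline fixes into a separate patch sent upstream, would be cleaner. A one-line note above the first `diff` line saying that this path must match `RuntimeDirectory=pound` and `PIDFile=` in pound.service would also record why the patch exists.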

Deleted: pound.cfg
===================================================================
--- pound.cfg	2020-11-06 14:30:34 UTC (rev 744353)
+++ pound.cfg	2020-11-06 14:46:59 UTC (rev 744354)
@@ -1,85 +0,0 @@
-###############################################################################
-## Pound configration file
-###############################################################################
-##
-##
-## GLOBAL SETTINGS
-##
-## Specify the user and group Pound will run as.
-#User         "pound"
-#Group        "pound"
-##
-## Specify the directory that Pound will chroot to at runtime.
-#RootJail     "/"
-##
-## Have Pound run in the foreground (if 0) or as a daemon (if 1).
-#Daemon       1
-##
-## Specify the log facility to use.
-#LogFacility  daemon
-##
-## Specify the logging level.
-#LogLevel     1
-##
-## Ignore case when matching URLs.
-#IgnoreCase   0
-##
-## Enable or disable the dynamic rescaling code.
-#DynScale     0
-##
-## Specify how often Pound will check for resurected back-end hosts.
-#Alive        30
-##
-## Specify for how long Pound will wait for a client request.
-#Client       10
-##
-## How long should Pound wait for a response from the back-end.
-#TimeOut      15
-##
-## How long should Pound wait for a connection to the back-end.
-#ConnTO       15
-##
-## How long should Pound continue to answer interrupted connections.
-#Grace        30
-##
-## Use an OpenSSL hardware acceleration card.
-#SSLEngine    "name"
-##
-## Set the control socket path.
-Control      "/run/pound/poundctl.socket"
-##
-##
-## LISTENERS
-##
-## Configure services and backends for the HTTP reverse proxy.
-#ListenHTTP
-#    Address  10.0.0.1
-#    Port     80
-#    Service
-#        BackEnd
-#            Address 127.0.0.1
-#            Port    8080
-#        End
-#        BackEnd
-#            Address 127.0.0.1
-#            Port    8081
-#        End
-#    End
-#End
-##
-## Configure services and backends for the HTTPS reverse proxy.
-#ListenHTTPS
-#    Address  10.0.0.1
-#    Port     443
-#    Cert     "/etc/ssl/certs/pound.pem"
-#    Service
-#        BackEnd
-#            Address 127.0.0.1
-#            Port    8080
-#        End
-#        BackEnd
-#            Address 127.0.0.1
-#            Port    8081
-#        End
-#    End
-#End

Modified: pound.service
===================================================================
--- pound.service	2020-11-06 14:30:34 UTC (rev 744353)
+++ pound.service	2020-11-06 14:46:59 UTC (rev 744354)
@@ -5,15 +5,33 @@
 Wants=network-online.target
 
 [Service]
-Type=forking
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DeviceAllow=
 DynamicUser=yes
-RuntimeDirectory=pound
-ExecStart=/usr/bin/pound -f /etc/pound/pound.cfg -p /run/pound/pound.pid
+ExecStart=/usr/bin/pound
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 PIDFile=/run/pound/pound.pid
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
 ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+ProtectKernelTunables=yes
+RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RuntimeDirectory=pound
+StateDirectory=pound
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+Type=forking
+UMask=177
 
 [Install]
 WantedBy=multi-user.target
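Review bot: `RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX` is a deny-list that blocks AF_UNIX, which is what syslog(3) uses to reach /dev/log; the shipped pound.yaml says Pound may need access to /dev/syslog, so this line likely makes the daemon's logging fail silently, and a deny-list also leaves every other family (AF_BLUETOOTH, AF_VSOCK, ...) open. An allow-list of what a reverse proxy actually needs, `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`, is the usual form. Note also that `SystemCallFilter=~@resources @privileged` removes setuid/setgid/chroot, so the `User:`, `Group:` and `RootJail:` directives documented in pound.yaml would get the process killed with SIGSYS if an operator ever enables them; a comment in the unit such as `# user/group switching and chroot are handled by systemd (DynamicUser=yes); do not set User/Group/RootJail in pound.yaml` would prevent that surprise.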

Added: pound.yaml
===================================================================
--- pound.yaml	                        (rev 0)
+++ pound.yaml	2020-11-06 14:46:59 UTC (rev 744354)
@@ -0,0 +1,161 @@
+---
+# Pound configuration file. See man 8 pound for further examples.
+#
+# Global Directives
+#
+# Specify the user Pound will run as (must be defined in /etc/passwd).
+# User: "pound"
+
+# Specify the group Pound will run as (must be defined in /etc/group).
+# Group: "pound"
+
+# Specify the directory that Pound will chroot to at runtime. Please note that
+# SSL may require access to /dev/urandom, so make sure you create a device by
+# that name, accessible from the root jail directory. Pound may also require
+# access to /dev/syslog or similar.
+# RootJail: "/"
+
+# Specify a path to an HTML file to be returned in case of a 404 error.
+# Err404: "/path/to/file"
+
+# Specify a path to an HTML file to be returned in case of a 405 error.
+# Err405: "/path/to/file"
+
+# Specify a path to an HTML file to be returned in case of a 500 error.
+# Err500: "/path/to/file"
+
+# Backends
+#
+# A back-end is a definition of a single back-end server Pound will use to
+# reply to incoming requests. Each backend must be marked with an anchor (&).
+Backends:
+  - &default_backend
+    # The address that Pound will connect to. This can be a numeric IP address,
+    # or a symbolic host name that must be resolvable at  run-time. This is a
+    # mandatory parameter.
+    Address: localhost
+
+    # The port number that Pound will connect to. This is a mandatory parameter.
+    Port: 8080
+
+    # How long to wait for a backend (server) to complete and operation.
+    # Default: 15 (seconds).
+    Timeout:
+
+    # How many threads will be used to service requests to this backend. See
+    # also below for remarks on performance tuning. Default: 8 (threads).
+    Threads:
+
+    # A header to add to each reply received from this backend. The header is a
+    # string.
+    # HeadAdd:
+
+# HTTPListeners
+#
+# An HTTP listener defines an address and port that Pound will listen on for
+# HTTP requests.
+HTTPListeners:
+  -
+    # The  address  that Pound will listen on. This can be a numeric IP address,
+    # or a symbolic host name that must be resolvable at run-time. This is a
+    # mandatory parameter. The address 0.0.0.0 may be used as an alias for 'all
+    # available addresses on this machine', but this practice is strongly
+    # discouraged.
+    Address: localhost
+
+    # The port number that Pound will listen on.  This is a mandatory parameter.
+    Port: 80
+
+    # Define how long Pound will wait for client activity. Default: 5 (seconds).
+    Client:
+
+    # Define how many threads Pound will use to service client requests.
+    # Default: 8 (threads).
+    Threads:
+
+    # This defines a service. This service will be used only by this listener.
+    Services:
+
+      -
+        # The service will only be used if the request URL matches the given
+        # pattern.
+        URL:
+
+        # Use the service only if any of the request headers matches the given
+        # pattern.
+        HeadRequire:
+
+        # Use the service only if none of the request headers matches the given
+        # pattern.
+        HeadDeny:
+
+        # How long to keep the client sessions (in seconds). Sessions are a
+        # long term association between a client IP address and a specific
+        # backend in this service. A value of 0 seconds means no sessions are
+        # kept. Default: 0.
+        Session:
+
+        # A list of references to previously defined backends.
+        BackEnds:
+          - *default_backend
+
+# HTTPSListeners
+#
+# An HTTP listener defines an address and port that Pound will listen on for
+# HTTP requests.
+HTTPSListeners:
+  # -
+    # The  address  that Pound will listen on. This can be a numeric IP address,
+    # or a symbolic host name that must be resolvable at run-time. This is a
+    # mandatory parameter. The address 0.0.0.0 may be used as an alias for 'all
+    # available addresses on this machine', but this practice is strongly
+    # discouraged.
+    # Address: localhost
+
+    # The port number that Pound will listen on.  This is a mandatory parameter.
+    # Port: 443
+
+    # Define how long Pound will wait for client activity. Default: 5 (seconds).
+    # Client:
+
+    # Define how many threads Pound will use to service client requests.
+    # Default: 8 (threads).
+    # Threads:
+
+    # A file name or a list of file names. Each file must contain a certificate,
+    # optionally additional chained certificates up to a known  certificate
+    # authority,  and  the private key corresponding to the certificate.
+    # Note: the private key should probably not be password-protected, as Pound
+    # normally starts as a daemon and cannot ask for the password at start-up
+    # time.
+    # Certificates:
+
+    # A list of acceptable cipher names for this listener. The negotiation with
+    # the client will result in one of these ciphers being used, or the
+    # hand-shake will fail.
+    # Ciphers:
+
+    # This defines a service. This service will be used only by this listener.
+    # Services:
+      # -
+        # The service will only be used if the request URL matches the given
+        # pattern.
+        # URL:
+
+        # Use the service only if any of the request headers matches the given
+        # pattern.
+        # HeadRequire:
+
+        # Use the service only if none of the request headers matches the given
+        # pattern.
+        # HeadDeny:
+
+        # How long to keep the client sessions (in seconds). Sessions are a
+        # long term association between a client IP address and a specific
+        # backend in this service. A value of 0 seconds means no sessions are
+        # kept. Default: 0.
+        # Session:
+
+        # A list of references to previously defined backends.
+        # BackEnds:
+          # - *default_backend
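Review bot: The active Backends and HTTPListeners entries leave `Timeout:`, `Threads:`, `Client:`, `URL:`, `HeadRequire:`, `HeadDeny:` and `Session:` with no value, which YAML parses as null rather than as an absent key; unless pound's loader treats null as "use the default", the shipped default config will be rejected on first start, so these keys should be commented out the way the HTTPSListeners block does (`# Timeout:`, `# Threads:`, ...) and the file checked with `pound -c` before shipping. The HTTPSListeners header comment was copied from the HTTP one and still reads "An HTTP listener ... for HTTP requests"; it should say `# An HTTPS listener defines an address and port that Pound will listen on for HTTPS requests.` The `Certificates:` comment should also warn that the unit runs with `DynamicUser=yes`, so a root-only key file cannot be read — something like `# Note: the systemd unit runs pound under DynamicUser; the certificate/key file must be readable by the service (e.g. via SupplementaryGroups= in a drop-in), not root-only.`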


