/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.conf.xml

  • Committer: Teddy Hogeborn
  • Date: 2019-08-02 22:16:53 UTC
  • Revision ID: teddy@recompile.se-20190802221653-ic1iko9hbefzwsk7
Fix bug in server Debian package: Fails to start on first install

There has been a very long-standing bug where installation of the
server (the "mandos" Debian package) would fail to start the server
properly right after installation.  It would work on manual (re)start
after installation, or after reboot, and even after package purge and
reinstall, it would then work the first time.  The problem, it turns
out, is when the new "_mandos" user (and corresponding group) is
created, the D-Bus server is not reloaded, and is therefore not aware
of that user, and does not recognize the user and group name in the
/etc/dbus-1/system.d/mandos.conf file.  The Mandos server, when it
tries to start and access the D-Bus, is then not permitted to connect
to its D-Bus bus name, and disables D-Bus use as a fallback measure;
i.e. the server works, but it is not controllable via D-Bus commands
(via mandos-ctl or mandos-monitor).  The next time the D-Bus daemon is
reloaded for any reason, the new user & group would become visible to
the D-Bus daemon and after that, any restart of the Mandos server
would succeed and it would bind to its D-Bus name properly, and
thereby be visible and controllable by mandos-ctl & mandos-monitor.
This was mostly invisible when using sysvinit, but systemd makes the
problem visible since the systemd service file for the Mandos server
is configured to not consider the Mandos server "started" until the
D-Bus name has been bound; this makes the starting of the service wait
for 90 seconds and then fail with a timeout error.

Fixing this should also make the Debian CI autopkgtest tests work.

* debian/mandos.postinst (configure): After creating (or renaming)
                                      user & group, reload D-Bus
                                      daemon (if present).

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
 
<!ENTITY VERSION "1.0">
5
4
<!ENTITY CONFNAME "mandos.conf">
6
5
<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">
7
 
<!ENTITY TIMESTAMP "2008-08-31">
 
6
<!ENTITY TIMESTAMP "2019-06-20">
 
7
<!ENTITY % common SYSTEM "common.ent">
 
8
%common;
8
9
]>
9
10
 
10
11
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
13
    <title>Mandos Manual</title>
13
14
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
15
    <productname>Mandos</productname>
15
 
    <productnumber>&VERSION;</productnumber>
 
16
    <productnumber>&version;</productnumber>
16
17
    <date>&TIMESTAMP;</date>
17
18
    <authorgroup>
18
19
      <author>
19
20
        <firstname>Björn</firstname>
20
21
        <surname>Påhlsson</surname>
21
22
        <address>
22
 
          <email>belorn@fukt.bsnet.se</email>
 
23
          <email>belorn@recompile.se</email>
23
24
        </address>
24
25
      </author>
25
26
      <author>
26
27
        <firstname>Teddy</firstname>
27
28
        <surname>Hogeborn</surname>
28
29
        <address>
29
 
          <email>teddy@fukt.bsnet.se</email>
 
30
          <email>teddy@recompile.se</email>
30
31
        </address>
31
32
      </author>
32
33
    </authorgroup>
33
34
    <copyright>
34
35
      <year>2008</year>
 
36
      <year>2009</year>
 
37
      <year>2010</year>
 
38
      <year>2011</year>
 
39
      <year>2012</year>
 
40
      <year>2013</year>
 
41
      <year>2014</year>
 
42
      <year>2015</year>
 
43
      <year>2016</year>
 
44
      <year>2017</year>
 
45
      <year>2018</year>
 
46
      <year>2019</year>
35
47
      <holder>Teddy Hogeborn</holder>
36
48
      <holder>Björn Påhlsson</holder>
37
49
    </copyright>
38
50
    <xi:include href="legalnotice.xml"/>
39
51
  </refentryinfo>
40
 
 
 
52
  
41
53
  <refmeta>
42
54
    <refentrytitle>&CONFNAME;</refentrytitle>
43
55
    <manvolnum>5</manvolnum>
49
61
      Configuration file for the Mandos server
50
62
    </refpurpose>
51
63
  </refnamediv>
52
 
 
 
64
  
53
65
  <refsynopsisdiv>
54
66
    <synopsis>&CONFPATH;</synopsis>
55
67
  </refsynopsisdiv>
56
 
 
 
68
  
57
69
  <refsect1 id="description">
58
70
    <title>DESCRIPTION</title>
59
71
    <para>
71
83
      <quote>#</quote> or <quote>;</quote> are ignored and may be used
72
84
      to provide comments.
73
85
    </para>
74
 
 
 
86
    
75
87
  </refsect1>
76
88
  <refsect1>
77
89
    <title>OPTIONS</title>
84
96
          <xi:include href="mandos-options.xml" xpointer="interface"/>
85
97
        </listitem>
86
98
      </varlistentry>
87
 
 
 
99
      
88
100
      <varlistentry>
89
101
        <term><option>address<literal> = </literal><replaceable
90
102
          >ADDRESS</replaceable></option></term>
92
104
          <xi:include href="mandos-options.xml" xpointer="address"/>
93
105
        </listitem>
94
106
      </varlistentry>
95
 
 
 
107
      
96
108
      <varlistentry>
97
109
        <term><option>port<literal> = </literal><replaceable
98
110
        >NUMBER</replaceable></option></term>
100
112
          <xi:include href="mandos-options.xml" xpointer="port"/>
101
113
        </listitem>
102
114
      </varlistentry>
103
 
 
 
115
      
104
116
      <varlistentry>
105
117
        <term><option>debug<literal> = </literal>{ <literal
106
118
          >1</literal> | <literal>yes</literal> | <literal
111
123
          <xi:include href="mandos-options.xml" xpointer="debug"/>
112
124
        </listitem>
113
125
      </varlistentry>
114
 
 
 
126
      
115
127
      <varlistentry>
116
128
        <term><option>priority<literal> = </literal><replaceable
117
129
        >STRING</replaceable></option></term>
119
131
          <xi:include href="mandos-options.xml" xpointer="priority"/>
120
132
        </listitem>
121
133
      </varlistentry>
122
 
 
 
134
      
123
135
      <varlistentry>
124
136
        <term><option>servicename<literal> = </literal
125
137
        ><replaceable>NAME</replaceable></option></term>
129
141
        </listitem>
130
142
      </varlistentry>
131
143
      
 
144
      <varlistentry>
 
145
        <term><option>use_dbus<literal> = </literal>{ <literal
 
146
          >1</literal> | <literal>yes</literal> | <literal
 
147
          >true</literal> | <literal>on</literal> | <literal
 
148
          >0</literal> | <literal>no</literal> | <literal
 
149
          >false</literal> | <literal>off</literal> }</option></term>
 
150
        <listitem>
 
151
          <xi:include href="mandos-options.xml" xpointer="dbus"/>
 
152
        </listitem>
 
153
      </varlistentry>
 
154
      
 
155
      <varlistentry>
 
156
        <term><option>use_ipv6<literal> = </literal>{ <literal
 
157
          >1</literal> | <literal>yes</literal> | <literal
 
158
          >true</literal> | <literal>on</literal> | <literal
 
159
          >0</literal> | <literal>no</literal> | <literal
 
160
          >false</literal> | <literal>off</literal> }</option></term>
 
161
        <listitem>
 
162
          <xi:include href="mandos-options.xml" xpointer="ipv6"/>
 
163
        </listitem>
 
164
      </varlistentry>
 
165
      
 
166
      <varlistentry>
 
167
        <term><option>restore<literal> = </literal>{ <literal
 
168
          >1</literal> | <literal>yes</literal> | <literal
 
169
          >true</literal> | <literal>on</literal> | <literal
 
170
          >0</literal> | <literal>no</literal> | <literal
 
171
          >false</literal> | <literal>off</literal> }</option></term>
 
172
        <listitem>
 
173
          <xi:include href="mandos-options.xml" xpointer="restore"/>
 
174
        </listitem>
 
175
      </varlistentry>
 
176
      
 
177
      <varlistentry>
 
178
        <term><option>statedir<literal> = </literal><replaceable
 
179
        >DIRECTORY</replaceable></option></term>
 
180
        <listitem>
 
181
          <xi:include href="mandos-options.xml" xpointer="statedir"/>
 
182
        </listitem>
 
183
      </varlistentry>
 
184
      
 
185
      <varlistentry>
 
186
        <term><option>socket<literal> = </literal><replaceable
 
187
        >NUMBER</replaceable></option></term>
 
188
        <listitem>
 
189
          <xi:include href="mandos-options.xml" xpointer="socket"/>
 
190
        </listitem>
 
191
      </varlistentry>
 
192
      
132
193
    </variablelist>
133
194
  </refsect1>
134
195
  
144
205
    <para>
145
206
      The <literal>[DEFAULT]</literal> is necessary because the Python
146
207
      built-in module <systemitem class="library">ConfigParser</systemitem>
147
 
      requres it.
 
208
      requires it.
148
209
    </para>
 
210
    <xi:include href="bugs.xml"/>
149
211
  </refsect1>
150
212
  
151
213
  <refsect1 id="example">
165
227
      <programlisting>
166
228
[DEFAULT]
167
229
# A configuration example
168
 
interface = eth0
169
 
address = 2001:db8:f983:bd0b:30de:ae4a:71f2:f672
 
230
interface = enp1s0
 
231
address = fe80::aede:48ff:fe71:f6f2
170
232
port = 1025
171
 
debug = true
172
 
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP
 
233
debug = True
 
234
priority = SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA
173
235
servicename = Daena
 
236
use_dbus = False
 
237
use_ipv6 = True
 
238
restore = True
 
239
statedir = /var/lib/mandos
174
240
      </programlisting>
175
241
    </informalexample>
176
242
  </refsect1>
178
244
  <refsect1 id="see_also">
179
245
    <title>SEE ALSO</title>
180
246
    <para>
 
247
      <citerefentry><refentrytitle>intro</refentrytitle>
 
248
      <manvolnum>8mandos</manvolnum></citerefentry>,
181
249
      <citerefentry><refentrytitle>gnutls_priority_init</refentrytitle
182
250
      ><manvolnum>3</manvolnum></citerefentry>,
183
251
      <citerefentry><refentrytitle>mandos</refentrytitle>
185
253
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
186
254
      <manvolnum>5</manvolnum></citerefentry>
187
255
    </para>
188
 
 
 
256
    
189
257
    <variablelist>
190
258
      <varlistentry>
191
259
        <term>
211
279
              <para>
212
280
                The clients use IPv6 link-local addresses, which are
213
281
                immediately usable since a link-local addresses is
214
 
                automatically assigned to a network interfaces when it
 
282
                automatically assigned to a network interface when it
215
283
                is brought up.
216
284
              </para>
217
285
            </listitem>