diff --git a/Makefile b/Makefile
index 19425ecd..92cba4f4 100644
--- a/Makefile
+++ b/Makefile
@@ -72,6 +72,8 @@ aplupload:
 .PHONY: install
 install: country.dat vznet.conf vzdump.conf vzdump-hook-script.pl
+ install -d -m 0700 -o www-data -g www-data ${DESTDIR}/var/log/pveproxy
+ install -D -m 0644 debian/pve.logrotate ${DESTDIR}/etc/logrotate.d/pve
 install -d ${DESTDIR}/usr/share/${PACKAGE}
 install -d ${DESTDIR}/usr/share/man/man1
 install -d ${DOCDIR}/examples
diff --git a/PVE/APIDaemon.pm b/PVE/APIDaemon.pm
index 127e42f9..f24f8f3f 100755
--- a/PVE/APIDaemon.pm
+++ b/PVE/APIDaemon.pm
@@ -704,10 +704,11 @@ sub start_workers {
 sleep (1);
 } elsif ($pid) { #parent
 $workers->{$pid} = 1;
- $0 = "$0 worker";
 syslog('info', "worker $pid started");
 $need--;
 } else {
+ $0 = "$0 worker";
+
 $SIG{TERM} = $SIG{QUIT} = sub { $child_terminate = 1; };
diff --git a/bin/init.d/pveproxy b/bin/init.d/pveproxy
index f4b0c2d3..d95dff50 100755
--- a/bin/init.d/pveproxy
+++ b/bin/init.d/pveproxy
@@ -15,13 +15,18 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin
 DAEMON=/usr/bin/pveproxy
 NAME=pveproxy
 DESC="PVE API Proxy Server"
-PIDFILE=/var/run/pveproxy.pid
+RUNDIR=/var/run/pveproxy
+PIDFILE=${RUNDIR}/pveproxy.pid
 test -f $DAEMON || exit 0
 # avoid warnings about uninstalled locales when pveproxy executes commands
 export LC_ALL="C"
+mkdir -p ${RUNDIR} || true
+chmod 0700 ${RUNDIR} || true
+chown www-data:www-data ${RUNDIR} || true
+
 case "$1" in
 start)
 log_daemon_msg "Starting $DESC" "$NAME"
diff --git a/bin/pvedaemon b/bin/pvedaemon
index 447bb5a2..218e440c 100755
--- a/bin/pvedaemon
+++ b/bin/pvedaemon
@@ -49,9 +49,7 @@ eval {
 lockfile => $lockfile,
 keep_alive => 100,
 max_conn => 500,
- max_requests => 1000,
- logfile => '/var/log/pve/pvedaemon.log', # fixme?
- );
+ max_requests => 1000);
 };
 my $err = $@;
diff --git a/bin/pveproxy b/bin/pveproxy
index 2d0865e6..05a89d10 100755
--- a/bin/pveproxy
+++ b/bin/pveproxy
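Review bot: The relocated `$0 = "$0 worker";` now runs only in the child branch, which is the right place, but nothing in the hunk records why the title must be set there rather than in the `#parent` branch where it used to be, so a later edit could move it back; a comment on the added line such as `# child only: the parent keeps the master's title` would pin the intent. start_workers begins before the hunk and continues after it, so the rest of the child setup is not visible here.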
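Review bot: The three added setup lines each end in `|| true`, so a failed chown or chmod on `${RUNDIR}` is silently ignored and pveproxy, which now runs as www-data, only fails later when it cannot write its pid file; the setup should abort the script instead, e.g. `mkdir -p "${RUNDIR}" && chown www-data:www-data "${RUNDIR}" && chmod 0700 "${RUNDIR}" || { log_failure_msg "cannot prepare ${RUNDIR}"; exit 1; }`. Moving the pid file into a directory writable by www-data also means that whatever the stop/reload stanzas (outside this hunk) do with `$PIDFILE` now trusts a value an unprivileged process can rewrite; if they use start-stop-daemon, adding `--user www-data` next to `--pidfile` limits the signal to processes actually owned by that user. Note too that the setup sits before `case "$1" in`, so `stop` and `status` perform the mkdir/chmod/chown as well.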
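Review bot: Removing the `logfile` entry drops pvedaemon's own request log without the hunk saying what replaces it; if the intent is that the pveproxy in front of it now keeps the only access log, a comment next to `max_requests => 1000);` such as `# no logfile: requests are logged by pveproxy` would make that explicit for anyone later looking for request records on this daemon. The `# fixme?` on the removed line shows the question was open, so recording the decision is worth the line. The `eval` block starts before the hunk.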
@@ -6,6 +6,7 @@ delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
 use lib '..'; # fixme
 use strict;
+use English;
 use Getopt::Long;
 use POSIX ":sys_wait_h";
 use Socket;
@@ -21,7 +22,7 @@ use File::Find;
 use Data::Dumper;
-my $pidfile = "/var/run/pveproxy.pid";
+my $pidfile = "/var/run/pveproxy/pveproxy.pid";
 my $lockfile = "/var/lock/pveproxy.lck";
 my $opt_debug;
@@ -42,6 +43,16 @@ $SIG{'__WARN__'} = sub {
 $0 = "pveproxy";
+# run as www-data
+my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
+POSIX::setgid($gid) || die "setgid $gid failed - $!\n";
+$EGID = "$gid $gid"; # this calls setgroups
+my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n";
+POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
+
+# just to be sure
+die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
+
 PVE::APIDaemon::enable_debug() if $opt_debug;
 sub add_dirs {
@@ -77,7 +88,7 @@ eval {
 max_conn => 500,
 max_requests => 1000,
 trusted_env => 0, # not trusted, anyone can connect
- logfile => '/var/log/pve/access.log',
+ logfile => '/var/log/pveproxy/access.log',
 lockfile => $lockfile,
 ssl => {
 key_file => '/etc/pve/local/pve-ssl.key',
@@ -103,6 +114,7 @@ if ($err) {
 exit (-1);
 }
+
 if ($opt_debug || !($cpid = fork ())) {
 $SIG{PIPE} = 'IGNORE';
diff --git a/debian/conffiles b/debian/conffiles
index 1e64c3b5..73e61a46 100644
--- a/debian/conffiles
+++ b/debian/conffiles
@@ -7,3 +7,4 @@
 /etc/cron.daily/pve
 /etc/vz/vznet.conf
 /etc/vzdump.conf
+/etc/logrotate.d/pve
diff --git a/debian/control.in b/debian/control.in
index 65b7a664..6276f09c 100644
--- a/debian/control.in
+++ b/debian/control.in
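Review bot: `use English;` without `qw(-no_match_vars)` also imports `$PREMATCH`/`$MATCH`/`$POSTMATCH`, which on perls before 5.20 makes every regex match in the program copy its subject string; a proxy that matches on request paths pays that on every request, and the new code only needs the id variables, so `use English qw(-no_match_vars);` keeps the readability gain without the penalty.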
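Review bot: The privilege drop runs before the `PVE::APIDaemon` constructor in the `eval` block lower in the file, so the `key_file` from the later hunk, `$lockfile` under `/var/lock` and the new `$pidfile` directory are all opened as www-data; the diff does not show those permissions being arranged, so each needs checking, and the key in particular should not become readable by anyone beyond www-data as a side effect. The setgid → setgroups via `$EGID` → setuid order and the post-check are right, but `$GID eq "$gid $gid"` also fails on a host where www-data carries supplementary groups, so a comment like `# supplementary groups are deliberately reduced to www-data` would turn that into a stated decision. Finally, `getgrnam`/`getpwnam` do not reliably set `$!` when the name simply has no entry, so the `getgrnam failed - $!` messages may print a stale errno; `die "www-data group not found\n"` and the matching user message are more honest.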
@@ -3,7 +3,7 @@ Version: @VERSION@-@PACKAGERELEASE@
 Section: admin
 Priority: optional
 Architecture: amd64
-Depends: perl5, libtimedate-perl, libauthen-pam-perl, libintl-perl, rsync, libjson-perl, liblockfile-simple-perl, vncterm, qemu-server (>= 1.1-1), libwww-perl (>= 6.04-1), libnet-http-perl (>= 6.06-1), libhttp-daemon-perl, wget, libnet-dns-perl, vlan, ifenslave-2.6 (>= 1.1.0-10), liblinux-inotify2-perl, debconf (>= 0.5) | debconf-2.0, netcat-traditional, pve-cluster (>= 1.0-29), libpve-common-perl, libpve-storage-perl, libterm-readline-gnu-perl, libpve-access-control, libio-socket-ssl-perl, libfilesys-df-perl, libfile-readbackwards-perl, libfile-sync-perl, redhat-cluster-pve, resource-agents-pve, fence-agents-pve, cstream, postfix | mail-transport-agent, libxml-parser-perl, lzop, dtach, libanyevent-perl, libio-compress-perl, liburi-perl
+Depends: perl5, libtimedate-perl, libauthen-pam-perl, libintl-perl, rsync, libjson-perl, liblockfile-simple-perl, vncterm, qemu-server (>= 1.1-1), libwww-perl (>= 6.04-1), libnet-http-perl (>= 6.06-1), libhttp-daemon-perl, wget, libnet-dns-perl, vlan, ifenslave-2.6 (>= 1.1.0-10), liblinux-inotify2-perl, debconf (>= 0.5) | debconf-2.0, netcat-traditional, pve-cluster (>= 1.0-29), libpve-common-perl, libpve-storage-perl, libterm-readline-gnu-perl, libpve-access-control, libio-socket-ssl-perl, libfilesys-df-perl, libfile-readbackwards-perl, libfile-sync-perl, redhat-cluster-pve, resource-agents-pve, fence-agents-pve, cstream, postfix | mail-transport-agent, libxml-parser-perl, lzop, dtach, libanyevent-perl, libio-compress-perl, liburi-perl, logrotate
 Conflicts: netcat-openbsd, vzdump
 Replaces: vzdump
 Provides: vzdump
diff --git a/debian/pve.logrotate b/debian/pve.logrotate
new file mode 100644
index 00000000..81a4bfbf
--- /dev/null
+++ b/debian/pve.logrotate
@@ -0,0 +1,13 @@
+/var/log/pveproxy/access.log {
+ rotate 7
+ daily
+ missingok
+ compress
+ delaycompress
+ notifempty
+ create 640 www-data www-data
+ sharedscripts
+ postrotate
+ /etc/init.d/pveproxy reload > /dev/null
+ endscript
+}
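Review bot: Rotation only works if the `reload` action of `/etc/init.d/pveproxy` makes the running workers reopen `access.log`; that stanza is not in this diff, and if it merely re-reads configuration the workers keep writing to the renamed `access.log.1` until the next restart, so it is worth confirming and recording with a comment such as `# reload must make pveproxy reopen its access log`. `sharedscripts` has no effect with a single log path and can be dropped. On Debian the conventional call from a postrotate script is `invoke-rc.d pveproxy reload > /dev/null`, which honours policy-rc.d decisions where a direct init-script call does not.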