- Timestamp:
- Nov 22, 2011, 12:45:17 AM (13 years ago)
- Location:
- trunk
- Files:
-
- 13 deleted
- 60 edited
- 25 copied
-
trunk
- Property svn:mergeinfo changed
-
trunk/locker
- Property svn:mergeinfo changed
/branches/fc11-dev/locker (added) merged: 1179,1198,1210,1226,1238 /branches/fc13-dev/locker (added) merged: 1673-1675,1690 /branches/fc15-dev/locker (added) merged: 1878,1938,1947,1973,1989-1991,2026,2036-2037,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/locker/bin
- Property svn:mergeinfo changed
/branches/fc15-dev/locker/bin (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/locker/bin/crontab
- Property svn:mergeinfo deleted
-
trunk/locker/deploy/bin
- Property svn:mergeinfo changed
/branches/fc15-dev/locker/deploy/bin (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/locker/deploy/bin/django
- Property svn:mergeinfo changed
/branches/fc15-dev/locker/deploy/bin/django (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/locker/deploy/bin/rails
- Property svn:mergeinfo changed
/branches/fc15-dev/locker/deploy/bin/rails (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/locker/deploy/bin/trac
- Property svn:mergeinfo changed
/branches/fc15-dev/locker/deploy/bin/trac (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/locker/sql/bin/save-password
- Property svn:mergeinfo changed
/branches/fc15-dev/locker/sql/bin/save-password (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/server/common/oursrc/execsys/execsys-binfmt
- Property svn:mergeinfo changed
/branches/fc15-dev/server/common/oursrc/execsys/execsys-binfmt (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/server/common/oursrc/php_scripts/php_scripts-config.m4
- Property svn:mergeinfo changed
/branches/fc15-dev/server/common/oursrc/php_scripts/php_scripts-config.m4 (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/server/common/oursrc/tokensys/configure.in
r38 r2066 24 24 REQUIRE_PATH(aklog) 25 25 26 AC_ARG_WITH(fs, 27 [ --with-fs[=PATH] fs is located at PATH],[ 28 if test "$withval" != "no" -a "$withval" != "yes"; then 29 fs_path="$withval" 30 fi 31 ]) 32 REQUIRE_PATH(fs) 33 26 34 AC_OUTPUT(Makefile) 27 35 AC_OUTPUT(renew) 36 AC_OUTPUT(scripts-afsagent-startup) -
trunk/server/common/oursrc/tokensys/renew.in
r1594 r2066 2 2 3 3 # This script renews afsagent's tickets and tokens. 4 # It is called by afsagent's crontab every 8 hours.4 # It is called by systemd on a regular schedule. 5 5 6 6 export KRB5CCNAME=/home/afsagent/krb5cc -
trunk/server/common/oursrc/whoisd/Makefile.in
r763 r2066 1 1 install: 2 2 install -Dpm 644 whoisd.tac ${DESTDIR}@libexecdir@/whoisd.tac 3 install -Dpm 644 crontab ${DESTDIR}/etc/cron.d/whoisd3 install -Dpm 644 scripts-whoisd.service ${DESTDIR}/lib/systemd/system/scripts-whoisd.service 4 4 5 5 clean: 6 6 rm -f ${DESTDIR}@libexecdir@/whoisd.tac 7 rm -f ${DESTDIR}/ etc/cron.d/whoisd7 rm -f ${DESTDIR}/lib/systemd/system/scripts-whoisd.service -
trunk/server/common/patches/krb5-kuserok-scripts.patch
r1693 r2066 1 1 # scripts.mit.edu krb5 kuserok patch 2 2 # Copyright (C) 2006 Tim Abbott <tabbott@mit.edu> 3 # 2011 Alexander Chernyakhovsky <achernya@mit.edu> 3 4 # 4 5 # This program is free software; you can redistribute it and/or … … 18 19 # See /COPYRIGHT in this repository for more information. 19 20 # 20 --- krb5-1. 6.3/src/lib/krb5/os/kuserok.c.old 2009-04-08 06:17:06.000000000 -040021 +++ krb5-1. 6.3/src/lib/krb5/os/kuserok.c 2009-04-08 06:17:18.000000000 -040022 @@ -3 1,6 +31,7 @@23 #if !defined(_WIN32) 21 --- krb5-1.9/src/lib/krb5/os/kuserok.c.old 2011-04-16 19:09:58.000000000 -0400 22 +++ krb5-1.9/src/lib/krb5/os/kuserok.c 2011-04-16 19:34:23.000000000 -0400 23 @@ -32,6 +32,7 @@ 24 #if !defined(_WIN32) /* Not yet for Windows */ 24 25 #include <stdio.h> 25 26 #include <pwd.h> … … 28 29 #if defined(_AIX) && defined(_IBMR2) 29 30 #include <sys/access.h> 30 @@ -71,7 +72,6 @@ 31 
@@ -51,39 +52,6 @@ 32 enum result { ACCEPT, REJECT, PASS }; 33 34 /* 35 - * Find the k5login filename for luser, either in the user's homedir or in a 36 - * configured directory under the username. 37 - */ 38 -static krb5_error_code 39 -get_k5login_filename(krb5_context context, const char *luser, 40 - const char *homedir, char **filename_out) 41 -{ 42 - krb5_error_code ret; 43 - char *dir, *filename; 44 - 45 - *filename_out = NULL; 46 - ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, 47 - KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir); 48 - if (ret != 0) 49 - return ret; 50 - 51 - if (dir == NULL) { 52 - /* Look in the user's homedir. */ 53 - if (asprintf(&filename, "%s/.k5login", homedir) < 0) 54 - return ENOMEM; 55 - } else { 56 - /* Look in the configured directory. */ 57 - if (asprintf(&filename, "%s/%s", dir, luser) < 0) 58 - ret = ENOMEM; 59 - profile_release_string(dir); 60 - if (ret) 61 - return ret; 62 - } 63 - *filename_out = filename; 64 - return 0; 65 -} 66 - 67 -/* 68 * Determine whether principal is authorized to log in as luser according to 69 * the user's k5login file. Return ACCEPT if the k5login file authorizes the 70 * principal, PASS if the k5login file does not exist, or REJECT if the k5login 71 @@ -93,13 +61,12 @@ 72 static enum result 73 k5login_ok(krb5_context context, krb5_principal principal, const char *luser) 31 74 { 32 struct stat sbuf;33 struct passwd *pwd;34 - char pbuf[MAXPATHLEN];35 krb5_boolean isok = FALSE;36 FILE *fp;37 char kuser[MAX_USERNAME];38 
@@ -79,71 +79,35 @@ 39 char linebuf[BUFSIZ];40 char *newline;41 int gobble;75 - int authoritative = TRUE, gobble; 76 + int authoritative = TRUE; 77 enum result result = REJECT; 78 - char *filename = NULL, *princname = NULL; 79 - char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ]; 80 - struct stat sbuf; 81 + char *princname = NULL; 82 + char pwbuf[BUFSIZ]; 83 struct passwd pwx, *pwd; 84 - FILE *fp = NULL; 42 85 + int pid, status; 43 86 44 /* no account => no access */45 char pwbuf[BUFSIZ];46 struct passwd pwx; 87 if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS, 88 KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE, 89 
@@ -110,46 +77,29 @@ 47 90 if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) 48 return(FALSE);49 - (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1); 50 - pbuf[sizeof(pbuf) - 1] = '\0';51 - (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));91 goto cleanup; 92 93 - if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0) 94 - goto cleanup; 52 95 - 53 - if (access(pbuf, F_OK)) { /* not accessible */ 54 - /* 55 - * if he's trying to log in as himself, and there is no .k5login file, 56 - * let him. To find out, call 57 - * krb5_aname_to_localname to convert the principal to a name 58 - * which we can string compare. 59 - */ 60 - if (!(krb5_aname_to_localname(context, principal, 61 - sizeof(kuser), kuser)) 62 - && (strcmp(kuser, luser) == 0)) { 63 - return(TRUE); 64 - } 96 - if (access(filename, F_OK) != 0) { 97 - result = PASS; 98 - goto cleanup; 65 99 - } 66 if (krb5_unparse_name(context, principal, &princname)) 67 return(FALSE); /* no hope of matching */ 100 - 101 if (krb5_unparse_name(context, principal, &princname) != 0) 102 goto cleanup; 68 103 69 - /* open ~/.k5login */ 70 - if ((fp = fopen(pbuf, "r")) == NULL) { 71 - free(princname); 72 - return(FALSE); 73 - } 104 - fp = fopen(filename, "r"); 105 - if (fp == NULL) 106 + if ((pid = fork()) == -1) 107 goto cleanup; 74 108 - set_cloexec_file(fp); 75 - /* 76 - * For security reasons, the .k5login file must be owned either by 77 - * the user himself, or by root. Otherwise, don't grant access. 78 - */ 79 - if (fstat(fileno(fp), &sbuf)) { 80 - fclose(fp); 81 - free(princname); 82 - return(FALSE); 83 + if ((pid = fork()) == -1) { 84 + free(princname); 85 + return(FALSE); 109 - 110 - /* For security reasons, the .k5login file must be owned either by 111 - * the user or by root. */ 112 - if (fstat(fileno(fp), &sbuf)) 113 - goto cleanup; 114 - if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) 115 - goto cleanup; 116 - 117 - /* Check each line. 
*/ 118 - while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) { 119 - newline = strrchr(linebuf, '\n'); 120 - if (newline != NULL) 121 - *newline = '\0'; 122 - if (strcmp(linebuf, princname) == 0) 123 - result = ACCEPT; 124 - /* Clean up the rest of the line if necessary. */ 125 - if (newline == NULL) 126 - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 127 + 128 + if (pid == 0) { 129 + char *args[4]; 130 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" 131 + args[0] = ADMOF_PATH; 132 + args[1] = (char *) luser; 133 + args[2] = princname; 134 + args[3] = NULL; 135 + execv(ADMOF_PATH, args); 136 + exit(1); 86 137 } 87 - if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) { 88 - fclose(fp); 89 - free(princname); 90 - return(FALSE); 91 + if (pid == 0) { 92 + char *args[4]; 93 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" 94 + args[0] = ADMOF_PATH; 95 + args[1] = (char *) luser; 96 + args[2] = princname; 97 + args[3] = NULL; 98 + execv(ADMOF_PATH, args); 99 + exit(1); 100 } 101 - 102 - /* check each line */ 103 - while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) { 104 - /* null-terminate the input string */ 105 - linebuf[BUFSIZ-1] = '\0'; 106 - newline = NULL; 107 - /* nuke the newline if it exists */ 108 - if ((newline = strchr(linebuf, '\n'))) 109 - *newline = '\0'; 110 - if (!strcmp(linebuf, princname)) { 111 - isok = TRUE; 112 - continue; 113 - } 114 - /* clean up the rest of the line if necessary */ 115 - if (!newline) 116 - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 138 117 139 + if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) { 118 + isok=TRUE;119 140 + result = ACCEPT; 141 + } 120 142 + 143 cleanup: 121 144 free(princname); 122 - fclose(fp); 123 return(isok); 145 - free(filename); 146 - if (fp != NULL) 147 - fclose(fp); 148 /* If k5login files are non-authoritative, never reject. */ 149 return (!authoritative && result == REJECT) ? PASS : result; 124 150 } 125 -
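Review bot: In the forked child that k5login_ok now creates, the fallback after a failed `execv` is `exit(1)`, which runs the calling program's atexit handlers and flushes its inherited stdio buffers in the copy; `_exit(1);` is the appropriate call there. The `waitpid(pid, &status, 0) > 0` test fails closed, which is right for an authorization decision, but it does not retry on EINTR, so an interrupted wait becomes a rejection and leaves the helper unreaped; a loop such as `while ((rc = waitpid(pid, &status, 0)) == -1 && errno == EINTR) ;` would cover that. Because the helper's exit status is now the entire decision, the magic value deserves a comment at the check, for example `/* ssh-admof exits 33 only when princname may act as luser; any other status, signal or exec failure rejects */`. The helper also inherits the caller's environment and open descriptors through `execv`, so it is worth considering `execve` with a minimal environment. The page shows a patch of a patch, so the rest of the function is only partly visible here.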
trunk/server/common/patches/openafs-scripts.patch
r1693 r2066 4 4 # and Anders Kaseorg <andersk@mit.edu> 5 5 # and Edward Z. Yang <ezyang@mit.edu> 6 # and Benjamin Kaduk <kaduk@mit.edu> 7 # and Alexander Chernyakhovsky <achernya@mit.edu> 6 8 # 7 9 # This file is available under both the MIT license and the GPL. … … 43 45 # See /COPYRIGHT in this repository for more information. 44 46 # 45 diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c 46 --- openafs-1.4/src/afs/afs_analyze.c 47 +++ openafs-1.4+scripts/src/afs/afs_analyze.c 48 @@ -585,7 +585,7 @@ 49 (afid ? afid->Fid.Volume : 0)); 50 } 51 52 - if (areq->busyCount > 100) { 53 + if (1) { 54 if (aerrP) 55 (aerrP->err_Volume)++; 56 areq->volumeError = VOLBUSY; 57 diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c 58 --- openafs-1.4/src/afs/LINUX/osi_vnodeops.c 59 +++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c 60 @@ -896,6 +896,28 @@ 47 diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c 48 index 7c7705e..0d0e94f 100644 49 --- a/src/afs/LINUX/osi_vnodeops.c 50 +++ b/src/afs/LINUX/osi_vnodeops.c 51 
@@ -904,6 +904,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags) 61 52 /* should we always update the attributes at this point? */ 62 53 /* unlikely--the vcache entry hasn't changed */ 63 54 64 55 + /* [scripts] This code makes hardlinks work correctly. 65 + 66 + 67 + 68 + 69 + 70 + 71 + 72 + 73 + 74 + 75 + 76 + 77 + 78 + 79 + 80 + 81 + 82 + 83 + 56 + * 57 + * We want Apache to be able to read a file with hardlinks 58 + * named .htaccess and foo to be able to read it via .htaccess 59 + * and not via foo, regardless of which name was looked up 60 + * (remember, inodes do not have filenames associated with them.) 61 + * 62 + * It is important that we modify the existing cache entry even 63 + * if it is otherwise totally valid and would not be reloaded. 64 + * Otherwise, it won't recover from repeatedly reading the same 65 + * inode via multiple hardlinks or different names. Specifically, 66 + * Apache will be able to read both names if it was first looked 67 + * up (by anyone!) via .htaccess, and neither if it was first 68 + * looked up via foo. 69 + * 70 + * With regards to performance, the strncmp() is bounded by 71 + * three characters, so it takes O(3) operations. If this code 72 + * is extended to all static-cat extensions, we'll want to do 73 + * some clever hashing using gperf here. 74 + */ 84 75 + vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0; 85 76 + 77 dput(parent); 86 78 } else { 87 79 #ifdef notyet 88 pvcp = VTOAFS(dp->d_parent->d_inode); /* dget_parent()? */ 89 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c 90 --- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c 91 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c 92 @@ -1572,6 +1572,12 @@ 80 diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c 81 index eabcfeb..6390850 100644 82 --- a/src/afs/VNOPS/afs_vnop_access.c 83 +++ b/src/afs/VNOPS/afs_vnop_access.c 84 
@@ -130,6 +130,15 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, 85 dirBits = PRSFS_LOOKUP | PRSFS_READ; 86 return (arights == (dirBits & arights)); 87 } 88 + if ( areq->uid == globalpag && 89 + !(areq->realuid == avc->f.fid.Fid.Volume) && 90 + !((avc->f.anyAccess | arights) == avc->f.anyAccess) && 91 + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) && 92 + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) && 93 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) && 94 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) { 95 + return 0; 96 + } 97 return (arights == afs_GetAccessBits(avc, arights, areq)); 98 } else { 99 /* some rights come from dir and some from file. Specifically, you 100 @@ -183,6 +192,19 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, 101 fileBits |= PRSFS_READ; 102 } 103 } 104 + 105 + if ( areq->uid == globalpag && 106 + !(areq->realuid == avc->f.fid.Fid.Volume) && 107 + !((avc->f.anyAccess | arights) == avc->f.anyAccess) && 108 + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) && 109 + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) && 110 + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && 111 + (avc->f.m.Mode == 0100777 || avc->apache_access)) && 112 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) && 113 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) { 114 + return 0; 115 + } 116 + 117 return ((fileBits & arights) == arights); /* true if all rights bits are on */ 118 } 119 } 120 diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c 121 index b3931e5..71ef05c 100644 122 --- a/src/afs/VNOPS/afs_vnop_attrs.c 123 +++ b/src/afs/VNOPS/afs_vnop_attrs.c 124 
@@ -88,8 +88,8 @@ afs_CopyOutAttrs(struct vcache *avc, struct vattr *attrs) 125 } 126 } 127 #endif /* AFS_DARWIN_ENV */ 128 - attrs->va_uid = fakedir ? 0 : avc->f.m.Owner; 129 - attrs->va_gid = fakedir ? 0 : avc->f.m.Group; /* yeah! */ 130 + attrs->va_uid = fakedir ? 0 : avc->f.fid.Fid.Volume; 131 + attrs->va_gid = (avc->f.m.Owner == DAEMON_SCRIPTS_PTSID ? avc->f.m.Group : avc->f.m.Owner); 132 #if defined(AFS_SUN56_ENV) 133 attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0]; 134 #elif defined(AFS_DARWIN80_ENV) 135 diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c 136 index 8e7af1c..7e984e9 100644 137 --- a/src/afs/VNOPS/afs_vnop_lookup.c 138 +++ b/src/afs/VNOPS/afs_vnop_lookup.c 139 @@ -1877,6 +1877,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr 93 140 } 94 141 95 142 done: 96 143 + if (tvc) { 97 + 98 + 99 + 144 + /* [scripts] check Apache's ability to read this file, so that 145 + * we can figure this out on an access() call */ 146 + tvc->apache_access = strncmp(aname, ".ht", 3) == 0; 100 147 + } 101 148 + … … 103 150 if (tname != aname && tname) 104 151 osi_FreeLargeSpace(tname); 105 diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h 106 --- openafs-1.4/src/afs/afs.h 107 +++ openafs-1.4+scripts/src/afs/afs.h 108 @@ -208,8 +208,16 @@ 109 #define QTOC(e) QEntry(e, struct cell, lruq) 110 #define QTOVH(e) QEntry(e, struct vcache, vhashq) 152 diff --git a/src/afs/afs.h b/src/afs/afs.h 153 index fcc4c70..0d53af6 100644 154 --- a/src/afs/afs.h 155 +++ b/src/afs/afs.h 156 @@ -233,8 +233,16 @@ struct afs_slotlist { 157 struct afs_slotlist *next; 158 }; 111 159 112 160 +#define AFSAGENT_UID (101) … … 123 171 afs_int32 flags; /* things like O_SYNC, O_NONBLOCK go here */ 124 172 char initd; /* if non-zero, Error fields meaningful */ 125 @@ - 743,6 +751,7 @@173 
@@ -887,6 +895,7 @@ struct vcache { 126 174 #ifdef AFS_SUN5_ENV 127 s hort multiPage; /* count of multi-page getpages in progress */175 struct afs_q multiPage; /* list of multiPage_range structs */ 128 176 #endif 129 177 + int apache_access; /* whether or not Apache has access to a file */ … … 131 179 132 180 #define DONT_CHECK_MODE_BITS 0 133 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c 134 --- openafs-1.4/src/afs/afs_osi_pag.c 135 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c 136 @@ -49,6 +49,8 @@ 181 diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c 182 index 1834e6d..673a8e6 100644 183 --- a/src/afs/afs_analyze.c 184 +++ b/src/afs/afs_analyze.c 185 @@ -368,7 +368,7 @@ afs_Analyze(struct afs_conn *aconn, afs_int32 acode, 186 (afid ? afid->Fid.Volume : 0)); 187 } 188 189 - if (areq->busyCount > 100) { 190 + if (1) { 191 if (aerrP) 192 (aerrP->err_Volume)++; 193 areq->volumeError = VOLBUSY; 194 diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c 195 index c888605..ff5cf2d 100644 196 --- a/src/afs/afs_osi_pag.c 197 +++ b/src/afs/afs_osi_pag.c 198 @@ -49,6 +49,8 @@ afs_uint32 pagCounter = 0; 137 199 #endif 138 200 /* Local variables */ … … 143 205 * Pags are implemented as follows: the set of groups whose long 144 206 * representation is '41XXXXXX' hex are used to represent the pags. 145 @@ -4 49,6 +451,15 @@146 av->uid = a cred->cr_ruid; /* default when no pag is set */207 
@@ -484,6 +486,15 @@ afs_InitReq(struct vrequest *av, afs_ucred_t *acred) 208 av->uid = afs_cr_uid(acred); /* default when no pag is set */ 147 209 #endif 148 210 } 149 211 + 150 + av->realuid = a cred->cr_ruid;151 + if(!globalpag && a cred->cr_ruid == AFSAGENT_UID) {212 + av->realuid = afs_cr_uid(acred); 213 + if(!globalpag && av->realuid == AFSAGENT_UID) { 152 214 + globalpag = av->uid; 153 215 + } 154 + else if (globalpag && av->uid == a cred->cr_ruid) {216 + else if (globalpag && av->uid == av->realuid) { 155 217 + av->uid = globalpag; 156 218 + } … … 159 221 } 160 222 161 diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c 162 --- openafs-1.4/src/afs/afs_pioctl.c 163 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c 164 @@ -1221,6 +1221,10 @@ 165 struct AFSFetchStatus OutStatus; 223 diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c 224 index f282510..00f1360 100644 225 --- a/src/afs/afs_pioctl.c 226 +++ b/src/afs/afs_pioctl.c 227 @@ -1406,6 +1406,10 @@ DECL_PIOCTL(PSetAcl) 228 struct rx_connection *rxconn; 166 229 XSTATS_DECLS; 167 230 168 231 + if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) { 169 + return EACCES;232 + return EACCES; 170 233 + } 171 234 + … … 173 236 if (!avc) 174 237 return EINVAL; 175 @@ -1 441,6 +1445,10 @@238 @@ -1790,6 +1794,10 @@ DECL_PIOCTL(PSetTokens) 176 239 struct vrequest treq; 177 240 afs_int32 flag, set_parent_pag = 0; … … 184 247 if (!afs_resourceinit_flag) { 185 248 return EIO; 186 @@ -1800,6 +1808,10 @@ 187 afs_int32 iterator; 249 
@@ -2231,6 +2239,11 @@ DECL_PIOCTL(PGetTokens) 188 250 int newStyle; 251 int code = E2BIG; 189 252 190 253 + if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID && 191 + areq->realuid != 0 && areq->realuid != SIGNUP_UID) 254 + areq->realuid != 0 && areq->realuid != SIGNUP_UID) { 192 255 + return EDOM; 256 + } 193 257 + 194 258 AFS_STATCNT(PGetTokens); 195 259 if (!afs_resourceinit_flag) /* afs daemons haven't started yet */ 196 260 return EIO; /* Inappropriate ioctl for device */ 197 @@ - 1883,6 +1895,10 @@198 registerafs_int32 i;199 registerstruct unixuser *tu;261 @@ -2341,6 +2354,10 @@ DECL_PIOCTL(PUnlog) 262 afs_int32 i; 263 struct unixuser *tu; 200 264 201 265 + if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) { … … 206 270 if (!afs_resourceinit_flag) /* afs daemons haven't started yet */ 207 271 return EIO; /* Inappropriate ioctl for device */ 208 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c209 --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c210 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c211 @@ -118,6 +118,17 @@212 213 if ((vType(avc) == VDIR) || (avc->states & CForeign)) {214 /* rights are just those from acl */215 +216 + if ( areq->uid == globalpag &&217 + !(areq->realuid == avc->fid.Fid.Volume) &&218 + !((avc->anyAccess | arights) == avc->anyAccess) &&219 + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&220 + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&221 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&222 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {223 + return 0;224 + }225 +226 return (arights == afs_GetAccessBits(avc, arights, areq));227 } else {228 /* some rights come from dir and some from file. Specifically, you229 
@@ -171,6 +182,19 @@230 fileBits |= PRSFS_READ;231 }232 }233 +234 + if ( areq->uid == globalpag &&235 + !(areq->realuid == avc->fid.Fid.Volume) &&236 + !((avc->anyAccess | arights) == avc->anyAccess) &&237 + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&238 + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&239 + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&240 + (avc->m.Mode == 0100777 || avc->apache_access)) &&241 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&242 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {243 + return 0;244 + }245 +246 return ((fileBits & arights) == arights); /* true if all rights bits are on */247 }248 }249 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c250 --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c251 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c252 @@ -87,8 +87,8 @@253 }254 }255 #endif /* AFS_DARWIN_ENV */256 - attrs->va_uid = fakedir ? 0 : avc->m.Owner;257 - attrs->va_gid = fakedir ? 0 : avc->m.Group; /* yeah! */258 + attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;259 + attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);260 #if defined(AFS_SUN56_ENV)261 attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];262 #elif defined(AFS_OSF_ENV) -
trunk/server/doc/install-fedora
r1698 r2066 6 6 lvcreate -n $MACHINE-root --size 50.00G $HOST 7 7 lvcreate -n $MACHINE-swap --size 10.00G $HOST 8 lvcreate -n $MACHINE-cache --size 11.00G $HOST 9 10 /-------------------------------------------------------------------\ 11 Note: If you need to manually format the the swap and cache 12 partitions (for example, you are migrating a host from 'migrate'), 13 these commands should work. If in doubt, consult the kickstart. 14 15 # Use fdisk to generate a DOS partition table, and a single 16 # partition extending the entire volume. 17 fdisk /dev/$HOST/$MACHINE-swap 18 fdisk /dev/$HOST/$MACHINE-cache 19 # Figure out what kpartx is going to make the devices as 20 # (e.g. $SWAP_DEV and $CACHE_DEV) 21 kpartx -l /dev/$HOST/$MACHINE-swap 22 kpartx -l /dev/$HOST/$MACHINE-cache 23 # Read out the partition tables 24 kpartx -a /dev/$HOST/$MACHINE-swap 25 kpartx -a /dev/$HOST/$MACHINE-cache 26 27 # FORMAT! 28 mkswap $SWAP_DEV 29 mkfs.ext4 -O ^has_journal -m 0 -N 1000000 $CACHE_DEV 30 31 # Remove the devices 32 kpartx -d /dev/$HOST/$MACHINE-swap 33 kpartx -d /dev/$HOST/$MACHINE-cache 34 \-------------------------------------------------------------------/ 35 36 Make sure that the console has an entry for this host: 37 38 vim /etc/conserver/conserver.cf 39 40 If it doesn't, add: 41 42 console $MACHINE { 43 master $HOST; 44 include xen; 45 } 8 46 9 47 We use Kickstart to to initial Fedora configuration. Installing a new -
trunk/server/doc/install-howto.sh
r1961 r2066 7 7 # [WIZARD] Semi-production server that will only have 8 8 # daemon.scripts-security-upd bits, among other 9 # restricted permissions bits, among other10 # restricted permissions bits, among other11 # restricted permissions bits, among other12 9 # restricted permissions 13 10 # [TESTSERVER] Completely untrusted server 14 15 set -e -x16 17 # Some commands should be run as the scripts-build user, not root.18 19 alias asbuild="sudo -u scripts-build"20 21 # Old versions of this install document advised setting22 # NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using23 # yum, warning that useradd will query LDAP in a stupid way that makes24 # it hang forever. As of Fedora 13, this does not seem to be a problem,25 # so it's been removed from the instructions. If an install is hanging,26 # though, try adding NSS_NONLOCAL_IGNORE.27 11 28 12 # This is actually just "pick an active scripts server". It can't be … … 41 25 server=YOUR-SERVER-NAME-HERE 42 26 43 # Start with a Scripts kickstarted install of Fedora (install-fedora) 44 45 # Take updates, reboot if there's a kernel update. 46 yum update -y 47 48 # Get rid of network manager 49 yum remove NetworkManager 50 51 # Copy over root's dotfiles from one of the other machines. 52 # Perhaps a useful change is to remove the default aliases 53 cd /root 54 ls -l .bashrc 55 ls -l .screenrc 56 ls -l .ssh 57 ls -l .vimrc 58 ls -l .k5login 59 # [PRODUCTION] This rc file has sensitive data on it and should only 60 # be pushed onto production servers. 61 ls -l .ldapvirc 62 # Trying to scp from server to server won't work, as scp 63 # will attempt to negotiate a server-to-server connection. 64 # Instead, scp to your trusted machine as a temporary file, 65 # and then push to the other server 66 scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} . 67 scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~ 68 # [PRODUCTION] 69 scp root@$source_server:~/.ldapvirc . 
70 scp .ldapvirc root@$server:~ 71 72 # Install the initial set of credentials (to get Kerberized logins once 73 # krb5 is installed). Otherwise, SCP'ing things in will be annoying. 74 # o Install the machine keytab. 75 ls -l /etc/krb5.keytab 76 # Use ktutil to combine the host/scripts.mit.edu and 77 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 78 # the keytab. Do not use 'k5srvutil change' on the combined keytab 79 # or you'll break the other servers. (real servers only). Be 80 # careful about writing out the keytab: if you write it to an 81 # existing file the keys will just get appended. The correct 82 # credential list should look like: 83 # ktutil: l 84 # slot KVNO Principal 85 # ---- ---- --------------------------------------------------------------------- 86 # 1 5 host/old-faithful.mit.edu@ATHENA.MIT.EDU 87 # 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU 88 # 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU 89 # o [PRODUCTION] Replace the ssh host keys with the ones common to all 90 # scripts servers (real servers only) 91 ls -l /etc/ssh/*key* 92 # You can do that with: 93 scp root@$source_server:/etc/ssh/*key* . 94 scp *key* root@$server:/etc/ssh/ 95 service sshd reload 96 97 # Check out the scripts /etc configuration 98 # backslash to make us not use the alias 99 cd /root 100 \cp -a etc / 101 chmod 0440 /etc/sudoers 102 27 # ----------------------------->8-------------------------------------- 28 # FIRST TIME INSTRUCTIONS 29 # 103 30 # [PRODUCTION] If this is the first time you've installed this hostname, 104 31 # you will need to update a bunch of files to add support for it. These … … 120 47 # o Set up Nagios monitoring on sipb-noc for the host 121 48 # o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf 122 XXX TODO COMMANDS 123 124 # NOTE: You will have just lost DNS resolution and the ability 125 # to do password SSH in. 
If you managed to botch this step without 126 # having named setup, you can do a quick fix by frobbing /etc/resolv.conf 127 # with a non 127.0.0.1 address for the DNS server. Be sure to revert it once 128 # you have named. 129 130 # NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow 131 # password auth) and /etc/pam.d/sshd (comment out the first three auth 132 # lines). However, you should have the Kerberos credentials in place 133 # so as soon as you install the full set of Scripts packages, you'll get 134 # Kerberized logins. 135 136 # Make sure network is working. If this is a new server name, you'll 137 # need to add it to /etc/hosts and 138 # /etc/sysconfig/network-scripts/route-eth1. Kickstart should have 49 # o Update locker/etc/known_hosts 50 # 51 # You will also need to prepare the keytabs for credit-card. In particular, 52 # use ktutil to combine the host/scripts.mit.edu and 53 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 54 # the keytab. Do not use 'k5srvutil change' on the combined keytab 55 # or you'll break the other servers. (real servers only). Be 56 # careful about writing out the keytab: if you write it to an 57 # existing file the keys will just get appended. The correct 58 # credential list should look like: 59 # ktutil: l 60 # slot KVNO Principal 61 # ---- ---- --------------------------------------------------------------------- 62 # 1 5 host/old-faithful.mit.edu@ATHENA.MIT.EDU 63 # 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU 64 # 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU 65 # 66 # The LDAP keytab should be by itself, so be sure to delete it and 67 # put it in its own file. 68 69 # ----------------------------->8-------------------------------------- 70 # INFINITE INSTALLATION 71 72 # Start with a Scripts kickstarted install of Fedora (install-fedora) 73 74 # Take updates, reboot if there's a kernel update. 
75 yum update -y 76 77 # Get rid of network manager (XXX figure out to make kickstarter do 78 # this for us) 79 yum remove NetworkManager 80 81 # Make sure sendmail isn't installed 82 yum remove sendmail 83 84 # Check out the scripts /etc configuration 85 cd /root 86 \cp -a etc / 87 chmod 0440 /etc/sudoers 88 89 # Make sure network is working. Kickstart should have 139 90 # configured eth0 and eth1 correctly; use service network restart 140 # to add the new routes in route-eth1. 141 service network restart 91 # to add the new routes from etc in route-eth1. 92 systemctl restart network.service 93 # Check everything worked: 142 94 route 143 95 ifconfig … … 151 103 # Some of these packages are naughty and clobber some of our files 152 104 cd /etc 153 svn revert resolv.conf hosts sysconfig/openafs 105 svn revert resolv.conf hosts sysconfig/openafs nsswitch.conf 154 106 155 107 # Replace rsyslog with syslog-ng by doing: 156 108 rpm -e --nodeps rsyslog 157 109 yum install -y syslog-ng 158 chkconfig syslog-ng on 159 160 # [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs 161 # mapping. 162 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 163 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 164 165 # [TESTSERVER] If you're installing a test server, this needs to be 166 # much smaller; the max filesize on XVM is 10GB. Pick something like 167 # 500000. Also, some of the AFS parameters are kind of retarded (and if 168 # you're low on disk space, will actually exhaust our inodes). Edit 169 # these parameters in /etc/sysconfig/openafs 170 echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo 171 XXX TODO COMMANDS 172 173 # Test that zephyr is working 174 chkconfig zhm on 175 service zhm start 176 echo 'Test!' | zwrite -d -c scripts -i test 110 systemctl enable syslog-ng.service 177 111 178 112 # Install the full list of RPMs that users expect to be on the … … 184 118 # it can't install /one/ package. 
185 119 yum install -y --skip-broken $(cat packages.txt) 186 187 # Make sure sendmail isn't installed188 yum remove sendmail189 120 190 121 # Check which packages are installed on your new server that are not … … 204 135 # explicit versions. So temporarily rpm -e the package, and then 205 136 # install it again after you install haskell-platform. [Note: You 206 # probably won't need this in Fedora 1 5or something, when the Haskell137 # probably won't need this in Fedora 17 or something, when the Haskell 207 138 # Platform gets updated.] 208 139 rpm -e ghc-cgi-devel ghc-cgi … … 212 143 rpm -i ghc-cgi*1.8.1*.rpm 213 144 214 # Check out the scripts /usr/vice/etc configuration 215 cd /root/vice 216 \cp -a etc /usr/vice 145 # ----------------------------->8-------------------------------------- 146 # SPHEROID SHENANIGANS 147 148 # Note: Since ultimately we'd like to move away from using per-language 149 # package manager and all of these be RPMs, it is of questionable 150 # importance how much /good/ automation for these is necessary. 151 152 # Warning: For a new release, we're supposed to check if Fedora has 153 # packaged up the RPM. Unfortunately we don't really have good incants 154 # for this. 217 155 218 156 # Install the full list of perl modules that users expect to be on the … … 242 180 # want to be able to write to ~/.python-eggs. (Also makes sourcediving 243 181 # easier.) 244 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt 182 # 'easy_install AuthKit jsonlib2 pygit' 183 cat /usr/lib/python2.7/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt 245 184 cat egg.txt | xargs easy_install -Z 185 246 186 # - Look at `gem list` for Ruby gems. 247 187 # Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'. 248 188 # ezyang: rspec-rails depends on rspec, and will override the Yum 249 189 # package, so... 
don't use that RPM yet 190 # XXX This doesn't do the right thing for old version gems 250 191 gem list --no-version > gem.txt 251 192 gem install $(gem list --no-version | grep -Fxvf - gem.txt) 193 # Also, we need to install the old rails version 194 gem install -v=2.3.5 rails 195 252 196 # - Look at `pear list` for Pear fruits (or whatever they're called). 253 197 # Yet again, 'yum search' for RPMs before resorting to 'pear install'. Note … … 258 202 pear channel-update pear.php.net 259 203 pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt) 204 260 205 # - Look at `pecl list` for PECL things. 'yum search', and if you must, 261 206 # 'pecl install' needed items. If it doesn't work, try 'pear install … … 264 209 pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt) 265 210 266 # Setup some Python config 267 echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth 268 269 # [PRODUCTION] Install the credentials. There are a lot of things to 270 # remember here. Be sure to make sure the permissions match up (ls -l 271 # on an existing server!). 272 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} . 
273 scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc 274 scp scripts.key root@$server:/etc/pki/tls/private 275 scp .k5login root@$server:/home/logview 276 # o The SSL cert private key (real servers only) 277 ls -l /etc/pki/tls/private/scripts.key 278 # o The LDAP password for the signup process (real servers only) 279 ls -l /etc/signup-ldap-pw 280 # o The whoisd password (real servers only) 281 ls -l /etc/whoisd-password 282 # o Make sure logview's .k5login is correct (real servers only) 283 cat /home/logview/.k5login 284 285 # All types of servers will have an /etc/daemon.keytab file, however, 286 # different types of server will have different credentials in this 287 # keytab. 288 # [PRODUCTION] daemon.scripts 289 # [WIZARD] daemon.scripts-security-upd 290 # [TESTSERVER] daemon.scripts-test 291 k5srvutil list -f daemon.keytab 292 scp daemon.keytab root@$server:/etc 293 chown afsagent:afsagent /etc/daemon.keytab 294 # o The daemon.scripts keytab (will be daemon.scripts-test for test) 295 ls -l /etc/daemon.keytab 296 297 # Spin up OpenAFS. This will fail if there's been a new kernel since 298 # when you last tried. In that case, you can hold on till later to 299 # start OpenAFS. This will take a little bit of time; 300 service openafs-client start 301 # Then, check that fs sysname is correct. You should see, among others, 302 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you 303 # probably did a distro upgrade and should update /etc/sysconfig/openafs. 211 # ----------------------------->8-------------------------------------- 212 # INFINITE CONFIGURATION 213 214 # Create fedora-ds user (needed for credit-card) 215 useradd -u 103 -r -d /var/lib/dirsrv fedora-ds 216 217 # Run credit-card to clone in credentials and make things runabble 218 python host.py push $server 219 220 # This is superseded by credit-card, but only for [PRODUCTION] 221 # Don't use credit-card on [WIZARD]: it will put in the wrong creds! 
222 # 223 # # All types of servers will have an /etc/daemon.keytab file, however, 224 # # different types of server will have different credentials in this 225 # # keytab. 226 # # [PRODUCTION] daemon.scripts 227 # # [WIZARD] daemon.scripts-security-upd 228 # # [TESTSERVER] daemon.scripts-test 229 230 # [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs 231 # mapping. 232 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 233 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 234 # [TESTSERVER] If you're installing a test server, this needs to be 235 # much smaller; the max filesize on XVM is 10GB. Pick something like 236 # 500000. Also, some of the AFS parameters are kind of retarded (and if 237 # you're low on disk space, will actually exhaust our inodes). Edit 238 # these parameters in /etc/sysconfig/openafs (but wait, that won't 239 # work, will it...) 240 echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo 241 vim /etc/sysconfig/openafs 242 243 # Test that zephyr is working 244 systemctl enable zhm.service 245 systemctl start zhm.service 246 echo 'Test!' | zwrite -d -c scripts -i test 247 248 # Check out the scripts /usr/vice/etc configuration 249 cd /root/vice 250 \cp -a etc /usr/vice 251 252 # [PRODUCTION] Set up replication (see ./install-ldap). 
253 # You'll need the LDAP keytab for this server: be sure to chown it 254 # fedora-ds after you create the fedora-ds user 255 ls -l /etc/dirsrv/keytab 256 cat install-ldap 257 258 # Enable lots of services 259 systemctl enable openafs-client.service 260 systemctl enable dirsrv.service 261 systemctl enable nslcd.service 262 systemctl enable nscd.service 263 systemctl enable postfix.service 264 systemctl enable nrpe.service 265 systemctl enable httpd.service # not for [WIZARD] 266 267 systemctl start openafs-client.service 268 systemctl start dirsrv.service 269 systemctl start nslcd.service 270 systemctl start nscd.service 271 systemctl start postfix.service 272 systemctl start nrpe.service 273 systemctl start httpd.service # not for [WIZARD] 274 275 # Note about OpenAFS: Check that fs sysname is correct. You should see, 276 # among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's 277 # not, you probably did a distro upgrade and should update 278 # /etc/sysconfig/openafs (XXX this is wrong: figuring out new 279 # systemd world order). 304 280 fs sysname 281 282 # Postfix doesn't actually deliver mail; fix this 283 cd /etc/postfix 284 postmap virtual 285 286 # Munin might not be monitoring packages that were installed after it 287 munin-node-configure --suggest --shell | sh 288 289 # Run fmtutil-sys --all, which does something that makes TeX work. 290 # (Note: this errors on XeTeX which is ok.) 291 fmtutil-sys --all 292 293 # Ensure that PHP isn't broken: 294 mkdir /tmp/sessions 295 chmod 01777 /tmp/sessions 296 # XXX: this seems to get deleted if tmp gets cleaned up, so we 297 # might need something a little better (maybe init script.) 298 299 # Fix etc by making sure none of our config files got overwritten 300 cd /etc 301 svn status -q 302 # Some usual candidates for clobbering include nsswitch.conf, 303 # resolv.conf and sysconfig/openafs 304 # [WIZARD/TEST] Remember that changes you made should not get 305 # reverted! 
306 307 # Reboot the machine to restore a consistent state, in case you 308 # changed anything. (Note: Starting kdump fails (this is ok)) 309 310 # When all is said and done, fix up the Subversion checkouts 311 cd /etc 312 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 313 cd /usr/vice/etc 314 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 315 cd /srv/repository 316 # Some commands should be run as the scripts-build user, not root. 317 alias asbuild="sudo -u scripts-build" 318 asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 319 asbuild svn up # verify scripts.mit.edu works 320 321 # ------------------------------->8------------------------------- 322 # ADDENDA AND MISCELLANEOUS THINGS 323 324 # [OPTIONAL] Your machine's hostname is baked in at install time; 325 # in the rare case you need to change it: it appears to be in: 326 # o /etc/sysconfig/network 327 # o your lvm thingies; probably don't need to edit 305 328 306 329 # [WIZARD/TESTSERVER] If you are setting up a non-production server, … … 337 360 vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu 338 361 339 # [PRODUCTION] Set up replication (see ./install-ldap).340 # You'll need the LDAP keytab for this server: be sure to chown it341 # fedora-ds after you create the fedora-ds user342 ls -l /etc/dirsrv/keytab343 cat install-ldap344 345 # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at346 # boot. 
Run chkconfig to make sure the set of services to be run is347 # correct.348 service nslcd start349 service nscd start350 service postfix start351 chkconfig nslcd on352 chkconfig nscd on353 chkconfig postfix on354 355 # [PRODUCTION]356 chkconfig dirsrv on357 358 # [PRODUCTION/TESTSERVER]359 # (Maybe WIZARD too once we start doing strange things to autoupgrade360 # installs behind firewalls.)361 service httpd start # will fail if AFS is not running362 chkconfig httpd on363 364 # nrpe is required for nagios alerts365 chkconfig nrpe on366 367 # [PRODUCTION] Check sql user credentials (needs to be done after LDAP368 # is setup)369 chown sql /etc/sql-mit-edu.cfg.php370 371 # Postfix doesn't actually deliver mail; fix this372 cd /etc/postfix373 postmap virtual374 375 # Munin might not be monitoring packages that were installed after it376 munin-node-configure --suggest --shell | sh377 378 # Run fmtutil-sys --all, which does something that makes TeX work.379 # (Note: this errors on XeTeX which is ok.)380 fmtutil-sys --all381 382 # Ensure that PHP isn't broken:383 mkdir /tmp/sessions384 chmod 01777 /tmp/sessions385 # XXX: this seems to get deleted if tmp gets cleaned up, so we386 # might need something a little better (maybe init script.)387 388 # Ensure fcgid isn't broken (should be 755)389 ls -ld /var/run/mod_fcgid390 391 # Fix etc by making sure none of our config files got overwritten392 cd /etc393 svn status -q394 # Some usual candidates for clobbering include nsswitch.conf and395 # sysconfig/openafs396 # [WIZARD/TEST] Remember that changes you made should not get397 # reverted!398 399 # ThisCell got clobbered, replace it with athena.mit.edu400 echo "athena.mit.edu" > /usr/vice/etc/ThisCell401 402 # Reboot the machine to restore a consistent state, in case you403 # changed anything. 
(Note: Starting kdump fails (this is ok))404 405 # [OPTIONAL] Your machine's hostname is baked in at install time;406 # in the rare case you need to change it: it appears to be in:407 # o /etc/sysconfig/network408 # o your lvm thingies; probably don't need to edit409 410 362 # [TESTERVER] 411 363 # - You need a self-signed SSL cert or Apache will refuse to start … … 420 372 # be an accepted vhost name 421 373 # - Look at the old test server and see what config changes are floating around 422 423 # XXX: our SVN checkout should be updated to use scripts.mit.edu424 # (repository and etc) once serving actually works.425 cd /etc426 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/427 cd /usr/vice/etc428 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/429 cd /srv/repository430 asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/431 asbuild svn up # verify scripts.mit.edu works -
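Review bot: Nothing after `python host.py push $server` in the INFINITE CONFIGURATION section checks the owner or mode of the credentials that credit-card installs. The text this revision removes had explicit `ls -l` checks on `/etc/pki/tls/private/scripts.key`, `/etc/signup-ldap-pw`, `/etc/whoisd-password` and `/etc/daemon.keytab`, plus `chown afsagent:afsagent /etc/daemon.keytab` and `chown sql /etc/sql-mit-edu.cfg.php`. If credit-card sets these itself (not visible on this page), add a comment saying so; otherwise keep a single verification line after the push, for example `ls -l /etc/daemon.keytab /etc/pki/tls/private/scripts.key /etc/signup-ldap-pw /etc/whoisd-password`. The warning `# Don't use credit-card on [WIZARD]: it will put in the wrong creds!` also sits below the command it guards, so someone working top to bottom reaches the push first. Moving it directly above the `python host.py push $server` line and tagging that line `# [PRODUCTION]` would match how the rest of the file marks server-type-specific steps.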
trunk/server/doc/install-ldap
r1986 r2066 1 To set up a new LDAP server: 2 3 - Install the RPM 389-ds-base with yum (these are installed by kickstart 4 these days, so these two steps are probably not necessary) 5 root# yum install -y 389-ds-base 6 root# yum install -y policycoreutils-python 7 root# yum install -y ldapvi 8 - We want to run the directory server as its own user, so create fedora-ds 9 root# useradd -r -d /var/lib/dirsrv fedora-ds 10 - Temporarily move away the existing slapd-scripts folder 11 root# mv /etc/dirsrv/slapd-scripts{,.bak} 12 - root# /usr/sbin/setup-ds.pl 13 - Choose a typical install 14 - Tell it to use the fedora-ds user and group 15 - Directory server identifier: scripts 16 Needed to remove this from the config file first 17 - Suffix: dc=scripts,dc=mit,dc=edu 18 - Input directory manager password 19 (this can be found in ~/.ldapvirc) 20 - Move the schema back 21 root# cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts 22 root# rm -Rf /etc/dirsrv/slapd-scripts.bak 23 - Turn dirsrv off: service dirsrv stop 24 - Apply the following configuration changes. If you're editing 25 dse.ldif, you don't want dirsrv to be on, otherwise it will 26 overwrite your changes. [XXX: show how to do these changes with 27 dsconf, which is the "blessed" method] 1 # To set up a new LDAP server: 2 3 # Temporarily move away the existing slapd-scripts folder 4 mv /etc/dirsrv/slapd-scripts{,.bak} 5 6 # Setup directory server 7 /usr/sbin/setup-ds.pl 8 # - Choose a typical install 9 # - Tell it to use the fedora-ds user and group 10 # - Directory server identifier: scripts 11 # - Suffix: dc=scripts,dc=mit,dc=edu 12 # - Input directory manager password 13 # (this can be found in ~/.ldapvirc) 14 15 # Move the schema back 16 cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts 17 rm -Rf /etc/dirsrv/slapd-scripts.bak 18 19 # Turn dirsrv off: 20 systemctl stop dirsrv.service 21 22 # Apply the following configuration changes. 
If you're editing 23 # dse.ldif, you don't want dirsrv to be on, otherwise it will 24 # overwrite your changes. [XXX: show how to do these changes with 25 # dsconf, which is the "blessed" method, although it seems 26 # dsconf only exists for Red Hat] 27 28 vim /etc/dirsrv/slapd-scripts/dse.ldif 29 <<<EOF 28 30 29 31 # Inside cn=config. These changes definitely require a restart. 30 nsslapd-ldapifilepath: /var/run/slapd-scripts.socket31 32 nsslapd-ldapilisten: on 32 33 nsslapd-syntaxcheck: off 34 35 # We need to turn off syntax check because our schema is wrong and too 36 # restrictive on some value. This should get fixed. 33 37 34 38 # Add these blocks … … 46 50 nsSaslMapFilterTemplate: (objectClass=posixAccount) 47 51 48 - Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab. Make 49 sure you chown/chgrp it to be readable by fedora-ds 50 - Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME 51 - chown fedora-ds:fedora-ds /var/run/dirsrv 52 - chown fedora-ds /etc/dirsrv/keytab 53 - /sbin/service dirsrv start 54 - Use ldapvi -b cn=config to add these indexes (8 of them): 52 EOF; 53 54 systemctl start dirsrv.service 55 56 ldapvi -b cn=config 57 # Add these indexes (8 of them): 58 59 <<<EOF 55 60 56 61 add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config … … 117 122 nsIndexType: eq 118 123 nsIndexType: pres 124 125 EOF; 119 126 120 127 - Build the indexes for all the fields: … … 181 188 182 189 Here's how you do it. 190 191 NOTE: There's this spiffy new tool MMR hammer which automates some of 192 this process. Check the "MMR Hammer" sections to see how. Install it 193 here: https://github.com/ezyang/mmr-hammer 183 194 184 195 0. 
Tell -c scripts not to go off and reboot servers until you're … … 209 220 nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 210 221 nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 222 nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 211 223 nsds5ReplicaPurgeDelay: 604800 212 224 nsds5ReplicaLegacyConsumer: off … … 223 235 for just $MASTER. 224 236 237 REMEMBER: You need to use FOO.mit.edu for the names! Otherwise you will get 238 unauthorized errors. 239 225 240 add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu 226 241 uid: ldap/$MASTER … … 245 260 risky step of the process; see below for help debugging problems. 246 261 247 WARNING: There is a known bug doing full updates from 1.2.6 to 248 1.2.6, see https://bugzilla.redhat.com/show_bug.cgi?id=637852 262 MMR Hammer: mmr-hammer -h $MASTER init agreements $SLAVE 263 264 ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config 249 265 250 266 add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config … … 268 284 If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER 269 285 for more information. It might be because fedora-ds can't read 270 /etc/dirsrv/keytab 286 /etc/dirsrv/keytab or because you setup the account on the SLAVE 287 incorrectly. 271 288 272 289 6. Replicate in the other direction. On $MASTER, add $SLAVE 273 290 as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config 274 Also, add an account for $SLAVE 291 Also, add an account for $SLAVE if it doesn't exist already. 275 292 276 293 add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu … … 280 297 281 298 On $SLAVE, 299 300 MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER 282 301 283 302 add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config … … 308 327 new server. 
309 328 329 With MMR hammer, that's something like: 330 331 for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done 332 310 333 8. If at this point you look at the new server's changelog with 311 334 cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you … … 316 339 also good for making sure the replication agreements actually work. 317 340 341 With MMR hammer, that's something like: 342 343 for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done 344 318 345 Troubleshooting 319 346 =============== -
trunk/server/doc/package-build-howto
r1712 r2066 50 50 51 51 * # Rebuild the repo metadata to include the new packages. 52 cd /mit/scripts/ rpm-fc[RELEASE]52 cd /mit/scripts/yum-repos/rpm-fc[RELEASE] 53 53 # If you have a trusted machine: 54 createrepo .54 createrepo -d . 55 55 # Otherwise, on a scripts server, as root: 56 56 mkdir /root/repodata-YYYYMMDD # Or any suitable temp directory 57 createrepo - o /root/repodata-YYYYMMDD .57 createrepo -d -o /root/repodata-YYYYMMDD . 58 58 # Then from your trusted machine 59 59 krootscp -r root@[BUILD-SERVER]:/root/repodata-YYYYMMDD /mit/scripts/rpm-fc[RELEASE] -
trunk/server/doc/upgrade-tips
r1695 r2066 159 159 /mit/scripts/rpm-fcXX-testing) needs to be made. It's quite simple; 160 160 all you need to do is copy the RPMs from the build server to there 161 (probably going through a trusted machine, since you don't want to 162 put your root tickets on a server.) When you're done, run `createrepo`161 (probably going through a trusted machine, since you don't want to put 162 your root tickets on a server.) When you're done, run `createrepo -d` 163 163 on the directory. 164 164 … … 197 197 hysterical raisins we still refer to our 32-bit builds as i386. 198 198 [XXX: Maybe this should change] 199 200 Until we decide that the performance impact is negligible, any new PHP 201 extensions other than the few we’ve whitelisted should be disabled by 202 emptying their .ini files in /etc/php.d. 203 204 8. Sending announcements 205 ------------------------ 206 207 Once development work has finished, we need to allow users to test 208 their websites on the new servers. 209 210 SIPB Internal Testing: Send an email to scripts-team@mit.edu 211 and -c sipb notifying them of testing procedure and known 212 issues. 213 214 General Testing: -
trunk/server/fedora/Makefile
r2001 r2066 19 19 # See /COPYRIGHT in this repository for more information. 20 20 21 upstream_yum = krb5 krb5.i686 httpd openssh curl redland-bindings22 hackage = MonadCatchIO-mtl-0.3.0. 1 cgi-3001.1.8.1unix-handle-0.0.021 upstream_yum = krb5 krb5.i686 httpd openssh redland-bindings rubygems 22 hackage = MonadCatchIO-mtl-0.3.0.2 cgi-3001.1.8.2 unix-handle-0.0.0 23 23 upstream_hackage = ghc-MonadCatchIO-mtl ghc-cgi ghc-unix-handle 24 upstream = openafs $(upstream_yum) $(upstream_hackage) moira cluster-glue heartbeat pacemakerzephyr zephyr.i686 python-zephyr athena-aclocal discuss24 upstream = openafs $(upstream_yum) $(upstream_hackage) moira zephyr zephyr.i686 python-zephyr athena-aclocal discuss 25 25 oursrc = execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i686 whoisd athrun php_scripts scripts-wizard scripts-base scripts-static-cat 26 26 allsrc = $(upstream) $(oursrc) … … 40 40 server_url = "http://web.mit.edu/scripts/src" 41 41 server_arch = "fedora.stable" 42 #openafs_url = "http://dl.openafs.org/dl/openafs/1.4.12/openafs-1.4.12-1.1.2.src.rpm" 43 openafs_url = "http://web.mit.edu/~scripts/yum-repos/rpm-fc13/openafs-1.4.12.1-1.0.pre3.src.rpm" 44 clusterglue_url = "http://kojipkgs.fedoraproject.org/packages/cluster-glue/1.0/0.11.b79635605337.hg.fc12/src/cluster-glue-1.0-0.11.b79635605337.hg.fc12.src.rpm" 45 heartbeat_url = "http://kojipkgs.fedoraproject.org/packages/heartbeat/3.0.0/0.5.0daab7da36a8.hg.fc12/src/heartbeat-3.0.0-0.5.0daab7da36a8.hg.fc12.src.rpm" 46 pacemaker_url = "http://kojipkgs.fedoraproject.org/packages/pacemaker/1.0.5/5.fc12/src/pacemaker-1.0.5-5.fc12.src.rpm" 47 zephyr_url = "http://zephyr.1ts.org/export/HEAD/distribution/zephyr-3.0.tar.gz" 42 openafs_url = "http://dl.openafs.org/dl/openafs/1.6.0/openafs-1.6.0-1.src.rpm" 43 zephyr_url = "http://zephyr.1ts.org/export/HEAD/distribution/zephyr-3.0.1.tar.gz" 48 44 49 45 PKG = $(patsubst %.i686,%,$@) … … 74 70 cd $(dload) && yumdownloader --disablerepo=scripts 
--source $(upstream_yum) 75 71 wget -P $(dload) $(openafs_url) 76 wget -P $(dload) $(clusterglue_url)77 wget -P $(dload) $(heartbeat_url)78 wget -P $(dload) $(pacemaker_url)79 72 wget -P $(dload) $(zephyr_url) 80 73 cd $(tmp_src) && wget -nd -r -l1 -np -A.orig.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-moira/ 81 cd $(tmp_src) && wget -nd -r -l1 -np -A.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-aclocal/82 cd $(tmp_src) && wget -nd -r -l1 -np -A.orig.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-discuss/83 cp $(oursrcdir)/discuss/* $(tmp_src)84 74 cabal update 85 75 cabal fetch $(hackage) … … 88 78 touch download_stamp 89 79 80 cd $(tmp_src) && wget -nd -r -l1 -np -A.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-aclocal/ 81 cd $(tmp_src) && wget -nd -r -l1 -np -A.orig.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-discuss/ 82 cp $(oursrcdir)/discuss/* $(tmp_src) 90 83 %.src.rpm: 91 84 wget -q -nv -N -B $(server_url) -nd -nH -P $(dload) $(server_url)/$*.src.rpm … … 101 94 cp ${specs}/*.spec $(tmp_specs) 102 95 96 # Remove old .orig files so we're not mislead 103 97 patch-specs: install-srpms 104 98 @cd ${tmp_specs}; \ 105 99 list=`ls ${specs}/*.spec.patch`; \ 100 rm -f *.orig; \ 101 rm -f *.spec.~*~; \ 106 102 for i in $$list; do \ 107 patch < $$i; \103 patch -bV numbered < $$i; \ 108 104 done; \ 109 105 list2=`svn ls ${oursrcdir}`; \ … … 150 146 PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ 151 147 rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec 152 /usr/bin/mock -r scripts-fc1 3-i386 --arch=i686 ${rpmbuild_args} --define="_lib lib" -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`148 /usr/bin/mock -r scripts-fc15-i386 --arch=i686 ${rpmbuild_args} --define="_lib lib" -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` 153 149 154 150 $(filter-out %.i686,$(oursrc)): %: setup 155 151 
PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ 156 152 rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec 157 /usr/bin/mock -r scripts-fc1 3-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`153 /usr/bin/mock -r scripts-fc15-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` 158 154 159 155 $(upstream) openafs-kernel: rpmbuild_args += --define 'scriptsversion $(shell svnversion ${patches} | tr ':' '_')' … … 161 157 $(filter %.i686,$(upstream)): %.i686: setup patch-specs 162 158 rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec 163 /usr/bin/mock -r scripts-fc1 3-i386 --arch=i686 ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`159 /usr/bin/mock -r scripts-fc15-i386 --arch=i686 ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` 164 160 165 161 $(filter-out %.i686,$(upstream)): %: setup patch-specs 166 162 rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec 167 /usr/bin/mock -r scripts-fc1 3-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`163 /usr/bin/mock -r scripts-fc15-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` 168 164 169 165 openafs-kernel: setup 170 166 PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ 171 167 rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/openafs*.spec 172 /usr/bin/mock -r scripts-fc1 3-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1`168 /usr/bin/mock -r scripts-fc15-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1` 173 169 174 170 #sort -n sorts "2.6.25-1" later than "2.6.25.1-1", so it's Wrong … … 188 184 fi 189 185 190 # The following packages are needed for our packages191 basic-deps = kernel-devel 
rpm-build rpmdevtools mock gcc autoconf patch krb5-workstation glibc-devel.i686 glibc-devel libtool libgcc.i686192 oursrc-deps = hesinfo openldap-clients openldap-devel.i686 php-devel193 httpdmods-deps = httpd-devel194 httpd-deps = xmlto db4-devel expat-devel zlib-devel libselinux-devel apr-devel apr-util-devel pcre-devel openssl-devel distcache-devel195 krb5-deps = bison ncurses-devel texinfo keyutils-libs-devel texinfo-tex texlive-latex libss-devel rsh196 openafs-deps = pam-devel automake197 moira-deps = e2fsprogs-devel198 zephyr-deps = hesiod-devel libss-devel krb5-devel readline-devel199 openssh-deps = gtk2-devel libX11-devel autoconf automake openssl-devel perl zlib-devel audit-libs-devel util-linux groff man pam-devel tcp_wrappers-devel krb5-devel libselinux-devel audit-libs xauth pango-devel cairo-devel libedit-devel nss-devel fipscheck-devel200 php-deps = bzip2-devel curl-devel gmp-devel libstdc++-devel sqlite-devel gcc-c++ libc-client-devel mysql-devel postgresql-devel unixODBC-devel libxml2-devel net-snmp-devel libxslt-devel libxml2-devel libXpm-devel libjpeg-devel t1lib-devel libmcrypt-devel mhash-devel libtidy-devel freetds-devel aspell-devel recode-devel201 haskell-deps = cabal-install202 install-deps:203 yum -y install $(basic-deps) $(oursrc-deps) $(httpdmods-deps) $(httpd-deps) $(krb5-deps) $(openafs-deps) $(moira-deps) $(zephyr-deps) $(openssh-deps) $(php-deps) $(haskell-deps)204 186 # XXX: We need to figure out what's going on with compat-readline43 205 187 # rpm -ivh http://kojipkgs.fedoraproject.org/packages/compat-readline43/4.3/3/i386/compat-readline43-4.3-3.i386.rpm … … 207 189 208 190 fedora: 209 make install-deps210 191 make upstream 211 192 rpm -ivh $(out_rpms)/`uname -m`/openafs-devel*.rpm -
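Review bot: The new `openafs_url` and `zephyr_url` are fetched with `wget -P $(dload)` over plain `http://`, and nothing in the visible download recipe verifies the files before they are built into RPMs. The zephyr tarball also comes from an `export/HEAD` path, so its contents may change between builds. Record an expected digest next to each URL and check it after the fetch, e.g. `openafs_sha256 = <expected-sha256-placeholder>` and `cd $(dload) && echo "$(openafs_sha256)  $(notdir $(openafs_url))" | sha256sum -c -`. The same applies to the recursive `wget -r` pulls from debathena.mit.edu. The download recipe begins and ends outside the visible hunks, so an existing check elsewhere cannot be ruled out.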
trunk/server/fedora/config/etc/cron.d/slapdagent
r1716 r2066 1 1 KRB5CCNAME=/var/run/dirsrv/krb5cc 2 2 MAILTO=scripts-root@mit.edu 3 0 */3 * * * fedora-ds /usr/ kerberos/bin/kinit -k -t /etc/dirsrv/keytab ldap/$(hostname)3 0 */3 * * * fedora-ds /usr/bin/kinit -k -t /etc/dirsrv/keytab ldap/$(hostname) -
trunk/server/fedora/config/etc/hosts
r1684 r2066 18 18 18.181.0.234 busy-beaver.mit.edu busy-beaver scripts7.mit.edu scripts7 19 19 18.181.0.235 real-mccoy.mit.edu real-mccoy scripts8.mit.edu scripts8 20 18.181.0.135 shining-armor.mit.edu shining-armor # scripts9.mit.edu scripts9 20 18.181.0.135 shining-armor.mit.edu shining-armor scripts9.mit.edu scripts9 21 18.181.0.141 golden-egg.mit.edu golden-egg scripts10.mit.edu scripts10 21 22 22 23 172.21.0.57 better-mousetrap.mit.edu … … 29 30 172.21.0.235 real-mccoy.mit.edu 30 31 172.21.0.135 shining-armor.mit.edu 32 172.21.0.141 golden-egg.mit.edu -
trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
r1483 r2066 1 1 Alias /__scripts/heartbeat /afs/athena.mit.edu/contrib/scripts/web_scripts/heartbeat 2 Alias /__scripts/django/media /usr/lib/python2. 6/site-packages/django/contrib/admin/media2 Alias /__scripts/django/media /usr/lib/python2.7/site-packages/django/contrib/admin/media 3 3 Alias /__scripts /afs/athena.mit.edu/contrib/scripts/www 4 4 … … 9 9 </Directory> 10 10 11 <Directory /usr/lib/python2. 6/site-packages/django/contrib/admin/media>11 <Directory /usr/lib/python2.7/site-packages/django/contrib/admin/media> 12 12 <Files *> 13 13 SetHandler none -
trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
r1700 r2066 1 1 ServerName scripts.mit.edu 2 ServerAlias scripts 18.181.0.43 scripts-vhosts.mit.edu scripts-vhosts 18.181.0.46 scripts-test.mit.edu scripts-test 18.181.0.229 better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 bees-knees.mit.edu bees-knees b-k.mit.edu b-k sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3 18.181.0.167 cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.181.0.236 pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.181.0.234 real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.181.0.235 shining-armor.mit.edu shining-armor s-a.mit.edu s-a scripts9.mit.edu scripts9 18.181.0.135 localhost 127.0.0.1 ::1 2 ServerAlias \ 3 scripts 18.181.0.43 \ 4 scripts-vhosts.mit.edu scripts-vhosts 18.181.0.46 \ 5 scripts-test.mit.edu scripts-test 18.181.0.229 \ 6 better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 \ 7 old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 \ 8 bees-knees.mit.edu bees-knees b-k.mit.edu b-k sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3 18.181.0.167 \ 9 cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 \ 10 whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.181.0.236 \ 11 pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 \ 12 busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.181.0.234 \ 13 real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.181.0.235 \ 14 shining-armor.mit.edu 
shining-armor s-a.mit.edu s-a scripts9.mit.edu scripts9 18.181.0.135 \ 15 golden-egg.mit.edu golden-egg g-e.mit.edu g-e scripts10.mit.edu scripts10 18.181.0.141 \ 16 localhost 127.0.0.1 ::1 -
trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost.conf
r811 r2066 1 1 DocumentRoot /afs/athena.mit.edu/contrib/scripts/web_scripts/home 2 2 SuExecUserGroup scripts users 3 UserDir enabled 3 4 UserDir web_scripts 4 5 # Comment the following line out to take the machine out of the LVS pool -
trunk/server/fedora/config/etc/krb5.conf
r708 r2066 1 1 [libdefaults] 2 allow_weak_crypto = true 2 3 default_realm = ATHENA.MIT.EDU 3 4 # The following krb5.conf variables are only for MIT Kerberos. -
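Review bot: `allow_weak_crypto = true` is added to `[libdefaults]` without a comment saying why. It re-enables encryption types that krb5 1.8 and later disable by default (single-DES among them) for every Kerberos client on the host. If it is needed for an AFS service key or another DES-only principal, say so above the line, e.g. `# Needed while <service placeholder> still uses single-DES keys; remove once rekeyed`, so the setting can be dropped when that dependency goes away. The rest of the file lies outside the visible hunk.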
trunk/server/fedora/config/etc/php.d/_scripts.ini
r1362 r2066 3 3 cgi.force_redirect = 0 4 4 memory_limit = 1024M 5 date.timezone = America/New_York -
trunk/server/fedora/config/etc/php.d/tidy.ini
r813 r2066 1 -
trunk/server/fedora/config/etc/pki/tls/certs/nudelta.pem
- Property svn:mergeinfo changed
/branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/nudelta.pem (added) merged: 1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/server/fedora/config/etc/postfix/main.cf
r1868 r2066 17 17 recipient_delimiter = + 18 18 inet_interfaces = all 19 readme_directory = /usr/share/doc/postfix-2. 7.4/README_FILES20 sample_directory = /usr/share/doc/postfix-2. 7.4/samples19 readme_directory = /usr/share/doc/postfix-2.8.5/README_FILES 20 sample_directory = /usr/share/doc/postfix-2.8.5/samples 21 21 sendmail_path = /usr/sbin/sendmail 22 22 html_directory = no -
trunk/server/fedora/config/etc/rc.d/rc.local
- Property svn:executable set to *
r227 r2066 3 3 touch /var/lock/subsys/local 4 4 5 if [ -r "/afs/athena.mit.edu" ]; then6 /sbin/service postfix start7 fi8 9 5 /bin/mkdir -pm 1773 /tmp/sessions -
trunk/server/fedora/config/etc/scripts/allowed-setugid.list
r1917 r2066 1 /bin/ping2 /bin/ping63 1 /sbin/pam_timestamp_check 4 2 /sbin/unix_chkpwd -
trunk/server/fedora/config/etc/ssh/shosts.equiv
r1702 r2066 8 8 shining-armor.mit.edu 9 9 whole-enchilada.mit.edu 10 golden-egg.mit.edu 10 11 172.21.0.53 11 12 172.21.0.57 … … 17 18 172.21.0.135 18 19 172.21.0.236 20 172.21.0.141 -
trunk/server/fedora/config/etc/ssh/ssh_known_hosts
r1703 r2066 8 8 whole-enchilada.mit.edu,whole-enchilada,w-e.mit.edu,w-e,scripts5.mit.edu,scripts5,18.181.0.236,172.21.0.236 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ== 9 9 shining-armor.mit.edu,shining-armor,s-a.mit.edu,s-a,scripts9.mit.edu,scripts9,18.181.0.135,172.21.0.135 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ== 10 golden-egg.mit.edu.golden-egg,g-e.mit.edu,g-e,scripts10.mit.edu,scripts10,18.181.0.141,172.21.0.141 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ== -
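Review bot: The added golden-egg entry starts with `golden-egg.mit.edu.golden-egg,g-e.mit.edu,...`, with a `.` where the other entries have a `,`. The host pattern list therefore contains `golden-egg.mit.edu.golden-egg` and neither `golden-egg.mit.edu` nor `golden-egg`. Host key lookups for those two names will not match this line. This changeset also adds the host to shosts.equiv, so host-based logins that resolve the client to its FQDN will presumably fail or fall back to another method. The line should begin `golden-egg.mit.edu,golden-egg,g-e.mit.edu,g-e,...`.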
trunk/server/fedora/config/etc/ssh/sshd_config
r1703 r2066 20 20 IgnoreRhosts yes 21 21 IgnoreUserKnownHosts yes 22 DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu root@cats-whiskers.mit.edu root@pancake-bunny.mit.edu root@busy-beaver.mit.edu root@real-mccoy.mit.edu root@whole-enchilada.mit.edu root@shining-armor.mit.edu 22 DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu root@cats-whiskers.mit.edu root@pancake-bunny.mit.edu root@busy-beaver.mit.edu root@real-mccoy.mit.edu root@whole-enchilada.mit.edu root@shining-armor.mit.edu root@golden-egg.mit.edu -
trunk/server/fedora/config/etc/sysconfig/dirsrv
r1716 r2066 32 32 # slapdagent cronjob) -- geofft 30 October 2010 33 33 KRB5CCNAME=/var/run/dirsrv/krb5cc; export KRB5CCNAME 34 /usr/ kerberos/bin/kinit -k -t "$KRB5_KTNAME" ldap/"$(hostname)"34 /usr/bin/kinit -k -t "$KRB5_KTNAME" ldap/"$(hostname)" 35 35 chown --reference="$KRB5_KTNAME" "$KRB5CCNAME" 36 36 -
trunk/server/fedora/config/etc/sysconfig/httpd
r759 r2066 21 21 # 22 22 #HTTPD_LANG=C 23 24 # 25 # When stopping the server a 10 second timeout is allowed before 26 # forcibly terminating the parent process (with a SIGKILL signal). 27 # To allow a longer delay, set the STOP_TIMEOUT variable. 28 # 29 #STOP_TIMEOUT=10 30 # -
trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth1
r1789 r2066 12 12 18.181.0.235 via 172.21.0.235 13 13 18.181.0.135 via 172.21.0.135 14 18.181.0.141 via 172.21.0.141 -
trunk/server/fedora/config/etc/sysconfig/openafs
r1993 r2066 1 1 AFSD_ARGS="-afsdb -dynroot -fakestat-all -stat 25000 -daemons 100 -volumes 4000 -files 400000 -chunksize 19" 2 2 BOSSERVER_ARGS= 3 4 postinit () {5 /sbin/sysctl -q afs.GCPAGs=06 /usr/bin/fs setcrypt on7 case "$(lsb_release -cs)" in8 Moonshine)9 /usr/bin/fs sysname 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora7' 'amd64_linux26' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' 'i386_linux1' ;;10 Sulphur)11 /usr/bin/fs sysname 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;12 Leonidas)13 /usr/bin/fs sysname 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;14 Goddard)15 /usr/bin/fs sysname 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;16 *)17 echo "Warning: unknown platform. AFS sysname not set."18 esac19 /usr/bin/fs setcell -nosuid -c athena20 }21 AFS_POST_INIT=postinit -
trunk/server/fedora/config/etc/sysconfig/sysstat
r72 r2066 1 # How long to keep log files (days), maximum is a month 1 # sysstat-9.0.6.1 configuration file. 2 3 # How long to keep log files (in days). 4 # If value is greater than 28, then log files are kept in 5 # multiple directories, one for each month. 2 6 HISTORY=30 7 8 # Compress (using gzip or bzip2) sa and sar files older than (in days): 9 COMPRESSAFTER=10 10 11 # Parameters for system activity collector (see sadc man-page) which 12 # are used for the generation of log files 13 SADC_OPTIONS="-S DISK" -
trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl
r1747 r2066 32 32 sub buildKeyMap($) { 33 33 my ($file) = @_; 34 open (KEYS, $file) or warn "Couldn't open $file: $!";34 open (KEYS, $file) or (warn "Couldn't open $file: $!\n" and return); 35 35 while (<KEYS>) { 36 36 chomp; … … 58 58 buildKeyMap("/root/.ssh/authorized_keys2"); 59 59 60 while (1) { 61 my @message = scalar(<>); 60 my @message; 61 62 while (my $line = <>) { 63 @message = $line; 62 64 eval { 63 65 local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required … … 80 82 } elsif ($message =~ m|Root (\S+) shell|) { 81 83 sendmsg($message); 82 } elsif ($message =~ m| session \S+ for user (\S+)|) {83 sendmsg($message) if exists $USERS{$1};84 } elsif ($message =~ m|pam_unix\(([^:]+):session\): session \S+ for user (\S+)|) { 85 sendmsg($message) if $1 ne "cron" and exists $USERS{$2}; 84 86 } elsif ($message =~ m|^Found matching (\w+) key: (\S+)|) { 85 87 if ($sshkeys{$2}) { … … 117 119 } elsif ($message =~ m|^ *root : TTY=|) { 118 120 } elsif ($message =~ m|^Set /proc/self/oom_adj to |) { 121 } elsif ($message =~ m|^fatal: mm_request_receive: read: Connection reset by peer$|) { 119 122 } else { 120 123 sendmsg($message, "scripts-spew"); -
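Review bot: In the rewritten `pam_unix(...:session)` branch, a line whose service is `cron` matches the `elsif` and is then dropped without reaching the final `else` that forwards to `scripts-spew`, so cron sessions for watched users are no longer reported in any class. That may be the intent, but it is a deliberate gap in a login notifier and deserves a comment above the branch, e.g. `# cron sessions for watched users are intentionally not reported; every other pam_unix service is`. Session lines logged by anything other than pam_unix no longer match this branch either and fall through to the later patterns. The enclosing loop starts and ends outside the visible hunks.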
trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf
r1259 r2066 1 @version:3.2 2 1 3 # syslog-ng configuration file. 2 4 # … … 8 10 9 11 options { 10 sync(0);12 flush_lines (0); 11 13 time_reopen (10); 12 14 log_fifo_size (1000); … … 16 18 create_dirs (no); 17 19 keep_hostname (yes); 20 stats_freq (0); 18 21 }; 19 22 20 23 source s_sys { 21 file ("/proc/kmsg" log_prefix("kernel: "));24 file ("/proc/kmsg" program_override("kernel: ")); 22 25 unix-stream ("/dev/log"); 23 26 internal(); … … 28 31 destination d_mesg { file("/var/log/messages"); }; 29 32 destination d_auth { file("/var/log/secure"); }; 30 destination d_mail { file("/var/log/maillog" sync(10)); };33 destination d_mail { file("/var/log/maillog" flush_lines(10)); }; 31 34 destination d_spol { file("/var/log/spooler"); }; 32 35 destination d_boot { file("/var/log/boot.log"); }; -
trunk/server/fedora/config/etc/yum.conf
r1722 r2066 9 9 plugins=1 10 10 metadata_expire=1800 11 installonlypkgs=kernel kernel-devel kmod-openafs 11 installonlypkgs=kernel kernel-devel kmod-openafs ghc-cgi ghc-cgi-devel 12 12 13 13 # PUT YOUR REPOS HERE OR IN separate files named file.repo -
trunk/server/fedora/config/etc/yum.repos.d/scripts.repo
r1888 r2066 1 1 [scripts] 2 2 name=Scripts 3 baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc1 3/3 baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/ 4 4 enabled=1 5 5 gpgcheck=0 … … 7 7 [scripts-testing] 8 8 name=Scripts Testing 9 baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc1 3-testing/9 baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15-testing/ 10 10 enabled=0 11 11 gpgcheck=0 -
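Review bot: Both repository stanzas keep `gpgcheck=0` while the `baseurl` lines move to the fc15 trees over plain `http://`, so packages installed from these repos are neither signature-checked nor transport-protected. Since the repo paths are being touched anyway, consider signing the fc15 RPMs and setting `gpgcheck=1` with `gpgkey=file:///etc/pki/rpm-gpg/<scripts-key-placeholder>` in both stanzas. Lines between the two visible hunks are elided, so a `gpgkey` line there cannot be ruled out.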
trunk/server/fedora/config/etc/yum/post-actions/statoverride.action
r1926 r2066 22 22 /usr/bin/write:install:chmod ug-s /usr/bin/write 23 23 /usr/bin/Xorg:install:chmod ug-s /usr/bin/Xorg 24 /usr/ kerberos/bin/ksu:install:chmod ug-s /usr/kerberos/bin/ksu24 /usr/bin/ksu:install:chmod ug-s /usr/bin/ksu 25 25 /usr/lib64/nspluginwrapper/plugin-config:install:chmod ug-s /usr/lib64/nspluginwrapper/plugin-config 26 26 /usr/lib64/vte/gnome-pty-helper:install:chmod ug-s /usr/lib64/vte/gnome-pty-helper 27 /usr/libexec/kde4/kpac_dhcp_helper:install:chmod ug-s /usr/libexec/kde4/kpac_dhcp_helper 27 28 /usr/sbin/ccreds_chkpwd:install:chmod ug-s /usr/sbin/ccreds_chkpwd 28 29 /usr/sbin/userisdnctl:install:chmod ug-s /usr/sbin/userisdnctl 29 30 /usr/sbin/usernetctl:install:chmod ug-s /usr/sbin/usernetctl 31 /usr/bin/pkexec:install:chmod ug-s /usr/bin/pkexec -
trunk/server/fedora/specs/ghc-MonadCatchIO-mtl.spec
r1693 r2066 1 # For Haskell Packaging Guidelines see: 2 # - https://fedoraproject.org/wiki/Packaging:Haskell 3 # - https://fedoraproject.org/wiki/PackagingDrafts/Haskell 4 1 5 %global pkg_name MonadCatchIO-mtl 2 6 7 # common part of summary for all the subpackages 3 8 %global common_summary Haskell %{pkg_name} library 4 9 10 # main description used for all the subpackages 5 11 %global common_description A %{pkg_name} library for Haskell. 6 12 7 # add any Haskell library dependencies here:13 # Haskell library dependencies (used for buildrequires and devel/prof subpkg requires) 8 14 %global ghc_pkg_deps ghc-mtl-devel 9 15 10 # add any foreign library dependencies here:16 # foreign library dependencies (used for buildrequires and devel subpkg requires) 11 17 #%%global ghc_pkg_c_deps @CDEP1@-devel 12 18 13 %bcond_without shared14 15 # debuginfo is not useful for ghc16 %global debug_package %{nil}17 18 19 Name: ghc-%{pkg_name} 19 Version: 0.3.0. 120 Version: 0.3.0.2 20 21 Release: 0.%{scriptsversion}%{?dist} 21 22 Summary: %{common_summary} … … 23 24 Group: System Environment/Libraries 24 25 License: BSD 25 URL: http://hackage.haskell.org/ cgi-bin/hackage-scripts/package/%{pkg_name}26 URL: http://hackage.haskell.org/package/%{pkg_name} 26 27 Source0: http://hackage.haskell.org/packages/archive/%{pkg_name}/%{version}/%{pkg_name}-%{version}.tar.gz 27 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)28 28 # fedora ghc archs: 29 ExclusiveArch: %{ix86} x86_64 ppc alpha 29 ExclusiveArch: %{ix86} x86_64 ppc alpha sparcv9 30 30 BuildRequires: ghc, ghc-doc, ghc-prof 31 BuildRequires: ghc-rpm-macros >= 0.7.0 31 # macros for building haskell packages 32 BuildRequires: ghc-rpm-macros >= 0.7.3 33 BuildRequires: hscolour 32 34 %{?ghc_pkg_deps:BuildRequires: %{ghc_pkg_deps}, %(echo %{ghc_pkg_deps} | sed -e "s/\(ghc-[^, ]\+\)-devel/\1-doc,\1-prof/g")} 33 35 %{?ghc_pkg_c_deps:BuildRequires: %{ghc_pkg_c_deps}} … … 35 37 %description 36 38 %{common_description} 37 
%if %{with shared}38 This package provides the shared library.39 %endif40 41 42 %{?ghc_lib_package}43 39 44 40 … … 52 48 53 49 %install 54 rm -rf $RPM_BUILD_ROOT55 50 %ghc_lib_install 56 51 57 52 58 %clean 59 rm -rf $RPM_BUILD_ROOT 53 # define the devel and prof subpkgs, devel post[un] scripts, and filelists: 54 # ghc-%pkg_name{,devel,prof}.files 55 %ghc_lib_package 60 56 61 57 62 58 %changelog 59 * Mon May 2 2011 Alexander Chernyakhovsky <achernya@mit.edu> - 0.3.0.2-0 60 - regenerated packaging with cabal2spec-0.22.5 61 63 62 * Thu Sep 9 2010 Anders Kaseorg <andersk@mit.edu> - 0.3.0.1-0 64 63 - initial packaging for Fedora automatically generated by cabal2spec-0.22.1 -
trunk/server/fedora/specs/ghc-cgi.spec
r1693 r2066 1 # For Haskell Packaging Guidelines see: 2 # - https://fedoraproject.org/wiki/Packaging:Haskell 3 # - https://fedoraproject.org/wiki/PackagingDrafts/Haskell 4 1 5 %global pkg_name cgi 2 6 7 # common part of summary for all the subpackages 3 8 %global common_summary Haskell %{pkg_name} library 4 9 10 # main description used for all the subpackages 5 11 %global common_description A %{pkg_name} library for Haskell. 6 12 7 # add any Haskell library dependencies here:13 # Haskell library dependencies (used for buildrequires and devel/prof subpkg requires) 8 14 %global ghc_pkg_deps ghc-network-devel, ghc-parsec-devel, ghc-mtl-devel, ghc-MonadCatchIO-mtl-devel, ghc-xhtml-devel 9 15 10 # add any foreign library dependencies here:16 # foreign library dependencies (used for buildrequires and devel subpkg requires) 11 17 #%%global ghc_pkg_c_deps @CDEP1@-devel 12 18 13 %bcond_without shared14 15 # debuginfo is not useful for ghc16 %global debug_package %{nil}17 18 19 Name: ghc-%{pkg_name} 19 Version: 3001.1.8. 
120 Version: 3001.1.8.2 20 21 Release: 0.%{scriptsversion}%{?dist} 21 22 Summary: %{common_summary} … … 23 24 Group: System Environment/Libraries 24 25 License: BSD 25 URL: http://hackage.haskell.org/ cgi-bin/hackage-scripts/package/%{pkg_name}26 URL: http://hackage.haskell.org/package/%{pkg_name} 26 27 Source0: http://hackage.haskell.org/packages/archive/%{pkg_name}/%{version}/%{pkg_name}-%{version}.tar.gz 27 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)28 28 # fedora ghc archs: 29 ExclusiveArch: %{ix86} x86_64 ppc alpha 29 ExclusiveArch: %{ix86} x86_64 ppc alpha sparcv9 30 30 BuildRequires: ghc, ghc-doc, ghc-prof 31 BuildRequires: ghc-rpm-macros >= 0.7.0 31 # macros for building haskell packages 32 BuildRequires: ghc-rpm-macros >= 0.7.3 33 BuildRequires: hscolour 32 34 %{?ghc_pkg_deps:BuildRequires: %{ghc_pkg_deps}, %(echo %{ghc_pkg_deps} | sed -e "s/\(ghc-[^, ]\+\)-devel/\1-doc,\1-prof/g")} 33 35 %{?ghc_pkg_c_deps:BuildRequires: %{ghc_pkg_c_deps}} … … 35 37 %description 36 38 %{common_description} 37 %if %{with shared}38 This package provides the shared library.39 %endif40 41 42 %{?ghc_lib_package}43 39 44 40 … … 52 48 53 49 %install 54 rm -rf $RPM_BUILD_ROOT55 50 %ghc_lib_install 56 51 57 52 58 %clean 59 rm -rf $RPM_BUILD_ROOT 53 # define the devel and prof subpkgs, devel post[un] scripts, and filelists: 54 # ghc-%pkg_name{,devel,prof}.files 55 %ghc_lib_package 60 56 61 57 62 58 %changelog 59 * Mon May 2 2011 Alexander Chernyakhovsky <achernya@mit.edu> - 3001.1.8.2-0 60 - regenerated packaging with cabal2spec-0.22.5 61 63 62 * Thu Sep 9 2010 Anders Kaseorg <andersk@mit.edu> - 3001.1.8.1-0 64 63 - initial packaging for Fedora automatically generated by cabal2spec-0.22.1 -
trunk/server/fedora/specs/ghc-unix-handle.spec
r1693 r2066 1 # For Haskell Packaging Guidelines see: 2 # - https://fedoraproject.org/wiki/Packaging:Haskell 3 # - https://fedoraproject.org/wiki/PackagingDrafts/Haskell 4 1 5 %global pkg_name unix-handle 2 6 7 # common part of summary for all the subpackages 3 8 %global common_summary Haskell %{pkg_name} library 4 9 10 # main description used for all the subpackages 5 11 %global common_description A %{pkg_name} library for Haskell. 6 12 7 # add any Haskell library dependencies here:13 # Haskell library dependencies (used for buildrequires and devel/prof subpkg requires) 8 14 #%%global ghc_pkg_deps ghc-@DEP1@-devel, ghc-@DEP2@-devel 9 15 10 # add any foreign library dependencies here:16 # foreign library dependencies (used for buildrequires and devel subpkg requires) 11 17 #%%global ghc_pkg_c_deps @CDEP1@-devel 12 13 %bcond_without shared14 15 # debuginfo is not useful for ghc16 %global debug_package %{nil}17 18 18 19 Name: ghc-%{pkg_name} … … 23 24 Group: System Environment/Libraries 24 25 License: BSD 25 URL: http://hackage.haskell.org/ cgi-bin/hackage-scripts/package/%{pkg_name}26 URL: http://hackage.haskell.org/package/%{pkg_name} 26 27 Source0: http://hackage.haskell.org/packages/archive/%{pkg_name}/%{version}/%{pkg_name}-%{version}.tar.gz 27 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)28 28 # fedora ghc archs: 29 ExclusiveArch: %{ix86} x86_64 ppc alpha 29 ExclusiveArch: %{ix86} x86_64 ppc alpha sparcv9 30 30 BuildRequires: ghc, ghc-doc, ghc-prof 31 BuildRequires: ghc-rpm-macros >= 0.7.0 31 # macros for building haskell packages 32 BuildRequires: ghc-rpm-macros >= 0.7.3 33 BuildRequires: hscolour 32 34 %{?ghc_pkg_deps:BuildRequires: %{ghc_pkg_deps}, %(echo %{ghc_pkg_deps} | sed -e "s/\(ghc-[^, ]\+\)-devel/\1-doc,\1-prof/g")} 33 35 %{?ghc_pkg_c_deps:BuildRequires: %{ghc_pkg_c_deps}} … … 35 37 %description 36 38 %{common_description} 37 %if %{with shared}38 This package provides the shared library.39 %endif40 41 42 
%{?ghc_lib_package}43 39 44 40 … … 52 48 53 49 %install 54 rm -rf $RPM_BUILD_ROOT55 50 %ghc_lib_install 56 51 57 52 58 %clean 59 rm -rf $RPM_BUILD_ROOT 53 # define the devel and prof subpkgs, devel post[un] scripts, and filelists: 54 # ghc-%pkg_name{,devel,prof}.files 55 %ghc_lib_package 60 56 61 57 62 58 %changelog 59 * Mon May 2 2011 Alexander Chernyakhovsky <achernya@mit.edu> - 0.0.0-0 60 - regenerated packaging with cabal2spec-0.22.5 61 63 62 * Thu Sep 9 2010 Anders Kaseorg <andersk@mit.edu> - 0.0.0-0 64 63 - initial packaging for Fedora automatically generated by cabal2spec-0.22.1 -
trunk/server/fedora/specs/httpd.spec.patch
r1738 r2066 1 --- httpd.spec.orig 201 0-10-27 08:26:15.000000000 -04002 +++ httpd.spec 201 0-11-18 18:20:43.000000000 -05003 @@ - 7,7 +7,7 @@1 --- httpd.spec.orig 2011-09-13 09:43:36.000000000 -0400 2 +++ httpd.spec 2011-11-05 20:57:13.910145847 -0400 3 @@ -8,7 +8,7 @@ 4 4 Summary: Apache HTTP Server 5 5 Name: httpd 6 Version: 2.2. 177 -Release: 1%{?dist} .18 +Release: 1%{?dist}. 1.scripts.%{scriptsversion}6 Version: 2.2.21 7 -Release: 1%{?dist} 8 +Release: 1%{?dist}.scripts.%{scriptsversion} 9 9 URL: http://httpd.apache.org/ 10 10 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 11 11 Source1: index.html 12 @@ -5 5,6 +55,14@@13 Conflicts: pcre < 4.014 Requires: httpd-tools = %{version}-%{release}, apr-util-ldap 12 @@ -54,6 +54,15 @@ 13 Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa} 14 Requires: httpd-tools = %{version}-%{release}, apr-util-ldap, systemd-units 15 15 16 +Provides: scripts-httpd 16 +Provides: scripts-httpd = %{version}-%{release} 17 17 +Patch1000: httpd-suexec-scripts.patch 18 18 +Patch1003: httpd-2.2.x-mod_status-security.patch … … 21 21 +Patch1006: httpd-suexec-cloexec.patch 22 22 +Patch1007: httpd-fixup-vhost.patch 23 +Patch1008: httpd-sysv-deps.patch 23 24 + 24 25 %description 25 26 The Apache HTTP Server is a powerful, efficient, and extensible 26 27 web server. 27 @@ -6 5,6 +73,7 @@28 @@ -64,6 +73,7 @@ 28 29 Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel 29 30 Requires: apr-devel, apr-util-devel, pkgconfig 30 31 Requires: httpd = %{version}-%{release} 31 +Provides: scripts-httpd-devel 32 +Provides: scripts-httpd-devel = %{version}-%{release} 32 33 33 34 %description devel 34 35 The httpd-devel package contains the APXS binary and other files 35 @@ -10 3,6 +112,7 @@36 Requires(post): openssl >= 0.9.7f-4, /bin/cat36 
@@ -102,6 +112,7 @@ 37 Requires(post): openssl, /bin/cat 37 38 Requires(pre): httpd 38 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmn }39 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} 39 40 +Provides: scripts-mod_ssl 40 41 Obsoletes: stronghold-mod_ssl 41 42 42 43 %description -n mod_ssl 43 @@ -130,6 +140,13 @@ 44 @@ -110,6 +121,11 @@ 45 Security (TLS) protocols. 46 47 %prep 48 + 49 +# Horrible hack to patch the httpd.init file 50 +cd $RPM_SOURCE_DIR 51 +%patch1008 -p1 -b .sysv-deps 52 + 53 %setup -q 54 %patch1 -p1 -b .apctl 55 %patch2 -p1 -b .apxs 56 @@ -128,6 +144,13 @@ 44 57 # Patch in vendor/release string 45 58 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 … … 55 68 vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'` 56 69 if test "x${vmmn}" != "x%{mmn}"; then 57 @@ -17 7,10 +194,12 @@70 @@ -175,10 +198,12 @@ 58 71 --with-apr=%{_prefix} --with-apr-util=%{_prefix} \ 59 72 --enable-suexec --with-suexec \ -
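Review bot: The new `%prep` lines `cd $RPM_SOURCE_DIR` and `%patch1008 -p1 -b .sysv-deps` patch a file in the SOURCES directory in place, before `%setup` runs. That makes the build non-repeatable from the same tree: a second `rpmbuild` would presumably find the patch already applied, and the `.sysv-deps` backup is left beside the pristine sources. The only comment is "Horrible hack", so I would at least record the consequence, e.g. `# Modifies $RPM_SOURCE_DIR in place; rebuild only from a freshly unpacked SRPM`. A cleaner option is to apply the patch to a copy of the init file made inside the build directory. `$RPM_SOURCE_DIR` is also unquoted, so a path containing spaces breaks the `cd`.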
trunk/server/fedora/specs/krb5.spec.patch
r1819 r2066 1 --- krb5.spec.orig 2011- 04-13 14:56:35.000000000 -04002 +++ krb5.spec 2011- 04-27 02:52:07.000000000 -04003 @@ - 10,7 +10,7 @@1 --- krb5.spec.orig 2011-11-16 12:37:32.246736120 -0500 2 +++ krb5.spec 2011-11-16 12:42:47.134740975 -0500 3 @@ -6,7 +6,7 @@ 4 4 Summary: The Kerberos network authentication system 5 5 Name: krb5 6 Version: 1. 7.17 -Release: 1 9%{?dist}8 +Release: 1 9%{?dist}.scripts.%{scriptsversion}6 Version: 1.9.1 7 -Release: 14%{?dist} 8 +Release: 14%{?dist}.scripts.%{scriptsversion} 9 9 # Maybe we should explode from the now-available-to-everybody tarball instead? 10 # http://web.mit.edu/kerberos/dist/krb5/1. 7/krb5-1.7.1-signed.tar10 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar 11 11 Source0: krb5-%{version}.tar.gz 12 @@ - 98,6 +98,8 @@13 Patch 109: krb5-1.7.1-paren.patch14 Patch 110: 2011-004-patch-r18.txt12 @@ -65,6 +65,8 @@ 13 Patch89: krb5-1.9.1-sendto_poll3.patch 14 Patch90: krb5-1.9-MITKRB5-SA-2011-006.patch 15 15 16 16 +Patch1000: krb5-kuserok-scripts.patch … … 19 19 URL: http://web.mit.edu/kerberos/www/ 20 20 Group: System Environment/Libraries 21 @@ -1 42,6 +144,7 @@21 @@ -114,6 +116,7 @@ 22 22 %package libs 23 23 Summary: The shared libraries used by Kerberos 5 … … 27 27 %description libs 28 28 Kerberos is a network authentication system. The krb5-libs package 29 @@ - 1696,6 +1699,7 @@30 %patch 108 -p1 -b .2011-00331 %patch 109 -p1 -b .paren32 %patch 110 -p1 -b .2011-00429 @@ -221,6 +224,7 @@ 30 %patch88 -p1 -b .crossrealm 31 %patch89 -p1 -b .sendto_poll3 32 %patch90 -p1 -b .2011-006 33 33 +%patch1000 -p1 -b .kuserok 34 34 gzip doc/*.ps -
trunk/server/fedora/specs/openafs-include-xstat.spec.patch
r2014 r2066 1 --- openafs.spec.orig 2011-1 0-19 16:05:41.000000000-04002 +++ openafs.spec 2011-1 0-19 16:10:06.000000000 -04003 @@ -11 15,7 +1115,7 @@1 --- openafs.spec.orig 2011-11-04 23:50:34.842221577 -0400 2 +++ openafs.spec 2011-11-04 23:52:00.538590290 -0400 3 @@ -1103,7 +1103,7 @@ 4 4 5 5 # create list of man pages that go in the 'openafs' package 6 6 /bin/ls $RPM_BUILD_ROOT%{_mandir}/man1 \ 7 - |egrep '^afs|^fs|^kas|^klog|kapasswd|pagsh|^pts|^rxdebug|scout|^sys|tokens|translate|udebug|unlog|^uss|^vos' \ 8 + |egrep '^afs|^fs|^kas|^klog|kapasswd|pagsh|^pts|^rxdebug|scout|^sys|tokens|translate|^xstat|udebug|unlog|^uss|^vos' \ 7 - |egrep '^afs|^fs|^kas|^klog|kapasswd|pagsh|^pts|^restorevol|^rxdebug|scout|^sys|tokens|translate|udebug|unlog|^uss|^vos' \ 8 + |egrep '^afs|^fs|^kas|^klog|kapasswd|pagsh|^pts|^restorevol|^rxdebug|scout|^sys|tokens|translate|^xstat|udebug|unlog|^uss|^vos' \ 9 |egrep -v '^afs_compile_et' \ 9 10 >openafs-man1files 10 11 11 /bin/ls $RPM_BUILD_ROOT%{_mandir}/man5 \ 12 @@ -1145,6 +1145,8 @@ 12 @@ -1134,6 +1134,8 @@ 13 13 %{_bindir}/tokens 14 14 %{_bindir}/tokens.krb … … 19 19 %{_bindir}/unlog 20 20 %{_sbindir}/backup 21 @@ -11 96,7 +1198,7 @@21 @@ -1184,7 +1186,7 @@ 22 22 done 23 23 … … 28 28 done 29 29 30 @@ -1 208,7 +1210,7 @@30 @@ -1196,7 +1198,7 @@ 31 31 rm -rf $RPM_BUILD_ROOT%{_sbindir}/kdump* 32 32 -
trunk/server/fedora/specs/openafs.spec.patch
r1693 r2066 1 --- openafs.spec.orig 2010-09-10 18:21:53.000000000 -0400 2 +++ openafs.spec 2010-09-10 18:34:30.000000000 -0400 3 @@ -8,7 +8,7 @@ 4 # for beta/rc releases make pkgrel 0.X.<tag> 1 --- rpmbuild/SPECS/openafs.spec 2 +++ rpmbuild/SPECS/openafs.spec.~3~ 2011-11-20 20:13:52.211673609 -0500 3 @@ -4,7 +4,7 @@ 4 %define pkgvers 1.6.0 5 # for beta/rc releases make pkgrel 0.<tag> 5 6 # for real releases make pkgrel 1 (or more for extra releases) 6 #%define pkgrel 0.1.rc1 7 -%define pkgrel 0.pre3 8 +%define pkgrel 0.pre3.99scripts.%{scriptsversion} 7 -%define pkgrel 1 8 +%define pkgrel 1.99.scripts.%{scriptsversion} 9 9 10 % if %{?osvers:0}%{!?osvers:1}11 % define osvers 112 @@ -2 61,6 +261,10@@13 %endif10 %{!?fedorakmod: %define fedorakmod 1} 11 %{!?build_dkmspkg: %define build_dkmspkg 1} 12 @@ -237,6 +237,14 @@ 13 14 14 ExclusiveArch: %{ix86} x86_64 ia64 s390 s390x sparc64 ppc ppc64 15 15 16 16 +Patch1000: openafs-scripts.patch 17 +Patch1003: openafs-localcsdb.patch 18 +Patch1005: openafs-numsysnames.patch 17 +Patch1001: openafs-localcsdb.patch 18 +Patch1002: openafs-systemd.patch 19 +Patch1003: openafs-systemd-crond.patch 20 +Patch1004: openafs-linux-3.1-rcu.patch 21 +Patch1005: openafs-linux-3.1-fsync.patch 22 +Patch1006: openafs-linux-3.1-zalloc.patch 19 23 + 20 24 # http://dl.openafs.org/dl/openafs/candidate/%{afsvers}/... 21 25 Source0: http://www.openafs.org/dl/openafs/%{afsvers}/openafs-%{afsvers}-src.tar.bz2 22 26 Source1: http://www.openafs.org/dl/openafs/%{afsvers}/openafs-%{afsvers}-doc.tar.bz2 23 @@ -3 43,6 +347,7 @@27 @@ -316,6 +324,7 @@ 24 28 %if %{build_userspace} 25 29 … … 29 33 30 34 %if %{fedorakmod} 31 @@ - 403,6 +408,7 @@35 @@ -376,6 +385,7 @@ 32 36 33 37 %if %{build_authlibs} … … 37 41 Group: Networking/Filesystems 38 42 39 @@ - 419,6 +425,7 @@43 
@@ -392,6 +402,7 @@ 40 44 %endif 41 45 … … 43 47 +Provides: scripts-openafs-authlibs-devel 44 48 %if %{build_authlibs} 45 Requires: openafs-authlibs = %{version} 49 Requires: openafs-authlibs = %{version}-%{release} 46 50 %endif 47 @@ -4 37,6 +444,7 @@51 @@ -410,6 +421,7 @@ 48 52 libraries. 49 53 … … 52 56 Summary: OpenAFS Development Libraries and Headers 53 57 Group: Development/Filesystems 54 55 @@ -4 65,6 +473,7 @@58 Requires: openafs = %{version}-%{release} 59 @@ -439,6 +451,7 @@ 56 60 administrators. 57 61 … … 61 65 Group: Networking/Filesystems 62 66 Provides: openafs-kernel = %{version} 63 @@ - 514,6 +523,7 @@67 @@ -488,6 +501,7 @@ 64 68 65 69 %if %{krb5support} … … 69 73 Requires: openafs = %{version} 70 74 Group: Networking/Filesystems 71 @@ -5 40,7 +550,7 @@75 @@ -514,7 +528,7 @@ 72 76 %if %{build_modules} 73 77 … … 78 82 %else 79 83 80 @@ -699,6 +709,9 @@ 84 @@ -671,6 +685,15 @@ 85 #%setup -q -n %{srcdir} 86 %setup -q -b 1 -n %{srcdir} 81 87 82 # Patch openafs to build a kernel module named "openafs" instead of "libafs" 83 %patch0 -p1 -b .kmod26 88 +# Apply the Scripts patch 84 89 +%patch1000 -p1 -b .scripts 85 +%patch1003 -p1 -b .localcsdb 86 +%patch1005 -p1 -b .numsysnames 87 90 +%patch1001 -p1 -b .localcsdb 91 +%patch1002 -p1 -b .systemd 92 +%patch1003 -p1 -b .systemd-crond 93 +%patch1004 -p1 -b .rcu 94 +%patch1005 -p1 -b .fsync 95 +%patch1006 -p1 -b .zalloc 96 + 88 97 ############################################################################## 89 98 # 99 # building 100 
@@ -1212,6 +1235,13 @@ 101 rm -f $RPM_BUILD_ROOT%{_libdir}/libafsrpc.so 102 rm -f $RPM_BUILD_ROOT%{_libdir}/libafsauthent.so.* 103 rm -f $RPM_BUILD_ROOT%{_libdir}/libafsrpc.so.* 104 +%else 105 +chmod +x $RPM_BUILD_ROOT%{_libdir}/libafsauthent.so 106 +chmod +x $RPM_BUILD_ROOT%{_libdir}/libafsrpc.so 107 +chmod +x $RPM_BUILD_ROOT%{_libdir}/libafsauthent.so.* 108 +chmod +x $RPM_BUILD_ROOT%{_libdir}/libafsrpc.so.* 109 +chmod +x $RPM_BUILD_ROOT%{_libdir}/libkopenafs.so 110 +chmod +x $RPM_BUILD_ROOT%{_libdir}/libkopenafs.so.* 111 %endif 112 113 %endif -
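Review bot: The six `chmod +x` lines added under `%else` carry no comment saying why shared libraries need the execute bit. zephyr.spec in this changeset documents the same workaround (RPM only scans executable files when generating automatic Provides), so I assume the reason is the same here. A one-line comment such as `# RPM only generates Provides for executable files; mark the shared libs +x` would keep a later maintainer from deleting them. zephyr.spec uses `chmod a+x`, which does not depend on the build umask, and the same form would be more predictable here. The enclosing `%if` starts outside the visible hunk.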
trunk/server/fedora/specs/openssh.spec.patch
r1739 r2066 1 1 --- openssh.spec.orig 2010-05-31 06:20:02.000000000 -0400 2 2 +++ openssh.spec 2010-09-06 21:53:21.000000000 -0400 3 @@ -7 4,7 +74,7 @@3 @@ -78,7 +78,7 @@ 4 4 Summary: An open source implementation of SSH protocol versions 1 and 2 5 5 Name: openssh 6 Version: 5.4p17 -Release: %{openssh_rel}%{?dist}%{?rescue_rel} 8 +Release: %{openssh_rel}%{?dist}%{?rescue_rel}. scripts.%{scriptsversion}6 Version: %{openssh_ver} 7 -Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1 8 +Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1.scripts.%{scriptsversion} 9 9 URL: http://www.openssh.com/portable.html 10 10 #URL1: http://pamsshagentauth.sourceforge.net 11 11 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz 12 @@ - 88,6 +88,8@@12 @@ -92,6 +92,7 @@ 13 13 Source3: sshd.init 14 14 Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 15 15 Source5: pam_ssh_agent-rmheaders 16 16 +Patch1001: openssh-4.7p1-gssapi-name-in-env.patch 17 +Patch1002: openssh-no-spurious-correct-key-incorrect-host-messages.patch 18 Patch0: openssh-5.4p1-redhat.patch 19 Patch2: openssh-5.3p1-skip-initial.patch 20 Patch4: openssh-5.2p1-vendor.patch 21 @@ -175,6 +178,7 @@ 22 Requires(post): chkconfig >= 0.9, /sbin/service 17 18 Patch100: openssh-5.6p1-wIm.patch 19 Patch0: openssh-5.6p1-redhat.patch 20 @@ -207,6 +209,7 @@ 23 21 Requires(pre): /usr/sbin/useradd 24 22 Requires: pam >= 1.0.1-3 23 Requires: fipscheck-lib%{_isa} >= 1.3.0 25 24 +Provides: scripts-openssh-server 26 25 27 % package askpass28 Summary: A passphrase dialog for OpenSSH and X29 @@ - 267,6 +271,9@@30 %patch 75 -p1 -b .dso31 %patch 76 -p1 -b .bz59593526 %if %{ldap} 27 %package ldap 28 
@@ -323,6 +326,8 @@ 29 %patch80 -p1 -b .biguid 30 %patch81 -p1 -b .clientloop 32 31 33 32 +%patch1001 -p1 -b .gssapi-env 34 +%patch1002 -p1 -b .no-spurious-correct-key-incorrect-host-messages35 33 + 36 34 autoreconf 37 38 %build 35 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} 36 autoreconf 37 -
trunk/server/fedora/specs/redland-bindings.spec.patch
r2001 r2066 1 --- redland-bindings.spec 2011-10-12 14:51:58.000000000 -04002 +++ redland-bindings -php.spec 2011-10-13 10:15:24.000000000 -04001 --- redland-bindings.spec.old 2011-10-12 14:51:58.000000000 -0400 2 +++ redland-bindings.spec 2011-10-13 10:15:24.000000000 -0400 3 3 @@ -1,6 +1,6 @@ 4 4 Name: redland-bindings 5 Version: 1.0. 7.16 -Release: 1%{?dist}7 +Release: 1%{?dist}.scripts.%{scriptsversion}5 Version: 1.0.11.1 6 -Release: 6%{?dist} 7 +Release: 6%{?dist}.scripts.%{scriptsversion} 8 8 Summary: Redland RDF Application Framework API Bindings 9 9 -
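--- a/trunk/server/fedora/specs/scripts-base.spec
+++ b/trunk/server/fedora/specs/scripts-base.spec
@@ -21,4 +21,6 @@
 Requires: scripts-openafs-krb5
 Requires: scripts-openssh-server
+Requires: scripts-static-cat
+Requires: scripts-rubygems
 Requires: sql-signup
 Requires: tokensys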
trunk/server/fedora/specs/scripts-static-cat.spec
r1693 r2066 1 # link with shared libs 2 # andersk: Disabled for 3x faster startup speed. 3 #%%bcond_without dynamic 4 5 # ghc does not emit debug information 6 %global debug_package %{nil} 1 # For Haskell Packaging Guidelines see: 2 # - https://fedoraproject.org/wiki/Packaging:Haskell 3 # - https://fedoraproject.org/wiki/PackagingDrafts/Haskell 7 4 8 5 Name: scripts-static-cat … … 15 12 URL: http://scripts.mit.edu/ 16 13 Source0: %{name}.tar.gz 17 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)18 14 # fedora ghc archs: 19 ExclusiveArch: %{ix86} x86_64 ppc alpha 20 BuildRequires: ghc 15 ExclusiveArch: %{ix86} x86_64 ppc alpha sparcv9 16 BuildRequires: ghc-devel 17 # macros for building haskell packages 21 18 BuildRequires: ghc-rpm-macros >= 0.7.0 22 19 BuildRequires: ghc-cgi-devel >= 3001.1.8, ghc-MonadCatchIO-mtl-devel, ghc-unix-handle-devel … … 35 32 36 33 %install 37 rm -rf $RPM_BUILD_ROOT38 34 %ghc_bin_install 39 40 41 %clean42 rm -rf $RPM_BUILD_ROOT43 35 44 36 … … 49 41 50 42 %changelog 43 * Mon May 2 2011 Alexander Chernyakhovsky <achernya@mit.edu> - 0.0-0 44 - regenerated packaging with cabal2spec-0.22.5 45 51 46 * Thu Sep 9 2010 Anders Kaseorg <andersk@mit.edu> - 0.0-0 52 47 - initial packaging for Fedora automatically generated by cabal2spec-0.22.1 -
trunk/server/fedora/specs/tokensys.spec
r1594 r2066 10 10 BuildRoot: %{_tmppath}/%(%{__id_u} -n)-%{name}-%{version}-root 11 11 %define debug_package %{nil} 12 Prereq: /usr/kerberos/bin/kinit, /usr/bin/aklog 12 Prereq: /usr/bin/kinit, /usr/bin/aklog 13 Requires(post): systemd-units 14 Requires(preun): systemd-units 15 Requires(postun): systemd-units 16 BuildRequires: systemd-units 13 17 14 18 %description … … 17 21 Contains: 18 22 - A shell script for renewing the scripts AFS credentials <renew> 19 - A crontab for calling the renew script <crontab> 23 - A shell script for configuring scripts AFS <scripts-afsagent-startup> 24 - systemd units for running the above 20 25 See http://scripts.mit.edu/wiki for more information. 21 26 … … 24 29 25 30 %build 26 ./configure --with-kinit=/usr/ kerberos/bin/kinit --with-aklog=/usr/bin/aklog31 ./configure --with-kinit=/usr/bin/kinit --with-aklog=/usr/bin/aklog --with-fs=/usr/bin/fs 27 32 28 33 %install 29 34 [ $RPM_BUILD_ROOT != / ] && rm -rf $RPM_BUILD_ROOT 30 35 install -D renew $RPM_BUILD_ROOT/home/afsagent/renew 31 install -D crontab $RPM_BUILD_ROOT/etc/cron.d/afsagent 36 install -D scripts-afsagent-startup $RPM_BUILD_ROOT/usr/local/libexec/scripts-afsagent-startup 37 install -D scripts-afsagent-startup.service $RPM_BUILD_ROOT%{_unitdir}/scripts-afsagent-startup.service 38 install -D scripts-afsagent.service $RPM_BUILD_ROOT%{_unitdir}/scripts-afsagent.service 39 install -D scripts-afsagent.timer $RPM_BUILD_ROOT%{_unitdir}/scripts-afsagent.timer 32 40 33 41 %clean … … 35 43 36 44 %files 37 %defattr(0600, root, root) 38 /etc/cron.d/afsagent 45 %defattr(0644,root,root) 46 %{_unitdir}/*.service 47 %{_unitdir}/*.timer 39 48 %defattr(0755, afsagent, afsagent) 40 49 /home/afsagent/renew 50 /usr/local/libexec/scripts-afsagent-startup 41 51 42 52 %pre … … 44 54 useradd -u 101 -g 101 afsagent || [ $? 
-eq 9 ] 45 55 56 %post 57 /bin/systemctl enable scripts-afsagent-startup.service >/dev/null 2>&1 || : 58 /bin/systemctl enable scripts-afsagent.service >/dev/null 2>&1 || : 59 /bin/systemctl enable scripts-afsagent.timer >/dev/null 2>&1 || : 60 61 if [ $1 -eq 1 ] ; then 62 # Initial installation 63 /bin/systemctl daemon-reload >/dev/null 2>&1 || : 64 fi 65 66 %preun 67 if [ $1 -eq 0 ] ; then 68 # Package removal, not upgrade 69 /bin/systemctl --no-reload disable scripts-afsagent-startup.service > /dev/null 2>&1 || : 70 /bin/systemctl --no-reload disable scripts-afsagent.service > /dev/null 2>&1 || : 71 /bin/systemctl --no-reload disable scripts-afsagent.timer > /dev/null 2>&1 || : 72 /bin/systemctl stop scripts-afsagent-startup.service > /dev/null 2>&1 || : 73 /bin/systemctl stop scripts-afsagent.service > /dev/null 2>&1 || : 74 /bin/systemctl stop scripts-afsagent.timer > /dev/null 2>&1 || : 75 fi 76 46 77 %postun 78 /bin/systemctl daemon-reload >/dev/null 2>&1 || : 79 if [ $1 -ge 1 ] ; then 80 # Package upgrade, not uninstall 81 /bin/systemctl try-restart scripts-afsagent.service >/dev/null 2>&1 || : 82 fi 83 47 84 if [ "$1" = "0" ] ; then 48 85 userdel -r afsagent … … 50 87 51 88 %changelog 89 * Mon Nov 21 2011 Quentin Smith <quentin@mit.edu> 90 - add systemd units 91 - remove crontab 92 52 93 * Tue Aug 17 2010 Geoffrey Thomas <geofft@mit.edu> 53 94 - aklog csail as well -
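Review bot: In `%files`, the new `/usr/local/libexec/scripts-afsagent-startup` entry falls under `%defattr(0755, afsagent, afsagent)`, so the startup script is installed owned by the afsagent account. The unit files are not shown here, but if `scripts-afsagent-startup.service` runs this script as root, the unprivileged account can rewrite a file that root executes. Listing it as `%attr(0755,root,root) /usr/local/libexec/scripts-afsagent-startup` removes that dependency on the unit's configuration. Separately, `%post` runs the three `systemctl enable` calls on every upgrade and gates only `daemon-reload` on `$1 -eq 1`, which re-enables units an administrator has disabled.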
trunk/server/fedora/specs/whoisd.spec
r927 r2066 1 Summary: 2 Group: 3 Name: 4 Version: 5 Release: 06 Vendor: 7 URL: 8 License: 9 Source0: 10 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 1 Summary: whoisd for <scripts.mit.edu> (virtualhost aware) 2 Group: Applications/System 3 Name: whoisd 4 Version: 0.%{scriptsversion} 5 Release: 1 6 Vendor: The scripts.mit.edu Team (scripts@mit.edu) 7 URL: http://scripts.mit.edu 8 License: GPL 9 Source0: %{name}.tar.gz 10 11 11 %define debug_package %{nil} 12 12 13 #BuildRequires: make 14 Requires: python-twisted-core 13 Requires: python-twisted-core 14 BuildRequires: systemd-units 15 16 Requires(post): systemd-units 17 Requires(preun): systemd-units 18 Requires(postun): systemd-units 19 Requires(post): systemd-sysv 15 20 16 21 %description … … 24 29 25 30 %install 26 [ $RPM_BUILD_ROOT != / ] && rm -rf $RPM_BUILD_ROOT27 31 make install DESTDIR=$RPM_BUILD_ROOT exec_prefix=/usr/local 28 32 29 %clean 30 [ $RPM_BUILD_ROOT != / ] && rm -rf $RPM_BUILD_ROOT 33 %post 34 if [ $1 -eq 1 ] ; then 35 # Initial installation 36 /bin/systemctl enable scripts-whoisd.service >/dev/null 2>&1 || : 37 fi 38 39 %preun 40 if [ $1 -eq 0 ]; then 41 /bin/systemctl --no-reload disable scripts-whoisd.service >/dev/null 2>&1 || : 42 /bin/systemctl stop scripts-whoisd.service > /dev/null 2>&1 || : 43 fi 44 45 %postun 46 /bin/systemctl daemon-reload >/dev/null 2>&1 || : 47 if [ $1 -ge 1 ]; then 48 /bin/systemctl try-restart scripts-whoisd.service >/dev/null 2>&1 || : 49 fi 31 50 32 51 %files 33 52 %defattr(0644,root,root,-) 34 53 /usr/local/libexec/whoisd.tac 35 %defattr(06 00,root,root)36 / etc/cron.d/whoisd54 %defattr(0644,root,root) 55 /lib/systemd/system/scripts-whoisd.service 37 56 38 57 %changelog 58 * Thu Aug 25 2011 Alexander Chernyakhovsky <achernya@mit.edu> 0-1 59 - package systemd service file 39 60 40 61 * Tue Jun 03 2008 Joe Presbrey <presbrey@mit.edu> 0.00 -
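Review bot: The `%files` entry hard-codes `/lib/systemd/system/scripts-whoisd.service`, while tokensys.spec in this same changeset uses `%{_unitdir}`. Writing it as `%{_unitdir}/scripts-whoisd.service` keeps the package correct if the distribution moves the unit directory. `%post` also enables the service on first install without the `systemctl daemon-reload` that tokensys.spec runs in the same branch, so the two specs would be easier to maintain if they followed one scriptlet pattern.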
trunk/server/fedora/specs/zephyr.spec
r1693 r2066 1 1 Name: zephyr 2 Version: 3.0 2 Version: 3.0.1 3 3 Release: 0.%{scriptsversion}%{?dist} 4 4 Summary: Client programs for the Zephyr real-time messaging system … … 71 71 make %{?_smp_mflags} 72 72 73 74 73 %install 75 74 rm -rf $RPM_BUILD_ROOT … … 80 79 install -m755 zhm.init \ 81 80 $RPM_BUILD_ROOT%{_initddir}/zhm 82 81 # Make RPM's Provide: searcher actually search the .so files! A recent 82 # change in how RPM detects Provides automatically means that only 83 # files that are executable get searched. Without this hack, all of 84 # the zephyr client tools are Requires: libzephyr.so.4 which is never 85 # Provides:, leading to uninstallable RPMS. This can be removed when 86 # zephyr starts installing the libraries with mode 755 rather than 87 # 644. (Zephyr #79) 88 chmod a+x $RPM_BUILD_ROOT%{_libdir}/libzephyr.so.* 83 89 84 90 %post … … 139 145 140 146 %changelog 147 * Sat Apr 16 2011 Alexander Chernyakhovsky <achernya@mit.edu> 3.0.1-0 148 - Zephyr 3.0.1 149 141 150 * Sun Sep 19 2010 Anders Kaseorg <andersk@mit.edu> - 3.0-0 142 151 - Decrease version below a hypothetical Fedora package.