Cleaning up

- Use systemd-rpm macros - Remove %triggerun for openvpn < 2.2.1 (which is way too old anyhow for newer Fedoras) - Fixed several issues with installed files - Fixed ./configure arguments - several of them where outdated or used wrong - Removed the deprecated openvpn@.service in favour of the new upstream unit files - Added README.systemd which describes the new unit files - Fixed wrong mixing of %doc and %{_pkgdocdir} causing duplication of sample and contrib directories - Install management-notes.txt, which contains useful information about the OpenVPN management interface commands - Don't own %{_localstatedir}/run/%{name} ... that's handled by tmpfiles.d/openvpn.conf instead. - Own /etc/openvpn{,client,server}/
8 years ago · a9b2582ae9
parent 4daec6fd69
commit a9b2582ae9
3 changed files with 96 additions and 83 deletions
--- a/README.systemd
+++ b/README.systemd
@ -0,0 +1,71 @@
+OpenVPN and systemd
+===================
+
+As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a
+fine grained control of each OpenVPN configuration as well as trying to
+restrict the capabilities the OpenVPN process have on a system.
+
+
+Configuration profile types
+---------------------------
+These new unit files separates between client and server profiles.  The
+configuration files are kept in separate directories, to provide clarity
+of the profile they run under.
+
+Typically the client profile cannot bind to any ports below port 1024
+and the client configuration is always started with --nobind.
+
+The server profile is allowed to bind to any ports.  In addition it enables
+a client status file, usually found in the /run/openvpn-server directory.
+The status format is set to version 2 by default.  These settings may be
+overridden by adding --status and/or --status-version in the OpenVPN
+configuration file.
+
+Neither of these profiles makes use of PID files, but OpenVPN reports back to
+systemd its PID once it has initialized.
+
+For configuration using a peer-to-peer mode (not using --mode server on one
+of the sides) it is recommended to use the client profile.
+
+
+Configuration files
+-------------------
+These new unit files expects client configuration files to be made available
+in /etc/openvpn/client.  Similar for the server configurations, it is expected
+to be found in /etc/openvpn/server.  The configuration files must have a .conf
+file extension.
+
+
+Managing VPN tunnels
+--------------------
+Use the normal systemctl tool to start, stop VPN tunnels, as well as enable
+and disable tunnels at boot time.  The syntax is:
+
+ - client configurations:
+    # systemctl $OPER openvpn-client@$CONFIGNAME
+
+ - server configurations:
+    # systemctl $OPER openvpn-server@$CONFIGNAME
+
+Similarly, to view the OpenVPN journal log use a similar syntax:
+
+   # journalctl -u openvpn-client@$CONFIGNAME
+ or
+   # journalctl -u openvpn-server@$CONFIGNAME
+
+* Examples
+  Say your server configuration is /etc/openvpn/server/tun0.conf, you
+  start this VPN service like this:
+
+    # systemctl start openvpn-server@tun0
+
+  A client configuration file in /etc/openvpn/client/corpvpn.conf is
+  started like this:
+
+    # systemctl start openvpn-client@corpvpn
+
+  To view the server configuration's journal only listing entries from
+  yesterday and until today:
+
+    # journalctl --since yesterday -u openvpn-server@tun0
+
--- a/openvpn.spec
+++ b/openvpn.spec
@ -10,18 +10,10 @@ Summary:           A full-featured SSL VPN solution
 URL:               https://community.openvpn.net/
 Source0:           https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
 Source1:           https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
-# Sample 2.0 config files
 Source2:           roadwarrior-server.conf
 Source3:           roadwarrior-client.conf
-# Systemd service  (deprecated)
-Source4:           openvpn@.service
-
-# Don't start openvpn by default.
-#Patch0:            openvpn-init.patch
-#Patch1:            openvpn-script-security.patch
-#Patch2:            openvpn-2.1.1-init.patch
-#Patch3:            openvpn-2.1.1-initinfo.patch
-Patch4:             0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
+Source4:           README.systemd
+Patch0:            0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
 License:           GPLv2
 Group:             Applications/Internet
 BuildRequires:     systemd-devel
@ -56,11 +48,7 @@ for compression.

 %prep
 %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
-#%patch0 -p0
-#%patch1 -p1
-#%patch2 -p0
-#%patch3 -p0
-%patch4 -p1
+%patch0 -p1

 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8

@ -69,24 +57,16 @@ find contrib sample -type f -perm /100 \
    -exec chmod a-x {} \;

 %build
-#  --enable-pthread        Enable pthread support (Experimental for OpenVPN 2.0)
-#  --enable-password-save  Allow --askpass and --auth-user-pass passwords to be
-#                          read from a file
-#  --enable-iproute2       Enable support for iproute2
-#  --with-ifconfig-path=PATH   Path to ifconfig tool
-#  --with-iproute-path=PATH    Path to iproute tool
-#  --with-route-path=PATH  Path to route tool
 %configure \
    --enable-iproute2 \
-    --with-iproute-path=/sbin/ip \
-    --enable-plugins \
-    --enable-plugin-down-root \
-    --enable-plugin-auth-pam \
    --with-crypto-library=mbedtls \
+    --enable-selinux \
    --enable-systemd \
    --docdir=%{_pkgdocdir} \
    SYSTEMD_UNIT_DIR=%{_unitdir} \
-    TMPFILES_DIR=%{_tmpfilesdir}
+    TMPFILES_DIR=%{_tmpfilesdir} \
+    IPROUTE=/sbin/ip
+#    --enable-pkcs11 \
 %{__make}

 #%check
@ -119,29 +99,15 @@ find contrib sample -type f -perm /100 \
 #    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server

 %install
-#install -D -m 0644 doc/%{name}.8 $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8
-#install -D -m 0755 src/openvpn/%{name} $RPM_BUILD_ROOT%{_sbindir}/%{name}
-
-mkdir -p %{buildroot}%{_unitdir}
-install -D -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/
-rm -rf %{buildroot}%{_initrddir}
-install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}
-
-#mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}
-#cp -pR easy-rsa $RPM_BUILD_ROOT%{_datadir}/%{name}/
-#rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}/easy-rsa/Windows
-cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
-
 %{__make} install DESTDIR=$RPM_BUILD_ROOT
 find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
+mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
+cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/

 # Package installs into %%{_pkgdocdir} directly
 # Add further files
-cp -a AUTHORS PORTS INSTALL contrib sample $RPM_BUILD_ROOT%{_pkgdocdir}
+cp -a AUTHORS contrib sample %{SOURCE4} $RPM_BUILD_ROOT%{_pkgdocdir}

-# tmpfiles.d
-mkdir -p %{buildroot}%{_localstatedir}/run/
-install -d -m 0710 %{buildroot}%{_localstatedir}/run/%{name}/

 %pre
 getent group openvpn &>/dev/null || groupadd -r openvpn
@ -150,54 +116,42 @@ getent passwd openvpn &>/dev/null || \
        -d /etc/openvpn openvpn

 %post
-if [ $1 -eq 1 ] ; then 
-    # Initial installation 
-    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
-fi
+%systemd_post openvpn-client@\*.service
+%systemd_post openvpn-server@\*.service

 %preun
-if [ $1 -eq 0 ] ; then
-    # Package removal, not upgrade
-    /bin/systemctl --no-reload disable openvpn.service > /dev/null 2>&1 || :
-    /bin/systemctl stop openvpn.service > /dev/null 2>&1 || :
-fi
+%systemd_preun openvpn-client@\*.service
+%systemd_preun openvpn-server@\*.service

 %postun
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-# Normally, we'd try a restart here, but in this case, it could be troublesome.
-
-%triggerun -- openvpn < 2.2.1-2
-# Save the current service runlevel info
-# User must manually run systemd-sysv-convert --apply openvpn
-# to migrate them to systemd targets
-/usr/bin/systemd-sysv-convert --save openvpn >/dev/null 2>&1 ||:
-
-# Run these because the SysV package being removed won't do them
-/sbin/chkconfig --del openvpn >/dev/null 2>&1 || :
-/bin/systemctl try-restart openvpn.service >/dev/null 2>&1 || :
+%systemd_postun openvpn-client@\*.service
+%systemd_postun openvpn-server@\*.service


 %files
 %{_pkgdocdir}
 %exclude %{_pkgdocdir}/README.IPv6
 %exclude %{_pkgdocdir}/README.polarssl
-%exclude %{_pkgdocdir}/management-notes.txt
-
-%doc contrib sample
 %{_mandir}/man8/%{name}.8*
 %{_sbindir}/%{name}
-#%{_datadir}/%{name}/
 %{_includedir}/openvpn-plugin.h
 %{_includedir}/openvpn-msg.h
 %{_libdir}/%{name}/
-%{_unitdir}/%{name}@.service
 %{_unitdir}/%{name}-client@.service
 %{_unitdir}/%{name}-server@.service
 %{_tmpfilesdir}/%{name}.conf
-%attr(0710,root,openvpn) %dir %{_localstatedir}/run/%{name}/
 %config %dir %{_sysconfdir}/%{name}/
+%config %dir %{_sysconfdir}/%{name}/client
+%config %dir %{_sysconfdir}/%{name}/server
+

 %changelog
+* Fri Mar 24 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-2
+- Various cleanups
+- Use systemd-rpm macros (rhbz #850257)
+- Removed the deprecated openvpn@.service unit.  Replaced by openvpn-{client,server}@.service
+- Added README.systemd describing new systemd unit files
+
 * Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
 - Updating to upstream release, v2.4.1
 - Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
--- a/openvpn@.service
+++ b/openvpn@.service
@ -1,12 +0,0 @@
-[Unit]
-Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
-After=network.target
-
-[Service]
-PrivateTmp=true
-Type=forking
-PIDFile=/var/run/openvpn/%i.pid
-ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
-
-[Install]
-WantedBy=multi-user.target