From a259e71858ba80af89b192a34275fb0048f30ef1 Mon Sep 17 00:00:00 2001 From: "Alex Xu (Hello71)" Date: Wed, 8 Aug 2018 23:13:59 -0400 Subject: Add systemd units, DESTDIR support --- INSTALL | 2 +- Makefile.in | 18 +++++++++++++----- configure.ac | 1 - random-seed-save.service | 16 ++++++++++++++++ random-seed-save.timer | 11 +++++++++++ random-seed.service | 28 ++++++++++++++++++++++++++++ random-seed.service.in | 28 ++++++++++++++++++++++++++++ 7 files changed, 97 insertions(+), 7 deletions(-) create mode 100644 random-seed-save.service create mode 100644 random-seed-save.timer create mode 100644 random-seed.service create mode 100644 random-seed.service.in diff --git a/INSTALL b/INSTALL index 11f3a22..1ee0cf6 100644 --- a/INSTALL +++ b/INSTALL @@ -6,5 +6,5 @@ Tests must be run as root in order to access RNDADDENTROPY. On systemd, to set random-seed as your random seed provider, execute: - systemctl enable random-seed + systemctl enable random-seed.service random-seed-save.timer systemctl mask systemd-random-seed diff --git a/Makefile.in b/Makefile.in index cbd4cdf..57aa4cb 100644 --- a/Makefile.in +++ b/Makefile.in @@ -11,6 +11,7 @@ sysconfdir = @sysconfdir@ localstatedir = @localstatedir@ mandir = @mandir@ systemdsystemunitdir = @systemdsystemunitdir@ +default_seed_path_dir = @default_seed_path_dir@ CC = @CC@ CFLAGS = -Wall -Wextra -pedantic @CFLAGS@ -MD -MP -UNDEBUG -include @abs_top_builddir@/config.h 
@@ -22,15 +23,22 @@ OBJ := $(SRC:.c=.o) DEP := $(SRC:.c=.d) TEST_FILE := random-seed.test -all: random-seed +all: random-seed random-seed.service random-seed: $(OBJ) -install: random-seed - install -D -m755 random-seed $(sbindir)/random-seed - install -D -m644 $(abs_srcdir)/random-seed.8 $(mandir)/man8/random-seed.8 +random-seed.service: random-seed.service.in + sed -e 's|@sbindir[@]|$(sbindir)|g' \ + -e 's|@default_seed_path_dir[@]|$(default_seed_path_dir)|g' \ + $< > $@ + +install: all + install -D -m755 random-seed $(DESTDIR)$(sbindir)/random-seed + install -D -m644 $(abs_srcdir)/random-seed.8 $(DESTDIR)$(mandir)/man8/random-seed.8 ifneq ($(systemdsystemunitdir),) - install -D -m644 $(abs_srcdir)/random-seed.service $(systemdsystemunitdir)/random-seed.service + install -D -m644 random-seed.service $(DESTDIR)$(systemdsystemunitdir)/random-seed.service + install -D -m644 $(abs_srcdir)/random-seed-save.service $(DESTDIR)$(systemdsystemunitdir)/random-seed-save.service + install -D -m644 $(abs_srcdir)/random-seed-save.timer $(DESTDIR)$(systemdsystemunitdir)/random-seed-save.timer endif test: $(TEST_FILE) diff --git a/configure.ac b/configure.ac index 51397a3..d13b943 100644 --- a/configure.ac +++ b/configure.ac @@ -42,7 +42,6 @@ AC_ARG_WITH([default-seed-path], [default_seed_path=$withval], [default_seed_path=/var/lib/random-seed]) AC_DEFINE_UNQUOTED(DEFAULT_SEED_PATH, "$default_seed_path", [default seed path]) -# assume people will not specify default_seed_path=/ default_seed_path_dir=${default_seed_path%/*} AC_SUBST(default_seed_path_dir) diff --git a/random-seed-save.service b/random-seed-save.service new file mode 100644 index 0000000..a9858bc --- /dev/null +++ b/random-seed-save.service 
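Review bot: `random-seed-save.service` is installed verbatim from `$(abs_srcdir)` in the `install` recipe, but the file this commit adds still carries `@sbindir@` and `@default_seed_path_dir@`, and only `random-seed.service` gets a sed rule. The installed save unit would therefore ship with `ExecStart=@sbindir@/random-seed save` and `BindPaths=@default_seed_path_dir@`, neither of which resolves to the configured paths, so the timer-driven save would not run. Renaming the template to `random-seed-save.service.in` and generating both units from one pattern rule keeps them in step. The sketch below also writes through `$@.tmp`, so a failed sed cannot leave a truncated unit that looks up to date.

```make
all: random-seed random-seed.service random-seed-save.service

# One rule for every unit template, so no unit is installed with raw @...@ placeholders.
%.service: %.service.in
	sed -e 's|@sbindir[@]|$(sbindir)|g' \
	    -e 's|@default_seed_path_dir[@]|$(default_seed_path_dir)|g' \
	    $< > $@.tmp
	mv -f $@.tmp $@

# … unchanged: install of the binary, man page and random-seed.service …
	install -D -m644 random-seed-save.service $(DESTDIR)$(systemdsystemunitdir)/random-seed-save.service
```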
@@ -0,0 +1,16 @@
+[Unit]
+Description=Random seed save
+RequiresMountsFor=@default_seed_path_dir@
+After=systemd-remount-fs.service
+
+[Service]
+ExecStart=@sbindir@/random-seed save
+CapabilityBoundingSet=CAP_SYS_ADMIN
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+LockPersonality=yes
+TemporaryFileSystem=/:ro
+BindPaths=@default_seed_path_dir@
diff --git a/random-seed-save.timer b/random-seed-save.timer
new file mode 100644
index 0000000..f39227d
--- /dev/null
+++ b/random-seed-save.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Random seed save timer
+ConditionVirtualization=!container
+
+[Timer]
+OnActiveSec=3h
+OnUnitInactiveSec=3h
+AccuracySec=2h
+
+[Install]
+WantedBy=timers.target
diff --git a/random-seed.service b/random-seed.service
new file mode 100644
index 0000000..04b2ef5
--- /dev/null
+++ b/random-seed.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Random seed load/save
+Documentation=man:random-seed(8) man:random(4)
+DefaultDependencies=no
+RequiresMountsFor=/var/lib
+Conflicts=shutdown.target
+After=systemd-remount-fs.service
+Before=sysinit.target shutdown.target
+ConditionVirtualization=!container
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/random-seed load
+ExecStop=/usr/local/sbin/random-seed save
+CapabilityBoundingSet=CAP_SYS_ADMIN
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+LockPersonality=yes
+TemporaryFileSystem=/:ro
+BindPaths=/var/lib
+TimeoutSec=30s
+
+[Install]
+WantedBy=sysinit.target
diff --git a/random-seed.service.in b/random-seed.service.in
new file mode 100644
index 0000000..97bda54
--- /dev/null
+++ b/random-seed.service.in
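Review bot: In `random-seed-save.service`, `TemporaryFileSystem=/:ro` replaces the whole root with an empty tmpfs and the only path bound back in is `BindPaths=@default_seed_path_dir@`, so as far as this unit shows the `ExecStart=` binary under `@sbindir@` is not visible inside the namespace. Unless something outside the hunk provides it, the unit would need a line such as `BindReadOnlyPaths=@sbindir@/random-seed`, plus the dynamic loader and library directories if the binary is not statically linked. The same pair of directives appears in `random-seed.service` and `random-seed.service.in`, so whatever is decided here applies to them too. A short comment above the sandboxing block listing the paths the program needs would make the intent checkable.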
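Review bot: `random-seed.service` is the generated output of the new `random-seed.service: random-seed.service.in` rule, yet it is committed here with `/usr/local/sbin` and `/var/lib` already substituted. In an in-tree build make will likely treat the checked-in copy as up to date whenever it is not older than the template, so a tree configured with a different `--sbindir` or seed path would still install `ExecStart=/usr/local/sbin/random-seed load`. Dropping the file from the repository (and adding it to the ignore list and the `clean` target, neither of which is visible in this diff) leaves the template as the single source.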
@@ -0,0 +1,28 @@
+[Unit]
+Description=Random seed load/save
+Documentation=man:random-seed(8) man:random(4)
+DefaultDependencies=no
+RequiresMountsFor=@default_seed_path_dir@
+Conflicts=shutdown.target
+After=systemd-remount-fs.service
+Before=sysinit.target shutdown.target
+ConditionVirtualization=!container
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@sbindir@/random-seed load
+ExecStop=@sbindir@/random-seed save
+CapabilityBoundingSet=CAP_SYS_ADMIN
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+LockPersonality=yes
+TemporaryFileSystem=/:ro
+BindPaths=@default_seed_path_dir@
+TimeoutSec=30s
+
+[Install]
+WantedBy=sysinit.target
-- cgit v1.2.3-54-g00ecf
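Review bot: `BindPaths=@default_seed_path_dir@` makes the parent directory of the seed file writable inside the sandbox, and with the default from `configure.ac` (`/var/lib/random-seed`, stripped by `${default_seed_path%/*}`) that parent is all of `/var/lib`. A service that keeps `CAP_SYS_ADMIN` in its bounding set then has a far wider write surface than the one file it maintains; keeping the seed in a directory of its own (for example a default such as `/var/lib/random-seed/seed`) would let the bind cover only that directory. The same expansion yields an empty string for a seed path directly under `/`, which would leave `RequiresMountsFor=` and `BindPaths=` empty, so configure should probably reject that case now that the comment about it is removed. `random-seed-save.service` has the same `BindPaths=` line.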