Merge pull request #2182 from orlitzky/openrc-improvements

OpenRC service script improvements

MANIFEST

@@ -393,8 +393,8 @@ files/fail2ban.service.in
 files/fail2ban-tmpfiles.conf
 files/fail2ban.upstart
 files/gen_badbots
-files/gentoo-confd
+files/fail2ban-openrc.conf
-files/gentoo-initd
+files/fail2ban-openrc.init.in
 files/ipmasq-ZZZzzz_fail2ban.rul
 files/logwatch/fail2ban
 files/logwatch/fail2ban-0.8.log

files/fail2ban-openrc.conf

@@ -0,0 +1,2 @@
+# For available options, plase run "fail2ban-server --help".
+#FAIL2BAN_OPTIONS="-x"

files/fail2ban-openrc.init.in

@@ -0,0 +1,86 @@
+#!/sbin/openrc-run
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# Author: Sireyessire, Cyril Jaquier
+#
+
+description="Ban hosts that cause multiple authentication errors"
+description_reload="reload configuration without dropping bans"
+extra_started_commands="reload"
+
+# Can't (and shouldn't) be changed by the end-user.
+#
+# Note that @BINDIR@ is already supplied by the build system. Some
+# day, it might be nice to have @RUNDIR@ supplied by the build system
+# as well, so that we don't have to hard-code /run here.
+FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
+FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"
+
+# The fail2ban-client program is also capable of starting and stopping
+# the server, but things are simpler if we let start-stop-daemon do it.
+command="@BINDIR@/fail2ban-server"
+pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"
+
+# We force the pidfile/socket location in this service script because
+# we're taking responsibility for ensuring that their parent directory
+# exists and has the correct permissions (which we can't do if the
+# user is allowed to change them).
+command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
+retry="30"
+
+depend() {
+	use logger
+	after iptables
+}
+
+checkconfig() {
+    "${command}" ${command_args} --test
+}
+
+start_pre() {
+	# If this isn't a restart, make sure that the user's config isn't
+	# busted before we try to start the daemon (this will produce
+	# better error messages than if we just try to start it blindly).
+	#
+	# If, on the other hand, this *is* a restart, then the stop_pre
+	# action will have ensured that the config is usable and we don't
+	# need to do that again.
+	if [ "${RC_CMD}" != "restart" ] ; then
+		checkconfig || return $?
+	fi
+	checkpath -d "${FAIL2BAN_RUNDIR}"
+}
+
+stop_pre() {
+	# If this is a restart, check to make sure the user's config
+	# isn't busted before we stop the running daemon.
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+reload() {
+	# The fail2ban-client uses an undocumented protocol to tell
+	# the server to reload(), so we have to use it here rather
+	# than e.g. sending a signal to the server daemon. Note that
+	# the reload will fail (on the server side) if the new config
+	# is invalid; we therefore don't need to test it ourselves
+	# with checkconfig() before initiating the reload.
+	ebegin "Reloading ${RC_SVCNAME}"
+	"@BINDIR@/fail2ban-client" ${command_args} reload
+	eend $? "Failed to reload ${RC_SVCNAME}"
+}

files/gentoo-confd

@@ -1,8 +0,0 @@
-# Config file for /etc/init.d/fail2ban
-#
-# For information on options, see "/usr/bin/fail2ban-client -h".
-
-FAIL2BAN_OPTIONS=""
-
-# Force execution of the server even if the socket already exists:
-#FAIL2BAN_OPTIONS="-x"

files/gentoo-initd

@@ -1,60 +0,0 @@
-#!/sbin/openrc-run
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-#
-# Author: Sireyessire, Cyril Jaquier
-#
-
-description="Daemon to ban hosts that cause multiple authentication errors"
-description_reload="reload configuration"
-description_showlog="show fail2ban logs"
-extra_started_commands="reload showlog"
-
-FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"
-
-depend() {
-	need net
-	need logger
-	after iptables
-}
-
-start() {
-	ebegin "Starting fail2ban"
-	mkdir -p /var/run/fail2ban || return 1
-	# remove stalled sock file after system crash
-	# bug 347477
-	rm -f /var/run/fail2ban/fail2ban.sock || return 1
-	start-stop-daemon --start --pidfile /var/run/fail2ban/fail2ban.pid \
-	-- ${FAIL2BAN} start
-	eend $? "Failed to start fail2ban"
-}
-
-stop() {
-	ebegin "Stopping fail2ban"
-	start-stop-daemon --stop --pidfile /var/run/fail2ban/fail2ban.pid --retry 30 \
-	-- ${FAIL2BAN} stop
-	eend $? "Failed to stop fail2ban"
-}
-
-reload() {
-	ebegin "Reloading fail2ban"
-	${FAIL2BAN} reload
-	eend $? "Failed to reload fail2ban"
-}
-
-showlog(){
-	less /var/log/fail2ban.log
-}

setup.py

@@ -89,24 +89,27 @@ class install_scripts_f2b(install_scripts):
 			if install_dir.startswith(root):
 				install_dir = install_dir[len(root):]
 		except: # pragma: no cover
-			print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".')
+			print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service" and "fail2ban-openrc.init".')
-		print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir))
+
-		with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn:
+		scripts = ['fail2ban.service', 'fail2ban-openrc.init']
-			lines = fn.readlines()
+		for script in scripts:
-		fn = None
+			print('Creating %s/%s (from %s.in): @BINDIR@ -> %s' % (buildroot, script, script, install_dir))
-		if not dry_run:
+			with open(os.path.join(source_dir, 'files/%s.in' % script), 'r') as fn:
-			fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w')
+				lines = fn.readlines()
-		try:
+			fn = None
-			for ln in lines:
+			if not dry_run:
-				ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
+				fn = open(os.path.join(buildroot, script), 'w')
-				if dry_run:
+			try:
-					sys.stdout.write(' | ' + ln)
+				for ln in lines:
-					continue
+					ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
-				fn.write(ln)
+					if dry_run:
-		finally:
+						sys.stdout.write(' | ' + ln)
-			if fn: fn.close()
+						continue
-		if dry_run:
+					fn.write(ln)
-			print(' `')
+			finally:
+				if fn: fn.close()
+			if dry_run:
+				print(' `')
 
 
 # Wrapper to specify fail2ban own options: