Commit c191356c authored by Mathieu Mirmont's avatar Mathieu Mirmont

Fix service crash after installation (Closes: #859419)

OpenDNSSEC requires manual configuration before the signer and enforcer
daemons can be started.

One of these configuration steps consists of installing and configuring
a Hardware Security Module (HSM) that will handle the cryptographic key
operations. Most people will want to use the software HSM implementation
provided by the recommended softhsm2 package, but other options are
possible.

The file /etc/opendnssec/prevent-startup is created during fresh
installations and prevents the daemons from being automatically started.
Users are expected to remove this file and start the daemons once they
have configured OpenDNSSEC.
parent 4a58673a
......@@ -13,4 +13,21 @@ to add opendnssec user to softhsm group by issuing:
# adduser opendnssec softhsm
-- Ondřej Surý <ondrej@debian.org>, Mon, 2 Jan 2017 15:55:37 +0100
Manual configuration required
-----------------------------
OpenDNSSEC requires manual configuration before the signer and
enforcer daemons can be started.
One of these configuration steps consists in installing and
configuring a Hardware Security Module (HSM) that will handle the
cryptographic key operations. Most people will want to use the
software HSM implementation provided by the recommended softhsm2
package, but other options are possible.
The file /etc/opendnssec/prevent-startup is created during fresh
installations and prevents the daemons from being automatically
started. You should remove this file and start the daemons once you
have configured OpenDNSSEC.
-- Mathieu Mirmont <mat@parad0x.org>, Wed, 30 Jan 2019 17:46:07 +0100
......@@ -8,4 +8,10 @@ if [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.0"; then
db_go
fi
# Warn about the extra configuration step required, but only on fresh installs.
if [ -z "$2" ]; then
db_input high opendnssec/conf-required || true
db_go
fi
exit 0
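Review bot: The new `db_input high opendnssec/conf-required || true` block only fires when `$2` is empty, so under `DEBIAN_FRONTEND=noninteractive` (the usual automated-provisioning case) the note is never displayed and the only trace of the required step is the NEWS entry and the marker file itself; a one-line `echo` to stderr from postinst at the point the marker is written would reach those installs too. Debian Policy also discourages debconf `note` templates for information that belongs in NEWS.Debian, which this commit already adds, so it may be worth a comment stating why the note is kept in addition, e.g. `# Note duplicates NEWS.Debian deliberately: the daemons will not start until the marker is removed.` The `|| true` is the standard idiom for db_input returning 30 when the question is skipped and could carry that as a comment as well.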
......@@ -15,6 +15,24 @@ unset_perms() {
dpkg-statoverride --quiet --remove "$1" || true
}
disable_autostart() {
cat <<-EOF > /etc/opendnssec/prevent-startup
OpenDNSSEC requires manual configuration before the signer and enforcer
daemons can be started.
One of these configuration steps involves installing and configuring a
Hardware Security Module (HSM) that will handle the cryptographic key
operations. Most people will want to use the software HSM
implementation provided by the recommended softhsm2 package, but other
options are possible.
The file /etc/opendnssec/prevent-startup (this file) is created during
fresh install ations and prevents the daemons from being automatically
started. You should remove this file and start the daemons once you
have configured OpenDNSSEC.
EOF
}
case "$1" in
configure)
......@@ -47,6 +65,11 @@ case "$1" in
set_perms root opendnssec 0640 /etc/opendnssec/$conf
done
# Prevent the daemons from being started automatically, but only on
# fresh installs.
if [ -z "$2" ]; then
disable_autostart
fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
......@@ -40,6 +40,7 @@ case "$1" in
deluser --quiet opendnssec || true
fi
rm -f /etc/opendnssec/prevent-startup
;;
abort-install|abort-upgrade)
......@@ -15,3 +15,20 @@ _Description: OpenDNSSEC 2.0.0 database and tools migration
have tooling around OpenDNSSEC you should be aware that some command line
utilities have changed. A fair amount of backward compatibility has been
respected, but changes are present.
Template: opendnssec/conf-required
Type: note
_Description: Manual OpenDNSSEC configuration required
OpenDNSSEC requires manual configuration before the signer and
enforcer daemons can be started.
.
One of these configuration steps consists of installing and
configuring a Hardware Security Module (HSM) that will handle the
cryptographic key operations. Most people will want to use the
software HSM implementation provided by the recommended softhsm2
package, but other options are possible.
.
The file /etc/opendnssec/prevent-startup is created during fresh
installations and prevents the daemons from being automatically
started. You should remove this file and start the daemons once you
have configured OpenDNSSEC.
......@@ -38,4 +38,10 @@ do_tmpfiles() {
do_start_prepare() {
do_tmpfiles "$(basename "$0")"
DAEMON_ARGS="$DAEMON_ARGS $ODS_ENFORCERD_OPT"
# Prevent startup if this file exists
if [ -e /etc/opendnssec/prevent-startup ]; then
log_action_msg "Not starting $DESC (/etc/opendnssec/prevent-startup)"
exit 0
fi
}
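Review bot: `exit 0` inside `do_start_prepare` makes `service opendnssec-enforcer start` report success while nothing was started; that is the Debian convention for a deliberately disabled service, but the reason deserves a comment because a reader will otherwise take it for a bug, e.g. `# exit 0, not failure: boot and package upgrades must not report an error while the service is intentionally unconfigured`. `log_action_msg` prints an informational line; `log_warning_msg` would make the skipped start stand out the way a failed systemd Condition does in `systemctl status`. Whether init-d-script invokes do_start_prepare in the main shell, so that `exit` ends the whole script rather than a subshell, is not visible here and should be confirmed against /lib/init/init-d-script.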
......@@ -7,6 +7,7 @@ Type=simple
EnvironmentFile=-/etc/default/opendnssec
EnvironmentFile=-/etc/default/opendnssec-enforcer
ExecStart=/usr/sbin/ods-enforcerd -d $DAEMON_ARGS $ODS_ENFORCERD_OPT
ConditionPathExists=!/etc/opendnssec/prevent-startup
[Install]
WantedBy=multi-user.target
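Review bot: `ConditionPathExists=!/etc/opendnssec/prevent-startup` is a [Unit]-section directive, but the hunk places it in the [Service] section, between `ExecStart=` and `[Install]` (the hunk context `Type=simple`, `EnvironmentFile=` and `ExecStart=` are all [Service] keys). systemd logs an unknown-key warning for a directive in the wrong section and ignores it, so on systemd systems the guard this commit introduces would not take effect and ods-enforcerd would still be started after a fresh install. Move the line into the [Unit] section, which lies outside this hunk. Once it is in effect, a failed Condition makes `systemctl start` return success silently with only a journal line, so the NEWS entry could mention that `systemctl status` is where the skip is visible.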
......@@ -35,4 +35,10 @@ do_tmpfiles() {
do_start_prepare() {
do_tmpfiles "$(basename "$0")"
DAEMON_ARGS="$DAEMON_ARGS $ODS_SIGNERD_OPT"
# Prevent startup if this file exists
if [ -e /etc/opendnssec/prevent-startup ]; then
log_action_msg "Not starting $DESC (/etc/opendnssec/prevent-startup)"
exit 0
fi
}
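Review bot: The `exit 0` added to the signer's `do_start_prepare` terminates the script with a success status before the daemon is started, which is the conventional Debian behaviour for a service disabled on purpose but is not explained; a why-comment such as `# exit 0, not failure: boot and upgrades must not report an error while the service is intentionally unconfigured` would prevent it being "fixed" later. Using `log_warning_msg` instead of `log_action_msg` would make the skipped start visible as a warning in the console output. Confirm that init-d-script calls do_start_prepare in the main shell so that `exit` is not swallowed by a subshell; that is not visible from this hunk.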
......@@ -7,6 +7,7 @@ Type=simple
EnvironmentFile=-/etc/default/opendnssec
EnvironmentFile=-/etc/default/opendnssec-signer
ExecStart=/usr/sbin/ods-signerd -d $DAEMON_ARGS $ODS_SIGNERD_OPT
ConditionPathExists=!/etc/opendnssec/prevent-startup
[Install]
WantedBy=multi-user.target
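Review bot: `ConditionPathExists=!/etc/opendnssec/prevent-startup` belongs in the [Unit] section, but here it is added inside [Service], after `ExecStart=` and just before `[Install]`; systemd ignores a directive placed in the wrong section (with a warning in the journal), so the signer unit would still start on systemd systems despite the marker file. Move the line under [Unit], which is outside this hunk, and verify with `systemd-analyze verify` or by checking `systemctl status` for the "Condition check resulted in ... being skipped" line after a fresh install.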
From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@debian.org>
Date: Wed, 21 Oct 2015 10:46:05 +0200
Subject: comment out the default SoftHSM block
---
conf/conf.xml.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/conf/conf.xml.in
+++ b/conf/conf.xml.in
@@ -4,6 +4,7 @@
<RepositoryList>
+<!--
<Repository name="SoftHSM">
<Module>@pkcs11_softhsm_module@</Module>
<TokenLabel>OpenDNSSEC</TokenLabel>
@@ -13,6 +14,7 @@
<AllowExtraction/>
-->
</Repository>
+-->
<!--
<Repository name="sca6000">
0001-fix-localstate-dir.patch
0002-comment-out-the-default-SoftHSM-block.patch
0003-rename-regress-for-autotest.patch
0004-ods-control.in-fixes.patch
0005-Fix-manpage-sections.patch