Marko,

It's an interesting approach, though it requires that you gentooize the
openvpn config files, therefore breaking the ability to move the config files
across platforms.

I'm not sure if the init script you provided is just something you wrote for
personal use, or if you are making an argument that it (or the style it
embodies) should be officially incorporated as the Gentoo Init Script for
OpenVPN. If it is the latter, then I must take this opportunity to argue :)

If you look at other services (apache, samba, etc.) there is a precedent for
only putting very minimal info (such as command line options) in conf.d, but
leaving the .conf files as they are in /etc/<package>. I think it's important
for .conf files to be compatible across different distros and OSes, and IMHO
if you start moving too much complexity from .conf files to conf.d files, they
lose their lightweight "meta-configuration" properties, and instead just
become new versions of .conf files which don't add any new value and subtract
from portability.

Now having said that, I appreciate the elegance of a simple conf.d file that
can be understood and edited in 5 seconds. I think the way that gentoo has
extracted the parameters formerly hardcoded in init.d files or buried in other
places and put them in conf.d is a nice idiom. But I'm not sure where the
gentoo philosophy for .conf files fits in. Certainly you're not going to put
apache.conf in a conf.d file. Now maybe you figure out the 1% of apache.conf
that people really want to change and put that in conf.d. But for the openvpn
case, I would argue that maintaining the existing configuration architecture
as it exists for other platforms, i.e. putting a .conf file for each tunnel in
/etc/openvpn, makes more sense, as it maintains the individuality of each
tunnel in a separate file. I would use /etc/conf.d/openvpn for something like
global command line parameters to pass to each tunnel, but I'm not sure it's
the right place to put tunnel-specific configuration info.

For a supporting example, take NFS. /etc/conf.d/nfs only contains global
command line parms, while /etc/exports has the per-share data. Another
example is xinetd. Conf files are split across services in /etc/xinetd and
the conf.d file only contains command line parameters.

Anyway, this is my approach to openvpn's init script:

#!/sbin/runscript

# OpenVPN start/stop script
# Adapted to Gentoo by James Yonan

# Originally Contributed to the OpenVPN project by
# Douglas Keller <doug@×××××××××××××××.org>
# 2002.05.15

# This script does the following:
#
# - Starts an openvpn process for each .conf file it finds in
#   /etc/openvpn.
#
# - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
#   it before starting openvpn (useful for doing openvpn --mktun...).

# Location of openvpn binary
openvpn=/usr/local/sbin/openvpn

# PID directory
piddir=/var/run/openvpn

# Our working directory (.conf files should be here)
work=/etc/openvpn

# Our options
opts="start stop restart condrestart"

depend() {
    need net
    use dns
}

start() {
    ebegin "Starting OpenVPN"

    # Load the TUN/TAP module
    /sbin/modprobe tun >/dev/null 2>&1

    if [ ! -d "$piddir" ]; then
        mkdir "$piddir"
    fi

    cd "$work" || { eend 1 "Cannot change to $work"; return 1; }

    # Start every .conf in $work and run .sh if exists
    # (a glob is used rather than parsing `ls` output so that file
    # names reach openvpn intact)
    local errors=0
    local successes=0
    local retstatus=0
    for c in *.conf; do
        [ -f "$c" ] || continue    # pattern matched no file
        bn=${c%%.conf}
        if [ -f "$bn.sh" ]; then
            . "./$bn.sh"
        fi
        rm -f "$piddir/$bn.pid"
        $openvpn --daemon --writepid "$piddir/$bn.pid" --config "$c" --cd "$work"
        if [ $? = 0 ]; then
            successes=1
        else
            errors=1
        fi
    done

    # Decide status based on errors/successes.
    # If at least one tunnel succeeded, we return success.
    # If some tunnels succeeded and some failed, we return
    # success but give a warning.
    if [ $successes = 1 ]; then
        if [ $errors = 1 ]; then
            ewarn "Note: At least one OpenVPN tunnel failed to start"
        fi
    else
        retstatus=1
        if [ $errors = 0 ]; then
            ewarn "Note: No OpenVPN configuration files were found in $work"
        fi
    fi
    eend $retstatus "Error starting OpenVPN"
}

stop() {
    ebegin "Stopping OpenVPN"
    for pidf in "$piddir"/*.pid; do
        [ -f "$pidf" ] || continue
        if [ -s "$pidf" ]; then
            kill "$(cat "$pidf")" >/dev/null 2>&1
        fi
        rm -f "$pidf"
    done
    eend 0
}

# this should really be in runscript.sh
# Note the inverted return convention: 1 (false) when the service is
# already started, 0 (true) when it is not, which is what condrestart
# below relies on.
started() {
    if [ -L "${svcdir}/started/${myservice}" ]; then
        return 1
    else
        return 0
    fi
}

# attempt to restart ONLY if we are already started
condrestart() {
    started || restart
}

#########################

James


Marko Mikulicic <marko@××××.org> said:

> James Yonan wrote:
> > Hi,
> >
> > I'm new to Gentoo and I'm trying to convert the RedHat init script for OpenVPN
> > over to Gentoo's format. Though I'm still learning the Gentoo way of writing
> > init scripts, I would like to suggest the following additions to runscript.sh:
>
> > [....]
> > (2) Condrestart is a useful init script method, often seen in RH init scripts.
> > It basically says "restart only if service is already running". It is
> > commonly used to restart a daemon after a software update. OpenVPN needs it
> > so that the VPN daemon can be restarted if a network adaptor gets a new IP
> > address from a DHCP server. In cases like these, you obviously don't want to
> > restart the daemon unless it is already running. Condrestart becomes
> > breathtakingly simple if started() above is defined:
> >
> > condrestart() {
> >     started || restart
> > }
> >
> > If there are better ways of doing these things in Gentoo, please let me know.
> > Otherwise, I can send a formal patch of my changes to runscript.sh
>
> I don't know the solution for your problem but I have written a simple
> script for openvpn, which I use with success on a bunch of machines. It is
> very "gentooish" because it puts the configuration in /etc/conf.d/openvpn.
> Take a look at it, maybe it can be useful.
>
> marko
>
> [attachment: openvpn]
>
> #!/sbin/runscript
>
> depend() {
>     need net
> }
>
> # Look up the per-session variable ${<name>_<session>} from /etc/conf.d/openvpn
> session() {
>     echo $(eval echo \$\{${1}_${2}\})
> }
>
> start () {
>     ebegin "Starting openvpn"
>     # every remote_<session> variable in conf.d defines one tunnel
>     for i in ${!remote_*}; do
>
>         SESSION=${i##remote_}
>         einfo "starting session $SESSION"
>
>         CMD="openvpn --float --remote $(session remote $SESSION)\
>             --ifconfig $(session ifconfig $SESSION) --dev tun --daemon\
>             --cd /etc/openvpn --writepid /var/run/openvpn/$SESSION.pid"
>
>         if [ -n "$(session secret $SESSION)" ]; then
>             CMD="$CMD --secret $(session secret $SESSION)"
>         fi
>         if [ -n "$(session verbose $SESSION)" ]; then
>             CMD="$CMD --verb $(session verbose $SESSION)"
>         fi
>         if [ -n "$(session shaper $SESSION)" ]; then
>             CMD="$CMD --shaper $(session shaper $SESSION)"
>         fi
>         if [ -n "$(session port $SESSION)" ]; then
>             CMD="$CMD --port $(session port $SESSION)"
>         fi
>         if [ "$(session compression $SESSION)" = "yes" ]; then
>             CMD="$CMD --comp-lzo"
>         fi
>
>         if [ ! -d /var/run/openvpn ]; then
>             mkdir /var/run/openvpn
>         fi
>
>         /usr/sbin/$CMD
>         # can't detect error
>
>         if [ -n "$(session route $SESSION)" ]; then
>             GW=$(echo $(session ifconfig $SESSION) | cut -d " " -f 1)
>
>             # wait up to 5 seconds for the tun address to appear
>             for ((try=0;try<5;try++)); do
>                 ifconfig | grep -q "$GW" && break
>                 sleep 1
>             done
>
>             ifconfig | grep -q "$GW" || {
>                 retval=$?
>                 eend ${retval} "Failed to set routing"
>                 return ${retval}
>             }
>             einfo "setting route for network $(session route $SESSION)"
>             route add -net $(session route $SESSION) gw $GW
>         fi
>     done
>
>     eend 0
> }
>
> stop () {
>     ebegin "Stopping openvpn"
>
>     for pidf in /var/run/openvpn/*.pid; do
>         [ -f "$pidf" ] || continue
>         kill $(cat "$pidf")
>         rm -f "$pidf"
>     done
>
>     eend 0
> }
>
> [attachment: openvpn.conf]
>
> # /etc/conf.d/openvpn:
>
> ### abcdefg
>
> # hostname of the remote peer
> remote_abcdefg="abcdefg.linux-site.net"
>
> # tun interface addresses
> ifconfig_abcdefg="192.168.200.2 192.168.200.1"
>
> # (opt) ssl key (symmetric key)
> secret_abcdefg="abcdefg.vpnkey"
>
> # verbosity level
> verbose_abcdefg=5
>
> # destination network ip
> route_abcdefg=192.168.1.0/24
>
> # limit outgoing traffic
> #shaper_abcdefg=1000
>
> # UDP port (default 5000)
> #port_abcdefg=5000
>
> # use compression ? (yes/no)
> compression_abcdefg=yes
>
> ### xyzw
>
> # hostname of the remote peer
> remote_xyzw="62.202.4.19"
>
> # tun interface addresses
> ifconfig_xyzw="192.168.200.4 192.168.200.3"
>
> # (opt) ssl key (symmetric key)
> secret_xyzw="xyzw.vpnkey"
>
> # verbosity level
> verbose_xyzw=5
>
> # destination network ip
> route_xyzw=192.168.195.0/24
>
> # limit outgoing traffic
> #shaper_xyzw=1000
>
> # UDP port (default 5000)
> port_xyzw=5001
>
> # use compression ? (yes/no)
> compression_xyzw=yes
>

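A re-usable form of the per-tunnel start loop that both scripts above revolve around, added here as an example and not code from either poster: it keeps the one-.conf-per-tunnel layout in /etc/openvpn, drops the `ls` parsing, and refuses to overwrite a pid file that still belongs to a running openvpn. The function names, the launcher parameter and the Linux /proc check are assumptions.

```shell
#!/bin/sh
# Added example, not James's or Marko's script: a start loop that keeps the
# per-tunnel /etc/openvpn/*.conf layout but uses a glob instead of `ls`, quotes
# every path, and will not reuse a pid file whose process is no longer openvpn.
# Names are hypothetical; LAUNCHER is a parameter so it runs without openvpn.
# True only if $1 is a live pid whose command name is openvpn (Linux /proc).
pid_is_openvpn() {
    [ -r "/proc/$1/comm" ] && [ "$(cat "/proc/$1/comm")" = "openvpn" ]
}

# Remove a pid file unless it still points at a running openvpn;
# returns 1 and keeps the file when that tunnel is already up.
clear_stale_pid() {
    if [ -s "$1" ] && pid_is_openvpn "$(cat "$1")"; then
        return 1
    fi
    rm -f "$1"
}

# start_tunnels CONFDIR PIDDIR LAUNCHER
# Runs "LAUNCHER <conf> <pidfile>" for every *.conf in CONFDIR after sourcing
# an optional <name>.sh hook.  Status policy is the one from the script above:
# 0 if at least one tunnel is up, 1 if none started (or no configs exist).
start_tunnels() {
    confdir=$1; piddir=$2; launcher=$3
    successes=0; errors=0
    mkdir -p "$piddir" || return 1
    for c in "$confdir"/*.conf; do
        [ -f "$c" ] || continue            # glob matched nothing
        bn=$(basename "$c" .conf)
        [ -f "$confdir/$bn.sh" ] && . "$confdir/$bn.sh"
        if ! clear_stale_pid "$piddir/$bn.pid"; then
            echo "warning: tunnel $bn already running, skipping" >&2
            successes=1
            continue
        fi
        if "$launcher" "$c" "$piddir/$bn.pid"; then
            successes=1
        else
            errors=1
        fi
    done
    if [ "$successes" = 1 ]; then
        [ "$errors" = 1 ] && echo "warning: at least one tunnel failed" >&2
        return 0
    fi
    [ "$errors" = 0 ] && echo "warning: no .conf files in $confdir" >&2
    return 1
}
```

In a real runscript the launcher would be `$openvpn --daemon --writepid "$2" --config "$1" --cd "$confdir"`; the check against /proc means a pid recycled by an unrelated process after a crash is never signalled by stop or trusted by start.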
--
gentoo-dev@g.o mailing list