Gentoo Archives: gentoo-dev

From: James Yonan <jim@×××××.net>
To: Marko Mikulicic <marko@××××.org>, James Yonan <jim@×××××.net>
Cc: gentoo-dev@g.o
Subject: Re: [gentoo-dev] Init Scripts
Date: Sat, 28 Jun 2003 18:36:15
Message-Id: twig.1056825371.41079@yonan.net
Marko,

It's an interesting approach, though it requires that you gentooize the
openvpn config files, therefore breaking the ability to move the config files
across platforms.

I'm not sure if the init script you provided is just something you wrote for
personal use, or if you are making an argument that it (or the style it
embodies) should be officially incorporated as the Gentoo Init Script for
OpenVPN. If it is the latter, then I must take this opportunity to argue :)

If you look at other services (apache, samba, etc.) there is a precedent for
only putting very minimal info (such as command line options) in conf.d, but
leaving the .conf files as they are in /etc/<package>. I think it's important
for .conf files to be compatible across different distros and OSes, and IMHO
if you start moving too much complexity from .conf files to conf.d files, they
lose their lightweight "meta-configuration" properties, and instead just
become new versions of .conf files which don't add any new value and subtract
from portability.

Now having said that, I appreciate the elegance of a simple conf.d file that
can be understood and edited in 5 seconds. I think the way that gentoo has
extracted the parameters formerly hardcoded in init.d files or buried in other
places and put them in conf.d is a nice idiom. But I'm not sure where the
gentoo philosophy for .conf files fits in. Certainly you're not going to put
apache.conf in a conf.d file. Now maybe you figure out the 1% of apache.conf
that people really want to change and put that in conf.d. But for the openvpn
case, I would argue that maintaining the existing configuration architecture
as it exists for other platforms, i.e. putting a .conf file for each tunnel in
/etc/openvpn, makes more sense, as it maintains the individuality of each
tunnel in a separate file. I would use /etc/conf.d/openvpn for something like
global command line parameters to pass to each tunnel, but I'm not sure it's
the right place to put tunnel-specific configuration info.

For a supporting example, take NFS. /etc/conf.d/nfs only contains global
command line parms, while /etc/exports has the per-share data. Another
example is xinetd. Conf files are split across services in /etc/xinetd and
the conf.d file only contains command line parameters.

Anyway, this is my approach to openvpn's init script:

#!/sbin/runscript

# OpenVPN start/stop script
# Adapted to Gentoo by James Yonan

# Originally Contributed to the OpenVPN project by
# Douglas Keller <doug@×××××××××××××××.org>
# 2002.05.15

# This script does the following:
#
# - Starts an openvpn process for each .conf file it finds in
#   /etc/openvpn.
#
# - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
#   it before starting openvpn (useful for doing openvpn --mktun...).

# Location of openvpn binary
openvpn=/usr/local/sbin/openvpn

# PID directory
piddir=/var/run/openvpn

# Our working directory (.conf files should be here)
work=/etc/openvpn

# Our options
opts="start stop restart condrestart"

depend() {
    need net
    use dns
}

start() {
    ebegin "Starting OpenVPN"

    # Load the TUN/TAP module
    /sbin/modprobe tun >/dev/null 2>&1

    if [ ! -d "$piddir" ]; then
        mkdir -p "$piddir"
    fi

    # Refuse to continue if the config directory is missing, otherwise the
    # glob below would run against whatever the current directory happens to be
    cd "$work" || { eend 1 "Cannot cd to $work"; return 1; }

    # Start every .conf in $work and run .sh if exists
    local errors=0
    local successes=0
    local retstatus=0
    for c in *.conf; do
        # An unmatched glob is left as the literal pattern; skip it
        [ -f "$c" ] || continue
        bn=${c%%.conf}
        if [ -f "$bn.sh" ]; then
            . "./$bn.sh"
        fi
        rm -f "$piddir/$bn.pid"
        if "$openvpn" --daemon --writepid "$piddir/$bn.pid" --config "$c" --cd "$work"; then
            successes=1
        else
            errors=1
        fi
    done

    # Decide status based on errors/successes.
    # If at least one tunnel succeeded, we return success.
    # If some tunnels succeeded and some failed, we return
    # success but give a warning.
    if [ "$successes" = 1 ]; then
        if [ "$errors" = 1 ]; then
            ewarn "Note: At least one OpenVPN tunnel failed to start"
        fi
    else
        retstatus=1
        if [ "$errors" = 0 ]; then
            ewarn "Note: No OpenVPN configuration files were found in $work"
        fi
    fi
    eend $retstatus "Error starting OpenVPN"
}

stop() {
    ebegin "Stopping OpenVPN"
    for pidf in "$piddir"/*.pid; do
        [ -e "$pidf" ] || continue
        if [ -s "$pidf" ]; then
            kill "$(cat "$pidf")" >/dev/null 2>&1
        fi
        rm -f "$pidf"
    done
    eend 0
}

# this should really be in runscript.sh
# Note the inverted sense: this returns 1 (false) when the service IS
# started, so that "started || restart" below only restarts a running service.
started() {
    if [ -L "${svcdir}/started/${myservice}" ]; then
        return 1
    else
        return 0
    fi
}

# attempt to restart ONLY if we are already started
condrestart() {
    started || restart
}

#########################

James

Marko Mikulicic <marko@××××.org> said:

> James Yonan wrote:
> > Hi,
> >
> > I'm new to Gentoo and I'm trying to convert the RedHat init script for OpenVPN
> > over to Gentoo's format. Though I'm still learning the Gentoo way of writing
> > init scripts, I would like to suggest the following additions to runscript.sh:
> >
> > [....]
> > (2) Condrestart is a useful init script method, often seen in RH init scripts.
> > It basically says "restart only if service is already running". It is
> > commonly used to restart a daemon after a software update. OpenVPN needs it
> > so that the VPN daemon can be restarted if a network adaptor gets a new IP
> > address from a DHCP server. In cases like these, you obviously don't want to
> > restart the daemon unless it is already running. Condrestart becomes
> > breathtakingly simple if started() above is defined:
> >
> > condrestart() {
> >     started || restart
> > }
> >
> > If there are better ways of doing these things in Gentoo, please let me know.
> > Otherwise, I can send a formal patch of my changes to runscript.sh
>
> I don't know the solution for your problem but I have written a simple
> script for openvpn, which I use with success on a bunch of machines. It is
> very "gentooish" because it puts the configuration in /etc/conf.d/openvpn.
> Take a look at it, maybe it can be useful.
>
> marko
>
> [attachment: openvpn]
>
> #!/sbin/runscript
>
> depend() {
>     need net
> }
>
> # session NAME SESSION: print the value of the conf.d variable NAME_SESSION
> # (bash indirect expansion; avoids building a command line for eval)
> session() {
>     local var="${1}_${2}"
>     echo "${!var}"
> }
>
> start () {
>     ebegin "Starting openvpn"
>     # one session per remote_* variable defined in /etc/conf.d/openvpn
>     for i in ${!remote_*}; do
>
>         SESSION=${i##remote_}
>         einfo "starting session $SESSION"
>
>         CMD="openvpn --float --remote $(session remote $SESSION) \
>             --ifconfig $(session ifconfig $SESSION) --dev tun --daemon \
>             --cd /etc/openvpn --writepid /var/run/openvpn/$SESSION.pid"
>
>         if [ -n "$(session secret $SESSION)" ]; then
>             CMD="$CMD --secret $(session secret $SESSION)"
>         fi
>         if [ -n "$(session verbose $SESSION)" ]; then
>             CMD="$CMD --verb $(session verbose $SESSION)"
>         fi
>         if [ -n "$(session shaper $SESSION)" ]; then
>             CMD="$CMD --shaper $(session shaper $SESSION)"
>         fi
>         if [ -n "$(session port $SESSION)" ]; then
>             CMD="$CMD --port $(session port $SESSION)"
>         fi
>         if [ "$(session compression $SESSION)" = "yes" ]; then
>             CMD="$CMD --comp-lzo"
>         fi
>
>         if [ ! -d /var/run/openvpn ]; then
>             mkdir -p /var/run/openvpn
>         fi
>
>         /usr/sbin/$CMD
>         # can't detect error
>
>         if [ -n "$(session route $SESSION)" ]; then
>             # local tun address is the first word of the ifconfig pair
>             GW=$(session ifconfig $SESSION | cut -d " " -f 1)
>
>             # wait up to 5 seconds for the tun interface to come up
>             for ((n=0;n<5;n++)); do
>                 ifconfig | grep -q "$GW" && break
>                 sleep 1
>             done
>
>             ifconfig | grep -q "$GW" || {
>                 retval=$?
>                 eend ${retval} "Failed to set routing"
>                 return ${retval}
>             }
>             einfo "setting route for network $(session route $SESSION)"
>             route add -net $(session route $SESSION) gw "$GW"
>         fi
>     done
>
>     eend 0
> }
>
> stop () {
>     ebegin "Stopping openvpn"
>
>     for pidf in /var/run/openvpn/*.pid; do
>         [ -e "$pidf" ] || continue
>         kill "$(cat "$pidf")"
>         rm -f "$pidf"
>     done
>
>     eend 0
> }
>
> [attachment: openvpn.conf]
>
> # /etc/conf.d/openvpn:
>
> ### abcdefg
>
> # hostname of the remote peer
> remote_abcdefg="abcdefg.linux-site.net"
>
> # tun interface addresses
> ifconfig_abcdefg="192.168.200.2 192.168.200.1"
>
> # (opt) ssl key (symmetric key)
> secret_abcdefg="abcdefg.vpnkey"
>
> # verbosity level
> verbose_abcdefg=5
>
> # destination network ip
> route_abcdefg=192.168.1.0/24
>
> # limit outgoing traffic
> #shaper_abcdefg=1000
>
> # UDP port (default 5000)
> #port_abcdefg=5000
>
> # use compression ? (yes/no)
> compression_abcdefg=yes
>
> ### xyzw
>
> # hostname of the remote peer
> remote_xyzw="62.202.4.19"
>
> # tun interface addresses
> ifconfig_xyzw="192.168.200.4 192.168.200.3"
>
> # (opt) ssl key (symmetric key)
> secret_xyzw="xyzw.vpnkey"
>
> # verbosity level
> verbose_xyzw=5
>
> # destination network ip
> route_xyzw=192.168.195.0/24
>
> # limit outgoing traffic
> #shaper_xyzw=1000
>
> # UDP port (default 5000)
> port_xyzw=5001
>
> # use compression ? (yes/no)
> compression_xyzw=yes
>

-- 
gentoo-dev@g.o mailing list
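Both stop() functions in this thread signal whatever number the .pid file holds. If a tunnel has died and its pid was reused, that kills an unrelated process; a corrupted pid file can also hand kill a garbage argument. The helper below is an added example, not code from either script or from the OpenVPN project: it validates the pid file and checks the process name (via /proc/PID/comm, falling back to ps) before signalling. The function names proc_name, pid_from_file, stop_tunnel and stop_all are my own.

```shell
#!/bin/sh
# Added example: stop OpenVPN tunnels by pid file only after confirming the
# recorded pid is a positive integer and still belongs to the expected daemon.

# proc_name PID: print the command name of a live process, or nothing.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        tr -d '\n' < "/proc/$1/comm"
    else
        # portable fallback; strip any path prefix and whitespace
        ps -o comm= -p "$1" 2>/dev/null | sed 's/.*\///; s/[[:space:]]//g'
    fi
}

# pid_from_file FILE: print the pid in FILE if it is a positive integer.
pid_from_file() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 0 ] || return 1
    printf '%s\n' "$pid"
}

# stop_tunnel PIDFILE NAME: TERM the recorded pid only if it is still NAME.
# A stale or malformed pid file is removed without killing anything.
stop_tunnel() {
    pidf=$1; name=$2; rc=0
    if pid=$(pid_from_file "$pidf"); then
        if [ "$(proc_name "$pid")" = "$name" ]; then
            kill "$pid" 2>/dev/null || rc=1
        else
            echo "stale pid file $pidf: pid $pid is not $name, not killing" >&2
        fi
    else
        echo "ignoring $pidf: no valid pid inside" >&2
    fi
    rm -f "$pidf"
    return "$rc"
}

# stop_all PIDDIR NAME: apply stop_tunnel to every pid file (glob, not ls).
stop_all() {
    rc=0
    for pidf in "$1"/*.pid; do
        [ -e "$pidf" ] || continue
        stop_tunnel "$pidf" "$2" || rc=1
    done
    return "$rc"
}
```

In a runscript, stop() would call stop_all /var/run/openvpn openvpn and pass its status to eend.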

Replies

Subject Author
Re: [gentoo-dev] Init Scripts Marko Mikulicic <marko@××××.org>