I have tested those new versions and they work fine (just copy the last ebuild with the new version number), but without the runscript. The runscript seems to have trouble creating the pidfile; I don't know how to fix it after testing some solutions. Maybe it's because darkstat is running two instances, and the pid in /var/run/darkstat.pid is wrong.
Reproducible: Always
Steps to Reproduce:
Tiger, thank you for the report. While I'm working on this, could you explain whether there is any specific interest in version 3.0619?
There's no specific interest in it, I just included this version to inform you about the new versions available. I'm working on the initscript (I found the same problem with the net-irc/inspircd initscript), but I can't find any specific documentation about initscripts and the policy for those scripts.
For documentation see the handbook: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=4#doc_chap4
The solution for the pid problem is to use the --pidfile darkstat option instead of the start-stop-daemon option. If you are interested in my progress take a look at my overlay: http://overlays.gentoo.org/dev/pva/browser/net-analyzer/darkstat
The problem is that I'm still thinking about how to pass FILTER to darkstat. The current implementation does not work. Other things should work.
I found the problem, add this to the initscript:
[ -n "${FILTER}" ] && DARK_OPTS="${DARK_OPTS} -f '${FILTER}'"
darkstat only accepts filters with ''.
Sorry to ask, but have you tested it? What is your baselayout version? That was the first solution I thought about and it does not work here:
camobap ~ # /etc/init.d/darkstat start
 * Starting darkstat on ath0 ...
start-stop-daemon --start --exec /usr/sbin/darkstat -- --chroot / --pidfile /var/run/darkstat.pid --no-promisc --no-dns --user darkstat -i ath0 -p 668 -b 0.0.0.0 --daylog /var/lib/darkstat/darkstat.log -f 'host 87.250.251.8'
darkstat 3.0.707 (built with libpcap 2.4)
error: illegal argument: "87.250.251.8'"
usage: darkstat -i interface [snip]
See, I've inserted an echo of the actual command to run. If I run the same command from the command line it works. I have to find the cause of this behavior before the bump.
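Added example, not part of the original thread or of the darkstat init script: it reproduces the "illegal argument" failure shown above and the form that works. When the command is typed at a prompt the shell parses the quotes as syntax; when they sit inside DARK_OPTS they are plain characters and the expansion is only split on whitespace. show_args is a hypothetical stand-in for darkstat, and the interface and filter values are constructed.

```sh
#!/bin/sh
# Added illustration: show_args stands in for darkstat and prints its argv.
show_args() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

FILTER='host 192.0.2.8'   # constructed sample filter (documentation address)

# Broken: quote characters stored in a variable are data, not shell syntax.
# The unquoted expansion is split on whitespace only, so the filter becomes
# two arguments that still carry the literal quote characters.
broken_opts() {
    DARK_OPTS="-i eth0 -f '${FILTER}'"
    show_args $DARK_OPTS
}

# Working: simple options may be word-split, but the filter is appended as
# its own quoted word, and only when it is set, so darkstat never sees -f ''.
fixed_opts() {
    DARK_OPTS="-i eth0"
    set -- $DARK_OPTS
    if [ -n "${FILTER}" ]; then
        set -- "$@" -f "${FILTER}"
    fi
    show_args "$@"
}

echo "broken:"; broken_opts
echo "fixed:";  fixed_opts
```

Re-parsing the string with eval would also make the quotes take effect, but it would execute anything else placed in the conf.d value, so passing the filter as a separate quoted word is the safer choice.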
Well. I've updated the init script and now it works. But that's a workaround which I'd like to fix...
I have tested only from the command line, but it's very strange that it does not work in the initscript. I'm working on it and it should be fixed. I have two questions about your ebuild:
1) Why do you compile darkstat with a virtual directory for chroot? (I think we can create an empty /var/lib/darkstat/chroot folder for it if needed)
2) Is the / chroot directory secure? I've seen that you set the default chroot to the root filesystem ([ -z "${CHROOT}" ] && CHROOT="/"). Is there a special reason for it? (The darkstat manual says "For security reasons, this directory should be empty, ..")
Yawn! I found how to pass filter args in the initscript ! @@ -36,7 +36,6 @@ [ -n "${PORT}" ] && DARK_OPTS="${DARK_OPTS} -p ${PORT}" [ -n "${ADDRESS}" ] && DARK_OPTS="${DARK_OPTS} -b ${ADDRESS}" [ -n "${DAYLOGFILE}" ] && DARK_OPTS="${DARK_OPTS} --daylog ${DAYLOGFILE}" - [ -n "${FILTER}" ] && DARK_OPTS="${DARK_OPTS} -f ${FILTER}" # Defaults: [ -z "${CHROOT}" ] && CHROOT="/" @@ -50,9 +49,10 @@ # If ${PIDFILE} exist darkstat fails to start [ -f ${PIDFILE} ] && rm ${PIDFILE} ebegin "Starting darkstat on ${INTERFACE}" - start-stop-daemon --start --exec /usr/sbin/darkstat -- \ + start-stop-daemon --start --quiet --exec /usr/sbin/darkstat -- \ --chroot ${CHROOT} --pidfile ${PIDFILE} \ - ${DARK_OPTS} ${DARKSTAT_OPTS} + ${DARKSTAT_OPTS} ${DARK_OPTS} -f "$FILTER" \ + &> /dev/null eend $? } It was a long way, I didn't understand why it's the only way to pass filter arguments in the initscript.
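Review bot: Removing the `[ -n "${FILTER}" ]` line in the first hunk removes the only emptiness check on FILTER, while the start command in the second hunk now always passes `-f "$FILTER"`, so an unset FILTER reaches darkstat as `-f ""`. Keep the guard at the call site, for example by adding the `-f` argument only inside `if [ -n "${FILTER}" ]`. The context line `[ -z "${CHROOT}" ] && CHROOT="/"` also leaves the default chroot at the root filesystem, which makes `--chroot` a no-op unless the user overrides it.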
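Review bot: The `&> /dev/null` added at the end of the start-stop-daemon call in the second hunk is a bash-only redirect; a POSIX sh reads it as `&` followed by `> /dev/null`, which backgrounds start-stop-daemon and leaves `eend $?` reporting the status of the redirect instead of the daemon start. It also throws away darkstat's error text, such as the "illegal argument" message that diagnosed this bug. Use `> /dev/null 2>&1` if the output must be hidden, or drop the redirect and keep only `--quiet`. The unquoted `${PIDFILE}` and `${CHROOT}` in the context lines should be quoted for the same word-splitting reason that FILTER needed it.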
When we merge darkstat again we have an access violation because /var/lib/darkstat is not owned by darkstat user. This patch fix that : @@ -30,7 +30,6 @@ newconfd "${FILESDIR}"/darkstat-confd.new darkstat keepdir /var/lib/darkstat - chown darkstat /var/lib/darkstat } pkg_preinst() { @@ -38,6 +37,8 @@ } pkg_postinst() { + chown darkstat:darkstat "${ROOT}"/var/lib/darkstat + elog "WARNING: the darkstat init script has changed" elog "To start different darkstat instances which will listen on a different" elog "interfaces create in /etc/init.d directory the 'darkstat.if' symlink to"
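Review bot: Dropping `chown darkstat /var/lib/darkstat` after `keepdir` in the first hunk stops the write to the live path, but nothing replaces it in the image, so the directory is installed with default ownership and stays that way until pkg_postinst runs. `fowners darkstat /var/lib/darkstat` after `keepdir` would set the owner on the image copy without touching the live filesystem.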
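Review bot: The `chown darkstat:darkstat "${ROOT}"/var/lib/darkstat` added to pkg_postinst in the second hunk has its exit status ignored, so a missing darkstat user or group leaves the log directory with the wrong owner and no message. Add a failure path such as `|| ewarn` with a short explanation. The new line also sets the group, which the removed `chown darkstat` did not; say so in the change description, and consider `ewarn` rather than `elog` for the following "WARNING:" line.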
meh, somehow this was hidden in my named search, had a user on irc with a request to bump it, so did it, I guess this will be an -r1 then. Sorry
I requested the bump in the comment #10 and I too was indeed a little hasty in not noticing the mentioned problems. A few comments on the basis of 3.0.707.
1. The program chroots automatically to /var/empty. This is determined in the Makefile and it can be changed there with --with-chroot-dir /var/foo.
2. The above applies also to the UID/GID that the program chooses to drop privileges to. Whilst this can be changed again at compile time by using --with-privdrop-user, there is probably no need to patch the Makefile because (a) the program chooses the user 'nobody' that is in the default Gentoo install and used by many other networking programs (c.f. e.g. net-analyzer/ngrep) and (b) this can be specified with a command line argument at runtime.
3. Due to the above two reasons, there are no access violations whatsoever.
4. Talked to Markus in IRC and it was decided that probably a reasonable enough way to handle the chroot/user-dilemma is to provide options for these in the conf.d-file with a warning that if a user wants to change these, permissions must be changed accordingly. Alternatively a new 'darkstat'-user can be created.
5. The mandatory chroot-option caused the pidfile-problems; I followed the ideas laid down in the comment #8.
6. Ditto for the filtering options.
7. New conf.d and init scripts are provided as attachments.
Created attachment 134939: a new init script
Created attachment 134941: a new conf.d script
Created attachment 134947: patch file for confd
Created attachment 134949: patch file for initd
Tiger, actually the default chroot "/" is not safe, but I just wanted to mimic the behavior of named and dhcp, which by default do not use a chroot but create one on user request. But I see the difference: both of those packages are client and server. So if you need only the client you do not need a chroot. So I've changed the ebuild and now it'll create the /var/lib/darkstat directory for the chroot, while it's still possible to override the default value both at runtime and at build time (for the latter, see the ebuild). The fix for FILTER is good and taken. chown is a bug in portage and I've added a workaround.
Jukka, /var/empty is not the best solution. It's used by sshd (man sshd). Also, personally I do not like the user "nobody" to own all daemons. It's simple to create different users for different daemons and that adds some security with no harm at all. And note, Gentoo does not use bashisms in init.d scripts, thus [[ ]] should be [ ] with all the consequences.
That said, all problems seem to be solved so I'm going to test it a bit and bump in an hour.
Thank you all, guys. darkstat-3.0.707-r1 is in the tree. I hope I did not miss anything. Enjoy :)