Revert: systemd socket activation; it doesn't fit server mode ipsec.

Configuration via config file doesn't work at all with socket activation because pluto forks addconn during startup to feed config in via pluto.ctl socket. This doesn't work with socket activated ipsec.service. Running pluto with socket activation would require separate systemd service and special option for pluto to run as socket activated service. This reverts commit d4230d0. Conflicts: programs/pluto/server.c Signed-off-by: Tuomo Soini <[email protected]>
tisj · Nov 10, 2015 · 9915c69 · 9915c69
1 parent 53c0dbe
commit 9915c69
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 59 deletions.
diff --git a/initsystems/systemd/Makefile b/initsystems/systemd/Makefile
@@ -2,7 +2,7 @@ LIBRESWANSRCDIR?=$(shell cd ../..; pwd)
 SRCDIR?=${LIBRESWANSRCDIR}/initsystems/systemd/
 UNITDIR=$(shell pkg-config systemd --variable=systemdsystemunitdir)
 
-SYSTEMDFILES=ipsec.service pluto.socket
+SYSTEMDFILE=ipsec.service
 SYSCONFIGFILE=sysconfig.pluto
 SUBDIRS=
 ifeq ($(DESTDIR),)
@@ -16,7 +16,7 @@ include ${LIBRESWANSRCDIR}/Makefile.inc
 include ${LIBRESWANSRCDIR}/Makefile.top
 
 programs:     systemdfiles sysconfigfiles
-systemdfiles: $(SYSTEMDFILES)
+systemdfiles: $(SYSTEMDFILE)
 sysconfigfiles: $(SYSCONFIGFILE)
 install:      programs doinstall postcheck
 install-programs: doinstall postcheck
@@ -25,7 +25,7 @@ doinstall: programs installsystemdservice installsysconfig oldinitdcheck
 
 installsystemdservice:
 	@mkdir -p $(SYSTEMDDIR)
-	$(INSTALL) $(INSTCONFFLAGS) $(SYSTEMDFILES) $(SYSTEMDDIR)
+	$(INSTALL) $(INSTCONFFLAGS) $(SYSTEMDFILE) $(SYSTEMDDIR)
 	@if test $(SYSTEMDDIR) = ${UNITDIR} ; then \
 		systemctl --system daemon-reload ; \
 	fi

diff --git a/initsystems/systemd/ipsec.service.in b/initsystems/systemd/ipsec.service.in
@@ -12,7 +12,6 @@ EnvironmentFile=-@FINALSYSCONFDIR@/sysconfig/pluto
 #Environment=IPSEC_SBINDIR=@FINALSBINDIR@
 #Environment=IPSEC_EXECDIR=@FINALSBINDIR@/ipsec
 #PIDFile=@FINALVARDIR@/run/pluto/pluto.pid
-Sockets=pluto.socket
 #
 # Check configuration file
 ExecStartPre=@FINALLIBEXECDIR@/addconn --config @FINALCONFFILE@ --checkconfig
@@ -32,4 +31,3 @@ ExecReload=@FINALLIBEXECDIR@/whack --listen
 
 [Install]
 WantedBy=multi-user.target
-Also=pluto.socket
diff --git a/programs/pluto/server.c b/programs/pluto/server.c
@@ -134,31 +134,6 @@ struct sockaddr_un info_addr = {
 	.sun_path  = DEFAULT_CTLBASE INFO_SUFFIX
 };
 
-/* If we're socket-activated by systemd, return the control socket fd. */
-static int activated_socket()
-{
-	char *s;
-
-	s = getenv("LISTEN_PID");
-	if (!s) {
-		loglog(RC_INFORMATIONAL, "No Socket activation");
-		return -1;
-	}
-	if (atoi(s) != getpid ()) {
-		loglog(RC_INFORMATIONAL, "Socket activation, but not for us %d != %d?", atoi(s), getpid ());
-		return -1;
-	}
-
-	s = getenv("LISTEN_FDS");
-	if (atoi(s) != 1) {
-		loglog(RC_INFORMATIONAL, "Too many sockets to activate on.");
-		return -1;
-	}
-
-	loglog(RC_INFORMATIONAL, "Activated with the control socket.");
-	return 3;
-}
-
 /* Initialize the control socket.
  * Note: this is called very early, so little infrastructure is available.
  * It is important that the socket is created before the original
@@ -170,39 +145,28 @@ err_t init_ctl_socket(void)
 
 	LIST_INIT(&interface_dev);
 
-	ctl_fd = activated_socket();
+	delete_ctl_socket();    /* preventative medicine */
+	ctl_fd = safe_socket(AF_UNIX, SOCK_STREAM, 0);
 	if (ctl_fd == -1) {
-		delete_ctl_socket();    /* preventative medicine */
-		ctl_fd = safe_socket(AF_UNIX, SOCK_STREAM, 0);
-
-		if (ctl_fd == -1) {
-			failed = "create";
-		} else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR,
-				      (const void *)&on, sizeof(on)) < 0) {
-			failed = "setsockopt";
-		} else {
+		failed = "create";
+	} else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1) {
+		failed = "fcntl FD+CLOEXEC";
+	} else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR,
+			      (const void *)&on, sizeof(on)) < 0) {
+		failed = "setsockopt";
+	} else {
 		/* to keep control socket secure, use umask */
 #ifdef PLUTO_GROUP_CTL
-			mode_t ou = umask(~(S_IRWXU | S_IRWXG));
+		mode_t ou = umask(~(S_IRWXU | S_IRWXG));
 #else
-			mode_t ou = umask(~S_IRWXU);
+		mode_t ou = umask(~S_IRWXU);
 #endif
-			if (!ctl_addr.sun_path)
-				strncpy(ctl_addr.sun_path, DEFAULT_CTLBASE CTL_SUFFIX,
-					sizeof(ctl_addr.sun_path));
-
-			if (bind(ctl_fd, (struct sockaddr *)&ctl_addr,
-				 offsetof(struct sockaddr_un,
-					  sun_path) + strlen(ctl_addr.sun_path)) < 0)
-				failed = "bind";
-			umask(ou);
-		}
-	}
 
-	if (ctl_fd != -1 && fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1) {
-		failed = "fcntl FD+CLOEXEC";
-		close(ctl_fd);
-		ctl_fd = -1;
+		if (bind(ctl_fd, (struct sockaddr *)&ctl_addr,
+			 offsetof(struct sockaddr_un,
+				  sun_path) + strlen(ctl_addr.sun_path)) < 0)
+			failed = "bind";
+		umask(ou);
 	}
 
 #ifdef PLUTO_GROUP_CTL
@@ -235,8 +199,7 @@ err_t init_ctl_socket(void)
 void delete_ctl_socket(void)
 {
 	/* Is noting failure useful?  Not when used as preventative medicine. */
-	if (*ctl_addr.sun_path)
-		unlink(ctl_addr.sun_path);
+	unlink(ctl_addr.sun_path);
 }
 
 bool listening = FALSE;  /* should we pay attention to IKE messages? */