Merge pull request #128 from philips/move-stateful-around

Move stateful around
Brandon Philips 2013-07-26 11:33:54 -07:00
commit c55c29dce2
27 changed files with 24 additions and 929 deletions


@ -4,11 +4,11 @@ auth [success=ignore default=3] pam_exec.so \
# Check if a custom devmode password file exists and prefer it.
auth [success=ignore default=1] pam_exec.so \
quiet /usr/bin/test -f /mnt/stateful_partition/etc/devmode.passwd
quiet /usr/bin/test -f /media/state/etc/devmode.passwd
# If we get to pwdfile, use it or bypass the password-less login.
auth [success=done default=1] pam_pwdfile.so \
pwdfile /mnt/stateful_partition/etc/devmode.passwd
pwdfile /media/state/etc/devmode.passwd
# If we get here, allow password-less access
auth sufficient pam_exec.so quiet /usr/bin/crossystem cros_debug?1
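Review bot: The test on the line `quiet /usr/bin/test -f /media/state/etc/devmode.passwd` now makes the password check depend on /media/state being mounted at the moment PAM runs; if the file is absent, `default=1` skips pam_pwdfile and the stack falls through to the password-less `cros_debug?1` rule on the last line. That fall-through existed before, but the mount-ordering assumption moves with the path and nothing in the file records it. I would add above the test line: `# /media/state must be mounted before login; if the file is absent the password check is skipped entirely.` The stack's first rule (`default=3`) is outside the hunk, so I cannot tell whether it already gates on the mount.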


@ -106,6 +106,10 @@ src_install() {
# target-specific fun
if ! use cros_host ; then
# Add a /srv directory for mounting into later
dodir /srv
keepdir /srv
dodir /bin /usr/bin
# Make mount work in the way systemd prescribes
@ -165,7 +169,7 @@ pkg_postinst() {
# build roots we copy over the user entries if they already exist.
local system_user="core"
local system_id="1000"
local system_home="/home/${system_user}/user"
local system_home="/home/${system_user}"
# Add a chronos-access group to provide non-chronos users,
# mostly system daemons running as a non-chronos user, group permissions
# to access files/directories owned by chronos.
@ -284,7 +288,7 @@ pkg_postinst() {
# Some default directories. These are created here rather than at
# install because some of them may already exist and have mounts.
for x in /dev /home /media \
/mnt/stateful_partition /proc /root /sys /var/lock; do
/proc /root /sys /var/lock; do
[ -d "${ROOT}/$x" ] && continue
install -d --mode=0755 --owner=root --group=root "${ROOT}/$x"
done
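Review bot: In the last hunk `/mnt/stateful_partition` is dropped from the default-directory loop but `/media/state`, which the PAM config and the etcd script in this same PR now reference, is not added in its place; the parent `/media` is still created with `--mode=0755 --owner=root --group=root`, while the mount point itself is presumably created elsewhere — confirm, or add `/media/state` to the `for x in` list so it gets the same ownership and mode. In the first hunk `dodir /srv` is immediately followed by `keepdir /srv`; keepdir already creates the directory, so whichever of the two the commit adds, only `keepdir /srv` is needed. pkg_postinst and src_install both start outside these hunks.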


@ -3,7 +3,7 @@
# Distributed under the terms of the GNU General Public License v2
EAPI="4"
CROS_WORKON_COMMIT="1f2cd73df612360c8c1910f6e9ca7bd3732c2dec"
CROS_WORKON_COMMIT="defdf1c8856372681c6e0be318beec8af7eb36be"
CROS_WORKON_PROJECT="coreos/init"
CROS_WORKON_LOCALNAME="init"


@ -2,7 +2,7 @@
# Distributed under the terms of the GNU General Public License v2
EAPI="4"
CROS_WORKON_COMMIT="c76738e1550b495b77559c3f728ee5bd17a9518a"
CROS_WORKON_COMMIT="c7232f27aef96a59e81fb48974a815521c5a488e"
CROS_WORKON_PROJECT="coreos/installer"
CROS_WORKON_LOCALNAME="installer"
CROS_WORKON_OUTOFTREE_BUILD=1


@ -2,7 +2,7 @@
# Distributed under the terms of the GNU General Public License v2
EAPI="4"
CROS_WORKON_COMMIT="c13826733534ba1e42671ca42bec56b1f6ba6ba0"
CROS_WORKON_COMMIT="1ba18f0a0ebbe7677de65b0ccf035aa05bc56024"
CROS_WORKON_PROJECT="coreos/dev-util"
CROS_WORKON_REPO="git://github.com"
CROS_WORKON_LOCALNAME="dev"
@ -10,8 +10,8 @@ CROS_WORKON_LOCALDIR="src/platform"
inherit cros-workon multilib python
DESCRIPTION="Development utilities for ChromiumOS"
HOMEPAGE="http://www.chromium.org/"
DESCRIPTION="Development utilities for CoreOS"
HOMEPAGE="http://coreos.com"
LICENSE="GPL-2"
SLOT="0"


@ -2,7 +2,7 @@
# Distributed under the terms of the GNU General Public License v2
EAPI="4"
CROS_WORKON_COMMIT="c13826733534ba1e42671ca42bec56b1f6ba6ba0"
CROS_WORKON_COMMIT="72f475940f7a9b2228e1960cbce0d4b538b41527"
CROS_WORKON_PROJECT="coreos/dev-util"
CROS_WORKON_LOCALNAME="dev"
CROS_WORKON_REPO="git://github.com"


@ -2,8 +2,10 @@
# Distributed under the terms of the GNU General Public License v2
EAPI="4"
CROS_WORKON_PROJECT="chromiumos/platform/dev-util"
CROS_WORKON_PROJECT="coreos/dev-util"
CROS_WORKON_REPO="git://github.com"
CROS_WORKON_LOCALNAME="dev"
CROS_WORKON_LOCALDIR="src/platform"
inherit cros-workon
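Review bot: `CROS_WORKON_REPO="git://github.com"` fetches the source over the git:// protocol, which has no transport authentication or integrity protection. The pinned ebuilds in this PR at least fix the tree via `CROS_WORKON_COMMIT`, but this one shows no commit pin in the hunk and so appears to be the live ebuild, where the checkout is whatever the network delivers. If the cros-workon eclass accepts it, `CROS_WORKON_REPO="https://github.com"` closes that gap; the same REPO setting appears as context in the other dev-util, update_engine and vboot_reference ebuilds in this PR.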


@ -2,7 +2,7 @@
/usr/bin/block-until-url http://169.254.169.254/
USER_DIR="/home/core/user"
USER_DIR="/home/core"
if [ ! -d ${USER_DIR}/.ssh ] ; then
mkdir -p ${USER_DIR}/.ssh
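Review bot: `mkdir -p ${USER_DIR}/.ssh` creates the core user's `.ssh` directory with the caller's umask and ownership, with no explicit mode; sshd under StrictModes ignores keys in a group- or world-writable `.ssh`, and the directory presumably ends up root-owned until something else fixes it. I would write `mkdir -p -m 0700 -- "${USER_DIR}/.ssh"` and quote the expansion in the `[ ! -d ${USER_DIR}/.ssh ]` test as well. The rest of the block, which may already chown and chmod the directory, is outside the hunk — confirm before relying on it.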


@ -2,7 +2,7 @@
# Distributed under the terms of the GNU General Public License v2
EAPI="4"
CROS_WORKON_COMMIT="0db9ec826cd605fd9cc5dd576ecddeba0d3ec3e5"
CROS_WORKON_COMMIT="a71fdb93c89d6f716f36c30ff79b7089f4a3f3f5"
CROS_WORKON_PROJECT="coreos/update_engine"
CROS_WORKON_REPO="git://github.com"


@ -2,7 +2,7 @@
# Distributed under the terms of the GNU General Public License v2
EAPI="4"
CROS_WORKON_COMMIT="eae86599ec97213565a0e9caeac1775e6c118e3f"
CROS_WORKON_COMMIT="db08bec32eb103072824a3c98070306511ff868b"
CROS_WORKON_PROJECT="coreos/vboot_reference"
CROS_WORKON_REPO="git://github.com"


@ -55,7 +55,7 @@ DISTDIR="/var/lib/portage/distfiles-target"
# Username and home directory of the shared user.
SHARED_USER_NAME="core"
SHARED_USER_HOME="/home/core/user"
SHARED_USER_HOME="/home/core"
SHARED_USER_PASSWD_FILE="/etc/shared_user_passwd.txt"
# the AC_FUNC_WAIT3 macro uses runtime-checks for the function, which


@ -22,9 +22,9 @@ if [ $? -eq 0 ] && [ ! -z "$USER_DATA" ]; then
# validate ssh key
ssh-keygen -l -f $TMP > /dev/null 2>&1
if [ $? -eq 0 ]; then
cat $TMP >> /home/core/user/.ssh/authorized_keys
cat $TMP >> /home/core/.ssh/authorized_keys
echo "SSH key updated"
chown -R core: /home/core/user/.ssh/
chown -R core: /home/core/.ssh/
else
echo "Not a valid ssh key"
fi
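Review bot: The append `cat $TMP >> /home/core/.ssh/authorized_keys` assumes `/home/core/.ssh` already exists and leaves the file's mode to the umask; the following `chown -R core: /home/core/.ssh/` repairs ownership but not permissions, and sshd under StrictModes rejects a group- or world-writable authorized_keys. I would precede the append with `install -d -m 0700 -o core -g core /home/core/.ssh` and follow it with `chmod 0600 /home/core/.ssh/authorized_keys`, quoting `"$TMP"` in both the `ssh-keygen` call and the `cat`. Because every run appends unconditionally, the same key is presumably added again on each boot; the start of the block is outside the hunk, so I cannot tell whether that is already guarded.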


@ -7,7 +7,7 @@ MY_IP=$(curl -s $META_URL/meta-data/local-ipv4)
BOOTSTRAP="/var/run/etcd/bootstrap.config"
# for etcd
STATE=/mnt/stateful_partition/etcd
STATE=/media/state/etcd
mkdir -p $STATE
[ ! -e $BOOTSTRAP ] && echo bootstrap config missing && exit 1
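Review bot: `mkdir -p $STATE` creates etcd's persistent state directory under `/media/state` with the default umask and the caller's ownership, so cluster state is readable by whatever the umask allows. I would write `mkdir -p -m 0700 -- "$STATE"` and, if etcd runs as an unprivileged user (not visible here), chown the directory to that user. The `echo bootstrap config missing` on the last line is a diagnostic and belongs on stderr (`>&2`); the script's head, including `META_URL`, is outside the hunk.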


@ -1 +0,0 @@
DIST strongswan-4.6.4.tar.bz2 3504672 RMD160 51406171d60e51866d7b3afd89c1c2c9e3884de1 SHA1 a0bb51ace911dbfb8d4a9560e150b0661ea6220c SHA256 f372b4cc3d6c8a50a0b262e02e6a7fad43f91cc5a80cbd9432eb3c48ab2d4c69


@ -1,33 +0,0 @@
#!/sbin/runscript
# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
depend() {
need logger net
}
start() {
ebegin "Starting ${IPSECD}"
ipsec start
eend $?
}
stop() {
ebegin "Stopping ${IPSECD}"
ipsec stop
eend $?
}
restart() {
ebegin "Restarting ${IPSECD}"
svc_stop
sleep 2
svc_start
eend $?
}
status() {
ebegin "${IPSECD} Status (verbose):"
ipsec statusall
eend $?
}


@ -1,302 +0,0 @@
diff -rupN strongswan-4.6.4/src/pluto/ipsec_doi.c strongswan-4.6.4.patched/src/pluto/ipsec_doi.c
--- strongswan-4.6.4/src/pluto/ipsec_doi.c 2011-10-16 08:19:04.000000000 -0700
+++ strongswan-4.6.4.patched/src/pluto/ipsec_doi.c 2012-06-05 22:27:58.208664827 -0700
@@ -112,6 +112,8 @@ enum endpoint {
EP_REMOTE = 1 << 1,
};
+extern bool ignore_peer_id_check;
+
/* create output HDR as replica of input HDR */
void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
{
@@ -2429,7 +2431,15 @@ static bool switch_connection(struct msg
loglog(RC_LOG_SERIOUS,
"we require peer to have ID '%Y', but peer declares '%Y'",
c->spd.that.id, peer);
- return FALSE;
+ if (ignore_peer_id_check)
+ {
+ loglog(RC_LOG_SERIOUS,
+ "ignore peer ID mismatch");
+ }
+ else
+ {
+ return FALSE;
+ }
}
if (c->spd.that.ca)
diff -rupN strongswan-4.6.4/src/pluto/plutomain.c strongswan-4.6.4.patched/src/pluto/plutomain.c
--- strongswan-4.6.4/src/pluto/plutomain.c 2012-02-06 09:05:46.000000000 -0800
+++ strongswan-4.6.4.patched/src/pluto/plutomain.c 2012-06-05 22:27:58.208664827 -0700
@@ -256,6 +256,8 @@ bool pkcs11_keep_state = FALSE;
/* by default pluto does not allow pkcs11 proxy access via whack */
bool pkcs11_proxy = FALSE;
+bool ignore_peer_id_check = FALSE;
+
/* argument string to pass to PKCS#11 module.
* Not used for compliant modules, just for NSS softoken
*/
@@ -339,6 +341,7 @@ int main(int argc, char **argv)
{ "disable_port_floating", no_argument, NULL, '4' },
{ "debug-natt", no_argument, NULL, '5' },
{ "virtual_private", required_argument, NULL, '6' },
+ { "ignorepeeridcheck", no_argument, NULL, '7' },
#ifdef DEBUG
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
@@ -539,6 +542,9 @@ int main(int argc, char **argv)
case '6': /* --virtual_private */
virtual_private = optarg;
continue;
+ case '7': /* --ignorepeeridcheck */
+ ignore_peer_id_check = TRUE;
+ continue;
default:
#ifdef DEBUG
diff -rupN strongswan-4.6.4/src/starter/args.c strongswan-4.6.4.patched/src/starter/args.c
--- strongswan-4.6.4/src/starter/args.c 2012-05-30 09:17:15.000000000 -0700
+++ strongswan-4.6.4.patched/src/starter/args.c 2012-06-05 22:27:58.208664827 -0700
@@ -189,6 +189,7 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_config_t, setup.pkcs11initargs), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool },
{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool },
+ { ARG_ENUM, offsetof(starter_config_t, setup.ignorepeeridcheck), LST_bool },
/* KLIPS keywords */
{ ARG_LST, offsetof(starter_config_t, setup.klipsdebug), LST_klipsdebug },
diff -rupN strongswan-4.6.4/src/starter/confread.h strongswan-4.6.4.patched/src/starter/confread.h
--- strongswan-4.6.4/src/starter/confread.h 2012-05-30 09:17:15.000000000 -0700
+++ strongswan-4.6.4.patched/src/starter/confread.h 2012-06-05 22:27:58.208664827 -0700
@@ -210,6 +210,7 @@ struct starter_config {
char *pkcs11initargs;
bool pkcs11keepstate;
bool pkcs11proxy;
+ bool ignorepeeridcheck;
/* KLIPS keywords */
char **klipsdebug;
diff -rupN strongswan-4.6.4/src/starter/invokepluto.c strongswan-4.6.4.patched/src/starter/invokepluto.c
--- strongswan-4.6.4/src/starter/invokepluto.c 2012-02-06 09:05:46.000000000 -0800
+++ strongswan-4.6.4.patched/src/starter/invokepluto.c 2012-06-05 22:27:58.208664827 -0700
@@ -238,6 +238,10 @@ starter_start_pluto (starter_config_t *c
{
arg[argc++] = "--pkcs11proxy";
}
+ if (cfg->setup.ignorepeeridcheck)
+ {
+ arg[argc++] = "--ignorepeeridcheck";
+ }
if (_pluto_pid)
{
diff -rupN strongswan-4.6.4/src/starter/keywords.c strongswan-4.6.4.patched/src/starter/keywords.c
--- strongswan-4.6.4/src/starter/keywords.c 2012-05-30 09:20:52.000000000 -0700
+++ strongswan-4.6.4.patched/src/starter/keywords.c 2012-06-05 22:27:58.208664827 -0700
@@ -54,7 +54,7 @@ struct kw_entry {
kw_token_t token;
};
-#define TOTAL_KEYWORDS 131
+#define TOTAL_KEYWORDS 132
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
#define MIN_HASH_VALUE 9
@@ -79,15 +79,15 @@ hash (str, len)
247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 12,
+ 247, 247, 247, 247, 247, 247, 247, 247, 247, 0,
126, 247, 247, 247, 247, 247, 247, 247, 247, 247,
247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 51, 247, 11, 1, 92,
- 43, 0, 6, 0, 110, 0, 247, 120, 56, 37,
+ 247, 247, 247, 247, 247, 20, 247, 11, 3, 92,
+ 43, 0, 6, 0, 110, 0, 247, 132, 56, 57,
27, 72, 43, 1, 16, 0, 5, 75, 1, 247,
- 247, 11, 5, 247, 247, 247, 247, 247, 247, 247,
+ 247, 11, 4, 247, 247, 247, 247, 247, 247, 247,
247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
@@ -164,12 +164,14 @@ static const struct kw_entry wordlist[]
{"marginpackets", KW_MARGINPACKETS},
{"leftnatip", KW_LEFTNATIP},
{"mediated_by", KW_MEDIATED_BY},
+ {"me_peerid", KW_ME_PEERID},
{"ldapbase", KW_LDAPBASE},
{"leftfirewall", KW_LEFTFIREWALL},
{"rightfirewall", KW_RIGHTFIREWALL},
{"crluri", KW_CRLURI},
- {"mobike", KW_MOBIKE},
+ {"crluri1", KW_CRLURI},
{"rightnatip", KW_RIGHTNATIP},
+ {"mobike", KW_MOBIKE},
{"rightnexthop", KW_RIGHTNEXTHOP},
{"mediation", KW_MEDIATION},
{"leftallowany", KW_LEFTALLOWANY},
@@ -177,14 +179,12 @@ static const struct kw_entry wordlist[]
{"overridemtu", KW_OVERRIDEMTU},
{"aaa_identity", KW_AAA_IDENTITY},
{"esp", KW_ESP},
- {"crluri1", KW_CRLURI},
{"lefthostaccess", KW_LEFTHOSTACCESS},
{"leftsubnet", KW_LEFTSUBNET},
{"leftid", KW_LEFTID},
{"forceencaps", KW_FORCEENCAPS},
{"eap", KW_EAP},
{"nat_traversal", KW_NAT_TRAVERSAL},
- {"me_peerid", KW_ME_PEERID},
{"rightcert", KW_RIGHTCERT},
{"installpolicy", KW_INSTALLPOLICY},
{"authby", KW_AUTHBY},
@@ -194,50 +194,50 @@ static const struct kw_entry wordlist[]
{"rightupdown", KW_RIGHTUPDOWN},
{"keyexchange", KW_KEYEXCHANGE},
{"ocspuri", KW_OCSPURI},
- {"compress", KW_COMPRESS},
+ {"ocspuri1", KW_OCSPURI},
{"rightcertpolicy", KW_RIGHTCERTPOLICY},
{"cacert", KW_CACERT},
{"eap_identity", KW_EAP_IDENTITY},
{"hidetos", KW_HIDETOS},
- {"ike", KW_IKE},
+ {"force_keepalive", KW_FORCE_KEEPALIVE},
{"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
{"righthostaccess", KW_RIGHTHOSTACCESS},
{"packetdefault", KW_PACKETDEFAULT},
{"dpdaction", KW_DPDACTION},
- {"ocspuri1", KW_OCSPURI},
{"pfsgroup", KW_PFSGROUP},
{"rightauth", KW_RIGHTAUTH},
+ {"xauth_identity", KW_XAUTH_IDENTITY},
{"also", KW_ALSO},
{"leftsourceip", KW_LEFTSOURCEIP},
{"rightid2", KW_RIGHTID2},
- {"dumpdir", KW_DUMPDIR},
- {"rekey", KW_REKEY},
- {"ikelifetime", KW_IKELIFETIME},
- {"dpdtimeout", KW_DPDTIMEOUT},
+ {"ike", KW_IKE},
+ {"compress", KW_COMPRESS},
{"ldaphost", KW_LDAPHOST},
- {"rekeyfuzz", KW_REKEYFUZZ},
{"leftcert2", KW_LEFTCERT2},
- {"leftikeport", KW_LEFTIKEPORT},
{"crlcheckinterval", KW_CRLCHECKINTERVAL},
{"plutostderrlog", KW_PLUTOSTDERRLOG},
{"plutostart", KW_PLUTOSTART},
{"rightauth2", KW_RIGHTAUTH2},
+ {"rekey", KW_REKEY},
+ {"ikelifetime", KW_IKELIFETIME},
{"leftca2", KW_LEFTCA2},
- {"mark", KW_MARK},
- {"force_keepalive", KW_FORCE_KEEPALIVE},
+ {"rekeyfuzz", KW_REKEYFUZZ},
+ {"leftikeport", KW_LEFTIKEPORT},
+ {"dumpdir", KW_DUMPDIR},
{"auto", KW_AUTO},
+ {"dpdtimeout", KW_DPDTIMEOUT},
{"charondebug", KW_CHARONDEBUG},
{"dpddelay", KW_DPDDELAY},
- {"xauth_identity", KW_XAUTH_IDENTITY},
+ {"mark", KW_MARK},
{"charonstart", KW_CHARONSTART},
{"fragicmp", KW_FRAGICMP},
{"prepluto", KW_PREPLUTO},
+ {"ignorepeeridcheck", KW_IGNOREPEERIDCHECK},
{"closeaction", KW_CLOSEACTION},
{"leftid2", KW_LEFTID2},
{"plutodebug", KW_PLUTODEBUG},
{"tfc", KW_TFC},
{"auth", KW_AUTH},
- {"rekeymargin", KW_REKEYMARGIN},
{"modeconfig", KW_MODECONFIG},
{"leftauth", KW_LEFTAUTH},
{"xauth", KW_XAUTH},
@@ -247,6 +247,7 @@ static const struct kw_entry wordlist[]
{"nocrsend", KW_NOCRSEND},
{"leftauth2", KW_LEFTAUTH2},
{"rightca2", KW_RIGHTCA2},
+ {"rekeymargin", KW_REKEYMARGIN},
{"rightcert2", KW_RIGHTCERT2},
{"pkcs11module", KW_PKCS11MODULE},
{"reauth", KW_REAUTH},
@@ -265,24 +266,24 @@ static const short lookup[] =
21, 22, 23, 24, 25, -1, -1, -1, 26, 27,
28, -1, 29, -1, -1, -1, 30, -1, 31, 32,
33, 34, 35, -1, 36, 37, -1, 38, -1, 39,
- 40, -1, -1, 41, 42, 43, -1, -1, 44, 45,
- 46, -1, 47, -1, 48, 49, 50, 51, 52, 53,
- -1, 54, 55, -1, -1, -1, 56, -1, 57, 58,
- 59, 60, -1, 61, -1, -1, 62, 63, 64, 65,
- 66, -1, 67, 68, 69, 70, -1, 71, 72, 73,
- 74, -1, 75, 76, 77, 78, 79, 80, 81, 82,
- 83, -1, 84, 85, 86, 87, 88, 89, 90, 91,
- 92, 93, 94, -1, 95, 96, 97, 98, -1, -1,
- 99, 100, -1, -1, 101, -1, 102, -1, -1, 103,
- -1, 104, 105, -1, 106, -1, -1, -1, -1, -1,
- 107, 108, -1, -1, -1, -1, -1, 109, -1, -1,
- -1, -1, 110, -1, 111, -1, -1, -1, -1, -1,
- -1, -1, -1, 112, 113, 114, -1, 115, -1, 116,
+ 40, -1, 41, 42, 43, 44, -1, -1, 45, 46,
+ 47, 48, 49, -1, 50, 51, 52, 53, 54, 55,
+ -1, -1, 56, -1, -1, -1, 57, -1, 58, 59,
+ 60, 61, -1, -1, -1, -1, 62, 63, 64, 65,
+ 66, -1, 67, 68, 69, 70, 71, -1, 72, 73,
+ 74, -1, 75, 76, 77, 78, 79, 80, -1, 81,
+ 82, 83, 84, 85, 86, 87, -1, 88, -1, 89,
+ -1, 90, -1, -1, 91, 92, 93, 94, 95, 96,
+ 97, 98, -1, -1, 99, 100, 101, -1, 102, 103,
+ -1, 104, -1, 105, 106, -1, -1, -1, -1, -1,
+ 107, 108, -1, -1, -1, -1, 109, 110, -1, -1,
+ -1, -1, 111, -1, 112, -1, -1, -1, -1, -1,
+ -1, -1, -1, 113, 114, -1, -1, 115, -1, 116,
-1, 117, -1, -1, 118, 119, -1, -1, -1, 120,
-1, -1, -1, -1, -1, 121, 122, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, 123, -1, 124, -1,
- -1, -1, -1, -1, -1, -1, 125, 126, 127, 128,
- -1, -1, 129, -1, -1, -1, 130
+ -1, -1, -1, -1, -1, -1, 123, 124, 125, -1,
+ -1, -1, -1, -1, -1, -1, 126, 127, 128, 129,
+ -1, -1, 130, -1, -1, -1, 131
};
#ifdef __GNUC__
diff -rupN strongswan-4.6.4/src/starter/keywords.h strongswan-4.6.4.patched/src/starter/keywords.h
--- strongswan-4.6.4/src/starter/keywords.h 2012-05-30 09:17:15.000000000 -0700
+++ strongswan-4.6.4.patched/src/starter/keywords.h 2012-06-05 22:27:58.208664827 -0700
@@ -43,9 +43,10 @@ typedef enum {
KW_PKCS11INITARGS,
KW_PKCS11KEEPSTATE,
KW_PKCS11PROXY,
+ KW_IGNOREPEERIDCHECK,
#define KW_PLUTO_FIRST KW_PLUTODEBUG
-#define KW_PLUTO_LAST KW_PKCS11PROXY
+#define KW_PLUTO_LAST KW_IGNOREPEERIDCHECK
/* KLIPS keywords */
KW_KLIPSDEBUG,
@@ -218,4 +219,3 @@ typedef enum {
} kw_token_t;
#endif /* _KEYWORDS_H_ */
-
diff -rupN strongswan-4.6.4/src/starter/keywords.txt strongswan-4.6.4.patched/src/starter/keywords.txt
--- strongswan-4.6.4/src/starter/keywords.txt 2012-05-30 09:17:15.000000000 -0700
+++ strongswan-4.6.4.patched/src/starter/keywords.txt 2012-06-05 22:27:58.208664827 -0700
@@ -56,6 +56,7 @@ pkcs11module, KW_PKCS11MODULE
pkcs11initargs, KW_PKCS11INITARGS
pkcs11keepstate, KW_PKCS11KEEPSTATE
pkcs11proxy, KW_PKCS11PROXY
+ignorepeeridcheck, KW_IGNOREPEERIDCHECK
keyexchange, KW_KEYEXCHANGE
type, KW_TYPE
pfs, KW_PFS


@ -1,14 +0,0 @@
diff -rupN strongswan-4.6.4/src/pluto/plutomain.c strongswan-4.6.4.patched/src/pluto/plutomain.c
--- strongswan-4.6.4/src/pluto/plutomain.c 2012-02-06 09:05:46.000000000 -0800
+++ strongswan-4.6.4.patched/src/pluto/plutomain.c 2012-06-05 22:24:41.335822876 -0700
@@ -726,7 +726,9 @@ int main(int argc, char **argv)
char buf[1024];
if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
- pwp == NULL || setuid(pwp->pw_uid) != 0)
+ pwp == NULL ||
+ initgroups(pwp->pw_name, pwp->pw_gid) != 0 ||
+ setuid(pwp->pw_uid) != 0)
{
plog("unable to change daemon user");
abort();


@ -1,289 +0,0 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.6.4.ebuild,v 1.1 2012/05/31 16:30:53 gurligebis Exp $
EAPI=2
inherit eutils linux-info
DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
SLOT="0"
KEYWORDS="arm amd64 ~ppc ~sparc x86"
# TODO(simonjam): Figure out why +openssl broke certificate support. Until then,
# openssl is disabled unlike upstream.
# See http://codereview.chromium.org/6833010 and http://crosbug.com/12695 for details.
IUSE="+caps cisco curl debug dhcp eap farp gcrypt ldap +ikev1 +ikev2 mysql nat-transport +non-root openssl +smartcard sqlite"
COMMON_DEPEND="!net-misc/openswan
>=dev-libs/gmp-4.1.5
gcrypt? ( dev-libs/libgcrypt )
caps? ( sys-libs/libcap )
curl? ( net-misc/curl )
ldap? ( net-nds/openldap )
smartcard? ( dev-libs/opensc )
openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
mysql? ( virtual/mysql )
sqlite? ( >=dev-db/sqlite-3.3.1 )"
DEPEND="${COMMON_DEPEND}
virtual/linux-sources
sys-kernel/linux-headers"
RDEPEND="${COMMON_DEPEND}
virtual/logger"
UGID="ipsec"
pkg_setup() {
linux-info_pkg_setup
elog "Linux kernel version: ${KV_FULL}"
if ! kernel_is -ge 2 6 16; then
eerror
eerror "This ebuild currently only supports ${PN} with the"
eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
eerror
fi
if use nat-transport; then
ewarn
ewarn "You have enabled NAT Traversal for transport mode with the IKEv1"
ewarn "protocol. Please double check if you really require this feature"
ewarn "as it is potentially insecure and usually only required in certain"
ewarn "situations when interoperating with Windows using L2TP/IPsec."
ewarn
fi
if kernel_is -lt 2 6 34; then
ewarn
ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
ewarn
if kernel_is -lt 2 6 29; then
ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
ewarn "include all required IPv6 modules even if you just intend"
ewarn "to run on IPv4 only."
ewarn
ewarn "This has been fixed with kernels >= 2.6.29."
ewarn
fi
if kernel_is -lt 2 6 33; then
ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
ewarn "miss SHA384 and SHA512 HMAC support altogether."
ewarn
ewarn "If you need any of those features, please use kernel >= 2.6.33."
ewarn
fi
if kernel_is -lt 2 6 34; then
ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
ewarn "ESP cipher is only included in kernels >= 2.6.34."
ewarn
ewarn "If you need it, please use kernel >= 2.6.34."
ewarn
fi
fi
}
src_prepare() {
# Initialize the supplementary group access list when pluto starts.
# See http://crosbug.com/16252 for details.
epatch "${FILESDIR}/${P}-initgroups.patch" || die
# Provide an option to ignore peer ID check in pluto.
# See http://crosbug.com/24476 for details.
epatch "${FILESDIR}/${P}-ignore-peer-id-check.patch" || die
}
src_configure() {
local myconf=""
if use non-root; then
myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
fi
# If a user has already enabled db support, those plugins will
# most likely be desired as well. Besides they don't impose new
# dependencies and come at no cost (except for space).
if use mysql || use sqlite; then
myconf="${myconf} --enable-attr-sql --enable-sql"
fi
# strongSwan builds and installs static libs by default which are
# useless to the user (and to strongSwan for that matter) because no
# header files or alike get installed... so disabling them is safe.
#
# On Chromium OS, we use --disable-xauth-vid to prevent strongswan
# from sending a XAUTH vendor ID during ISAKMP phase 1 exchange.
# See http://crosbug.com/25675 for details.
econf \
--disable-static \
--disable-xauth-vid \
$(use_with caps capabilities libcap) \
$(use_enable curl) \
$(use_enable ldap) \
$(use_enable smartcard) \
$(use_enable cisco cisco-quirks) \
$(use_enable debug leak-detective) \
$(use_enable eap eap-sim) \
$(use_enable eap eap-sim-file) \
$(use_enable eap eap-simaka-sql) \
$(use_enable eap eap-simaka-pseudonym) \
$(use_enable eap eap-simaka-reauth) \
$(use_enable eap eap-identity) \
$(use_enable eap eap-md5) \
$(use_enable eap eap-gtc) \
$(use_enable eap eap-aka) \
$(use_enable eap eap-aka-3gpp2) \
$(use_enable eap eap-mschapv2) \
$(use_enable eap eap-radius) \
$(use_enable nat-transport) \
$(use_enable openssl) \
$(use_enable gcrypt) \
$(use_enable mysql) \
$(use_enable sqlite) \
$(use_enable ikev1 pluto) \
$(use_enable ikev2 charon) \
$(use_enable dhcp) \
$(use_enable farp) \
${myconf}
}
src_install() {
emake DESTDIR="${D}" install || die "Install failed"
doinitd "${FILESDIR}"/ipsec
local dir_ugid
if use non-root; then
fowners ${UGID}:${UGID} \
/etc/ipsec.conf \
/etc/ipsec.secrets \
/etc/strongswan.conf
dir_ugid="${UGID}"
else
dir_ugid="root"
fi
diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
dodir /etc/ipsec.d \
/etc/ipsec.d/aacerts \
/etc/ipsec.d/acerts \
/etc/ipsec.d/cacerts \
/etc/ipsec.d/certs \
/etc/ipsec.d/crls \
/etc/ipsec.d/ocspcerts \
/etc/ipsec.d/private \
/etc/ipsec.d/reqs
# Replace various IPsec files with symbolic links to runtime generated
# files (by l2tpipsec_vpn) on the stateful partition of Chromium OS.
rm -f "${D}"/etc/ipsec.conf "${D}"/etc/ipsec.secrets "{$D}"/etc/ipsec.d/cacerts/cacert.der
dosym /mnt/stateful_partition/etc/ipsec.conf /etc/ipsec.conf || die
dosym /mnt/stateful_partition/etc/ipsec.secrets /etc/ipsec.secrets || die
dosym /mnt/stateful_partition/etc/cacert.der /etc/ipsec.d/cacerts/cacert.der || die
dodoc CREDITS NEWS README TODO || die
# shared libs are used only internally and there are no static libs,
# so it's safe to get rid of the .la files
find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
pkg_preinst() {
has_version "<net-misc/strongswan-4.3.6-r1"
upgrade_from_leq_4_3_6=$(( !$? ))
has_version "<net-misc/strongswan-4.3.6-r1[-caps]"
previous_4_3_6_with_caps=$(( !$? ))
}
pkg_postinst() {
if ! use openssl && ! use gcrypt; then
elog
elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
elog "Please note that this might effect availability and speed of some"
elog "cryptographic features. You are advised to enable the OpenSSL plugin."
elif ! use openssl; then
elog
elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
elog "availability and speed of some cryptographic features. There will be"
elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
elog "25, 26) and ECDSA."
fi
if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
chmod 0750 "${ROOT}"/etc/ipsec.d \
"${ROOT}"/etc/ipsec.d/aacerts \
"${ROOT}"/etc/ipsec.d/acerts \
"${ROOT}"/etc/ipsec.d/cacerts \
"${ROOT}"/etc/ipsec.d/certs \
"${ROOT}"/etc/ipsec.d/crls \
"${ROOT}"/etc/ipsec.d/ocspcerts \
"${ROOT}"/etc/ipsec.d/private \
"${ROOT}"/etc/ipsec.d/reqs
ewarn
ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
ewarn "security reasons. Your system installed directories have been"
ewarn "updated accordingly. Please check if necessary."
ewarn
if [[ $previous_4_3_6_with_caps == 1 ]]; then
if ! use non-root; then
ewarn
ewarn "IMPORTANT: You previously had ${PN} installed without root"
ewarn "privileges because it was implied by the 'caps' USE flag."
ewarn "This has been changed. If you want ${PN} with user privileges,"
ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
ewarn
fi
fi
fi
if ! use caps && ! use non-root; then
ewarn
ewarn "You have decided to run ${PN} with root privileges and built it"
ewarn "without support for POSIX capability dropping. It is generally"
ewarn "strongly suggested that you reconsider- especially if you intend"
ewarn "to run ${PN} as server with a public ip address."
ewarn
ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
ewarn
fi
if use non-root; then
elog
elog "${PN} has been installed without superuser privileges (USE=non-root)."
elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
elog "but also a few to the IKEv2 daemon 'charon'."
elog
elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
elog
elog "pluto uses a helper script by default to insert/remove routing and"
elog "policy rules upon connection start/stop which requires superuser"
elog "privileges. charon in contrast does this internally and can do so"
elog "even with reduced (user) privileges."
elog
elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
elog "script to pluto or charon which requires superuser privileges, you"
elog "can work around this limitation by using sudo to grant the"
elog "user \"ipsec\" the appropriate rights."
elog "For example (the default case):"
elog "/etc/sudoers:"
elog " Defaults:ipsec always_set_home,!env_reset"
elog " ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
elog "Under the specific connection block in /etc/ipsec.conf:"
elog " leftupdown=\"sudo ipsec _updown\""
elog
fi
elog
elog "Make sure you have _all_ required kernel modules available including"
elog "the appropriate cryptographic algorithms. A list is available at:"
elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
elog
elog "The up-to-date manual is available online at:"
elog " http://wiki.strongswan.org/"
elog
}


@ -1,272 +0,0 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.6.4.ebuild,v 1.1 2012/05/31 16:30:53 gurligebis Exp $
EAPI=2
inherit eutils linux-info
DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
SLOT="0"
KEYWORDS="~arm ~amd64 ~ppc ~sparc ~x86"
IUSE="+caps cisco curl debug dhcp eap farp gcrypt ldap +ikev1 +ikev2 mysql nat-transport +non-root +openssl smartcard sqlite"
COMMON_DEPEND="!net-misc/openswan
>=dev-libs/gmp-4.1.5
gcrypt? ( dev-libs/libgcrypt )
caps? ( sys-libs/libcap )
curl? ( net-misc/curl )
ldap? ( net-nds/openldap )
smartcard? ( dev-libs/opensc )
openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
mysql? ( virtual/mysql )
sqlite? ( >=dev-db/sqlite-3.3.1 )"
DEPEND="${COMMON_DEPEND}
virtual/linux-sources
sys-kernel/linux-headers"
RDEPEND="${COMMON_DEPEND}
virtual/logger
sys-apps/iproute2"
UGID="ipsec"
pkg_setup() {
linux-info_pkg_setup
elog "Linux kernel version: ${KV_FULL}"
if ! kernel_is -ge 2 6 16; then
eerror
eerror "This ebuild currently only supports ${PN} with the"
eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
eerror
die "Please install a recent 2.6 kernel."
fi
if use nat-transport; then
ewarn
ewarn "You have enabled NAT Traversal for transport mode with the IKEv1"
ewarn "protocol. Please double check if you really require this feature"
ewarn "as it is potentially insecure and usually only required in certain"
ewarn "situations when interoperating with Windows using L2TP/IPsec."
ewarn
fi
if kernel_is -lt 2 6 34; then
ewarn
ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
ewarn
if kernel_is -lt 2 6 29; then
ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
ewarn "include all required IPv6 modules even if you just intend"
ewarn "to run on IPv4 only."
ewarn
ewarn "This has been fixed with kernels >= 2.6.29."
ewarn
fi
if kernel_is -lt 2 6 33; then
ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
ewarn "miss SHA384 and SHA512 HMAC support altogether."
ewarn
ewarn "If you need any of those features, please use kernel >= 2.6.33."
ewarn
fi
if kernel_is -lt 2 6 34; then
ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
ewarn "ESP cipher is only included in kernels >= 2.6.34."
ewarn
ewarn "If you need it, please use kernel >= 2.6.34."
ewarn
fi
fi
if use non-root; then
enewgroup ${UGID}
enewuser ${UGID} -1 -1 -1 ${UGID}
fi
}
src_configure() {
local myconf=""
if use non-root; then
myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
fi
# If a user has already enabled db support, those plugins will
# most likely be desired as well. Besides they don't impose new
# dependencies and come at no cost (except for space).
if use mysql || use sqlite; then
myconf="${myconf} --enable-attr-sql --enable-sql"
fi
# strongSwan builds and installs static libs by default which are
# useless to the user (and to strongSwan for that matter) because no
# header files or alike get installed... so disabling them is safe.
econf \
--disable-static \
$(use_with caps capabilities libcap) \
$(use_enable curl) \
$(use_enable ldap) \
$(use_enable smartcard) \
$(use_enable cisco cisco-quirks) \
$(use_enable debug leak-detective) \
$(use_enable eap eap-sim) \
$(use_enable eap eap-sim-file) \
$(use_enable eap eap-simaka-sql) \
$(use_enable eap eap-simaka-pseudonym) \
$(use_enable eap eap-simaka-reauth) \
$(use_enable eap eap-identity) \
$(use_enable eap eap-md5) \
$(use_enable eap eap-gtc) \
$(use_enable eap eap-aka) \
$(use_enable eap eap-aka-3gpp2) \
$(use_enable eap eap-mschapv2) \
$(use_enable eap eap-radius) \
$(use_enable nat-transport) \
$(use_enable openssl) \
$(use_enable gcrypt) \
$(use_enable mysql) \
$(use_enable sqlite) \
$(use_enable ikev1 pluto) \
$(use_enable ikev2 charon) \
$(use_enable dhcp) \
$(use_enable farp) \
${myconf}
}
src_install() {
emake DESTDIR="${D}" install || die "Install failed"
doinitd "${FILESDIR}"/ipsec
local dir_ugid
if use non-root; then
fowners ${UGID}:${UGID} \
/etc/ipsec.conf \
/etc/ipsec.secrets \
/etc/strongswan.conf
dir_ugid="${UGID}"
else
dir_ugid="root"
fi
diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
dodir /etc/ipsec.d \
/etc/ipsec.d/aacerts \
/etc/ipsec.d/acerts \
/etc/ipsec.d/cacerts \
/etc/ipsec.d/certs \
/etc/ipsec.d/crls \
/etc/ipsec.d/ocspcerts \
/etc/ipsec.d/private \
/etc/ipsec.d/reqs
dodoc CREDITS NEWS README TODO || die
# shared libs are used only internally and there are no static libs,
# so it's safe to get rid of the .la files
find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
pkg_preinst() {
has_version "<net-misc/strongswan-4.3.6-r1"
upgrade_from_leq_4_3_6=$(( !$? ))
has_version "<net-misc/strongswan-4.3.6-r1[-caps]"
previous_4_3_6_with_caps=$(( !$? ))
}
pkg_postinst() {
if ! use openssl && ! use gcrypt; then
elog
elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
elog "Please note that this might effect availability and speed of some"
elog "cryptographic features. You are advised to enable the OpenSSL plugin."
elif ! use openssl; then
elog
elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
elog "availability and speed of some cryptographic features. There will be"
elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
elog "25, 26) and ECDSA."
fi
if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
chmod 0750 "${ROOT}"/etc/ipsec.d \
"${ROOT}"/etc/ipsec.d/aacerts \
"${ROOT}"/etc/ipsec.d/acerts \
"${ROOT}"/etc/ipsec.d/cacerts \
"${ROOT}"/etc/ipsec.d/certs \
"${ROOT}"/etc/ipsec.d/crls \
"${ROOT}"/etc/ipsec.d/ocspcerts \
"${ROOT}"/etc/ipsec.d/private \
"${ROOT}"/etc/ipsec.d/reqs
ewarn
ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
ewarn "security reasons. Your system installed directories have been"
ewarn "updated accordingly. Please check if necessary."
ewarn
if [[ $previous_4_3_6_with_caps == 1 ]]; then
if ! use non-root; then
ewarn
ewarn "IMPORTANT: You previously had ${PN} installed without root"
ewarn "privileges because it was implied by the 'caps' USE flag."
ewarn "This has been changed. If you want ${PN} with user privileges,"
ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
ewarn
fi
fi
fi
if ! use caps && ! use non-root; then
ewarn
ewarn "You have decided to run ${PN} with root privileges and built it"
ewarn "without support for POSIX capability dropping. It is generally"
ewarn "strongly suggested that you reconsider- especially if you intend"
ewarn "to run ${PN} as server with a public ip address."
ewarn
ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
ewarn
fi
if use non-root; then
elog
elog "${PN} has been installed without superuser privileges (USE=non-root)."
elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
elog "but also a few to the IKEv2 daemon 'charon'."
elog
elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
elog
elog "pluto uses a helper script by default to insert/remove routing and"
elog "policy rules upon connection start/stop which requires superuser"
elog "privileges. charon in contrast does this internally and can do so"
elog "even with reduced (user) privileges."
elog
elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
elog "script to pluto or charon which requires superuser privileges, you"
elog "can work around this limitation by using sudo to grant the"
elog "user \"ipsec\" the appropriate rights."
elog "For example (the default case):"
elog "/etc/sudoers:"
elog " Defaults:ipsec always_set_home,!env_reset"
elog " ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
elog "Under the specific connection block in /etc/ipsec.conf:"
elog " leftupdown=\"sudo ipsec _updown\""
elog
fi
elog
elog "Make sure you have _all_ required kernel modules available including"
elog "the appropriate cryptographic algorithms. A list is available at:"
elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
elog
elog "The up-to-date manual is available online at:"
elog " http://wiki.strongswan.org/"
elog
}