. /etc/rc.d/init.d/functions
shibd="@-PREFIX-@/sbin/shibd"
SHIBD_USER=root
-pidfile=@-PKGRUNDIR-@/shibd.pid
prog=shibd
-#VER=`cat /etc/redhat-release | awk '{print $3}' | awk -F . '{print $1}'`
-RETVAL=0
+pidfile=@-PKGRUNDIR-@/shibd.pid
+lockfile=/var/lock/subsys/$prog
-if [ -f /etc/sysconfig/shibd ] ; then
- . /etc/sysconfig/shibd
-fi
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
start() {
echo -n $"Starting $prog: "
- if [ -f /var/lock/subsys/shibd ] ; then
+ if [ -f $lockfile ] ; then
if [ -f $pidfile ]; then
read kpid < $pidfile
if checkpid $kpid 2>&1; then
echo "process already running"
- return -1
+ return 1;
else
echo "lock file found but no process running for pid $kpid, continuing"
fi
fi
fi
-#_RHEL6_ export LD_LIBRARY_PATH=/opt/shibboleth/lib:$LD_LIBRARY_PATH
export SHIBD_PID=$pidfile
touch $pidfile
chown $SHIBD_USER:$SHIBD_USER $pidfile
/sbin/restorecon $pidfile
fi
# Handle transition from root to non-root packages.
- chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/*
+ chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/* 2>/dev/null || :
daemon --user $SHIBD_USER $shibd -p $pidfile -f -w 30
RETVAL=$?
echo
- [ $RETVAL = 0 ] && touch /var/lock/subsys/shibd
+ [ $RETVAL -eq 0 ] && touch $lockfile
return $RETVAL
}
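Review bot: The `chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/*` line in start() runs as root over a glob in a directory that is presumably writable by the unprivileged service account once the transition is done. chown dereferences symbolic links by default, so a link left in that directory would have its target's ownership changed. I would use `chown -h $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/* 2>/dev/null || :`, or limit the operation to regular files with find and `-type f`. The same pattern is added in the SUSE script's start branch and in the spec's %post for `sp-key.pem sp-cert.pem` and `%{_localstatedir}/log/%{name}/*`. The `touch $pidfile` and chown in the context lines above have the same property, but their guarding `if` is outside the visible lines.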
RETVAL=$?
echo
- [ $RETVAL = 0 ] && rm -f /var/lock/subsys/shibd $pidfile
+ [ $RETVAL -eq 0 ] && rm -f $lockfile $pidfile
+ return $RETVAL
}
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- status)
- status $shibd
- RETVAL=$?
- ;;
- restart)
+restart() {
stop
sleep 5
start
- ;;
- *)
- echo $"Usage: $prog {start|stop|status|restart}"
- exit 1
+}
+
+reload() {
+ restart
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ # run checks to determine if the service is running or use generic status
+ status $prog
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
esac
-exit $RETVAL
+exit $?
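Review bot: `rh_status` calls `status $prog` without the pid file, although the daemon is started with `-p $pidfile` under @-PKGRUNDIR-@, and the new `start` and `stop` arms return early on that result (`rh_status_q && exit 0`, `rh_status_q || exit 0`). If the lookup by name disagrees with the pid file, `stop` can exit 0 without stopping shibd, and the spec's %preun relies on `service shibd stop`. Passing the pid file keeps the two in step, `status -p $pidfile $prog`, provided the distribution's `functions` supports `-p`. The early return in `start` also means the stale-lock handling inside start() is only reached when status already reports the service as not running, which deserves a comment there.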
PID_FILE=@-PKGRUNDIR-@/shibd.pid
SHIBD_USER=root
DAEMON_OPTS=""
-
+
# Force removal of socket
DAEMON_OPTS="$DAEMON_OPTS -f"
# Use defined configuration file
DAEMON_OPTS="$DAEMON_OPTS -c $SHIB_CONFIG"
-
-# Set uid to run as
-DAEMON_OPTS="$DAEMON_OPTS -u $SHIBD_USER"
# Specify pid file to use
DAEMON_OPTS="$DAEMON_OPTS -p $PID_FILE"
# Specify wait time to use
DAEMON_OPTS="$DAEMON_OPTS -w 30"
+
+[ -e /etc/sysconfig/$NAME ] && . /etc/sysconfig/$NAME
# Exit if the package is not installed.
test -x "$DAEMON" || exit 5
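Review bot: The added `[ -e /etc/sysconfig/$NAME ] && . /etc/sysconfig/$NAME` is placed after DAEMON_OPTS has been assembled, so a PID_FILE set in the sysconfig file would change `startproc -p` but not the `-p` already embedded in DAEMON_OPTS, and a SHIB_CONFIG set there would not reach the command line at all. If only SHIBD_USER is meant to be overridable, say so next to the line: `# Sourced after DAEMON_OPTS is built: only SHIBD_USER and exported variables take effect`. The file is executed by root, so the comment should also state that it must stay root-owned. `$SHIBD_USER` is expanded unquoted at the startproc call, so an empty value from the sysconfig file would make `-u` consume the following `-p`; `-u "$SHIBD_USER"` avoids that.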
case "$1" in
start)
- # Handle transition from root to non-root packages.
- chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/*
+ # Handle transition from root to non-root packages.
+ chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/* 2>/dev/null || :
echo -n "Starting $DESC ($NAME)"
## Start daemon with startproc(8). If this fails
# NOTE: startproc return 0, even if service is
# already running to match LSB spec.
- /sbin/startproc -p $PID_FILE $DAEMON $DAEMON_OPTS > /dev/null 2>&1
+ /sbin/startproc -u $SHIBD_USER -p $PID_FILE $DAEMON $DAEMON_OPTS > /dev/null 2>&1
# Remember status and be verbose
rc_status -v
Requires: openssl
PreReq: xmltooling-schemas, opensaml-schemas
%if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130
-PreReq: %{insserv_prereq}
+PreReq: %{insserv_prereq} %{fillup_prereq}
BuildRequires: libXerces-c-devel >= 2.8.0
%else
BuildRequires: libxerces-c-devel >= 2.8.0
%{!?_without_builtinapache:BuildRequires: httpd-devel}
BuildRequires: redhat-rpm-config
Requires(pre): shadow-utils
+Requires(post): chkconfig
+Requires(preun): chkconfig, initscripts
%endif
%if "%{_vendor}" == "suse"
Requires(pre): pwdutils
%{!?_without_builtinapache:BuildRequires: apache2-devel}
%endif
-%define runuser shibboleth
+%define runuser shibd
%if "%{_vendor}" == "suse"
%define pkgdocdir %{_docdir}/%{name}
%else
$RPM_BUILD_ROOT%{_sysconfdir}/%{name}/native.logger
%endif
-%if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600
- %{__sed} -i "s/#_RHEL6_//g" \
- $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-redhat
- %{__sed} -i "s/\/opt\/shibboleth\/lib/\/opt\/shibboleth\/%{_lib}/g" \
- $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-redhat
- chrpath -d $RPM_BUILD_ROOT%{_sbindir}/shibd
- chrpath -d $RPM_BUILD_ROOT%{_bindir}/mdquery
- chrpath -d $RPM_BUILD_ROOT%{_bindir}/resolvertest
-%endif
-
# Plug the SP into the built-in Apache on a recognized system.
touch rpm.filelist
APACHE_CONFIG="no"
if [ "$APACHE_CONFD" != "no" ] ; then
%{__mkdir} -p $RPM_BUILD_ROOT$APACHE_CONFD
%{__cp} -p $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/$APACHE_CONFIG $RPM_BUILD_ROOT$APACHE_CONFD/shib.conf
- echo "%config(noreplace) $APACHE_CONFD/shib.conf" > rpm.filelist
+ echo "%config(noreplace) $APACHE_CONFD/shib.conf" >> rpm.filelist
fi
fi
+# Establish location of sysconfig file, if any.
+SYSCONFIG_SHIBD="no"
+%if "%{_vendor}" == "redhat"
+ %{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
+ echo "%config(noreplace) %{_sysconfdir}/sysconfig/shibd" >> rpm.filelist
+ SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/shibd"
+%endif
+%if "%{_vendor}" == "suse"
+ %{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates
+ echo "%{_localstatedir}/adm/fillup-templates/sysconfig.shibd" >> rpm.filelist
+ SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.shibd"
+%endif
+if [ "$SYSCONFIG_SHIBD" != "no" ] ; then
+ # Populate the sysconfig file.
+ cat > $SYSCONFIG_SHIBD <<EOF
+# Shibboleth SP init script customization
+
+# User account for shibd
+SHIBD_USER=%{runuser}
+EOF
+ %if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600
+ cat >> $SYSCONFIG_SHIBD <<EOF
+
+# Override OS-supplied libcurl
+export LD_LIBRARY_PATH=/opt/shibboleth/%{_lib}
+EOF
+ # Strip existing rpath to libcurl.
+ chrpath -d $RPM_BUILD_ROOT%{_sbindir}/shibd
+ chrpath -d $RPM_BUILD_ROOT%{_bindir}/mdquery
+ chrpath -d $RPM_BUILD_ROOT%{_bindir}/resolvertest
+ %endif
+fi
+
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "suse"
- %{__sed} -i "s/SHIBD_USER=root/SHIBD_USER=%{runuser}/g" \
- $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-%{_vendor}
# %{_initddir} not yet in RHEL5, use deprecated %{_initrddir}
install -d -m 0755 $RPM_BUILD_ROOT%{_initrddir}
install -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-%{_vendor} $RPM_BUILD_ROOT%{_initrddir}/shibd
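Review bot: The generated sysconfig file now carries `export LD_LIBRARY_PATH=/opt/shibboleth/%{_lib}`, and the Red Hat init script sources that file at top level. The override is therefore in effect for every command the script runs as root (touch, chown, restorecon, daemon), not only for shibd. That puts the ownership and mode of that library directory inside the init script's trust boundary, and I would state it in the generated file: `# This directory must be root-owned and not writable by SHIBD_USER; the setting applies to all commands the init script runs`. The file is created with `cat >` and listed only as `%config(noreplace)`, so its mode comes from the build umask. An explicit `%attr(0644,root,root)` on that rpm.filelist entry would pin it, unless the %files section outside this hunk already does.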
/sbin/ldconfig
%endif
-# Key generation
+# Key generation or ownership fix
cd %{_sysconfdir}/%{name}
-sh ./keygen.sh -b -u %{runuser} -g %{runuser}
+if [ -f sp-key.pem ] ; then
+ %{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
+else
+ sh ./keygen.sh -b -u %{runuser} -g %{runuser}
+fi
+
+# Fix ownership of log files (even on new installs, if they're left from an older one).
+%{__chown} %{runuser}:%{runuser} %{_localstatedir}/log/%{name}/* 2>/dev/null || :
%if "%{_vendor}" == "redhat"
if [ "$1" -gt "1" ] ; then
# This adds the proper /etc/rc*.d links for the script
/sbin/chkconfig --add shibd
+
# On upgrade, restart components if they're already running.
+ # This gets repeated now down in %postun, and the next release
+ # should remove this copy. If we yank it now, we'll break upgrades.
if [ "$1" -gt "1" ] ; then
/etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
%{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
%endif
%if "%{_vendor}" == "suse"
# This adds the proper /etc/rc*.d links for the script
+ # and populates the sysconfig/shibd file.
cd /
+ %{fillup_only -n shibd}
%insserv_force_if_yast shibd
%endif
%preun
+# On final removal, stop shibd and remove service, restart Apache if running.
%if "%{_vendor}" == "redhat"
- if [ "$1" = 0 ] ; then
+ if [ "$1" -eq 0 ] ; then
/sbin/service shibd stop >/dev/null 2>&1
/sbin/chkconfig --del shibd
%{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
%endif
%if "%{_vendor}" == "suse"
%stop_on_removal shibd
- if [ "$1" = 0 ] ; then
+ if [ "$1" -eq 0 ] ; then
%{!?_without_builtinapache:/etc/init.d/apache2 status 1>/dev/null && /etc/init.d/apache2 restart 1>/dev/null}
fi
%endif
%ifnos solaris2.8 solaris2.9 solaris2.10
/sbin/ldconfig
%endif
+%if "%{_vendor}" == "redhat"
+ # On upgrade, restart components if they're already running.
+ if [ "$1" -ge "1" ] ; then
+ /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
+ %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
+ exit 0
+ fi
+%endif
%if "%{_vendor}" == "suse"
-cd /
-%restart_on_update shibd
-%{!?_without_builtinapache:%restart_on_update apache2}
-%{insserv_cleanup}
+ cd /
+ %restart_on_update shibd
+ %{!?_without_builtinapache:%restart_on_update apache2}
+ %{insserv_cleanup}
%endif
%posttrans
%doc %{pkgdocdir}/api
%changelog
-* Tue Aug 9 2011 Scott Cantor <cantor.2@osu.edu> - 2.5-1
+* Wed Aug 24 2011 Scott Cantor <cantor.2@osu.edu> - 2.5-1
- Move logo and stylesheet to version-independent tree
- Make shib.conf noreplace
- Post-fixup of Alias commands in older shib.conf
-- Run shibd as non-root
+- Changes to run shibd as non-root shibboleth user
+- Move init customizations to /etc/sysconfig/shibd
+- Copy shibd restart for Red Hat to postun
* Sun Jun 26 2011 Scott Cantor <cantor.2@osu.edu> - 2.4.3-1
- Log files shouldn't be world readable.