systemd: fix services to allow TLS configurations via java.security.ciphers (#3163)

yadvr · GabrielBrascher · commit cb3fed0e4e15 · 2019-02-04T19:51:30.000-02:00
* systemd: fix services to allow TLS configurations via java.security.ciphers This fixes the management server and systemd services to allow the java.security.ciphers file to configure disabled TLS protocols and algorithms. This also cleans up systemd service files for agent and usage server. This fixes #3140 Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com> * configure: fix travis failure due pycodestyle error Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
diff --git a/debian/cloudstack-agent.postinst b/debian/cloudstack-agent.postinst
@@ -25,6 +25,8 @@ case "$1" in
         NEWCONFDIR="/etc/cloudstack/agent"
         CONFFILES="agent.properties log4j.xml log4j-cloud.xml"
 
+        mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp
+
         # Copy old configuration so the admin doesn't have to do that
         # Only do so when we are installing for the first time
         if [ -z "$2" ]; then
diff --git a/packaging/centos63/cloud-management.rc b/packaging/centos63/cloud-management.rc
@@ -71,7 +71,7 @@ setJavaHome() {
 setJavaHome
 
 JARS=$(ls /usr/share/cloudstack-management/lib/*.jar | tr '\n' ':' | sed s'/.$//')
-CLASSPATH="$JARS:$CLASSPATH"
+CLASSPATH="$JARS:$CLASSPATH:/usr/share/java/commons-daemon.jar"
 
 start() {
     if [ -s "$PIDFILE" ] && kill -0 $(cat "$PIDFILE") >/dev/null 2>&1; then
diff --git a/packaging/centos7/cloud-agent.rc b/packaging/centos7/cloud-agent.rc
diff --git a/packaging/centos7/cloud.spec b/packaging/centos7/cloud.spec
@@ -59,7 +59,6 @@ intelligent IaaS cloud implementation.
 %package management
 Summary:   CloudStack management server UI
 Requires: java-1.8.0-openjdk
-Requires: apache-commons-daemon-jsvc
 Requires: python
 Requires: bash
 Requires: bzip2
@@ -425,6 +424,7 @@ if [ ! -d %{_sysconfdir}/libvirt/hooks ] ; then
     mkdir %{_sysconfdir}/libvirt/hooks
 fi
 cp -a ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/libvirtqemuhook %{_sysconfdir}/libvirt/hooks/qemu
+mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp
 /sbin/service libvirtd restart
 /sbin/systemctl enable cloudstack-agent > /dev/null 2>&1 || true
 
diff --git a/packaging/debian/init/cloud-management b/packaging/debian/init/cloud-management
@@ -75,7 +75,7 @@ if [ -f "$DEFAULT" ]; then
 fi
 
 JARS=$(ls /usr/share/cloudstack-management/lib/*.jar | tr '\n' ':' | sed s'/.$//')
-CLASSPATH="$JARS:$CLASSPATH"
+CLASSPATH="$JARS:$CLASSPATH:/usr/share/java/commons-daemon.jar"
 
 [ -f "$DAEMON" ] || exit 0
 
diff --git a/packaging/systemd/cloudstack-agent.default b/packaging/systemd/cloudstack-agent.default
@@ -15,8 +15,8 @@
 # specific language governing permissions and limitations
 # under the License.
 
-JAVA=/usr/bin/java
-JAVA_HEAP_INITIAL=256m
-JAVA_HEAP_MAX=2048m
+JAVA_OPTS="-Djava.io.tmpdir=/usr/share/cloudstack-agent/tmp -Xms256m -Xmx2048m"
+
+CLASSPATH="/usr/share/cloudstack-agent/lib/*:/usr/share/cloudstack-agent/plugins/*:/etc/cloudstack/agent:/usr/share/cloudstack-common/scripts"
+
 JAVA_CLASS=com.cloud.agent.AgentShell
-JAVA_TMPDIR=/usr/share/cloudstack-agent/tmp
diff --git a/packaging/systemd/cloudstack-agent.service b/packaging/systemd/cloudstack-agent.service
@@ -23,12 +23,8 @@ After=libvirtd.service
 
 [Service]
 Type=simple
-EnvironmentFile=-/etc/default/cloudstack-agent
-ExecStart=/bin/sh -ec '\
-    export ACP=`ls /usr/share/cloudstack-agent/lib/*.jar /usr/share/cloudstack-agent/plugins/*.jar 2>/dev/null|tr "\\n" ":"`; \
-    export CLASSPATH="$ACP:/etc/cloudstack/agent:/usr/share/cloudstack-common/scripts"; \
-    mkdir -m 0755 -p ${JAVA_TMPDIR}; \
-    ${JAVA} -Djava.io.tmpdir="${JAVA_TMPDIR}" -Xms${JAVA_HEAP_INITIAL} -Xmx${JAVA_HEAP_MAX} -cp "$CLASSPATH" $JAVA_CLASS'
+EnvironmentFile=/etc/default/cloudstack-agent
+ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $JAVA_CLASS
 Restart=always
 RestartSec=10s
 
diff --git a/packaging/systemd/cloudstack-management.default b/packaging/systemd/cloudstack-management.default
@@ -15,17 +15,8 @@
 # specific language governing permissions and limitations
 # under the License.
 
-# Where your java installation lives
-#JAVA_HOME="/usr/lib/jvm/java"
+JAVA_OPTS="-Djava.security.properties=/etc/cloudstack/management/java.security.ciphers -Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Xmx2G -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/cloudstack/management/ -XX:ErrorFile=/var/log/cloudstack/management/cloudstack-management.err "
 
-JAVA_OPTS="-Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Xmx2g -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/cloudstack/management/ -XX:PermSize=512M -XX:MaxPermSize=800m -Djava.security.properties=/etc/cloudstack/management/java.security.ciphers "
-
-CLOUDSTACK_USER="cloud"
-
-CLOUDSTACK_PID="/var/run/cloudstack-management.pid"
-
-LOGDIR="/var/log/cloudstack/management"
-
-CLASSPATH="/etc/cloudstack/management:/usr/share/cloudstack-common:/usr/share/cloudstack-management/setup:/usr/share/cloudstack-management:/usr/share/java/mysql-connector-java.jar:/usr/share/java/commons-daemon.jar"
+CLASSPATH="/usr/share/cloudstack-management/lib/*:/etc/cloudstack/management:/usr/share/cloudstack-common:/usr/share/cloudstack-management/setup:/usr/share/cloudstack-management:/usr/share/java/mysql-connector-java.jar"
 
 BOOTSTRAP_CLASS=org.apache.cloudstack.ServerDaemon
diff --git a/packaging/systemd/cloudstack-management.service b/packaging/systemd/cloudstack-management.service
@@ -23,14 +23,12 @@ After=syslog.target network.target
 
 [Service]
 UMask=0022
-Type=forking
-Environment="NAME=cloudstack-management"
+Type=simple
+User=cloud
 EnvironmentFile=/etc/default/cloudstack-management
-ExecStartPre=/bin/bash -c "/bin/systemctl set-environment JAVA_HOME=$( readlink -f $( which java ) | sed s:bin/.*$:: )"
-ExecStartPre=/bin/bash -c "/bin/systemctl set-environment JARS=$(ls /usr/share/cloudstack-management/lib/*.jar | tr '\n' ':' | sed s'/.$//')"
-ExecStart=/usr/bin/jsvc -home "${JAVA_HOME}" -user "${CLOUDSTACK_USER}" -cp "${JARS}:${CLASSPATH}" -errfile "${LOGDIR}/${NAME}.err" -cwd "${LOGDIR}" -pidfile "${CLOUDSTACK_PID}" "${JAVA_OPTS}" "${BOOTSTRAP_CLASS}"
-ExecStop=/usr/bin/jsvc -cp "${JARS}:${CLASSPATH}" -pidfile "${CLOUDSTACK_PID}" -stop "${BOOTSTRAP_CLASS}"
-SuccessExitStatus=143
+WorkingDirectory=/var/log/cloudstack/management
+PIDFile=/var/run/cloudstack-management.pid
+ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $BOOTSTRAP_CLASS
 
 [Install]
 WantedBy=multi-user.target
diff --git a/packaging/systemd/cloudstack-usage.default b/packaging/systemd/cloudstack-usage.default
@@ -15,8 +15,8 @@
 # specific language governing permissions and limitations
 # under the License.
 
-JAVA=/usr/bin/java
-JAVA_HEAP_INITIAL=256m
-JAVA_HEAP_MAX=2048m
+JAVA_OPTS="-Dpid=$$ -Xms256m -Xmx2048m"
+
+CLASSPATH="/usr/share/cloudstack-usage/*:/usr/share/cloudstack-usage/lib/*:/usr/share/cloudstack-mysql-ha/lib/*:/etc/cloudstack/usage:/usr/share/java/mysql-connector-java.jar"
+
 JAVA_CLASS=com.cloud.usage.UsageServer
-JAVA_PID=$$
diff --git a/packaging/systemd/cloudstack-usage.service b/packaging/systemd/cloudstack-usage.service
@@ -23,11 +23,8 @@ After=network.target network-online.target
 
 [Service]
 Type=simple
-EnvironmentFile=-/etc/default/cloudstack-usage
-ExecStart=/bin/sh -ec '\
-    export UCP=`ls /usr/share/cloudstack-usage/cloud-usage-*.jar /usr/share/cloudstack-usage/lib/*.jar /usr/share/cloudstack-mysql-ha/lib/*.jar | tr "\\n" ":"`; \
-    export CLASSPATH="$UCP:/etc/cloudstack/usage:/usr/share/java/mysql-connector-java.jar"; \
-    ${JAVA} -Dpid=${JAVA_PID} -Xms${JAVA_HEAP_INITIAL} -Xmx${JAVA_HEAP_MAX} -cp "$CLASSPATH" $JAVA_CLASS'
+EnvironmentFile=/etc/default/cloudstack-usage
+ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $JAVA_CLASS
 Restart=always
 RestartSec=10s
 
diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
@@ -124,10 +124,10 @@ def add_rule(self):
             rnge = ''
             if "first_port" in self.rule.keys() and \
                self.rule['first_port'] == self.rule['last_port']:
-                    rnge = " --dport %s " % self.rule['first_port']
+                rnge = " --dport %s " % self.rule['first_port']
             if "first_port" in self.rule.keys() and \
                self.rule['first_port'] != self.rule['last_port']:
-                    rnge = " --dport %s:%s" % (rule['first_port'], rule['last_port'])
+                rnge = " --dport %s:%s" % (rule['first_port'], rule['last_port'])
 
             logging.debug("Current ACL IP direction is ==> %s", self.direction)
 
