Hello community, here is the log from the commit of package varnish for openSUSE:11.4 checked in at Wed Apr 27 17:49:12 CEST 2011. -------- --- old-versions/11.4/all/varnish/varnish.changes 2010-08-17 11:31:58.000000000 +0200 +++ 11.4/varnish/varnish.changes 2011-04-15 10:09:02.000000000 +0200 @@ -1,0 +2,16 @@ +Sun Apr 3 23:38:24 UTC 2011 - jengelh@medozas.de + +- Fix security-problematic ownership of /etc/varnish files + (bnc#678811) +- Run spec-beautifier over it +- Replace default shipped vcl.conf by something working +- Run as varnish user +- Start varnishlog together with varnishd +- Properly use PID files in init script + +------------------------------------------------------------------- +Sat Oct 9 04:31:06 UTC 2010 - jengelh@medozas.de + +- Create and package /var/log/varnish + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/varnish Destination is old-versions/11.4/UPDATES/all/varnish calling whatdependson for 11.4-i586 Old: ---- upstream-config.tar.bz2 New: ---- varnish.logrotate vcl.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ varnish.spec ++++++ --- /var/tmp/diff_new_pack.VCjNH7/_old 2011-04-27 17:48:28.000000000 +0200 +++ /var/tmp/diff_new_pack.VCjNH7/_new 2011-04-27 17:48:28.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package varnish (Version 2.1.3) +# spec file for package varnish # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -20,29 +20,28 @@ Name: varnish Version: 2.1.3 -Release: 1 +Release: 3.<RELEASE4> # License: BSD Group: Productivity/Networking/Web/Proxy # BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libxslt ncurses-devel pcre-devel pkg-config -Prereq(post): /usr/sbin/useradd /usr/sbin/groupadd +Prereq(post): %_sbindir/useradd %_sbindir/groupadd %if 0%{?suse_version} Recommends: logrotate %endif -%define _bindir %{_sbindir} -%define pkg_home %{_var}/lib/%{name} -%define pkg_logdir %{_var}/log/%{name} -%define pkg_cachedir %{_var}/cache/%{name} -%define pkg_name %{name} +%define pkg_home %_localstatedir/lib/%name +%define pkg_logdir %_localstatedir/log/%name +%define pkg_cachedir %_localstatedir/cache/%name # Url: http://www.varnish-cache.org/ -Source0: http://downloads.sourceforge.net/varnish/varnish-%{version}.tar.gz -# http://downloads.sourceforge.net/varnish/varnish-%{version}.tar.bz2 -Source1: upstream-config.tar.bz2 +Source0: http://downloads.sourceforge.net/varnish/varnish-%version.tar.gz +# http://downloads.sourceforge.net/varnish/varnish-%version.tar.bz2 Source2: varnish.init Source3: varnish.sysconfig +Source4: vcl.conf +Source5: varnish.logrotate # Summary: Varnish is a high-performance HTTP accelerator @@ -63,13 +62,13 @@ %define library_name libvarnish1 -%package -n %{library_name} +%package -n %library_name Group: Productivity/Networking/Web/Proxy # Summary: Shared libraries for Varnish -%description -n %{library_name} +%description -n %library_name Varnish is an HTTP accelerator. An HTTP accelerator (often called Reverse Proxy) is an application that stores (caches) documents that have been requested over the HTTP protocol. @@ -91,7 +90,7 @@ %package devel License: BSD Group: Development/Libraries/C and C++ -Requires: %{name} = %{version} +Requires: %name = %version # Summary: Development files for Varnish 
@@ -115,91 +114,82 @@ %prep -%setup -qa1 -#sed -e ' s/8080/80/g ' etc/vcl.conf > redhat/vcl.conf +%setup -q %build %if 0%{?suse_version} > 1000 -export CFLAGS="%{optflags} -fstack-protector" +export CFLAGS="%optflags -fstack-protector" %endif -%configure --disable-static --localstatedir=%{_var}/cache/ \ +%configure --disable-static --localstatedir=%_localstatedir/cache/ \ --enable-debugging-symbols \ --enable-developer-warnings -%{__make} +make %{?_smp_mflags} %install %makeinstall -find %{buildroot} -ls +find %buildroot -ls +# There is no use for them to normal users +mv %buildroot/%_bindir/* %buildroot/%_sbindir/ # # remove unneeded files # libvarnish.la has -lrt as dependency lib -#%{__rm} -fv %{buildroot}%{_libdir}/*.la +#rm -fv %buildroot%_libdir/*.la # ##missing directories -%{__install} -d -m 0755 %{buildroot}{%{pkg_logdir},%{pkg_home}} -%{__install} -D -m 0644 redhat/varnish.logrotate %{buildroot}/etc/logrotate.d/varnish -%if 0%{?suse_version} -# -##init scripts -%{__install} -D -m 0644 %{S:3} %{buildroot}/var/adm/fillup-templates/sysconfig.%{name} -%{__install} -D -m 0755 %{S:2} %{buildroot}%{_sysconfdir}/init.d/%{name} -%{__ln_s} -f %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name} -# -##config files -%{__install} -D -m 0644 etc/vcl.conf %{buildroot}%{_sysconfdir}/%{name}/vcl.conf -%{__install} -D -m 0644 etc/vcl.conf %{buildroot}%{_sysconfdir}/%{name}/vcl.conf.example -%else +install -d -m 0755 %buildroot{%pkg_logdir,%pkg_home} +install -D -m 0644 %{S:5} %buildroot%_sysconfdir/logrotate.d/varnish # ##init scripts -%{__install} -D -m 0644 redhat/varnish.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/%{name} -%{__install} -D -m 0755 redhat/varnish.initrc %{buildroot}%{_sysconfdir}/init.d/%{name} +install -D -m 0644 %{S:3} %buildroot/var/adm/fillup-templates/sysconfig.%name +install -D -m 0755 %{S:2} %buildroot%_sysconfdir/init.d/%name +ln -s -f %_sysconfdir/init.d/%name %buildroot%_sbindir/rc%name # ##config files -%{__install} -D -m 0644 
redhat/vcl.conf %{buildroot}%{_sysconfdir}/%{name}/vcl.conf -%{__install} -D -m 0644 redhat/vcl.conf %{buildroot}%{_sysconfdir}/%{name}/vcl.conf.example -%endif +install -D -m 0644 %{S:4} %buildroot%_sysconfdir/%name/vcl.conf +install -D -m 0644 %{S:4} %buildroot%_sysconfdir/%name/vcl.conf.example find "%buildroot" -type f -name "*.la" -delete - -%clean -%{__rm} -rf %{buildroot} +mkdir -p "%buildroot/%_localstatedir/log/varnish" %pre -/usr/sbin/groupadd -r %{pkg_name} 2>/dev/null || : -/usr/sbin/useradd -g %{pkg_name} -s /bin/false -r -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name} 2>/dev/null || : +%_bindir/getent group varnish >/dev/null || \ + %_sbindir/groupadd -r varnish || : +%_bindir/getent passwd varnish >/dev/null || \ + %_sbindir/useradd -g varnish -s /bin/false -r -c "user for Varnish" \ + -d %pkg_home varnish || : %if 0%{?suse_version} %post -%fillup_and_insserv %{pkg_name} +%fillup_and_insserv %name %preun -%stop_on_removal %{pkg_name} +%stop_on_removal %name %postun -%restart_on_update %{pkg_name} -%{insserv_cleanup} +%restart_on_update %name +%insserv_cleanup %else # how to do the same for RH/mandriva? 
%endif -%post -n %{library_name} -p /sbin/ldconfig +%post -n %library_name -p /sbin/ldconfig -%postun -n %{library_name} -p /sbin/ldconfig +%postun -n %library_name -p /sbin/ldconfig %files %defattr(-,root,root,-) %if 0%{?suse_version} -%{_sbindir}/rc%{name} -/var/adm/fillup-templates/sysconfig.%{name} +%_sbindir/rc%name +/var/adm/fillup-templates/sysconfig.%name %else -%config(noreplace) %{_sysconfdir}/sysconfig/%{name} +%config(noreplace) %_sysconfdir/sysconfig/%name %endif -%config(noreplace) %{_sysconfdir}/init.d/%{name} +%config(noreplace) %_sysconfdir/init.d/%name # -%dir %attr(750,%{pkg_name},%{pkg_name}) %{_sysconfdir}/%{name}/ -%config(noreplace) %attr(640,%{pkg_name},%{pkg_name}) %{_sysconfdir}/%{name}/vcl.conf -%config %attr(640,%{pkg_name},%{pkg_name}) %{_sysconfdir}/%{name}/vcl.conf.example -%config(noreplace) %attr(640,%{pkg_name},%{pkg_name}) %{_sysconfdir}/%{name}/default.vcl +%dir %attr(750,root,varnish) %_sysconfdir/%name/ +%config(noreplace) %attr(640,root,varnish) %_sysconfdir/%name/vcl.conf +%config %attr(640,root,varnish) %_sysconfdir/%name/vcl.conf.example +%config(noreplace) %attr(640,root,varnish) %_sysconfdir/%name/default.vcl # %_sbindir/* %doc %_mandir/*/* 
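Review bot: The tightened `%attr(640,root,varnish)` entries in `%files` sit on `%config(noreplace)` files, and rpm generally leaves a locally modified noreplace file untouched on upgrade, so an edited `/etc/varnish/vcl.conf` from the previous package may stay owned by `varnish` and the bnc#678811 fix would not reach it. This is worth checking on an upgrade from the old package. If it holds, an explicit reset in `%post` closes the gap, for example `chown -h root:varnish %_sysconfdir/%name/vcl.conf %_sysconfdir/%name/default.vcl 2>/dev/null || :`. The `%files` list continues past the end of this hunk.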
@@ -207,18 +197,19 @@ %if ! 0%{?suse_version} %doc redhat/README.redhat %endif -%dir %attr(750,%{pkg_name},%{pkg_name}) %{pkg_home} -%dir %attr(750,%{pkg_name},%{pkg_name}) %{pkg_cachedir} -%config(noreplace) /etc/logrotate.d/varnish +%dir %attr(750,varnish,varnish) %pkg_home +%dir %attr(750,varnish,varnish) %pkg_cachedir +%config(noreplace) %_sysconfdir/logrotate.d/varnish +%dir %attr(750,varnish,varnish) %_localstatedir/log/varnish -%files -n %{library_name} +%files -n %library_name %defattr(-,root,root,-) %_libdir/*.so.* %files devel %defattr(-,root,root,-) -%{_includedir}/varnish/ -%{_libdir}/pkgconfig/* -%{_libdir}/*.so +%_includedir/varnish/ +%_libdir/pkgconfig/* +%_libdir/*.so %changelog ++++++ varnish.init ++++++ --- /var/tmp/diff_new_pack.VCjNH7/_old 2011-04-27 17:48:28.000000000 +0200 +++ /var/tmp/diff_new_pack.VCjNH7/_new 2011-04-27 17:48:28.000000000 +0200 @@ -1,16 +1,5 @@ #!/bin/sh # -# /etc/init.d/varnish -# and its symbolic link -# /(usr/)sbin/rcvarnish -# -# Note: This template uses functions rc_XXX defined in /etc/rc.status on -# UnitedLinux/SUSE/Novell based Linux distributions. If you want to base your -# script on this template and ensure that it works on non UL based LSB -# compliant Linux distributions, you either have to provide the rc.status -# functions from UL or change the script to work without them. -# See skeleton.compat for a template that works with other distros as well. -# ### BEGIN INIT INFO # Provides: varnish # Required-Start: $syslog $remote_fs 
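Review bot: The new `%dir %attr(750,varnish,varnish) %_localstatedir/log/varnish` makes the log directory writable by the service account, while the init script in this commit starts the logger through `startproc` with no user switch and the new logrotate file is presumably processed by root. A privileged writer and rotator working in a directory that the unprivileged account can rearrange is exposed to link-following, the same class of problem the /etc/varnish ownership change addresses. Unless something running as `varnish` has to create files there (not visible on this page), `%dir %attr(750,root,varnish) %_localstatedir/log/varnish` would be the consistent choice.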
@@ -22,73 +11,6 @@ # Short-Description: varnish HTTP accelerator # Description: varnish HTTP accelerator ### END INIT INFO -# -# Any extensions to the keywords given above should be preceeded by -# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB. -# -# Notes on Required-Start/Should-Start: -# * There are two different issues that are solved by Required-Start -# and Should-Start -# (a) Hard dependencies: This is used by the runlevel editor to determine -# which services absolutely need to be started to make the start of -# this service make sense. Example: nfsserver should have -# Required-Start: $portmap -# Also, required services are started before the dependent ones. -# The runlevel editor will warn about such missing hard dependencies -# and suggest enabling. During system startup, you may expect an error, -# if the dependency is not fulfilled. -# (b) Specifying the init script ordering, not real (hard) dependencies. -# This is needed by insserv to determine which service should be -# started first (and at a later stage what services can be started -# in parallel). The tag Should-Start: is used for this. -# It tells, that if a service is available, it should be started -# before. If not, never mind. -# * When specifying hard dependencies or ordering requirements, you can -# use names of services (contents of their Provides: section) -# or pseudo names starting with a $. The following ones are available -# according to LSB (1.1): -# $local_fs all local file systems are mounted -# (most services should need this!) -# $remote_fs all remote file systems are mounted -# (note that /usr may be remote, so -# many services should Require this!) -# $syslog system logging facility up -# $network low level networking (eth card, ...) -# $named hostname resolution available -# $netdaemons all network daemons are running -# The $netdaemons pseudo service has been removed in LSB 1.2. -# For now, we still offer it for backward compatibility. 
-# These are new (LSB 1.2): -# $time the system time has been set correctly -# $portmap SunRPC portmapping service available -# UnitedLinux extensions: -# $ALL indicates that a script should be inserted -# at the end -# * The services specified in the stop tags -# (Required-Stop/Should-Stop) -# specify which services need to be still running when this service -# is shut down. Often the entries there are just copies or a subset -# from the respective start tag. -# * Should-Start/Stop are now part of LSB as of 2.0, -# formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop. -# insserv does support both variants. -# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time -# (%fillup_and_insserv macro in %post of many RPMs) to specify whether -# a startup script should default to be enabled after installation. -# It's not used by insserv. -# -# Note on runlevels: -# 0 - halt/poweroff 6 - reboot -# 1 - single user 2 - multiuser without network exported -# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) -# -# Note on script names: -# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html -# A registry has been set up to manage the init script namespace. -# http://www.lanana.org/ -# Please use the names already registered or register one or use a -# vendor prefix. - # Check for missing binaries (stale symlinks should not happen) # Note: Special treatment of stop for LSB conformance @@ -103,6 +25,11 @@ if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; } +VARNISHD_BIN="$VARNISH_BIN" +VARNISHD_PID=/var/run/varnishd.pid +VARNISHLOG_BIN=/usr/sbin/varnishncsa +VARNISHLOG_PID=/var/run/varnishlog.pid + # Read config . $VARNISH_CONFIG 
@@ -152,20 +79,25 @@ echo -n "Starting varnish " ## Start daemon with startproc(8). If this fails ## the return value is set appropriately by startproc. - /sbin/startproc $VARNISH_BIN ${VARNISHD_PARAMS:--f /etc/varnish/vcl.conf -T127.0.0.1:6082 -s file,/var/cache/varnish} + /sbin/startproc "$VARNISHD_BIN" -P "$VARNISHD_PID" ${VARNISHD_PARAMS:--f /etc/varnish/vcl.conf -T:6082 -s file,/var/cache/varnish,524288 -u varnish} # Remember status and be verbose rc_status -v + echo -n "Starting varnishlog " + /sbin/startproc "$VARNISHLOG_BIN" -P "$VARNISHLOG_PID" ${VARNISHLOG_PARAMS:--a -w /var/log/varnish/varnish.log} + rc_status -v ;; stop) echo -n "Shutting down varnish " ## Stop daemon with killproc(8) and if this fails ## killproc sets the return value according to LSB. - /sbin/killproc -TERM $VARNISH_BIN + /sbin/killproc -p "$VARNISHD_PID" "$VARNISHD_BIN" # Remember status and be verbose rc_status -v + echo -n "Shutting down varnishlog " + /sbin/killproc -p "$VARNISHLOG_PID" "$VARNISHLOG_BIN" ;; try-restart|condrestart) ## Do a restart only if the service was active before. @@ -214,9 +146,11 @@ # If it supports signaling: echo -n "Reload service varnish " - /sbin/killproc -HUP $VARNISH_BIN + /sbin/killproc -p "$VARNISHD_PID" -HUP "$VARNISHD_BIN" #touch /var/run/varnish.pid rc_status -v + echo -n "Reload service varnishlog " + /sbin/killproc -p "$VARNISHLOG_PID" -HUP "$VARNISHLOG_BIN" ## Otherwise if it does not support reload: #rc_failed 3 
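Review bot: The fallback parameters in the start branch change `-T127.0.0.1:6082` to `-T:6082`, which moves the varnishd management port from loopback to every interface, and none of the changelog items call for that. The management CLI can load VCL and stop the cache, and no `-S` secret file is passed in these defaults, so it looks reachable from the network without authentication. I would keep the loopback bind, `-T127.0.0.1:6082`, both here and in `VARNISHD_PARAMS` in the varnish.sysconfig hunk, which carries the same change.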
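Review bot: The varnishlog `killproc` added to the reload branch is not followed by `rc_status -v`, so its result is not printed after the `echo -n` and a failure to signal the logger appears to go unrecorded; the stop branch in the previous hunk has the same gap. Adding `rc_status -v` after each of the two new `killproc -p "$VARNISHLOG_PID"` lines would match what the start and status branches do. The case statement starts and ends outside this hunk.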
@@ -236,17 +170,22 @@ # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) # NOTE: checkproc returns LSB compliant status values. - /sbin/checkproc $VARNISH_BIN + /sbin/checkproc -p "$VARNISHD_PID" "$VARNISHD_BIN" # NOTE: rc_status knows that we called this init script with # "status" option and adapts its messages accordingly. rc_status -v + echo -n "Checking for service varnishlog " + /sbin/checkproc -p "$VARNISHLOG_PID" "$VARNISHLOG_BIN" + rc_status -v ;; probe) ## Optional: Probe for the necessity of a reload, print out the ## argument to this init script which is required for a reload. ## Note: probe is not (yet) part of LSB (as of 1.9) - test /etc/sysconfig/varnish -nt /var/run/varnish.pid && test -f /etc/varnish/default.vcl.net -nt /var/run/varnish.pid && echo reload + test /etc/sysconfig/varnish -nt "$VARNISHD_PID" && \ + test -f /etc/varnish/default.vcl.net -nt "$VARNISHD_PID" && \ + echo reload ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" ++++++ varnish.logrotate ++++++ /var/log/varnish/*.log { missingok notifempty sharedscripts delaycompress postrotate /etc/init.d/varnish reload endscript } ++++++ varnish.sysconfig ++++++ --- /var/tmp/diff_new_pack.VCjNH7/_old 2011-04-27 17:48:28.000000000 +0200 +++ /var/tmp/diff_new_pack.VCjNH7/_new 2011-04-27 17:48:28.000000000 +0200 
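Review bot: In the probe branch the second test, `test -f /etc/varnish/default.vcl.net -nt "$VARNISHD_PID"`, combines the unary `-f` with the binary `-nt` in one expression, which is not a well-formed `test` invocation, so the branch is unlikely ever to print `reload`. The file name also matches nothing this package installs; the spec lists `vcl.conf` and `default.vcl`. If the intent is to compare the shipped VCL against the PID file, `test /etc/varnish/vcl.conf -nt "$VARNISHD_PID"` would express it. The line predates this commit but is rewritten here, so this is a convenient place to correct it.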
@@ -10,4 +10,16 @@ # # You might want to keep "/var/cache/varnish" when using the file backend. # -VARNISHD_PARAMS="-f /etc/varnish/vcl.conf -T127.0.0.1:6082 -s file,/var/cache/varnish,524288" +VARNISHD_PARAMS="-f /etc/varnish/vcl.conf -T:6082 -s file,/var/cache/varnish,524288 -u varnish" + +## Path: Network/WWW/Varnishd +## Description: Start parameters for varnishlog +## Type: string +## Default: "-a -w /var/log/varnish.log" +## Config: varnishd +# +# start parameters for varnishlog/varnishncsa +# +# see man 1 varnishlog for more +# +VARNISHLOG_PARAMS="-a -w /var/log/varnish/varnish.log" ++++++ vcl.conf ++++++ # # This is a basic VCL configuration file for varnish. See the vcl(7) # man page for details on VCL syntax and semantics. # # $Id: vcl.conf 1200 2006-10-19 09:21:42Z des $ # backend default { .host = "127.0.0.1"; .port = "8080"; } sub vcl_recv { # pass mode can't handle POST (yet) if (req.request == "POST") { return(pipe); } # don't bother caching large files if(req.url ~ "\.(pdf|mp3|flv|mov|mp4|mpg|mpeg|avi|dmg)") { return(pipe); } # force lookup even when cookies are present if (req.request == "GET" && req.http.cookie) { return(lookup); } } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
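Review bot: The metadata for the new variable disagrees with its value: `## Default: "-a -w /var/log/varnish.log"` points outside the new log directory, while the assignment and the init script fallback both use `/var/log/varnish/varnish.log`. I would make it `## Default: "-a -w /var/log/varnish/varnish.log"`. The comment also refers the reader to `man 1 varnishlog` although the init script sets `VARNISHLOG_BIN=/usr/sbin/varnishncsa`, so naming varnishncsa there would make clear which options apply.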