This repository has been archived by the owner on May 17, 2021. It is now read-only.

Fixes for deb packaging + systemd support #2141

Merged
merged 10 commits into from
Mar 6, 2015

theoweiss
Member

Fix for #1429

Tested for debian 7 (sysv init) and debian 8 (systemd init).

It would be nice to have some more tests and also upgrade tests!

Changes:

  • removed fragile handling of openhab group from deb packaging
  • updated db4o persistence service to use the smarthome.userdata system property
  • relies on evolved rrd4j persistence service, which uses the smarthome.userdata property
  • changed /etc/init.d/openhab to set smarthome.userdata property to /var/lib/openhab
  • added systemd service description for openhab
  • added script which sets permissions on various runtime directories according to OPENHAB_USER_GROUP variable
  • removed symlink configuration from pom.xml for /usr/share/openhab/webapps/static to /var/lib/openhab/webapps,
    because it was broken and may have unintentional behavior for the greent addon.

How it works

  • For security reasons the openHAB runtime runs as unprivileged non-root user
    (openHAB runtime user).
  • The default user is named "openhab", with the primary group "openhab".
  • The user and group can be adapted with the variable USER_AND_GROUP in the
    /etc/default/openhab configuration file.
  • The openHAB runtime user and group are created using the deb file postinst
    script. It's postinst not preinst because user and group information can be
    and is obtained from /etc/default/openhab.
  • Permissions used for the deb file
    • All files and directories contained in the deb file are owned by user root and
      group root.
    • Most files and directories are readable by others (file mode 644 or 444, directory mode 755).
    • For security reasons some files should only be readable for the openHAB runtime user
      and his primary group (mode 440). In the deb file they are owned by root:root, the
      ownership will be adapted at daemon startup.
      For now these files are /etc/openhab/configurations/user.cfg and /etc/openhab/jetty/etc/keystore.
    • There are files and directories which must be writable by the openHAB runtime user.
      These files / directories like all others are owned by root:root in the deb file.
      The permissions and owner are adapted at daemon startup time. Therefore changes to
      USER_AND_GROUP in /etc/default/openhab during application lifetime are honored.
  • The permissions and owner of files and directories which should be writable by the openHAB
    runtime user are adapted at startup time.
    • the directory /usr/share/openhab/webapps/static is owned by the openHAB runtime user because
      the "version" and "uuid" files are created at runtime startup.
    • the directory /var/log/openhab is owned by the openHAB runtime user to enable the creation
      of log files for the openHAB runtime
    • /var/lib/openHAB/workspace is used as osgi workspace and therefore owned by the openHAB
      runtime user.
    • sub directories of /var/lib/openHAB/ are used for storing user data like persistence
      database files, therefore /var/lib/openHAB/ is owned by the openHAB runtime user
      • rrd4j persistence stores its files in /var/lib/openhab/rrd4j, this is achieved by setting
        the java system property smarthome.userdata=/var/lib/openhab.
      • db4o persistence stores its files in /var/lib/openhab/db4o, this is achieved by setting
        the java system property smarthome.userdata=/var/lib/openhab.
  • systemd and sysv init from one deb package
  • systemd init executes /usr/share/openhab/bin/setpermissions.sh as root, this is granted by
    setting PermissionsStartOnly=true
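
An audit of the ownership and mode layout described above, as an added example that is not part of this pull request or of the openHAB packaging. It assumes GNU stat (Debian), takes the runtime user:group as an argument, uses a hypothetical ROOT prefix so a staging tree can be checked, and writes /var/lib/openhab in lower case as in the init script setting.

```sh
#!/bin/sh
# Added example, not part of the PR: audits the layout described above.
# Assumes GNU stat (Debian). ROOT is a hypothetical prefix for a staging tree.

SECRET_FILES="/etc/openhab/configurations/user.cfg /etc/openhab/jetty/etc/keystore"
WRITABLE_DIRS="/usr/share/openhab/webapps/static /var/log/openhab /var/lib/openhab /var/lib/openhab/workspace"

# audit_path KIND TARGET OWNER: print a finding and return 1 on any mismatch.
#   secret   = regular file, mode exactly 440, owned by OWNER (user:group)
#   writable = directory owned by OWNER and not writable by others
audit_path() {
    kind=$1; target=$2; want=$3
    if [ "$kind" = secret ] && [ ! -f "$target" ]; then
        echo "FAIL $target: not a regular file"; return 1
    fi
    if [ "$kind" = writable ] && [ ! -d "$target" ]; then
        echo "FAIL $target: not a directory"; return 1
    fi
    owner=$(stat -c '%U:%G' "$target")
    mode=$(stat -c '%a' "$target")
    if [ "$owner" != "$want" ]; then
        echo "FAIL $target: owner $owner, expected $want"; return 1
    fi
    if [ "$kind" = secret ] && [ "$mode" != 440 ]; then
        echo "FAIL $target: mode $mode, expected 440"; return 1
    fi
    case "$kind:$mode" in
        writable:*[2367]) echo "FAIL $target: mode $mode is world-writable"; return 1 ;;
    esac
    echo "ok   $target ($owner $mode)"
}

# audit_layout ROOT OWNER: check every path; return 1 if any check failed.
audit_layout() {
    root=$1; want=$2; rc=0
    for p in $SECRET_FILES;  do audit_path secret   "$root$p" "$want" || rc=1; done
    for p in $WRITABLE_DIRS; do audit_path writable "$root$p" "$want" || rc=1; done
    return $rc
}

# Usage: sh audit.sh openhab:openhab [ROOT]
if [ $# -ge 1 ]; then audit_layout "${2:-}" "$1"; fi
```

Run it after the daemon has started, since the description says ownership is only adapted at startup; before that the packaged files are still root:root and the audit is expected to fail.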

@theoweiss theoweiss changed the title Fixes for deb packaging Fixes for deb packaging + systemd support Feb 15, 2015
@buildhive

openhab » openhab #2321 SUCCESS
This pull request looks good

@teichsta
Member

Hi Theo,

Thanks for this contribution!

A short question: "smarthome.userdata" in openHAB1?

Best, Thomas

  • sent from a mobile device -

On 15.02.2015 at 21:52, Theo Weiss [email protected] wrote:

Fix for #1429
Changes:

removed fragile handling of openhab group from deb packaging
updated db4o persistence service to use the smarthome.userdata system property
relies on evolved rrd4j persistence service, which uses the smarthome.userdata property
changed /etc/init.d/openhab to set smarthome.userdata property to /var/lib/openhab
added systemd service description for openhab
added script which sets permissions on various runtime directories according to OPENHAB_USER_GROUP variable
removed symlink configuration from pom.xml for /usr/share/openhab/webapps/static to /var/lib/openhab/webapps, because it was broken and may have unintentional behavior for the greent addon.
How it works

For security reasons the openHAB runtime runs as unprivileged non-root user (openHAB runtime user).
The default user is named "openhab" and with the primary group "openhab".
The user and group can be adapted with the variable USER_AND_GROUP in the /etc/default/openhab configuration file.
The openHAB runtime user and group are created using the deb file postinst script. It's postinst not preinst because user and group information can be and is obtained from /etc/default/openhab.
Permissions used for the deb file
All files and directories contained in the deb file are owned by user root and group root.
Most files and directories are readable by others (file mode 644 or 444, directory mode 755).
For security reasons some files should only be readable for the openHAB runtime user and his primary group (mode 440). In the deb file they are owned by root:root, the ownership will be adapted at daemon startup. For now these files are /etc/openhab/configurations/user.cfg and /etc/openhab/jetty/etc/keystore.
There are files and directories which must be writable by the openHAB runtime user. These files / directories like all others are owned by root:root in the deb file. The permissions and owner are adapted at daemon startup time. Therefore changes to USER_AND_GROUP in /etc/default/openhab during application lifetime are honored.
The permissions and owner of files and directories which should be writable by the openHAB runtime user are adapted at startup time.
the directory /usr/share/openhab/webapps/static is owned by the openHAB runtime user because the "version" and "uuid" files are created at runtime startup.
the directory /var/log/openhab is owned by the openHAB runtime user to enable the creation of log files for the openHAB runtime
/var/lib/openHAB/workspace is used as osgi workspace and therefore owned by the openHAB runtime user.
sub directories of /var/lib/openHAB/ are used for storing user data like persistence database files, therefore /var/lib/openHAB/ is owned by the openHAB runtime user
rrd4j persistence stores its files in /var/lib/openhab/rrd4j, this is achieved by setting the java system property smarthome.userdata=/var/lib/openhab.
db4o persistence stores its files in /var/lib/openhab/db4o, this is achieved by setting the java system property smarthome.userdata=/var/lib/openhab.
systemd and sysv init from one deb package
is inspired by the deb packaging of elasticsearch: elastic/elasticsearch#8493 and relies on this recommendation from a debian forum: http://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/2014-December/005077.html
systemd and sysv init share configuration through /usr/share/openhab/bin/openhab.in.sh and functionality through /usr/share/openhab/bin/setpermissions.sh
systemd init executes /usr/share/openhab/bin/setpermissions.sh as root, this is granted by setting PermissionsStartOnly=true
Commit Summary

deb files: systemd support, fix permission problems, wip
deb files: systemd support, fix permission problems, wip
deb files, persistence rrd4j and db4o fix permission problems
deb files, persistence add Readme.txt fix configuration loading
deb files apt-get purge openhab-runtime: remove configuration
Merge branch 'master' of https://github.com/openhab/openhab into debfiles-2015-1
deb files add felix.fileinstall.filter to systemd script
deb files Readme.txt updated
File Changes

M bundles/persistence/org.openhab.persistence.db4o/pom.xml (54)
D bundles/persistence/org.openhab.persistence.db4o/src/deb/control/conffiles (1)
D bundles/persistence/org.openhab.persistence.db4o/src/deb/control/control (9)
D bundles/persistence/org.openhab.persistence.db4o/src/deb/etc/openhab/configurations/persistence/db4o.persist (1)
D bundles/persistence/org.openhab.persistence.db4o/src/deb/var/lib/openhab/persistence/db4o/.gitignore (4)
M bundles/persistence/org.openhab.persistence.db4o/src/main/java/org/openhab/persistence/db4o/internal/Db4oPersistenceService.java (15)
M bundles/persistence/org.openhab.persistence.rrd4j/pom.xml (54)
D bundles/persistence/org.openhab.persistence.rrd4j/src/deb/control/conffiles (1)
D bundles/persistence/org.openhab.persistence.rrd4j/src/deb/control/control (9)
D bundles/persistence/org.openhab.persistence.rrd4j/src/deb/etc/openhab/configurations/persistence/rrd4j.persist (1)
D bundles/persistence/org.openhab.persistence.rrd4j/src/deb/var/lib/openhab/persistence/rrd4j/.gitignore (4)
A distribution/.gitignore (1)
M distribution/pom.xml (75)
A distribution/src/deb/Readme.txt (57)
A distribution/src/deb/bin/openhab.in.sh (16)
A distribution/src/deb/bin/openhab.sh (128)
A distribution/src/deb/bin/setpermissions.sh (42)
M distribution/src/deb/control-runtime/conffiles (1)
M distribution/src/deb/control-runtime/postinst (54)
M distribution/src/deb/control-runtime/postrm (20)
D distribution/src/deb/control-runtime/preinst (20)
M distribution/src/deb/control-runtime/prerm (33)
M distribution/src/deb/etc/init.d/openhab (46)
A distribution/src/deb/systemd/openhab.service (19)
D distribution/src/deb/var/lib/openhab/webapps/static/.gitignore (4)
D distribution/src/deb/var/lib/openhab/workspace/.gitignore (4)
D distribution/src/deb/var/log/openhab/.gitignore (4)
Patch Links:

https://github.com/openhab/openhab/pull/2141.patch
https://github.com/openhab/openhab/pull/2141.diff

@theoweiss
Member Author

Hi Thomas,

yes I found it in the RRD4j service and added it to db4o:
air:openhab theo$ grep -r smarthome.userdata bundles/persistence/
bundles/persistence//org.openhab.persistence.rrd4j/src/main/java/org/openhab/persistence/rrd4j/internal/RRD4jService.java: String progArg = System.getProperty("smarthome.userdata");

Best,
Theo

On 16.02.2015 at 09:17, Thomas Eichstädt-Engelen [email protected] wrote:

Hi Theo,

Thanks for this contribution!

A short question: "smarthome.userdata" in openHAB1?

Best, Thomas

@teichsta teichsta added this to the 1.7.0 milestone Feb 20, 2015
@teichsta
Member

yes I found it in the RRD4j service and added it to db4o:

i'd prefer to rename this variable to "openhab.userdata" in opposite to the variable used by ESH. Could you please rename both occurrences?

Furthermore I am wondering which of the commits are the fix for #1429? Assuming there could be a 1.6.3 release, I would like to add that fix to it but not the whole PR.

Thanks, Thomas E.-E.

@theoweiss
Member Author

On 20.02.2015 at 06:44, Thomas Eichstädt-Engelen [email protected] wrote:

yes I found it in the RRD4j service and added it to db4o:

i'd prefer to rename this variable to "openhab.userdata" in opposite to the variable used by ESH. Could you please rename both occurrences?
yes, no problem.

Furthermore I am wondering which of the commits are the fix for #1429? Assuming there could be a 1.6.3 release, I would like to add that fix to it but not the whole PR.

A 1.6.3 release would be great. Cherry-picking some changes would be challenging; more or less all changes are required to solve the problems. I would prefer to find a way and a few people beta testing the new packages. There are different Linux OSes and different init systems involved; this made the bug fixing more difficult.

# it to yes for debugging purposes.
# HTTP_PORT --
# HTTPS_PORT --
# TELNET_PORT --
Contributor

The description here could be OSGi console port

Member Author

Sounds good, I will add it.

@theoweiss
Member Author

I've prepared a commit with the discussed changes. I will do some testing before committing the changes to this PR.

@theoweiss
Member Author

Just tested the changes: looks good.
I've also tested an upgrade from 1.6.2, there is a problem to solve: up to 1.6.2 the rrd4j and db4o files are placed into /var/lib/openhab/persistence/{rrd4j, db4o}. Using the openhab.userdata property they will be created in /var/lib/openhab/{rrd4j, db4o} (without persistence subdir). On upgrading to (1.6.3/)1.7.x the existing databases will no longer be found by the new rrd4j/db4o service.
I see two options:

  1. Try to move existing databases to the new directory when upgrading the deb package using the postinst script.
  2. Change the RRD4J and DB4o persistence service implementations to use openhab.userdata/persistence/{rrd4j, db4o} as directories. This should be handled in a similar way in openHAB2.

Any preferences?

@teichsta
Member

i would go for option 2) (fix the Persistence Services)

…dme.txt and inline docs , add homepage and dependency "adduser" to the runtime control file
@theoweiss
Member Author

I will give it a try.

@buildhive

openhab » openhab #2401 SUCCESS
This pull request looks good

…dirs, always restart openHAB runtime on upgrade: RESTART_ON_UPGRADE check removed
@buildhive

openhab » openhab #2404 SUCCESS
This pull request looks good

@theoweiss
Member Author

I'm not sure, but I think if the installation is upgraded the contents of workspace directory should be wiped out?

@theoweiss
Member Author

According to this discussion I think wiping out of the workspace is done on every startup, so there is nothing to be done on upgrading the installation: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/openhab/NzpLBsO9mO0/wEpSfofma_QJ

@theoweiss
Member Author

There is another open bug concerning the deb packages #886
"5. dropbox add-on tries to write authfile at runtime into /opt/openhab/authfile.dbx (presumably cwd)"
I will make an own PR addressing this issue.

theoweiss added a commit that referenced this pull request Mar 6, 2015
Fixes for deb packaging + systemd support
@theoweiss theoweiss merged commit f6ba853 into openhab:master Mar 6, 2015
4 participants