clinton/domtool2.git
Client.getpass: allow use on non-tty devices [master]
Clinton Ebadi [Fri, 9 May 2014 08:41:29 +0000 (04:41 -0400)]

Warn user the password will be echoed just in case. This allows
getpass to be used with input piped to it (e.g. from the hcoop members
portal).

Add vmail command for changing password when you know the current password
Clinton Ebadi [Fri, 9 May 2014 08:40:31 +0000 (04:40 -0400)]

Not 100% sure if this is the best way, but the members portal was tied to
*the* mail node, which is not good to begin with, and breaks when
there are multiple mail nodes.

 * Replaces vmailpasswd.c, which is an awful program (passed password on
   the command line revealing it to `ps' and only supports a local
   filesystem userdb).
 * Restricted to users with the priv `vmail' for now, and only used by
   the portal. Not much worth in exposing generally it seems (vmail
   users cannot login to any shell machines, at least at hcoop)
 * Includes helper python program to run crypt() (better than C at
   least...)
 * New function to parse the userdb into a StringMap (a better
   approach is possible, similar to the Vmail.list). Will be used to
   compile the database for Dovecot later.
 * New binary `domtool-portal' to expose replacement vmailpasswd command

Manage spamassassin preferences in shared space
Clinton Ebadi [Tue, 6 May 2014 23:54:09 +0000 (19:54 -0400)]

Disentangle vmail from the mail node, Prepare for dovecot support
Clinton Ebadi [Tue, 6 May 2014 23:52:41 +0000 (19:52 -0400)]

* Use new Slave.run and Connect.commandWorker where possible
* Always reload vmail db in worker, never in dispatcher
* Move non-courier-specific configuration variables to Config.Vmail.
  The master userdb is still managed using courier-authlib-userdb.
* Manage vmail db in afs, syncing as needed.

domtool-config: print errors on stderr, return failure code, export vmaildb
Clinton Ebadi [Tue, 6 May 2014 23:20:29 +0000 (19:20 -0400)]

Slave.run: run a command using Unix.execute
Clinton Ebadi [Tue, 6 May 2014 23:19:17 +0000 (19:19 -0400)]

Similar to Slave.shell, only it passes the arguments list directly to
Unix.execute.

Connection utilities (or: copying and pasting code is bad)
Clinton Ebadi [Tue, 6 May 2014 23:17:46 +0000 (19:17 -0400)]

Finally get around to factoring out functions to connect to the
dispatcher, connect to a worker, and send a "simple" message to
workers (one where MsgOk/MsgError are the only valid replies).

mod_auth_kerb: Enabled KDC Verification and Negotiate
Clinton Ebadi [Fri, 2 May 2014 03:47:31 +0000 (23:47 -0400)]

Every <Location> that enables kerberos auth has to include the
keytab/service declarations. Since we're verifying the KDC, allow
gssapi negotiate.

Add mccarthy as admin web server and mail node
Clinton Ebadi [Tue, 29 Apr 2014 07:14:11 +0000 (03:14 -0400)]

New `make install_serverslave' target, don't use sudo in make install_{server,slave}
Clinton Ebadi [Tue, 29 Apr 2014 07:10:21 +0000 (03:10 -0400)]

The dispatcher node is likely also running a worker node, and both
must be stopped before installation or else one of them segfaults when
its binary is overwritten.

Fix domtool-addcert for when user running is not in `wheel'
Clinton Ebadi [Tue, 29 Apr 2014 01:12:44 +0000 (21:12 -0400)]

Domtool on deleuze assumed admin users would be in group
`wheel'. This is no longer true. Instead, make the CA readable only by
root, generate the new keys and certs into a non-afs temp directory,
and then move everything into afs afterward.

Unify web_node/default_node, and provide a default for WebPlaces
Clinton Ebadi [Mon, 28 Apr 2014 23:23:43 +0000 (19:23 -0400)]

Fix typo in defaults
Clinton Ebadi [Mon, 28 Apr 2014 23:23:26 +0000 (19:23 -0400)]

Move more bind config into domtool, remove hardcoded /var/domtool references [release]
Clinton Ebadi [Sun, 27 Apr 2014 07:47:41 +0000 (03:47 -0400)]

dns_master_node and dns_slave_nodes do not need to be defined in SML,
and were removed.

Instead of checking Config.Bind.masterNode and skipping generating a
zone file on bind slaves, don't generate the incorrect soa.conf at
all (same effect, but the correct way).

Evaluate `val' and `var' bindings in the environment in which they were defined
Clinton Ebadi [Sun, 27 Apr 2014 02:11:24 +0000 (22:11 -0400)]

Until this change, you could create a program such as:

  val mine : your_domain = "mydomain.org";
  val not_mine = mine;
  val mine = "not-my-domain.org";

  dom not_mine with end;

And domtool would happily configure "not-mydomain.org" for you.

Reduce toplevel environment decls and allow them in user config
Clinton Ebadi [Sun, 27 Apr 2014 01:19:29 +0000 (21:19 -0400)]

The root of the dynamic environment is passed separately to Eval.exec'
to allow user config to re-declare dynamics (like regular vals). This
uncovered (and perpetuates) a bug with process DVal/DEnv:

  val foo = "foo";
  val bar = foo;
  val foo = "bar";

When bar is expanded, it now has the value "bar" instead of
"foo", which is wrong.

merge toplevel-dynamic-environment
Clinton Ebadi [Sat, 26 Apr 2014 00:05:10 +0000 (20:05 -0400)]

Example config file for a single-machine development setup [config-cleanup]
Clinton Ebadi [Sat, 26 Apr 2014 00:01:51 +0000 (20:01 -0400)]

bootstrap: run server to add first user
Clinton Ebadi [Fri, 25 Apr 2014 23:25:13 +0000 (19:25 -0400)]

domtool-config: export truststore
Clinton Ebadi [Fri, 25 Apr 2014 23:19:48 +0000 (19:19 -0400)]

Remove Config.{dispatcher,defaultNode}
Clinton Ebadi [Fri, 25 Apr 2014 22:58:03 +0000 (18:58 -0400)]

defaultNode was punned to dispatcherName, and dispatcher relied on
other values in the file. I.e. you had to set all three to change the
dispatcher! Consolidate all into dispatcherName.

Build domtool-config by default
Clinton Ebadi [Fri, 25 Apr 2014 22:02:31 +0000 (18:02 -0400)]

bootstrap: fail on error, create cert for local machine
Clinton Ebadi [Fri, 25 Apr 2014 22:02:12 +0000 (18:02 -0400)]

bootstrap: ensure ca config exists before continuing
Clinton Ebadi [Fri, 25 Apr 2014 22:01:34 +0000 (18:01 -0400)]

domtool-adduser: use domtool-config to find ca
Clinton Ebadi [Fri, 25 Apr 2014 21:48:42 +0000 (17:48 -0400)]

domtool-addcert: use domtool-config, support non-afs cert/key dirs
Clinton Ebadi [Fri, 25 Apr 2014 21:32:50 +0000 (17:32 -0400)]

Removed `chown -R domtool.nogroup' calls since they are meaningless in
afs and incorrect on normal file systems. chown -R the key dir to the
user.nogroup unless `-unsafe' is passed, which allows the creation of
useless keys (the user running the script can read the key instead of
the intended user, which is ok for development).

Still needs improvement.

scripts: use getent instead of hardcoding an afs homedir
Clinton Ebadi [Fri, 25 Apr 2014 21:10:37 +0000 (17:10 -0400)]

Scripts to bootstrap a development domtool environment
Clinton Ebadi [Fri, 25 Apr 2014 21:10:07 +0000 (17:10 -0400)]

domtool-config: dump nodes, site domain, and certificate paths
Clinton Ebadi [Thu, 24 Apr 2014 05:39:26 +0000 (01:39 -0400)]

Add caDir and move serialDir into Config.Bind
Clinton Ebadi [Thu, 24 Apr 2014 05:39:11 +0000 (01:39 -0400)]

Include CONFIG_CORE signature in domtool.cfs and fix webbw build
Clinton Ebadi [Thu, 24 Apr 2014 05:38:11 +0000 (01:38 -0400)]

Initial domtool-config tool
Clinton Ebadi [Wed, 16 Apr 2014 17:46:33 +0000 (13:46 -0400)]

Query static configuration information from domtool at run time. Will
be used for new installation bootstrap and make install.

Makefile improvements
Clinton Ebadi [Wed, 16 Apr 2014 07:59:05 +0000 (03:59 -0400)]

* Respect CFLAGS
* Require DEBUG=1 instead of just DEBUG being set
* Add TC=1 to instruct mlton to only type check
* BUILD32, in theory, could be used to build 32-bit binaries with
  mlton on a 32-bit host, but is not working currently

Factor path prefixes into ConfigCore structure
Clinton Ebadi [Wed, 16 Apr 2014 07:57:24 +0000 (03:57 -0400)]

Not fully worked out yet, but this is the first step toward making it
easier to relocate domtool.

Add \\ config argument to moinMoin and wordPress
Clinton Ebadi [Tue, 15 Apr 2014 04:08:46 +0000 (00:08 -0400)]

Move domtool-server from deleuze to fritz
Clinton Ebadi [Wed, 9 Apr 2014 22:39:57 +0000 (18:39 -0400)]

domtool-doc: fake privs [toplevel-dynamic-environment]
Clinton Ebadi [Wed, 9 Apr 2014 21:28:35 +0000 (17:28 -0400)]

With environment defaults in the basis library, permissions need to be
faked to allow typechecking of your_FOO refinement types to succeed.

Allow faking your_{user,path,group} and homedir
Clinton Ebadi [Wed, 9 Apr 2014 21:26:59 +0000 (17:26 -0400)]

Autodoc hates the your_FOO refinement types, and I see no reason why
users wouldn't want to fake these values if they are already faking
domain permissions. Additionally, set the homedir to /tmp if the user
is unset and we're faking privs.

Annotate defaults
Clinton Ebadi [Wed, 9 Apr 2014 21:24:28 +0000 (17:24 -0400)]

Autodoc support for default env var declarations
Clinton Ebadi [Wed, 9 Apr 2014 21:24:02 +0000 (17:24 -0400)]

Allow all users to use "nogroup" as `your_group'
Clinton Ebadi [Wed, 9 Apr 2014 18:52:43 +0000 (14:52 -0400)]

Move default environment settings from SML to Domtool
Clinton Ebadi [Wed, 9 Apr 2014 18:52:20 +0000 (14:52 -0400)]

* Removed all Config settings that were only used to set env defaults
* Communicate values that must be generated SML-side using extern vals
* Remove Defaults module entirely

Move ambient environment defaults into Env.env
Clinton Ebadi [Wed, 9 Apr 2014 17:56:05 +0000 (13:56 -0400)]

* Compute initial type in `checkFile' rather than passing in `env_vars'
* Not happy with function names (initialDynEnvFOO is not very nice
  looking)

Parse new `var' primitive
Clinton Ebadi [Wed, 9 Apr 2014 09:50:10 +0000 (05:50 -0400)]

Binds CSymbol to default for an environment variable.

Remove .cvsignore, add .gitignore
Clinton Ebadi [Wed, 9 Apr 2014 18:54:09 +0000 (14:54 -0400)]

Whoops...

Fix missing copyright info
Clinton Ebadi [Wed, 9 Apr 2014 07:45:47 +0000 (03:45 -0400)]

Serve moin 1.9.8 htdocs prefix with apache [gnutls]
Clinton Ebadi [Wed, 2 Apr 2014 20:18:45 +0000 (16:18 -0400)]

Use mod_disk_cache for wordpress wp-content and moin static files
Clinton Ebadi [Wed, 2 Apr 2014 20:18:27 +0000 (16:18 -0400)]

Fix definition of DefaultAliasSource
Clinton Ebadi [Sun, 30 Mar 2014 00:38:47 +0000 (20:38 -0400)]

Easy_domain: Use DefaultAliasSource for DefaultAlias
Clinton Ebadi [Sat, 29 Mar 2014 01:35:05 +0000 (21:35 -0400)]
A catch-all alias by default is deprecated. Rather than eliminating a
default email alias entirely, it will soon default to
$hcoop-username@$domain. Use new DefaultAliasSource environment
variable to change. The default is still a catch-all temporarily.

Quiet compiler warning for Firewall.format{Input,Output}Rules
Clinton Ebadi [Sat, 29 Mar 2014 01:32:45 +0000 (21:32 -0400)]
I think the type needs rethinking to make the case exhaustive

Re-enable querying user firewall rules
Clinton Ebadi [Sat, 29 Mar 2014 01:32:09 +0000 (21:32 -0400)]

Add AuthGroupFile
Clinton Ebadi [Sat, 29 Mar 2014 00:35:14 +0000 (20:35 -0400)]
RequireGroup is kind of useless without it

Point docstrings at Apache 2.2 documentation
Clinton Ebadi [Sat, 29 Mar 2014 00:19:09 +0000 (20:19 -0400)]

Remove moinMoinOld directive
Clinton Ebadi [Mon, 22 Jul 2013 23:24:02 +0000 (19:24 -0400)]

Remove references to mire from source code
Clinton Ebadi [Mon, 22 Jul 2013 23:14:05 +0000 (19:14 -0400)]
* Nuke it from orbit!
* Also: why are we destroying all webalizer output in domtool-reset-global?!

Check user exists before opening incoming ports
Clinton Ebadi [Sat, 13 Jul 2013 06:50:04 +0000 (02:50 -0400)]
* Although we can't limit who actually listens on the port, better to
  not open any ports for members who might be gone

Overhaul fwtool
Clinton Ebadi [Sat, 13 Jul 2013 06:18:45 +0000 (02:18 -0400)]
* Parse into structured representation, and then convert later
* Printing code is still ugly, the rest is much easier to follow IMHO
* Fix ProxiedServer rule generation ("www-data" on web nodes needs
  port opened too)
* Fix LocalServer rule generation (allow user to connect to their own
  server)
* Probably secretly sucks in some way
* UNTESTED

Fix ProxiedServer firewall rule generation for web node
Clinton Ebadi [Tue, 19 Feb 2013 19:29:44 +0000 (14:29 -0500)]

Switch default web node from mire to navajos
Clinton Ebadi [Fri, 15 Feb 2013 18:54:39 +0000 (13:54 -0500)]
Bombs away!

Hide .svn and .git dirs on wordpress sites
Clinton Ebadi [Thu, 31 Jan 2013 17:22:49 +0000 (12:22 -0500)]

Remove php4 support Good riddance
Clinton Ebadi [Thu, 31 Jan 2013 17:18:19 +0000 (12:18 -0500)]

SSLCertificateChainFile support
Clinton Ebadi [Tue, 22 Jan 2013 22:23:46 +0000 (17:23 -0500)]
Like kerberos auth, this works around non-SSL vhosts by printing a
warning and ignore the directive.

bare fwtool regen
Clinton Ebadi [Tue, 22 Jan 2013 18:57:30 +0000 (13:57 -0500)]
Regenerate all nodes at once

Support MultiViews
Clinton Ebadi [Fri, 18 Jan 2013 18:49:46 +0000 (13:49 -0500)]
Closes https://bugzilla.hcoop.net/show_bug.cgi?id=845

Update lib
Clinton Ebadi [Fri, 18 Jan 2013 18:46:06 +0000 (13:46 -0500)]

Remove fritz from webNodes, remove mire from slave dns
Clinton Ebadi [Tue, 15 Jan 2013 20:14:58 +0000 (15:14 -0500)]
Kill all of the old machines, I say.

Change package-exists to return section/description
Clinton Ebadi [Sun, 6 Jan 2013 11:18:52 +0000 (06:18 -0500)]
Kind of ugly, will break in wheezy (fields are localized and names
change), but we need this information for the portal. Possible evil
use of MsgNo without MsgYes.

Add missed signature change
Clinton Ebadi [Sun, 6 Jan 2013 08:47:38 +0000 (03:47 -0500)]

Move Acl.read from start of slave loop to firewall handling case
Clinton Ebadi [Sun, 6 Jan 2013 08:33:08 +0000 (03:33 -0500)]
Reading it before blocking waiting for a message could result in stale
permissions being used for a single request.

Add query for existence of package
Clinton Ebadi [Sun, 6 Jan 2013 08:31:52 +0000 (03:31 -0500)]
Used by the portal to determine if a package exists, rather than
querying the local apt. The implementation is copied from the portal
mostly, and is probably less than ideal: I think the return value of
apt-cache could be used, but the man page is unclear and this works
so...

Do not generate zone files on bind slaves
Clinton Ebadi [Fri, 4 Jan 2013 08:36:01 +0000 (03:36 -0500)]
* bind slaves perform domain transfers from the master server, so
  there is no need to generate and push zone files to them. In theory.

Remove `bind_config' group chowning from domtool-publish
Clinton Ebadi [Fri, 4 Jan 2013 08:34:08 +0000 (03:34 -0500)]
* This was added so that jsl and others could administer the bind
  config without full root. No one is doing that now, no reason to
  require a non-standard group for the time being.

Add new outpost as domtool-slave and dns slave
Clinton Ebadi [Fri, 4 Jan 2013 08:33:10 +0000 (03:33 -0500)]

Remove outpost
Clinton Ebadi [Thu, 3 Jan 2013 06:36:38 +0000 (01:36 -0500)]
It disappeared on us :(

Add bog as domtool-slave
Clinton Ebadi [Sun, 30 Dec 2012 21:04:42 +0000 (16:04 -0500)]
* firewall and proxy target for user servers

Drop default TTL to one hour
Clinton Ebadi [Sat, 22 Dec 2012 19:37:47 +0000 (14:37 -0500)]
* We're transitioning to a new node, and dyndns says an hour is
  reasonable on the modern Internet anyway.

Add new moinmoin static files prefix to world readable files
Clinton Ebadi [Tue, 18 Dec 2012 07:34:54 +0000 (02:34 -0500)]

Use sh instead of pagsh for init scripts
Clinton Ebadi [Tue, 11 Dec 2012 08:13:53 +0000 (03:13 -0500)]
pagsh provides no benefit since domtool is started using k5start, and
should have been removed ages ago. Slipped through the cracks until it
broke something.

Fix domtool-postgres script
Clinton Ebadi [Tue, 11 Dec 2012 07:51:06 +0000 (02:51 -0500)]
Exporting PGPORT is not enough, because sudo clears the environment. Whoops.

Clean postgres driver variables and add postgres-9.1 support
Clinton Ebadi [Mon, 10 Dec 2012 01:44:38 +0000 (20:44 -0500)]
* Like with mysql, remove magic spaces at the end of the config
  settings
* Curry the definitions of the postgres dbms functions for
  multi-version support
* Register new postgres-9.1 dbms backend

Remove spaces from dbtool mysql driver config
Clinton Ebadi [Mon, 10 Dec 2012 01:42:18 +0000 (20:42 -0500)]
This was used to avoid an extra " " in the shell command in SML. I
think that's just asking for subtle bugs.

Update Easy_Domain to support trivial configuration of default node
Clinton Ebadi [Mon, 10 Dec 2012 01:41:07 +0000 (20:41 -0500)]

Force php in wordpress locations to version 5
Clinton Ebadi [Mon, 10 Dec 2012 01:40:32 +0000 (20:40 -0500)]

Add navajos to library
Clinton Ebadi [Mon, 10 Dec 2012 01:40:09 +0000 (20:40 -0500)]

EVar -> EString in default for DefaultWebNode
Clinton Ebadi [Sun, 9 Dec 2012 06:18:33 +0000 (01:18 -0500)]
Even sml lets you do stupid things!

Register default value for DefaultWebNode environment variable
Clinton Ebadi [Sun, 9 Dec 2012 02:02:22 +0000 (21:02 -0500)]
This will allow users to change the value used for the defaultA and vhost

Remove automatic insserv in Makefile
Clinton Ebadi [Fri, 7 Dec 2012 20:49:40 +0000 (15:49 -0500)]
It was a bad idea. Added a --bootstrap option to the deploy script instead

Firewall: Concat $WEBNODES list using space instead of comma
Clinton Ebadi [Fri, 7 Dec 2012 20:25:04 +0000 (15:25 -0500)]

Use jump instead of goto in firewall
Clinton Ebadi [Fri, 7 Dec 2012 20:19:48 +0000 (15:19 -0500)]
They do the same thing, but ferm renamed the keyword to reflect what
it does better.

bourne shell vs bashism fix
Clinton Ebadi [Fri, 7 Dec 2012 20:19:04 +0000 (15:19 -0500)]

Correct location of firewall rules
Clinton Ebadi [Fri, 7 Dec 2012 19:20:19 +0000 (14:20 -0500)]
Helps to use the right pathname, usually.

Read ACL in slave service loop
Clinton Ebadi [Fri, 7 Dec 2012 16:42:32 +0000 (11:42 -0500)]
At least the firewall needs to query permissions. Acl.read has the
handy attribute of clearing the current ACL. I think the main service
function should also be re-reading the permissions on each loop, or
perhaps not because it may call setupUser instead? Investigate.

Better error message for fwtool
Clinton Ebadi [Fri, 7 Dec 2012 16:22:29 +0000 (11:22 -0500)]

Generate config into domtool work directory and copy later
Clinton Ebadi [Fri, 7 Dec 2012 15:28:08 +0000 (10:28 -0500)]
Also update paths in the config to where the live files are

Open outgoing ports on web nodes for firewall ProxiedServer directive
Clinton Ebadi [Fri, 7 Dec 2012 15:27:02 +0000 (10:27 -0500)]
Opens outgoing ports for user on all user-accessible web nodes, but
right now that's just one machine.

For install_{server,slave}, insserv so domtool starts on boot
Clinton Ebadi [Thu, 6 Dec 2012 08:29:27 +0000 (03:29 -0500)]
Brave GNU dependency based boot future

Expand valid proxyHosts
Clinton Ebadi [Fri, 14 Sep 2012 05:33:47 +0000 (01:33 -0400)]
* Instead of matching `localhost', match from a list of possible hosts

Fix firewall input rules, add ProxiedServer directive
Clinton Ebadi [Fri, 14 Sep 2012 05:27:07 +0000 (01:27 -0400)]
* mod uid-owner only works for output connections, hack it for now and
  just open the ports for everyone
* ProxiedServer allows connections from all webNodes, but does not
  open up output ports from them

Add navajos to domtool reset global
Clinton Ebadi [Fri, 14 Sep 2012 05:21:10 +0000 (01:21 -0400)]
* Should clean this up in general