author | Chris Severance | 2015-08-01 09:10:05 -0400 |
---|---|---|
committer | Chris Severance | 2015-08-01 09:10:05 -0400 |
commit | 4fa8c845e6133712ef2c71e448cf072e0056abe9 (patch) | |
tree | d181c7b1db4a6b0606dc6056b99c715c45034557 | |
parent | d77c11c1464c83e3205508188863e364cb8c55cf (diff) | |
download | aur-4fa8c845e6133712ef2c71e448cf072e0056abe9.tar.gz |
PKGBUILD improvements, run as non root
-rw-r--r-- | .SRCINFO | 18 | ||||
-rw-r--r-- | PKGBUILD | 126 | ||||
-rwxr-xr-x | newrelic-sysmond.inst.sh | 96 | ||||
-rw-r--r-- | newrelic-sysmond.install | 86 | ||||
-rw-r--r-- | newrelic-sysmond.logrotate | 9 | ||||
-rw-r--r-- | newrelic-sysmond.service | 27 |
6 files changed, 245 insertions, 117 deletions
@@ -1,22 +1,28 @@ pkgbase = newrelic-sysmond - pkgdesc = system monitor services provided by newrelic + pkgdesc = collect, monitor, and analyze critical server load metrics including CPU, memory, network, process, disk utilization and capacity pkgver = 2.1.0.124 pkgrel = 1 url = http://newrelic.com/ install = newrelic-sysmond.install arch = i686 arch = x86_64 - license = non-free + license = custom makedepends = binutils depends = glibc depends = bash + depends = grep + depends = sed + depends = awk + depends = systemd backup = etc/newrelic/nrsysmond.cfg source = http://download.newrelic.com/server_monitor/archive/2.1.0.124/newrelic-sysmond-2.1.0.124-linux.tar.gz + source = newrelic-sysmond.logrotate + source = newrelic-sysmond.inst.sh source = newrelic-sysmond.service - source = newrelic-sysmond.install - md5sums = b18f27bec4c9e5a5cf524225e41a7d15 - md5sums = f4ebc44c550896309d6121455a8669f3 - md5sums = aa0022b03b291c97f5f4b3cb2d24104d + sha256sums = 052e42d156e20f77e78f82372123eadf069ef2e5758a1184725a906ead551d9b + sha256sums = 02d70a783e30a7b6f8c438b1bae5a57d37d2204d112ccca38eada2b9044a5ebe + sha256sums = bcce083629dcd0827f86247872ee4b42dec2c51349b4cc10c0ce7619f94faf9f + sha256sums = 7ec93da5ddf521cd1850f1ef491182d7363fd565db8697c33261d09300fab6af pkgname = newrelic-sysmond 
@@ -1,46 +1,100 @@ -# Maintainer: Felix Yan <felixonmars@archlinux.org> +# Maintainer: Chris Severance aur.severach aATt spamgourmet dott com +# Maintainer: Paul Severance <paulseverance+aur@gmail.com> +# Contributor: Felix Yan <felixonmars@archlinux.org> # Contributor: Preston <pentie [at] gmail.com> -pkgname=newrelic-sysmond -pkgver=2.1.0.124 -pkgrel=1 -pkgdesc="system monitor services provided by newrelic" +# Install: https://docs.newrelic.com/docs/servers/new-relic-servers-linux/installation-configuration/servers-installation-other-linux +# source PKGBUILD +# Edit PKGBUILD.local and set your RUNAS user +# makepkg -scCfi +# Watch screen for Install instructions. + +# UnInstall cleanup: (as root) +# systemctl status newrelic-sysmond.service +# systemctl stop newrelic-sysmond.service +# systemctl disable newrelic-sysmond.service +# pacman -R newrelic-sysmond +# Sub in the username you picked into the following +# rm -rf '/var/log/newrelic' '/etc/newrelic' '/.newrelic' + +set -u +pkgname='newrelic-sysmond' +pkgver='2.1.0.124' +pkgrel='1' +pkgdesc='collect, monitor, and analyze critical server load metrics including CPU, memory, network, process, disk utilization and capacity' arch=('i686' 'x86_64') -url="http://newrelic.com/" -license=('non-free') -depends=('glibc' 'bash') +url='http://newrelic.com/' +license=('custom') +depends=('glibc' 'bash' 'grep' 'sed' 'awk' 'systemd') makedepends=('binutils') backup=('etc/newrelic/nrsysmond.cfg') -install=newrelic-sysmond.install -source=("http://download.newrelic.com/server_monitor/archive/${pkgver}/${pkgname}"-"${pkgver}"-"linux.tar.gz" - "newrelic-sysmond.service" - "newrelic-sysmond.install") +install="${pkgname}.install" +source=("http://download.newrelic.com/server_monitor/archive/${pkgver}/${pkgname}-${pkgver}-linux.tar.gz" + "${pkgname}.logrotate" + "${pkgname}.inst.sh" + "${pkgname}.service") -build() { - cd "$srcdir/$pkgname-$pkgver-linux" -} 
+sha256sums=('052e42d156e20f77e78f82372123eadf069ef2e5758a1184725a906ead551d9b' + '02d70a783e30a7b6f8c438b1bae5a57d37d2204d112ccca38eada2b9044a5ebe' + 'bcce083629dcd0827f86247872ee4b42dec2c51349b4cc10c0ce7619f94faf9f' + '7ec93da5ddf521cd1850f1ef491182d7363fd565db8697c33261d09300fab6af') package() { - cd "$srcdir/$pkgname-$pkgver-linux" - mkdir -p "$pkgdir"/usr/bin/ \ - "$pkgdir"/etc/newrelic/ \ - "$pkgdir"/etc/default/ \ - "$pkgdir"/usr/share/doc/newrelic/ \ - "$pkgdir"/usr/lib/systemd/system/; - - if [ $CARCH == i686 ]; then - install -v -Dm755 ./daemon/nrsysmond.x86 "$pkgdir"/usr/bin/nrsysmond - else - install -v -Dm755 ./daemon/nrsysmond.x64 "$pkgdir"/usr/bin/nrsysmond - fi - - install -v -Dm644 ./nrsysmond.cfg "$pkgdir"/etc/newrelic/ - install -v -Dm755 ./scripts/nrsysmond-config "$pkgdir"/usr/bin/ - install -v -Dm644 ./scripts/newrelic-sysmond.default.debian "$pkgdir"/etc/default/newrelic-sysmond - install -v -Dm644 INSTALL.txt LICENSE.txt "$pkgdir"/usr/share/doc/newrelic/ - install -v -Dm644 ../newrelic-sysmond.service "$pkgdir"/usr/lib/systemd/system/ + set -u + cd "${srcdir}/${pkgname}-${pkgver}-linux" + + install -dm770 "${pkgdir}/var/log/newrelic" # For some reason the daemon writes files with umask 000 + + case "${CARCH}" in + 'i686') install -Dpm755 'daemon/nrsysmond.x86' "${pkgdir}/usr/bin/nrsysmond";; + 'x86_64') install -Dpm755 'daemon/nrsysmond.x64' "${pkgdir}/usr/bin/nrsysmond";; + *)echo "${}";; + esac + + install -Dpm755 "${srcdir}/newrelic-sysmond.inst.sh" "${pkgdir}/usr/bin/newrelic-sysmond-inst" + + # The installer makes this file chmod 640. Anything in this file can be found + # with ps -ef, ls -l /etc/default, or cat newrelic-sysmond.service by any + # user so there's no reason to go through all the chmod hassle for a file + # that has nothing to hide. + install -dm750 "${pkgdir}/etc/newrelic" # The New Relic instructions say 600 but this is clearly wrong. 
+ install -Dpm640 'nrsysmond.cfg' -t "${pkgdir}/etc/newrelic/" + sed -i -e '# Forward location of this setting' \ + -e 's:^#pidfile=.*$'":&\n# In Arch Linux this setting is found in /usr/lib/systemd/system/${pkgname}.service:g" \ + "${pkgdir}/etc/newrelic/nrsysmond.cfg" + install -Dpm755 'scripts/nrsysmond-config' -t "${pkgdir}/usr/bin/" + sed -i -e '# Our sed recognizes tab escape sequences' \ + -e 's:\t\]:\\t]:g' \ + "${pkgdir}/usr/bin/nrsysmond-config" + install -Dpm644 "scripts/${pkgname}.default.debian" "${pkgdir}/etc/default/${pkgname}" + sed -i -e "# Disable a setting we don't use" \ + -e 's;^nrdaemon=.*$'";# The nrdaemon is set by the Arch Linux package installer and cannot be changed here.\n#&;g" \ + -e '# Provide change requirements for RUNAS' \ + -e 's;^RUNAS=.*$'";#&\n# In Arch Linux the RUNAS setting is found in /usr/lib/systemd/system/${pkgname}.service as User=;g" \ + "${pkgdir}/etc/default/${pkgname}" + install -Dpm644 'INSTALL.txt' 'LICENSE.txt' -t "${pkgdir}/usr/share/doc/newrelic/" + install -Dpm644 "${srcdir}/${pkgname}.service" -t "${pkgdir}/usr/lib/systemd/system/" + sed -i -e "# Apply user group info" \ + -e "s;NEWRELIC_USER;${_opt_ASUSER};g" \ + "${pkgdir}/usr/lib/systemd/system/${pkgname}.service" + install -Dpm644 "${srcdir}/${pkgname}.logrotate" "${pkgdir}/etc/logrotate.d/${pkgname}" + + # Ensure there are no forbidden paths. Place at the end of package() and comment out as you find or need exceptions. (git-aurcheck) + #! grep -lr "/sbin" "${pkgdir}" || echo "${}" + ! grep -lr "/usr/tmp" "${pkgdir}" || echo "${}" + #! grep -lr "/usr/local" "${pkgdir}" || echo "${}" + #! pcregrep -lr "(?<!/usr)/bin" "${pkgdir}" || echo "${}" + ! test -d "${pkgdir}/usr/sbin" || echo "${}" + ! test -d "${pkgdir}/usr/local" || echo "${}" + set +u } -md5sums=('b18f27bec4c9e5a5cf524225e41a7d15' - 'f4ebc44c550896309d6121455a8669f3' - 'aa0022b03b291c97f5f4b3cb2d24104d') +[ ! 
-s 'PKGBUILD.local' ] && cat > 'PKGBUILD.local' << EOF +# Set your RUNAS user here +# root is insecure and unnecesary +# Default: newrelic +_opt_ASUSER='newrelic' +EOF +source 'PKGBUILD.local' + +set +u diff --git a/newrelic-sysmond.inst.sh b/newrelic-sysmond.inst.sh new file mode 100755 index 000000000000..b0afe642b9f1 --- /dev/null +++ b/newrelic-sysmond.inst.sh 
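Review bot: `_opt_ASUSER` from PKGBUILD.local is spliced unchecked into the sed replacement `s;NEWRELIC_USER;${_opt_ASUSER};g` near the end of package(), so an empty value, or one containing `;`, `&` or whitespace, produces a broken or misleading `User=`/`Group=` line in the installed unit. `set -u` only catches the unset case, and an empty `User=` would presumably leave the daemon running as root, the opposite of what this commit intends. A guard before that sed would fail the build early, for example `[[ "${_opt_ASUSER}" =~ ^[a-z_][a-z0-9_-]*$ ]] || { echo "invalid _opt_ASUSER: ${_opt_ASUSER}" >&2; return 1; }`. Separately, the `echo "${}"` lines appear to rely on a bad-substitution error to abort; an explicit message followed by `return 1` would make that intent readable.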
@@ -0,0 +1,96 @@ +#!/usr/bin/bash + +set -u +if [ "${EUID}" -ne 0 ]; then + echo 'Must be root!' + exit 1 +fi + +_fn_install() { + # From https://docs.newrelic.com/docs/servers/new-relic-servers-linux/installation-configuration/servers-installation-other-linux + systemctl daemon-reload # in case the admin has edited the file + local _RUNAS="$(sed -ne 's:^User=\(.*\)$:\1:p' '/usr/lib/systemd/system/newrelic-sysmond.service')" + + # Create the newrelic user and group + if [ ! -z "${_RUNAS}" -a "${_RUNAS}" != 'root' ]; then + #useradd --system -M --home / --shell '/usr/bin/nologin' "${_RUNAS}" || : + groupadd -r "${_RUNAS}" || : + useradd -r -g "${_RUNAS}" -d "/.${_RUNAS}" -s '/usr/bin/nologin' -c 'New Relic monitoring daemon' "${_RUNAS}" || : + mkdir -p "/.${_RUNAS}" + chmod 700 "/.${_RUNAS}" + chown -R "${_RUNAS}:${_RUNAS}" "/.${_RUNAS}" + fi + chown -R "root:${_RUNAS}" '/etc/newrelic/' + chown -R "root:${_RUNAS}" '/var/log/newrelic' + #chmod 750 '/etc/newrelic/' # WTF were they thinking with chmod 600? + + # Kludge the permissions (now done in PKGBUILD) + #mkdir -p '/var/log/newrelic' + #chmod 1777 '/var/log/newrelic' + + local _deffile='/etc/default/newrelic-sysmond' + local _cfgfile="$(source "${_deffile}"; echo "${cfgfile:-/etc/newrelic/nrsysmond.cfg}")" + + # This file contains nothing needing group access so it doesn't need to be chown to group any more + #chown "root:${_RUNAS}" "${_cfgfile}" + #chmod 640 ${_cfgfile} + + # + # When first installing the package, the license key will not be set. + # Instead of throwing an error, we want to whine to the user and then exit cleanly. 
+ # + + if sed -e '/^[ \t]*#/d' "${_cfgfile}" | grep -ql 'REPLACE_WITH_REAL_KEY'; then + #if [ -z "${NR_SILENT}" -a -z "${SILENT}" ]; then + # + # WARNING - This text is duplicated from newrelic-sysmond.init + # + cat <<EOF +********************************************************************* +********************************************************************* +*** +*** Can not start the New Relic Server Monitor until you insert a +*** valid license key in the following file: +*** +*** ${_cfgfile} +*** +*** You can do this by running the following command as root: +*** +*** nrsysmond-config --set license_key=<your_license_key_here> +*** +*** No data will be reported until the server monitor can start. +*** You can get your New Relic key from the 'Configuration' section +*** of the 'Support' menu of your New Relic account (accessible at +*** https://rpm.newrelic.com ) +*** +********************************************************************* +********************************************************************* + +Then, enable and start your server: + + systemctl enable newrelic-sysmond.service + systemctl start newrelic-sysmond.service + systemctl status newrelic-sysmond.service +EOF + #fi + fi +} + +_fn_remove() { + # What happens if we install two New Relic packages then uninstall one? + # We lose our user and the remaining package doesn't run, right? + # Until someone figures out a better way we'll let an upgrade fix it. + local _RUNAS="$(sed -ne 's:^User=\(.*\)$:\1:p' '/usr/lib/systemd/system/newrelic-sysmond.service')" + if [ ! -z "${_RUNAS}" -a "${_RUNAS}" != 'root' ] && [ "$(id -u "${_RUNAS}")" -ge 990 ]; then + userdel "${_RUNAS}" || : + groupdel "${_RUNAS}" || : + fi +} + +case "${1-}" in + install) _fn_install;; + remove) _fn_remove;; + *) echo "Usage $(basename "$0") remove|install";; +esac + +# vim:set ts=2 sw=2 et: diff --git a/newrelic-sysmond.install b/newrelic-sysmond.install index 7dcd539d4cdb..a94d9869ba36 100644 --- a/newrelic-sysmond.install 
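Review bot: The `-ge 990` test in `_fn_remove` has no upper bound, so if an administrator has pointed `User=` at an ordinary login account (UIDs normally start at 1000), removing the package runs `userdel` and `groupdel` on that account. The check is presumably meant to match only the system account created by `useradd -r`; bounding it, e.g. `[ "${_uid}" -ge 990 ] && [ "${_uid}" -lt 1000 ]` (or reading `SYS_UID_MAX` from /etc/login.defs), keeps package removal away from human users. In `_fn_install`, failures of `groupadd` and `useradd` are discarded with `|| :` and the two `chown -R "root:${_RUNAS}"` calls still run, so it is worth checking that the account and group exist before continuing.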
+++ b/newrelic-sysmond.install 
@@ -1,96 +1,36 @@ -# This is a default template for a post-install scriptlet. -# Uncomment only required functions and remove any functions -# you don't need (and this header). +# Arch Linux install for newrelic-sysmond ## arg 1: the new package version -#pre_install() { - # do something here -#} - -## arg 1: the new package version -post_install() { - -#!/bin/sh -# Create the newrelic user and group -useradd --system -M --home / --shell /sbin/nologin newrelic || true - -# Kludge the permissions -mkdir /var/log/newrelic -chmod 1777 /var/log/newrelic - -cfgfile=/etc/newrelic/nrsysmond.cfg - -chown root:newrelic ${cfgfile} -chmod 640 ${cfgfile} - -# -# When first installing the package, the license key will not be set. -# Instead of throwing an error, we want to whine to the user and then exit cleanly. -# - -if sed -e '/^[ ]*#/d' "${cfgfile}" 2> /dev/null | grep -q 'REPLACE_WITH_REAL_KEY' 2> /dev/null; then - if [ -z "${NR_SILENT}" -a -z "${SILENT}" ]; then - # - # WARNING - This text is duplicated from newrelic-sysmond.init - # - cat <<EOF - -********************************************************************* -********************************************************************* -*** -*** Can not start the New Relic Server Monitor until you insert a -*** valid license key in the following file: -*** -*** ${cfgfile} -*** -*** You can do this by running the following command as root: -*** -*** nrsysmond-config --set license_key=<your_license_key_here> -*** -*** No data will be reported until the server monitor can start. -*** You can get your New Relic key from the 'Configuration' section -*** of the 'Support' menu of your New Relic account (accessible at -*** https://rpm.newrelic.com). 
-*** -********************************************************************* -********************************************************************* - -For systemd users: - - systemctl start newrelic-sysmond.service - -EOF - fi - return 0 -fi - - +pre_install() { + : } ## arg 1: the new package version ## arg 2: the old package version pre_upgrade() { - # do something here - return 0 + : } ## arg 1: the new package version ## arg 2: the old package version post_upgrade() { - # do something here - return 0 + systemctl daemon-reload + newrelic-sysmond-inst install +} + +## arg 1: the new package version +post_install() { + post_upgrade "$1" } ## arg 1: the old package version pre_remove() { - # do something here - return 0 + newrelic-sysmond-inst remove } ## arg 1: the old package version post_remove() { - # do something here - userdel newrelic || true + systemctl daemon-reload } # vim:set ts=2 sw=2 et: diff --git a/newrelic-sysmond.logrotate b/newrelic-sysmond.logrotate new file mode 100644 index 000000000000..d420766bb2f5 --- /dev/null +++ b/newrelic-sysmond.logrotate @@ -0,0 +1,9 @@ +/var/log/newrelic/nrsysmond.log { + rotate 7 + daily + missingok + notifempty + sharedscripts + copytruncate + compress +} diff --git a/newrelic-sysmond.service b/newrelic-sysmond.service index 9def14256f1a..bb43dabc5e41 100644 --- a/newrelic-sysmond.service +++ b/newrelic-sysmond.service 
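Review bot: `pre_remove` calls `newrelic-sysmond-inst remove` without the unit being stopped first, and `userdel` refuses to delete an account that still owns running processes. Because `_fn_remove` discards that failure with `|| :`, the user and group can be left behind silently after `pacman -R` if the daemon is still running. Either stop the unit in `pre_remove` before the helper runs (`systemctl stop newrelic-sysmond.service`) or have the helper print a message when `userdel` fails, so the admin knows cleanup is pending. Both scriptlet calls also resolve the helper through PATH; `/usr/bin/newrelic-sysmond-inst` would pin them to the packaged file.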
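Review bot: The new logrotate stanza has no `su` directive, yet the PKGBUILD installs /var/log/newrelic as mode 770 and the install helper chowns it to `root:<run-as group>`, which makes it group-writable by a non-root group. logrotate treats such a parent directory as insecure and is expected to skip rotation with an error unless `su` is set, because a member of that group could otherwise replace the log with a symlink. Adding `su newrelic newrelic` inside the braces, with the name substituted from `_opt_ASUSER` the same way the service file is, should address it. `sharedscripts` has no effect here, since the stanza defines no `prerotate` or `postrotate` script.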
@@ -1,11 +1,34 @@ [Unit] -Description=System monitor Services Provided by Newrelic +Description=New Relic Servers Server Monitor (newrelic-sysmond) After=network.target [Service] Type=forking PIDFile=/run/nrsysmond.pid -ExecStart=/usr/bin/nrsysmond -c /etc/newrelic/nrsysmond.cfg -p /run/nrsysmond.pid + +# https://blog.hqcodeshop.fi/archives/93-Handling-varrun-with-systemd.html +# Run ExecStartPre with root-permissions +# This seems easier and more reliable than tmpfiles.d +PermissionsStartOnly=true +ExecStartPre=/usr/bin/touch /run/nrsysmond.pid +ExecStartPre=/usr/bin/chown NEWRELIC_USER:NEWRELIC_USER /run/nrsysmond.pid +User=NEWRELIC_USER +Group=NEWRELIC_USER + +# Run ExecStart with User +ExecStart=/usr/bin/nrsysmond -c '/etc/newrelic/nrsysmond.cfg' -p '/run/nrsysmond.pid' + +# Arch Linux: +# The user and group must be the same. Change all 4 at once. Don't pick a system defined user. +# If you change the user and group names after installation, you should: +# 1) userdel 'olduser' # if it's not being used for something else +# 2) groupdel 'olduser' # if it's not being used for something else +# 3) rm -rf '/.olduser' # if there's nothing in here of importance +# 4) newrelic-sysmond.inst install # to create new user, group, and to chown folders + +# If you uninstall another New Relic package and find that the user and group have disappeared +# simply run: newrelic-sysmond.inst install +# or just upgrade the package [Install] WantedBy=multi-user.target |
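Review bot: The comments at the end of the [Service] section tell the admin to run `newrelic-sysmond.inst install`, but the PKGBUILD installs the helper as /usr/bin/newrelic-sysmond-inst, so the documented command does not exist under that name. The same comment block asks admins to edit User= and Group= in this file, which lives in /usr/lib/systemd/system and is not listed in `backup=`. A package upgrade would therefore presumably restore the packaged user, and `post_upgrade` would then re-chown /etc/newrelic and /var/log/newrelic to it. Consider correcting the command to `newrelic-sysmond-inst install` and pointing admins at rebuilding with PKGBUILD.local rather than editing the unit in place.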