fix #6769, plus some related configuration issues and better documentation

This commit is contained in:
Christian Grothoff 2021-04-18 02:21:03 +02:00
parent a98e131226
commit 294730cf01
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC
7 changed files with 68 additions and 24 deletions

debian/changelog vendored

@ -1,3 +1,9 @@
taler-exchange (0.9.0-9) unstable; urgency=low
* Fix #6769: have systemd create exchange UNIX domain socket with nice permissions.
-- Christian Grothoff <grothoff@gnu.org> Sun, 18 Apr 2021 13:02:10 +0100
taler-exchange (0.9.0-8) unstable; urgency=low
* Fix minor memory leak.


@ -1,8 +1,12 @@
# First line should be: "INLINE@ /etc/taler-exchange-db.conf"
@INLINE@ /etc/taler-exchange-db.conf
# First line should be: "INLINE@ taler-exchange-db.conf"
# 2nd line should be: "INLINE@ taler-secmod.conf"
@INLINE@ taler-exchange-db.conf
@INLINE@ taler-secmod.conf
# Do not edit this file using 'taler-config', otherwise the line
# above will be lost!
#
# Please read the taler-exchange.README.Debian for how to configure a Taler exchange.
#
[PATHS]
@ -19,10 +23,16 @@ UNIXPATH = /var/lib/taler-exchange/exchange.sock
# Only supported database is Postgres right now.
DATABASE = postgres
[taler]
# Here you need to set the currency of your exchange:
# CURRENCY = KUDOS
# Here you MUST add the master public key of the offline system
# which you can get using `taler-exchange-offline setup`.
# This is just an example, your key will be different!
# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
MASTER_PUBLIC_KEY =
[coin_FOO]
# You must specify the various denominations to be offered by your exchange
# in sections called "coin_".
# For your terms of service and privacy policy, you should specify
# an Etag that must be updated whenever there are significant
# changes to either document. The format is up to you, what matters
# is that the value is updated and never re-used. See the HTTP
# specification on Etags.
# TERMS_ETAG =
# PRIVACY_ETAG =
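Review bot: `MASTER_PUBLIC_KEY =` sits under the `[taler]` header here, while the README change in this same commit tells the operator to put it in the `[exchange]` section; whichever section the daemon actually reads, template and README must agree, otherwise the operator fills in a key that is never consulted and the exchange silently runs without its offline trust anchor — an explicit `[exchange]` header above the `MASTER_PUBLIC_KEY` block (keeping `CURRENCY` under `[taler]`) is the likely fix, but please confirm against the code. The comments describing the first two lines drop the leading `@` (`"INLINE@ taler-exchange-db.conf"` versus the real `@INLINE@ taler-exchange-db.conf`), and "the line above will be lost" now refers to two lines; `# Do not edit this file with 'taler-config': the two @INLINE@ lines above would be lost.` would be accurate. The `TERMS_ETAG`/`PRIVACY_ETAG` examples appear under `[coin_FOO]` although they are not denomination settings; a one-line comment naming the section they belong to would stop operators from pasting them into a coin section.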


@ -1,5 +1,5 @@
# First line should be: "INLINE@ /etc/taler-exchange-db.conf"
@INLINE@ /etc/taler-exchange-db.conf
# First line should be: "INLINE@ taler-exchange-db.conf"
@INLINE@ taler-exchange-db.conf
# Do not edit this file using 'taler-config', otherwise the line
# above will be lost!


@ -6,10 +6,14 @@ exchange with this minimal template. You must:
* Configure the Postgres database for the exchange, ideally including
remote replication of the database to the auditor.
* Run taler-exchange-dbinit (also after package upgrades).
* Edit /etc/taler-exchange.conf to must setup the currency and denominations
* Run `taler-exchange-dbinit` (also after package upgrades).
* Edit ``/etc/taler-secmod.conf`` to must setup the currency and denominations
details.
* Edit /etc/taler-wire.conf to provide details about the bank account access.
* Edit `/etc/taler-wire.conf` to provide details about the bank account access.
* Run `taler-exchange-offline setup` on your offline system and add
the resulting master public key into the ``[exchange]`` section of
``/etc/taler-exchange.conf`` under ``MASTER_PUBLIC_KEY``.
None of these are done by the Debian package because we cannot provide the
required complete configuration details.
@ -18,13 +22,13 @@ required complete configuration details.
Once you have done this, you can use the following commands to start, stop or
restart the Taler exchange:
# systemctl start taler-exchange
# systemctl stop taler-exchange
# systemctl restart taler-exchange
# systemctl start taler-exchange-httpd.service
# systemctl stop taler-exchange-httpd.service
# systemctl restart taler-exchange-httpd.service
To permanently the exchange whenever the system boots, use:
# systemctl enable taler-exchange
# systemctl enable taler-exchange-httpd
-- Christian Grothoff <grothoff@gnu.org> Mon 28 Dec 2020 11:37:14 AM CET


@ -101,11 +101,29 @@ TALER_AGGRUSER=${_AGGRUSERNAME}
TALER_GROUP=${_GROUPNAME}
EOF
cat > "/etc/systemd/system/taler-exchange-httpd.socket" <<EOF
[Unit]
Description=Taler Exchange Socket
PartOf=taler-exchange-httpd.service
[Socket]
ListenStream=/var/lib/taler-exchange/exchange.sock
Accept=no
Service=taler-exchange-httpd.service
SocketUser=${_EUSERNAME}
SocketGroup=www-data
SocketMode=0660
[Install]
WantedBy=sockets.target
EOF
cat > "/etc/systemd/system/taler-exchange-httpd.service" <<EOF
[Unit]
Description=GNU Taler payment system exchange REST API
Requires=taler-exchange-secmod-rsa.service taler-exchange-secmod-eddsa.service
Wants=taler-exchange-wirewatch taler-exchange-aggregator taler-exchange-transfer
AssertPathExists=/var/lib/taler-exchange/
Requires=taler-exchange-httpd.socket taler-exchange-secmod-rsa.service taler-exchange-secmod-eddsa.service
Wants=taler-exchange-wirewatch.service taler-exchange-aggregator.service taler-exchange-transfer.service
After=postgres.service network.target
[Service]
@ -131,7 +149,7 @@ EnvironmentFile=/etc/default/taler-exchange
User=${_RSECUSERNAME}
Type=simple
Restart=on-failure
ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler-exchange.conf
ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler-secmod.conf
PrivateTmp=no
PrivateDevices=yes
ProtectSystem=full
@ -146,7 +164,7 @@ EnvironmentFile=/etc/default/taler-exchange
User=${_ESECUSERNAME}
Type=simple
Restart=on-failure
ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler-exchange.conf
ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler-secmod.conf
PrivateTmp=no
PrivateDevices=yes
ProtectSystem=full
@ -213,6 +231,8 @@ EOF
chmod 770 /var/lib/taler-exchange/tmp
chmod +s /var/lib/taler-exchange/tmp
chown root:${_GROUPNAME} /etc/taler-secmod.conf
chmod 640 /etc/taler-secmod.conf
chown ${_WIREUSERNAME}:root /etc/taler-wire.conf
chmod 460 /etc/taler-wire.conf
chown root:${_DBGROUPNAME} /etc/taler-exchange-db.conf
@ -222,6 +242,7 @@ EOF
systemctl daemon-reload >/dev/null 2>&1 || true
echo "done."
# Cleaning
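Review bot: `SocketMode=0660` with `SocketGroup=www-data` only lets the reverse proxy connect if www-data can also search `/var/lib/taler-exchange/`; that directory's owner and mode are set outside this hunk, so please confirm it grants `x` to www-data (or move the socket to `/run/taler-exchange/exchange.sock` via `RuntimeDirectory=`), otherwise connections fail with EACCES regardless of the socket mode. `After=postgres.service` in the httpd unit names a unit that does not exist on Debian — PostgreSQL ships `postgresql.service` — so the ordering is a silent no-op; `After=postgresql.service network.target` is what is intended. The secmod units now read `/etc/taler-secmod.conf`, which the script sets to `root:${_GROUPNAME}` mode 640; that is only readable by `${_RSECUSERNAME}` and `${_ESECUSERNAME}` if both are members of `${_GROUPNAME}`, which this hunk does not show — a comment such as `# both secmod users must be in ${_GROUPNAME} to read this` next to the chmod would document the dependency. The heredocs and the surrounding script body begin before and continue after the visible hunks.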


@ -57,6 +57,7 @@ case "${1}" in
fi
rm -rf /var/log/taler-exchange/ /var/lib/taler-exchange /etc/default/taler-exchange
rm -f /etc/taler-wire.conf /etc/taler-exchange-db.conf /etc/taler-exchange.conf
;;
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
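Review bot: The purge branch deletes `/etc/taler-wire.conf`, `/etc/taler-exchange-db.conf` and `/etc/taler-exchange.conf` but not `/etc/taler-secmod.conf`, which this commit's postinst now chowns and chmods, nor the `/etc/systemd/system/taler-exchange-httpd.socket` and `.service` units that postinst generates; unless they are removed elsewhere in the script (or are dpkg conffiles handled automatically), add `rm -f /etc/taler-secmod.conf` and `rm -f /etc/systemd/system/taler-exchange-httpd.socket /etc/systemd/system/taler-exchange-httpd.service` followed by `systemctl daemon-reload >/dev/null 2>&1 || true`. `rm -rf /var/lib/taler-exchange` on purge also destroys the secmod private key material without any notice; that is the expected purge semantics, but a comment `# purge deletes the online signing keys kept under /var/lib/taler-exchange` would make it explicit. The enclosing `case` statement starts before this hunk.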


@ -1729,7 +1729,7 @@ main (int argc,
if ( (-1 == flags) &&
(EBADF == errno) )
{
fprintf (stderr,
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Bad listen socket passed, ignored\n");
fh = -1;
}
@ -1740,6 +1740,8 @@ main (int argc,
flags)) )
GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
"fcntl");
GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Successfully obtained listen socket from hypervisor\n");
}
/* initialize #internal_key_state with an RC of 1 */
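Review bot: When the inherited descriptor fails the `fcntl` probe with `EBADF`, the new code logs at ERROR and sets `fh = -1`; if the code below then falls back to binding the configured TCP port, a misconfigured `taler-exchange-httpd.socket` silently undoes the UNIX-socket permission model this commit introduces, and since the unit now carries `Requires=taler-exchange-httpd.socket`, a bad passed socket is a deployment error that should probably be fatal (`return 1;` or the function's usual error exit) rather than ignored. In the else branch the `F_SETFD` failure only logs `strerror` and the INFO line `"Successfully obtained listen socket from hypervisor\n"` is still emitted, so the success message should be conditional on the flags being set. That message is also misleading: the descriptor comes from the service manager via socket activation, not a hypervisor — `"Obtained listen socket from systemd socket activation\n"`. `main` begins and continues outside these hunks.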