Bug 202937 - Fix rc.d script in www/h2o
Summary: Fix rc.d script in www/h2o
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Grzegorz Blach
Depends on:
Blocks: 203147
Reported: 2015-09-06 20:42 UTC by Grzegorz Blach
Modified: 2015-09-18 09:57 UTC

See Also:
dch: maintainer-feedback+

Fix for rc.d script (2.98 KB, patch)
2015-09-06 20:42 UTC, Grzegorz Blach
gblach: maintainer-approval? (dch)

Description Grzegorz Blach freebsd_committer 2015-09-06 20:42:07 UTC
Created attachment 160784 [details]
Fix for rc.d script

Currently the rc.d script in www/h2o is broken.  The daemon simply doesn't start with `/usr/local/etc/rc.d/h2o start`.  The attached patch fixes this issue.
Comment 1 Dave Cottlehuber freebsd_committer 2015-09-10 21:28:57 UTC
Thanks Grzegorz for the patch! I'm new to BSD so forgive my questions & errors.

1. remove PIDDIR and leave pidfile to be set by h2o.conf


If I read these changes correctly, now we require h2o to start as root, and drop privileges. Is this considered safe enough?

My intent with PIDDIR etc was h2o should be run completely non-privileged, from a daemon process. See https://github.com/h2o/h2o/issues/152 & https://github.com/h2o/h2o/issues/145 for some comments on that.

BTW using daemon mode is a good idea. IIRC this wasn't available when the original port was done, so this is definitely an improvement! Thanks.

2. daemon invocation changes


`grep pid-file: ...` feels tidier.

Why is procname set to perl, when /usr/local/bin/h2o is a binary, not perl? Is there a reason for switching from the default?

/usr/local/bin/h2o: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 10.2, not stripped

I +1 this change anyway, I would just like to understand the last points better for myself.
Comment 2 Grzegorz Blach freebsd_committer 2015-09-10 22:14:18 UTC
Ad. 1)

The design of Unix requires h2o to be started as root, since only root can open a port < 1024.  H2o needs to listen on port 80, so you can't run this (and many other) servers completely non-privileged.  It's a safe and common pattern to start a server as root, open a port for listening and then switch to another user.

Ad. 2)

When you want to stop the daemon, the rc.d script reads the PID from PIDFILE and looks for a process with the given PID and the given procname.  If found, the process is stopped; otherwise the process isn't terminated.  H2o in daemon mode uses a perl script as the top-level process and spawns regular h2o as subprocesses.  The PID saved in PIDFILE points to this perl script.  When you set procname!=perl (e.g. h2o), the server can't be found by the rc.d script, and thus can't be stopped.
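
The pidfile and procname check that Comment 2 describes, modeled as an added example (it is not part of the bug thread, the attached patch, or rc.subr itself). The functions `proc_matches` and `find_pid`, the exact first-word comparison, and the pidfile content 92101 are assumptions made for illustration; the process lines are constructed from the output shown in Comment 5.

```shell
#!/bin/sh
# Added example: simplified model of the rc.d pidfile + procname check.
# Not rc.subr's code; matching is reduced to "first word of the command line".

# Constructed sample of `ps -o pid=,command=` output, based on Comment 5.
PS_SAMPLE='92101 /usr/local/bin/perl -x /usr/local/share/h2o/start_server --pid-file=/var/run/h2o.pid
92102 /usr/local/bin/h2o -c /usr/local/etc/h2o/h2o.conf'

# proc_matches PROCNAME CMDLINE: true if CMDLINE's first word is PROCNAME.
proc_matches() {
    [ "${2%% *}" = "$1" ]
}

# find_pid PIDFILE PROCNAME PS_TABLE
# Prints the PID and returns 0 only when the PID stored in PIDFILE exists in
# PS_TABLE and that process's command matches PROCNAME.
find_pid() {
    _pidfile=$1 _want=$2 _table=$3
    [ -r "$_pidfile" ] || return 1
    read -r _pid < "$_pidfile" || [ -n "$_pid" ] || return 1
    # A pidfile is untrusted input: accept digits only.
    case $_pid in ''|*[!0-9]*) return 1 ;; esac
    while read -r _p _cmd; do
        if [ "$_p" = "$_pid" ] && proc_matches "$_want" "$_cmd"; then
            echo "$_pid"
            return 0
        fi
    done <<EOF
$_table
EOF
    return 1
}

# Demo: the pidfile names the perl supervisor (92101), as Comment 2 explains.
_tmp=$(mktemp) && echo 92101 > "$_tmp"
for _name in /usr/local/bin/perl /usr/local/bin/h2o; do
    if find_pid "$_tmp" "$_name" "$PS_SAMPLE" >/dev/null; then
        echo "procname=$_name: found, stop would signal PID 92101"
    else
        echo "procname=$_name: not running? (check pidfile)"
    fi
done
rm -f "$_tmp"
```

The procname comparison is what keeps a stop action from signalling an unrelated process when a stale pidfile's PID has been reused. Matching on the interpreter name is broader than matching on the daemon's own binary, since in this model any perl process holding that PID would pass.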
Comment 3 Grzegorz Blach freebsd_committer 2015-09-10 23:00:38 UTC
Committed, thanks.
Comment 4 commit-hook freebsd_committer 2015-09-10 23:00:54 UTC
A commit references this bug:

Author: gblach
Date: Thu Sep 10 22:59:57 UTC 2015
New revision: 396629
URL: https://svnweb.freebsd.org/changeset/ports/396629

  - Fix rc.d script

  PR:		202937
  Submitted by:	gblach
  Approved by:	Dave Cottlehuber (dch <at> skunkwerks <dot> at)

Comment 5 Dave Cottlehuber freebsd_committer 2015-09-14 21:00:27 UTC
Can we reopen this? With this patch I don't get daemon to stop or correctly anymore. I think this is the recent perl update breaking things.

wintermute# service h2o start
/usr/local/etc/rc.d/h2o: DEBUG: Sourcing /etc/rc.conf.d/h2o
/usr/local/etc/rc.d/h2o: DEBUG: checkyesno: h2o_enable is set to YES.
Starting h2o.
/usr/local/etc/rc.d/h2o: DEBUG: run_rc_command: doit: /usr/local/bin/h2o  -m daemon -c /usr/local/etc/h2o/h2o.conf
start_server (pid:92099) starting now...
starting new worker 92102
wintermute# [INFO] raised RLIMIT_NOFILE to 22500
h2o server (pid:92102) is ready to serve requests
fetch-ocsp-response (using OpenSSL 1.0.1p-freebsd 9 Jul 2015)
fetch-ocsp-response (using OpenSSL 1.0.1p-freebsd 9 Jul 2015)
... - - [14/Sep/2015:20:44:46 +0000] "GET / HTTP/1.1" 200 344 "-" "raintank collector"

wintermute# pgrep -ilf h2o; ps aux |grep h2o; cat /var/run/h2o.pid
92121 python /usr/local/bin/autojump -a /usr/local/share/h2o
92102 /usr/local/bin/h2o -c /usr/local/etc/h2o/h2o.conf
92101 /usr/local/bin/perl -x /usr/local/share/h2o/start_server --pid-file=/var/run/h2o.pid --log-file=/var/log/h2o/error.log --daemonize --port=[::]:80 --port= --port=[::]:443 --port= -- /usr/local/bin/h2o -c /usr/local/etc/h2o/h2o.conf
www      92102   4.0  0.0    64216   7992  -  S     8:44PM     0:00.50 /usr/local/bin/h2o -c /usr/local/etc/h2o/h2o.conf
root     92101   0.1  0.0    47648  12368  -  S     8:44PM     0:00.00 /usr/local/bin/perl -x /usr/local/share/h2o/start_server --pid-file=/var/run/h2o.pid
root     92121   0.0  0.0    25612   5372  6  RN    8:44PM     0:00.00 python /usr/local/bin/autojump -a /usr/local/share/h2o (python2.7)
root     92124   0.0  0.0    18824   2612  6  S+    8:44PM     0:00.00 grep h2o

wintermute# service h2o stop
/usr/local/etc/rc.d/h2o: DEBUG: Sourcing /etc/rc.conf.d/h2o
/usr/local/etc/rc.d/h2o: DEBUG: checkyesno: h2o_enable is set to YES.
h2o not running? (check /var/run/h2o.pid).

wintermute# killall -9 -m 'h2o|perl'

wintermute# grep pid-file /usr/local/etc/h2o/h2o.conf |cut -d' ' -f2

config snippet:

listen: 80
    port: 443
access-log: /var/log/h2o/access.log
error-log: /var/log/h2o/error.log
pid-file: /var/run/h2o.pid
user: www

To fix this, I think 3 changes are required:

# /usr/local/share/h2o/*
replace all shebangs by full /usr/local/bin/perl path

# /usr/local/etc/rc.d/h2o

# /usr/ports/www/h2o/Makefile
introduce perl as a dependency which is missing from the original patch.

Which works here at least for me. Is this ok for you Grzegorz?
Comment 6 commit-hook freebsd_committer 2015-09-18 09:57:29 UTC
A commit references this bug:

Author: junovitch
Date: Fri Sep 18 09:56:31 UTC 2015
New revision: 397229
URL: https://svnweb.freebsd.org/changeset/ports/397229

  MFH r393066,r396229,r396629,r397062:

  www/h2o: 1.2.0 -> 1.4.2


  PR:		200998
  Submitted by:	sean@x-n.su
  Approved by:	Dave Cottlehuber <dch@skunkwerks.at> (maintainer)

  - Update to 1.4.4 [1]
  - Drop 8.x support [2]

  PR:		202818 [1]
  Submitted by:	Dave Cottlehuber (dch <at> skunkwerks <dot> at) [1]
  Approved by:	portmgr blanket [2]

  - Fix rc.d script

  PR:		202937
  Submitted by:	gblach
  Approved by:	Dave Cottlehuber (dch <at> skunkwerks <dot> at)

  - Fix rc.d issues introduced with recent perl changes [1]
  - Update to 1.4.5 [2]

  PR:		203147 [1], 203096 [2]
  Submitted by:	Dave Cottlehuber (maintainer)

  Security:	31ea7f73-5c55-11e5-8607-74d02b9a84d5
  Security:	CVE-2015-5638
  Approved by:	ports-secteam (feld)

_U  branches/2015Q3/