#!/bin/bash # # --- BEGIN COPYRIGHT BLOCK --- # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # Copyright (C) 2007 Red Hat, Inc. # All rights reserved. # --- END COPYRIGHT BLOCK --- # # pki-rad Startup script for the Apache HTTP pki-ra Server # # chkconfig: - 86 14 # description: Registration Authority \ # (Apache 2.2) # processname: pki-rad # piddir: /var/run/pki/ra # config: ${PKI_SERVER_ROOT}/conf/httpd.conf PKI_INIT_SCRIPT="" PKI_PATH="/usr/share/pki/ra" PKI_PIDDIR="/var/run/pki/ra" PKI_PROCESS="pki-rad" PKI_REGISTRY="/etc/sysconfig/pki/ra" PKI_SELINUX_TYPE="pki_ra_t" PKI_TYPE="pki-ra" # PKI subsystem-level directory and file values for locks lockfile="/var/lock/subsys/pki-rad" # Disallow 'others' the ability to 'write' to new files umask 00002 default_error=0 command="$1" pki_instance="$2" case "${command}" in start|stop|restart|condrestart|force-restart|try-restart) # * 1 generic or unspecified error (current practice) default_error=1 ;; reload) default_error=3 ;; status) # * 4 program or service status is unknown default_error=4 ;; *) # * 2 invalid argument(s) default_error=2 ;; esac # Check to insure that this script's original invocation directory # has not been deleted! CWD=`/bin/pwd > /dev/null 2>&1` if [ $? -ne 0 ] ; then echo "Cannot invoke '$0' from non-existent directory!" exit ${default_error} fi # Check to insure that this script's associated PKI # subsystem currently resides on this system. if [ ! -d ${PKI_PATH} ] ; then echo "This machine is missing the '${PKI_TYPE}' subsystem!" if [ "${command}" != "status" ]; then # * 5 program is not installed exit 5 else exit ${default_error} fi fi # Check to insure that this script's associated PKI # subsystem instance registry currently resides on this system. if [ ! -d ${PKI_REGISTRY} ] ; then echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!" if [ "${command}" != "status" ]; then # * 5 program is not installed exit 5 else exit ${default_error} fi fi # Obtain the operating system upon which this script is being executed # and initialize environment variables OS=`uname -s` ARCHITECTURE="" LD_LIBRARY_PATH="" # Time to wait in seconds, before killing process # # NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems. # STARTUP_WAIT=30 SHUTDOWN_WAIT=30 # This script must be run as root! RV=0 if [ ${OS} = "Linux" ] ; then PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}" if [ `id -u` -ne 0 ] ; then echo "Must be 'root' to execute '$0'!" if [ "${command}" != "status" ]; then # * 4 user had insufficient privilege exit 4 else # * 4 program or service status is unknown exit 4 fi fi ARCHITECTURE=`uname -i` if [ ${ARCHITECTURE} = "i386" ] ; then LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}" elif [ ${ARCHITECTURE} = "x86_64" ] ; then LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}" else echo "Unsupported architecture '${ARCHITECTURE}'!" exit ${default_error} fi elif [ ${OS} = "SunOS" ] ; then PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}" if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then echo "Must be 'root' to execute '$0'!" if [ "${command}" != "status" ]; then # * 4 user had insufficient privilege exit 4 else # * 4 program or service status is unknown exit 4 fi fi ARCHITECTURE=`uname -p` if [ "${ARCHITECTURE}" = "sparc" ] && [ -d "/usr/lib/sparcv9/" ] ; then ARCHITECTURE="sparcv9" fi if [ ${ARCHITECTURE} = "sparcv9" ] ; then LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}" LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}" else echo "Unsupported architecture '${ARCHITECTURE}'!" exit ${default_error} fi else echo "Unsupported OS '${OS}'!" exit ${default_error} fi export LD_LIBRARY_PATH # Source function library. if [ -f /etc/init.d/functions ]; then . /etc/init.d/functions else # The checkpid() function is provided for platforms that do not # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . # Check if ${pid} (could be plural) are running (keep count) checkpid() { rv=0 for i in $* ; do ps -p $i > /dev/null 2>&1 ; if [ $? -ne 0 ] ; then rv=`expr $rv + 1` else rv=`expr $rv + 0` fi done # echo "rv=$rv" return $rv } # Create the following directories on platforms # where they do not exist (e. g. - Solaris) . . . if [ ! -d "/var/lock" ] ; then mkdir -p /var/lock chown root:sys /var/lock chmod 00755 /var/lock fi if [ ! -d "/var/lock/subsys" ] ; then mkdir -p /var/lock/subsys chown root:root /var/lock/subsys chmod 00755 /var/lock/subsys fi fi PKI_REGISTRY_ENTRIES="" TOTAL_PKI_REGISTRY_ENTRIES=0 TOTAL_UNCONFIGURED_PKI_ENTRIES=0 # Gather ALL registered instances of this PKI subsystem type for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do if [ -f "$FILE" ] ; then inst=`echo "$FILE"` PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst" TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` fi done if [ -n "${pki_instance}" ]; then for I in ${PKI_REGISTRY_ENTRIES}; do if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}" TOTAL_PKI_REGISTRY_ENTRIES=1 break fi done fi usage() { echo -n "Usage: ${PKI_INIT_SCRIPT} " echo -n "{start" echo -n "|stop" echo -n "|restart" echo -n "|condrestart" echo -n "|force-restart" echo -n "|try-restart" echo -n "|reload" echo -n "|status} " echo -n "[instance-name]" echo echo } list_instances() { echo for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do echo " ${FILE}" done echo } # Check arguments if [ $# -lt 1 ] ; then # * 3 unimplemented feature (for example, "reload") # [insufficient arguments] echo "$0: Insufficient arguments!" echo usage echo "where valid instance names include:" list_instances exit 3 elif [ ${default_error} -eq 2 ] ; then # * 2 invalid argument echo "$0: Invalid arguments!" echo usage echo "where valid instance names include:" list_instances exit 2 elif [ $# -gt 2 ] ; then echo "$0: Excess arguments!" echo usage echo "where valid instance names include:" list_instances if [ "${command}" != "status" ]; then # * 2 excess arguments exit 2 else # * 4 program or service status is unknown exit 4 fi fi # If an "instance" was supplied, check that it is a "valid" instance if [ -n "${pki_instance}" ]; then if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance" echo_failure echo if [ "${command}" != "status" ]; then # * 5 program is not installed exit 5 else # * 4 program or service status is unknown exit 4 fi fi fi # On Solaris /var/run is in tmpfs and gets wiped out upon reboot # we have to recreate the ${PKI_PIDDIR} directory and make sure that # the directory is writable by the ${PKI_TYPE} server process. # # IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize # the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the # "${PKI_PIDDIR}" will end up with the ownership permissions # of the first instance that executes this function! # fix_pid_dir_ownership() { if [ ! -d ${PKI_PIDDIR} ] ; then mkdir -p ${PKI_PIDDIR} chown root:root /var/run/pki chmod 00755 /var/run/pki chown root:root ${PKI_PIDDIR} chmod 00755 ${PKI_PIDDIR} fi } check_pki_configuration_status() { rv=0 rv=`grep -c ^preop ${pki_instance_configuration_file}` rv=`expr ${rv} + 0` if [ ${rv} -ne 0 ] ; then echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" if [ "${command}" != "status" ]; then # * 6 program is not configured rv=6 else # * 4 program or service status is unknown rv=4 fi TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` elif [ -f ${RESTART_SERVER} ] ; then echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " echo -n "it must still be RESTARTED!" echo if [ "${command}" != "status" ]; then # * 1 generic or unspecified error (current practice) rv=1 else # * 4 program or service status is unknown rv=4 fi fi return ${rv} } get_pki_status_definitions() { # establish well-known strings listen_statement="Listen" total_ports=0 UNSECURE_PORT="" CLIENTAUTH_PORT="" NON_CLIENTAUTH_PORT="" # check to see that an instance-specific "httpd.conf" file exists if [ ! -f ${PKI_HTTPD_CONF} ] ; then echo "File '${PKI_HTTPD_CONF}' does not exist!" exit ${default_error} fi # check to see that an instance-specific "nss.conf" file exists if [ ! -f ${PKI_NSS_CONF} ] ; then echo "File '${PKI_NSS_CONF}' does not exist!" exit ${default_error} fi # read this instance-specific "httpd.conf" file line-by-line # to obtain the current value of the PKI unsecure port exec < ${PKI_HTTPD_CONF} while read line; do # look for the listen statement head=`echo $line | cut -b1-6` if [ "$head" == "$listen_statement" ] ; then # once the 'unsecure' listen statement has been found, # extract the numeric port information port=`echo $line | cut -b8-` UNSECURE_PORT=$port echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" total_ports=`expr ${total_ports} + 1` break; fi done # read this instance-specific "nss.conf" file line-by-line # to obtain the current value of the "clientauth" PKI secure port # AND the current value of the "non-clientauth" PKI secure port exec < ${PKI_NSS_CONF} while read line; do # look for the listen statement head=`echo $line | cut -b1-6` if [ "$head" == "$listen_statement" ] && [ ${total_ports} -eq 2 ] ; then # once the 'non-clientauth' listen statement has been found, # extract the numeric port information non_clientauth_port=`echo $line | cut -b8-` NON_CLIENTAUTH_PORT=$non_clientauth_port echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}" total_ports=`expr ${total_ports} + 1` break fi if [ "$head" == "$listen_statement" ] && [ ${total_ports} -eq 1 ] ; then # once the 'clientauth' listen statement has been found, # extract the numeric port information clientauth_port=`echo $line | cut -b8-` CLIENTAUTH_PORT=$clientauth_port echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}" total_ports=`expr ${total_ports} + 1` fi done if [ ${total_ports} -eq 3 ] ; then return 0 else return ${default_error} fi } get_pki_configuration_definitions() { # Obtain the PKI Subsystem Type line=`grep ^cs.type= ${pki_instance_configuration_file}` pki_subsystem=`echo "${line}" | cut -b9-` if [ "${line}" != "" ] ; then if [ "${pki_subsystem}" != "CA" ] && [ "${pki_subsystem}" != "KRA" ] && [ "${pki_subsystem}" != "OCSP" ] && [ "${pki_subsystem}" != "TKS" ] && [ "${pki_subsystem}" != "RA" ] && [ "${pki_subsystem}" != "TPS" ] then return ${default_error} fi if [ "${pki_subsystem}" == "KRA" ] ; then # Rename "KRA" to "DRM" pki_subsystem="DRM" fi else return ${default_error} fi # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, # check to see if "${pki_subsystem}" is a "Clone" pki_clone="" if [ "${pki_subsystem}" == "CA" ] || [ "${pki_subsystem}" == "DRM" ] || [ "${pki_subsystem}" == "OCSP" ] || [ "${pki_subsystem}" == "TKS" ] then line=`grep ^subsystem.select= ${pki_instance_configuration_file}` if [ "${line}" != "" ] ; then pki_clone=`echo "${line}" | cut -b18-` if [ "${pki_clone}" != "Clone" ] ; then # Reset "${pki_clone}" to be empty pki_clone="" fi else return ${default_error} fi fi # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA pki_hierarchy="" if [ "${pki_subsystem}" == "CA" ] && [ "${pki_clone}" != "Clone" ] then line=`grep ^hierarchy.select= ${pki_instance_configuration_file}` if [ "${line}" != "" ] ; then pki_hierarchy=`echo "${line}" | cut -b18-` else return ${default_error} fi fi # If ${pki_subsystem} is a CA, check to # see if it is also a Security Domain pki_security_domain="" if [ "${pki_subsystem}" == "CA" ] ; then line=`grep ^securitydomain.select= ${pki_instance_configuration_file}` if [ "${line}" != "" ] ; then pki_security_domain=`echo "${line}" | cut -b23-` if [ "${pki_security_domain}" == "new" ] ; then # Set a fixed value for "${pki_security_domain}" pki_security_domain="(Security Domain)" else # Reset "${pki_security_domain}" to be empty pki_security_domain="" fi else return ${default_error} fi fi # Always obtain this PKI instance's "registered" # security domain information pki_security_domain_name="" pki_security_domain_hostname="" pki_security_domain_https_admin_port="" line=`grep ^securitydomain.name= ${pki_instance_configuration_file}` if [ "${line}" != "" ] ; then pki_security_domain_name=`echo "${line}" | cut -b21-` else return ${default_error} fi line=`grep ^securitydomain.host= ${pki_instance_configuration_file}` if [ "${line}" != "" ] ; then pki_security_domain_hostname=`echo "${line}" | cut -b21-` else return ${default_error} fi line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}` if [ "${line}" != "" ] ; then pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-` else return ${default_error} fi # Compose the "PKI Instance Name" Status Line pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" # Compose the "PKI Subsystem Type" Status Line header="PKI Subsystem Type: " if [ "${pki_clone}" != "" ] ; then if [ "${pki_security_domain}" != "" ]; then # Possible Values: # # "CA Clone (Security Domain)" # data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" else # Possible Values: # # "CA Clone" # "DRM Clone" # "OCSP Clone" # "TKS Clone" # data="${pki_subsystem} ${pki_clone}" fi elif [ "${pki_hierarchy}" != "" ] ; then if [ "${pki_security_domain}" != "" ]; then # Possible Values: # # "Root CA (Security Domain)" # "Subordinate CA (Security Domain)" # data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" else # Possible Values: # # "Root CA" # "Subordinate CA" # data="${pki_hierarchy} ${pki_subsystem}" fi else # Possible Values: # # "DRM" # "OCSP" # "RA" # "TKS" # "TPS" # data="${pki_subsystem}" fi pki_subsystem_type="${header} ${data}" # Compose the "Registered PKI Security Domain Information" Status Line header="Name: " registered_pki_security_domain_name="${header} ${pki_security_domain_name}" header="URL: " if [ "${pki_security_domain_hostname}" != "" ] && [ "${pki_security_domain_https_admin_port}" != "" ] then data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" else return ${default_error} fi registered_pki_security_domain_url="${header} ${data}" # Print the "PKI Subsystem Type" Status Line echo echo " ${pki_instance_name}" # Print the "PKI Subsystem Type" Status Line echo echo " ${pki_subsystem_type}" # Print the "Registered PKI Security Domain Information" Status Line echo echo " Registered PKI Security Domain Information:" echo " ==========================================================================" echo " ${registered_pki_security_domain_name}" echo " ${registered_pki_security_domain_url}" echo " ==========================================================================" return 0 } get_pki_secure_port() { # establish well-known strings listen_statement="Listen" # first check to see that an instance-specific "nss.conf" file exists if [ ! -f ${PKI_NSS_CONF} ] ; then echo "File '${PKI_NSS_CONF}' does not exist!" exit ${default_error} fi # read this instance-specific "nss.conf" file line-by-line # to obtain the current value of the "clientauth" PKI secure port exec < ${PKI_NSS_CONF} while read line; do # look for the listen statement head=`echo $line | cut -b1-6` if [ "$head" == "$listen_statement" ] ; then # once the 'clientauth' listen statement has been found, # extract the numeric port information port=`echo $line | cut -b8-` SECURE_PORT=$port return 0 fi done return ${default_error} } display_instance_status() { rv=0 if [ -f ${pidfile} ] ; then pid=`cat ${pidfile}` if [ "${pid}" == "" ] ; then echo "${PKI_INSTANCE_ID} pid file exists but is empty" if [ "${command}" != "status" ]; then # * 1 generic or unspecified error (current practice) rv=1 else # * 4 program or service status is unknown rv=4 fi elif kill -0 ${pid} > /dev/null 2>&1 ; then echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..." echo check_pki_configuration_status rv=$? if [ ${rv} -eq 0 ] ; then get_pki_status_definitions rv=$? if [ ${rv} -ne 0 ] ; then echo echo "${PKI_INSTANCE_ID} Status Definitions not found" else get_pki_configuration_definitions rv=$? if [ ${rv} -ne 0 ] ; then echo echo "${PKI_INSTANCE_ID} Configuration Definitions not found" fi fi else # From the PKI point of view for a "non-status" action, # a returned error code of "6" implies that the program # is not "configured". Similarly, an error code of "1" # implies that the program was "configured" but must # still be restarted. # # Similarly, from the PKI point of view for a "status" # action, a returned error code of "4" implies that either # the program is not "configured", or that the program # was "configured" but must still be restarted. # # Regardless, it must still be considered that the instance # is "running" from the viewpoint of other OS programs such # as 'chkconfig'. # # For this reason, when returning from # 'display_instance_status()', ignore non-zero return codes # returned from 'check_pki_configuration_status()'. # if [ "${command}" != "status" ]; then # * 0 action was successful rv=0 else # * 0 program is running or service is OK rv=0 fi fi echo else echo "${PKI_INSTANCE_ID} is dead but pid file exists" if [ "${command}" != "status" ]; then # * 1 generic or unspecified error (current practice) rv=1 else # * 1 program is dead and /var/run pid file exists rv=1 fi fi else echo "${PKI_INSTANCE_ID} is stopped" if [ "${command}" != "status" ]; then # * 7 program is not running rv=7 else # * 3 program is not running rv=3 fi fi return ${rv} } start_instance() { rv=0 echo -n $"Starting ${prog}: " if [ -f ${RESTART_SERVER} ] ; then rm -f ${RESTART_SERVER} fi if [ -f ${PKI_LOCKFILE} ] ; then if [ -f ${pidfile} ]; then read kpid < ${pidfile} if checkpid $kpid 2>&1; then echo echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..." echo check_pki_configuration_status rv=$? if [ ${rv} != 0 ]; then # From the PKI point of view for a "non-status" action, # a returned error code of "6" implies that the program # is not "configured". Similarly, an error code of "1" # implies that the program was "configured" but must # still be restarted. # # Regardless, it must still be considered that the instance # is "running" from the viewpoint of other OS programs such # as 'chkconfig'. # # For "non-status" actions, ignore return codes of "1" # from 'check_pki_configuration_status()'. # # However, for "non-status" actions that have a return # code of "6", return this value unchanged to # the calling routine so that the total number of # configuration errors may be counted. # echo if [ ${rv} = 1 ] ; then # * 0 action was successful return 0 elif [ ${rv} = 6 ] ; then # * 6 program is not configured return 6 else # should never be reached return ${rv} fi else return 0 fi else echo echo -n "lock file found but no process " echo -n "running for pid $kpid, continuing" echo echo rm -f ${PKI_LOCKFILE} fi fi fi fix_pid_dir_ownership touch ${pidfile} chown ${PKI_USER}:${PKI_GROUP} ${pidfile} chmod 00600 ${pidfile} [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile} # restore context for ncipher hsm [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast if [ -f /etc/init.d/functions ]; then /usr/sbin/selinuxenabled rv=$? if [ ${rv} = 0 ] ; then if [ ${ARCHITECTURE} = "i386" ] ; then LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS} # overwrite output from "daemon" echo -n $"Starting ${prog}: " elif [ ${ARCHITECTURE} = "x86_64" ] ; then # NOTE: "daemon" is incompatible with "httpd" # on 64-bit architectures LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS} fi else LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS} # overwrite output from "daemon" echo -n $"Starting ${prog}: " fi else LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start fi rv=$? if [ ${rv} = 0 ] ; then touch ${PKI_LOCKFILE} chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE} chmod 00600 ${PKI_LOCKFILE} fi if [ ${rv} = 0 ] ; then count=0; let swait=$STARTUP_WAIT until [ -s ${pidfile} ] || [ $count -gt $swait ] do echo -n "." sleep 1 let count=$count+1; done if [ -f /etc/init.d/functions ]; then if [ "$CONSOLETYPE" = "serial" ]; then echo -n " " fi echo_success echo else echo " [ OK ]" fi get_pki_secure_port if [ $? -ne 0 ] ; then SECURE_PORT="<Port Undefined>" fi # Set permissions of log files for file in ${pki_logs_directory}/*; do chown ${PKI_USER}:${PKI_GROUP} ${file} chmod 00660 ${file} done # ignore "status" return codes echo display_instance_status else if [ -f /etc/init.d/functions ]; then if [ "$CONSOLETYPE" = "serial" ]; then $0 echo -n " " fi echo_failure echo else echo " [ FAILED ]" fi fi if [ ${OS} = "Linux" ] ; then sleep 10 elif [ ${OS} = "SunOS" ] ; then sleep 20 fi return ${rv} } stop_instance() { rv=0 echo -n "Stopping ${prog}: " if [ -f ${PKI_LOCKFILE} ] ; then ${httpd} ${PKI_OPTIONS} -k stop rv=$? if [ ${rv} = 0 ]; then count=0; if [ -f ${pidfile} ]; then read kpid < ${pidfile} let kwait=$SHUTDOWN_WAIT until [ `ps -p $kpid | grep -c $kpid` = '0' ] || [ $count -gt $kwait ] do echo -n "." sleep 1 let count=$count+1; done if [ $count -gt $kwait ]; then kill -9 $kpid fi fi rm -f ${PKI_LOCKFILE} rm -f ${pidfile} if [ -f /etc/init.d/functions ]; then if [ "$CONSOLETYPE" = "serial" ]; then echo -n " " fi echo_success echo else echo " [ OK ]" fi else if [ -f /etc/init.d/functions ]; then if [ "$CONSOLETYPE" = "serial" ]; then echo -n " " fi echo_failure echo else echo " [ FAILED ]" fi rv=${default_error} fi else echo echo "process already stopped" rv=0 fi return ${rv} } reload_instance() { rv=0 echo -n $"Reloading ${prog}: " if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then rv=$? echo $"not reloading due to configuration syntax error" if [ -f /etc/init.d/functions ]; then failure $"not reloading ${httpd} due to configuration syntax error" else echo $"not reloading ${httpd} due to configuration syntax error" fi else if [ -f /etc/init.d/functions ]; then killproc -p ${pidfile} ${httpd} -HUP rv=$? else if [ -f ${PKI_LOCKFILE} ] ; then if [ -f ${pidfile} ]; then read kpid < ${pidfile} if checkpid $kpid 2>&1; then kill -HUP $kpid rv=$? if [ ${rv} != 0 ]; then rv=${default_error} fi fi else # * 7 program is not running rv=7 echo echo -n "lock file found but no process " echo -n "running for pid $kpid, continuing" echo echo rm -f ${PKI_LOCKFILE} fi fi fi fi echo return ${rv} } # The semantics of the 'start()' function differs from the way 'apachectl' # does things -- attempting to start while running is a failure. # So we just do it the way init scripts are expected to behave here. start() { # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": # # * 0 action was successful # * 1 generic or unspecified error (current practice) # * 2 invalid or excess argument(s) # * 3 unimplemented feature (for example, "reload") # * 4 user had insufficient privilege # * 5 program is not installed # * 6 program is not configured # * 7 program is not running # * 8-99 reserved for future LSB use # * 100-149 reserved for distribution use # * 150-199 reserved for application use # * 200-254 reserved # error_rv=0 rv=0 if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then config_errors=0 errors=0 if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):" fi # Start every PKI instance of this type that isn't already running for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do # Source values associated with this particular PKI instance [ -f ${PKI_REGISTRY_ENTRY} ] && . ${PKI_REGISTRY_ENTRY} pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo start_instance rv=$? if [ ${rv} = 6 ] ; then # Since at least ONE configuration error exists, then there # is at least ONE unconfigured instance from the PKI point # of view. # # However, it must still be considered that the # instance is "running" from the point of view of other # OS programs such as 'chkconfig'. # # Therefore, ignore non-zero return codes resulting # from configuration errors. # config_errors=`expr $config_errors + 1` rv=0 elif [ ${rv} != 0 ] ; then errors=`expr $errors + 1` error_rv=${rv} fi done if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then touch ${lockfile} chmod 00600 ${lockfile} fi # ONLY print a "WARNING" message if multiple # instances are being examined if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then # NOTE: "bad" return code(s) OVERRIDE configuration errors! if [ ${errors} -eq 1 ]; then # Since only ONE error exists, return that "bad" error code. rv=${error_rv} elif [ ${errors} -gt 1 ]; then # Since MORE than ONE error exists, return an OVERALL status # of "1 generic or unspecified error (current practice)" rv=1 fi if [ ${errors} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances failed to start!" echo fi if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances MUST be configured!" echo fi echo echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)." fi else echo echo "ERROR: No '${PKI_TYPE}' instances installed!" rv=5 fi return ${rv} } # The semantics of the 'stop()' function differs from the way 'apachectl' # does things -- attempting to shutdown when not running is a failure. # So we just do it the way init scripts are expected to behave here. stop() { # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": # # * 0 action was successful # * 1 generic or unspecified error (current practice) # * 2 invalid or excess argument(s) # * 3 unimplemented feature (for example, "reload") # * 4 user had insufficient privilege # * 5 program is not installed # * 6 program is not configured # * 7 program is not running # * 8-99 reserved for future LSB use # * 100-149 reserved for distribution use # * 150-199 reserved for application use # * 200-254 reserved # error_rv=0 rv=0 if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then errors=0 if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" fi # Shutdown every PKI instance of this type that is running for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do # Source values associated with this particular PKI instance [ -f ${PKI_REGISTRY_ENTRY} ] && . ${PKI_REGISTRY_ENTRY} pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo stop_instance rv=$? if [ ${rv} != 0 ] ; then errors=`expr $errors + 1` error_rv=${rv} fi done if [ ${errors} -eq 0 ] ; then rm -f ${lockfile} fi # ONLY print a "WARNING" message if multiple # instances are being examined if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then if [ ${errors} -eq 1 ]; then # Since only ONE error exists, return that "bad" error code. rv=${error_rv} elif [ ${errors} -gt 1 ]; then # Since MORE than ONE error exists, return an OVERALL status # of "1 generic or unspecified error (current practice)" rv=1 fi if [ ${errors} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances were " echo -n "unsuccessfully stopped!" echo fi echo echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." fi else echo echo "ERROR: No '${PKI_TYPE}' instances installed!" rv=5 fi return ${rv} } restart() { # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": # # * 0 action was successful # * 1 generic or unspecified error (current practice) # * 2 invalid or excess argument(s) # * 3 unimplemented feature (for example, "reload") # * 4 user had insufficient privilege # * 5 program is not installed # * 6 program is not configured # * 7 program is not running # * 8-99 reserved for future LSB use # * 100-149 reserved for distribution use # * 150-199 reserved for application use # * 200-254 reserved # stop sleep 2 echo echo "============================================================" echo start return $? } reload() { # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": # # * 0 action was successful # * 1 generic or unspecified error (current practice) # * 2 invalid or excess argument(s) # * 3 unimplemented feature (for example, "reload") # * 4 user had insufficient privilege # * 5 program is not installed # * 6 program is not configured # * 7 program is not running # * 8-99 reserved for future LSB use # * 100-149 reserved for distribution use # * 150-199 reserved for application use # * 200-254 reserved # error_rv=0 rv=0 if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then errors=0 if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):" fi # Reload every PKI instance of this type that is running for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do # Source values associated with this particular PKI instance [ -f ${PKI_REGISTRY_ENTRY} ] && . ${PKI_REGISTRY_ENTRY} pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo reload_instance rv=$? if [ ${rv} != 0 ] ; then errors=`expr $errors + 1` error_rv=${rv} fi done # ONLY print a "WARNING" message if multiple # instances are being examined if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then if [ ${errors} -eq 1 ]; then # Since only ONE error exists, return that "bad" error code. rv=${error_rv} elif [ ${errors} -gt 1 ]; then # Since MORE than ONE error exists, return an OVERALL status # of "1 generic or unspecified error (current practice)" rv=1 fi if [ ${errors} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances were " echo -n "unsuccessfully reloaded!" echo fi echo echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)." fi else echo echo "ERROR: No '${PKI_TYPE}' instances reloaded!" rv=5 fi return ${rv} } status() { # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": # # * 0 program is running or service is OK # * 1 program is dead and /var/run pid file exists # * 2 program is dead and /var/lock lock file exists # * 3 program is not running # * 4 program or service status is unknown # * 5-99 reserved for future LSB use # * 100-149 reserved for distribution use # * 150-199 reserved for application use # * 200-254 reserved # error_rv=0 rv=0 if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then errors=0 if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):" fi # Obtain status of every PKI instance of this type for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do # Source values associated with this particular PKI instance [ -f ${PKI_REGISTRY_ENTRY} ] && . ${PKI_REGISTRY_ENTRY} pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo display_instance_status rv=$? if [ ${rv} -ne 0 ] ; then errors=`expr $errors + 1` error_rv=${rv} fi done # ONLY print a "WARNING" message if multiple # instances are being examined if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then if [ ${errors} -eq 1 ]; then # Since only ONE error exists, return that "bad" error code. rv=${error_rv} elif [ ${errors} -gt 1 ]; then # Since MORE than ONE error exists, return an OVERALL status # of "4 - program or service status is unknown" rv=4 fi if [ ${errors} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances reported status failures!" echo fi if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances MUST be configured!" echo fi echo echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)." fi else echo echo "ERROR: No '${PKI_TYPE}' instances installed!" rv=4 fi return ${rv} } # See how we were called. case "${command}" in start|stop|restart|reload|status) ${command} exit $? ;; condrestart|force-restart|try-restart) [ ! -f ${lockfile} ] || restart exit $? ;; *) # * 3 unimplemented feature (for example, "reload") # [invalid command - should never be reached] echo usage echo "where valid instance names include:" list_instances exit 3 ;; esac