| author | Emīls Piņķis <emils@mullvad.net> | 2022-09-02 15:10:55 +0200 |
|---|---|---|
| committer | Emīls Piņķis <emils@mullvad.net> | 2022-09-13 11:51:04 +0200 |
| commit | b358f13b5a02c30f0155b9feb22413b04dde81c0 (patch) | |
| tree | b876a2c779c8f320292544c983e715051667031d | |
| parent | 9be68db2506f6e5fe28f58acc2495ab8bd3b67d5 (diff) | |
Improve daemon unit file
Set the `MULLVAD_RESOURCE_DIR` environment variable and specify the
path as a required mount path.
| -rw-r--r-- | dist-assets/linux/after-install.sh | 4 | ||||
| -rw-r--r-- | dist-assets/linux/after-remove.sh | 2 | ||||
| -rw-r--r-- | dist-assets/linux/before-install.sh | 1 | ||||
| -rw-r--r-- | dist-assets/linux/before-remove.sh | 1 | ||||
| -rw-r--r-- | dist-assets/linux/mullvad-daemon.service | 10 | ||||
| -rw-r--r-- | dist-assets/linux/mullvad-early-boot-blocking.service | 16 | ||||
| -rw-r--r-- | dist-assets/linux/post-transaction.sh | 12 | ||||
| -rw-r--r-- | gui/tasks/distribution.js | 16 |
8 files changed, 41 insertions, 21 deletions
diff --git a/dist-assets/linux/after-install.sh b/dist-assets/linux/after-install.sh
index e50af2eaf7..4a1771772f 100644
--- a/dist-assets/linux/after-install.sh
+++ b/dist-assets/linux/after-install.sh
@@ -3,6 +3,6 @@ set -eu
 chmod u+s "/usr/bin/mullvad-exclude"
-systemctl enable "/etc/systemd/system/mullvad-daemon.service"
+systemctl enable "/usr/lib/systemd/system/mullvad-daemon.service"
 systemctl start mullvad-daemon.service
-systemctl enable "/etc/systemd/system/mullvad-early-boot-blocking.service"
+systemctl enable "/usr/lib/systemd/system/mullvad-early-boot-blocking.service"
diff --git a/dist-assets/linux/after-remove.sh b/dist-assets/linux/after-remove.sh
index 8dfe875a46..22c9529982 100644
--- a/dist-assets/linux/after-remove.sh
+++ b/dist-assets/linux/after-remove.sh
@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 set -eu
+echo "Running after-remove.sh"
+
 function remove_logs_and_cache {
 rm -r --interactive=never /var/log/mullvad-vpn/ || \
 echo "Failed to remove mullvad-vpn logs"
diff --git a/dist-assets/linux/before-install.sh b/dist-assets/linux/before-install.sh
index a8efb02adb..5150f153ff 100644
--- a/dist-assets/linux/before-install.sh
+++ b/dist-assets/linux/before-install.sh
@@ -6,6 +6,7 @@ if which systemctl &> /dev/null; then
 /opt/Mullvad\ VPN/resources/mullvad-setup prepare-restart || true
 systemctl stop mullvad-daemon.service
 systemctl disable mullvad-daemon.service
+ systemctl disable mullvad-early-boot-blocking.service || true
 cp /var/log/mullvad-vpn/daemon.log /var/log/mullvad-vpn/old-install-daemon.log \
 || echo "Failed to copy old daemon log"
 fi
diff --git a/dist-assets/linux/before-remove.sh b/dist-assets/linux/before-remove.sh
index 1134c9a51b..bfa1faae9f 100644
--- a/dist-assets/linux/before-remove.sh
+++ b/dist-assets/linux/before-remove.sh
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 set -eu
+echo "Running before-remove.sh"
 # SIGTERM for some reason causes the app to crash sometimes and SIGINT works as expected.
 pkill -2 -x "mullvad-gui" || true
 sleep 0.5
diff --git a/dist-assets/linux/mullvad-daemon.service b/dist-assets/linux/mullvad-daemon.service
index 843955e043..e36bd90eff 100644
--- a/dist-assets/linux/mullvad-daemon.service
+++ b/dist-assets/linux/mullvad-daemon.service
@@ -1,18 +1,20 @@
 # Systemd service unit file for the Mullvad VPN daemon
+# testing if new changes are added
 [Unit]
 Description=Mullvad VPN daemon
-Wants=network.target
-After=network-online.target
-After=NetworkManager.service
-After=systemd-resolved.service
+Before=network-online.target
+After=mullvad-early-boot-blocking.service NetworkManager.service systemd-resolved.service
+
 StartLimitBurst=5
 StartLimitIntervalSec=20
+RequiresMountsFor=/opt/Mullvad\x20VPN/resources/
 [Service]
 Restart=always
 RestartSec=1
 ExecStart=/usr/bin/mullvad-daemon -v --disable-stdout-timestamps
+Environment="MULLVAD_RESOURCE_DIR=/opt/Mullvad VPN/resources/"
 [Install]
 WantedBy=multi-user.target
diff --git a/dist-assets/linux/mullvad-early-boot-blocking.service b/dist-assets/linux/mullvad-early-boot-blocking.service
new file mode 100644
index 0000000000..466eebb796
--- /dev/null
+++ b/dist-assets/linux/mullvad-early-boot-blocking.service
@@ -0,0 +1,16 @@
+# Systemd service unit file to block all traffic during early boot.
+# This is required since almost no distributions use a `network-pre.target`,
+# which implies it's difficult to ensure that the daemon will start and block
+# traffic before any network configuration will be applied.
+#
+[Unit]
+Description=Mullvad early boot network blocker
+DefaultDependencies=no
+Before=basic.target mullvad-daemon.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/mullvad-daemon --initialize-early-boot-firewall
+
+[Install]
+WantedBy=mullvad-daemon.service
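Review bot: The added header line `# testing if new changes are added` in mullvad-daemon.service reads like a leftover from testing and would ship in the packaged unit, so it should be dropped. The ordering change in the same hunk (`Before=network-online.target` and `After=mullvad-early-boot-blocking.service ...`) carries no comment, and it is the part a later maintainer is most likely to revert by accident. I would put a one-line explanation in its place, for example `# Start before network-online.target so the daemon's firewall rules are in place before dependants treat the network as up.`; the reason is presumed from the commit's other files and should be confirmed by the author.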
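Review bot: `Type=oneshot` without `RemainAfterExit=yes` in mullvad-early-boot-blocking.service means the unit returns to inactive as soon as `--initialize-early-boot-firewall` exits, so a later start job for mullvad-daemon.service is expected to pull it in again through `WantedBy=mullvad-daemon.service` and re-apply the blocking rules while the daemon is running. The comment added to post-transaction.sh in this commit describes that symptom and works around it in one script only. If re-running the blocker after boot is not intended, adding `RemainAfterExit=yes` under `[Service]` keeps the unit active after its single run; whether that suits the daemon's handling of the rules is not visible in this diff. The bare `#` that ends the header comment can be dropped.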
diff --git a/dist-assets/linux/post-transaction.sh b/dist-assets/linux/post-transaction.sh
index 52edc5bffe..a2a14d17d8 100644
--- a/dist-assets/linux/post-transaction.sh
+++ b/dist-assets/linux/post-transaction.sh
@@ -2,6 +2,12 @@
 # This is to mitigate post-uninstall hooks being ran AFTER post-install hooks
 # during an upgrade on Fedora.
 set -eu
-systemctl enable "/etc/systemd/system/mullvad-daemon.service" || true
-systemctl start mullvad-daemon.service || true
-systemctl enable "/etc/systemd/system/mullvad-early-boot-blocking.service" || true
+
+# Repeated enablement of the daemon service will result in the early-boot unit
+# being executed when the daemon is already running, which results in the
+# firewall rules being applied.
+if ! systemctl is-enabled mullvad-daemon; then
+ systemctl enable "/usr/lib/systemd/system/mullvad-daemon.service" || true
+ systemctl start mullvad-daemon.service || true
+ systemctl enable "/usr/lib/systemd/system/mullvad-early-boot-blocking.service" || true
+fi
diff --git a/gui/tasks/distribution.js b/gui/tasks/distribution.js
index 45b9ce851b..7152eb4b8a 100644
--- a/gui/tasks/distribution.js
+++ b/gui/tasks/distribution.js
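Review bot: The new guard in post-transaction.sh tests only `systemctl is-enabled mullvad-daemon`, so when the daemon unit is already enabled the script also skips `systemctl enable` for mullvad-early-boot-blocking.service and never looks at that unit's own state. If the two ever diverge (before-install.sh in this commit disables both units during an upgrade), early-boot blocking would stay off without any message, and `|| true` hides an enable failure as well. I would check the blocker separately, outside the `if`: `systemctl is-enabled --quiet mullvad-early-boot-blocking.service || systemctl enable "/usr/lib/systemd/system/mullvad-early-boot-blocking.service" || true`. Using `--quiet` on the daemon check too keeps the state string out of the package manager's output.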
@@ -186,12 +186,8 @@ const config = {
 distAssets('linux/before-install.sh'),
 '--before-remove',
 distAssets('linux/before-remove.sh'),
- '--config-files',
- '/etc/systemd/system/mullvad-daemon.service',
- '--config-files',
- '/etc/systemd/system/mullvad-early-boot-blocking.service',
- distAssets('linux/mullvad-daemon.service') +'=/etc/systemd/system/',
- distAssets('linux/mullvad-early-boot-blocking.service') +'=/etc/systemd/system/',
+ distAssets('linux/mullvad-daemon.service') +'=/usr/lib/systemd/system/mullvad-daemon.service',
+ distAssets('linux/mullvad-early-boot-blocking.service') +'=/usr/lib/systemd/system/mullvad-early-boot-blocking.service',
 distAssets(path.join(getLinuxTargetSubdir(), 'mullvad')) + '=/usr/bin/',
 distAssets(path.join(getLinuxTargetSubdir(), 'mullvad-daemon')) + '=/usr/bin/',
 distAssets(path.join(getLinuxTargetSubdir(), 'mullvad-exclude')) + '=/usr/bin/',
@@ -214,12 +210,8 @@ const config = {
 distAssets('linux/before-remove.sh'),
 '--rpm-posttrans',
 distAssets('linux/post-transaction.sh'),
- '--config-files',
- '/etc/systemd/system/mullvad-daemon.service',
- '--config-files',
- '/etc/systemd/system/mullvad-early-boot-blocking.service',
- distAssets('linux/mullvad-daemon.service') +'=/etc/systemd/system/',
- distAssets('linux/mullvad-early-boot-blocking.service') +'=/etc/systemd/system/',
+ distAssets('linux/mullvad-daemon.service') +'=/usr/lib/systemd/system/mullvad-daemon.service',
+ distAssets('linux/mullvad-early-boot-blocking.service') +'=/usr/lib/systemd/system/mullvad-early-boot-blocking.service',
 distAssets(path.join(getLinuxTargetSubdir(), 'mullvad')) + '=/usr/bin/',
 distAssets(path.join(getLinuxTargetSubdir(), 'mullvad-daemon')) + '=/usr/bin/',
 distAssets(path.join(getLinuxTargetSubdir(), 'mullvad-exclude')) + '=/usr/bin/', |
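Review bot: Both hunks in distribution.js drop `--config-files` for the two units and install them under `/usr/lib/systemd/system/`, but nothing visible in this commit removes the copies that earlier packages placed in `/etc/systemd/system/`. On the deb side a conffile that disappears from a package is normally left on disk after an upgrade, and a unit in `/etc/systemd/system/` takes precedence over the same name in `/usr/lib/systemd/system/`, so an upgraded machine could keep running the old mullvad-daemon.service without `MULLVAD_RESOURCE_DIR` or the early-boot ordering. A cleanup step in the install scripts, e.g. `rm -f /etc/systemd/system/mullvad-daemon.service /etc/systemd/system/mullvad-early-boot-blocking.service` followed by `systemctl daemon-reload`, would close this if it is not already handled in the parts of the scripts outside these hunks. The second hunk (the rpm argument list) makes the same change, and both `config` lists continue outside the hunks.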
