provide a system service for the proxy server #1335

Closed
totaam opened this issue Oct 7, 2016 · 11 comments

totaam commented Oct 7, 2016

Issue migrated from trac ticket # 1335

component: server | priority: major | resolution: worksforme

2016-10-07 13:44:54: antoine created the issue


Now that the proxy server can be used for starting new sessions on demand (#1319) and that we have ssl support (#1252) and a default port (#731), it makes sense to have a default service that can be used for all this.
Somewhat related to #1105, #888 and #1334.

Tasks:

  • generate a test certificate
  • install the service files (init and systemd...)

totaam commented Oct 9, 2016

2016-10-09 09:13:54: antoine changed owner from antoine to afarr

totaam commented Oct 9, 2016

2016-10-09 09:13:54: antoine edited the issue description

totaam commented Oct 9, 2016

2016-10-09 09:13:54: antoine changed title from provide a service for the proxy server to provide a system service for the proxy server

totaam commented Oct 9, 2016

2016-10-09 09:13:54: antoine commented


Major changesets (there are many more):

  • r14020 + r14022 + r14023: cleanup + preparatory work
  • r14024: generate a test ssl cert (RPM only), r14029 for DEB
  • r14026: systemd + init file and packaging
  • r14045: pidfile support
  • r14081: update firewall during rpm installation (centos7 and fedora)

After installation, there should be a new firewall rule allowing traffic on our port (14500, see #731):

$ sudo iptables -vnL | grep -i 145
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:14500 ctstate NEW

This rule should be deleted when the RPM package is uninstalled.

The service is not started by default at the moment; to change that, see "Enabling and disabling services during start up in GNU/Linux" (instructions vary depending on the init system used by the distribution).

To start the service (these commands should work almost everywhere: fedora, centos, debian, ubuntu, etc):

sudo service xpra start

After that, you should be able to confirm that it is running with:

sudo service xpra status

or with systemd (fedora, centos7):

sudo systemctl status xpra.service

or with systemd it should be listed in the system slice:

$ systemd-cgls
Control group /:
-.slice
├─init.scope
│ └─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 24
├─system.slice
│ ├─avahi-daemon.service
│ │ ├─1140 avahi-daemon: running [desktop.local
│ │ └─1173 avahi-daemon: chroot helpe
(..)
│ ├─xpra.service
│ │ └─7249 /bin/python /usr/bin/xpra proxy :14500 --bind-tcp=0.0.0.0:14500 --auth=sys --tcp-auth=sys --ssl-cert=/etc/xpra/ssl-cert.pem --socket-permissions=666 --daemon=no --log-dir
(..)

or on systems with a "/var/run/xpra" directory (those that support tmpfiles.d, see #888):

xpra list

(as any user)
or

xpra version tcp/127.0.0.1

or

xpra version ssl/127.0.0.1/ --ssl-server-verify-mode=none

(see #1252 for details)
or even hitting this proxy server with a browser to get the session login page:

xdg-open http://127.0.0.1:14500/

In order to use any other sub-commands against this proxy server, you need to authenticate with a system account (the proxy server is configured to use the "sys" authentication module).
ie:

xpra start ssl/$USERNAME:[email protected]/ --ssl-server-verify-mode=none --start-child=xterm --exit-with-children

(see #1319 for details, bugs related to connecting or using the proxy server itself do not belong here)

@afarr: just a FYI, feel free to close.
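
A stricter form of the `iptables -vnL | grep -i 145` check from the comment above, as an added example that is not part of the original thread or of the xpra project's code: it matches the `dpt:14500` field exactly and reports whether the rule accepts any source, so it can confirm both the rule after installation and its removal after uninstall. The function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the firewall exposure of the xpra proxy port from
# `iptables -vnL` output read on stdin. The function name is hypothetical.
XPRA_PORT=14500

# Prints one of: absent | open-to-any | restricted
# Only single-port "dpt:" matches are handled (no multiport rules).
xpra_fw_rule_scope() {
    awk -v port="$XPRA_PORT" '
        # Rule rows: pkts bytes target prot opt in out source destination [matches...]
        $3 == "ACCEPT" && $4 == "tcp" {
            hit = 0
            for (i = 10; i <= NF; i++) if ($i == ("dpt:" port)) hit = 1
            if (!hit) next
            found = 1
            if ($8 == "0.0.0.0/0") any = 1   # source column: any address
        }
        END {
            if (!found) print "absent"
            else if (any) print "open-to-any"
            else print "restricted"
        }'
}

# Constructed sample: the rule line quoted in the comment, next to an unrelated rule.
SAMPLE_INSTALLED='Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:14500 ctstate NEW'

# Constructed sample: the same port limited to one source network.
SAMPLE_RESTRICTED='Chain IN_trusted_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:14500 ctstate NEW'

# Constructed sample: after uninstall; port 1145 would still match "grep -i 145".
SAMPLE_REMOVED='Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1145 ctstate NEW'

printf 'installed:  %s\n' "$(printf '%s\n' "$SAMPLE_INSTALLED" | xpra_fw_rule_scope)"
printf 'restricted: %s\n' "$(printf '%s\n' "$SAMPLE_RESTRICTED" | xpra_fw_rule_scope)"
printf 'removed:    %s\n' "$(printf '%s\n' "$SAMPLE_REMOVED" | xpra_fw_rule_scope)"
```

On a live host, feed it real output instead of the samples: `sudo iptables -vnL | xpra_fw_rule_scope`.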

totaam commented Nov 24, 2016

2016-11-24 08:52:16: antoine changed owner from afarr to smo

totaam commented Nov 24, 2016

2016-11-24 08:52:16: antoine commented


fallback to firewall-offline-cmd in r14484.

Further notes:

  • to permanently add the rule to another zone, ie "trusted":
    firewall-cmd --add-port=14500/tcp --zone=trusted --permanent
  • the default zone where we add the rule as part of the rpm postinstall is:
    firewall-cmd --get-default-zone

More examples: https://www.certdepot.net/rhel7-get-started-firewalld/

totaam commented Dec 26, 2016

2016-12-26 09:29:41: antoine commented


We now also silence the "success" message during RPM (un)install: r14602.

totaam commented Jan 11, 2017

2017-01-11 15:01:08: antoine commented


Added a wiki page linking back here: Service.

totaam commented Feb 6, 2017

2017-02-06 19:51:09: smo changed status from new to closed

totaam commented Feb 6, 2017

2017-02-06 19:51:09: smo set resolution to worksforme

totaam closed this as completed Feb 6, 2017

totaam commented May 24, 2017

2017-05-24 12:27:03: antoine commented


Debian packaging of the systemd service: #1530
