<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
	This manifest allows one to set up a normal and a UML hets server service.
##
    Copyright 2015 Jens Elkner, Otto-von-Guericke-Universität Magdeburg.
	License: CDDL 1.0
##
	To set up these services, make sure that your system has a user named
	'webservd' as well as a group named 'webservd' (both should be there by
	default). If not, or if you want to run the server as a different
	user/group, please change the corresponding values in the exec_method
	element below. After that, copy this file to the manifest store, e.g.
		cp smf.xml /lib/svc/manifest/network/hets.xml
	restart the SMF import, e.g.:
		svcadm restart manifest-import
	and enable the service you want, e.g.:
		svcadm enable hets:default

	It is assumed, that /usr/sbin is part of your PATH env variable.

	If you have installed the Solaris package 'LNFhets-server' (SVR4) or
	'developer/hets/hets-server', the manifests are installed/removed
	automatically, so one only needs to enable the service (last step above).
##
	To remove these services just stop them all, e.g.
		svcadm disable hets:default ; svcadm disable hets:uml
	remove the manifest from the system's manifest store, e.g.
		rm -f /lib/svc/manifest/network/hets.xml
	and restart the SMF import as shown above:
		svcadm restart manifest-import
##
	To let other "normal" users manage these services and their parameters,
	assign the 'solaris.smf.manage.hets' authorization to them. The recommended
	way is to (1) register the authorization, (2) add a corresponding profile
	and finally (3) assign the profile to intended users.
	(1)
		auths remove -S files solaris.smf.manage.hets
		auths add -S files -t 'Allow the managment of the hets services' \
			solaris.smf.manage.hets
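	(2) Note: /tmp is world-writable and the file name used below is
	    predictable; on a multi-user machine, write the profile to a directory
	    only root can write to.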
		print 'set desc="HETS service manager"' \
			'\n#add defaultpriv=basic,dtrace_proc,dtrace_user' \
			'\nadd auths=solaris.smf.manage.hets' \
			>/tmp/hets.profile
		profiles -p hets-worker -S files delete -F
		profiles -p hets-worker -S files -f /tmp/hets.profile
	(3)
		usermod -P+'hets-worker' -S files john
	This is sufficient for a local machine. If you use LDAP and want to apply
	these settings to all machines in your ldap domain, just use '-S ldap'
	instead of '-S files' in the commands shown above.
##
	However, since our Solaris LDAP proxies are not allowed to change account
	data, we use our own LDAP management scripts INSTEAD:
	(1)
		nis_adm -a solaris.smf.manage.hets \
			-p desc="Allow the managment of the network/hets service" auth_attr
	(2)
		nis_adm -a hets-worker -p desc="HETS service manager" \
			-p attr="auths=solaris.smf.manage.hets" prof_attr
	(3)
		nis_adm -m john -p SolarisAttrKeyValue="profiles=hets-worker" passwd
	NOTE: you should check with 'nis_user john' whether the user already has
	a non-empty 'SolarisAttrKeyValue' and, if so, add it to the line above (same
	way as one would do it in /etc/user_attr.d/*). Finally, check the result with:
		nis_cat {auth_attr,prof_attr,user_attr}

	To remove the profile from LDAP use:
		nis_adm -r hets-worker prof_attr
	and analogously for the authorization:
		nis_adm -r solaris.smf.manage.hets auth_attr
	and remove all special privileges for john:
		nis_adm -r john -p SolarisAttrKeyValue="*" passwd
##
	For more information see: svcadm(1M), svcs(1), svcprop(1), smf(5).
-->

<service_bundle type='manifest' name='LNFhets:server'>

<service name='network/hets' type='service' version='1'>

	<!-- Wait for network interfaces to be initialized. With
		restart_on='error' hets is restarted only when this dependency is
		restarted because of a fault, not on an administrative restart or
		refresh of it. -->
	<dependency name='network' grouping='require_all' restart_on='error'
	    type='service'>
	    <service_fmri value='svc:/milestone/network:default'/>
	</dependency>

	<!-- Wait for all local filesystems to be mounted. restart_on='none':
		later state changes of this dependency never restart hets. -->
	<dependency name='filesystem-local' grouping='require_all'
		restart_on='none' type='service'>
	    <service_fmri value='svc:/system/filesystem/local:default'/>
	</dependency>

	<!-- hets comes via NFS, so wait for the automounter. The grouping is
		optional_all, so a disabled or absent autofs service does not keep
		hets from starting. -->
	<dependency name='autofs' grouping='optional_all' restart_on='error'
	    type='service'>
	    <service_fmri value='svc:/system/filesystem/autofs:default'/>
	</dependency>

	
	<!-- Start method. The command line is assembled from service properties:
		%{exec/name} selects the binary and the %{config/...} tokens supply
		its arguments, with %{config/port} following -S. @CLIENT_BASEDIR@
		looks like a placeholder that is replaced with the install prefix
		when the package is built or installed (TODO confirm).
		NOTE(review): the 'config' property group further down lets holders
		of solaris.smf.manage.hets change these values, so they control the
		arguments the server is started with. -->
	<exec_method type='method' name='start' timeout_seconds='60'
		exec='@CLIENT_BASEDIR@/bin/%{exec/name} -X %{config/auto-rule} %{config/casl-amalg} -S %{config/port} %{config/relative}'>
		<method_context>
			<!-- Run as the unprivileged webservd account. The privilege set
				is 'basic' minus proc_session, proc_info and file_link_any,
				plus net_privaddr, which is what lets a non-root process bind
				the ports below 1024 configured in this manifest (800, 801).
				net_privaddr is not limited to those two ports. -->
			<method_credential user='webservd' group='webservd'
				privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr'/>
			<method_environment>
				<!-- NOTE(review): /var/tmp is world-writable. Presumably this
					directory is created on first use; pre-create it owned by
					webservd with mode 0700 so that no other local user can
					create or fill it first. -->
				<envvar name='TEXMFVAR' value='/var/tmp/hets.texmf' />
				<!-- GHC runtime options: suggested heap size 300m (-H), but
					max. 3GB (-M); for now 4G == natural limit since 32bit -->
				<envvar name='GHCRTS' value='-H300m -M3G' />
				<!-- Fixed, minimal search path for the server process. -->
				<envvar name='PATH' value='@CLIENT_BASEDIR@/bin:/usr/bin' />
			</method_environment>
		</method_context>
	</exec_method>

	<!-- Stop method: the ':kill' token makes the restarter signal the
		processes in the service's contract (SIGTERM unless another signal is
		given). No method_context is needed for it. -->
	<exec_method type='method' name='stop' timeout_seconds='60'
		exec=':kill' />

	<!-- Name of the binary the start method runs from @CLIENT_BASEDIR@/bin.
		This group carries no value_authorization of its own, so presumably
		only users with the general SMF modify authorization (or root) can
		point the service at a different binary (verify with smf_security(5)). -->
	<property_group name='exec' type='application'>
		<propval name='name' type='astring' value='hets-server'/>
	</property_group>

	<!-- Service-wide defaults for the start method arguments; the two
		instances below override some of them. -->
	<property_group name='config' type='application'>
		<stability value='Evolving' />
		<!-- always required; a port below 1024 relies on the net_privaddr
			privilege granted in the start method -->
		<propval name='port' type='integer' value='800' />
		<!-- we use these 2 for the normal hets, but NOT for hets UML -->
		<propval name='auto-rule' type='astring' value='-A'/>
		<propval name='casl-amalg' type='astring' value='--casl-amalg=none'/>
		<!-- we use this one NOT for the normal hets, but for hets UML -->
		<propval name='relative' type='astring' value='--relative-positions'/>
		<!-- Holders of solaris.smf.manage.hets may change the values in this
			group. NOTE(review): the astring values are free-form and are
			substituted into the start command line as they are, so this
			authorization should only go to users who are trusted to choose
			the server's arguments and listening port. -->
		<property name='value_authorization' type='astring'>
			<astring_list>
				<value_node value='solaris.smf.manage.hets' />
			</astring_list>
		</property>
	</property_group>

	<!-- Settings read by the svc.startd restarter. -->
	<property_group name='startd' type='framework'>
		<!-- sub-process core dumps and signals shouldn't restart the
			service -->
		<propval name='ignore_error' type='astring' value='core,signal' />
		<!-- Unfortunately hets has no daemon mode and thus we are limited
			to the 'child' service model: the start method process itself is
			the service, and the restarter acts when that process exits. -->
		<propval name='duration' type='astring' value='child' />
	</property_group>

	<!--
	Permission to manage this service can be assigned e.g. with:
		print 'john::::auths=solaris.smf.manage.hets' >>/etc/user_attr.d/hets
	However, the recommended way is the procedure shown at the top of this
	file. See also: auths(1), user_attr(4), smf_security(5).
	-->
	<property_group name='general' type='framework'>
		<!-- allows holders to: restart, refresh, mark, clear -->
		<propval name='action_authorization' type='astring'
			value='solaris.smf.manage.hets' />
		<!-- allows holders to: enable, disable -->
		<propval name='value_authorization' type='astring'
			value='solaris.smf.manage.hets' />
	</property_group>

	<!-- Both instances ship disabled (enabled='false'), so nothing listens
		until an administrator enables one explicitly. -->
	<!-- Normal hets server: keeps the service-wide binary name, port 800 and
		the auto-rule/casl-amalg arguments, and blanks 'relative' so that
		%{config/relative} contributes nothing to the command line. -->
	<instance name='default' enabled='false' complete='true'>
		<property_group name='config' type='application'>
			<propval name='relative' type='astring' value=''/>
		</property_group>
	</instance>
	<!-- UML hets server: runs hets-uml-server on port 801, blanks the
		auto-rule and casl-amalg arguments and keeps the service-wide
		'relative' argument.
		NOTE(review): the instance-level 'config' groups define no
		value_authorization of their own; confirm with svcprop and
		smf_security(5) which authorization covers changes made at instance
		level. -->
	<instance name='uml' enabled='false' complete='true'>
		<property_group name='exec' type='application'>
			<propval name='name' type='astring' value='hets-uml-server'/>
		</property_group>
		<property_group name='config' type='application'>
			<propval name='port' type='integer' value='801' />
			<propval name='auto-rule' type='astring' value='' />
			<propval name='casl-amalg' type='astring' value='' />
		</property_group>
	</instance>

	<!-- Interface stability of the service as a whole. -->
	<stability value='Evolving' />

	<!-- Descriptive metadata only; nothing here affects how the service
		runs. -->
	<template>
		<common_name>
			<!-- NOTE(review): 'het server' looks like a typo for
				'hets server'; confirm before changing the displayed name. -->
			<loctext xml:lang='C'>
				het server
			</loctext>
		</common_name>
		<documentation>
			<manpage title='hets-server' section='1'
				manpath='@CLIENT_BASEDIR@/share/man' />
			<!-- NOTE(review): plain-http link; use an https URI if the site
				offers one. -->
			<doc_link name='hets.eu' uri='http://hets.eu/' />
		</documentation>
	</template>
</service>

</service_bundle>
<!-- vim: ts=4 sw=4 filetype=xml
-->
