airvpnclient 13 Posted ...

My target system: Headless Raspberry Pi 2 Model B Rev 1.1 system via ssh.

    $ uname -a
    Linux xbian 4.19.90+ #1 SMP PREEMPT Wed Dec 18 20:39:10 CET 2019 armv7l GNU/Linux
    ## based on Debian GNU/Linux 10 (buster)

My use case is to have this box come up on boot fully protected - VPN / DNS / firewall and stay that way.

My first effort was to run eddie-cli in rc.local and I hit a few roadblocks but figured out the following:

1. The script /etc/rc.local runs as root, but eddie-cli expects to be run by an unprivileged user (it is installed in /usr/bin).

2. Also, /etc/rc.local does not, by default, provision a terminal (tty) while eddie-cli depends on it.

These two issues can be addressed using the su command "su -P -c 'eddie-cli ...{options}...' User". The command su -c lets rc.local run it as a normal user and the -P option gives rc.local access to a pseudo-terminal.

3. Even when the -batch directive is used, some forking program wants a typed password when escalating privileges during startup. In order to get around that I gave my user password-free access via sudo by editing the sudoers file as set out here: https://linuxhandbook.com/sudo-without-password/

The command eddie-cli executes via sudo is /usr/lib/eddie-cli/eddie-cli-elevated, and there also exists /usr/lib/eddie-cli/eddie-cli-elevated2. Using the # visudo command to allow nopassword sudo for just these two commands:

    xbian ALL=(ALL) NOPASSWD:/usr/lib/eddie-cli/eddie-cli-elevated,/usr/lib/eddie-cli/eddie-cli-elevated2

This 3-part kludge actually works well. But better yet would be to have eddie-cli run as a proper init service. For standard Debian 10 systems that would require writing a SystemD unit file, etc. Or, since SystemD runs rc.local as a service, you could try just using the command that follows "exec" below at the end of the /etc/rc.local file. Good scripting practice would also include tests so that rc.local exits with zero on success and non-zero on failure. I think you would then be able to control eddie-cli by using systemctl against the rc.local service, but I haven't checked this out.

Xbian, to their credit, eschews SystemD and uses instead Canonical's older Upstart init system -- an improvement over SystemV without the borg-like expansiveness of SystemD. After digging a bit, I have put together a configuration file based on the one that existed for OpenVPN and it works exactly as advertised. The system boots protected and I can manage eddie-cli with Upstart's start, stop, and status commands while the output is logged to /var/log/upstart/eddie-cli.log.

    $ cat /etc/init/eddie-cli.conf
    start on (net-device-up and local-filesystems and runlevel [2345])
    stop on runlevel [!2345]

    env PIDFILE="/var/run/eddie-cli/eddie.pid"

    respawn
    respawn limit 6 60

    pre-start script
        # Create the runtime directory that holds the PID file
        if [ ! -e /var/run/eddie-cli ]; then
            mkdir -m 0770 /var/run/eddie-cli
            chown nobody:nogroup /var/run/eddie-cli
        fi
    end script

    # Run eddie-cli as the unprivileged user xbian with a pseudo-terminal (-P)
    exec su -P -c "/usr/bin/eddie-cli \
        -netlock \
        -login=airvpnclient \
        -password=***************** \
        -server=Rotanev \
        -connect \
        -batch" \
        xbian

    pre-stop script
        PID=`cat $PIDFILE`
        # Test the exit status of kill itself; "$?" after sleep would report on sleep
        if kill -15 $PID; then
            sleep 3
            rm -f $PIDFILE
        else
            echo "Unable to stop VPN"
        fi
    end script

    post-stop exec sleep 5

    ### I will also want to add to the post-stop command an iptables-restore command, against some tables I saved on the desktop
    ### so swap for something like:
    # post-stop exec sleep 5 && /usr/sbin/iptables-legacy-restore < /etc/eddie-cli/airvpn.tables && /usr/sbin/ip6tables-legacy-restore < /etc/eddie-cli/airvpn.6tables
    ### since if the service hits its respawn limit for some reason and stops, there would be no firewall
    ### and other services would be exposed.

Hope this helps someone.
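The NOPASSWD rule in the post above lets the xbian user run two helper binaries as root without a password, so neither those files nor their directory may be writable by anyone but root. The following is an added example, not part of the original post or of eddie-cli, that checks this for any sudoers line; the function names and the TRUSTED_UID variable are assumptions of this sketch, and it relies on GNU stat as shipped with Debian.

```shell
#!/bin/sh
# Added example, not from the original post. TRUSTED_UID is an assumption of
# this sketch: it defaults to 0 (root) and lets the check be tried without root.

# Print the command paths that follow "NOPASSWD:", one per line, without args.
nopasswd_paths() {
    printf '%s\n' "$1" | sed -n 's/.*NOPASSWD:[[:space:]]*//p' |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | cut -d' ' -f1
}

# Succeed only if $1 is owned by the trusted uid and is not writable by
# group or others (symlinks are followed, so the target is what gets judged).
safe_owner_mode() {
    meta=$(stat -L -c '%u %a' "$1" 2>/dev/null) || return 1
    [ "${meta% *}" -eq "${TRUSTED_UID:-0}" ] || return 1
    [ $(( 0${meta#* } & 022 )) -eq 0 ]
}

# Audit each command of a sudoers line. Prints one result per command and
# returns non-zero if any of them could be modified or replaced by a user
# other than the trusted one. Only the file and its immediate directory are
# checked; ancestors further up are out of scope here.
audit_nopasswd_line() {
    rc=0
    for cmd in $(nopasswd_paths "$1"); do
        case $cmd in
            /*) ;;
            *) echo "FAIL $cmd: not an absolute path"; rc=1; continue ;;
        esac
        if [ ! -f "$cmd" ]; then
            echo "FAIL $cmd: missing or not a regular file"; rc=1
        elif ! safe_owner_mode "$cmd"; then
            echo "FAIL $cmd: wrong owner, or writable by group/others"; rc=1
        elif ! safe_owner_mode "$(dirname "$cmd")"; then
            echo "FAIL $cmd: directory lets the file be replaced"; rc=1
        else
            echo "OK   $cmd"
        fi
    done
    return $rc
}

# Usage: sh audit.sh 'xbian ALL=(ALL) NOPASSWD:/path/a,/path/b'
if [ "$#" -gt 0 ]; then
    audit_nopasswd_line "$*"
fi
```

A non-zero exit status means at least one listed command failed a check and the rule should not be relied on until ownership and permissions are corrected.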
airvpnclient 13 Posted ...

Parts of this Upstart configuration are not doing what I would expect and, in particular, it is not identifying its PID in /var/run/eddie-cli/eddie.pid. Here is my modified Upstart script:

    start on (net-device-up and local-filesystems and runlevel [2345])
    stop on runlevel [!2345]

    emits airvpn-up airvpn-down

    # PIDFILE has to be defined for the post-start and pre-stop scripts below
    env PIDFILE="/var/run/eddie-cli/eddie.pid"

    respawn
    respawn limit 6 60

    pre-start script
        # Create the runtime directory that holds the PID file
        if [ ! -e /var/run/eddie-cli ]; then
            mkdir -m 0770 /var/run/eddie-cli
            chown nobody:nogroup /var/run/eddie-cli
        fi
    end script

    # Run eddie-cli as the unprivileged user xbian with a pseudo-terminal (-P)
    exec su -P -c "/usr/bin/eddie-cli \
        -netlock \
        -login=airvpnclient \
        -password=My.cat.has.pings. \
        -server=Rotanev \
        -connect \
        -batch" \
        xbian

    post-start script
        # Take the PID from the first line of the status output and record it
        PID=`service eddie-cli status | egrep -m1 -oi '([0-9]+)$'`
        echo $PID > $PIDFILE
    end script

    pre-stop script
        PID=`cat $PIDFILE`
        # Test the exit status of kill itself; "$?" after sleep would report on sleep
        if kill -15 $PID; then
            sleep 1
            rm -f $PIDFILE
        else
            echo "Unable to stop Eddie-cli"
        fi
    end script

    post-stop exec sleep 5

I have also created the following upstart script to run after eddie-cli starts to limit its cpu use:

    start on started eddie-cli
    exec /usr/bin/cpulimit --pid $(cat /var/run/eddie-cli/eddie.pid) --limit 20