Add Alpine/OpenRC compatibility for init system support

- Updated SPEC.md: Changed systemd requirements to distribution-dependent init system - Updated ARCHITECTURE.md: Added OpenRC hardening options and init script locations - Updated build-alpine.sh: Replaced systemd-dev with openrc, use /etc/init.d - Created configs/linux-patch-api-openrc: Full OpenRC init script - Added Dockerfile.rpm for RPM build container Init system support: - systemd: Debian, Ubuntu, RHEL, CentOS, Fedora - OpenRC: Alpine Linux Binary remains init-system agnostic - no Rust code changes required.
2026-04-13 20:16:10 +00:00
parent 7bee3ddd88
commit ce27a3c090
5 changed files with 133 additions and 27 deletions
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@ -2,7 +2,7 @@

 ## System Overview

-The Linux_Patch_API is a secure, single-host API service that enables remote package and patch management on Linux systems. Each instance runs as a systemd service on the managed host, providing a REST API over mTLS with strict IP whitelist enforcement.
+The Linux_Patch_API is a secure, single-host API service that enables remote package and patch management on Linux systems. Each instance runs as a system service on the managed host (systemd on most distributions, OpenRC on Alpine), providing a REST API over mTLS with strict IP whitelist enforcement.

 **Architecture Type:** Agent Per Host (Option B)  
 **Deployment:** One instance per managed Linux host  
@ -45,8 +45,9 @@ The Linux_Patch_API is a secure, single-host API service that enables remote pac
   - Distribution detection and adapter selection

 6. **Audit Logger**
-   - systemd journal integration (primary)
-   - Optional remote syslog server
+   - System logging integration (primary)
+     - systemd journal on systemd-based systems
+     - syslog/local files on OpenRC-based systems
   - Local file fallback (`/var/log/linux_patch_api/`)
   - 30-day retention with daily rotation and gzip compression

@ -59,9 +60,10 @@ The Linux_Patch_API is a secure, single-host API service that enables remote pac
 ### External Integrations

 - **Package Managers:** apt, dnf, yum, apk, pacman (via system commands)
- **systemd:** Service management and journal logging
+- **Init System:** Service management and logging
+  - systemd (Debian, Ubuntu, RHEL, CentOS, Fedora)
+  - OpenRC (Alpine Linux)
 - **Internal CA:** Certificate validation against self-hosted CA
- **Remote Syslog:** Optional external log aggregation

 ---

@ -74,14 +76,17 @@ The Linux_Patch_API is a secure, single-host API service that enables remote pac
 - **mTLS:** Rust TLS library (rustls or native-tls)

 ### Infrastructure
- **Service Manager:** systemd
+- **Service Manager:** Distribution-dependent
+  - systemd (most distributions)
+  - OpenRC (Alpine Linux)
 - **Configuration:** YAML
- **Logging:** systemd journal + optional syslog

 ### Deployment
 - **Package Format:** Native Linux packages (deb, rpm, apk, pkg.tar.zst)
 - **Distribution:** Via target system package manager (apt, dnf, apk, pacman)
- **Installation:** Package installs binary, systemd service, and default config structure
+- **Installation:** Package installs binary, init script/service, and default config structure
+  - systemd unit file for systemd distributions
+  - OpenRC init script for Alpine
 - **Updates:** Handled through system package manager

 ---
@ -99,16 +104,21 @@ The Linux_Patch_API is a secure, single-host API service that enables remote pac
 - No granular permissions (binary access: allowed or denied)
 - Whitelisted IP + valid cert = full API access

-### Process Security (systemd Hardening)
+### Process Security (Init System Hardening)
 - **User:** root (required for package management)
- **NoNewPrivileges:** true (prevent privilege escalation)
- **ProtectSystem:** strict (read-only filesystem except allowed paths)
- **ProtectHome:** true (no access to /home, /root, /run/user)
- **PrivateTmp:** true (isolated /tmp)
- **SystemCallFilter:** Restrict to required syscalls only (application whitelist)
- **RestrictAddressFamilies:** AF_INET, AF_INET6, AF_UNIX (network restrictions)
- **CapabilityBoundingSet:** CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN (minimal capabilities)

+**systemd Hardening Options:**
+- NoNewPrivileges: true (prevent privilege escalation)
+- ProtectSystem: strict (read-only filesystem except allowed paths)
+- ProtectHome: true (no access to /home, /root, /run/user)
+- PrivateTmp: true (isolated /tmp)
+- SystemCallFilter: Restrict to required syscalls only (application whitelist)
+
+**OpenRC Hardening Options:**
+- Run as dedicated service user
+- File permission restrictions
+- chroot isolation (optional)
+- Equivalent security via rc.conf and init script options
 ### Data Security
 - All communications encrypted via TLS
 - Certificates stored securely with restricted permissions
@ -149,7 +159,9 @@ The Linux_Patch_API is a secure, single-host API service that enables remote pac
 └── audit.log           # Local audit log fallback

 /usr/bin/linux-patch-api  # Binary location
-/etc/systemd/system/linux-patch-api.service  # Systemd service
+Init scripts (distribution-dependent):
+- /etc/systemd/system/linux-patch-api.service  # systemd
+- /etc/init.d/linux-patch-api  # OpenRC (Alpine)
 ```
 ---

--- a/Dockerfile.rpm
+++ b/Dockerfile.rpm
@ -0,0 +1,14 @@
+# Fedora container with Node.js for GitHub Actions support
+# Used for RPM package builds in CI/CD
+FROM fedora:latest
+
+# Install Node.js (required for GitHub Actions JavaScript-based actions)
+# Also install dnf-plugins-core for potential multiarch support
+RUN dnf install -y nodejs dnf-plugins-core && \
+    dnf clean all
+
+# Verify node is available
+RUN node --version
+
+# Default command (not used in CI, but good for testing)
+CMD ["/bin/bash"]
--- a/SPEC.md
+++ b/SPEC.md
@ -41,7 +41,9 @@
 **Primary Objective:** Provide secure API for remote patch/package management on individual Linux hosts

 **Key Goals:**
- Run as systemd service on each managed machine (Option B: Agent Per Host)
+- Run as a system service on each managed machine (Option B: Agent Per Host)
+  - systemd for Debian/Ubuntu, RHEL/CentOS/Fedora
+  - OpenRC for Alpine Linux
 - Internal network access only (no internet exposure)
 - Support Debian/Ubuntu first, then expand to other distributions
 - Maintain audit trail of all operations
@ -55,7 +57,9 @@
 - One API instance per host
 - Internal network only (LAN/private network)
 - No public internet exposure
- Must run as systemd service
+- Must run as a system service (init system determined by distribution)
+  - systemd: Debian, Ubuntu, RHEL, CentOS, Fedora
+  - OpenRC: Alpine Linux

 **Technical:**
 - Must run with elevated privileges for package management (root/sudo)
@ -119,7 +123,9 @@
 ## Dependencies

 - Linux OS with package manager support
- systemd for service management
+- Init system for service management (distribution-dependent)
+  - systemd (most distributions)
+  - OpenRC (Alpine Linux)
 - Network access for API communication
 - mTLS certificate infrastructure (CA, client certs)
 - IP whitelist configuration
@ -147,8 +153,10 @@
  - Configuration changes (whitelist updates, cert renewals)

 - **Log Storage:**
-  - Primary: systemd journal (`journalctl`)
-  - Secondary: Optional remote syslog server
+  - Primary: Distribution-appropriate logging
+    - systemd journal (journalctl) on systemd systems
+    - syslog/local files on OpenRC systems
+  - Secondary: Optional remote syslog server (universal)
  - Local file logs as fallback (`/var/log/linux_patch_api/`)

 - **Log Retention:**
--- a/build-alpine.sh
+++ b/build-alpine.sh
@ -11,7 +11,7 @@ echo ""
 # Check if running on Alpine
 if ! command -v abuild &> /dev/null; then
    echo "Installing Alpine build tools..."
-    apk add --no-cache alpine-sdk rust cargo openssl-dev systemd-dev git
+    apk add --no-cache alpine-sdk rust cargo openssl-dev openrc git
 fi

 # Setup build environment
@ -27,13 +27,13 @@ cargo build --release --target x86_64-unknown-linux-musl
 PKGDIR=$(pwd)/apk-package
 mkdir -p "$PKGDIR"/usr/bin
 mkdir -p "$PKGDIR"/etc/linux_patch_api
-mkdir -p "$PKGDIR"/lib/systemd/system
+mkdir -p "$PKGDIR"/etc/init.d

 # Copy files
 cp target/x86_64-unknown-linux-musl/release/linux-patch-api "$PKGDIR"/usr/bin/
 chmod 755 "$PKGDIR"/usr/bin/linux-patch-api
-cp configs/linux-patch-api.service "$PKGDIR"/lib/systemd/system/
-cp configs/config.yaml.example "$PKGDIR"/etc/linux_patch_api/config.yaml
+cp configs/linux-patch-api-openrc "$PKGDIR"/etc/init.d/linux-patch-api
+chmod 755 "$PKGDIR"/etc/init.d/linux-patch-api
 cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml

 # Create APKBUILD
@ -46,7 +46,7 @@ pkgdesc="Secure remote package management API for Linux systems"
 url="https://gitea.internal/linux-patch-api"
 arch="x86_64"
 license="MIT"
-depends="systemd"
+depends="openrc"
 source="apk-package"

 package() {
--- a/configs/linux-patch-api-openrc
+++ b/configs/linux-patch-api-openrc
@ -0,0 +1,72 @@
+#!/sbin/openrc-run
+# OpenRC init script for linux-patch-api
+# Used on Alpine Linux and other OpenRC-based systems
+
+name="linux_patch_api"
+command="/usr/bin/linux-patch-api"
+command_args="--config /etc/linux_patch_api/config.yaml"
+command_background=true
+pidfile="/run/linux-patch-api/linux-patch-api.pid"
+output_log="/var/log/linux_patch_api/linux-patch-api.log"
+error_log="/var/log/linux_patch_api/linux-patch-api.err"
+
+# Required dependencies
+depend() {
+    use net logger
+}
+
+# Create required directories before starting
+start_pre() {
+    checkpath --directory --owner linux-patch-api:linux-patch-api --mode 0755 \
+        /run/linux-patch-api \
+        /var/log/linux-patch-api \
+        /var/lib/linux-patch-api \
+        /etc/linux_patch_api/certs
+    
+    # Ensure config files exist
+    if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
+        eerror "Configuration file missing: /etc/linux_patch_api/config.yaml"
+        eerror "Please create config.yaml before starting the service"
+        return 1
+    fi
+    
+    if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
+        eerror "Whitelist file missing: /etc/linux_patch_api/whitelist.yaml"
+        eerror "Please create whitelist.yaml before starting the service"
+        return 1
+    fi
+}
+
+# Verify service started successfully
+start_post() {
+    sleep 2
+    if [ -f "$pidfile" ]; then
+        einfo "linux-patch-api started successfully (PID: $(cat $pidfile))"
+    else
+        ewarn "linux-patch-api may not have started correctly - pidfile not found"
+    fi
+}
+
+# Clean shutdown
+stop_pre() {
+    einfo "Stopping linux-patch-api service..."
+}
+
+# Verify service stopped
+stop_post() {
+    if [ -f "$pidfile" ]; then
+        rm -f "$pidfile"
+    fi
+    einfo "linux-patch-api stopped"
+}
+
+# Service status
+status() {
+    if [ -f "$pidfile" ] && kill -0 $(cat "$pidfile") 2>/dev/null; then
+        einfo "linux-patch-api is running (PID: $(cat $pidfile))"
+        return 0
+    else
+        eerror "linux-patch-api is not running"
+        return 1
+    fi
+}