provide a system service for the proxy server

[Antoine Martin]

Now that the proxy server can be used for starting new sessions on demand (#1319) and that we have ssl support (#1252) and a default port (#731), it makes sense to have a default service that can be used for all this.
Somewhat related to #1105, #888 and #1334.

Tasks:

• generate a test certificate
• install the service files (init and systemd...)

[Antoine Martin]

Major changesets (there are many more):

• r14020 + r14022 + r14023: cleanup + preparatory work
• r14024: generate a test ssl cert (RPM only), r14029 for DEB
• r14026: systemd + init file and packaging
• r14045: pidfile support
• r14081: update firewall during rpm installation (centos7 and fedora)

---

After installation, there should be a new firewall rule allowing traffic on our port (14500 see #731):

$ sudo iptables -vnL | grep -i 145
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:14500 ctstate NEW

This rule should be deleted when the RPM package is uninstalled.

The service is not started by default at the moment, to change that see ​Enabling and disabling services during start up in GNU/Linux (instructions vary depending on the init system used by the distribution).

To start the service (these commands should work almost everywhere: fedora, centos, debian, ubuntu, etc):

sudo service xpra start

After that, you should be able to confirm that it is running with:

sudo service xpra status

or with systemd (fedora, centos7):

sudo systemctl status xpra.service

or with systemd it should be listed in the system slice:

$ systemd-cgls
Control group /:
-.slice
├─init.scope
│ └─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 24
├─system.slice
│ ├─avahi-daemon.service
│ │ ├─1140 avahi-daemon: running [desktop.local
│ │ └─1173 avahi-daemon: chroot helpe
(..)
│ ├─xpra.service
│ │ └─7249 /bin/python /usr/bin/xpra proxy :14500 --bind-tcp=0.0.0.0:14500 --auth=sys --tcp-auth=sys --ssl-cert=/etc/xpra/ssl-cert.pem --socket-permissions=666 --daemon=no --log-dir
(..)

or on systems with a "/var/run/xpra" directory (those that support tmpfiles.d, see #888):

xpra list

(as any user)
or

xpra version tcp/127.0.0.1

or

xpra version ssl/127.0.0.1/ --ssl-server-verify-mode=none

(see #1252 for details)
or even hitting this proxy server with a browser to get the session login page:

xdg-open http://127.0.0.1:14500/

In order to use any other sub-commands against this proxy server, you need to authenticate with a system account (the proxy server is configured to use the "sys" authentication module).
ie:

xpra start ssl/$USERNAME:$YOURUNIXPASSWORD@127.0.0.1/ --ssl-server-verify-mode=none --start-child=xterm --exit-with-children

(see #1319 for details, bugs related to connecting or using the proxy server itself do not belong here)

@afarr: just a FYI, feel free to close.

[Antoine Martin]

fallback to firewall-offline-cmd in r14484.

Further notes:

• to permanently add the rule to another zone, ie "trusted":

  firewall-cmd --add-port=14500/tcp --zone=trusted --permanent
  

• the default zone where we add the rule as part of the rpm postinstall is:

  firewall-cmd --get-default-zone
  

More examples: ​https://www.certdepot.net/rhel7-get-started-firewalld/.

[Antoine Martin]

We now also silence the "success" message during RPM (un)install: r14602.

[Antoine Martin]

Added a wiki page linking back here: wiki/Service.

[Antoine Martin]

Debian packaging of the systemd service: #1530

[migration script]

this ticket has been moved to: ​https://github.com/Xpra-org/xpra/issues/1335