GNU logs - #37388, boring messages


Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#37388: <nginx-configuration> can lead to syntactically invalid configs
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Thu, 12 Sep 2019 07:58:01 +0000
Resent-Message-ID: <handler.37388.B.156827504116808 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 37388
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: bug-Guix@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.156827504116808
          (code B ref -1); Thu, 12 Sep 2019 07:58:01 +0000
Received: (at submit) by debbugs.gnu.org; 12 Sep 2019 07:57:21 +0000
Received: from localhost ([127.0.0.1]:43000 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1i8Jyj-0004N1-7I
	for submit <at> debbugs.gnu.org; Thu, 12 Sep 2019 03:57:21 -0400
Received: from lists.gnu.org ([209.51.188.17]:53393)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1i8Jyh-0004Mu-Jc
 for submit <at> debbugs.gnu.org; Thu, 12 Sep 2019 03:57:19 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:56303)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>) id 1i8Jyg-000154-GD
 for bug-Guix@HIDDEN; Thu, 12 Sep 2019 03:57:19 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=5.0 tests=ALL_TRUSTED,BAYES_50
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:470:142:3::e]:58175)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1i8Jyg-0001kh-Cy
 for bug-Guix@HIDDEN; Thu, 12 Sep 2019 03:57:18 -0400
Received: from [2001:660:6102:320:e120:2c8f:8909:cdfe] (port=38356 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>) id 1i8Jye-0003S4-Hb
 for bug-Guix@HIDDEN; Thu, 12 Sep 2019 03:57:17 -0400
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 26 Fructidor an 227 de la =?UTF-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Thu, 12 Sep 2019 09:57:13 +0200
Message-ID: <87d0g6q752.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hello Guix!

It’s nice that we have <nginx-configuration> but I noticed that, unlike
most or all other configuration records that we have, it’s possible to
create an <nginx-configuration> record that leads to a syntactically
invalid nginx config file.

For example, if you have a location block like this:

        (nginx-location-configuration
          (uri "/manual/")
          (body (list "alias /srv/guix-manual")))

Guix will silently create an invalid nginx config file, which you’ll
only notice once you’ve reconfigured and nginx fails to start.

See why?  That’s because we’re missing a semicolon in the “alias”
directive, and that directive is spit out directly as is.

To address it, we could have record types for <alias>, <root>, and all
the directives out there; it could be tedious, unless we automate it,
effectively creating a complete EDSL.

Another approach would be to have an sexp representation of the nginx
configuration language.  That’d effectively replace semicolons with
parentheses :-), but more importantly, that would allow us to not paste
strings as-is in the resulting config file.  The downside is that it’s
very much “free style” compared to records, but we could still
pattern-match the sexp to validate certain properties.

Thoughts?

Ludo’.
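
The sexp approach proposed in the message above, sketched in Guile as an added example; it is not part of the original message and not Guix code. The names render-directive, render-arg and arities, and the convention that a directive is (NAME ARG ... CHILD ...) with nested lists as block contents, are assumptions made for illustration.

```scheme
;; Added example (not Guix's code): serialize an sexp into nginx config
;; text so that terminators, braces and quoting come from the serializer
;; and user strings are never pasted verbatim.
(use-modules (ice-9 match)
             (srfi srfi-1))

;; Characters allowed in an unquoted nginx argument (assumed safe set).
(define safe-chars
  (char-set-union char-set:letter+digit (string->char-set "/._-:=*~^$")))

;; Characters allowed in a directive name.
(define name-chars
  (char-set-union char-set:letter+digit (char-set #\_)))

;; Directives whose argument count is checked (illustrative subset).
(define arities '((alias . 1) (root . 1)))

(define (atom? x) (not (list? x)))

(define (escape str)
  "Backslash-escape double quotes and backslashes in STR."
  (string-concatenate
   (map (lambda (c)
          (if (memv c '(#\" #\\))
              (string #\\ c)
              (string c)))
        (string->list str))))

(define (render-arg arg)
  "Return ARG as exactly one nginx token, quoting it when needed."
  (match arg
    ((? symbol?) (render-arg (symbol->string arg)))
    ((? exact-integer?) (number->string arg))
    ((? string?)
     (cond ((string-any char-set:iso-control arg)
            (error "control character in nginx argument" arg))
           ((and (not (string-null? arg))
                 (string-every safe-chars arg))
            arg)
           (else
            ;; ';', '{', '}', spaces and quotes end up inside quotes.
            (string-append "\"" (escape arg) "\""))))
    (_ (error "unsupported nginx argument" arg))))

(define* (render-directive sexp #:optional (indent ""))
  "Return the nginx text for SEXP, a list (NAME ARG ... CHILD ...)."
  (match sexp
    (((? symbol? name) . rest)
     (let* ((name-str (symbol->string name))
            (args     (take-while atom? rest))
            (children (drop-while atom? rest))
            (arity    (assq-ref arities name))
            (head     (string-join (cons name-str (map render-arg args))
                                   " ")))
       (unless (and (not (string-null? name-str))
                    (string-every name-chars name-str))
         (error "invalid directive name" name))
       (unless (every list? children)
         (error "argument after nested block" sexp))
       (when (and arity (not (= arity (length args))))
         (error "wrong number of arguments" sexp))
       (if (null? children)
           ;; Simple directive: the semicolon is added here, always.
           (string-append indent head ";\n")
           ;; Block directive; an empty child () yields an empty block.
           (string-append
            indent head " {\n"
            (string-concatenate
             (map (lambda (child)
                    (render-directive child (string-append indent "  ")))
                  (remove null? children)))
            indent "}\n"))))
    (_ (error "malformed nginx directive" sexp))))

;; Constructed sample: the location block from the report, as an sexp.
(define manual-location
  '(location "/manual/"
     (alias "/srv/guix-manual")))

(display (render-directive manual-location))

;; Constructed sample: an argument containing ';' and quotes is emitted
;; as a single quoted token instead of ending the directive early.
(display (render-directive '(add_header "X-Note" "built; by \"guix\"")))

;; (render-directive '(alias)) raises "wrong number of arguments".
```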




Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: bug#37388: Acknowledgement (<nginx-configuration> can lead to
 syntactically invalid configs)
Message-ID: <handler.37388.B.156827504116808.ack <at> debbugs.gnu.org>
References: <87d0g6q752.fsf@HIDDEN>
X-Gnu-PR-Message: ack 37388
X-Gnu-PR-Package: guix
Reply-To: 37388 <at> debbugs.gnu.org
Date: Thu, 12 Sep 2019 07:58:01 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please
send it to 37388 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
37388: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37388
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#37388: <nginx-configuration> can lead to syntactically invalid configs
Resent-From: =?UTF-8?Q?G=C3=A1bor?= Boskovits <boskovits@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Thu, 12 Sep 2019 12:50:02 +0000
Resent-Message-ID: <handler.37388.B37388.15682925718345 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 37388
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Cc: 37388 <at> debbugs.gnu.org
Received: via spool by 37388-submit <at> debbugs.gnu.org id=B37388.15682925718345
          (code B ref 37388); Thu, 12 Sep 2019 12:50:02 +0000
Received: (at 37388) by debbugs.gnu.org; 12 Sep 2019 12:49:31 +0000
Received: from localhost ([127.0.0.1]:43158 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1i8OXS-0002AX-Ur
	for submit <at> debbugs.gnu.org; Thu, 12 Sep 2019 08:49:31 -0400
Received: from mail-ed1-f54.google.com ([209.85.208.54]:38343)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <boskovits@HIDDEN>) id 1i8OXQ-0002AJ-Nf
 for 37388 <at> debbugs.gnu.org; Thu, 12 Sep 2019 08:49:29 -0400
Received: by mail-ed1-f54.google.com with SMTP id a23so21602134edv.5
 for <37388 <at> debbugs.gnu.org>; Thu, 12 Sep 2019 05:49:28 -0700 (PDT)
MIME-Version: 1.0
References: <87d0g6q752.fsf@HIDDEN>
In-Reply-To: <87d0g6q752.fsf@HIDDEN>
From: =?UTF-8?Q?G=C3=A1bor?= Boskovits <boskovits@HIDDEN>
Date: Thu, 12 Sep 2019 14:49:10 +0200
Message-ID: <CAE4v=piOdgg0wSL2VDJYo07nMPSYYUMvYvPhGnnBVQ_nVzHc+Q@HIDDEN>
Content-Type: multipart/alternative; boundary="0000000000001aab6e05925a91a7"
X-Spam-Score: 0.0 (/)
X-Spam-Score: -1.0 (-)

--0000000000001aab6e05925a91a7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello,

Ludovic Courtès <ludo@HIDDEN> wrote (on Thu, 12 Sep 2019, 9:58):

> Hello Guix!
>
> It’s nice that we have <nginx-configuration> but I noticed that, unlike
> most or all other configuration records that we have, it’s possible to
> create an <nginx-configuration> record that leads to a syntactically
> invalid nginx config file.
>
> For example, if you have a location block like this:
>
>         (nginx-location-configuration
>           (uri "/manual/")
>           (body (list "alias /srv/guix-manual")))
>
> Guix will silently create an invalid nginx config file, which you’ll
> only notice once you’ve reconfigured and nginx fails to start.
>
> See why?  That’s because we’re missing a semicolon in the “alias”
> directive, and that directive is spit out directly as is.
>
> To address it, we could have record types for <alias>, <root>, and all
> the directives out there; it could be tedious, unless we automate it,
> effectively creating a complete EDSL.
>
> Another approach would be to have an sexp representation of the nginx
> configuration language.  That’d effectively replace semicolons with
> parentheses :-), but more importantly, that would allow us to not paste
> strings as-is in the resulting config file.  The downside is that it’s
> very much “free style” compared to records, but we could still
> pattern-match the sexp to validate certain properties.
>
>
I would most probably go for the sexp version.


> Thoughts?
>

I would like to add some more information to this, which I encountered when
trying to find a solution to the last-modified issue:

1. the nginx configuration can only be extended using server blocks, so it
is not possible to inject a location or a nested location.
2. the meaning of the nginx configuration can depend on the order of
directives in the configuration. Either we should give
an explicit mechanism for dealing with that, or disallow such
configurations.

If you feel these points to be off topic, then I can open a separate bug
for that, but these seem to relate to the configuration mechanism,
and should be considered when designing the new interface. Wdyt?


>
> Ludo’.
>
>
>
>
Best regards,
g_bor

-- 
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21

--0000000000001aab6e05925a91a7--




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#37388: <nginx-configuration> can lead to syntactically invalid configs
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Sat, 14 Sep 2019 09:49:01 +0000
Resent-Message-ID: <handler.37388.B37388.15684545027894 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 37388
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: =?UTF-8?Q?G=C3=A1bor?= Boskovits <boskovits@HIDDEN>
Cc: 37388 <at> debbugs.gnu.org
Received: via spool by 37388-submit <at> debbugs.gnu.org id=B37388.15684545027894
          (code B ref 37388); Sat, 14 Sep 2019 09:49:01 +0000
Received: (at 37388) by debbugs.gnu.org; 14 Sep 2019 09:48:22 +0000
Received: from localhost ([127.0.0.1]:45886 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1i94fE-00023E-6f
	for submit <at> debbugs.gnu.org; Sat, 14 Sep 2019 05:48:22 -0400
Received: from eggs.gnu.org ([209.51.188.92]:34941)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1i94fD-000233-5l
 for 37388 <at> debbugs.gnu.org; Sat, 14 Sep 2019 05:48:19 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:49599)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1i94f8-0005BB-02; Sat, 14 Sep 2019 05:48:14 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=58484 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1i94f7-00028P-AT; Sat, 14 Sep 2019 05:48:13 -0400
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
References: <87d0g6q752.fsf@HIDDEN>
 <CAE4v=piOdgg0wSL2VDJYo07nMPSYYUMvYvPhGnnBVQ_nVzHc+Q@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 28 Fructidor an 227 de la =?UTF-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Sat, 14 Sep 2019 11:48:11 +0200
In-Reply-To: <CAE4v=piOdgg0wSL2VDJYo07nMPSYYUMvYvPhGnnBVQ_nVzHc+Q@HIDDEN>
 ("=?UTF-8?Q?G=C3=A1bor?= Boskovits"'s message of "Thu, 12 Sep 2019
 14:49:10 +0200")
Message-ID: <87lfur5hus.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Spam-Score: -2.3 (--)
X-Spam-Score: -3.3 (---)

Hi Gábor,

Gábor Boskovits <boskovits@HIDDEN> writes:

> I would like to add some more information to this, which I encountered when
> trying to find a solution to the last-modified issue:
>
> 1. the nginx configuration can only be extended using server blocks, so it
> is not possible to inject a location or a nested location.
> 2. the meaning of the nginx configuration can depend on the order of
> directives in the configuration. Either we should give
> an explicit mechanism for dealing with that, or disallow such
> configurations.
>
> If you feel these points to be off topic, then I can open a separate bug
> for that, but these seem to relate to the configuration mechanism,
> and should be considered when designing the new interface. Wdyt?

I think it would deserve a separate issue, but I agree that extension of
<nginx-configuration> is tricky due to ordering.

Thanks for your feedback,
Ludo’.




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#37388: <nginx-configuration> can lead to syntactically invalid configs
Resent-From: Christopher Baines <mail@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Sat, 14 Sep 2019 10:04:01 +0000
Resent-Message-ID: <handler.37388.B37388.15684553869288 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 37388
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: ludo@HIDDEN
Cc: 37388 <at> debbugs.gnu.org
Received: via spool by 37388-submit <at> debbugs.gnu.org id=B37388.15684553869288
          (code B ref 37388); Sat, 14 Sep 2019 10:04:01 +0000
Received: (at 37388) by debbugs.gnu.org; 14 Sep 2019 10:03:06 +0000
Received: from localhost ([127.0.0.1]:45898 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1i94tV-0002Pk-TU
	for submit <at> debbugs.gnu.org; Sat, 14 Sep 2019 06:03:06 -0400
Received: from mira.cbaines.net ([212.71.252.8]:58642)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mail@HIDDEN>) id 1i94tT-0002Pb-Mu
 for 37388 <at> debbugs.gnu.org; Sat, 14 Sep 2019 06:03:04 -0400
Received: from localhost (cpc102582-walt20-2-0-cust14.13-2.cable.virginm.net
 [86.27.34.15])
 by mira.cbaines.net (Postfix) with ESMTPSA id 8F08617383;
 Sat, 14 Sep 2019 11:03:02 +0100 (BST)
Received: from capella (localhost [127.0.0.1])
 by localhost (OpenSMTPD) with ESMTP id 772f1c1b;
 Sat, 14 Sep 2019 10:03:01 +0000 (UTC)
References: <87d0g6q752.fsf@HIDDEN>
User-agent: mu4e 1.2.0; emacs 26.3
From: Christopher Baines <mail@HIDDEN>
In-reply-to: <87d0g6q752.fsf@HIDDEN>
Date: Sat, 14 Sep 2019 11:02:59 +0100
Message-ID: <87d0g3nqjw.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.0 (/)
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Ludovic Courtès <ludo@HIDDEN> writes:

> It’s nice that we have <nginx-configuration> but I noticed that, unlike
> most or all other configuration records that we have, it’s possible to
> create an <nginx-configuration> record that leads to a syntactically
> invalid nginx config file.
>
> For example, if you have a location block like this:
>
>         (nginx-location-configuration
>           (uri "/manual/")
>           (body (list "alias /srv/guix-manual")))
>
> Guix will silently create an invalid nginx config file, which you’ll
> only notice once you’ve reconfigured and nginx fails to start.

I wonder if some errors could be caught at build time, before attempting
to start the service.

If in the derivation to build the configuration file, nginx is run
against the built config file with -t, that might spot errors at
derivation build time.

> See why?  That’s because we’re missing a semicolon in the “alias”
> directive, and that directive is spit out directly as is.
>
> To address it, we could have record types for <alias>, <root>, and all
> the directives out there; it could be tedious, unless we automate it,
> effectively creating a complete EDSL.
>
> Another approach would be to have an sexp representation of the nginx
> configuration language.  That’d effectively replace semicolons with
> parentheses :-), but more importantly, that would allow us to not paste
> strings as-is in the resulting config file.  The downside is that it’s
> very much “free style” compared to records, but we could still
> pattern-match the sexp to validate certain properties.

An sexp representation sounds good, although I think records will work
out better for the common and high level parts.

--=-=-=--




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#37388: <nginx-configuration> can lead to syntactically invalid configs
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Sat, 14 Sep 2019 12:27:01 +0000
Resent-Message-ID: <handler.37388.B37388.15684639976193 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 37388
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Christopher Baines <mail@HIDDEN>
Cc: 37388 <at> debbugs.gnu.org
Received: via spool by 37388-submit <at> debbugs.gnu.org id=B37388.15684639976193
          (code B ref 37388); Sat, 14 Sep 2019 12:27:01 +0000
Received: (at 37388) by debbugs.gnu.org; 14 Sep 2019 12:26:37 +0000
Received: from localhost ([127.0.0.1]:45982 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1i978P-0001bo-69
	for submit <at> debbugs.gnu.org; Sat, 14 Sep 2019 08:26:37 -0400
Received: from eggs.gnu.org ([209.51.188.92]:52021)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1i978O-0001bc-21
 for 37388 <at> debbugs.gnu.org; Sat, 14 Sep 2019 08:26:36 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:51844)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1i978I-0003cw-U1; Sat, 14 Sep 2019 08:26:30 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=58842 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1i978H-0000LC-V3; Sat, 14 Sep 2019 08:26:30 -0400
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
References: <87d0g6q752.fsf@HIDDEN> <87d0g3nqjw.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 28 Fructidor an 227 de la =?UTF-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Sat, 14 Sep 2019 14:26:27 +0200
In-Reply-To: <87d0g3nqjw.fsf@HIDDEN> (Christopher Baines's message of
 "Sat, 14 Sep 2019 11:02:59 +0100")
Message-ID: <87r24j3vyk.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Spam-Score: -2.3 (--)
X-Spam-Score: -3.3 (---)

Hi,

Christopher Baines <mail@HIDDEN> writes:

> Ludovic Courtès <ludo@HIDDEN> writes:
>
>> It’s nice that we have <nginx-configuration> but I noticed that, unlike
>> most or all other configuration records that we have, it’s possible to
>> create an <nginx-configuration> record that leads to a syntactically
>> invalid nginx config file.
>>
>> For example, if you have a location block like this:
>>
>>         (nginx-location-configuration
>>           (uri "/manual/")
>>           (body (list "alias /srv/guix-manual")))
>>
>> Guix will silently create an invalid nginx config file, which you’ll
>> only notice once you’ve reconfigured and nginx fails to start.
>
> I wonder if some errors could be caught at build time, before attempting
> to start the service.
>
> If in the derivation to build the configuration file, nginx is run
> against the built config file with -t, that might spot errors at
> derivation build time.

Yeah, this is probably doable.

I would consider it a stop-gap measure though.  Fundamentally, I think
we should make it so that, by construction, invalid (or at least
syntactically-invalid) config files cannot be produced.

> An sexp representation sounds good, although I think records will work
> out better for the common and high level parts.

The way I see it, sexps and records could be almost indistinguishable
provided some appropriate macrology.  But sexps are definitely easier to
implement.

Thanks,
Ludo’.




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#37388: <nginx-configuration> can lead to syntactically invalid configs
Resent-From: Christopher Baines <mail@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Sat, 14 Sep 2019 15:46:02 +0000
Resent-Message-ID: <handler.37388.B37388.1568475935548 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 37388
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 37388 <at> debbugs.gnu.org
Received: via spool by 37388-submit <at> debbugs.gnu.org id=B37388.1568475935548
          (code B ref 37388); Sat, 14 Sep 2019 15:46:02 +0000
Received: (at 37388) by debbugs.gnu.org; 14 Sep 2019 15:45:35 +0000
Received: from localhost ([127.0.0.1]:47059 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1i9AEx-00008l-IB
	for submit <at> debbugs.gnu.org; Sat, 14 Sep 2019 11:45:35 -0400
Received: from mira.cbaines.net ([212.71.252.8]:58722)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mail@HIDDEN>) id 1i9AEv-00008d-I1
 for 37388 <at> debbugs.gnu.org; Sat, 14 Sep 2019 11:45:34 -0400
Received: from localhost (cpc102582-walt20-2-0-cust14.13-2.cable.virginm.net
 [86.27.34.15])
 by mira.cbaines.net (Postfix) with ESMTPSA id 7C36117383;
 Sat, 14 Sep 2019 16:45:32 +0100 (BST)
Received: from capella (localhost [127.0.0.1])
 by localhost (OpenSMTPD) with ESMTP id 79f629aa;
 Sat, 14 Sep 2019 15:45:32 +0000 (UTC)
References: <87d0g6q752.fsf@HIDDEN> <87d0g3nqjw.fsf@HIDDEN>
 <87r24j3vyk.fsf@HIDDEN>
User-agent: mu4e 1.2.0; emacs 26.3
From: Christopher Baines <mail@HIDDEN>
In-reply-to: <87r24j3vyk.fsf@HIDDEN>
Date: Sat, 14 Sep 2019 16:45:27 +0100
Message-ID: <87a7b6op9k.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.0 (/)
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Ludovic Courtès <ludo@HIDDEN> writes:

>> I wonder if some errors could be caught at build time, before attempting
>> to start the service.
>>
>> If in the derivation to build the configuration file, nginx is run
>> against the built config file with -t, that might spot errors at
>> derivation build time.
>
> Yeah, this is probably doable.
>
> I would consider it a stop-gap measure though.  Fundamentally, I think
> we should make it so that, by construction, invalid (or at least
> syntactically-invalid) config files cannot be produced.

Catching errors earlier is better, but being able to catch any syntactic
issues that have snuck through, as well as semantic ones when building
the configuration would be good, I think. I haven't actually tested out
the nginx configuration check functionality though, so I'm guessing
about what it does.

--=-=-=--




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#37388: <nginx-configuration> can lead to syntactically invalid configs
Resent-From: Ludovic Courtès <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Mon, 24 Aug 2020 15:36:02 +0000
Resent-Message-ID: <handler.37388.B37388.159828332629947 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 37388
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Christopher Baines <mail@HIDDEN>
Cc: 37388 <at> debbugs.gnu.org
Received: via spool by 37388-submit <at> debbugs.gnu.org id=B37388.159828332629947
          (code B ref 37388); Mon, 24 Aug 2020 15:36:02 +0000
Received: (at 37388) by debbugs.gnu.org; 24 Aug 2020 15:35:26 +0000
Received: from localhost ([127.0.0.1]:58951 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kAEVK-0007mx-4M
	for submit <at> debbugs.gnu.org; Mon, 24 Aug 2020 11:35:26 -0400
Received: from eggs.gnu.org ([209.51.188.92]:56088)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1kAEVI-0007mj-91
 for 37388 <at> debbugs.gnu.org; Mon, 24 Aug 2020 11:35:24 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:47461)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>)
 id 1kAEVC-0005Zt-To; Mon, 24 Aug 2020 11:35:18 -0400
Received: from [2001:660:6102:320:e120:2c8f:8909:cdfe] (port=41500 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1kAEVA-0002pw-Rb; Mon, 24 Aug 2020 11:35:17 -0400
From: Ludovic Courtès <ludo@HIDDEN>
References: <87d0g6q752.fsf@HIDDEN> <87d0g3nqjw.fsf@HIDDEN>
Date: Mon, 24 Aug 2020 17:35:12 +0200
In-Reply-To: <87d0g3nqjw.fsf@HIDDEN> (Christopher Baines's message of
 "Sat, 14 Sep 2019 11:02:59 +0100")
Message-ID: <87eenw12hb.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -2.3 (--)
X-Spam-Score: -3.3 (---)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello!

Christopher Baines <mail@HIDDEN> writes:

> Ludovic Courtès <ludo@HIDDEN> writes:
>
>> It’s nice that we have <nginx-configuration> but I noticed that, unlike
>> most or all other configuration records that we have, it’s possible to
>> create an <nginx-configuration> record that leads to a syntactically
>> invalid nginx config file.
>>
>> For example, if you have a location block like this:
>>
>>         (nginx-location-configuration
>>           (uri "/manual/")
>>           (body (list "alias /srv/guix-manual")))
>>
>> Guix will silently create an invalid nginx config file, which you’ll
>> only notice once you’ve reconfigured and nginx fails to start.
>
> I wonder if some errors could be caught at build time, before attempting
> to start the service.
>
> If in the derivation to build the configuration file, nginx is run
> against the built config file with -t, that might spot errors at
> derivation build time.

Inspired, I tried the attached patch to do that.  However, that fails in
real-world situations, for example due to out-of-band references to
certificates:

--8<---------------cut here---------------start------------->8---
building /gnu/store/5k7w1l5ixg5vx1z7sdyabhgkpvvj7a5z-nginx.conf.drv...
nginx: [alert] could not open error log file: open() "run/logs/error.log" failed (2: No such file or directory)
2020/08/24 15:32:43 [warn] 7#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /gnu/store/c6zkj7rw37hh5a8mab9g37ca2aa33py0-unchecked-nginx.conf:1
2020/08/24 15:32:43 [emerg] 7#0: cannot load certificate "/etc/letsencrypt/live/berlin.guixsd.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/berlin.guixsd.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /gnu/store/c6zkj7rw37hh5a8mab9g37ca2aa33py0-unchecked-nginx.conf test failed
Backtrace:
           2 (primitive-load "/gnu/store/4kb8dz6f6w5g50h8qghl35r1da0?")
In ice-9/eval.scm:
    619:8  1 (_ #f)
In guix/build/utils.scm:
    654:6  0 (invoke _ . _)

guix/build/utils.scm:654:6: In procedure invoke:
ERROR:
  1. &invoke-error:
      program: "/gnu/store/549pl4ch0zi3jjinpf1dckhxb1i0wp8f-nginx-1.19.2/sbin/nginx"
      arguments: ("-c" "/gnu/store/c6zkj7rw37hh5a8mab9g37ca2aa33py0-unchecked-nginx.conf" "-p" "run" "-t")
      exit-status: 1
      term-signal: #f
      stop-signal: #f
builder for `/gnu/store/5k7w1l5ixg5vx1z7sdyabhgkpvvj7a5z-nginx.conf.drv' failed with exit code 1
build of /gnu/store/5k7w1l5ixg5vx1z7sdyabhgkpvvj7a5z-nginx.conf.drv failed
--8<---------------cut here---------------end--------------->8---

I’m not sure what can be done.  Thoughts?

Ludo’.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 3b9f9e40be..e47acfe118 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -629,7 +629,7 @@ of index files."
                  modules
                  global-directives
                  extra-content)
-   (apply mixed-text-file "nginx.conf"
+   (apply mixed-text-file "unchecked-nginx.conf"
           (flatten
            "user nginx nginx;\n"
            "pid " run-directory "/pid;\n"
@@ -662,6 +662,19 @@ of index files."
            extra-content
            "\n}\n"))))
 
+(define (validated-nginx-configuration-file nginx file)
+  "Return a copy of FILE, an nginx config file, after checking that it is
+syntactically correct."
+  (computed-file "nginx.conf"
+                 (with-imported-modules '((guix build utils))
+                   #~(begin
+                       (use-modules (guix build utils))
+
+                       (mkdir "run")
+                       (invoke #+(file-append nginx "/sbin/nginx")
+                               "-c" #$file "-p" "run" "-t")
+                       (copy-file #$file #$output)))))
+
 (define %nginx-accounts
   (list (user-group (name "nginx") (system? #t))
         (user-account
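Review bot: "nginx -t" in validated-nginx-configuration-file checks more than the docstring's "syntactically correct" says, because it also opens the files the configuration names, and the builder only provides an empty directory via (mkdir "run"). The build output quoted in the accompanying message shows both effects: an [alert] for the missing run/logs/error.log and an [emerg] for a certificate under /etc/letsencrypt. Creating run/logs before the invoke call would remove the first; the second needs a decision on whether a file that is absent from the build environment should fail the derivation, and the docstring should state which checks a caller can rely on.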
@@ -694,8 +707,10 @@ of index files."
        (mkdir-p (string-append #$run-directory "/logs"))
        ;; Check configuration file syntax.
        (system* (string-append #$nginx "/sbin/nginx")
-                "-c" #$(or file
-                           (default-nginx-config config))
+                "-c" #$(validated-nginx-configuration-file
+                        nginx
+                        (or file
+                            (default-nginx-config config)))
                 "-p" #$run-directory
                 "-t"))))
 
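Review bot: at the "-c" argument, the value wrapped by validated-nginx-configuration-file is (or file (default-nginx-config config)), so a user-supplied FILE now reaches the builder through #$file as well. If FILE may be a string naming a path outside the store, will the builder be able to read it? It would help to state what FILE is allowed to be, or to skip the build-time check in that case. The "Check configuration file syntax" comment above this call could also note that this activation-time "-t" run is the one that sees the real run directory.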
@@ -709,8 +724,10 @@ of index files."
            (lambda args
              #~(lambda _
                  (invoke #$nginx-binary "-c"
-                         #$(or file
-                               (default-nginx-config config))
+                         #$(validated-nginx-configuration-file
+                            nginx
+                            (or file
+                                (default-nginx-config config)))
                          #$@args)
                  (match '#$args
                    (("-s" . _) #f)
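Review bot: the expression (validated-nginx-configuration-file nginx (or file (default-nginx-config config))) is now written out twice, here and at the "-c" argument in the previous hunk. Factoring it into one helper that both call sites use would keep the activation check and the service start from drifting onto different files if one of them is edited later.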

--=-=-=--
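The build log in the last message fails on a certificate that lives outside the store, not on a syntax error. As an added example (not part of the thread or of Guix; the procedure names and the classification rule are assumptions), this Guile code separates the two cases in "nginx -t" output:

```scheme
;; Added example, not Guix code: triage the output of "nginx -t" run in
;; the build environment.  The classification rule is an assumption.
(use-modules (srfi srfi-1))

;; Lines copied from the failed build quoted in the message above.
(define %build-output
  (list
   "nginx: [alert] could not open error log file: open() \"run/logs/error.log\" failed (2: No such file or directory)"
   "2020/08/24 15:32:43 [emerg] 7#0: cannot load certificate \"/etc/letsencrypt/live/berlin.guixsd.org/fullchain.pem\": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/berlin.guixsd.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)"
   "nginx: configuration file /gnu/store/c6zkj7rw37hh5a8mab9g37ca2aa33py0-unchecked-nginx.conf test failed"))

;; Constructed line (not from the thread): the kind of message expected for
;; the unterminated "alias /srv/guix-manual" directive of the original report.
(define %syntax-error-output
  (list
   "2020/08/24 15:32:43 [emerg] 7#0: unexpected \"}\" in /gnu/store/HASH-unchecked-nginx.conf:12"))

(define (fatal-line? line)
  ;; nginx logs configuration errors at the [emerg] level.
  (string-contains line "[emerg]"))

(define (missing-file-line? line)
  ;; ENOENT as spelled by nginx/libc and by OpenSSL in the output above.
  (or (string-contains line "No such file or directory")
      (string-contains line "no such file")))

(define (classify-test-output lines)
  "Return 'ok, 'environment or 'invalid for LINES, the output of 'nginx -t'.
'environment means every fatal error is a file that the build environment
cannot see; anything else is treated as a genuine configuration error."
  (let ((fatal (filter fatal-line? lines)))
    (cond ((null? fatal) 'ok)
          ((every missing-file-line? fatal) 'environment)
          (else 'invalid))))

;; Classify the real build log, the constructed syntax error, and no output.
(for-each (lambda (lines)
            (format #t "~a~%" (classify-test-output lines)))
          (list %build-output %syntax-error-output '()))
```

Because nginx stops at the first [emerg], an 'environment result says nothing about directives that come after the one that failed.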





Last modified: Mon, 24 Aug 2020 15:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.