Package: guix-patches;
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Sun, 17 Apr 2022 21:02:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 54997 in the body.
You can then email your comments to 54997 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:02:02 GMT) Full text and rfc822 format available.Ludovic Courtès <ludo <at> gnu.org>:guix-patches <at> gnu.org.
(Sun, 17 Apr 2022 21:02:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: guix-patches <at> gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 00/12] Add "least authority" program wrapper Date: Sun, 17 Apr 2022 23:01:07 +0200
Hello Guix!
So we have this fancy ‘make-forkexec-constructor/container’ thing
to spawn Shepherd services in a container:
https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/
It’s nice, but it doesn’t compose. What if you want an inetd-style
service *and* have it run in a container? We certainly don’t want to
end up defining ‘make-inetd-constructor/container’ and so on.
Instead, the new (guix least-authority) module provides a way to
create “least-authority wrappers” for a given program: the wrapper
forks[*] a process that lives in separate namespaces, with
‘call-with-container’, sets up bind mounts and everything in the child,
and executes the program in that environment. ([*] I considered
using unshare(2) instead of forking but that doesn’t quite work,
notably because the process itself would remain in the same PID
namespace as its parent.)
Subsequent patches change most, but not all, users of
‘make-forkexec-constructor/container’ to ‘least-authority-wrapper’.
One situation where ‘make-forkexec-constructor/container’ cannot be
replaced yet is when we rely on #:pid-file, as is the case for Tor
(‘make-forkexec-constructor/container’ goes to great lengths to read
PID files in the container and be happy with a PID that is only
valid within that namespace.) The remaining users are Jami and
Pagekite; that is left as an exercise to the reader. :-)
I have plans to use ‘least-authority-wrapper’ in other contexts, in
particular as the basis of a new package transformation option.
Thoughts?
Ludo’.
Ludovic Courtès (12):
gexp: Add 'references-file'.
file-systems: Avoid load-time warnings when attempting to load (guix
store).
linux-container: 'call-with-container' relays SIGTERM and SIGINT.
Add (guix least-authority).
services: dicod: Rewrite using 'least-authority-wrapper'.
services: dicod: Use 'make-inetd-constructor'.
services: bitlbee: Use 'make-inetd-constructor'.
services: ipfs: Adjust for Shepherd 0.9.
services: ipfs: Use 'least-authority-wrapper'.
services: wesnothd: Grant write access to /var/run/wesnothd.
services: wesnothd: Use 'least-authority-wrapper'.
services: quassel: Use 'least-authority-wrapper'.
Makefile.am | 1 +
gnu/build/linux-container.scm | 15 ++--
gnu/build/shepherd.scm | 3 +-
gnu/services/base.scm | 22 ------
gnu/services/dict.scm | 61 ++++++++++------
gnu/services/games.scm | 33 +++++++--
gnu/services/messaging.scm | 105 +++++++++++++++++----------
gnu/services/networking.scm | 118 +++++++++++++++---------------
gnu/system/file-systems.scm | 5 +-
gnu/tests/messaging.scm | 21 +-----
guix/gexp.scm | 43 +++++++++++
guix/least-authority.scm | 131 ++++++++++++++++++++++++++++++++++
tests/gexp.scm | 18 +++++
13 files changed, 403 insertions(+), 173 deletions(-)
create mode 100644 guix/least-authority.scm
base-commit: 950f3e4f98add14f645dc4c9f8c512cac7b8a779
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:02 GMT) Full text and rfc822 format available.Message #8 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 02/12] file-systems: Avoid load-time warnings when attempting to load (guix store). Date: Sun, 17 Apr 2022 23:04:43 +0200
This makes sure warnings like "incompatible bytecode version" don't go
through when looking for (guix store).
* gnu/system/file-systems.scm (%store-prefix): Parameterize
'current-warning-port' around 'resolve-module' call.
---
gnu/system/file-systems.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 437f8da898..f8f4276283 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013-2021 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2013-2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2020 Google LLC
;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net>
;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
@@ -272,7 +272,8 @@ (define (%store-prefix)
;; Note: If we have (guix store database) in the search path and we do *not*
;; have (guix store) proper, 'resolve-module' returns an empty (guix store)
;; with one sub-module.
- (cond ((and=> (resolve-module '(guix store) #:ensure #f)
+ (cond ((and=> (parameterize ((current-warning-port (%make-void-port "w0")))
+ (resolve-module '(guix store) #:ensure #f))
(lambda (store)
(module-variable store '%store-prefix)))
=>
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:02 GMT) Full text and rfc822 format available.Message #11 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 01/12] gexp: Add 'references-file'. Date: Sun, 17 Apr 2022 23:04:42 +0200
* gnu/services/base.scm (references-file): Remove.
* guix/gexp.scm (references-file): New procedure.
* tests/gexp.scm ("references-file"): New test.
---
gnu/services/base.scm | 22 ----------------------
guix/gexp.scm | 43 +++++++++++++++++++++++++++++++++++++++++++
tests/gexp.scm | 18 ++++++++++++++++++
3 files changed, 61 insertions(+), 22 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 5d7c69a9cd..182badd97f 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -219,8 +219,6 @@ (define-module (gnu services base)
pam-limits-service-type
pam-limits-service
- references-file
-
%base-services))
;;; Commentary:
@@ -1768,26 +1766,6 @@ (define (guix-activation config)
(substitute-key-authorization authorized-keys guix)
#~#f))))
-(define* (references-file item #:optional (name "references"))
- "Return a file that contains the list of references of ITEM."
- (if (struct? item) ;lowerable object
- (computed-file name
- (with-extensions (list guile-gcrypt) ;for store-copy
- (with-imported-modules (source-module-closure
- '((guix build store-copy)))
- #~(begin
- (use-modules (guix build store-copy))
-
- (call-with-output-file #$output
- (lambda (port)
- (write (map store-info-item
- (call-with-input-file "graph"
- read-reference-graph))
- port))))))
- #:options `(#:local-build? #f
- #:references-graphs (("graph" ,item))))
- (plain-file name "()")))
-
(define guix-service-type
(service-type
(name 'guix)
diff --git a/guix/gexp.scm b/guix/gexp.scm
index 9fdb7a30be..9ef7622062 100644
--- a/guix/gexp.scm
+++ b/guix/gexp.scm
@@ -118,6 +118,7 @@ (define-module (guix gexp)
mixed-text-file
file-union
directory-union
+ references-file
imported-files
imported-modules
@@ -2173,6 +2174,48 @@ (define log-port
#:resolve-collision
(ungexp resolve-collision)))))))))
+(define* (references-file item #:optional (name "references")
+ #:key guile)
+ "Return a file that contains the list of direct and indirect references (the
+closure) of ITEM."
+ (if (struct? item) ;lowerable object
+ (computed-file name
+ (gexp (begin
+ (use-modules (ice-9 rdelim)
+ (ice-9 match))
+
+ (define (drop-lines port n)
+ ;; Drop N lines read from PORT.
+ (let loop ((n n))
+ (unless (zero? n)
+ (read-line port)
+ (loop (- n 1)))))
+
+ (define (read-graph port)
+ ;; Return the list of references read from
+ ;; PORT. This is a stripped-down version of
+ ;; 'read-reference-graph'.
+ (let loop ((items '()))
+ (match (read-line port)
+ ((? eof-object?)
+ items)
+ ((? string? item)
+ (let ((deriver (read-line port))
+ (count
+ (string->number (read-line port))))
+ (drop-lines port count)
+ (loop (cons item items)))))))
+
+ (call-with-output-file (ungexp output)
+ (lambda (port)
+ (write (call-with-input-file "graph"
+ read-graph)
+ port)))))
+ #:guile guile
+ #:options `(#:local-build? #t
+ #:references-graphs (("graph" ,item))))
+ (plain-file name "()")))
+
;;;
;;; Syntactic sugar.
diff --git a/tests/gexp.scm b/tests/gexp.scm
index c80ca13fab..35bd99e6d4 100644
--- a/tests/gexp.scm
+++ b/tests/gexp.scm
@@ -1606,6 +1606,24 @@ (define (contents=? file str)
(not (member (derivation-file-name native) refs))
(member (derivation-file-name cross) refs))))))
+(test-assertm "references-file"
+ (let* ((exp #~(symlink #$%bootstrap-guile #$output))
+ (computed (computed-file "computed" exp
+ #:guile %bootstrap-guile))
+ (refs (references-file computed "refs"
+ #:guile %bootstrap-guile)))
+ (mlet* %store-monad ((drv0 (lower-object %bootstrap-guile))
+ (drv1 (lower-object computed))
+ (drv2 (lower-object refs)))
+ (mbegin %store-monad
+ (built-derivations (list drv2))
+ (mlet %store-monad ((refs ((store-lift requisites)
+ (list (derivation->output-path drv1)))))
+ (return (lset= string=?
+ (call-with-input-file (derivation->output-path drv2)
+ read)
+ refs)))))))
+
(test-assert "lower-object & gexp-input-error?"
(guard (c ((gexp-input-error? c)
(gexp-error-invalid-input c)))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:02 GMT) Full text and rfc822 format available.Message #14 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 03/12] linux-container: 'call-with-container' relays SIGTERM and SIGINT. Date: Sun, 17 Apr 2022 23:04:44 +0200
* gnu/build/linux-container.scm (call-with-container): Add #:relayed-signals
and honor it.
---
gnu/build/linux-container.scm | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index bdeca2cdb9..c19029aa65 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -303,6 +303,7 @@ (define (call-with-temporary-directory proc)
(define* (call-with-container mounts thunk #:key (namespaces %namespaces)
(host-uids 1) (guest-uid 0) (guest-gid 0)
+ (relayed-signals (list SIGINT SIGTERM))
(process-spawned-hook (const #t)))
"Run THUNK in a new container process and return its exit status; call
PROCESS-SPAWNED-HOOK with the PID of the new process that has been spawned.
@@ -320,6 +321,9 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
GUEST-UID and GUEST-GID specify the first UID (respectively GID) that host
UIDs (respectively GIDs) map to in the namespace.
+RELAYED-SIGNALS is the list of signals that are \"relayed\" to the container
+process when caught by its parent.
+
Note that if THUNK needs to load any additional Guile modules, the relevant
module files must be present in one of the mappings in MOUNTS and the Guile
load path must be adjusted as needed."
@@ -328,11 +332,12 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
(let ((pid (run-container root mounts namespaces host-uids thunk
#:guest-uid guest-uid
#:guest-gid guest-gid)))
- ;; Catch SIGINT and kill the container process.
- (sigaction SIGINT
- (lambda (signum)
- (false-if-exception
- (kill pid SIGKILL))))
+ (define (relay-signal signal)
+ (false-if-exception (kill pid signal)))
+
+ (for-each (lambda (signal)
+ (sigaction signal relay-signal))
+ relayed-signals)
(process-spawned-hook pid)
(match (waitpid pid)
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:03 GMT) Full text and rfc822 format available.Message #17 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 04/12] Add (guix least-authority). Date: Sun, 17 Apr 2022 23:04:45 +0200
* guix/least-authority.scm: New file.
* Makefile.am (MODULES): Add it.
* gnu/build/shepherd.scm (default-mounts): Make public.
---
Makefile.am | 1 +
gnu/build/shepherd.scm | 3 +-
guix/least-authority.scm | 131 +++++++++++++++++++++++++++++++++++++++
3 files changed, 134 insertions(+), 1 deletion(-)
create mode 100644 guix/least-authority.scm
diff --git a/Makefile.am b/Makefile.am
index fecce7c6f7..d0d58da4e3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -130,6 +130,7 @@ MODULES = \
guix/cache.scm \
guix/cve.scm \
guix/workers.scm \
+ guix/least-authority.scm \
guix/ipfs.scm \
guix/build-system.scm \
guix/build-system/android-ndk.scm \
diff --git a/gnu/build/shepherd.scm b/gnu/build/shepherd.scm
index d52e53eb78..f4caefce3c 100644
--- a/gnu/build/shepherd.scm
+++ b/gnu/build/shepherd.scm
@@ -31,7 +31,8 @@ (define-module (gnu build shepherd)
exec-command
%precious-signals)
#:autoload (shepherd system) (unblock-signals)
- #:export (make-forkexec-constructor/container
+ #:export (default-mounts
+ make-forkexec-constructor/container
fork+exec-command/container))
;;; Commentary:
diff --git a/guix/least-authority.scm b/guix/least-authority.scm
new file mode 100644
index 0000000000..806c47508f
--- /dev/null
+++ b/guix/least-authority.scm
@@ -0,0 +1,131 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2022 Ludovic Courtès <ludo <at> gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (guix least-authority)
+ #:use-module (guix gexp)
+ #:use-module (guix modules)
+ #:use-module ((guix store) #:select (%store-prefix))
+ #:autoload (gnu build linux-container) (%namespaces)
+ #:autoload (gnu system file-systems) (file-system-mapping
+ file-system-mapping-source
+ spec->file-system
+ file-system->spec
+ file-system-mapping->bind-mount)
+ #:export (least-authority-wrapper))
+
+;;; Commentary:
+;;;
+;;; This module provides tools to execute programs with the least authority
+;;; necessary, using Linux namespaces.
+;;;
+;;; Code:
+
+(define %precious-variables
+ ;; Environment variables preserved by the wrapper by default.
+ '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"))
+
+(define* (least-authority-wrapper program
+ #:key (name "pola-wrapper")
+ (guest-uid 1000)
+ (guest-gid 1000)
+ (mappings '())
+ (namespaces %namespaces)
+ (directory "/")
+ (preserved-environment-variables
+ %precious-variables))
+ "Return a wrapper of PROGRAM that executes it with the least authority.
+
+PROGRAM is executed in separate namespaces according to NAMESPACES, a list of
+symbols; it turns with GUEST-UID and GUEST-GID. MAPPINGS is a list of
+<file-system-mapping> records indicating directories mirrored inside the
+execution environment of PROGRAM. DIRECTORY is the working directory of the
+wrapped process. Each environment listed in PRESERVED-ENVIRONMENT-VARIABLES
+is preserved; other environment variables are erased."
+ (define code
+ (with-imported-modules (source-module-closure
+ '((gnu system file-systems)
+ (gnu build shepherd)
+ (gnu build linux-container)))
+ #~(begin
+ (use-modules (gnu system file-systems)
+ (gnu build linux-container)
+ ((gnu build shepherd) #:select (default-mounts))
+ (srfi srfi-1))
+
+ (define variables
+ (filter-map (lambda (variable)
+ (let ((value (getenv variable)))
+ (and value
+ (string-append variable "=" value))))
+ '#$preserved-environment-variables))
+
+ (define (read-file file)
+ (call-with-input-file file read))
+
+ (define references
+ (delete-duplicates
+ (append-map read-file
+ '#$(map references-file
+ (cons program
+ (map file-system-mapping-source
+ mappings))))))
+
+ (define (store? file-system)
+ (string=? (file-system-mount-point file-system)
+ #$(%store-prefix)))
+
+ (define mounts
+ (append (map (lambda (item)
+ (file-system-mapping->bind-mount
+ (file-system-mapping (source item)
+ (target item))))
+ references)
+ (remove store?
+ (default-mounts
+ #:namespaces '#$namespaces))
+ (map spec->file-system
+ '#$(map (compose file-system->spec
+ file-system-mapping->bind-mount)
+ mappings))))
+
+ (define (reify-exit-status status)
+ (cond ((status:exit-val status) => exit)
+ ((or (status:term-sig status)
+ (status:stop-sig status))
+ => (lambda (signal)
+ (format (current-error-port)
+ "~a terminated with signal ~a~%"
+ #$program signal)
+ (exit 126)))))
+
+ ;; Note: 'call-with-container' creates a sub-process that this one
+ ;; waits for. This might seem suboptimal but unshare(2) isn't
+ ;; really applicable: the process would still run in the same PID
+ ;; namespace.
+
+ (reify-exit-status
+ (call-with-container mounts
+ (lambda ()
+ (chdir #$directory)
+ (environ variables)
+ (apply execl #$program #$program (cdr (command-line))))
+ #:guest-uid #$guest-uid
+ #:guest-gid #$guest-gid
+ #:namespaces '#$namespaces)))))
+
+ (program-file name code))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:03 GMT) Full text and rfc822 format available.Message #20 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 06/12] services: dicod: Use 'make-inetd-constructor'. Date: Sun, 17 Apr 2022 23:04:47 +0200
* gnu/services/dict.scm (dicod-shepherd-service): Use
'make-inetd-constructor' in the 'start' method when available.
---
gnu/services/dict.scm | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/gnu/services/dict.scm b/gnu/services/dict.scm
index 62b21f8d53..109917c05c 100644
--- a/gnu/services/dict.scm
+++ b/gnu/services/dict.scm
@@ -146,6 +146,7 @@ (define %dicod-activation
(define (dicod-shepherd-service config)
(let* ((dicod.conf (dicod-configuration-file config))
+ (interfaces (dicod-configuration-interfaces config))
(dicod (least-authority-wrapper
(file-append (dicod-configuration-dico config)
"/bin/dicod")
@@ -165,10 +166,19 @@ (define (dicod-shepherd-service config)
(provision '(dicod))
(requirement '(user-processes))
(documentation "Run the dicod daemon.")
- (start #~(make-forkexec-constructor
- (list #$dicod "--foreground"
- (string-append "--config=" #$dicod.conf))
- #:user "dicod" #:group "dicod"))
+ (start #~(if (and (defined? 'make-inetd-constructor)
+ #$(= 1 (length interfaces))) ;XXX
+ (make-inetd-constructor
+ (list #$dicod "--inetd" "--foreground"
+ (string-append "--config=" #$dicod.conf))
+ (addrinfo:addr
+ (car (getaddrinfo #$(first interfaces) "dict")))
+ #:user "dicod" #:group "dicod"
+ #:service-name-stem "dicod")
+ (make-forkexec-constructor
+ (list #$dicod "--foreground"
+ (string-append "--config=" #$dicod.conf))
+ #:user "dicod" #:group "dicod")))
(stop #~(make-kill-destructor))))))
(define dicod-service-type
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:03 GMT) Full text and rfc822 format available.Message #23 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 05/12] services: dicod: Rewrite using 'least-authority-wrapper'. Date: Sun, 17 Apr 2022 23:04:46 +0200
* gnu/services/dict.scm (dicod-shepherd-service): Rewrite using
'least-authority-wrapper' plus 'make-forkexec-constructor' instead of
'make-forkexec-constructor/container'.
---
gnu/services/dict.scm | 51 ++++++++++++++++++++++++-------------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/gnu/services/dict.scm b/gnu/services/dict.scm
index a97ad8f608..62b21f8d53 100644
--- a/gnu/services/dict.scm
+++ b/gnu/services/dict.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016 Sou Bunnbu <iyzsong <at> gmail.com>
-;;; Copyright © 2016, 2017, 2018, 2020 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2016, 2017, 2018, 2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2017 Huang Ying <huang.ying.caritas <at> gmail.com>
;;;
;;; This file is part of GNU Guix.
@@ -22,12 +22,15 @@ (define-module (gnu services dict)
#:use-module (guix gexp)
#:use-module (guix records)
#:use-module (guix modules)
+ #:use-module (guix least-authority)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu system shadow)
#:use-module ((gnu packages admin) #:select (shadow))
#:use-module (gnu packages dico)
#:use-module (gnu packages dictionaries)
+ #:autoload (gnu build linux-container) (%namespaces)
+ #:autoload (gnu system file-systems) (file-system-mapping)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (ice-9 match)
@@ -142,27 +145,31 @@ (define %dicod-activation
(chown rundir (passwd:uid user) (passwd:gid user)))))
(define (dicod-shepherd-service config)
- (let ((dicod (file-append (dicod-configuration-dico config)
- "/bin/dicod"))
- (dicod.conf (dicod-configuration-file config)))
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
- (list (shepherd-service
- (provision '(dicod))
- (requirement '(user-processes))
- (documentation "Run the dicod daemon.")
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$dicod "--foreground"
- (string-append "--config=" #$dicod.conf))
- #:user "dicod" #:group "dicod"
- #:mappings (list (file-system-mapping
- (source "/var/run/dicod")
- (target source)
- (writable? #t)))))
- (stop #~(make-kill-destructor)))))))
+ (let* ((dicod.conf (dicod-configuration-file config))
+ (dicod (least-authority-wrapper
+ (file-append (dicod-configuration-dico config)
+ "/bin/dicod")
+ #:name "dicod"
+ #:mappings (list (file-system-mapping
+ (source "/var/run/dicod")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/dev/log")
+ (target source))
+ (file-system-mapping
+ (source dicod.conf)
+ (target source)))
+ #:namespaces (delq 'net %namespaces))))
+ (list (shepherd-service
+ (provision '(dicod))
+ (requirement '(user-processes))
+ (documentation "Run the dicod daemon.")
+ (start #~(make-forkexec-constructor
+ (list #$dicod "--foreground"
+ (string-append "--config=" #$dicod.conf))
+ #:user "dicod" #:group "dicod"))
+ (stop #~(make-kill-destructor))))))
(define dicod-service-type
(service-type
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:04 GMT) Full text and rfc822 format available.Message #26 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 07/12] services: bitlbee: Use 'make-inetd-constructor'. Date: Sun, 17 Apr 2022 23:04:48 +0200
* gnu/services/messaging.scm (bitlbee-shepherd-service): Add call to
'least-authority-wrapper'. In 'start' method, use
'make-inetd-constructor' when available.
* gnu/tests/messaging.scm (run-bitlbee-test)["valid PID"]: Remove test.
---
gnu/services/messaging.scm | 63 ++++++++++++++++++++++++++++----------
gnu/tests/messaging.scm | 21 +------------
2 files changed, 48 insertions(+), 36 deletions(-)
diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm
index 4bceb1d37a..7fdd8cf285 100644
--- a/gnu/services/messaging.scm
+++ b/gnu/services/messaging.scm
@@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017, 2018 Clément Lassieur <clement <at> lassieur.org>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe <at> gmail.com>
-;;; Copyright © 2015, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2015, 2017-2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2018 Pierre-Antoine Rouby <contact <at> parouby.fr>
;;;
;;; This file is part of GNU Guix.
@@ -28,11 +28,14 @@ (define-module (gnu services messaging)
#:use-module (gnu services shepherd)
#:use-module (gnu services configuration)
#:use-module (gnu system shadow)
+ #:autoload (gnu build linux-container) (%namespaces)
+ #:use-module ((gnu system file-systems) #:select (file-system-mapping))
#:use-module (guix gexp)
#:use-module (guix modules)
#:use-module (guix records)
#:use-module (guix packages)
#:use-module (guix deprecation)
+ #:use-module (guix least-authority)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-35)
#:use-module (ice-9 match)
@@ -821,7 +824,18 @@ (define bitlbee-shepherd-service
DaemonInterface = " interface "
DaemonPort = " (number->string port) "
PluginDir = " plugins "/lib/bitlbee
-" extra-settings)))
+" extra-settings))
+ (bitlbee* (least-authority-wrapper
+ (file-append bitlbee "/sbin/bitlbee")
+ #:name "bitlbee"
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/bitlbee")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source conf)
+ (target conf)))
+ #:namespaces (delq 'net %namespaces))))
(with-imported-modules (source-module-closure
'((gnu build shepherd)
@@ -836,20 +850,37 @@ (define bitlbee-shepherd-service
(modules '((gnu build shepherd)
(gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$(file-append bitlbee "/sbin/bitlbee")
- "-n" "-F" "-u" "bitlbee" "-c" #$conf)
-
- ;; Allow 'bitlbee-purple' to use libpurple plugins.
- #:environment-variables
- (list (string-append "PURPLE_PLUGIN_PATH="
- #$plugins "/lib/purple-2"))
-
- #:pid-file "/var/run/bitlbee.pid"
- #:mappings (list (file-system-mapping
- (source "/var/lib/bitlbee")
- (target source)
- (writable? #t)))))
+ (start #~(if (defined? 'make-inetd-constructor)
+
+ (make-inetd-constructor
+ (list #$bitlbee* "-I"
+ "-u" "bitlbee" "-c" #$conf)
+ (addrinfo:addr
+ (car (getaddrinfo #$interface
+ #$(number->string port)
+ (logior AI_NUMERICHOST
+ AI_NUMERICSERV))))
+ #:service-name-stem "bitlbee"
+
+ ;; Allow 'bitlbee-purple' to use libpurple plugins.
+ #:environment-variables
+ (list (string-append "PURPLE_PLUGIN_PATH="
+ #$plugins "/lib/purple-2")))
+
+ (make-forkexec-constructor/container
+ (list #$(file-append bitlbee "/sbin/bitlbee")
+ "-n" "-F" "-u" "bitlbee" "-c" #$conf)
+
+ ;; Allow 'bitlbee-purple' to use libpurple plugins.
+ #:environment-variables
+ (list (string-append "PURPLE_PLUGIN_PATH="
+ #$plugins "/lib/purple-2"))
+
+ #:pid-file "/var/run/bitlbee.pid"
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/bitlbee")
+ (target source)
+ (writable? #t))))))
(stop #~(make-kill-destructor)))))))))
(define %bitlbee-accounts
diff --git a/gnu/tests/messaging.scm b/gnu/tests/messaging.scm
index 202a1c2f73..1e26c0ddea 100644
--- a/gnu/tests/messaging.scm
+++ b/gnu/tests/messaging.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017, 2018 Clément Lassieur <clement <at> lassieur.org>
-;;; Copyright © 2017, 2018, 2021 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2017-2018, 2021-2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2018 Efraim Flashner <efraim <at> flashner.co.il>
;;;
;;; This file is part of GNU Guix.
@@ -198,25 +198,6 @@ (define marionette
(start-service 'bitlbee))
marionette))
- (test-equal "valid PID"
- #$(file-append bitlbee "/sbin/bitlbee")
- (marionette-eval
- '(begin
- (use-modules (srfi srfi-1)
- (gnu services herd))
-
- (let ((bitlbee
- (find (lambda (service)
- (equal? '(bitlbee)
- (live-service-provision service)))
- (current-services))))
- (and (pk 'bitlbee-service bitlbee)
- (let ((pid (live-service-running bitlbee)))
- (readlink (string-append "/proc/"
- (number->string pid)
- "/exe"))))))
- marionette))
-
(test-assert "connect"
(let* ((address (make-socket-address AF_INET INADDR_LOOPBACK
6667))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:04 GMT) Full text and rfc822 format available.Message #29 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 08/12] services: ipfs: Adjust for Shepherd 0.9. Date: Sun, 17 Apr 2022 23:04:49 +0200
This is a followup to e1f0c88ea221d846b5a533c4dc88e99e953af63e.
* gnu/services/networking.scm (%ipfs-activation)[shepherd&co]: New
variable.
[container-gexp]: Use it.
---
gnu/services/networking.scm | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 5bb8638930..b302be5aaf 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -2074,12 +2074,19 @@ (define inner-gexp
#$@(map (cute apply set-config!-gexp <>) settings)))
(define inner-script
(program-file "ipfs-activation-inner" inner-gexp))
+
+ (define shepherd&co
+ ;; 'make-forkexec-constructor/container' needs version 0.9 for
+ ;; #:supplementary-groups.
+ (cons shepherd-0.9
+ (list (lookup-package-input shepherd-0.9 "guile-fibers"))))
+
;; Run ipfs init and ipfs config from a container,
;; in case the IPFS daemon was compromised at some point
;; and ~/.ipfs is now a symlink to somewhere outside
;; %ipfs-home.
(define container-gexp
- (with-extensions (list shepherd)
+ (with-extensions shepherd&co
(with-imported-modules (source-module-closure
'((gnu build shepherd)
(gnu system file-systems)))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:05 GMT) Full text and rfc822 format available.Message #32 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 10/12] services: wesnothd: Grant write access to /var/run/wesnothd. Date: Sun, 17 Apr 2022 23:04:51 +0200
* gnu/services/games.scm (wesnothd-shepherd-service): Augment 'modules'
field. Pass #:mappings argument to 'make-forkexec-constructor/container'.
(wesnothd-activation): New variable.
(wesnothd-service-type): Extend ACTIVATION-SERVICE-TYPE.
---
gnu/services/games.scm | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/gnu/services/games.scm b/gnu/services/games.scm
index b743f6a4b6..dc0bfbe9dc 100644
--- a/gnu/services/games.scm
+++ b/gnu/services/games.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Arun Isaac <arunisaac <at> systemreboot.net>
+;;; Copyright © 2022 Ludovic Courtès <ludo <at> gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -57,18 +58,35 @@ (define wesnothd-shepherd-service
(match-lambda
(($ <wesnothd-configuration> package port)
(with-imported-modules (source-module-closure
- '((gnu build shepherd)))
+ '((gnu build shepherd)
+ (gnu system file-systems)))
(shepherd-service
(documentation "The Battle for Wesnoth server")
(provision '(wesnoth-daemon))
(requirement '(networking))
- (modules '((gnu build shepherd)))
+ (modules '((gnu build shepherd)
+ (gnu system file-systems)))
(start #~(make-forkexec-constructor/container
(list #$(file-append package "/bin/wesnothd")
"-p" #$(number->string port))
+ #:mappings (list (file-system-mapping
+ (source "/var/run/wesnothd")
+ (target source)
+ (writable? #t)))
#:user "wesnothd" #:group "wesnothd"))
(stop #~(make-kill-destructor)))))))
+(define wesnothd-activation
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (let* ((user (getpw "wesnothd"))
+ (directory "/var/run/wesnothd"))
+ ;; wesnothd creates a Unix-domain socket in DIRECTORY.
+ (mkdir-p directory)
+ (chown directory (passwd:uid user) (passwd:gid user))))))
+
(define wesnothd-service-type
(service-type
(name 'wesnothd)
@@ -77,6 +95,8 @@ (define wesnothd-service-type
(extensions
(list (service-extension account-service-type
(const %wesnothd-accounts))
+ (service-extension activation-service-type
+ (const wesnothd-activation))
(service-extension shepherd-root-service-type
(compose list wesnothd-shepherd-service))))
(default-value (wesnothd-configuration))))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:05 GMT) Full text and rfc822 format available.Message #35 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 11/12] services: wesnothd: Use 'least-authority-wrapper'. Date: Sun, 17 Apr 2022 23:04:52 +0200
* gnu/services/games.scm (wesnothd-shepherd-service): Use
'least-authority-wrapper' instead of
'make-forkexec-constructor/container'.
---
gnu/services/games.scm | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/gnu/services/games.scm b/gnu/services/games.scm
index dc0bfbe9dc..6c2af44b49 100644
--- a/gnu/services/games.scm
+++ b/gnu/services/games.scm
@@ -23,6 +23,9 @@ (define-module (gnu services games)
#:use-module (gnu packages admin)
#:use-module (gnu packages games)
#:use-module (gnu system shadow)
+ #:use-module ((gnu system file-systems) #:select (file-system-mapping))
+ #:use-module (gnu build linux-container)
+ #:autoload (guix least-authority) (least-authority-wrapper)
#:use-module (guix gexp)
#:use-module (guix modules)
#:use-module (guix records)
@@ -57,22 +60,20 @@ (define %wesnothd-accounts
(define wesnothd-shepherd-service
(match-lambda
(($ <wesnothd-configuration> package port)
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
+ (let ((wesnothd (least-authority-wrapper
+ (file-append package "/bin/wesnothd")
+ #:name "wesnothd"
+ #:mappings (list (file-system-mapping
+ (source "/var/run/wesnothd")
+ (target source)
+ (writable? #t)))
+ #:namespaces (delq 'net %namespaces))))
(shepherd-service
(documentation "The Battle for Wesnoth server")
(provision '(wesnoth-daemon))
(requirement '(networking))
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$(file-append package "/bin/wesnothd")
- "-p" #$(number->string port))
- #:mappings (list (file-system-mapping
- (source "/var/run/wesnothd")
- (target source)
- (writable? #t)))
+ (start #~(make-forkexec-constructor
+ (list #$wesnothd "-p" #$(number->string port))
#:user "wesnothd" #:group "wesnothd"))
(stop #~(make-kill-destructor)))))))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:05 GMT) Full text and rfc822 format available.Message #38 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 09/12] services: ipfs: Use 'least-authority-wrapper'. Date: Sun, 17 Apr 2022 23:04:50 +0200
* gnu/services/networking.scm (ipfs-binary): Call
'least-authority-wrapper'.
(%ipfs-home-mapping): Remove surrounding gexp.
(ipfs-shepherd-service)[exec-command]: New procedure.
[ipfs-config-command, set-config!-gexp, shepherd&co]
[container-gexp, container-script]: Remove.
[inner-gexp]: Use 'exec-command'.
---
gnu/services/networking.scm | 123 +++++++++++++++++-------------------
1 file changed, 58 insertions(+), 65 deletions(-)
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index b302be5aaf..4708ade0ca 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2013-2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2015 Mark H Weaver <mhw <at> netris.org>
;;; Copyright © 2016, 2018, 2020 Efraim Flashner <efraim <at> flashner.co.il>
;;; Copyright © 2016 John Darrington <jmd <at> gnu.org>
@@ -43,6 +43,7 @@ (define-module (gnu services networking)
#:use-module (gnu services dbus)
#:use-module (gnu system shadow)
#:use-module (gnu system pam)
+ #:use-module ((gnu system file-systems) #:select (file-system-mapping))
#:use-module (gnu packages admin)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
@@ -59,6 +60,7 @@ (define-module (gnu services networking)
#:use-module (gnu packages gnome)
#:use-module (gnu packages ipfs)
#:use-module (gnu build linux-container)
+ #:autoload (guix least-authority) (least-authority-wrapper)
#:use-module (guix gexp)
#:use-module (guix records)
#:use-module (guix modules)
@@ -2018,13 +2020,20 @@ (define %ipfs-accounts
(system? #t))))
(define (ipfs-binary config)
- (file-append (ipfs-configuration-package config) "/bin/ipfs"))
+ (define command
+ (file-append (ipfs-configuration-package config) "/bin/ipfs"))
+
+ (least-authority-wrapper
+ command
+ #:name "ipfs"
+ #:mappings (list %ipfs-home-mapping)
+ #:namespaces (delq 'net %namespaces)))
(define %ipfs-home-mapping
- #~(file-system-mapping
- (source #$%ipfs-home)
- (target #$%ipfs-home)
- (writable? #t)))
+ (file-system-mapping
+ (source %ipfs-home)
+ (target %ipfs-home)
+ (writable? #t)))
(define %ipfs-environment
#~(list #$(string-append "HOME=" %ipfs-home)))
@@ -2033,82 +2042,66 @@ (define (ipfs-shepherd-service config)
"Return a <shepherd-service> for IPFS with CONFIG."
(define ipfs-daemon-command
#~(list #$(ipfs-binary config) "daemon"))
- (list
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
- (shepherd-service
- (provision '(ipfs))
- ;; While IPFS is most useful when the machine is connected
- ;; to the network, only loopback is required for starting
- ;; the service.
- (requirement '(loopback))
- (documentation "Connect to the IPFS network")
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- #$ipfs-daemon-command
- #:namespaces '#$(fold delq %namespaces '(user net))
- #:mappings (list #$%ipfs-home-mapping)
- #:log-file "/var/log/ipfs.log"
- #:user "ipfs"
- #:group "ipfs"
- #:environment-variables #$%ipfs-environment))
- (stop #~(make-kill-destructor))))))
+
+ (list (shepherd-service
+ (provision '(ipfs))
+ ;; While IPFS is most useful when the machine is connected
+ ;; to the network, only loopback is required for starting
+ ;; the service.
+ (requirement '(loopback))
+ (documentation "Connect to the IPFS network")
+ (start #~(make-forkexec-constructor
+ #$ipfs-daemon-command
+ #:log-file "/var/log/ipfs.log"
+ #:user "ipfs" #:group "ipfs"
+ #:environment-variables #$%ipfs-environment))
+ (stop #~(make-kill-destructor)))))
(define (%ipfs-activation config)
"Return an activation gexp for IPFS with CONFIG"
- (define (ipfs-config-command setting value)
- #~(#$(ipfs-binary config) "config" #$setting #$value))
- (define (set-config!-gexp setting value)
- #~(system* #$@(ipfs-config-command setting value)))
+ (define (exec-command . args)
+ ;; Exec the given ifps command with the right authority.
+ #~(let ((pid (primitive-fork)))
+ (if (zero? pid)
+ (dynamic-wind
+ (const #t)
+ (lambda ()
+ ;; Run ipfs init and ipfs config from a container,
+ ;; in case the IPFS daemon was compromised at some point
+ ;; and ~/.ipfs is now a symlink to somewhere outside
+ ;; %ipfs-home.
+ (let ((pw (getpwnam "ipfs")))
+ (setgroups '#())
+ (setgid (passwd:gid pw))
+ (setuid (passwd:uid pw))
+ (environ #$%ipfs-environment)
+ (execl #$(ipfs-binary config) #$@args)))
+ (lambda ()
+ (primitive-exit 127)))
+ (waitpid pid))))
+
(define settings
`(("Addresses.API" ,(ipfs-configuration-api config))
("Addresses.Gateway" ,(ipfs-configuration-gateway config))))
+
(define inner-gexp
#~(begin
(umask #o077)
;; Create $HOME/.ipfs structure
- (system* #$(ipfs-binary config) "init")
+ #$(exec-command "ipfs" "init")
;; Apply settings
- #$@(map (cute apply set-config!-gexp <>) settings)))
+ #$@(map (match-lambda
+ ((setting value)
+ (exec-command "ipfs" "config" setting value)))
+ settings)))
+
(define inner-script
(program-file "ipfs-activation-inner" inner-gexp))
- (define shepherd&co
- ;; 'make-forkexec-constructor/container' needs version 0.9 for
- ;; #:supplementary-groups.
- (cons shepherd-0.9
- (list (lookup-package-input shepherd-0.9 "guile-fibers"))))
-
- ;; Run ipfs init and ipfs config from a container,
- ;; in case the IPFS daemon was compromised at some point
- ;; and ~/.ipfs is now a symlink to somewhere outside
- ;; %ipfs-home.
- (define container-gexp
- (with-extensions shepherd&co
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
- #~(begin
- (use-modules (gnu build shepherd)
- (gnu system file-systems))
- (let* ((constructor
- (make-forkexec-constructor/container
- (list #$inner-script)
- #:namespaces '#$(fold delq %namespaces '(user))
- #:mappings (list #$%ipfs-home-mapping)
- #:user "ipfs"
- #:group "ipfs"
- #:environment-variables #$%ipfs-environment))
- (pid (constructor)))
- (waitpid pid))))))
;; The activation may happen from the initrd, which uses
;; a statically-linked guile, while the guix container
;; procedures require a working dynamic-link.
- (define container-script
- (program-file "ipfs-activation-container" container-gexp))
- #~(system* #$container-script))
+ #~(system* #$inner-script))
(define ipfs-service-type
(service-type
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Sun, 17 Apr 2022 21:06:06 GMT) Full text and rfc822 format available.Message #41 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH 12/12] services: quassel: Use 'least-authority-wrapper'. Date: Sun, 17 Apr 2022 23:04:53 +0200
* gnu/services/messaging.scm (quassel-shepherd-service): Use
'least-authority-wrapper' instead of
'make-forkexec-constructor/container'.
---
gnu/services/messaging.scm | 42 ++++++++++++++++++++------------------
1 file changed, 22 insertions(+), 20 deletions(-)
diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm
index 7fdd8cf285..05bf6e784b 100644
--- a/gnu/services/messaging.scm
+++ b/gnu/services/messaging.scm
@@ -939,29 +939,31 @@ (define-record-type* <quassel-configuration>
(define quassel-shepherd-service
(match-lambda
(($ <quassel-configuration> quassel interface port loglevel)
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
+ (let ((quassel (least-authority-wrapper
+ (file-append quassel "/bin/quasselcore")
+ #:name "quasselcore"
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/quassel")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/var/log/quassel")
+ (target source)
+ (writable? #t)))
+ ;; XXX: The daemon needs to live in the main user
+ ;; namespace, as root, so it can access /var/lib/quassel
+ ;; owned by "quasselcore".
+ #:namespaces (fold delq %namespaces '(net user)))))
(list (shepherd-service
(provision '(quassel))
(requirement '(user-processes networking))
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$(file-append quassel "/bin/quasselcore")
- "--configdir=/var/lib/quassel"
- "--logfile=/var/log/quassel/core.log"
- (string-append "--loglevel=" #$loglevel)
- (string-append "--port=" (number->string #$port))
- (string-append "--listen=" #$interface))
- #:mappings (list (file-system-mapping
- (source "/var/lib/quassel")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/var/log/quassel")
- (target source)
- (writable? #t)))))
+ (start #~(make-forkexec-constructor
+ (list #$quassel
+ "--configdir=/var/lib/quassel"
+ "--logfile=/var/log/quassel/core.log"
+ (string-append "--loglevel=" #$loglevel)
+ (string-append "--port=" (number->string #$port))
+ (string-append "--listen=" #$interface))))
(stop #~(make-kill-destructor))))))))
(define %quassel-account
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Mon, 18 Apr 2022 09:09:02 GMT) Full text and rfc822 format available.Message #44 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org>, 54997 <at> debbugs.gnu.org Subject: Re: [bug#54997] [PATCH 09/12] services: ipfs: Use 'least-authority-wrapper'. Date: Mon, 18 Apr 2022 11:08:02 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]: > [...] > > (define (ipfs-binary config) > - (file-append (ipfs-configuration-package config) "/bin/ipfs")) > + (define command > + (file-append (ipfs-configuration-package config) "/bin/ipfs")) > + > + (least-authority-wrapper > + command > + #:name "ipfs" > + #:mappings (list %ipfs-home-mapping) > + #:namespaces (delq 'net %namespaces))) To simplify things later, could #:user "ipfs" and #:group "ipfs" be added to the least-authority wrapper (and implemented in the 'least- authority procedre)? Then ... > + (define (exec-command . args) > + ;; Exec the given ifps command with the right authority. > + #~(let ((pid (primitive-fork))) > + (if (zero? pid) > + (dynamic-wind > + (const #t) > + (lambda () > + ;; Run ipfs init and ipfs config from a container, > + ;; in case the IPFS daemon was compromised at some point > + ;; and ~/.ipfs is now a symlink to somewhere outside > + ;; %ipfs-home. > + (let ((pw (getpwnam "ipfs"))) > + (setgroups '#()) > + (setgid (passwd:gid pw)) > + (setuid (passwd:uid pw)) > + (environ #$%ipfs-environment) > + (execl #$(ipfs-binary config) #$@args))) > + (lambda () > + (primitive-exit 127))) > + (waitpid pid)))) would become simpler as it wouldn't need to fork, exec, waitpid and dynamic-wind. Alternatively, if associating a user and group with a pola wrapper is problematic (*), what do you think of defining a 'system*/with-capabilities' or 'invoke/with-capabilities' in a central location? Greetings, Maxime.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Mon, 18 Apr 2022 09:13:02 GMT) Full text and rfc822 format available.Message #47 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org>, 54997 <at> debbugs.gnu.org Subject: Re: [bug#54997] [PATCH 12/12] services: quassel: Use 'least-authority-wrapper'. Date: Mon, 18 Apr 2022 11:12:11 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]: > + ;; XXX: The daemon needs to live in the main user > + ;; namespace, as root, so it can access /var/lib/quassel > + ;; owned by "quasselcore". The previous code did not have this comment, was the old code broken or is this a limitation of least-authority-wrapper? Greetings, Maxime.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Mon, 18 Apr 2022 09:15:01 GMT) Full text and rfc822 format available.Message #50 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org>, 54997 <at> debbugs.gnu.org Subject: Re: [bug#54997] [PATCH 07/12] services: bitlbee: Use 'make-inetd-constructor'. Date: Mon, 18 Apr 2022 11:13:59 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]: > + (start #~(if (defined? 'make-inetd-constructor) This is for compatibility with reconfiguring on old Shepherds I presume? I would add a comment here ;; Only use 'make-inetd-constructor' if it exists in the current, ;; Shepherd, possibly we are reconfiguring on an old Shepherd that ;; does not yet have 'make-inetd-constructor'. Greetings, Maxime.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Mon, 18 Apr 2022 09:16:01 GMT) Full text and rfc822 format available.Message #53 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org>, 54997 <at> debbugs.gnu.org Subject: Re: [bug#54997] [PATCH 04/12] Add (guix least-authority). Date: Mon, 18 Apr 2022 11:15:50 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]:
> +(define %precious-variables
> + ;; Environment variables preserved by the wrapper by default.
> + '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"))
This appears to be duplicated from (guix profiles), so there seems to
be a risk here of them going out-of-sync; would it make send for
(guix profiles) to read (guix least-authority) here?
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Mon, 18 Apr 2022 09:19:02 GMT) Full text and rfc822 format available.Message #56 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org>, 54997 <at> debbugs.gnu.org Subject: Re: [bug#54997] [PATCH 04/12] Add (guix least-authority). Date: Mon, 18 Apr 2022 11:18:49 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]: > +(define* (least-authority-wrapper program > + #:key (name "pola-wrapper") > + (guest-uid 1000) > + (guest-gid 1000) > + (mappings '()) > + (namespaces %namespaces) > + (directory "/") > + (preserved-environment-variables > + %precious-variables)) Could there be an option to define environment variables? E.g. set GUIX_LOCPATH for Guile packages that need locale data to read non-ASCII file names. As is, it seems like an environment-setting wrapper has to be inserted inside the pola wrapper to do this. Greetings, Maxime.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Tue, 19 Apr 2022 22:01:01 GMT) Full text and rfc822 format available.Message #59 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxime Devos <maximedevos <at> telenet.be> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Tue, 19 Apr 2022 23:59:53 +0200
Hi Maxime, Maxime Devos <maximedevos <at> telenet.be> skribis: > Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]: >> + ;; XXX: The daemon needs to live in the main user >> + ;; namespace, as root, so it can access /var/lib/quassel >> + ;; owned by "quasselcore". > > The previous code did not have this comment, was the old code broken or > is this a limitation of least-authority-wrapper? It’s just that ‘make-forkexec-constructor/container’ does it by default: --8<---------------cut here---------------start------------->8--- (define (default-namespaces args) ;; Most daemons are here to talk to the network, and most of them expect to ;; run under a non-zero UID. (fold delq %namespaces '(net user))) --8<---------------cut here---------------end--------------->8--- ‘least-authority-wrapper’ is stricter by defaulting to ‘%namespaces’. Ludo’.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Tue, 19 Apr 2022 22:03:02 GMT) Full text and rfc822 format available.Message #62 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxime Devos <maximedevos <at> telenet.be> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Wed, 20 Apr 2022 00:02:26 +0200
Maxime Devos <maximedevos <at> telenet.be> skribis: > Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]: >> [...] >> >> (define (ipfs-binary config) >> - (file-append (ipfs-configuration-package config) "/bin/ipfs")) >> + (define command >> + (file-append (ipfs-configuration-package config) "/bin/ipfs")) >> + >> + (least-authority-wrapper >> + command >> + #:name "ipfs" >> + #:mappings (list %ipfs-home-mapping) >> + #:namespaces (delq 'net %namespaces))) > > To simplify things later, could #:user "ipfs" and #:group "ipfs" be > added to the least-authority wrapper (and implemented in the 'least- > authority procedre)? Then ... To me it’s setuid/setgid is beyond the scope of ‘least-authority-wrapper’. And indeed, this place is the only one that needs it. > would become simpler as it wouldn't need to fork, exec, waitpid and > dynamic-wind. Alternatively, if associating a user and group with a > pola wrapper is problematic (*), what do you think of defining a > 'system*/with-capabilities' or 'invoke/with-capabilities' in a central > location? I’m not sure what these procedures would do. I think we should build the house one brick at a time; this is the first brick but I’m sure there’ll be others as we gain more experience and clearer use cases. Ludo’.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Tue, 19 Apr 2022 22:04:01 GMT) Full text and rfc822 format available.Message #65 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxime Devos <maximedevos <at> telenet.be> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Wed, 20 Apr 2022 00:03:16 +0200
Maxime Devos <maximedevos <at> telenet.be> skribis: > Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]: >> + (start #~(if (defined? 'make-inetd-constructor) > > This is for compatibility with reconfiguring on old Shepherds I > presume? Yes. > I would add a comment here > > ;; Only use 'make-inetd-constructor' if it exists in the current, > ;; Shepherd, possibly we are reconfiguring on an old Shepherd that > ;; does not yet have 'make-inetd-constructor'. Will do; probably something shorter because the same pattern occurs every time we use Shepherd 0.9 features.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Tue, 19 Apr 2022 22:05:02 GMT) Full text and rfc822 format available.Message #68 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxime Devos <maximedevos <at> telenet.be> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Wed, 20 Apr 2022 00:04:28 +0200
Maxime Devos <maximedevos <at> telenet.be> skribis:
> Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]:
>> +(define %precious-variables
>> + ;; Environment variables preserved by the wrapper by default.
>> + '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"))
>
> This appears to be duplicated from (guix profiles), so there seems to
> be a risk here of them going out-of-sync; would it make send for
> (guix profiles) to read (guix least-authority) here?
It is duplicated, but OTOH the use case is different. So I think it’s
OK to have a different definition here.
(Perhaps eventually we’ll do something fancier, like preserving
XAUTHORITY and DISPLAY if and only if we’re running an X11 program.)
Ludo’.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Tue, 19 Apr 2022 22:06:01 GMT) Full text and rfc822 format available.Message #71 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxime Devos <maximedevos <at> telenet.be> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Wed, 20 Apr 2022 00:05:23 +0200
Maxime Devos <maximedevos <at> telenet.be> skribis: > Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]: >> +(define* (least-authority-wrapper program >> + #:key (name "pola-wrapper") >> + (guest-uid 1000) >> + (guest-gid 1000) >> + (mappings '()) >> + (namespaces %namespaces) >> + (directory "/") >> + (preserved-environment-variables >> + %precious-variables)) > > Could there be an option to define environment variables? E.g. set > GUIX_LOCPATH for Guile packages that need locale data to read non-ASCII > file names. As is, it seems like an environment-setting wrapper has to > be inserted inside the pola wrapper to do this. Yes, good point. I’m tempted to wait until the first use case comes up though. :-) Thanks for taking a look!
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Fri, 22 Apr 2022 05:13:02 GMT) Full text and rfc822 format available.Message #74 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Thiago Jung Bauermann <bauermann <at> kolabnow.com> To: Ludovic Courtès <ludo <at> gnu.org> Cc: 54997 <at> debbugs.gnu.org, guix-patches <at> gnu.org Subject: Re: [bug#54997] [PATCH 01/12] gexp: Add 'references-file'. Date: Fri, 22 Apr 2022 02:01:39 -0300
Hello Ludo, This is an awesome series! It will be yet another strength of Guix to have many services as possible (and even desktop apps, hopefully) isolated. I have one question: Ludovic Courtès <ludo <at> gnu.org> writes: > + (define (read-graph port) > + ;; Return the list of references read from > + ;; PORT. This is a stripped-down version of > + ;; 'read-reference-graph'. > + (let loop ((items '())) > + (match (read-line port) > + ((? eof-object?) > + items) > + ((? string? item) > + (let ((deriver (read-line port)) > + (count > + (string->number (read-line port)))) > + (drop-lines port count) > + (loop (cons item items))))))) I'm sure I'm being dense, but I don't see how ‘item’ can change between iterations of this loop. Which in my mind means that ‘read-graph’ can only return a list where the original ‘item’ argument from ‘references-file’ is repeated many times over. I ran the tests/gexp.scm test and all tests pass, so this code must be working... -- Thanks Thiago
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Fri, 22 Apr 2022 05:13:02 GMT) Full text and rfc822 format available.guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Fri, 22 Apr 2022 14:41:02 GMT) Full text and rfc822 format available.Message #80 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Fri, 22 Apr 2022 16:39:43 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op wo 20-04-2022 om 00:02 [+0200]:
> > would become simpler as it wouldn't need to fork, exec, waitpid and
> > dynamic-wind. Alternatively, if associating a user and group with
> > a
> > pola wrapper is problematic (*), what do you think of defining a
> > 'system*/with-capabilities' or 'invoke/with-capabilities' in a
> > central
> > location?
>
> I’m not sure what these procedures would do.
>
> I think we should build the house one brick at a time; this is the
> first brick but I’m sure there’ll be others as we gain more
> experience and clearer use cases.
This system*/with-capabilities brick would do the primitive-
fork+setuid+setgid+execl thing:
(define (system*/with-capabilities command #:key user group extra-
groups environment)
;; Exec the given command with the right authority.
(let ((pid (primitive-fork)))
(if (zero? pid)
(dynamic-wind
(const #t)
(lambda ()
(let ((pw (getpwnam "ipfs"))) ; TODO use 'user' and
'group', and don't change user/group when already this user/group
(setgroups '#())
(setgid (passwd:gid pw))
(setuid (passwd:uid pw))
(environ environment)
(apply execl command)))
(lambda ()
(primitive-exit 127)))
(waitpid pid)))))
This would make this functionality available outside the ipfs service
as well. Over time, it could be extended to support more kinds of
ambient authority, e.g. namespaces, POSIX ‘capabilities’, capability
masks to disallow gaining capabilities by runningsetuid binaries, the
file system hierarchy (with bind mounts), removing all users and groups
(on the Hurd), ...
Many of these are supported by 'least-authority-wrapper' but these POLA
wrappers require creating an additional process which seems a bit
unoptimal to me (memory- and latency-wise).
Also, having to do fork, waitpid and primitive-fork seems rather low-
level to me, so I prefer moving this code into somewhere like (gnu
build SOMEWHERE) or to keep the old make-forkexec-constructor/container
code.
Greetinsgs,
Maxime.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Fri, 22 Apr 2022 15:03:02 GMT) Full text and rfc822 format available.Message #83 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org>, 54997 <at> debbugs.gnu.org Subject: Re: [bug#54997] [PATCH 00/12] Add "least authority" program wrapper Date: Fri, 22 Apr 2022 17:02:03 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op zo 17-04-2022 om 23:01 [+0200]:
> Hello Guix!
>
> So we have this fancy ‘make-forkexec-constructor/container’ thing
> to spawn Shepherd services in a container:
>
> https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/
>
> It’s nice, but it doesn’t compose. What if you want an inetd-style
> service *and* have it run in a container? We certainly don’t want to
> end up defining ‘make-inetd-constructor/container’ and so on.
Currently, it doesn't compose, but can it be made composable?
More concretely, maybe there could be a set of ‘process procedures’
implementable by record types:
;; Inspired by <https://docs.racket-lang.org/reference/subprocess.html>,
;; with some differences
(define (subprocess-start/separate process) ...) ; run it in a separate process
(define (subprocess-start/replace process) ...) ; run it with 'exec'
(define (subprocess-kill process) ...)
(define (subprocess-wait process) ...)
(define (subprocess-status process) ...)
;; Basic process constructor, doesn't do containers
(define (command-process ...) ...)
;; Container
(define (contain inner #:key container-stuff ...)
subprocess-start/separate: (run-container ... (lambda () (subprocess-start/replace inner)))
other procedures ...
return the record)
Then make-inetd-constructor could be changed to accept a lambda producing
'subprocess' records. By passing it a subprocess wrapped by 'contain', it would
automatically support container things:
(define (make-inetd-constructor/container-command command* ...)
(make-inetd-constructor (lambda () (contain (command-process comand*))) ...))
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Fri, 22 Apr 2022 20:29:01 GMT) Full text and rfc822 format available.Message #86 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Thiago Jung Bauermann <bauermann <at> kolabnow.com> To: Ludovic Courtès <ludo <at> gnu.org> Cc: 54997 <at> debbugs.gnu.org Subject: Re: [bug#54997] [PATCH 04/12] Add (guix least-authority). Date: Fri, 22 Apr 2022 17:10:19 -0300
Hello, Ludovic Courtès <ludo <at> gnu.org> writes: > + (reify-exit-status > + (call-with-container mounts > + (lambda () > + (chdir #$directory) > + (environ variables) > + (apply execl #$program #$program (cdr (command-line)))) I'm a bit concerned about running arbitrary commands as PID 1 of process namespaces. A process running as PID 1 (even in a child namespace) is a special case and is treated differently by the Linux kernel than any other process, so it needs to be a program that has been designed to work in that situation. There are two differences from regular processes: 1. PID 1 inherits orphan processes and needs to wait() on them when they quit, in order to avoid accumulating zombie processes in the system. 2. Unlike regular processes, PID 1 doesn't have default signal handlers. Both of these aspects are described in more detail here: https://github.com/krallin/tini/issues/8#issuecomment-146135930 So to avoid an accumulation of zombie processes and other signal-related problems, I suggest adding a “(init-program ,tini)” parameter to ‘least-authority-wrapper’ and executing ‘program’ as a subprocess of ‘tini’ or whatever was passed as the #:init-program (perhaps #f could mean running ‘program’ directly as PID 1). I mention this because I'm currently dealing with a problem that has exactly this root cause: I'm working on updating the public-inbox package to the latest version, and the testsuite is failing because it tests that lei's daemon process is correctly terminated. But that doesn't work because “guix build” doesn't use a proper init program as PID 1 and thus the daemon process goes to zombie state and the testsuite thinks that it didn't go away. I'm hoping to send a patch to fix that issue. -- Thanks Thiago
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Tue, 26 Apr 2022 20:18:01 GMT) Full text and rfc822 format available.Message #89 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Thiago Jung Bauermann <bauermann <at> kolabnow.com> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Tue, 26 Apr 2022 22:17:44 +0200
Hi Thiago,
Thiago Jung Bauermann <bauermann <at> kolabnow.com> skribis:
> This is an awesome series! It will be yet another strength of Guix to
> have many services as possible (and even desktop apps, hopefully)
> isolated.
Thanks. :-)
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> + (define (read-graph port)
>> + ;; Return the list of references read from
>> + ;; PORT. This is a stripped-down version of
>> + ;; 'read-reference-graph'.
>> + (let loop ((items '()))
>> + (match (read-line port)
>> + ((? eof-object?)
>> + items)
>> + ((? string? item)
>> + (let ((deriver (read-line port))
>> + (count
>> + (string->number (read-line port))))
>> + (drop-lines port count)
>> + (loop (cons item items)))))))
>
> I'm sure I'm being dense, but I don't see how ‘item’ can change between
> iterations of this loop.
Each iteration reads a new line from PORT, an input port on a text file.
The file is created by guix-daemon and has a format like this:
FILE
DERIVER
NUMBER-OF-REFERENCES
REF1
...
REFN
where each FILE is a store item (see store-copy.scm for details).
Here we only care about FILE and REF*.
> Which in my mind means that ‘read-graph’ can only return a list where
> the original ‘item’ argument from ‘references-file’ is repeated many
> times over. I ran the tests/gexp.scm test and all tests pass, so this
> code must be working...
I think it does! :-) It wouldn’t hurt to add a call to
‘delete-duplicates’ though.
Ludo’.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Tue, 26 Apr 2022 20:23:02 GMT) Full text and rfc822 format available.Message #92 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxime Devos <maximedevos <at> telenet.be> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Tue, 26 Apr 2022 22:22:42 +0200
Hi Maxime, Maxime Devos <maximedevos <at> telenet.be> skribis: > Ludovic Courtès schreef op zo 17-04-2022 om 23:01 [+0200]: >> Hello Guix! >> >> So we have this fancy ‘make-forkexec-constructor/container’ thing >> to spawn Shepherd services in a container: >> >> https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/ >> >> It’s nice, but it doesn’t compose. What if you want an inetd-style >> service *and* have it run in a container? We certainly don’t want to >> end up defining ‘make-inetd-constructor/container’ and so on. > > Currently, it doesn't compose, but can it be made composable? > More concretely, maybe there could be a set of ‘process procedures’ > implementable by record types: > > ;; Inspired by <https://docs.racket-lang.org/reference/subprocess.html>, > ;; with some differences > (define (subprocess-start/separate process) ...) ; run it in a separate process > (define (subprocess-start/replace process) ...) ; run it with 'exec' > (define (subprocess-kill process) ...) > (define (subprocess-wait process) ...) > (define (subprocess-status process) ...) > > ;; Basic process constructor, doesn't do containers > (define (command-process ...) ...) > > ;; Container > (define (contain inner #:key container-stuff ...) > subprocess-start/separate: (run-container ... (lambda () (subprocess-start/replace inner))) > other procedures ... > return the record) > > Then make-inetd-constructor could be changed to accept a lambda producing > 'subprocess' records. By passing it a subprocess wrapped by 'contain', it would > automatically support container things: > > (define (make-inetd-constructor/container-command command* ...) > (make-inetd-constructor (lambda () (contain (command-process comand*))) ...)) A (sub)process abstraction could be useful, indeed. But like you write, we’d need further changes in shepherd itself, which makes it less appealing IMO. I like that the “POLA wrapper” allows us to deal with this aspect in a fairly orthogonal fashion. Thanks! Ludo’.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Tue, 26 Apr 2022 20:31:02 GMT) Full text and rfc822 format available.Message #95 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Thiago Jung Bauermann <bauermann <at> kolabnow.com> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Tue, 26 Apr 2022 22:30:47 +0200
Hi! Thiago Jung Bauermann <bauermann <at> kolabnow.com> skribis: > I'm a bit concerned about running arbitrary commands as PID 1 of process > namespaces. A process running as PID 1 (even in a child namespace) is a > special case and is treated differently by the Linux kernel than any > other process, so it needs to be a program that has been designed to > work in that situation. There are two differences from regular > processes: > > 1. PID 1 inherits orphan processes and needs to wait() on them when they > quit, in order to avoid accumulating zombie processes in the system. > > 2. Unlike regular processes, PID 1 doesn't have default signal handlers. Good points. > Both of these aspects are described in more detail here: > > https://github.com/krallin/tini/issues/8#issuecomment-146135930 > > So to avoid an accumulation of zombie processes and other signal-related > problems, I suggest adding a “(init-program ,tini)” parameter to > ‘least-authority-wrapper’ and executing ‘program’ as a subprocess of > ‘tini’ or whatever was passed as the #:init-program (perhaps #f could > mean running ‘program’ directly as PID 1). Hmm yes. It’s not great that the choice is between ‘unshare’—efficient but the process lives in the parent PID namespace—and ‘clone’—but then you have to fork twice. But yeah, you’re right. I’ll try what you suggest and send a v2. > I mention this because I'm currently dealing with a problem that has > exactly this root cause: I'm working on updating the public-inbox > package to the latest version, and the testsuite is failing because it > tests that lei's daemon process is correctly terminated. But that > doesn't work because “guix build” doesn't use a proper init program as > PID 1 and thus the daemon process goes to zombie state and the testsuite > thinks that it didn't go away. I'm hoping to send a patch to fix that > issue. Now that you mention it, this was discussed before: https://issues.guix.gnu.org/30948 I think we should do something about it in gnu-build-system.scm. Thanks for your feedback! Ludo’.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Tue, 26 Apr 2022 20:49:02 GMT) Full text and rfc822 format available.Message #98 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Thiago Jung Bauermann <bauermann <at> kolabnow.com> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Tue, 26 Apr 2022 22:48:18 +0200
Thiago Jung Bauermann <bauermann <at> kolabnow.com> skribis: > I'm a bit concerned about running arbitrary commands as PID 1 of process > namespaces. A process running as PID 1 (even in a child namespace) is a > special case and is treated differently by the Linux kernel than any > other process, so it needs to be a program that has been designed to > work in that situation. There are two differences from regular > processes: > > 1. PID 1 inherits orphan processes and needs to wait() on them when they > quit, in order to avoid accumulating zombie processes in the system. > > 2. Unlike regular processes, PID 1 doesn't have default signal handlers. Actually right now ‘make-forkexec-constructor/container’ runs processes as PID 1. AFAIK this hasn’t been a problem in practice, probably for two reasons: (1) we’re wrapping daemons that don’t fork (unlike Jenkins…), and (2) ‘call-with-container’ installs a SIGINT handler and probably daemons also install SIGTERM and related handlers of their own. Anyway, it’s a class of problem that would be best avoided in the first place! Ludo’.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:57:01 GMT) Full text and rfc822 format available.Message #101 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 01/15] gexp: Add 'references-file'. Date: Wed, 27 Apr 2022 18:56:21 +0200
* gnu/services/base.scm (references-file): Remove.
* guix/gexp.scm (references-file): New procedure.
* tests/gexp.scm ("references-file"): New test.
---
gnu/services/base.scm | 22 ----------------------
guix/gexp.scm | 44 +++++++++++++++++++++++++++++++++++++++++++
tests/gexp.scm | 18 ++++++++++++++++++
3 files changed, 62 insertions(+), 22 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 5d7c69a9cd..182badd97f 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -219,8 +219,6 @@ (define-module (gnu services base)
pam-limits-service-type
pam-limits-service
- references-file
-
%base-services))
;;; Commentary:
@@ -1768,26 +1766,6 @@ (define (guix-activation config)
(substitute-key-authorization authorized-keys guix)
#~#f))))
-(define* (references-file item #:optional (name "references"))
- "Return a file that contains the list of references of ITEM."
- (if (struct? item) ;lowerable object
- (computed-file name
- (with-extensions (list guile-gcrypt) ;for store-copy
- (with-imported-modules (source-module-closure
- '((guix build store-copy)))
- #~(begin
- (use-modules (guix build store-copy))
-
- (call-with-output-file #$output
- (lambda (port)
- (write (map store-info-item
- (call-with-input-file "graph"
- read-reference-graph))
- port))))))
- #:options `(#:local-build? #f
- #:references-graphs (("graph" ,item))))
- (plain-file name "()")))
-
(define guix-service-type
(service-type
(name 'guix)
diff --git a/guix/gexp.scm b/guix/gexp.scm
index 9fdb7a30be..ef92223048 100644
--- a/guix/gexp.scm
+++ b/guix/gexp.scm
@@ -118,6 +118,7 @@ (define-module (guix gexp)
mixed-text-file
file-union
directory-union
+ references-file
imported-files
imported-modules
@@ -2173,6 +2174,49 @@ (define log-port
#:resolve-collision
(ungexp resolve-collision)))))))))
+(define* (references-file item #:optional (name "references")
+ #:key guile)
+ "Return a file that contains the list of direct and indirect references (the
+closure) of ITEM."
+ (if (struct? item) ;lowerable object
+ (computed-file name
+ (gexp (begin
+ (use-modules (srfi srfi-1)
+ (ice-9 rdelim)
+ (ice-9 match))
+
+ (define (drop-lines port n)
+ ;; Drop N lines read from PORT.
+ (let loop ((n n))
+ (unless (zero? n)
+ (read-line port)
+ (loop (- n 1)))))
+
+ (define (read-graph port)
+ ;; Return the list of references read from
+ ;; PORT. This is a stripped-down version of
+ ;; 'read-reference-graph'.
+ (let loop ((items '()))
+ (match (read-line port)
+ ((? eof-object?)
+ (delete-duplicates items))
+ ((? string? item)
+ (let ((deriver (read-line port))
+ (count
+ (string->number (read-line port))))
+ (drop-lines port count)
+ (loop (cons item items)))))))
+
+ (call-with-output-file (ungexp output)
+ (lambda (port)
+ (write (call-with-input-file "graph"
+ read-graph)
+ port)))))
+ #:guile guile
+ #:options `(#:local-build? #t
+ #:references-graphs (("graph" ,item))))
+ (plain-file name "()")))
+
;;;
;;; Syntactic sugar.
diff --git a/tests/gexp.scm b/tests/gexp.scm
index c80ca13fab..35bd99e6d4 100644
--- a/tests/gexp.scm
+++ b/tests/gexp.scm
@@ -1606,6 +1606,24 @@ (define (contents=? file str)
(not (member (derivation-file-name native) refs))
(member (derivation-file-name cross) refs))))))
+(test-assertm "references-file"
+ (let* ((exp #~(symlink #$%bootstrap-guile #$output))
+ (computed (computed-file "computed" exp
+ #:guile %bootstrap-guile))
+ (refs (references-file computed "refs"
+ #:guile %bootstrap-guile)))
+ (mlet* %store-monad ((drv0 (lower-object %bootstrap-guile))
+ (drv1 (lower-object computed))
+ (drv2 (lower-object refs)))
+ (mbegin %store-monad
+ (built-derivations (list drv2))
+ (mlet %store-monad ((refs ((store-lift requisites)
+ (list (derivation->output-path drv1)))))
+ (return (lset= string=?
+ (call-with-input-file (derivation->output-path drv2)
+ read)
+ refs)))))))
+
(test-assert "lower-object & gexp-input-error?"
(guard (c ((gexp-input-error? c)
(gexp-error-invalid-input c)))
--
2.35.1
bauermann <at> kolabnow.com, maximedevos <at> telenet.be, guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:57:01 GMT) Full text and rfc822 format available.Message #104 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 00/15] Add "least authority" program wrapper Date: Wed, 27 Apr 2022 18:56:20 +0200
Hi!
Changes since v1:
• Add ‘delete-duplicates’ call in ‘references-file’.
• Work around unreliable signal delivery in Guile (note that
this is not a new problem; I just happened to notice it).
This part is unsatisfactory. The solution in the Shepherd is
signalfd(2) on GNU/Linux, but using it requires quite a bit
of infrastructure.
• New #:child-is-pid1? parameter for ‘call-with-container’, set
to #false by ‘least-authority-wrapper’. This is probably
overkill for most cases (daemons that, unlike Jenkins, don’t
run arbitrary user scripts are unlikely to leave zombies
behind them), but safer.
• Converted opendht service to ‘least-authority-wrapper’.
I think it’s good to go.
Thoughts?
Thanks,
Ludo’.
Ludovic Courtès (15):
gexp: Add 'references-file'.
file-systems: Avoid load-time warnings when attempting to load (guix
store).
linux-container: 'call-with-container' relays SIGTERM and SIGINT.
linux-container: Ensure signal-handling asyncs get a chance to run.
linux-container: Add #:child-is-pid1? parameter to
'call-with-container'.
Add (guix least-authority).
services: dicod: Rewrite using 'least-authority-wrapper'.
services: dicod: Use 'make-inetd-constructor'.
services: bitlbee: Use 'make-inetd-constructor'.
services: ipfs: Adjust for Shepherd 0.9.
services: ipfs: Use 'least-authority-wrapper'.
services: wesnothd: Grant write access to /var/run/wesnothd.
services: wesnothd: Use 'least-authority-wrapper'.
services: quassel: Use 'least-authority-wrapper'.
services: opendht: Use 'least-authority-wrapper'.
Makefile.am | 1 +
gnu/build/linux-container.scm | 78 +++++++++++++++--
gnu/build/shepherd.scm | 3 +-
gnu/services/base.scm | 22 -----
gnu/services/dict.scm | 61 ++++++++-----
gnu/services/games.scm | 33 +++++--
gnu/services/messaging.scm | 105 ++++++++++++++--------
gnu/services/networking.scm | 158 +++++++++++++++++-----------------
gnu/system/file-systems.scm | 5 +-
gnu/tests/messaging.scm | 21 +----
guix/gexp.scm | 44 ++++++++++
guix/least-authority.scm | 135 +++++++++++++++++++++++++++++
tests/gexp.scm | 18 ++++
13 files changed, 491 insertions(+), 193 deletions(-)
create mode 100644 guix/least-authority.scm
base-commit: 950f3e4f98add14f645dc4c9f8c512cac7b8a779
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:02 GMT) Full text and rfc822 format available.Message #107 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 02/15] file-systems: Avoid load-time warnings when attempting to load (guix store). Date: Wed, 27 Apr 2022 18:56:22 +0200
This makes sure warnings like "incompatible bytecode version" don't go
through when looking for (guix store).
* gnu/system/file-systems.scm (%store-prefix): Parameterize
'current-warning-port' around 'resolve-module' call.
---
gnu/system/file-systems.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 437f8da898..f8f4276283 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013-2021 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2013-2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2020 Google LLC
;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net>
;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
@@ -272,7 +272,8 @@ (define (%store-prefix)
;; Note: If we have (guix store database) in the search path and we do *not*
;; have (guix store) proper, 'resolve-module' returns an empty (guix store)
;; with one sub-module.
- (cond ((and=> (resolve-module '(guix store) #:ensure #f)
+ (cond ((and=> (parameterize ((current-warning-port (%make-void-port "w0")))
+ (resolve-module '(guix store) #:ensure #f))
(lambda (store)
(module-variable store '%store-prefix)))
=>
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:03 GMT) Full text and rfc822 format available.Message #110 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 03/15] linux-container: 'call-with-container' relays SIGTERM and SIGINT. Date: Wed, 27 Apr 2022 18:56:23 +0200
* gnu/build/linux-container.scm (call-with-container): Add #:relayed-signals.
[install-signal-handlers]: New procedure.
Call it.
---
gnu/build/linux-container.scm | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index bdeca2cdb9..03c01439ce 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -303,6 +303,7 @@ (define (call-with-temporary-directory proc)
(define* (call-with-container mounts thunk #:key (namespaces %namespaces)
(host-uids 1) (guest-uid 0) (guest-gid 0)
+ (relayed-signals (list SIGINT SIGTERM))
(process-spawned-hook (const #t)))
"Run THUNK in a new container process and return its exit status; call
PROCESS-SPAWNED-HOOK with the PID of the new process that has been spawned.
@@ -320,20 +321,27 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
GUEST-UID and GUEST-GID specify the first UID (respectively GID) that host
UIDs (respectively GIDs) map to in the namespace.
+RELAYED-SIGNALS is the list of signals that are \"relayed\" to the container
+process when caught by its parent.
+
Note that if THUNK needs to load any additional Guile modules, the relevant
module files must be present in one of the mappings in MOUNTS and the Guile
load path must be adjusted as needed."
+ (define (install-signal-handlers pid)
+ ;; Install handlers that forward signals to PID.
+ (define (relay-signal signal)
+ (false-if-exception (kill pid signal)))
+
+ (for-each (lambda (signal)
+ (sigaction signal relay-signal))
+ relayed-signals))
+
(call-with-temporary-directory
(lambda (root)
(let ((pid (run-container root mounts namespaces host-uids thunk
#:guest-uid guest-uid
#:guest-gid guest-gid)))
- ;; Catch SIGINT and kill the container process.
- (sigaction SIGINT
- (lambda (signum)
- (false-if-exception
- (kill pid SIGKILL))))
-
+ (install-signal-handlers pid)
(process-spawned-hook pid)
(match (waitpid pid)
((_ . status) status))))))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:03 GMT) Full text and rfc822 format available.Message #113 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 04/15] linux-container: Ensure signal-handling asyncs get a chance to run. Date: Wed, 27 Apr 2022 18:56:24 +0200
Previously we could enter the blocking 'waitpid' call and miss an
opportunity to run the signal handler async.
* gnu/build/linux-container.scm (call-with-container)
[periodically-schedule-asyncs]: New procedure.
[install-signal-handlers]: Call it.
---
gnu/build/linux-container.scm | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index 03c01439ce..1fac8f4b92 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -327,11 +327,20 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
Note that if THUNK needs to load any additional Guile modules, the relevant
module files must be present in one of the mappings in MOUNTS and the Guile
load path must be adjusted as needed."
+ (define (periodically-schedule-asyncs)
+ ;; XXX: In Guile there's a time window where a signal-handling async could
+ ;; be queued without being processed by the time we enter a blocking
+ ;; syscall like waitpid(2) (info "(guile) Signals"). This terrible hack
+ ;; ensures pending asyncs get a chance to run periodically.
+ (sigaction SIGALRM (lambda _ (alarm 1)))
+ (alarm 1))
+
(define (install-signal-handlers pid)
;; Install handlers that forward signals to PID.
(define (relay-signal signal)
(false-if-exception (kill pid signal)))
+ (periodically-schedule-asyncs)
(for-each (lambda (signal)
(sigaction signal relay-signal))
relayed-signals))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:04 GMT) Full text and rfc822 format available.Message #116 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 05/15] linux-container: Add #:child-is-pid1? parameter to 'call-with-container'. Date: Wed, 27 Apr 2022 18:56:25 +0200
* gnu/build/linux-container.scm (wait-child-process)
(status->exit-status): New procedures.
(call-with-container): Add #:child-is-pid1? parameter and honor it.
[thunk*]: New variable. Pass it to 'run-container'.
---
gnu/build/linux-container.scm | 49 ++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index 1fac8f4b92..a0c8174721 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -301,9 +301,28 @@ (define (call-with-temporary-directory proc)
(lambda ()
(false-if-exception (delete-file-recursively tmp-dir))))))
+(define (wait-child-process)
+ "Wait for one child process and return a pair, like 'waitpid', or return #f
+if there are no child processes left."
+ (catch 'system-error
+ (lambda ()
+ (waitpid WAIT_ANY))
+ (lambda args
+ (if (= ECHILD (system-error-errno args))
+ #f
+ (apply throw args)))))
+
+(define (status->exit-status status)
+ "Reify STATUS as an exit status."
+ (or (status:exit-val status)
+ ;; See <http://www.tldp.org/LDP/abs/html/exitcodes.html#EXITCODESREF>.
+ (+ 128 (or (status:term-sig status)
+ (status:stop-sig status)))))
+
(define* (call-with-container mounts thunk #:key (namespaces %namespaces)
(host-uids 1) (guest-uid 0) (guest-gid 0)
(relayed-signals (list SIGINT SIGTERM))
+ (child-is-pid1? #t)
(process-spawned-hook (const #t)))
"Run THUNK in a new container process and return its exit status; call
PROCESS-SPAWNED-HOOK with the PID of the new process that has been spawned.
@@ -324,9 +343,37 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
RELAYED-SIGNALS is the list of signals that are \"relayed\" to the container
process when caught by its parent.
+When CHILD-IS-PID1? is true, and if NAMESPACES contains 'pid', then the child
+process runs directly as PID 1. As such, it is responsible for (1) installing
+signal handlers and (2) reaping terminated processes by calling 'waitpid'.
+When CHILD-IS-PID1? is false, a new intermediate process is created instead
+that takes this responsibility.
+
Note that if THUNK needs to load any additional Guile modules, the relevant
module files must be present in one of the mappings in MOUNTS and the Guile
load path must be adjusted as needed."
+ (define thunk*
+ (if (and (memq 'pid namespaces)
+ (not child-is-pid1?))
+ (lambda ()
+ ;; Behave like an init process: create a sub-process that calls
+ ;; THUNK, and wait for child processes. Furthermore, forward
+ ;; RELAYED-SIGNALS to the child process.
+ (match (primitive-fork)
+ (0
+ (call-with-clean-exit thunk))
+ (pid
+ (install-signal-handlers pid)
+ (let loop ()
+ (match (wait-child-process)
+ ((child . status)
+ (if (= child pid)
+ (primitive-exit (status->exit-status status))
+ (loop)))
+ (#f
+ (primitive-exit 128))))))) ;cannot happen
+ thunk))
+
(define (periodically-schedule-asyncs)
;; XXX: In Guile there's a time window where a signal-handling async could
;; be queued without being processed by the time we enter a blocking
@@ -347,7 +394,7 @@ (define (relay-signal signal)
(call-with-temporary-directory
(lambda (root)
- (let ((pid (run-container root mounts namespaces host-uids thunk
+ (let ((pid (run-container root mounts namespaces host-uids thunk*
#:guest-uid guest-uid
#:guest-gid guest-gid)))
(install-signal-handlers pid)
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:04 GMT) Full text and rfc822 format available.Message #119 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 12/15] services: wesnothd: Grant write access to /var/run/wesnothd. Date: Wed, 27 Apr 2022 18:56:32 +0200
* gnu/services/games.scm (wesnothd-shepherd-service): Augment 'modules'
field. Pass #:mappings argument to 'make-forkexec-constructor/container'.
(wesnothd-activation): New variable.
(wesnothd-service-type): Extend ACTIVATION-SERVICE-TYPE.
---
gnu/services/games.scm | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/gnu/services/games.scm b/gnu/services/games.scm
index b743f6a4b6..dc0bfbe9dc 100644
--- a/gnu/services/games.scm
+++ b/gnu/services/games.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Arun Isaac <arunisaac <at> systemreboot.net>
+;;; Copyright © 2022 Ludovic Courtès <ludo <at> gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -57,18 +58,35 @@ (define wesnothd-shepherd-service
(match-lambda
(($ <wesnothd-configuration> package port)
(with-imported-modules (source-module-closure
- '((gnu build shepherd)))
+ '((gnu build shepherd)
+ (gnu system file-systems)))
(shepherd-service
(documentation "The Battle for Wesnoth server")
(provision '(wesnoth-daemon))
(requirement '(networking))
- (modules '((gnu build shepherd)))
+ (modules '((gnu build shepherd)
+ (gnu system file-systems)))
(start #~(make-forkexec-constructor/container
(list #$(file-append package "/bin/wesnothd")
"-p" #$(number->string port))
+ #:mappings (list (file-system-mapping
+ (source "/var/run/wesnothd")
+ (target source)
+ (writable? #t)))
#:user "wesnothd" #:group "wesnothd"))
(stop #~(make-kill-destructor)))))))
+(define wesnothd-activation
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (let* ((user (getpw "wesnothd"))
+ (directory "/var/run/wesnothd"))
+ ;; wesnothd creates a Unix-domain socket in DIRECTORY.
+ (mkdir-p directory)
+ (chown directory (passwd:uid user) (passwd:gid user))))))
+
(define wesnothd-service-type
(service-type
(name 'wesnothd)
@@ -77,6 +95,8 @@ (define wesnothd-service-type
(extensions
(list (service-extension account-service-type
(const %wesnothd-accounts))
+ (service-extension activation-service-type
+ (const wesnothd-activation))
(service-extension shepherd-root-service-type
(compose list wesnothd-shepherd-service))))
(default-value (wesnothd-configuration))))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:05 GMT) Full text and rfc822 format available.Message #122 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 10/15] services: ipfs: Adjust for Shepherd 0.9. Date: Wed, 27 Apr 2022 18:56:30 +0200
This is a followup to e1f0c88ea221d846b5a533c4dc88e99e953af63e.
* gnu/services/networking.scm (%ipfs-activation)[shepherd&co]: New
variable.
[container-gexp]: Use it.
---
gnu/services/networking.scm | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 5bb8638930..b302be5aaf 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -2074,12 +2074,19 @@ (define inner-gexp
#$@(map (cute apply set-config!-gexp <>) settings)))
(define inner-script
(program-file "ipfs-activation-inner" inner-gexp))
+
+ (define shepherd&co
+ ;; 'make-forkexec-constructor/container' needs version 0.9 for
+ ;; #:supplementary-groups.
+ (cons shepherd-0.9
+ (list (lookup-package-input shepherd-0.9 "guile-fibers"))))
+
;; Run ipfs init and ipfs config from a container,
;; in case the IPFS daemon was compromised at some point
;; and ~/.ipfs is now a symlink to somewhere outside
;; %ipfs-home.
(define container-gexp
- (with-extensions (list shepherd)
+ (with-extensions shepherd&co
(with-imported-modules (source-module-closure
'((gnu build shepherd)
(gnu system file-systems)))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:05 GMT) Full text and rfc822 format available.Message #125 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 08/15] services: dicod: Use 'make-inetd-constructor'. Date: Wed, 27 Apr 2022 18:56:28 +0200
* gnu/services/dict.scm (dicod-shepherd-service): Use
'make-inetd-constructor' in the 'start' method when available.
---
gnu/services/dict.scm | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/gnu/services/dict.scm b/gnu/services/dict.scm
index 62b21f8d53..109917c05c 100644
--- a/gnu/services/dict.scm
+++ b/gnu/services/dict.scm
@@ -146,6 +146,7 @@ (define %dicod-activation
(define (dicod-shepherd-service config)
(let* ((dicod.conf (dicod-configuration-file config))
+ (interfaces (dicod-configuration-interfaces config))
(dicod (least-authority-wrapper
(file-append (dicod-configuration-dico config)
"/bin/dicod")
@@ -165,10 +166,19 @@ (define (dicod-shepherd-service config)
(provision '(dicod))
(requirement '(user-processes))
(documentation "Run the dicod daemon.")
- (start #~(make-forkexec-constructor
- (list #$dicod "--foreground"
- (string-append "--config=" #$dicod.conf))
- #:user "dicod" #:group "dicod"))
+ (start #~(if (and (defined? 'make-inetd-constructor)
+ #$(= 1 (length interfaces))) ;XXX
+ (make-inetd-constructor
+ (list #$dicod "--inetd" "--foreground"
+ (string-append "--config=" #$dicod.conf))
+ (addrinfo:addr
+ (car (getaddrinfo #$(first interfaces) "dict")))
+ #:user "dicod" #:group "dicod"
+ #:service-name-stem "dicod")
+ (make-forkexec-constructor
+ (list #$dicod "--foreground"
+ (string-append "--config=" #$dicod.conf))
+ #:user "dicod" #:group "dicod")))
(stop #~(make-kill-destructor))))))
(define dicod-service-type
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:05 GMT) Full text and rfc822 format available.Message #128 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 06/15] Add (guix least-authority). Date: Wed, 27 Apr 2022 18:56:26 +0200
* guix/least-authority.scm: New file.
* Makefile.am (MODULES): Add it.
* gnu/build/shepherd.scm (default-mounts): Make public.
---
Makefile.am | 1 +
gnu/build/shepherd.scm | 3 +-
guix/least-authority.scm | 135 +++++++++++++++++++++++++++++++++++++++
3 files changed, 138 insertions(+), 1 deletion(-)
create mode 100644 guix/least-authority.scm
diff --git a/Makefile.am b/Makefile.am
index fecce7c6f7..d0d58da4e3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -130,6 +130,7 @@ MODULES = \
guix/cache.scm \
guix/cve.scm \
guix/workers.scm \
+ guix/least-authority.scm \
guix/ipfs.scm \
guix/build-system.scm \
guix/build-system/android-ndk.scm \
diff --git a/gnu/build/shepherd.scm b/gnu/build/shepherd.scm
index d52e53eb78..f4caefce3c 100644
--- a/gnu/build/shepherd.scm
+++ b/gnu/build/shepherd.scm
@@ -31,7 +31,8 @@ (define-module (gnu build shepherd)
exec-command
%precious-signals)
#:autoload (shepherd system) (unblock-signals)
- #:export (make-forkexec-constructor/container
+ #:export (default-mounts
+ make-forkexec-constructor/container
fork+exec-command/container))
;;; Commentary:
diff --git a/guix/least-authority.scm b/guix/least-authority.scm
new file mode 100644
index 0000000000..d871816fca
--- /dev/null
+++ b/guix/least-authority.scm
@@ -0,0 +1,135 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2022 Ludovic Courtès <ludo <at> gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (guix least-authority)
+ #:use-module (guix gexp)
+ #:use-module (guix modules)
+ #:use-module ((guix store) #:select (%store-prefix))
+ #:autoload (gnu build linux-container) (%namespaces)
+ #:autoload (gnu system file-systems) (file-system-mapping
+ file-system-mapping-source
+ spec->file-system
+ file-system->spec
+ file-system-mapping->bind-mount)
+ #:export (least-authority-wrapper))
+
+;;; Commentary:
+;;;
+;;; This module provides tools to execute programs with the least authority
+;;; necessary, using Linux namespaces.
+;;;
+;;; Code:
+
+(define %precious-variables
+ ;; Environment variables preserved by the wrapper by default.
+ '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"))
+
+(define* (least-authority-wrapper program
+ #:key (name "pola-wrapper")
+ (guest-uid 1000)
+ (guest-gid 1000)
+ (mappings '())
+ (namespaces %namespaces)
+ (directory "/")
+ (preserved-environment-variables
+ %precious-variables))
+ "Return a wrapper of PROGRAM that executes it with the least authority.
+
+PROGRAM is executed in separate namespaces according to NAMESPACES, a list of
+symbols; it turns with GUEST-UID and GUEST-GID. MAPPINGS is a list of
+<file-system-mapping> records indicating directories mirrored inside the
+execution environment of PROGRAM. DIRECTORY is the working directory of the
+wrapped process. Each environment listed in PRESERVED-ENVIRONMENT-VARIABLES
+is preserved; other environment variables are erased."
+ (define code
+ (with-imported-modules (source-module-closure
+ '((gnu system file-systems)
+ (gnu build shepherd)
+ (gnu build linux-container)))
+ #~(begin
+ (use-modules (gnu system file-systems)
+ (gnu build linux-container)
+ ((gnu build shepherd) #:select (default-mounts))
+ (srfi srfi-1))
+
+ (define variables
+ (filter-map (lambda (variable)
+ (let ((value (getenv variable)))
+ (and value
+ (string-append variable "=" value))))
+ '#$preserved-environment-variables))
+
+ (define (read-file file)
+ (call-with-input-file file read))
+
+ (define references
+ (delete-duplicates
+ (append-map read-file
+ '#$(map references-file
+ (cons program
+ (map file-system-mapping-source
+ mappings))))))
+
+ (define (store? file-system)
+ (string=? (file-system-mount-point file-system)
+ #$(%store-prefix)))
+
+ (define mounts
+ (append (map (lambda (item)
+ (file-system-mapping->bind-mount
+ (file-system-mapping (source item)
+ (target item))))
+ references)
+ (remove store?
+ (default-mounts
+ #:namespaces '#$namespaces))
+ (map spec->file-system
+ '#$(map (compose file-system->spec
+ file-system-mapping->bind-mount)
+ mappings))))
+
+ (define (reify-exit-status status)
+ (cond ((status:exit-val status) => exit)
+ ((or (status:term-sig status)
+ (status:stop-sig status))
+ => (lambda (signal)
+ (format (current-error-port)
+ "~a terminated with signal ~a~%"
+ #$program signal)
+ (exit (+ 128 signal))))))
+
+ ;; Note: 'call-with-container' creates a sub-process that this one
+ ;; waits for. This might seem suboptimal but unshare(2) isn't
+ ;; really applicable: the process would still run in the same PID
+ ;; namespace.
+
+ (reify-exit-status
+ (call-with-container mounts
+ (lambda ()
+ (chdir #$directory)
+ (environ variables)
+ (apply execl #$program #$program (cdr (command-line))))
+
+ ;; Don't assume PROGRAM can behave as an init process.
+ #:child-is-pid1? #f
+
+ #:guest-uid #$guest-uid
+ #:guest-gid #$guest-gid
+ #:namespaces '#$namespaces)))))
+
+ (program-file name code))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:06 GMT) Full text and rfc822 format available.Message #131 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 07/15] services: dicod: Rewrite using 'least-authority-wrapper'. Date: Wed, 27 Apr 2022 18:56:27 +0200
* gnu/services/dict.scm (dicod-shepherd-service): Rewrite using
'least-authority-wrapper' plus 'make-forkexec-constructor' instead of
'make-forkexec-constructor/container'.
---
gnu/services/dict.scm | 51 ++++++++++++++++++++++++-------------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/gnu/services/dict.scm b/gnu/services/dict.scm
index a97ad8f608..62b21f8d53 100644
--- a/gnu/services/dict.scm
+++ b/gnu/services/dict.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016 Sou Bunnbu <iyzsong <at> gmail.com>
-;;; Copyright © 2016, 2017, 2018, 2020 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2016, 2017, 2018, 2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2017 Huang Ying <huang.ying.caritas <at> gmail.com>
;;;
;;; This file is part of GNU Guix.
@@ -22,12 +22,15 @@ (define-module (gnu services dict)
#:use-module (guix gexp)
#:use-module (guix records)
#:use-module (guix modules)
+ #:use-module (guix least-authority)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu system shadow)
#:use-module ((gnu packages admin) #:select (shadow))
#:use-module (gnu packages dico)
#:use-module (gnu packages dictionaries)
+ #:autoload (gnu build linux-container) (%namespaces)
+ #:autoload (gnu system file-systems) (file-system-mapping)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (ice-9 match)
@@ -142,27 +145,31 @@ (define %dicod-activation
(chown rundir (passwd:uid user) (passwd:gid user)))))
(define (dicod-shepherd-service config)
- (let ((dicod (file-append (dicod-configuration-dico config)
- "/bin/dicod"))
- (dicod.conf (dicod-configuration-file config)))
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
- (list (shepherd-service
- (provision '(dicod))
- (requirement '(user-processes))
- (documentation "Run the dicod daemon.")
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$dicod "--foreground"
- (string-append "--config=" #$dicod.conf))
- #:user "dicod" #:group "dicod"
- #:mappings (list (file-system-mapping
- (source "/var/run/dicod")
- (target source)
- (writable? #t)))))
- (stop #~(make-kill-destructor)))))))
+ (let* ((dicod.conf (dicod-configuration-file config))
+ (dicod (least-authority-wrapper
+ (file-append (dicod-configuration-dico config)
+ "/bin/dicod")
+ #:name "dicod"
+ #:mappings (list (file-system-mapping
+ (source "/var/run/dicod")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/dev/log")
+ (target source))
+ (file-system-mapping
+ (source dicod.conf)
+ (target source)))
+ #:namespaces (delq 'net %namespaces))))
+ (list (shepherd-service
+ (provision '(dicod))
+ (requirement '(user-processes))
+ (documentation "Run the dicod daemon.")
+ (start #~(make-forkexec-constructor
+ (list #$dicod "--foreground"
+ (string-append "--config=" #$dicod.conf))
+ #:user "dicod" #:group "dicod"))
+ (stop #~(make-kill-destructor))))))
(define dicod-service-type
(service-type
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:06 GMT) Full text and rfc822 format available.Message #134 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 13/15] services: wesnothd: Use 'least-authority-wrapper'. Date: Wed, 27 Apr 2022 18:56:33 +0200
* gnu/services/games.scm (wesnothd-shepherd-service): Use
'least-authority-wrapper' instead of
'make-forkexec-constructor/container'.
---
gnu/services/games.scm | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/gnu/services/games.scm b/gnu/services/games.scm
index dc0bfbe9dc..6c2af44b49 100644
--- a/gnu/services/games.scm
+++ b/gnu/services/games.scm
@@ -23,6 +23,9 @@ (define-module (gnu services games)
#:use-module (gnu packages admin)
#:use-module (gnu packages games)
#:use-module (gnu system shadow)
+ #:use-module ((gnu system file-systems) #:select (file-system-mapping))
+ #:use-module (gnu build linux-container)
+ #:autoload (guix least-authority) (least-authority-wrapper)
#:use-module (guix gexp)
#:use-module (guix modules)
#:use-module (guix records)
@@ -57,22 +60,20 @@ (define %wesnothd-accounts
(define wesnothd-shepherd-service
(match-lambda
(($ <wesnothd-configuration> package port)
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
+ (let ((wesnothd (least-authority-wrapper
+ (file-append package "/bin/wesnothd")
+ #:name "wesnothd"
+ #:mappings (list (file-system-mapping
+ (source "/var/run/wesnothd")
+ (target source)
+ (writable? #t)))
+ #:namespaces (delq 'net %namespaces))))
(shepherd-service
(documentation "The Battle for Wesnoth server")
(provision '(wesnoth-daemon))
(requirement '(networking))
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$(file-append package "/bin/wesnothd")
- "-p" #$(number->string port))
- #:mappings (list (file-system-mapping
- (source "/var/run/wesnothd")
- (target source)
- (writable? #t)))
+ (start #~(make-forkexec-constructor
+ (list #$wesnothd "-p" #$(number->string port))
#:user "wesnothd" #:group "wesnothd"))
(stop #~(make-kill-destructor)))))))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:07 GMT) Full text and rfc822 format available.Message #137 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 09/15] services: bitlbee: Use 'make-inetd-constructor'. Date: Wed, 27 Apr 2022 18:56:29 +0200
* gnu/services/messaging.scm (bitlbee-shepherd-service): Add call to
'least-authority-wrapper'. In 'start' method, use
'make-inetd-constructor' when available.
* gnu/tests/messaging.scm (run-bitlbee-test)["valid PID"]: Remove test.
---
gnu/services/messaging.scm | 63 ++++++++++++++++++++++++++++----------
gnu/tests/messaging.scm | 21 +------------
2 files changed, 48 insertions(+), 36 deletions(-)
diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm
index 4bceb1d37a..7fdd8cf285 100644
--- a/gnu/services/messaging.scm
+++ b/gnu/services/messaging.scm
@@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017, 2018 Clément Lassieur <clement <at> lassieur.org>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe <at> gmail.com>
-;;; Copyright © 2015, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2015, 2017-2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2018 Pierre-Antoine Rouby <contact <at> parouby.fr>
;;;
;;; This file is part of GNU Guix.
@@ -28,11 +28,14 @@ (define-module (gnu services messaging)
#:use-module (gnu services shepherd)
#:use-module (gnu services configuration)
#:use-module (gnu system shadow)
+ #:autoload (gnu build linux-container) (%namespaces)
+ #:use-module ((gnu system file-systems) #:select (file-system-mapping))
#:use-module (guix gexp)
#:use-module (guix modules)
#:use-module (guix records)
#:use-module (guix packages)
#:use-module (guix deprecation)
+ #:use-module (guix least-authority)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-35)
#:use-module (ice-9 match)
@@ -821,7 +824,18 @@ (define bitlbee-shepherd-service
DaemonInterface = " interface "
DaemonPort = " (number->string port) "
PluginDir = " plugins "/lib/bitlbee
-" extra-settings)))
+" extra-settings))
+ (bitlbee* (least-authority-wrapper
+ (file-append bitlbee "/sbin/bitlbee")
+ #:name "bitlbee"
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/bitlbee")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source conf)
+ (target conf)))
+ #:namespaces (delq 'net %namespaces))))
(with-imported-modules (source-module-closure
'((gnu build shepherd)
@@ -836,20 +850,37 @@ (define bitlbee-shepherd-service
(modules '((gnu build shepherd)
(gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$(file-append bitlbee "/sbin/bitlbee")
- "-n" "-F" "-u" "bitlbee" "-c" #$conf)
-
- ;; Allow 'bitlbee-purple' to use libpurple plugins.
- #:environment-variables
- (list (string-append "PURPLE_PLUGIN_PATH="
- #$plugins "/lib/purple-2"))
-
- #:pid-file "/var/run/bitlbee.pid"
- #:mappings (list (file-system-mapping
- (source "/var/lib/bitlbee")
- (target source)
- (writable? #t)))))
+ (start #~(if (defined? 'make-inetd-constructor)
+
+ (make-inetd-constructor
+ (list #$bitlbee* "-I"
+ "-u" "bitlbee" "-c" #$conf)
+ (addrinfo:addr
+ (car (getaddrinfo #$interface
+ #$(number->string port)
+ (logior AI_NUMERICHOST
+ AI_NUMERICSERV))))
+ #:service-name-stem "bitlbee"
+
+ ;; Allow 'bitlbee-purple' to use libpurple plugins.
+ #:environment-variables
+ (list (string-append "PURPLE_PLUGIN_PATH="
+ #$plugins "/lib/purple-2")))
+
+ (make-forkexec-constructor/container
+ (list #$(file-append bitlbee "/sbin/bitlbee")
+ "-n" "-F" "-u" "bitlbee" "-c" #$conf)
+
+ ;; Allow 'bitlbee-purple' to use libpurple plugins.
+ #:environment-variables
+ (list (string-append "PURPLE_PLUGIN_PATH="
+ #$plugins "/lib/purple-2"))
+
+ #:pid-file "/var/run/bitlbee.pid"
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/bitlbee")
+ (target source)
+ (writable? #t))))))
(stop #~(make-kill-destructor)))))))))
(define %bitlbee-accounts
diff --git a/gnu/tests/messaging.scm b/gnu/tests/messaging.scm
index 202a1c2f73..1e26c0ddea 100644
--- a/gnu/tests/messaging.scm
+++ b/gnu/tests/messaging.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017, 2018 Clément Lassieur <clement <at> lassieur.org>
-;;; Copyright © 2017, 2018, 2021 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2017-2018, 2021-2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2018 Efraim Flashner <efraim <at> flashner.co.il>
;;;
;;; This file is part of GNU Guix.
@@ -198,25 +198,6 @@ (define marionette
(start-service 'bitlbee))
marionette))
- (test-equal "valid PID"
- #$(file-append bitlbee "/sbin/bitlbee")
- (marionette-eval
- '(begin
- (use-modules (srfi srfi-1)
- (gnu services herd))
-
- (let ((bitlbee
- (find (lambda (service)
- (equal? '(bitlbee)
- (live-service-provision service)))
- (current-services))))
- (and (pk 'bitlbee-service bitlbee)
- (let ((pid (live-service-running bitlbee)))
- (readlink (string-append "/proc/"
- (number->string pid)
- "/exe"))))))
- marionette))
-
(test-assert "connect"
(let* ((address (make-socket-address AF_INET INADDR_LOOPBACK
6667))
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:07 GMT) Full text and rfc822 format available.Message #140 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 11/15] services: ipfs: Use 'least-authority-wrapper'. Date: Wed, 27 Apr 2022 18:56:31 +0200
* gnu/services/networking.scm (ipfs-binary): Call
'least-authority-wrapper'.
(%ipfs-home-mapping): Remove surrounding gexp.
(ipfs-shepherd-service)[exec-command]: New procedure.
[ipfs-config-command, set-config!-gexp, shepherd&co]
[container-gexp, container-script]: Remove.
[inner-gexp]: Use 'exec-command'.
---
gnu/services/networking.scm | 123 +++++++++++++++++-------------------
1 file changed, 58 insertions(+), 65 deletions(-)
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index b302be5aaf..4708ade0ca 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2013-2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2015 Mark H Weaver <mhw <at> netris.org>
;;; Copyright © 2016, 2018, 2020 Efraim Flashner <efraim <at> flashner.co.il>
;;; Copyright © 2016 John Darrington <jmd <at> gnu.org>
@@ -43,6 +43,7 @@ (define-module (gnu services networking)
#:use-module (gnu services dbus)
#:use-module (gnu system shadow)
#:use-module (gnu system pam)
+ #:use-module ((gnu system file-systems) #:select (file-system-mapping))
#:use-module (gnu packages admin)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
@@ -59,6 +60,7 @@ (define-module (gnu services networking)
#:use-module (gnu packages gnome)
#:use-module (gnu packages ipfs)
#:use-module (gnu build linux-container)
+ #:autoload (guix least-authority) (least-authority-wrapper)
#:use-module (guix gexp)
#:use-module (guix records)
#:use-module (guix modules)
@@ -2018,13 +2020,20 @@ (define %ipfs-accounts
(system? #t))))
(define (ipfs-binary config)
- (file-append (ipfs-configuration-package config) "/bin/ipfs"))
+ (define command
+ (file-append (ipfs-configuration-package config) "/bin/ipfs"))
+
+ (least-authority-wrapper
+ command
+ #:name "ipfs"
+ #:mappings (list %ipfs-home-mapping)
+ #:namespaces (delq 'net %namespaces)))
(define %ipfs-home-mapping
- #~(file-system-mapping
- (source #$%ipfs-home)
- (target #$%ipfs-home)
- (writable? #t)))
+ (file-system-mapping
+ (source %ipfs-home)
+ (target %ipfs-home)
+ (writable? #t)))
(define %ipfs-environment
#~(list #$(string-append "HOME=" %ipfs-home)))
@@ -2033,82 +2042,66 @@ (define (ipfs-shepherd-service config)
"Return a <shepherd-service> for IPFS with CONFIG."
(define ipfs-daemon-command
#~(list #$(ipfs-binary config) "daemon"))
- (list
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
- (shepherd-service
- (provision '(ipfs))
- ;; While IPFS is most useful when the machine is connected
- ;; to the network, only loopback is required for starting
- ;; the service.
- (requirement '(loopback))
- (documentation "Connect to the IPFS network")
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- #$ipfs-daemon-command
- #:namespaces '#$(fold delq %namespaces '(user net))
- #:mappings (list #$%ipfs-home-mapping)
- #:log-file "/var/log/ipfs.log"
- #:user "ipfs"
- #:group "ipfs"
- #:environment-variables #$%ipfs-environment))
- (stop #~(make-kill-destructor))))))
+
+ (list (shepherd-service
+ (provision '(ipfs))
+ ;; While IPFS is most useful when the machine is connected
+ ;; to the network, only loopback is required for starting
+ ;; the service.
+ (requirement '(loopback))
+ (documentation "Connect to the IPFS network")
+ (start #~(make-forkexec-constructor
+ #$ipfs-daemon-command
+ #:log-file "/var/log/ipfs.log"
+ #:user "ipfs" #:group "ipfs"
+ #:environment-variables #$%ipfs-environment))
+ (stop #~(make-kill-destructor)))))
(define (%ipfs-activation config)
"Return an activation gexp for IPFS with CONFIG"
- (define (ipfs-config-command setting value)
- #~(#$(ipfs-binary config) "config" #$setting #$value))
- (define (set-config!-gexp setting value)
- #~(system* #$@(ipfs-config-command setting value)))
+ (define (exec-command . args)
+ ;; Exec the given ifps command with the right authority.
+ #~(let ((pid (primitive-fork)))
+ (if (zero? pid)
+ (dynamic-wind
+ (const #t)
+ (lambda ()
+ ;; Run ipfs init and ipfs config from a container,
+ ;; in case the IPFS daemon was compromised at some point
+ ;; and ~/.ipfs is now a symlink to somewhere outside
+ ;; %ipfs-home.
+ (let ((pw (getpwnam "ipfs")))
+ (setgroups '#())
+ (setgid (passwd:gid pw))
+ (setuid (passwd:uid pw))
+ (environ #$%ipfs-environment)
+ (execl #$(ipfs-binary config) #$@args)))
+ (lambda ()
+ (primitive-exit 127)))
+ (waitpid pid))))
+
(define settings
`(("Addresses.API" ,(ipfs-configuration-api config))
("Addresses.Gateway" ,(ipfs-configuration-gateway config))))
+
(define inner-gexp
#~(begin
(umask #o077)
;; Create $HOME/.ipfs structure
- (system* #$(ipfs-binary config) "init")
+ #$(exec-command "ipfs" "init")
;; Apply settings
- #$@(map (cute apply set-config!-gexp <>) settings)))
+ #$@(map (match-lambda
+ ((setting value)
+ (exec-command "ipfs" "config" setting value)))
+ settings)))
+
(define inner-script
(program-file "ipfs-activation-inner" inner-gexp))
- (define shepherd&co
- ;; 'make-forkexec-constructor/container' needs version 0.9 for
- ;; #:supplementary-groups.
- (cons shepherd-0.9
- (list (lookup-package-input shepherd-0.9 "guile-fibers"))))
-
- ;; Run ipfs init and ipfs config from a container,
- ;; in case the IPFS daemon was compromised at some point
- ;; and ~/.ipfs is now a symlink to somewhere outside
- ;; %ipfs-home.
- (define container-gexp
- (with-extensions shepherd&co
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
- #~(begin
- (use-modules (gnu build shepherd)
- (gnu system file-systems))
- (let* ((constructor
- (make-forkexec-constructor/container
- (list #$inner-script)
- #:namespaces '#$(fold delq %namespaces '(user))
- #:mappings (list #$%ipfs-home-mapping)
- #:user "ipfs"
- #:group "ipfs"
- #:environment-variables #$%ipfs-environment))
- (pid (constructor)))
- (waitpid pid))))))
;; The activation may happen from the initrd, which uses
;; a statically-linked guile, while the guix container
;; procedures require a working dynamic-link.
- (define container-script
- (program-file "ipfs-activation-container" container-gexp))
- #~(system* #$container-script))
+ #~(system* #$inner-script))
(define ipfs-service-type
(service-type
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:07 GMT) Full text and rfc822 format available.Message #143 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 14/15] services: quassel: Use 'least-authority-wrapper'. Date: Wed, 27 Apr 2022 18:56:34 +0200
* gnu/services/messaging.scm (quassel-shepherd-service): Use
'least-authority-wrapper' instead of
'make-forkexec-constructor/container'.
---
gnu/services/messaging.scm | 42 ++++++++++++++++++++------------------
1 file changed, 22 insertions(+), 20 deletions(-)
diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm
index 7fdd8cf285..05bf6e784b 100644
--- a/gnu/services/messaging.scm
+++ b/gnu/services/messaging.scm
@@ -939,29 +939,31 @@ (define-record-type* <quassel-configuration>
(define quassel-shepherd-service
(match-lambda
(($ <quassel-configuration> quassel interface port loglevel)
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
+ (let ((quassel (least-authority-wrapper
+ (file-append quassel "/bin/quasselcore")
+ #:name "quasselcore"
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/quassel")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/var/log/quassel")
+ (target source)
+ (writable? #t)))
+ ;; XXX: The daemon needs to live in the main user
+ ;; namespace, as root, so it can access /var/lib/quassel
+ ;; owned by "quasselcore".
+ #:namespaces (fold delq %namespaces '(net user)))))
(list (shepherd-service
(provision '(quassel))
(requirement '(user-processes networking))
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$(file-append quassel "/bin/quasselcore")
- "--configdir=/var/lib/quassel"
- "--logfile=/var/log/quassel/core.log"
- (string-append "--loglevel=" #$loglevel)
- (string-append "--port=" (number->string #$port))
- (string-append "--listen=" #$interface))
- #:mappings (list (file-system-mapping
- (source "/var/lib/quassel")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/var/log/quassel")
- (target source)
- (writable? #t)))))
+ (start #~(make-forkexec-constructor
+ (list #$quassel
+ "--configdir=/var/lib/quassel"
+ "--logfile=/var/log/quassel/core.log"
+ (string-append "--loglevel=" #$loglevel)
+ (string-append "--port=" (number->string #$port))
+ (string-append "--listen=" #$interface))))
(stop #~(make-kill-destructor))))))))
(define %quassel-account
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 16:58:08 GMT) Full text and rfc822 format available.Message #146 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997 <at> debbugs.gnu.org Cc: Ludovic Courtès <ludo <at> gnu.org> Subject: [PATCH v2 15/15] services: opendht: Use 'least-authority-wrapper'. Date: Wed, 27 Apr 2022 18:56:35 +0200
* gnu/services/networking.scm (opendht-configuration->command-line-arguments):
Use 'least-authority-wrapper'.
(opendht-shepherd-service): Use 'make-forkexec-constructor'.
---
gnu/services/networking.scm | 40 ++++++++++++++++++++-----------------
1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 4708ade0ca..5873070bdd 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -796,7 +796,19 @@ (define (opendht-configuration->command-line-arguments config)
(match-record config <opendht-configuration>
(opendht bootstrap-host enable-logging? port debug? peer-discovery?
proxy-server-port proxy-server-port-tls)
- (let ((dhtnode #~(string-append #$opendht:tools "/bin/dhtnode")))
+ (let ((dhtnode (least-authority-wrapper
+ ;; XXX: Work around lack of support for multiple outputs
+ ;; in 'file-append'.
+ (computed-file "dhtnode"
+ #~(symlink
+ (string-append #$opendht:tools
+ "/bin/dhtnode")
+ #$output))
+ #:name "dhtnode"
+ #:mappings (list (file-system-mapping
+ (source "/dev/log") ;for syslog
+ (target source)))
+ #:namespaces (delq 'net %namespaces))))
`(,dhtnode
"--service" ;non-forking mode
,@(if (string? bootstrap-host)
@@ -822,23 +834,15 @@ (define (opendht-configuration->command-line-arguments config)
(define (opendht-shepherd-service config)
"Return a <shepherd-service> running OpenDHT."
- (with-imported-modules (source-module-closure
- '((gnu build shepherd)
- (gnu system file-systems)))
- (shepherd-service
- (documentation "Run an OpenDHT node.")
- (provision '(opendht dhtnode dhtproxy))
- (requirement '(networking syslogd))
- (modules '((gnu build shepherd)
- (gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$@(opendht-configuration->command-line-arguments config))
- #:mappings (list (file-system-mapping
- (source "/dev/log") ;for syslog
- (target source)))
- #:user "opendht"
- #:group "opendht"))
- (stop #~(make-kill-destructor)))))
+ (shepherd-service
+ (documentation "Run an OpenDHT node.")
+ (provision '(opendht dhtnode dhtproxy))
+ (requirement '(networking syslogd))
+ (start #~(make-forkexec-constructor
+ (list #$@(opendht-configuration->command-line-arguments config))
+ #:user "opendht"
+ #:group "opendht"))
+ (stop #~(make-kill-destructor))))
(define opendht-service-type
(service-type
--
2.35.1
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Wed, 27 Apr 2022 22:03:02 GMT) Full text and rfc822 format available.Message #149 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxime Devos <maximedevos <at> telenet.be> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Thu, 28 Apr 2022 00:01:54 +0200
[Message part 1 (text/plain, inline)]
Hi, Maxime Devos <maximedevos <at> telenet.be> skribis: > Many of these are supported by 'least-authority-wrapper' but these POLA > wrappers require creating an additional process which seems a bit > unoptimal to me (memory- and latency-wise). Yeah, that’s why I initially looked at unshare(2), just to find out that we can’t quite do the same as with clone(2)—in particular we cannot escape the current PID namespace. (There were also complications, such as the fact that you can only unshare(2) a single-threaded process, meaning that Guile had to be started with GC_MARKERS=1. For posterity, part of the patch I had is attached below.) > Also, having to do fork, waitpid and primitive-fork seems rather low- > level to me, so I prefer moving this code into somewhere like (gnu > build SOMEWHERE) or to keep the old make-forkexec-constructor/container > code. ‘primitive-fork’ and ‘waitpid’ calls are in (gnu build linux-container) right now so I guess we’re fine? The goal though is to replace uses of ‘make-forkexec-constructor/container’ with uses of ‘least-authority-wrapper’, as done in this patch series. Ludo’.
[Message part 2 (text/x-patch, inline)]
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index bdeca2cdb9..308c0bb325 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet <at> gnu.org>
-;;; Copyright © 2017, 2018, 2019 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2017, 2018, 2019, 2022 Ludovic Courtès <ludo <at> gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -21,6 +21,7 @@ (define-module (gnu build linux-container)
#:use-module (ice-9 format)
#:use-module (ice-9 match)
#:use-module (ice-9 rdelim)
+ #:use-module (srfi srfi-1)
#:use-module (srfi srfi-98)
#:use-module (guix build utils)
#:use-module (guix build syscalls)
@@ -33,7 +34,8 @@ (define-module (gnu build linux-container)
run-container
call-with-container
container-excursion
- container-excursion*))
+ container-excursion*
+ self-sever))
(define (user-namespace-supported?)
"Return #t if user namespaces are supported on this system."
@@ -174,50 +176,53 @@ (define* (mount* source target type #:optional (flags 0) options
(chmod "/" #o755)))
(define* (initialize-user-namespace pid host-uids
- #:key (guest-uid 0) (guest-gid 0))
+ #:key (guest-uid 0) (guest-gid 0)
+ (uid (getuid)) (gid (getgid)))
"Configure the user namespace for PID. HOST-UIDS specifies the number of
host user identifiers to map into the user namespace. GUEST-UID and GUEST-GID
specify the first UID (respectively GID) that host UIDs (respectively GIDs)
map to in the namespace."
(define proc-dir
- (string-append "/proc/" (number->string pid)))
+ (string-append "/proc/"
+ (match pid
+ ('self "self")
+ (_ (number->string pid)))))
(define (scope file)
(string-append proc-dir file))
- (let ((uid (getuid))
- (gid (getgid)))
-
- ;; Only root can write to the gid map without first disabling the
- ;; setgroups syscall.
- (unless (and (zero? uid) (zero? gid))
- (call-with-output-file (scope "/setgroups")
- (lambda (port)
- (display "deny" port))))
-
- ;; Map the user/group that created the container to the root user
- ;; within the container.
- (call-with-output-file (scope "/uid_map")
+ ;; Only root can write to the gid map without first disabling the
+ ;; setgroups syscall.
+ (unless (and (zero? uid) (zero? gid))
+ (call-with-output-file (scope "/setgroups")
(lambda (port)
- (format port "~d ~d ~d" guest-uid uid host-uids)))
- (call-with-output-file (scope "/gid_map")
- (lambda (port)
- (format port "~d ~d ~d" guest-gid gid host-uids)))))
+ (display "deny" port))))
+
+ ;; Map the user/group that created the container to the root user
+ ;; within the container.
+ (call-with-output-file (scope "/uid_map")
+ (lambda (port)
+ (format port "~d ~d ~d" guest-uid uid host-uids)))
+ (call-with-output-file (scope "/gid_map")
+ (lambda (port)
+ (format port "~d ~d ~d" guest-gid gid host-uids))))
(define (namespaces->bit-mask namespaces)
"Return the number suitable for the 'flags' argument of 'clone' that
corresponds to the symbols in NAMESPACES."
;; Use the same flags as fork(3) in addition to the namespace flags.
- (apply logior SIGCHLD
- (map (match-lambda
- ('cgroup CLONE_NEWCGROUP)
- ('mnt CLONE_NEWNS)
- ('uts CLONE_NEWUTS)
- ('ipc CLONE_NEWIPC)
- ('user CLONE_NEWUSER)
- ('pid CLONE_NEWPID)
- ('net CLONE_NEWNET))
- namespaces)))
+ (fold (lambda (namespace flags)
+ (logior flags
+ (match namespace
+ ('cgroup CLONE_NEWCGROUP)
+ ('mnt CLONE_NEWNS)
+ ('uts CLONE_NEWUTS)
+ ('ipc CLONE_NEWIPC)
+ ('user CLONE_NEWUSER)
+ ('pid CLONE_NEWPID)
+ ('net CLONE_NEWNET))))
+ 0
+ namespaces))
(define* (run-container root mounts namespaces host-uids thunk
#:key (guest-uid 0) (guest-gid 0))
@@ -236,7 +241,7 @@ (define* (run-container root mounts namespaces host-uids thunk
(match (socketpair PF_UNIX SOCK_STREAM 0)
((child . parent)
(let ((flags (namespaces->bit-mask namespaces)))
- (match (clone flags)
+ (match (clone (logior SIGCHLD flags))
(0
(call-with-clean-exit
(lambda ()
@@ -392,3 +397,23 @@ (define (container-excursion* pid thunk)
(close-port out)
(close-port in)
#f)))))
+
+(define* (self-sever mounts
+ #:key (namespaces %namespaces) (host-uids 1)
+ (guest-uid 0) (guest-gid 0))
+ (let ((uid (getuid))
+ (gid (getgid)))
+ (unshare (namespaces->bit-mask namespaces))
+
+ (initialize-user-namespace 'self host-uids
+ #:uid uid #:gid gid
+ #:guest-uid uid
+ #:guest-gid guest-gid)
+
+ (when (memq 'mnt namespaces)
+ ;; (mount "none" "/" #f (logior MS_REC MS_PRIVATE))
+ (call-with-temporary-directory
+ (lambda (root)
+ (mount-file-systems root mounts
+ #:mount-/proc? (memq 'pid namespaces)
+ #:mount-/sys? (memq 'net namespaces)))))))
diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm
index a7401fd73f..5ee6bd1229 100644
--- a/guix/build/syscalls.scm
+++ b/guix/build/syscalls.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2014-2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2015 David Thompson <davet <at> gnu.org>
;;; Copyright © 2015 Mark H Weaver <mhw <at> netris.org>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe <at> gmail.com>
@@ -49,6 +49,11 @@ (define-module (guix build syscalls)
MS_RELATIME
MS_BIND
MS_MOVE
+ MS_REC
+ MS_SILENT
+ MS_POSIXACL
+ MS_UNBINDABLE
+ MS_PRIVATE
MS_LAZYTIME
MNT_FORCE
MNT_DETACH
@@ -140,6 +145,7 @@ (define-module (guix build syscalls)
CLONE_NEWPID
CLONE_NEWNET
clone
+ unshare
setns
PF_PACKET
@@ -537,6 +543,11 @@ (define MS_REMOUNT 32)
(define MS_NOATIME 1024)
(define MS_BIND 4096)
(define MS_MOVE 8192)
+(define MS_REC 16384)
+(define MS_SILENT 32768)
+(define MS_POSIXACL 65536)
+(define MS_UNBINDABLE 131072)
+(define MS_PRIVATE 262144)
(define MS_RELATIME 2097152)
(define MS_STRICTATIME 16777216)
(define MS_LAZYTIME 33554432)
@@ -1101,6 +1112,23 @@ (define clone
(list err))
ret)))))
+(define unshare
+ (let ((proc (syscall->procedure int "unshare" (list int))))
+ (lambda (flags)
+ "Disassociate the current process from parts of its execution context
+according to FLAGS, which must be a logical or of CLONE_NEW* constants.
+
+Note that CLONE_NEWUSER requires that the calling process be single-threaded,
+which is possible if and only if libgc is running a single marker thread; this
+can be achieved by setting the GC_MARKERS environment variable to 1. If the
+calling process is multi-threaded, this throws to 'system-error' with EINVAL."
+ (let-values (((ret err)
+ (without-automatic-finalization (proc flags))))
+ (unless (zero? ret)
+ (throw 'system-error "unshare" "~a: ~A"
+ (list flags (strerror err))
+ err))))))
+
(define setns
;; Some systems may be using an old (pre-2.14) version of glibc where there
;; is no 'setns' function available.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Thu, 28 Apr 2022 11:30:02 GMT) Full text and rfc822 format available.Message #152 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Thu, 28 Apr 2022 13:29:39 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op do 28-04-2022 om 00:01 [+0200]: > > Also, having to do fork, waitpid and primitive-fork seems rather > > low-level to me, so I prefer moving this code into somewhere like > > (gnu build SOMEWHERE) or to keep the old make-forkexec- > > constructor/container code. > > ‘primitive-fork’ and ‘waitpid’ calls are in (gnu build linux- > container) > right now so I guess we’re fine? Their use in (gnu build linux-container) seems fine to me, but their use in %ipfs-activation doesn't: > + #~(let ((pid (primitive-fork))) > + (if (zero? pid) > + (dynamic-wind > + (const #t) > + (lambda () > + [...] (execl #$(ipfs-binary config) #$@args))) > + (lambda () > + (primitive-exit 127))) Greetings, Maxime.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Thu, 28 Apr 2022 19:26:02 GMT) Full text and rfc822 format available.Message #155 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxime Devos <maximedevos <at> telenet.be> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Thu, 28 Apr 2022 21:25:17 +0200
Hi Maxime, Maxime Devos <maximedevos <at> telenet.be> skribis: > Ludovic Courtès schreef op do 28-04-2022 om 00:01 [+0200]: >> > Also, having to do fork, waitpid and primitive-fork seems rather >> > low-level to me, so I prefer moving this code into somewhere like >> > (gnu build SOMEWHERE) or to keep the old make-forkexec- >> > constructor/container code. >> >> ‘primitive-fork’ and ‘waitpid’ calls are in (gnu build linux- >> container) >> right now so I guess we’re fine? > > Their use in (gnu build linux-container) seems fine to me, but their > use in %ipfs-activation doesn't: > >> + #~(let ((pid (primitive-fork))) >> + (if (zero? pid) >> + (dynamic-wind >> + (const #t) >> + (lambda () >> + [...] (execl #$(ipfs-binary config) #$@args))) >> + (lambda () >> + (primitive-exit 127))) Oh I see, and I agree. Now, to be fair, this patch deletes more lines than it adds: > * gnu/services/networking.scm (ipfs-binary): Call > 'least-authority-wrapper'. > (%ipfs-home-mapping): Remove surrounding gexp. > (ipfs-shepherd-service)[exec-command]: New procedure. > [ipfs-config-command, set-config!-gexp, shepherd&co] > [container-gexp, container-script]: Remove. > [inner-gexp]: Use 'exec-command'. > --- > gnu/services/networking.scm | 123 +++++++++++++++++------------------- > 1 file changed, 58 insertions(+), 65 deletions(-) The previous code abused ‘make-forkexec-constructor/container’ as a way to spawn processes during activation, which wasn’t great either IMO. So yes, I agree there’s room for improvement here and that this calls for some kind of ‘system*’ interface, if the need is common enough. But! I don’t think this is a blocker for the whole series. WDYT? :-) Thanks, Ludo’.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Thu, 28 Apr 2022 19:53:02 GMT) Full text and rfc822 format available.Message #158 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Thu, 28 Apr 2022 21:52:14 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op do 28-04-2022 om 21:25 [+0200]: > The previous code abused ‘make-forkexec-constructor/container’ as a way > to spawn processes during activation, which wasn’t great either IMO. > > So yes, I agree there’s room for improvement here and that this calls > for some kind of ‘system*’ interface, if the need is common enough. > But! I don’t think this is a blocker for the whole series. > > WDYT? :-) Agreed that it's not a blocker, but next I have to write something similar, I think I'll then propose some kind of variant of system*. I guess I'm personally more inclined than you to write abstractions that only have a single use. Greetings, Maxime.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Fri, 29 Apr 2022 03:52:02 GMT) Full text and rfc822 format available.Message #161 received at 54997 <at> debbugs.gnu.org (full text, mbox):
From: Thiago Jung Bauermann <bauermann <at> kolabnow.com> To: Ludovic Courtès <ludo <at> gnu.org> Cc: 54997 <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Fri, 29 Apr 2022 00:43:59 -0300
Hi Ludo! Ludovic Courtès <ludo <at> gnu.org> writes: > Thiago Jung Bauermann <bauermann <at> kolabnow.com> skribis: >> So to avoid an accumulation of zombie processes and other signal-related >> problems, I suggest adding a “(init-program ,tini)” parameter to >> ‘least-authority-wrapper’ and executing ‘program’ as a subprocess of >> ‘tini’ or whatever was passed as the #:init-program (perhaps #f could >> mean running ‘program’ directly as PID 1). > > Hmm yes. It’s not great that the choice is between ‘unshare’—efficient > but the process lives in the parent PID namespace—and ‘clone’—but then > you have to fork twice. Yeah, the signals part of the Unix design isn't great. > But yeah, you’re right. I’ll try what you suggest and send a v2. Thank you for making these changes! I had a look at v2 and it looks great. >> I mention this because I'm currently dealing with a problem that has >> exactly this root cause: I'm working on updating the public-inbox >> package to the latest version, and the testsuite is failing because it >> tests that lei's daemon process is correctly terminated. But that >> doesn't work because “guix build” doesn't use a proper init program as >> PID 1 and thus the daemon process goes to zombie state and the testsuite >> thinks that it didn't go away. I'm hoping to send a patch to fix that >> issue. > > Now that you mention it, this was discussed before: > > https://issues.guix.gnu.org/30948 > > I think we should do something about it in gnu-build-system.scm. Nice! Thank you for the link. The discussion there was very informative. I'll try to implement your idea of adding a new build phase to install the appropriate signal handlers. Probably even steal your child reaping code from the v2 patches. > Thanks for your feedback! Thank you for taking it into account! -- Thanks Thiago
Ludovic Courtès <ludo <at> gnu.org>:Ludovic Courtès <ludo <at> gnu.org>:Message #166 received at 54997-done <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 54997-done <at> debbugs.gnu.org Cc: Maxime Devos <maximedevos <at> telenet.be>, Thiago Jung Bauermann <bauermann <at> kolabnow.com> Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Sun, 01 May 2022 22:16:27 +0200
Ludovic Courtès <ludo <at> gnu.org> skribis: > gexp: Add 'references-file'. > file-systems: Avoid load-time warnings when attempting to load (guix > store). > linux-container: 'call-with-container' relays SIGTERM and SIGINT. > linux-container: Ensure signal-handling asyncs get a chance to run. > linux-container: Add #:child-is-pid1? parameter to > 'call-with-container'. > Add (guix least-authority). > services: dicod: Rewrite using 'least-authority-wrapper'. > services: dicod: Use 'make-inetd-constructor'. > services: bitlbee: Use 'make-inetd-constructor'. > services: ipfs: Adjust for Shepherd 0.9. > services: ipfs: Use 'least-authority-wrapper'. > services: wesnothd: Grant write access to /var/run/wesnothd. > services: wesnothd: Use 'least-authority-wrapper'. > services: quassel: Use 'least-authority-wrapper'. > services: opendht: Use 'least-authority-wrapper'. Pushed as fee06d5aaa71a965ea0bc06c1ff15c138a8bb2c8, thanks again for reviewing! Ludo’.
guix-patches <at> gnu.org:bug#54997; Package guix-patches.
(Mon, 02 May 2022 04:26:01 GMT) Full text and rfc822 format available.Message #169 received at 54997-done <at> debbugs.gnu.org (full text, mbox):
From: Thiago Jung Bauermann <bauermann <at> kolabnow.com> To: Ludovic Courtès <ludo <at> gnu.org> Cc: Maxime Devos <maximedevos <at> telenet.be>, 54997-done <at> debbugs.gnu.org Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper Date: Mon, 02 May 2022 01:25:02 -0300
Ludovic Courtès <ludo <at> gnu.org> writes: > Ludovic Courtès <ludo <at> gnu.org> skribis: > >> gexp: Add 'references-file'. >> file-systems: Avoid load-time warnings when attempting to load (guix >> store). >> linux-container: 'call-with-container' relays SIGTERM and SIGINT. >> linux-container: Ensure signal-handling asyncs get a chance to run. >> linux-container: Add #:child-is-pid1? parameter to >> 'call-with-container'. >> Add (guix least-authority). >> services: dicod: Rewrite using 'least-authority-wrapper'. >> services: dicod: Use 'make-inetd-constructor'. >> services: bitlbee: Use 'make-inetd-constructor'. >> services: ipfs: Adjust for Shepherd 0.9. >> services: ipfs: Use 'least-authority-wrapper'. >> services: wesnothd: Grant write access to /var/run/wesnothd. >> services: wesnothd: Use 'least-authority-wrapper'. >> services: quassel: Use 'least-authority-wrapper'. >> services: opendht: Use 'least-authority-wrapper'. > > Pushed as fee06d5aaa71a965ea0bc06c1ff15c138a8bb2c8, thanks again for > reviewing! That's great! Thank you for addressing the PID 1 issue! -- Thanks Thiago
Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Mon, 30 May 2022 11:24:10 GMT) Full text and rfc822 format available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.