guix-patches

[bug#54997] [PATCH 00/12] Add "least authority" program wrapper


From: Ludovic Courtès
Subject: [bug#54997] [PATCH 00/12] Add "least authority" program wrapper
Date: Sun, 17 Apr 2022 23:01:07 +0200

Hello Guix!

So we have this fancy ‘make-forkexec-constructor/container’ thing
to spawn Shepherd services in a container:

  https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/

It’s nice, but it doesn’t compose.  What if you want an inetd-style
service *and* have it run in a container?  We certainly don’t want to
end up defining ‘make-inetd-constructor/container’ and so on.

Instead, the new (guix least-authority) module provides a way to
create “least-authority wrappers” for a given program: the wrapper
forks[*] a process that lives in separate namespaces, with
‘call-with-container’, sets up bind mounts and everything in the child,
and executes the program in that environment.  ([*] I considered
using unshare(2) instead of forking but that doesn’t quite work,
notably because the process itself would remain in the same PID
namespace as its parent.)

Subsequent patches change most, but not all, users of
‘make-forkexec-constructor/container’ to ‘least-authority-wrapper’.

One situation where ‘make-forkexec-constructor/container’ cannot be
replaced yet is when we rely on #:pid-file, as is the case for Tor
(‘make-forkexec-constructor/container’ goes to great lengths to read
PID files in the container and be happy with a PID that is only
valid within that namespace.)  The remaining users are Jami and
Pagekite; that is left as an exercise to the reader.  :-)

I have plans to use ‘least-authority-wrapper’ in other contexts, in
particular as the basis of a new package transformation option.

Thoughts?

Ludo’.

Ludovic Courtès (12):
  gexp: Add 'references-file'.
  file-systems: Avoid load-time warnings when attempting to load (guix
    store).
  linux-container: 'call-with-container' relays SIGTERM and SIGINT.
  Add (guix least-authority).
  services: dicod: Rewrite using 'least-authority-wrapper'.
  services: dicod: Use 'make-inetd-constructor'.
  services: bitlbee: Use 'make-inetd-constructor'.
  services: ipfs: Adjust for Shepherd 0.9.
  services: ipfs: Use 'least-authority-wrapper'.
  services: wesnothd: Grant write access to /var/run/wesnothd.
  services: wesnothd: Use 'least-authority-wrapper'.
  services: quassel: Use 'least-authority-wrapper'.

 Makefile.am                   |   1 +
 gnu/build/linux-container.scm |  15 ++--
 gnu/build/shepherd.scm        |   3 +-
 gnu/services/base.scm         |  22 ------
 gnu/services/dict.scm         |  61 ++++++++++------
 gnu/services/games.scm        |  33 +++++++--
 gnu/services/messaging.scm    | 105 +++++++++++++++++----------
 gnu/services/networking.scm   | 118 +++++++++++++++---------------
 gnu/system/file-systems.scm   |   5 +-
 gnu/tests/messaging.scm       |  21 +-----
 guix/gexp.scm                 |  43 +++++++++++
 guix/least-authority.scm      | 131 ++++++++++++++++++++++++++++++++++
 tests/gexp.scm                |  18 +++++
 13 files changed, 403 insertions(+), 173 deletions(-)
 create mode 100644 guix/least-authority.scm


base-commit: 950f3e4f98add14f645dc4c9f8c512cac7b8a779
-- 
2.35.1
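
The footnote's point about unshare(2), as an added C example that is not part of the original message or of Guix: after unshare(CLONE_NEWPID) the caller keeps its own PID namespace and only its next child becomes PID 1 of the new one, which is why a wrapper has to fork. The names `helper` and `unshare_pid_probe` are hypothetical, and pairing CLONE_NEWUSER with CLONE_NEWPID so the probe can run unprivileged is an assumption of this example.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in a throwaway helper process so the caller's namespaces are untouched.
   Exit status: 0 = behaviour matches the footnote, 1 = it does not,
   2 = namespaces cannot be created here (disabled or filtered). */
static void helper(void)
{
    pid_t before = getpid();
    /* Assumption: CLONE_NEWUSER is added so no privileges are needed. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) != 0)
        _exit(2);
    /* The caller is NOT moved: it keeps its PID in the parent's namespace. */
    int caller_unchanged = (getpid() == before);

    pid_t child = fork();      /* first child becomes PID 1 of the new namespace */
    if (child < 0)
        _exit(2);
    if (child == 0)
        _exit(getpid() == 1 ? 0 : 1);
    int status;
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status))
        _exit(1);
    _exit(caller_unchanged && WEXITSTATUS(status) == 0 ? 0 : 1);
}

/* Returns 1 if only the forked child entered the new PID namespace,
   0 if it behaved otherwise, -1 if the probe could not create namespaces. */
int unshare_pid_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        helper();              /* never returns */
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)
        || WEXITSTATUS(status) == 2)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    printf("probe result: %d\n", unshare_pid_probe());
    return 0;
}
```

A result of -1 means the kernel or a seccomp filter refused to create the namespaces, not that the behaviour differs.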





