[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#54997] [PATCH 00/12] Add "least authority" program wrapper
|
From: |
Ludovic Courtès |
|
Subject: |
[bug#54997] [PATCH 00/12] Add "least authority" program wrapper |
|
Date: |
Tue, 26 Apr 2022 22:22:42 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Hi Maxime,
Maxime Devos <maximedevos@telenet.be> skribis:
> Ludovic Courtès schreef op zo 17-04-2022 om 23:01 [+0200]:
>> Hello Guix!
>>
>> So we have this fancy ‘make-forkexec-constructor/container’ thing
>> to spawn Shepherd services in a container:
>>
>> https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/
>>
>> It’s nice, but it doesn’t compose. What if you want an inetd-style
>> service *and* have it run in a container? We certainly don’t want to
>> end up defining ‘make-inetd-constructor/container’ and so on.
>
> Currently, it doesn't compose, but can it be made composable?
> More concretely, maybe there could be a set of ‘process procedures’
> implementable by record types:
>
> ;; Inspired by <https://docs.racket-lang.org/reference/subprocess.html>,
> ;; with some differences
> (define (subprocess-start/separate process) ...) ; run it in a separate
> process
> (define (subprocess-start/replace process) ...) ; run it with 'exec'
> (define (subprocess-kill process) ...)
> (define (subprocess-wait process) ...)
> (define (subprocess-status process) ...)
>
> ;; Basic process constructor, doesn't do containers
> (define (command-process ...) ...)
>
> ;; Container
> (define (contain inner #:key container-stuff ...)
> subprocess-start/separate: (run-container ... (lambda ()
> (subprocess-start/replace inner)))
> other procedures ...
> return the record)
>
> Then make-inetd-constructor could be changed to accept a lambda producing
> 'subprocess' records. By passing it a subprocess wrapped by 'contain', it
> would
> automatically support container things:
>
> (define (make-inetd-constructor/container-command command* ...)
> (make-inetd-constructor (lambda () (contain (command-process comand*)))
> ...))
A (sub)process abstraction could be useful, indeed.
But like you write, we’d need further changes in shepherd itself, which
makes it less appealing IMO. I like that the “POLA wrapper” allows us
to deal with this aspect in a fairly orthogonal fashion.
Thanks!
Ludo’.
- [bug#54997] [PATCH 09/12] services: ipfs: Use 'least-authority-wrapper'., (continued)
- [bug#54997] [PATCH 09/12] services: ipfs: Use 'least-authority-wrapper'., Maxime Devos, 2022/04/18
- [bug#54997] [PATCH 00/12] Add "least authority" program wrapper, Ludovic Courtès, 2022/04/19
- [bug#54997] [PATCH 00/12] Add "least authority" program wrapper, Maxime Devos, 2022/04/22
- [bug#54997] [PATCH 00/12] Add "least authority" program wrapper, Ludovic Courtès, 2022/04/27
- [bug#54997] [PATCH 00/12] Add "least authority" program wrapper, Maxime Devos, 2022/04/28
- [bug#54997] [PATCH 00/12] Add "least authority" program wrapper, Ludovic Courtès, 2022/04/28
- [bug#54997] [PATCH 00/12] Add "least authority" program wrapper, Maxime Devos, 2022/04/28
[bug#54997] [PATCH 01/12] gexp: Add 'references-file'., Thiago Jung Bauermann, 2022/04/22
[bug#54997] [PATCH 00/12] Add "least authority" program wrapper, Maxime Devos, 2022/04/22
- [bug#54997] [PATCH 00/12] Add "least authority" program wrapper,
Ludovic Courtès <=