
[bug#60788] [PATCH v2] services: vnstat: Use least-authority-wrapper.


From: Bruno Victal
Subject: [bug#60788] [PATCH v2] services: vnstat: Use least-authority-wrapper.
Date: Wed, 18 Jan 2023 00:37:11 +0000

* gnu/services/monitoring.scm (vnstat-shepherd-service): Use
least-authority-wrapper.
---

This patch SHOULD NOT be applied: it is a WIP patch using least-authority-wrapper,
and it doesn't seem to work (at least when launched within a VM).
I leave it here in case anyone interested wants to dig in further.


 gnu/services/monitoring.scm | 42 ++++++++++++++++++++++++++++++-------
 1 file changed, 34 insertions(+), 8 deletions(-)

diff --git a/gnu/services/monitoring.scm b/gnu/services/monitoring.scm
index 78fc49da5c..c9e4f85701 100644
--- a/gnu/services/monitoring.scm
+++ b/gnu/services/monitoring.scm
@@ -29,6 +29,9 @@ (define-module (gnu services monitoring)
   #:use-module (gnu packages monitoring)
   #:use-module (gnu packages networking)
   #:use-module (gnu system shadow)
+  #:use-module ((gnu system file-systems) #:select (file-system-mapping))
+  #:use-module (gnu build linux-container)
+  #:autoload   (guix least-authority) (least-authority-wrapper)
   #:use-module (guix gexp)
   #:use-module (guix packages)
   #:use-module (guix records)
@@ -448,7 +451,7 @@ (define-configuration vnstat-configuration
 @var{save-interval}..@samp{60}")
 
   (pid-file
-   (maybe-string "/var/run/vnstatd.pid")
+   (maybe-string "/var/run/vnstatd/vnstatd.pid")
    "\
 Specify pid file path and name to be used.")
 
@@ -558,17 +561,40 @@ (define (vnstat-serialize-configuration config)
    (serialize-configuration config vnstat-configuration-fields)))
 
 (define (vnstat-shepherd-service config)
-  (let ((config-file (vnstat-serialize-configuration config)))
-    (match-record config <vnstat-configuration> (package pid-file)
+  (match-record config <vnstat-configuration> (package database-dir pid-file 
use-logging)
+    (let* ((config-file (vnstat-serialize-configuration config))
+           (vnstatd (least-authority-wrapper
+                     (file-append package "/sbin/vnstatd")
+                     #:name "vnstatd"
+                     #:mappings (append (if (eqv? use-logging 2)
+                                            (list (file-system-mapping
+                                                   (source "/dev/log") ; for 
syslog
+                                                   (target source)))
+                                            '())
+                                        (list (file-system-mapping
+                                               (source database-dir)
+                                               (target source)
+                                               (writable? #t))
+                                              (file-system-mapping
+                                               (source (dirname pid-file))
+                                               (target source)
+                                               (writable? #t))
+                                              (file-system-mapping
+                                               (source config-file)
+                                               (target source))))
+                     #:namespaces (delq 'net %namespaces))))
       (shepherd-service
        (documentation "Run vnstatd.")
        (requirement `(networking))
        (provision '(vnstatd))
-       (start #~(make-forkexec-constructor
-                 (list #$(file-append package "/sbin/vnstatd")
-                       "--daemon"
-                       "--config" #$config-file)
-                 #:pid-file #$pid-file))
+       (start #~(begin
+                  (mkdir-p #$database-dir)
+                  (mkdir-p (dirname #$pid-file))
+                  (make-forkexec-constructor
+                   (list #$vnstatd
+                         "--daemon"
+                         "--config" #$config-file)
+                   #:pid-file #$pid-file)))
        (stop #~(make-kill-destructor))
        (actions
         (list (shepherd-configuration-action config-file)
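Review bot: The wrapper keeps the `pid` namespace (`(delq 'net %namespaces)` removes only `net`), yet the service still starts vnstatd with `"--daemon"` and tracks it through `#:pid-file`. The PID vnstatd writes is then presumably the one it has inside the container, which will not match the host PID shepherd monitors; this may be why the service fails to start. Running it in the foreground keeps the PID isolation: replace `"--daemon"` with `"--nodaemon"` and drop `#:pid-file #$pid-file`. That also removes the need for the writable `(dirname pid-file)` mapping, which would expose all of /var/run to the container for any configuration still using the old `/var/run/vnstatd.pid`, and would likely fail when the `maybe-string` field is left unset. The `shepherd-service` form continues past the end of this hunk.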
-- 
2.38.1





