From: Efraim Flashner
To: guix-patches@gnu.org
Subject: [bug#31894] Containerize openntpd service
Date: Tue, 19 Jun 2018 12:31:55 +0300
Message-ID: <20180619093155.GA1200@macbook41>

I tested this patch with the included vm image, using the following
script. After logging in, 'ntpctl -s all' shows openntpd connecting to
the ntp servers and updating the time.

/.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Attachment: 0001-services-openntpd-Containerize-openntpd-service.patch

From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Tue, 19 Jun 2018 12:24:47 +0300
Subject: [PATCH] services: openntpd: Containerize openntpd service.
* gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to 'configure-flags and adjust the 'localstatedir' flag. * gnu/services/networking.scm (openntpd-shepherd-service): Change the start-service command to run in a container, expose '/var/log/openntpd' and '/var/lib/openntpd' to the container. (openntpd-service-activation): Adjust directories for the changes above. --- gnu/packages/ntp.scm | 3 +- gnu/services/networking.scm | 58 ++++++++++++++++++++++++------------- 2 files changed, 40 insertions(+), 21 deletions(-) diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm index e9ae9fa46..2c202b400 100644 --- a/gnu/packages/ntp.scm +++ b/gnu/packages/ntp.scm @@ -109,7 +109,8 @@ computers over a network.") (build-system gnu-build-system) (arguments '(#:configure-flags '("--with-privsep-user=3Dntpd" - "--localstatedir=3D/var") + "--with-privsep-path=3D/var/lib/openntpd" + "--localstatedir=3D/var/lib/openntpd") #:phases (modify-phases %standard-phases (add-after 'unpack 'modify-install-locations diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index d5d0cf9d1..100a18e7c 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm 
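Review bot: in the ntp.scm hunk, --with-privsep-path and --localstatedir now point at the same directory, /var/lib/openntpd, so the chroot for the unprivileged ntpd process becomes the directory that also holds the drift file (db/) and the control socket (run/), instead of the default /var/empty that the old flags left in place. A privsep chroot should be an empty, root-owned directory with nothing for the unprivileged child to read; consider a separate directory for --with-privsep-path (for example /var/lib/openntpd/empty, a constructed name) and keep --localstatedir for the state files.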
@@ -428,22 +428,39 @@ make an initial adjustment of more than 1,000 seconds= =2E" (define ntpd.conf (plain-file "ntpd.conf" config)) =20 - (list (shepherd-service - (provision '(ntpd)) - (documentation "Run the Network Time Protocol (NTP) daemon.") - (requirement '(user-processes networking)) - (start #~(make-forkexec-constructor - (list (string-append #$openntpd "/sbin/ntpd") - "-f" #$ntpd.conf - "-d" ;; don't daemonize - #$@(if allow-large-adjustment? - '("-s") - '())) - ;; When ntpd is daemonized it repeatedly tries to= respawn - ;; while running, leading shepherd to disable it.= To - ;; prevent spamming stderr, redirect output to lo= gfile. - #:log-file "/var/log/ntpd")) - (stop #~(make-kill-destructor))))))) + (with-imported-modules (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + (list (shepherd-service + (provision '(ntpd)) + (documentation "Run the Network Time Protocol (NTP) daemon= =2E") + (requirement '(user-processes networking)) + (modules '((gnu build shepherd) + (gnu system file-systems))) + (start #~(make-forkexec-constructor/container + (list (string-append #$openntpd "/sbin/ntpd") + "-f" #$ntpd.conf + "-d" ;; don't daemonize + #$@(if allow-large-adjustment? + '("-s") + '())) + #:mappings (list (file-system-mapping + (source "/var/lib/openntpd") + (target source) + (writable? #t)) + (file-system-mapping + (source "/var/log/openntpd") + (target "/var/log") + (writable? #t)) + ;; For the privsep ntpd user. + (file-system-mapping + (source "/var/lib/openntpd") + (target "/var/empty"))) + ;; When ntpd is daemonized it repeatedly tries = to respawn + ;; while running, leading shepherd to disable i= t. To + ;; prevent spamming stderr, redirect output to = logfile. + #:log-file "/var/log/ntpd")) + (stop #~(make-kill-destructor)))))))) =20 (define (openntpd-service-activation config) "Return the activation gexp for CONFIG." 
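Review bot: the privsep mapping in this hunk is ambiguous: the ntp.scm hunk sets --with-privsep-path=/var/lib/openntpd, yet the third file-system-mapping exposes that same host directory read-only at /var/empty "for the privsep ntpd user", so the code does not make clear which of the two paths ntpd chroots into, and either way the unprivileged child ends up in a chroot that contains the drift file and control socket rather than an empty directory. Suggest mapping a dedicated empty directory for the privsep chroot and adding a comment stating which path the privsep code actually uses. Separately, the comment kept above #:log-file still describes the daemonized case, while the command passes -d and stays in the foreground, so the respawn explanation no longer matches the code it annotates.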
@@ -451,10 +468,11 @@ make an initial adjustment of more than 1,000 seconds= =2E" #~(begin (use-modules (guix build utils)) =20 - (mkdir-p "/var/db") - (mkdir-p "/var/run") - (unless (file-exists? "/var/db/ntpd.drift") - (with-output-to-file "/var/db/ntpd.drift" + (mkdir-p "/var/lib/openntpd/db") + (mkdir-p "/var/lib/openntpd/run") + (mkdir-p "/var/log/openntpd") + (unless (file-exists? "/var/lib/openntpd/db/ntpd.drift") + (with-output-to-file "/var/lib/openntpd/db/ntpd.drift" (lambda _ (format #t "0.0"))))))) =20
-- 
2.17.1

Attachment: vm-image.scm

;;; This is an operating system configuration template for a "bare-bones" setup,
;;; suitable for booting in a virtualized environment, including virtual private
;;; servers (VPS).

(use-modules (gnu))
(use-package-modules bootloaders disk nvi)
(use-service-modules networking)

(define vm-image-motd (plain-file "motd" "
This is the GNU system.  Welcome!

This instance of GuixSD is a bare-bones template for virtualized environments.

You will probably want to do these things first if you booted in a virtual
private server (VPS):

* Set a password for 'root'.
* Set up networking.
* Expand the root partition to fill the space available by 0) deleting
and recreating the partition with fdisk, 1) reloading the partition table
with partprobe, and then 2) resizing the filesystem with resize2fs.\n"))

(operating-system
  (host-name "gnu")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  ;; Assuming /dev/sdX is the target hard disk, and "my-root" is
  ;; the label of the target root file system.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")
               (terminal-outputs '(console))))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  ;; This is where user accounts are specified.  The "root"
  ;; account is implicit, and is initially created with the
  ;; empty password.
  (users %base-user-accounts)

  ;; Globally-installed packages.
  (packages (cons* nvi fdisk grub   ; mostly so xrefs to its manual work
                   parted           ; partprobe
                   %base-packages))

  (services (cons* (service connman-service-type)
                   (service wpa-supplicant-service-type)
                   (service openntpd-service-type
                            (openntpd-configuration
                             (listen-on '("127.0.0.1" "::1"))
                             (allow-large-adjustment? #t)))
                   (modify-services %base-services
                     (login-service-type config =>
                                         (login-configuration
                                          (inherit config)
                                          (motd vm-image-motd)))))))
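Review bot: in the openntpd-service-activation hunk, the new /var/lib/openntpd tree is created with mkdir-p and whatever mode the activation's umask yields, with no explicit owner or mode. Since the ntp.scm hunk makes that same directory the privsep chroot (--with-privsep-path=/var/lib/openntpd), it should be created explicitly as root-owned and not group- or world-writable (for example chmod 755 after mkdir-p) so the unprivileged ntpd child cannot write into its own chroot; the db/ and run/ subdirectories that root writes to can stay as they are.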
From: Ludovic Courtès <ludo@gnu.org>
To: Efraim Flashner
Cc: 31894@debbugs.gnu.org
Subject: [bug#31894] Containerize openntpd service
Date: Fri, 22 Jun 2018 21:39:01 +0200
Message-ID: <87d0wiy5ka.fsf@gnu.org>
In-Reply-To: <20180619093155.GA1200@macbook41>

Hello Efraim,

Efraim Flashner skribis:

> I tested this patch with the included vm image, using the following
> script. After logging in, 'ntpctl -s all' shows openntpd connecting to
> the ntp servers and updating the time.
>
> /.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53

[...]

> From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
> From: Efraim Flashner
> Date: Tue, 19 Jun 2018 12:24:47 +0300
> Subject: [PATCH] services: openntpd: Containerize openntpd service.
>
> * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
> 'configure-flags and adjust the 'localstatedir' flag.
> * gnu/services/networking.scm (openntpd-shepherd-service): Change the
> start-service command to run in a container, expose '/var/log/openntpd'
> and '/var/lib/openntpd' to the container.
> (openntpd-service-activation): Adjust directories for the changes above.

Neat! The patch LGTM, especially since you’ve confirmed that it still
works as expected. :-)

One thing though: could you make sure containerization isn’t redundant
with what OpenNTPD already does? Namely, could you grep the source for
calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
doing one of these things, it may be that using a container brings
little or nothing.

If it’s OK, please push!

While I’m at it, one question about this comment (which was already there):

> + ;; When ntpd is daemonized it repeatedly tries to respawn
> + ;; while running, leading shepherd to disable it. To
> + ;; prevent spamming stderr, redirect output to logfile.
> + #:log-file "/var/log/ntpd"))

What’s described here is expected: when it daemonizes, the initial
process that shepherd spawned terminates immediately, which is why
shepherd tries to respawn it (it cannot guess that there’s in fact a
child process that keeps running.)

The right thing to do for things that daemonize is to use the #:pid-file
option, which instructs shepherd to poll that file. Should we do this
here? There are many examples of that, including bitlbee, which is
containerized.

Thanks,
Ludo’.
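Added example (not part of this thread or of the Guix tree) of the #:pid-file approach described in the message above: a containerized shepherd service for a hypothetical daemon, foo-daemon, that forks into the background and writes /var/run/foo-daemon.pid, written in the style of the containerized bitlbee service mentioned. The foo-daemon package variable, its --pid-file option and the /var/lib/foo-daemon state directory are assumptions.

```scheme
(use-modules (gnu services shepherd)
             (guix gexp)
             (guix modules))

;; Assumed for this example: a package FOO-DAEMON whose /sbin/foo-daemon
;; forks into the background, accepts --pid-file, and keeps its state in
;; /var/lib/foo-daemon.  None of these exist in Guix.
(define (foo-daemon-shepherd-services foo-daemon)
  (with-imported-modules (source-module-closure
                          '((gnu build shepherd)
                            (gnu system file-systems)))
    (list (shepherd-service
           (provision '(foo-daemon))
           (documentation "Run the (hypothetical) foo daemon in a container.")
           (requirement '(user-processes networking))
           (modules '((gnu build shepherd)
                      (gnu system file-systems)))
           (start #~(make-forkexec-constructor/container
                     ;; No "stay in the foreground" flag: the parent exits
                     ;; right after forking, which on its own would make
                     ;; shepherd believe the service died and respawn it.
                     (list #$(file-append foo-daemon "/sbin/foo-daemon")
                           "--pid-file" "/var/run/foo-daemon.pid")
                     ;; Only the daemon's own state directory is writable
                     ;; inside the container.
                     #:mappings (list (file-system-mapping
                                       (source "/var/lib/foo-daemon")
                                       (target source)
                                       (writable? #t)))
                     ;; Tell shepherd to wait for the PID file and track the
                     ;; PID written there (the long-lived child) instead of
                     ;; the short-lived parent it spawned.
                     #:pid-file "/var/run/foo-daemon.pid"
                     #:log-file "/var/log/foo-daemon.log"))
           (stop #~(make-kill-destructor))))))
```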
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Efraim Flashner
Subject: bug#31894: closed (Re: [bug#31894] Containerize openntpd service)
Date: Tue, 26 Jun 2018 08:27:02 +0000

Your bug report

#31894: Containerize openntpd service

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 31894@debbugs.gnu.org.

-- 
31894: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=31894
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Efraim Flashner
To: Ludovic Courtès
Cc: 31894-done@debbugs.gnu.org
Subject: Re: [bug#31894] Containerize openntpd service
Date: Tue, 26 Jun 2018 11:25:57 +0300
Message-ID: <20180626082557.GA1537@macbook41>
In-Reply-To: <87d0wiy5ka.fsf@gnu.org>

On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:
> Hello Efraim,
>
> Efraim Flashner skribis:
>
> > I tested this patch with the included vm image, using the following
> > script. After logging in, 'ntpctl -s all' shows openntpd connecting to
> > the ntp servers and updating the time.
> >
> > /.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53
>
> [...]
>
> > From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner
> > Date: Tue, 19 Jun 2018 12:24:47 +0300
> > Subject: [PATCH] services: openntpd: Containerize openntpd service.
> >
> > * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
> > 'configure-flags and adjust the 'localstatedir' flag.
> > * gnu/services/networking.scm (openntpd-shepherd-service): Change the
> > start-service command to run in a container, expose '/var/log/openntpd'
> > and '/var/lib/openntpd' to the container.
> > (openntpd-service-activation): Adjust directories for the changes above.
>
> Neat! The patch LGTM, especially since you’ve confirmed that it still
> works as expected. :-)
>
> One thing though: could you make sure containerization isn’t redundant
> with what OpenNTPD already does? Namely, could you grep the source for
> calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
> doing one of these things, it may be that using a container brings
> little or nothing.
>
> If it’s OK, please push!

From grepping the source:

./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
./INSTALL:processing is done as a chroot'ed, unprivileged user).

The code also supports the assertion. It defaults to /var/empty, unless
the --with-privsep-path=path flag is set, so it looks like my patch is
unnecessary after all. :)

>
> While I’m at it, one question about this comment (which was already there):
>
> > + ;; When ntpd is daemonized it repeatedly tries to respawn
> > + ;; while running, leading shepherd to disable it. To
> > + ;; prevent spamming stderr, redirect output to logfile.
> > + #:log-file "/var/log/ntpd"))
>
> What’s described here is expected: when it daemonizes, the initial
> process that shepherd spawned terminates immediately, which is why
> shepherd tries to respawn it (it cannot guess that there’s in fact a
> child process that keeps running.)
>
> The right thing to do for things that daemonize is to use the #:pid-file
> option, which instructs shepherd to poll that file. Should we do this
> here? There are many examples of that, including bitlbee, which is
> containerized.
>

I'll take a look at that and see if I can fix that.

> Thanks,
> Ludo’.

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
([127.0.0.1]:55726 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fVCzs-00014r-DP for submit@debbugs.gnu.org; Tue, 19 Jun 2018 05:32:20 -0400 Received: from eggs.gnu.org ([208.118.235.92]:47335) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fVCzq-00014e-D8 for submit@debbugs.gnu.org; Tue, 19 Jun 2018 05:32:19 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fVCzf-0006NJ-4C for submit@debbugs.gnu.org; Tue, 19 Jun 2018 05:32:13 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: ** X-Spam-Status: No, score=2.3 required=5.0 tests=BAYES_50,RCVD_IN_SORBS_WEB autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:48865) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fVCze-0006NE-VA for submit@debbugs.gnu.org; Tue, 19 Jun 2018 05:32:07 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:38287) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fVCzc-0005mO-Ir for guix-patches@gnu.org; Tue, 19 Jun 2018 05:32:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fVCzX-0006Mi-J4 for guix-patches@gnu.org; Tue, 19 Jun 2018 05:32:04 -0400 Received: from flashner.co.il ([178.62.234.194]:32910) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fVCzX-0006MW-1S for guix-patches@gnu.org; Tue, 19 Jun 2018 05:31:59 -0400 Received: from localhost (unknown [31.210.182.47]) by flashner.co.il (Postfix) with ESMTPSA id 647E64028D for ; Tue, 19 Jun 2018 09:31:56 +0000 (UTC) Date: Tue, 19 Jun 2018 12:31:55 +0300 
From: Efraim Flashner To: guix-patches@gnu.org Subject: Containerize openntpd service Message-ID: <20180619093155.GA1200@macbook41> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="hHWLQfXTYDoKhP50" Content-Disposition: inline User-Agent: Mutt/1.10.0 (2018-05-17) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -2.5 (--) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.5 (---) --hHWLQfXTYDoKhP50 Content-Type: multipart/mixed; boundary="MGYHOYXEY6WxJCY8" Content-Disposition: inline --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I tested this patch with the included vm image, using the following script. After logging in, 'ntpctl -s all' shows openntpd connecting to the ntp servers and updating the time. 
/.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~= /vm-image.scm) -m 768 -device e1000,netdev=3Dnet0 -netdev user,id=3Dnet0,ho= stfwd=3Dtcp::5555-:53 --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0001-services-openntpd-Containerize-openntpd-service.patch" Content-Transfer-Encoding: quoted-printable =46rom 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001 =46rom: Efraim Flashner Date: Tue, 19 Jun 2018 12:24:47 +0300 Subject: [PATCH] services: openntpd: Containerize openntpd service. * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to 'configure-flags and adjust the 'localstatedir' flag. * gnu/services/networking.scm (openntpd-shepherd-service): Change the start-service command to run in a container, expose '/var/log/openntpd' and '/var/lib/openntpd' to the container. (openntpd-service-activation): Adjust directories for the changes above. --- gnu/packages/ntp.scm | 3 +- gnu/services/networking.scm | 58 ++++++++++++++++++++++++------------- 2 files changed, 40 insertions(+), 21 deletions(-) diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm index e9ae9fa46..2c202b400 100644 --- a/gnu/packages/ntp.scm +++ b/gnu/packages/ntp.scm @@ -109,7 +109,8 @@ computers over a network.") (build-system gnu-build-system) (arguments '(#:configure-flags '("--with-privsep-user=3Dntpd" - "--localstatedir=3D/var") + "--with-privsep-path=3D/var/lib/openntpd" + "--localstatedir=3D/var/lib/openntpd") #:phases (modify-phases %standard-phases (add-after 'unpack 'modify-install-locations diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index d5d0cf9d1..100a18e7c 100644 --- a/gnu/services/networking.scm 
+++ b/gnu/services/networking.scm @@ -428,22 +428,39 @@ make an initial adjustment of more than 1,000 seconds= =2E" (define ntpd.conf (plain-file "ntpd.conf" config)) =20 - (list (shepherd-service - (provision '(ntpd)) - (documentation "Run the Network Time Protocol (NTP) daemon.") - (requirement '(user-processes networking)) - (start #~(make-forkexec-constructor - (list (string-append #$openntpd "/sbin/ntpd") - "-f" #$ntpd.conf - "-d" ;; don't daemonize - #$@(if allow-large-adjustment? - '("-s") - '())) - ;; When ntpd is daemonized it repeatedly tries to= respawn - ;; while running, leading shepherd to disable it.= To - ;; prevent spamming stderr, redirect output to lo= gfile. - #:log-file "/var/log/ntpd")) - (stop #~(make-kill-destructor))))))) + (with-imported-modules (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + (list (shepherd-service + (provision '(ntpd)) + (documentation "Run the Network Time Protocol (NTP) daemon= =2E") + (requirement '(user-processes networking)) + (modules '((gnu build shepherd) + (gnu system file-systems))) + (start #~(make-forkexec-constructor/container + (list (string-append #$openntpd "/sbin/ntpd") + "-f" #$ntpd.conf + "-d" ;; don't daemonize + #$@(if allow-large-adjustment? + '("-s") + '())) + #:mappings (list (file-system-mapping + (source "/var/lib/openntpd") + (target source) + (writable? #t)) + (file-system-mapping + (source "/var/log/openntpd") + (target "/var/log") + (writable? #t)) + ;; For the privsep ntpd user. + (file-system-mapping + (source "/var/lib/openntpd") + (target "/var/empty"))) + ;; When ntpd is daemonized it repeatedly tries = to respawn + ;; while running, leading shepherd to disable i= t. To + ;; prevent spamming stderr, redirect output to = logfile. + #:log-file "/var/log/ntpd")) + (stop #~(make-kill-destructor)))))))) =20 (define (openntpd-service-activation config) "Return the activation gexp for CONFIG." 
@@ -451,10 +468,11 @@ make an initial adjustment of more than 1,000 seconds= =2E" #~(begin (use-modules (guix build utils)) =20 - (mkdir-p "/var/db") - (mkdir-p "/var/run") - (unless (file-exists? "/var/db/ntpd.drift") - (with-output-to-file "/var/db/ntpd.drift" + (mkdir-p "/var/lib/openntpd/db") + (mkdir-p "/var/lib/openntpd/run") + (mkdir-p "/var/log/openntpd") + (unless (file-exists? "/var/lib/openntpd/db/ntpd.drift") + (with-output-to-file "/var/lib/openntpd/db/ntpd.drift" (lambda _ (format #t "0.0"))))))) =20 --=20 2.17.1 --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="vm-image.scm" ;;; This is an operating system configuration template for a "bare-bones" setup, ;;; suitable for booting in a virtualized environment, including virtual private ;;; servers (VPS). (use-modules (gnu)) (use-package-modules bootloaders disk nvi) (use-service-modules networking) (define vm-image-motd (plain-file "motd" " This is the GNU system. Welcome! This instance of GuixSD is a bare-bones template for virtualized environments. You will probably want to do these things first if you booted in a virtual private server (VPS): * Set a password for 'root'. * Set up networking. * Expand the root partition to fill the space available by 0) deleting and recreating the partition with fdisk, 1) reloading the partition table with partprobe, and then 2) resizing the filesystem with resize2fs.\n")) (operating-system (host-name "gnu") (timezone "Etc/UTC") (locale "en_US.utf8") ;; Assuming /dev/sdX is the target hard disk, and "my-root" is ;; the label of the target root file system. (bootloader (bootloader-configuration (bootloader grub-bootloader) (target "/dev/sda") (terminal-outputs '(console)))) (file-systems (cons (file-system (device (file-system-label "my-root")) (mount-point "/") (type "ext4")) %base-file-systems)) ;; This is where user accounts are specified. 
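Review bot: In the gnu/packages/ntp.scm hunk, `--with-privsep-path=/var/lib/openntpd` makes the privilege-separated child's chroot the same directory that `--localstatedir=/var/lib/openntpd` turns into the daemon's writable state directory (the activation hunk creates `db/` and `run/` there). The default privsep path, `/var/empty`, is an empty root-owned directory precisely so the unprivileged child sees nothing; reusing the state directory instead exposes the drift file and run directory inside the chroot. Suggest leaving the privsep path at its default and only moving `--localstatedir`, and saying in the commit message why a non-default privsep path is needed, since the log entry only states that the flag was added.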
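Review bot: In the gnu/services/networking.scm hunk, the third `file-system-mapping` bind-mounts `/var/lib/openntpd` read-only at `/var/empty` "for the privsep ntpd user", yet the ntp.scm hunk in the same patch moves the privsep path to `/var/lib/openntpd`, which the first mapping already exposes writable at its own path. The `/var/empty` mapping is therefore either unused or, with a package built at the default privsep path, hands the chroot the entire state directory instead of an empty one; suggest dropping it or mapping a dedicated empty directory. Separately, the second mapping rebinds `/var/log` inside the container to `/var/log/openntpd`, while the unchanged `#:log-file "/var/log/ntpd"` and its comment still name the host path; please state whether shepherd resolves `#:log-file` on the host or inside the container, because the activation hunk now creates `/var/log/openntpd` as if the log were expected there.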
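Review bot: In the activation hunk, `mkdir-p` creates `/var/lib/openntpd/db` and `/var/lib/openntpd/run` and writes `ntpd.drift` as root with whatever mode the activation umask yields, but the ntp.scm hunk makes `/var/lib/openntpd` the privsep chroot as well. Please set owner and mode explicitly: the chroot directory root-owned and not writable by the `ntpd` user, and the state subdirectories owned by the side of the privilege split that writes them, so a later change to the umask or to the directory layout cannot silently give the unprivileged child a writable chroot.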
;; The "root" account is implicit, and is initially created with the
;; empty password.
(users %base-user-accounts)

;; Globally-installed packages.
(packages (cons* nvi fdisk
                 grub   ; mostly so xrefs to its manual work
                 parted ; partprobe
                 %base-packages))

(services (cons* (service connman-service-type)
                 (service wpa-supplicant-service-type)
                 (service openntpd-service-type
                          (openntpd-configuration
                           (listen-on '("127.0.0.1" "::1"))
                           (allow-large-adjustment? #t)))
                 (modify-services %base-services
                   (login-service-type config =>
                     (login-configuration
                      (inherit config)
                      (motd vm-image-motd)))))))

From unknown Sat Sep 06 21:07:46 2025
Subject: [bug#31894] Containerize openntpd service
Resent-From: ludo@gnu.org (Ludovic Courtès)
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 26 Jun 2018 13:49:02 +0000
X-GNU-PR-Message: followup 31894
X-GNU-PR-Package: guix-patches
To: Efraim Flashner
Cc: 31894-done@debbugs.gnu.org
From: ludo@gnu.org (Ludovic Courtès)
References: <20180619093155.GA1200@macbook41> <87d0wiy5ka.fsf@gnu.org> <20180626082557.GA1537@macbook41>
Date: Tue, 26 Jun 2018 15:48:34 +0200
In-Reply-To: <20180626082557.GA1537@macbook41> (Efraim Flashner's message of "Tue, 26 Jun 2018 11:25:57 +0300")
Message-ID: <87efgt4q19.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Efraim Flashner skribis:

> On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:

[...]

>> One thing though: could you make sure containerization isn’t redundant
>> with what OpenNTPD already does? Namely, could you grep the source for
>> calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
>> doing one of these things, it may be that using a container brings
>> little or nothing.
>>
>> If it’s OK, please push!
>
> From grepping the source:
>
> ./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
> ./INSTALL:processing is done as a chroot'ed, unprivileged user).
>
> The code also supports the assertion.
>
> it defaults to /var/empty, unless the --with-privsep-path=path flag is
> set, so it looks like my patch is unnecessary after all. :)

Heh, alright. Perhaps you’ll find another candidate for containerization. ;-)

Thanks,
Ludo’.
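The check asked for above (grep a daemon's source for chroot, unshare or seccomp before deciding whether a container layer adds any isolation), as an added example that is not part of this thread and not OpenNTPD's or Guix's code. It assumes a local source tree passed as the first argument; the `audit_sandboxing` and `sandbox_verdict` names, the pattern list and the verdict rule are this example's own choices, and it generalizes the grep to a few more self-confinement calls (pledge, unveil, and privilege drops via setuid/setresuid).

```shell
#!/bin/sh
# Added example (not from the thread, not OpenNTPD code): inventory the
# self-sandboxing primitives a daemon's C sources already use, so a reviewer
# can judge whether an extra container layer adds isolation or is redundant.
# The pattern list and the verdict rule are this example's own assumptions.

# Print "<pattern> <count>" for each primitive, counting matching source lines.
audit_sandboxing() {
    dir=$1
    for pat in 'chroot(' 'unshare(' 'seccomp' 'PR_SET_SECCOMP' \
               'pledge(' 'unveil(' 'setresuid(' 'setuid('; do
        # Fixed-string grep over C sources only; the pipeline's status is wc's,
        # so a pattern with no hits yields 0 instead of aborting under set -e.
        n=$(find "$dir" -type f \( -name '*.c' -o -name '*.h' \) \
                -exec grep -F -- "$pat" {} + 2>/dev/null | wc -l | tr -d ' ')
        printf '%s %s\n' "$pat" "$n"
    done
}

# Reduce the inventory to a verdict: any chroot/unshare/seccomp/pledge use
# means the daemon already confines itself and a container mostly duplicates it.
sandbox_verdict() {
    audit_sandboxing "$1" | awk '
        $1 ~ /chroot|unshare|seccomp|SECCOMP|pledge/ && $2 > 0 { found = 1 }
        END { print (found ? "self-sandboxed" : "no-self-sandboxing") }'
}

# Stand-alone use: sh audit.sh /path/to/source-tree
if [ "$#" -gt 0 ]; then
    audit_sandboxing "$1"
    sandbox_verdict "$1"
fi
```

A hit only shows that the call exists in the tree, not that it is compiled in or reached: as the thread itself shows, OpenNTPD's chroot target depends on `--with-privsep-path`, so the build flags and the INSTALL notes still have to be read alongside the counts.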