GNU bug report logs - #31894
Containerize openntpd service


Package: guix-patches;

Reported by: Efraim Flashner <efraim <at> flashner.co.il>

Date: Tue, 19 Jun 2018 09:33:01 UTC

Severity: normal

Done: Efraim Flashner <efraim <at> flashner.co.il>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#31894: closed (Containerize openntpd service)
Date: Tue, 26 Jun 2018 08:27:01 +0000
Your message dated Tue, 26 Jun 2018 11:25:57 +0300
with message-id <20180626082557.GA1537 <at> macbook41>
and subject line Re: [bug#31894] Containerize openntpd service
has caused the debbugs.gnu.org bug report #31894,
regarding Containerize openntpd service
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
31894: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=31894
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Efraim Flashner <efraim <at> flashner.co.il>
To: guix-patches <at> gnu.org
Subject: Containerize openntpd service
Date: Tue, 19 Jun 2018 12:31:55 +0300
I tested this patch with the included vm image, using the following
script. After logging in, 'ntpctl -s all' shows openntpd connecting to
the ntp servers and updating the time.

/.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53


-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[0001-services-openntpd-Containerize-openntpd-service.patch (text/plain, attachment)]
[vm-image.scm (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
From: Efraim Flashner <efraim <at> flashner.co.il>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 31894-done <at> debbugs.gnu.org
Subject: Re: [bug#31894] Containerize openntpd service
Date: Tue, 26 Jun 2018 11:25:57 +0300
On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:
> Hello Efraim,
> 
> Efraim Flashner <efraim <at> flashner.co.il> skribis:
> 
> > I tested this patch with the included vm image, using the following
> > script. After logging in, 'ntpctl -s all' shows openntpd connecting to
> > the ntp servers and updating the time.
> >
> > /.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53
> 
> [...]
> 
> > From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner <efraim <at> flashner.co.il>
> > Date: Tue, 19 Jun 2018 12:24:47 +0300
> > Subject: [PATCH] services: openntpd: Containerize openntpd service.
> >
> > * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
> > 'configure-flags and adjust the 'localstatedir' flag.
> > * gnu/services/networking.scm (openntpd-shepherd-service): Change the
> > start-service command to run in a container, expose '/var/log/openntpd'
> > and '/var/lib/openntpd' to the container.
> > (openntpd-service-activation): Adjust directories for the changes above.
> 
> Neat!  The patch LGTM, especially since you’ve confirmed that it still
> works as expected.  :-)
> 
> One thing though: could you make sure containerization isn’t redundant
> with what OpenNTPD already does?  Namely, could you grep the source for
> calls to “chroot”, “unshare”, or “seccomp”?  If it happens to be already
> doing one of these things, it may be that using a container brings
> little or nothing.
> 
> If it’s OK, please push!

From grepping the source:

./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
./INSTALL:processing is done as a chroot'ed, unprivileged user).

The code also supports the assertion.

It defaults to /var/empty, unless the --with-privsep-path=path flag is
set, so it looks like my patch is unnecessary after all. :)

> 
> While I’m at it, one question about this comment (which was already there):
> 
> > +                           ;; When ntpd is daemonized it repeatedly tries to respawn
> > +                           ;; while running, leading shepherd to disable it.  To
> > +                           ;; prevent spamming stderr, redirect output to logfile.
> > +                           #:log-file "/var/log/ntpd"))
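Review bot: the comment on these lines treats shepherd's respawn attempts as misbehaviour to be silenced, but it is the expected result of ntpd daemonizing: the process shepherd spawned exits immediately and shepherd cannot know a child keeps running, so redirecting output with `#:log-file "/var/log/ntpd"` only hides the symptom while shepherd still tracks the wrong process. Suggest adding `#:pid-file` so shepherd polls the PID file the daemon writes, as the containerized bitlbee service already does, and rewording the comment so it describes that arrangement rather than a "respawn loop".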
> 
> What’s described here is expected: when it daemonizes, the initial
> process that shepherd spawned terminates immediately, which is why
> shepherd tries to respawn it (it cannot guess that there’s in fact a
> child process that keeps running.)
> 
> The right thing to do for things that daemonize is to use the #:pid-file
> option, which instructs shepherd to poll that file.  Should we do this
> here?  There are many examples of that, including bitlbee, which is
> containerized.
> 

I'll take a look at that and see if I can fix that.

> Thanks,
> Ludo’.

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[signature.asc (application/pgp-signature, inline)]
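As an added example (not code from the patch or from Guix itself) of the fix Ludo suggests, here are two shepherd-service definitions for OpenNTPD: one that keeps ntpd in the foreground with its `-d` ("do not daemonize") flag so shepherd supervises the long-lived process directly, and one that lets it daemonize and tracks it through `#:pid-file` instead of treating the early exit of the parent as a crash. The `openntpd` package variable and the `config-file` argument are assumed to be in scope, the PID-file path is illustrative, and the `-p` PID-file flag is assumed to be present in the OpenNTPD build being used.

```scheme
;; Added example, not part of the patch or of Guix's own service code.
;; Assumptions: OPENNTPD is the openntpd package object, CONFIG-FILE is a
;; file-like object holding ntpd.conf, and the PID-file path is illustrative.
(use-modules (gnu services shepherd)
             (guix gexp))

(define (openntpd-foreground-service openntpd config-file)
  ;; Variant 1: run ntpd in the foreground.  OpenNTPD's '-d' flag means "do
  ;; not daemonize", so the process shepherd forks is the one that keeps
  ;; running.  Shepherd tracks it directly, no PID file is needed, and the
  ;; log file only serves to keep stderr off the console.
  (shepherd-service
   (provision '(ntpd))
   (documentation "Run OpenNTPD in the foreground under shepherd.")
   (requirement '(user-processes networking))
   (start #~(make-forkexec-constructor
             (list (string-append #$openntpd "/sbin/ntpd")
                   "-d"                    ; stay in the foreground
                   "-f" #$config-file)
             #:log-file "/var/log/ntpd"))
   (stop #~(make-kill-destructor))))

(define (openntpd-daemonized-service openntpd config-file)
  ;; Variant 2: let ntpd daemonize.  The initial process exits right away,
  ;; which shepherd would otherwise read as a crash and respawn.  With
  ;; #:pid-file shepherd instead polls the file the surviving child writes
  ;; and adopts that PID, so stop/restart act on the real daemon.
  ;; ASSUMPTION: the "-p <file>" PID-file option is available in this build.
  (shepherd-service
   (provision '(ntpd))
   (documentation "Run OpenNTPD as a daemon, tracked through its PID file.")
   (requirement '(user-processes networking))
   (start #~(make-forkexec-constructor
             (list (string-append #$openntpd "/sbin/ntpd")
                   "-f" #$config-file
                   "-p" "/var/run/ntpd.pid")   ; assumed PID-file flag
             #:pid-file "/var/run/ntpd.pid"
             #:log-file "/var/log/ntpd"))
   (stop #~(make-kill-destructor))))
```

Either variant removes the need for the comment quoted above: in the foreground variant there is no respawn to explain, and in the daemonized variant `#:pid-file` is what stops it. Since OpenNTPD already chroots its unprivileged child to the privsep path (the grep result in this thread), neither variant wraps ntpd in a container.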
