GNU bug report logs -
#54205
[PATCH Shepherd] Factor out a public CALL-IN-FORK.
Previous Next
Reported by: Attila Lendvai <attila <at> lendvai.name>
Date: Tue, 1 Mar 2022 07:08:01 UTC
Severity: normal
Tags: patch, wontfix
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 54205 in the body.
You can then email your comments to 54205 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Tue, 01 Mar 2022 07:08:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Attila Lendvai <attila <at> lendvai.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Tue, 01 Mar 2022 07:08:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
This enables service implementations to easily inject code that is run before
their service is started. One such example is calling setrlimit from a start
action to set NOFILE (the open files limit), before the service is exec'ed and
thus inherits this value from the parent process, i.e. from Shepherd.
* modules/shepherd/service.scm (fork-and-call): New function.
(fork+exec-command): Use the above.
---
modules/shepherd/service.scm | 51 ++++++++++++++++++++----------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
index ad8608b..8d5e30f 100644
--- a/modules/shepherd/service.scm
+++ b/modules/shepherd/service.scm
@@ -79,6 +79,7 @@
make-forkexec-constructor
make-kill-destructor
exec-command
+ fork-and-call
fork+exec-command
default-pid-file-timeout
read-pid-file
@@ -883,19 +884,8 @@ false."
;; Signals that the shepherd process handles.
(list SIGCHLD SIGINT SIGHUP SIGTERM))
-(define* (fork+exec-command command
- #:key
- (user #f)
- (group #f)
- (supplementary-groups '())
- (log-file #f)
- (directory (default-service-directory))
- (file-creation-mask #f)
- (create-session? #t)
- (environment-variables
- (default-environment-variables)))
- "Spawn a process that executed COMMAND as per 'exec-command', and return
-its PID."
+(define* (fork-and-call thunk)
+ "Call THUNK in a fork."
;; Install the SIGCHLD handler if this is the first fork+exec-command call.
(unless %sigchld-handler-installed?
(sigaction SIGCHLD handle-SIGCHLD SA_NOCLDSTOP)
@@ -916,17 +906,34 @@ its PID."
;; process.
(unblock-signals %precious-signals)
- (exec-command command
- #:user user
- #:group group
- #:supplementary-groups supplementary-groups
- #:log-file log-file
- #:directory directory
- #:file-creation-mask file-creation-mask
- #:create-session? create-session?
- #:environment-variables environment-variables))
+ (thunk))
pid))))
+(define* (fork+exec-command command
+ #:key
+ (user #f)
+ (group #f)
+ (supplementary-groups '())
+ (log-file #f)
+ (directory (default-service-directory))
+ (file-creation-mask #f)
+ (create-session? #t)
+ (environment-variables
+ (default-environment-variables)))
+ "Spawn a process that executed COMMAND as per 'exec-command', and return
+its PID."
+ (fork-and-call
+ (lambda ()
+ (exec-command command
+ #:user user
+ #:group group
+ #:supplementary-groups supplementary-groups
+ #:log-file log-file
+ #:directory directory
+ #:file-creation-mask file-creation-mask
+ #:create-session? create-session?
+ #:environment-variables environment-variables))))
+
(define* (make-forkexec-constructor command
#:key
(user #f)
--
2.34.0
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Tue, 01 Mar 2022 07:31:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 54205 <at> debbugs.gnu.org (full text, mbox):
This enables service implementations to easily inject code that is run before
their service is started. One such example is calling setrlimit from a start
action to set NOFILE (the open files limit), before the service is exec'ed and
inherits this value from the parent process, i.e. from Shepherd.
* modules/shepherd/service.scm (fork-and-call): New function.
(fork+exec-command): Use the above.
---
v2: fixes the commit message.
modules/shepherd/service.scm | 51 ++++++++++++++++++++----------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
index ad8608b..8d5e30f 100644
--- a/modules/shepherd/service.scm
+++ b/modules/shepherd/service.scm
@@ -79,6 +79,7 @@
make-forkexec-constructor
make-kill-destructor
exec-command
+ fork-and-call
fork+exec-command
default-pid-file-timeout
read-pid-file
@@ -883,19 +884,8 @@ false."
;; Signals that the shepherd process handles.
(list SIGCHLD SIGINT SIGHUP SIGTERM))
-(define* (fork+exec-command command
- #:key
- (user #f)
- (group #f)
- (supplementary-groups '())
- (log-file #f)
- (directory (default-service-directory))
- (file-creation-mask #f)
- (create-session? #t)
- (environment-variables
- (default-environment-variables)))
- "Spawn a process that executed COMMAND as per 'exec-command', and return
-its PID."
+(define* (fork-and-call thunk)
+ "Call THUNK in a fork."
;; Install the SIGCHLD handler if this is the first fork+exec-command call.
(unless %sigchld-handler-installed?
(sigaction SIGCHLD handle-SIGCHLD SA_NOCLDSTOP)
@@ -916,17 +906,34 @@ its PID."
;; process.
(unblock-signals %precious-signals)
- (exec-command command
- #:user user
- #:group group
- #:supplementary-groups supplementary-groups
- #:log-file log-file
- #:directory directory
- #:file-creation-mask file-creation-mask
- #:create-session? create-session?
- #:environment-variables environment-variables))
+ (thunk))
pid))))
+(define* (fork+exec-command command
+ #:key
+ (user #f)
+ (group #f)
+ (supplementary-groups '())
+ (log-file #f)
+ (directory (default-service-directory))
+ (file-creation-mask #f)
+ (create-session? #t)
+ (environment-variables
+ (default-environment-variables)))
+ "Spawn a process that executed COMMAND as per 'exec-command', and return
+its PID."
+ (fork-and-call
+ (lambda ()
+ (exec-command command
+ #:user user
+ #:group group
+ #:supplementary-groups supplementary-groups
+ #:log-file log-file
+ #:directory directory
+ #:file-creation-mask file-creation-mask
+ #:create-session? create-session?
+ #:environment-variables environment-variables))))
+
(define* (make-forkexec-constructor command
#:key
(user #f)
--
2.34.0
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Tue, 01 Mar 2022 12:02:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 54205 <at> debbugs.gnu.org (full text, mbox):
Am Dienstag, dem 01.03.2022 um 08:29 +0100 schrieb Attila Lendvai:
> This enables service implementations to easily inject code that is
> run before their service is started. One such example is calling
> setrlimit from a start action to set NOFILE (the open files limit),
> before the service is exec'ed and inherits this value from the parent
> process, i.e. from Shepherd.
In general, I think such capabilities should be added to exec-command,
rather than resorting to a lambda. It takes a little while to realize
that call-in-fork, fork-and-call or whatever you want to name it is in
fact not pure evil; mainly because shepherd could in its stead already
invoke any lambda you throw at it. That being said, one should always
be aware that this child process runs with the full permissions of
shepherd, which you normally don't want to do for a service.
> [...]
> +(define* (fork-and-call thunk)
> + "Call THUNK in a fork."
> ;; Install the SIGCHLD handler if this is the first fork+exec-
> command call.
This docstring, as well as the procedure name only describe what is
done with thunk in the crudest terms. What's more, I don't think it
makes too much sense to restrict ourselves to thunks if we already run
arbitrary code anyway.
In my opinion, it ought to be
> +(define* (fork+apply proc . args)
> + "Spawn a process that calls PROC with ARGS and return its PID."
> (unless %sigchld-handler-installed?
> (sigaction SIGCHLD handle-SIGCHLD SA_NOCLDSTOP)
> @@ -916,17 +906,34 @@ its PID."
> ;; process.
> (unblock-signals %precious-signals)
>
> - (exec-command command
> - #:user user
> - #:group group
> - #:supplementary-groups supplementary-
> groups
> - #:log-file log-file
> - #:directory directory
> - #:file-creation-mask file-creation-mask
> - #:create-session? create-session?
> - #:environment-variables environment-
> variables))
> + (apply proc args))
> pid))))
WDYT?
> +(define* (fork+exec-command command
> + #:key
> + (user #f)
> + (group #f)
> + (supplementary-groups '())
> + (log-file #f)
> + (directory (default-service-directory))
> + (file-creation-mask #f)
> + (create-session? #t)
> + (environment-variables
> + (default-environment-variables)))
> + "Spawn a process that executed COMMAND as per 'exec-command', and
> return
> +its PID."
This is just copypasta from a previous mistake, but
s/executed/executes/.
Cheers
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Tue, 01 Mar 2022 12:48:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 54205 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Attila Lendvai schreef op di 01-03-2022 om 08:06 [+0100]:
> their service is started. One such example is calling setrlimit from a start
> action to set NOFILE (the open files limit), before the service is exec'ed and
> thus inherits this value from the parent process, i.e. from Shepherd.
'fork+exec-command' already accepts a 'environment-variables' and
'file-creation-mask', how about adding an 'open-file-limit' argument?
To me, that seems more declarative and less fragile than having
to call 'call-in-fork' manually in a 'start' procedure (*).
Support for other rlimits can be added on an as-needed basis.
Alternatively, the argument could be generalised to a more general
'rlimit' argument:
#:rlimits
`((,RLIMIT_AS ,SOFT ,HARD)
(,RLIMIT_NPROC ,SOFT ,HARD)
(,RLIMIT_NOFILE ,SOFT ,HARD))
WDYT?
Greetings,
Maxime.
(*) E.g., one of the ideas for making shepherd faster, was using some
kind of multi-threading. Forking when multi-threading is ill-defined
(see POSIX) though, so some kind of zygote process + IPC might be
necessary
(http://neugierig.org/software/chromium/notes/2011/08/zygote.html has a
nice explanation on zygote processes, the bits about software updates
can be ignored here).
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Tue, 01 Mar 2022 13:05:02 GMT)
Full text and
rfc822 format available.
Message #17 received at 54205 <at> debbugs.gnu.org (full text, mbox):
> In general, I think such capabilities should be added to exec-command,
> rather than resorting to a lambda. It takes a little while to realize
> that call-in-fork, fork-and-call or whatever you want to name it is in
> fact not pure evil; mainly because shepherd could in its stead already
> invoke any lambda you throw at it. That being said, one should always
> be aware that this child process runs with the full permissions of
> shepherd, which you normally don't want to do for a service.
does the above mean that you're concerned about the security implications? if
so, then i don't understand, because Guile already allows calling/accessing
private functions/symbols, and thus this change doesn't really increase the
(already enormous) attack surface in the guile codebase.
it does increase the shoot-oneself-in-the-foot-surface a little bit, though.
it's worth pointing out, though, that trusting a channel, and adding a shepherd
service defined by it to the machine's config, is essentially giving root access
to the channel author. and this is already the case, prior to my change.
BTW, can i not already simply pass 0, or "root" as #:user to EXEC-COMMAND?
> In my opinion, it ought to be
>
> > +(define* (fork+apply proc . args)
> [...]
>
> WDYT?
makes sense, i'll update the patch... but given the feedback from the two of
you, should i?
i think i'll abandon this, and implement Maxime's #:rlimits suggestion.
i'm not sure how much better that will be, but at least it won't make future
threading harder, and allows me to make progress with my project.
if anyone prefers the FORK+APPLY version, then do speak up!
--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“An atheist doesn't have to be someone who thinks he has a proof that there can't be a god. He only has to be someone who believes that the evidence on the God question is at a similar level to the evidence on the werewolf question.”
— John McCarthy (1927–2011), father of Lisp
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Tue, 01 Mar 2022 14:02:02 GMT)
Full text and
rfc822 format available.
Message #20 received at 54205 <at> debbugs.gnu.org (full text, mbox):
Am Dienstag, dem 01.03.2022 um 13:04 +0000 schrieb Attila Lendvai:
> > In general, I think such capabilities should be added to exec-
> > command, rather than resorting to a lambda. It takes a little while
> > to realize that call-in-fork, fork-and-call or whatever you want to
> > name it is in fact not pure evil; mainly because shepherd could in
> > its stead already invoke any lambda you throw at it. That being
> > said, one should always be aware that this child process runs with
> > the full permissions of shepherd, which you normally don't want to
> > do for a service.
>
>
> does the above mean that you're concerned about the security
> implications? if so, then i don't understand, because Guile already
> allows calling/accessing private functions/symbols, and thus this
> change doesn't really increase the (already enormous) attack surface
> in the guile codebase.
This attack surface is less enormous if you consider the average case
of a shepherd service in which the arguments to fork+exec-command are
already evaluated by the time the procedure is call and thus both
"sane" within and without the fork. Most of the time people are not
too conscious about the fact that shepherd can already run arbitrary
Guile code as part of actions and you typically only use that to its
fullest extent when you're trying to do something real clever.
> it does increase the shoot-oneself-in-the-foot-surface a little bit,
> though.
>
> it's worth pointing out, though, that trusting a channel, and adding
> a shepherd service defined by it to the machine's config, is
> essentially giving root access to the channel author. and this is
> already the case, prior to my change.
>
> BTW, can i not already simply pass 0, or "root" as #:user to EXEC-
> COMMAND?
Only if you're already root, i.e. this won't work for user shepherds,
which can't become root (easily). On the other hand, I did get my user
shepherd to launch pkexec commands, so that's that.
>
> > In my opinion, it ought to be
> >
> > > +(define* (fork+apply proc . args)
> > [...]
> >
> > WDYT?
>
> makes sense, i'll update the patch... but given the feedback from the
> two of you, should i?
>
> i think i'll abandon this, and implement Maxime's #:rlimits
> suggestion.
>
> i'm not sure how much better that will be, but at least it won't make
> future threading harder, and allows me to make progress with my
> project.
>
> if anyone prefers the FORK+APPLY version, then do speak up!
FWIW Maxime's complaint would also hold w.r.t. fork+exec-command, which
would then be implemented in terms of fork+apply, so assuming that
fork+exec-command still exists after the switch to multiple threads,
we'd have to patch at least one location either way. fork+apply could
make it so that less hacks are required overall to make all forking
behaviour inside shepherd services as intended, but that's so far only
a theoretical claim with no evidence to back it up.
I think the real question is what you are trying to achieve here. If
you only want to add rlimits, that's an exec-command thing. If you
instead wanted to spawn a Guile function within a sandbox (rather than
a completely new command), that would require something along the lines
of fork+apply at least under the hood. With the things you've
described, I don't think it makes sense (yet) to export fork+apply, but
it might still make sense to refactor fork+exec-command under the hood.
Cheers
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Tue, 01 Mar 2022 17:17:01 GMT)
Full text and
rfc822 format available.
Message #23 received at 54205 <at> debbugs.gnu.org (full text, mbox):
Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at> writes:
> Am Dienstag, dem 01.03.2022 um 13:04 +0000 schrieb Attila Lendvai:
>> > In general, I think such capabilities should be added to exec-
>> > command, rather than resorting to a lambda. It takes a little while
>> > to realize that call-in-fork, fork-and-call or whatever you want to
>> > name it is in fact not pure evil; mainly because shepherd could in
>> > its stead already invoke any lambda you throw at it. That being
>> > said, one should always be aware that this child process runs with
>> > the full permissions of shepherd, which you normally don't want to
>> > do for a service.
>>
>>
>> does the above mean that you're concerned about the security
>> implications? if so, then i don't understand, because Guile already
>> allows calling/accessing private functions/symbols, and thus this
>> change doesn't really increase the (already enormous) attack surface
>> in the guile codebase.
> This attack surface is less enormous if you consider the average case
> of a shepherd service in which the arguments to fork+exec-command are
> already evaluated by the time the procedure is call and thus both
> "sane" within and without the fork. Most of the time people are not
> too conscious about the fact that shepherd can already run arbitrary
> Guile code as part of actions and you typically only use that to its
> fullest extent when you're trying to do something real clever.
In general this would be improved if we move Guix in general, and the
Shepherd services in particular, to an object capability based security
model.
It's on my TODO to lay out a sketch for how this could happen, assuming
there's support for it in the community (which I don't expect to go one
way or another until a plan is laid out to talk about).
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Tue, 01 Mar 2022 17:18:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Wed, 02 Mar 2022 16:06:02 GMT)
Full text and
rfc822 format available.
Message #29 received at 54205 <at> debbugs.gnu.org (full text, mbox):
Hi,
Maxime Devos <maximedevos <at> telenet.be> skribis:
> Attila Lendvai schreef op di 01-03-2022 om 08:06 [+0100]:
>> their service is started. One such example is calling setrlimit from a start
>> action to set NOFILE (the open files limit), before the service is exec'ed and
>> thus inherits this value from the parent process, i.e. from Shepherd.
>
> 'fork+exec-command' already accepts a 'environment-variables' and
> 'file-creation-mask', how about adding an 'open-file-limit' argument?
> To me, that seems more declarative and less fragile than having
> to call 'call-in-fork' manually in a 'start' procedure (*).
Seconded.
> Support for other rlimits can be added on an as-needed basis.
> Alternatively, the argument could be generalised to a more general
> 'rlimit' argument:
>
> #:rlimits
> `((,RLIMIT_AS ,SOFT ,HARD)
> (,RLIMIT_NPROC ,SOFT ,HARD)
> (,RLIMIT_NOFILE ,SOFT ,HARD))
>
> WDYT?
This interface brings more flexibility, I’m all for it.
> (*) E.g., one of the ideas for making shepherd faster, was using some
> kind of multi-threading. Forking when multi-threading is ill-defined
I think what we need is concurrency, not POSIX threads. IOW, we can
achieve the concurrency we need without resorting to POSIX threads, for
example using Fibers on a single POSIX thread.
Thanks,
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Wed, 02 Mar 2022 18:22:01 GMT)
Full text and
rfc822 format available.
Message #32 received at 54205 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op wo 02-03-2022 om 17:05 [+0100]:
> I think what we need is concurrency, not POSIX threads. IOW, we can
> achieve the concurrency we need without resorting to POSIX threads, for
> example using Fibers on a single POSIX thread.
guile-fibers uses threads internally, e.g. in (fibers interrupts).
Interrupts can theoretically be avoided, but that has a downside
that if a start procedure goes into infinite loop (while forgetting to
sleep), the whole shepherd would hang.
I'm not saying that we need POSIX threads per-se -- I find
'choice-operation', 'perform-operation', the channel operations and
Fibers conditions much more convenient than the (lack of) POSIX
equivalents, but I'd prefer avoiding the assumption of single-threading
where feasible, to make it ourselves not harder than necessary in the
future, in case it turns out we need POSIX threading somewhere (even if
only as an implementation detail).
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#54205; Package
guix-patches.
(Thu, 03 Mar 2022 08:06:02 GMT)
Full text and
rfc822 format available.
Message #35 received at 54205 <at> debbugs.gnu.org (full text, mbox):
> > Support for other rlimits can be added on an as-needed basis.
> >
> > Alternatively, the argument could be generalised to a more general
> > 'rlimit' argument:
> >
> > #:rlimits
> > `((,RLIMIT_AS ,SOFT ,HARD)
> > (,RLIMIT_NPROC ,SOFT ,HARD)
> > (,RLIMIT_NOFILE ,SOFT ,HARD))
> >
> > WDYT?
>
> This interface brings more flexibility, I’m all for it.
FTR, i've filed this as a patch (with a test!).
https://issues.guix.gnu.org/54215
--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“It is a miracle that curiosity survives formal education. It is a very grave mistake to think that the enjoyment of seeing and searching can be promoted by means of coercion and a sense of duty.”
— Albert Einstein (1879–1955), 'Autobiographical Notes' (1949), slightly paraphrased
Added tag(s) wontfix.
Request was from
Ludovic Courtès <ludo <at> gnu.org>
to
control <at> debbugs.gnu.org.
(Mon, 21 Mar 2022 13:04:02 GMT)
Full text and
rfc822 format available.
Reply sent
to
Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility.
(Mon, 21 Mar 2022 13:04:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Attila Lendvai <attila <at> lendvai.name>:
bug acknowledged by developer.
(Mon, 21 Mar 2022 13:04:02 GMT)
Full text and
rfc822 format available.
Message #42 received at 54205-done <at> debbugs.gnu.org (full text, mbox):
Attila Lendvai <attila <at> lendvai.name> skribis:
> FTR, i've filed this as a patch (with a test!).
>
> https://issues.guix.gnu.org/54215
Awesome, closing this one!
Ludo’.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Tue, 19 Apr 2022 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 3 years and 147 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.