GNU bug report logs - #54997
[PATCH 00/12] Add "least authority" program wrapper


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Sun, 17 Apr 2022 21:02:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Subject: bug#54997: closed (Re: bug#54997: [PATCH 00/12] Add "least
 authority" program wrapper)
Date: Sun, 01 May 2022 20:17:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#54997: [PATCH 00/12] Add "least authority" program wrapper

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 54997 <at> debbugs.gnu.org.

-- 
54997: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=54997
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: 54997-done <at> debbugs.gnu.org
Cc: Maxime Devos <maximedevos <at> telenet.be>,
 Thiago Jung Bauermann <bauermann <at> kolabnow.com>
Subject: Re: bug#54997: [PATCH 00/12] Add "least authority" program wrapper
Date: Sun, 01 May 2022 22:16:27 +0200
Ludovic Courtès <ludo <at> gnu.org> skribis:

>   gexp: Add 'references-file'.
>   file-systems: Avoid load-time warnings when attempting to load (guix
>     store).
>   linux-container: 'call-with-container' relays SIGTERM and SIGINT.
>   linux-container: Ensure signal-handling asyncs get a chance to run.
>   linux-container: Add #:child-is-pid1? parameter to
>     'call-with-container'.
>   Add (guix least-authority).
>   services: dicod: Rewrite using 'least-authority-wrapper'.
>   services: dicod: Use 'make-inetd-constructor'.
>   services: bitlbee: Use 'make-inetd-constructor'.
>   services: ipfs: Adjust for Shepherd 0.9.
>   services: ipfs: Use 'least-authority-wrapper'.
>   services: wesnothd: Grant write access to /var/run/wesnothd.
>   services: wesnothd: Use 'least-authority-wrapper'.
>   services: quassel: Use 'least-authority-wrapper'.
>   services: opendht: Use 'least-authority-wrapper'.

Pushed as fee06d5aaa71a965ea0bc06c1ff15c138a8bb2c8, thanks again for
reviewing!

Ludo’.

[Message part 3 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 00/12] Add "least authority" program wrapper
Date: Sun, 17 Apr 2022 23:01:07 +0200
Hello Guix!

So we have this fancy ‘make-forkexec-constructor/container’ thing
to spawn Shepherd services in a container:

  https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/

It’s nice, but it doesn’t compose.  What if you want an inetd-style
service *and* have it run in a container?  We certainly don’t want to
end up defining ‘make-inetd-constructor/container’ and so on.

Instead, the new (guix least-authority) module provides a way to
create “least-authority wrappers” for a given program: the wrapper
forks[*] a process that lives in separate namespaces, with
‘call-with-container’, sets up bind mounts and everything in the child,
and executes the program in that environment.  ([*] I considered
using unshare(2) instead of forking but that doesn’t quite work,
notably because the process itself would remain in the same PID
namespace as its parent.)

Subsequent patches change most, but not all, users of
‘make-forkexec-constructor/container’ to ‘least-authority-wrapper’.

One situation where ‘make-forkexec-constructor/container’ cannot be
replaced yet is when we rely on #:pid-file, as is the case for Tor
(‘make-forkexec-constructor/container’ goes to great lengths to read
PID files in the container and be happy with a PID that is only
valid within that namespace.)  The remaining users are Jami and
Pagekite; that is left as an exercise to the reader.  :-)

I have plans to use ‘least-authority-wrapper’ in other contexts, in
particular as the basis of a new package transformation option.

Thoughts?

Ludo’.

Ludovic Courtès (12):
  gexp: Add 'references-file'.
  file-systems: Avoid load-time warnings when attempting to load (guix
    store).
  linux-container: 'call-with-container' relays SIGTERM and SIGINT.
  Add (guix least-authority).
  services: dicod: Rewrite using 'least-authority-wrapper'.
  services: dicod: Use 'make-inetd-constructor'.
  services: bitlbee: Use 'make-inetd-constructor'.
  services: ipfs: Adjust for Shepherd 0.9.
  services: ipfs: Use 'least-authority-wrapper'.
  services: wesnothd: Grant write access to /var/run/wesnothd.
  services: wesnothd: Use 'least-authority-wrapper'.
  services: quassel: Use 'least-authority-wrapper'.

 Makefile.am                   |   1 +
 gnu/build/linux-container.scm |  15 ++--
 gnu/build/shepherd.scm        |   3 +-
 gnu/services/base.scm         |  22 ------
 gnu/services/dict.scm         |  61 ++++++++++------
 gnu/services/games.scm        |  33 +++++++--
 gnu/services/messaging.scm    | 105 +++++++++++++++++----------
 gnu/services/networking.scm   | 118 +++++++++++++++---------------
 gnu/system/file-systems.scm   |   5 +-
 gnu/tests/messaging.scm       |  21 +-----
 guix/gexp.scm                 |  43 +++++++++++
 guix/least-authority.scm      | 131 ++++++++++++++++++++++++++++++++++
 tests/gexp.scm                |  18 +++++
 13 files changed, 403 insertions(+), 173 deletions(-)
 create mode 100644 guix/least-authority.scm


base-commit: 950f3e4f98add14f645dc4c9f8c512cac7b8a779
-- 
2.35.1
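The following is an added illustration, not code from the patch series, of how the wrapper described in the cover letter composes with an ordinary Shepherd constructor. It assumes the keyword arguments of 'least-authority-wrapper' (#:name, #:mappings, #:namespaces) as merged in Guix, that '%namespaces' comes from (gnu build linux-container), and a config file path of /etc/dicod.conf (placeholder).

```scheme
(use-modules (gnu packages dictionaries)   ;dico
             (gnu services shepherd)
             (gnu system file-systems)
             (gnu build linux-container)   ;%namespaces (assumed)
             (guix gexp)
             (guix least-authority))

;; Wrap dicod so that the program it execs lives in its own mount,
;; PID, IPC, UTS and user namespaces, sees the store read-only, and
;; may write only to its runtime directory.  The network namespace is
;; kept shared with the host because the daemon has to listen on a
;; socket.  Keyword names below are assumed from the merged module.
(define dicod-wrapper
  (least-authority-wrapper
   (file-append dico "/bin/dicod")
   #:name "dicod-pola-wrapper"
   #:mappings (list (file-system-mapping
                     (source "/var/run/dicod")
                     (target source)
                     (writable? #t))
                    (file-system-mapping
                     (source "/dev/log")           ;syslog socket
                     (target source))
                    (file-system-mapping
                     (source "/etc/dicod.conf")    ;placeholder path
                     (target source)))
   ;; Everything in %namespaces except 'net'.
   #:namespaces (delq 'net %namespaces)))

;; The wrapper is an ordinary executable, so any constructor can
;; spawn it: no 'make-forkexec-constructor/container' variant needed.
(define dicod-shepherd-service
  (shepherd-service
   (provision '(dicod))
   (requirement '(user-processes networking))
   (documentation "Run dicod inside a least-authority container.")
   (start #~(make-forkexec-constructor
             (list #$dicod-wrapper "--foreground")
             #:user "dicod" #:group "dicod"))
   (stop #~(make-kill-destructor))))
```

Adding a mapping is the only way to grant the program access to a host path, which makes the authority the service holds explicit in the service definition itself.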



