GNU bug report logs -
#54997
[PATCH 00/12] Add "least authority" program wrapper
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Sun, 17 Apr 2022 21:02:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #83 received at 54997 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès wrote on Sun 17-04-2022 at 23:01 [+0200]:
> Hello Guix!
>
> So we have this fancy ‘make-forkexec-constructor/container’ thing
> to spawn Shepherd services in a container:
>
> https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/
>
> It’s nice, but it doesn’t compose. What if you want an inetd-style
> service *and* have it run in a container? We certainly don’t want to
> end up defining ‘make-inetd-constructor/container’ and so on.

Currently, it doesn't compose, but can it be made composable?
More concretely, maybe there could be a set of ‘process procedures’
implementable by record types:

  ;; Inspired by <https://docs.racket-lang.org/reference/subprocess.html>,
  ;; with some differences
  (define (subprocess-start/separate process) ...) ; run it in a separate process
  (define (subprocess-start/replace process) ...)  ; run it with 'exec'
  (define (subprocess-kill process) ...)
  (define (subprocess-wait process) ...)
  (define (subprocess-status process) ...)

  ;; Basic process constructor, doesn't do containers
  (define (command-process ...) ...)

  ;; Container
  (define (contain inner #:key container-stuff ...)
    subprocess-start/separate: (run-container ... (lambda () (subprocess-start/replace inner)))
    other procedures ...
    return the record)

Then make-inetd-constructor could be changed to accept a lambda producing
'subprocess' records. By passing it a subprocess wrapped by 'contain', it would
automatically support container things:

  (define (make-inetd-constructor/container-command command* ...)
    (make-inetd-constructor (lambda () (contain (command-process command*))) ...))

Greetings,
Maxime.
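
The composition proposed in the message above, as an added Guile sketch that is not part of the original message and is not code from Guix or the Shepherd. Assumptions: 'fork+run', 'enter-sandbox!' and 'make-constructor' are hypothetical names; 'enter-sandbox!' only clears the environment and changes directory, standing in for the 'run-container' call of the message; /bin/sh is assumed to exist.

```scheme
(use-modules (srfi srfi-9))

;; A subprocess is a record of procedures, so wrappers can compose.
(define-record-type <subprocess>
  (make-subprocess start/separate start/replace)
  subprocess?
  (start/separate %start/separate)    ; thunk: fork a child, return its PID
  (start/replace  %start/replace))    ; thunk: 'exec' in the current process

(define (subprocess-start/separate p) ((%start/separate p)))
(define (subprocess-start/replace p) ((%start/replace p)))
(define (subprocess-wait pid) (status:exit-val (cdr (waitpid pid))))

;; Hypothetical helper: run THUNK in a forked child, return the PID.
(define (fork+run thunk)
  (let ((pid (primitive-fork)))
    (if (zero? pid)
        (begin (catch #t thunk (lambda _ #f)) ; swallow isolation/'exec' errors
               (primitive-_exit 127))         ; never fall back into parent code
        pid)))

;; Basic process constructor, no isolation.  COMMAND is a list of strings.
(define (command-process command)
  (define (replace) (apply execlp (car command) command))
  (make-subprocess (lambda () (fork+run replace)) replace))

;; Assumed stand-in for real isolation such as 'run-container'.
(define (enter-sandbox!)
  (environ '())
  (chdir "/"))

;; Wrap INNER: apply the isolation, then let INNER replace the process.
(define (contain inner)
  (define (replace) (enter-sandbox!) (subprocess-start/replace inner))
  (make-subprocess (lambda () (fork+run replace)) replace))

;; Hypothetical constructor taking a thunk that produces a subprocess.
(define (make-constructor make-process)
  (lambda () (subprocess-start/separate (make-process))))

;; Constructed demo: the exit status shows whether $HOME was still set.
(define command '("/bin/sh" "-c" "test -z \"$HOME\""))
(define plain (make-constructor (lambda () (command-process command))))
(define contained
  (make-constructor (lambda () (contain (command-process command)))))
(for-each (lambda (name start)
            (format #t "~a: exit status ~a~%" name (subprocess-wait (start))))
          '("plain" "contained") (list plain contained))
```

Because 'contain' returns the same record type it consumes, the constructor needs no container-specific variant, and a failure inside 'enter-sandbox!' ends the child with status 127 instead of running the command unisolated.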
This bug report was last modified 3 years and 72 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.