From: Alex Kost
Subject: Re: (pre-)creation of tunnel network interfaces
Date: Fri, 26 Feb 2016 14:47:42 +0300
Message-ID: <87ziunu201.fsf@gmail.com>
In-Reply-To: <20160225234418.610eed7f@scratchpost.org> (Danny Milosavljevic's message of "Thu, 25 Feb 2016 23:44:18 +0100")
To: Danny Milosavljevic
Cc: guix-devel@gnu.org

Danny Milosavljevic (2016-02-26 01:44 +0300) wrote:

> Hi,
>
> I'm using openconnect to connect to a few VPNs.
>
> Most of openconnect actually doesn't require root.
> In order to avoid root, I'd like to pre-create the tunnel interfaces.
>
> This would be done by
>
> # ip tuntap add vpn0 mode tun user dannym
>                 ^                  ^--- this is the user that is allowed to use the tunnel later
>                 ---- the new tunnel interface
>
> How do I specify this in a system config?
By adding a service that starts this command to your operating-system
declaration. It would be something like this (not tested!):

Content-Type: text/x-scheme
Content-Disposition: inline; filename=vpn-tunnel-system.scm

(use-modules (ice-9 match)
             (gnu)
             (gnu packages linux)       ; for iproute
             (gnu services)
             (gnu services desktop)     ; for %desktop-services
             (gnu services shepherd)
             (guix records))

;; Record describing one pre-created tunnel: the interface to create and
;; the unprivileged user allowed to use it.
(define-record-type* <vpn-tunnel>
  vpn-tunnel make-vpn-tunnel
  vpn-tunnel?
  (interface-name vpn-tunnel-interface-name)
  (user-name      vpn-tunnel-user-name))

(define vpn-tunnel-service-type
  (shepherd-service-type
   'vpn-tunnel
   (match-lambda
     (($ <vpn-tunnel> interface user)
      (let ((ip #~(string-append #$iproute "/sbin/ip")))
        (shepherd-service
         (documentation "Create tunnel interface.")
         (provision '(vpn-tunnel))
         (requirement '(networking))
         (start #~(lambda _
                    ;; Return #t if successfully started.
                    (zero? (system* #$ip "tuntap" "add" #$interface
                                    "mode" "tun" "user" #$user))))
         (respawn? #f)))))))

(define (vpn-tunnel-service interface-name user-name)
  "Return a service that ..."
  (service vpn-tunnel-service-type
           (vpn-tunnel
            (interface-name interface-name)
            (user-name user-name))))

(operating-system
  ;; ...
  (services (cons* (vpn-tunnel-service "vpn0" "dannym")
                   ;; ...
                   %desktop-services)))

-- 
Alex
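A verification step for the result, added here as an example and not part of Alex's message or of Guix: once the service has run, the kernel exposes the device's type and owner under /sys/class/net/<dev>/ (the tun driver's tun_flags and owner attributes), so the interface can be confirmed to be a TUN device owned by the intended user rather than trusting that the ip command exited zero. The sysfs root is a parameter so the check can also be exercised against a constructed directory tree.

```shell
#!/bin/sh
# tun_owner_check SYSFS_ROOT DEV EXPECTED_USER
# Returns 0 if DEV is a TUN device owned by EXPECTED_USER, otherwise a
# non-zero code identifying the failure:
#   1 interface missing, 2 not tun/tap, 3 TAP instead of TUN,
#   4 unknown user, 5 wrong owner.
tun_owner_check() {
    sysfs_root=$1; dev=$2; want_user=$3
    netdir="$sysfs_root/class/net/$dev"

    if [ ! -d "$netdir" ]; then
        echo "$dev: interface does not exist" >&2
        return 1
    fi
    # Only tun/tap devices carry a tun_flags attribute.
    if [ ! -r "$netdir/tun_flags" ]; then
        echo "$dev: not a tun/tap device" >&2
        return 2
    fi
    # tun_flags is a hex bitmask; IFF_TUN is 0x0001, IFF_TAP is 0x0002.
    flags=$(cat "$netdir/tun_flags")
    if [ $(( flags & 0x0001 )) -eq 0 ]; then
        echo "$dev: is a TAP device, expected TUN" >&2
        return 3
    fi
    # owner holds the numeric uid, or -1 when no owner was set at creation.
    owner=$(cat "$netdir/owner" 2>/dev/null || echo -1)
    want_uid=$(id -u "$want_user" 2>/dev/null) || {
        echo "$want_user: no such user" >&2
        return 4
    }
    if [ "$owner" != "$want_uid" ]; then
        echo "$dev: owner uid is $owner, expected $want_uid ($want_user)" >&2
        return 5
    fi
    echo "$dev: TUN device owned by $want_user (uid $want_uid)"
    return 0
}

# Real-system usage: tun_owner_check /sys vpn0 dannym
```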