From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44846)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1djC69-00022B-0h
	for guix-patches@gnu.org; Sat, 19 Aug 2017 18:20:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1djC65-0004aj-RE
	for guix-patches@gnu.org; Sat, 19 Aug 2017 18:20:04 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:37231)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1djC65-0004af-NY
	for guix-patches@gnu.org; Sat, 19 Aug 2017 18:20:01 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1djC65-0005Po-HM
	for guix-patches@gnu.org; Sat, 19 Aug 2017 18:20:01 -0400
Subject: [bug#27855] [PATCH] gnu: Add rsync service.
Resent-Message-ID: <handler.27855.B27855.150318119720803@debbugs.gnu.org>
Date: Sat, 19 Aug 2017 23:19:49 +0100
From: Christopher Baines <mail@cbaines.net>
Message-ID: <20170819231949.0ce64135@cbaines.net>
In-Reply-To: <87o9rb8fg3.fsf@gmail.com>
References: <20170727220151.2116-1-go.wigust@gmail.com>
	<20170728231747.5eae3af9@cbaines.net> <874ltvh5d6.fsf@gmail.com>
	<20170729125554.29836b28@cbaines.net> <87r2wszni8.fsf@gmail.com>
	<20170803163322.3e87b004@cbaines.net> <87fud8zkqv.fsf@gmail.com>
	<20170810081820.71b29b0a@cbaines.net>
	<20170810192139.2c3f04da@cbaines.net> <87mv778d66.fsf@gmail.com>
	<87y3qprjjd.fsf@gmail.com> <20170812075903.0dc36c0c@cbaines.net>
	<87valtylnc.fsf@gmail.com> <20170812184649.2003677a@cbaines.net>
	<87wp68wnbz.fsf@gmail.com> <20170812221817.3f04b061@cbaines.net>
	<87o9rb8fg3.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	boundary="Sig_/R0Dl9ZhQk./WTYXAfOLXcWY";
	protocol="application/pgp-signature"
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Oleg Pykhalov <go.wigust@gmail.com>
Cc: 27855@debbugs.gnu.org

--Sig_/R0Dl9ZhQk./WTYXAfOLXcWY
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Sat, 19 Aug 2017 23:34:20 +0300
Oleg Pykhalov <go.wigust@gmail.com> wrote:

> Hello Christopher,
>=20
> Christopher Baines <mail@cbaines.net> writes:
>=20
> >> > Yep, I think I just stopped writing the test after finding the
> >> > issue with the PID file.
> >> >
> >> > I haven't looked in to how to fix this in the test, so if you
> >> > could, that would be great. Otherwise, I'll probably have time
> >> > to look at this again within a week or so.
> >> >
> >> > You'll probably need to refactor the test a bit, as at the
> >> > moment, the information regarding the port isn't available where
> >> > you run the commands.   =20
> >>=20
> >> Of course I'll try.  By the way, how to run a =E2=80=9Cvm=E2=80=9D?  P=
revious
> >> method =E2=80=9C./pre-inst-env guix system vm gnu/tests/rsync.scm=E2=
=80=9D doesn't
> >> work for me. =20
> >
> > I'm guessing that you'll need to make the file evaluate (I'm not
> > sure if that is the right word here) to an operating-system, e.g.
> > put %rsync-os-with-port-2000 right at the bottom of the file, and
> > then guix system vm should give you a start script that will start
> > a VM for that OS. =20
>=20
> I did some work on rsync service:
>=20
> - Fixed PID and synchronization to specific port.
> - Merged two rsync oses in one with optional port.
> - Added ports to rsync synchronization tests and change protocol from
>   ssh to rsync.
> - Added some logic to config: chroot (can use only root), user and
>   group.
>=20
> All tests passed successfully for me.

Great :) Now that the tests pass at least, I don't see any reason to
not merge this soonish.

I've still done some thingking about how the configuration works
though, and I've been considering a few ways of tweaking this so that
its harder to break, and clear in how it works.

One way I've managed to break the service so far is setting the user
and group to root in the configuration. This causes the tests to fail,
and in a odd way, as I think the problem is that the creation of
the /var/run/rsync directory relies on the account service, but I'm
guessing that the account service does nothing in this case, as root is
already an account.

One way of making this harder to break would be to explicitly create
the necessary directories when this service is activated, e.g.:

  (mkdir-p (dirname #$(rsync-configuration-pid-file config)))
  (mkdir-p (dirname #$(rsync-configuration-lock-file config)))

I think there is also the opportunity to make the service configuration
clearer here, as considering the default port test, the default
configuration says it will run as the rsync user, but the service will
actually run as the root user.

This could be improved by making the configuration more uncertain by
default, e.g. user defaults to #f, which means the correct user is
decided based on the port.

Also on the subject of clarity, the use-chroot? option is something
that can be specified, but the value might not be used. My preference
would be to change the "logic" in the configuration file generation, to
validation, e.g.:

  (if (and use-chroot? (not (eq? user "root")))
      (error "rsync-service: to run rsync in a chroot, the user must be roo=
t"))

The use-chroot? option might also benefit from making the user default
to #f, as then the service could decide the user based on the port and
use-chroot? settings, without contradicting the configuration.

--Sig_/R0Dl9ZhQk./WTYXAfOLXcWY
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEPonu50WOcg2XVOCyXiijOwuE9XcFAlmYuYVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF
ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcACgkQXiijOwuE
9Xd/RRAAg3IylWaNFdF0woe2zEzuQp3bN7GsNn+PEpdFuHXQVF7XtK1A14NKukM8
ATc+HgrZv6SUHOo+5nvopdHN3++a8/6jdnO7dj/OTWOQKrpMeGVFayUizXoqpg6r
JjjxzMTrRi7eFE611wFiMRyLUH+nSaUBAmgHN01u+qQAarRcV1ej5vWIgd2WwLDO
9XDm/58uDT0EbVqRoQMbG5lqUVyfWnQLMzhUAQi83C0JxSDtZO5soW2H+vsu6HC6
24dhsvItdkRHIN92UBnfu5t4qN2LZy3qBwrwjnxBmHrsItb/zJQseBS5NPk0Lji2
0lFBvIuHemJJRckcyhPd4msNTn97GtrALH7ZvqbtzVb5sAVrm4kkhPmmrqa7Eo8I
AQ9TFm4D+nzW7zpXOfiCy9U8ZtqL8i6AQrix6xG09ufkoK71v4uHVRtQAT28NIfN
52K8G7HVpjZnx3Q48JnZZdWI5iqE9daLTKWyllPNVoBKBby1F/CtgYDnmpTfJgIP
PhgJWCBMTnthFv0UkzTS4rkjgW39LBpSXeyXP6Ir/TGXmF7PgeASOmm4hbnBAsRM
BNg6VNDnjk/T3IYR7T526vGcQBDAjOApV3RFBtmwS5ZJD/ue5WRNlkno595CNyKW
0mjVP5JXP7Lryy4g3zPQst9iMh5rTuD0D0EZVraZXDGEmaXGBL0=
=4Gep
-----END PGP SIGNATURE-----

--Sig_/R0Dl9ZhQk./WTYXAfOLXcWY--