Subject: [bug#31894] Containerize openntpd service
Date: Tue, 19 Jun 2018 12:31:55 +0300
From: Efraim Flashner
Message-ID: <20180619093155.GA1200@macbook41>
To: 31894@debbugs.gnu.org
Sender: "Guix-patches"

I tested this patch with the included vm image, using the following script.
After logging in, 'ntpctl -s all' shows openntpd connecting to the ntp
servers and updating the time.

/.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53

-- 
Efraim Flashner        אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Content-Disposition: attachment; filename="0001-services-openntpd-Containerize-openntpd-service.patch"

From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Tue, 19 Jun 2018 12:24:47 +0300
Subject: [PATCH] services: openntpd: Containerize openntpd service.

* gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
'configure-flags and adjust the 'localstatedir' flag.
* gnu/services/networking.scm (openntpd-shepherd-service): Change the
start-service command to run in a container, expose '/var/log/openntpd'
and '/var/lib/openntpd' to the container.
(openntpd-service-activation): Adjust directories for the changes above. --- gnu/packages/ntp.scm | 3 +- gnu/services/networking.scm | 58 ++++++++++++++++++++++++------------- 2 files changed, 40 insertions(+), 21 deletions(-) diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm index e9ae9fa46..2c202b400 100644 --- a/gnu/packages/ntp.scm +++ b/gnu/packages/ntp.scm @@ -109,7 +109,8 @@ computers over a network.") (build-system gnu-build-system) (arguments '(#:configure-flags '("--with-privsep-user=3Dntpd" - "--localstatedir=3D/var") + "--with-privsep-path=3D/var/lib/openntpd" + "--localstatedir=3D/var/lib/openntpd") #:phases (modify-phases %standard-phases (add-after 'unpack 'modify-install-locations diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index d5d0cf9d1..100a18e7c 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm 
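Review bot: in the ntp.scm hunk, the new `--with-privsep-path=/var/lib/openntpd` points ntpd's privilege-separation directory at the very tree that `--localstatedir=/var/lib/openntpd` turns into the daemon's writable state directory (the activation hunk later creates `db/` and `run/` under it). ntpd expects its privsep directory to be an empty, root-owned directory that the unprivileged ntpd user cannot write to, so a dedicated empty directory for the privsep path would be safer than sharing the state directory; if sharing is intended, the commit message should say why it is acceptable.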
@@ -428,22 +428,39 @@ make an initial adjustment of more than 1,000 seconds= =2E" (define ntpd.conf (plain-file "ntpd.conf" config)) =20 - (list (shepherd-service - (provision '(ntpd)) - (documentation "Run the Network Time Protocol (NTP) daemon.") - (requirement '(user-processes networking)) - (start #~(make-forkexec-constructor - (list (string-append #$openntpd "/sbin/ntpd") - "-f" #$ntpd.conf - "-d" ;; don't daemonize - #$@(if allow-large-adjustment? - '("-s") - '())) - ;; When ntpd is daemonized it repeatedly tries to= respawn - ;; while running, leading shepherd to disable it.= To - ;; prevent spamming stderr, redirect output to lo= gfile. - #:log-file "/var/log/ntpd")) - (stop #~(make-kill-destructor))))))) + (with-imported-modules (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + (list (shepherd-service + (provision '(ntpd)) + (documentation "Run the Network Time Protocol (NTP) daemon= =2E") + (requirement '(user-processes networking)) + (modules '((gnu build shepherd) + (gnu system file-systems))) + (start #~(make-forkexec-constructor/container + (list (string-append #$openntpd "/sbin/ntpd") + "-f" #$ntpd.conf + "-d" ;; don't daemonize + #$@(if allow-large-adjustment? + '("-s") + '())) + #:mappings (list (file-system-mapping + (source "/var/lib/openntpd") + (target source) + (writable? #t)) + (file-system-mapping + (source "/var/log/openntpd") + (target "/var/log") + (writable? #t)) + ;; For the privsep ntpd user. + (file-system-mapping + (source "/var/lib/openntpd") + (target "/var/empty"))) + ;; When ntpd is daemonized it repeatedly tries = to respawn + ;; while running, leading shepherd to disable i= t. To + ;; prevent spamming stderr, redirect output to = logfile. + #:log-file "/var/log/ntpd")) + (stop #~(make-kill-destructor)))))))) =20 (define (openntpd-service-activation config) "Return the activation gexp for CONFIG." 
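Review bot: in this hunk the same host directory `/var/lib/openntpd` is mapped twice, writable at its own path and read-only at `/var/empty` with the comment "For the privsep ntpd user", while the package hunk configures `--with-privsep-path=/var/lib/openntpd`; please settle on a single chroot location, since as written the privsep child sees the `db/` and `run/` state directories inside its chroot regardless of which path ntpd uses. It is also unclear where `#:log-file "/var/log/ntpd"` ends up now that `/var/log/openntpd` is mapped onto `/var/log` in the container: if the log file is opened inside the container it lands in the host's `/var/log/openntpd`, otherwise in the host's `/var/log`, and the old log location changes silently either way, so a comment stating the intended path would help operators.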
@@ -451,10 +468,11 @@ make an initial adjustment of more than 1,000 seconds= =2E" #~(begin (use-modules (guix build utils)) =20 - (mkdir-p "/var/db") - (mkdir-p "/var/run") - (unless (file-exists? "/var/db/ntpd.drift") - (with-output-to-file "/var/db/ntpd.drift" + (mkdir-p "/var/lib/openntpd/db") + (mkdir-p "/var/lib/openntpd/run") + (mkdir-p "/var/log/openntpd") + (unless (file-exists? "/var/lib/openntpd/db/ntpd.drift") + (with-output-to-file "/var/lib/openntpd/db/ntpd.drift" (lambda _ (format #t "0.0"))))))) =20 --=20 2.17.1

Content-Disposition: attachment; filename="vm-image.scm"

;;; This is an operating system configuration template for a "bare-bones" setup,
;;; suitable for booting in a virtualized environment, including virtual private
;;; servers (VPS).

(use-modules (gnu))
(use-package-modules bootloaders disk nvi)
(use-service-modules networking)

(define vm-image-motd (plain-file "motd" "
This is the GNU system.  Welcome!

This instance of GuixSD is a bare-bones template for virtualized environments.

You will probably want to do these things first if you booted in a virtual
private server (VPS):

* Set a password for 'root'.
* Set up networking.
* Expand the root partition to fill the space available by 0) deleting
and recreating the partition with fdisk, 1) reloading the partition table
with partprobe, and then 2) resizing the filesystem with resize2fs.\n"))

(operating-system
  (host-name "gnu")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  ;; Assuming /dev/sdX is the target hard disk, and "my-root" is
  ;; the label of the target root file system.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")
               (terminal-outputs '(console))))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  ;; This is where user accounts are specified.  The "root"
  ;; account is implicit, and is initially created with the
  ;; empty password.
  (users %base-user-accounts)

  ;; Globally-installed packages.
  (packages (cons* nvi fdisk
                   grub   ; mostly so xrefs to its manual work
                   parted ; partprobe
                   %base-packages))

  (services (cons* (service connman-service-type)
                   (service wpa-supplicant-service-type)
                   (service openntpd-service-type
                            (openntpd-configuration
                             (listen-on '("127.0.0.1" "::1"))
                             (allow-large-adjustment? #t)))
                   (modify-services %base-services
                     (login-service-type config =>
                                         (login-configuration
                                          (inherit config)
                                          (motd vm-image-motd)))))))
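Review bot: in the activation hunk, `/var/lib/openntpd/db`, `/var/lib/openntpd/run` and `/var/log/openntpd` are created with `mkdir-p` but no explicit owner or mode, even though the other hunks use the same `/var/lib/openntpd` tree as ntpd's privsep directory; the directories should be chowned and chmoded deliberately rather than left to the activation umask. The hunk also drops the old `/var/db/ntpd.drift` location without carrying an existing drift file over, so upgraded systems silently restart with a `0.0` drift value; copying the old file when present would avoid that.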