Subject: [bug#47013] services: export sysctl-configuration record field accessors
From: muradm
To: 47013@debbugs.gnu.org
Date: Wed, 24 Mar 2021 13:38:42 +0300
Message-ID: <20210324103842.bzd66b47qxyzeqha@muradm-aln1>
In-Reply-To: <7072c80a192f3c136cb70da4a0662d77ce508b56.1615236603.git.leo@famulari.name>
As per discussion with Leo on IRC #guix.

There is a need to have important sysctl settings fs.protected_hardlinks and fs.protected_symlinks for all installations of Guix in the world unless explicitly stated otherwise. Currently in the Linux kernel they are unset by default. It is also stated that other distributions do the same.

In a perfect world I would go for Solution 1 below, as it is most effectful, and clean.

Solution 1:

From this statement, it seems that the first resort would be the Linux kernel itself. If it would be possible to configure them with Kconfig, that would be the best place. As of my brief look at linux/fs, they are not configurable, but maybe I miss something.
Anyway, the preferred solution would be to just compile the kernel with protected hardlinks and symlinks set to 1. Since other distributions do the same, it could be reasonable to expose these two settings via Kconfig, and solve it there.

- pros: great for the world
- cons: have to do enhancement in mainline Linux

Solution 2:

If it is not possible to have these two settings in the kernel as per Solution 1, Guix may maintain a patch to the kernel that would do this.

- pros: no need to enhance mainline Linux
- cons: will impact users who do use Guix and compile the Linux kernel themselves

Solution 3:

Handle in Guix configuration. Everything below is related to Solution 3.

Currently it is set as following:

  ;; gnu/services/sysctl.scm
  (define-module ....
    #:export (....
              %default-sysctl-settings))

  (define %default-sysctl-settings
    ;; Default kernel parameters enabled with sysctl.
    '(("fs.protected_hardlinks" . "1")
      ("fs.protected_symlinks" . "1")))

  (define-record-type* <sysctl-configuration>
    sysctl-configuration make-sysctl-configuration
    sysctl-configuration?
    (sysctl   sysctl-configuration-sysctl    ; path of the 'sysctl' command
              (default (file-append procps "/sbin/sysctl")))
    (settings sysctl-configuration-settings  ; alist of string pairs
              (default %default-sysctl-settings)))
  ;; ends- gnu/services/sysctl.scm

And sysctl-service-type itself is added to the %base-services. Since the sysctl-configuration-settings function to access the settings field of a sysctl-configuration instance is not exported, I have to do the following in my configuration:

  (define nomad-gx1-os
    (operating-system
      (inherit my-base-nomad-os)          ;; important line-#1
      ...
      (services
       (modify-services my-base-nomad-services
         (sysctl-service-type
          ;; modify-services expects the body to return a new
          ;; configuration value, hence the sysctl-configuration wrapper
          config => (sysctl-configuration
                     (inherit config)
                     (settings
                      (append %default-sysctl-settings ;; from gnu/services/sysctl.scm
                              '(("fs.inotify.max_user_watches" . "524288")
                                ("fs.inotify.max_user_instances" . "16384")
                                ("fs.inotify.max_queued_events" . "65536"))))))))))

This is fine, until I extend sysctl-service-type in my-base-nomad-os.
Then I have to export my-base-nomad-sysctl-settings and join them with %default-sysctl-settings and extra settings for nomad-gx1-os. While it is bearable for one or two levels of inheritance, it becomes hard to keep track of for more levels and/or many hosts.

If sysctl-configuration-settings would be exported as per #47323, then my configuration would become simpler:

  (services
   (modify-services my-base-nomad-services
     (sysctl-service-type
      config => (sysctl-configuration
                 (inherit config)
                 (settings
                  (append (sysctl-configuration-settings config) ;; now I can't do this
                          '(("fs.inotify.max_user_watches" . "524288")
                            ("fs.inotify.max_user_instances" . "16384")
                            ("fs.inotify.max_queued_events" . "65536"))))))))

In this case, if the Guix documentation will include sysctl-configuration-settings, then most likely people won't forget to use %default-sysctl-settings, and it is still possible to override them if one desires not to use protected symlinks and hardlinks.

--
muradm
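One way to layer per-host sysctl settings over whatever the inherited configuration already carries, so the fs.protected_* defaults survive any number of inheritance levels, as an added example that is not part of the message above. It assumes sysctl-configuration-settings is exported from (gnu services sysctl) as proposed in #47323; merge-sysctl-settings and check-hardening are helper names introduced here, not Guix API.

```scheme
;; Added example (not from the message above). Assumes
;; sysctl-configuration-settings is exported from (gnu services sysctl)
;; as proposed in #47323; merge-sysctl-settings and check-hardening are
;; helper names introduced here, not part of Guix.
(use-modules (srfi srfi-1)
             (gnu services)
             (gnu services base)
             (gnu services sysctl))

(define (merge-sysctl-settings base extra)
  "Return BASE (an alist of string pairs) with every key also present in
EXTRA taking EXTRA's value, and keys only in EXTRA appended at the end.
A later level overrides an earlier one without duplicating keys."
  (append (map (lambda (entry)
                 (or (assoc (car entry) extra) entry))
               base)
          (remove (lambda (entry) (assoc (car entry) base)) extra)))

(define (check-hardening settings)
  "Print a warning when some level left fs.protected_hardlinks or
fs.protected_symlinks unset or not \"1\", so a silent loss of the link
protections is visible when the configuration is evaluated.  Return
SETTINGS unchanged."
  (for-each (lambda (key)
              (let ((entry (assoc key settings)))
                (unless (and entry (string=? (cdr entry) "1"))
                  (format (current-error-port)
                          "warning: ~a is not set to 1~%" key))))
            '("fs.protected_hardlinks" "fs.protected_symlinks"))
  settings)

;; Per-host extras (constructed here; the same values as in the message).
(define %nomad-gx1-sysctl-settings
  '(("fs.inotify.max_user_watches" . "524288")
    ("fs.inotify.max_user_instances" . "16384")
    ("fs.inotify.max_queued_events" . "65536")))

;; Every inheritance level applies the same pattern: start from the
;; settings the inherited configuration already has (defaults included)
;; and layer its own on top, instead of re-listing %default-sysctl-settings.
(define %nomad-gx1-services
  (modify-services %base-services
    (sysctl-service-type
     config => (sysctl-configuration
                (inherit config)
                (settings
                 (check-hardening
                  (merge-sysctl-settings
                   (sysctl-configuration-settings config)
                   %nomad-gx1-sysctl-settings)))))))
```

Applying the same modify-services clause again at a deeper level (with that level's own alist) keeps the earlier levels' keys, and the warning fires only if some level explicitly turned a protection off.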