unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#54997] [PATCH 00/12] Add "least authority" program wrapper
@ 2022-04-17 21:01 Ludovic Courtès
  2022-04-17 21:04 ` [bug#54997] [PATCH 01/12] gexp: Add 'references-file' Ludovic Courtès
  2022-04-22 15:02 ` Maxime Devos
  0 siblings, 2 replies; 54+ messages in thread
From: Ludovic Courtès @ 2022-04-17 21:01 UTC (permalink / raw)
  To: 54997; +Cc: Ludovic Courtès

Hello Guix!

So we have this fancy ‘make-forkexec-constructor/container’ thing
to spawn Shepherd services in a container:

  https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/

It’s nice, but it doesn’t compose.  What if you want an inetd-style
service *and* have it run in a container?  We certainly don’t want to
end up defining ‘make-inetd-constructor/container’ and so on.

Instead, the new (guix least-authority) module provides a way to
create “least-authority wrappers” for a given program: the wrapper
forks[*] a process that lives in separate namespaces, with
‘call-with-container’, sets up bind mounts and everything in the child,
and executes the program in that environment.  ([*] I considered
using unshare(2) instead of forking but that doesn’t quite work,
notably because the process itself would remain in the same PID
namespace as its parent.)

Subsequent patches change most, but not all, users of
‘make-forkexec-constructor/container’ to ‘least-authority-wrapper’.

One situation where ‘make-forkexec-constructor/container’ cannot be
replaced yet is when we rely on #:pid-file, as is the case for Tor
(‘make-forkexec-constructor/container’ goes to great lengths to read
PID files in the container and be happy with a PID that is only
valid within that namespace.)  The remaining users are Jami and
Pagekite; that is left as an exercise to the reader.  :-)

I have plans to use ‘least-authority-wrapper’ in other contexts, in
particular as the basis of a new package transformation option.

Thoughts?

Ludo’.

Ludovic Courtès (12):
  gexp: Add 'references-file'.
  file-systems: Avoid load-time warnings when attempting to load (guix
    store).
  linux-container: 'call-with-container' relays SIGTERM and SIGINT.
  Add (guix least-authority).
  services: dicod: Rewrite using 'least-authority-wrapper'.
  services: dicod: Use 'make-inetd-constructor'.
  services: bitlbee: Use 'make-inetd-constructor'.
  services: ipfs: Adjust for Shepherd 0.9.
  services: ipfs: Use 'least-authority-wrapper'.
  services: wesnothd: Grant write access to /var/run/wesnothd.
  services: wesnothd: Use 'least-authority-wrapper'.
  services: quassel: Use 'least-authority-wrapper'.

 Makefile.am                   |   1 +
 gnu/build/linux-container.scm |  15 ++--
 gnu/build/shepherd.scm        |   3 +-
 gnu/services/base.scm         |  22 ------
 gnu/services/dict.scm         |  61 ++++++++++------
 gnu/services/games.scm        |  33 +++++++--
 gnu/services/messaging.scm    | 105 +++++++++++++++++----------
 gnu/services/networking.scm   | 118 +++++++++++++++---------------
 gnu/system/file-systems.scm   |   5 +-
 gnu/tests/messaging.scm       |  21 +-----
 guix/gexp.scm                 |  43 +++++++++++
 guix/least-authority.scm      | 131 ++++++++++++++++++++++++++++++++++
 tests/gexp.scm                |  18 +++++
 13 files changed, 403 insertions(+), 173 deletions(-)
 create mode 100644 guix/least-authority.scm


base-commit: 950f3e4f98add14f645dc4c9f8c512cac7b8a779
-- 
2.35.1





^ permalink raw reply	[flat|nested] 54+ messages in thread

end of thread, other threads:[~2022-05-02  4:26 UTC | newest]

Thread overview: 54+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-04-17 21:01 [bug#54997] [PATCH 00/12] Add "least authority" program wrapper Ludovic Courtès
2022-04-17 21:04 ` [bug#54997] [PATCH 01/12] gexp: Add 'references-file' Ludovic Courtès
2022-04-17 21:04   ` [bug#54997] [PATCH 02/12] file-systems: Avoid load-time warnings when attempting to load (guix store) Ludovic Courtès
2022-04-17 21:04   ` [bug#54997] [PATCH 03/12] linux-container: 'call-with-container' relays SIGTERM and SIGINT Ludovic Courtès
2022-04-17 21:04   ` [bug#54997] [PATCH 04/12] Add (guix least-authority) Ludovic Courtès
2022-04-18  9:15     ` Maxime Devos
2022-04-19 22:04       ` [bug#54997] [PATCH 00/12] Add "least authority" program wrapper Ludovic Courtès
2022-04-18  9:18     ` [bug#54997] [PATCH 04/12] Add (guix least-authority) Maxime Devos
2022-04-19 22:05       ` [bug#54997] [PATCH 00/12] Add "least authority" program wrapper Ludovic Courtès
2022-04-22 20:10     ` [bug#54997] [PATCH 04/12] Add (guix least-authority) Thiago Jung Bauermann via Guix-patches via
2022-04-26 20:30       ` [bug#54997] [PATCH 00/12] Add "least authority" program wrapper Ludovic Courtès
2022-04-29  3:43         ` Thiago Jung Bauermann via Guix-patches via
2022-04-26 20:48       ` Ludovic Courtès
2022-04-27 16:56         ` [bug#54997] [PATCH v2 00/15] " Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 01/15] gexp: Add 'references-file' Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 02/15] file-systems: Avoid load-time warnings when attempting to load (guix store) Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 03/15] linux-container: 'call-with-container' relays SIGTERM and SIGINT Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 04/15] linux-container: Ensure signal-handling asyncs get a chance to run Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 05/15] linux-container: Add #:child-is-pid1? parameter to 'call-with-container' Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 06/15] Add (guix least-authority) Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 07/15] services: dicod: Rewrite using 'least-authority-wrapper' Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 08/15] services: dicod: Use 'make-inetd-constructor' Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 09/15] services: bitlbee: " Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 10/15] services: ipfs: Adjust for Shepherd 0.9 Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 11/15] services: ipfs: Use 'least-authority-wrapper' Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 12/15] services: wesnothd: Grant write access to /var/run/wesnothd Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 13/15] services: wesnothd: Use 'least-authority-wrapper' Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 14/15] services: quassel: " Ludovic Courtès
2022-04-27 16:56           ` [bug#54997] [PATCH v2 15/15] services: opendht: " Ludovic Courtès
2022-05-01 20:16           ` bug#54997: [PATCH 00/12] Add "least authority" program wrapper Ludovic Courtès
2022-05-02  4:25             ` [bug#54997] " Thiago Jung Bauermann via Guix-patches via
2022-04-17 21:04   ` [bug#54997] [PATCH 05/12] services: dicod: Rewrite using 'least-authority-wrapper' Ludovic Courtès
2022-04-17 21:04   ` [bug#54997] [PATCH 06/12] services: dicod: Use 'make-inetd-constructor' Ludovic Courtès
2022-04-17 21:04   ` [bug#54997] [PATCH 07/12] services: bitlbee: " Ludovic Courtès
2022-04-18  9:13     ` Maxime Devos
2022-04-19 22:03       ` [bug#54997] [PATCH 00/12] Add "least authority" program wrapper Ludovic Courtès
2022-04-17 21:04   ` [bug#54997] [PATCH 08/12] services: ipfs: Adjust for Shepherd 0.9 Ludovic Courtès
2022-04-17 21:04   ` [bug#54997] [PATCH 09/12] services: ipfs: Use 'least-authority-wrapper' Ludovic Courtès
2022-04-18  9:08     ` Maxime Devos
2022-04-19 22:02       ` [bug#54997] [PATCH 00/12] Add "least authority" program wrapper Ludovic Courtès
2022-04-22 14:39         ` Maxime Devos
2022-04-27 22:01           ` Ludovic Courtès
2022-04-28 11:29             ` Maxime Devos
2022-04-28 19:25               ` Ludovic Courtès
2022-04-28 19:52                 ` Maxime Devos
2022-04-17 21:04   ` [bug#54997] [PATCH 10/12] services: wesnothd: Grant write access to /var/run/wesnothd Ludovic Courtès
2022-04-17 21:04   ` [bug#54997] [PATCH 11/12] services: wesnothd: Use 'least-authority-wrapper' Ludovic Courtès
2022-04-17 21:04   ` [bug#54997] [PATCH 12/12] services: quassel: " Ludovic Courtès
2022-04-18  9:12     ` Maxime Devos
2022-04-19 21:59       ` [bug#54997] [PATCH 00/12] Add "least authority" program wrapper Ludovic Courtès
2022-04-22  5:01   ` [bug#54997] [PATCH 01/12] gexp: Add 'references-file' Thiago Jung Bauermann via Guix-patches via
2022-04-26 20:17     ` [bug#54997] [PATCH 00/12] Add "least authority" program wrapper Ludovic Courtès
2022-04-22 15:02 ` Maxime Devos
2022-04-26 20:22   ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).