unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#62802] [PATCH 0/4] Add reload action to syslog service.
@ 2023-04-13  1:15 Maxim Cournoyer
  2023-04-13  1:24 ` [bug#62802] [PATCH 1/4] services: syslog: Move configuration to /etc/syslog.conf Maxim Cournoyer
  0 siblings, 1 reply; 10+ messages in thread
From: Maxim Cournoyer @ 2023-04-13  1:15 UTC (permalink / raw)
  To: 62802; +Cc: Maxim Cournoyer

Hi,

This series was motivated by investigations as to why the fail2ban would not
trigger bans although my SSH port was under constant brute force attacks.  It
turns out that it was because by default fail2ban consults /var/log/secure to
for the authentication logs, at least that's how our fail2ban package in Guix
behaves.

So this patch series does two things:

1. It adds a reload action, useful to test without rebooting the graphical
session.

2. It adds the missing auth.info log to /var/log/secure so that a fail2ban
sshd jail works out of the box on Guix System.

Thanks!

Maxim Cournoyer (4):
  services: syslog: Move configuration to /etc/syslog.conf.
  services: syslog: Add a reload action.
  services/syslog: Strip leading white space indent in syslog.conf.
  services: syslog: Log auth.info to /var/log/secure in default
    configuration.

 doc/guix.texi         |  12 ++++
 gnu/services/base.scm | 128 ++++++++++++++++++++++++++----------------
 2 files changed, 92 insertions(+), 48 deletions(-)


base-commit: 0fe2c78cac19acfb46c3bc365075293e51e0e5aa
-- 
2.39.2





^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#62802] [PATCH 1/4] services: syslog: Move configuration to /etc/syslog.conf.
  2023-04-13  1:15 [bug#62802] [PATCH 0/4] Add reload action to syslog service Maxim Cournoyer
@ 2023-04-13  1:24 ` Maxim Cournoyer
  2023-04-13  1:24   ` [bug#62802] [PATCH 2/4] services: syslog: Add a reload action Maxim Cournoyer
                     ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Maxim Cournoyer @ 2023-04-13  1:24 UTC (permalink / raw)
  To: 62802; +Cc: Maxim Cournoyer

Having the configuration live at a static location makes it possible to
hot-reload it.

* gnu/services/base.scm (syslog.conf): New variable.
(syslog-etc, syslog-shepherd-service): New procedures.
(syslog-service-type): Rewrite using the above new variable and procedures,
extending etc-service-type with its configuration file.
---

 gnu/services/base.scm | 61 ++++++++++++++++++++++++++-----------------
 1 file changed, 37 insertions(+), 24 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index e5c6bf5335..1ed874aa84 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -15,7 +15,7 @@
 ;;; Copyright © 2020, 2021 Brice Waegeneire <brice@waegenei.re>
 ;;; Copyright © 2021 qblade <qblade@protonmail.com>
 ;;; Copyright © 2021 Hui Lu <luhuins@163.com>
-;;; Copyright © 2021, 2022 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2021 muradm <mail@muradm.net>
 ;;; Copyright © 2022 Guillaume Le Vaillant <glv@posteo.net>
 ;;; Copyright © 2022 Justin Veilleux <terramorpha@cock.li>
@@ -1526,30 +1526,43 @@ (define-record-type* <syslog-configuration>
   (config-file          syslog-configuration-config-file
                         (default %default-syslog.conf)))
 
-(define syslog-service-type
-  (shepherd-service-type
-   'syslog
-   (lambda (config)
-     (define config-file
-       (syslog-configuration-config-file config))
+;;; Note: a static file name is used for syslog.conf so that the reload action
+;;; work as intended.
+(define syslog.conf "/etc/syslog.conf")
 
-     (shepherd-service
-      (documentation "Run the syslog daemon (syslogd).")
-      (provision '(syslogd))
-      (requirement '(user-processes))
-      (actions (list (shepherd-configuration-action config-file)))
-      (start #~(let ((spawn (make-forkexec-constructor
-                             (list #$(syslog-configuration-syslogd config)
-                                   "--rcfile" #$config-file)
-                             #:pid-file "/var/run/syslog.pid")))
-                 (lambda ()
-                   ;; Set the umask such that file permissions are #o640.
-                   (let ((mask (umask #o137))
-                         (pid  (spawn)))
-                     (umask mask)
-                     pid))))
-      (stop #~(make-kill-destructor))))
-   (syslog-configuration)
+(define (syslog-etc configuration)
+  (match-record configuration <syslog-configuration>
+    (config-file)
+    (list `(,(basename syslog.conf) ,config-file))))
+
+(define (syslog-shepherd-service config)
+  (define config-file
+    (syslog-configuration-config-file config))
+
+  (shepherd-service
+   (documentation "Run the syslog daemon (syslogd).")
+   (provision '(syslogd))
+   (requirement '(user-processes))
+   (actions (list (shepherd-configuration-action syslog.conf)))
+   (start #~(let ((spawn (make-forkexec-constructor
+                          (list #$(syslog-configuration-syslogd config)
+                                #$(string-append "--rcfile=" syslog.conf))
+                          #:pid-file "/var/run/syslog.pid")))
+              (lambda ()
+                ;; Set the umask such that file permissions are #o640.
+                (let ((mask (umask #o137))
+                      (pid  (spawn)))
+                  (umask mask)
+                  pid))))
+   (stop #~(make-kill-destructor))))
+
+(define syslog-service-type
+  (service-type
+   (name 'syslog)
+   (default-value (syslog-configuration))
+   (extensions (list (service-extension shepherd-root-service-type
+                                        (compose list syslog-shepherd-service))
+                     (service-extension etc-service-type syslog-etc)))
    (description "Run the syslog daemon, @command{syslogd}, which is
 responsible for logging system messages.")))
 

base-commit: 0fe2c78cac19acfb46c3bc365075293e51e0e5aa
-- 
2.39.2





^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [bug#62802] [PATCH 2/4] services: syslog: Add a reload action.
  2023-04-13  1:24 ` [bug#62802] [PATCH 1/4] services: syslog: Move configuration to /etc/syslog.conf Maxim Cournoyer
@ 2023-04-13  1:24   ` Maxim Cournoyer
  2023-04-13  1:24   ` [bug#62802] [PATCH 3/4] services/syslog: Strip leading white space indent in syslog.conf Maxim Cournoyer
                     ` (2 subsequent siblings)
  3 siblings, 0 replies; 10+ messages in thread
From: Maxim Cournoyer @ 2023-04-13  1:24 UTC (permalink / raw)
  To: 62802; +Cc: Maxim Cournoyer

* gnu/services/base.scm (syslog-service-type) [actions]: Add a reload action.
* doc/guix.texi (Base Services): Document it.
---

 doc/guix.texi         | 12 ++++++++++++
 gnu/services/base.scm | 16 +++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index acb6f0c2e1..70909917a5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -18573,6 +18573,18 @@ Type of the service that runs the syslog daemon, whose value is a
 @code{<syslog-configuration>} object.
 @end defvar
 
+To have a modified @code{syslog-configuration} come into effect after
+reconfiguring your system, the @samp{reload} action should be preferred
+to restarting the service, as many services such as the login manager
+depend on it and would be restarted as well:
+
+@example
+# herd reload syslog
+@end example
+
+which will cause the running @command{syslogd} process to reload its
+configuration.
+
 @deftp {Data Type} syslog-configuration
 Data type representing the configuration of the syslog daemon.
 
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 1ed874aa84..db7a0bbc56 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1543,7 +1543,21 @@ (define config-file
    (documentation "Run the syslog daemon (syslogd).")
    (provision '(syslogd))
    (requirement '(user-processes))
-   (actions (list (shepherd-configuration-action syslog.conf)))
+   (actions
+    (list (shepherd-configuration-action syslog.conf)
+          (shepherd-action
+           (name 'reload)
+           (documentation "Reload the configuration file from disk.")
+           (procedure
+            #~(lambda (pid)
+                (if pid
+                    (begin
+                      (kill pid SIGHUP)
+                      (display #$(G_ "Service syslog has been asked to \
+reload its settings file.")))
+                    (display #$(G_ "Service syslog is not running."))))))))
+   ;; Note: a static file name is used for syslog.conf so that the reload
+   ;; action work as intended.
    (start #~(let ((spawn (make-forkexec-constructor
                           (list #$(syslog-configuration-syslogd config)
                                 #$(string-append "--rcfile=" syslog.conf))
-- 
2.39.2





^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [bug#62802] [PATCH 3/4] services/syslog: Strip leading white space indent in syslog.conf.
  2023-04-13  1:24 ` [bug#62802] [PATCH 1/4] services: syslog: Move configuration to /etc/syslog.conf Maxim Cournoyer
  2023-04-13  1:24   ` [bug#62802] [PATCH 2/4] services: syslog: Add a reload action Maxim Cournoyer
@ 2023-04-13  1:24   ` Maxim Cournoyer
  2023-04-13  1:24   ` [bug#62802] [PATCH 4/4] services: syslog: Log auth.info to /var/log/secure in default configuration Maxim Cournoyer
  2023-04-20 15:22   ` [bug#62802] " Ludovic Courtès
  3 siblings, 0 replies; 10+ messages in thread
From: Maxim Cournoyer @ 2023-04-13  1:24 UTC (permalink / raw)
  To: 62802; +Cc: Maxim Cournoyer

This is a cosmetic change.

* gnu/services/base.scm (%default-syslog.conf): Add a comment referencing the
documentation.  Strip the extraneous leading trailing white space indent.
---

 gnu/services/base.scm | 41 ++++++++++++++++++++++-------------------
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index db7a0bbc56..0cde151e1a 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1491,31 +1491,34 @@ (define-deprecated (nscd-service #:optional (config (nscd-configuration)))
 Service Switch}, for an example."
   (service nscd-service-type config))
 
-;; Snippet adapted from the GNU inetutils manual.
+;;; Snippet adapted from the GNU inetutils manual.
 (define %default-syslog.conf
-  (plain-file "syslog.conf" "
-     # Log all error messages, authentication messages of
-     # level notice or higher and anything of level err or
-     # higher to the console.
-     # Don't log private authentication messages!
-     *.alert;auth.notice;authpriv.none      -/dev/console
+  (plain-file "syslog.conf" "\
+# See info '(inetutils) syslogd invocation' for the documentation
+# of the syslogd configuration syntax.
 
-     # Log anything (except mail) of level info or higher.
-     # Don't log private authentication messages!
-     *.info;mail.none;authpriv.none         -/var/log/messages
+# Log all error messages, authentication messages of
+# level notice or higher and anything of level err or
+# higher to the console.
+# Don't log private authentication messages!
+*.alert;auth.notice;authpriv.none      -/dev/console
 
-     # Log \"debug\"-level entries and nothing else.
-     *.=debug                               -/var/log/debug
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none         -/var/log/messages
 
-     # Same, in a different place.
-     *.info;mail.none;authpriv.none         -/dev/tty12
+# Log \"debug\"-level entries and nothing else.
+*.=debug                               -/var/log/debug
 
-     # The authpriv file has restricted access.
-     # 'fsync' the file after each line (hence the lack of a leading dash).
-     authpriv.*                              /var/log/secure
+# Same, in a different place.
+*.info;mail.none;authpriv.none         -/dev/tty12
 
-     # Log all the mail messages in one place.
-     mail.*                                 -/var/log/maillog
+# The authpriv file has restricted access.
+# 'fsync' the file after each line (hence the lack of a leading dash).
+authpriv.*                              /var/log/secure
+
+# Log all the mail messages in one place.
+mail.*                                 -/var/log/maillog
 "))
 
 (define-record-type* <syslog-configuration>
-- 
2.39.2





^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [bug#62802] [PATCH 4/4] services: syslog: Log auth.info to /var/log/secure in default configuration.
  2023-04-13  1:24 ` [bug#62802] [PATCH 1/4] services: syslog: Move configuration to /etc/syslog.conf Maxim Cournoyer
  2023-04-13  1:24   ` [bug#62802] [PATCH 2/4] services: syslog: Add a reload action Maxim Cournoyer
  2023-04-13  1:24   ` [bug#62802] [PATCH 3/4] services/syslog: Strip leading white space indent in syslog.conf Maxim Cournoyer
@ 2023-04-13  1:24   ` Maxim Cournoyer
  2023-04-20 15:26     ` [bug#62802] [PATCH 0/4] Add reload action to syslog service Ludovic Courtès
  2023-04-20 15:22   ` [bug#62802] " Ludovic Courtès
  3 siblings, 1 reply; 10+ messages in thread
From: Maxim Cournoyer @ 2023-04-13  1:24 UTC (permalink / raw)
  To: 62802; +Cc: Maxim Cournoyer

This causes authentication failures such as those generated by SSH brute force
attacks to appear in /var/log/secure, which is picked up by tools such as
fail2ban.

* gnu/services/base.scm (%default-syslog.conf): Add a auth.info selector for
the /var/log/secure log.

---

 gnu/services/base.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 0cde151e1a..282d36c8b1 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1515,7 +1515,9 @@ (define %default-syslog.conf
 
 # The authpriv file has restricted access.
 # 'fsync' the file after each line (hence the lack of a leading dash).
-authpriv.*                              /var/log/secure
+# Also include unprivileged auth logs of info or higher level
+# to conveniently gather the authentication data at the same place.
+authpriv.*;auth.info                    /var/log/secure
 
 # Log all the mail messages in one place.
 mail.*                                 -/var/log/maillog
-- 
2.39.2





^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [bug#62802] [PATCH 0/4] Add reload action to syslog service.
  2023-04-13  1:24 ` [bug#62802] [PATCH 1/4] services: syslog: Move configuration to /etc/syslog.conf Maxim Cournoyer
                     ` (2 preceding siblings ...)
  2023-04-13  1:24   ` [bug#62802] [PATCH 4/4] services: syslog: Log auth.info to /var/log/secure in default configuration Maxim Cournoyer
@ 2023-04-20 15:22   ` Ludovic Courtès
  2023-04-21 12:50     ` Maxim Cournoyer
  3 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2023-04-20 15:22 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 62802

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> Having the configuration live at a static location makes it possible to
> hot-reload it.
>
> * gnu/services/base.scm (syslog.conf): New variable.
> (syslog-etc, syslog-shepherd-service): New procedures.
> (syslog-service-type): Rewrite using the above new variable and procedures,
> extending etc-service-type with its configuration file.

I’m really not a fan of static configuration file names: you can never
be sure what config the service is using—compare this with the
unambiguous ‘--config=/gnu/store/…example.conf’.

Unfortunately there’s often no other option if we want to support live
reconfiguration—there’s only so much a signal can convey.

So I guess it’s a “weak accept” from me, because live reload is useful.

With the Shepherd in ‘master’, there’s a hook to change a service’s
“running value” so it should be possible to stop the previous process,
start a new one, and update the service’s running value (which is not
equivalent to SIGHUP, but maybe good enough for some cases).

A simpler approach might be run the service in a container with
/gnu/store/…conf mapped to a fixed location, and somehow update that
mapping as we go.  Food for thought!

Ludo’.




^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#62802] [PATCH 0/4] Add reload action to syslog service.
  2023-04-13  1:24   ` [bug#62802] [PATCH 4/4] services: syslog: Log auth.info to /var/log/secure in default configuration Maxim Cournoyer
@ 2023-04-20 15:26     ` Ludovic Courtès
  2023-04-21 13:36       ` bug#62802: " Maxim Cournoyer
  0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2023-04-20 15:26 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 62802

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> This causes authentication failures such as those generated by SSH brute force
> attacks to appear in /var/log/secure, which is picked up by tools such as
> fail2ban.

Nice, go for it!

Ludo’.




^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#62802] [PATCH 0/4] Add reload action to syslog service.
  2023-04-20 15:22   ` [bug#62802] " Ludovic Courtès
@ 2023-04-21 12:50     ` Maxim Cournoyer
  2023-04-21 14:03       ` Ludovic Courtès
  0 siblings, 1 reply; 10+ messages in thread
From: Maxim Cournoyer @ 2023-04-21 12:50 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 62802

Hello,

Ludovic Courtès <ludo@gnu.org> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> Having the configuration live at a static location makes it possible to
>> hot-reload it.
>>
>> * gnu/services/base.scm (syslog.conf): New variable.
>> (syslog-etc, syslog-shepherd-service): New procedures.
>> (syslog-service-type): Rewrite using the above new variable and procedures,
>> extending etc-service-type with its configuration file.
>
> I’m really not a fan of static configuration file names: you can never
> be sure what config the service is using—compare this with the
> unambiguous ‘--config=/gnu/store/…example.conf’.

Right; although now if you aren't sure what is used you can 'reload' it,
eh :-).

> Unfortunately there’s often no other option if we want to support live
> reconfiguration—there’s only so much a signal can convey.
>
> So I guess it’s a “weak accept” from me, because live reload is useful.

OK!

> With the Shepherd in ‘master’, there’s a hook to change a service’s
> “running value” so it should be possible to stop the previous process,
> start a new one, and update the service’s running value (which is not
> equivalent to SIGHUP, but maybe good enough for some cases).

Wouldn't that be equivalent to restarting the service?  I wasn't aware
of the new hook facility, I'll have to read on it, thanks!

> A simpler approach might be run the service in a container with
> /gnu/store/…conf mapped to a fixed location, and somehow update that
> mapping as we go.  Food for thought!

Interesting idea... although it'd only be compatible with Linux and I
dislike writing special cases in services (or anywhere if I can help
it).

-- 
Thanks,
Maxim




^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#62802: [PATCH 0/4] Add reload action to syslog service.
  2023-04-20 15:26     ` [bug#62802] [PATCH 0/4] Add reload action to syslog service Ludovic Courtès
@ 2023-04-21 13:36       ` Maxim Cournoyer
  0 siblings, 0 replies; 10+ messages in thread
From: Maxim Cournoyer @ 2023-04-21 13:36 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 62802-done

Hello,

Ludovic Courtès <ludo@gnu.org> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> This causes authentication failures such as those generated by SSH brute force
>> attacks to appear in /var/log/secure, which is picked up by tools such as
>> fail2ban.
>
> Nice, go for it!

Great, the change is now installed.  Thanks for the review!

-- 
Thanks,
Maxim




^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#62802] [PATCH 0/4] Add reload action to syslog service.
  2023-04-21 12:50     ` Maxim Cournoyer
@ 2023-04-21 14:03       ` Ludovic Courtès
  0 siblings, 0 replies; 10+ messages in thread
From: Ludovic Courtès @ 2023-04-21 14:03 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 62802

Hi!

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> I’m really not a fan of static configuration file names: you can never
>> be sure what config the service is using—compare this with the
>> unambiguous ‘--config=/gnu/store/…example.conf’.
>
> Right; although now if you aren't sure what is used you can 'reload' it,
> eh :-).

True.  :-)  The other issue is that that makes it impossible to run
several instances of the service (not a problem for syslogd of course,
but could be an issue elsewhere).

>> With the Shepherd in ‘master’, there’s a hook to change a service’s
>> “running value” so it should be possible to stop the previous process,
>> start a new one, and update the service’s running value (which is not
>> equivalent to SIGHUP, but maybe good enough for some cases).
>
> Wouldn't that be equivalent to restarting the service?  I wasn't aware
> of the new hook facility, I'll have to read on it, thanks!

There’s nothing to read :-) and it wasn’t designed with that use case in
mind, but we’ll see.

>> A simpler approach might be run the service in a container with
>> /gnu/store/…conf mapped to a fixed location, and somehow update that
>> mapping as we go.  Food for thought!
>
> Interesting idea... although it'd only be compatible with Linux and I
> dislike writing special cases in services (or anywhere if I can help
> it).

Yeah.

Ludo’.




^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2023-04-21 15:57 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-13  1:15 [bug#62802] [PATCH 0/4] Add reload action to syslog service Maxim Cournoyer
2023-04-13  1:24 ` [bug#62802] [PATCH 1/4] services: syslog: Move configuration to /etc/syslog.conf Maxim Cournoyer
2023-04-13  1:24   ` [bug#62802] [PATCH 2/4] services: syslog: Add a reload action Maxim Cournoyer
2023-04-13  1:24   ` [bug#62802] [PATCH 3/4] services/syslog: Strip leading white space indent in syslog.conf Maxim Cournoyer
2023-04-13  1:24   ` [bug#62802] [PATCH 4/4] services: syslog: Log auth.info to /var/log/secure in default configuration Maxim Cournoyer
2023-04-20 15:26     ` [bug#62802] [PATCH 0/4] Add reload action to syslog service Ludovic Courtès
2023-04-21 13:36       ` bug#62802: " Maxim Cournoyer
2023-04-20 15:22   ` [bug#62802] " Ludovic Courtès
2023-04-21 12:50     ` Maxim Cournoyer
2023-04-21 14:03       ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).