Subject: [bug#41573] [PATCH Shepherd] shepherd: service: Add #:supplementary-groups.
From: Oleg Pykhalov
Date: Thu, 28 May 2020 08:19:27 +0300
Message-ID: <87a71sbpr4.fsf@gmail.com>

Hello Guix,

This patch provides a way to specify supplementary groups for services. It's useful for services which could be used with a Docker group, e.g. Jenkins.

The ‘shepherd’ package in Guix succeeded to build with the current patch.
And I succeeded to pull and reconfigure my Guix system with it. Also ‘make check’ in Shepherd's Git repository passes tests.

Attachment: 0001-service-Add-supplementary-groups.patch

From=205718eb5f4130530b48df896d7f7e4a126e08428a Mon Sep 17 00:00:00 2001 From: Oleg Pykhalov Date: Sun, 24 May 2020 20:30:27 +0300 Subject: [PATCH] service: Add #:supplementary-groups. * modules/shepherd/service.scm (format-supplementary-groups): New procedure. (exec-command, fork+exec-command, make-forkexec-constructor): Add '#:supplementary-groups'. * doc/shepherd.texi (Service De- and Constructors): Document this. =2D-- doc/shepherd.texi | 39 +++++++++++++++++++++--------------- modules/shepherd/service.scm | 16 ++++++++++++++- 2 files changed, 38 insertions(+), 17 deletions(-) diff --git a/doc/shepherd.texi b/doc/shepherd.texi index 7217ec2..56ef03d 100644 =2D-- a/doc/shepherd.texi +++ b/doc/shepherd.texi @@ -11,7 +11,8 @@ @copying Copyright @copyright{} @value{OLD-YEARS} Wolfgang J@"ahrling@* Copyright @copyright{} @value{NEW-YEARS} Ludovic Court=C3=A8s@* =2DCopyright @copyright{} 2020 Brice Waegeneire +Copyright @copyright{} 2020 Brice Waegeneire@* +Copyright @copyright{} 2020 Oleg Pykhalov =20 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -893,21 +894,24 @@ execution of the @var{command} was successful, @code{= #t} if not. @deffn {procedure} make-forkexec-constructor @var{command} @ [#:user #f] @ [#:group #f] @ + [#:supplementary-groups '()] @ [#:pid-file #f] [#:pid-file-timeout (default-pid-file-timeout)] @ [#:log-file #f] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)] Return a procedure that forks a child process, closes all file =2Ddescriptors except the standard output and standard error descriptors, s= ets =2Dthe current directory to @var{directory}, sets the umask to =2D@var{file-creation-mask} unless it is @code{#f}, changes the environment= to =2D@var{environment-variables} (using the @code{environ} procedure), sets t= he =2Dcurrent user to @var{user} and the current group to @var{group} unless t= hey =2Dare @code{#f}, and executes @var{command} (a list of strings.) The resu= lt of =2Dthe procedure will be the PID of the child process. Note that this will =2Dnot work as expected if the process ``daemonizes'' (forks); in that =2Dcase, you will need to pass @code{#:pid-file}, as explained below. +descriptors except the standard output and standard error descriptors, +sets the current directory to @var{directory}, sets the umask to +@var{file-creation-mask} unless it is @code{#f}, changes the environment +to @var{environment-variables} (using the @code{environ} procedure), +sets the current user to @var{user} the current group to @var{group} +unless they are @code{#f} and supplementary groups to +@var{supplementary-groups} unless they are @code{'()}, and executes +@var{command} (a list of strings.) The result of the procedure will be +the PID of the child process. Note that this will not work as expected +if the process ``daemonizes'' (forks); in that case, you will need to +pass @code{#:pid-file}, as explained below. 
=20 When @var{pid-file} is true, it must be the name of a PID file associated with the process being launched; the return value is the PID @@ -937,6 +941,7 @@ procedures. @deffn {procedure} exec-command @var{command} @ [#:user #f] @ [#:group #f] @ + [#:supplementary-groups '()] @ [#:log-file #f] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ @@ -944,6 +949,7 @@ procedures. @deffnx {procedure} fork+exec-command @var{command} @ [#:user #f] @ [#:group #f] @ + [#:supplementary-groups '()] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)] @@ -955,12 +961,13 @@ if it's true, whereas file descriptor 0 (standard input) points to @file{/dev/null}; all other file descriptors are closed prior to yielding control to @var{command}. =20 =2DBy default, @var{command} is run as the current user. If the =2D@var{user} keyword argument is present and not false, change to =2D@var{user} immediately before invoking @var{command}. @var{user} may =2Dbe a string, indicating a user name, or a number, indicating a user =2DID. Likewise, @var{command} will be run under the current group, =2Dunless the @var{group} keyword argument is present and not false. +By default, @var{command} is run as the current user. If the @var{user} +keyword argument is present and not false, change to @var{user} +immediately before invoking @var{command}. @var{user} may be a string, +indicating a user name, or a number, indicating a user ID. Likewise, +@var{command} will be run under the current group, unless the +@var{group} keyword argument is present and not false, and +supplementary-groups is not '(). =20 @code{fork+exec-command} does the same as @code{exec-command}, but in a separate process whose PID it returns. diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm index 45fcf32..03bdc02 100644 =2D-- a/modules/shepherd/service.scm +++ b/modules/shepherd/service.scm 
@@ -6,6 +6,7 @@ ;; Copyright (C) 2018 Carlo Zancanaro ;; Copyright (C) 2019 Ricardo Wurmus ;; Copyright (C) 2020 Mathieu Othacehe +;; Copyright (C) 2020 Oleg Pykhalov ;; ;; This file is part of the GNU Shepherd. ;; @@ -772,10 +773,17 @@ daemon writing FILE is running in a separate PID name= space." (try-again) (apply throw args))))))) =20 +(define (format-supplementary-groups supplementary-groups) + (if (vector? supplementary-groups) + supplementary-groups + (list->vector (map (lambda (group) (group:gid (getgr group))) + supplementary-groups)))) + (define* (exec-command command #:key (user #f) (group #f) + (supplementary-groups '()) (log-file #f) (directory (default-service-directory)) (file-creation-mask #f) @@ -831,7 +839,7 @@ false." (catch #t (lambda () ;; Clear supplementary groups. =2D (setgroups #()) + (setgroups (format-supplementary-groups supplementary-groups)) (setgid (group:gid (getgr group)))) (lambda (key . args) (format (current-error-port) @@ -874,6 +882,7 @@ false." #:key (user #f) (group #f) + (supplementary-groups '()) (log-file #f) (directory (default-service-directory)) (file-creation-mask #f) @@ -901,6 +910,8 @@ its PID." (exec-command command #:user user #:group group + #:supplementary-groups (format-supplementary-groups + supplementary-groups) #:log-file log-file #:directory directory #:file-creation-mask file-creation-mask @@ -914,6 +925,7 @@ its PID." #:key (user #f) (group #f) + (supplementary-groups '()) (directory (default-service-directory)) (environment-variables (default-environment-variables)) 
@@ -951,6 +963,8 @@ start." (let ((pid (fork+exec-command command #:user user #:group group + #:supplementary-groups + (format-supplementary-groups supplementa= ry-groups) #:log-file log-file #:directory directory #:file-creation-mask file-creation-mask =2D-=20 2.26.2
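Review bot: the rewritten make-forkexec-constructor paragraph in the @@ -893,21 +894,24 @@ hunk of doc/shepherd.texi drops the conjunction between the user and group clauses and documents a default that the code does not implement: "sets the current user to @var{user} the current group to @var{group} unless they are @code{#f} and supplementary groups to @var{supplementary-groups} unless they are @code{'()}" reads as if an empty list leaves the supplementary groups untouched, whereas the service.scm change passes (format-supplementary-groups '()), i.e. #(), to setgroups, which clears them exactly as the old (setgroups #()) did. Suggest: "sets the current user to @var{user} and the current group to @var{group} unless they are @code{#f}, sets the supplementary groups to @var{supplementary-groups} (by default none), and executes @var{command} (a list of strings.)".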
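Review bot: in the @@ -955,12 +961,13 @@ hunk of doc/shepherd.texi the added clause "and supplementary-groups is not '()." is not marked up (the surrounding paragraph uses @var{} and @code{}) and does not say what the argument accepts or what the default means; since format-supplementary-groups resolves each element with (group:gid (getgr group)) and passes vectors through untouched, a separate sentence would be clearer: "The supplementary groups of the process are set to @var{supplementary-groups}, a list of group names or group IDs (or a vector of group IDs); the default, @code{'()}, gives the process no supplementary groups."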
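Review bot: format-supplementary-groups in the @@ -772,10 +773,17 @@ hunk of modules/shepherd/service.scm has no docstring, and the same conversion is applied three times along the call chain: make-forkexec-constructor converts before calling fork+exec-command (the @@ -951 hunk), fork+exec-command converts again before calling exec-command (the @@ -901 hunk), and exec-command converts a third time before setgroups (the @@ -831 hunk). The vector? pass-through keeps this correct, but the outer two calls are redundant; convert once in exec-command and pass the raw argument through from the other two. Doing so also moves the getgr lookups into the child, next to the existing (getgr group) call and its (format (current-error-port) ...) handler, instead of having an unknown group name in #:supplementary-groups raise in the parent at service start. A docstring such as "Return SUPPLEMENTARY-GROUPS as a vector of group IDs, resolving group names with getgr." would document the accepted forms.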
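Review bot: in the @@ -831,7 +839,7 @@ hunk the retained comment ";; Clear supplementary groups." is now stale, because the call installs whatever #:supplementary-groups resolved to and only clears when it is '(); reword it to ";; Set supplementary groups (none by default)." Two further points on this hunk: the setgroups call shares a catch block with (setgid (group:gid (getgr group))), which can only run when #:group is set, so #:supplementary-groups appears to be silently ignored when #:group is #f; either document that in shepherd.texi or apply setgroups independently of #:group. The ordering itself is right from a privilege-dropping standpoint: setgroups must precede setgid and the later user change while the process still holds the privilege to call it, so keep it first in the block.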