unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#31894] Containerize openntpd service
@ 2018-06-19  9:31 Efraim Flashner
  2018-06-22 19:39 ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Efraim Flashner @ 2018-06-19  9:31 UTC (permalink / raw)
  To: 31894


[-- Attachment #1.1: Type: text/plain, Size: 565 bytes --]

I tested this patch with the included vm image, using the following
script. After logging in, 'ntpctl -s all' shows openntpd connecting to
the ntp servers and updating the time.

/.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #1.2: 0001-services-openntpd-Containerize-openntpd-service.patch --]
[-- Type: text/plain, Size: 5573 bytes --]

From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Tue, 19 Jun 2018 12:24:47 +0300
Subject: [PATCH] services: openntpd: Containerize openntpd service.

* gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
'configure-flags and adjust the 'localstatedir' flag.
* gnu/services/networking.scm (openntpd-shepherd-service): Change the
start-service command to run in a container, expose '/var/log/openntpd'
and '/var/lib/openntpd' to the container.
(openntpd-service-activation): Adjust directories for the changes above.
---
 gnu/packages/ntp.scm        |  3 +-
 gnu/services/networking.scm | 58 ++++++++++++++++++++++++-------------
 2 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm
index e9ae9fa46..2c202b400 100644
--- a/gnu/packages/ntp.scm
+++ b/gnu/packages/ntp.scm
@@ -109,7 +109,8 @@ computers over a network.")
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--with-privsep-user=ntpd"
-                           "--localstatedir=/var")
+                           "--with-privsep-path=/var/lib/openntpd"
+                           "--localstatedir=/var/lib/openntpd")
        #:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'modify-install-locations
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index d5d0cf9d1..100a18e7c 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -428,22 +428,39 @@ make an initial adjustment of more than 1,000 seconds."
       (define ntpd.conf
         (plain-file "ntpd.conf" config))
 
-      (list (shepherd-service
-              (provision '(ntpd))
-              (documentation "Run the Network Time Protocol (NTP) daemon.")
-              (requirement '(user-processes networking))
-              (start #~(make-forkexec-constructor
-                         (list (string-append #$openntpd "/sbin/ntpd")
-                               "-f" #$ntpd.conf
-                               "-d" ;; don't daemonize
-                               #$@(if allow-large-adjustment?
-                                    '("-s")
-                                    '()))
-                         ;; When ntpd is daemonized it repeatedly tries to respawn
-                         ;; while running, leading shepherd to disable it.  To
-                         ;; prevent spamming stderr, redirect output to logfile.
-                         #:log-file "/var/log/ntpd"))
-              (stop #~(make-kill-destructor)))))))
+      (with-imported-modules (source-module-closure
+                              '((gnu build shepherd)
+                                (gnu system file-systems)))
+        (list (shepherd-service
+                (provision '(ntpd))
+                (documentation "Run the Network Time Protocol (NTP) daemon.")
+                (requirement '(user-processes networking))
+                  (modules '((gnu build shepherd)
+                             (gnu system file-systems)))
+                (start #~(make-forkexec-constructor/container
+                           (list (string-append #$openntpd "/sbin/ntpd")
+                                 "-f" #$ntpd.conf
+                                 "-d" ;; don't daemonize
+                                 #$@(if allow-large-adjustment?
+                                      '("-s")
+                                      '()))
+                           #:mappings (list (file-system-mapping
+                                              (source "/var/lib/openntpd")
+                                              (target source)
+                                              (writable? #t))
+                                            (file-system-mapping
+                                              (source "/var/log/openntpd")
+                                              (target "/var/log")
+                                              (writable? #t))
+                                            ;; For the privsep ntpd user.
+                                            (file-system-mapping
+                                              (source "/var/lib/openntpd")
+                                              (target "/var/empty")))
+                           ;; When ntpd is daemonized it repeatedly tries to respawn
+                           ;; while running, leading shepherd to disable it.  To
+                           ;; prevent spamming stderr, redirect output to logfile.
+                           #:log-file "/var/log/ntpd"))
+                (stop #~(make-kill-destructor))))))))
 
 (define (openntpd-service-activation config)
   "Return the activation gexp for CONFIG."
@@ -451,10 +468,11 @@ make an initial adjustment of more than 1,000 seconds."
     #~(begin
         (use-modules (guix build utils))
 
-        (mkdir-p "/var/db")
-        (mkdir-p "/var/run")
-        (unless (file-exists? "/var/db/ntpd.drift")
-          (with-output-to-file "/var/db/ntpd.drift"
+        (mkdir-p "/var/lib/openntpd/db")
+        (mkdir-p "/var/lib/openntpd/run")
+        (mkdir-p "/var/log/openntpd")
+        (unless (file-exists? "/var/lib/openntpd/db/ntpd.drift")
+          (with-output-to-file "/var/lib/openntpd/db/ntpd.drift"
                                (lambda _
                                  (format #t "0.0")))))))
 
-- 
2.17.1


[-- Attachment #1.3: vm-image.scm --]
[-- Type: text/plain, Size: 2356 bytes --]

;;; This is an operating system configuration template for a "bare-bones" setup,
;;; suitable for booting in a virtualized environment, including virtual private
;;; servers (VPS).

(use-modules (gnu))
(use-package-modules bootloaders disk nvi)
(use-service-modules networking)

(define vm-image-motd (plain-file "motd" "
This is the GNU system.  Welcome!

This instance of GuixSD is a bare-bones template for virtualized environments.

You will probably want to do these things first if you booted in a virtual
private server (VPS):

* Set a password for 'root'.
* Set up networking.
* Expand the root partition to fill the space available by 0) deleting and
recreating the partition with fdisk, 1) reloading the partition table with
partprobe, and then 2) resizing the filesystem with resize2fs.\n"))

(operating-system
  (host-name "gnu")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  ;; Assuming /dev/sdX is the target hard disk, and "my-root" is
  ;; the label of the target root file system.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")
               (terminal-outputs '(console))))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  ;; This is where user accounts are specified.  The "root"
  ;; account is implicit, and is initially created with the
  ;; empty password.
  (users %base-user-accounts)

  ;; Globally-installed packages.
  (packages (cons* nvi fdisk
                   grub   ; mostly so xrefs to its manual work
                   parted ; partprobe
                   %base-packages))

  (services (cons*
              (service connman-service-type)
              (service wpa-supplicant-service-type)
              (service openntpd-service-type
                       (openntpd-configuration
                         (listen-on '("127.0.0.1" "::1"))
                         (allow-large-adjustment? #t)))

              (modify-services %base-services
                (login-service-type config =>
                                    (login-configuration
                                      (inherit config)
                                      (motd vm-image-motd)))))))

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply related	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-06-26 13:49 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-19  9:31 [bug#31894] Containerize openntpd service Efraim Flashner
2018-06-22 19:39 ` Ludovic Courtès
2018-06-26  8:25   ` bug#31894: " Efraim Flashner
2018-06-26 13:48     ` [bug#31894] " Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).