* [bug#31894] Containerize openntpd service
@ 2018-06-19 9:31 Efraim Flashner
2018-06-22 19:39 ` Ludovic Courtès
0 siblings, 1 reply; 4+ messages in thread
From: Efraim Flashner @ 2018-06-19 9:31 UTC (permalink / raw)
To: 31894
[-- Attachment #1.1: Type: text/plain, Size: 565 bytes --]
I tested this patch with the included vm image, using the following
script. After logging in, 'ntpctl -s all' shows openntpd connecting to
the ntp servers and updating the time.
/.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #1.2: 0001-services-openntpd-Containerize-openntpd-service.patch --]
[-- Type: text/plain, Size: 5573 bytes --]
From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Tue, 19 Jun 2018 12:24:47 +0300
Subject: [PATCH] services: openntpd: Containerize openntpd service.
* gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
'configure-flags and adjust the 'localstatedir' flag.
* gnu/services/networking.scm (openntpd-shepherd-service): Change the
start-service command to run in a container, expose '/var/log/openntpd'
and '/var/lib/openntpd' to the container.
(openntpd-service-activation): Adjust directories for the changes above.
---
gnu/packages/ntp.scm | 3 +-
gnu/services/networking.scm | 58 ++++++++++++++++++++++++-------------
2 files changed, 40 insertions(+), 21 deletions(-)
diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm
index e9ae9fa46..2c202b400 100644
--- a/gnu/packages/ntp.scm
+++ b/gnu/packages/ntp.scm
@@ -109,7 +109,8 @@ computers over a network.")
(build-system gnu-build-system)
(arguments
'(#:configure-flags '("--with-privsep-user=ntpd"
- "--localstatedir=/var")
+ "--with-privsep-path=/var/lib/openntpd"
+ "--localstatedir=/var/lib/openntpd")
#:phases
(modify-phases %standard-phases
(add-after 'unpack 'modify-install-locations
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index d5d0cf9d1..100a18e7c 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -428,22 +428,39 @@ make an initial adjustment of more than 1,000 seconds."
(define ntpd.conf
(plain-file "ntpd.conf" config))
- (list (shepherd-service
- (provision '(ntpd))
- (documentation "Run the Network Time Protocol (NTP) daemon.")
- (requirement '(user-processes networking))
- (start #~(make-forkexec-constructor
- (list (string-append #$openntpd "/sbin/ntpd")
- "-f" #$ntpd.conf
- "-d" ;; don't daemonize
- #$@(if allow-large-adjustment?
- '("-s")
- '()))
- ;; When ntpd is daemonized it repeatedly tries to respawn
- ;; while running, leading shepherd to disable it. To
- ;; prevent spamming stderr, redirect output to logfile.
- #:log-file "/var/log/ntpd"))
- (stop #~(make-kill-destructor)))))))
+ (with-imported-modules (source-module-closure
+ '((gnu build shepherd)
+ (gnu system file-systems)))
+ (list (shepherd-service
+ (provision '(ntpd))
+ (documentation "Run the Network Time Protocol (NTP) daemon.")
+ (requirement '(user-processes networking))
+ (modules '((gnu build shepherd)
+ (gnu system file-systems)))
+ (start #~(make-forkexec-constructor/container
+ (list (string-append #$openntpd "/sbin/ntpd")
+ "-f" #$ntpd.conf
+ "-d" ;; don't daemonize
+ #$@(if allow-large-adjustment?
+ '("-s")
+ '()))
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/openntpd")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/var/log/openntpd")
+ (target "/var/log")
+ (writable? #t))
+ ;; For the privsep ntpd user.
+ (file-system-mapping
+ (source "/var/lib/openntpd")
+ (target "/var/empty")))
+ ;; When ntpd is daemonized it repeatedly tries to respawn
+ ;; while running, leading shepherd to disable it. To
+ ;; prevent spamming stderr, redirect output to logfile.
+ #:log-file "/var/log/ntpd"))
+ (stop #~(make-kill-destructor))))))))
(define (openntpd-service-activation config)
"Return the activation gexp for CONFIG."
@@ -451,10 +468,11 @@ make an initial adjustment of more than 1,000 seconds."
#~(begin
(use-modules (guix build utils))
- (mkdir-p "/var/db")
- (mkdir-p "/var/run")
- (unless (file-exists? "/var/db/ntpd.drift")
- (with-output-to-file "/var/db/ntpd.drift"
+ (mkdir-p "/var/lib/openntpd/db")
+ (mkdir-p "/var/lib/openntpd/run")
+ (mkdir-p "/var/log/openntpd")
+ (unless (file-exists? "/var/lib/openntpd/db/ntpd.drift")
+ (with-output-to-file "/var/lib/openntpd/db/ntpd.drift"
(lambda _
(format #t "0.0")))))))
--
2.17.1
[-- Attachment #1.3: vm-image.scm --]
[-- Type: text/plain, Size: 2356 bytes --]
;;; This is an operating system configuration template for a "bare-bones" setup,
;;; suitable for booting in a virtualized environment, including virtual private
;;; servers (VPS).
(use-modules (gnu))
(use-package-modules bootloaders disk nvi)
(use-service-modules networking)
(define vm-image-motd (plain-file "motd" "
This is the GNU system. Welcome!
This instance of GuixSD is a bare-bones template for virtualized environments.
You will probably want to do these things first if you booted in a virtual
private server (VPS):
* Set a password for 'root'.
* Set up networking.
* Expand the root partition to fill the space available by 0) deleting and
recreating the partition with fdisk, 1) reloading the partition table with
partprobe, and then 2) resizing the filesystem with resize2fs.\n"))
(operating-system
(host-name "gnu")
(timezone "Etc/UTC")
(locale "en_US.utf8")
;; Assuming /dev/sdX is the target hard disk, and "my-root" is
;; the label of the target root file system.
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(terminal-outputs '(console))))
(file-systems (cons (file-system
(device (file-system-label "my-root"))
(mount-point "/")
(type "ext4"))
%base-file-systems))
;; This is where user accounts are specified. The "root"
;; account is implicit, and is initially created with the
;; empty password.
(users %base-user-accounts)
;; Globally-installed packages.
(packages (cons* nvi fdisk
grub ; mostly so xrefs to its manual work
parted ; partprobe
%base-packages))
(services (cons*
(service connman-service-type)
(service wpa-supplicant-service-type)
(service openntpd-service-type
(openntpd-configuration
(listen-on '("127.0.0.1" "::1"))
(allow-large-adjustment? #t)))
(modify-services %base-services
(login-service-type config =>
(login-configuration
(inherit config)
(motd vm-image-motd)))))))
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [bug#31894] Containerize openntpd service
2018-06-19 9:31 [bug#31894] Containerize openntpd service Efraim Flashner
@ 2018-06-22 19:39 ` Ludovic Courtès
2018-06-26 8:25 ` bug#31894: " Efraim Flashner
0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2018-06-22 19:39 UTC (permalink / raw)
To: Efraim Flashner; +Cc: 31894
Hello Efraim,
Efraim Flashner <efraim@flashner.co.il> skribis:
> I tested this patch with the included vm image, using the following
> script. After logging in, 'ntpctl -s all' shows openntpd connecting to
> the ntp servers and updating the time.
>
> /.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53
[...]
> From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
> From: Efraim Flashner <efraim@flashner.co.il>
> Date: Tue, 19 Jun 2018 12:24:47 +0300
> Subject: [PATCH] services: openntpd: Containerize openntpd service.
>
> * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
> 'configure-flags and adjust the 'localstatedir' flag.
> * gnu/services/networking.scm (openntpd-shepherd-service): Change the
> start-service command to run in a container, expose '/var/log/openntpd'
> and '/var/lib/openntpd' to the container.
> (openntpd-service-activation): Adjust directories for the changes above.
Neat! The patch LGTM, especially since you’ve confirmed that it still
works as expected. :-)
One thing though: could you make sure containerization isn’t redundant
with what OpenNTPD already does? Namely, could you grep the source for
calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
doing one of these things, it may be that using a container brings
little or nothing.
If it’s OK, please push!
While I’m at it, one question about this comment (which was already there):
> + ;; When ntpd is daemonized it repeatedly tries to respawn
> + ;; while running, leading shepherd to disable it. To
> + ;; prevent spamming stderr, redirect output to logfile.
> + #:log-file "/var/log/ntpd"))
What’s described here is expected: when it daemonizes, the initial
process that shepherd spawned terminates immediately, which is why
shepherd tries to respawn it (it cannot guess that there’s in fact a
child process that keeps running.)
The right thing to do for things that daemonize is to use the #:pid-file
option, which instructs shepherd to poll that file. Should we do this
here? There are many examples of that, including bitlbee, which is
containerized.
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#31894: Containerize openntpd service
2018-06-22 19:39 ` Ludovic Courtès
@ 2018-06-26 8:25 ` Efraim Flashner
2018-06-26 13:48 ` [bug#31894] " Ludovic Courtès
0 siblings, 1 reply; 4+ messages in thread
From: Efraim Flashner @ 2018-06-26 8:25 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 31894-done
[-- Attachment #1: Type: text/plain, Size: 3231 bytes --]
On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:
> Hello Efraim,
>
> Efraim Flashner <efraim@flashner.co.il> skribis:
>
> > I tested this patch with the included vm image, using the following
> > script. After logging in, 'ntpctl -s all' shows openntpd connecting to
> > the ntp servers and updating the time.
> >
> > /.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53
>
> [...]
>
> > From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner <efraim@flashner.co.il>
> > Date: Tue, 19 Jun 2018 12:24:47 +0300
> > Subject: [PATCH] services: openntpd: Containerize openntpd service.
> >
> > * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
> > 'configure-flags and adjust the 'localstatedir' flag.
> > * gnu/services/networking.scm (openntpd-shepherd-service): Change the
> > start-service command to run in a container, expose '/var/log/openntpd'
> > and '/var/lib/openntpd' to the container.
> > (openntpd-service-activation): Adjust directories for the changes above.
>
> Neat! The patch LGTM, especially since you’ve confirmed that it still
> works as expected. :-)
>
> One thing though: could you make sure containerization isn’t redundant
> with what OpenNTPD already does? Namely, could you grep the source for
> calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
> doing one of these things, it may be that using a container brings
> little or nothing.
>
> If it’s OK, please push!
From grepping the source:
./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
./INSTALL:processing is done as a chroot'ed, unprivileged user).
The code also supports the assertion.
it defaults to /var/empty, unless the --with-privsep-path=path flag is
set, so it looks like my patch is unnecessary after all. :)
>
> While I’m at it, one question about this comment (which was already there):
>
> > + ;; When ntpd is daemonized it repeatedly tries to respawn
> > + ;; while running, leading shepherd to disable it. To
> > + ;; prevent spamming stderr, redirect output to logfile.
> > + #:log-file "/var/log/ntpd"))
>
> What’s described here is expected: when it daemonizes, the initial
> process that shepherd spawned terminates immediately, which is why
> shepherd tries to respawn it (it cannot guess that there’s in fact a
> child process that keeps running.)
>
> The right thing to do for things that daemonize is to use the #:pid-file
> option, which instructs shepherd to poll that file. Should we do this
> here? There are many examples of that, including bitlbee, which is
> containerized.
>
I'll take a look at that and see if I can fix that.
> Thanks,
> Ludo’.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#31894] Containerize openntpd service
2018-06-26 8:25 ` bug#31894: " Efraim Flashner
@ 2018-06-26 13:48 ` Ludovic Courtès
0 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2018-06-26 13:48 UTC (permalink / raw)
To: Efraim Flashner; +Cc: 31894-done
Efraim Flashner <efraim@flashner.co.il> skribis:
> On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:
[...]
>> One thing though: could you make sure containerization isn’t redundant
>> with what OpenNTPD already does? Namely, could you grep the source for
>> calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
>> doing one of these things, it may be that using a container brings
>> little or nothing.
>>
>> If it’s OK, please push!
>
> From grepping the source:
>
> ./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
> ./INSTALL:processing is done as a chroot'ed, unprivileged user).
>
> The code also supports the assertion.
>
> it defaults to /var/empty, unless the --with-privsep-path=path flag is
> set, so it looks like my patch is unnecessary after all. :)
Heh, alright. Perhaps you’ll find another candidate for
containerization. ;-)
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-06-26 13:49 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-19 9:31 [bug#31894] Containerize openntpd service Efraim Flashner
2018-06-22 19:39 ` Ludovic Courtès
2018-06-26 8:25 ` bug#31894: " Efraim Flashner
2018-06-26 13:48 ` [bug#31894] " Ludovic Courtès
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).