* [bug#63561] [PATCH 1/2] services: rsync: Use make-inetd-constructor.
@ 2023-05-18 1:56 Maxim Cournoyer
2023-05-18 1:56 ` [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper Maxim Cournoyer
2023-05-18 16:58 ` [bug#63562] " Ludovic Courtès
0 siblings, 2 replies; 5+ messages in thread
From: Maxim Cournoyer @ 2023-05-18 1:56 UTC (permalink / raw)
To: 63561; +Cc: Maxim Cournoyer
* gnu/services/rsync.scm (rsync-shepherd-service): Use make-inetd-constructor
if available in start slot.
* gnu/tests/rsync.scm (run-rsync-test): Delete "PID file" test.
---
gnu/services/rsync.scm | 44 ++++++++++++++++++++++++++++++++++--------
gnu/tests/rsync.scm | 6 ------
2 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm
index aeb4275031..826b757b1c 100644
--- a/gnu/services/rsync.scm
+++ b/gnu/services/rsync.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright © 2021, 2023 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -221,23 +222,50 @@ (define (rsync-config-file config)
(define (rsync-shepherd-service config)
"Return a <shepherd-service> for rsync with CONFIG."
+
+ ;; XXX: Predicates copied from (gnu services ssh).
+ (define inetd-style?
+ #~(and (defined? 'make-inetd-constructor)
+ (not (string=? (@ (shepherd config) Version) "0.9.0"))))
+
+ (define ipv6-support?
+ #~(catch 'system-error
+ (lambda ()
+ (let ((sock (socket AF_INET6 SOCK_STREAM 0)))
+ (close-port sock)
+ #t))
+ (const #f)))
+
(let* ((rsync (rsync-configuration-package config))
(pid-file (rsync-configuration-pid-file config))
(port-number (rsync-configuration-port-number config))
(user (rsync-configuration-user config))
(group (rsync-configuration-group config))
- (config-file (rsync-config-file config)))
+ (config-file (rsync-config-file config))
+ (rsync-command #~(list (string-append #$rsync "/bin/rsync")
+ "--config" #$config-file "--daemon")))
(list (shepherd-service
(provision '(rsync))
(documentation "Run rsync daemon.")
(actions (list (shepherd-configuration-action config-file)))
- (start #~(make-forkexec-constructor
- (list (string-append #$rsync "/bin/rsync")
- "--config" #$config-file
- "--daemon")
- #:pid-file #$pid-file
- #:user #$user
- #:group #$group))
+ (start #~(if #$inetd-style?
+ (make-inetd-constructor
+ #$rsync-command
+ (cons (endpoint
+ (make-socket-address AF_INET INADDR_ANY
+ #$port-number))
+ (if #$ipv6-support?
+ (list
+ (endpoint
+ (make-socket-address AF_INET6 IN6ADDR_ANY
+ #$port-number)))
+ '()))
+ #:user #$user
+ #:group #$group)
+ (make-forkexec-constructor #$rsync-command
+ #:pid-file #$pid-file
+ #:user #$user
+ #:group #$group)))
(stop #~(make-kill-destructor))))))
(define rsync-service-type
diff --git a/gnu/tests/rsync.scm b/gnu/tests/rsync.scm
index ea53a157bb..182e5f76ff 100644
--- a/gnu/tests/rsync.scm
+++ b/gnu/tests/rsync.scm
@@ -70,12 +70,6 @@ (define* (run-rsync-test rsync-os #:optional (rsync-port 873))
(start-service 'rsync))
marionette))
- ;; Make sure the PID file is created.
- (test-assert "PID file"
- (marionette-eval
- '(file-exists? "/var/run/rsyncd/rsyncd.pid")
- marionette))
-
(test-assert "Test file copied to share"
(marionette-eval
'(begin
base-commit: 9c161c1f0def13676002ce34625ba023857b9ab2
--
2.39.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper.
2023-05-18 1:56 [bug#63561] [PATCH 1/2] services: rsync: Use make-inetd-constructor Maxim Cournoyer
@ 2023-05-18 1:56 ` Maxim Cournoyer
2023-05-18 17:00 ` Ludovic Courtès
2023-05-18 16:58 ` [bug#63562] " Ludovic Courtès
1 sibling, 1 reply; 5+ messages in thread
From: Maxim Cournoyer @ 2023-05-18 1:56 UTC (permalink / raw)
To: 63562; +Cc: Maxim Cournoyer
* gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a
least-authority-wrapper.
---
gnu/services/rsync.scm | 97 ++++++++++++++++++++++++++++--------------
1 file changed, 65 insertions(+), 32 deletions(-)
diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm
index 826b757b1c..42e4d0247e 100644
--- a/gnu/services/rsync.scm
+++ b/gnu/services/rsync.scm
@@ -19,16 +19,20 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu services rsync)
+ #:use-module ((gnu build linux-container) #:select (%namespaces))
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services shepherd)
+ #:autoload (gnu system file-systems) (file-system-mapping)
#:use-module (gnu system shadow)
- #:use-module (gnu packages rsync)
#:use-module (gnu packages admin)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages rsync)
#:use-module (guix records)
#:use-module (guix gexp)
#:use-module (guix diagnostics)
#:use-module (guix i18n)
+ #:use-module (guix least-authority)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (ice-9 match)
@@ -236,37 +240,66 @@ (define (rsync-shepherd-service config)
#t))
(const #f)))
- (let* ((rsync (rsync-configuration-package config))
- (pid-file (rsync-configuration-pid-file config))
- (port-number (rsync-configuration-port-number config))
- (user (rsync-configuration-user config))
- (group (rsync-configuration-group config))
- (config-file (rsync-config-file config))
- (rsync-command #~(list (string-append #$rsync "/bin/rsync")
- "--config" #$config-file "--daemon")))
- (list (shepherd-service
- (provision '(rsync))
- (documentation "Run rsync daemon.")
- (actions (list (shepherd-configuration-action config-file)))
- (start #~(if #$inetd-style?
- (make-inetd-constructor
- #$rsync-command
- (cons (endpoint
- (make-socket-address AF_INET INADDR_ANY
- #$port-number))
- (if #$ipv6-support?
- (list
- (endpoint
- (make-socket-address AF_INET6 IN6ADDR_ANY
- #$port-number)))
- '()))
- #:user #$user
- #:group #$group)
- (make-forkexec-constructor #$rsync-command
- #:pid-file #$pid-file
- #:user #$user
- #:group #$group)))
- (stop #~(make-kill-destructor))))))
+ (define (module->file-system-mapping module)
+ "Return the <file-system-mapping> record corresponding to MODULE, an
+<rsync-module> object."
+ (match-record module <rsync-module>
+ (file-name read-only?)
+ (file-system-mapping
+ (source file-name)
+ (target source)
+ (writable? (not read-only?)))))
+
+ (match-record config <rsync-configuration>
+ (package log-file modules pid-file port-number user group)
+ ;; Run the rsync daemon in its own 'mnt' namespace, to guard against
+ ;; change to mount points it may be serving.
+ (let* ((config-file (rsync-config-file config))
+ (rsync-command #~(list #$(least-authority-wrapper
+ (file-append rsync "/bin/rsync")
+ #:name "rsync"
+ #:namespaces (fold delq %namespaces
+ '(net user))
+ #:mappings
+ (append (list (file-system-mapping
+ (source "/var/run/rsyncd")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source (dirname log-file))
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source config-file)
+ (target source)))
+ (map module->file-system-mapping
+ modules)))
+ "--config" #$config-file "--daemon")))
+ (list (shepherd-service
+ (provision '(rsync))
+ (documentation "Run rsync daemon.")
+ (actions (list (shepherd-configuration-action config-file)))
+ (start #~(if #$inetd-style?
+ (make-inetd-constructor
+ #$rsync-command
+ (cons (endpoint
+ (make-socket-address AF_INET INADDR_ANY
+ #$port-number))
+ (if #$ipv6-support?
+ (list
+ (endpoint
+ (make-socket-address AF_INET6 IN6ADDR_ANY
+ #$port-number)))
+ '()))
+ #:user #$user
+ #:group #$group)
+ (make-forkexec-constructor #$rsync-command
+ #:pid-file #$pid-file
+ #:user #$user
+ #:group #$group)))
+ (stop #~(if #$inetd-style?
+ (make-inetd-destructor)
+ (make-kill-destructor))))))))
(define rsync-service-type
(service-type
--
2.39.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper.
2023-05-18 1:56 [bug#63561] [PATCH 1/2] services: rsync: Use make-inetd-constructor Maxim Cournoyer
2023-05-18 1:56 ` [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper Maxim Cournoyer
@ 2023-05-18 16:58 ` Ludovic Courtès
1 sibling, 0 replies; 5+ messages in thread
From: Ludovic Courtès @ 2023-05-18 16:58 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 63562, 63561
Hi,
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> + (make-inetd-constructor
> + #$rsync-command
> + (cons (endpoint
> + (make-socket-address AF_INET INADDR_ANY
> + #$port-number))
> + (if #$ipv6-support?
> + (list
> + (endpoint
> + (make-socket-address AF_INET6 IN6ADDR_ANY
> + #$port-number)))
> + '()))
> + #:user #$user
> + #:group #$group)
> + (make-forkexec-constructor #$rsync-command
I found it fishy that the same command could be used both in inetd mode
and in “regular” daemon mode. Turns out that rsync does something…
surprising, as noted in rsync(1):
If standard input is a socket then rsync will assume that it is being
run via inetd, otherwise it will detach from the current terminal and
become a background daemon.
So I guess this is fine, and a welcome change!
Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper.
2023-05-18 1:56 ` [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper Maxim Cournoyer
@ 2023-05-18 17:00 ` Ludovic Courtès
2023-05-19 3:20 ` bug#63562: " Maxim Cournoyer
0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2023-05-18 17:00 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 63562
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> * gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a
> least-authority-wrapper.
Nice, LGTM!
Since berlin relies on it for backups, we’ll have to double-check that
it all goes well, in case we overlooked something.
Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#63562: [PATCH 2/2] services: rsync: Use least authority wrapper.
2023-05-18 17:00 ` Ludovic Courtès
@ 2023-05-19 3:20 ` Maxim Cournoyer
0 siblings, 0 replies; 5+ messages in thread
From: Maxim Cournoyer @ 2023-05-19 3:20 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 63562-done
Hi Ludo,
Ludovic Courtès <ludo@gnu.org> writes:
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> * gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a
>> least-authority-wrapper.
>
> Nice, LGTM!
>
> Since berlin relies on it for backups, we’ll have to double-check that
> it all goes well, in case we overlooked something.
Thanks for the review! I've installed the change.
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-05-19 3:21 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-18 1:56 [bug#63561] [PATCH 1/2] services: rsync: Use make-inetd-constructor Maxim Cournoyer
2023-05-18 1:56 ` [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper Maxim Cournoyer
2023-05-18 17:00 ` Ludovic Courtès
2023-05-19 3:20 ` bug#63562: " Maxim Cournoyer
2023-05-18 16:58 ` [bug#63562] " Ludovic Courtès
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).