On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> On Mon, 13 Jul 2020 22:01:47 -0400
> Julien Lepiller wrote:
>
> > On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd wrote:
> >
> > >my service definition is as follows:
> > >
> > >--8<---------------cut here---------------start------------->8---
> > >(define-record-type* <kyc-configuration>
> > >  kyc-configuration make-kyc-configuration
> > >  kyc-configuration?
> > >  (package kyc-configuration-package
> > >           (default kyc))
> > >  (user kyc-configuration-user
> > >        (default "kyc-service"))
> > >  (group kyc-configuration-group
> > >         (default "kyc-service")))
> > >
> > >(define %kyc-accounts
> > >  (list (user-group (name "kyc-service"))
> > >        (user-group (name "kyc-rpc"))
> > >        (user-account
> > >         (name "kyc-service")
> > >         (group "kyc-service")
> > >         (system? #f)
> > >         (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > >         (comment "KYC service user"))))
> > >
> > >(define kyc-shepherd-service
> > >  (match-lambda
> > >    (($ <kyc-configuration> package user group)
> > >     (list (shepherd-service
> > >            (provision '(kyc))
> > >            (documentation "Run KYC as a daemon.")
> > >            (requirement '(networking user-processes))
> > >            (modules `((srfi srfi-1)
> > >                       (srfi srfi-26)
> > >                       ,@%default-modules))
> > >            (start #~(make-forkexec-constructor
> > >                      (list (string-append #$package "/bin/kyc"))
> > >                      #:user #$user
> > >                      #:group #$group
> > >                      #:environment-variables
> > >                      (list (string-append "PATH=" #$coreutils "/bin:"
> > >                                           (getenv "PATH"))
> > >                            (string-append "HOME=" "/home/" #$user))))
> > >            (stop #~(make-kill-destructor)))))))
> > >
> > >(define kyc-service-type
> > >  (service-type
> > >   (name 'kyc)
> > >   (extensions (list (service-extension shepherd-root-service-type
> > >                                       kyc-shepherd-service)
> > >                     (service-extension account-service-type
> > >                                       (const %kyc-accounts))))
> > >   (default-value (kyc-configuration))))
> > >
> > >--8<---------------cut here---------------end--------------->8---
> > >
> > >is there anything that I missed for this service definition?
> >
> > I don't see in your snippet where you create the socket or where you
> > change ownership of it, so I don't really understand what is going
> > wrong.
> >
> > Maybe the service itself is responsible for creating the socket and
> > changing ownership? In that case, I wouldn't use #:uses or #:group,
> > as these will run the service as the unprivileged user from the
> > start, instead of running it as root and letting it change user after
> > it's set up things.
> >
> > If you want to create the socket yourself, why not use an
> > activation-service-type?
>
> Thanks for your response,
>
> the application itself is responsible for creation of the socket, and the
> socket is created without problem, but when I try to change the
> ownership of the socket file, I receive an "operation not permitted" error.
>
> I also logged in as the user responsible for running the service and
> ran the application manually; socket creation and permission set
> operations succeeded.
>
> Referring to the above snippet, when I perform all these operations
> manually, everything works without problem:
>
> --8<---------------cut here---------------start------------->8---
> kyc-service@kyc-station /tmp/rpc$ whoami
> kyc-service
> kyc-service@kyc-station /tmp/rpc$ groups
> kyc-service wheel kyc-rpc
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> --8<---------------cut here---------------end--------------->8---
>

I don't remember what the default directory for running services is. I
see that kyc-service has a home directory so IIRC it should be there,
but if it isn't then it might be trying to run from '/'. Can you add
'#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
from that directory.

--
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
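An added diagnostic, not part of the thread: chown(2) lets an unprivileged owner move a file into a group only if that group is the calling process's effective gid or one of its supplementary gids (or the process holds CAP_CHOWN), so the first thing to check is which groups the daemon actually holds after the supervisor drops privileges, which /proc/<pid>/status shows directly. The script assumes Linux /proc and /etc/group; the `pgrep -xn kyc` pid lookup is an assumption.

```shell
#!/bin/sh
# Check what group memberships a running daemon really has.  An interactive
# shell for the same account showing kyc-rpc in `groups` proves nothing about
# the daemon: a supervisor that calls setgid()/setuid() without initgroups()
# leaves the child without its supplementary groups, and chown to such a group
# then fails with EPERM ("operation not permitted").

# Print the effective gid followed by the supplementary gids of a process.
# Usage: proc_gids PID   (PID may be "self")
proc_gids() {
    status="/proc/$1/status"
    [ -r "$status" ] || return 1
    # "Gid:" lists real/effective/saved/fs gids; "Groups:" the supplementary set.
    egid=$(awk '/^Gid:/ { print $3 }' "$status")
    supp=$(awk '/^Groups:/ { $1 = ""; print }' "$status")
    printf '%s %s\n' "$egid" "$supp"
}

# Resolve a group name via /etc/group; a numeric gid passes through unchanged.
group_to_gid() {
    case "$1" in
        *[!0-9]*) awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }' /etc/group ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Exit 0 if process PID may chgrp a file it owns to group NAME_OR_GID, 1 if the
# group is missing from its credentials, 2 if the group cannot be resolved.
# Usage: proc_can_chgrp_to PID NAME_OR_GID
proc_can_chgrp_to() {
    want=$(group_to_gid "$2") || return 2
    for g in $(proc_gids "$1"); do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# Against the kyc daemon from the thread (pgrep-based pid lookup is assumed):
#   proc_can_chgrp_to "$(pgrep -xn kyc)" kyc-rpc \
#       && echo "daemon holds kyc-rpc" || echo "daemon cannot chgrp to kyc-rpc"
```

If the daemon's Groups: line lacks kyc-rpc while the shell's does, the fix is on the privilege-drop side (make sure supplementary groups are initialised before the uid/gid switch, or let the service start as root and drop privileges after it owns the socket), not in the working directory.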