Subject: bug#31894: Containerize openntpd service
Date: Tue, 26 Jun 2018 11:25:57 +0300
From: Efraim Flashner
To: Ludovic Courtès
Cc: 31894-done@debbugs.gnu.org
Message-ID: <20180626082557.GA1537@macbook41>
In-Reply-To: <87d0wiy5ka.fsf@gnu.org>
References: <20180619093155.GA1200@macbook41> <87d0wiy5ka.fsf@gnu.org>

On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:
> Hello Efraim,
> 
> Efraim Flashner skribis:
> 
> > I tested this patch with the included vm image, using the following
> > script. After logging in, 'ntpctl -s all' shows openntpd connecting to
> > the ntp servers and updating the time.
> >
> > /.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53
> 
> [...]
> 
> > From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner
> > Date: Tue, 19 Jun 2018 12:24:47 +0300
> > Subject: [PATCH] services: openntpd: Containerize openntpd service.
> >
> > * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
> > 'configure-flags and adjust the 'localstatedir' flag.
> > * gnu/services/networking.scm (openntpd-shepherd-service): Change the
> > start-service command to run in a container, expose '/var/log/openntpd'
> > and '/var/lib/openntpd' to the container.
> > (openntpd-service-activation): Adjust directories for the changes above.
> 
> Neat! The patch LGTM, especially since you’ve confirmed that it still
> works as expected. :-)
> 
> One thing though: could you make sure containerization isn’t redundant
> with what OpenNTPD already does? Namely, could you grep the source for
> calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
> doing one of these things, it may be that using a container brings
> little or nothing.
> 
> If it’s OK, please push!

From grepping the source:

./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
./INSTALL:processing is done as a chroot'ed, unprivileged user).

The code also supports the assertion. It defaults to /var/empty, unless the
--with-privsep-path=path flag is set, so it looks like my patch is
unnecessary after all. :)

> 
> While I’m at it, one question about this comment (which was already there):
> 
> > + ;; When ntpd is daemonized it repeatedly tries to respawn
> > + ;; while running, leading shepherd to disable it. To
> > + ;; prevent spamming stderr, redirect output to logfile.
> > + #:log-file "/var/log/ntpd"))
> 
> What’s described here is expected: when it daemonizes, the initial
> process that shepherd spawned terminates immediately, which is why
> shepherd tries to respawn it (it cannot guess that there’s in fact a
> child process that keeps running.)
> 
> The right thing to do for things that daemonize is to use the #:pid-file
> option, which instructs shepherd to poll that file. Should we do this
> here? There are many examples of that, including bitlbee, which is
> containerized.
> 

I'll take a look at that and see if I can fix that.

> Thanks,
> Ludo’.

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
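Review bot: the comment above the `#:log-file "/var/log/ntpd"` line describes the symptom rather than the cause, and the option only hides it. ntpd forks into the background, the process shepherd started exits, shepherd reads that exit as a crash and respawns the service; redirecting output to a log file silences the resulting noise but leaves the respawn loop in place. Replace the log-file workaround with `#:pid-file` so shepherd polls the PID file and tracks the real daemon (the bitlbee service mentioned in the reply is an in-tree example of this), and reword the comment to say that a PID file is needed because ntpd daemonizes.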
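As an added example, not part of this thread or of the Guix patch under review, here is the shape of a shepherd service for a program that daemonizes, written the way the reply above recommends: `#:pid-file` instead of relying on the process shepherd forked. The daemon itself, its `-p` flag, the PID-file and log paths, and the `networking` requirement are assumptions for illustration; the keyword arguments are those of shepherd's `make-forkexec-constructor`, and `file-append`, `simple-service` and `shepherd-root-service-type` are the usual Guix bindings.

```scheme
;; Added example, not from the patch under review: a shepherd service for a
;; program that forks into the background.  Everything about the daemon
;; itself (its name, its -p flag, the paths) is assumed for illustration.
(use-modules (gnu services)
             (gnu services shepherd)
             (guix gexp))

;; Assumed: the daemon writes the PID of the detached process to this file.
(define %example-daemon-pid-file "/var/run/example-daemon.pid")

(define (example-daemon-shepherd-service package)
  "Return a shepherd service running sbin/example-daemon from PACKAGE."
  (shepherd-service
   (documentation "Run example-daemon, which detaches from its parent.")
   (provision '(example-daemon))
   (requirement '(networking))
   ;; Without #:pid-file, shepherd watches the process it forked.  When
   ;; that process exits after daemonizing, shepherd treats the service
   ;; as dead and respawns it even though the real daemon keeps running.
   ;; With #:pid-file, shepherd waits for the file to appear and then
   ;; tracks the PID it finds there.
   (start #~(make-forkexec-constructor
             (list #$(file-append package "/sbin/example-daemon")
                   "-p" #$%example-daemon-pid-file)   ; assumed flag
             #:pid-file #$%example-daemon-pid-file
             ;; Report a failed start if the file does not show up within
             ;; this many seconds, instead of hanging or respawning.
             #:pid-file-timeout 10
             ;; Still worthwhile on its own: keep the daemon's stdout and
             ;; stderr out of shepherd's output.
             #:log-file "/var/log/example-daemon.log"))
   (stop #~(make-kill-destructor))))

;; Registration for an operating-system declaration; EXAMPLE-DAEMON would
;; be the package object providing sbin/example-daemon (assumed to exist).
(define (example-daemon-service package)
  (simple-service 'example-daemon
                  shepherd-root-service-type
                  (list (example-daemon-shepherd-service package))))

;; Usage inside (operating-system ... (services (cons (example-daemon-service example-daemon) %base-services)))
```

The PID-file approach also composes with containerization: the file only has to be visible to shepherd, so when the start command runs in a container the directory holding it needs to be among the paths exposed to that container, exactly as the patch already does for /var/log/openntpd and /var/lib/openntpd.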