From: "Ludovic Courtès" <ludo@gnu.org>
To: 51440@debbugs.gnu.org
Cc: "Ludovic Courtès" <ludo@gnu.org>
Subject: [bug#51440] [PATCH v2 06/10] services: secret-service: Turn into a Shepherd service.
Date: Mon, 15 Nov 2021 23:30:40 +0100 [thread overview]
Message-ID: <20211115223044.10943-7-ludo@gnu.org> (raw)
In-Reply-To: <20211115223044.10943-1-ludo@gnu.org>
* gnu/services/virtualization.scm (secret-service-activation): Remove.
(secret-service-shepherd-services): New procedure.
(secret-service-type)[extensions]: Remove ACTIVATION-SERVICE-TYPE
extension. Add SHEPHERD-ROOT-SERVICE-TYPE and
USER-PROCESSES-SERVICE-TYPE extensions.
* gnu/build/secret-service.scm (delete-file*): New procedure.
(secret-service-receive-secrets): Use it.
---
gnu/build/secret-service.scm | 17 ++++++++++++-
gnu/services/virtualization.scm | 45 ++++++++++++++++++++++++---------
2 files changed, 49 insertions(+), 13 deletions(-)
diff --git a/gnu/build/secret-service.scm b/gnu/build/secret-service.scm
index 46dcf1b9c3..4e183e11e8 100644
--- a/gnu/build/secret-service.scm
+++ b/gnu/build/secret-service.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020, 2021 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;;
;;; This file is part of GNU Guix.
@@ -111,6 +111,15 @@ (define (send-files sock)
(close-port sock)
#f))))
+(define (delete-file* file)
+ "Ensure FILE does not exist."
+ (catch 'system-error
+ (lambda ()
+ (delete-file file))
+ (lambda args
+ (unless (= ENOENT (system-error-errno args))
+ (apply throw args)))))
+
(define (secret-service-receive-secrets port)
"Listen to local PORT and wait for a secret service client to send secrets.
Write them to the file system. Return the list of files installed on success,
@@ -170,6 +179,12 @@ (define (read-secrets port)
(log "installing file '~a' (~a bytes)...~%"
file size)
(mkdir-p (dirname file))
+
+ ;; It could be that FILE already exists, for instance
+ ;; because it has been created by a service's activation
+ ;; snippet (e.g., SSH host keys). Delete it.
+ (delete-file* file)
+
(call-with-output-file file
(lambda (output)
(dump port output size)
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 1a5744ffbf..b1b10afed6 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -898,23 +898,44 @@ (define qemu-guest-agent-service-type
;;; Secrets for guest VMs.
;;;
-(define (secret-service-activation port)
- "Return an activation snippet that fetches sensitive material at local PORT,
+(define (secret-service-shepherd-services port)
+ "Return a Shepherd service that fetches sensitive material at local PORT,
over TCP. Reboot upon failure."
- (with-imported-modules '((gnu build secret-service)
- (guix build utils))
- #~(begin
- (use-modules (gnu build secret-service))
- (let ((sent (secret-service-receive-secrets #$port)))
- (unless sent
- (sleep 3)
- (reboot))))))
+ ;; This is a Shepherd service, rather than an activation snippet, to make
+ ;; sure it is started once 'networking' is up so it can accept incoming
+ ;; connections.
+ (list
+ (shepherd-service
+ (documentation "Fetch secrets from the host at startup time.")
+ (provision '(secret-service-client))
+ (requirement '(loopback networking))
+ (modules '((gnu build secret-service)
+ (guix build utils)))
+ (start (with-imported-modules '((gnu build secret-service)
+ (guix build utils))
+ #~(lambda ()
+ ;; Since shepherd's output port goes to /dev/log, write this
+ ;; message to stderr so it's visible on the Mach console.
+ (format (current-error-port)
+ "receiving secrets from the host...~%")
+ (force-output (current-error-port))
+
+ (let ((sent (secret-service-receive-secrets #$port)))
+ (unless sent
+ (sleep 3)
+ (reboot))))))
+ (stop #~(const #f)))))
(define secret-service-type
(service-type
(name 'secret-service)
- (extensions (list (service-extension activation-service-type
- secret-service-activation)))
+ (extensions (list (service-extension shepherd-root-service-type
+ secret-service-shepherd-services)
+
+ ;; Make every Shepherd service depend on
+ ;; 'secret-service-client'.
+ (service-extension user-processes-service-type
+ (const '(secret-service-client)))))
(description
"This service fetches secret key and other sensitive material over TCP at
boot time. This service is meant to be used by virtual machines (VMs) that
--
2.33.0
next prev parent reply other threads:[~2021-11-15 22:32 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 13:59 [bug#51440] [PATCH 00/10] Declarative static networking interface Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 01/10] tests: Add 'static-networking' test Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 02/10] tests: openvswitch: Check whether ovs0 is up Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 03/10] doc: Add new "Networking Setup" node for the main setup options Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 04/10] gnu: guile-netlink: Allow cross-compilation Ludovic Courtès
2021-10-28 0:58 ` Julien Lepiller
2021-10-29 21:38 ` [bug#51440] [PATCH 00/10] Declarative static networking interface Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 05/10] services: static-networking: Use Guile-Netlink on GNU/Linux Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 06/10] services: secret-service: Turn into a Shepherd service Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 07/10] services: static-networking: Change interface to mimic netlink Ludovic Courtès
2021-10-28 1:17 ` Julien Lepiller
2021-10-29 21:43 ` [bug#51440] [PATCH 00/10] Declarative static networking interface Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 08/10] services: Define '%qemu-static-networking' Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 09/10] services: Define '%loopback-static-networking' Ludovic Courtès
2021-10-27 14:02 ` [bug#51440] [PATCH 10/10] tests: Replace uses of deprecated 'static-networking-service' Ludovic Courtès
2021-10-27 15:29 ` [bug#51440] [PATCH 00/10] Declarative static networking interface Julien Lepiller
2021-10-29 21:44 ` Ludovic Courtès
2021-11-03 13:27 ` David Aaron Fendley
2021-11-11 22:08 ` Ludovic Courtès
2021-11-14 20:52 ` Ludovic Courtès
2021-11-15 22:30 ` [bug#51440] [PATCH v2 " Ludovic Courtès
2021-11-15 22:30 ` [bug#51440] [PATCH v2 01/10] tests: Add 'static-networking' test Ludovic Courtès
2021-11-15 22:30 ` [bug#51440] [PATCH v2 02/10] tests: openvswitch: Check whether ovs0 is up Ludovic Courtès
2021-11-15 22:30 ` [bug#51440] [PATCH v2 03/10] doc: Add new "Networking Setup" node for the main setup options Ludovic Courtès
2021-11-15 22:30 ` [bug#51440] [PATCH v2 04/10] gnu: guile-netlink: Allow cross-compilation Ludovic Courtès
2021-11-15 22:30 ` [bug#51440] [PATCH v2 05/10] services: static-networking: Use Guile-Netlink on GNU/Linux Ludovic Courtès
2021-11-15 22:30 ` Ludovic Courtès [this message]
2021-11-15 22:30 ` [bug#51440] [PATCH v2 07/10] services: static-networking: Change interface to mimic netlink Ludovic Courtès
2021-11-15 22:30 ` [bug#51440] [PATCH v2 08/10] services: Define '%qemu-static-networking' Ludovic Courtès
2021-11-15 22:30 ` [bug#51440] [PATCH v2 09/10] services: Define '%loopback-static-networking' Ludovic Courtès
2021-11-15 22:30 ` [bug#51440] [PATCH v2 10/10] tests: Replace uses of deprecated 'static-networking-service' Ludovic Courtès
2021-11-17 17:13 ` [bug#51440] [PATCH 00/10] Declarative static networking interface Ludovic Courtès
2021-11-17 19:36 ` Jonathan Brielmaier
2021-11-17 19:36 ` [bug#51440] Static IPv6 address is reversed! Vivien Kraus via Guix-patches via
2021-12-10 10:51 ` [bug#51440] [PATCH 00/10] Declarative static networking interface Ludovic Courtès
2021-12-11 12:56 ` Vivien Kraus via Guix-patches via
2021-12-11 21:39 ` Ludovic Courtès
2021-12-11 22:19 ` Julien Lepiller
2021-12-11 23:32 ` Vivien Kraus via Guix-patches via
2021-12-12 22:00 ` Ludovic Courtès
2021-12-12 22:26 ` Vivien Kraus via Guix-patches via
2021-12-12 23:11 ` bug#51440: " Ludovic Courtès
2021-12-13 17:29 ` [bug#51440] " Mathieu Othacehe
2021-12-14 11:17 ` Vivien Kraus via Guix-patches via
2021-12-14 15:03 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211115223044.10943-7-ludo@gnu.org \
--to=ludo@gnu.org \
--cc=51440@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.