Subject: [bug#31894] Containerize openntpd service
From: ludo@gnu.org (Ludovic Courtès)
Date: Fri, 22 Jun 2018 21:39:01 +0200
To: Efraim Flashner
Cc: 31894@debbugs.gnu.org
In-Reply-To: <20180619093155.GA1200@macbook41> (Efraim Flashner's message of "Tue, 19 Jun 2018 12:31:55 +0300")
Message-ID: <87d0wiy5ka.fsf@gnu.org>

Hello Efraim,

Efraim Flashner writes:

> I tested this patch with the included vm image, using the following
> script. After logging in, 'ntpctl -s all' shows openntpd connecting to
> the ntp servers and updating the time.
>
> /.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53

[...]

> From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
> From: Efraim Flashner
> Date: Tue, 19 Jun 2018 12:24:47 +0300
> Subject: [PATCH] services: openntpd: Containerize openntpd service.
>
> * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
> 'configure-flags and adjust the 'localstatedir' flag.
> * gnu/services/networking.scm (openntpd-shepherd-service): Change the
> start-service command to run in a container, expose '/var/log/openntpd'
> and '/var/lib/openntpd' to the container.
> (openntpd-service-activation): Adjust directories for the changes above.

Neat! The patch LGTM, especially since you’ve confirmed that it still
works as expected. :-)

One thing though: could you make sure containerization isn’t redundant
with what OpenNTPD already does? Namely, could you grep the source for
calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
doing one of these things, it may be that using a container brings
little or nothing.

If it’s OK, please push!

While I’m at it, one question about this comment (which was already
there):

> + ;; When ntpd is daemonized it repeatedly tries to respawn
> + ;; while running, leading shepherd to disable it. To
> + ;; prevent spamming stderr, redirect output to logfile.
> + #:log-file "/var/log/ntpd"))

What’s described here is expected: when it daemonizes, the initial
process that shepherd spawned terminates immediately, which is why
shepherd tries to respawn it (it cannot guess that there’s in fact a
child process that keeps running.)

The right thing to do for things that daemonize is to use the #:pid-file
option, which instructs shepherd to poll that file. Should we do this
here? There are many examples of that, including bitlbee, which is
containerized.

Thanks,
Ludo’.
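Review bot: the log path in the last `+` line of the quoted hunk, `#:log-file "/var/log/ntpd"`, does not sit under the `/var/log/openntpd` directory that the commit message says is exposed to the container; if that file is opened from inside the container's mount namespace, a path outside an exposed directory will not be writable there, so please confirm the redirect happens on the host side or point the log at the exposed directory. The comment in the first three `+` lines also records the respawn symptom rather than its cause (the daemonizing parent exiting), so it should be rewritten or dropped if the service switches to `#:pid-file`.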