Subject: [bug#29483] [PATCH] services: Add openntpd service.
From: Marius Bakke In-Reply-To: <20171128090443.15544-1-efraim@flashner.co.il> References: <20171128090443.15544-1-efraim@flashner.co.il> Date: Sun, 03 Dec 2017 20:24:13 +0100 Message-ID: <87d13vzkbm.fsf@fastmail.com> To: Efraim Flashner , 29483@debbugs.gnu.org
Efraim Flashner writes: > * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'configure-flags to > set openntpd daemon's user and protected path. Add a custom phase to not > try to create said directory at install time. > * gnu/services/networking.scm (): New record type. > (openntpd-shepherd-service, openntpd-service-activation): New procedures. > (openntpd-service-type): New variable. > * doc/guix.texi (Networking Services): Add openntpd documentation. > --- > doc/guix.texi | 11 ++++++ > gnu/packages/ntp.scm | 12 ++++++ > gnu/services/networking.scm | 92 +++++++++++++++++++++++++++++++++++++++= +++++- > 3 files changed, 114 insertions(+), 1 deletion(-) > > diff --git a/doc/guix.texi b/doc/guix.texi > index 2a6825682..f0a7dd958 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi 
> @@ -10498,6 +10498,17 @@ make an initial adjustment of more than 1,000 se= conds. > List of host names used as the default NTP servers. > @end defvr >=20=20 > +@cindex Openntpd > +@deffn {Scheme Procedure} openntpd-service [#:openntpd @var{openntpd}] @ > + [#:servers @var{%ntp-servers}] @ > + [#:allow-large-adjustment? #f] > +Return a service that runs the daemon from @var{openntpd}, the > +@uref{http://www.openntpd.org, OpenNTPD package}. The daemon will > +keep the system clock synchronized with that of @var{servers}. > +@var{allow-large-adjustment?} determines whether @command{ntpd} is allow= ed to > +make an initial adjustment of more than 180 seconds." > +@end deffn > + > @cindex inetd > @deffn {Scheme variable} inetd-service-type > This service runs the @command{inetd} (@pxref{inetd invocation,,, > diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm > index d270f513d..619b9f998 100644 > --- a/gnu/packages/ntp.scm > +++ b/gnu/packages/ntp.scm > @@ -107,6 +107,18 @@ computers over a network.") > (base32 > "0fn12i4kzsi0zkr4qp3dp9bycmirnfapajqvdfx02zhr4hanj0kv"))= )) > (build-system gnu-build-system) > + (arguments > + '(#:configure-flags '("--with-privsep-user=3Dntpd" > + "--with-privsep-path=3D/var/lib/openntpd" > + "--localstatedir=3D/var/lib/openntpd") Do we have to change localstatedir? Would it work to create /var/run/ntpd.sock and chown it? Or is this the common way of deployment? No strong opinion though. > + #:phases > + (modify-phases %standard-phases > + (add-after 'unpack 'modify-install-locations > + (lambda _ > + ;; Don't try to create /var/lib/openntpd/run or /var/lib/op= enntpd/db > + (substitute* "src/Makefile.in" > + (("DESTDIR\\)\\$\\(localstatedir") "TMPDIR")) > + #t))))) > (inputs > `(("libressl" ,libressl))) ; enable TLS time constraints. See ntpd.= conf(5). > (home-page "http://www.openntpd.org/") > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm > index b0c23aafc..82762738f 100644 
> --- a/gnu/services/networking.scm > +++ b/gnu/services/networking.scm > @@ -1,7 +1,7 @@ > ;;; GNU Guix --- Functional package management for GNU > ;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017 Ludovic Court=C3=A8s <= ludo@gnu.org> > ;;; Copyright =C2=A9 2015 Mark H Weaver > -;;; Copyright =C2=A9 2016 Efraim Flashner > +;;; Copyright =C2=A9 2016, 2017 Efraim Flashner > ;;; Copyright =C2=A9 2016 John Darrington > ;;; Copyright =C2=A9 2017 Cl=C3=A9ment Lassieur > ;;; Copyright =C2=A9 2017 Thomas Danckaert > @@ -62,6 +62,11 @@ > ntp-service > ntp-service-type >=20=20 > + openntpd-configuration > + openntpd-configuration? > + openntpd-service > + openntpd-service-type > + > inetd-configuration > inetd-entry > inetd-service-type 
> @@ -447,6 +452,91 @@ make an initial adjustment of more than 1,000 second= s." > (allow-large-adjustment? > allow-large-adjustment?)))) >=20=20 > +(define-record-type* > + openntpd-configuration make-openntpd-configuration > + openntpd-configuration? > + (openntpd openntpd-configuration-openntpd > + (default openntpd)) > + (servers openntpd-configuration-servers) > + (allow-large-adjustment? openntpd-allow-large-adjustment? > + (default #f))) ; upstream default > + > +(define openntpd-shepherd-service > + (match-lambda > + (($ openntpd servers allow-large-adjustment= ?) > + (let () > + (define config > + (string-append (string-join (map (cut string-append "server " <= >) > + servers) > + "\n") > + " > +# Only listen on localhost > +listen on 127.0.0.1 > +listen on ::1 > + > +# Query the 'Date' from trusted HTTPS servers via TLS. > +constraint from www.gnu.org\n")) It would be good if these options are configurable. A user may want to use a different constraint server, or none at all, and maybe also expose this as an SNTP service. IIRC constraints can also be specified multiple times, so maybe add #:listen-on and #:constraints ? It would also be great to have a system test that at least verifies that the default configuration is okay. Testing NTP functionality may be trickier. > + > + (define ntpd.conf > + (plain-file "ntpd.conf" config)) > + > + (list (shepherd-service > + (provision '(openntpd)) > + (documentation "Run the Network Time Protocol (NTP) daemon= .") > + (requirement '(user-processes networking)) > + (start #~(make-forkexec-constructor > + (list (string-append #$openntpd "/sbin/ntpd") > + "-f" #$ntpd.conf > + #$@(if allow-large-adjustment? > + '("-s") > + '())))) > + (stop #~(make-kill-destructor)))))))) > + > +(define (openntpd-service-activation config) > + "Return the activation gexp for CONFIG." 
> + (with-imported-modules '((guix build utils)) > + #~(begin > + (use-modules (guix build utils)) > + (define %user > + (getpw "ntpd")) > + > + (let ((directory "/var/lib/openntpd")) > + (mkdir-p directory) > + ;; and for the socket > + (mkdir-p (string-append directory "/db")) > + (mkdir-p (string-append directory "/run")) > + (chown directory (passwd:uid %user) (passwd:gid %user)) > + (chmod directory #o755))))) > + > +(define openntpd-service-type > + (service-type (name 'openntpd) > + (extensions > + (list (service-extension shepherd-root-service-type > + openntpd-shepherd-service) > + (service-extension account-service-type > + (const %ntp-accounts)) > + (service-extension activation-service-type > + openntpd-service-activation))) > + (description > + "Run the @command{ntpd}, the Network Time Protocol (NTP) > +daemon of the @uref{http://www.ntp.org, Network Time Foundation}, as > +implemented by OpenNTPD. The daemon will keep the system clock synchron= ized > +with that of the given servers."))) > + > +(define* (openntpd-service #:key (openntpd openntpd) > + (servers %ntp-servers) > + allow-large-adjustment?) > + "Return a service that runs the daemon from @var{openntpd}, the > +@uref{http://www.openntpd.org, OpenNTPD package}. The daemon will > +keep the system clock synchronized with that of @var{servers}. > +@var{allow-large-adjustment?} determines whether @command{ntpd} is allow= ed to > +make an initial adjustment of more than 180 seconds." > + (service openntpd-service-type > + (openntpd-configuration (openntpd openntpd) > + (servers servers) > + (allow-large-adjustment? > + allow-large-adjustment?)))) > + > > ;;; > ;;; Inetd. 
> --=20 > 2.15.0
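Review bot: in the doc/guix.texi hunk, the @deffn body ends with a stray double quote (`make an initial adjustment of more than 180 seconds."`) carried over from the Scheme docstring; drop the quote. The same hunk documents only the `openntpd-service` procedure, while the networking.scm export hunk also exposes `openntpd-configuration` and `openntpd-service-type`; a one-line mention of the configuration record would help users who declare the service directly in their OS definition.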
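Review bot: in the gnu/packages/ntp.scm hunk, the `substitute*` in the 'modify-install-locations phase matches nothing and does nothing, without failing, if a future `src/Makefile.in` no longer contains the literal `DESTDIR)$(localstatedir`, so the install step would silently go back to creating `/var/lib/openntpd/run` and `/db` at build time; end the phase by checking that the substitution actually matched (or let it fail when it did not) instead of returning an unconditional `#t`. A short comment explaining that the replacement leaves the rule pointing at `$(TMPDIR)`, which is only acceptable because those directories are created by the activation script at boot, would save the next reader a trip through the Makefile.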
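Review bot: in the gnu/services/networking.scm `@@ -447,6 +452,91 @@` hunk, the `description` of `openntpd-service-type` is copied from the ntp service and credits the daemon to the Network Time Foundation at http://www.ntp.org, which contradicts the `openntpd-service` docstring a few lines below (OpenNTPD package, http://www.openntpd.org); reword it to describe OpenNTPD. In `openntpd-service-activation`, `chown` is applied only to the top-level `/var/lib/openntpd` while the `db` and `run` subdirectories created just before it stay root-owned, and the `;; and for the socket` comment sits above the `db` mkdir although the socket lives under `run`; since `/var/lib/openntpd` is also the privsep path passed to configure in the ntp.scm hunk, say which ntpd process needs to write where and give the `ntpd` user ownership of only that path rather than of the whole privsep directory, which is the least-privilege choice. Two smaller points: the generated ntpd.conf emits `server` lines for `%ntp-servers`, which the doc hunk describes as host names; for pool names that resolve to several addresses, the `servers` (plural) keyword uses all of them while `server` uses one. And the accessor `openntpd-allow-large-adjustment?` breaks the `openntpd-configuration-` prefix used by the other two fields of the record.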