Subject: bug#37388: can lead to syntactically invalid configs
From: Ludovic Courtès
To: Christopher Baines
Cc: 37388@debbugs.gnu.org
Date: Mon, 24 Aug 2020 17:35:12 +0200
Message-ID: <87eenw12hb.fsf@gnu.org>
In-Reply-To: <87d0g3nqjw.fsf@cbaines.net> (Christopher Baines's message of "Sat, 14 Sep 2019 11:02:59 +0100")
References: <87d0g6q752.fsf@inria.fr> <87d0g3nqjw.fsf@cbaines.net>
List-Id: Bug reports for GNU Guix

Hello!

Christopher Baines skribis:

> Ludovic Courtès writes:
>
>> It’s nice that we have but I noticed that, unlike
>> most or all other configuration records that we have, it’s possible to
>> create an record that leads to a syntactically
>> invalid nginx config file.
>>
>> For example, if you have a location block like this:
>>
>>   (nginx-location-configuration
>>    (uri "/manual/")
>>    (body (list "alias /srv/guix-manual")))
>>
>> Guix will silently create an invalid nginx config file, which you’ll
>> only notice once you’ve reconfigured and nginx fails to start.
>
> I wonder if some errors could be caught at build time, before attempting
> to start the service.
>
> If in the derivation to build the configuration file, nginx is run
> against the built config file with -t, that might spot errors at
> derivation build time.

Inspired, I tried the attached patch to do that.

However, that fails in real-world situations, for example due to
out-of-band references to certificates:

--8<---------------cut here---------------start------------->8---
building /gnu/store/5k7w1l5ixg5vx1z7sdyabhgkpvvj7a5z-nginx.conf.drv...
nginx: [alert] could not open error log file: open() "run/logs/error.log" failed (2: No such file or directory)
2020/08/24 15:32:43 [warn] 7#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /gnu/store/c6zkj7rw37hh5a8mab9g37ca2aa33py0-unchecked-nginx.conf:1
2020/08/24 15:32:43 [emerg] 7#0: cannot load certificate "/etc/letsencrypt/live/berlin.guixsd.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/berlin.guixsd.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /gnu/store/c6zkj7rw37hh5a8mab9g37ca2aa33py0-unchecked-nginx.conf test failed
Backtrace:
           2 (primitive-load "/gnu/store/4kb8dz6f6w5g50h8qghl35r1da0?")
In ice-9/eval.scm:
   619:8  1 (_ #f)
In guix/build/utils.scm:
   654:6  0 (invoke _ . _)

guix/build/utils.scm:654:6: In procedure invoke:
ERROR:
  1. &invoke-error:
      program: "/gnu/store/549pl4ch0zi3jjinpf1dckhxb1i0wp8f-nginx-1.19.2/sbin/nginx"
      arguments: ("-c" "/gnu/store/c6zkj7rw37hh5a8mab9g37ca2aa33py0-unchecked-nginx.conf" "-p" "run" "-t")
      exit-status: 1
      term-signal: #f
      stop-signal: #f
builder for `/gnu/store/5k7w1l5ixg5vx1z7sdyabhgkpvvj7a5z-nginx.conf.drv' failed with exit code 1
build of /gnu/store/5k7w1l5ixg5vx1z7sdyabhgkpvvj7a5z-nginx.conf.drv failed
--8<---------------cut here---------------end--------------->8---

I’m not sure what can be done.  Thoughts?

Ludo’.
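A structural check of the kind a build sandbox could run without an nginx binary and without the referenced certificates, added here as an illustration (it is not part of this message or of Guix): it tokenizes the rendered location block and reports any directive that is not terminated by ';' or a balanced '{ ... }' block, which is exactly what the `alias /srv/guix-manual` example above lacks. `render_location` is an assumed, simplified stand-in for how Guix emits the block; `nginx -t` remains the authoritative check.

```python
import re

# Assumption: one body string per line inside "location URI { ... }",
# a simplified stand-in for Guix's own nginx-location-configuration output.
def render_location(uri, body):
    return "location %s {\n%s\n}\n" % (uri, "\n".join("  " + line for line in body))

# Tokens: whitespace, '#' comments, quoted strings, ';' '{' '}', or a bare
# word.  Quoting keeps a string such as "a;b" from ending a directive.
_TOKEN = re.compile(r'''\s+|#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|[^\s;{}"'#]+''')

def tokenize(text):
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError("unterminated quoted string at offset %d" % pos)
        tok, pos = m.group(0), m.end()
        if tok.strip() and not tok.startswith("#"):
            yield tok

def check_config(text):
    """Return a list of problems; empty means every directive is properly
    terminated by ';' or a balanced '{ ... }' block."""
    problems, depth, pending = [], 0, []   # pending: words of the open directive
    for tok in tokenize(text):
        if tok == ";":
            if not pending:
                problems.append("stray ';'")
            pending = []
        elif tok == "{":
            if not pending:
                problems.append("'{' without a directive name")
            depth, pending = depth + 1, []
        elif tok == "}":
            if pending:   # the report's case: "alias /srv/guix-manual" then "}"
                problems.append("directive %r not terminated by ';'" % " ".join(pending))
                pending = []
            if depth == 0:
                problems.append("unbalanced '}'")
            depth = max(depth - 1, 0)
        else:
            pending.append(tok)
    if pending:
        problems.append("directive %r not terminated by ';'" % " ".join(pending))
    if depth:
        problems.append("%d unclosed '{'" % depth)
    return problems

def check_location_body(uri, body):
    # Check the body list of an nginx-location-configuration record.
    return check_config(render_location(uri, body))
```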
--=-=-= Content-Type: text/x-patch Content-Disposition: inline diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 3b9f9e40be..e47acfe118 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -629,7 +629,7 @@ of index files." modules global-directives extra-content) - (apply mixed-text-file "nginx.conf" + (apply mixed-text-file "unchecked-nginx.conf" (flatten "user nginx nginx;\n" "pid " run-directory "/pid;\n" @@ -662,6 +662,19 @@ of index files." extra-content "\n}\n")))) +(define (validated-nginx-configuration-file nginx file) + "Return a copy of FILE, an nginx config file, after checking that it is +syntactically correct." + (computed-file "nginx.conf" + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + + (mkdir "run") + (invoke #+(file-append nginx "/sbin/nginx") + "-c" #$file "-p" "run" "-t") + (copy-file #$file #$output))))) + (define %nginx-accounts (list (user-group (name "nginx") (system? #t)) (user-account @@ -694,8 +707,10 @@ of index files." (mkdir-p (string-append #$run-directory "/logs")) ;; Check configuration file syntax. (system* (string-append #$nginx "/sbin/nginx") - "-c" #$(or file - (default-nginx-config config)) + "-c" #$(validated-nginx-configuration-file + nginx + (or file + (default-nginx-config config))) "-p" #$run-directory "-t")))) @@ -709,8 +724,10 @@ of index files." (lambda args #~(lambda _ (invoke #$nginx-binary "-c" - #$(or file - (default-nginx-config config)) + #$(validated-nginx-configuration-file + nginx + (or file + (default-nginx-config config))) #$@args) (match '#$args (("-s" . _) #f) --=-=-=--
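Review bot: In the validated-nginx-configuration-file hunk, `(mkdir "run")` creates only the prefix directory, so `nginx -p run -t` still fails to open `run/logs/error.log` (the `[alert]` at the top of the build log in the message); use `(mkdir-p "run/logs")`, matching the `(mkdir-p (string-append #$run-directory "/logs"))` the activation code already does. The larger problem is that `invoke` turns any non-zero exit of `nginx -t` into a build failure, and `-t` also opens every file the config references, so a config that points at a certificate under /etc (absent from the build environment) can never be built; the check needs to be limited to configs without out-of-band references or made advisory rather than fatal.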
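Review bot: In the activation hunk, `(validated-nginx-configuration-file nginx (or file (default-nginx-config config)))` is evaluated here and again with identical arguments in the shepherd-action hunk; bind the validated file once (e.g. in a `let` enclosing both) so a single computed-file object is shared. This `system*` call also still runs `nginx -t` at activation time on a file the derivation has already validated, so the syntax check now happens twice, and unlike the build-time `invoke` its exit status is not examined in the visible lines.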