* gnunet-service, first draft in need of review.
@ 2016-12-19 19:30 ng0
2016-12-19 19:30 ` [PATCH] gnu: services: Add gnunet-service ng0
2016-12-20 16:59 ` gnunet-service, first draft in need of review Hartmut Goebel
0 siblings, 2 replies; 7+ messages in thread
From: ng0 @ 2016-12-19 19:30 UTC (permalink / raw)
To: guix-devel
Hi, I picked up the service I started working on in September.
In some parts I'm picking a starting point now with what I already
worked on in the past, file:net-misc/gnunet/files/gnunet.initd visible
at https://gnunet.org/git/youbroketheinternet-overlay.git/
specifically with the setuid parts. I'm pretty sure that the setuid
thing was removed in a later revision, but (sadly) I have to deal with
this terrible old checkout which is 0.10.1 for reasons.
I'd like someone to review the shepherd service so I can be sure that
the errors I'm getting aren't gnunet related. You have to configure a
system (didn't test VMs) with this patch. gnunet will fail to start,
and then you have to "sudo shepherd start gnunet". Your user can get
added to the now existing gnunet group, which is the upstream intended
way to use gnunet (or one of the ways) with one system user/group and
users belonging to the group to start/execute the binaries.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] gnu: services: Add gnunet-service.
From: ng0 @ 2016-12-19 19:30 UTC (permalink / raw)
To: guix-devel; +Cc: ng0
From: ng0 <ng0@we.make.ritual.n0.is>
---
doc/guix.texi | 36 ++++++++++++++
gnu/services/networking.scm | 114 +++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 149 insertions(+), 1 deletion(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 99bde4aca..6c683393e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -8903,6 +8903,42 @@ Boolean values @var{ipv4?} and @var{ipv6?} determine whether to use IPv4/IPv6
sockets.
@end deffn
+@cindex GNUnet
+@cindex gnunet
+@subsubheading GNUnet Service
+
+@deffn {Scheme Variable} gnunet-service-type
+This is the type of the @uref{https://gnunet.org, GNUnet}
+service, whose value should be an @code{gnunet-configuration} object
+as in this example:
+
+@example
+(service gnunet-service-type
+ (gnunet-configuration
+ (config-file (local-file "./gnunet.conf"))))
+@end example
+@end deffn
+
+@deftp {Data Type} gnunet-configuration
+Data type representing the configuration of GNUnet.
+
+@table @asis
+@item @code{package} (default: @var{gnunet})
+Package object of the GNUnet service.
+
+@item @code{config-file} (default: @var{%default-gnunet-file})
+File-like object of the GNUnet configuration file to use. For NAT is
+assumes by default that you are behind a NAT (@var{BEHIND_NAT = YES})
+and enables UPNP (@var{ENABLE_UPNP = YES}).
+The hostlist is configured with the options @var{-b} (bootstrap using
+configured hostlist servers) and @var{-e} (enable learning advertised hostlists).
+Read the configuration files in @var{"~/.guix-profile/share/gnunet/config.d/"}
+for more information. These files also set the defaults when you don't set
+any explicit values to override them.
+
+@end table
+@end deftp
+
@node X Window
@subsubsection X Window
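Review bot: the documented default for config-file, `@var{%default-gnunet-file}`, does not match the variable this patch defines and exports, `%default-gnunet-config-file`; fix the name in the @item line. Two wording slips in the same @deftp: "an @code{gnunet-configuration} object" should be "a @code{gnunet-configuration} object", and "For NAT is assumes by default" should read "For NAT it assumes by default". On markup, @var is for metasyntactic variables, so configuration keys such as BEHIND_NAT = YES belong in @code and the path ~/.guix-profile/share/gnunet/config.d/ in @file. Finally, the entry says nothing about the privilege model the cover letter describes (one system user and group, with users added to the gnunet group to use the binaries) nor that the service registers several setuid helpers; since the point of a system-wide service is to let unprivileged users share one peer, state that here, together with the trade-off against the per-user gnunet-arm setup.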
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index d672ecf68..ff3615ea2 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 John Darrington <jmd@gnu.org>
+;;; Copyright © 2016 ng0 <ng0@libertad.pw>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -27,6 +28,7 @@
#:use-module (gnu system pam)
#:use-module (gnu packages admin)
#:use-module (gnu packages connman)
+ #:use-module (gnu packages gnunet)
#:use-module (gnu packages linux)
#:use-module (gnu packages tor)
#:use-module (gnu packages messaging)
@@ -66,7 +68,12 @@
wicd-service
network-manager-service
connman-service
- wpa-supplicant-service-type))
+ wpa-supplicant-service-type
+
+ gnunet-configuration
+ gnunet-configuration?
+ gnunet-service-type
+ %default-gnunet-config-file))
;;; Commentary:
;;;
@@ -781,4 +788,109 @@ configure networking."
(service-extension dbus-root-service-type list)
(service-extension profile-service-type list)))))
+\f
+;;; GNUnet
+;;;
+;;;
+
+(define-record-type* <gnunet-configuration>
+ gnunet-configuration make-gnunet-configuration
+ gnunet-configuration?
+ (package gnunet-configuration-package
+ (default gnunet))
+ (config-file gnunet-configuration-config-file
+ (default %default-gnunet-config-file)))
+
+(define %default-gnunet-config-file
+ (plain-file "gnunet.conf" "
+[PATHS]
+SERVICEHOME = /var/lib/gnunet
+GNUNET_CONFIG_HOME = /var/lib/gnunet
+
+[arm]
+SYSTEM_ONLY = YES
+USER_ONLY = NO
+
+[nat]
+BEHIND_NAT = YES
+ENABLE_UPNP = YES
+
+[hostlist]
+OPTIONS = -b -e
+"))
+
+(define gnunet-shepherd-service
+ (match-lambda
+ (($ <gnunet-configuration> package config-file)
+ (list (shepherd-service
+ (provision '(gnunet))
+ (requirement '(user-processes loopback))
+ (documentation "Run the GNUnet service.")
+ (start
+ (let ((gnunet
+ (file-append package "/lib/gnunet/libexec/gnunet-service-arm")))
+ #~(make-forkexec-constructor
+ (list #$gnunet "-c" #$config-file)
+ #:pid-file "/var/run/gnunet.pid")))
+ (stop
+ #~(make-kill-destructor
+ (list #$gnunet "-e"))))))))
+
+(define %gnunet-accounts
+ (list (user-group
+ (name "gnunetdns")
+ (system? #t))
+ (user-group
+ (name "gnunet")
+ (system? #t))
+ (user-account
+ (name "gnunet")
+ (group "gnunet")
+ (system? #t)
+ (comment "GNUnet system user")
+ (home-directory "/var/empty")
+ (shell #~(string-append #$shadow "/sbin/nologin")))))
+
+(define gnunet-activation
+ (match-lambda
+ (($ <gnunet-configuration> package config-file)
+ (let ((gnunet
+ (file-append package "/lib/gnunet/libexec/gnunet-service-arm")))
+ #~(begin
+ (use-modules (guix build utils))
+ (define %user (getpw "gnunet"))
+ (mkdir-p "/var/lib/gnunet/")
+ (chown "/var/lib/gnunet" (passwd:uid %user) (passwd:gid %user))
+ (chmod "/var/lib/gnunet/" #o600)
+ (mkdir-p "/var/lib/gnunet/.local/share/gnunet")
+ (mkdir-p "/var/lib/gnunet/.cache/gnunet")
+ (mkdir-p "/var/lib/gnunet/.config/gnunet")
+ (chmod "/var/lib/gnunet/.config/gnunet" #o600)
+ (chmod "/var/lib/gnunet/.cache/gnunet" #o600)
+ (chmod "/var/lib/gnunet/.local/share/gnunet" #o600))))))
+
+(define gnunet-setuid-programs
+ (match-lambda
+ (($ <gnunet-configuration> package)
+ (list (file-append package "/lib/gnunet/libexec/gnunet-helper-exit")
+ (file-append package "/lib/gnunet/libexec/gnunet-helper-nat-server")
+ (file-append package "/lib/gnunet/libexec/gnunet-helper-nat-client")
+ (file-append package "/lib/gnunet/libexec/gnunet-helper-transport-bluetooth")
+ (file-append package "/lib/gnunet/libexec/gnunet-helper-transport-wlan")
+ (file-append package "/lib/gnunet/libexec/gnunet-helper-vpn")))))
+
+(define gnunet-service-type
+ (service-type
+ (name 'gnunet)
+ (extensions (list (service-extension account-service-type
+ (const %gnunet-accounts))
+ (service-extension activation-service-type
+ gnunet-activation)
+ (service-extension profile-service-type
+ (compose list gnunet-configuration-package))
+ (service-extension setuid-program-service-type
+ gnunet-setuid-programs)
+ (service-extension shepherd-root-service-type
+ gnunet-shepherd-service)))))
+
;;; networking.scm ends here
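Review bot: the stop gexp in gnunet-shepherd-service references `#$gnunet`, but `gnunet` is bound only by the let inside start, so building the service fails with an unbound variable; make-kill-destructor also takes an optional signal rather than a command, so `(stop #~(make-kill-destructor))` is all that is needed. The start constructor passes no #:user/#:group, so gnunet-service-arm runs as root, which is what produces root-owned files under /var/lib/gnunet; pass `#:user "gnunet"` and `#:group "gnunet"` the way postgresql-shepherd-service does. Also confirm that gnunet-service-arm actually writes /var/run/gnunet.pid with this configuration: with #:pid-file the constructor waits for that file and, as far as I know, reports the service as failed when it never appears, which would match the "fails to start" symptom in the cover letter. In gnunet-activation, `(chmod "/var/lib/gnunet/" #o600)` strips the execute bit from a directory, so the gnunet user cannot traverse it (the following mkdir-p calls still succeed because activation runs as root), and the subdirectories created afterwards stay root-owned because only the top directory is chowned; use #o700 and chown each directory you create. The let-bound `gnunet` and `config-file` in that function are unused. Lastly, gnunet-setuid-programs hands six helpers to setuid-program-service-type, which to my knowledge installs them root-owned and executable by every local user, whereas upstream restricts these helpers to the gnunet group; since exit, vpn, the nat helpers and the wlan/bluetooth transports all touch raw sockets or network interfaces, consider registering only the helpers the default configuration needs and documenting the exposure.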
--
2.11.0
* Re: gnunet-service, first draft in need of review.
From: Hartmut Goebel @ 2016-12-20 16:59 UTC (permalink / raw)
To: guix-devel
On 19.12.2016 at 20:30, ng0 wrote:
> I'd like someone to review the shepherd service so I can be sure that
> the errors I'm getting aren't gnunet related. You have to configure a
Maybe this is due to wrong file-system permissions: In gnunet-activation
you write:
+ (chmod "/var/lib/gnunet/" #o600)
+ (mkdir-p "/var/lib/gnunet/.local/share/gnunet")
So the service first removes the write permissions and then tries to
create a sub-directory.
--
Regards
Hartmut Goebel
| Hartmut Goebel | h.goebel@crazy-compilers.com |
| www.crazy-compilers.com | compilers which you thought are impossible |
* Re: gnunet-service, first draft in need of review.
From: ng0 @ 2016-12-20 17:11 UTC (permalink / raw)
To: guix-devel
Hartmut Goebel <h.goebel@crazy-compilers.com> writes:
> On 19.12.2016 at 20:30, ng0 wrote:
>> I'd like someone to review the shepherd service so I can be sure that
>> the errors I'm getting aren't gnunet related. You have to configure a
>
> Maybe this is due to wrong file-system permissions: In gnunet-activation
> you write:
>
> + (chmod "/var/lib/gnunet/" #o600)
> + (mkdir-p "/var/lib/gnunet/.local/share/gnunet")
>
>
> So the service first removes the write permissions and then tries to
> create a sub-directory.
I found that the files created (for example $directory/hostlists/new
(or whatever the name was)) are owned by root. This should not
happen; it should be gnunet:gnunet.
The permissions have to be very restrictive, at least from what I
remember writing the Gentoo package and service.
I'll try to adjust the chmod level then; maybe this fixes the
not-starting problem.
--
♥Ⓐ ng0 | PGP keys and more: https://n0is.noblogs.org/
| http://ng0.chaosnet.org
* Re: gnunet-service, first draft in need of review.
From: Hartmut Goebel @ 2016-12-20 19:44 UTC (permalink / raw)
To: ng0, guix-devel
On 20.12.2016 at 18:11, ng0 wrote:
> I found the files created (for example $directory/hostlists/new
> (or whatever the name was) is owned by root. this should not
> happen, it should be gnunet:gnunet.
Then maybe the process is run as root. postgresql-shepherd-service has
an example for how to switch the user.
--
Regards
Hartmut Goebel
| Hartmut Goebel | h.goebel@crazy-compilers.com |
| www.crazy-compilers.com | compilers which you thought are impossible |
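The two fixes discussed in this sub-thread (drop to the gnunet user before exec, and hand the state directories to that user with a traversable mode) put together, as an added example that is not the patch's code nor anything from the Guix tree. It assumes the `<gnunet-configuration>` record from the patch, the `(gnu services shepherd)` API, and the `#:user`/`#:group` keywords of `make-forkexec-constructor` that postgresql-shepherd-service already relies on; the directory list is the one the patch creates, with its parent components added.

```scheme
;; Added example, not the patch's code: a least-privilege variant of
;; gnunet-shepherd-service and gnunet-activation.  Assumes the
;; <gnunet-configuration> record defined in the patch.
(use-modules (gnu services shepherd)
             (guix gexp)
             (ice-9 match))

(define gnunet-shepherd-service
  (match-lambda
    (($ <gnunet-configuration> package config-file)
     (let ((arm (file-append package "/lib/gnunet/libexec/gnunet-service-arm")))
       (list (shepherd-service
              (provision '(gnunet))
              (requirement '(user-processes loopback))
              (documentation "Run the GNUnet ARM daemon as the gnunet user.")
              ;; Drop privileges before exec, as postgresql-shepherd-service
              ;; does, so the daemon never runs as root and everything it
              ;; writes under /var/lib/gnunet is owned by gnunet:gnunet.
              (start #~(make-forkexec-constructor
                        (list #$arm "-c" #$config-file)
                        #:user "gnunet"
                        #:group "gnunet"))
              ;; make-kill-destructor takes an optional signal, not a command.
              (stop #~(make-kill-destructor))))))))

(define gnunet-activation
  (match-lambda
    (($ <gnunet-configuration> package config-file)
     #~(begin
         (use-modules (guix build utils))
         (let* ((user (getpw "gnunet"))
                (uid  (passwd:uid user))
                (gid  (passwd:gid user)))
           (for-each (lambda (dir)
                       (mkdir-p dir)
                       ;; Activation runs as root, so every directory it
                       ;; creates is root-owned until it is chowned; chown
                       ;; each one, not only the top-level directory.
                       (chown dir uid gid)
                       ;; #o700 rather than #o600: a directory needs the
                       ;; execute bit to be entered, otherwise the daemon
                       ;; is locked out of its own state directory.
                       (chmod dir #o700))
                     ;; Parents first, so each component exists and is
                     ;; owned by the service user before its children.
                     '("/var/lib/gnunet"
                       "/var/lib/gnunet/.local"
                       "/var/lib/gnunet/.local/share"
                       "/var/lib/gnunet/.local/share/gnunet"
                       "/var/lib/gnunet/.cache"
                       "/var/lib/gnunet/.cache/gnunet"
                       "/var/lib/gnunet/.config"
                       "/var/lib/gnunet/.config/gnunet")))))))
```

Both definitions plug into gnunet-service-type exactly as in the patch (activation-service-type and shepherd-root-service-type extensions); the %gnunet-accounts and setuid lists are unchanged. With the daemon no longer root, any file it creates carries the gnunet uid, which is the ownership ng0 expected to see.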
* Re: [PATCH] gnu: services: Add gnunet-service.
From: Ludovic Courtès @ 2016-12-21 9:10 UTC (permalink / raw)
To: ng0; +Cc: guix-devel, ng0
ng0 <ng0@libertad.pw> writes:
> +@cindex GNUnet
> +@cindex gnunet
> +@subsubheading GNUnet Service
> +
> +@deffn {Scheme Variable} gnunet-service-type
> +This is the type of the @uref{https://gnunet.org, GNUnet}
Since GNUnet is supposed to be available to unprivileged users via
‘gnunet-arm’, perhaps you could clarify a bit what this does and what
the tradeoffs are?
[...]
> + (user-account
> + (name "gnunet")
> + (group "gnunet")
> + (system? #t)
> + (comment "GNUnet system user")
> + (home-directory "/var/empty")
> + (shell #~(string-append #$shadow "/sbin/nologin")))))
Prefer (file-append shadow "/sbin/nologin").
> +(define gnunet-activation
> + (match-lambda
> + (($ <gnunet-configuration> package config-file)
> + (let ((gnunet
> + (file-append package "/lib/gnunet/libexec/gnunet-service-arm")))
> + #~(begin
> + (use-modules (guix build utils))
> + (define %user (getpw "gnunet"))
> + (mkdir-p "/var/lib/gnunet/")
> + (chown "/var/lib/gnunet" (passwd:uid %user) (passwd:gid %user))
> + (chmod "/var/lib/gnunet/" #o600)
> + (mkdir-p "/var/lib/gnunet/.local/share/gnunet")
> + (mkdir-p "/var/lib/gnunet/.cache/gnunet")
> + (mkdir-p "/var/lib/gnunet/.config/gnunet")
> + (chmod "/var/lib/gnunet/.config/gnunet" #o600)
> + (chmod "/var/lib/gnunet/.cache/gnunet" #o600)
> + (chmod "/var/lib/gnunet/.local/share/gnunet" #o600))))))
The .local, .share, and .config sub-directories here look fishy. I’d
suggest reporting that as a bug upstream. :-)
The rest LGTM!
Thanks,
Ludo’.
* Re: [PATCH] gnu: services: Add gnunet-service.
From: ng0 @ 2016-12-21 14:57 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
Ludovic Courtès <ludo@gnu.org> writes:
> ng0 <ng0@libertad.pw> writes:
>
>> +@cindex GNUnet
>> +@cindex gnunet
>> +@subsubheading GNUnet Service
>> +
>> +@deffn {Scheme Variable} gnunet-service-type
>> +This is the type of the @uref{https://gnunet.org, GNUnet}
>
> Since GNUnet is supposed to be available to unprivileged users via
> ‘gnunet-arm’, perhaps you could clarify a bit what this does and what
> the tradeoffs are?
I can document this in the next preview I send to the
list. Running gnunet via a system service is the correct way to run
it; this way multiple unix users can have their own ego (gnunet
term) etc. You will no longer use gnunet-arm, you just use the
gnunet subsystems directly.
>
> [...]
>
>> + (user-account
>> + (name "gnunet")
>> + (group "gnunet")
>> + (system? #t)
>> + (comment "GNUnet system user")
>> + (home-directory "/var/empty")
>> + (shell #~(string-append #$shadow "/sbin/nologin")))))
>
> Prefer (file-append shadow "/sbin/nologin").
Ok.
>> +(define gnunet-activation
>> + (match-lambda
>> + (($ <gnunet-configuration> package config-file)
>> + (let ((gnunet
>> + (file-append package "/lib/gnunet/libexec/gnunet-service-arm")))
>> + #~(begin
>> + (use-modules (guix build utils))
>> + (define %user (getpw "gnunet"))
>> + (mkdir-p "/var/lib/gnunet/")
>> + (chown "/var/lib/gnunet" (passwd:uid %user) (passwd:gid %user))
>> + (chmod "/var/lib/gnunet/" #o600)
>> + (mkdir-p "/var/lib/gnunet/.local/share/gnunet")
>> + (mkdir-p "/var/lib/gnunet/.cache/gnunet")
>> + (mkdir-p "/var/lib/gnunet/.config/gnunet")
>> + (chmod "/var/lib/gnunet/.config/gnunet" #o600)
>> + (chmod "/var/lib/gnunet/.cache/gnunet" #o600)
>> + (chmod "/var/lib/gnunet/.local/share/gnunet" #o600))))))
>
> The .local, .share, and .config sub-directories here look fishy. I’d
> suggest reporting that as a bug upstream. :-)
I'm discussing it right now, to figure out if this was fixed
later or if this is still relevant to report, and if it was fixed
later if it can be backported.
> The rest LGTM!
>
> Thanks,
> Ludo’.
>
Thanks for this first review.
--
♥Ⓐ ng0 | PGP keys and more: https://n0is.noblogs.org/
| http://ng0.chaosnet.org