From: "Ludovic Courtès" <ludo@gnu.org>
To: Thiago Jung Bauermann <bauermann@kolabnow.com>
Cc: 54997@debbugs.gnu.org
Subject: [bug#54997] [PATCH 00/12] Add "least authority" program wrapper
Date: Tue, 26 Apr 2022 22:30:47 +0200
Message-ID: <87o80nk2o8.fsf_-_@gnu.org>
In-Reply-To: <87h76klv6j.fsf@kolabnow.com> (Thiago Jung Bauermann's message of "Fri, 22 Apr 2022 17:10:19 -0300")

Hi!

Thiago Jung Bauermann <bauermann@kolabnow.com> writes:

> I'm a bit concerned about running arbitrary commands as PID 1 of process
> namespaces. A process running as PID 1 (even in a child namespace) is a
> special case and is treated differently by the Linux kernel than any
> other process, so it needs to be a program that has been designed to
> work in that situation. There are two differences from regular
> processes:
>
> 1. PID 1 inherits orphan processes and needs to wait() on them when they
>    quit, in order to avoid accumulating zombie processes in the system.
>
> 2. Unlike regular processes, PID 1 doesn't have default signal handlers.

Good points.

> Both of these aspects are described in more detail here:
>
> https://github.com/krallin/tini/issues/8#issuecomment-146135930
>
> So to avoid an accumulation of zombie processes and other signal-related
> problems, I suggest adding a “(init-program ,tini)” parameter to
> ‘least-authority-wrapper’ and executing ‘program’ as a subprocess of
> ‘tini’ or whatever was passed as the #:init-program (perhaps #f could
> mean running ‘program’ directly as PID 1).

Hmm yes.  It’s not great that the choice is between ‘unshare’—efficient
but the process lives in the parent PID namespace—and ‘clone’—but then
you have to fork twice.

But yeah, you’re right.  I’ll try what you suggest and send a v2.

> I mention this because I'm currently dealing with a problem that has
> exactly this root cause: I'm working on updating the public-inbox
> package to the latest version, and the testsuite is failing because it
> tests that lei's daemon process is correctly terminated. But that
> doesn't work because “guix build” doesn't use a proper init program as
> PID 1 and thus the daemon process goes to zombie state and the testsuite
> thinks that it didn't go away. I'm hoping to send a patch to fix that
> issue.

Now that you mention it, this was discussed before:

  https://issues.guix.gnu.org/30948

I think we should do something about it in gnu-build-system.scm.

Thanks for your feedback!

Ludo’.
