From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#31894: closed (Containerize openntpd service)
Date: Tue, 26 Jun 2018 08:27:01 +0000
Your message dated Tue, 26 Jun 2018 11:25:57 +0300
with message-id <address@hidden>
and subject line Re: [bug#31894] Containerize openntpd service
has caused the debbugs.gnu.org bug report #31894,
regarding Containerize openntpd service
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)

--
31894: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=31894
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: Containerize openntpd service
Date: Tue, 19 Jun 2018 12:31:55 +0300
User-agent: Mutt/1.10.0 (2018-05-17)

I tested this patch with the included vm image, using the following
script. After logging in, 'ntpctl -s all' shows openntpd connecting to
the ntp servers and updating the time.

/.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:53

--
Efraim Flashner <address@hidden> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Attachment: 0001-services-openntpd-Containerize-openntpd-service.patch
Description: Text document

Attachment: vm-image.scm
Description: Text document

Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Subject: Re: [bug#31894] Containerize openntpd service
Date: Tue, 26 Jun 2018 11:25:57 +0300
User-agent: Mutt/1.10.0 (2018-05-17)

On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:
> Hello Efraim,
>
> Efraim Flashner <address@hidden> skribis:
>
> > I tested this patch with the included vm image, using the following
> > script. After logging in, 'ntpctl -s all' shows openntpd connecting to
> > the ntp servers and updating the time.
> >
> > /.$(./pre-inst-env guix environment guix -- ./pre-inst-env guix system vm
> > ~/vm-image.scm) -m 768 -device e1000,netdev=net0 -netdev
> > user,id=net0,hostfwd=tcp::5555-:53
>
> [...]
>
> > From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner <address@hidden>
> > Date: Tue, 19 Jun 2018 12:24:47 +0300
> > Subject: [PATCH] services: openntpd: Containerize openntpd service.
> >
> > * gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to
> > 'configure-flags and adjust the 'localstatedir' flag.
> > * gnu/services/networking.scm (openntpd-shepherd-service): Change the
> > start-service command to run in a container, expose '/var/log/openntpd'
> > and '/var/lib/openntpd' to the container.
> > (openntpd-service-activation): Adjust directories for the changes above.
>
> Neat! The patch LGTM, especially since you’ve confirmed that it still
> works as expected. :-)
>
> One thing though: could you make sure containerization isn’t redundant
> with what OpenNTPD already does? Namely, could you grep the source for
> calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
> doing one of these things, it may be that using a container brings
> little or nothing.
>
> If it’s OK, please push!

From grepping the source:

./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
./INSTALL:processing is done as a chroot'ed, unprivileged user).

The code also supports the assertion. It defaults to /var/empty, unless
the --with-privsep-path=path flag is set, so it looks like my patch is
unnecessary after all. :)

> While I’m at it, one question about this comment (which was already there):
>
> > +                 ;; When ntpd is daemonized it repeatedly tries to respawn
> > +                 ;; while running, leading shepherd to disable it.  To
> > +                 ;; prevent spamming stderr, redirect output to logfile.
> > +                 #:log-file "/var/log/ntpd"))
>
> What’s described here is expected: when it daemonizes, the initial
> process that shepherd spawned terminates immediately, which is why
> shepherd tries to respawn it (it cannot guess that there’s in fact a
> child process that keeps running.)
>
> The right thing to do for things that daemonize is to use the #:pid-file
> option, which instructs shepherd to poll that file. Should we do this
> here? There are many examples of that, including bitlbee, which is
> containerized.

I'll take a look at that and see if I can fix that.

> Thanks,
> Ludo’.

--
Efraim Flashner <address@hidden> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Attachment: signature.asc
Description: PGP signature
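Review bot: the `#:log-file "/var/log/ntpd"` in the quoted fragment treats the symptom the comment above it describes, not the cause. The comment itself says the start command daemonizes and shepherd then respawns it until it gives up; redirecting stderr only hides that churn, whereas passing `#:pid-file` (the fix the reply proposes) tells shepherd which process actually survived and makes the respawn loop, and the need to justify the log redirection, disappear. Separately, the commit message says the container exposes '/var/log/openntpd', while this line writes to '/var/log/ntpd'; the two paths should agree so the daemon's output and its log directory live in one place.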
--- End Message ---
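The thread leaves one thing open: replacing the stderr redirection with shepherd's #:pid-file so a daemonizing ntpd is tracked by the PID it writes rather than by the short-lived parent. The following is an added illustrative example of that pattern, not the patch from bug#31894 and not Guix's shipped openntpd service. The names `example-openntpd-shepherd-service`, `%example-ntpd-pid-file` and `%example-ntpd-log-file`, the `config-file` argument and the assumption that the packaged ntpd accepts `-f FILE` and `-p FILE` (write PID to FILE) are this example's own and should be checked against the binary's usage output before use.

```scheme
;; Added example (not the bug#31894 patch, not Guix's own openntpd service):
;; a shepherd service for a program that daemonizes.  The point is
;; #:pid-file: shepherd waits for the file and tracks the PID in it, so the
;; parent exiting right after fork() is no longer mistaken for a crash.
(use-modules (gnu services shepherd)
             (gnu packages ntp)
             (guix gexp))

;; Assumptions made for this example: ntpd takes '-f FILE' for its
;; configuration and '-p FILE' to write its PID; the paths are illustrative.
(define %example-ntpd-pid-file "/var/run/ntpd.pid")
(define %example-ntpd-log-file "/var/log/ntpd")

(define (example-openntpd-shepherd-service config-file)
  "Return a list with one shepherd service that runs ntpd on CONFIG-FILE."
  (list
   (shepherd-service
    (provision '(ntpd))
    (documentation "Run the OpenNTPD daemon (added example).")
    (requirement '(user-processes networking))
    (start #~(make-forkexec-constructor
              (list #$(file-append openntpd "/sbin/ntpd")
                    "-f" #$config-file
                    "-p" #$%example-ntpd-pid-file)
              ;; ntpd forks and the parent exits.  Without #:pid-file,
              ;; shepherd sees its child die immediately, respawns it, and
              ;; after a few rounds disables the service.  With it, shepherd
              ;; polls the file and adopts the PID written there.
              #:pid-file #$%example-ntpd-pid-file
              ;; Still worth keeping so the daemon's output does not land in
              ;; shepherd's own log, but on its own this only hides the
              ;; respawn symptom.
              #:log-file #$%example-ntpd-log-file))
    (stop #~(make-kill-destructor)))))
```

Wire it into a service type with `(service-extension shepherd-root-service-type example-openntpd-shepherd-service)`. A containerized variant is the same form with `make-forkexec-constructor/container`, which takes the same `#:pid-file` and `#:log-file` keywords plus `#:mappings` for the directories the daemon must see; that is how the bitlbee service the reply points to is written. Given the thread's finding that OpenNTPD already drops to an unprivileged user inside a chroot (by default /var/empty), the PID-file change is the part that still matters here.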