[PATCH Shepherd] shepherd: service: Add #:supplementary-groups.

Done. Submitted by Oleg Pykhalov.
Details
2 participants
  • Oleg Pykhalov
  • Ludovic Courtès
Owner
unassigned
Severity
normal
Oleg Pykhalov wrote on 28 May 07:19 +0200
To: guix-patches <guix-patches@gnu.org>
Message-ID: 87a71sbpr4.fsf@gmail.com
Hello Guix,
This patch provides a way to specify supplementary groups for services. It's useful for services which could be used with a Docker group, e.g. Jenkins.
The ‘shepherd’ package in Guix built successfully with the current patch, and I succeeded in pulling and reconfiguring my Guix system with it. Also, ‘make check’ in Shepherd's Git repository passes its tests.
From 5718eb5f4130530b48df896d7f7e4a126e08428a Mon Sep 17 00:00:00 2001From: Oleg Pykhalov <go.wigust@gmail.com>Date: Sun, 24 May 2020 20:30:27 +0300Subject: [PATCH] service: Add #:supplementary-groups.
* modules/shepherd/service.scm (format-supplementary-groups): New procedure.(exec-command, fork+exec-command, make-forkexec-constructor): Add'#:supplementary-groups'.* doc/shepherd.texi (Service De- and Constructors): Document this.--- doc/shepherd.texi | 39 +++++++++++++++++++++--------------- modules/shepherd/service.scm | 16 ++++++++++++++- 2 files changed, 38 insertions(+), 17 deletions(-)
Toggle diff (159 lines)diff --git a/doc/shepherd.texi b/doc/shepherd.texiindex 7217ec2..56ef03d 100644--- a/doc/shepherd.texi+++ b/doc/shepherd.texi@@ -11,7 +11,8 @@ @copying Copyright @copyright{} @value{OLD-YEARS} Wolfgang J@"ahrling@* Copyright @copyright{} @value{NEW-YEARS} Ludovic Courtès@*-Copyright @copyright{} 2020 Brice Waegeneire+Copyright @copyright{} 2020 Brice Waegeneire@*+Copyright @copyright{} 2020 Oleg Pykhalov Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or@@ -893,21 +894,24 @@ execution of the @var{command} was successful, @code{#t} if not. @deffn {procedure} make-forkexec-constructor @var{command} @ [#:user #f] @ [#:group #f] @+ [#:supplementary-groups '()] @ [#:pid-file #f] [#:pid-file-timeout (default-pid-file-timeout)] @ [#:log-file #f] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)] Return a procedure that forks a child process, closes all file-descriptors except the standard output and standard error descriptors, sets-the current directory to @var{directory}, sets the umask to-@var{file-creation-mask} unless it is @code{#f}, changes the environment to-@var{environment-variables} (using the @code{environ} procedure), sets the-current user to @var{user} and the current group to @var{group} unless they-are @code{#f}, and executes @var{command} (a list of strings.) The result of-the procedure will be the PID of the child process. 
Note that this will-not work as expected if the process ``daemonizes'' (forks); in that-case, you will need to pass @code{#:pid-file}, as explained below.+descriptors except the standard output and standard error descriptors,+sets the current directory to @var{directory}, sets the umask to+@var{file-creation-mask} unless it is @code{#f}, changes the environment+to @var{environment-variables} (using the @code{environ} procedure),+sets the current user to @var{user} the current group to @var{group}+unless they are @code{#f} and supplementary groups to+@var{supplementary-groups} unless they are @code{'()}, and executes+@var{command} (a list of strings.) The result of the procedure will be+the PID of the child process. Note that this will not work as expected+if the process ``daemonizes'' (forks); in that case, you will need to+pass @code{#:pid-file}, as explained below. When @var{pid-file} is true, it must be the name of a PID file associated with the process being launched; the return value is the PID@@ -937,6 +941,7 @@ procedures. @deffn {procedure} exec-command @var{command} @ [#:user #f] @ [#:group #f] @+ [#:supplementary-groups '()] @ [#:log-file #f] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @@@ -944,6 +949,7 @@ procedures. @deffnx {procedure} fork+exec-command @var{command} @ [#:user #f] @ [#:group #f] @+ [#:supplementary-groups '()] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)]@@ -955,12 +961,13 @@ if it's true, whereas file descriptor 0 (standard input) points to @file{/dev/null}; all other file descriptors are closed prior to yielding control to @var{command}. -By default, @var{command} is run as the current user. If the-@var{user} keyword argument is present and not false, change to-@var{user} immediately before invoking @var{command}. @var{user} may-be a string, indicating a user name, or a number, indicating a user-ID. 
Likewise, @var{command} will be run under the current group,-unless the @var{group} keyword argument is present and not false.+By default, @var{command} is run as the current user. If the @var{user}+keyword argument is present and not false, change to @var{user}+immediately before invoking @var{command}. @var{user} may be a string,+indicating a user name, or a number, indicating a user ID. Likewise,+@var{command} will be run under the current group, unless the+@var{group} keyword argument is present and not false, and+supplementary-groups is not '(). @code{fork+exec-command} does the same as @code{exec-command}, but in a separate process whose PID it returns.diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scmindex 45fcf32..03bdc02 100644--- a/modules/shepherd/service.scm+++ b/modules/shepherd/service.scm@@ -6,6 +6,7 @@ ;; Copyright (C) 2018 Carlo Zancanaro <carlo@zancanaro.id.au> ;; Copyright (C) 2019 Ricardo Wurmus <rekado@elephly.net> ;; Copyright (C) 2020 Mathieu Othacehe <m.othacehe@gmail.com>+;; Copyright (C) 2020 Oleg Pykhalov <go.wigust@gmail.com> ;; ;; This file is part of the GNU Shepherd. ;;@@ -772,10 +773,17 @@ daemon writing FILE is running in a separate PID namespace." (try-again) (apply throw args))))))) +(define (format-supplementary-groups supplementary-groups)+ (if (vector? supplementary-groups)+ supplementary-groups+ (list->vector (map (lambda (group) (group:gid (getgr group)))+ supplementary-groups))))+ (define* (exec-command command #:key (user #f) (group #f)+ (supplementary-groups '()) (log-file #f) (directory (default-service-directory)) (file-creation-mask #f)@@ -831,7 +839,7 @@ false." (catch #t (lambda () ;; Clear supplementary groups.- (setgroups #())+ (setgroups (format-supplementary-groups supplementary-groups)) (setgid (group:gid (getgr group)))) (lambda (key . args) (format (current-error-port)@@ -874,6 +882,7 @@ false." 
#:key (user #f) (group #f)+ (supplementary-groups '()) (log-file #f) (directory (default-service-directory)) (file-creation-mask #f)@@ -901,6 +910,8 @@ its PID." (exec-command command #:user user #:group group+ #:supplementary-groups (format-supplementary-groups+ supplementary-groups) #:log-file log-file #:directory directory #:file-creation-mask file-creation-mask@@ -914,6 +925,7 @@ its PID." #:key (user #f) (group #f)+ (supplementary-groups '()) (directory (default-service-directory)) (environment-variables (default-environment-variables))@@ -951,6 +963,8 @@ start." (let ((pid (fork+exec-command command #:user user #:group group+ #:supplementary-groups+ (format-supplementary-groups supplementary-groups) #:log-file log-file #:directory directory #:file-creation-mask file-creation-mask-- 2.26.2
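Review bot: in the exec-command hunk, the comment ";; Clear supplementary groups." above `(setgroups (format-supplementary-groups supplementary-groups))` is now misleading, since the call installs the requested groups and only clears them when the list is empty. Suggest ";; Set supplementary groups (the empty list clears them)." so the next reader does not assume the child always starts with none. It is worth keeping the empty-list default explicit somewhere, because it is what stops the child from inheriting shepherd's own supplementary groups.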
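Review bot: in the fork+exec-command and make-forkexec-constructor hunks, `(format-supplementary-groups supplementary-groups)` is evaluated in the caller, before exec-command runs, so it sits outside the `catch #t` that already reports `getgr`/`setgid` failures to the error port; an unknown group name therefore escapes as an uncaught exception from the caller instead of going through that handler. exec-command then calls `format-supplementary-groups` a second time on the resulting vector, which is the only reason the `vector?` branch exists. Suggest passing the raw list through unchanged (`#:supplementary-groups supplementary-groups`) and converting exactly once inside exec-command's catch.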
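Review bot: in the doc hunk for make-forkexec-constructor, "sets the current user to @var{user} the current group to @var{group}" is missing the conjunction; it should read "sets the current user to @var{user}, the current group to @var{group}". In the exec-command paragraph, "unless the @var{group} keyword argument is present and not false, and supplementary-groups is not '()" joins two unrelated conditions with "and", so it reads as though both must hold for the primary group to change. The supplementary groups deserve their own sentence, with Texinfo markup (@var{supplementary-groups}, @code{'()}) matching the rest of the paragraph.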
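As an added illustration of the keyword this thread introduces (example code, not part of the patch or of Shepherd itself), here is a minimal service definition that exercises `#:supplementary-groups` and lets you verify what credentials the child actually ends up with. It assumes a host user `jenkins`, a primary group `jenkins` and a supplementary group `docker` exist; `/tmp/groups-check.txt` and the service name `groups-check` are hypothetical names chosen for the check.

```scheme
;; Added example: not part of the patch or of the Shepherd code base.
;; Assumptions: user "jenkins", group "jenkins" and group "docker" exist on
;; the host; /tmp/groups-check.txt is a hypothetical scratch file used only
;; to inspect the credentials the forked child receives.
(use-modules (shepherd service))

(define groups-check
  (make <service>
    #:provides '(groups-check)
    #:docstring "Record the credentials a forked child actually receives."
    #:start (make-forkexec-constructor
             ;; `id` prints the uid, the primary gid and the complete list of
             ;; supplementary groups, which is exactly what we want to check
             ;; after the privilege drop.
             '("/bin/sh" "-c" "id > /tmp/groups-check.txt")
             #:user "jenkins"
             #:group "jenkins"
             ;; Group names are resolved with getgr and handed to setgroups
             ;; as a vector of GIDs.  Passing '() instead resets the child to
             ;; no supplementary groups rather than letting it inherit
             ;; shepherd's own (typically root's).
             #:supplementary-groups '("docker")
             #:log-file "/var/log/groups-check.log")
    #:stop (make-kill-destructor)
    #:respawn? #f))

(register-services groups-check)
```

After `herd start groups-check`, the file should show `uid` and `gid` for `jenkins` and a `groups=` list containing `jenkins` and `docker` and nothing else; any extra entry means the parent's supplementary groups leaked into the child. Each group listed here widens what the service can reach, so keep the list to what the service needs.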
Ludovic Courtès wrote on 14 Jun 22:53 +0200
To: Oleg Pykhalov <go.wigust@gmail.com>, 41573@debbugs.gnu.org
Message-ID: 87mu55s72d.fsf@gnu.org
Hello,
Oleg Pykhalov <go.wigust@gmail.com> skribis:
Toggle quote (10 lines)> From 5718eb5f4130530b48df896d7f7e4a126e08428a Mon Sep 17 00:00:00 2001> From: Oleg Pykhalov <go.wigust@gmail.com>> Date: Sun, 24 May 2020 20:30:27 +0300> Subject: [PATCH] service: Add #:supplementary-groups.>> * modules/shepherd/service.scm (format-supplementary-groups): New procedure.> (exec-command, fork+exec-command, make-forkexec-constructor): Add> '#:supplementary-groups'.> * doc/shepherd.texi (Service De- and Constructors): Document this.
[...]
Toggle quote (6 lines)> +(define (format-supplementary-groups supplementary-groups)> + (if (vector? supplementary-groups)> + supplementary-groups> + (list->vector (map (lambda (group) (group:gid (getgr group)))> + supplementary-groups))))
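Review bot: dropping the `vector?` branch is only safe together with removing the `(format-supplementary-groups supplementary-groups)` calls in fork+exec-command and make-forkexec-constructor; as posted, those callers hand exec-command an already-converted vector, and without the branch `map` would then be applied to a vector and fail. Converting once, inside exec-command, keeps the single-type interface and also puts the `getgr` lookups inside the existing `catch #t`.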
Perhaps we should remove the ‘vector?’ case, no? I find it clearer when the interface accepts just one single data type.
Apart from that, it LGTM!
Note that for compatibility reasons we’ll have to wait before using it in Guix System.
Thanks,
Ludo’.
Oleg Pykhalov wrote on 19 Jun 03:28 +0200
To: Ludovic Courtès <ludo@gnu.org>, 41573@debbugs.gnu.org
Message-ID: 871rmb4zdy.fsf@gmail.com
Hello,
Ludovic Courtès <ludo@gnu.org> writes:
Toggle quote (23 lines)> Oleg Pykhalov <go.wigust@gmail.com> skribis:>>> From 5718eb5f4130530b48df896d7f7e4a126e08428a Mon Sep 17 00:00:00 2001>> From: Oleg Pykhalov <go.wigust@gmail.com>>> Date: Sun, 24 May 2020 20:30:27 +0300>> Subject: [PATCH] service: Add #:supplementary-groups.>>>> * modules/shepherd/service.scm (format-supplementary-groups): New procedure.>> (exec-command, fork+exec-command, make-forkexec-constructor): Add>> '#:supplementary-groups'.>> * doc/shepherd.texi (Service De- and Constructors): Document this.>> [...]>>> +(define (format-supplementary-groups supplementary-groups)>> + (if (vector? supplementary-groups)>> + supplementary-groups>> + (list->vector (map (lambda (group) (group:gid (getgr group)))>> + supplementary-groups))))>> Perhaps we should remove the ‘vector?’ case, no? I find it clearer when> the interface accepts just one single data type.
OK.
Toggle quote (5 lines)> Apart from that, it LGTM!>> Note that for compatibility reasons we’ll have to wait before using it> in Guix System.
No problem.
I updated the patch and tested it again with make check and reconfiguring my system.
From 20a08c750c4d6126d36835c64fed211299cb03e3 Mon Sep 17 00:00:00 2001From: Oleg Pykhalov <go.wigust@gmail.com>Date: Sun, 24 May 2020 20:30:27 +0300Subject: [PATCH] service: Add #:supplementary-groups.
* modules/shepherd/service.scm (format-supplementary-groups): New procedure.(exec-command, fork+exec-command, make-forkexec-constructor): Add'#:supplementary-groups'.* doc/shepherd.texi (Service De- and Constructors): Document this.--- doc/shepherd.texi | 39 +++++++++++++++++++++--------------- modules/shepherd/service.scm | 12 ++++++++++- 2 files changed, 34 insertions(+), 17 deletions(-)
Toggle diff (155 lines)diff --git a/doc/shepherd.texi b/doc/shepherd.texiindex 1de49af..18f1a4d 100644--- a/doc/shepherd.texi+++ b/doc/shepherd.texi@@ -11,7 +11,8 @@ @copying Copyright @copyright{} @value{OLD-YEARS} Wolfgang J@"ahrling@* Copyright @copyright{} @value{NEW-YEARS} Ludovic Courtès@*-Copyright @copyright{} 2020 Brice Waegeneire+Copyright @copyright{} 2020 Brice Waegeneire@*+Copyright @copyright{} 2020 Oleg Pykhalov Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or@@ -893,21 +894,24 @@ execution of the @var{command} was successful, @code{#t} if not. @deffn {procedure} make-forkexec-constructor @var{command} @ [#:user #f] @ [#:group #f] @+ [#:supplementary-groups '()] @ [#:pid-file #f] [#:pid-file-timeout (default-pid-file-timeout)] @ [#:log-file #f] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)] Return a procedure that forks a child process, closes all file-descriptors except the standard output and standard error descriptors, sets-the current directory to @var{directory}, sets the umask to-@var{file-creation-mask} unless it is @code{#f}, changes the environment to-@var{environment-variables} (using the @code{environ} procedure), sets the-current user to @var{user} and the current group to @var{group} unless they-are @code{#f}, and executes @var{command} (a list of strings.) The result of-the procedure will be the PID of the child process. 
Note that this will-not work as expected if the process ``daemonizes'' (forks); in that-case, you will need to pass @code{#:pid-file}, as explained below.+descriptors except the standard output and standard error descriptors,+sets the current directory to @var{directory}, sets the umask to+@var{file-creation-mask} unless it is @code{#f}, changes the environment+to @var{environment-variables} (using the @code{environ} procedure),+sets the current user to @var{user} the current group to @var{group}+unless they are @code{#f} and supplementary groups to+@var{supplementary-groups} unless they are @code{'()}, and executes+@var{command} (a list of strings.) The result of the procedure will be+the PID of the child process. Note that this will not work as expected+if the process ``daemonizes'' (forks); in that case, you will need to+pass @code{#:pid-file}, as explained below. When @var{pid-file} is true, it must be the name of a PID file associated with the process being launched; the return value is the PID@@ -937,6 +941,7 @@ procedures. @deffn {procedure} exec-command @var{command} @ [#:user #f] @ [#:group #f] @+ [#:supplementary-groups '()] @ [#:log-file #f] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @@@ -944,6 +949,7 @@ procedures. @deffnx {procedure} fork+exec-command @var{command} @ [#:user #f] @ [#:group #f] @+ [#:supplementary-groups '()] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)]@@ -955,12 +961,13 @@ if it's true, whereas file descriptor 0 (standard input) points to @file{/dev/null}; all other file descriptors are closed prior to yielding control to @var{command}. -By default, @var{command} is run as the current user. If the-@var{user} keyword argument is present and not false, change to-@var{user} immediately before invoking @var{command}. @var{user} may-be a string, indicating a user name, or a number, indicating a user-ID. 
Likewise, @var{command} will be run under the current group,-unless the @var{group} keyword argument is present and not false.+By default, @var{command} is run as the current user. If the @var{user}+keyword argument is present and not false, change to @var{user}+immediately before invoking @var{command}. @var{user} may be a string,+indicating a user name, or a number, indicating a user ID. Likewise,+@var{command} will be run under the current group, unless the+@var{group} keyword argument is present and not false, and+supplementary-groups is not '(). @code{fork+exec-command} does the same as @code{exec-command}, but in a separate process whose PID it returns.diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scmindex 347b8cc..587ff68 100644--- a/modules/shepherd/service.scm+++ b/modules/shepherd/service.scm@@ -6,6 +6,7 @@ ;; Copyright (C) 2018 Carlo Zancanaro <carlo@zancanaro.id.au> ;; Copyright (C) 2019 Ricardo Wurmus <rekado@elephly.net> ;; Copyright (C) 2020 Mathieu Othacehe <m.othacehe@gmail.com>+;; Copyright (C) 2020 Oleg Pykhalov <go.wigust@gmail.com> ;; ;; This file is part of the GNU Shepherd. ;;@@ -773,10 +774,15 @@ daemon writing FILE is running in a separate PID namespace." (try-again) (apply throw args))))))) +(define (format-supplementary-groups supplementary-groups)+ (list->vector (map (lambda (group) (group:gid (getgr group)))+ supplementary-groups)))+ (define* (exec-command command #:key (user #f) (group #f)+ (supplementary-groups '()) (log-file #f) (directory (default-service-directory)) (file-creation-mask #f)@@ -832,7 +838,7 @@ false." (catch #t (lambda () ;; Clear supplementary groups.- (setgroups #())+ (setgroups (format-supplementary-groups supplementary-groups)) (setgid (group:gid (getgr group)))) (lambda (key . args) (format (current-error-port)@@ -879,6 +885,7 @@ false." 
#:key (user #f) (group #f)+ (supplementary-groups '()) (log-file #f) (directory (default-service-directory)) (file-creation-mask #f)@@ -909,6 +916,7 @@ its PID." (exec-command command #:user user #:group group+ #:supplementary-groups supplementary-groups #:log-file log-file #:directory directory #:file-creation-mask file-creation-mask@@ -919,6 +927,7 @@ its PID." #:key (user #f) (group #f)+ (supplementary-groups '()) (directory (default-service-directory)) (environment-variables (default-environment-variables))@@ -956,6 +965,7 @@ start." (let ((pid (fork+exec-command command #:user user #:group group+ #:supplementary-groups supplementary-groups #:log-file log-file #:directory directory #:file-creation-mask file-creation-mask-- 2.26.2
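Review bot: in the exec-command hunk, the comment ";; Clear supplementary groups." still sits above a line that now installs the requested groups; suggest ";; Set supplementary groups (the empty list clears them)." The conversion now happens once, inside the `catch #t`, so an unknown group name is reported through the existing error handler rather than escaping from the caller, which resolves the earlier double-conversion concern.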
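Review bot: in the make-forkexec-constructor doc hunk, "sets the current user to @var{user} the current group to @var{group}" is still missing a comma or "and" between the two clauses; suggest "sets the current user to @var{user}, the current group to @var{group}".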
Ludovic Courtès wrote on 19 Jun 09:56 +0200
To: Oleg Pykhalov <go.wigust@gmail.com>, 41573-done@debbugs.gnu.org
Message-ID: 871rmbij4p.fsf@gnu.org
Hi,
Oleg Pykhalov <go.wigust@gmail.com> skribis:
Toggle quote (10 lines)> From 20a08c750c4d6126d36835c64fed211299cb03e3 Mon Sep 17 00:00:00 2001> From: Oleg Pykhalov <go.wigust@gmail.com>> Date: Sun, 24 May 2020 20:30:27 +0300> Subject: [PATCH] service: Add #:supplementary-groups.>> * modules/shepherd/service.scm (format-supplementary-groups): New procedure.> (exec-command, fork+exec-command, make-forkexec-constructor): Add> '#:supplementary-groups'.> * doc/shepherd.texi (Service De- and Constructors): Document this.
Applied with the change below, thanks!
Ludo’.
Toggle diff (13 lines)diff --git a/doc/shepherd.texi b/doc/shepherd.texiindex 18f1a4d..696477e 100644--- a/doc/shepherd.texi+++ b/doc/shepherd.texi@@ -967,7 +967,7 @@ immediately before invoking @var{command}. @var{user} may be a string, indicating a user name, or a number, indicating a user ID. Likewise, @var{command} will be run under the current group, unless the @var{group} keyword argument is present and not false, and-supplementary-groups is not '().+@var{supplementary-groups} is not @code{'()}. @code{fork+exec-command} does the same as @code{exec-command}, but in a separate process whose PID it returns.
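Review bot: the markup fix is right, but the sentence still reads "unless the @var{group} keyword argument is present and not false, and @var{supplementary-groups} is not @code{'()}", which presents the two as one conjoined condition on the primary group. The code sets them independently, and the empty list is not a no-op: `setgroups` is called either way, so with @code{'()} the child ends up with no supplementary groups instead of inheriting shepherd's. Suggest a separate sentence such as "The supplementary groups are always reset: to the groups named in @var{supplementary-groups}, or to none when it is @code{'()}." That also makes the safe default visible to people configuring services.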
Closed