[bug#54997] [PATCH v2 00/15] Add "least authority" program wrapper
From: Ludovic Courtès
Subject: [bug#54997] [PATCH v2 00/15] Add "least authority" program wrapper
Date: Wed, 27 Apr 2022 18:56:20 +0200

Hi!

Changes since v1:

  • Add ‘delete-duplicates’ call in ‘references-file’.

  • Work around unreliable signal delivery in Guile (note that
    this is not a new problem; I just happened to notice it).
    This part is unsatisfactory.  The solution in the Shepherd is
    signalfd(2) on GNU/Linux, but using it requires quite a bit
    of infrastructure.

  • New #:child-is-pid1? parameter for ‘call-with-container’, set
    to #false by ‘least-authority-wrapper’.  This is probably
    overkill for most cases (daemons that, unlike Jenkins, don’t
    run arbitrary user scripts are unlikely to leave zombies
    behind them), but safer.

  • Converted opendht service to ‘least-authority-wrapper’.

I think it’s good to go.

Thoughts?

Thanks,
Ludo’.

Ludovic Courtès (15):
  gexp: Add 'references-file'.
  file-systems: Avoid load-time warnings when attempting to load (guix
    store).
  linux-container: 'call-with-container' relays SIGTERM and SIGINT.
  linux-container: Ensure signal-handling asyncs get a chance to run.
  linux-container: Add #:child-is-pid1? parameter to
    'call-with-container'.
  Add (guix least-authority).
  services: dicod: Rewrite using 'least-authority-wrapper'.
  services: dicod: Use 'make-inetd-constructor'.
  services: bitlbee: Use 'make-inetd-constructor'.
  services: ipfs: Adjust for Shepherd 0.9.
  services: ipfs: Use 'least-authority-wrapper'.
  services: wesnothd: Grant write access to /var/run/wesnothd.
  services: wesnothd: Use 'least-authority-wrapper'.
  services: quassel: Use 'least-authority-wrapper'.
  services: opendht: Use 'least-authority-wrapper'.

Makefile.am | 1 +
gnu/build/linux-container.scm | 78 +++++++++++++++--
gnu/build/shepherd.scm | 3 +-
gnu/services/base.scm | 22 -----
gnu/services/dict.scm | 61 ++++++++-----
gnu/services/games.scm | 33 +++++--
gnu/services/messaging.scm | 105 ++++++++++++++--------
gnu/services/networking.scm | 158 +++++++++++++++++-----------------
gnu/system/file-systems.scm | 5 +-
gnu/tests/messaging.scm | 21 +----
guix/gexp.scm | 44 ++++++++++
guix/least-authority.scm | 135 +++++++++++++++++++++++++++++
tests/gexp.scm | 18 ++++
13 files changed, 491 insertions(+), 193 deletions(-)
create mode 100644 guix/least-authority.scm
base-commit: 950f3e4f98add14f645dc4c9f8c512cac7b8a779
--
2.35.1