From 064903c5a976280b95cd9bba17e958e662be605d Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Tue, 19 Jun 2018 12:24:47 +0300
Subject: [PATCH] services: openntpd: Containerize openntpd service.

* gnu/packages/ntp.scm (openntpd)[arguments]: Add 'privsep-path' to 'configure-flags and adjust the 'localstatedir' flag.
* gnu/services/networking.scm (openntpd-shepherd-service): Change the start-service command to run in a container, expose '/var/log/openntpd' and '/var/lib/openntpd' to the container.
(openntpd-service-activation): Adjust directories for the changes above.
---
 gnu/packages/ntp.scm | 3 +-
 gnu/services/networking.scm | 58 ++++++++++++++++++++++++-------------
 2 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm
index e9ae9fa46..2c202b400 100644
--- a/gnu/packages/ntp.scm
+++ b/gnu/packages/ntp.scm
@@ -109,7 +109,8 @@ computers over a network.")
 (build-system gnu-build-system)
 (arguments
 '(#:configure-flags '("--with-privsep-user=ntpd"
- "--localstatedir=/var")
+ "--with-privsep-path=/var/lib/openntpd"
+ "--localstatedir=/var/lib/openntpd")
 #:phases
 (modify-phases %standard-phases
 (add-after 'unpack 'modify-install-locations
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index d5d0cf9d1..100a18e7c 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
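Review bot: The new `--with-privsep-path=/var/lib/openntpd` points ntpd's privilege-separation directory at the same tree that, with `--localstatedir=/var/lib/openntpd`, now holds the daemon's live state (the `db/` drift file and `run/` socket directory created by the activation), and the networking.scm hunk repeats that choice by bind-mounting `/var/lib/openntpd` onto `/var/empty` "for the privsep ntpd user". A chroot directory for the unprivileged child is meant to be empty, root-owned and not writable by that user; if the child ends up chrooted into either of those mappings it can at least read the drift file and socket directory, and any permission slip on the state tree weakens the jail. Consider a dedicated empty, root-owned subdirectory (e.g. an `empty/` directory created by the activation — a suggested path, not one the project defines) for both the configure flag and the `/var/empty` mapping. Whether the portable build chroots into the configured privsep path or into the ntpd user's home directory is not visible here and should be confirmed against the build before choosing which of the two to change.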
@@ -428,22 +428,39 @@ make an initial adjustment of more than 1,000 seconds."
 (define ntpd.conf
 (plain-file "ntpd.conf" config))
- (list (shepherd-service
- (provision '(ntpd))
- (documentation "Run the Network Time Protocol (NTP) daemon.")
- (requirement '(user-processes networking))
- (start #~(make-forkexec-constructor
- (list (string-append #$openntpd "/sbin/ntpd")
- "-f" #$ntpd.conf
- "-d" ;; don't daemonize
- #$@(if allow-large-adjustment?
- '("-s")
- '()))
- ;; When ntpd is daemonized it repeatedly tries to respawn
- ;; while running, leading shepherd to disable it. To
- ;; prevent spamming stderr, redirect output to logfile.
- #:log-file "/var/log/ntpd"))
- (stop #~(make-kill-destructor)))))))
+ (with-imported-modules (source-module-closure
+ '((gnu build shepherd)
+ (gnu system file-systems)))
+ (list (shepherd-service
+ (provision '(ntpd))
+ (documentation "Run the Network Time Protocol (NTP) daemon.")
+ (requirement '(user-processes networking))
+ (modules '((gnu build shepherd)
+ (gnu system file-systems)))
+ (start #~(make-forkexec-constructor/container
+ (list (string-append #$openntpd "/sbin/ntpd")
+ "-f" #$ntpd.conf
+ "-d" ;; don't daemonize
+ #$@(if allow-large-adjustment?
+ '("-s")
+ '()))
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/openntpd")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/var/log/openntpd")
+ (target "/var/log")
+ (writable? #t))
+ ;; For the privsep ntpd user.
+ (file-system-mapping
+ (source "/var/lib/openntpd")
+ (target "/var/empty")))
+ ;; When ntpd is daemonized it repeatedly tries to respawn
+ ;; while running, leading shepherd to disable it. To
+ ;; prevent spamming stderr, redirect output to logfile.
+ #:log-file "/var/log/ntpd"))
+ (stop #~(make-kill-destructor))))))))
 (define (openntpd-service-activation config)
 "Return the activation gexp for CONFIG."
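Review bot: The `#:log-file "/var/log/ntpd"` line and the comment above it are carried over unchanged, but the new mapping makes `/var/log` inside the container the host's `/var/log/openntpd`, so where the daemon's output actually lands now depends on whether the constructor opens the log file inside or outside the container. The commit message says the intent is to expose `/var/log/openntpd`, which suggests the file ends up as `/var/log/openntpd/ntpd` on the host; an operator reading `#:log-file "/var/log/ntpd"` will look in the wrong place unless the comment says so. I would extend the comment with `;; Inside the container /var/log is the host's /var/log/openntpd, so this` and `;; file is /var/log/openntpd/ntpd on the host.`, after confirming where make-forkexec-constructor/container opens it. On the positive side, the writable `/var/log/openntpd` → `/var/log` mapping gives the daemon write access to its own log directory only, rather than to the host's whole `/var/log`. The enclosing openntpd-shepherd-service starts before this hunk.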
@@ -451,10 +468,11 @@ make an initial adjustment of more than 1,000 seconds."
 #~(begin
 (use-modules (guix build utils))
- (mkdir-p "/var/db")
- (mkdir-p "/var/run")
- (unless (file-exists? "/var/db/ntpd.drift")
- (with-output-to-file "/var/db/ntpd.drift"
+ (mkdir-p "/var/lib/openntpd/db")
+ (mkdir-p "/var/lib/openntpd/run")
+ (mkdir-p "/var/log/openntpd")
+ (unless (file-exists? "/var/lib/openntpd/db/ntpd.drift")
+ (with-output-to-file "/var/lib/openntpd/db/ntpd.drift"
 (lambda _
 (format #t "0.0")))))))
-- 
2.17.1
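Review bot: The activation creates `/var/lib/openntpd` only implicitly, as the parent of the two `mkdir-p` calls, so its mode is whatever the activation umask yields; since the shepherd hunk bind-mounts that same directory onto `/var/empty` as the privsep chroot target, its ownership and mode are now part of the sandbox boundary and should not be left to the umask. Add an explicit `(chmod "/var/lib/openntpd" #o755)` after the `mkdir-p` calls (it runs as root during activation, so ownership is already root), with a comment saying the directory doubles as the privsep chroot and must not be writable by the ntpd user. Whether ntpd itself verifies the chroot directory's permissions before dropping privileges is not visible here, which is one more reason to pin them on this side. The enclosing openntpd-service-activation begins before this hunk.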