[bug#54997] [PATCH 00/12] Add "least authority" program wrapper

[Maxime Devos]

Ludovic Courtès schreef op zo 17-04-2022 om 23:01 [+0200]:
> Hello Guix!
> 
> So we have this fancy ‘make-forkexec-constructor/container’ thing
> to spawn Shepherd services in a container:
> 
>   https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/
> 
> It’s nice, but it doesn’t compose.  What if you want an inetd-style
> service *and* have it run in a container?  We certainly don’t want to
> end up defining ‘make-inetd-constructor/container’ and so on.

Currently, it doesn't compose, but can it be made composable?
More concretely, maybe there could be a set of ‘process procedures’
implementable by record types:

  ;; Inspired by <https://docs.racket-lang.org/reference/subprocess.html>,
  ;; with some differences
  (define (subprocess-start/separate process) ...)  ; run it in a separate 
process
  (define (subprocess-start/replace process) ...) ; run it with 'exec'
  (define (subprocess-kill process) ...)
  (define (subprocess-wait process) ...)
  (define (subprocess-status process) ...)

  ;; Basic process constructor, doesn't do containers
  (define (command-process ...) ...)

  ;; Container
  (define (contain inner #:key container-stuff ...)
    subprocess-start/separate: (run-container ... (lambda () 
(subprocess-start/replace inner)))
    other procedures ...
    return the record)

Then make-inetd-constructor could be changed to accept a lambda producing
'subprocess' records.  By passing it a subprocess wrapped by 'contain', it would
automatically support container things:

(define (make-inetd-constructor/container-command command* ...)
  (make-inetd-constructor (lambda () (contain (command-process comand*))) ...))

Greetings,
Maxime.

signature.asc
Description: This is a digitally signed message part