Diffstat (limited to 'gnu/services')
-rw-r--r--gnu/services/security.scm25
-rw-r--r--gnu/services/shepherd.scm27
-rw-r--r--gnu/services/virtualization.scm1
-rw-r--r--gnu/services/web.scm66
4 files changed, 73 insertions, 46 deletions
diff --git a/gnu/services/security.scm b/gnu/services/security.scm
index fd5bf19730..15fae7a628 100644
--- a/gnu/services/security.scm
+++ b/gnu/services/security.scm
@@ -179,11 +179,6 @@
(define (fail2ban-jail-configuration-serialize-symbol field-name value)
(fail2ban-jail-configuration-serialize-string field-name (symbol->string value)))
-(define (fail2ban-jail-configuration-serialize-extra-content field-name value)
- (if (maybe-value-set? value)
- (string-append "\n" value "\n")
- ""))
-
(define-maybe integer (prefix fail2ban-jail-configuration-))
(define-maybe string (prefix fail2ban-jail-configuration-))
(define-maybe boolean (prefix fail2ban-jail-configuration-))
@@ -204,7 +199,7 @@
"Backend to use to detect changes in the @code{log-path}. The default is
'auto. To consult the defaults of the jail configuration, refer to the
@file{/etc/fail2ban/jail.conf} file of the @code{fail2ban} package."
-fail2ban-jail-configuration-serialize-backend)
+ fail2ban-jail-configuration-serialize-backend)
(max-retry
maybe-integer
"The number of failures before a host get banned
@@ -273,7 +268,7 @@ names matching their filter name.")
maybe-symbol
"The encoding of the log files handled by the jail.
Possible values are: @code{'ascii}, @code{'utf-8} and @code{'auto}."
-fail2ban-jail-configuration-serialize-log-encoding)
+ fail2ban-jail-configuration-serialize-log-encoding)
(log-path
(list-of-strings '())
"The file names of the log files to be monitored.")
@@ -281,9 +276,10 @@ fail2ban-jail-configuration-serialize-log-encoding)
(list-of-fail2ban-jail-actions '())
"A list of @code{<fail2ban-jail-action-configuration>}.")
(extra-content
- maybe-string
- "Extra content for the jail configuration."
- fail2ban-jail-configuration-serialize-extra-content)
+ (text-config '())
+ "Extra content for the jail configuration, provided as a list of file-like
+objects."
+ serialize-text-config)
(prefix fail2ban-jail-configuration-))
(define list-of-fail2ban-jail-configurations?
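Review bot: Changing the `extra-content` field from `maybe-string` to `(text-config '())` with `serialize-text-config` is an incompatible change for existing configurations that pass a plain string, which presumably now fail the field's type predicate with no migration hint; the same applies to the `fail2ban-configuration` field in the next hunk (`@@ -312,8 +308,9 @@`). A `sanitizer` that wraps a string into a single-element list, or at minimum a sentence in both docstrings saying that a bare string is no longer accepted, would make the transition explicit, e.g. appending `"A bare string is no longer accepted; use @code{(list (plain-file \"extra\" \"...\"))} instead."` to the field documentation. The enclosing `define-configuration` forms start outside both hunks.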
@@ -312,8 +308,9 @@ extensions.")
(list-of-fail2ban-jail-configurations '())
"Instances of @code{<fail2ban-jail-configuration>} explicitly provided.")
(extra-content
- maybe-string
- "Extra raw content to add to the end of the @file{jail.local} file."))
+ (text-config '())
+ "Extra raw content to add to the end of the @file{jail.local} file,
+provided as a list of file-like objects."))
(define (serialize-fail2ban-configuration config)
(let* ((jails (fail2ban-configuration-jails config))
@@ -322,9 +319,7 @@ extensions.")
(interpose
(append (map serialize-fail2ban-jail-configuration
(append jails extra-jails))
- (list (if (maybe-value-set? extra-content)
- extra-content
- ""))))))
+ (list (serialize-text-config 'extra-content extra-content))))))
(define (config->fail2ban-etc-directory config)
(let* ((fail2ban (fail2ban-configuration-fail2ban config))
diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index 4fd4b2a497..61f759a19d 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -344,6 +344,31 @@ as shepherd package."
(use-modules (srfi srfi-34)
(system repl error-handling))
+ (define (call-with-file file flags proc)
+ (let ((port #f))
+ (dynamic-wind
+ (lambda ()
+ (set! port (open file flags)))
+ (lambda ()
+ (proc port))
+ (lambda ()
+ (close-port port)
+ (set! port #f)))))
+
+ ;; There's code run from shepherd that uses 'call-with-input-file' &
+ ;; co.--e.g., the 'urandom-seed' service. Starting from Shepherd
+ ;; 0.9.2, users need to make sure not to leak non-close-on-exec file
+ ;; descriptors to child processes. To address that, replace the
+ ;; standard bindings with O_CLOEXEC variants.
+ (set! call-with-input-file
+ (lambda (file proc)
+ (call-with-file file (logior O_RDONLY O_CLOEXEC)
+ proc)))
+ (set! call-with-output-file
+ (lambda (file proc)
+ (call-with-file file (logior O_WRONLY O_CREAT O_CLOEXEC)
+ proc)))
+
;; Specify the default environment visible to all the services.
;; Without this statement, all the environment variables of PID 1
;; are inherited by child services.
@@ -387,7 +412,7 @@ as shepherd package."
;; call; this avoids situations where services wrongfully lead
;; PID 1 to read from stdin (the console), which users may not
;; have access to (see <https://bugs.gnu.org/23697>).
- (redirect-port (open-input-file "/dev/null")
+ (redirect-port (open "/dev/null" (logior O_RDONLY O_CLOEXEC))
(current-input-port)))))
(scheme-file "shepherd.conf" config)))
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 8b480e1bd3..cb6227403b 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -965,6 +965,7 @@ that will be listening to receive secret keys on port 1004, TCP."
(generate-host-keys? #f)))
(guix-service-type
config => (guix-configuration
+ (inherit config)
(generate-substitute-key? #f))))))))
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index b144cf7076..5bac496f01 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1393,7 +1393,7 @@ files.")
(replacement anonip-configuration-replacement ;string
(default #f))
(ipv4mask anonip-configuration-ipv4mask ;number
- (default #f))
+ (default #f))
(ipv6mask anonip-configuration-ipv6mask ;number
(default #f))
(increment anonip-configuration-increment ;number
@@ -1425,35 +1425,41 @@ files.")
(format #false "~a=~a"
option value))))
(list)))))
- (list (shepherd-service
- (provision (list (symbol-append 'anonip- (string->symbol output))))
- (requirement '(user-processes))
- (documentation "Anonimyze the given log file location with anonip.")
- (start #~(lambda _
- (unless (file-exists? #$input)
- (mknod #$input 'fifo #o600 0))
- (let ((pid (fork+exec-command
- (append
- (list #$(file-append (anonip-configuration-anonip config)
- "/bin/anonip")
- (string-append "--input=" #$input)
- (string-append "--output=" #$output))
- (if #$(anonip-configuration-skip-private? config)
- '("--skip-private") (list))
- '#$(optional anonip-configuration-column "--column")
- '#$(optional anonip-configuration-ipv4mask "--ipv4mask")
- '#$(optional anonip-configuration-ipv6mask "--ipv6mask")
- '#$(optional anonip-configuration-increment "--increment")
- '#$(optional anonip-configuration-replacement "--replacement")
- '#$(optional anonip-configuration-delimiter "--delimiter")
- '#$(optional anonip-configuration-regex "--regex"))
- ;; Run in a UTF-8 locale
- #:environment-variables
- (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales
- "/lib/locale")
- "LC_ALL=en_US.utf8"))))
- pid)))
- (stop #~(make-kill-destructor))))))
+ (list
+ (shepherd-service
+ (provision
+ (list (symbol-append 'anonip- (string->symbol output))))
+ (requirement '(user-processes))
+ (documentation
+ "Anonimyze the given log file location with anonip.")
+ (start
+ #~(lambda _
+ (unless (file-exists? #$input)
+ (mknod #$input 'fifo #o600 0))
+ (let ((pid
+ (fork+exec-command
+ (append
+ (list #$(file-append (anonip-configuration-anonip config)
+ "/bin/anonip")
+ (string-append "--input=" #$input)
+ (string-append "--output=" #$output))
+ (if #$(anonip-configuration-skip-private? config)
+ '("--skip-private") (list))
+ '#$(optional anonip-configuration-column "--column")
+ '#$(optional anonip-configuration-ipv4mask "--ipv4mask")
+ '#$(optional anonip-configuration-ipv6mask "--ipv6mask")
+ '#$(optional anonip-configuration-increment "--increment")
+ '#$(optional anonip-configuration-replacement
+ "--replacement")
+ '#$(optional anonip-configuration-delimiter "--delimiter")
+ '#$(optional anonip-configuration-regex "--regex"))
+ ;; Run in a UTF-8 locale
+ #:environment-variables
+ (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales
+ "/lib/locale")
+ "LC_ALL=en_US.utf8"))))
+ pid)))
+ (stop #~(make-kill-destructor))))))
(define anonip-service-type
(service-type