Hi Carlo,
On Mon, 05 Feb 2018 21:49:08 +1100
Carlo Zancanaro <ca...@zancanaro.id.au> wrote:
> User services - Alex has already sent a patch to the list to allow
> generating user services from the Guix side. The idea is to
> generate a Shepherd config file, allowing a user to invoke
> shepherd manually to start their services.
>A further extension to
> this would be to have something like systemd's "user sessions",
> where the pid 1 Shepherd automatically starts a user's services
> when they log in.
I assume that means "starts a user's shepherd when they log in".
elogind already emits a signal on dbus which tells you when a user logged in
return sd_bus_emit_signal(
u->manager->bus,
"/org/freedesktop/login1",
"org.freedesktop.login1.Manager",
new_user ? "UserNew" : "UserRemoved",
"uo", (uint32_t) u->uid, p);
Also, a directory /run/user/<id> appears - which alternatively can be
monitored by inotify or something.
So the system shepherd could have a shepherd service which does
while (1) {
wait until /run/user/<id> appears
vfork
if child: setuid, exec user shepherd, _exit
if parent: wait until child dies
}
We better be sure that no one else can create directories in /run/user .
In non-pseudocode, both "wait until /run/user/<id> appears" and
"wait until child dies" would have to be in the same call,
maybe epoll or something.
Maybe call the service shepherd-nursery-service or something, like a star
nursery :)
> Child process control - this is my personal frustration, where
> Shepherd loses track of processes that fork away (e.g. "emacs
> --daemon"). I barely know anything about Linux process management,
> but from my reading this can be solved through Linux namespaces
> (if user namespaces are available). Could someone who knows more
> about this let me know if that's a productive direction for me to
> investigate? Or tell me a better way to go about it?
User namespaces just present a different set of names to your process
(via VFS) so it looks like a chroot basically.
It does nothing for processes except fake their ids and limit your
overview of them.
You probably want process groups (see setsid(2)) or maybe containers.
