On Mon, 13 Jul 2020 22:01:47 -0400 Julien Lepiller <[email protected]> wrote:
> On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> <[email protected]> wrote:
> >
> >my service definition is as follows:
> >
> >--8<---------------cut here---------------start------------->8---
> >(define-record-type* <kyc-configuration>
> >  kyc-configuration make-kyc-configuration
> >  kyc-configuration?
> >  (package kyc-configuration-package
> >           (default kyc))
> >  (user kyc-configuration-user
> >        (default "kyc-service"))
> >  (group kyc-configuration-group
> >         (default "kyc-service")))
> >
> >(define %kyc-accounts
> >  (list (user-group (name "kyc-service"))
> >        (user-group (name "kyc-rpc"))
> >        (user-account
> >         (name "kyc-service")
> >         (group "kyc-service")
> >         (system? #f)
> >         (supplementary-groups '("wheel" "kyc-rpc" "video"))
> >         (comment "KYC service user"))))
> >
> >(define kyc-shepherd-service
> >  (match-lambda
> >    (($ <kyc-configuration> package user group)
> >     (list (shepherd-service
> >            (provision '(kyc))
> >            (documentation "Run KYC as a daemon.")
> >            (requirement '(networking user-processes))
> >            (modules `((srfi srfi-1)
> >                       (srfi srfi-26)
> >                       ,@%default-modules))
> >            (start #~(make-forkexec-constructor
> >                      (list
> >                       (string-append #$package "/bin/kyc"))
> >                      #:user #$user
> >                      #:group #$group
> >                      #:environment-variables
> >                      (list (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
> >                            (string-append "HOME=" "/home/" #$user))))
> >            (stop #~(make-kill-destructor)))))))
> >
> >(define kyc-service-type
> >  (service-type
> >   (name 'kyc)
> >   (extensions (list (service-extension shepherd-root-service-type
> >                                        kyc-shepherd-service)
> >                     (service-extension account-service-type
> >                                        (const %kyc-accounts))))
> >   (default-value (kyc-configuration))))
> >
> >--8<---------------cut here---------------end--------------->8---
> >
> >is there anything that I missed for this service definition?
>
> I don't see in your snippet where you create the socket or where you
> change ownership of it, so I don't really understand what is going
> wrong.
>
> Maybe the service itself is responsible for creating the socket and
> changing ownership? In that case, I wouldn't use #:user or #:group,
> as these will run the service as the unprivileged user from the
> start, instead of running it as root and letting it change user after
> it's set up things.
>
> If you want to create the socket yourself, why not use an
> activation-service-type?

Thanks for your response. The application itself is responsible for creating the socket, and the socket is created without problem, but when I try to change the ownership of the socket file, I receive an "operation not permitted" error. I also logged in as the user responsible for running the service and ran the application manually; socket creation and the permission-setting operations succeeded.

Referring to the above snippet, when I perform all these operations manually, everything works without problem:

--8<---------------cut here---------------start------------->8---
kyc-service@kyc-station /tmp/rpc$ whoami
kyc-service
kyc-service@kyc-station /tmp/rpc$ groups
kyc-service wheel kyc-rpc
kyc-service@kyc-station /tmp/rpc$ ll
total 0
srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc
kyc-service@kyc-station /tmp/rpc$ ll
total 0
srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
--8<---------------cut here---------------end--------------->8---

--
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/
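One check worth making after the exchange above (an added example, not code from the thread or from Guix): on Linux an unprivileged process may `chown` a file to a different group only if that group is in its own credential set, so the daemon's `Groups:` line in `/proc/<pid>/status` should be compared with the interactive `groups` output shown above. The status texts and numeric gids below are constructed samples.

```shell
#!/bin/sh
# Added diagnostic: read the supplementary group set of a process from
# /proc/<pid>/status and test whether a given gid is present. A chown to
# a group that is missing here fails with EPERM for a non-root process,
# even though a login shell of the same user (which gets its groups
# from /etc/group) would succeed.

# Constructed samples (not real /proc output; gids are made up).
# 1001 stands for the primary group, 1002 for the target group.
SAMPLE_STATUS_NO_SUPP='Name: kyc
Uid: 1000 1000 1000 1000
Gid: 1001 1001 1001 1001
Groups: 1001 '

SAMPLE_STATUS_WITH_SUPP='Name: kyc
Uid: 1000 1000 1000 1000
Gid: 1001 1001 1001 1001
Groups: 998 1001 1002 '

# groups_of_status STATUS_TEXT
#   prints the gids found on the "Groups:" line, space separated
groups_of_status() {
    printf '%s\n' "$1" \
        | awk '/^Groups:/ { $1 = ""; print }' \
        | tr -s ' \t' ' ' \
        | sed 's/^ //; s/ $//'
}

# status_has_gid STATUS_TEXT GID
#   exit 0 if GID is in the process's supplementary groups, 1 otherwise
status_has_gid() {
    for g in $(groups_of_status "$1"); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# check_proc PID GID
#   same test against a live process; e.g. check_proc "$(pgrep -o kyc)" 1002
check_proc() {
    status_has_gid "$(cat "/proc/$1/status")" "$2"
}
```

If the daemon's group set lacks the target gid while the login shell's does not, the difference lies in how the process was started, not in `/etc/group` or the socket itself.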
