s6-rc-init verbose equivalent messages?

2021-08-19 Thread Dewayne Geraghty
Is there any way of tracking down the cause of the following fatal failure?
# /usr/local/bin/s6-rc-init -c /s/comp -l /s/run /s/scan
s6-rc-init: fatal: unable to supervise service directories in
/s/run/servicedirs: No such file or directory

I've completed a disk-disk copy, as I need to integrate s6 into
hardenedbsd.  The compile command works:
# /usr/local/bin/s6-rc-compile -v9 /s/comp /usr/local/etc/s6
...
all good.  But s6-rc-init is stuck, as above.  There are no changes to
the system except IP addresses. I'm baffled!

Regards, Dewayne.


Re: Query on s6-log and s6-supervise

2021-06-08 Thread Dewayne Geraghty
Apologies, I'd implied that we have multiple s6-supervise processes
running and their children pipe to one file which is read by one s6-log
file.

You can achieve this outcome by using s6-rc's, where one consumer can
receive multiple inputs from producers.

There is a special (but not unique) case where a program, such as apache
which will have explicit log files (defined in apache's config file) to
record web-page accesses and error logs, on a per server basis.  Because
all the supervised apache instances can write to one error logfile, I
instructed apache to write to a pipe.  Multiple supervised apache
instances using the one pipe (aka funnel), which was read by one s6-log.
 This way reducing the number of (s6-log) processes.  I could do the
same with the access logs and use the regex function of s6-log, but I
tend to simplicity.


Re: Query on s6-log and s6-supervise

2021-06-08 Thread Dewayne Geraghty
Thanks Laurent, that's really interesting.  By comparison, my FBSD
system uses:

# ps -axw -o pid,vsz,rss,time,comm | grep s6
   virt KB  resident cpu total
38724   10904   1600 0:00.02 s6-log
41848   10788   1552 0:00.03 s6-log
42138   10848   1576 0:00.01 s6-log
4   10888   1596 0:00.02 s6-log
45878   10784   1516 0:00.00 s6-svscan
54453   10792   1544 0:00.00 s6-supervise
... lots ...
67937   10792   1540 0:00.00 s6-supervise
76442   10724   1484 0:00.01 s6-ipcserverd
76455   11364   1600 0:00.01 s6-fdholderd
84229   10896712 0:00.01 s6-log

Processes pull-in both ld-elf and libc.so, from procstat -v
start   end path
0x1021000   0x122a000   /usr/local/bin/s6-supervise
0x801229000 0x80124f000 /libexec/ld-elf.so.1
0x801272000 0x80144c000 /lib/libc.so.7

Yes - libc is ... large.

Arjun, if you want to reduce the number of s6-log processes perhaps
consider piping them to a file which s6-log reads from.  For example we
maintain various web servers, the accesses are unique and of interest to
customers, but they don't (really) care about the errors so we aggregate
this with one s6-log. Works very well  :)


Re: s6-rc : Anomalies or normal behaviour

2020-10-05 Thread Dewayne Geraghty
On 4/10/2020 1:14 pm, Laurent Bercot wrote:
>> 1. I expected to see the date in seconds since time epoch, but result is
>> variable name
>> # execlineb -Pc 'backtick D { date "+%s" } echo $D'
>> $D
> 
>  Normal behaviour, since there's no shell to interpret $D as the
> contents of variable D. Try using "importas D D" before the echo:
> it will read the value of D and substitute $D with this value, so
> echo will print the value. Yeah, execline is annoying like that, it's
> just a habit to take.
>  Also, you generally want "backtick -n", to chomp the newline at
> the end of your input.
> 
> 
>> ---
>> 2. When I use emptyenv within an execlineb script, I have a "defunct"
>> zombie process
>> 89685  3  S<   0:00.01   |-- s6-supervise base:time-srv
>>  3020  -  S> -N -g -u ntpd --nofork
>>  3601  -  Z<   0:00.00   |   `-- 
>>
>> The time server script is
>> #!/usr/local/bin/execlineb -P
>> emptyenv
>> multidefine -d " " "base time ntpd /usr/local/sbin/ntpd" { JAIL SERVICE
>> USER PROGRAM }
>> background { echo Starting service $SERVICE using $PROGRAM on $JAIL
>> under user $USER }
>> fdmove 2 1
>> redirfd -w 1 /m/base:time/fifo
>> $PROGRAM -c /etc/ntp.conf -N -g -u $USER --nofork
>>
>> removing emptyenv, prevents the zombie from being created.  Is this
>> normal?
> 
>  The zombie is the echo program in your background block, since it's a
> direct child of your run script and there's nothing that reaps it
> after it's forked (fdmove, redirfd, ntpd - those programs don't expect
> to inherit a child). So the zombie is expected. To prevent that, use
> "background -d", which will doublefork your echo program, so it will
> be reparented to pid 1 which will reap it properly.
> 
EDIT My error, the problem was background, and -d fixes this.
>  The anomaly is that you *don't* have that zombie without emptyenv;
> my first guess is that there's something in your environment that changes
> the behaviour of ntpd and makes it reap the zombie somehow.
> 
> 
>> ---
>> 3. Is it normal/standard/good practice to include a dependency in a
>> bundle.  For example, I have a "time" bundle whose contents are
>> time-srv.  time-srv starts the ntpd service, and has as a dependency
>> time-log.
>>
>> Using "s6-rc -u change time", everything behaves as documented, ie
>> starts "time" which starts time-log, then time-srv.  However
>>
>> # s6-rc -v 9 -d change base:time
>> s6-rc: info: bringing selected services down
>> s6-rc: info: processing service base:time-srv: stopping
>> s6-rc: info: service base:time-srv stopped successfully
>> # Starting logging service time for base with user s6log folder
>> /var/log/time
>>
>> and the time-log continues running.
> 
>  If you only have time-srv in your 'time' bundle, then time-srv and
> time are equivalent. Telling s6-rc to bring down time will do the
> exact same thing as telling it to bring down time-srv. time-log is
> not impacted. So the behaviour is expected.
> 
>  If you want "s6-rc -d change time" to also bring down time-log, then
> yes, you should add time-log to the time bundle. Then 'time' will
> address both time-srv and time-log.
> 
> 
>> y 6 seconds  # This is time-srv
>> up (pid 85131) 6 seconds  # This is time-log,so it
>> has been restarted
> 
>  If you're using a manually created named pipe to transmit data
> from time-srv to time-log, that pipe will close when time-srv exits,
> and your logger will get EOF and probably exit, which is why it
> stopped; but time-log's supervisor has received no instruction that
> it should stop, so it will restart it. This is also expected.
> 
>  The simplest way of achieving the behaviour you want is s6-rc's
> integrated pipeline feature. Get rid of your named pipe and of your
> stdout (for time-srv) and stdin (for time-log) redirections; get rid
> of your time bundle definition. Then declare time-log as a consumer
> for time-srv and time-srv as a producer for time-log. In the
> time-log source definition directory, write 'time' into the
> pipeline-name file. Then recompile your database.
> 
>  This will automatically create a pipe between time-srv and time-log;
> the pipe will be held open so it won't close even if one of the
> processes exits; and it will automatically create a 'time' bundle
> that contains both time-srv and time-log.
> 
>  You're on the right track. :)
> 
> -- 
>  Laurent
> 
> 
Laurent,

Thank-you very much.  Using your advice (re 1 & 2) I've redeployed our
testing platform and everything works as expected :)

re 3. Implementing the producer-for/consumer-for pair, we've gone from
(The application server in jail b3 to log server in jail b2 Ref1).

# cat b3:named-setup2/up
#!/usr/local/bin/execlineb -P
define D /m/b3/fifo/named
foreground { if -n { test -p $D } foreground { /usr/bin/mkfifo $D } }
foreground { /usr/sbin/chown s6log:named $D }
foreground { /bin/chmod 720 $D }

# cat b3:named2/run
#!/usr/local/bin/execlineb -P
fdmove 2 1
redirfd -w 1 /m/b3/fifo/named
/usr/sbin/jexec b3 

Re: s6-rc : Anomalies or normal behaviour

2020-10-03 Thread Dewayne Geraghty
Apologies, my earlier email, item 2, pointed to emptyenv as the cause of
zombie processes on FreeBSD 12.2S, actually it is due to background.

# execlineb -Pc 'background { echo hello } pipeline { ps -axw } grep
defunct'
hello
30144  0  Z+   0:00.00 

while the following tests both foreground and emptyenv
# execlineb -Pc 'emptyenv foreground { echo hello } pipeline { /bin/ps
-axw } /usr/bin/grep defunct'
hello
#

Software revision level (as available in the FreeBSD ports system)
execline-2.6.0.1
s6-2.9.1.0
s6-rc-0.5.1.2
skalibs-2.9.2.1

Further detail:
# execlineb -Pc 'emptyenv background { echo hello } pipeline { /bin/ps
-axwwdo pid,ppid,stat,command } /usr/bin/grep -B1  "defunct"'
hello
71212 70760 Ss   | | `-- -csh (csh)
16885 71212 S+   | |   `-- /usr/bin/grep -B1 defunct
17052 16885 Z+   | | |-- 

I've also placed a ktrace and kdump of
execlineb -Pc 'ktrace -f /tmp/bgnd.kt /usr/local/bin/background {
/bin/ps } echo a'
here
http://www.heuristicsystems.com/s6/


s6-rc : Anomalies or normal behaviour

2020-10-03 Thread Dewayne Geraghty
Is this correct behaviour or are these just anomalies?
1. Use of backtick variable assignment on FreeBSD doesn't appear correct
2. Use of emptyenv results in a remnant "defunct" process
3. Should a bundle's contents file include the dependencies of its
contents file, for a down change to the bundle to bring the service's
components down?


1. I expected to see the date in seconds since time epoch, but result is
variable name
# execlineb -Pc 'backtick D { date "+%s" } echo $D'
$D

Note: this isn't how I intend to use backtick, but I try to use the
simplest case to understand how things work

---
2. When I use emptyenv within an execlineb script, I have a "defunct"
zombie process
89685  3  S<   0:00.01   |-- s6-supervise base:time-srv
 3020  -  S

The time server script is
#!/usr/local/bin/execlineb -P
emptyenv
multidefine -d " " "base time ntpd /usr/local/sbin/ntpd" { JAIL SERVICE
USER PROGRAM }
background { echo Starting service $SERVICE using $PROGRAM on $JAIL
under user $USER }
fdmove 2 1
redirfd -w 1 /m/base:time/fifo
$PROGRAM -c /etc/ntp.conf -N -g -u $USER --nofork

removing emptyenv, prevents the zombie from being created.  Is this normal?

---
3. Is it normal/standard/good practice to include a dependency in a
bundle.  For example, I have a "time" bundle whose contents are
time-srv.  time-srv starts the ntpd service, and has as a dependency
time-log.

Using "s6-rc -u change time", everything behaves as documented, ie
starts "time" which starts time-log, then time-srv.  However

# s6-rc -v 9 -d change base:time
s6-rc: info: bringing selected services down
s6-rc: info: processing service base:time-srv: stopping
s6-rc: info: service base:time-srv stopped successfully
# Starting logging service time for base with user s6log folder
/var/log/time

and the time-log continues running.

Admittedly
# s6-svstat /s/scan/base:time-srv ; s6-svstat /s/scan/base:time-log
down (exitcode 0) 6 seconds, ready 6 seconds  # This is time-srv
up (pid 85131) 6 seconds  # This is time-log,so it
has been restarted

To obtain the desired/expected behaviour and bring time-log down must it
also be added to the bundle's contents?

These observations were made using FreeBSD 12.2Stable on amd64.

Apologies for still asking newbie questions, but I'm trying to embed s6
here, which translates to properly understand.
Regards, Dewayne.


Re: runit SIGPWR support

2020-02-12 Thread Dewayne Geraghty
Yes Colin, you're right.  PWR is not in the FreeBSD list of signals, per
# kill -l
HUP INT QUIT ILL TRAP ABRT EMT FPE KILL BUS SEGV SYS PIPE ALRM TERM URG
STOP TSTP CONT CHLD TTIN TTOU IO XCPU XFSZ VTALRM PROF WINCH INFO USR1
USR2 LWP

Also doesn't appear in Open Group Base Specifications Issue 7 list of
signals https://pubs.opengroup.org/onlinepubs/9699919799/
Cheerio.


Re: s6 usability

2019-12-22 Thread Dewayne Geraghty
On the question of PATH for BSD land (FreeBSD, TrueOS, HardenedBSD et 
al), binaries installed from packages (ports) live under /usr/local, 
with the exception of /var and /tmp.  The wars were fought and 
/usr/local can easily be mounted read-only.


Of the 1446 packages I have installed (no desktop stuff),
the breakdown is

# ls /usr/local/bin/ | wc -l
2857
# ls /usr/local/sbin/ | wc -l
 349
# find /usr/local/bin/ -type d -depth 1
/usr/local/bin/db5; # No directories under /usr/local/sbin
# ls /usr/local/libexec|wc -l
  72

The placement of files, is more a "distribution" decision that I'm sure 
is already settled.


On the documentation front, Laurent's work is very good, but I did find 
the examples from the gentoo docset for s6 & s6-rc, a life saver for 
someone with no prior process or service management background.  (I'd 
only used monit previously, and still do to reload application configs 
and some other system state change events over s6 tools).


Re: s6 usability

2019-12-01 Thread Dewayne Geraghty

Hi Steve,


> Does the *user* need to code execline scripts, or is it just
> something the program does? If the former, then make a point that one
> doesn't need to use execline for s6-rc to be a very powerful startup
> system.


No the user doesn't need to write execline scripts. The following 
equally applies to s6-rc.


Refer to: https://skarnet.org/software/s6/overview.html
for:
"execline makes it natural to handle long command lines made of massive 
amounts of chain loading. This is by no means mandatory, though: a run 
script can be any executable file you want, provided that running it 
eventually results in a long-lived process with the same PID."



Regarding creating a s6 subdir of bin.  I have some 1325 applications 
(FreeBSD people call them ports), only 1 has a separate directory under bin.




Re: runit patches to fix compiler warnings on RHEL 7

2019-11-29 Thread Dewayne Geraghty

Jan,

I'm also a virgin to process/service management software, learning 
s6-rc, s6, execlineb is not for the faint-hearted nor the time-poor. 
Getting a handle on the concepts, and the naming conventions - it's 
really hard work.


Execline enforces a discipline, a rigor demanding anticipatory planning 
(to get right).  I ran some performance tests and execlineb is 
marginally better.  So why persist?  Largely because an execline script 
is immediately obvious and explicit.  Seriously, at a glance you know 
what the script will achieve.  Could I write a sh script to do the same 
task?  Yes, and probably do it a lot quicker.  But.  I would lose the 
elegance and readability - where sh has an equivalence with assembler, 
execline is akin to BASIC, it makes you think differently :)


I'm developing solutions for PROTECTED level security (it's an Australian 
Govt thing), and skarnet's service management provides assurance, and 
s6-log provides near-certainty of logging completeness. I'm very happy 
with the toolset, worth the time investment.


Re: s6-log can create current with 640?

2019-10-26 Thread Dewayne Geraghty
Hi Laurent,  Answers embedded

On 26/10/2019 4:27 pm, Laurent Bercot wrote:
>> I'd mistakenly assumed execlineb knew where its friends were; though in
>> hindsight it's a bit much to assume that execlineb internally changes the
>> PATH.
> 
> The real question is, why is there a "umask" binary that's not the one
> from execline? Non-chainloading non-builtin umask is nonsense, just
> like non-chainloading non-builtin cd.
> 

I can only shed a ray of light, though this /usr/bin/umask has been
around for some time.  I fired up an old FreeBSD 9.2 system that has it.
Content being:

#!/bin/sh
# $FreeBSD: stable/9/usr.bin/alias/generic.sh 151635 2005-10-24 22:32:19Z cperciva $
# This file is in the public domain.
builtin ${0##*/} ${1+"$@"}

which is the same as 12.1.  Why? I can only refer to src logs:

...

r151635 | cperciva | 2005-10-25 08:32:19 +1000 (Tue, 25 Oct 2005) | 10 lines

Use the "builtin" shell function to make sure that the requested
command is handled as a shell function.  This avoids the following
peculiar behaviour when /usr/bin is on a case-insensitive filesystem:
# READ foo
(... long pause, depending upon the amount of swap space available ...)
sh: Resource temporarily unavailable.

...

r100200 | wollman | 2002-07-17 08:16:05 +1000 (Wed, 17 Jul 2002) | 5 lines

A little bit more thought has resulted in a generic script which can
implement any of the useless POSIX-required ``regular shell builtin''
utilities, saving one frag and one inode each.  The script moves to
usr.bin/alias which is alphabetically the first of these commands.



the last entry before the cvs logs were transferred to svn.


Examining the Makefile /usr/src/usr.bin/alias/Makefile
# $FreeBSD: stable/12/usr.bin/alias/Makefile 284255 2015-06-11 04:22:17Z sjg $

SCRIPTS=generic.sh
SCRIPTSNAME=alias

LINKS=  ${BINDIR}/alias ${BINDIR}/bg \
${BINDIR}/alias ${BINDIR}/cd \
${BINDIR}/alias ${BINDIR}/command \
${BINDIR}/alias ${BINDIR}/fc \
${BINDIR}/alias ${BINDIR}/fg \
${BINDIR}/alias ${BINDIR}/getopts \
${BINDIR}/alias ${BINDIR}/hash \
${BINDIR}/alias ${BINDIR}/jobs \
${BINDIR}/alias ${BINDIR}/read \
${BINDIR}/alias ${BINDIR}/type \
${BINDIR}/alias ${BINDIR}/ulimit \
${BINDIR}/alias ${BINDIR}/umask \
${BINDIR}/alias ${BINDIR}/unalias \
${BINDIR}/alias ${BINDIR}/wait

and yes they exist in /usr/bin/

From tcsh
# which cd
cd: shell built-in command.

From sh
# which echo
/bin/echo

Ok - that's done my head in.
> 
>> Unfortunately it seems that the path can't be set within execlineb
>> context.
> 
> Of course it can. What's happening is that both export and envfile
> set the PATH *on execution of the next command*, so the command that's
> right after them will still be searched with the old PATH. In other words:
> 
> "export PATH /usr/local/bin umask 033 echo blah" will not work, because
> umask will still be searched for in the old PATH (but echo would be
> searched in the new PATH), but
> "export PATH /usr/local/bin exec umask 033 echo blah" will work, because
> exec is searched in the old PATH and umask is searched in the new PATH.
> 
> (exec is an execline nop that can be useful in those cases, if you
> don't have another command to put between the export PATH and the
> command you need to search in the new PATH.)
>

Thank-you, the explanation helps.  I guess through bad experiences with
(non-execline) exec, I avoid it unless I really do want to transfer
control to it.

I think with this example
# rm -v /tmp/t1 ; setenv PATH
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin ; execlineb -Pc 'importas
op PATH emptyenv export PATH /usr/local/bin:$op exec umask 002 redirfd
-w 1 /tmp/t1 echo blah4' ; /bin/ls -l t1 ; cat /tmp/t1
/tmp/t1
-rw-rw-r--  1 root  wheel  6 26 Oct 18:02 t1
blah4

Due to the above discussion around umask, I will have to consider either
adding to my execline scripts :(
importas op PATH
emptyenv
export PATH /usr/local/bin:$op

or explicit paths as needed.

Thank-you to the contributors for your patience.
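
The lookup problem discussed in this thread, as an added example that is not part of the original messages: it shows how the first `umask` found in PATH decides whether the rest of a chain-loaded command line runs at all, and that a file's mode is fixed by the mask in effect when the file is opened. The two `umask` scripts, the directory names and the function names are constructed stand-ins for illustration; execline is not required.

```shell
#!/bin/sh
# Added illustration. Both "umask" scripts are constructed stand-ins; they are
# not FreeBSD's /usr/bin/umask or execline's umask, and execline is not needed.

# Build two bin directories under $1, each holding a program named "umask".
make_fixture() {
    mkdir -p "$1/sysbin" "$1/chainbin"
    # Non-chain-loading: sets the mask in its own process, then exits.
    # Everything after the mask on the command line is silently dropped.
    cat > "$1/sysbin/umask" <<'EOF'
#!/bin/sh
umask "$1"
EOF
    # Chain-loading: sets the mask, then executes the rest of the command line.
    cat > "$1/chainbin/umask" <<'EOF'
#!/bin/sh
umask "$1"
shift
exec "$@"
EOF
    chmod 755 "$1/sysbin/umask" "$1/chainbin/umask"
}

# Print the first executable named $1 found in the PATH value $2.
resolve() {
    _old=$IFS; IFS=:
    _hit=
    for _d in $2; do
        if [ -z "$_hit" ] && [ -x "$_d/$1" ]; then _hit=$_d/$1; fi
    done
    IFS=$_old
    printf '%s\n' "$_hit"
}

# Print "<mode> <bytes>" for file $1, or "absent" if it was never created.
report() {
    if [ -e "$1" ]; then
        printf '%s %s\n' "$(ls -l "$1" | cut -c1-10)" "$(wc -c < "$1" | tr -d ' ')"
    else
        echo absent
    fi
}

# Chain "umask 033 <write hello to $2>", with umask looked up in PATH value $1.
# env is used so that the external program is run, not the shell builtin.
mask_then_create() {
    rm -f "$2"
    _env=$(command -v env)
    ( umask 027
      PATH=$1 "$_env" umask 033 /bin/sh -c 'echo hello > "$1"' sh "$2" )
    report "$2"
}

# Chain "<open $2 as stdout> umask 037 echo hello": the file is opened under
# the inherited mask (027 here) before any umask program runs.
create_then_mask() {
    rm -f "$2"
    _env=$(command -v env)
    ( umask 027
      exec > "$2"
      PATH=$1 "$_env" umask 037 /bin/echo hello )
    report "$2"
}

demo() {
    _t=$(mktemp -d)
    make_fixture "$_t"
    for _p in "$_t/sysbin:$_t/chainbin" "$_t/chainbin:$_t/sysbin"; do
        echo "first umask in PATH: $(resolve umask "$_p")"
        echo "  umask 033, then create: $(mask_then_create "$_p" "$_t/t1")"
        echo "  create, then umask 037: $(create_then_mask "$_p" "$_t/t1")"
    done
    rm -rf "$_t"
}
demo
```
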


Re: s6-log can create current with 640?

2019-10-25 Thread Dewayne Geraghty
On 26/10/2019 4:06 am, Guillermo wrote:
...
> Let me guess: the value of PATH is
> /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin,
> execline's chain loading umask is in /usr/local/bin, and FreeBSD
> happens to have an 'umask' shell script in /usr/bin. If that is
> correct, then you'll have to either use the absolute pathname
> /usr/local/bin/umask in the execlineb chain, or run it with a PATH in
> which /usr/local/bin comes before /usr/bin.
> 
> G.
> 

Irk!  Thank-you Guillermo, your guess is correct.
I'd mistakenly assumed execlineb knew where its friends were; though in
hindsight it's a bit much to assume that execlineb internally changes the
PATH.

This works correctly
# rm /tmp/t1 ; setenv PATH
"/usr/local/bin:/bin:/sbin:/usr/sbin:/usr/bin" ; printenv | grep -i path
; ktrace -f /tmp/t1-pathok-umaskfirst \
/usr/local/bin/execlineb -Pc 'export path "/usr/local/bin" umask 033
redirfd -w 1 /tmp/t1 echo hello' ; echo $? ; ls -l /tmp/t1

PATH=/usr/local/bin:/bin:/sbin:/usr/sbin:/usr/bin
0
-rw-r--r--  1 root  wheel  6 26 Oct 11:19 /tmp/t1

as does
/usr/local/bin/execlineb -Pc '/usr/local/bin/umask 033
/usr/local/bin/redirfd -w 1 /tmp/t1 echo hello'

Unfortunately it seems that the path can't be set within execlineb context.

I tried both "path" and "PATH" in the following export and envfile examples.

export

/usr/local/bin/execlineb -Pc '/usr/local/bin/export PATH /usr/local/bin
umask 033 redirfd -w 1 /tmp/t1 echo hello' ; echo $? ; ls -l /tmp/t1
rm: /tmp/t1: No such file or directory
PATH=/bin:/sbin:/usr/sbin:/usr/bin
0
ls: /tmp/t1: No such file or directory

envfile

/usr/local/bin/execlineb -Pc '/usr/local/bin/envfile /tmp/e umask 035
redirfd -w 1 /tmp/t1 echo hello' ; echo $? ; ls -l /tmp/t1
where /tmp/e
path = /usr/local/bin:/bin:/sbin:/usr/sbin:/usr/bin

I've moved the various kdumps into
http://www.heuristicsystems.com/s6-umask/

However I don't think there is a problem with export as
/usr/local/bin/execlineb -Pc 'export T1 /tmp/t1 umask 033 importas T1v
T1 redirfd -w 1 $T1v echo hello'
works correctly, but envfile doesn't; might be worth a look. (?)

Kind regards, Dewayne



Re: s6-log can create current with 640?

2019-10-25 Thread Dewayne Geraghty
Laurent, I've embedded responses:

On 24/10/2019 10:58 am, Laurent Bercot wrote:
>> My initial attempt
>>
>> #!/usr/local/bin/execlineb -P
>> s6-setuidgid uucp
>> redirfd -r 0 /services/ntp/fifo
>> umask 037
>> /usr/local/bin/s6-log -b n14 r7000 s10 S300 !"/usr/bin/xz -7q"
>> /var/log/ntpd
> 
>  Hi Dewayne,
> 
>  - Is there a reason why you're using a manually created fifo instead
> of the built-in logging facility offered by s6-svscan? You could tell
> ntpd to log to /dev/stdout, and have the logger in a ntpd/log service
> directory, and your logs would automatically be available on your
> logger's stdin.
> 
That's really testing my memory! I recall using the producer/consumer
pair; as well as s6-trig-notify and s6-ftrig-listen. But at the end of
the day, processes like apache have multiple log files, and in my case 5
access log files and one error log.  So either I use one aggregated log
(input) with multiple regex expressions in an s6-log statement (which I
was advised against doing) or multiple
s6-log for each input, which I chose.

In addition the log content needs to traverse different VM contexts,
where I usually use lo0; but in this case, a nullfs and fifo was the
better choice per some early benchmarks (via the wrk tool).

Re: ntp and its log file?  Yes within a single machine context, one
process writes to stdout and another takes that as input for s6-log to
handle, makes sense (and easy).  However the "logger" will relocate to a
separate VM, when unrelated problems with an ASLR enabled ntpd are
fixed.  Again a nullfs and fifo are sufficient - one VM writes to the
fifo, a different user in a different VM reads & processes the log via
s6-log.

Aside: If someone isn't familiar with FreeBSD, it can be hard to get a
handle on FreeBSD jails, it's a bit more than a simple chroot.  I think
it's reasonable to consider them as very lightweight VMs.  Each can have
separate security levels, shared memory; multiple network interfaces and
IP addresses etc; all sharing the one kernel.  The only con, is that the
first IP address is treated as routable and localhost points to it.


>  - About umask: that's very strange. Can you strace, or ktrace, or
> whatever tool gives you a list of system calls, the script? It will
> show exactly what's going on.
> 

Apologies for the delay. Needed to rebuild the kernel to enable ktrace.

Results for umask
rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'redirfd -w 1 /tmp/t1 umask
037 echo hello' ; echo $? ; ls -l /tmp/t1
0
-rw-r-  1 root  wheel  0 25 Oct 18:33 /tmp/t1

rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'redirfd -w 1 /tmp/t1 umask
023 echo hello' ; echo $? ; ls -l /tmp/t1
0
-rw-r-  1 root  wheel  0 25 Oct 18:36 /tmp/t1

I've placed the ktrace's dumpfile in txt format so it's readable for you at
http://www.heuristicsystems.com/s6-umask/t1.kdump

The OS umask is 027.

I also tried what I thought was the more logical
# rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'umask 033 redirfd -w 1
/tmp/t1 echo hello' ; echo $? ; ls -l /tmp/t1
0
ls: /tmp/t1: No such file or directory

This ktrace is
http://www.heuristicsystems.com/s6-umask/t1-umask-redirfd.kdump

I think the relevant lines are
   276 sh   CALL  umask(0)
   276 sh   RET   umask 23/0x17
   276 sh   CALL  umask(027)
   276 sh   RET   umask 0
   276 sh   CALL  umask(033)
   276 sh   RET   umask 23/0x17
   276 sh   CALL  read(0xa,0x104c9d0,0x400)

Platform details:
# uname -pivKU; cc -v ; ld -v
FreeBSD 12.1-STABLE #5 r353671M: Fri Oct 25 09:12:32 AEDT 2019  amd64
hqdev-amd64-smp-vga 1201500 1201500
FreeBSD clang version 8.0.1 (tags/RELEASE_801/final 366581) (based on
LLVM 8.0.1)
Target: x86_64-unknown-freebsd12.1
Thread model: posix
InstalledDir: /usr/bin
LLD 8.0.1 (FreeBSD 366581-128) (compatible with GNU linkers)

If there is anything I can do to assist please let me know.  (Though I
haven't worked in C since 1990...)

Kind regards, Dewayne


Re: s6-log can create current with 640?

2019-10-23 Thread Dewayne Geraghty
Thanks Jonathon.  Both attempts were within the execlineb context, so I
assume that umask was correctly employed ;).  I tried

My initial attempt

#!/usr/local/bin/execlineb -P
s6-setuidgid uucp
redirfd -r 0 /services/ntp/fifo
umask 037
/usr/local/bin/s6-log -b n14 r7000 s10 S300 !"/usr/bin/xz -7q"
/var/log/ntpd

which results in notice of "# echo: write: Broken pipe"; the ntp process
properly starts but there is no ntp logging process.

---
The usual flow is
echo: write: Broken pipe
...

and in quick succession (<1 sec):

# ps -axww | grep ntpd
28869  -  Rs 0:00.00 s6-setuidgid uucp redirfd -r 0
/service/fifo umask 037 /usr/local/bin/s6-log -b n14 r7000 s10
S300 !/usr/bin/xz -7q /var/log/ntpd

# ps -axww | grep ntpd
29457  -  Ss 0:00.03 /usr/local/sbin/ntpd -c /etc/ntp.conf -u
ntpd -x -G --nofork

and /var/log/ntpd folder is empty (with mode rwx--)
---

If I move umask up one line (before redirfd), the logging process
doesn't start; and blocks the start of ntp.  There is a dependency
relationship ntp-log <- ntp  so this is expected.

I was surprised that umask didn't work, but not overly concerned; as
Colin, quite rightly, pointed to my directory permissions as being
adequate.  Now to migrate sendmail and its milters...

Regards, Dewayne


Re: s6-log can create current with 640?

2019-10-22 Thread Dewayne Geraghty
Thank-you, Colin.

My brain turned to mush integrating logging with fifo queues across
multiple jails (aka very lightweight VMs) and disjoint users (userA
writes, userB reads).  Unfortunately they're across various jailed
systems, so the s6 fifo tools aren't applicable.  I appreciate your
advice, and yes, if there was anyone in the uucp group, I could be
labelled "overly permissive"!  ;^)

Kind regards, Dewayne.
PS I've gotten to like s6, it helped me discover a "workaround" for an
aslr issue with ntp, which under normal circumstance I would've given up.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241421



s6-log can create current with 640?

2019-10-22 Thread Dewayne Geraghty
Is there any way to tell s6-log to set the mode to ./current to
something other than 644?  640 is preferred?

For example: I write to the logdir /var/log/httpd/error which has privs:

/var/log/http
drwx--  2 uucp  uucp   1.0K Oct 23 12:37 error/

Within /var/log/httpd/error
-rwxr--r--  1 uucp  uucp   190K Oct 23 12:37 @40005dafaf1b180d862c.s*
-rw-r-  1 uucp  uucp 0B Oct 23 12:37 state
-rw-r--r--  1 uucp  uucp 0B Oct 23 12:37 current

I did try umask 037 but that just broke the pipe.

All my log files are of this form
#!/usr/local/bin/execlineb -P
s6-setuidgid uucp
redirfd -r 0 /services/ntp/fifo
/usr/local/bin/s6-log -b n28 r7000 s20 S700 !"/usr/bin/xz -7q"
/var/log/ntpd

This is a big deal as I'm about to move my audit processing under s6-rc.

(Aside: Actually I write to a fifo and then redirfd for s6-log to pick
up the content and manage the log files.  All works very nicely :) )


Re: A better method than daisy-chaining logging files?

2019-06-19 Thread Dewayne Geraghty
Thanks Pica.  I've sent the ktraces to Laurent and will update when
possible.



Re: A better method than daisy-chaining logging files?

2019-06-18 Thread Dewayne Geraghty
Good point.
# ls -lrtha /var/log/httpd | grep error; ls -lrtha /var/log/httpd/error
drwx--   2 mylogger  www 512B Jun 18 17:31 error
total 12
-rw-r--r--  1 mylogger  www 0B Jun 18 17:31 state
-rw-r--r--  1 mylogger  www 0B Jun 18 17:31 lock
drwxrwxrwx  6 mylogger  www   512B Jun 18 17:31 ..
drwx--  2 mylogger  www   512B Jun 18 17:31 .
-rw-r--r--  1 mylogger  www   329B Jun 18 17:32 current

Reflects my effort in previous testing that I forgot to reset! :)
And there are no mandatory security labels in effect, for completeness ;)


Re: A better method than daisy-chaining logging files?

2019-06-18 Thread Dewayne Geraghty
Thanks Joan, I appreciate the advice, unfortunately the box I'm working
returns:

# ps -axw | grep s6-l|grep erro
83417  -  Is 0:00.01 s6-log n14 r7000 s10 S300 n14 -.*
+fatal: 2 -.* +^STAT =/var/log/httpd/error/status f !/usr/bi

# ktrace -f /tmp/s-log.txt -p 83417
ktrace: /tmp/s-log.txt: Function not implemented

It's a preproduction box, everything optimised and stripped (no debug
symbols).

I've worked with nullfs since 2004, probably a little delicate then, but
I've used extensively on customer sites and its proven to be ok. :)  The
nullfs component is where the files are piped through, and not the
end-point destination which is ufs2 on an SSD.
Regards, Dewayne.


Re: A better method than daisy-chaining logging files?

2019-06-18 Thread Dewayne Geraghty
Sure.  I don't think the permissions are particularly weird? ;)

Remember we're effectively talking about two VM's one running apache and
the other being a log recipient, so priv's aren't a big deal in this
latter's context.  On the logger, the files, as requested are:

# ls -lrth /var/log/httpd | grep error ; ls -lrth  /var/log/httpd/error
drwx--  2 mylogger  www   512B Jun 18 15:06 error/
total 44
-rw-r--r--  1 mylogger  www 0B Jun 18 15:06 state
-rw-r--r--  1 mylogger  www 0B Jun 18 15:06 lock
-rw-r--r--  1 mylogger  www41K Jun 18 16:04 current

When I send
s6-svc -a /run/scan/apache24-error-log
the processor does its job correctly.

And while the systems are all running, and simply remove mylogger from
the www group, then sending an alarm to the service works correctly.

-rw-r--r--  1 mylogger  www 0B Jun 18 15:06 lock
-rwxr--r--  1 mylogger  www   2.7K Jun 18 16:59 @40005d088c11012cc9f4.s*
-rw-r--r--  1 mylogger  www 0B Jun 18 17:03 state
-rw-r--r--  1 mylogger  www 0B Jun 18 17:03 current
-rwxr--r--  1 mylogger  www64B Jun 18 17:03 @40005d088cd6113d5a5c.s*

However when I remove mylogger from the www group and restart (into a
relatively pristine test environment), it all works well but we return
to the original problem:

# s6-svc -a /run/scan/apache24-error-log
 # lh /var/log/httpd | grep error ; lh
/var/log/httpd/error
drwx--  2 mylogger  www   512B Jun 18 17:05 error/
total 4
-rw-r--r--  1 mylogger  www 0B Jun 18 17:04 lock
-rw-r--r--  1 mylogger  www 0B Jun 18 17:05 state
-rwxr--r--  1 mylogger  www   304B Jun 18 17:05 processed*
-rw-r--r--  1 mylogger  www 0B Jun 18 17:05 current

with the resulting
s6-log: warning: unable to finish processed .s to logdir
/var/log/httpd/error: Operation not permitted

This is on a box that lacks development tools, so tracing will take some
time to sort out; sorry. :/

FreeBSD does have tweakable knobs to prevent seeing other uids or gids
which were enabled, but disabling made no difference (I thought we were
onto something for a minute there).
Cheers, Dewayne


Re: A better method than daisy-chaining logging files?

2019-06-17 Thread Dewayne Geraghty
Laurent, if you keep this up, I'm going to think you're mystical.

Putting mylogger into the www group did fix the "problem".  And not
without a sigh of relief!

FYI: The fifo queue permissions, which the jail sees
pr---w  1 mylogger  www 0B May 31 13:27 apache24-error|

The final log repository, in the logging jail
# ls -lrth /var/log/httpd/error
-rw-r--r--  1 mylogger  www 0B Jun 18 07:43 state
-rw-r--r--  1 mylogger  www 0B Jun 18 07:43 lock
-rw-r--r--  1 mylogger  www 0B Jun 18 07:43 current
-rwxr--r--  1 mylogger  www   329B Jun 18 07:43 @40005d08099e33134f4c.s*
but now with
www:*:80:mylogger

Thank-you.
Regards, Dewayne
PS. I'll investigate the u:x and o:r permissions later.


A better method than daisy-chaining logging files?

2019-05-30 Thread Dewayne Geraghty
I'm still working the Apache problem, and I'm using s6-log to manage the
logs.

I just attempted to link an apache24 instance to its log files via a
bundle, which isn't acceptable to s6-rc-compile.

The approach attempted was to chain:
1. apache24 (longrun) and is a producer-for apache24-log
2. apache24-log (bundle) is a consumer-for apache24, with contents (the
following two longruns for logging)
3. apache24-access-log (longrun) & apache24-error-log (longrun)

Is it envisaged that s6-rc would enable something like this in the
future, or will the following method remain:

1. apache24 (longrun) and is a producer-for apache24-access-log
-. apache24-log (bundle) [ only for admin, though largely redundant ]
2. apache24-access-log (longrun) consumer-for apache24, producer-for
apache24-error-log
3. apache24-error-log (longrun) consumer-for apache24-access-log

The link between items 2 and 3 is fictional as is the absence of a
connection between 1 and 3.

Ideally having:
apache24 as producer-for (both) apache24-access-log and
apache24-error-log  might be another option as it reflects reality.  But
this also isn't acceptable to the s6-rc-compile.

This is a very simplified example as I have 6 sites to manage, and it
seems wrong to complicate the setup with artificial links with s6-rc?

I'm very interested to understand the reasoning.

Kind regards, Dewayne




Re: s6-log problem with +regex

2019-05-09 Thread Dewayne Geraghty
Thank-you Guillermo & Laurent.  I appreciate the detail, being a virgin
to daemontools this is a steep learning curve as I'm trying to wean off
monit.

The solution works nicely (& as intended) when using the workaround regex:

redirfd -r 0 /tmp/af
/usr/local/bin/s6-log n3 -.* +^a /tmp/a-only -.* +^b /tmp/b-only  -.*
+^c /tmp/c-only -.* +^\\\[ /tmp/date-only f /tmp/default

However without any control directive, the result is:
s6-log: usage: s6-log [ -d notif ] [ -q | -v ] [ -b ] [ -p ] [ -t ] [ -e
] [ -l linelimit ] logging_script

Though running s6-log without a control directive is probably a little
silly, perhaps the requirement to have one may be worthwhile mentioning
in the doc.

Aside: I had originally placed
ErrorLog "|/usr/local/bin/s6-log -b n32 s5 S700
/var/log/httpd-error T !'/usr/bin/xz -7q' /var/log/httpd-error"
into apache24 which worked well in testing (one httpd), but of course in
production there are lots of httpd that do NOT use the parent for
logging errors, so locking is a problem.

Because I have three websites (3x error files, 3x access files) I was
looking at using 6 pipelines into two s6-log processes and regex's to
route the content. (hence my original example).  Is this a good use of
resources or better to pipeline (funnel) to their own s6-log?

Kind regards, Dewayne.


s6-log problem with +regex

2019-05-09 Thread Dewayne Geraghty
Thank-you for s6-rc and friends.  I came across two items:
1. the s6-log in testing requires a control directive. In my testing
without a T, t, n $VALUE for example, the s6-log command failed.
2. The regular expression preceded by a + unintentionally matches
everything, which was surprising as I intended to maintain separate logs
 which emanated from the same process (apache24)

So to testing.  My test comprised an input /tmp/af with the intention of
four separate s6-log managed logdirs. The logdirs' structure was
correctly created, however three contained the same content, and the
default contained nothing.  So the reduced form of testing looks like this:
# cat /tmp/af   # a file of text to be processed
a line of text not selected
b nother line of text
c more lines
[date] with line of text

The intention is to create a separate log based on a regex of the first
character.  Unfortunately the selection mechanism failed and the entire
content of the test file (/tmp/af) was duplicated, ie unselectively.

The following places the content of /tmp/af into /tmp/date-only.

#!/usr/local/bin/execlineb -P ; # The testing script
redirfd -r 0 /tmp/af
/usr/local/bin/s6-log -b n3 +^\\\[ /tmp/date-only  f s100 S1500 T
/tmp/default

The following works correctly, in that date-only does not contain the
[date] line.  It does contain the rest of /tmp/af, while /tmp/default
does contain only the date (input line).

# cat s6-test.sh
#!/usr/local/bin/execlineb -P
redirfd -r 0 /tmp/af
/usr/local/bin/s6-log -b n3 -^\\\[ /tmp/date-only  f s100 S1500 T
/tmp/default

Incidentally using the s6-log command
/usr/local/bin/s6-log -b n3 +^\\\[ /tmp/date-only  s10 S150 T +^b
/tmp/b-only  f s100 S1500 T /tmp/default
results in both
/tmp/date-only/current and /tmp/b-only/current
containing all of /tmp/af, /tmp/default had the expected structure but
empty current file.

The platform is amd64 FreeBSD 11.2Stable built May 6, clang v7.0.0 and
clang 8.0.0

PS I haven't made sense of the hyphen in the example, after "E500 - " on
page https://www.skarnet.org/software/s6/s6-log.html.  Testing resulted in
s6-log: fatal: unrecognized directive: -
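
The selection behaviour reported in this post, and the `-.*` workaround from the reply, modelled as an added Python example (not part of the original messages and not s6-log's own code). It assumes Python's `re` in place of POSIX regexes and ignores control directives; `route`, `AF` and `WORKAROUND` are names made up here.

```python
import re

# Constructed input: the four lines of /tmp/af shown in the post.
AF = [
    "a line of text not selected",
    "b nother line of text",
    "c more lines",
    "[date] with line of text",
]

# The workaround script from the reply, as a list of directives.
WORKAROUND = ["n3", "-.*", "+^a", "/tmp/a-only", "-.*", "+^b", "/tmp/b-only",
              "-.*", "+^c", "/tmp/c-only", "-.*", r"+^\[", "/tmp/date-only",
              "f", "/tmp/default"]


def route(script, lines):
    """Model s6-log selection directives; return {logdir: [lines written]}.

    Assumption of this model: selection state carries over from one action
    to the next. The scripts used here give the same result if it were
    instead reset to "selected" after each action.
    """
    out = {d: [] for d in script if d.startswith("/")}
    for line in lines:
        selected = True   # every line starts out selected
        acted = False     # has any action already taken this line?
        for d in script:
            if d.startswith("+"):
                # '+' only re-selects lines that are currently deselected,
                # so on a fresh (all-selected) line it changes nothing.
                if not selected and re.search(d[1:], line):
                    selected = True
            elif d.startswith("-"):
                if selected and re.search(d[1:], line):
                    selected = False
            elif d == "f":
                selected = not acted
            elif d.startswith("/"):
                if selected:
                    out[d].append(line)
                    acted = True
            # anything else (n3, s100, S1500, T, ...) is a control directive
    return out


if __name__ == "__main__":
    for logdir, got in route(WORKAROUND, AF).items():
        print(logdir, got)
```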