From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: supervision@list.skarnet.org
Cc: Laurent Bercot <ska-supervision@skarnet.org>
Subject: Re: s6-log can create current with 640?
Date: Fri, 25 Oct 2019 19:20:31 +1100
Message-ID: <62d9001a-73bd-5cfe-4c47-f561c4dfabea@heuristicsystems.com.au>
In-Reply-To: <emdb2737ee-616d-424d-8a41-8c813d7263f6@elzian>

Laurent, I've embedded responses:

On 24/10/2019 10:58 am, Laurent Bercot wrote:
>> My initial attempt
>>
>> #!/usr/local/bin/execlineb -P
>> s6-setuidgid uucp
>> redirfd -r 0 /services/ntp/fifo
>> umask 037
>> /usr/local/bin/s6-log -b n14 r7000 s100000 S3000000 !"/usr/bin/xz -7q"
>> /var/log/ntpd
>
> Hi Dewayne,
>
> - Is there a reason why you're using a manually created fifo instead
> of the built-in logging facility offered by s6-svscan? You could tell
> ntpd to log to /dev/stdout, and have the logger in a ntpd/log service
> directory, and your logs would automatically be available on your
> logger's stdin.
>
That's really testing my memory! I recall using the producer/consumer
pair; as well as s6-trig-notify and s6-ftrig-listen. But at the end of
the day, processes like apache have multiple log files, and in my case 5
access log files and one error log. So either I use one aggregated log
(input) with multiple regex expressions in an s6-log statement (which I
was advised against doing) or multiple s6-log for each input, which I
chose.

In addition the log content needs to traverse different VM contexts,
where I usually use lo0; but in this case, a nullfs and fifo was the
better choice per some early benchmarks (via the wrk tool).

Re: ntp and its log file? Yes within a single machine context, one
process writes to stdout and another takes that as input for s6-log to
handle, makes sense (and easy). However the "logger" will relocate to a
separate VM, when unrelated problems with an ASLR enabled ntpd are
fixed. Again a nullfs and fifo are sufficient - one VM writes to the
fifo, a different user in a different VM reads & processes the log via
s6-log.

Aside: If someone isn't familiar with FreeBSD, it can be hard to get a
handle on FreeBSD jails, it's a bit more than a simple chroot. I think
it's reasonable to consider them as very lightweight VMs. Each can have
separate security levels, shared memory; multiple network interfaces and
IP addresses etc; all sharing the one kernel. The only con is that the
first IP address is treated as routable and localhost points to it.

> - About umask: that's very strange. Can you strace, or ktrace, or
> whatever tool gives you a list of system calls, the script? It will
> show exactly what's going on.
>
Apologies for the delay. Needed to rebuild the kernel to enable ktrace.

Results for umask

rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'redirfd -w 1 /tmp/t1 umask 037 echo hello' ; echo $? ; ls -l /tmp/t1
0
-rw-r----- 1 root wheel 0 25 Oct 18:33 /tmp/t1

rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'redirfd -w 1 /tmp/t1 umask 023 echo hello' ; echo $? ; ls -l /tmp/t1
0
-rw-r----- 1 root wheel 0 25 Oct 18:36 /tmp/t1

I've placed the ktrace's dumpfile in txt format so it's readable for you at
http://www.heuristicsystems.com/s6-umask/t1.kdump

The OS umask is 027.

I also tried what I thought was the more logical

# rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'umask 033 redirfd -w 1 /tmp/t1 echo hello' ; echo $? ; ls -l /tmp/t1
0
ls: /tmp/t1: No such file or directory

This ktrace is
http://www.heuristicsystems.com/s6-umask/t1-umask-redirfd.kdump

I think the relevant lines are
276 sh CALL umask(0)
276 sh RET umask 23/0x17
276 sh CALL umask(027<S_IWGRP|S_IROTH|S_IWOTH|S_IXOTH>)
276 sh RET umask 0
276 sh CALL umask(033<S_IWGRP|S_IXGRP|S_IWOTH|S_IXOTH>)
276 sh RET umask 23/0x17
276 sh CALL read(0xa,0x104c9d0,0x400)
Platform details:
# uname -pivKU; cc -v ; ld -v
FreeBSD 12.1-STABLE #5 r353671M: Fri Oct 25 09:12:32 AEDT 2019 amd64
hqdev-amd64-smp-vga 1201500 1201500
FreeBSD clang version 8.0.1 (tags/RELEASE_801/final 366581) (based on
LLVM 8.0.1)
Target: x86_64-unknown-freebsd12.1
Thread model: posix
InstalledDir: /usr/bin
LLD 8.0.1 (FreeBSD 366581-1200008) (compatible with GNU linkers)

If there is anything I can do to assist please let me know. (Though I
haven't worked in C since 1990...)

Kind regards, Dewayne
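
Added example, not part of the original message: a plain POSIX sh sketch (not execline) of how the order of "open the file" and "set the umask" decides the mode of a newly created file, using the OS umask 027 and the values 037, 023 and 033 from the tests above. The function names and the mktemp scratch directory are assumptions made for the illustration.

```sh
#!/bin/sh
# Added demo (constructed): when does umask affect the mode of a redirected file?
# Function names and the mktemp scratch directory are illustrative assumptions.

# Print the 10-character permission string of a file, e.g. -rw-r-----
perms() { ls -l "$1" | cut -c1-10; }

# $1 = umask in effect when the file is opened, $2 = umask set afterwards.
# Same ordering as "redirfd -w 1 FILE umask NNN echo hello".
open_then_umask() {
    d=$(mktemp -d) || return 1
    ( umask "$1"; exec > "$d/t1"; umask "$2"; echo hello )
    perms "$d/t1"
    rm -rf "$d"
}

# $1 = inherited umask, $2 = umask set before the file is opened.
# Same ordering as "umask NNN redirfd -w 1 FILE echo hello".
umask_then_open() {
    d=$(mktemp -d) || return 1
    ( umask "$1"; umask "$2"; exec > "$d/t1"; echo hello )
    perms "$d/t1"
    rm -rf "$d"
}

# 027 is the OS umask reported in the message; 037, 023, 033 are the values tried.
for new in 037 023 033; do
    printf 'umask %s: open first -> %s, umask first -> %s\n' \
        "$new" "$(open_then_umask 027 "$new")" "$(umask_then_open 027 "$new")"
done
```

A shell redirection requests mode 0666, so the umask in force at open time fixes the result and a later umask call leaves the existing file unchanged. Because no execute bit is requested, 037 and 027 both yield 0640, so only the 023 and 033 runs can show whether the new umask was applied.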