From: Dewayne Geraghty
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: s6-log can create current with 640?
Date: Fri, 25 Oct 2019 19:20:31 +1100
Message-ID: <62d9001a-73bd-5cfe-4c47-f561c4dfabea@heuristicsystems.com.au>
References: <6f3a28f8-798c-9a55-e79b-2e54b37edf2e@heuristicsystems.com.au> <01b8c564-887f-16cf-405c-8bcfc52c02b1@heuristicsystems.com.au>
To: supervision@list.skarnet.org
Cc: Laurent Bercot
Laurent, I've embedded responses:

On 24/10/2019 10:58 am, Laurent Bercot wrote:
>> My initial attempt
>>
>> #!/usr/local/bin/execlineb -P
>> s6-setuidgid uucp
>> redirfd -r 0 /services/ntp/fifo
>> umask 037
>> /usr/local/bin/s6-log -b n14 r7000 s100000 S3000000 !"/usr/bin/xz -7q" /var/log/ntpd
>
>  Hi Dewayne,
>
>  - Is there a reason why you're using a manually created fifo instead
> of the built-in logging facility offered by s6-svscan? You could tell
> ntpd to log to /dev/stdout, and have the logger in a ntpd/log service
> directory, and your logs would automatically be available on your
> logger's stdin.
>

That's really testing my memory! I recall using the producer/consumer pair, as well as s6-trig-notify and s6-ftrig-listen. But at the end of the day, processes like apache have multiple log files, and in my case 5 access log files and one error log. So either I use one aggregated log (input) with multiple regex expressions in an s6-log statement (which I was advised against doing) or multiple s6-log for each input, which I chose. In addition the log content needs to traverse different VM contexts, where I usually use lo0; but in this case, a nullfs and fifo was the better choice per some early benchmarks (via the wrk tool).

Re: ntp and its log file? Yes, within a single machine context, one process writes to stdout and another takes that as input for s6-log to handle; makes sense (and easy). However the "logger" will relocate to a separate VM, when unrelated problems with an ASLR-enabled ntpd are fixed. Again a nullfs and fifo are sufficient - one VM writes to the fifo, a different user in a different VM reads & processes the log via s6-log.

Aside: If someone isn't familiar with FreeBSD, it can be hard to get a handle on FreeBSD jails; it's a bit more than a simple chroot. I think it's reasonable to consider them as very lightweight VMs. Each can have separate security levels, shared memory, multiple network interfaces and IP addresses etc; all sharing the one kernel. The only con is that the first IP address is treated as routable and localhost points to it.

>  - About umask: that's very strange. Can you strace, or ktrace, or
> whatever tool gives you a list of system calls, the script? It will
> show exactly what's going on.
>

Apologies for the delay. Needed to rebuild the kernel to enable ktrace.

Results for umask

rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'redirfd -w 1 /tmp/t1 umask 037 echo hello' ; echo $? ; ls -l /tmp/t1
0
-rw-r----- 1 root wheel 0 25 Oct 18:33 /tmp/t1

rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'redirfd -w 1 /tmp/t1 umask 023 echo hello' ; echo $? ; ls -l /tmp/t1
0
-rw-r----- 1 root wheel 0 25 Oct 18:36 /tmp/t1

I've placed the ktrace's dumpfile in txt format so it's readable for you at
http://www.heuristicsystems.com/s6-umask/t1.kdump

The OS umask is 027.

I also tried what I thought was the more logical

# rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'umask 033 redirfd -w 1 /tmp/t1 echo hello' ; echo $? ; ls -l /tmp/t1
0
ls: /tmp/t1: No such file or directory

This ktrace is http://www.heuristicsystems.com/s6-umask/t1-umask-redirfd.kdump

I think the relevant lines are

   276 sh       CALL  umask(0)
   276 sh       RET   umask 23/0x17
   276 sh       CALL  umask(027)
   276 sh       RET   umask 0
   276 sh       CALL  umask(033)
   276 sh       RET   umask 23/0x17
   276 sh       CALL  read(0xa,0x104c9d0,0x400)

Platform details:

# uname -pivKU; cc -v ; ld -v
FreeBSD 12.1-STABLE #5 r353671M: Fri Oct 25 09:12:32 AEDT 2019 amd64 hqdev-amd64-smp-vga 1201500 1201500
FreeBSD clang version 8.0.1 (tags/RELEASE_801/final 366581) (based on LLVM 8.0.1)
Target: x86_64-unknown-freebsd12.1
Thread model: posix
InstalledDir: /usr/bin
LLD 8.0.1 (FreeBSD 366581-1200008) (compatible with GNU linkers)

If there is anything I can do to assist please let me know. (Though I haven't worked in C since 1990...)

Kind regards, Dewayne
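An added example, not code from this thread or from execline/s6, illustrating the ordering effect behind the first two runs above: a file's mode is fixed at open(2) time as 0666 & ~umask, so a umask program that runs after redirfd has already created the file changes nothing, which is why both runs produced 0640 under the process umask of 027. POSIX sh subshells stand in for the execline chain; the helper names and temporary paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from execline/s6.
# A file's mode is decided once, at open(2) time, as 0666 & ~umask.
# In an execline chain that means 'umask 037 redirfd -w 1 FILE ...'
# and 'redirfd -w 1 FILE umask 037 ...' behave differently: in the
# second form redirfd has already created FILE under the inherited
# umask before the umask program ever runs.
# mode_of, umask_then_create, create_then_umask: hypothetical helpers.

mode_of() {
    # permission string only (first ten characters of ls -l), e.g. -rw-r-----
    ls -l "$1" | cut -c1-10
}

umask_then_create() {
    # $1 = umask set BEFORE the file is created (umask ... redirfd ... order)
    d=$(mktemp -d); f="$d/current"
    ( umask "$1"; : > "$f" )
    mode_of "$f"
    rm -rf "$d"
}

create_then_umask() {
    # $1 = umask set AFTER the file exists (redirfd ... umask ... order).
    # Creation happens under a fixed 022 here, standing in for the
    # inherited process umask; the later umask call cannot alter the file.
    d=$(mktemp -d); f="$d/current"
    ( umask 022; : > "$f"; umask "$1"; echo hello >> "$f" )
    mode_of "$f"
    rm -rf "$d"
}

echo "umask 037 then create: $(umask_then_create 037)"   # -rw-r-----
echo "create then umask 037: $(create_then_umask 037)"   # -rw-r--r--
```

For a log file that should stay group-readable only, the umask therefore has to be set before the program that opens the file, whether that is redirfd or s6-log itself.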