* s6/s6-rc policy for Gentoo: user session tracking
@ 2024-07-11 14:53 Paul Sopka
2024-07-13 9:43 ` Peter Pentchev
0 siblings, 1 reply; 6+ messages in thread
From: Paul Sopka @ 2024-07-11 14:53 UTC (permalink / raw)
To: supervision
Since I was not 100% convinced by Turnstile, I made an attempt at a very
simple alternative way to handle user session tracking.
The (currently very crude) script only runs once on each login and
logout and does the following:
On login:
- Possibly create a /run/session/${USER} directory.
- Possibly start the user supervision tree (from S6/s6-rc or OpenRC, or
anything but itself).
- If it does not exist, create a file named after the login type (e.g.
sshd) at /run/session/${USER}/${LOGIN_TYPE}.
- Write a line (any content, but just one line) to
/run/session/${USER}/${LOGIN_TYPE}.
- If the line count in /run/session/${USER}/${LOGIN_TYPE} is 1, start
the bundle corresponding to ${LOGIN_TYPE} e.g. sshd.
- Otherwise, do not do anything.
On logout:
- Delete 1 line from /run/session/${USER}/${LOGIN_TYPE}.
- If all files in sum have 0 lines, stop all user services.
- Otherwise, do not do anything.
The script can be easily adapted to e.g. stop only the corresponding
"${LOGIN_TYPE} bundle" once /run/session/${USER}/${LOGIN_TYPE} reaches 0
lines.
It is supposed to be executed by "pam_exec.so".
It currently expects a s6-rc user-tree to be running as well as
/run/session/${USER} to exist, but it can be easily adapted to prepare
both by itself.
Part of the initial idea I got from Jan Braun, here:
https://skarnet.org/lists/supervision/3132.html.
Here is the (seriously, very crude) script:
#!/bin/execlineb
# Runs from pam_exec.so: PAM_SERVICE, PAM_USER and PAM_TYPE come from the
# PAM environment; -i makes importas fail if any of them is missing.
multisubstitute
{
  importas -Si PAM_SERVICE
  importas -Si PAM_USER
  importas -Si PAM_TYPE
  define SESSIONDIR /run/session
}
define XDG_RUNTIME_DIR /run/user/${PAM_USER}
# Drop privileges: everything below runs as the user logging in.
s6-setuidgid ${PAM_USER}
case ${PAM_TYPE}
{
  open_session
  {
    # Append one line per session to the per-login-type counter file.
    foreground { redirfd -a 1 ${SESSIONDIR}/${PAM_USER}/${PAM_SERVICE} echo "" }
    # Count its lines; default to 0 if the file cannot be read.
    backtick -ED 0 COUNTER { grep -c ^ ${SESSIONDIR}/${PAM_USER}/${PAM_SERVICE} }
    # First session of this type: bring up the matching s6-rc bundle.
    ifelse { test ${COUNTER} -eq 1 }
    {
      s6-rc -l ${XDG_RUNTIME_DIR}/s6-rc start ${PAM_SERVICE}
    }
    exit
  }
  close_session
  {
    # Remove one line (one session) from the counter file. execline does no
    # shell expansion, so "$d" reaches sed literally ("delete last line").
    foreground { sed -i $d ${SESSIONDIR}/${PAM_USER}/${PAM_SERVICE} }
    # Sum the sessions still open across all login types.
    elglob SESSIONS ${SESSIONDIR}/${PAM_USER}/*
    backtick -ED 0 COUNTER { pipeline { cat ${SESSIONS} } grep -c ^ }
    # Leftover debug write to a hard-coded path; not part of the logic.
    foreground { redirfd -w 1 /home/Nanderty/g6log echo ${COUNTER} }
    # Last session of any type: stop all user services.
    ifelse { test ${COUNTER} -eq 0 }
    {
      s6-rc -l ${XDG_RUNTIME_DIR}/s6-rc stop alllogins
    }
    exit
  }
}
I currently see the following things this approach allows, that
Turnstile does not:
- Differentiation between different login methods
- Autostart of user services at boot time, no matter the login state
(not directly enabled by the script, but possible, since the user
service tree is up whatsoever).
(Check these mails for reasons to have the two possibilities mentioned
above:
https://skarnet.org/lists/supervision/3130.html,
https://skarnet.org/lists/supervision/3114.html,
https://skarnet.org/lists/supervision/3121.html).
- Not having an additional daemon running.
- Exposing the session information through the filesystem, so that every
(privileged enough) process that needs to can make use of it.
Of course, Turnstile has a lot of other useful features this does not have.
What do you all think about this approach?
What handling of stopping the user-service bundles do you think is best,
stopping all on last logout, vs. stopping "all in the sshd bundle" on
last "sshd logout", ... ?
Any other alternatives?
Paul
* Re: s6/s6-rc policy for Gentoo: user session tracking
2024-07-11 14:53 s6/s6-rc policy for Gentoo: user session tracking Paul Sopka
@ 2024-07-13 9:43 ` Peter Pentchev
2024-07-13 10:22 ` Paul Sopka
0 siblings, 1 reply; 6+ messages in thread
From: Peter Pentchev @ 2024-07-13 9:43 UTC (permalink / raw)
To: Paul Sopka; +Cc: supervision
On Thu, Jul 11, 2024 at 04:53:51PM +0200, Paul Sopka wrote:
> Since I was not 100% convinced by Turnstile, I made an attempt on a very
> simple alternative way to handle user session tracking.
>
> The (currently very crude) script only runs once on each login and logout
> and does the following:
>
> On login:
>
> - Possibly create a /run/session/${USER} directory.
>
> - Possibly start the user supervision tree (from S6/s6-rc or OpenRC, or
> anything but itself).
>
> - If it does not exist, create a file named after the login type (e.g. sshd)
> at /run/session/${USER}/${LOGIN_TYPE}.
>
> - Write a line (any content, but just one line) to
> /run/session/${USER}/${LOGIN_TYPE}.
>
> - If the line count in /run/session/${USER}/${LOGIN_TYPE} is 1, start the
> bundle corresponding to ${LOGIN_TYPE} e.g. sshd.
These two last points, if you really decide to implement them like that in
the final version, may require some synchronization, e.g. via file locking.
It is not impossible (I mean, it is quite unlikely, but especially with
automated CI systems not impossible *at all*) for two SSH sessions to
come in practically at once, and I have indeed seen shell startup scripts
run the same program at the same time.
It would be... interesting to have one login session write the first line,
then another session immediately write the second one, and then neither of
them will find exactly one line in the file :) And same for logout.
G'luck,
Peter
--
Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
PGP key: https://www.ringlet.net/roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
* Re: s6/s6-rc policy for Gentoo: user session tracking
2024-07-13 9:43 ` Peter Pentchev
@ 2024-07-13 10:22 ` Paul Sopka
2024-07-14 11:41 ` Laurent Bercot
0 siblings, 1 reply; 6+ messages in thread
From: Paul Sopka @ 2024-07-13 10:22 UTC (permalink / raw)
To: Peter Pentchev, supervision
> These two last points, if you really decide to implement them like that in
> the final version, may require some synchronization, e.g. via file locking.
> It is not impossible (I mean, it is quite unlikely, but especially with
> automated CI systems not impossible *at all*) for two SSH sessions to
> come in practically at once, and I have indeed seen shell startup scripts
> run the same program at the same time.
Good point. If I understood everything correctly, this can be easily
solved by the "flock" command, right?
> It would be... interesting to have one login session write the first line,
> then another session immediately write the second one, and then neither of
> them will find exactly one line in the file 🙂 And same for logout.
Indeed.
Have a nice weekend!
Paul
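Added example (editor's code, not Paul's script and not part of s6, s6-rc, Turnstile or PAM): the open/close counting from Paul's first mail, rewritten in POSIX sh with the per-user locking Peter asks for in his reply. Everything hypothetical is labelled as such in the code: SESSIONDIR defaults to a fresh temp dir rather than /run/session, start_bundle and stop_all stand in for "s6-rc -l ${XDG_RUNTIME_DIR}/s6-rc start/stop" and record to an action log, and the lock is a mkdir(2)-based lock rather than flock(1) so it runs without util-linux. concurrent_opens reproduces the two-logins-at-once case: under the lock exactly one of them sees a count of 1 and starts the bundle.

```shell
#!/bin/sh
# Added example: per-user, per-login-type session counting with locking.
# Hypothetical stand-ins (not the real environment):
#  - SESSIONDIR: temp dir instead of /run/session
#  - start_bundle / stop_all: append to $ACTIONS_LOG instead of calling s6-rc
#  - lock_user: mkdir(2)-based lock instead of flock(1); mkdir is atomic
#  - "sleep 0.01" needs GNU or BSD sleep

SESSIONDIR="${SESSIONDIR:-$(mktemp -d)}"
ACTIONS_LOG="${ACTIONS_LOG:-$SESSIONDIR/.actions}"
mkdir -p "$SESSIONDIR"
: >>"$ACTIONS_LOG"

start_bundle() { printf 'start %s %s\n' "$1" "$2" >>"$ACTIONS_LOG"; }
stop_all()     { printf 'stop-all %s\n' "$1" >>"$ACTIONS_LOG"; }

# Per-user lock: exactly one caller succeeds in creating the directory.
lock_user() {
    tries=0
    until mkdir "$SESSIONDIR/$1.lock" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 500 ] || return 1      # give up after ~5 s
        sleep 0.01
    done
}
unlock_user() { rmdir "$SESSIONDIR/$1.lock"; }

# Number of lines in a counter file; 0 if the file is absent or empty.
count_lines() {
    if [ -f "$1" ]; then grep -c '^' "$1" || :; else echo 0; fi
}

# pam_exec open_session: $1 = PAM_USER, $2 = PAM_SERVICE.
# Prints the new count for that login type.
session_open() {
    lock_user "$1" || return 1
    mkdir -p "$SESSIONDIR/$1"
    echo login >>"$SESSIONDIR/$1/$2"            # one line per open session
    n=$(count_lines "$SESSIONDIR/$1/$2")
    if [ "$n" -eq 1 ]; then start_bundle "$1" "$2"; fi
    unlock_user "$1"
    echo "$n"
}

# pam_exec close_session: drops one line from the per-type file, then
# prints how many sessions of any type the user still has open.
session_close() {
    lock_user "$1" || return 1
    f="$SESSIONDIR/$1/$2"
    if [ -f "$f" ]; then
        sed '$d' "$f" >"$f.tmp" && mv "$f.tmp" "$f"   # portable "delete last line"
    fi
    total=0
    for g in "$SESSIONDIR/$1"/*; do
        [ -f "$g" ] || continue
        total=$((total + $(count_lines "$g")))
    done
    if [ "$total" -eq 0 ]; then stop_all "$1"; fi
    unlock_user "$1"
    echo "$total"
}

# Fire $3 opens for user $1 / type $2 at once (the CI scenario from the
# thread) and print the resulting count. With the lock, exactly one of
# them observes a count of 1 and starts the bundle.
concurrent_opens() {
    i=0
    while [ "$i" -lt "$3" ]; do
        session_open "$1" "$2" >/dev/null &
        i=$((i + 1))
    done
    wait
    count_lines "$SESSIONDIR/$1/$2"
}

# How many start / stop-all actions were recorded for a user.
starts_logged() { grep -c "^start $1 $2\$" "$ACTIONS_LOG" || :; }
stops_logged()  { grep -c "^stop-all $1\$" "$ACTIONS_LOG" || :; }

# Stand-alone demo: SESSION_DEMO=1 sh this-file.sh
if [ "${SESSION_DEMO:-0}" = 1 ]; then
    session_open alice sshd; session_open alice sshd
    concurrent_opens bob sshd 5
    session_close alice sshd; session_close alice sshd
    cat "$ACTIONS_LOG"
fi
```

The point of the lock is that the append and the count are one critical section: without it, two appends can land before either count runs, so both openers see 2 and nobody starts the bundle, and the mirror image happens on logout. The same serialization works with flock(1) in a real pam_exec hook; the mkdir variant is used here only to keep the example dependency-free.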
Thread overview (6+ messages):
2024-07-11 14:53 s6/s6-rc policy for Gentoo: user session tracking Paul Sopka
2024-07-13 9:43 ` Peter Pentchev
2024-07-13 10:22 ` Paul Sopka
2024-07-14 11:41 ` Laurent Bercot
2024-07-14 21:00 ` Paul Sopka
2024-07-15 15:34 ` Laurent Bercot