* gpg-agent runit run script
From: João @ 2022-09-20 21:51 UTC
To: supervision

Hello everyone,

I would like to have gpg-agent running under runit supervision on a user
runsvdir, but I have been unable to write a run script that works.
Would anyone have an example run script for gpg-agent, or be able to offer any
pointers?

Many thanks,
João

* Re: gpg-agent runit run script
From: Alyssa Ross @ 2022-09-26 17:04 UTC
To: João; +Cc: supervision

João <phlogiston@sapo.pt> writes:

> I would like to have gpg-agent running under runit supervision on a user
> runsvdir, but I have been unable to write a run script that works.
> Would anyone have an example run script for gpg-agent, or be able to offer any
> pointers?

Not an answer to your question, but you might be interested to know
before you spend too much time on it that GnuPG is removing support for
running gpg-agent supervised:

https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e

* Re: gpg-agent runit run script
From: João @ 2022-09-29 9:20 UTC
To: Alyssa Ross; +Cc: supervision

Hello Alyssa,

On Mon, Sep 26, 2022 at 05:04:08PM +0000, Alyssa Ross wrote:
> Not an answer to your question, but you might be interested to know
> before you spend too much time on it that GnuPG is removing support for
> running gpg-agent supervised:
>
> https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e

Thank you for the heads up. This seems like a deliberate regression, and it is a
pity.
Would this make it impossible to supervise gpg-agent, or would there be a way
around it?

Best regards,
João

* Re: gpg-agent runit run script
From: Ellenor Bjornsdottir @ 2022-09-29 9:23 UTC
To: supervision, phlogiston, hi

I'd have to assume that it would be achievable by patching the support
back in, but at that point you are effectively maintaining your own fork
of GPG-Agent.

On 9/29/22 09:20, João wrote:
> Hello Alyssa,
>
> On Mon, Sep 26, 2022 at 05:04:08PM +0000, Alyssa Ross wrote:
>> Not an answer to your question, but you might be interested to know
>> before you spend too much time on it that GnuPG is removing support for
>> running gpg-agent supervised:
>>
>> https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e
> Thank you for the heads up. This seems like a deliberate regression, and it is a
> pity.
> Would this make it impossible to supervise gpg-agent, or would there be a way
> around it?
>
> Best regards,
> João

--
Ellenor Agnes Bjornsdottir (she)
sysadmin umbrellix.net
jabber: ellenor ~on~ umbrellix.net

* Re: gpg-agent runit run script
From: Guillermo @ 2022-09-28 18:46 UTC
To: Supervision

On Tue, 20 Sep 2022 at 18:51, João wrote:
>
> I would like to have gpg-agent running under runit supervision on a user
> runsvdir, but I have been unable to write a run script that works.
> Would anyone have an example run script for gpg-agent, or be able to offer any
> pointers?

As already suggested, gpg-agent's --supervised command is probably the
closest thing that would do what you want, but in that case, gpg-agent
will:

* expect to have a properly set up environment, which runit's 'chpst
-e' could do. This includes variable GPG_TTY, which should contain the
name of a valid terminal that the supervision tree would have to make
available.
* expect to receive a bound and listening UNIX domain socket as file
descriptor 3, which runit tools alone can't do (but
s6-ipcserver-socketbinder from s6 can).

Then, also as already mentioned, this command has been deprecated
since GnuPG 2.3.6, so, in my opinion, it's better to just have
gpg-agent started by other GnuPG programs, as the manual says.

G.

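Added example, not part of the thread and not GnuPG, runit or s6 code: a small Python wrapper (hypothetical name `fd3exec`) for the socket step described in the message above. It binds and listens on a UNIX socket with owner-only permissions, hands it to the program as file descriptor 3, and refuses to start without `GPG_TTY`. The `LISTEN_FDS`/`LISTEN_PID` variables follow the sd_listen_fds(3) convention and are an assumption here, since the thread does not mention them; the socket path and program come from the command line.

```python
#!/usr/bin/env python3
"""fd3exec (hypothetical name): bind a UNIX socket, pass it as fd 3, exec a program."""
import os
import socket
import stat
import sys


def bind_listen(path, target_fd=3, backlog=64):
    """Bind and listen on `path`, leaving the socket inheritable on target_fd."""
    try:  # clear a stale socket from a previous run, but never a regular file
        if stat.S_ISSOCK(os.lstat(path).st_mode):
            os.unlink(path)
    except FileNotFoundError:
        pass
    old_umask = os.umask(0o077)  # owner-only: access to the socket is access to the agent
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
    finally:
        os.umask(old_umask)
    sock.listen(backlog)
    if sock.fileno() == target_fd:
        os.set_inheritable(target_fd, True)
        sock.detach()  # keep the descriptor open after the object is dropped
    else:
        os.dup2(sock.fileno(), target_fd, inheritable=True)
        sock.close()
    return target_fd


def child_env(env, pid):
    """Environment for the exec'd program; refuses to continue without GPG_TTY."""
    if not env.get("GPG_TTY"):
        raise SystemExit("GPG_TTY is not set; export it (e.g. via chpst -e) first")
    out = dict(env)
    # Assumption: sd_listen_fds(3) convention, not stated in the thread.
    out["LISTEN_FDS"] = "1"
    out["LISTEN_PID"] = str(pid)  # exec keeps the PID, so this matches the child
    return out


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        bind_listen(sys.argv[1])
        os.execvpe(sys.argv[2], sys.argv[2:], child_env(os.environ, os.getpid()))
    print("usage: fd3exec SOCKET_PATH PROG [ARGS...]", file=sys.stderr)
```

In a runit run script this would be the final command, for example `exec chpst -e ./env fd3exec SOCKET_PATH gpg-agent --supervised`, with `GPG_TTY` supplied by the `./env` directory.
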
* Re: gpg-agent runit run script
From: João Pedro Malhado @ 2022-09-29 9:37 UTC
To: Guillermo; +Cc: Supervision

Hello Guillermo,

On Wed, Sep 28, 2022 at 03:46:01PM -0300, Guillermo wrote:
> On Tue, 20 Sep 2022 at 18:51, João wrote:
> >
> > I would like to have gpg-agent running under runit supervision on a user
> > runsvdir, but I have been unable to write a run script that works.
> > Would anyone have an example run script for gpg-agent, or be able to offer any
> > pointers?
>
> As already suggested, gpg-agent's --supervised command is probably the
> closest thing that would do what you want, but in that case, gpg-agent
> will:
>
> * expect to have a properly set up environment, which runit's 'chpst
> -e' could do. This includes variable GPG_TTY, which should contain the
> name of a valid terminal that the supervision tree would have to make
> available.
> * expect to receive a bound and listening UNIX domain socket as file
> descriptor 3, which runit tools alone can't do (but
> s6-ipcserver-socketbinder from s6 can).

Thank you for this. It is this latter aspect of setting up the sockets which I'm
struggling with.
You mention that s6 tools can do this. Would I be right to presume this could be
set up in the runit run script in some other way without s6?

The Void Linux manual shows gpg-agent running as an example, but they don't show
the run script, so I don't know how they set it up.
https://docs.voidlinux.org/config/services/user-services.html

Any examples or pointers would be appreciated.

> Then, also as already mentioned, this command has been deprecated
> since GnuPG 2.3.6, so, in my opinion, it's better to just have
> gpg-agent started by other GnuPG programs, as the manual says.
>

This is a pity as gpg-agent is a long running process which is the sort of thing
you would want to run under supervision.
I guess it is not possible to supervise a process if the rebel thing does not
want to be supervised?

Best regards,
João

* Re: gpg-agent runit run script
From: Alexis @ 2022-09-29 12:12 UTC
To: João Pedro Malhado; +Cc: Guillermo, supervision

João Pedro Malhado <phlogiston@sapo.pt> writes:

> The Void Linux manual shows gpg-agent running as an example, but they
> don't show the run script, so I don't know how they set it up.
> https://docs.voidlinux.org/config/services/user-services.html

Duncaen's run script for gpg-agent is here:

https://github.com/Duncaen/dotfiles/blob/master/sv/gpg-agent/run

It's actually an execline script that makes use of
s6-ipcserver-socketbinder. Also note that the script calls
gpg-agent with `--supervise`.

> This is a pity as gpg-agent is a long running process which is the
> sort of thing you would want to run under supervision.

Well, the typical reason we want to run something under
supervision is to ensure it's up, because (a) there are processes
relying on it being up, and (b) those processes aren't themselves
able to start the relevant process. But this isn't the case with
gpg-agent: the main programs that utilise it know how to start it
themselves if necessary, so it doesn't matter if a gpg-agent
process exits abnormally, as a new one will get created when
required.

Alexis.

* Re: gpg-agent runit run script
From: Guillermo @ 2022-09-29 21:56 UTC
To: supervision

On Thu, 29 Sep 2022 at 9:22, Alexis wrote:
>
> João Pedro Malhado writes:
>
> > The Void Linux manual shows gpg-agent running as an example, but they
> > don't show the run script, so I don't know how they set it up.
> > https://docs.voidlinux.org/config/services/user-services.html
>
> Duncaen's run script for gpg-agent is here:
>
> https://github.com/Duncaen/dotfiles/blob/master/sv/gpg-agent/run

The combination of Duncaen's run script, and the Void Handbook's
example /etc/sv/runsvdir-<username>/run script, at least if used
verbatim, does not appear to set up GPG_TTY. gpg-agent might start,
but I'm not sure if things will work well if, e.g., it wants to run
the pinentry program...

G.

* Re: gpg-agent runit run script
From: Alexis @ 2022-09-30 2:00 UTC
To: Guillermo; +Cc: supervision

Guillermo <gdiazhartusch@gmail.com> writes:

> The combination of Duncaen's run script, and the Void Handbook's
> example /etc/sv/runsvdir-<username>/run script, at least if used
> verbatim, does not appear to set up GPG_TTY. gpg-agent might start,
> but I'm not sure if things will work well if, e.g., it wants to run
> the pinentry program...

Yeah. Trying to get a program to run in ways it's not intended to
be run can get complex at the best of times, but i'd be
particularly wary of trying to do so with a program that's
security infrastructure; i'd worry about accidentally creating
vulnerabilities not present when the program is used in the
intended manner.

Alexis.

* Re: gpg-agent runit run script
From: João @ 2022-09-30 9:06 UTC
To: Alexis; +Cc: supervision

Hello Alexis,

On Thu, Sep 29, 2022 at 10:12:49PM +1000, Alexis wrote:
> João <phlogiston@sapo.pt> writes:
>
> > The Void Linux manual shows gpg-agent running as an example, but they
> > don't show the run script, so I don't know how they set it up.
> > https://docs.voidlinux.org/config/services/user-services.html
>
> Duncaen's run script for gpg-agent is here:
>
> https://github.com/Duncaen/dotfiles/blob/master/sv/gpg-agent/run
>
> It's actually an execline script that makes use of
> s6-ipcserver-socketbinder. Also note that the script calls gpg-agent with
> `--supervise`.

Thank you for this. It is helpful to look at an example.

> > This is a pity as gpg-agent is a long running process which is the
> > sort of thing you would want to run under supervision.
>
> Well, the typical reason we want to run something under supervision is to
> ensure it's up, because (a) there are processes relying on it being up, and
> (b) those processes aren't themselves able to start the relevant process.
> But this isn't the case with gpg-agent: the main programs that utilise it
> know how to start it themselves if necessary, so it doesn't matter if a
> gpg-agent process exits abnormally, as a new one will get created when
> required.

You have a point.
But I guess you still lose a common consistent way of checking the status and
controlling the processes in your system.

Best regards,
João