supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
* gpg-agent runit run script
@ 2022-09-20 21:51 João
  2022-09-26 17:04 ` Alyssa Ross
  2022-09-28 18:46 ` Guillermo
  0 siblings, 2 replies; 10+ messages in thread
From: João @ 2022-09-20 21:51 UTC (permalink / raw)
  To: supervision

Hello everyone,

I would like to have gpg-agent running under runit supervision on a user
runsvdir, but I have been unable to write a run script that works.
Would anyone have an example run script for gpg-agent, or be able to offer any
pointers?

Many thanks,
João



* Re: gpg-agent runit run script
  2022-09-20 21:51 gpg-agent runit run script João
@ 2022-09-26 17:04 ` Alyssa Ross
  2022-09-29  9:20   ` João
  2022-09-28 18:46 ` Guillermo
  1 sibling, 1 reply; 10+ messages in thread
From: Alyssa Ross @ 2022-09-26 17:04 UTC (permalink / raw)
  To: João; +Cc: supervision


João <phlogiston@sapo.pt> writes:

> I would like to have gpg-agent running under runit supervision on a user
> runsvdir, but I have been unable to write a run script that works.
> Would anyone have an example run script for gpg-agent, or be able to offer any
> pointers?

Not an answer to your question, but you might be interested to know
before you spend too much time on it that GnuPG is removing support for
running gpg-agent supervised:

https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e



* Re: gpg-agent runit run script
  2022-09-20 21:51 gpg-agent runit run script João
  2022-09-26 17:04 ` Alyssa Ross
@ 2022-09-28 18:46 ` Guillermo
  2022-09-29  9:37   ` João Pedro Malhado
  1 sibling, 1 reply; 10+ messages in thread
From: Guillermo @ 2022-09-28 18:46 UTC (permalink / raw)
  To: Supervision

On Tue, 20 Sep 2022 at 18:51, João wrote:
>
> I would like to have gpg-agent running under runit supervision on a user
> runsvdir, but I have been unable to write a run script that works.
> Would anyone have an example run script for gpg-agent, or be able to offer any
> pointers?

As already suggested, gpg-agent's --supervised command is probably the
closest thing that would do what you want, but in that case, gpg-agent
will:

* expect to have a properly set up environment, which runit's 'chpst
-e' could do. This includes variable GPG_TTY, which should contain the
name of a valid terminal that the supervision tree would have to make
available.
* expect to receive a bound and listening UNIX domain socket as file
descriptor 3, which runit tools alone can't do (but
s6-ipcserver-socketbinder from s6 can).

Then, also as already mentioned, this command has been deprecated
since GnuPG 2.3.6, so, in my opinion, it's better to just have
gpg-agent started by other GnuPG programs, as the manual says.

G.
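The two requirements above (a listening UNIX socket handed over as fd 3, plus a prepared environment with GPG_TTY) can be met without s6 by a small helper that does what s6-ipcserver-socketbinder does before exec'ing gpg-agent. The following is an added stand-in written for this thread, not s6's code and not Duncaen's script; the socket path and the exact gpg-agent command line are assumptions.

```python
import os
import socket
import stat
import sys

# Added stand-in (not s6's code, not Duncaen's script) for the one step runit
# tools cannot do on their own: bind and listen on a UNIX socket, hand it to
# gpg-agent as inheritable fd 3, and exec "gpg-agent --supervised".
SOCKET_PATH = os.path.expanduser("~/.gnupg/S.gpg-agent")  # assumed location
GPG_AGENT_CMD = ["gpg-agent", "--supervised"]             # assumed command line


def bind_listening_socket(path: str, backlog: int = 16) -> socket.socket:
    """Bind a fresh listening UNIX socket at `path`, replacing a stale socket file."""
    try:
        if stat.S_ISSOCK(os.lstat(path).st_mode):
            os.unlink(path)  # a stale socket left behind by a previous instance
    except FileNotFoundError:
        pass
    old_umask = os.umask(0o177)  # the socket file is created owner-only (0600)
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
    finally:
        os.umask(old_umask)
    sock.listen(backlog)
    return sock


def place_on_fd(sock: socket.socket, target_fd: int = 3) -> int:
    """Move the socket to `target_fd` and make it survive exec (clear close-on-exec)."""
    fd = sock.detach()  # take ownership of the raw descriptor from the socket object
    if fd != target_fd:
        os.dup2(fd, target_fd, inheritable=True)  # dup2 result is inheritable
        os.close(fd)
    else:
        os.set_inheritable(fd, True)
    return target_fd


def supervised_env(gpg_tty: str) -> dict:
    """Environment gpg-agent expects; GPG_TTY must name a real, usable terminal."""
    env = dict(os.environ)
    env["GPG_TTY"] = gpg_tty
    return env


if __name__ == "__main__":
    tty = os.environ.get("GPG_TTY") or os.ttyname(sys.stdin.fileno())
    place_on_fd(bind_listening_socket(SOCKET_PATH), 3)
    os.execvpe(GPG_AGENT_CMD[0], GPG_AGENT_CMD, supervised_env(tty))
```

A runit run script would then simply `exec` this helper (optionally under `chpst -e` to supply GPG_TTY); as noted in the thread, `--supervised` is deprecated from GnuPG 2.3.6 onward, so this only applies to versions that still accept it.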


* Re: gpg-agent runit run script
  2022-09-26 17:04 ` Alyssa Ross
@ 2022-09-29  9:20   ` João
  2022-09-29  9:23     ` Ellenor Bjornsdottir
  0 siblings, 1 reply; 10+ messages in thread
From: João @ 2022-09-29  9:20 UTC (permalink / raw)
  To: Alyssa Ross; +Cc: supervision

Hello Alyssa,

On Mon, Sep 26, 2022 at 05:04:08PM +0000, Alyssa Ross wrote:
> Not an answer to your question, but you might be interested to know
> before you spend too much time on it that GnuPG is removing support for
> running gpg-agent supervised:
> 
> https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e

Thank you for the heads up. This seems like a deliberate regression, and it is a
pity.
Would this make it impossible to supervise gpg-agent, or would there be a way
around it?

Best regards,
João


* Re: gpg-agent runit run script
  2022-09-29  9:20   ` João
@ 2022-09-29  9:23     ` Ellenor Bjornsdottir
  0 siblings, 0 replies; 10+ messages in thread
From: Ellenor Bjornsdottir @ 2022-09-29  9:23 UTC (permalink / raw)
  To: supervision, phlogiston, hi

I'd have to assume that it would be achievable by patching the support 
back in, but at that point you are effectively maintaining your own fork 
of GPG-Agent.

On 9/29/22 09:20, João wrote:
> Hello Alyssa,
>
> On Mon, Sep 26, 2022 at 05:04:08PM +0000, Alyssa Ross wrote:
>> Not an answer to your question, but you might be interested to know
>> before you spend too much time on it that GnuPG is removing support for
>> running gpg-agent supervised:
>>
>> https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e
> Thank you for the heads up. This seems like a deliberate regression, and it is a
> pity.
> Would this make it impossible to supervise gpg-agent, or would there be a way
> around it?
>
> Best regards,
> João

-- 
Ellenor Agnes Bjornsdottir (she)
sysadmin umbrellix.net
jabber: ellenor ~on~ umbrellix.net



* Re: gpg-agent runit run script
  2022-09-28 18:46 ` Guillermo
@ 2022-09-29  9:37   ` João Pedro Malhado
  2022-09-29 12:12     ` Alexis
  0 siblings, 1 reply; 10+ messages in thread
From: João Pedro Malhado @ 2022-09-29  9:37 UTC (permalink / raw)
  To: Guillermo; +Cc: Supervision

Hello Guillermo,

On Wed, Sep 28, 2022 at 03:46:01PM -0300, Guillermo wrote:
> On Tue, 20 Sep 2022 at 18:51, João wrote:
> >
> > I would like to have gpg-agent running under runit supervision on a user
> > runsvdir, but I have been unable to write a run script that works.
> > Would anyone have an example run script for gpg-agent, or be able to offer any
> > pointers?
> 
> As already suggested, gpg-agent's --supervised command is probably the
> closest thing that would do what you want, but in that case, gpg-agent
> will:
> 
> * expect to have a properly set up environment, which runit's 'chpst
> -e' could do. This includes variable GPG_TTY, which should contain the
> name of a valid terminal that the supervision tree would have to make
> available.
> * expect to receive a bound and listening UNIX domain socket as file
> descriptor 3, which runit tools alone can't do (but
> s6-ipcserver-socketbinder from s6 can).

Thank you for this. It is this latter aspect of setting up the sockets which I'm
struggling with. You mention that s6 tools can do this. Would I be right to
presume this could be set up in the runit run script in some other way without
s6?
The Void linux manual shows gpg-agent running as an example, but they don't show
the run script, so I don't know how they set it up.
https://docs.voidlinux.org/config/services/user-services.html

Any examples or pointers would be appreciated.


> Then, also as already mentioned, this command has been deprecated
> since GnuPG 2.3.6, so, in my opinion, it's better to just have
> gpg-agent started by other GnuPG programs, as the manual says.
> 

This is a pity as gpg-agent is a long running process which is the sort of thing
you would want to run under supervision.
I guess it is not possible to supervise a process if the rebel thing does not
want to be supervised?

Best regards,
João


* Re: gpg-agent runit run script
  2022-09-29  9:37   ` João Pedro Malhado
@ 2022-09-29 12:12     ` Alexis
  2022-09-29 21:56       ` Guillermo
  2022-09-30  9:06       ` João
  0 siblings, 2 replies; 10+ messages in thread
From: Alexis @ 2022-09-29 12:12 UTC (permalink / raw)
  To: João Pedro Malhado; +Cc: Guillermo, supervision


João Pedro Malhado <phlogiston@sapo.pt> writes:

> The Void linux manual shows gpg-agent running as an example, but they
> don't show the run script, so I don't know how they set it up.
> https://docs.voidlinux.org/config/services/user-services.html

Duncaen's run script for gpg-agent is here:

https://github.com/Duncaen/dotfiles/blob/master/sv/gpg-agent/run

It's actually an execline script that makes use of 
s6-ipcserver-socketbinder. Also note that the script calls 
gpg-agent with `--supervise`.

> This is a pity as gpg-agent is a long running process which is the
> sort of thing you would want to run under supervision.

Well, the typical reason we want to run something under 
supervision is to ensure it's up, because (a) there are processes 
relying on it being up, and (b) those processes aren't themselves 
able to start the relevant process. But this isn't the case with 
gpg-agent: the main programs that utilise it know how to start it 
themselves if necessary, so it doesn't matter if a gpg-agent 
process exits abnormally, as a new one will get created when 
required.


Alexis.


* Re: gpg-agent runit run script
  2022-09-29 12:12     ` Alexis
@ 2022-09-29 21:56       ` Guillermo
  2022-09-30  2:00         ` Alexis
  2022-09-30  9:06       ` João
  1 sibling, 1 reply; 10+ messages in thread
From: Guillermo @ 2022-09-29 21:56 UTC (permalink / raw)
  To: supervision

On Thu, 29 Sep 2022 at 9:22, Alexis wrote:
>
> João Pedro Malhado writes:
>
> > The Void linux manual shows gpg-agent running as an example, but they
> > don't show the run script, so I don't know how they set it up.
> > https://docs.voidlinux.org/config/services/user-services.html
>
> Duncaen's run script for gpg-agent is here:
>
> https://github.com/Duncaen/dotfiles/blob/master/sv/gpg-agent/run

The combination of Duncaen's run script, and the Void Handbook's
example /etc/sv/runsvdir-<username>/run script, at least if used
verbatim, does not appear to set up GPG_TTY.  gpg-agent might start,
but I'm not sure if things will work well if, e.g., it wants to run
the pinentry program...

G.


* Re: gpg-agent runit run script
  2022-09-29 21:56       ` Guillermo
@ 2022-09-30  2:00         ` Alexis
  0 siblings, 0 replies; 10+ messages in thread
From: Alexis @ 2022-09-30  2:00 UTC (permalink / raw)
  To: Guillermo; +Cc: supervision


Guillermo <gdiazhartusch@gmail.com> writes:

> The combination of Duncaen's run script, and the Void Handbook's
> example /etc/sv/runsvdir-<username>/run script, at least if used
> verbatim, does not appear to set up GPG_TTY.  gpg-agent might start,
> but I'm not sure if things will work well if, e.g., it wants to run
> the pinentry program...

Yeah. Trying to get a program to run in ways it's not intended to 
be run can get complex at the best of times, but i'd be 
particularly wary of trying to do so with a program that's 
security infrastructure; i'd worry about accidentally creating 
vulnerabilities not present when the program is used in the 
intended manner.


Alexis.


* Re: gpg-agent runit run script
  2022-09-29 12:12     ` Alexis
  2022-09-29 21:56       ` Guillermo
@ 2022-09-30  9:06       ` João
  1 sibling, 0 replies; 10+ messages in thread
From: João @ 2022-09-30  9:06 UTC (permalink / raw)
  To: Alexis; +Cc: supervision

Hello Alexis,

On Thu, Sep 29, 2022 at 10:12:49PM +1000, Alexis wrote:
> João <phlogiston@sapo.pt> writes:
> 
> > The Void linux manual shows gpg-agent running as an example, but they
> > don't show
> > the run script, so I don't know how they set it up.
> > https://docs.voidlinux.org/config/services/user-services.html
> 
> Duncaen's run script for gpg-agent is here:
> 
> https://github.com/Duncaen/dotfiles/blob/master/sv/gpg-agent/run
> 
> It's actually an execline script that makes use of
> s6-ipcserver-socketbinder. Also note that the script calls gpg-agent with
> `--supervise`.

Thank you for this. It is helpful to look at an example.

> > This is a pity as gpg-agent is a long running process which is the
> > sort of thing
> > you would want to run under supervision.
> 
> Well, the typical reason we want to run something under supervision is to
> ensure it's up, because (a) there are processes relying on it being up, and
> (b) those processes aren't themselves able to start the relevant process.
> But this isn't the case with gpg-agent: the main programs that utilise it
> know how to start it themselves if necessary, so it doesn't matter if a
> gpg-agent process exits abnormally, as a new one will get created when
> required.

You have a point. But I guess you still lose a common consistent way of
checking the status and controlling the processes in your system.

Best regards,
João

