Commit | Line | Data |
---|---|---|
db4fdc04 | 1 | ;;; GNU Guix --- Functional package management for GNU |
4a4dd5d8 | 2 | ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org> |
5eca9459 | 3 | ;;; Copyright © 2015 Alex Kost <alezost@gmail.com> |
4307c476 | 4 | ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org> |
db4fdc04 LC |
5 | ;;; |
6 | ;;; This file is part of GNU Guix. | |
7 | ;;; | |
8 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
9 | ;;; under the terms of the GNU General Public License as published by | |
10 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
11 | ;;; your option) any later version. | |
12 | ;;; | |
13 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
14 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | ;;; GNU General Public License for more details. | |
17 | ;;; | |
18 | ;;; You should have received a copy of the GNU General Public License | |
19 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
20 | ||
21 | (define-module (gnu services base) | |
e87f0591 | 22 | #:use-module (guix store) |
db4fdc04 | 23 | #:use-module (gnu services) |
4a3b3b07 | 24 | #:use-module (gnu services networking) |
db4fdc04 LC |
25 | #:use-module (gnu system shadow) ; 'user-account', etc. |
26 | #:use-module (gnu system linux) ; 'pam-service', etc. | |
27 | #:use-module (gnu packages admin) | |
151a2c07 | 28 | #:use-module ((gnu packages linux) |
68ac258b | 29 | #:select (eudev kbd e2fsprogs lvm2 fuse alsa-utils crda)) |
db4fdc04 | 30 | #:use-module ((gnu packages base) |
bdb36958 | 31 | #:select (canonical-package glibc)) |
db4fdc04 | 32 | #:use-module (gnu packages package-management) |
2d1d2dd8 LC |
33 | #:use-module (gnu packages lsh) |
34 | #:use-module (gnu packages lsof) | |
e2f4b305 | 35 | #:use-module ((gnu build file-systems) |
2c071ce9 | 36 | #:select (mount-flags->bit-mask)) |
b5f4e686 | 37 | #:use-module (guix gexp) |
6454b333 | 38 | #:use-module (guix records) |
db4fdc04 LC |
39 | #:use-module (srfi srfi-1) |
40 | #:use-module (srfi srfi-26) | |
6454b333 | 41 | #:use-module (ice-9 match) |
db4fdc04 | 42 | #:use-module (ice-9 format) |
a00dd9fb | 43 | #:export (root-file-system-service |
023f391c | 44 | file-system-service |
d6e2a622 | 45 | user-unmount-service |
5dae0186 | 46 | device-mapping-service |
2a13d05e | 47 | swap-service |
a00dd9fb LC |
48 | user-processes-service |
49 | host-name-service | |
5eca9459 | 50 | console-keymap-service |
62ca0fdf | 51 | console-font-service |
151a2c07 | 52 | udev-service |
66e4f01c LC |
53 | |
54 | mingetty-configuration | |
55 | mingetty-configuration? | |
db4fdc04 | 56 | mingetty-service |
6454b333 LC |
57 | |
58 | %nscd-default-caches | |
59 | %nscd-default-configuration | |
60 | ||
61 | nscd-configuration | |
62 | nscd-configuration? | |
63 | ||
64 | nscd-cache | |
65 | nscd-cache? | |
66 | ||
db4fdc04 LC |
67 | nscd-service |
68 | syslog-service | |
8b198abe LC |
69 | guix-service |
70 | %base-services)) | |
db4fdc04 LC |
71 | |
72 | ;;; Commentary: | |
73 | ;;; | |
74 | ;;; Base system services---i.e., services that 99% of the users will want to | |
75 | ;;; use. | |
76 | ;;; | |
77 | ;;; Code: | |
78 | ||
a00dd9fb LC |
79 | (define (root-file-system-service) |
80 | "Return a service whose sole purpose is to re-mount read-only the root file | |
81 | system upon shutdown (aka. cleanly \"umounting\" root.) | |
82 | ||
83 | This service must be the root of the service dependency graph so that its | |
84 | 'stop' action is invoked when dmd is the only process left." | |
be1c2c54 LC |
85 | (service |
86 | (documentation "Take care of the root file system.") | |
87 | (provision '(root-file-system)) | |
88 | (start #~(const #t)) | |
89 | (stop #~(lambda _ | |
90 | ;; Return #f if successfully stopped. | |
91 | (sync) | |
92 | ||
93 | (call-with-blocked-asyncs | |
94 | (lambda () | |
95 | (let ((null (%make-void-port "w"))) | |
96 | ;; Close 'dmd.log'. | |
97 | (display "closing log\n") | |
98 | ;; XXX: Ideally we'd use 'stop-logging', but that one | |
99 | ;; doesn't actually close the port as of dmd 0.1. | |
100 | (close-port (@@ (dmd comm) log-output-port)) | |
101 | (set! (@@ (dmd comm) log-output-port) null) | |
102 | ||
103 | ;; Redirect the default output ports.. | |
104 | (set-current-output-port null) | |
105 | (set-current-error-port null) | |
106 | ||
107 | ;; Close /dev/console. | |
108 | (for-each close-fdes '(0 1 2)) | |
109 | ||
110 | ;; At this point, there are no open files left, so the | |
111 | ;; root file system can be re-mounted read-only. | |
112 | (mount #f "/" #f | |
113 | (logior MS_REMOUNT MS_RDONLY) | |
114 | #:update-mtab? #f) | |
115 | ||
116 | #f))))) | |
117 | (respawn? #f))) | |
a00dd9fb | 118 | |
023f391c | 119 | (define* (file-system-service device target type |
2c071ce9 | 120 | #:key (flags '()) (check? #t) |
5dae0186 LC |
121 | create-mount-point? options (title 'any) |
122 | (requirements '())) | |
023f391c | 123 | "Return a service that mounts DEVICE on TARGET as a file system TYPE with |
d4c87617 LC |
124 | OPTIONS. TITLE is a symbol specifying what kind of name DEVICE is: 'label for |
125 | a partition label, 'device for a device file name, or 'any. When CHECK? is | |
4e469051 | 126 | true, check the file system before mounting it. When CREATE-MOUNT-POINT? is |
2c071ce9 | 127 | true, create TARGET if it does not exist yet. FLAGS is a list of symbols, |
5dae0186 LC |
128 | such as 'read-only' etc. Optionally, REQUIREMENTS may be a list of service |
129 | names such as device-mapping services." | |
be1c2c54 LC |
130 | (service |
131 | (provision (list (symbol-append 'file-system- (string->symbol target)))) | |
132 | (requirement `(root-file-system ,@requirements)) | |
133 | (documentation "Check, mount, and unmount the given file system.") | |
134 | (start #~(lambda args | |
135 | ;; FIXME: Use or factorize with 'mount-file-system'. | |
136 | (let ((device (canonicalize-device-spec #$device '#$title)) | |
137 | (flags #$(mount-flags->bit-mask flags))) | |
138 | #$(if create-mount-point? | |
139 | #~(mkdir-p #$target) | |
140 | #~#t) | |
141 | #$(if check? | |
142 | #~(begin | |
143 | ;; Make sure fsck.ext2 & co. can be found. | |
144 | (setenv "PATH" | |
145 | (string-append | |
146 | #$e2fsprogs "/sbin:" | |
147 | "/run/current-system/profile/sbin:" | |
148 | (getenv "PATH"))) | |
149 | (check-file-system device #$type)) | |
150 | #~#t) | |
151 | ||
152 | (mount device #$target #$type flags #$options) | |
153 | ||
154 | ;; For read-only bind mounts, an extra remount is needed, | |
155 | ;; as per <http://lwn.net/Articles/281157/>, which still | |
156 | ;; applies to Linux 4.0. | |
157 | (when (and (= MS_BIND (logand flags MS_BIND)) | |
158 | (= MS_RDONLY (logand flags MS_RDONLY))) | |
159 | (mount device #$target #$type | |
160 | (logior MS_BIND MS_REMOUNT MS_RDONLY)))) | |
161 | #t)) | |
162 | (stop #~(lambda args | |
163 | ;; Normally there are no processes left at this point, so | |
164 | ;; TARGET can be safely unmounted. | |
165 | ||
166 | ;; Make sure PID 1 doesn't keep TARGET busy. | |
167 | (chdir "/") | |
168 | ||
169 | (umount #$target) | |
170 | #f)))) | |
023f391c | 171 | |
d6e2a622 LC |
172 | (define (user-unmount-service known-mount-points) |
173 | "Return a service whose sole purpose is to unmount file systems not listed | |
174 | in KNOWN-MOUNT-POINTS when it is stopped." | |
be1c2c54 LC |
175 | (service |
176 | (documentation "Unmount manually-mounted file systems.") | |
177 | (provision '(user-unmount)) | |
178 | (start #~(const #t)) | |
179 | (stop #~(lambda args | |
180 | (define (known? mount-point) | |
181 | (member mount-point | |
182 | (cons* "/proc" "/sys" | |
183 | '#$known-mount-points))) | |
184 | ||
185 | ;; Make sure we don't keep the user's mount points busy. | |
186 | (chdir "/") | |
187 | ||
188 | (for-each (lambda (mount-point) | |
189 | (format #t "unmounting '~a'...~%" mount-point) | |
190 | (catch 'system-error | |
191 | (lambda () | |
192 | (umount mount-point)) | |
193 | (lambda args | |
194 | (let ((errno (system-error-errno args))) | |
195 | (format #t "failed to unmount '~a': ~a~%" | |
196 | mount-point (strerror errno)))))) | |
197 | (filter (negate known?) (mount-points))) | |
198 | #f)))) | |
d6e2a622 | 199 | |
7d57cfd3 LC |
200 | (define %do-not-kill-file |
201 | ;; Name of the file listing PIDs of processes that must survive when halting | |
202 | ;; the system. Typical example is user-space file systems. | |
203 | "/etc/dmd/do-not-kill") | |
204 | ||
7bed4df4 | 205 | (define* (user-processes-service requirements #:key (grace-delay 4)) |
a00dd9fb LC |
206 | "Return the service that is responsible for terminating all the processes so |
207 | that the root file system can be re-mounted read-only, just before | |
208 | rebooting/halting. Processes still running GRACE-DELAY seconds after SIGTERM | |
209 | has been sent are terminated with SIGKILL. | |
210 | ||
023f391c LC |
211 | The returned service will depend on 'root-file-system' and on all the services |
212 | listed in REQUIREMENTS. | |
213 | ||
a00dd9fb LC |
214 | All the services that spawn processes must depend on this one so that they are |
215 | stopped before 'kill' is called." | |
be1c2c54 LC |
216 | (service |
217 | (documentation "When stopped, terminate all user processes.") | |
218 | (provision '(user-processes)) | |
219 | (requirement (cons 'root-file-system requirements)) | |
220 | (start #~(const #t)) | |
221 | (stop #~(lambda _ | |
222 | (define (kill-except omit signal) | |
223 | ;; Kill all the processes with SIGNAL except those | |
224 | ;; listed in OMIT and the current process. | |
225 | (let ((omit (cons (getpid) omit))) | |
226 | (for-each (lambda (pid) | |
227 | (unless (memv pid omit) | |
228 | (false-if-exception | |
229 | (kill pid signal)))) | |
230 | (processes)))) | |
231 | ||
232 | (define omitted-pids | |
233 | ;; List of PIDs that must not be killed. | |
234 | (if (file-exists? #$%do-not-kill-file) | |
235 | (map string->number | |
236 | (call-with-input-file #$%do-not-kill-file | |
237 | (compose string-tokenize | |
238 | (@ (ice-9 rdelim) read-string)))) | |
239 | '())) | |
240 | ||
241 | (define (now) | |
242 | (car (gettimeofday))) | |
243 | ||
244 | (define (sleep* n) | |
245 | ;; Really sleep N seconds. | |
246 | ;; Work around <http://bugs.gnu.org/19581>. | |
247 | (define start (now)) | |
248 | (let loop ((elapsed 0)) | |
249 | (when (> n elapsed) | |
250 | (sleep (- n elapsed)) | |
251 | (loop (- (now) start))))) | |
252 | ||
253 | (define lset= (@ (srfi srfi-1) lset=)) | |
254 | ||
255 | (display "sending all processes the TERM signal\n") | |
256 | ||
257 | (if (null? omitted-pids) | |
258 | (begin | |
259 | ;; Easy: terminate all of them. | |
260 | (kill -1 SIGTERM) | |
261 | (sleep* #$grace-delay) | |
262 | (kill -1 SIGKILL)) | |
263 | (begin | |
264 | ;; Kill them all except OMITTED-PIDS. XXX: We | |
265 | ;; would like to (kill -1 SIGSTOP) to get a fixed | |
266 | ;; list of processes, like 'killall5' does, but | |
267 | ;; that seems unreliable. | |
268 | (kill-except omitted-pids SIGTERM) | |
269 | (sleep* #$grace-delay) | |
270 | (kill-except omitted-pids SIGKILL) | |
271 | (delete-file #$%do-not-kill-file))) | |
272 | ||
273 | (let wait () | |
274 | (let ((pids (processes))) | |
275 | (unless (lset= = pids (cons 1 omitted-pids)) | |
276 | (format #t "waiting for process termination\ | |
d656c14e | 277 | (processes left: ~s)~%" |
be1c2c54 LC |
278 | pids) |
279 | (sleep* 2) | |
280 | (wait)))) | |
d656c14e | 281 | |
be1c2c54 LC |
282 | (display "all processes have been terminated\n") |
283 | #f)) | |
284 | (respawn? #f))) | |
a00dd9fb | 285 | |
db4fdc04 | 286 | (define (host-name-service name) |
51da7ca0 | 287 | "Return a service that sets the host name to @var{name}." |
be1c2c54 LC |
288 | (service |
289 | (documentation "Initialize the machine's host name.") | |
290 | (provision '(host-name)) | |
291 | (start #~(lambda _ | |
292 | (sethostname #$name))) | |
293 | (respawn? #f))) | |
db4fdc04 | 294 | |
62ca0fdf LC |
295 | (define (unicode-start tty) |
296 | "Return a gexp to start Unicode support on @var{tty}." | |
297 | ||
298 | ;; We have to run 'unicode_start' in a pipe so that when it invokes the | |
299 | ;; 'tty' command, that command returns TTY. | |
300 | #~(begin | |
301 | (let ((pid (primitive-fork))) | |
302 | (case pid | |
303 | ((0) | |
304 | (close-fdes 0) | |
305 | (dup2 (open-fdes #$tty O_RDONLY) 0) | |
306 | (close-fdes 1) | |
307 | (dup2 (open-fdes #$tty O_WRONLY) 1) | |
308 | (execl (string-append #$kbd "/bin/unicode_start") | |
309 | "unicode_start")) | |
310 | (else | |
311 | (zero? (cdr (waitpid pid)))))))) | |
312 | ||
5eca9459 AK |
313 | (define (console-keymap-service file) |
314 | "Return a service to load console keymap from @var{file}." | |
be1c2c54 LC |
315 | (service |
316 | (documentation (string-append "Load console keymap (loadkeys).")) | |
317 | (provision '(console-keymap)) | |
318 | (start #~(lambda _ | |
319 | (zero? (system* (string-append #$kbd "/bin/loadkeys") | |
320 | #$file)))) | |
321 | (respawn? #f))) | |
5eca9459 | 322 | |
62ca0fdf LC |
323 | (define* (console-font-service tty #:optional (font "LatGrkCyr-8x16")) |
324 | "Return a service that sets up Unicode support in @var{tty} and loads | |
325 | @var{font} for that tty (fonts are per virtual console in Linux.)" | |
326 | ;; Note: 'LatGrkCyr-8x16' has the advantage of providing three common | |
327 | ;; scripts as well as glyphs for em dash, quotation marks, and other Unicode | |
328 | ;; codepoints notably found in the UTF-8 manual. | |
329 | (let ((device (string-append "/dev/" tty))) | |
be1c2c54 LC |
330 | (service |
331 | (documentation "Load a Unicode console font.") | |
332 | (provision (list (symbol-append 'console-font- | |
333 | (string->symbol tty)))) | |
334 | ||
335 | ;; Start after mingetty has been started on TTY, otherwise the | |
336 | ;; settings are ignored. | |
337 | (requirement (list (symbol-append 'term- | |
338 | (string->symbol tty)))) | |
339 | ||
340 | (start #~(lambda _ | |
341 | (and #$(unicode-start device) | |
342 | (zero? | |
343 | (system* (string-append #$kbd "/bin/setfont") | |
344 | "-C" #$device #$font))))) | |
345 | (stop #~(const #t)) | |
346 | (respawn? #f)))) | |
62ca0fdf | 347 | |
66e4f01c LC |
348 | (define-record-type* <mingetty-configuration> |
349 | mingetty-configuration make-mingetty-configuration | |
350 | mingetty-configuration? | |
351 | (mingetty mingetty-configuration-mingetty ;<package> | |
352 | (default mingetty)) | |
353 | (tty mingetty-configuration-tty) ;string | |
354 | (motd mingetty-configuration-motd ;file-like | |
355 | (default (plain-file "motd" "Welcome.\n"))) | |
356 | (auto-login mingetty-auto-login ;string | #f | |
357 | (default #f)) | |
358 | (login-program mingetty-login-program ;gexp | |
359 | (default #f)) | |
360 | (login-pause? mingetty-login-pause? ;Boolean | |
361 | (default #f)) | |
362 | ||
363 | ;; Allow empty passwords by default so that first-time users can log in when | |
364 | ;; the 'root' account has just been created. | |
365 | (allow-empty-passwords? mingetty-configuration-allow-empty-passwords? | |
366 | (default #t))) ;Boolean | |
367 | ||
368 | (define* (mingetty-service config) | |
369 | "Return a service to run mingetty according to @var{config}, a | |
370 | @code{<mingetty-configuration>} object, which specifies the tty to run, among | |
371 | other things." | |
372 | (match config | |
373 | (($ <mingetty-configuration> mingetty tty motd auto-login login-program | |
374 | login-pause? allow-empty-passwords?) | |
375 | (service | |
376 | (documentation "Run mingetty on an tty.") | |
377 | (provision (list (symbol-append 'term- (string->symbol tty)))) | |
378 | ||
379 | ;; Since the login prompt shows the host name, wait for the 'host-name' | |
380 | ;; service to be done. Also wait for udev essentially so that the tty | |
381 | ;; text is not lost in the middle of kernel messages (XXX). | |
382 | (requirement '(user-processes host-name udev)) | |
383 | ||
384 | (start #~(make-forkexec-constructor | |
385 | (list (string-append #$mingetty "/sbin/mingetty") | |
386 | "--noclear" #$tty | |
387 | #$@(if auto-login | |
388 | #~("--autologin" #$auto-login) | |
389 | #~()) | |
390 | #$@(if login-program | |
391 | #~("--loginprog" #$login-program) | |
392 | #~()) | |
393 | #$@(if login-pause? | |
394 | #~("--loginpause") | |
395 | #~())))) | |
396 | (stop #~(make-kill-destructor)) | |
397 | ||
398 | (pam-services | |
399 | ;; Let 'login' be known to PAM. All the mingetty services will have | |
400 | ;; that PAM service, but that's fine because they're all identical and | |
401 | ;; duplicates are removed. | |
402 | (list (unix-pam-service "login" | |
403 | #:allow-empty-passwords? allow-empty-passwords? | |
404 | #:motd motd))))))) | |
db4fdc04 | 405 | |
6454b333 LC |
406 | (define-record-type* <nscd-configuration> nscd-configuration |
407 | make-nscd-configuration | |
408 | nscd-configuration? | |
409 | (log-file nscd-configuration-log-file ;string | |
410 | (default "/var/log/nscd.log")) | |
411 | (debug-level nscd-debug-level ;integer | |
412 | (default 0)) | |
413 | ;; TODO: See nscd.conf in glibc for other options to add. | |
414 | (caches nscd-configuration-caches ;list of <nscd-cache> | |
b893f1ae LC |
415 | (default %nscd-default-caches)) |
416 | (name-services nscd-configuration-name-services ;list of <packages> | |
417 | (default '())) | |
418 | (glibc nscd-configuration-glibc ;<package> | |
419 | (default (canonical-package glibc)))) | |
6454b333 LC |
420 | |
421 | (define-record-type* <nscd-cache> nscd-cache make-nscd-cache | |
422 | nscd-cache? | |
423 | (database nscd-cache-database) ;symbol | |
424 | (positive-time-to-live nscd-cache-positive-time-to-live) ;integer | |
425 | (negative-time-to-live nscd-cache-negative-time-to-live | |
426 | (default 20)) ;integer | |
427 | (suggested-size nscd-cache-suggested-size ;integer ("default module | |
428 | ;of hash table") | |
429 | (default 211)) | |
430 | (check-files? nscd-cache-check-files? ;Boolean | |
431 | (default #t)) | |
432 | (persistent? nscd-cache-persistent? ;Boolean | |
433 | (default #t)) | |
434 | (shared? nscd-cache-shared? ;Boolean | |
435 | (default #t)) | |
436 | (max-database-size nscd-cache-max-database-size ;integer | |
437 | (default (* 32 (expt 2 20)))) | |
438 | (auto-propagate? nscd-cache-auto-propagate? ;Boolean | |
439 | (default #t))) | |
440 | ||
441 | (define %nscd-default-caches | |
442 | ;; Caches that we want to enable by default. Note that when providing an | |
443 | ;; empty nscd.conf, all caches are disabled. | |
444 | (list (nscd-cache (database 'hosts) | |
445 | ||
446 | ;; Aggressively cache the host name cache to improve | |
447 | ;; privacy and resilience. | |
448 | (positive-time-to-live (* 3600 12)) | |
449 | (negative-time-to-live 20) | |
450 | (persistent? #t)) | |
451 | ||
452 | (nscd-cache (database 'services) | |
453 | ||
454 | ;; Services are unlikely to change, so we can be even more | |
455 | ;; aggressive. | |
456 | (positive-time-to-live (* 3600 24)) | |
457 | (negative-time-to-live 3600) | |
458 | (check-files? #t) ;check /etc/services changes | |
459 | (persistent? #t)))) | |
460 | ||
461 | (define %nscd-default-configuration | |
462 | ;; Default nscd configuration. | |
463 | (nscd-configuration)) | |
464 | ||
465 | (define (nscd.conf-file config) | |
466 | "Return the @file{nscd.conf} configuration file for @var{config}, an | |
467 | @code{<nscd-configuration>} object." | |
468 | (define cache->config | |
469 | (match-lambda | |
be1c2c54 LC |
470 | (($ <nscd-cache> (= symbol->string database) |
471 | positive-ttl negative-ttl size check-files? | |
472 | persistent? shared? max-size propagate?) | |
473 | (string-append "\nenable-cache\t" database "\tyes\n" | |
474 | ||
475 | "positive-time-to-live\t" database "\t" | |
476 | (number->string positive-ttl) "\n" | |
477 | "negative-time-to-live\t" database "\t" | |
478 | (number->string negative-ttl) "\n" | |
479 | "suggested-size\t" database "\t" | |
480 | (number->string size) "\n" | |
481 | "check-files\t" database "\t" | |
482 | (if check-files? "yes\n" "no\n") | |
483 | "persistent\t" database "\t" | |
484 | (if persistent? "yes\n" "no\n") | |
485 | "shared\t" database "\t" | |
486 | (if shared? "yes\n" "no\n") | |
487 | "max-db-size\t" database "\t" | |
488 | (number->string max-size) "\n" | |
489 | "auto-propagate\t" database "\t" | |
490 | (if propagate? "yes\n" "no\n"))))) | |
6454b333 LC |
491 | |
492 | (match config | |
493 | (($ <nscd-configuration> log-file debug-level caches) | |
be1c2c54 LC |
494 | (plain-file "nscd.conf" |
495 | (string-append "\ | |
6454b333 | 496 | # Configuration of libc's name service cache daemon (nscd).\n\n" |
be1c2c54 LC |
497 | (if log-file |
498 | (string-append "logfile\t" log-file) | |
499 | "") | |
500 | "\n" | |
501 | (if debug-level | |
502 | (string-append "debug-level\t" | |
503 | (number->string debug-level)) | |
504 | "") | |
505 | "\n" | |
506 | (string-concatenate | |
507 | (map cache->config caches))))))) | |
6454b333 | 508 | |
b893f1ae | 509 | (define* (nscd-service #:optional (config %nscd-default-configuration)) |
6454b333 | 510 | "Return a service that runs libc's name service cache daemon (nscd) with the |
b893f1ae LC |
511 | given @var{config}---an @code{<nscd-configuration>} object. @xref{Name |
512 | Service Switch}, for an example." | |
be1c2c54 LC |
513 | (let ((nscd.conf (nscd.conf-file config))) |
514 | (service | |
515 | (documentation "Run libc's name service cache daemon (nscd).") | |
516 | (provision '(nscd)) | |
517 | (requirement '(user-processes)) | |
518 | ||
519 | (activate #~(begin | |
520 | (use-modules (guix build utils)) | |
521 | (mkdir-p "/var/run/nscd") | |
522 | (mkdir-p "/var/db/nscd"))) ;for the persistent cache | |
523 | ||
524 | (start #~(make-forkexec-constructor | |
b893f1ae LC |
525 | (list (string-append #$(nscd-configuration-glibc config) |
526 | "/sbin/nscd") | |
be1c2c54 LC |
527 | "-f" #$nscd.conf "--foreground") |
528 | ||
529 | #:environment-variables | |
530 | (list (string-append "LD_LIBRARY_PATH=" | |
531 | (string-join | |
532 | (map (lambda (dir) | |
533 | (string-append dir "/lib")) | |
b893f1ae LC |
534 | (list |
535 | #$@(nscd-configuration-name-services | |
536 | config))) | |
be1c2c54 LC |
537 | ":"))))) |
538 | (stop #~(make-kill-destructor)) | |
539 | ||
540 | (respawn? #f)))) | |
541 | ||
542 | ;; Snippet adapted from the GNU inetutils manual. | |
543 | (define %default-syslog.conf | |
544 | (plain-file "syslog.conf" " | |
1f3fc60d | 545 | # Log all error messages, authentication messages of |
db4fdc04 LC |
546 | # level notice or higher and anything of level err or |
547 | # higher to the console. | |
548 | # Don't log private authentication messages! | |
6a191274 | 549 | *.alert;auth.notice;authpriv.none /dev/console |
db4fdc04 LC |
550 | |
551 | # Log anything (except mail) of level info or higher. | |
552 | # Don't log private authentication messages! | |
553 | *.info;mail.none;authpriv.none /var/log/messages | |
554 | ||
555 | # Same, in a different place. | |
556 | *.info;mail.none;authpriv.none /dev/tty12 | |
557 | ||
558 | # The authpriv file has restricted access. | |
559 | authpriv.* /var/log/secure | |
560 | ||
561 | # Log all the mail messages in one place. | |
562 | mail.* /var/log/maillog | |
be1c2c54 LC |
563 | ")) |
564 | (define* (syslog-service #:key (config-file %default-syslog.conf)) | |
565 | "Return a service that runs @code{syslogd}. | |
566 | If configuration file name @var{config-file} is not specified, use some | |
567 | reasonable default settings." | |
568 | (service | |
569 | (documentation "Run the syslog daemon (syslogd).") | |
570 | (provision '(syslogd)) | |
571 | (requirement '(user-processes)) | |
572 | (start #~(make-forkexec-constructor | |
573 | (list (string-append #$inetutils "/libexec/syslogd") | |
574 | "--no-detach" "--rcfile" #$config-file))) | |
575 | (stop #~(make-kill-destructor)))) | |
db4fdc04 LC |
576 | |
577 | (define* (guix-build-accounts count #:key | |
ab6a279a | 578 | (group "guixbuild") |
db4fdc04 | 579 | (first-uid 30001) |
db4fdc04 LC |
580 | (shadow shadow)) |
581 | "Return a list of COUNT user accounts for Guix build users, with UIDs | |
582 | starting at FIRST-UID, and under GID." | |
5250a4f2 LC |
583 | (unfold (cut > <> count) |
584 | (lambda (n) | |
585 | (user-account | |
586 | (name (format #f "guixbuilder~2,'0d" n)) | |
587 | (system? #t) | |
588 | (uid (+ first-uid n -1)) | |
589 | (group group) | |
590 | ||
591 | ;; guix-daemon expects GROUP to be listed as a | |
592 | ;; supplementary group too: | |
593 | ;; <http://lists.gnu.org/archive/html/bug-guix/2013-01/msg00239.html>. | |
594 | (supplementary-groups (list group "kvm")) | |
595 | ||
596 | (comment (format #f "Guix Build User ~2d" n)) | |
597 | (home-directory "/var/empty") | |
598 | (shell #~(string-append #$shadow "/sbin/nologin")))) | |
599 | 1+ | |
600 | 1)) | |
db4fdc04 | 601 | |
2c5c696c LC |
602 | (define (hydra-key-authorization guix) |
603 | "Return a gexp with code to register the hydra.gnu.org public key with | |
604 | GUIX." | |
605 | #~(unless (file-exists? "/etc/guix/acl") | |
606 | (let ((pid (primitive-fork))) | |
607 | (case pid | |
608 | ((0) | |
609 | (let* ((key (string-append #$guix | |
610 | "/share/guix/hydra.gnu.org.pub")) | |
611 | (port (open-file key "r0b"))) | |
612 | (format #t "registering public key '~a'...~%" key) | |
613 | (close-port (current-input-port)) | |
2c5c696c LC |
614 | (dup port 0) |
615 | (execl (string-append #$guix "/bin/guix") | |
616 | "guix" "archive" "--authorize") | |
617 | (exit 1))) | |
618 | (else | |
619 | (let ((status (cdr (waitpid pid)))) | |
620 | (unless (zero? status) | |
621 | (format (current-error-port) "warning: \ | |
622 | failed to register hydra.gnu.org public key: ~a~%" status)))))))) | |
623 | ||
db4fdc04 | 624 | (define* (guix-service #:key (guix guix) (builder-group "guixbuild") |
02bb6b45 | 625 | (build-accounts 10) (authorize-hydra-key? #t) |
c11a6eb1 | 626 | (use-substitutes? #t) |
2d1d2dd8 LC |
627 | (extra-options '()) |
628 | (lsof lsof) (lsh lsh)) | |
51da7ca0 LC |
629 | "Return a service that runs the build daemon from @var{guix}, and has |
630 | @var{build-accounts} user accounts available under @var{builder-group}. | |
2c5c696c | 631 | |
51da7ca0 LC |
632 | When @var{authorize-hydra-key?} is true, the @code{hydra.gnu.org} public key |
633 | provided by @var{guix} is authorized upon activation, meaning that substitutes | |
c11a6eb1 LC |
634 | from @code{hydra.gnu.org} are used by default. |
635 | ||
636 | If @var{use-substitutes?} is false, the daemon is run with | |
637 | @option{--no-substitutes} (@pxref{Invoking guix-daemon, | |
638 | @option{--no-substitutes}}). | |
639 | ||
640 | Finally, @var{extra-options} is a list of additional command-line options | |
641 | passed to @command{guix-daemon}." | |
185f6691 | 642 | (define activate |
e97c5be9 LC |
643 | ;; Assume that the store has BUILDER-GROUP as its group. We could |
644 | ;; otherwise call 'chown' here, but the problem is that on a COW unionfs, | |
645 | ;; chown leads to an entire copy of the tree, which is a bad idea. | |
185f6691 | 646 | |
e97c5be9 LC |
647 | ;; Optionally authorize hydra.gnu.org's key. |
648 | (and authorize-hydra-key? | |
649 | (hydra-key-authorization guix))) | |
185f6691 | 650 | |
be1c2c54 LC |
651 | (service |
652 | (documentation "Run the Guix daemon.") | |
653 | (provision '(guix-daemon)) | |
654 | (requirement '(user-processes)) | |
655 | (start | |
656 | #~(make-forkexec-constructor | |
657 | (list (string-append #$guix "/bin/guix-daemon") | |
658 | "--build-users-group" #$builder-group | |
659 | #$@(if use-substitutes? | |
660 | '() | |
661 | '("--no-substitutes")) | |
662 | #$@extra-options) | |
663 | ||
664 | ;; Add 'lsof' (for the GC) and 'lsh' (for offloading) to the | |
665 | ;; daemon's $PATH. | |
666 | #:environment-variables | |
667 | (list (string-append "PATH=" #$lsof "/bin:" #$lsh "/bin")))) | |
668 | (stop #~(make-kill-destructor)) | |
669 | (user-accounts (guix-build-accounts build-accounts | |
670 | #:group builder-group)) | |
671 | (user-groups (list (user-group | |
672 | (name builder-group) | |
673 | (system? #t) | |
674 | ||
675 | ;; Use a fixed GID so that we can create the | |
676 | ;; store with the right owner. | |
677 | (id 30000)))) | |
678 | (activate activate))) | |
db4fdc04 | 679 | |
ecd06ca9 LC |
680 | (define (udev-rules-union packages) |
681 | "Return the union of the @code{lib/udev/rules.d} directories found in each | |
682 | item of @var{packages}." | |
683 | (define build | |
684 | #~(begin | |
685 | (use-modules (guix build union) | |
686 | (guix build utils) | |
687 | (srfi srfi-1) | |
688 | (srfi srfi-26)) | |
689 | ||
690 | (define %standard-locations | |
691 | '("/lib/udev/rules.d" "/libexec/udev/rules.d")) | |
692 | ||
693 | (define (rules-sub-directory directory) | |
694 | ;; Return the sub-directory of DIRECTORY containing udev rules, or | |
695 | ;; #f if none was found. | |
696 | (find directory-exists? | |
697 | (map (cut string-append directory <>) %standard-locations))) | |
698 | ||
699 | (mkdir-p (string-append #$output "/lib/udev")) | |
700 | (union-build (string-append #$output "/lib/udev/rules.d") | |
701 | (filter-map rules-sub-directory '#$packages)))) | |
702 | ||
be1c2c54 LC |
703 | (computed-file "udev-rules" build |
704 | #:modules '((guix build union) | |
705 | (guix build utils)))) | |
ecd06ca9 | 706 | |
7f28bf9a LC |
707 | (define* (kvm-udev-rule) |
708 | "Return a directory with a udev rule that changes the group of | |
709 | @file{/dev/kvm} to \"kvm\" and makes it #o660." | |
710 | ;; Apparently QEMU-KVM used to ship this rule, but now we have to add it by | |
711 | ;; ourselves. | |
be1c2c54 LC |
712 | (computed-file "kvm-udev-rules" |
713 | #~(begin | |
714 | (use-modules (guix build utils)) | |
715 | ||
716 | (define rules.d | |
717 | (string-append #$output "/lib/udev/rules.d")) | |
718 | ||
719 | (mkdir-p rules.d) | |
720 | (call-with-output-file | |
721 | (string-append rules.d "/90-kvm.rules") | |
722 | (lambda (port) | |
723 | ;; Build users are part of the "kvm" group, so we | |
724 | ;; can fearlessly make /dev/kvm 660 (see | |
725 | ;; <http://bugs.gnu.org/18994>, for background.) | |
726 | (display "\ | |
64720891 | 727 | KERNEL==\"kvm\", GROUP=\"kvm\", MODE=\"0660\"\n" port)))) |
be1c2c54 | 728 | #:modules '((guix build utils)))) |
7f28bf9a | 729 | |
8a7330fd | 730 | (define* (udev-service #:key (udev eudev) (rules '())) |
ecd06ca9 LC |
731 | "Run @var{udev}, which populates the @file{/dev} directory dynamically. Get |
732 | extra rules from the packages listed in @var{rules}." | |
be1c2c54 LC |
733 | (let* ((rules (udev-rules-union (cons* udev |
734 | (kvm-udev-rule) | |
735 | rules))) | |
736 | (udev.conf (computed-file "udev.conf" | |
737 | #~(call-with-output-file #$output | |
738 | (lambda (port) | |
739 | (format port | |
740 | "udev_rules=\"~a/lib/udev/rules.d\"\n" | |
741 | #$rules)))))) | |
742 | (service | |
743 | (provision '(udev)) | |
744 | ||
745 | ;; Udev needs /dev to be a 'devtmpfs' mount so that new device nodes can | |
746 | ;; be added: see | |
747 | ;; <http://www.linuxfromscratch.org/lfs/view/development/chapter07/udev.html>. | |
748 | (requirement '(root-file-system)) | |
749 | ||
750 | (documentation "Populate the /dev directory, dynamically.") | |
751 | (start #~(lambda () | |
752 | (define find | |
753 | (@ (srfi srfi-1) find)) | |
754 | ||
755 | (define udevd | |
756 | ;; Choose the right 'udevd'. | |
757 | (find file-exists? | |
758 | (map (lambda (suffix) | |
759 | (string-append #$udev suffix)) | |
760 | '("/libexec/udev/udevd" ;udev | |
761 | "/sbin/udevd")))) ;eudev | |
762 | ||
763 | (define (wait-for-udevd) | |
764 | ;; Wait until someone's listening on udevd's control | |
765 | ;; socket. | |
766 | (let ((sock (socket AF_UNIX SOCK_SEQPACKET 0))) | |
767 | (let try () | |
768 | (catch 'system-error | |
769 | (lambda () | |
770 | (connect sock PF_UNIX "/run/udev/control") | |
771 | (close-port sock)) | |
772 | (lambda args | |
773 | (format #t "waiting for udevd...~%") | |
774 | (usleep 500000) | |
775 | (try)))))) | |
776 | ||
777 | ;; Allow udev to find the modules. | |
778 | (setenv "LINUX_MODULE_DIRECTORY" | |
779 | "/run/booted-system/kernel/lib/modules") | |
780 | ||
781 | ;; The first one is for udev, the second one for eudev. | |
782 | (setenv "UDEV_CONFIG_FILE" #$udev.conf) | |
783 | (setenv "EUDEV_RULES_DIRECTORY" | |
784 | (string-append #$rules "/lib/udev/rules.d")) | |
785 | ||
786 | (let ((pid (primitive-fork))) | |
787 | (case pid | |
788 | ((0) | |
789 | (exec-command (list udevd))) | |
790 | (else | |
791 | ;; Wait until udevd is up and running. This | |
792 | ;; appears to be needed so that the events | |
793 | ;; triggered below are actually handled. | |
794 | (wait-for-udevd) | |
795 | ||
796 | ;; Trigger device node creation. | |
797 | (system* (string-append #$udev "/bin/udevadm") | |
798 | "trigger" "--action=add") | |
799 | ||
800 | ;; Wait for things to settle down. | |
801 | (system* (string-append #$udev "/bin/udevadm") | |
802 | "settle") | |
803 | pid))))) | |
804 | (stop #~(make-kill-destructor)) | |
805 | ||
806 | ;; When halting the system, 'udev' is actually killed by | |
807 | ;; 'user-processes', i.e., before its own 'stop' method was | |
808 | ;; called. Thus, make sure it is not respawned. | |
809 | (respawn? #f)))) | |
151a2c07 | 810 | |
722554a3 | 811 | (define (device-mapping-service target open close) |
5dae0186 | 812 | "Return a service that maps device @var{target}, a string such as |
722554a3 LC |
813 | @code{\"home\"} (meaning @code{/dev/mapper/home}). Evaluate @var{open}, a |
814 | gexp, to open it, and evaluate @var{close} to close it." | |
be1c2c54 LC |
815 | (service |
816 | (provision (list (symbol-append 'device-mapping- (string->symbol target)))) | |
817 | (requirement '(udev)) | |
818 | (documentation "Map a device node using Linux's device mapper.") | |
819 | (start #~(lambda () #$open)) | |
820 | (stop #~(lambda _ (not #$close))) | |
821 | (respawn? #f))) | |
5dae0186 | 822 | |
2a13d05e LC |
823 | (define (swap-service device) |
824 | "Return a service that uses @var{device} as a swap device." | |
825 | (define requirement | |
826 | (if (string-prefix? "/dev/mapper/" device) | |
827 | (list (symbol-append 'device-mapping- | |
828 | (string->symbol (basename device)))) | |
829 | '())) | |
830 | ||
be1c2c54 LC |
831 | (service |
832 | (provision (list (symbol-append 'swap- (string->symbol device)))) | |
833 | (requirement `(udev ,@requirement)) | |
834 | (documentation "Enable the given swap device.") | |
835 | (start #~(lambda () | |
836 | (restart-on-EINTR (swapon #$device)) | |
837 | #t)) | |
838 | (stop #~(lambda _ | |
839 | (restart-on-EINTR (swapoff #$device)) | |
840 | #f)) | |
841 | (respawn? #f))) | |
2a13d05e | 842 | |
8b198abe LC |
843 | (define %base-services |
844 | ;; Convenience variable holding the basic services. | |
ce8a6dfc | 845 | (let ((motd (plain-file "motd" " |
8b198abe | 846 | This is the GNU operating system, welcome!\n\n"))) |
62ca0fdf LC |
847 | (list (console-font-service "tty1") |
848 | (console-font-service "tty2") | |
849 | (console-font-service "tty3") | |
850 | (console-font-service "tty4") | |
851 | (console-font-service "tty5") | |
852 | (console-font-service "tty6") | |
853 | ||
66e4f01c LC |
854 | (mingetty-service (mingetty-configuration |
855 | (tty "tty1") (motd motd))) | |
856 | (mingetty-service (mingetty-configuration | |
857 | (tty "tty2") (motd motd))) | |
858 | (mingetty-service (mingetty-configuration | |
859 | (tty "tty3") (motd motd))) | |
860 | (mingetty-service (mingetty-configuration | |
861 | (tty "tty4") (motd motd))) | |
862 | (mingetty-service (mingetty-configuration | |
863 | (tty "tty5") (motd motd))) | |
864 | (mingetty-service (mingetty-configuration | |
865 | (tty "tty6") (motd motd))) | |
866 | ||
4a3b3b07 LC |
867 | (static-networking-service "lo" "127.0.0.1" |
868 | #:provision '(loopback)) | |
8b198abe LC |
869 | (syslog-service) |
870 | (guix-service) | |
151a2c07 | 871 | (nscd-service) |
ecd06ca9 | 872 | |
52bd5734 LC |
873 | ;; The LVM2 rules are needed as soon as LVM2 or the device-mapper is |
874 | ;; used, so enable them by default. The FUSE and ALSA rules are | |
875 | ;; less critical, but handy. | |
4307c476 MW |
876 | ;; |
877 | ;; XXX Keep this in sync with the 'udev-service' call in | |
878 | ;; %desktop-services. | |
68ac258b | 879 | (udev-service #:rules (list lvm2 fuse alsa-utils crda))))) |
8b198abe | 880 | |
db4fdc04 | 881 | ;;; base.scm ends here |