Socket activation support

ogra 2017-09-15 16:27:20 UTC #12

just for the laughs btw …

ogra1/packageproxy/blob/master/run-approx

#! /bin/sh

set -e

[ -e "$SNAP_DATA/var/cache/approx" ] || \
	mkdir -p $SNAP_DATA/var/cache/approx

[ -e "$SNAP_DATA/config.yaml" ] || \
	cp $SNAP/config.yaml $SNAP_DATA/config.yaml

$SNAP/config.sh >/dev/null 2>&1

for sfx in allow deny; do
    touch $SNAP_DATA/hosts.$sfx
done

PORT="$(grep port: $SNAP_DATA/config.yaml | sed 's/^.* //')"

$SNAP/usr/bin/socat -W $SNAP_DATA/lockfile.lock \
	TCP4-LISTEN:$PORT,reuseaddr,fork,tcpwrap=script,tcpwrap-etc=$SNAP_DATA \

This file has been truncated. show original

using socat in a wrapper script also gets you nicely working socket activation
(this is particulary using port activation though, but socket is possible as well)

ack 2017-09-19 12:07:31 UTC #13

Should we define each socket in its own .socket file or have a single file associated to the .service one?

The former allows finer control on each socket; for instance the LXD snap could disable the socket on 8443 if only the local socket is enabled.

If we go with a single .socket file, then there is no real use for the socket name (lxd-unix and lxd-tcp in the example), so we could make the sockets stanza just a list, but all sockets would be started/stopped together by systemd.

chipaca 2017-09-19 12:39:34 UTC #14

@ack, How would this feature work together with snap set to allow administrators to change the addresses the service listen on?

niemeyer 2017-09-19 12:54:04 UTC #15

@ack Per comments in the review, your approach of multiple sockets sounds nice.

A few more details to figure, as described in the review.

niemeyer 2017-09-19 12:54:54 UTC #16

@chipaca Good question… I think it’s on us to answer that.

ack 2017-09-19 12:59:31 UTC #17

I don’t know much about snap set, but the current implementation won’t interact.

Basically it lets you define a set of sockets that would cause the service to be started. What I mentioned about having separate socket files would possible let the service disable the .socket if it doesn’t actually listen on a specific port.
IOW you’d have to define all possible sockets that the service could listen on.

niemeyer 2017-09-19 13:16:33 UTC #18

@ack Yeah, don’t worry too much about that. There are a few ideas to explore in terms of how to allow people and even the snap itself to tune the default value of this setting at runtime, but we can figure this out in a follow up and so it’s not a blocker for this to land.

The only real blocker we have now is figuring out how to define the snap filename in a safe way, per the review.

stgraber 2017-09-21 16:11:18 UTC #19

As a first pass can we just restrict the socket paths to be under the snap’s writable paths?
That would effectively be either:

/var/snap/NAME/current/
/var/snap/NAME/common/

Both of those should always be entirely safe and avoid any potential conflict with the host. Having this initial restriction would unblock LXD (which binds /var/snap/lxd/common/lxd/unix.socket) and would be compatible with allowing other paths (/run or such) down the line either through interfaces or another mechanism.

@jdstrand you may have some opinions on this

niemeyer 2017-09-21 16:52:00 UTC #20

@stgraber That would be the best approach actually, as it would effectively allow systemd to create anything that the snap might create anyway. The question is just how to verify it easily from that location. The vague option we discussed was to have some sort of support on snap-exec to answer that question, and then do the typical snap run → snap-confine → snap-exec dance to get an answer. It feels a bit fiddly, but I can’t see good alternatives yet. If we go that route, systemd socket files have an ExecStartPre option that runs before the socket is created. Assuming it aborts the socket creation if that command fails, we might leverage it.

niemeyer 2017-09-21 16:55:01 UTC #21

@stgraber Ah, sorry, I misunderstood your proposal. You mean allowing only $SNAP_DATA and $SNAP_COMMON. Yeah, that sounds fine as a first step. The implementation I mentioned above is likely what we should aim for, as it enables other use cases, but we can do that as a follow up and it would remain compatible with what you suggest too.

stgraber 2017-09-21 16:58:47 UTC #22

Right, that’s what I had in mind. Lets limit it to something we know is safe for now, then extend it later for more complex use cases.

ack 2017-09-21 17:02:13 UTC #23

@niemeyer should we disallow abstract unix sockets (as they’re not confined IIUC)?

niemeyer 2017-09-21 18:19:44 UTC #24

Yes, sounds like a good idea for now. We also need to get a review from @jdstrand before the final PR goes in, so he has a chance to pick up any other issues around that sort of problem.

jdstrand 2017-09-21 18:54:30 UTC #25

Actually, abstract sockets are mediated. Like so many other things, it is a matter of namespacing. Abstract sockets often look like this: @foo, but they can have the form: @/path/foo. I’m not saying the first iteration should support abstract sockets, but it could if the namespacing was right. Eg:

@snap.$SNAP_NAME.whatever (eg, @snap.foo.whatever)
@$SNAP_DATA/whatever (eg, @/var/snap/foo/x1/whatever)

Today, the default template does not allow creating abstract sockets, but this is only because we never decided on how to namespace them (it was discussed long ago, but never brought up again).

niemeyer 2017-09-21 20:10:14 UTC #26

@jdstrand Not in this case, I suspect. It’s systemd that is opening up the socket. We have the same issue described above about writing of unix sockets.

Well, unless we do enforce it at the namespacing level rather than hoping for apparmor to catch it.

jdstrand 2017-09-21 21:33:13 UTC #27

To be clear, I was not talking about Linux namespaces/containers. We can carve out abstract socket ‘paths’ that follow snappy conventions and enforce that with apparmor, in a similar fashion like we do now with the filesystem. We just have to decide how we want to carve that up (glossing over implementation details of making it work with systemd).

ack 2017-09-22 11:59:06 UTC #28

@niemeyer @jdstrand thanks for the clarification. I’ll reject abstract sockets for now in the listen-stream validation.

I’m also wondering what should be allowed in terms of TCP addresses; can we just limit to a port (which would be the same as allowing [::]:<port>) or should it be possible to specify addreses to (so that an app can, for example, bind only localhost)?

jdstrand 2017-09-22 12:34:42 UTC #29

I don’t have an opinion on the actual question, but have a related question. You mention “bind only localhost” (emphasis mine); aiui systemd is merely going to listen on these itself, start the application then hand over the fd to the service, but the service is free to open and listen on any number of other ports (or named sockets or abstract sockets) as is desired. As such, the ‘only’ here refers to the fact that the port will be open on the localhost, but not eth0. All of this is fine AFAIC. Fine-grained network mediation is on the roadmap, so at some point we will be able to enforce “you may only this port on this interface and no others”.

I ask because I want to make sure we don’t try to use ‘Socket Activated OS Containers’ (see http://0pointer.de/blog/projects/socket-activated-containers.html) since those won’t work right with snapd.

jdstrand 2017-09-22 12:40:12 UTC #30

Reading https://www.freedesktop.org/software/systemd/man/systemd.socket.html I see no reason why we could not include abstract sockets at this time. Like with named sockets, we simply limit their naming so different snaps can’t clobber each other. Eg, like I said before (feel free to suggest other ideas):

@snap.$SNAP_NAME.whatever (eg, @snap.foo.whatever)
@$SNAP_DATA/whatever (eg, @/var/snap/foo/x1/whatever)

snapd ensures the abstract sockets match our naming convention when generating the systemd unit and we add a couple of apparmor glob rules to the default template that allow unconfined to access the socket and for anything in the snap to access it. Anything beyond that is out of scope for this PR (but other snap access is obviously implemented via interfaces).

ack 2017-09-22 13:06:47 UTC #31

If that’s the case, I think @$SNAP_COMMON/whatever should be also supported (to match what would be allowed for filesystem-based unix sockets)