From patchwork Fri Feb 24 00:12:10 2023
X-Patchwork-Submitter: Bruno Victal
X-Patchwork-Id: 47247
Subject: [bug#61744] [PATCH] services: base: Deprecate 'pam-limits-service' procedure.
To: 61744@debbugs.gnu.org
Cc: Bruno Victal, ludo@gnu.org
From: Bruno Victal
Date: Fri, 24 Feb 2023 00:12:10 +0000
X-Mailer: git-send-email 2.39.1

* doc/guix.texi (Base Services): Replace pam-limits-service with pam-limits-service-type.
* gnu/packages/benchmark.scm (python-locust)[description]: Update index anchor to manual.
* gnu/services/base.scm (pam-limits-service-type): Accept both lists and file-like objects for compatibility.
(pam-limits-service): Deprecate procedure.
---
Sending this one for review now since this service is a bit unusual compared to the other ones.

 doc/guix.texi | 18 ++++++++---------
 gnu/packages/benchmark.scm | 2 +-
 gnu/services/base.scm | 41 +++++++++++++++++++++++++++-----------
 3 files changed, 39 insertions(+), 22 deletions(-)

base-commit: 5d10644371abd54d0edcd638691113f0a92de743
diff --git a/doc/guix.texi b/doc/guix.texi index a7ef00f421..9127090d44 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -18926,7 +18926,6 @@ Base Services @var{device} does not exist. @end deffn -@anchor{pam-limits-service} @cindex session limits @cindex ulimit @cindex priority @@ -18934,19 +18933,20 @@ Base Services @cindex jackd @cindex nofile @cindex open file descriptors -@deffn {Scheme Procedure} pam-limits-service [#:limits @code{'()}] - -Return a service that installs a configuration file for the +@anchor{pam-limits-service-type} +@defvar pam-limits-service-type +Type of the service that installs a configuration file for the @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html, -@code{pam_limits} module}. The procedure optionally takes a list of -@code{pam-limits-entry} values, which can be used to specify +@code{pam_limits} module}. The value for this service type is +a list of @code{pam-limits-entry} values, which can be used to specify @code{ulimit} limits and @code{nice} priority limits to user sessions. +By default, the value is the empty list. The following limits definition sets two hard and soft limits for all login sessions of users in the @code{realtime} group: @lisp -(pam-limits-service +(service pam-limits-service-type (list (pam-limits-entry "@@realtime" 'both 'rtprio 99) (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) @@ -18961,7 +18961,7 @@ Base Services descriptors that can be used: @lisp -(pam-limits-service +(service pam-limits-service-type (list (pam-limits-entry "*" 'both 'nofile 100000))) @end lisp @@ -18972,7 +18972,7 @@ Base Services else the users would be prevented from login in. For more information about the Pluggable Authentication Module (PAM) limits, refer to the @samp{pam_limits} man page from the @code{linux-pam} package. -@end deffn +@end defvar @defvar greetd-service-type @uref{https://git.sr.ht/~kennylevinsen/greetd, @code{greetd}} is a minimal and diff --git a/gnu/packages/benchmark.scm b/gnu/packages/benchmark.scm index 33e2466da9..fd8513f41d 100644 --- a/gnu/packages/benchmark.scm +++ b/gnu/packages/benchmark.scm 
@@ -458,7 +458,7 @@ (define-public python-locust Note: Locust will complain if the available open file descriptors limit for the user is too low. To raise such limit on a Guix System, refer to -@samp{info guix --index-search=pam-limits-service}.") +@samp{info guix --index-search=pam-limits-service-type}.") (license license:expat))) (define-public interbench diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 35b03a877b..5a2e0263e4 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -40,7 +40,7 @@ (define-module (gnu services base) #:use-module (guix store) #:use-module (guix deprecation) - #:autoload (guix diagnostics) (warning &fix-hint) + #:autoload (guix diagnostics) (warning report-error &fix-hint) #:autoload (guix i18n) (G_) #:use-module (guix combinators) #:use-module (gnu services) @@ -245,7 +245,7 @@ (define-module (gnu services base) kmscon-service-type pam-limits-service-type - pam-limits-service + pam-limits-service ; deprecated greetd-service-type greetd-configuration @@ -1570,17 +1570,13 @@ (define* (syslog-service #:optional (config (syslog-configuration))) (define pam-limits-service-type - (let ((security-limits - ;; Create /etc/security containing the provided "limits.conf" file. - (lambda (limits-file) - `(("security/limits.conf" - ,limits-file)))) - (pam-extension + (let ((pam-extension (lambda (pam) (let ((pam-limits (pam-entry (control "required") (module "pam_limits.so") - (arguments '("conf=/etc/security/limits.conf"))))) + (arguments + '("conf=/etc/security/limits.conf"))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm" "sudo" "sshd")) 
@@ -1588,7 +1584,26 @@ (define pam-limits-service-type (inherit pam) (session (cons pam-limits (pam-service-session pam)))) - pam))))) + pam)))) + + ;; XXX: Using file-like objects is deprecated, use lists instead. + ;; This is to be reduced into the list? case when the deprecated + ;; code gets removed. + ;; Create /etc/security containing the provided "limits.conf" file. + (security-limits + (match-lambda + ((? file-like? obj) + (warning (G_ "Using file-like value for 'pam-limits-service-type' +is deprecated~%")) + obj) + ((? list? lst) + `(("security/limits.conf" + ,(plain-file "limits.conf" + (string-join (map pam-limits-entry->string lst) + "\n" 'suffix))))) + (_ (report-error + (G_ "invalid input for 'pam-limits-service-type'~%")))))) + (service-type (name 'limits) (extensions @@ -1598,9 +1613,11 @@ (define pam-limits-service-type (description "Install the specified resource usage limits by populating @file{/etc/security/limits.conf} and using the @code{pam_limits} -authentication module.")))) +authentication module.") + (default-value '())))) -(define* (pam-limits-service #:optional (limits '())) +(define-deprecated (pam-limits-service #:optional (limits '())) + pam-limits-service-type "Return a service that makes selected programs respect the list of pam-limits-entry specified in LIMITS via pam_limits.so." (service pam-limits-service-type
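Review bot: the new @defvar text in doc/guix.texi (hunk @@ -18934,19 +18933,20 @@) documents only the list value, while gnu/services/base.scm in this same patch still accepts a file-like object with a deprecation warning, and the manual no longer mentions pam-limits-service at all. Suggest one sentence stating that file-like values and the pam-limits-service procedure are deprecated in favour of (service pam-limits-service-type (list ...)), so that someone reading an existing configuration knows how to migrate it. The first doc hunk also drops @anchor{pam-limits-service}; keeping the old anchor beside the new @anchor{pam-limits-service-type} would keep existing cross-references to that node working.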
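Review bot: in the security-limits match-lambda of gnu/services/base.scm (hunk @@ -1588,7 +1584,26 @@), the file-like? clause returns obj bare, whereas the lambda removed in the previous hunk returned the quasiquoted list (("security/limits.conf" ,limits-file)) and the list? clause still returns that shape. The deprecated path therefore hands the extension a different kind of value than it did before the patch; suggest returning (("security/limits.conf" ,obj)) in quasiquoted form after the warning, so both clauses yield the same structure. The warning string also contains a literal line break before "is deprecated~%", which ends up inside the translatable message; keep the string on one line or end the first line with a backslash. Finally, the list? clause does not check that the elements are pam-limits-entry records, so a malformed list fails inside pam-limits-entry->string rather than reaching the report-error clause with its clearer message.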
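Review bot: in the last hunk of gnu/services/base.scm (@@ -1598,9 +1613,11 @@), pam-limits-service becomes define-deprecated but its docstring and the body starting at (service pam-limits-service-type are left as unchanged context, so it is not visible whether LIMITS is now passed through as a list. If the body still builds a file and passes that, every caller gets the procedure deprecation warning plus the file-like one from security-limits and goes through the file-like? clause; passing limits directly as the service value would avoid both. A short comment next to (default-value '()) noting that the empty list still installs an empty limits.conf and the pam_limits.so session entry would also help readers of the service definition.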