diff options
-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | propellor.cabal | 2 | ||||
-rw-r--r-- | src/Propellor/Property/Chroot.hs | 22 | ||||
-rw-r--r-- | src/Propellor/Property/DiskImage.hs | 5 | ||||
-rw-r--r-- | src/Propellor/Property/Service.hs | 33 |
5 files changed, 40 insertions, 30 deletions
diff --git a/debian/changelog b/debian/changelog index 78115eb3..f7bc48c3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,13 +1,13 @@ -propellor (4.9.1) UNRELEASED; urgency=medium +propellor (5.0.0) UNRELEASED; urgency=medium * Debootstrap.built now supports bootstrapping chroots for foreign OS's, using qemu-user-static. * Machine: New module collecting machine-specific properties for building bootable images for ARM boards. Tested working boards: Olimex Lime, CubieTruck, Banana Pi, SheevaPlug. - * Service: Changed to use invoke-rc.d rather than the service command for - starting services. This notably means that in chroots, services will - not be started. + * Chroot.noServices moved to Service.noServices and its type changed. + (API change) + * Service: Avoid starting services when noServices is used. * Add Typeable instance to OriginUrl, fixing build with old versions of ghc. * Added Propellor.Property.impossible diff --git a/propellor.cabal b/propellor.cabal index 239a00e6..9bafd2fb 100644 --- a/propellor.cabal +++ b/propellor.cabal @@ -1,5 +1,5 @@ Name: propellor -Version: 4.9.0 +Version: 5.0.0 Cabal-Version: >= 1.20 License: BSD2 Maintainer: Joey Hess <id@joeyh.name> diff --git a/src/Propellor/Property/Chroot.hs b/src/Propellor/Property/Chroot.hs index ea8b1407..0dd1f05a 100644 --- a/src/Propellor/Property/Chroot.hs +++ b/src/Propellor/Property/Chroot.hs @@ -9,7 +9,6 @@ module Propellor.Property.Chroot ( ChrootBootstrapper(..), Debootstrapped(..), ChrootTarball(..), - noServices, inChroot, exposeTrueLocaldir, -- * Internal use @@ -32,7 +31,6 @@ import qualified Propellor.Property.Systemd.Core as Systemd import qualified Propellor.Property.File as File import qualified Propellor.Shim as Shim import Propellor.Property.Mount -import Utility.FileMode import Utility.Split import qualified Data.Map as M @@ -257,26 +255,6 @@ mungeloc = replace "/" "_" chrootDesc :: Chroot -> String -> String chrootDesc (Chroot loc _ _ _) desc = "chroot " ++ loc ++ " " ++ desc --- | Adding this property to a chroot prevents daemons and other services --- from being started, which is often something you want to prevent when --- building a chroot. --- --- On Debian, this is accomplished by installing a </usr/sbin/policy-rc.d> --- script that does not let any daemons be started by packages that use --- invoke-rc.d. Reverting the property removes the script. --- --- This property has no effect on non-Debian systems. -noServices :: RevertableProperty UnixLike UnixLike -noServices = setup <!> teardown - where - f = "/usr/sbin/policy-rc.d" - script = [ "#!/bin/sh", "exit 101" ] - setup = combineProperties "no services started" $ toProps - [ File.hasContent f script - , File.mode f (combineModes (readModes ++ executeModes)) - ] - teardown = File.notPresent f - -- | Check if propellor is currently running within a chroot. -- -- This allows properties to check and avoid performing actions that diff --git a/src/Propellor/Property/DiskImage.hs b/src/Propellor/Property/DiskImage.hs index 68b34412..f0e1602e 100644 --- a/src/Propellor/Property/DiskImage.hs +++ b/src/Propellor/Property/DiskImage.hs @@ -24,6 +24,7 @@ import Propellor.Property.Chroot (Chroot) import Propellor.Property.Chroot.Util (removeChroot) import Propellor.Property.Mount import qualified Propellor.Property.Chroot as Chroot +import qualified Propellor.Property.Service as Service import qualified Propellor.Property.Grub as Grub import qualified Propellor.Property.File as File import qualified Propellor.Property.Apt as Apt @@ -103,7 +104,7 @@ instance DiskImage VirtualBoxPointer where -- to avoid expensive IO to generate a new one. And, it's updated in-place, -- so its contents are undefined during the build process. -- --- Note that the `Chroot.noServices` property is automatically added to the +-- Note that the `Service.noServices` property is automatically added to the -- chroot while the disk image is being built, which should prevent any -- daemons that are included from being started on the system that is -- building the disk image. @@ -185,7 +186,7 @@ imageBuilt' rebuild img mkchroot tabletype partspec = in setContainerProps c $ containerProps c -- Before ensuring any other properties of the chroot, -- avoid starting services. Reverted by imageFinalized. - &^ Chroot.noServices + &^ Service.noServices & cachesCleaned -- Only propagate privdata Info from this chroot, nothing else. propprivdataonly (Chroot.Chroot d b ip h) = diff --git a/src/Propellor/Property/Service.hs b/src/Propellor/Property/Service.hs index e6a69eb5..0bcfdb93 100644 --- a/src/Propellor/Property/Service.hs +++ b/src/Propellor/Property/Service.hs @@ -1,6 +1,11 @@ +{-# LANGUAGE DeriveDataTypeable #-} + module Propellor.Property.Service where import Propellor.Base +import Propellor.Types.Info +import qualified Propellor.Property.File as File +import Utility.FileMode type ServiceName = String @@ -23,5 +28,31 @@ reloaded = signaled "reload" "reloaded" signaled :: String -> Desc -> ServiceName -> Property DebianLike signaled cmd desc svc = tightenTargets $ p `describe` (desc ++ " " ++ svc) where - p = scriptProperty ["invoke-rc.d " ++ shellEscape svc ++ " " ++ cmd ++ " >/dev/null 2>&1 || true"] + p = scriptProperty ["service " ++ shellEscape svc ++ " " ++ cmd ++ " >/dev/null 2>&1 || true"] `assume` NoChange + +-- | This property prevents daemons and other services from being started, +-- which is often something you want to prevent when building a chroot. +-- +-- When this is set, `running` and `restarted` will not start services. +-- +-- On Debian this installs a </usr/sbin/policy-rc.d> script to further +-- prevent any packages that get installed from starting daemons. +-- Reverting the property removes the script. +noServices :: RevertableProperty (HasInfo + UnixLike) UnixLike +noServices = (setup `setInfoProperty` toInfo (InfoVal NoServices)) <!> teardown + where + f = "/usr/sbin/policy-rc.d" + script = [ "#!/bin/sh", "exit 101" ] + setup = combineProperties "no services started" $ toProps + [ File.hasContent f script + , File.mode f (combineModes (readModes ++ executeModes)) + ] + teardown = File.notPresent f + +-- | Check if the noServices property is in effect. +checkNoServices :: Propellor Bool +checkNoServices = isJust . fromInfoVal + <$> (askInfo :: Propellor (InfoVal NoServices)) + +data NoServices = NoServices deriving (Eq, Show, Typeable) |