Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
s6
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Unsupported Software
View previous topic :: View next topic  
Author Message
rain1
n00b
n00b


Joined: 13 Apr 2018
Posts: 7

PostPosted: Sat Apr 14, 2018 3:18 pm    Post subject: s6 Reply with quote

Hello. I am interested in s6 as init/pid 1. I have installed gentoo in a qemu virtual machine to experiment with. So far I have added a grub menu which lets me boot without initramfs into stage 1 execline init script, then it hands off to the stage 2 and starts loading up the compiled database of services. It's not booting all the way yet but it's a start. I have been studying the follow sources to try to get it working:



Anyway I just wanted to make a thread on this topic, i'll update when I have more information. and hopefully see if anybody else is interested in it.

Update: Now that I have agetty set up, I can actually boot gentoo and get into a shell: https://i.imgur.com/1ENLuGB.png Good start.


Last edited by rain1 on Mon Jun 18, 2018 12:59 am; edited 2 times in total
Back to top
View user's profile Send private message
Dr.Willy
Guru
Guru


Joined: 15 Jul 2007
Posts: 453
Location: NRW, Germany

PostPosted: Wed Apr 18, 2018 7:33 pm    Post subject: Reply with quote

I have a s6+openrc configuration set up. I've been meaning to replace openrc with s6-rc, however so far that hasn't really amounted to anything presentable.
Back to top
View user's profile Send private message
rain1
n00b
n00b


Joined: 13 Apr 2018
Posts: 7

PostPosted: Thu Apr 19, 2018 9:46 pm    Post subject: Reply with quote

Dr.Willy wrote:
I have a s6+openrc configuration set up. I've been meaning to replace openrc with s6-rc, however so far that hasn't really amounted to anything presentable.


Awesome! Anything you could share would be a great help.
Back to top
View user's profile Send private message
rain1
n00b
n00b


Joined: 13 Apr 2018
Posts: 7

PostPosted: Sun Jun 17, 2018 9:36 pm    Post subject: Reply with quote

Here are some notes from today's session. I started with a fresh gentoo install, without initramfs.

step 2

Add the following to /etc/portage/package.accept_keywords so that we can install all the s6 tools
Code:

dev-libs/skalibs
dev-lang/execline
sys-apps/s6
# required by sys-apps/s6-linux-init-0.4.0.0::gentoo
# required by sys-apps/s6-linux-init (argument)
=sys-apps/s6-linux-utils-2.4.0.2 ~amd64
# required by sys-apps/s6-linux-init-0.4.0.0::gentoo
# required by sys-apps/s6-linux-init (argument)
=sys-apps/s6-portable-utils-2.2.1.1 ~amd64
# required by sys-apps/s6-linux-init (argument)
=sys-apps/s6-linux-init-0.4.0.0 ~amd64
# required by s6-rc (argument)
=sys-apps/s6-rc-0.4.0.1 ~amd64


step 3

Code:

emerge sys-apps/s6
emerge sys-apps/s6-linux-init
emerge execline
emerge s6-rc


step 4

We want to add an extra GRUB menu item so that we can pick our init system on boot. We boot into normal openrc gentoo linux to work on this stuff, then boot into the s6 init system to test our changes.


Edit /etc/grub.d/40_custom

Code:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

menuentry "s6" {
   insmod ext2
   set root='hd0,msdos1'
   echo 'loading linux with s6'
   linux /boot/vmlinuz-4.9.95-gentoo root=/dev/sda1 init=/bin/sh ro
}


Regenerate the grub config grub-mkconfig -o /boot/grub/grub.cfg

step 5

Use s6 init maker to build up the stage1 init:

Code:
rm -rf /s6
s6-linux-init-maker -c /s6 -G '/sbin/agetty 38400 tty1' -2 /s6/scripts/rc.init -Z /s6/scripts/shutdown /s6
mkdir -p /s6/scripts
touch /s6/scripts/rc.init
touch /s6/scripts/shutdown
chmod +x /s6/scripts/shutdown /s6/scripts/rc.init


Now fill up those 2 files.

Code:

curl -o /s6/scripts/rc.init https://raw.githubusercontent.com/skarnet/s6-linux-init/master/examples/rc.init

/s6/scripts/shutdown
#!/bin/sh
# https://skarnet.org/software/s6-linux-init/quickstart.html
exec s6-rc -da change


and then you can edit the grub config to /s6/init and regen it.[/code]
Back to top
View user's profile Send private message
rain1
n00b
n00b


Joined: 13 Apr 2018
Posts: 7

PostPosted: Sun Jun 17, 2018 9:40 pm    Post subject: Reply with quote

step 6

that should boot up, but you wont have /proc or a writable filesystem. To get these parts working we need to build an s6 stage2 compiled s6-rc script folder.

I will make a git repo called `gentoo-s6-services` with more useful things in it, but for starting we are copying parts from lh-bootstrap:

on the host:
Code:

$ mkdir gentoo-s6-services
$ cp -r lh-bootstrap/layout/rootfs/etc/s6-rc/source-base/00/ gentoo-s6-services/
$ cp -r lh-bootstrap/layout/rootfs/etc/s6-rc/source-base/mount-proc/ gentoo-s6-services/


scp it in to /root then in the host:

Code:

s6-rc-compile /run/services /root/gentoo-s6-services


and update /s6/rc.init to point to the compiled service dir

Code:

if { s6-rc-init -c /s6/scripts/compiled/ /run/service }[/b]


This should give you /proc mounted, I have written service to remount the rootfs as writable too, and start up static eth0 networking. Working on sshd and dhcp next.
Back to top
View user's profile Send private message
rain1
n00b
n00b


Joined: 13 Apr 2018
Posts: 7

PostPosted: Mon Jun 18, 2018 2:53 pm    Post subject: Reply with quote

I have made a repo for the gentoo s6 services that I am working on. It is very bare at the moment because I'm still learning a lot about how s6 works. https://github.com/rain-1/gentoo-s6-services

ssh
Today I've got sshd starting up correctly supervised by s6 and also a special logging service for it. It was important to pass the -e flag to sshd so that it would log to stderr in order that s6 log can capture it. By default it logs to the system log. This may be a common pitfall when writing service dirs.

I was shown the commans ps afuxww (or alternatively s6-ps -H) which are very useful for visualizing the service tree and seeing which service failed to start.

Another thing of note is that the 00 service (and eth0) use an env variable directory to load up custom options for the service. In this case the computers hostname.

ssh killer
One of the issues with ssh is that when i reboot, the terminals that were ssh'ing in get jammed and if you wait a while you may get a broken pipe error. What is much nicer is when the shutdown process cleanly terminates all ssh sessions before taking down networking and rebooting.

I created an ssh-killer service to do this: It uses pkill which isn't the ideal solution but it works so I'll leave it at that for now. Using pkill isn't great becaues it has to pause every process on the system (including pid 1) then kill, then unpause.

Gentoo bug on this same issue https://bugs.gentoo.org/259183 I think systemd does it using dbus.[/b]
Back to top
View user's profile Send private message
rain1
n00b
n00b


Joined: 13 Apr 2018
Posts: 7

PostPosted: Tue Jun 19, 2018 7:38 pm    Post subject: Reply with quote

I stop working on this over disagreements with lead dev on security.

https://skarnet.org/software/s6/s6-log.html
s6 log uses the executable bit on the log files to signal 1 bit of information: whether or not the log is currently being written
but an attacker can often influence the content of log files (e.g. ssh in with `nastycommand` as username)
so it feels like abusing the +x bit for this purpose opens up a potential security weakness similar to httpd log poisoning
it is similar to a standard http log poisoning lfi to shell attack.

they just reject that this is an issue and are insulting about my bug report.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 12619

PostPosted: Wed Jun 20, 2018 2:11 am    Post subject: Reply with quote

Setting +x on a file to represent temporary state is horrible and wrong. However, rather than abandon the project, you could apply an ebuild patch to remove that bit of trouble.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 5950
Location: Room 101

PostPosted: Wed Jun 20, 2018 12:19 pm    Post subject: Reply with quote

rain1 wrote:
I stop working on this over disagreements with lead dev on security.

rain1 ... that's a shame, as I was interested/following.

best ... khay
Back to top
View user's profile Send private message
rain1
n00b
n00b


Joined: 13 Apr 2018
Posts: 7

PostPosted: Wed Jun 20, 2018 7:01 pm    Post subject: Reply with quote

sorry folks I didn't realize there were so many people interested in it. I am disappointed too. Mostly that we were not able to resolve the issue by discussion and it went into name calling and insults. It isn't a good sign if other flaws were found would they be ignored too..

Anyway, there are a couple ways to remedy it. One could maintain a hardening patchset but that can become a lot of work. Another option would be to mount the log partition noexec, openbsd style. I may look into implementing this. A shame that it requires repartitioning the disk though.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 12619

PostPosted: Thu Jun 21, 2018 1:18 am    Post subject: Reply with quote

rain1 wrote:
sorry folks I didn't realize there were so many people interested in it.
I am not interested in it. I just don't like seeing people run off from a project over political issues.
rain1 wrote:
It isn't a good sign if other flaws were found would they be ignored too..
Agreed.
rain1 wrote:
Another option would be to mount the log partition noexec, openbsd style. I may look into implementing this. A shame that it requires repartitioning the disk though.
Why would you need to repartition for this?
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 5950
Location: Room 101

PostPosted: Thu Jun 21, 2018 8:12 am    Post subject: Reply with quote

rain1 wrote:
sorry folks I didn't realize there were so many people interested in it. I am disappointed too. Mostly that we were not able to resolve the issue by discussion and it went into name calling and insults. It isn't a good sign if other flaws were found would they be ignored too.

rain1 ... I looked for the discussion on the supervision mailing list but it seems this occurred on irc. I find Laurent mostly amiable, and I agree with most of what he has to say (he has an account here, and has engaged in various discussions), so I wonder what it is/was that would set you at loggerheads, or why he wouldn't see +x as a rather odd way of setting status. Anyhow, I doubt this is a sign of his unwillingness to consider criticism in general, you may have caught him on a bad day, who knows.

One criticism I could make myself (from the perspective of trying to understand s6 as a novice) is that the lack of a standard namespace for service directories makes it very difficult when looking at how people are using it, you see all manner of "service" setups that it makes it hard to digest the underlying methodology. I understand the rational behind "seperation of mechanism from policy" but were there some attempt to standardise naming it might make adoption, and comprehension, somewhat less of a struggle. If I look at, and compare, the stuff out there there is no "aha!" moment, why use "00" (as I've seen in various places) and then not follow with something that would make the runlevel obvious (or at least structured to make what follows make sense from that perspective). Not all hosts are the same, obviously, but what needs to happen can be reduced to some kind of structure, at least where names are concerned.

best ... khay
Back to top
View user's profile Send private message
Dr.Willy
Guru
Guru


Joined: 15 Jul 2007
Posts: 453
Location: NRW, Germany

PostPosted: Mon Jul 02, 2018 12:21 pm    Post subject: Reply with quote

khayyam wrote:
One criticism I could make myself (from the perspective of trying to understand s6 as a novice) is that the lack of a standard namespace for service directories makes it very difficult when looking at how people are using it, you see all manner of "service" setups that it makes it hard to digest the underlying methodology. I understand the rational behind "seperation of mechanism from policy" but were there some attempt to standardise naming it might make adoption, and comprehension, somewhat less of a struggle. If I look at, and compare, the stuff out there there is no "aha!" moment, why use "00" (as I've seen in various places) and then not follow with something that would make the runlevel obvious (or at least structured to make what follows make sense from that perspective). Not all hosts are the same, obviously, but what needs to happen can be reduced to some kind of structure, at least where names are concerned.

Well for a start you could just copy the scheme from openrc.
Back to top
View user's profile Send private message
fxkrait
n00b
n00b


Joined: 30 Jul 2018
Posts: 6
Location: DRPK

PostPosted: Thu Aug 02, 2018 4:13 am    Post subject: Reply with quote

I just came from Obarun, which is Arch + S6 init. Would be really cool if Gentoo supported this. From what I've gathered it is a pretty decent init, even better than runit.
_________________
A great painter does not content himself by affecting us with his masterpieces; ultimately, he succeeds in changing the landscape of our minds. Once a miniaturist's artistry enters our souls this way, it becomes the criterion for the beauty of our world.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Unsupported Software All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum