-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[sled-agent] NTP zone config set up via zone-setup CLI #5440
Changes from all commits
11e39aa
746f36a
44e5a91
64c6c6b
218f9b4
17fc8cd
19d47b5
bb15ccc
8afbf7b
3cbf2cc
45deb92
f83fc3f
a2abd3b
a285290
91732b7
dd6ab17
f2ffd52
ed87a35
ff9cc6a
94a50d8
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
// This Source Code Form is subject to the terms of the Mozilla Public | ||
// License, v. 2.0. If a copy of the MPL was not distributed with this | ||
// file, You can obtain one at https://mozilla.org/MPL/2.0/. | ||
|
||
//! Utilities for manipulating SMF services. | ||
|
||
use crate::zone::SVCADM; | ||
use crate::{execute, ExecutionError, PFEXEC}; | ||
|
||
/// Wraps commands for interacting with svcadm. | ||
pub struct Svcadm {} | ||
|
||
#[cfg_attr(any(test, feature = "testing"), mockall::automock)] | ||
impl Svcadm { | ||
pub fn refresh_logadm_upgrade() -> Result<(), ExecutionError> { | ||
let mut cmd = std::process::Command::new(PFEXEC); | ||
let cmd = cmd.args(&[SVCADM, "refresh", "logadm-upgrade"]); | ||
execute(cmd)?; | ||
Ok(()) | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
<?xml version="1.0"?> | ||
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> | ||
|
||
<service_bundle type='manifest' name='chrony-setup'> | ||
|
||
<service name='oxide/chrony-setup' type='service' version='1'> | ||
<create_default_instance enabled='true' /> | ||
|
||
<dependency name='multi_user' grouping='require_all' restart_on='none' | ||
type='service'> | ||
<service_fmri value='svc:/milestone/multi-user:default' /> | ||
</dependency> | ||
|
||
<exec_method type='method' name='start' | ||
exec='/opt/oxide/zone-setup-cli/bin/zone-setup chrony-setup -b %{config/boundary} -s %{config/server} -a %{config/allow}' | ||
timeout_seconds='0'> | ||
<method_context security_flags="aslr"> | ||
<method_credential user="root" group="root" | ||
privileges="basic,file_chown" /> | ||
</method_context> | ||
</exec_method> | ||
|
||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This ties into my comment on the dependency's If, for example, the control plane will update the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sounds good, I'll change the file |
||
<property_group name='startd' type='framework'> | ||
<propval name='duration' type='astring' value='transient' /> | ||
</property_group> | ||
|
||
<property_group name="config" type="application"> | ||
<propval name="boundary" type="boolean" value="false" /> | ||
<propval name="server" type="astring" value="" /> | ||
<propval name="allow" type="astring" value="" /> | ||
</property_group> | ||
|
||
<stability value='Unstable' /> | ||
|
||
<template> | ||
<common_name> | ||
<loctext xml:lang='C'>Oxide Chrony Setup</loctext> | ||
</common_name> | ||
<description> | ||
<loctext xml:lang='C'>Configures chronyd for the NTP zone</loctext> | ||
</description> | ||
</template> | ||
</service> | ||
|
||
</service_bundle> |
This file was deleted.
This file was deleted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a blocker, but you could choose to reduce privileges here to just what is needed for the service. It's only writing out some config files so there are a lot it doesn't need. I'm happy to help with that if you want to consider it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good! Not sure which permissions these would be though. I'm guessing
file_chown_self
,file_dac_search
andfile_dac_write
; any others?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The
ppriv
utility has a handy debugging mode to show you which privileges are missing.So we need at least
basic,file_chown
. Since/etc/inet
and/etc/inet/chrony*
are owned by root, that might actually be all.The
_dac_
privileges allow access to things you don't own.Basic expands out to a few too, so:
is actually:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, thanks for doing this part!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As always, thanks for the detailed information. That utility is really handy!