Your message dated Sun, 09 Oct 2022 19:51:32 +0000
with message-id <[email protected]>
and subject line Bug#1021474: fixed in runit 2.1.2-49
has caused the Debian Bug report #1021474,
regarding runit: forward signals from systemd-only services
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1021474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021474
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: runit
Version: 2.1.2-48
Severity: wishlist
X-Debbugs-Cc: [email protected]
Solutions listed in #1021465 provide access only to sysv service but there
are other issues left:
1. can't forward signals from systemd path, socket, timers; even an override
of deb-systemd-invoke from i-s-h won't work as calls to deb-systemd-invoke
in maintscript are run only when systemd is init.
2. same problem as above for packages that ship a systemd service without a
sysvscript counterpart, either because it never existed or because it's
been removed
3. the standard upgrade sequence that happens at postinstall, or at prerem
and postrm is unfitted for runit design:
- in runit, when a service is enabled is also automatically started, and
when is disabled is also stopped, no way around it. So doing enable+ start
at postinstall and stop + disable at pre|postrm is not just pointless, but
can be racy like in #919296
Also, combo like 'enable but don't start' that are possible with debhelper
are not feasible in runit.
- the standard postinstall ( enable + rescan + start/restart ) sequence is not
efficient when more services are involved in the same upgrade, for example
if
10 packages with services are upgraded the results is
10*(enable+rescan+start/restart),
while a more conveninent sequence could be 10*(enable) + 1*(rescan) +
X*(restart),
skipping the start of newly enabled service ( to avoid te race) and doing
one
rescan for the entire upgrade.
4. the one-to-one equivalence between runit and systemd or sysv services is not
always feasible and sometimes is undesiderable:
- runit does not have a service manager, supervised services are started in
parallel
and dependencies are automatically sorted out with polling; with this
design splitting
services into several pieces like systemd does is not a great idea as it
makes relation
between services more complex to solve
- sometimes the opposite is true and one sysv or systemd service has to be
expressed
with more than one runit services ( for example the ExecStartPost systemd
directive)
Overall, 1, 2 and 4 can be resolved by merging native runscript into packages
but there
are other two problems:
* during the boot runit first runs all enabled sysv services in rc2.d (skipping
when a native
one exists), then starts all native services in parallel; so services that
are involved in a
dependency relationship should be merged in reverse order (otherwise the boot
sequence will
be broken). For example, before merging dbus runscript, all services that
depends on
dbus should be merged. This should be done without NMU as support for non
default init
is a whishlist bug. This is simply not feasible.
* there is a social issue with non default init in Debian; a certain group of
maintainer will
refuse to merge support for other init system.
So there is a need for a catch all 'runit-services' package at least for the
above two case.
As a runit-services package ships only services definition while binaries are
in separate packages
from other multiple sources, there is no established way to perform the
standard maintscripts
sequence[1]. This is not just an issue of reduced support for an alternative
init: silently
omitting to restart a runit service when a new version of the package that
ships the binary
fixes an outstanding CVE is a bad, probably RC security bug.
An optimal solution is one that:
* provide enable/disable and restart when the service definition is in a
separate
package from the one the ships the binary (without cooperation from the
latter)
* works when there a one-to-one relation with sysv or systemd services is not
possible
(basically decoupling runit services from other inits)
* provide an efficient sequence where services are first enabled/disabled, then
runsvdir
is told to rescan and finally only services that are upgraded are restarted
(decoupled from dpkg configure order)
* bonus point if the mechanism can be used by local admin to handle their
collection of
services without the need to do a deb package
Probably it can be done by writing data that is usually in maintscirpt inside
some file
that is parsed at runtime by a dpkg noawait trigger. This is kind of
reinventing the wheel,
except that if it works, it's a technical solution to workaround a social
problem.
Anyway I think this is within the scope of the "experimenting with alternative
init" of the
last init GR.
[1] something like enable/disable the runit service when the package that ships
the correspondent
binary is installed/removed and restart the service on upgrade
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled
Versions of packages runit depends on:
ii libc6 2.34-8
ii runit-helper 2.14.2
ii sysuser-helper 1.3.7+really1.4.1
Versions of packages runit recommends:
ii runit-init 2.1.2-48
Versions of packages runit suggests:
ii socklog 2.1.0+repack-4+b1
pn zsh <none>
-- Configuration Files:
/etc/default/runit changed [not included]
/etc/runit/ctrlaltdel changed [not included]
/etc/runit/runsvdir/single/sulogin/run [Errno 2] No such file or directory:
'/etc/runit/runsvdir/single/sulogin/run'
-- no debconf information
-- debsums errors found:
debsums: changed file /lib/lsb/init-functions.d/40-runit (from runit package)
debsums: changed file /lib/runit/trigger_sv (from runit package)
--- End Message ---
--- Begin Message ---
Source: runit
Source-Version: 2.1.2-49
Done: Lorenzo Puliti <[email protected]>
We believe that the bug you reported is fixed in the latest version of
runit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lorenzo Puliti <[email protected]> (supplier of updated runit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 07 Oct 2022 23:27:21 +0200
Source: runit
Architecture: source
Version: 2.1.2-49
Distribution: experimental
Urgency: medium
Maintainer: Lorenzo Puliti <[email protected]>
Changed-By: Lorenzo Puliti <[email protected]>
Closes: 1021465 1021474
Changes:
runit (2.1.2-49) experimental; urgency=medium
.
* make_svlink: create links also when CPSV_DIR is not /etc/sv
* make the default directory for runsvdir configurable
* stage 1: setup to experiment with a runtime service layout
* /lib/lsb/init-functions.d/40-runit: mask sysv services and
forward signals to runscripts; this can be tuned with flag files if
start-stop-daemon wrapper is preferred. (Closes: #1021465)
* add an sv_wtime utility needed for triggered upgrade of services
* support triggered upgrade for runit services; this mode requires
metafiles that are usually produced by dh-runit (Closes: #1021474)
* invoke-run:
- check for new metafile path inside the service directory
- remove hardcoded path when 'chpst -e' is used
- avoid loop when signals for sysv script are forwarded
* cpsv:
- improve readability of -d with colored diff
- improve heuristic on sysvinit scripts
* update-service:
- add policy compliant commands
- update manpage
* run_sysv_scripts: small optimizations
* svlogd: copy pkg metafile inside the log directory
* Add a purge fallback for runit package, to fix piuparts
sporadic failure
Checksums-Sha1:
844f7daf8a4cfec2f0796ea5328d2d1a95667a57 2274 runit_2.1.2-49.dsc
a07cb454c55b79648c3a9210b597a3d1eebb5be9 59372 runit_2.1.2-49.debian.tar.xz
a499d76e2b2e29b9621797550de6cd186ffd1233 5898 runit_2.1.2-49_source.buildinfo
Checksums-Sha256:
656a686151e9b8379d54aabaf00bb783d69636a4adccf989e153d9d74db3fcbe 2274
runit_2.1.2-49.dsc
df372f8958714abc2a093c13f918e3c675497daee31ed54a8087db9dce1a8946 59372
runit_2.1.2-49.debian.tar.xz
2465173e8d3deb93ba732d657bc39db9060b085ace5979d1162ef39e511fe72b 5898
runit_2.1.2-49_source.buildinfo
Files:
709005d56c7ab1610d72028a6f268b03 2274 admin optional runit_2.1.2-49.dsc
87eacfa074b2b5c6f3e7a1a92181b946 59372 admin optional
runit_2.1.2-49.debian.tar.xz
344d2288f06a0c68f0b4168491f4ca20 5898 admin optional
runit_2.1.2-49_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEkjZVexcMh/iCHArDweDZLphvfH4FAmNDIrAACgkQweDZLphv
fH4Jhw//aYPLS/mUrkfWat82K8Vdtzw8drcw9VmcYyLb7iOKWZ6yw9weIVAHlMCY
CsC54d73iRI2ziZY3V0BMV+QlE+LmmPdQrhT/G5cJtQSkanYxPmY6PfPkFgd6Qpk
sieIPM6yOkTcp7dugsJmcxwEYXA6vNL6DSrC3cNduM+imBn9IFHv8T5jRBz8wksv
tocfu1RhLK2tFCXgjQ1RXl3RADL+YsmgKYCXt18Ph0+cI+JYMJxr8XQnlop3mDjA
LNpyPxgKFgO5E/CXWxXntuULeeXYpv7oJl0jTpd8z8bY64K4cyNdhGxQE0drxyY3
PDtWKKCKBRU9eaePEGlrzr0XrTBYAVa0fcyiq4Wgah4fgokvmmjjRx+j+Di9mz3P
ZZRobK7TCfGt4iDlIeOyZo803v05f3dI/fJ8A9D/qiHM6zf6qUE9NzqOWLXoc/Av
zS9cyqwPsX28jCI4U1C0c/ggS8QjY8VaaVcepU5Bpbt7ctBgWApS6lveIWYX+Acg
gkmIN2MwbDlqWHrHs87+ZSkVYRh642SRl0YvrajjSZs4sqoVqOOXJ1tpbZ88XhaH
jor6rXtXeuSPDZV5sfT8lO8aTW9iIbuiNuq7Qbgd3V/DeSihDWtMeqDVgpM53ml6
BnqDnzzgXOy6W2y7lyC7yLeVR2rKBsTNGWX460zP7FueY9qFJe8=
=euDA
-----END PGP SIGNATURE-----
--- End Message ---
