;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2018 Sou Bunnbu ;;; Copyright © 2018, 2019 Gábor Boskovits ;;; Copyright © 2018, 2019, 2020 Oleg Pykhalov ;;; Copyright © 2022 Marius Bakke ;;; Copyright © 2023 Bruno Victal ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see . (define-module (gn
aboutsummaryrefslogtreecommitdiff
path: root/tests/guix-pack-relocatable.sh
blob: 2fc9fde0bd985bf82b92c08261e450c026f7e3f8 (about) (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252

# GNU Guix --- Functional package management for GNU
# Copyright © 2018, 2019, 2020, 2023 Ludovic Courtès <ludo@gnu.org>
# Copyright © 2020 Eric Bavier <bavier@posteo.net>
#
# This file is part of GNU Guix.
#
# GNU Guix is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GNU Guix is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

#
# Test the 'guix pack --relocatable' using the external store, if any.
#

guix pack --version

# 'guix pack --relocatable' requires a C compiler and libc.a, which our
# bootstrap binaries don't provide.  To make the test relatively inexpensive,
# run it on the user's global store if possible, on the grounds that binaries
# may already be there or can be built or downloaded inexpensively.

storedir="`guile -c '(use-modules (guix config))(display %storedir)'`"
localstatedir="`guile -c '(use-modules (guix config))(display %localstatedir)'`"
NIX_STORE_DIR="$storedir"
GUIX_DAEMON_SOCKET="$localstatedir/guix/daemon-socket/socket"
export NIX_STORE_DIR GUIX_DAEMON_SOCKET

if ! guile -c '(use-modules (guix)) (exit (false-if-exception (open-connection)))'
then
    exit 77
fi

# Attempt to run the given command in a namespace where the store is
# invisible.  This makes sure the presence of the store does not hide
# problems.
run_without_store ()
{
    if unshare -r true		# Are user namespaces supported?
    then
	# Run that relocatable executable in a user namespace where we "erase"
	# the store by mounting an empty file system on top of it.  That way,
	# we exercise the wrapper code that creates the user namespace and
	# bind-mounts the store.
	unshare -mrf sh -c 'mount -t tmpfs -o ro none "$NIX_STORE_DIR"; '"$*"
    else
	# Run the relocatable program in the current namespaces.  This is a
	# weak test because we're going to access store items from the host
	# store.
	sh -c "$*"
    fi
}

# Wait for the given file to show up.  Error out if it doesn't show up in a
# timely fashion.
wait_for_file ()
{
    i=0
    while ! test -f "$1" && test $i -lt 20
    do
	sleep 0.3
	i=`expr $i + 1`
    done
    test -f "$1"
}

test_directory="`mktemp -d`"
export test_directory
trap 'chmod -Rf +w "$test_directory"; rm -rf "$test_directory"' EXIT

if unshare -r true
then
    # Test the 'userns' execution engine.
    tarball="`guix pack -R -S /Bin=bin sed`"
    (cd "$test_directory"; tar xvf "$tarball")

    chmod +w "$test_directory"
    run_without_store "$test_directory/Bin/sed" --version > "$test_directory/output"
    grep 'GNU sed' "$test_directory/output"

    # Same with an explicit engine.
    run_without_store GUIX_EXECUTION_ENGINE="userns" \
		      "$test_directory/Bin/sed" --version > "$test_directory/output"
    grep 'GNU sed' "$test_directory/output"

    # Check whether the exit code is preserved.
    run_without_store "$test_directory/Bin/sed" --does-not-exist && false

    chmod -Rf +w "$test_directory"; rm -rf "$test_directory"/*
else
    echo "'userns' execution tests skipped" >&2
fi

case "`uname -m`" in
    x86_64|i?86)
	# Try '-RR' and PRoot.
	tarball="`guix pack -RR -S /Bin=bin sed`"
	tar tvf "$tarball" | grep /bin/proot
	(cd "$test_directory"; tar xf "$tarball")
	chmod +w "$test_directory"
	run_without_store GUIX_EXECUTION_ENGINE="proot" \
	"$test_directory/Bin/sed" --version > "$test_directory/output"
	grep 'GNU sed' "$test_directory/output"

	# Now with fakechroot.
	run_without_store GUIX_EXECUTION_ENGINE="fakechroot" \
	"$test_directory/Bin/sed" --version > "$test_directory/output"
	grep 'GNU sed' "$test_directory/output"
	unset GUIX_EXECUTION_ENGINE

	chmod -Rf +w "$test_directory"; rm -rf "$test_directory"/*

	if unshare -r true
	then
	    # Check whether the store contains everything it should.  Check
	    # once when erasing $STORE_PARENT ("/gnu") and once when erasing
	    # $NIX_STORE_DIR ("/gnu/store").
	    tarball="`guix pack -RR -S /bin=bin bash-minimal`"
	    (cd "$test_directory"; tar xf "$tarball")

	    STORE_PARENT="`dirname $NIX_STORE_DIR`"
	    export STORE_PARENT

	    for engine in userns proot fakechroot
	    do
		for i in $(guix gc -R $(guix build bash-minimal | grep -v -e '-doc$'))
		do
		    unshare -mrf sh -c "mount -t tmpfs none \"$NIX_STORE_DIR\"; GUIX_EXECUTION_ENGINE=$engine $test_directory/bin/sh -c 'echo $NIX_STORE_DIR/*'" | grep $(basename $i)
		    unshare -mrf sh -c "mount -t tmpfs none \"$STORE_PARENT\";  GUIX_EXECUTION_ENGINE=$engine $test_directory/bin/sh -c 'echo $NIX_STORE_DIR/*'" | grep $(basename $i)
		done
	    done

	    chmod -Rf +w "$test_directory"; rm -rf "$test_directory"/*
	fi
	;;
    *)
	echo "skipping PRoot and Fakechroot tests" >&2
	;;
esac

if unshare -r true
then
    # Check what happens if the wrapped binary forks and leaves child
    # processes behind, like a daemon.  The root file system should remain
    # available to those child processes.  See <https://bugs.gnu.org/44261>.
    cat > "$test_directory/manifest.scm" <<EOF
(use-modules (guix))

(define daemon
  (program-file "daemon"
                #~(begin
                    (use-modules (ice-9 match)
                                 (ice-9 ftw))

                    (call-with-output-file "parent-store"
                      (lambda (port)
                        (write (scandir (ungexp (%store-prefix)))
                               port)))

                    (match (primitive-fork)
                      (0 (sigaction SIGHUP (const #t))
                         (call-with-output-file "pid"
                           (lambda (port)
                             (display (getpid) port)))
                         (pause)
                         (call-with-output-file "child-store"
                           (lambda (port)
                             (write (scandir (ungexp (%store-prefix)))
                                    port))))
                      (_ #t)))))

(define package
  (computed-file "package"
                 #~(let ((out (ungexp output)))
                     (mkdir out)
                     (mkdir (string-append out "/bin"))
                     (symlink (ungexp daemon)
                              (string-append out "/bin/daemon")))))

(manifest (list (manifest-entry
                  (name "daemon")
                  (version "0")
                  (item package))))
EOF

    tarball="$(guix pack -S /bin=bin -R -m "$test_directory/manifest.scm")"
    (cd "$test_directory"; tar xf "$tarball")

    # Run '/bin/daemon', which forks, then wait for the child, send it SIGHUP
    # so that it dumps its view of the store, and make sure the child and
    # parent both see the same store contents.
    chmod +w "$test_directory"
    (cd "$test_directory"; run_without_store ./bin/daemon)
    wait_for_file "$test_directory/pid"
    kill -HUP $(cat "$test_directory/pid")
    wait_for_file "$test_directory/child-store"
    diff -u "$test_directory/parent-store" "$test_directory/child-store"

    chmod -Rf +w "$test_directory"; rm -rf "$test_directory"/*
fi

# Ensure '-R' works with outputs other than "out".
tarball="`guix pack -R -S /share=share groff:doc`"
(cd "$test_directory"; tar xf "$tarball")
test -d "$test_directory/share/doc/groff/html"
chmod -Rf +w "$test_directory"; rm -rf "$test_directory"/*

# Ensure '-R' applies to propagated inputs.  Failing to do that, it would fail
# with a profile collision error in this case because 'python-scipy'
# propagates 'python-numpy'.  See <https://bugs.gnu.org/42510>.
guix pack -RR python-numpy python-scipy --no-grafts -n

# Check that packages that mix executable and support files (e.g. git) in the
# "binary" directories still work after wrapped.
cat >"$test_directory/manifest.scm" <<'EOF'
(use-modules (guix) (guix profiles) (guix search-paths)
             (gnu packages bootstrap))
(manifest
 (list (manifest-entry
        (name "test") (version "0")
        (item (file-union "test"
                          `(("bin/hello"
                             ,(program-file
                               "hello"
                               #~(begin
                                   (add-to-load-path (getenv "HELLO_EXEC_PATH"))
                                   (display (load-from-path "msg"))(newline))
                               #:guile %bootstrap-guile))
                            ("libexec/hello/msg"
                             ,(plain-file "msg" "42")))))
        (search-paths
         (list (search-path-specification
                (variable "HELLO_EXEC_PATH")
                (files '("libexec/hello"))
                (separator #f)))))))
EOF
tarball="`guix pack -RR -S /opt= -m $test_directory/manifest.scm`"
(cd "$test_directory"; tar xvf "$tarball")
chmod +w "$test_directory"
( export GUIX_PROFILE=$test_directory/opt
  . $GUIX_PROFILE/etc/profile
  run_without_store "$test_directory/opt/bin/hello" > "$test_directory/output" )
cat "$test_directory/output"
test "`cat $test_directory/output`" = "42"
generated by cgit
on process startup. During daemon startup, only database, log and pid files will be modified if the user or group change feature ( @var{daemon-user} or @var{daemon-group} ) is enabled and the files don't match the requested user or group. During manual database creation, this option will cause file ownership to be inherited from the database directory if the directory already exists. This option only has effect when the process is started as root or via sudo.") (update-interval (maybe-integer 20) "\ How often in seconds the interface data is updated. Value range: @var{poll-interval}..@samp{300}") (use-logging (maybe-integer 2) "\ Enable or disable logging. Accepted values are: @code{0} = disabled, @code{1} = logfile and @code{2} = syslog.") (use-utc? maybe-boolean "\ Enable or disable using UTC as timezone in the database for all entries. When enabled, all entries added to the database will use UTC regardless of the configured system timezone. When disabled, the configured system timezone will be used. Changing this setting will not result in already existing data to be modified." (serializer (lambda (_ value) (if (maybe-value-set? value) (vnstat-serialize-boolean 'use-UTC value) "")))) (yearly-years (maybe-integer -1) "\ Data retention duration for the one year resolution entries. The configuration defines for how many past years entries will be stored. Set to @code{-1} for unlimited entries or to @code{0} to disable the data collection of this resolution.") (prefix vnstat-)) (define (vnstat-serialize-configuration config) (mixed-text-file "vnstat.conf" (serialize-configuration config vnstat-configuration-fields))) (define (vnstat-shepherd-service config) (let ((config-file (vnstat-serialize-configuration config))) (match-record config (package pid-file) (shepherd-service (documentation "Run vnstatd.") (requirement `(networking file-systems)) (provision '(vnstatd)) (start #~(make-forkexec-constructor (list #$(file-append package "/sbin/vnstatd") "--daemon" "--config" #$config-file) #:pid-file #$pid-file)) (stop #~(make-kill-destructor)) (actions (list (shepherd-configuration-action config-file) (shepherd-action (name 'reload) (documentation "Reload vnstatd.") (procedure #~(lambda (pid) (if pid (begin (kill pid SIGHUP) (format #t "Issued SIGHUP to vnstatd (PID ~a)." pid)) (format #t "vnstatd is not running."))))))))))) (define (vnstat-account-service config) (match-record config (daemon-group daemon-user) (filter-map maybe-value (list daemon-group daemon-user)))) (define vnstat-service-type (service-type (name 'vnstat) (description "vnStat network-traffic monitor service.") (extensions (list (service-extension shepherd-root-service-type (compose list vnstat-shepherd-service)) (service-extension account-service-type vnstat-account-service))) (default-value (vnstat-configuration)))) ;;; ;;; Zabbix server ;;; (define (uglify-field-name field-name) (apply string-append (map (lambda (str) (if (member (string->symbol str) '(ca db ssl)) (string-upcase str) (string-capitalize str))) (string-split (string-delete #\? (symbol->string field-name)) #\-)))) (define (serialize-field field-name val) #~(format #f "~a=~a~%" #$(uglify-field-name field-name) #$val)) (define (serialize-number field-name val) (serialize-field field-name (number->string val))) (define (serialize-list field-name val) #~(if (null? '#$val) "" #$(serialize-field field-name (string-join val ",")))) (define (serialize-string field-name val) (if (or (eq? 'user field-name) (eq? 'group field-name) (and (string? val) (string=? val ""))) "" (serialize-field field-name val))) (define include-files? list?) (define (serialize-include-files field-name val) #~(string-append #$@(map (cut serialize-field 'include <>) val))) (define extra-options? string?) (define (serialize-extra-options field-name val) #~(if (= 0 (string-length #$val)) "" #$(format #f "~a~%" val))) (define (nginx-server-configuration-list? val) (and (list? val) (and-map nginx-server-configuration? val))) (define (serialize-nginx-server-configuration-list field-name val) "") (define-configuration zabbix-server-configuration (zabbix-server (file-like zabbix-server) "The zabbix-server package.") (user (string "zabbix") "User who will run the Zabbix server.") (group (string "zabbix") "Group who will run the Zabbix server.") (db-host (string "127.0.0.1") "Database host name.") (db-name (string "zabbix") "Database name.") (db-user (string "zabbix") "Database user.") (db-password (string "") "Database password. Please, use @code{include-files} with @code{DBPassword=SECRET} inside a specified file instead.") (db-port (number 5432) "Database port.") (log-type (string "") "Specifies where log messages are written to: @itemize @item @code{system} - syslog. @item @code{file} - file specified with @code{log-file} parameter. @item @code{console} - standard output. @end itemize\n") (log-file (string "/var/log/zabbix/server.log") "Log file name for @code{log-type} @code{file} parameter.") (pid-file (string "/var/run/zabbix/zabbix_server.pid") "Name of PID file.") (ssl-ca-location (string "/etc/ssl/certs/ca-certificates.crt") "The location of certificate authority (CA) files for SSL server certificate verification.") (ssl-cert-location (string "/etc/ssl/certs") "Location of SSL client certificates.") (extra-options (extra-options "") "Extra options will be appended to Zabbix server configuration file.") (include-files (include-files '()) "You may include individual files or all files in a directory in the configuration file.")) (define (zabbix-server-account config) "Return the user accounts and user groups for CONFIG." (let ((zabbix-user (zabbix-server-configuration-user config)) (zabbix-group (zabbix-server-configuration-group config))) (list (user-group (name zabbix-group) (system? #t)) (user-account (name zabbix-user) (system? #t) (group zabbix-group) (comment "zabbix privilege separation user") (home-directory (string-append "/var/run/" zabbix-user)) (shell (file-append shadow "/sbin/nologin")))))) (define (zabbix-server-config-file config) "Return the zabbix-server configuration file corresponding to CONFIG." (computed-file "zabbix_server.conf" #~(begin (call-with-output-file #$output (lambda (port) (format port "# Generated by 'zabbix-server-service'.~%") (format port #$(serialize-configuration config zabbix-server-configuration-fields))))))) (define (zabbix-server-activation config) "Return the activation gexp for CONFIG." (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils) (ice-9 rdelim)) (let ((user (getpw #$(zabbix-server-configuration-user config)))) (for-each (lambda (file) (let ((directory (dirname file))) (mkdir-p directory) (chown directory (passwd:uid user) (passwd:gid user)) (chmod directory #o755))) (list #$(zabbix-server-configuration-log-file config) #$(zabbix-server-configuration-pid-file config) "/etc/zabbix/maintenance.inc.php")))))) (define (zabbix-server-runtime-control-procedure zabbix-server config command) ;; XXX: This is duplicated from mcron; factorize. #~(lambda (_ . args) ;; Run 'zabbix_server' in a pipe so we can explicitly redirect its output ;; to 'current-output-port', which at this stage is bound to the client ;; connection. (let ((pipe (apply open-pipe* OPEN_READ #$zabbix-server "--config" #$config "-R" #$command args))) (let loop () (match (read-line pipe 'concat) ((? eof-object?) (catch 'system-error (lambda () (zero? (close-pipe pipe))) (lambda args ;; There's a race with the SIGCHLD handler, which could ;; call 'waitpid' before 'close-pipe' above does. If we ;; get ECHILD, that means we lost the race; in that case, we ;; cannot tell what the exit code was (FIXME). (or (= ECHILD (system-error-errno args)) (apply throw args))))) (line (display line) (loop))))))) ;; Provide shepherd actions for common "zabbix_server -R" commands ;; mainly for a convenient way to use the correct configuration file. (define (zabbix-server-actions zabbix-server config) (list (shepherd-action (name 'reload-config-cache) (documentation "Reload the configuration cache.") (procedure (zabbix-server-runtime-control-procedure zabbix-server config "config_cache_reload"))) (shepherd-action (name 'reload-snmp-cache) (documentation "Reload SNMP cache.") (procedure (zabbix-server-runtime-control-procedure zabbix-server config "snmp_cache_reload"))))) (define (zabbix-server-shepherd-service config) "Return a for Zabbix server with CONFIG." (let ((zabbix-server (file-append (zabbix-server-configuration-zabbix-server config) "/sbin/zabbix_server")) (config-file (zabbix-server-config-file config))) (list (shepherd-service (provision '(zabbix-server)) (requirement '(user-processes)) (documentation "Run the Zabbix server daemon.") (actions (zabbix-server-actions zabbix-server config-file)) (start #~(make-forkexec-constructor (list #$zabbix-server "--config" #$config-file "--foreground") #:user #$(zabbix-server-configuration-user config) #:group #$(zabbix-server-configuration-group config) #:pid-file #$(zabbix-server-configuration-pid-file config) #:environment-variables (list "SSL_CERT_DIR=/run/current-system/profile\ /etc/ssl/certs" "SSL_CERT_FILE=/run/current-system/profile\ /etc/ssl/certs/ca-certificates.crt"))) (stop #~(make-kill-destructor ;; The server needs to finish database work on shutdown ;; which can take a while for big or busy databases. #:grace-period 60)))))) (define zabbix-server-service-type (service-type (name 'zabbix-server) (extensions (list (service-extension shepherd-root-service-type zabbix-server-shepherd-service) (service-extension account-service-type zabbix-server-account) (service-extension activation-service-type zabbix-server-activation))) (default-value (zabbix-server-configuration)) (description "Run the Zabbix server, a high-performance monitoring system that can collect data about machines from a variety of sources and provide the results in a Web interface."))) (define (generate-zabbix-server-documentation) (generate-documentation `((zabbix-server-configuration ,zabbix-server-configuration-fields)) 'zabbix-server-configuration)) (define-configuration zabbix-agent-configuration (zabbix-agent (file-like zabbix-agentd) "The zabbix-agent package.") (user (string "zabbix") "User who will run the Zabbix agent.") (group (string "zabbix") "Group who will run the Zabbix agent.") (hostname (string "") "Unique, case sensitive hostname which is required for active checks and must match hostname as configured on the server.") (log-type (string "") "Specifies where log messages are written to: @itemize @item @code{system} - syslog. @item @code{file} - file specified with @code{log-file} parameter. @item @code{console} - standard output. @end itemize\n") (log-file (string "/var/log/zabbix/agent.log") "Log file name for @code{log-type} @code{file} parameter.") (pid-file (string "/var/run/zabbix/zabbix_agent.pid") "Name of PID file.") (server (list '("127.0.0.1")) "List of IP addresses, optionally in CIDR notation, or hostnames of Zabbix servers and Zabbix proxies. Incoming connections will be accepted only from the hosts listed here.") (server-active (list '("127.0.0.1")) "List of IP:port (or hostname:port) pairs of Zabbix servers and Zabbix proxies for active checks. If port is not specified, default port is used. If this parameter is not specified, active checks are disabled.") (extra-options (extra-options "") "Extra options will be appended to Zabbix server configuration file.") (include-files (include-files '()) "You may include individual files or all files in a directory in the configuration file.")) (define (zabbix-agent-account config) "Return the user accounts and user groups for CONFIG." (let ((zabbix-user (zabbix-agent-configuration-user config)) (zabbix-group (zabbix-agent-configuration-group config))) (list (user-group (name zabbix-group) (system? #t)) (user-account (name zabbix-user) (system? #t) (group zabbix-group) (comment "zabbix privilege separation user") (home-directory (string-append "/var/run/" zabbix-user)) (shell (file-append shadow "/sbin/nologin")))))) (define (zabbix-agent-activation config) "Return the activation gexp for CONFIG." (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils) (ice-9 rdelim)) (let ((user (getpw #$(zabbix-agent-configuration-user config)))) (for-each (lambda (file) (let ((directory (dirname file))) (mkdir-p directory) (chown directory (passwd:uid user) (passwd:gid user)) (chmod directory #o755))) (list #$(zabbix-agent-configuration-log-file config) #$(zabbix-agent-configuration-pid-file config))))))) (define (zabbix-agent-config-file config) "Return the zabbix-agent configuration file corresponding to CONFIG." (computed-file "zabbix_agent.conf" #~(begin (call-with-output-file #$output (lambda (port) (format port "# Generated by 'zabbix-agent-service'.~%") (format port #$(serialize-configuration config zabbix-agent-configuration-fields))))))) (define (zabbix-agent-arguments config) #~(let* ((config-file #$(zabbix-agent-config-file config)) (agent #$(zabbix-agent-configuration-zabbix-agent config)) (agent2? (file-exists? (string-append agent "/sbin/zabbix_agent2")))) (if agent2? (list (string-append agent "/sbin/zabbix_agent2") "-config" config-file "-foreground") (list (string-append agent "/sbin/zabbix_agentd") "--config" config-file "--foreground")))) (define (zabbix-agent-shepherd-service config) "Return a for Zabbix agent with CONFIG." (list (shepherd-service (provision '(zabbix-agent)) (requirement '(user-processes)) (documentation "Run Zabbix agent daemon.") (start #~(make-forkexec-constructor #$(zabbix-agent-arguments config) #:user #$(zabbix-agent-configuration-user config) #:group #$(zabbix-agent-configuration-group config) #:pid-file #$(zabbix-agent-configuration-pid-file config) #:environment-variables (list "SSL_CERT_DIR=/run/current-system/profile\ /etc/ssl/certs" "SSL_CERT_FILE=/run/current-system/profile\ /etc/ssl/certs/ca-certificates.crt" "PATH=/run/setuid-programs:\ /run/current-system/profile/bin:/run/current-system/profile/sbin"))) (stop #~(make-kill-destructor))))) (define zabbix-agent-service-type (service-type (name 'zabbix-agent) (extensions (list (service-extension shepherd-root-service-type zabbix-agent-shepherd-service) (service-extension account-service-type zabbix-agent-account) (service-extension activation-service-type zabbix-agent-activation))) (default-value (zabbix-agent-configuration)) (description "Run the Zabbix agent, @command{zabbix_agentd}, which gathers information about the running system for the Zabbix monitoring server."))) (define (generate-zabbix-agent-documentation) (generate-documentation `((zabbix-agent-configuration ,zabbix-agent-configuration-fields)) 'zabbix-agent-configuration)) (define %zabbix-front-end-configuration-nginx (nginx-server-configuration (root #~(string-append #$zabbix-server:front-end "/share/zabbix/php")) (index '("index.php")) (locations (let ((php-location (nginx-php-location))) (list (nginx-location-configuration (inherit php-location) (body (append (nginx-location-configuration-body php-location) (list " fastcgi_param PHP_VALUE \"post_max_size = 16M max_execution_time = 300\"; "))))))) (listen '("80")))) (define (zabbix-front-end-nginx-extension config) (match config (($ server nginx) (if (null? nginx) (list (nginx-server-configuration (inherit %zabbix-front-end-configuration-nginx) (root #~(string-append #$server:front-end "/share/zabbix/php")))) nginx)))) (define-configuration zabbix-front-end-configuration (zabbix-server (file-like zabbix-server) "The Zabbix server package to use.") (nginx (list '()) "List of @ref{nginx-server-configuration,@code{nginx-server-configuration}} blocks for the Zabbix front-end. When empty, a default that listens on port 80 is used.") (db-host (string "localhost") "Database host name.") (db-port (number 5432) "Database port.") (db-name (string "zabbix") "Database name.") (db-user (string "zabbix") "Database user.") (db-password (string "") "Database password. Please, use @code{db-secret-file} instead.") (db-secret-file (string "") "Secret file which will be appended to @file{zabbix.conf.php} file. This file contains credentials for use by Zabbix front-end. You are expected to create it manually.") (zabbix-host (string "localhost") "Zabbix server hostname.") (zabbix-port (number 10051) "Zabbix server port.")) (define (zabbix-front-end-config config) (match-record config (db-host db-port db-name db-user db-password db-secret-file zabbix-host zabbix-port %location) (mixed-text-file "zabbix.conf.php" "\ string db-port) "'; $DB['DATABASE'] = '" db-name "'; $DB['USER'] = '" db-user "'; $DB['PASSWORD'] = " (let ((file (location-file %location)) (line (location-line %location)) (column (location-column %location))) (if (string-null? db-password) (if (string-null? db-secret-file) (raise (make-compound-condition (condition (&message (message (format #f "no '~A' or '~A' field in your '~A' record" 'db-secret-file 'db-password 'zabbix-front-end-configuration)))) (condition (&error-location (location %location))))) (string-append "trim(file_get_contents('" db-secret-file "'));\n")) (begin (display-hint (G_ "~a:~a:~a: ~a: Consider using @code{db-secret-file} instead of @code{db-password} for better security.") file line column 'zabbix-front-end-configuration) (format #f "'~a';~%" db-password)))) " // Schema name. Used for IBM DB2 and PostgreSQL. $DB['SCHEMA'] = ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. $DB['DOUBLE_IEEE754'] = true; $ZBX_SERVER = '" zabbix-host "'; $ZBX_SERVER_PORT = '" (number->string zabbix-port) "'; $ZBX_SERVER_NAME = ''; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; "))) (define %maintenance.inc.php ;; Empty php file to allow us move zabbix-frontend configs to ‘/etc/zabbix’ ;; directory. See ‘install-front-end’ phase in ;; (@ (gnu packages monitoring) zabbix-server) package. "\