services: pam-limits-service-type: Deprecate file-like object support in favour for lists as service value.

* doc/guix.texi (Base Services): Document it.
* gnu/local.mk: Register test.
* gnu/services/base.scm (pam-limits-service-type): Accept both lists and
file-like objects. Deprecate file-like object support.
* gnu/tests/pam.scm: New file.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This commit is contained in:
Bruno Victal 2023-03-04 21:17:39 +00:00 committed by Ludovic Courtès
parent ed50531885
commit 6d0ad93020
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
4 changed files with 134 additions and 27 deletions

View file

@ -18971,23 +18971,18 @@ will fail if @var{device} does not exist.
Type of the service that installs a configuration file for the Type of the service that installs a configuration file for the
@uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html, @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html,
@code{pam_limits} module}. The value for this service type is @code{pam_limits} module}. The value for this service type is
a file-like object containing a list of @code{pam-limits-entry} values a list of @code{pam-limits-entry} values, which can be used to specify
which can be used to specify @code{ulimit} limits and @code{nice} @code{ulimit} limits and @code{nice} priority limits to user sessions.
priority limits to user sessions. By default, the value is the empty list.
The following limits definition sets two hard and soft limits for all The following limits definition sets two hard and soft limits for all
login sessions of users in the @code{realtime} group: login sessions of users in the @code{realtime} group:
@lisp @lisp
(service (service pam-limits-service-type
pam-limits-service-type (list
(plain-file (pam-limits-entry "@@realtime" 'both 'rtprio 99)
"limits.conf"
(string-join
(map pam-limits-entry->string
(list (pam-limits-entry "@@realtime" 'both 'rtprio 99)
(pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))
"\n")))
@end lisp @end lisp
The first entry increases the maximum realtime priority for The first entry increases the maximum realtime priority for
@ -18999,11 +18994,9 @@ Another useful example is raising the maximum number of open file
descriptors that can be used: descriptors that can be used:
@lisp @lisp
(service (service pam-limits-service-type
pam-limits-service-type (list
(plain-file (pam-limits-entry "*" 'both 'nofile 100000)))
"limits.conf"
(pam-limits-entry->string (pam-limits-entry "*" 'both 'nofile 100000))))
@end lisp @end lisp
In the above example, the asterisk means the limit should apply to any In the above example, the asterisk means the limit should apply to any

View file

@ -782,6 +782,7 @@ GNU_SYSTEM_MODULES = \
%D%/tests/messaging.scm \ %D%/tests/messaging.scm \
%D%/tests/networking.scm \ %D%/tests/networking.scm \
%D%/tests/package-management.scm \ %D%/tests/package-management.scm \
%D%/tests/pam.scm \
%D%/tests/reconfigure.scm \ %D%/tests/reconfigure.scm \
%D%/tests/rsync.scm \ %D%/tests/rsync.scm \
%D%/tests/samba.scm \ %D%/tests/samba.scm \

View file

@ -40,7 +40,7 @@
(define-module (gnu services base) (define-module (gnu services base)
#:use-module (guix store) #:use-module (guix store)
#:use-module (guix deprecation) #:use-module (guix deprecation)
#:autoload (guix diagnostics) (warning &fix-hint) #:autoload (guix diagnostics) (warning formatted-message &fix-hint)
#:autoload (guix i18n) (G_) #:autoload (guix i18n) (G_)
#:use-module (guix combinators) #:use-module (guix combinators)
#:use-module (gnu services) #:use-module (gnu services)
@ -1588,17 +1588,13 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
(define pam-limits-service-type (define pam-limits-service-type
(let ((security-limits (let ((pam-extension
;; Create /etc/security containing the provided "limits.conf" file.
(lambda (limits-file)
`(("security/limits.conf"
,limits-file))))
(pam-extension
(lambda (pam) (lambda (pam)
(let ((pam-limits (pam-entry (let ((pam-limits (pam-entry
(control "required") (control "required")
(module "pam_limits.so") (module "pam_limits.so")
(arguments '("conf=/etc/security/limits.conf"))))) (arguments
'("conf=/etc/security/limits.conf")))))
(if (member (pam-service-name pam) (if (member (pam-service-name pam)
'("login" "greetd" "su" "slim" "gdm-password" "sddm" '("login" "greetd" "su" "slim" "gdm-password" "sddm"
"sudo" "sshd")) "sudo" "sshd"))
@ -1606,7 +1602,27 @@ (module "pam_limits.so")
(inherit pam) (inherit pam)
(session (cons pam-limits (session (cons pam-limits
(pam-service-session pam)))) (pam-service-session pam))))
pam))))) pam))))
;; XXX: Using file-like objects is deprecated, use lists instead.
;; This is to be reduced into the list? case when the deprecated
;; code gets removed.
;; Create /etc/security containing the provided "limits.conf" file.
(security-limits
(match-lambda
((? file-like? obj)
(warning (G_ "Using file-like value for \
'pam-limits-service-type' is deprecated~%"))
`(("security/limits.conf" ,obj)))
((? list? lst)
`(("security/limits.conf"
,(plain-file "limits.conf"
(string-join (map pam-limits-entry->string lst)
"\n" 'suffix)))))
(_ (raise
(formatted-message
(G_ "invalid input for 'pam-limits-service-type'~%")))))))
(service-type (service-type
(name 'limits) (name 'limits)
(extensions (extensions
@ -1617,7 +1633,7 @@ (module "pam_limits.so")
"Install the specified resource usage limits by populating "Install the specified resource usage limits by populating
@file{/etc/security/limits.conf} and using the @code{pam_limits} @file{/etc/security/limits.conf} and using the @code{pam_limits}
authentication module.") authentication module.")
(default-value (plain-file "limits.conf" ""))))) (default-value '()))))
(define-deprecated (pam-limits-service #:optional (limits '())) (define-deprecated (pam-limits-service #:optional (limits '()))
pam-limits-service-type pam-limits-service-type

97
gnu/tests/pam.scm Normal file
View file

@ -0,0 +1,97 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu tests pam)
#:use-module (gnu tests)
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu system)
#:use-module (gnu system pam)
#:use-module (gnu system vm)
#:use-module (guix gexp)
#:use-module (ice-9 format)
#:export (%test-pam-limits
%test-pam-limits-deprecated))
;;;
;;; pam-limits-service-type
;;;
(define pam-limit-entries
(list
(pam-limits-entry "@realtime" 'both 'rtprio 99)
(pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))
(define (run-test-pam-limits config)
"Run tests in a os with pam-limits-service-type configured."
(define os
(marionette-operating-system
(simple-operating-system
(service pam-limits-service-type config))))
(define vm
(virtual-machine os))
(define name (format #f "pam-limit-service~:[~;-deprecated~]"
(file-like? config)))
(define test
(with-imported-modules '((gnu build marionette))
#~(begin
(use-modules (gnu build marionette)
(srfi srfi-64))
(let ((marionette (make-marionette (list #$vm))))
(test-runner-current (system-test-runner #$output))
(test-begin #$name)
(test-assert "/etc/security/limits.conf ready"
(wait-for-file "/etc/security/limits.conf" marionette))
(test-equal "/etc/security/limits.conf content matches"
#$(string-join (map pam-limits-entry->string pam-limit-entries)
"\n" 'suffix)
(marionette-eval
'(call-with-input-file "/etc/security/limits.conf"
get-string-all)
marionette))
(test-end)))))
(gexp->derivation (string-append name "-test") test))
(define %test-pam-limits
(system-test
(name "pam-limits-service")
(description "Test that pam-limits-service can serialize its config
(as a list) to @file{limits.conf}.")
(value (run-test-pam-limits pam-limit-entries))))
(define %test-pam-limits-deprecated
(system-test
(name "pam-limits-service-deprecated")
(description "Test that pam-limits-service can serialize its config
(as a file-like object) to @file{limits.conf}.")
(value (run-test-pam-limits
(plain-file "limits.conf"
(string-join (map pam-limits-entry->string
pam-limit-entries)
"\n" 'suffix))))))