[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: spiped process matching on OpenBSD

To: "Colin Percival" <cperciva@tarsnap.com>, "Graham Percival" <gperciva@tarsnap.com>
Subject: Re: spiped process matching on OpenBSD
From: "Jared Harper" <jared@hrpr.us>
Date: Sun, 09 Apr 2023 10:02:49 -0700
Cc: spiped@tarsnap.com
Feedback-id: i0f19468b:Fastmail
In-reply-to: <76a1c27f-a8f2-dac3-cbe4-0ce2b2bdd605@tarsnap.com>
References: <ba4a0ee2-3e92-4f2c-83e4-44290cf76dd8@app.fastmail.com> <ZDIjs/QWKJQQGC/w@beastie.local> <54add678-a471-4e4c-96ae-28caf7a88601@app.fastmail.com> <76a1c27f-a8f2-dac3-cbe4-0ce2b2bdd605@tarsnap.com>

Good information, thank you. I'm not surprised djb has a utility for
this. Links are actually a reasonably elegant workaround here.

On Sat, Apr 8, 2023, at 11:56 PM, Colin Percival wrote:
> Aside from "make OpenBSD support pid files" (which I'm guessing is not an
> option) and "match the source address", the other option which occurs to me
> is to fake argv[0].  The spiped daemon doesn't care what you put there (aside
> from using it when printing warnings) so if you have something like djb's
> argv0 utility you could have several spiped processes with different "daemon
> names".  (For that matter, even without argv0 you could create links to let
> you invoke spiped with different names.)
>
> But yes, setproctitle is ugly and not likely to happen.
>
> Colin Percival
>
> On 4/8/23 20:33, Jared Harper wrote:
>> Yes, I ended up successfully escaping the square brackets before. However,
>> your suggestion makes me realize that my target of matching the whole
>> daemon+daemon_flags set is probably unnecessary, all I need to match is the
>> -s, which should be unique on the host.
>> 
>> Thanks!
>> 
>> P.S. I looked at `setproctitle` a bit more and realized that it's really,
>> _really_ un-portable so that's definitely not an option.
>> 
>> On Sat, Apr 8, 2023, at 7:32 PM, Graham Percival wrote:
>>> Hi Jared,
>>>
>>> Sorry if this seems like "too obvious" of a solution, but have you tried
>>> escaping the square brackets with \ ?  i.e.
>>>
>>>      pexp="${daemon} -s \[127.0.0.1\] .*"
>>>
>>> or something like that?
>>>
>>> I'm not familiar with rc files, so it's possible that they use a different
>>> character for escaping, but I'm certain they have that capability somehow.
>>>
>>> Cheers,
>>> - Graham
>>>
>>> On Sat, Apr 08, 2023 at 03:22:25PM -0700, Jared Harper wrote:
>>>> I have spiped running on two OpenBSD 7.2 hosts, installed via `pkg_add`,
>>>> and it works great.
>>>>
>>>> The port's rc script for spiped, however, is only usable for a single
>>>> instance because it sets `pexp="${daemon} .*"`[1], which will match
>>>> every running instance of spiped.
>>>>
>>>> (For those unfamiliar with `pexp`, it is the regex used to identify a
>>>> running process via `pgrep`. OpenBSD's rc system relies on this process
>>>> matching method and does not support pid files.)
>>>>
>>>> I spent some time trying to configure the pexp to not be so greedy by
>>>> using the default `${daemon} ${daemon_flags}`.  This approach is
>>>> unsuccessful due to the brackets surrounding the IP address (e.g.,
>>>> `[127.0.0.1]`) becoming a regex matching list.
>>>>
>>>> Some options I could use to workaround this limitation:
>>>>
>>>> 1) Use hostnames and no brackets; This apparently works but it limits
>>>> usefulness.
>>>>
>>>> 2) Manually set `pexp`; This does work but requires that I remember to
>>>> update it whenever the `daemon_flags` change. Also, across multiple
>>>> processes this becomes borderline umaintainable.
>>>>
>>>> (Unfortunately, using the pidfile is a no-go because of how the rc
>>>> subroutines use `pexp` in multiple places.)
>>>>
>>>> Since the primary author of spiped is a long-time contributor to
>>>> FreeBSD, and FreeBSD supports pidfiles in their rc-system[2], I want to
>>>> be clear I'm not saying that spiped does anything wrong, or that OpenBSD
>>>> is doing something right. I just want to come up with a solution that I
>>>> can contribute to the OpenBSD port so that we don't have to have this
>>>> issue.
>>>>
>>>> A potential solution I can see would be to support `setproctitle(3)`[3]
>>>> via a flag, such as `--name <name>`, which could result in a process
>>>> title like `spiped: myname`.  What's the appetite for this sort of
>>>> change?
>>>>
>>>> However, since I'm new to a lot of these technologies, I'm fairly
>>>> certain I've missed something obvious or easy (other than "switch to
>>>> FreeBSD" ;). Do you have any other ideas?
>>>>
>>>> Thanks in advance.
>>>>
>>>> [1]: https://github.com/openbsd/ports/blob/master/security/spiped/pkg/spiped.rc#L9
>>>> [2]: https://man.freebsd.org/cgi/man.cgi?rc.subr(8)
>>>> [3]: https://man.freebsd.org/cgi/man.cgi?query=setproctitle&sektion=3&format=html
>>>>
>>>> -jh
>> 
>
> -- 
> Colin Percival
> FreeBSD Deputy Release Engineer & EC2 platform maintainer
> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid

-- 
-jh

References:
- spiped process matching on OpenBSD
  - From: "Jared Harper" <jared@hrpr.us>
- Re: spiped process matching on OpenBSD
  - From: Graham Percival <gperciva@tarsnap.com>
- Re: spiped process matching on OpenBSD
  - From: "Jared Harper" <jared@hrpr.us>
- Re: spiped process matching on OpenBSD
  - From: Colin Percival <cperciva@tarsnap.com>

Prev by Date: Re: spiped process matching on OpenBSD
Previous by thread: Re: spiped process matching on OpenBSD
Index(es):
- Date
- Thread