remote-worker: Add ‘--user’.
* src/cuirass/scripts/remote-worker.scm (show-help, %options): Add ‘--user’. (cuirass-remote-worker): Honor it. * doc/cuirass.texi (Invocation): Document it.
parent
6c9e9fc26f
commit
3a6abc17f9
|
@ -741,6 +741,10 @@ The list of URLs where to look for substitutes by default.
|
||||||
Use the specific @var{file}s as the public/private key pair used to sign
|
Use the specific @var{file}s as the public/private key pair used to sign
|
||||||
the store items being published.
|
the store items being published.
|
||||||
|
|
||||||
|
@item --user=@var{user}
|
||||||
|
Change privileges to @var{user} as soon as possible---i.e., once the
|
||||||
|
signing key has been read.
|
||||||
|
|
||||||
@item --version
|
@item --version
|
||||||
@itemx -V
|
@itemx -V
|
||||||
Display the actual version of @code{cuirass}.
|
Display the actual version of @code{cuirass}.
|
||||||
|
|
|
@ -27,6 +27,7 @@
|
||||||
#:use-module (cuirass logging)
|
#:use-module (cuirass logging)
|
||||||
#:use-module (cuirass remote)
|
#:use-module (cuirass remote)
|
||||||
#:use-module (cuirass ui)
|
#:use-module (cuirass ui)
|
||||||
|
#:autoload (cuirass utils) (gather-user-privileges)
|
||||||
#:use-module (gcrypt pk-crypto)
|
#:use-module (gcrypt pk-crypto)
|
||||||
#:use-module (guix avahi)
|
#:use-module (guix avahi)
|
||||||
#:use-module (guix config)
|
#:use-module (guix config)
|
||||||
|
@ -96,6 +97,8 @@ Start a remote build worker.\n" (%program-name))
|
||||||
(display (G_ "
|
(display (G_ "
|
||||||
--substitute-urls=URLS
|
--substitute-urls=URLS
|
||||||
check for available substitutes at URLS"))
|
check for available substitutes at URLS"))
|
||||||
|
(display (G_ "
|
||||||
|
-u, --user=USER change privileges to USER as soon as possible"))
|
||||||
(display (G_ "
|
(display (G_ "
|
||||||
--public-key=FILE use FILE as the public key for signatures"))
|
--public-key=FILE use FILE as the public key for signatures"))
|
||||||
(display (G_ "
|
(display (G_ "
|
||||||
|
@ -116,6 +119,9 @@ Start a remote build worker.\n" (%program-name))
|
||||||
(option '(#\V "version") #f #f
|
(option '(#\V "version") #f #f
|
||||||
(lambda _
|
(lambda _
|
||||||
(show-version-and-exit "cuirass remote-worker")))
|
(show-version-and-exit "cuirass remote-worker")))
|
||||||
|
(option '(#\u "user") #t #f
|
||||||
|
(lambda (opt name arg result)
|
||||||
|
(alist-cons 'user arg result)))
|
||||||
(option '(#\w "workers") #t #f
|
(option '(#\w "workers") #t #f
|
||||||
(lambda (opt name arg result)
|
(lambda (opt name arg result)
|
||||||
(alist-cons 'workers (string->number* arg) result)))
|
(alist-cons 'workers (string->number* arg) result)))
|
||||||
|
@ -463,6 +469,7 @@ exiting."
|
||||||
(server-address (assoc-ref opts 'server))
|
(server-address (assoc-ref opts 'server))
|
||||||
(systems (assoc-ref opts 'systems))
|
(systems (assoc-ref opts 'systems))
|
||||||
(urls (assoc-ref opts 'substitute-urls))
|
(urls (assoc-ref opts 'substitute-urls))
|
||||||
|
(user (assoc-ref opts 'user))
|
||||||
(public-key
|
(public-key
|
||||||
(read-file-sexp
|
(read-file-sexp
|
||||||
(assoc-ref opts 'public-key-file)))
|
(assoc-ref opts 'public-key-file)))
|
||||||
|
@ -470,6 +477,12 @@ exiting."
|
||||||
(read-file-sexp
|
(read-file-sexp
|
||||||
(assoc-ref opts 'private-key-file))))
|
(assoc-ref opts 'private-key-file))))
|
||||||
|
|
||||||
|
(when user
|
||||||
|
;; Now that the private key has been read, drop privileges.
|
||||||
|
(gather-user-privileges user))
|
||||||
|
(when (zero? (getuid))
|
||||||
|
(warning (G_ "running with root privileges, which is not recommended~%")))
|
||||||
|
|
||||||
;; Distinguish the worker's GC root directory so that, in case a
|
;; Distinguish the worker's GC root directory so that, in case a
|
||||||
;; 'cuirass remote-server' process runs on the same machine as a worker,
|
;; 'cuirass remote-server' process runs on the same machine as a worker,
|
||||||
;; the worker's doesn't end up deleting the server's GC roots.
|
;; the worker's doesn't end up deleting the server's GC roots.
|
||||||
|
|
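Review bot: The root check added after the privilege drop in the last hunk (`@ -470,6 +477,12 @`) tests only the real UID and only prints a warning, so a worker started with `--user` that still ends up as root (for example `--user=root`, or a drop that did not fully take effect) carries on regardless. I would test the effective UID as well, `(when (or (zero? (getuid)) (zero? (geteuid))) …)`, and when `user` is set treat that state as a fatal error rather than a warning. `gather-user-privileges` is autoloaded from `(cuirass utils)` and its body is not part of this commit, so it is worth confirming there that supplementary groups are cleared and the GID is changed before the UID. The comment could also say that everything above this point (option parsing and both `read-file-sexp` calls) still runs with the original privileges: `;; Everything above runs as the invoking user (typically root); keep it minimal.` The enclosing `let*` and procedure start and end outside the hunk.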