author | Marius Bakke <marius@gnu.org> | 2022-07-21 23:52:47 +0200 |
---|---|---|
committer | Marius Bakke <marius@gnu.org> | 2022-07-21 23:52:47 +0200 |
commit | abea091dbef2d44e6eb46bd2413bdf917e14d095 (patch) | |
tree | 28f6c61dbda0acb52678944b121b66a6f50a3709 /gnu/services | |
parent | 3b20467807c32aeac56bbbe22ffb8823f68e282b (diff) | |
parent | 3f171587bc6a47bb056f3e699e17e05f5832aea5 (diff) | |
Merge branch 'master' into staging
Diffstat (limited to 'gnu/services')
-rw-r--r-- | gnu/services/docker.scm | 5 | ||||
-rw-r--r-- | gnu/services/guix.scm | 2 | ||||
-rw-r--r-- | gnu/services/networking.scm | 47 |
3 files changed, 32 insertions, 22 deletions
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index 846ebe8334..741bab5a8c 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -98,6 +98,8 @@ loop-back communications.")
;; For finding containerd-shim binary.
#:environment-variables
(list (string-append "PATH=" #$containerd "/bin"))
+ #:pid-file "/run/containerd/containerd.pid"
+ #:pid-file-timeout 300
#:log-file "/var/log/containerd.log"))
(stop #~(make-kill-destructor)))))
@@ -135,7 +137,8 @@ loop-back communications.")
'("--userland-proxy=false"))
(if #$enable-iptables?
"--iptables"
- "--iptables=false"))
+ "--iptables=false")
+ "--containerd" "/run/containerd/containerd.sock")
#:environment-variables
(list #$@environment-variables)
#:pid-file "/var/run/docker.pid"
diff --git a/gnu/services/guix.scm b/gnu/services/guix.scm
index 338e027245..dac1e5841a 100644
--- a/gnu/services/guix.scm
+++ b/gnu/services/guix.scm
@@ -652,8 +652,6 @@ ca-certificates.crt file in the system profile."
#:user #$user
#:group #$group
#:pid-file "/var/run/guix-data-service/pid"
- ;; Allow time for migrations to run
- #:pid-file-timeout 120
#:environment-variables
`(,(string-append "GUIX_LOCPATH=" #$glibc-utf8-locales
"/lib/locale")
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index a9560db66b..b555c46040 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -918,9 +918,7 @@ applications in communication. It is used by Jami, for example.")))
(lambda (port)
(display "\
### These lines were generated from your system configuration:
-User tor
DataDirectory /var/lib/tor
-PidFile /var/run/tor/tor.pid
Log notice syslog\n" port)
(when (eq? 'unix '#$socks-socket-type)
(display "\
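Review bot: The `#:pid-file-timeout 300` added for containerd is a five-minute upper bound with nothing in the hunk saying what is being waited for; if `/run/containerd/containerd.pid` never appears (for instance because the directory was not created), shepherd presumably blocks for the whole timeout before reporting the failure, which is a long stall on boot. I'd put the rationale next to the number, e.g. `;; containerd can be slow to come up on first boot; allow up to 5 minutes before declaring failure.`, or lower the value to what has actually been observed. The `(start ...)` form this argument list belongs to begins outside the hunk.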
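Review bot: `"/run/containerd/containerd.sock"` is spelled out inline in dockerd's argument list while the matching `containerd.pid` path lives in the previous hunk, so nothing ties the two services to the same directory and a change to one will silently desynchronise the other. I'd hoist both into named constants near the top of docker.scm, e.g. `(define %containerd-socket "/run/containerd/containerd.sock")` and `(define %containerd-pid-file "/run/containerd/containerd.pid")`, and reference them from both `start` forms. The `(start ...)` form this hunk edits begins and ends outside the hunk.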
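Review bot: With `User tor` removed from the generated torrc, privilege dropping depends entirely on whoever launches the binary, and a reader of the generated file can no longer see that the daemon is not meant to run as root; anyone running `tor -f` on that file by hand would keep whatever uid they started with. I'd keep the intent visible in the file itself by adding a line after the `###` header, e.g. `### Privileges are dropped by the Shepherd service, not by tor: do not add a User directive here.`. The `(lambda (port) ...)` that writes these lines continues past the end of the hunk.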
@@ -960,7 +958,25 @@ HiddenServicePort ~a ~a~%"
"Return a <shepherd-service> running Tor."
(match config
(($ <tor-configuration> tor)
- (let ((torrc (tor-configuration->torrc config)))
+ (let* ((torrc (tor-configuration->torrc config))
+ (tor (least-authority-wrapper
+ (file-append tor "/bin/tor")
+ #:name "tor"
+ #:mappings (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/dev/log") ;for syslog
+ (target source))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source))))
+ #:namespaces (delq 'net %namespaces))))
(with-imported-modules (source-module-closure
'((gnu build shepherd)
(gnu system file-systems)))
@@ -974,22 +990,15 @@ HiddenServicePort ~a ~a~%"
(modules '((gnu build shepherd)
(gnu system file-systems)))
- (start #~(make-forkexec-constructor/container
- (list #$(file-append tor "/bin/tor") "-f" #$torrc)
-
- #:log-file "/var/log/tor.log"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/dev/log") ;for syslog
- (target source))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t)))
- #:pid-file "/var/run/tor/tor.pid"))
+ ;; XXX: #:pid-file won't work because the wrapped 'tor'
+ ;; program would print its PID within the user namespace
+ ;; instead of its actual PID outside. There's no inetd or
+ ;; systemd socket activation support either (there's
+ ;; 'sd_notify' though), so we're stuck with that.
+ (start #~(make-forkexec-constructor
+ (list #$tor "-f" #$torrc)
+ #:user "tor" #:group "tor"
+ #:log-file "/var/log/tor.log"))
(stop #~(make-kill-destructor))
(documentation "Run the Tor anonymous network overlay.")))))))) |
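Review bot: The `#:mappings` list is now the complete view of the file system that Tor gets, and nothing in the hunk records that this is a hard limit; the `HiddenServicePort` format string in the hunk header suggests the torrc is assembled from user-supplied configuration, so if that configuration can name paths outside `/var/lib/tor`, `/var/run/tor` and `/dev/log` (a `ControlSocket`, a `HiddenServiceDir`, a `CookieAuthFile`), those paths simply will not exist inside the mount namespace and Tor will fail or silently skip them. I'd make that explicit above the list, e.g. `;; These are the only host paths visible to tor; anything else the torrc refers to must be added here.`. Whether the two writable directories are created and chowned to the tor user before this `start` runs is not visible in the hunk and is presumably handled by an activation service. The `(match config ...)` form continues past the end of the hunk.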
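Review bot: The new XXX comment explains why `#:pid-file` had to go but not its consequence: `make-forkexec-constructor` now returns as soon as the wrapper is forked, so any service with `(requirement '(tor))` may start before Tor has opened its SOCKS port or its hidden-service directories. I'd extend the comment with `;; Consequently the service is reported as started before Tor is actually listening; dependents must tolerate that.`. Two points to confirm outside the hunk: because `#:user "tor"` presumably drops privileges before exec, the wrapper has to create its user and mount namespaces unprivileged, which a hardened kernel may forbid and which would make the service fail to start; and `make-kill-destructor` signals only the PID shepherd forked, so if `least-authority-wrapper` forks rather than execs the real `tor`, SIGTERM may never reach it. The `shepherd-service` form holding `start`/`stop` begins outside the hunk.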