From 3fcbbeb759829f53372a338fff3389677961b0f4 Mon Sep 17 00:00:00 2001 From: Steffen Beyer Date: Wed, 1 Apr 2026 18:17:57 +0200 Subject: [PATCH] Fix Tribes edge service startup --- tribes/packages/web.scm | 117 ++++++++++++++++++++++++------------- tribes/services/lego.scm | 11 +++- tribes/services/tribes.scm | 29 +++++++++ tribes/services/vinyl.scm | 9 +-- tribes/system/node.scm | 1 + 5 files changed, 119 insertions(+), 48 deletions(-) diff --git a/tribes/packages/web.scm b/tribes/packages/web.scm index d5068ab..8d8a012 100644 --- a/tribes/packages/web.scm +++ b/tribes/packages/web.scm @@ -1,14 +1,20 @@ (define-module (tribes packages web) #:use-module (gnu packages) + #:use-module (gnu packages bash) #:use-module (gnu packages base) #:use-module (gnu packages curl) + #:use-module (gnu packages jemalloc) #:use-module (gnu packages libevent) #:use-module (gnu packages linux) #:use-module (gnu packages lsof) + #:use-module (gnu packages ncurses) + #:use-module (gnu packages pcre) #:use-module (gnu packages pkg-config) #:use-module (gnu packages python) + #:use-module (gnu packages python-xyz) + #:use-module (gnu packages readline) + #:use-module (gnu packages sphinx) #:use-module (gnu packages tls) - #:use-module ((gnu packages web) #:prefix upstream:) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix base32) #:use-module (guix build-system gnu) @@ -112,10 +118,9 @@ multicore machines.") (define-public vinyl (package - (inherit upstream:varnish) (name "vinyl") - (home-page "https://vinyl-cache.org/") (version "9.0.0") + (home-page "https://vinyl-cache.org/") (source (origin (method url-fetch) 
@@ -124,52 +129,80 @@ multicore machines.") ".tgz")) (sha256 (base32 "05xxhgs1r9zwanx5arafrd7hkjn3kmsnrbfh1zajfxm7q88c4h4p")))) + (build-system gnu-build-system) (arguments - (substitute-keyword-arguments (package-arguments upstream:varnish) - ((#:phases phases) - #~(modify-phases %standard-phases - (add-after 'unpack 'use-absolute-file-names - (lambda _ - (substitute* '("bin/vinyltest/vtc_vinyl.c" - "bin/vinyltest/vtest2/src/vtc_process.c" - "bin/vinyltest/vtest2/src/vtc_haproxy.c" - "bin/vinyltest/tests/u00014.vtc" - "bin/vinyld/mgt/mgt_vcc.c") - (("/bin/sh") (which "bash"))) - (let ((rm (which "rm"))) - (substitute* "bin/vinyld/mgt/mgt_shmem.c" - (("rm -rf") (string-append rm " -rf"))) - (substitute* "bin/vinyltest/vtest2/src/vtc_main.c" - (("/bin/rm") rm)) - (substitute* "bin/vinyld/mgt/mgt_main.c" - (("rm -rf") (string-append rm " -rf")))) - (substitute* "bin/vinyltest/tests/u00000.vtc" - (("/bin/echo") (which "echo"))))) - (add-after 'unpack 'remove-failing-tests - (lambda _ - ;; This test still trips on name resolution in the build - ;; container. - (delete-file "bin/vinyltest/tests/b00085.vtc"))) - (add-before 'install 'patch-Makefile - (lambda _ - (substitute* "Makefile" - (("^install-data-am: install-data-local") - "install-data-am: ")))) - (add-after 'install 'wrap-vinyld - ;; Vinyl uses GCC to compile VCL, so wrap it with the required - ;; toolchain environment instead of propagating GCC globally. - (lambda* (#:key inputs #:allow-other-keys) - (wrap-program (string-append #$output "/sbin/vinyld") - `("PATH" ":" prefix (,(dirname (which "as")))) - `("LIBRARY_PATH" ":" prefix - (,(dirname - (search-input-file inputs "lib/libc.so"))))))))))) + (append + (if (target-x86-32?) + '(#:make-flags + (list "CFLAGS+=-fexcess-precision=standard")) + '()) + (list + #:configure-flags + #~(list (string-append "LDFLAGS=-Wl,-rpath=" #$output "/lib") + (string-append "CC=" #$(cc-for-target)) + ;; Use absolute path of GCC so it's found at runtime. 
+ (string-append "PTHREAD_CC=" + (search-input-file %build-inputs + "/bin/gcc")) + "--localstatedir=/var") + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'use-absolute-file-names + (lambda _ + (substitute* '("bin/vinyltest/vtc_vinyl.c" + "bin/vinyltest/vtest2/src/vtc_process.c" + "bin/vinyltest/vtest2/src/vtc_haproxy.c" + "bin/vinyltest/tests/u00014.vtc" + "bin/vinyld/mgt/mgt_vcc.c") + (("/bin/sh") (which "bash"))) + (let ((rm (which "rm"))) + (substitute* "bin/vinyld/mgt/mgt_shmem.c" + (("rm -rf") (string-append rm " -rf"))) + (substitute* "bin/vinyltest/vtest2/src/vtc_main.c" + (("/bin/rm") rm)) + (substitute* "bin/vinyld/mgt/mgt_main.c" + (("rm -rf") (string-append rm " -rf")))) + (substitute* "bin/vinyltest/tests/u00000.vtc" + (("/bin/echo") (which "echo"))))) + (add-after 'unpack 'remove-failing-tests + (lambda _ + ;; This test still trips on name resolution in the build + ;; container. + (delete-file "bin/vinyltest/tests/b00085.vtc"))) + (add-before 'install 'patch-Makefile + (lambda _ + (substitute* "Makefile" + ;; Do not create /var/varnish during install. + (("^install-data-am: install-data-local") + "install-data-am: ")))) + (add-after 'install 'wrap-vinyld + ;; Vinyl uses GCC to compile VCL, so wrap it with the required + ;; toolchain environment instead of propagating GCC globally. + (lambda* (#:key inputs #:allow-other-keys) + (wrap-program (string-append #$output "/sbin/vinyld") + `("PATH" ":" prefix (,(dirname (which "as")))) + `("LIBRARY_PATH" ":" prefix + (,(dirname + (search-input-file inputs "lib/libc.so"))))))))))) + (native-inputs + (list pkg-config + python-sphinx + python-docutils)) + (inputs + (list bash-minimal + coreutils-minimal + jemalloc + ncurses + pcre2 + python-minimal + readline)) (synopsis "Web application accelerator") (description "Vinyl Cache is a high-performance HTTP accelerator. It acts as a caching reverse proxy and load balancer. 
You install it in front of any server that speaks HTTP and configure it to cache content through an extensive configuration language.") + (license license:bsd-2) (properties '((release-monitoring-url . "https://vinyl-cache.org/releases/"))))) diff --git a/tribes/services/lego.scm b/tribes/services/lego.scm index 2484cad..b84b76d 100644 --- a/tribes/services/lego.scm +++ b/tribes/services/lego.scm @@ -21,6 +21,7 @@ lego-certificate-configuration-webroot lego-certificate-configuration-key-type lego-certificate-configuration-renew-days + lego-certificate-configuration-requirement lego-certificate-configuration-reload-services lego-certificate-directory lego-certificate-full-pem @@ -51,6 +52,8 @@ (default "ec256")) (renew-days lego-certificate-configuration-renew-days (default #f)) + (requirement lego-certificate-configuration-requirement + (default '())) (reload-services lego-certificate-configuration-reload-services (default '()))) @@ -263,7 +266,9 @@ (provision (list (lego-certificate-service-symbol "lego-renewal" certificate))) - (requirement '(user-processes networking)) + (requirement + (append '(user-processes networking) + (lego-certificate-configuration-requirement certificate))) (modules '((shepherd service timer))) (start #~(let ((minutes '#$(lego-configuration-renew-minutes config)) @@ -286,7 +291,9 @@ (provision (list (lego-certificate-service-symbol "lego-bootstrap" certificate))) - (requirement '(user-processes networking)) + (requirement + (append '(user-processes networking) + (lego-certificate-configuration-requirement certificate))) (one-shot? #t) (start #~(lambda _ (zero? (system* #$program)))) diff --git a/tribes/services/tribes.scm b/tribes/services/tribes.scm index af8af5d..7759a1b 100644 --- a/tribes/services/tribes.scm +++ b/tribes/services/tribes.scm 
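Review bot: The `use-absolute-file-names` phase writes `(which "bash")`, `(which "rm")` and `(which "echo")` into `mgt_vcc.c`, `mgt_shmem.c` and `mgt_main.c`, which end up inside the runtime `vinyld`; `which` resolves on the build machine, so under cross-compilation (which the `cc-for-target` configure flag otherwise caters for) the binary would carry paths from the wrong system. For those three sources the values should come from inputs instead, i.e. change the phase to `(lambda* (#:key inputs #:allow-other-keys) ...)` and use `(search-input-file inputs "bin/bash")` and `(search-input-file inputs "bin/rm")`, keeping `which` only for the `.vtc` fixtures that run at build time. `bash-minimal` and `coreutils-minimal` are already listed in `inputs`, so the runtime closure does not change. The `package` form this hunk belongs to begins in the preceding hunk.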
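Review bot: The expression `(append '(user-processes networking) (lego-certificate-configuration-requirement certificate))` now appears verbatim in both the `lego-renewal` and `lego-bootstrap` services (hunks @@ -263 and @@ -286); a helper such as `(define (lego-certificate-requirement certificate) (append '(user-processes networking) (lego-certificate-configuration-requirement certificate)))` keeps the two from drifting when the base list changes. The new `requirement` field in the @@ -51 hunk also carries no comment; suggest `;; Extra Shepherd service symbols the bootstrap and renewal services wait for, appended to user-processes and networking.` Both enclosing `shepherd-service` forms start and end outside the hunks.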
@@ -36,6 +36,9 @@ tribes-configuration-database-host tribes-configuration-secret-key-base-file tribes-configuration-token-signing-secret-file + tribes-configuration-release-cookie-file + tribes-configuration-release-distribution + tribes-configuration-release-node tribes-configuration-dns-cluster-query tribes-configuration-extra-environment-variables tribes-configuration-log-file @@ -84,6 +87,12 @@ (default "/var/lib/tribes/secrets/secret_key_base")) (token-signing-secret-file tribes-configuration-token-signing-secret-file (default "/var/lib/tribes/secrets/token_signing_secret")) + (release-cookie-file tribes-configuration-release-cookie-file + (default "/var/lib/tribes/secrets/release_cookie")) + (release-distribution tribes-configuration-release-distribution + (default "none")) + (release-node tribes-configuration-release-node + (default #f)) (dns-cluster-query tribes-configuration-dns-cluster-query (default #f)) (extra-environment-variables tribes-configuration-extra-environment-variables @@ -135,9 +144,15 @@ "/" database-name)))) +(define (tribes-release-node config) + (or (tribes-configuration-release-node config) + (string-append "tribes@" (tribes-configuration-host config)))) + (define (tribes-launcher config command args) (define package (tribes-configuration-package config)) + (define distribution + (tribes-configuration-release-distribution config)) (define env-setters (append (list @@ -163,8 +178,12 @@ #$(string-join (tribes-configuration-admin-pubkeys config) ",")) + #~(setenv "RELEASE_DISTRIBUTION" #$distribution) #~(setenv "SSL_CERT_DIR" "/etc/ssl/certs") #~(setenv "SSL_CERT_FILE" "/etc/ssl/certs/ca-certificates.crt")) + (if (string=? distribution "none") + '() + (list #~(setenv "RELEASE_NODE" #$(tribes-release-node config)))) (if (tribes-configuration-listen-address config) (list #~(setenv "BIND_ADDRESS" #$(tribes-configuration-listen-address config))) 
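Review bot: `release-distribution` is passed straight into `RELEASE_DISTRIBUTION` and only compared against `"none"` in the @@ -163 hunk, so any other string (including a typo) enables a mode the release will reject at boot rather than at system build time; a field sanitizer, e.g. `(sanitize (lambda (v) (if (member v '("none" "name" "sname")) v (error "release-distribution must be \"none\", \"name\" or \"sname\"" v))))`, would catch that in the `define-record-type*` form. The field should also say what a non-`"none"` value implies, e.g. `;; "none", "name" or "sname".  Anything but "none" starts Erlang distribution (RELEASE_NODE and the release cookie are then required), so the distribution port range and epmd must be reachable only from cluster peers.` `tribes-release-node` builds the same `tribes@<host>` name for both modes; if `host` is a dotted FQDN, `sname` may not accept it, which is worth confirming. The launcher gexp these lines belong to continues past the hunk.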
@@ -197,6 +216,8 @@ #$(tribes-configuration-secret-key-base-file config)) (define token-file #$(tribes-configuration-token-signing-secret-file config)) + (define release-cookie-file + #$(tribes-configuration-release-cookie-file config)) (unless (file-exists? secret-key-file) (format (current-error-port) @@ -212,6 +233,13 @@ (setenv "SECRET_KEY_BASE" (read-secret secret-key-file)) (setenv "TOKEN_SIGNING_SECRET" (read-secret token-file)) + (unless (string=? #$distribution "none") + (unless (file-exists? release-cookie-file) + (format (current-error-port) + "missing Tribes release cookie file: ~a~%" + release-cookie-file) + (exit 1)) + (setenv "RELEASE_COOKIE" (read-secret release-cookie-file))) #$@env-setters (apply execl #$(file-append package "/bin/tribes") @@ -230,6 +258,7 @@ #$(tribes-configuration-plugin-directory config) (dirname #$(tribes-configuration-log-file config)) (dirname #$(tribes-configuration-secret-key-base-file config)) + (dirname #$(tribes-configuration-release-cookie-file config)) (dirname #$(tribes-configuration-token-signing-secret-file config))))) (for-each (lambda (dir) diff --git a/tribes/services/vinyl.scm b/tribes/services/vinyl.scm index 0108a0f..b62e0a6 100644 --- a/tribes/services/vinyl.scm +++ b/tribes/services/vinyl.scm @@ -75,7 +75,8 @@ (match config (($ package name backend vcl listen storage parameters extra-options) - (let ((pid-file (string-append (vinyl-state-directory name) "/_.pid"))) + (let ((state-dir (vinyl-state-directory name)) + (pid-file (string-append (vinyl-state-directory name) "/_.pid"))) (list (shepherd-service (documentation (string-append "Run the Vinyl cache service (" name ").")) @@ -84,7 +85,9 @@ (start #~(make-forkexec-constructor (list #$(file-append package "/sbin/vinyld") - "-n" #$name + "-n" #$state-dir + "-i" #$name + "-P" #$pid-file #$@(if vcl #~("-f" #$vcl) #~("-b" #$backend)) 
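Review bot: The cookie is loaded with `read-secret`, the same helper used for the key-base and token secrets, but an Erlang cookie must match byte-for-byte across nodes; if `read-secret` (defined outside this hunk) does not strip the trailing newline most editors add, a cookie file provisioned with a newline on one node and without on another will refuse to connect. Worth confirming that `read-secret` trims, or documenting the expected file format on the `release-cookie-file` field. The launcher gexp starts and ends outside the hunk.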
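Review bot: In the new `let`, `pid-file` still calls `(vinyl-state-directory name)` a second time instead of using the `state-dir` binding introduced on the line above; `(let* ((state-dir (vinyl-state-directory name)) (pid-file (string-append state-dir "/_.pid")))` removes the duplication and guarantees the `-n` and `-P` arguments passed in the next hunk refer to the same directory. The enclosing `match` clause continues past the hunk.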
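Review bot: The `make-forkexec-constructor` call still passes no `#:user`, while the following hunk (@@ -101) deletes the comment explaining that vinyld drops privileges itself after binding the listeners, so the reason the service is started as root is lost to the next reader. Unless a `#:user` was added outside these hunks, keep a one-line version next to the constructor: `;; No #:user: vinyld binds its listeners and then drops privileges itself.` The `shepherd-service` form starts and ends outside the hunk.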
@@ -101,8 +104,6 @@ (cdr parameter)))) parameters) #$@extra-options) - ;; Vinyl drops privileges on its own after binding the listeners, - ;; so keep the Shepherd service itself unprivileged here. #:pid-file #$pid-file)) (stop #~(make-kill-destructor)))))))) configs)) diff --git a/tribes/system/node.scm b/tribes/system/node.scm index 9c84dcd..20d76b2 100644 --- a/tribes/system/node.scm +++ b/tribes/system/node.scm @@ -98,6 +98,7 @@ (tribes-edge-configuration-challenge-address edge) (tribes-edge-configuration-challenge-port edge))) (renew-days (tribes-edge-configuration-renew-days edge)) + (requirement '(vinyl-tribes-http)) (reload-services '(hitch))))) (define (edge-http-vcl edge)
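Review bot: `(requirement '(vinyl-tribes-http))` hard-codes the Shepherd provision symbol of the edge cache; vinyl.scm derives its state directory and documentation string from the service `name`, so if the provision symbol is derived the same way (assumed `vinyl-<name>`, not visible here), a rename there would leave the certificate services waiting on a symbol that never appears. Exporting the symbol from vinyl.scm, e.g. `(define (vinyl-service-symbol name) (symbol-append 'vinyl- (string->symbol name)))`, and writing `(requirement (list (vinyl-service-symbol "tribes-http")))` here keeps the two in step. The `lego-certificate-configuration` form this field belongs to starts outside the hunk.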