Fix Tribes edge service startup

README.md

@@ -44,6 +44,5 @@ For pinned bootstrap usage, generate a `channels.scm` that combines upstream
 Guix with this repository's current commit.
 
 The deployment scripts default to the checked-in base-channel lock at
-`../pins/base-channels.scm`, and only fall back to the current host's
-`guix describe -f channels` output when that file is absent.  Refresh that
-lock intentionally with `scripts/update-base-channels-pin`.
+`pins/base-channels.scm`.  Refresh that lock intentionally with
+`../guix-deploy/scripts/update-base-channels-pin`.

pins/base-channels.scm

@@ -0,0 +1,12 @@
+(list (channel
+        (name 'guix)
+        (url "https://git.teralink.net/tribes/guix.git")
+        (branch "master")
+        ;; Guix v1.5.0
+        (commit
+          "230aa373f315f247852ee07dff34146e9b480aec")
+        (introduction
+          (make-channel-introduction
+            "9edb3f66fd807b096b48283debdcddccfea34bad"
+            (openpgp-fingerprint
+              "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")))))

tribes/packages/mix.scm

@@ -227,6 +227,7 @@ MIX-FOD-DEPS as a pre-fetched dependency tree."
               (setenv "MIX_ENV" #$mix-env)
               (setenv "MIX_TARGET" #$mix-target)
               (setenv "MIX_OS_CONCURRENCY_LOCK" "0")
+              (setenv "MIX_OS_DEPS_COMPILE_PARTITION_COUNT" "4")
               (setenv "HEX_OFFLINE" "1")
               (setenv "MIX_REBAR" #$(file-append rebar3 "/bin/rebar3"))
               (setenv "MIX_REBAR3" #$(file-append rebar3 "/bin/rebar3"))

tribes/packages/web.scm

@@ -1,14 +1,20 @@
 (define-module (tribes packages web)
   #:use-module (gnu packages)
+  #:use-module (gnu packages bash)
   #:use-module (gnu packages base)
   #:use-module (gnu packages curl)
+  #:use-module (gnu packages jemalloc)
   #:use-module (gnu packages libevent)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages lsof)
+  #:use-module (gnu packages ncurses)
+  #:use-module (gnu packages pcre)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
+  #:use-module (gnu packages python-xyz)
+  #:use-module (gnu packages readline)
+  #:use-module (gnu packages sphinx)
   #:use-module (gnu packages tls)
-  #:use-module ((gnu packages web) #:prefix upstream:)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix base32)
   #:use-module (guix build-system gnu)
@@ -112,10 +118,9 @@ multicore machines.")
 
 (define-public vinyl
   (package
-    (inherit upstream:varnish)
     (name "vinyl")
-    (home-page "https://vinyl-cache.org/")
     (version "9.0.0")
+    (home-page "https://vinyl-cache.org/")
     (source
      (origin
        (method url-fetch)
@@ -124,52 +129,80 @@ multicore machines.")
                            ".tgz"))
        (sha256
         (base32 "05xxhgs1r9zwanx5arafrd7hkjn3kmsnrbfh1zajfxm7q88c4h4p"))))
+    (build-system gnu-build-system)
     (arguments
-     (substitute-keyword-arguments (package-arguments upstream:varnish)
-       ((#:phases phases)
-        #~(modify-phases %standard-phases
-            (add-after 'unpack 'use-absolute-file-names
-              (lambda _
-                (substitute* '("bin/vinyltest/vtc_vinyl.c"
-                               "bin/vinyltest/vtest2/src/vtc_process.c"
-                               "bin/vinyltest/vtest2/src/vtc_haproxy.c"
-                               "bin/vinyltest/tests/u00014.vtc"
-                               "bin/vinyld/mgt/mgt_vcc.c")
-                  (("/bin/sh") (which "bash")))
-                (let ((rm (which "rm")))
-                  (substitute* "bin/vinyld/mgt/mgt_shmem.c"
-                    (("rm -rf") (string-append rm " -rf")))
-                  (substitute* "bin/vinyltest/vtest2/src/vtc_main.c"
-                    (("/bin/rm") rm))
-                  (substitute* "bin/vinyld/mgt/mgt_main.c"
-                    (("rm -rf") (string-append rm " -rf"))))
-                (substitute* "bin/vinyltest/tests/u00000.vtc"
-                  (("/bin/echo") (which "echo")))))
-            (add-after 'unpack 'remove-failing-tests
-              (lambda _
-                ;; This test still trips on name resolution in the build
-                ;; container.
-                (delete-file "bin/vinyltest/tests/b00085.vtc")))
-            (add-before 'install 'patch-Makefile
-              (lambda _
-                (substitute* "Makefile"
-                  (("^install-data-am: install-data-local")
-                   "install-data-am: "))))
-            (add-after 'install 'wrap-vinyld
-              ;; Vinyl uses GCC to compile VCL, so wrap it with the required
-              ;; toolchain environment instead of propagating GCC globally.
-              (lambda* (#:key inputs #:allow-other-keys)
-                (wrap-program (string-append #$output "/sbin/vinyld")
-                  `("PATH" ":" prefix (,(dirname (which "as"))))
-                  `("LIBRARY_PATH" ":" prefix
-                    (,(dirname
-                       (search-input-file inputs "lib/libc.so")))))))))))
+     (append
+      (if (target-x86-32?)
+          '(#:make-flags
+            (list "CFLAGS+=-fexcess-precision=standard"))
+          '())
+      (list
+       #:configure-flags
+       #~(list (string-append "LDFLAGS=-Wl,-rpath=" #$output "/lib")
+               (string-append "CC=" #$(cc-for-target))
+               ;; Use absolute path of GCC so it's found at runtime.
+               (string-append "PTHREAD_CC="
+                              (search-input-file %build-inputs
+                                                 "/bin/gcc"))
+               "--localstatedir=/var")
+       #:phases
+       #~(modify-phases %standard-phases
+           (add-after 'unpack 'use-absolute-file-names
+             (lambda _
+               (substitute* '("bin/vinyltest/vtc_vinyl.c"
+                              "bin/vinyltest/vtest2/src/vtc_process.c"
+                              "bin/vinyltest/vtest2/src/vtc_haproxy.c"
+                              "bin/vinyltest/tests/u00014.vtc"
+                              "bin/vinyld/mgt/mgt_vcc.c")
+                 (("/bin/sh") (which "bash")))
+               (let ((rm (which "rm")))
+                 (substitute* "bin/vinyld/mgt/mgt_shmem.c"
+                   (("rm -rf") (string-append rm " -rf")))
+                 (substitute* "bin/vinyltest/vtest2/src/vtc_main.c"
+                   (("/bin/rm") rm))
+                 (substitute* "bin/vinyld/mgt/mgt_main.c"
+                   (("rm -rf") (string-append rm " -rf"))))
+               (substitute* "bin/vinyltest/tests/u00000.vtc"
+                 (("/bin/echo") (which "echo")))))
+           (add-after 'unpack 'remove-failing-tests
+             (lambda _
+               ;; This test still trips on name resolution in the build
+               ;; container.
+               (delete-file "bin/vinyltest/tests/b00085.vtc")))
+           (add-before 'install 'patch-Makefile
+             (lambda _
+               (substitute* "Makefile"
+                 ;; Do not create /var/varnish during install.
+                 (("^install-data-am: install-data-local")
+                  "install-data-am: "))))
+           (add-after 'install 'wrap-vinyld
+             ;; Vinyl uses GCC to compile VCL, so wrap it with the required
+             ;; toolchain environment instead of propagating GCC globally.
+             (lambda* (#:key inputs #:allow-other-keys)
+               (wrap-program (string-append #$output "/sbin/vinyld")
+                 `("PATH" ":" prefix (,(dirname (which "as"))))
+                 `("LIBRARY_PATH" ":" prefix
+                   (,(dirname
+                      (search-input-file inputs "lib/libc.so")))))))))))
+    (native-inputs
+     (list pkg-config
+           python-sphinx
+           python-docutils))
+    (inputs
+     (list bash-minimal
+           coreutils-minimal
+           jemalloc
+           ncurses
+           pcre2
+           python-minimal
+           readline))
     (synopsis "Web application accelerator")
     (description
      "Vinyl Cache is a high-performance HTTP accelerator.  It acts as a
 caching reverse proxy and load balancer.  You install it in front of any
 server that speaks HTTP and configure it to cache content through an
 extensive configuration language.")
+    (license license:bsd-2)
     (properties
      '((release-monitoring-url . "https://vinyl-cache.org/releases/")))))
 

tribes/services/lego.scm

@@ -21,6 +21,7 @@
             lego-certificate-configuration-webroot
             lego-certificate-configuration-key-type
             lego-certificate-configuration-renew-days
+            lego-certificate-configuration-requirement
             lego-certificate-configuration-reload-services
             lego-certificate-directory
             lego-certificate-full-pem
@@ -51,6 +52,8 @@
             (default "ec256"))
   (renew-days lego-certificate-configuration-renew-days
               (default #f))
+  (requirement lego-certificate-configuration-requirement
+               (default '()))
   (reload-services lego-certificate-configuration-reload-services
                    (default '())))
 
@@ -263,7 +266,9 @@
          (provision
           (list (lego-certificate-service-symbol "lego-renewal"
                                                  certificate)))
-         (requirement '(user-processes networking))
+         (requirement
+          (append '(user-processes networking)
+                  (lego-certificate-configuration-requirement certificate)))
          (modules '((shepherd service timer)))
          (start
           #~(let ((minutes '#$(lego-configuration-renew-minutes config))
@@ -286,7 +291,9 @@
          (provision
           (list (lego-certificate-service-symbol "lego-bootstrap"
                                                  certificate)))
-         (requirement '(user-processes networking))
+         (requirement
+          (append '(user-processes networking)
+                  (lego-certificate-configuration-requirement certificate)))
          (one-shot? #t)
          (start #~(lambda _
                     (zero? (system* #$program))))

tribes/services/tribes.scm

@@ -36,6 +36,9 @@
             tribes-configuration-database-host
             tribes-configuration-secret-key-base-file
             tribes-configuration-token-signing-secret-file
+            tribes-configuration-release-cookie-file
+            tribes-configuration-release-distribution
+            tribes-configuration-release-node
             tribes-configuration-dns-cluster-query
             tribes-configuration-extra-environment-variables
             tribes-configuration-log-file
@@ -84,6 +87,12 @@
                         (default "/var/lib/tribes/secrets/secret_key_base"))
   (token-signing-secret-file tribes-configuration-token-signing-secret-file
                              (default "/var/lib/tribes/secrets/token_signing_secret"))
+  (release-cookie-file tribes-configuration-release-cookie-file
+                       (default "/var/lib/tribes/secrets/release_cookie"))
+  (release-distribution tribes-configuration-release-distribution
+                        (default "none"))
+  (release-node tribes-configuration-release-node
+                (default #f))
   (dns-cluster-query tribes-configuration-dns-cluster-query
                      (default #f))
   (extra-environment-variables tribes-configuration-extra-environment-variables
@@ -135,9 +144,15 @@
                        "/"
                        database-name))))
 
+(define (tribes-release-node config)
+  (or (tribes-configuration-release-node config)
+      (string-append "tribes@" (tribes-configuration-host config))))
+
 (define (tribes-launcher config command args)
   (define package
     (tribes-configuration-package config))
+  (define distribution
+    (tribes-configuration-release-distribution config))
   (define env-setters
     (append
      (list
@@ -163,8 +178,12 @@
                 #$(string-join
                    (tribes-configuration-admin-pubkeys config)
                    ","))
+      #~(setenv "RELEASE_DISTRIBUTION" #$distribution)
       #~(setenv "SSL_CERT_DIR" "/etc/ssl/certs")
       #~(setenv "SSL_CERT_FILE" "/etc/ssl/certs/ca-certificates.crt"))
+     (if (string=? distribution "none")
+         '()
+         (list #~(setenv "RELEASE_NODE" #$(tribes-release-node config))))
      (if (tribes-configuration-listen-address config)
          (list #~(setenv "BIND_ADDRESS"
                          #$(tribes-configuration-listen-address config)))
@@ -197,6 +216,8 @@
          #$(tribes-configuration-secret-key-base-file config))
        (define token-file
          #$(tribes-configuration-token-signing-secret-file config))
+       (define release-cookie-file
+         #$(tribes-configuration-release-cookie-file config))
 
        (unless (file-exists? secret-key-file)
          (format (current-error-port)
@@ -212,6 +233,13 @@
 
        (setenv "SECRET_KEY_BASE" (read-secret secret-key-file))
        (setenv "TOKEN_SIGNING_SECRET" (read-secret token-file))
+       (unless (string=? #$distribution "none")
+         (unless (file-exists? release-cookie-file)
+           (format (current-error-port)
+                   "missing Tribes release cookie file: ~a~%"
+                   release-cookie-file)
+           (exit 1))
+         (setenv "RELEASE_COOKIE" (read-secret release-cookie-file)))
        #$@env-setters
        (apply execl
               #$(file-append package "/bin/tribes")
@@ -230,6 +258,7 @@
                          #$(tribes-configuration-plugin-directory config)
                          (dirname #$(tribes-configuration-log-file config))
                          (dirname #$(tribes-configuration-secret-key-base-file config))
+                         (dirname #$(tribes-configuration-release-cookie-file config))
                          (dirname #$(tribes-configuration-token-signing-secret-file config)))))
         (for-each
          (lambda (dir)

tribes/services/vinyl.scm

@@ -75,7 +75,8 @@
      (match config
        (($ <vinyl-configuration> package name backend vcl listen storage
                                  parameters extra-options)
-        (let ((pid-file (string-append (vinyl-state-directory name) "/_.pid")))
+        (let ((state-dir (vinyl-state-directory name))
+              (pid-file (string-append (vinyl-state-directory name) "/_.pid")))
           (list
            (shepherd-service
             (documentation (string-append "Run the Vinyl cache service (" name ")."))
@@ -84,7 +85,9 @@
             (start
              #~(make-forkexec-constructor
                 (list #$(file-append package "/sbin/vinyld")
-                      "-n" #$name
+                      "-n" #$state-dir
+                      "-i" #$name
+                      "-P" #$pid-file
                       #$@(if vcl
                              #~("-f" #$vcl)
                              #~("-b" #$backend))
@@ -101,8 +104,6 @@
                                                      (cdr parameter))))
                                      parameters)
                       #$@extra-options)
-                ;; Vinyl drops privileges on its own after binding the listeners,
-                ;; so keep the Shepherd service itself unprivileged here.
                 #:pid-file #$pid-file))
             (stop #~(make-kill-destructor))))))))
    configs))

tribes/system/node.scm

@@ -98,6 +98,7 @@
               (tribes-edge-configuration-challenge-address edge)
               (tribes-edge-configuration-challenge-port edge)))
      (renew-days (tribes-edge-configuration-renew-days edge))
+     (requirement '(vinyl-tribes-http))
      (reload-services '(hitch)))))
 
 (define (edge-http-vcl edge)