Date: Sat, 13 May 2023 07:02:43 GMT
Message-Id: <202305130702.34D72hLK078968@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Gleb Popov Subject: git: 68c08c660265 - main - net-p2p/cardano-db-sync: Switch rc script to use rc.subr.jail functionality List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: arrowd X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 68c08c6602655373b716721ab0e7c340ffafe3fe Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by arrowd: URL: https://cgit.FreeBSD.org/ports/commit/?id=68c08c6602655373b716721ab0e7c340ffafe3fe commit 68c08c6602655373b716721ab0e7c340ffafe3fe Author: Alexey Yushkin <636808@mail.ru> AuthorDate: 2023-03-03 11:47:34 +0000 Commit: Gleb Popov CommitDate: 2023-05-13 07:02:19 +0000 net-p2p/cardano-db-sync: Switch rc script to use rc.subr.jail functionality Co-authored-by: Alexey Donskov --- net-p2p/cardano-db-sync/Makefile | 5 +- net-p2p/cardano-db-sync/files/cardano_db_sync.in | 184 ++++++++++++++++++----- 2 files changed, 146 insertions(+), 43 deletions(-) diff --git a/net-p2p/cardano-db-sync/Makefile b/net-p2p/cardano-db-sync/Makefile index b608290320b7..fc6cf338cce3 100644 --- a/net-p2p/cardano-db-sync/Makefile +++ b/net-p2p/cardano-db-sync/Makefile @@ -1,6 +1,6 @@ PORTNAME= cardano-db-sync PORTVERSION= 13.1.0.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net-p2p databases PATCH_SITES= https://arrowd.name/:freebsd_compat 
@@ -14,7 +14,8 @@ LICENSE= APACHE20 BUILD_DEPENDS= ghc-8.10.7:lang/ghc810 RUN_DEPENDS= cardano-node:net-p2p/cardano-node \ - bash:shells/bash + bash:shells/bash \ + ${LOCALBASE}/share/rc-subr-jail/rc.subr.jail:ports-mgmt/rc-subr-jail USES= autoreconf:build cabal gmake libtool pkgconfig pgsql:14 diff --git a/net-p2p/cardano-db-sync/files/cardano_db_sync.in b/net-p2p/cardano-db-sync/files/cardano_db_sync.in index 9465443c4703..79b9d5714a0b 100644 --- a/net-p2p/cardano-db-sync/files/cardano_db_sync.in +++ b/net-p2p/cardano-db-sync/files/cardano_db_sync.in @@ -9,6 +9,9 @@ # cardano_db_sync_enable: Set to YES to enable cardano_db_sync. # Default: "NO" # +# cardano_db_sync_jail_enable: Set to YES to run the service in a minimal jail. +# Default: "NO" +# # cardano_db_sync_net: A network name to connect to. # Default: "mainnet" # @@ -17,7 +20,7 @@ # Default: "/var/db/cardano_db_sync" # # cardano_db_sync_cnode_socket: An absolute path to the cardano-node socket file. -# Default: "/var/db/cardano_node/jail/socket/cardano-node.sock" +# Default: "/var/db/cardano_node/cardano-node.sock" # # Advanced settings that usually don't need to be changed for simple usage cases: # 
@@ -38,59 +41,130 @@ name=cardano_db_sync desc="Cardano DB-Sync daemon" -rcvar=cardano_db_sync_enable +rcvar="cardano_db_sync_enable" command=%%PREFIX%%/bin/cardano-db-sync cardano_deployment_url="https://raw.githubusercontent.com/cardano-bsd-alliance/freebsd-ports-cardano-artifacts/master/cardano-db-sync" cardano_config_files="config db-sync-config byron-genesis shelley-genesis alonzo-genesis" cardano_networks="mainnet preview preprod" -start_cmd="${name}_start" -start_precmd="${name}_prestart" -stop_cmd="${name}_stop" -status_cmd="${name}_status" -fetch_cmd="${name}_fetch" +start_cmd="cardano_db_sync_start" +start_precmd="cardano_db_sync_prestart" +stop_cmd="cardano_db_sync_stop" +status_cmd="cardano_db_sync_status" +fetch_cmd="cardano_db_sync_fetch" extra_commands="status fetch" load_rc_config $name : ${cardano_db_sync_enable:=NO} +: ${cardano_db_sync_jail_enable:=NO} : ${cardano_db_sync_net:="mainnet"} : ${cardano_db_sync_home:="/var/db/cardano_db_sync"} -: ${cardano_db_sync_cnode_socket:="/var/db/cardano_node/jail/socket/cardano-node.sock"} +: ${cardano_db_sync_cnode_socket:="/var/db/cardano_node/cardano-node.sock"} : ${cardano_db_sync_pgpass:="${cardano_db_sync_home}/${cardano_db_sync_net}-configs/.pgpass"} : ${cardano_db_sync_config:="${cardano_db_sync_home}/${cardano_db_sync_net}-configs/db-sync-config.json"} -: ${cardano_db_sync_schema:="%%LOCALBASE%%/share/cardano-db-sync/schema"} +: ${cardano_db_sync_schema:="%%PREFIX%%/share/cardano-db-sync/schema"} : ${cardano_db_sync_flags:=""} cardano_db_sync_state="${cardano_db_sync_home}/${cardano_db_sync_net}-state" -export PGPASSFILE=${cardano_db_sync_pgpass} + +# aliases +_home=${cardano_db_sync_home} +_net=${cardano_db_sync_net} +_socket=${cardano_db_sync_cnode_socket} +_pgpass=${cardano_db_sync_pgpass} +_config=${cardano_db_sync_config} +_schema=${cardano_db_sync_schema} +_state=${cardano_db_sync_state} +_flags=${cardano_db_sync_flags} + +jail_schema="/schema" +jail_config="/${_net}-configs/`basename 
${_config}`" +jail_pgpass="/${_net}-configs/`basename ${_pgpass}`" +jail_socket="/socket/`basename ${_socket}`" +jail_state="/${_net}-state" +jail_args="name=cardano_db_sync_jail exec.jail_user=cardano exec.system_jail_user host=inherit" +jail_command=/bin/cardano-db-sync + +jail_root="${_home}/jail" +jail_copy_resolv_conf=yes +jail_copy_services=yes +jail_copy_programs="$command /usr/sbin/nologin /bin/sh %%LOCALBASE%%/bin/psql" +jail_ip_inherit=yes +jail_prepare_inside_cmds="mkdir ./tmp ;\ + chmod +s ./bin/cardano-db-sync" +jail_nullfs_mounts="`dirname ${_config}` ./${_net}-configs ro \ + ${_schema} ./schema ro \ + ${_state} ./${_net}-state ro" + +if checkyesno "cardano_db_sync_jail_enable"; then + export PGPASSFILE=${jail_pgpass} + _schema_arg="${jail_schema}" + _state_arg="${jail_state}" + _socket_arg="${jail_socket}" + _config_arg="${jail_config}" + # We need to override ${command} to make check_pidfile work correctly when + # rc.subr calls it as "check_pidfile ${pidfile} ${command}" + command=/usr/sbin/jail +else + export PGPASSFILE=${_pgpass} + _schema_arg="${_schema}" + _state_arg="${_state}" + _socket_arg="${_socket}" + _config_arg="${_config}" +fi + pidfile="/var/run/cardano-db-sync.pid" -logfile="/var/log/cardano-db-sync.log" -flags=" --schema-dir ${cardano_db_sync_schema} \ - --state-dir ${cardano_db_sync_state} \ - --socket-path ${cardano_db_sync_cnode_socket} \ - --config ${cardano_db_sync_config} \ - ${cardano_db_sync_flags}" +flags=" --schema-dir ${_schema_arg} \ + --state-dir ${_state_arg} \ + --socket-path ${_socket_arg} \ + --config ${_config_arg} \ + ${_flags}" + +. %%LOCALBASE%%/share/rc-subr-jail/rc.subr.jail + +# dirname_realpath path +# Return an absolute dirname for a given path +# Correctly handles symlinks pointing to a non-existant files +dirname_realpath() +{ + local _path _dirname _realpath + _path=$1 + _dirname=$(dirname ${_path}) + + _realpath=$(/bin/sh -c "cd $_dirname && readlink ${_path}" 2> /dev/null) + if [ $? 
= "0" ]; then + _dirname=$(dirname ${_realpath}) + if [ $_dirname == "." ]; then + echo $(dirname ${_path}) + else + echo $(/bin/sh -c "cd ${_dirname} && pwd" 2> /dev/null) + fi + return 0 + fi + echo $(dirname ${_path}) +} sanity_check() { - if [ ! -f ${cardano_db_sync_config} ] - then - echo "Invalid value for cardano_db_sync_config: missing file ${cardano_db_sync_config}" + if [ ! -f ${_config} ]; then + echo "Invalid value for cardano_db_sync_config: missing file ${_config}" echo "You might want to run service cardano_db_sync onefetch" exit 1 fi - if [ ! -f ${cardano_db_sync_pgpass} ] - then - echo "Invalid value for cardano_db_sync_pgpass: missing file ${cardano_db_sync_pgpass}" + if [ ! -f ${_pgpass} ]; then + echo "Invalid value for cardano_db_sync_pgpass: missing file ${_pgpass}" echo "Did you setup postgresql database access?" exit 1 fi - if [ ! -d `dirname ${cardano_db_sync_cnode_socket}` ] - then - echo "The directory for the socket file ${cardano_db_sync_cnode_socket} is missing" - echo "Cardano-node is not running and/or wrong path specified for /jail/socket/ dir" + if [ ! \( -L ${_socket} -o -S ${_socket} \) ]; then + echo "Invalid value for cardano_db_sync_cnode_socket: ${_socket} is not a socket or a symlink" + echo "cardano_node might be not running and/or wrong path specified for the socket file" + exit 1 + fi + if [ ! -d `dirname ${_schema}` ]; then + echo "The directory for the database schema ${_schema} is missing" exit 1 fi return 0 
@@ -99,12 +173,14 @@ sanity_check() cardano_db_sync_prestart() { # Create cardano_db_sync home directory, if not exists - if [ ! -d "${cardano_db_sync_home}" ]; then - mkdir -p "${cardano_db_sync_home}" + if [ ! -d "${_home}" ]; then + mkdir -p "${_home}" + chown cardano:cardano "${_home}" fi # Create cardano_db_sync state directory, if not exists - if [ ! -d "${cardano_db_sync_state}" ]; then - mkdir -p "${cardano_db_sync_state}" + if [ ! -d "${_state}" ]; then + mkdir -p "${_state}" + chown cardano:cardano "${_state}" fi sanity_check 
@@ -114,33 +190,58 @@ cardano_db_sync_start() { check_startmsgs && echo "Starting ${name}." - cd $cardano_db_sync_home && /usr/bin/env PATH=$PATH:%%LOCALBASE%%/bin /usr/sbin/daemon -p $pidfile -S -T cardano-db-sync \ - ${command} ${flags} 2>&1 > /dev/null + local _socketdir=$(dirname_realpath ${_socket}) + jail_nullfs_mounts="$jail_nullfs_mounts ${_socketdir} ./socket ro" + + if checkyesno "cardano_db_sync_jail_enable"; then + prepare_jail $jail_root + if [ "$?" != "0" ]; then + echo "Failed to start ${name}: jail creation error" + return 1 + fi + + cd ${_home} && /bin/sh -c "/usr/sbin/daemon -p $pidfile -S -T cardano-db-sync \ + ${command} -c ${jail_prepared_args} ${jail_args} command=${jail_command} ${flags}" + else + cd ${_home} && /usr/bin/env "PATH=${PATH}:%%LOCALBASE%%/bin" /usr/sbin/daemon -p $pidfile -S -T cardano-db-sync \ + ${command} ${flags} + fi } cardano_db_sync_stop() { - pid=$(check_pidfile "${pidfile}" "${command}") + local _ret + local _socketdir=$(dirname_realpath ${_socket}) + jail_nullfs_mounts="$jail_nullfs_mounts ${_socketdir} ./socket ro" + + pid=$(check_pidfile "${pidfile}" "$command") + if [ -z "${pid}" ] then echo "${name} is not running" - return 1 + _ret=1 else echo "Stopping ${name}." - /bin/kill -INT "$pid" + kill_jail "$pid" -INT "cardano_db_sync_jail_enable" wait_for_pids "$pid" + _ret=0 + fi + + if checkyesno "cardano_db_sync_jail_enable"; then + destroy_jail $jail_root 2> /dev/null fi } cardano_db_sync_status() { - pid=$(check_pidfile "${pidfile}" "${command}") + pid=$(check_pidfile "${pidfile}" "$command") + if [ -z "${pid}" ] then - echo "${name} is not running" - return 1 + echo "${name} is not running" + return 1 else - echo ${name} is running as pid $pid + echo ${name} is running as pid $pid fi } 
@@ -149,9 +250,10 @@ cardano_db_sync_fetch() for net in ${cardano_networks} do echo "Fetching configuration files for ${net}" - mkdir -p "${cardano_db_sync_home}/${net}-configs" + mkdir -p "${_home}/${net}-configs" /usr/bin/apply "/usr/bin/fetch -a -o \ - ${cardano_db_sync_home}/${net}-configs ${cardano_deployment_url}/${net}-configs/%1.json" $cardano_config_files + ${_home}/${net}-configs ${cardano_deployment_url}/${net}-configs/%1.json" $cardano_config_files + chown -R cardano:cardano "${_home}/${net}-configs" done }
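Review bot: The default for cardano_db_sync_cnode_socket changes in the rc script's header comment (hunk @@ -17,7 +20,7 @@) and in the matching `: ${cardano_db_sync_cnode_socket:=...}` line, from /var/db/cardano_node/jail/socket/cardano-node.sock to /var/db/cardano_node/cardano-node.sock, with no migration note. Installations that relied on the old default will now fail the new socket test in sanity_check unless cardano_node places its socket (or a symlink) at the new path. Please mention the change in UPDATING or the port's pkg-message, and state which cardano-node port revision provides the new location.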
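Review bot: In the large rc script hunk (@@ -38,59 +41,130 @@), `jail_prepare_inside_cmds` runs `chmod +s ./bin/cardano-db-sync`, which sets the setuid and setgid bits on the daemon copied into the jail, and nothing in the script says why. jail_args already drops to exec.jail_user=cardano; if the copy ends up owned by root, the setuid bit undoes that drop for the one binary the jail exists to confine. Please remove the chmod, or add a comment naming the owner of the copy and the reason the bits are needed. Two further points in the same hunk: jail_nullfs_mounts mounts `${_state} ./${_net}-state ro` although the directory is passed as --state-dir and prestart chowns it to cardano, so confirm the daemon never writes there or mount it rw; and sanity_check tests `-d` on `dirname ${_schema}`, the parent directory, while the message reports ${_schema} itself as missing, so the test should be `[ ! -d "${_schema}" ]`.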
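Review bot: In cardano_db_sync_prestart (hunk @@ -99,12 +173,14 @@) the new `chown cardano:cardano` calls sit inside the `if [ ! -d ... ]` blocks, so they only run when the directory is created. A home or state directory left over from the previous port revision, which only did `mkdir -p`, keeps its old owner, and a service now running as cardano may be unable to use it. Consider moving the chown outside the existence test, or checking ownership explicitly and printing a message that tells the administrator what to fix.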
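Review bot: In cardano_db_sync_stop (hunk @@ -114,33 +190,58 @@) `_ret` is set to 1 or 0 but never returned, so the function's exit status is now whatever the trailing `if checkyesno ...; then destroy_jail ...; fi` yields, and the earlier `return 1` for "is not running" is lost. Add `return $_ret` as the last statement. In the same function `destroy_jail $jail_root 2> /dev/null` discards any teardown error, which can hide nullfs mounts left behind under the jail root; at least report a non-zero status. In cardano_db_sync_start the jailed branch wraps the whole daemon invocation in `/bin/sh -c "..."`, so the contents of cardano_db_sync_flags are parsed by a shell a second time; the non-jailed branch does not do this, and the two should behave the same for values containing quotes or spaces.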
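Review bot: In cardano_db_sync_fetch (hunk @@ -149,9 +250,10 @@) the added `chown -R cardano:cardano "${_home}/${net}-configs"` runs unconditionally after the fetch loop and hands every file in the directory to the service account, including the downloaded JSON configuration that the daemon only reads (the jail mounts this directory ro). Ownership by cardano is only needed for files the service must own, such as the default .pgpass location; leaving the fetched configs owned by root and readable by cardano keeps a compromised daemon from rewriting its own configuration when the jail is disabled. The exit status of the `/usr/bin/apply ... fetch` step is also not checked before the chown, so a failed download goes unreported.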