Connections
Connection chain specifications
The normalised form is a list of lists, where the car of each inner list is a keyword symbol identifying a connection type, and the cdr of each inner list is arguments to that connection, e.g.:
((:ssh :foo foo :bar bar) (:sudo :baz baz :quux quux))
There are two notational simplifications permitted when passing connection chain specifications to properties, functions and macros. Firstly, for each inner list which contains only a single keyword identifying a connection type and no arguments, this list may be replaced with only the keyword identifying the connection type, e.g.:
(:ssh (:sudo :baz baz :quux quux))
Secondly, when there is exactly one connection and it takes no arguments, you
may specify just the keyword identifying the connection type, e.g. :ssh.
Note that if there is a single connection but it takes arguments, you will need two sets of parentheses, i.e.:
((:ssh :foo foo :bar bar))
rather than:
(:ssh :foo foo :bar bar)
which is invalid.
Defining connection types
The code which establishes connections (i.e., implementations of the
ESTABLISH-CONNECTION generic) is like code in :posix properties – it
should restrict its I/O to RUN, RUNLINES, READ-REMOTE-FILE and
WRITE-REMOTE-FILE, functions which access the currently active connection.
This is in order to permit the arbitrary nesting of connections. If
establishing a connection really does require more I/O, such as in the case of
:CHROOT.FORK connections, code can call LISP-CONNECTION-P, and either
signal an error, or fall back to another connection type.
Connection attributes (“connattrs”)
Information about hosts which cannot be known without looking at the host, or
for other reasons should not be recorded in consfigs, can be stored as
connection attributes, associated with the current connection. Typically
property combinators set and unset connattrs, and property :APPLY and
:UNAPPLY subroutines read them. They can be used to create context for
the application of properties. Connection attributes are stored in a plist.
Property combinators use the WITH-CONNATTRS macro to set them, and
properties use GET-CONNATTR to read them.
Like hostattrs, connection attributes are identified by keywords for connattrs which are expected to be used in many contexts, and by other symbols for connattrs which will be used only among a co-operating group of properties and property combinators. However, unlike hostattrs, each connattr need not be a list to which new items are pushed.
By default the list of connattrs is reset when establishing a new connection
within the context of an existing connection. However, for some connattrs it
makes sense to propagate them along to the new connection. For example, a
list of connected hardware of a particular type might still be useful in the
context of a connection which chroots, as /dev might still give access to this
hardware. Implementations of the PROPAGATE-CONNATTR generic function can
be used to enable propagation where it makes sense. Methods can copy and
modify connattrs as appropriate; in the chroot example, paths might be updated
so that they are relative to the new filesystem root.
The propagation of connattrs is currently limited to the establishing of connections within the same Lisp image; i.e., connection types which start up new Lisp images never propagate any existing connattrs.
Reserved names for connection attributes
The semantics of connattrs identified by keywords are documented here.
[list incomplete]
Notes on particular connection types
:SUDO
Passing the :AS option to this connection means that Consfigurator will
assume a password is required for all commands, and not passing :AS means
that Consfigurator will assume a password is not required for any commands.
Consfigurator sends your sudo password on stdin, so if the assumption that a
password is required is violated, your sudo password will end up in the stdin
to whatever command is being run using sudo. There is no facility for
directly passing in a passphrase; you must use :AS to obtain passwords
from sources of prerequisite data. The passphrase will be written to a
private temporary file which is deleted when the :SUDO connection is torn
down.
If any connection types which start up remote Lisp images occur before a
:SUDO entry in your connection chain, ESTABLISH-CONNECTION will need
to inform the newly-started remote Lisp image of any sudo passwords needed for
establishing the remaining hops. Depending on how the connection type feeds
instructions to the remote Lisp image, this may involve writing your sudo
password to a file under ~/.cache on the machine which runs the remote
Lisp image. At least :SBCL avoids this by sending your password in on
stdin. Even with :SBCL, if the Lisp image dumps a copy of itself to disk,
e.g. for the purposes of cronjobs, then your sudo password will be contained
in that saved image. Typically a :SUDO connection hop is used before hops
which start up remote Lisp images, so these issues will not arise for most
users.
:SETUID
As this connection type subclasses FORK-CONNECTION, it shouldn’t leak root-accessible secrets to a process running under the unprivileged UID. However, when using the :AS connection type, the unprivileged process will have access to all the hostattrs of the host. Potentially, something like ptrace(2) could be used to extract those. But hostattrs should not normally contain any secrets, and at least on Linux, the unprivileged process will not be ptraceable because it was once privileged.
Connections which fork: :CHROOT.FORK, :SETUID
These connection types cannot be used as the first hop, i.e., directly out of the root Lisp. This is because they must call fork(2), and Consfigurator only makes this system call in contexts in which there shouldn’t ever be more than one thread (excluding Lisp implementation finaliser threads and the like). The root Lisp is not such a context, because it is often multithreaded due to the use of SLIME. This is, however, not much of a restriction, because typically the root Lisp is running under a UID which cannot use system calls like chroot(2) and setuid(2) anyway. Thus, typical usage on localhost would be something like:
(deploy (:sudo :sbcl (:chroot.fork :into "...")) ...)
Connections which use setns(2) to enter containers
When the current connection is a Lisp-type connection, connection types which
enter Linux containers, such as :LXC and :SYSTEMD-MACHINED, invoke the
setns(2) system call directly. The implementation of this is the connection
type CONSFIGURATOR.CONNECTION.LINUX-NAMESPACE::SETNS. The implementation
of the POST-FORK generic for that connection type is structured similarly
to the nsenter(1) command from util-linux. This has the advantage that
CONSFIGURATOR.CONNECTION.LINUX-NAMESPACE::SETNS should be reusable for
implementing connection types which enter other kinds of Linux container; the
container runtime-specific code is limited to determining the PID of the
container’s leading process. However, there are some security implications to
this approach.
Firstly, the current implementation does not join the control group of the container’s leading process, and thus the Consfigurator process running inside the container is not subject to resource limits applied to the container. It might be possible for a process in the container to exploit this to escape its resource limits.
Secondly, we do not attempt to enter the LSM security context of the container, such as the container’s SELinux execution context or AppArmor profile. This is because LSM usage is container runtime-specific. In the case of unprivileged containers which make use of user namespaces, however, failing to enter the LSM security context typically does not breach container security. For such containers, employment of an LSM serves as an extra layer of protection against kernel exploits, not as part of the enforcement of the container’s basic security model.