Previous: , Up: 服务   [Contents][Index]


12.9.36 其它各种服务

Fingerprint Service

The (gnu services authentication) module provides a DBus service to read and identify fingerprints via a fingerprint sensor.

Scheme Variable: fprintd-service-type

The service type for fprintd, which provides the fingerprint reading capability.

(service fprintd-service-type)

System Control Service

The (gnu services sysctl) provides a service to configure kernel parameters at boot.

Scheme Variable: sysctl-service-type

The service type for sysctl, which modifies kernel parameters under /proc/sys/. To enable IPv4 forwarding, it can be instantiated as:

(service sysctl-service-type
         (sysctl-configuration
           (settings '(("net.ipv4.ip_forward" . "1")))))

Since sysctl-service-type is used in the default lists of services, %base-services and %desktop-services, you can use modify-services to change its configuration and add the kernel parameters that you want (see modify-services).

(modify-services %base-services
  (sysctl-service-type config =>
                       (sysctl-configuration
                         (settings (append '(("net.ipv4.ip_forward" . "1"))
                                           %default-sysctl-settings)))))
Data Type: sysctl-configuration

The data type representing the configuration of sysctl.

sysctl (default: (file-append procps "/sbin/sysctl")

The sysctl executable to use.

settings (default: %default-sysctl-settings)

An association list specifies kernel parameters and their values.

Scheme Variable: %default-sysctl-settings

An association list specifying the default sysctl parameters on Guix System.

PC/SC Smart Card Daemon Service

The (gnu services security-token) module provides the following service to run pcscd, the PC/SC Smart Card Daemon. pcscd is the daemon program for pcsc-lite and the MuscleCard framework. It is a resource manager that coordinates communications with smart card readers, smart cards and cryptographic tokens that are connected to the system.

Scheme Variable: pcscd-service-type

Service type for the pcscd service. Its value must be a pcscd-configuration object. To run pcscd in the default configuration, instantiate it as:

(service pcscd-service-type)
Data Type: pcscd-configuration

The data type representing the configuration of pcscd.

pcsc-lite (default: pcsc-lite)

The pcsc-lite package that provides pcscd.

usb-drivers (default: (list ccid))

List of packages that provide USB drivers to pcscd. Drivers are expected to be under pcsc/drivers in the store directory of the package.

Lirc Service

The (gnu services lirc) module provides the following service.

Scheme Procedure: lirc-service [#:lirc lirc] [#:device #f] [#:driver #f] [#:config-file #f]  [#:extra-options '()]

Return a service that runs LIRC, a daemon that decodes infrared signals from remote controls.

Optionally, device, driver and config-file (configuration file name) may be specified. See lircd manual for details.

Finally, extra-options is a list of additional command-line options passed to lircd.

Spice Service

The (gnu services spice) module provides the following service.

Scheme Procedure: spice-vdagent-service [#:spice-vdagent]

Returns a service that runs VDAGENT, a daemon that enables sharing the clipboard with a vm and setting the guest display resolution when the graphical console window resizes.

inputattach Service

The inputattach service allows you to use input devices such as Wacom tablets, touchscreens, or joysticks with the Xorg display server.

Scheme Variable: inputattach-service-type

Type of a service that runs inputattach on a device and dispatches events from it.

Data Type: inputattach-configuration
device-type (default: "wacom")

The type of device to connect to. Run inputattach --help, from the inputattach package, to see the list of supported device types.

device (default: "/dev/ttyS0")

The device file to connect to the device.

baud-rate (default: #f)

Baud rate to use for the serial connection. Should be a number or #f.

log-file (default: #f)

If true, this must be the name of a file to log messages to.

Dictionary Service

The (gnu services dict) module provides the following service:

Scheme Variable: dicod-service-type

This is the type of the service that runs the dicod daemon, an implementation of DICT server (see Dicod in GNU Dico Manual).

Scheme Procedure: dicod-service [#:config (dicod-configuration)]

Return a service that runs the dicod daemon, an implementation of DICT server (see Dicod in GNU Dico Manual).

The optional config argument specifies the configuration for dicod, which should be a <dicod-configuration> object, by default it serves the GNU Collaborative International Dictionary of English.

You can add open localhost to your ~/.dico file to make localhost the default server for dico client (see Initialization File in GNU Dico Manual).

Data Type: dicod-configuration

Data type representing the configuration of dicod.

dico (default: dico)

Package object of the GNU Dico dictionary server.

interfaces (default: ’("localhost"))

This is the list of IP addresses and ports and possibly socket file names to listen to (see listen directive in GNU Dico Manual).

handlers (default: ’())

List of <dicod-handler> objects denoting handlers (module instances).

databases (default: (list %dicod-database:gcide))

List of <dicod-database> objects denoting dictionaries to be served.

Data Type: dicod-handler

Data type representing a dictionary handler (module instance).

名字

Name of the handler (module instance).

module (default: #f)

Name of the dicod module of the handler (instance). If it is #f, the module has the same name as the handler. (see Modules in GNU Dico Manual).

options

List of strings or gexps representing the arguments for the module handler

Data Type: dicod-database

Data type representing a dictionary database.

名字

Name of the database, will be used in DICT commands.

handler

Name of the dicod handler (module instance) used by this database (see Handlers in GNU Dico Manual).

complex? (default: #f)

Whether the database configuration complex. The complex configuration will need a corresponding <dicod-handler> object, otherwise not.

options

List of strings or gexps representing the arguments for the database (see Databases in GNU Dico Manual).

Scheme Variable: %dicod-database:gcide

A <dicod-database> object serving the GNU Collaborative International Dictionary of English using the gcide package.

The following is an example dicod-service configuration.

(dicod-service #:config
  (dicod-configuration
   (handlers (list (dicod-handler
                    (name "wordnet")
                    (module "dictorg")
                    (options
                     (list #~(string-append "dbdir=" #$wordnet))))))
   (databases (list (dicod-database
                     (name "wordnet")
                     (complex? #t)
                     (handler "wordnet")
                     (options '("database=wn")))
                    %dicod-database:gcide))))

Docker Service

The (gnu services docker) module provides the following services.

Scheme Variable: docker-service-type

This is the type of the service that runs Docker, a daemon that can execute application bundles (sometimes referred to as “containers”) in isolated environments.

Data Type: docker-configuration

This is the data type representing the configuration of Docker and Containerd.

docker (default: docker)

The Docker daemon package to use.

docker-cli (default: docker-cli)

The Docker client package to use.

containerd (default: containerd)

The Containerd package to use.

proxy (default docker-libnetwork-cmd-proxy)

The Docker user-land networking proxy package to use.

enable-proxy? (default #t)

Enable or disable the use of the Docker user-land networking proxy.

debug? (default #f)

Enable or disable debug output.

enable-iptables? (default #t)

Enable or disable the addition of iptables rules.

environment-variables (default: ())

List of environment variables to set for dockerd.

This must be a list of strings where each string has the form ‘key=value’ as in this example:

(list "LANGUAGE=eo:ca:eu"
      "TMPDIR=/tmp/dockerd")
Scheme Variable: singularity-service-type

This is the type of the service that allows you to run Singularity, a Docker-style tool to create and run application bundles (aka. “containers”). The value for this service is the Singularity package to use.

The service does not install a daemon; instead, it installs helper programs as setuid-root (see setuid程序) such that unprivileged users can invoke singularity run and similar commands.

Auditd Service

The (gnu services auditd) module provides the following service.

Scheme Variable: auditd-service-type

This is the type of the service that runs auditd, a daemon that tracks security-relevant information on your system.

Examples of things that can be tracked:

  1. File accesses
  2. System calls
  3. Invoked commands
  4. Failed login attempts
  5. Firewall filtering
  6. Network access

auditctl from the audit package can be used in order to add or remove events to be tracked (until the next reboot). In order to permanently track events, put the command line arguments of auditctl into a file called audit.rules in the configuration directory (see below). aureport from the audit package can be used in order to view a report of all recorded events. The audit daemon by default logs into the file /var/log/audit.log.

Data Type: auditd-configuration

This is the data type representing the configuration of auditd.

audit (default: audit)

The audit package to use.

configuration-directory (default: %default-auditd-configuration-directory)

The directory containing the configuration file for the audit package, which must be named auditd.conf, and optionally some audit rules to instantiate on startup.

R-Shiny service

The (gnu services science) module provides the following service.

Scheme Variable: rshiny-service-type

This is a type of service which is used to run a webapp created with r-shiny. This service sets the R_LIBS_USER environment variable and runs the provided script to call runApp.

Data Type: rshiny-configuration

This is the data type representing the configuration of rshiny.

package (default: r-shiny)

The package to use.

binary (default "rshiny")

The name of the binary or shell script located at package/bin/ to run when the service is run.

The common way to create this file is as follows:


(let* ((out       (assoc-ref %outputs "out"))
       (targetdir (string-append out "/share/" ,name))
       (app       (string-append out "/bin/" ,name))
       (Rbin      (search-input-file %build-inputs "/bin/Rscript")))
  ;; …
  (mkdir-p (string-append out "/bin"))
  (call-with-output-file app
    (lambda (port)
      (format port
"#!~a
library(shiny)
setwd(\"~a\")
runApp(launch.browser=0, port=4202)~%\n"
      Rbin targetdir))))

Nix service

The (gnu services nix) module provides the following service.

Scheme Variable: nix-service-type

This is the type of the service that runs build daemon of the Nix package manager. Here is an example showing how to use it:

(use-modules (gnu))
(use-service-modules nix)
(use-package-modules package-management)

(operating-system
  ;; …
  (packages (append (list nix)
                    %base-packages))

  (services (append (list (service nix-service-type))
                    %base-services)))

After guix system reconfigure configure Nix for your user:

$ ln -s "/nix/var/nix/profiles/per-user/$USER/profile" ~/.nix-profile
$ source /run/current-system/profile/etc/profile.d/nix.sh
Data Type: nix-configuration

This data type represents the configuration of the Nix daemon.

nix (default: nix)

The Nix package to use.

sandbox (default: #t)

Specifies whether builds are sandboxed by default.

build-sandbox-items (default: '())

This is a list of strings or objects appended to the build-sandbox-items field of the configuration file.

extra-config (default: '())

This is a list of strings or objects appended to the configuration file. It is used to pass extra text to be added verbatim to the configuration file.

extra-options (default: '())

Extra command line options for nix-service-type.

Fail2Ban service

fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IP addresses that show malicious signs – repeated password failures, attempts to make use of exploits, etc.

fail2ban-service-type service type is provided by the (gnu services security) module.

This service type runs the fail2ban daemon. It can be configured in various ways, which are:

Basic configuration

The basic parameters of the Fail2Ban service can be configured via its fail2ban configuration, which is documented below.

User-specified jail extensions

The fail2ban-jail-service function can be used to add new Fail2Ban jails.

Shepherd extension mechanism

Service developers can extend the fail2ban-service-type service type itself via the usual service extension mechanism.

Scheme Variable: fail2ban-service-type

This is the type of the service that runs fail2ban daemon. Below is an example of a basic, explicit configuration:

(append
 (list
  (service fail2ban-service-type
           (fail2ban-configuration
            (extra-jails
             (list
              (fail2ban-jail-configuration
               (name "sshd")
               (enabled? #t))))))
  ;; There is no implicit dependency on an actual SSH
  ;; service, so you need to provide one.
  (service openssh-service-type))
 %base-services)
Scheme Procedure: fail2ban-jail-service svc-type jail

Extend svc-type, a <service-type> object with jail, a fail2ban-jail-configuration object.

For example:

(append
 (list
  (service
   ;; The 'fail2ban-jail-service' procedure can extend any service type
   ;; with a fail2ban jail.  This removes the requirement to explicitly
   ;; extend services with fail2ban-service-type.
   (fail2ban-jail-service
    openssh-service-type
    (fail2ban-jail-configuration
     (name "sshd")
     (enabled? #t)))
   (openssh-configuration ...))))

Below is the reference for the different jail-service-type configuration records.

Data Type: fail2ban-configuration

Available fail2ban-configuration fields are:

fail2ban (default: fail2ban) (type: package)

The fail2ban package to use. It is used for both binaries and as base default configuration that is to be extended with <fail2ban-jail-configuration> objects.

run-directory (default: "/var/run/fail2ban") (type: string)

The state directory for the fail2ban daemon.

jails (default: ()) (type: list-of-fail2ban-jail-configurations)

Instances of <fail2ban-jail-configuration> collected from extensions.

extra-jails (default: ()) (type: list-of-fail2ban-jail-configurations)

Instances of <fail2ban-jail-configuration> explicitly provided.

extra-content (default: ()) (type: text-config)

Extra raw content to add to the end of the jail.local file, provided as a list of file-like objects.

Data Type: fail2ban-ignore-cache-configuration

Available fail2ban-ignore-cache-configuration fields are:

key (type: string)

Cache key.

max-count (type: integer)

Cache size.

max-time (type: integer)

Cache time.

Data Type: fail2ban-jail-action-configuration

Available fail2ban-jail-action-configuration fields are:

name (type: string)

Action name.

arguments (default: ()) (type: list-of-arguments)

Action arguments.

Data Type: fail2ban-jail-configuration

Available fail2ban-jail-configuration fields are:

name (type: string)

Required name of this jail configuration.

enabled? (default: #t) (type: boolean)

Whether this jail is enabled.

backend (type: maybe-symbol)

Backend to use to detect changes in the log-path. The default is ’auto. To consult the defaults of the jail configuration, refer to the /etc/fail2ban/jail.conf file of the fail2ban package.

max-retry (type: maybe-integer)

The number of failures before a host get banned (e.g. (max-retry 5)).

max-matches (type: maybe-integer)

The number of matches stored in ticket (resolvable via tag <matches>) in action.

find-time (type: maybe-string)

The time window during which the maximum retry count must be reached for an IP address to be banned. A host is banned if it has generated max-retry during the last find-time seconds (e.g. (find-time "10m")). It can be provided in seconds or using Fail2Ban’s "time abbreviation format", as described in man 5 jail.conf.

ban-time (type: maybe-string)

The duration, in seconds or time abbreviated format, that a ban should last. (e.g. (ban-time "10m")).

ban-time-increment? (type: maybe-boolean)

Whether to consider past bans to compute increases to the default ban time of a specific IP address.

ban-time-factor (type: maybe-string)

The coefficient to use to compute an exponentially growing ban time.

ban-time-formula (type: maybe-string)

This is the formula used to calculate the next value of a ban time.

ban-time-multipliers (type: maybe-string)

Used to calculate next value of ban time instead of formula.

ban-time-max-time (type: maybe-string)

The maximum number of seconds a ban should last.

ban-time-rnd-time (type: maybe-string)

The maximum number of seconds a randomized ban time should last. This can be useful to stop “clever” botnets calculating the exact time an IP address can be unbanned again.

ban-time-overall-jails? (type: maybe-boolean)

When true, it specifies the search of an IP address in the database should be made across all jails. Otherwise, only the current jail of the ban IP address is considered.

ignore-self? (type: maybe-boolean)

Never ban the local machine’s own IP address.

ignore-ip (default: ()) (type: list-of-strings)

A list of IP addresses, CIDR masks or DNS hosts to ignore. fail2ban will not ban a host which matches an address in this list.

ignore-cache (type: maybe-fail2ban-ignore-cache-configuration)

Provide cache parameters for the ignore failure check.

filter (type: maybe-fail2ban-jail-filter-configuration)

The filter to use by the jail, specified via a <fail2ban-jail-filter-configuration> object. By default, jails have names matching their filter name.

log-time-zone (type: maybe-string)

The default time zone for log lines that do not have one.

log-encoding (type: maybe-symbol)

The encoding of the log files handled by the jail. Possible values are: 'ascii, 'utf-8 and 'auto.

log-path (default: ()) (type: list-of-strings)

The file names of the log files to be monitored.

action (default: ()) (type: list-of-fail2ban-jail-actions)

A list of <fail2ban-jail-action-configuration>.

extra-content (default: ()) (type: text-config)

Extra content for the jail configuration, provided as a list of file-like objects.

Data Type: fail2ban-jail-filter-configuration

Available fail2ban-jail-filter-configuration fields are:

name (type: string)

Filter to use.

mode (type: maybe-string)

Mode for filter.


Previous: Hurd Services, Up: 服务   [Contents][Index]