Running mandos in a container without dbus: small code change request
Teddy Hogeborn
teddy at recompile.se
Sun Sep 22 19:56:52 CEST 2024
Mike Klein <mike at kleinnet.com> writes:
> Mandos is distributed in .deb packages. I have an AWS EC2 instance
> running Amazon Linux whose package manager is yum-based (or dnf). I
> wanted to get Mandos running on this instance. Instead of building
> from scratch in the instance, I decided to try to run it in a Docker
> container that is based on a Debian image. It took a while but is now
> working.
If you want to try to follow the ancient rituals and install it from
source, then retrieve the source tree, edit the Makefile and uncomment
the section where it says "Use these settings for a traditional
/usr/local install", and comment out the following section titled "These
settings are for a package-type install". Then a simple "make
install-server" should install the Mandos server in /usr/local,
/etc/mandos, /var/lib/mandos, and /etc/dbus-1/system.d.
> I am writing this because there is one code change in the main
> /usr/sbin/mandos program that needs to be made. The main issue is that
> getting dbus running in a container is some extra work, and if the
> Mandos configuration file sets the port, and disables use_dbus and
> zeroconf, it should work. However, there is one line of code in
> /usr/sbin/mandos that calls dbus.SystemBus whether or not use_dbus or
> zeroconf are set, and this causes an exception when dbus is not
> available. Protecting that call with “if use_dbus or zeroconf:” fixes
> this exception, and Mandos is running perfectly within this instance.
>
> Would it be possible to update mandos with this change? It is around
> line 3240-3250 in /usr/sbin/mandos depending on the specific
> version. Note that just about 20 lines after this, a call using the
> dbus instance is protected by “if use_dbus:”.
>
> Here is the patch fragment for the change I made on my version (1.8.17):
>
> --- mandos 2024-09-21 12:12:37.993323770 -0700
> +++ mandos.orig 2024-09-21 12:11:56.483110574 -0700
> @@ -3243,8 +3243,7 @@
> # From the Avahi example code
> DBusGMainLoop(set_as_default=True)
> main_loop = GLib.MainLoop()
> - if use_dbus or zeroconf:
> - bus = dbus.SystemBus()
> + bus = dbus.SystemBus()
> # End of Avahi example code
> if use_dbus:
> try:
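Review bot: The diff direction is reversed: the `---` side is the modified mandos and the `+++` side is mandos.orig, so applying it as posted removes the `if use_dbus or zeroconf:` guard instead of adding it; regenerating it with the original file first (`diff -u mandos.orig mandos`) avoids that. With the guard in place, `bus` is never bound when both use_dbus and zeroconf are off, so consider assigning `bus = None` before the `if` and confirming that every later use of `bus` sits inside a `use_dbus` or `zeroconf` branch, such as the `if use_dbus:` that follows in the context lines.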
Thank you! Applied in trunk (reversed).
> BTW the Dockerfile that builds the image that runs is below, in case
> anyone else wants to try. It has dbus in it because the mandos package
> lists python3-dbus as a dependency. In the Dockerfile I’m commenting
> out the offending line.
Do you mean that the Mandos server is running without python3-dbus
installed? I don't see how that is possible; we "import dbus" and use
the dbus module all over the place, even if we don't connect to the
D-Bus unless use_dbus or zeroconf is set (using your patch).
/Teddy Hogeborn
--
The Mandos Project
https://www.recompile.se/mandos