In systemd we started to do more and more Varlink IPC (instead of or in addition to D-Bus), and you might wonder what that is all about. In this AllSystemsGo talk I try to explain things a bit, enjoy: https://media.ccc.de/v/all-systems-go-2024-276-varlink-now-
-
Sebastian Wick replied to Lennart Poettering
@pid_eins I didn't quite catch it: polkit does varlink?
-
Lennart Poettering replied to Sebastian Wick
@swick nope. it would be good if polkit was accessible via varlink, and we'd not have to involve dbus for it. But you can authenticate non-dbus stuff with polkit just fine, and we use that for our varlink services that shall check polkit for authorization: they just fire a short-lived dbus connection to polkit.
Given that polkit is an optional and late boot component we generally treat its (or dbus') unavailability as a reason to return EPERM.
-
Lennart Poettering replied to Lennart Poettering
@swick or in other words: the fact that we have to use dbus to get an answer from polkit when we need to check some varlink client for authorization is entirely hidden.
-
Sebastian Wick replied to Lennart Poettering
@pid_eins makes sense but is just a bit awkward I guess.
The observability issue is real though. There needs to be a tool which can capture and show both dbus and varlink at the same time. There is also no support in glib yet and the rust implementation doesn't do async, only works with codegen via the IDL and I couldn't figure out how to get a pidfd from the API which made it impossible to authenticate anything...
-
Lennart Poettering replied to Sebastian Wick
@swick well, for varlink "strace" is pretty fantastic, to see what's going on. it's one of the reasons i love varlink: my straces tell me exactly what is going on, directly readable.
Cannot comment on the rust bindings. And yes, pretty sure they predated pidfd being a thing.
-
-
@pid_eins @swick (for my use case I don’t need PID - UID suffices)
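Added example, not part of the thread and not systemd's code: a Linux AF_UNIX service reads the peer's kernel-recorded UID with `SO_PEERCRED` and fails closed with EPERM when the policy backend cannot answer, as the thread describes for polkit. `authorize`, `ask_policy`, `PolicyUnavailable` and `trusted_uids` are hypothetical names chosen for illustration.

```python
import errno
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid
_UCRED = struct.Struct("iII")


def peer_credentials(conn: socket.socket) -> tuple[int, int, int]:
    """Return (pid, uid, gid) the kernel recorded for the peer of an AF_UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


class PolicyUnavailable(Exception):
    """Hypothetical: the policy daemon (or the bus used to reach it) is not there."""


def authorize(conn, action, ask_policy, trusted_uids=frozenset({0})):
    """Return 0 if the peer may perform `action`, otherwise errno.EPERM.

    ask_policy(uid, pid, action) -> bool is a hypothetical stand-in for the
    policy query. The UID comes from the kernel, never from the request body.
    A bare PID can be recycled between connect and check, which is why a pidfd
    is preferred when the backend needs to identify the process itself.
    """
    try:
        pid, uid, _gid = peer_credentials(conn)
    except OSError:
        return errno.EPERM          # no credentials, no access
    if uid in trusted_uids:
        return 0                    # UID alone suffices for this rule
    try:
        allowed = ask_policy(uid, pid, action)
    except (PolicyUnavailable, OSError):
        return errno.EPERM          # backend unavailable: fail closed
    return 0 if allowed is True else errno.EPERM
```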