Supervisor

[bluejekyll]

This will be the initial binary to implement, please see https://github.com/bluejekyll/vermilion/issues/2#issuecomment-554667565.

Requirements:

• MUST execute as a sibling, i.e., the same privileges as the supervised Process (see Biba Model)
• In the Vermilion Execution Model, the Supervisor SHOULD be untrusted and unprivileged.
• MAY restart failed Process
• MAY offer additional capability constraints on the Process, but all required constraints should be applied by the Launcher process (see #2)
• SHOULD acquire stderr/stdout from the Process and forward to Logger, this can be disabled for independent use
• MUST be capable of running the Leader (see #2), i.e. no design choices should preclude the Leader's being supervised by this tool
• MUST listen for events from the IPC (see #2), and perform the action of starting/restarting the Process.
• MUST allow for independent operation where the supervisor is functional without the suite of Vermilion
• MAY allow for partial usage of tools in Vermilion, but this is not a goal.
• When in independent operation, MUST deny usage of IPC channels.
• SHOULD be able to control processes that fork, and clean up all artifacts of those processes (may be OS dependent)
• MAY provide diagnostic and usage metrics of the Process.
• SHOULD have minimal differences in process management of the Process via independent operation and/or Vermilion operation, e.g. independent operation will probably be built around signal handling, but this should have minimal difference in the entry into the control mechanisms from that of the IPC based control.
• MUST cryptographically verify all IPC messages (signals will be implicitly trusted as coming from a sibling or more privileged user)

Questions:

• The configuration for the supervisor is distinct from the Launcher, should probably be separate files?
• The Supervisor will need access to executables for start/stop/restart scripts, how should this be exposed in the capabilities provided by the Launcher?
• What do we do with stdin, just forward it?
• How should the supervisor deal with child processes that fork?
• This will require some amount of signal handling, should the IPC system also rely on that for operations? (i'm thinking no)

Notes:

• Launcher: the privileged process capable of performing operations like setuid/setgid and launching supervisors
• Process: the process that will be supervised by this tool
• Logger: a different tool for aggregating log events and forwarding on to other locations (like a file or a remote aggregator)
• IPC: as yet undefined event bus for control of the process.

[bluejekyll]

This is not a complete list, but the stuff I could think of right now.