ig: add daemon mode #2078
ig: add daemon mode #2078
Conversation
flyth
force-pushed
the
michael/ig-daemon
branch
4 times, most recently
from
abaf5e5
to
ada23a9
Compare
flyth
requested review from
mauriciovasquezbernal,
blanquicet,
alban and
eiffel-fl
as code owners
|
How do I specify the unix socket to connect to? It takes 30 seconds to print the error. The column line is printed immediately, leading the user to think there is no problem for 30 seconds. It needs a version command: |
I expected it to be
Thanks, will add it! |
cmd/ig/daemon.go
Outdated
|
|
||
| func addDaemonCommand(rootCmd *cobra.Command, runtime runtime.Runtime) { | ||
| daemonCmd := &cobra.Command{ | ||
| Use: "daemon", |
There was a problem hiding this comment.
I'm wondering about the meaning of daemon here. From wikipedia it's defined as "computer program that runs as a background process, rather than being under the direct control of an interactive user", but in this PR is used more like a server. Should we call it server instead of daemon? /cc @alban
There was a problem hiding this comment.
Hmm, I think in its current state "server" would indeed be a better choice, as it just serves requests and doesn't do any background running of things. With the long running gadgets that will however change again and things will indeed run in the background and you just control using what exactly that is using the socket (in addition to still be able to use it as a "server").
There was a problem hiding this comment.
What will be the daemon behaviour in the future? Will it fork and run in background? (Somehow related to Jose's comment in #2078 (comment))
Ideally the solution will be to have an gadgetd / igd and gadgetctl binaries, but we also want it to be able to work alone. I think the current solution is good enough, just be sure to document what daemon is about.
There was a problem hiding this comment.
I also agree with this comment as I tend to see daemon as software calling daemon() or following man daemon.7.
As ig daemon remains in the foreground, it does not really follow the daemon definition.
So, it depends it we want to make it a daemon in the future?
There was a problem hiding this comment.
Probably it can still be called server and the matter it's a daemon or not is controlled by systemd?, i.e. we don't provide an option to run as a daemon directly. WDYT?
/cc @alban @blanquicet pinging you folks to consolidate the discussion on this thread.
There was a problem hiding this comment.
I agree: let's call the CLI command "ig server" and let's run this in the foreground.
If ever needed later, we could add an option "ig server -d" to run in the background, but that should not be necessary with systemd, so I prefer not to add that in this PR.
There was a problem hiding this comment.
I don't have a strong opinion on this, but it seems™ like right now it's behaving the same as dockerd.
|
I also think there is something off with the timeout, |
cmd/ig/daemon.go
Outdated
| "github.com/inspektor-gadget/inspektor-gadget/pkg/runtime" | ||
| ) | ||
|
|
||
| func addDaemonCommand(rootCmd *cobra.Command, runtime runtime.Runtime) { |
There was a problem hiding this comment.
I don't know, but I was expecting this to be run in the background by default.
There was a problem hiding this comment.
You mean ig should fork itself and stay active in the background with the foreground process exiting? I think we just need a proper service definition that starts ig daemon - that way logging is also routed through systemd (or whatever).
There was a problem hiding this comment.
I agree, running ig as a server should not "daemonize" (fork/detach from terminal) by default, so it is easier to integrate with systemd.
pkg/runtime/grpc/grpc-runtime.go
Outdated
| } | ||
| targets = append(targets, target{ | ||
| name: t, | ||
| node: purl.Hostname(), |
There was a problem hiding this comment.
Mmmm, the node is always empty for me. What does node represent in the direct mode?
There was a problem hiding this comment.
Yeah, that's true for local unix socket connections (unix:///path/to/socket is missing a hostname); if you'd use tcp, this would be the IP or hostname. Should we use a hardcoded "localhost" when hostname is empty?
There was a problem hiding this comment.
This target works very well for kubernetes, there you have a pod and node, but for connection mode direct it's confusing. I'll say to leave the node empty and to udpate all debug / error messages to only include it if it's not empty.
There was a problem hiding this comment.
I've changed it so that for unix sockets it'll now say "local" and for tcp targets it will be the target hostname.
flyth
force-pushed
the
michael/ig-daemon
branch
3 times, most recently
from
c09b97b
to
a01d20d
Compare
flyth
force-pushed
the
michael/ig-daemon
branch
2 times, most recently
from
b8756aa
to
39cf7a6
Compare
pkg/gadget-service/service.go
Outdated
| // If the given path is the default, try to create it and change permissions; if it's not the default, it is | ||
| // up to the user to manage it |
There was a problem hiding this comment.
I do totally agree with you but maybe an improved error message like:
return nil, fmt.Errorf("listening address %q, got: %w\nMaybe you forgot to create the socket?", address, err)To indicate the user a potential problem.
There was a problem hiding this comment.
You mean for listener, err := net.Listen(network, address)? There could be several reasons for that to fail (permissions, missing dir, ...), but you're right, it's missing the info on what it tried to do, so changing it to:
return nil, fmt.Errorf("creating listener of type %q at %q: %w", network, address, err)
|
I tested it and got this behavior: It is OK, but it should rather explode yelling I should be root? |
pkg/gadget-service/service.go
Outdated
| return fmt.Errorf("creating unix listener: %w", err) | ||
| } | ||
| s.listener = listener | ||
| default: |
There was a problem hiding this comment.
I think it's fine to have this default here, but them comment on L45 (SocketType) should be updated.
There was a problem hiding this comment.
Actually, I think it's better to have a "tcp" case here and make the default return an error. (Will leave the default case at the bottom ;))
pkg/runtime/grpc/grpc-runtime.go
Outdated
| } | ||
| targets = append(targets, target{ | ||
| name: t, | ||
| node: purl.Hostname(), |
There was a problem hiding this comment.
This target works very well for kubernetes, there you have a pod and node, but for connection mode direct it's confusing. I'll say to leave the node empty and to udpate all debug / error messages to only include it if it's not empty.
flyth
force-pushed
the
michael/ig-daemon
branch
2 times, most recently
from
8632162
to
974736c
Compare
I'm not sure I fully understand the issue here. Did you specify a valid user group like this:
That should now work again: ./ig daemon -H tcp://127.0.0.1:9999./gadgetctl trace open --remote-address tcp://127.0.0.1:9999 |
flyth
force-pushed
the
michael/ig-daemon
branch
from
974736c
to
17ef30f
Compare
I ran
OK, I will take a look. |
There was a problem hiding this comment.
EDIT 2: Apply the following and it does the trick:
diff --git a/cmd/ig/daemon.go b/cmd/ig/daemon.go
index f7624294..461894a6 100644
--- a/cmd/ig/daemon.go
+++ b/cmd/ig/daemon.go
@@ -67,13 +67,13 @@ func newDaemonCommand(runtime runtime.Runtime) *cobra.Command {
}
gid := 0
- if tmpGroup, err := user.LookupGroup(group); err == nil {
+ if tmpGid, err := strconv.Atoi(group); err == nil {
+ gid = tmpGid
+ } else if tmpGroup, err := user.LookupGroup(group); err == nil {
gid, err = strconv.Atoi(tmpGroup.Gid)
if err != nil {
return fmt.Errorf("unexpected non-numeric group id %q for group %q", tmpGroup.Gid, group)
}
- } else if tmpGid, err := strconv.Atoi(group); err == nil {
- gid = tmpGid
} else {
return fmt.Errorf("group %q not found", group)
}I will take a look to see if there is a problem upstream.
I tried using -G and I am getting this error:
francis@pwmachine:~/Codes/kinvolk/inspektor-gadget$ sudo ./ig daemon -G 42 michael/ig-daemon *% u=
fatal error: unexpected signal during runtime execution
[signal SIGFPE: floating-point exception code=0x1 addr=0x7f376a375d69 pc=0x7f376a375d69]
runtime stack:
runtime.throw({0x2bae339?, 0x215bd1a?})
/usr/local/go/src/runtime/panic.go:1047 +0x5d fp=0x7ffdecb4d260 sp=0x7ffdecb4d230 pc=0x43cadd
runtime.sigpanic()
/usr/local/go/src/runtime/signal_unix.go:823 +0x369 fp=0x7ffdecb4d2b0 sp=0x7ffdecb4d260 pc=0x453549
goroutine 1 [syscall]:
runtime.cgocall(0x20cd6b0, 0xc0008bfa00)
/usr/local/go/src/runtime/cgocall.go:158 +0x5c fp=0xc0008bf9d8 sp=0xc0008bf9a0 pc=0x40597c
os/user._Cfunc_mygetgrnam_r(0xc0003fd250, 0xc000712920, 0x5a02ee0, 0x400, 0xc000598ac8)
_cgo_gotypes.go:126 +0x4c fp=0xc0008bfa00 sp=0xc0008bf9d8 pc=0x51a22c
os/user.lookupGroup.func1.1({0xc0003fd250, 0x10?, 0x49d66a0?}, 0xc0003fd250?, 0x0?, 0x40f9a7?)
/usr/local/go/src/os/user/cgo_lookup_unix.go:143 +0xbb fp=0xc0008bfa60 sp=0xc0008bfa00 pc=0x51b6fb
os/user.lookupGroup.func1()
/usr/local/go/src/os/user/cgo_lookup_unix.go:143 +0x31 fp=0xc0008bfaa0 sp=0xc0008bfa60 pc=0x51b611
os/user.retryWithBuffer(0xc00061b660, 0xc0008bfb90)
/usr/local/go/src/os/user/cgo_lookup_unix.go:244 +0x39 fp=0xc0008bfae8 sp=0xc0008bfaa0 pc=0x51c0f9
os/user.lookupGroup({0x7ffdecb4e897, 0x2})
/usr/local/go/src/os/user/cgo_lookup_unix.go:138 +0x169 fp=0xc0008bfbe0 sp=0xc0008bfae8 pc=0x51b409
os/user.LookupGroup(...)
/usr/local/go/src/os/user/lookup.go:51
main.newDaemonCommand.func1(0xc0005bd200?, {0xc000712900?, 0x2?, 0x2?})
/go/src/github.com/inspektor-gadget/inspektor-gadget/cmd/ig/daemon.go:71 +0x1f9 fp=0xc0008bfd08 sp=0xc0008bfbe0 pc=0x20cd019
github.com/spf13/cobra.(*Command).execute(0xc0005bd200, {0xc0007128e0, 0x2, 0x2})
/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:940 +0x862 fp=0xc0008bfe40 sp=0xc0008bfd08 pc=0x615162
github.com/spf13/cobra.(*Command).ExecuteC(0xc0003e2300)
/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3bd fp=0xc0008bfef8 sp=0xc0008bfe40 pc=0x615a5d
github.com/spf13/cobra.(*Command).Execute(...)
/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:992
main.main()
/go/src/github.com/inspektor-gadget/inspektor-gadget/cmd/ig/main.go:72 +0x239 fp=0xc0008bff80 sp=0xc0008bfef8 pc=0x20cd5f9
runtime.main()
/usr/local/go/src/runtime/proc.go:250 +0x212 fp=0xc0008bffe0 sp=0xc0008bff80 pc=0x43f752
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc0008bffe8 sp=0xc0008bffe0 pc=0x46f581
goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000084fb0 sp=0xc000084f90 pc=0x43fb16
runtime.goparkunlock(...)
/usr/local/go/src/runtime/proc.go:369
runtime.forcegchelper()
/usr/local/go/src/runtime/proc.go:302 +0xad fp=0xc000084fe0 sp=0xc000084fb0 pc=0x43f9ad
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc000084fe8 sp=0xc000084fe0 pc=0x46f581
created by runtime.init.6
/usr/local/go/src/runtime/proc.go:290 +0x25
goroutine 18 [GC sweep wait]:
runtime.gopark(0x1?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000080790 sp=0xc000080770 pc=0x43fb16
runtime.goparkunlock(...)
/usr/local/go/src/runtime/proc.go:369
runtime.bgsweep(0x0?)
/usr/local/go/src/runtime/mgcsweep.go:297 +0xd7 fp=0xc0000807c8 sp=0xc000080790 pc=0x4297b7
runtime.gcenable.func1()
/usr/local/go/src/runtime/mgc.go:178 +0x26 fp=0xc0000807e0 sp=0xc0000807c8 pc=0x41e346
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc0000807e8 sp=0xc0000807e0 pc=0x46f581
created by runtime.gcenable
/usr/local/go/src/runtime/mgc.go:178 +0x6b
goroutine 19 [GC scavenge wait]:
runtime.gopark(0xc00010e000?, 0x30dad28?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000080f70 sp=0xc000080f50 pc=0x43fb16
runtime.goparkunlock(...)
/usr/local/go/src/runtime/proc.go:369
runtime.(*scavengerState).park(0x49d54e0)
/usr/local/go/src/runtime/mgcscavenge.go:389 +0x53 fp=0xc000080fa0 sp=0xc000080f70 pc=0x427793
runtime.bgscavenge(0x0?)
/usr/local/go/src/runtime/mgcscavenge.go:622 +0x65 fp=0xc000080fc8 sp=0xc000080fa0 pc=0x427da5
runtime.gcenable.func2()
/usr/local/go/src/runtime/mgc.go:179 +0x26 fp=0xc000080fe0 sp=0xc000080fc8 pc=0x41e2e6
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc000080fe8 sp=0xc000080fe0 pc=0x46f581
created by runtime.gcenable
/usr/local/go/src/runtime/mgc.go:179 +0xaa
goroutine 3 [finalizer wait]:
runtime.gopark(0x49d66a0?, 0xc000007520?, 0x0?, 0x0?, 0xc000084770?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000084628 sp=0xc000084608 pc=0x43fb16
runtime.goparkunlock(...)
/usr/local/go/src/runtime/proc.go:369
runtime.runfinq()
/usr/local/go/src/runtime/mfinal.go:180 +0x10f fp=0xc0000847e0 sp=0xc000084628 pc=0x41d3cf
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc0000847e8 sp=0xc0000847e0 pc=0x46f581
created by runtime.createfing
/usr/local/go/src/runtime/mfinal.go:157 +0x45
goroutine 4 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000085750 sp=0xc000085730 pc=0x43fb16
runtime.gcBgMarkWorker()
/usr/local/go/src/runtime/mgc.go:1235 +0xf1 fp=0xc0000857e0 sp=0xc000085750 pc=0x420491
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc0000857e8 sp=0xc0000857e0 pc=0x46f581
created by runtime.gcBgMarkStartWorkers
/usr/local/go/src/runtime/mgc.go:1159 +0x25
goroutine 20 [GC worker (idle)]:
runtime.gopark(0x621af85e9e1?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000081750 sp=0xc000081730 pc=0x43fb16
runtime.gcBgMarkWorker()
/usr/local/go/src/runtime/mgc.go:1235 +0xf1 fp=0xc0000817e0 sp=0xc000081750 pc=0x420491
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc0000817e8 sp=0xc0000817e0 pc=0x46f581
created by runtime.gcBgMarkStartWorkers
/usr/local/go/src/runtime/mgc.go:1159 +0x25
goroutine 21 [GC worker (idle)]:
runtime.gopark(0x621af86b3df?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000081f50 sp=0xc000081f30 pc=0x43fb16
runtime.gcBgMarkWorker()
/usr/local/go/src/runtime/mgc.go:1235 +0xf1 fp=0xc000081fe0 sp=0xc000081f50 pc=0x420491
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc000081fe8 sp=0xc000081fe0 pc=0x46f581
created by runtime.gcBgMarkStartWorkers
/usr/local/go/src/runtime/mgc.go:1159 +0x25
goroutine 5 [GC worker (idle)]:
runtime.gopark(0x621af85e367?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000085f50 sp=0xc000085f30 pc=0x43fb16
runtime.gcBgMarkWorker()
/usr/local/go/src/runtime/mgc.go:1235 +0xf1 fp=0xc000085fe0 sp=0xc000085f50 pc=0x420491
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc000085fe8 sp=0xc000085fe0 pc=0x46f581
created by runtime.gcBgMarkStartWorkers
/usr/local/go/src/runtime/mgc.go:1159 +0x25
goroutine 6 [GC worker (idle)]:
runtime.gopark(0x621af85aafc?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000086750 sp=0xc000086730 pc=0x43fb16
runtime.gcBgMarkWorker()
/usr/local/go/src/runtime/mgc.go:1235 +0xf1 fp=0xc0000867e0 sp=0xc000086750 pc=0x420491
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc0000867e8 sp=0xc0000867e0 pc=0x46f581
created by runtime.gcBgMarkStartWorkers
/usr/local/go/src/runtime/mgc.go:1159 +0x25
goroutine 34 [GC worker (idle)]:
runtime.gopark(0x621af875b6a?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000508750 sp=0xc000508730 pc=0x43fb16
runtime.gcBgMarkWorker()
/usr/local/go/src/runtime/mgc.go:1235 +0xf1 fp=0xc0005087e0 sp=0xc000508750 pc=0x420491
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc0005087e8 sp=0xc0005087e0 pc=0x46f581
created by runtime.gcBgMarkStartWorkers
/usr/local/go/src/runtime/mgc.go:1159 +0x25
goroutine 35 [GC worker (idle)]:
runtime.gopark(0x621af85a5ce?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000508f50 sp=0xc000508f30 pc=0x43fb16
runtime.gcBgMarkWorker()
/usr/local/go/src/runtime/mgc.go:1235 +0xf1 fp=0xc000508fe0 sp=0xc000508f50 pc=0x420491
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc000508fe8 sp=0xc000508fe0 pc=0x46f581
created by runtime.gcBgMarkStartWorkers
/usr/local/go/src/runtime/mgc.go:1159 +0x25
goroutine 36 [GC worker (idle)]:
runtime.gopark(0x621af85f2ca?, 0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/go/src/runtime/proc.go:363 +0xd6 fp=0xc000509750 sp=0xc000509730 pc=0x43fb16
runtime.gcBgMarkWorker()
/usr/local/go/src/runtime/mgc.go:1235 +0xf1 fp=0xc0005097e0 sp=0xc000509750 pc=0x420491
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc0005097e8 sp=0xc0005097e0 pc=0x46f581
created by runtime.gcBgMarkStartWorkers
/usr/local/go/src/runtime/mgc.go:1159 +0x25Note that, I got this with any group ID.
I do not know if this on our side or not...
It comes from here but I do not see anything wrong:
b9691f9#diff-9d3ae444cb907b9257ef6dfc4124c9b9df6bf3562f3bac164be73b06765292e9R70
EDIT: I also got it without the option, i.e. sudo ig daemon.
|
OK, it works well for the francis@pwmachine:~/Codes/kinvolk/inspektor-gadget$ ./gadgetctl trace open --host michael/ig-daemon *% u=
Error: unknown flag: --hostThis can be addressed later, as it would mean porting I also tried the |
flyth
force-pushed
the
michael/ig-daemon
branch
from
ae2c211
to
e91f814
Compare
flyth
force-pushed
the
michael/ig-daemon
branch
from
e91f814
to
aa13921
Compare
Global runtime flags have previously not been used but they will be used by gadgetctl for now. However, gadgetctl will register those flags on the root command level and not per-gadget. This change exports AddFlags so that it is available to the main packages and removes registering it in AddCommandFromRegistry to avoid duplicate params. Signed-off-by: Michael Friese <mfriese@microsoft.com>
…ckets This adds a RunConfig, which allows to configure the service to listen on a tcp socket instead of just a previously used unix socket. In addition, this now allows specifying a group id, which will then be used as the gid for the unix socket to allow access to it using a usergroup. Signed-off-by: Michael Friese <mfriese@microsoft.com>
The version and sync commands will be used in multiple binaries. In order to reduce code, this moves the commands to the common package. Signed-off-by: Michael Friese <mfriese@microsoft.com>
This adds a daemon mode to ig; ig will listen on either a unix or tcp socket for incoming gRPC requests that it will then execute. This allows using ig as a service rather than starting it individually for every gadget. A new binary will be added to be able to serve as a client. Signed-off-by: Michael Friese <mfriese@microsoft.com>
Prior to this change, we'd always tunnel connections to our gRPC service through the k8s API server. This allows a "direct mode" that will instead directly connect to one or multiple gRPC endpoints. Signed-off-by: Michael Friese <mfriese@microsoft.com>
flyth
force-pushed
the
michael/ig-daemon
branch
from
aa13921
to
0df4c6b
Compare
This change introduces a new binary (for now called `gadgetctl`), to serve as the client for ig that is run in daemon mode. The connection is handled by the grpc-runtime, that has been extended to allow direct connections to gRPC endpoints in addition to proxied connections through the kubernetes API server. Signed-off-by: Michael Friese <mfriese@microsoft.com>
Signed-off-by: Michael Friese <mfriese@microsoft.com>
This adds explanations on how to use ig in combination with gadgetctl, both using unix sockets (with an unprivileged user) and tcp sockets. Signed-off-by: Michael Friese <mfriese@microsoft.com>
flyth
force-pushed
the
michael/ig-daemon
branch
from
0df4c6b
to
7825426
Compare
|
Thanks for the reviews! |
| } | ||
| client := api.NewGadgetManagerClient(conn) | ||
| defer conn.Close() |
There was a problem hiding this comment.
When is conn closed? I think getClientFromRandomTarget should return the connection instead of the client, so the caller has the opportunity to call defer conn.Close(). (opened #2092 to fix it)
This adds support to run
igin daemon mode as a service. A new binary calledgadgetctlhas been added to serve as a client forigrunning in said daemon mode. By default, ig listens on a unix socket when started with./ig daemonandgadgetctluses that same socket to connect to by default.The
grpc-runtimehas been changed to also allow direct gRPC connections - still: most of the code is shared.Running as root
First terminal
Second terminal
Daemon as root, gadgetctl as other user
Use the gid of a group that you want to have access to the service.
First terminal (as root)
Second terminal (as member of group 1000)
Todos:
Resolves #1681
Requires #2067