colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ffe6b959a1
nixpkgs/nixos/modules/system/boot/systemd-lib.nix

218 lines
7.0 KiB
Nix
Raw Normal View History

Fix #7476
2015-04-20 09:31:17 +00:00
{ config, lib, pkgs }:
with lib;
nixos/systemd-lib: fix conflict with dbus.service.d directory When a package contains a directory in one of the systemd directories (like flatpak does), it is symlinked into the *-units derivation. Then later, the derivation will try to create the directory, which will fail: mkdir: cannot create directory '/nix/store/…-user-units/dbus.service.d': File exists builder for '/nix/store/…-user-units.drv' failed with exit code 1 Closes: #33233
2018-01-03 10:57:29 +00:00
let
cfg = config.systemd;
lndir = "${pkgs.xorg.lndir}/bin/lndir";
in rec {
Fix #7476
2015-04-20 09:31:17 +00:00
shellEscape = s: (replaceChars [ "\\" ] [ "\\\\" ] s);
nixos: Add 'chroot' options to systemd.services Currently, if you want to properly chroot a systemd service, you could do it using BindReadOnlyPaths=/nix/store (which is not what I'd call "properly", because the whole store is still accessible) or use a separate derivation that gathers the runtime closure of the service you want to chroot. The former is the easier method and there is also a method directly offered by systemd, called ProtectSystem, which still leaves the whole store accessible. The latter however is a bit more involved, because you need to bind-mount each store path of the runtime closure of the service you want to chroot. This can be achieved using pkgs.closureInfo and a small derivation that packs everything into a systemd unit, which later can be added to systemd.packages. That's also what I did several times[1][2] in the past. However, this process got a bit tedious, so I decided that it would be generally useful for NixOS, so this very implementation was born. Now if you want to chroot a systemd service, all you need to do is: { systemd.services.yourservice = { description = "My Shiny Service"; wantedBy = [ "multi-user.target" ]; chroot.enable = true; serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice"; }; } If more than the dependencies for the ExecStart* and ExecStop* (which btw. also includes "script" and {pre,post}Start) need to be in the chroot, it can be specified using the chroot.packages option. By default (which uses the "full-apivfs"[3] confinement mode), a user namespace is set up as well and /proc, /sys and /dev are mounted appropriately. In addition - and by default - a /bin/sh executable is provided as well, which is useful for most programs that use the system() C library call to execute commands via shell. The shell providing /bin/sh is dash instead of the default in NixOS (which is bash), because it's way more lightweight and after all we're chrooting because we want to lower the attack surface and it should be only used for "/bin/sh -c something". Prior to submitting this here, I did a first implementation of this outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality from systemd-lib.nix, just because it's only a single line. However, I decided to just re-use the one from systemd here and subsequently made it available when importing systemd-lib.nix, so that the systemd-chroot implementation also benefits from fixes to that functionality (which is now a proper function). Unfortunately, we do have a few limitations as well. The first being that DynamicUser doesn't work in conjunction with tmpfs, because it already sets up a tmpfs in a different path and simply ignores the one we define. We could probably solve this by detecting it and try to bind-mount our paths to that different path whenever DynamicUser is enabled. The second limitation/issue is that RootDirectoryStartOnly doesn't work right now, because it only affects the RootDirectory option and not the individual bind mounts or our tmpfs. It would be helpful if systemd would have a way to disable specific bind mounts as well or at least have some way to ignore failures for the bind mounts/tmpfs setup. Another quirk we do have right now is that systemd tries to create a /usr directory within the chroot, which subsequently fails. Fortunately, this is just an ugly error and not a hard failure. [1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62 [2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124 [3]: The reason this is called "full-apivfs" instead of just "full" is to make room for a *real* "full" confinement mode, which is more restrictive even. [4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix Signed-off-by: aszlig <aszlig@nix.build>
2019-03-10 11:21:55 +00:00
mkPathSafeName = lib.replaceChars ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""];
Fix #7476
2015-04-20 09:31:17 +00:00
makeUnit = name: unit:
if unit.enable then
nixos: Add 'chroot' options to systemd.services Currently, if you want to properly chroot a systemd service, you could do it using BindReadOnlyPaths=/nix/store (which is not what I'd call "properly", because the whole store is still accessible) or use a separate derivation that gathers the runtime closure of the service you want to chroot. The former is the easier method and there is also a method directly offered by systemd, called ProtectSystem, which still leaves the whole store accessible. The latter however is a bit more involved, because you need to bind-mount each store path of the runtime closure of the service you want to chroot. This can be achieved using pkgs.closureInfo and a small derivation that packs everything into a systemd unit, which later can be added to systemd.packages. That's also what I did several times[1][2] in the past. However, this process got a bit tedious, so I decided that it would be generally useful for NixOS, so this very implementation was born. Now if you want to chroot a systemd service, all you need to do is: { systemd.services.yourservice = { description = "My Shiny Service"; wantedBy = [ "multi-user.target" ]; chroot.enable = true; serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice"; }; } If more than the dependencies for the ExecStart* and ExecStop* (which btw. also includes "script" and {pre,post}Start) need to be in the chroot, it can be specified using the chroot.packages option. By default (which uses the "full-apivfs"[3] confinement mode), a user namespace is set up as well and /proc, /sys and /dev are mounted appropriately. In addition - and by default - a /bin/sh executable is provided as well, which is useful for most programs that use the system() C library call to execute commands via shell. The shell providing /bin/sh is dash instead of the default in NixOS (which is bash), because it's way more lightweight and after all we're chrooting because we want to lower the attack surface and it should be only used for "/bin/sh -c something". Prior to submitting this here, I did a first implementation of this outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality from systemd-lib.nix, just because it's only a single line. However, I decided to just re-use the one from systemd here and subsequently made it available when importing systemd-lib.nix, so that the systemd-chroot implementation also benefits from fixes to that functionality (which is now a proper function). Unfortunately, we do have a few limitations as well. The first being that DynamicUser doesn't work in conjunction with tmpfs, because it already sets up a tmpfs in a different path and simply ignores the one we define. We could probably solve this by detecting it and try to bind-mount our paths to that different path whenever DynamicUser is enabled. The second limitation/issue is that RootDirectoryStartOnly doesn't work right now, because it only affects the RootDirectory option and not the individual bind mounts or our tmpfs. It would be helpful if systemd would have a way to disable specific bind mounts as well or at least have some way to ignore failures for the bind mounts/tmpfs setup. Another quirk we do have right now is that systemd tries to create a /usr directory within the chroot, which subsequently fails. Fortunately, this is just an ugly error and not a hard failure. [1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62 [2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124 [3]: The reason this is called "full-apivfs" instead of just "full" is to make room for a *real* "full" confinement mode, which is more restrictive even. [4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix Signed-off-by: aszlig <aszlig@nix.build>
2019-03-10 11:21:55 +00:00
pkgs.runCommand "unit-${mkPathSafeName name}"
Set ‘allowSubstitutes = false’ on various derivations This reduces the number of binary cache requests. See https://github.com/NixOS/nix/commit/b64988bb3585478676585a0f0aecbcf4e11d4432.
2015-07-07 13:01:36 +00:00
{ preferLocalBuild = true;
allowSubstitutes = false;
inherit (unit) text;
}
Fix #7476
2015-04-20 09:31:17 +00:00
''
mkdir -p $out
echo -n "$text" > $out/${shellEscape name}
''
else
nixos: Add 'chroot' options to systemd.services Currently, if you want to properly chroot a systemd service, you could do it using BindReadOnlyPaths=/nix/store (which is not what I'd call "properly", because the whole store is still accessible) or use a separate derivation that gathers the runtime closure of the service you want to chroot. The former is the easier method and there is also a method directly offered by systemd, called ProtectSystem, which still leaves the whole store accessible. The latter however is a bit more involved, because you need to bind-mount each store path of the runtime closure of the service you want to chroot. This can be achieved using pkgs.closureInfo and a small derivation that packs everything into a systemd unit, which later can be added to systemd.packages. That's also what I did several times[1][2] in the past. However, this process got a bit tedious, so I decided that it would be generally useful for NixOS, so this very implementation was born. Now if you want to chroot a systemd service, all you need to do is: { systemd.services.yourservice = { description = "My Shiny Service"; wantedBy = [ "multi-user.target" ]; chroot.enable = true; serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice"; }; } If more than the dependencies for the ExecStart* and ExecStop* (which btw. also includes "script" and {pre,post}Start) need to be in the chroot, it can be specified using the chroot.packages option. By default (which uses the "full-apivfs"[3] confinement mode), a user namespace is set up as well and /proc, /sys and /dev are mounted appropriately. In addition - and by default - a /bin/sh executable is provided as well, which is useful for most programs that use the system() C library call to execute commands via shell. The shell providing /bin/sh is dash instead of the default in NixOS (which is bash), because it's way more lightweight and after all we're chrooting because we want to lower the attack surface and it should be only used for "/bin/sh -c something". Prior to submitting this here, I did a first implementation of this outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality from systemd-lib.nix, just because it's only a single line. However, I decided to just re-use the one from systemd here and subsequently made it available when importing systemd-lib.nix, so that the systemd-chroot implementation also benefits from fixes to that functionality (which is now a proper function). Unfortunately, we do have a few limitations as well. The first being that DynamicUser doesn't work in conjunction with tmpfs, because it already sets up a tmpfs in a different path and simply ignores the one we define. We could probably solve this by detecting it and try to bind-mount our paths to that different path whenever DynamicUser is enabled. The second limitation/issue is that RootDirectoryStartOnly doesn't work right now, because it only affects the RootDirectory option and not the individual bind mounts or our tmpfs. It would be helpful if systemd would have a way to disable specific bind mounts as well or at least have some way to ignore failures for the bind mounts/tmpfs setup. Another quirk we do have right now is that systemd tries to create a /usr directory within the chroot, which subsequently fails. Fortunately, this is just an ugly error and not a hard failure. [1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62 [2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124 [3]: The reason this is called "full-apivfs" instead of just "full" is to make room for a *real* "full" confinement mode, which is more restrictive even. [4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix Signed-off-by: aszlig <aszlig@nix.build>
2019-03-10 11:21:55 +00:00
pkgs.runCommand "unit-${mkPathSafeName name}-disabled"
Set ‘allowSubstitutes = false’ on various derivations This reduces the number of binary cache requests. See https://github.com/NixOS/nix/commit/b64988bb3585478676585a0f0aecbcf4e11d4432.
2015-07-07 13:01:36 +00:00
{ preferLocalBuild = true;
allowSubstitutes = false;
}
Fix #7476
2015-04-20 09:31:17 +00:00
''
mkdir -p $out
ln -s /dev/null $out/${shellEscape name}
'';
networkd: Fix evaluation of systemd.network units. During the refactor of the networkd stuff in f8dbe5f, a lot of the options are now needed by systemd.nix as well as networkd.nix but weren't moved by that commit as well. For now, this fixes all networkd VM tests except for the macvlan one and thus it should fix #7505 for at least DHCP-based configuration. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-04-30 04:44:25 +00:00
boolValues = [true false "yes" "no"];
digits = map toString (range 0 9);
isByteFormat = s:
let
l = reverseList (stringToCharacters s);
suffix = head l;
nums = tail l;
in elem suffix (["K" "M" "G" "T"] ++ digits)
&& all (num: elem num digits) nums;
assertByteFormat = name: group: attr:
optional (attr ? ${name} && ! isByteFormat attr.${name})
"Systemd ${group} field `${name}' must be in byte format [0-9]+[KMGT].";
hexChars = stringToCharacters "0123456789abcdefABCDEF";
isMacAddress = s: stringLength s == 17
&& flip all (splitString ":" s) (bytes:
all (byte: elem byte hexChars) (stringToCharacters bytes)
);
assertMacAddress = name: group: attr:
optional (attr ? ${name} && ! isMacAddress attr.${name})
"Systemd ${group} field `${name}' must be a valid mac address.";
assertValueOneOf = name: values: group: attr:
optional (attr ? ${name} && !elem attr.${name} values)
nixos/systemd-lib: fix assertValueOneOf when value is not a string
2018-09-20 11:40:50 +00:00
"Systemd ${group} field `${name}' cannot have value `${toString attr.${name}}'.";
networkd: Fix evaluation of systemd.network units. During the refactor of the networkd stuff in f8dbe5f, a lot of the options are now needed by systemd.nix as well as networkd.nix but weren't moved by that commit as well. For now, this fixes all networkd VM tests except for the macvlan one and thus it should fix #7505 for at least DHCP-based configuration. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-04-30 04:44:25 +00:00
assertHasField = name: group: attr:
optional (!(attr ? ${name}))
"Systemd ${group} field `${name}' must exist.";
assertRange = name: min: max: group: attr:
optional (attr ? ${name} && !(min <= attr.${name} && max >= attr.${name}))
"Systemd ${group} field `${name}' is outside the range [${toString min},${toString max}]";
nixos/networkd: fix range assertions on 32 bit Nix
2018-08-28 22:31:45 +00:00
assertMinimum = name: min: group: attr:
optional (attr ? ${name} && attr.${name} < min)
"Systemd ${group} field `${name}' must be greater than or equal to ${toString min}";
networkd: Fix evaluation of systemd.network units. During the refactor of the networkd stuff in f8dbe5f, a lot of the options are now needed by systemd.nix as well as networkd.nix but weren't moved by that commit as well. For now, this fixes all networkd VM tests except for the macvlan one and thus it should fix #7505 for at least DHCP-based configuration. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-04-30 04:44:25 +00:00
assertOnlyFields = fields: group: attr:
let badFields = filter (name: ! elem name fields) (attrNames attr); in
optional (badFields != [ ])
"Systemd ${group} has extra fields [${concatStringsSep " " badFields}].";
nixos/networkd: fix range assertions on 32 bit Nix
2018-08-28 22:31:45 +00:00
assertInt = name: group: attr:
optional (attr ? ${name} && !isInt attr.${name})
"Systemd ${group} field `${name}' is not an integer";
nixos/systemd: Allow to override serviceConfig This has been reported by @qknight in his Stack Overflow question: https://stackoverflow.com/q/50678639 The correct way to override a single value would be to use something like this: systemd.services.nagios.serviceConfig.Restart = lib.mkForce "no"; However, this doesn't work because the check is applied for the attrsOf type and thus the attribute values might still contain the attribute set created by mkOverride. The unitOption type however did already account for this, but at this stage it's already too late. So now the actual value is unpacked while checking the values of the attribute set, which should allow us to override values in serviceConfig. Signed-off-by: aszlig <aszlig@nix.build> Cc: @edolstra, @qknight
2018-06-04 13:34:21 +00:00
checkUnitConfig = group: checks: attrs: let
# We're applied at the top-level type (attrsOf unitOption), so the actual
# unit options might contain attributes from mkOverride that we need to
# convert into single values before checking them.
defs = mapAttrs (const (v:
if v._type or "" == "override" then v.content else v
)) attrs;
errors = concatMap (c: c group defs) checks;
in if errors == [] then true
else builtins.trace (concatStringsSep "\n" errors) false;
networkd: Fix evaluation of systemd.network units. During the refactor of the networkd stuff in f8dbe5f, a lot of the options are now needed by systemd.nix as well as networkd.nix but weren't moved by that commit as well. For now, this fixes all networkd VM tests except for the macvlan one and thus it should fix #7505 for at least DHCP-based configuration. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-04-30 04:44:25 +00:00
toOption = x:
if x == true then "true"
else if x == false then "false"
else toString x;
attrsToSection = as:
concatStrings (concatLists (mapAttrsToList (name: value:
map (x: ''
${name}=${toOption x}
'')
(if isList value then value else [value]))
as));
Fix #7476
2015-04-20 09:31:17 +00:00
generateUnits = type: units: upstreamUnits: upstreamWants:
Set ‘allowSubstitutes = false’ on various derivations This reduces the number of binary cache requests. See https://github.com/NixOS/nix/commit/b64988bb3585478676585a0f0aecbcf4e11d4432.
2015-07-07 13:01:36 +00:00
pkgs.runCommand "${type}-units"
{ preferLocalBuild = true;
allowSubstitutes = false;
} ''
Fix #7476
2015-04-20 09:31:17 +00:00
mkdir -p $out
# Copy the upstream systemd units we're interested in.
for i in ${toString upstreamUnits}; do
fn=${cfg.package}/example/systemd/${type}/$i
if ! [ -e $fn ]; then echo "missing $fn"; false; fi
if [ -L $fn ]; then
target="$(readlink "$fn")"
if [ ''${target:0:3} = ../ ]; then
ln -s "$(readlink -f "$fn")" $out/
else
cp -pd $fn $out/
fi
else
ln -s $fn $out/
fi
done
# Copy .wants links, but only those that point to units that
# we're interested in.
for i in ${toString upstreamWants}; do
fn=${cfg.package}/example/systemd/${type}/$i
if ! [ -e $fn ]; then echo "missing $fn"; false; fi
x=$out/$(basename $fn)
mkdir $x
for i in $fn/*; do
y=$x/$(basename $i)
cp -pd $i $y
if ! [ -e $y ]; then rm $y; fi
done
done
# Symlink all units provided listed in systemd.packages.
for i in ${toString cfg.packages}; do
for fn in $i/etc/systemd/${type}/* $i/lib/systemd/${type}/*; do
if ! [[ "$fn" =~ .wants$ ]]; then
nixos/systemd-lib: fix conflict with dbus.service.d directory When a package contains a directory in one of the systemd directories (like flatpak does), it is symlinked into the *-units derivation. Then later, the derivation will try to create the directory, which will fail: mkdir: cannot create directory '/nix/store/…-user-units/dbus.service.d': File exists builder for '/nix/store/…-user-units.drv' failed with exit code 1 Closes: #33233
2018-01-03 10:57:29 +00:00
if [[ -d "$fn" ]]; then
targetDir="$out/$(basename "$fn")"
mkdir -p "$targetDir"
${lndir} "$fn" "$targetDir"
else
ln -s $fn $out/
fi
Fix #7476
2015-04-20 09:31:17 +00:00
fi
done
done
# Symlink all units defined by systemd.units. If these are also
# provided by systemd or systemd.packages, then add them as
# <unit-name>.d/overrides.conf, which makes them extend the
# upstream unit.
for i in ${toString (mapAttrsToList (n: v: v.unit) units)}; do
fn=$(basename $i/*)
if [ -e $out/$fn ]; then
if [ "$(readlink -f $i/$fn)" = /dev/null ]; then
ln -sfn /dev/null $out/$fn
else
nixos/systemd-lib: fix conflict with dbus.service.d directory When a package contains a directory in one of the systemd directories (like flatpak does), it is symlinked into the *-units derivation. Then later, the derivation will try to create the directory, which will fail: mkdir: cannot create directory '/nix/store/…-user-units/dbus.service.d': File exists builder for '/nix/store/…-user-units.drv' failed with exit code 1 Closes: #33233
2018-01-03 10:57:29 +00:00
mkdir -p $out/$fn.d
Fix #7476
2015-04-20 09:31:17 +00:00
ln -s $i/$fn $out/$fn.d/overrides.conf
fi
else
ln -fs $i/$fn $out/
fi
done
systemd service: add aliases option
2017-02-01 21:51:16 +00:00
# Create service aliases from aliases option.
${concatStrings (mapAttrsToList (name: unit:
concatMapStrings (name2: ''
ln -sfn '${name}' $out/'${name2}'
'') unit.aliases) units)}
# Create .wants and .requires symlinks from the wantedBy and
Fix #7476
2015-04-20 09:31:17 +00:00
# requiredBy options.
${concatStrings (mapAttrsToList (name: unit:
concatMapStrings (name2: ''
mkdir -p $out/'${name2}.wants'
ln -sfn '../${name}' $out/'${name2}.wants'/
'') unit.wantedBy) units)}
${concatStrings (mapAttrsToList (name: unit:
concatMapStrings (name2: ''
mkdir -p $out/'${name2}.requires'
ln -sfn '../${name}' $out/'${name2}.requires'/
'') unit.requiredBy) units)}
${optionalString (type == "system") ''
# Stupid misc. symlinks.
ln -s ${cfg.defaultUnit} $out/default.target
systemd: make ctrl-alt-del target configurable. (#16911) We currently only allow upstream's default of "reboot.target" due to the way the symlinks are initialized. I made this configurable similar to the default unit.
2016-07-19 07:42:53 +00:00
ln -s ${cfg.ctrlAltDelUnit} $out/ctrl-alt-del.target
Fix #7476
2015-04-20 09:31:17 +00:00
ln -s rescue.target $out/kbrequest.target
mkdir -p $out/getty.target.wants/
ln -s ../autovt@tty1.service $out/getty.target.wants/
multi-user.target should not pull network.target
2016-09-09 02:33:33 +00:00
ln -s ../local-fs.target ../remote-fs.target \
Fix #7476
2015-04-20 09:31:17 +00:00
../nss-lookup.target ../nss-user-lookup.target ../swap.target \
$out/multi-user.target.wants/
''}
''; # */
}
Reference in New Issue Copy Permalink