influxdb2 service: don't use dynamic user

It breaks something inside of influxdb2, which results in a flurry of errors like these:

> ts=2021-12-21T18:19:35.513910Z lvl=info msg="Write failed" log_id=0YZYwvV0000 service=storage-engine service=write shard=50 error="[shard 50] unlinkat ./L1-00000055.tsi: read-only file system"

I believe this is somehow caused by a mount namespace that systemd creates for
the service, but I didn't investigate this deeper.
Nikolay Amiantov 2021-12-21 21:24:00 +03:00
parent 4d6b67b968
commit 9027a59f7a


@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let let
format = pkgs.formats.json { }; format = pkgs.formats.json { };
cfg = config.services.influxdb2; cfg = config.services.influxdb2;
@ -9,12 +11,14 @@ in
options = { options = {
services.influxdb2 = { services.influxdb2 = {
enable = mkEnableOption "the influxdb2 server"; enable = mkEnableOption "the influxdb2 server";
package = mkOption { package = mkOption {
default = pkgs.influxdb2-server; default = pkgs.influxdb2-server;
defaultText = literalExpression "pkgs.influxdb2"; defaultText = literalExpression "pkgs.influxdb2";
description = "influxdb2 derivation to use."; description = "influxdb2 derivation to use.";
type = types.package; type = types.package;
}; };
settings = mkOption { settings = mkOption {
default = { }; default = { };
description = ''configuration options for influxdb2, see <link xlink:href="https://docs.influxdata.com/influxdb/v2.0/reference/config-options"/> for details.''; description = ''configuration options for influxdb2, see <link xlink:href="https://docs.influxdata.com/influxdb/v2.0/reference/config-options"/> for details.'';
@ -28,18 +32,20 @@ in
assertion = !(builtins.hasAttr "bolt-path" cfg.settings) && !(builtins.hasAttr "engine-path" cfg.settings); assertion = !(builtins.hasAttr "bolt-path" cfg.settings) && !(builtins.hasAttr "engine-path" cfg.settings);
message = "services.influxdb2.config: bolt-path and engine-path should not be set as they are managed by systemd"; message = "services.influxdb2.config: bolt-path and engine-path should not be set as they are managed by systemd";
}]; }];
systemd.services.influxdb2 = { systemd.services.influxdb2 = {
description = "InfluxDB is an open-source, distributed, time series database"; description = "InfluxDB is an open-source, distributed, time series database";
documentation = [ "https://docs.influxdata.com/influxdb/" ]; documentation = [ "https://docs.influxdata.com/influxdb/" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
environment = { environment = {
INFLUXD_CONFIG_PATH = "${configFile}"; INFLUXD_CONFIG_PATH = configFile;
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${cfg.package}/bin/influxd --bolt-path \${STATE_DIRECTORY}/influxd.bolt --engine-path \${STATE_DIRECTORY}/engine"; ExecStart = "${cfg.package}/bin/influxd --bolt-path \${STATE_DIRECTORY}/influxd.bolt --engine-path \${STATE_DIRECTORY}/engine";
StateDirectory = "influxdb2"; StateDirectory = "influxdb2";
DynamicUser = true; User = "influxdb2";
Group = "influxdb2";
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
SystemCallFilter = "@system-service"; SystemCallFilter = "@system-service";
LimitNOFILE = 65536; LimitNOFILE = 65536;
@ -47,6 +53,13 @@ in
Restart = "on-failure"; Restart = "on-failure";
}; };
}; };
users.extraUsers.influxdb2 = {
isSystemUser = true;
group = "influxdb2";
};
users.extraGroups.influxdb2 = {};
}; };
meta.maintainers = with lib.maintainers; [ nickcao ]; meta.maintainers = with lib.maintainers; [ nickcao ];
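Review bot: Replacing `DynamicUser = true;` with `User`/`Group` in `serviceConfig` also drops the sandboxing that systemd implies for dynamic users (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges`, `RestrictSUIDSGID`), and none of these is set explicitly in the lines visible here. The `unlinkat ./L1-00000055.tsi: read-only file system` error in the commit message is consistent with the implied `ProtectSystem=strict`, so that one may have to stay off until the cause is understood. The others are unlikely to be involved and could be kept explicitly: `NoNewPrivileges = true;`, `PrivateTmp = true;`, `ProtectHome = "read-only";`. Part of `serviceConfig` lies between the hunks and is not shown, so confirm these are not already set there.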