Commit graph

891 commits

Author SHA1 Message Date
aszlig
dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Matthew Bauer
73be6fba8b
Merge pull request #54625 from FlorianFranzen/efi32
grub: Support 32bit EFI on 64bit platforms
2019-03-21 11:39:45 -04:00
Florian Franzen
e51a840259 grub: Support 32bit EFI on 64bit x86 platforms 2019-03-18 10:38:07 +01:00
aszlig
ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Silvan Mosberger
bcda0e37f6
Merge pull request #56012 from matix2267/logind-lid-switch-external-power
nixos/logind: Add defaultText to config option since it's not static value.
2019-02-22 20:55:46 +01:00
Symphorien Gibol
a915b33315 nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
Mateusz Gołębiewski
ddcf485386 nixos/logind: Add defaultText to config option since it's not static value. 2019-02-18 20:37:02 +01:00
Mateusz Gołębiewski
fb9619ca03 nixos/logind: Add option for HandleLidSwitchExternalPower
The default according to `man logind.conf` is to perform the same action as in
HandleLidSwitch.
2019-02-16 23:56:22 +01:00
Sharif Olorin
3755577ba6 nixos/systemd: update max line length in systemd units
The length check was introduced[0] to match systemd's max line
length. This limit has been increased[1][2] to 1MiB, starting with
systemd v235.

[0] https://github.com/nixos/nixpkgs/issues/3403
[1] e6dde451a5
    (relevant systemd commit)
[2] https://github.com/systemd/systemd/issues/3302
    (more context on systemd change)
2019-02-10 00:39:29 +00:00
Jeff Slight
c95407b327 boot/raspberrypi: replace deprecated configuration option 2019-02-08 11:36:09 -08:00
danbst
27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
Silvan Mosberger
51d2eed83b
Merge pull request #42838 from teto/kernel_autoconf
[RFC] add ability to merge structured configs
2019-01-28 10:38:00 +01:00
Craig Younkins
6f6287fbf9 nixos/systemd: add StartLimitIntervalSec to unit config 2019-01-28 00:29:43 +00:00
Matthieu Coudron
3bb7b3f02e linux: ability to merge structured configs
This should make the composability of kernel configurations more straigthforward.

- now distinguish freeform options from tristate ones
- will look for a structured config in kernelPatches too
one can now access the structuredConfig from a kernel via linux_test.configfile.structuredConfig
in order to reinject it into another kernel, no need to rewrite the config from scratch

The following merge strategies are used in case of conflict:
-- freeform items must be equal or they conflict (mergeEqualOption)
-- for tristate (y/m/n) entries, I use the mergeAnswer strategy which takes the best available value, "best" being defined by the user (by default "y" > "m" > "n", e.g. if one entry is both marked "y" and "n", "y" wins)
-- if one item is both marked optional/mandatory, mandatory wins (mergeFalseByDefault)
2019-01-28 09:06:33 +09:00
Jörg Thalheim
a6b97bd1bb
Merge pull request #42183 from kisik21/master
nixos/stage-1, nixos/f2fs: added F2FS resizing
2019-01-17 07:42:32 +00:00
Vladimír Čunát
287144e342
Merge branch 'master' into staging-next 2019-01-10 13:07:21 +01:00
Claudio Bley
cb0b629894 nixos/luksroot: Fix typo Verifiying -> Verifying 2019-01-08 15:45:02 -05:00
Jörg Thalheim
ba9f589180
Merge pull request #53446 from Mic92/systemd-udev-settle
nixos/systemd-udev-settle: don't restart on upgrades
2019-01-08 13:05:25 +01:00
Matthew Bauer
751c03e8fd
Merge pull request #47665 from erikarvstedt/initrd-improvements
Minor initrd improvements
2019-01-06 21:48:26 -06:00
Jörg Thalheim
0a2c8cc1db
nixos/systemd-udev-settle: don't restart on upgrades
The idea is that we only need this target during boot,
however there is no point on restarting it on every upgrade.

This hopefully fixes #21954
2019-01-05 13:57:29 +01:00
Matthew Bauer
921a47bc92 treewide: remove cross assertions
sd-image-raspberrypi, sd-image-aarch64, and
sd-image-armv7l-multiplatform can all be cross compiled now.
2019-01-02 23:02:50 -06:00
Matthew Bauer
35af6e3605 treewide: use buildPackages for config builders 2019-01-02 23:02:50 -06:00
Matthew Bauer
92840ab944
Merge pull request #51600 from eburimu/fix/cross-extlinux-conf-builder
extlinux-conf: fix cross compilation
2018-12-19 11:01:31 -06:00
volth
fed7914539
Merge branch 'staging' into make-perl-pathd 2018-12-18 17:13:27 +00:00
volth
bb9557eb7c lib.makePerlPath -> perlPackages.makePerlPath 2018-12-15 03:50:31 +00:00
Benjamin Staffin
1181d6153e
logind: make killUserProcesses an option (#51426)
Right now it's not at all obvious that one can override this option
using `services.logind.extraConfig`; we might as well add an option
for `killUserProcesses` directly so it's clear and documented.
2018-12-11 16:51:16 -05:00
Renaud
53218d4a39
nixos/systemd-nspawn: accept all Exec and Files options
See: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html
Closes #49712
2018-12-08 14:41:37 +01:00
eburimu
f17dd04f12 extlinux-conf: fix cross compilation 2018-12-06 03:42:02 +03:00
Jörg Thalheim
50071c4475
Revert "nixos/luksroot: Check whether the device already exists"
This reverts commit 9cd4ce98bf.

This might be broken for some people: https://github.com/NixOS/nixpkgs/pull/50281#issuecomment-443516289
2018-12-02 17:27:35 +00:00
Janne Heß
9cd4ce98bf nixos/luksroot: Check whether the device already exists
The new reuse behaviour is cool and really useful but it breaks one of
my use cases. When using kexec, I have a script which will unlock the
disks in my initrd. However, do_open_passphrase will fail if the disk is
already unlocked.
2018-12-01 23:42:51 +01:00
Arian van Putten
7ce4cd4470 nixos/nspawn: Fix small typo (#51077)
This has slipped through review in my previous PR it seems
2018-11-26 22:05:13 +01:00
hyperfekt
482228919c nixos/bcachefs: remove superfluous fsck from initrd
bcachefs checks the filesystem at mount time, therefore no separate fsck binary is needed in initrd.
2018-11-03 18:07:32 +01:00
Jörg Thalheim
553e0d81ee
Merge pull request #48771 from arianvp/container-tweaks
nixos/containers: Introduce several tweaks to systemd-nspawn from upstream systemd
2018-10-31 16:08:16 +00:00
Will Dietz
2d0ec8b288 stage1 boot: use stdenv.cc.libc
(cherry picked from commit d3ae884c9eeb4a6f66ac4e57764c04db16ea7c71)
2018-10-30 19:47:06 -05:00
Silvan Mosberger
04b4ca37bd
Merge pull request #49360 from tadfisher/logind-suspend-then-hibernate
nixos/systemd: support "suspend-then-hibernate" logind option
2018-10-28 22:18:39 +01:00
Tad Fisher
8520839b6a nixos/systemd: support "suspend-then-hibernate" logind option 2018-10-28 13:41:21 -07:00
aanderse
1381019e49 nixos/rsyslogd & nixos/syslog-ng: fix broken module (#47306)
* journald: forward message to syslog by default if a syslog implementation is installed

* added a test to ensure rsyslog is receiving messages when expected

* added rsyslogd tests to release.nix
2018-10-27 19:01:30 +02:00
Arian van Putten
9f72791516 nixos/containers: Introduce several tweaks to systemd-nspawn from upstream systemd
* Lets container@.service  be activated by machines.target instead of
  multi-user.target

  According to the systemd manpages, all containers that are registered
  by machinectl, should be inside machines.target for easy stopping
  and starting container units altogether

* make sure container@.service and container.slice instances are
  actually located in machine.slice

  https://plus.google.com/112206451048767236518/posts/SYAueyXHeEX
  See original commit: https://github.com/NixOS/systemd/commit/45d383a3b8

* Enable Cgroup delegation for nixos-containers

  Delegate=yes should be set for container scopes where a systemd instance
  inside the container shall manage the hierarchies below its own cgroup
  and have access to all controllers.

  This is equivalent to enabling all accounting options on the systemd
  process inside the system container.  This means that systemd inside
  the container is responsible for managing Cgroup resources for
  unit files that enable accounting options inside.  Without this
  option, units that make use of cgroup features within system
  containers might misbehave

  See original commit: https://github.com/NixOS/systemd/commit/a931ad47a8

  from the manpage:
    Turns on delegation of further resource control partitioning to
    processes of the unit. Units where this is enabled may create and
    manage their own private subhierarchy of control groups below the
    control group of the unit itself. For unprivileged services (i.e.
    those using the User= setting) the unit's control group will be made
    accessible to the relevant user. When enabled the service manager
    will refrain from manipulating control groups or moving processes
    below the unit's control group, so that a clear concept of ownership
    is established: the control group tree above the unit's control
    group (i.e. towards the root control group) is owned and managed by
    the service manager of the host, while the control group tree below
    the unit's control group is owned and managed by the unit itself.
    Takes either a boolean argument or a list of control group
    controller names. If true, delegation is turned on, and all
    supported controllers are enabled for the unit, making them
    available to the unit's processes for management. If false,
    delegation is turned off entirely (and no additional controllers are
    enabled). If set to a list of controllers, delegation is turned on,
    and the specified controllers are enabled for the unit. Note that
    additional controllers than the ones specified might be made
    available as well, depending on configuration of the containing
    slice unit or other units contained in it. Note that assigning the
    empty string will enable delegation, but reset the list of
    controllers, all assignments prior to this will have no effect.
    Defaults to false.

    Note that controller delegation to less privileged code is only safe
    on the unified control group hierarchy. Accordingly, access to the
    specified controllers will not be granted to unprivileged services
    on the legacy hierarchy, even when requested.

    The following controller names may be specified: cpu, cpuacct, io,
    blkio, memory, devices, pids. Not all of these controllers are
    available on all kernels however, and some are specific to the
    unified hierarchy while others are specific to the legacy hierarchy.
    Also note that the kernel might support further controllers, which
    aren't covered here yet as delegation is either not supported at all
    for them or not defined cleanly.
2018-10-22 22:36:08 +02:00
Arian van Putten
3be00fa60c nixos/systemd-nspawn: Remove dependency on bogus "machine.target"
"machine.target" doesn't actually exist, it's misspelled version
of "machines.target".  However, the "systemd-nspawn@.service"
unit already has a default dependency on "machines.target"
2018-10-21 21:51:51 +02:00
Ben Wolsieffer
eadb9c822b raspberrypi-bootloader: pass initrd to kernel
NixOS is unable to boot using the RPi bootloader (w/o U-Boot) unless the initrd
is configured.
2018-10-21 17:44:11 +03:00
Ben Wolsieffer
e2fbada6f8 raspberrypi-bootloader: uboot: allow specification of target directory 2018-10-21 17:44:11 +03:00
Ben Wolsieffer
1afff7c10b raspberrypi-bootloader: support Raspberry Pi 3 w/o U-Boot and explicitly support
Raspberry Pi Zero
2018-10-21 17:44:11 +03:00
Ben Wolsieffer
bcb9e17bba raspberrypi-bootloader: allow specification of target directory 2018-10-21 17:44:11 +03:00
volth
b3dff39105
bootStage1: fix cross build (@matthewbauer's solution) 2018-10-12 09:24:00 +00:00
volth
9dd5dc57a7
bootStage1: fix cross build 2018-10-12 00:45:59 +00:00
Ben Wolsieffer
76977590fa nixos: initrd/luks: fix detection of devices by UUID 2018-10-11 16:02:41 -04:00
Ben Wolsieffer
264cb7407c nixos: initrd/luks: make script indentation consistent 2018-10-11 15:53:53 -04:00
Matthew Bauer
bd3c840301
Merge pull request #46964 from florianjacob/systemd-assert-value-tostring
nixos/systemd-lib: fix assertValueOneOf
2018-10-05 23:00:41 -05:00
Matthew Bauer
357d32e2b3
Merge pull request #46459 from volth/volth-patch-3
nixos/initrd-network: multiple DHCP fixes
2018-10-05 22:47:45 -05:00
Márton Boros
d8a555d819
Fix systemd timer unit documentation
Fixes #36210
2018-10-03 14:39:36 +02:00