New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/postgresql: run ExecStartPost as an unprivileged user #95294
Conversation
@GrahamcOfBorg test postgresql postgresql-wal-receiver |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Can't really test this against a live-system though since I don't have a postgresql instance anymore that is old enough to be owned by root :)
53917c5
to
8e045b4
Compare
@GrahamcOfBorg test postgresql postgresql-wal-receiver |
LGTM. I don't currently have any postgres deployments outside of my gitlab server and for that the gitlab test should suffice. @GrahamcOfBorg test gitlab |
Thanks @talyz! Any final issues/comments/concerns before merge? We're approaching feature freeze and I still have a PR or two I'd like to get in for this module. |
Not from me, it looks ready to me :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. @aanderse feel free to merge, just wondering though if this change was tested against an old postgresql
-instance from 17.03
or before.
@Ma27 that's one of the problems with |
superUser = mkOption { | ||
type = types.str; | ||
default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root"; | ||
default = "postgres"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This breaks systems (like hydra.nixos.org) that use root
as the superuser. Starting postgresql
fails with
Oct 17 20:50:45 haumea postgres[19691]: [19691] FATAL: role "postgres" does not exist
Oct 17 20:50:45 haumea postgres[19694]: [19694] FATAL: role "postgres" does not exist
Oct 17 20:50:45 haumea postgres[19698]: [19698] FATAL: role "postgres" does not exist
Oct 17 20:50:45 haumea systemd[1]: postgresql.service: start-post operation timed out. Terminating.
Oct 17 20:50:45 haumea postgres[6462]: [6462] LOG: received fast shutdown request
Oct 17 20:50:45 haumea postgres[6462]: [6462] LOG: aborting any active transactions
Oct 17 20:50:45 haumea postgres[7740]: [7740] FATAL: terminating connection due to administrator command
Oct 17 20:50:45 haumea postgres[6462]: [6462] LOG: background worker "logical replication launcher" (PID 6471) exited with exit code 1
Oct 17 20:50:45 haumea postgres[6466]: [6466] LOG: shutting down
Oct 17 20:50:45 haumea postgres[6462]: [6462] LOG: database system is shut down
and since this option is marked as readOnly
, I can't even override it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@edolstra thanks for your feedback. The migration path, while manual, is fairly trivial: https://nixos.org/manual/nixos/unstable/release-notes.html#sec-release-20.09
You should be able to add this to your configuration:
services.postgresql.dataDir = "/var/db/postgresql";
And run the following as your existing super user account before upgrading:
CREATE ROLE postgres LOGIN SUPERUSER;
The trade off of running postgresql
entirely as an unprivileged user (added security, simplification of module, etc..) is having long time users add 1 line of configuration and imperatively run a single command. Certainly opinions can vary, but to me this is a fair trade off.
Please let me know if you think the release notes aren't sufficient, or if you continue to disagree with this change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Further to this, while stateVersion
is great and I appreciate that it exists, when stateVersion
starts introducing lower security standards or code that isn't manageable I would argue that having long time users run a migration step or two (minimal effort) seems to be worthwhile, at least in my opinion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aanderse Thanks for the explanation!
Motivation for this change
root
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)