Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/nomad: enforce specific data_dir semantics #109768

Merged
merged 12 commits into from Jan 24, 2021
Merged

nixos/nomad: enforce specific data_dir semantics #109768

merged 12 commits into from Jan 24, 2021

Conversation

cpcloud
Copy link
Contributor

@cpcloud cpcloud commented Jan 18, 2021
edited

Motivation for this change

This PR enforces the semantics discussed here: #105739 (comment)

In summary, the data_dir value of the nomad service must be set to
a specific value if dropPrivileges is set to true.

The updated unit also includes additional documentation describing
the responsibilities of the nomad cluster manager given these
constraints as well as a suggestion for how to go about satisfying them.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

aanderse
aanderse reviewed Jan 19, 2021
View reviewed changes
Copy link
Member

@aanderse aanderse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few thoughts. Ignore the StateDirectory comment... I read this commit by commit 😄

nixos/modules/services/networking/nomad.nix Outdated Show resolved Hide resolved
nixos/modules/services/networking/nomad.nix Outdated Show resolved Hide resolved
nixos/modules/services/networking/nomad.nix Outdated Show resolved Hide resolved
nixos/modules/services/networking/nomad.nix Outdated Show resolved Hide resolved
Phillip Cloud added 12 commits January 23, 2021 19:44
nixos/nomad: add assertion for the value of dropPrivileges and its re…
3e00482 
…lation to data_dir
nixos/nomad: describe the nomad cluster manager responsibilities
f3aa71b
nixos/nomad: move serviceConfig into mkMerge and mkIf for docker Supp…
58fe459 
…lementaryGroups
nixos/nomad: add mkIf for StateDirectory
b80c454
nixos/nomad: reformat SupplementaryGroups expression
b72a467
nixos/nomad: fix typo and spell out ExecStartPre usage
bddb7ac
nixos/nomad: fix markup and remove suggestion
5d0b3b7
nixos/nomad: unconditionally set user to nomad
12b9249
nixos/nomad: make formatting consistent in mkMerge call
5ce4ce6
nixos/tests: add test for custom nomad state directory
de71f5b
nixos/nomad: only set User if privileges are dropped
2a3cb40
nixos/nomad: remove User setting entirely
c7c3b9e
@cpcloud
Copy link
Contributor Author

cpcloud commented Jan 24, 2021

@aanderse Is this okay to merge?

aanderse
aanderse approved these changes Jan 24, 2021
View reviewed changes
Copy link
Member

@aanderse aanderse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

I'll defer to @lovesegfault for merge, preferably, though. I'm not a nomad user.

@cpcloud
Copy link
Contributor Author

cpcloud commented Jan 24, 2021

Roger that! Thanks.

@lovesegfault lovesegfault merged commit 105b9eb into NixOS:master Jan 24, 2021
@cpcloud cpcloud deleted the nomad-datadir-cleanup branch January 24, 2021 19:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lovesegfault lovesegfault lovesegfault approved these changes

@aanderse aanderse aanderse approved these changes

@nh2 nh2 Awaiting requested review from nh2

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@cpcloud @lovesegfault @aanderse