Increase the system user id range #65698
Conversation
|
While not directly a problem, this is not beneficial for @jameysharp's move to all-static uid's in #64594 |
|
Is it possible and/or are there plans to unassign the existing ~300 IDs, moving them to either |
|
I believe it would be safe to switch services that don't need static uid's to |
|
Last I recall reading about (though systemd is meant to handle the transition, if nixos removes deleted users from passwd that may or may not cause problems; really depends on whether StateDirectory= is the whole story or not for a given service I guess? but even then if it's fine and then you tried rolling back... poof?) |
|
Unfortunately moving to |
|
So, after some discussion in the IRC channel, it looks line roon-server doesn't work with DynamicUser enabled, as the backup mechanism needs to be able to write to a persistent location and DynamicUser would make managing permissions for this directory impossible. |
|
Yeah so it might be the case that we can't use |
|
My understanding is that |
|
@edolstra there is some allowance for persistent data. See 'Persistent Data' section of http://0pointer.net/blog/dynamic-users-with-systemd.html |
Incorrect. It's only meant for services that don't share state between services. Persistent state is definitely possible, as long as it's defined through |
|
@volth
|
|
I'd prefer this being a proper RFC :) |
|
I made this a full RFC, see above |
|
AFAIK, systemd ignores So it seems you'd have to change this. |
|
@asymmetric Yeah, but I think this is only relevant for users created through Will do that change too |
|
FYI NixOS/rfcs#52 is in Final Comment Period |
infinisil
changed the title
infinisil
force-pushed
the
system-users
branch
from
5b3ed92
to
306e7f6
Compare
|
@asymmetric Now applied the change to the systemd build flags too. Will probably have to switch to staging because of this. @GrahamcOfBorg eval |
ofborg
bot
added
10.rebuild-darwin: 101-500
10.rebuild-linux: 501+
10.rebuild-linux: 5001+
and removed
10.rebuild-darwin: 0
10.rebuild-linux: 0
labels
infinisil
force-pushed
the
system-users
branch
from
306e7f6
to
0a94f7f
Compare
This enlarges the system uid/gid range 6-fold, from 100 to 600 ids. This is a preventative measure against running out of dynamically allocated ids for NixOS services with isSystemUser, which should become the preferred way of allocating uids for non-real users.
infinisil
force-pushed
the
system-users
branch
from
0a94f7f
to
23d920c
Compare
|
Turns out that the ranges defined in the systemd compile time options really don't matter that much, they're only used by systemd features like The ranges in And the ones in I added this info to a comment. Also added links to the issues regarding runtime configuration of systemd ranges. |
|
NixOS/rfcs#52 is now accepted and I think this is ready to be merged. |
|
@GrahamcOfBorg test systemd |
|
Hehe, the error on aarch64 is deceivingly related-looking: But really that only seems to occur as a result of heavy aarch64 builder usage, nothing with this PR. |
infinisil
added
the
significant
This is now a full RFC at NixOS/rfcs#52
This enlarges the system uid/gid range 6-fold, from 100 to 600 ids. This
is a preventative measure against running out of dynamically allocated
ids for NixOS services with
isSystemUser, which should become thepreferred way of allocating uids for non-real users if
DynamicUserisn't applicable.Motivation for this change
We're running out of static uid/gid's in the standard range from 0 to 400, only ~85 are left:
nixpkgs/nixos/modules/misc/ids.nix
Lines 341 to 344 in 9fe0552
While it might be possible to assign another range for static id's, that's just an ugly solution, and having to declare static id's has always been a bit of a pain.
A better solution is to not assign static id's for services, but to use NixOS dynamic user allocation (happening by default, when
uid/gid = null). Specifically withisSystemUser = truesuch that ids get allocated in the rangeSYS_{U,G}ID_MIN(400) -SYS_{U,G}ID_MAX(499 before this change, 999 after), meaning the range above 1000 can be used exclusively by real users.Why extend it to 999? Because a limit of 100 ids means that over the lifetime of a NixOS system, users can only ever run 100 different services, since id's aren't repurposed after a service is disabled (See a57bcd3), which is a bit on the low side. And 999 (=
{U,G}ID_MIN-1) is also the default value anyways, seeman login.defs.This means that instead of having a limit of 400 static uids for all NixOS services in nixpkgs, we have a limit of 600 dynamic uids for all NixOS services ever enable on a single system.
But isn't it bad to not use static id's for services?
I don't think so. One reason I can think of for having static id's is for some service that needs to transfer its files across NixOS machines, but this is not the case for most services. Another reason might be that loading data from backups into a new NixOS installation will make services not work due the mismatch of data and service ids. This is however not a problem if
/var/lib/{u,g}id-mapgets restored as well, and also not a problem if services useStateDirectoryorsystemd.tmpfileswhich fixes permissions on service start.See #60732 (comment) for a previous discussion
cc @ryantm @arianvp @aanderse @edolstra