nixos/systemd-confinement: Fix DynamicUser support #64405
base: master
Problem was that if you enabled DynamicUser, it would remount / as read-only which wouldn't work, as we were using the fact that / was read-write to set up all the mounts. We work around this by actually making sure all the directories that will be mount points exist a priori. For things for which mount points are dynamically generated on the fly, we use TemporaryFileSystem (cache, log, state). We also use TemporaryFileSystem for /nix/store. However, we might not actually need it, as we know all the mount points a priori.

TODO:
* See how we interact with APIVFS
* See if we can get rid of the TemporaryFileSystem for /nix/store, because currently /nix/store _itself_ is read/write in the container (it already was) and that's surely not something we want!
Make sure that /nix/store, /usr, /bin, /var and friends are read-only inside the container. Especially for /nix/store this should definitely be read-only as otherwise we can break invariants (not good!). /bin and /usr/bin being read-only also makes sense to me; however it currently breaks some tests. The test differentiated between chroot-only mode and full-apivfs mode by testing whether it could chown /bin. We should test this in another way? /var/{lib,cache,log} are also mounted read-only. This means the only way to create directories here is to use StateDirectory/CacheDirectory/LogDirectory directives. This is a tradeoff. Perhaps we should keep them read/write, as not all our services use these options yet, and it might hinder adoption of confinement. However when you enable confinement you could as well just add these options. We definitely need to give this some thought. Perhaps put it behind an option? I think the others being read-only makes sense; but this one might be a bit controversial.
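The comment above asks for a way to verify the read-only invariants (/nix/store, /var/{lib,cache,log}) without probing by chown. As an added example that is not part of this PR, the script below checks a /proc/self/mounts-style table against expected ro/rw modes; the table here is constructed to mimic what a confined unit would see, and `check_confinement`/`mount_mode` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not code from the PR: verify mount read-only state from a
# mounts table (the format of /proc/self/mounts) instead of attempting chown.

# Constructed sample of what a confined service might see; not a real capture.
SAMPLE_MOUNTS='tmpfs / tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /nix/store ext4 rw,relatime 0 0
/dev/sda1 /nix/store ext4 ro,relatime 0 0
tmpfs /var tmpfs ro,nosuid,nodev 0 0
/dev/sda1 /var/lib/yggdrasil ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# mount_mode TABLE PATH: print "ro" or "rw" for the mount whose target is
# exactly PATH, or "none" if PATH is not a mount point. The last matching
# entry wins, which mirrors the kernel: a later mount on the same target
# shadows an earlier one (e.g. a bind followed by a read-only remount).
mount_mode() {
  printf '%s\n' "$1" | awk -v target="$2" '
    $2 == target { mode = (("," $4 ",") ~ /,ro,/) ? "ro" : "rw" }
    END { if (mode == "") mode = "none"; print mode }'
}

# check_confinement TABLE PATH=MODE...: return 0 when every expectation
# holds, 1 otherwise, printing each violation to stderr. Inside a unit this
# would be run as ExecStartPre with "$(cat /proc/self/mounts)" as TABLE.
check_confinement() {
  table=$1
  shift
  status=0
  for want in "$@"; do
    path=${want%=*}
    mode=${want#*=}
    got=$(mount_mode "$table" "$path")
    if [ "$got" != "$mode" ]; then
      echo "violation: $path is $got, expected $mode" >&2
      status=1
    fi
  done
  return $status
}

# Stand-alone run: the store and /var must be read-only, the StateDirectory
# bind must be writable.
check_confinement "$SAMPLE_MOUNTS" /nix/store=ro /var=ro /var/lib/yggdrasil=rw \
  && echo "confinement invariants hold"
```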
fad4c9d to d978228
I rebased #63863 on this and enabled confinement with mode = "chroot-only". I had to add yggdrasil's config file to BindReadOnlyPaths, and then got this error:
Jul 07 08:23:13 sockeye systemd[1]: Starting Yggdrasil Network Service...
Jul 07 08:23:13 sockeye systemd[8035]: yggdrasil.service: Failed to set up mount namespacing: No such file or directory
Jul 07 08:23:13 sockeye systemd[8035]: yggdrasil.service: Failed at step NAMESPACE spawning /nix/store/xwbhik24q3f909mhygk7cyr9grnbxmas-unit-script-yggdrasil-pre-start: No such file or directory
Jul 07 08:23:13 sockeye systemd[1]: yggdrasil.service: Control process exited, code=exited status=226
Jul 07 08:23:13 sockeye systemd[1]: yggdrasil.service: Failed with result 'exit-code'.
Jul 07 08:23:13 sockeye systemd[1]: Failed to start Yggdrasil Network Service.
Here's the rebased branch <https://github.com/gazally/nixpkgs/tree/yggdrasil-64405> and the only configuration needed is service.yggdrasil.enable = true if you want to try it out.
Thanks. I'll have a look at what this is caused by later. Probably need to make more things read/write. Setting `systemd-analyze log-level debug` will print more detailed info about why the mount failed, if you're in the mood to investigate yourself.
On Sun, Jul 7, 2019, 17:41 gazally ***@***.***> wrote:
I rebased #63863 <#63863> on this
and enabled confinement with mode = "chroot-only". I had to add
yggdrasil's config file to BindReadOnlyPaths, and then got this error:
Jul 07 08:23:13 sockeye systemd[1]: Starting Yggdrasil Network Service...
Jul 07 08:23:13 sockeye systemd[8035]: yggdrasil.service: Failed to set up mount namespacing: No such file or directory
Jul 07 08:23:13 sockeye systemd[8035]: yggdrasil.service: Failed at step NAMESPACE spawning /nix/store/xwbhik24q3f909mhygk7cyr9grnbxmas-unit-script-yggdrasil-pre-start: No such file or directory
Jul 07 08:23:13 sockeye systemd[1]: yggdrasil.service: Control process exited, code=exited status=226
Jul 07 08:23:13 sockeye systemd[1]: yggdrasil.service: Failed with result 'exit-code'.
Jul 07 08:23:13 sockeye systemd[1]: Failed to start Yggdrasil Network Service.
Here's the rebased branch
<https://github.com/gazally/nixpkgs/tree/yggdrasil-64405> and the only
configuration needed is service.yggdrasil.enable = true if you want to
try it out.
@arianvp: Just came back from vacation and need to catch up on a few other things, can you ping me again once this is no longer WIP?
Thank you for your contributions.
I marked this as stale due to inactivity.