[RFC 0052] Away from static IDs #52
Conversation
|
Does |
|
@Profpatsch If you need a stateful directory with |
edolstra
changed the title
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/new-rfc-52-away-from-static-ids/3931/1 |
edolstra
added
status: open for nominations
|
This PR is now open for shepherd nominations. Any volunteers? |
|
I volunteer to be a shepherd. |
1 similar comment
|
I volunteer to be a shepherd. |
|
I volunteer too! |
|
I too volunteer to be a shepherd 🐑. |
|
Also nominating myself. So we have the following shepherd team: @ryantm, @arianvp, @asymmetric and @edolstra. Thanks! @ryantm do you have to lead this team? |
|
A link from the |
edolstra
added
status: in discussion
and removed
status: open for nominations
|
Sure, I will lead the shepherd team. |
| Services should make permissions of their directories are usable by them. | ||
| - The easiest way to achieve this is to use `systemd.services.<name?>.serviceConfig.StateDirectory = "myservice"`, which ensures that `/var/lib/myservice` belongs to the services user. | ||
| - `systemd.tmpfiles.rules = [ "Z '/var/lib/myservice' - myuser mygroup - -" ]` can also be used, with the disadvantage that it will only run at system activation and not when the service starts. It also recursively fixes the permissions every time, meaning it can lead to considerable slowdown with many files. | ||
| - An alternative is to assign `serviceConfig.ExecStartPre = "+${pkgs.writeScript "myservice-prestart" "..."}"` with a script to fix the permissions, where the `+` makes the script run with full root permissions as documented in `man systemd.service`. |
There was a problem hiding this comment.
Would be nice if we could have this syntax work in the preStart and postStart shorthands that we currently have in the systemd module
|
Ah yes, forgot to push the changes for those |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
|
Lucky coincidence: @dasJ just opened NixOS/nixpkgs#71055 for making all NixOS module users use |
|
The FCP has ended without any objections. @NixOS/rfc-steering-committee please merge. |
|
Note to myself: This still needs the updates to the manual |
Summary
A lot of NixOS modules are assigning static uids/gids to their users. This has resulted in less than 90 static ids left in the reserved range from 0 to 400.
This RFC deprecates the practice of doing that and instead suggests to
DynamicUserusers.users.<name?>.uid/users.groups.<name?>.gidis not set. For users,users.users.<name?>.isSystemUsershould be set so that only uids under 1000 are used by NixOS services.Only in special circumstances are static ids allowed anymore.
Rendered
Partial implementation PR: NixOS/nixpkgs#65698
cc @edolstra @aanderse @ryantm @arianvp @globin @volth @arcnmx