Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

replace deprecated usage of PermissionsStartOnly (part 1) #59389

Merged
merged 31 commits into from Apr 19, 2019
Merged

replace deprecated usage of PermissionsStartOnly (part 1) #59389

merged 31 commits into from Apr 19, 2019

Conversation

aanderse
Copy link
Member

Motivation for this change

First round of code ready for merging from #56265

ping @flokli

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@aanderse
nixos/collectd: replace deprecated usage of PermissionsStartOnly
09af9fc 
see NixOS#53852
@aanderse
nixos/lidarr: replace deprecated usage of PermissionsStartOnly
8fe1c5b 
see NixOS#53852
@aanderse
nixos/liquidsoap: replace deprecated usage of PermissionsStartOnly
5f9a639 
see NixOS#53852
@aanderse
nixos/memcached: replace deprecated usage of PermissionsStartOnly
2f50cd0 
see NixOS#53852
@aanderse
nixos/mesos: replace deprecated usage of PermissionsStartOnly
89081ee 
see NixOS#53852
@aanderse
nixos/minio: replace deprecated usage of PermissionsStartOnly
8c48c55 
see NixOS#53852
@aanderse
nixos/mpd: replace deprecated usage of PermissionsStartOnly
919c87a 
see NixOS#53852
@aanderse
nixos/munge: replace deprecated usage of PermissionsStartOnly
7808202 
see NixOS#53852
@aanderse
nixos/nexus: replace deprecated usage of PermissionsStartOnly
a6bbc55 
see NixOS#53852
@aanderse
nixos/nullmailer: replace deprecated usage of PermissionsStartOnly
64fdacc 
see NixOS#53852
@aanderse
nixos/postgresqlBackup: replace deprecated usage of PermissionsStartOnly
7b2be9b 
see NixOS#53852
@aanderse
nixos/rabbitmq: replace deprecated usage of PermissionsStartOnly
2ebbe39 
see NixOS#53852
@aanderse
nixos/rss2email: replace deprecated usage of PermissionsStartOnly
a585d29 
see NixOS#53852
@aanderse
nixos/stanchion: replace deprecated usage of PermissionsStartOnly
0113cc0 
see NixOS#53852
@aanderse
nixos/syncthing: replace deprecated usage of PermissionsStartOnly
cefbee3 
see NixOS#53852
@aanderse
nixos/traefik: replace deprecated usage of PermissionsStartOnly
e5d8ba5 
see NixOS#53852
@aanderse
nixos/clickhouse: replace deprecated usage of PermissionsStartOnly
e51f86a 
see NixOS#53852
@aanderse
nixos/codimd: replace deprecated usage of PermissionsStartOnly
56c7960 
see NixOS#53852
@aanderse
nixos/couchdb: replace deprecated usage of PermissionsStartOnly
062efe0 
see NixOS#53852
@aanderse
nixos/etcd: replace deprecated usage of PermissionsStartOnly
6ac630b 
see NixOS#53852
@aanderse
nixos/influxdb: replace deprecated usage of PermissionsStartOnly
b1be2f1 
see NixOS#53852
@aanderse
nixos/ipfs: replace deprecated usage of PermissionsStartOnly
b7f376c 
see NixOS#53852
@aanderse
nixos/jackett: replace deprecated usage of PermissionsStartOnly
cd46038 
see NixOS#53852
@aanderse
nixos/mxisd: replace deprecated usage of PermissionsStartOnly
89cbee4 
see NixOS#53852
@aanderse
nixos/mysql-backup: replace deprecated usage of PermissionsStartOnly
0672f86 
see NixOS#53852
@aanderse
nixos/peerflix: replace deprecated usage of PermissionsStartOnly
021b287 
see NixOS#53852
@aanderse
nixos/radarr: replace deprecated usage of PermissionsStartOnly
484e896 
see NixOS#53852
@aanderse
nixos/smokeping: replace deprecated usage of PermissionsStartOnly
bb649d9 
see NixOS#53852
@aanderse
nixos/sonarr: replace deprecated usage of PermissionsStartOnly
053c9a7 
see NixOS#53852
@aanderse
nixos/vault: replace deprecated usage of PermissionsStartOnly
a1c48c3 
see NixOS#53852
@aanderse
Copy link
Member Author

@GrahamcOfBorg test clickhouse codicmd etcd ipfs
@GrahamcOfBorg test jackett lidarr mxisd mysql-backup
@GrahamcOfBorg test peerflix radarr smokeping sonarr
@GrahamcOfBorg test vault zookeeper couchdb influxdb

@flokli
Copy link
Contributor

flokli commented Apr 15, 2019

Going through the draft PR, there was some discussion about clickhouse (which had a static data directory anyway) and mpd (with some discussion about thedataDir option exposed - which is why this directory's creation was moved to tmpfiles.d instead of StateDirectory.

We didn't receive any feedback on the changes proposed to the following services/modules:

  • liquidsoap
  • mesos
  • stanchion
  • rss2email
  • rabbitmq
  • nullmailer
  • codimd
  • couchdb
  • jackett
  • ipfs
  • etcd
  • influxdb
  • radarr
  • mysql-backup
  • peerflix
  • smokeping
  • mxisd
  • sonarr
  • zookeeper

Given these are pretty mechanical, and this is unstable, I tend to merge it anyway - it's very granular commits, and we can revert them individually in case of any problems.

@infinisil, what do you think?

@infinisil
Copy link
Member

I think we should double-check these services, but in general I'm fine with merging this soon, the chance of this causing breakage shouldn't be high and the change is quite nice. Considering that systemd-tmpfiles (I think) recursively changes permissions, this might even fix some problems.

@flokli
Copy link
Contributor

flokli commented Apr 17, 2019
edited

@infinisil I did review the services, and they LGTM.

systemd-tmpfiles doesn't change permissions (except if explicitly requested), StateDirectory= etc. only do it in some cases:

Except in case of ConfigurationDirectory=, the innermost specified directories will be owned
by the user and group specified in User= and Group=. If the specified directories already
exist and their owning user or group do not match the configured ones, all files and
directories below the specified directories as well as the directories themselves will have
their file ownership recursively changed to match what is configured. As an optimization, if
the specified directories are already owned by the right user and group, files and
directories below of them are left as-is, even if they do not match what is requested. The
innermost specified directories will have their access mode adjusted to the what is
specified in RuntimeDirectoryMode=, StateDirectoryMode=, CacheDirectoryMode=,
LogsDirectoryMode= and ConfigurationDirectoryMode=.

@aanderse aanderse merged commit 3464b50 into NixOS:master Apr 19, 2019
@aanderse aanderse deleted the issue/53853-1 branch April 19, 2019 00:56
@flokli
Copy link
Contributor

flokli commented Apr 19, 2019

🚀

@flokli flokli mentioned this pull request Apr 30, 2019
Closed
flokli referenced this pull request Jun 25, 2019
@domenkozar
duplicati: allow changing the user
e8916cc
infinisil added a commit to infinisil/nixpkgs that referenced this pull request Jul 24, 2019
@infinisil
nixos/couchdb: Prevent it from chowning /var/log to couchdb:couchdb
5e97436 
The default for logFile is /var/log/couchdb.log, and the tmpfile rules chown
${dirOf cfg.logFile}, which is just /var/log, to couchdb:couchdb.

This was found by Edes' report on IRC, which looked like

    Detected unsafe path transition /var/log → /var/log/journal during canonicalization of /var/log/journal

While this bug has been present since the initial couchdb module in
62438c0 by @garbas, this wasn't a
problem, because the initial module only created and chowned /var/log
if it didn't exist yet, which can't occur because this gets created in
the initial phases of NixOS startup.

However with the recent move from manual preStart chown scripts to
systemd.tmpfiles.rules in 062efe0 (NixOS#59389),
this chown is suddenly running unconditionally at every system
activation, therefore triggering the above error.
@infinisil infinisil mentioned this pull request Jul 24, 2019
Merged
10 tasks
@aanderse
Copy link
Member Author

aanderse commented Sep 3, 2019

@volth That is unfortunate. Sorry for the inconvenience. Given what you said I believe the fix should be to add an additional entry to systemd.tmpfiles.rules: "Z '${cfg.dataDir}' 0700 zookeeper - - -".

If you would be willing to test that would be appreciated.

@aanderse aanderse mentioned this pull request Sep 3, 2019
Merged
10 tasks
@infinisil infinisil mentioned this pull request Aug 7, 2020
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flokli flokli flokli approved these changes

@infinisil infinisil infinisil approved these changes

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@aanderse @flokli @infinisil @GrahamcOfBorg