nixos/nfs: allow setting the path to krb5.keytab #29581
Conversation
| # started. | ||
| sed -i -E "s,($out)?/etc/krb5.keytab,${keytabPath},g" \ | ||
| $out/etc/systemd/system/rpc-gssd.service \ | ||
| $out/etc/systemd/system/auth-rpcgss-module.service \ |
There was a problem hiding this comment.
it is also possible to just override default values in the service in module itself, example:
# the first empty string will reset ConditionsExists, so it can be assigned a new value
systemd.services.rpc-gssd.unitConfig.ConditionExists = [ ""
"/etc/krb5.keytab"
];
That way recompilation is not necessary. This is untested and only based on past experience. Let me know, if it does not work.
There was a problem hiding this comment.
@Mic92 thanks, I'll give that a try!
There was a problem hiding this comment.
Unfortunately it doesn't work:
eqyiel@ayanami ~ % systemctl status rpc-gssd
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/etc/systemd/system/rpc-gssd.service; enabled; vendor preset: enabled)
Drop-In: /nix/store/ds1y652m46301r7xck8ls3d527whi723-system-units/rpc-gssd.service.d
└─overrides.conf
Active: inactive (dead) since Wed 2017-09-20 20:13:19 ACST; 2min 46s ago
Condition: start condition failed at Wed 2017-09-20 20:14:30 ACST; 1min 35s ago
└─ ConditionPathExists=/nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/etc/krb5.keytab was not met
Main PID: 747 (code=exited, status=0/SUCCESS)
That override does contain the correct path, but it doesn't seem to be used:
eqyiel@ayanami ~ % cat /nix/store/ds1y652m46301r7xck8ls3d527whi723-system-units/rpc-gssd.service.d/overrides.conf
[Unit]
ConditionPathExists=/etc/krb5.keytab
X-Restart-Triggers=/nix/store/5pgzyknq6bf809003kc5v0qcxqz7gzlg-nfs.conf
[Service]
Environment="LOCALE_ARCHIVE=/nix/store/x36zk6cx0xi71593vkk4wski2vbg3sln-glibc-locales-2.25-49/lib/locale/locale-archive"
Environment="PATH=/nix/store/v3mhywkcj5vycgclmf2j8zlpbayvxndk-coreutils-8.28/bin:/nix/store/simjpbiksmvvg2xa25v65g5hk2sr014n-findutils-4.6.0/bin:/nix/store/dlk67w96zmbh4gxi72vkxdh4pm8xdb7j-gnugrep-3.1/bin:/nix/store/c4halcrqi0dbjjd6i9av69z5brgav3pz-gnused-4.4/bin:/nix/store/xk66kbaqg4l72xpyxprwhm35dz8mzm1d-systemd-234/bin:/nix/store/v3mhywkcj5vycgclmf2j8zlpbayvxndk-coreutils-8.28/sbin:/nix/store/simjpbiksmvvg2xa25v65g5hk2sr014n-findutils-4.6.0/sbin:/nix/store/dlk67w96zmbh4gxi72vkxdh4pm8xdb7j-gnugrep-3.1/sbin:/nix/store/c4halcrqi0dbjjd6i9av69z5brgav3pz-gnused-4.4/sbin:/nix/store/xk66kbaqg4l72xpyxprwhm35dz8mzm1d-systemd-234/sbin"
Environment="TZDIR=/nix/store/ghziaza6fy9x74b9pnlc4zv8bc4cy8p2-tzdata-2016j/share/zoneinfo"
There was a problem hiding this comment.
I would much prefer to configure it this way if it were possible though.
Currently the `rpc-gssd.service` has a `ConditionPathExists` clause that can never be met, because it's looking for stateful data inside `/nix/store`. `auth-rpcgss-module.service` also only starts if this file exists. Fixes NixOS#29509.
| systemd.services.rpc-gssd = | ||
| { restartTriggers = [ nfsConfFile ]; | ||
| unitConfig.ConditionPathExists = [ "" "/etc/krb5.keytab" ]; |
There was a problem hiding this comment.
The following works for me:
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/nix/store/xi3w0cb8jrjw6kz136nljd8ayyh7zjyh-nfs-utils-2.1.1/etc/systemd/system/rpc-gssd.service; enabled; vendor preset: enabled)
Drop-In: /nix/store/l5rpm0alkscccj92rj9iv8s6slgwl7ia-system-units/rpc-gssd.service.d
└─overrides.conf
Active: active (running) since Wed 2017-09-20 15:30:24 BST; 6min ago
Main PID: 8241 (rpc.gssd)
Tasks: 1 (limit: 4915)
Memory: 1.0M
CPU: 5ms
CGroup: /system.slice/rpc-gssd.service
└─8241 /nix/store/xi3w0cb8jrjw6kz136nljd8ayyh7zjyh-nfs-utils-2.1.1/bin/rpc.gssd
There was a problem hiding this comment.
I don't understand what I'm doing wrong here, because it definitely doesn't work for me after fetching this revised PR locally: https://gist.github.com/eqyiel/c77454e9bae4ef518d3fdc4e2aa88be6
What commit is your nixos based off?
I'm running off nixos-unstable of a week or so ago plus a few other unrelated changes:
commit 4e5f2a4d160ac0dfdf57644e583b6f34c0ff4a38 (HEAD)
Author: Ruben Maher <r@rkm.id.au>
Date: Mon Sep 18 19:12:40 2017 +0930
nfs-utils: set /etc/krb5.keytab as default path for rpc-gssd
Currently the `rpc-gssd.service` has a `ConditionPathExists` clause that can
never be met, because it's looking for stateful data inside `/nix/store`.
`auth-rpcgss-module.service` also only starts if this file exists.
Fixes NixOS/nixpkgs#29509.
commit 47bb274a1bb41d77af5800babbeea057c125d7df
Author: Ruben Maher <r@rkm.id.au>
Date: Sat Sep 16 12:45:33 2017 +0930
network-manager-applet: 1.4.6 -> 1.8.2
Make `network-manager-applet` version match `network-manager` version.
Ref: https://github.com/NixOS/nixpkgs/pull/29375#issuecomment-329923662
commit 4886c7b7b52792167b76adb52591df1c12ae35a8
Author: Bastian Köcher <git@kchr.de>
Date: Thu Sep 14 15:53:39 2017 +0200
network-manager: 1.6.2 -> 1.8.2
commit 5b91f125aa58fb0243c8e7a5f9f8c06254490f16
Author: Bastian Köcher <git@kchr.de>
Date: Thu Sep 14 14:32:08 2017 +0200
mailnag: 1.1.0 -> 1.2.1
commit 49446109035a8e041dcd57759af3226ab9b0337d
Author: Peter Simons <simons@cryp.to>
Date: Thu Sep 14 14:53:47 2017 +0200
haskell-cryptol: override happy to older version to fix the build
There was a problem hiding this comment.
You are just looking at the original file. The override goes to different directory.
What is the output of: systemctl cat rpc-gssd.service after switch?
There was a problem hiding this comment.
@Mic92 it's in that gist as well, but here:
eqyiel@ayanami ~/git/personal/dotfiles/lib/nixpkgs (git)-[4e5f2a4...] % systemctl cat rpc-gssd
# /nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/etc/systemd/system/rpc-gssd.service
[Unit]
Description=RPC security service for NFS client and server
DefaultDependencies=no
Conflicts=umount.target
Requires=var-lib-nfs-rpc_pipefs.mount
After=var-lib-nfs-rpc_pipefs.mount
ConditionPathExists=/nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/etc/krb5.keytab
PartOf=nfs-utils.service
[Service]
Type=forking
ExecStart=/nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/bin/rpc.gssd
# /nix/store/g1p37g8cwy8iw5c31f24dfya1lfqblva-system-units/rpc-gssd.service.d/overrides.conf
[Unit]
ConditionPathExists=/etc/krb5.keytab
X-Restart-Triggers=/nix/store/5pgzyknq6bf809003kc5v0qcxqz7gzlg-nfs.conf
[Service]
Environment="LOCALE_ARCHIVE=/nix/store/x36zk6cx0xi71593vkk4wski2vbg3sln-glibc-locales-2.25-49/lib/locale/locale-archive"
Environment="PATH=/nix/store/v3mhywkcj5vycgclmf2j8zlpbayvxndk-coreutils-8.28/bin:/nix/store/simjpbiksmvvg2xa25v65g5hk2sr014n-findutils-4.6.0/bin:/nix/store/dlk67w96zmbh4gxi72vkxdh4pm8xdb7j-gnugrep-3.1/bin:/nix/s
Environment="TZDIR=/nix/store/ghziaza6fy9x74b9pnlc4zv8bc4cy8p2-tzdata-2016j/share/zoneinfo"
The problem I think is that it doesn't replace the existing ConditionPathExists, but appends to it. man systemd.unit doesn't say specifically that if you use ConditionPathExists mutliple times that the conditions will be AND-ed, but it does say:
If multiple conditions are specified, the unit will be executed if all of them apply (i.e. a logical AND is applied).
There was a problem hiding this comment.
That doesn't explain why it's not failing for you though. 😬
There was a problem hiding this comment.
I am not aware of systemd module changes since then.
There was a problem hiding this comment.
@Mic92 thanks, I'll investigate your fork as soon as I get a chance.
There was a problem hiding this comment.
Oh, @Mic92 when I built your fork and it still didn't work I realised it was because I had this line in configuration.nix:
systemd.services.rpc-gssd.unitConfig.ConditionPathExists = lib.mkForce "/etc/krb5.keytab";
Which was clobbering your solution.
I don't understand why the first empty string resets ConditionPathExists, but your solution works for me:
eqyiel@ayanami ~ % systemctl cat rpc-gssd
# /nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/etc/systemd/system/rpc-gssd.service
[Unit]
Description=RPC security service for NFS client and server
DefaultDependencies=no
Conflicts=umount.target
Requires=var-lib-nfs-rpc_pipefs.mount
After=var-lib-nfs-rpc_pipefs.mount
ConditionPathExists=/nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/etc/krb5.keytab
PartOf=nfs-utils.service
[Service]
Type=forking
ExecStart=/nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/bin/rpc.gssd
# /nix/store/5k85as002j1bbjb74lxvlixqr9mhbqsc-system-units/rpc-gssd.service.d/overrides.conf
[Unit]
ConditionPathExists=
ConditionPathExists=/etc/krb5.keytab
X-Restart-Triggers=/nix/store/5pgzyknq6bf809003kc5v0qcxqz7gzlg-nfs.conf
[Service]
Environment="LOCALE_ARCHIVE=/nix/store/x36zk6cx0xi71593vkk4wski2vbg3sln-glibc-locales-2.25-49/lib/locale/locale-archive"
Environment="PATH=/nix/store/v3mhywkcj5vycgclmf2j8zlpbayvxndk-coreutils-8.28/bin:/nix/store/simjpbiksmvvg2xa25v65g5hk2sr014n-findutils-4.6.0/bin:/nix/store/dlk67w96zmbh4gxi72vkxdh4pm8xdb7j-gnugrep-3.1/bin:/nix/s
Environment="TZDIR=/nix/store/ghziaza6fy9x74b9pnlc4zv8bc4cy8p2-tzdata-2016j/share/zoneinfo"
eqyiel@ayanami ~ % systemctl status rpc-gssd
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/etc/systemd/system/rpc-gssd.service; enabled; vendor preset: enabled)
Drop-In: /nix/store/5k85as002j1bbjb74lxvlixqr9mhbqsc-system-units/rpc-gssd.service.d
└─overrides.conf
Active: active (running) since Fri 2017-09-22 09:28:05 ACST; 6min ago
Process: 744 ExecStart=/nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/bin/rpc.gssd (code=exited, status=0/SUCCESS)
Main PID: 750 (rpc.gssd)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/rpc-gssd.service
└─750 /nix/store/i50nrgfy858ni0lnmr2my8hfi44ybhp0-nfs-utils-2.1.1/bin/rpc.gssd
Sep 22 09:28:05 ayanami.maher.fyi systemd[1]: Starting RPC security service for NFS client and server...
Sep 22 09:28:05 ayanami.maher.fyi systemd[1]: Started RPC security service for NFS client and server.
If you have no other concerns, I would say that this ready to merge. Thank you for your help!
There was a problem hiding this comment.
The reset on empty strings is a feature of systemd to allow overriding default values defined in other files i.e. by upstream service files.
Mic92
added
the
9.needs: port to stable
|
Now that I've had a chance to use this a bit, I realise that the actual keytab path that rpc-gssd will use is configurable using So even if this PR is applied, changing the location of the I will try to do this in a future PR though, I'd like this one to address the fact that it doesn't start at all! |
samueldr
removed
the
9.needs: port to stable
Motivation for this change
Currently the
rpc-gssd.servicehas aConditionPathExistsclause that cannever be met, because it's looking for stateful data inside
/nix/store.auth-rpcgss-module.servicealso only starts if this file exists.Fixes #29509.
Things done
Tested using sandboxing (nix.useSandbox on NixOS, or option
build-use-sandboxinnix.confon non-NixOS)Built on platform(s)
Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
Tested compilation of all pkgs that depend on this change using
nix-shell -p nox --run "nox-review wip"Tested execution of all binary files (usually in
./result/bin/)Fits CONTRIBUTING.md.
Added an argument
keytabPathto thenfs-utilsexpression, which defaults to/etc/krb5.keytab(the path that nfs-utils uses by default)Added a
keytabPathconfiguration option atservices.nfs.keytabPathwhich is passed to thenfs-utilsexpression.At first I tried setting
systemd.services.rpc-gssd.unitConfig.ConditionPathExists = /etc/krb5.keytab;, but it didn't work.I'm not sure this is the best way to do it but it seems to work for me.