glusterfs: add service #22225
glusterfs: add service #22225
Conversation
There was a problem hiding this comment.
I don't know how strict our style enforcement is but there is a lot more whitespace then I am used to seeing. For example opening brace of set on the same line as the last code.
{ config, lib, pkgs, ... }:
with lib;
let
...
in {Looks good to me otherwise though.
|
The steucture was taken from the IPFS module and thats also where the style comes from. |
|
Most modules in the Any other concernes? |
This service is only limited in configuration options. But it is sufficient to run glusterd and configure it using the gluster command
bachp
force-pushed
the
glusterfs-service
branch
from
50556f0
to
ff3f339
Compare
|
I rerbased it on master. |
|
No other concerns. I'm happy with it. |
|
Is it feasible to constrain the daemon a bit or does it need to run with full root capabilities? |
|
I didn't find distro where gluster isn't running as root. I haven't tried it tough. |
|
Looking more into glusterfs, I get the impression that you wouldn't ordinarily deploy it on a desktop or anywhere with direct access to the external network, so it's not that much of a concern that it runs unconstrained. |
|
I did some digging and I couldn't get gluster running as non root. The main reason as stated here is that gluster uses the underlying filesystem to store ACL etc. So it needs to be able to create and delete files as any user. Further it is also required to disable the firewall or at least open a port range as gluster doesn't only use some fixed ports. |
|
I see. If it needs root only to perform file operations as any user, it ought to be possible to limit the capabilities somewhat at least, but, again, only bother if it's likely to be deployed on anything but a dedicated closed-off system. |
|
@joachifm It's unlikely. It is mostly used in a closed environment with fast interconnects. |
| config = mkIf cfg.enable { | ||
| environment.systemPackages = [ pkgs.glusterfs ]; | ||
|
|
||
| services.rpcbind.enable = true; |
There was a problem hiding this comment.
Note rpcbind is not necessarily something you want to have running unless you need to use NFS. I filed an issue about this upstream here, hopefully soon the dependency on rpcbind will be removed.
There was a problem hiding this comment.
Thanks for the input. I think NFS could be added as an option (disabled by default) and this can be used to determine if rpcbind should be started.
…mon. See also NixOS#22225 (review) (cherry picked from commit bd54b72)
…mon. See also #22225 (review) (cherry picked from commit bd54b72)
Motivation for this change
Run GlusterFS as a service and allow to mount GlusterFS volumes via configuration.nix
Fixes #9877
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"