glusterfs: add service #22225
I don't know how strict our style enforcement is, but there is a lot more whitespace than I am used to seeing. For example, the opening brace of the set on the same line as the last code:
{ config, lib, pkgs, ... }:
with lib;
let
...
in {
Looks good to me otherwise though.
The structure was taken from the IPFS module and that's also where the style comes from.
Most modules in the
Any other concerns?
This service is only limited in configuration options, but it is sufficient to run glusterd and configure it using the gluster command.
50556f0 to ff3f339
I rebased it on master.
No other concerns. I'm happy with it.
Is it feasible to constrain the daemon a bit or does it need to run with full root capabilities?
I didn't find a distro where gluster isn't running as root. I haven't tried it though.
Looking more into glusterfs, I get the impression that you wouldn't ordinarily deploy it on a desktop or anywhere with direct access to the external network, so it's not that much of a concern that it runs unconstrained.
I did some digging and I couldn't get gluster running as non-root. The main reason, as stated here, is that gluster uses the underlying filesystem to store ACLs etc., so it needs to be able to create and delete files as any user. Further, it is also required to disable the firewall or at least open a port range, as gluster doesn't only use some fixed ports.
I see. If it needs root only to perform file operations as any user, it ought to be possible to limit the capabilities somewhat at least, but, again, only bother if it's likely to be deployed on anything but a dedicated closed-off system.
@joachifm It's unlikely. It is mostly used in a closed environment with fast interconnects.
config = mkIf cfg.enable {
  environment.systemPackages = [ pkgs.glusterfs ];

  services.rpcbind.enable = true;
Note rpcbind is not necessarily something you want to have running unless you need to use NFS. I filed an issue about this upstream here, hopefully soon the dependency on rpcbind will be removed.
Thanks for the input. I think NFS could be added as an option (disabled by default), and this can be used to determine whether rpcbind should be started.
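The gating the comment above proposes, written out as an added NixOS module fragment (this is not code from the PR or from nixpkgs; the option name `services.glusterfs.nfs.enable` is an assumption, and the glusterd systemd unit itself is left out because the point is only how rpcbind is switched on). `mkIf` on the `true` value means the module only asserts rpcbind when the NFS path is wanted and does not fight another module that enables rpcbind for its own reasons:

```nix
# Added example (not the PR's code): start rpcbind only when the GlusterFS
# NFS server is in use. Option name services.glusterfs.nfs.enable is assumed.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.glusterfs;
in {
  options.services.glusterfs = {
    enable = mkEnableOption "GlusterFS daemon (glusterd)";

    nfs.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether volumes are exported over the built-in NFS server.
        Only this path needs rpcbind; FUSE mounts do not.
      '';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.glusterfs ];

    # Assert rpcbind only for the NFS case. Using `mkIf ... true` instead of
    # `services.rpcbind.enable = cfg.nfs.enable;` avoids setting it to false
    # here, which would conflict with any other module that needs rpcbind.
    services.rpcbind.enable = mkIf cfg.nfs.enable true;
  };
}
```

With the default `nfs.enable = false`, enabling `services.glusterfs` no longer pulls in rpcbind, which removes the extra listening service from hosts that only use FUSE mounts.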
…mon. See also NixOS#22225 (review) (cherry picked from commit bd54b72)
Motivation for this change
Run GlusterFS as a service and allow mounting GlusterFS volumes via configuration.nix.
Fixes #9877
Things done
(nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
nix-shell -p nox --run "nox-review wip"