Dante improvements #39005

Merged
merged 3 commits into from Apr 26, 2018

abbradar
Member

Motivation for this change

Continuation on https://www.theverge.com/2018/4/13/17233112/russia-telegram-ban-court-ruling

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

cc @Shados

Add PAM, SASL and UPnP support.
@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: dante

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: dante

shrinking /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/lib/libdsocks.so
shrinking /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/lib/libsocks.so.0.1.1
gzipping man pages under /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/share/man/
strip is /nix/store/j7d4mr0ikv974ig7yzhknpsq288js4bs-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/lib  /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/bin  /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/sbin
patching script interpreter paths in /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2
/nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/bin/socksify: interpreter directive changed from "/bin/sh -" to "/nix/store/adw9jx59wnrh5659wz43nbjya3m4b3gl-bash-4.4-p19/bin/sh -"
checking for references to /build in /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2...
moving /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/sbin/* to /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/bin
/nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: dante

/nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2

@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: dante

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: dante

shrinking /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/lib/libdsocks.so
shrinking /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/sbin/sockd
gzipping man pages under /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/share/man/
strip is /nix/store/j75dgadrff2d1fyc4fczmcgqkid2imdx-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/lib  /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/bin  /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/sbin
patching script interpreter paths in /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2
/nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/bin/socksify: interpreter directive changed from "/bin/sh -" to "/nix/store/xn5gv3lpfy91yvfy9b0i7klfcxh9xskz-bash-4.4-p19/bin/sh -"
checking for references to /build in /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2...
moving /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/sbin/* to /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/bin
/nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2

@Shados
Member

Shados commented Apr 17, 2018

@abbradar why remove Restart = "always";? In my experience using dante, it catches some corner cases with ephemeral failures, and systemd will still stop attempting restarts if too many occur in too short a timespan (5 in 10 seconds by default).

@peterhoeg
Member

Also, can we run with DynamicUser = true; and then avoid having it try to drop permissions on its own?

@abbradar
Member Author

@Shados Ah, so it really can abruptly stop? I should have asked before making the change -- can you give an example so that we put it into comments and someone won't try to change it again?

@peterhoeg Dante has some parts which run as a privileged user, namely the PAM authentication module.

@Shados
Member

Shados commented Apr 17, 2018

@abbradar Sorry, I don't remember the specific issues I ran into, and I can't check my non-existent logs; because I'm using it as part of a micro-VPN service I run for a few mates, I have logging for it disabled unless I'm actively looking into some problem.

@abbradar
Member Author

@Shados Got that; I'll just make a generic comment then.

@abbradar
Member Author

@Shados Given that you have disabled logs for it, logoutput by default would also create a problem, correct?

FWIW my instance doesn't log anything apart from "started up" and messages from PAM about successful authorizations.

@Shados
Member

Shados commented Apr 17, 2018

@abbradar No, having logoutput on by default is fine, because (as you noted) dante won't log anything other than startup unless you explicitly define log levels for specific things in the configuration.

@Mic92
Member

Mic92 commented Apr 17, 2018

There is also Restart=on-abnormal or Restart=on-failure. I don't see why a service that exits normally should be restarted: https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart=

@abbradar
Member Author

Pushed an update to only restart on failure with a comment.

Normal exit code shouldn't result in a restart.
Log to journald via syslog by default; also improve option type.
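
The restart behaviour debated above (Restart=always versus on-failure or on-abnormal, and the default start limit of 5 in 10 seconds), as an added example that is not part of the original thread, the nixpkgs change or systemd itself: a simplified Python model that replays constructed exit events. It assumes restarts happen immediately (RestartSec is ignored); the names `RESTART_ON`, `StartLimit` and `replay` are hypothetical.

```python
# Added illustration: a simplified model of systemd restart handling.
# Not systemd code and not part of the nixpkgs change.

# Which exit causes trigger a restart, per the Restart= table in systemd.service(5).
RESTART_ON = {
    "no": set(),
    "always": {"clean", "unclean-exit", "unclean-signal", "timeout", "watchdog"},
    "on-failure": {"unclean-exit", "unclean-signal", "timeout", "watchdog"},
    "on-abnormal": {"unclean-signal", "timeout", "watchdog"},
}


class StartLimit:
    """Fixed-window start counter (defaults: 5 starts per 10 seconds)."""

    def __init__(self, burst=5, interval=10.0):
        self.burst, self.interval = burst, interval
        self.begin, self.count = None, 0

    def allow(self, now):
        if self.begin is None or now - self.begin > self.interval:
            self.begin, self.count = now, 0  # window expired: open a new one
        if self.count >= self.burst:
            return False  # too many starts inside the current window
        self.count += 1
        return True


def replay(policy, exits, burst=5, interval=10.0):
    """Replay (time, cause) exit events; return (final_state, starts_performed)."""
    limit = StartLimit(burst, interval)
    limit.allow(0.0)  # the initial start at t=0 counts against the limit too
    starts = 1
    for when, cause in exits:
        if cause not in RESTART_ON[policy]:
            return ("inactive" if cause == "clean" else "failed"), starts
        if not limit.allow(when):
            return "failed (start-limit-hit)", starts
        starts += 1
    return "running", starts


# Constructed samples: a tight crash loop, rare crashes, and one clean shutdown.
CRASH_LOOP = [(t, "unclean-exit") for t in (1.0, 2.0, 3.0, 4.0, 5.0, 6.0)]
RARE_CRASHES = [(t, "unclean-exit") for t in (12.0, 24.0, 36.0, 48.0)]
CLEAN_STOP = [(30.0, "clean")]
```

With on-failure, the rare crashes are all recovered and the crash loop stops at the start limit, while a clean exit leaves the service stopped; with always, the clean exit is restarted as well.
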
@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: dante

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: dante

shrinking /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/lib/libdsocks.so
shrinking /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/lib/libsocks.so.0.1.1
gzipping man pages under /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/share/man/
strip is /nix/store/j75dgadrff2d1fyc4fczmcgqkid2imdx-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/lib  /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/bin  /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/sbin
patching script interpreter paths in /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2
/nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/bin/socksify: interpreter directive changed from "/bin/sh -" to "/nix/store/xn5gv3lpfy91yvfy9b0i7klfcxh9xskz-bash-4.4-p19/bin/sh -"
checking for references to /build in /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2...
moving /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/sbin/* to /nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2/bin
/nix/store/frj79lydajw4ivqc9adf781688mky754-dante-1.4.2

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: dante

shrinking /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/lib/libdsocks.so
shrinking /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/lib/libsocks.so.0.1.1
gzipping man pages under /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/share/man/
strip is /nix/store/j7d4mr0ikv974ig7yzhknpsq288js4bs-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/lib  /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/bin  /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/sbin
patching script interpreter paths in /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2
/nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/bin/socksify: interpreter directive changed from "/bin/sh -" to "/nix/store/adw9jx59wnrh5659wz43nbjya3m4b3gl-bash-4.4-p19/bin/sh -"
checking for references to /build in /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2...
moving /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/sbin/* to /nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2/bin
/nix/store/izy08nfjja0v2pib2qx2p6gfbraramvb-dante-1.4.2

@abbradar
Member Author

Merging this in several days if no problems are found.

@abbradar abbradar merged commit b827307 into NixOS:master Apr 26, 2018