New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/dnsdist: init module #37289
nixos/dnsdist: init module #37289
Conversation
No attempt on x86_64-darwin The following builds were skipped because they don't evaluate on x86_64-darwin: dnsdist, powerdns No log is available. |
I also think this should go into 18.03 since the recursor options have been removed from authoritative powerdns server. |
Success on aarch64-linux (full log) Attempted: dnsdist The following builds were skipped because they don't evaluate on aarch64-linux: powerdns Partial log (click to expand)
|
Success on x86_64-linux (full log) Attempted: dnsdist, powerdns Partial log (click to expand)
|
PrivateTmp=true; | ||
PrivateDevices=true; | ||
CapabilityBoundingSet="CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; | ||
ExecStart = "${pkgs.dnsdist}/bin/dnsdist --uid=nobody --gid=nogroup --supervised --disable-syslog --config ${configFile}"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you look into systemd's DynamicUser
instead of nobody? If we run every service as nobody the user separation is undermined.
I'll test that and update pr tomorrow. Should I make that suggestion for
upstream unit as well? They don't set uid or gid in upstream.
Thanks,
Sam
…On Sun, Mar 18, 2018, 04:42 Jörg Thalheim ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In nixos/modules/services/networking/dnsdist.nix
<#37289 (comment)>:
> + };
+
+ config = mkIf config.services.dnsdist.enable {
+ systemd.services.dnsdist = {
+ description = "dnsdist load balancer";
+ wantedBy = [ "multi-user.target" ];
+ after = ["network.target"];
+
+ serviceConfig = {
+ Restart="on-failure";
+ RestartSec="1";
+ StartLimitInterval="0";
+ PrivateTmp=true;
+ PrivateDevices=true;
+ CapabilityBoundingSet="CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ ExecStart = "${pkgs.dnsdist}/bin/dnsdist --uid=nobody --gid=nogroup --supervised --disable-syslog --config ${configFile}";
Can you look into systemd's DynamicUser instead of nobody? If we run
every service as nobody the user separation is undermined.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#37289 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAnvxQqKpcAB25bZSSrjvmhfmfjYn5Yvks5tfh4JgaJpZM4SvBUg>
.
|
@disassembler yes. |
Still interested in this? A dnsdist expression was merged in #38658, though without a service. |
No attempt on aarch64-linux (full log) The following builds were skipped because they don't evaluate on aarch64-linux: powerdns Partial log (click to expand)
|
Success on x86_64-linux (full log) Attempted: powerdns Partial log (click to expand)
|
No attempt on x86_64-darwin (full log) The following builds were skipped because they don't evaluate on x86_64-darwin: powerdns Partial log (click to expand)
|
Motivation for this change
Adds dnsdist which is now the recommended way to run an authoritative and recursor DNS service using powerdns if you need ACL's.
Things done
build-use-sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)