nixos/opensearch: Use DynamicUser and StateDirectory by default

...but still allow for setting `dataDir` to a custom path. This gets rid of the use of the deprecated option PermissionsStartOnly. Also, add the ability to customize user and group, since that could be useful with a custom `dataDir`.
2023-02-15 16:11:39 +01:00 · 2023-02-15 16:11:39 +01:00 · 9e9007e45f
commit 9e9007e45f
parent 8b84a720e8
4 changed files with 147 additions and 80 deletions
--- a/nixos/modules/services/search/opensearch.nix
+++ b/nixos/modules/services/search/opensearch.nix
@ -9,6 +9,9 @@ let

  configDir = cfg.dataDir + "/config";

+  usingDefaultDataDir = cfg.dataDir == "/var/lib/opensearch";
+  usingDefaultUserAndGroup = cfg.user == "opensearch" && cfg.group == "opensearch";
+
  opensearchYml = settingsFormat.generate "opensearch.yml" cfg.settings;

  loggingConfigFilename = "log4j2.properties";
@ -20,9 +23,9 @@ in
 {

  options.services.opensearch = {
-    enable = mkEnableOption (lib.mdDoc "Whether to enable OpenSearch.");
+    enable = mkEnableOption (lib.mdDoc "OpenSearch");

-    package = lib.mkPackageOptionMD pkgs "OpenSearch package to use." {
+    package = lib.mkPackageOptionMD pkgs "OpenSearch" {
      default = [ "opensearch" ];
    };

@ -99,13 +102,37 @@ in
    dataDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/opensearch";
+      apply = converge (removeSuffix "/");
      description = lib.mdDoc ''
-        Data directory for opensearch.
+        Data directory for OpenSearch. If you change this, you need to
+        manually create the directory. You also need to create the
+        `opensearch` user and group, or change
+        [](#opt-services.opensearch.user) and
+        [](#opt-services.opensearch.group) to existing ones with
+        access to the directory.
+      '';
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "opensearch";
+      description = lib.mdDoc ''
+        The user OpenSearch runs as. Should be left at default unless
+        you have very specific needs.
+      '';
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "opensearch";
+      description = lib.mdDoc ''
+        The group OpenSearch runs as. Should be left at default unless
+        you have very specific needs.
      '';
    };

    extraCmdLineOptions = lib.mkOption {
-      description = lib.mdDoc "Extra command line options for the opensearch launcher.";
+      description = lib.mdDoc "Extra command line options for the OpenSearch launcher.";
      default = [ ];
      type = lib.types.listOf lib.types.str;
    };
@ -142,69 +169,76 @@ in
        OPENSEARCH_PATH_CONF = configDir;
      };
      serviceConfig = {
+        ExecStartPre =
+          let
+            startPreFullPrivileges = ''
+              set -o errexit -o pipefail -o nounset -o errtrace
+              shopt -s inherit_errexit
+            '' + (optionalString (!config.boot.isContainer) ''
+              # Only set vm.max_map_count if lower than ES required minimum
+              # This avoids conflict if configured via boot.kernel.sysctl
+              if [ $(${pkgs.procps}/bin/sysctl -n vm.max_map_count) -lt 262144 ]; then
+                ${pkgs.procps}/bin/sysctl -w vm.max_map_count=262144
+              fi
+            '');
+            startPreUnprivileged = ''
+              set -o errexit -o pipefail -o nounset -o errtrace
+              shopt -s inherit_errexit
+
+              # Install plugins
+              ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib
+              ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules
+
+              # opensearch needs to create the opensearch.keystore in the config directory
+              # so this directory needs to be writable.
+              mkdir -p ${configDir}
+              chmod 0700 ${configDir}
+
+              # Note that we copy config files from the nix store instead of symbolically linking them
+              # because otherwise X-Pack Security will raise the following exception:
+              # java.security.AccessControlException:
+              # access denied ("java.io.FilePermission" "/var/lib/opensearch/config/opensearch.yml" "read")
+
+              cp ${opensearchYml} ${configDir}/opensearch.yml
+
+              # Make sure the logging configuration for old OpenSearch versions is removed:
+              rm -f "${configDir}/logging.yml"
+              cp ${loggingConfigFile} ${configDir}/${loggingConfigFilename}
+              mkdir -p ${configDir}/scripts
+              cp ${cfg.package}/config/jvm.options ${configDir}/jvm.options
+
+              # redirect jvm logs to the data directory
+              mkdir -p ${cfg.dataDir}/logs
+              chmod 0700 ${cfg.dataDir}/logs
+              sed -e '#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options
+            '';
+          in [
+            "+${pkgs.writeShellScript "opensearch-start-pre-full-privileges" startPreFullPrivileges}"
+            "${pkgs.writeShellScript "opensearch-start-pre-unprivileged" startPreUnprivileged}"
+          ];
+        ExecStartPost = pkgs.writeShellScript "opensearch-start-post" ''
+          set -o errexit -o pipefail -o nounset -o errtrace
+          shopt -s inherit_errexit
+
+          # Make sure opensearch is up and running before dependents
+          # are started
+          while ! ${pkgs.curl}/bin/curl -sS -f http://${cfg.settings."network.host"}:${toString cfg.settings."http.port"} 2>/dev/null; do
+            sleep 1
+          done
+        '';
        ExecStart = "${cfg.package}/bin/opensearch ${toString cfg.extraCmdLineOptions}";
-        User = "opensearch";
-        Group = "opensearch";
-        StateDirectory = cfg.dataDir;
-        StateDirectoryMode = "0700";
-        PermissionsStartOnly = true;
+        User = cfg.user;
+        Group = cfg.group;
        LimitNOFILE = "1024000";
        Restart = "always";
        TimeoutStartSec = "infinity";
-      };
-      preStart = optionalString (!config.boot.isContainer) ''
-        # Only set vm.max_map_count if lower than ES required minimum
-        # This avoids conflict if configured via boot.kernel.sysctl
-        if [ $(${pkgs.procps}/bin/sysctl -n vm.max_map_count) -lt 262144 ]; then
-          ${pkgs.procps}/bin/sysctl -w vm.max_map_count=262144
-        fi
-     '' + ''
-        mkdir -m 0700 -p ${cfg.dataDir}
-
-        # Install plugins
-        ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib
-        ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules
-
-        # opensearch needs to create the opensearch.keystore in the config directory
-        # so this directory needs to be writable.
-        mkdir -m 0700 -p ${configDir}
-
-        # Note that we copy config files from the nix store instead of symbolically linking them
-        # because otherwise X-Pack Security will raise the following exception:
-        # java.security.AccessControlException:
-        # access denied ("java.io.FilePermission" "/var/lib/opensearch/config/opensearch.yml" "read")
-
-        cp ${opensearchYml} ${configDir}/opensearch.yml
-        # Make sure the logging configuration for old opensearch versions is removed:
-        rm -f "${configDir}/logging.yml"
-        cp ${loggingConfigFile} ${configDir}/${loggingConfigFilename}
-        mkdir -p ${configDir}/scripts
-        cp ${cfg.package}/config/jvm.options ${configDir}/jvm.options
-        # redirect jvm logs to the data directory
-        mkdir -m 0700 -p ${cfg.dataDir}/logs
-        sed -e '#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options \
-
-        if [ "$(id -u)" = 0 ]; then chown -R opensearch:opensearch ${cfg.dataDir}; fi
-      '';
-      postStart = ''
-        # Make sure opensearch is up and running before dependents
-        # are started
-        while ! ${pkgs.curl}/bin/curl -sS -f http://${cfg.settings."network.host"}:${toString cfg.settings."http.port"} 2>/dev/null; do
-          sleep 1
-        done
-      '';
+        DynamicUser = usingDefaultUserAndGroup && usingDefaultDataDir;
+      } // (optionalAttrs (usingDefaultDataDir) {
+        StateDirectory = "opensearch";
+        StateDirectoryMode = "0700";
+      });
    };

    environment.systemPackages = [ cfg.package ];
-
-    users = {
-      groups.opensearch = {};
-      users.opensearch = {
-        description = "OpenSearch daemon user";
-        home = cfg.dataDir;
-        group = "opensearch";
-        isSystemUser = true;
-      };
-    };
  };
 }
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -490,7 +490,7 @@ in {
  ombi = handleTest ./ombi.nix {};
  openarena = handleTest ./openarena.nix {};
  openldap = handleTest ./openldap.nix {};
-  opensearch = handleTest ./opensearch.nix {};
+  opensearch = discoverTests (import ./opensearch.nix);
  openresty-lua = handleTest ./openresty-lua.nix {};
  opensmtpd = handleTest ./opensmtpd.nix {};
  opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {};
--- a/nixos/tests/opensearch.nix
+++ b/nixos/tests/opensearch.nix
@ -1,19 +1,52 @@
-import ./make-test-python.nix ({ pkgs, ... }: {
-  name = "opensearch";
-  meta.maintainers = with pkgs.lib.maintainers; [ shyim ];
+let
+  opensearchTest =
+    import ./make-test-python.nix (
+      { pkgs, lib, extraSettings ? {} }: {
+        name = "opensearch";
+        meta.maintainers = with pkgs.lib.maintainers; [ shyim ];

-  nodes.machine = {
-    virtualisation.memorySize = 2048;
-    services.opensearch.enable = true;
+        nodes.machine = lib.mkMerge [
+          {
+            virtualisation.memorySize = 2048;
+            services.opensearch.enable = true;
+          }
+          extraSettings
+        ];
+
+        testScript = ''
+          machine.start()
+          machine.wait_for_unit("opensearch.service")
+          machine.wait_for_open_port(9200)
+
+          machine.succeed(
+              "curl --fail localhost:9200"
+          )
+        '';
+      });
+in
+{
+  opensearch = opensearchTest {};
+  opensearchCustomPathAndUser = opensearchTest {
+    extraSettings = {
+      services.opensearch.dataDir = "/var/opensearch_test";
+      services.opensearch.user = "open_search";
+      services.opensearch.group = "open_search";
+      system.activationScripts.createDirectory = {
+        text = ''
+          mkdir -p "/var/opensearch_test"
+          chown open_search:open_search /var/opensearch_test
+          chmod 0700 /var/opensearch_test
+        '';
+        deps = [ "users" "groups" ];
+      };
+      users = {
+        groups.open_search = {};
+        users.open_search = {
+          description = "OpenSearch daemon user";
+          group = "open_search";
+          isSystemUser = true;
+        };
+      };
+    };
  };
-
-  testScript = ''
-    machine.start()
-    machine.wait_for_unit("opensearch.service")
-    machine.wait_for_open_port(9200)
-
-    machine.succeed(
-        "curl --fail localhost:9200"
-    )
-  '';
-})
+}
--- a/pkgs/servers/search/opensearch/default.nix
+++ b/pkgs/servers/search/opensearch/default.nix
@ -42,7 +42,7 @@ stdenvNoCC.mkDerivation rec {
    runHook postInstall
  '';

-  passthru.tests = { inherit (nixosTests) opensearch; };
+  passthru.tests = nixosTests.opensearch;

  meta = {
    description = "Open Source, Distributed, RESTful Search Engine";