Commit graph

174055 commits

Author SHA1 Message Date
aszlig
dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently, if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late, a few days before the official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have any opposition to late inclusion
into NixOS 19.03 either:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
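A fuller configuration than the snippet in the commit message above, as an added example rather than code from the pull request: it confines a service whose program shells out through /bin/sh (which the commit message says is provided by default) and pulls the programs that shell-out needs into the chroot with confinement.packages, since they are not in the closure of the ExecStart binary itself. The `myservice` script, user and group are placeholders; `users.*`, `path` and the `serviceConfig` hardening directives are ordinary NixOS/systemd options and not part of the confinement module. Listing coreutils and gnugrep in `confinement.packages` explicitly is an assumption made here; the commit message does not say whether packages from the `path` option are picked up automatically.

```nix
{ config, pkgs, lib, ... }:

let
  # Placeholder program standing in for pkgs.myservice (assumption).
  # It runs a shell pipeline via PATH lookup, so the chroot needs
  # /bin/sh (provided by default) plus coreutils and gnugrep, none of
  # which are in the runtime closure of this script on their own.
  myservice = pkgs.writeShellScriptBin "myservice" ''
    while true; do
      date | grep -o '[0-9][0-9]:[0-9][0-9]'
      sleep 60
    done
  '';
in
{
  systemd.services.myservice = {
    description = "My Shiny Service (confined)";
    wantedBy = [ "multi-user.target" ];

    # Resolve date/grep/sleep inside the chroot via PATH.
    path = [ pkgs.coreutils pkgs.gnugrep ];

    # Bind-mount the runtime closure of ExecStart* / ExecStop*
    # (and script, preStart, postStart) into a tmpfs root. The default
    # mode also sets up a user namespace and mounts /proc, /sys, /dev.
    confinement.enable = true;

    # Extra store paths to make visible in the chroot: programs that
    # are only reached indirectly (here through /bin/sh) are not part
    # of the ExecStart closure and must be listed explicitly.
    confinement.packages = [ pkgs.coreutils pkgs.gnugrep ];

    serviceConfig = {
      ExecStart = "${myservice}/bin/myservice";

      # A static user: the commit message notes that DynamicUser does
      # not currently work with the tmpfs the confinement sets up.
      User = "myservice";
      Group = "myservice";

      # Ordinary systemd hardening composes with the chroot.
      NoNewPrivileges = true;
      PrivateNetwork = true;
    };
  };

  users.users.myservice = {
    isSystemUser = true;
    group = "myservice";
  };
  users.groups.myservice = { };
}
```

The practical check after deploying is that the service sees only its closure and not the whole store: `nix-store -qR` on the ExecStart binary plus the listed packages should account for every entry visible under /nix/store from inside the unit's mount namespace, whereas a ProtectSystem-based setup exposes the entire store.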
Maximilian Bosch
673c8193cd
Merge pull request #58489 from aanderse/mailcatcher
nixos/mailcatcher: fix test to be compatible with mailcatcher 7.x series
2019-03-29 04:01:02 +01:00
Maximilian Bosch
54e77d51b8
Merge pull request #58503 from geistesk/stellarium-v0.19.0
stellarium: 0.18.3 -> 0.19.0
2019-03-29 03:52:02 +01:00
Jan Tojnar
460d5bc0f7
sublime3-dev: 3184 → 3203
2019-03-28 23:42:52 +01:00
Florian Klink
01ed8f6cab
Merge pull request #58339 from r-ryantm/auto-update/ms-sys
ms-sys: 2.5.3 -> 2.6.0
2019-03-28 23:40:11 +01:00
Graham Christensen
8b261be37f
Revert "sublime3-dev: 3184 → 3203"
This reverts commit 85b69524bf as its
hash is invalid.
2019-03-28 18:30:24 -04:00
Florian Klink
f708c4da17
Merge pull request #58314 from delroth/ghostscript-cve-2019-6116
ghostscript: add patch for CVE-2019-6116
2019-03-28 23:29:36 +01:00
lewo
92e6251c50
Merge pull request #58476 from vdemeester/update-skaffold
skaffold: 0.25.0 -> 0.26.0
2019-03-28 23:16:08 +01:00
Jan Tojnar
85b69524bf
sublime3-dev: 3184 → 3203 2019-03-28 23:09:33 +01:00
Florian Klink
a960f9e0c5
Merge pull request #58438 from dtzWill/update/microcode-20190312
microcodeIntel: 20180807a -> 20190312 (from intel github)
2019-03-28 23:05:05 +01:00
Florian Klink
3d92872a5e
Merge pull request #58333 from r-ryantm/auto-update/matomo
matomo: 3.8.1 -> 3.9.0
2019-03-28 22:54:37 +01:00
Florian Klink
26f19430eb
matomo: 3.9.0 -> 3.9.1
2019-03-28 22:53:13 +01:00
Florian Klink
4ffd3ad4fd
matomo: update url
2019-03-28 22:51:56 +01:00
Silvan Mosberger
1660845954
Merge pull request #58196 from tomfitzhenry/iso-syslinux-serial-consistent
syslinux: change serial bit rate to 115200
2019-03-28 22:51:48 +01:00
Florian Klink
b243d81943
Merge pull request #56453 from averelld/jetbrains-updates
Update jetbrains editors
2019-03-28 22:22:01 +01:00
David Costa
c1f0a14b43
mailcatcher: 0.6.5 -> 0.7.1
2019-03-28 22:06:05 +01:00
Yannis Koutras
3517083062
vscode-extensions.vscodevim.vim: init at 1.2.0 (#58500)
2019-03-28 17:05:36 -04:00
Michael Weiss
009719383c
androidStudioPackages.{dev,canary}: 3.5.0.7 -> 3.5.0.8
2019-03-28 22:03:09 +01:00
Matthew Bauer
45dbb34640
Merge pull request #58472 from thefloweringash/emacs-x-darwin
emacs: only use patchelf on linux
2019-03-28 17:02:21 -04:00
geistesk
5e6273df68
stellarium: 0.18.3 -> 0.19.0
2019-03-28 21:21:54 +01:00
Vladyslav M
0f48e34ee9
Merge pull request #58397 from r-ryantm/auto-update/ngircd
ngircd: 24 -> 25
2019-03-28 22:20:23 +02:00
Florian Klink
aa2878cfcf
Merge pull request #58284 from bgamari/gitlab-rails
nixos/gitlab: Package gitlab-rails
2019-03-28 21:12:15 +01:00
Silvan Mosberger
483654e377
Merge pull request #57326 from r-ryantm/auto-update/mxml
minixml: 2.12 -> 3.0
2019-03-28 21:06:09 +01:00
Silvan Mosberger
9b6c9c5128
Merge pull request #57322 from r-ryantm/auto-update/modsecurity
modsecurity_standalone: 2.9.2 -> 2.9.3
2019-03-28 20:51:01 +01:00
Silvan Mosberger
5e00a4bd5a
Merge pull request #57351 from r-ryantm/auto-update/openvpn
openvpn: 2.4.6 -> 2.4.7
2019-03-28 20:46:55 +01:00
R. RyanTM
f9de74d28c
minixml: 2.12 -> 3.0
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/mxml/versions
2019-03-28 20:45:04 +01:00
Daniel Peebles
d46bf208b6
Merge pull request #58461 from DzmitrySudnik/tf
terraform-providers: bump versions
2019-03-28 15:40:05 -04:00
Silvan Mosberger
b92431831e
Merge pull request #57346 from r-ryantm/auto-update/opaline
opaline: 0.3.1 -> 0.3.2
2019-03-28 20:37:31 +01:00
Silvan Mosberger
c71220c331
Merge pull request #57356 from aepsil0n/bump-kompose-1.18.0
kompose: 1.9.0 -> 1.18.0
2019-03-28 20:19:31 +01:00
Silvan Mosberger
96c286b413
Merge pull request #57362 from r-ryantm/auto-update/phonon-backend-vlc-qt5
libsForQt5.phonon-backend-vlc: 0.10.1 -> 0.10.2
2019-03-28 20:08:48 +01:00
Silvan Mosberger
c76f00f759
Merge pull request #57682 from bkchr/dtc_1_5_0
dtc: 1.4.7 -> 1.5.0
2019-03-28 19:55:04 +01:00
Silvan Mosberger
9d4a6cceb7
Merge pull request #57550 from florianjacob/typed-mysql-options
nixos/mysql: specify option types, add tests
2019-03-28 18:55:53 +01:00
Silvan Mosberger
2b06732781
Merge pull request #57626 from dtzWill/update/cgmanager-0.42
cgmanager: 0.41 -> 0.42
2019-03-28 18:44:56 +01:00
Silvan Mosberger
32d67ef2a9
Merge pull request #58459 from xeji/p/qtikz
qtikz: fix build
2019-03-28 18:40:12 +01:00
Vladyslav M
2dfb25121e
Merge pull request #58440 from dtzWill/update/oxipng-2.2.1
oxipng: 2.2.0 -> 2.2.1
2019-03-28 19:35:23 +02:00
Silvan Mosberger
be2f711342
Merge pull request #58487 from bgamari/gitlab-gitaly-procpc
gitaly: Run gitaly with procps in scope
2019-03-28 18:22:27 +01:00
markuskowa
403aa2dfed
Merge pull request #58180 from luzpaz/gmsh4.2.2
gmsh 4.2.1->4.2.2
2019-03-28 18:11:58 +01:00
Markus Kowalewski
3c19324e2a
octopus: 8.3 -> 8.4
2019-03-28 18:00:41 +01:00
Markus Kowalewski
e52a4ea317
libxc: 4.2.3 -> 4.3.4
2019-03-28 18:00:23 +01:00
Markus Kowalewski
6ea9c0243b
molden: 5.9.3 -> 5.9.5
2019-03-28 17:39:15 +01:00
Ben Gamari
af909b3238
nixos/gitlab: Package gitlab-rails
This utility (particularly `gitlab-rails console`) is packaged by GitLab
Omnibus and is used for diagnostics and maintenance operations.
2019-03-28 11:45:31 -04:00
d10n
37f416a9cd
sublime3: Fix python api locale
2019-03-28 11:41:58 -04:00
lewo
dc3ed336df
Merge pull request #58345 from xtruder/pkgs/dockerTools/pullImage/finalImageName
dockerTools: add finalImageName parameter for pullImage
2019-03-28 16:25:01 +01:00
Averell Dalton
6c011a0f2f
jetbrains-jdk: 152b1248.6 -> 202b1483.37
2019-03-28 16:20:58 +01:00
Aaron Andersen
417da42c02
nixos/mailcatcher: fix test to be compatible with mailcatcher 7.x series
2019-03-28 11:15:20 -04:00
Averell Dalton
9bba3e7835
jetbrains.webstorm: 2018.3.4 -> 2019.1
2019-03-28 15:50:36 +01:00
Averell Dalton
973117496a
jetbrains.pycharm-professional: 2018.3.4 -> 2019.1
2019-03-28 15:50:27 +01:00
Ben Gamari
b90f5f03c2
nixos/gitaly: Run gitaly with procps in scope
Gitaly uses `ps` to track the RSS of `gitlab-ruby` and kills it when it
detects excessive memory leakage. See
https://gitlab.com/gitlab-org/gitaly/issues/1562.
2019-03-28 10:48:51 -04:00
Averell Dalton
70c57c24c4
jetbrains.pycharm-community: 2018.3.4 -> 2019.1
2019-03-28 15:44:20 +01:00
Averell Dalton
a2f6e40cc4
jetbrains.ruby-mine: 2018.3.3 -> 2018.3.5
2019-03-28 15:44:19 +01:00