nixos/systemd: pick more upstream tmpfiles confs #69295

Merged
edolstra merged 1 commit into NixOS:master from mayflower:fix/pick-more-systemd-tmpfiles-examples
Sep 23, 2019

Conversation

fpletz (Member) commented Sep 23, 2019

Motivation for this change

In #68792 it was discovered that /dev/fuse doesn't have
world-read-writeable permissions anymore. The cause of this is that the
tmpfiles examples in systemd were reorganized and split into more files.
We thus lost some of the configuration we were depending on.

In this commit some of the new tmpfiles configurations that are
applicable to us are added, which also makes wtmp/lastlog in the pam
module unnecessary.

Rationale for the new tmpfile configs:

  • journal-nocow.conf: Contains chattr +C for journald logs which
    makes sense on copy-on-write filesystems like Btrfs. Other filesystems
    shouldn't do anything funny when that flag is set.

  • static-nodes-permissions.conf: Contains some permission overrides
    for some device nodes like audio, loop, tun, fuse and kvm.

  • systemd-nspawn.conf: Makes sure /var/lib/machines exists and old
    snapshots are properly removed.

  • systemd-tmp.conf: Removes systemd-service-related private tmp
    folders and temporary coredump files.

  • var.conf: Creates some useful directories in /var which we would
    create anyway at some point. Also includes
    /var/log/{wtmp,btmp,lastlog}.

Fixes #68792.

Things done

Ran systemd & installer tests successfully.

In NixOS#68792 it was discovered that /dev/fuse doesn't have
world-read-writeable permissions anymore. The cause of this is that the
tmpfiles examples in systemd were reorganized and split into more files.
We thus lost some of the configuration we were depending on.

In this commit some of the new tmpfiles configurations that are
applicable to us are added, which also makes wtmp/lastlog in the pam
module unnecessary.

Rationale for the new tmpfile configs:

  - `journal-nocow.conf`: Contains chattr +C for journald logs which
  makes sense on copy-on-write filesystems like Btrfs. Other filesystems
  shouldn't do anything funny when that flag is set.

  - `static-nodes-permissions.conf`: Contains some permission overrides
  for some device nodes like audio, loop, tun, fuse and kvm.

  - `systemd-nspawn.conf`: Makes sure `/var/lib/machines` exists and old
  snapshots are properly removed.

  - `systemd-tmp.conf`: Removes systemd-service-related private tmp
  folders and temporary coredump files.

  - `var.conf`: Creates some useful directories in `/var` which we would
  create anyway at some point. Also includes
  `/var/log/{wtmp,btmp,lastlog}`.

Fixes NixOS#68792.
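The permission-override point in the rationale above (static-nodes-permissions.conf, and the /dev/fuse symptom that motivated the change) is something a defender can check on a running system rather than discover by accident. The following is an added example, not code from nixpkgs or systemd: it parses the subset of tmpfiles.d(5) syntax that such fragments use (`z` permission lines, `d` directory lines, `h` attribute lines) and reports nodes whose observed mode differs from the mode the fragment would set. The sample fragment and the observed modes are constructed for the demonstration and are not the contents of systemd's shipped files; `stat_mode` shows how to feed real `os.stat` results in instead.

```python
"""Audit a tmpfiles.d fragment against observed file modes.

Added example (not code from nixpkgs or systemd). Parses the subset of
tmpfiles.d(5) syntax used by permission fragments such as
static-nodes-permissions.conf and reports paths whose observed mode
differs from what the fragment would apply.
"""
import os
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in tmpfiles.d syntax: Type Path Mode User Group Age Argument.
# These lines are illustrative, not the contents of systemd's shipped files.
SAMPLE_CONF = """\
# static device node permissions (constructed sample)
z /dev/fuse        0666 - -     -
z /dev/kvm         0666 - kvm   -
z /dev/net/tun     0666 - -     -
d /var/log         0755 - -     -
h /var/log/journal -    - -     - +C
"""

# Constructed "observed" modes standing in for os.stat() results. Here
# /dev/fuse has lost its world read/write bits, the symptom this PR fixed.
OBSERVED_MODES = {
    "/dev/fuse": 0o600,
    "/dev/kvm": 0o666,
    "/dev/net/tun": 0o666,
    "/var/log": 0o755,
}


@dataclass
class Entry:
    kind: str                 # tmpfiles.d type character, e.g. z, d, h
    path: str
    mode: Optional[int]       # permission bits, None when the field is '-'
    user: Optional[str]
    group: Optional[str]
    argument: Optional[str]   # e.g. "+C" for an 'h' line


def _field(value: str) -> Optional[str]:
    """tmpfiles.d uses '-' for an unset field."""
    return None if value == "-" else value


def parse_tmpfiles(text: str) -> List[Entry]:
    """Parse tmpfiles.d lines into Entry records; comments and blanks are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)          # the argument field may contain spaces
        fields += ["-"] * (7 - len(fields))   # pad missing trailing fields
        kind, path, mode, user, group, _age, argument = fields
        mode_val = None
        if mode != "-":
            # The ':' (only on creation) and '~' (mask) prefixes are not modelled
            # by this audit; the numeric part is taken as the expected mode.
            mode_val = int(mode.lstrip(":~"), 8)
        entries.append(Entry(kind, path, mode_val, _field(user),
                             _field(group), _field(argument)))
    return entries


def audit_modes(entries: List[Entry],
                observed: Callable[[str], Optional[int]]) -> Dict[str, Tuple[int, Optional[int]]]:
    """Return {path: (expected, observed)} for 'z'/'d' entries whose mode differs.

    `observed` maps a path to its permission bits, or None if it is absent.
    """
    mismatches: Dict[str, Tuple[int, Optional[int]]] = {}
    for e in entries:
        if e.kind not in ("z", "d") or e.mode is None:
            continue
        actual = observed(e.path)
        if actual is None or actual != e.mode:
            mismatches[e.path] = (e.mode, actual)
    return mismatches


def stat_mode(path: str) -> Optional[int]:
    """Permission bits of a real path via os.stat, or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Replace OBSERVED_MODES.get with stat_mode to audit the live system.
    for path, (want, got) in audit_modes(parse_tmpfiles(SAMPLE_CONF), OBSERVED_MODES.get).items():
        shown = "missing" if got is None else format(got, "04o")
        print(f"{path}: expected {want:04o}, observed {shown}")
```

Run against the constructed data it reports only /dev/fuse (expected 0666, observed 0600); pointing `audit_modes` at `stat_mode` instead turns it into a check that the fragments NixOS links into /etc/tmpfiles.d actually took effect after boot.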
@fpletz fpletz added the 9.needs: port to stable A PR needs a backport to the stable release. label Sep 23, 2019
@fpletz fpletz requested review from a user, andir, edolstra and flokli September 23, 2019 13:27
fpletz (Member, Author) commented Sep 23, 2019

cc @arianvp @mat8913

fpletz (Member, Author) commented Sep 23, 2019

Here's the direct link to the tmpfiles for easier review: https://github.com/NixOS/systemd/tree/nixos-v243/tmpfiles.d

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Sep 23, 2019
@edolstra edolstra merged commit 38bb1c3 into NixOS:master Sep 23, 2019
@fpletz fpletz deleted the fix/pick-more-systemd-tmpfiles-examples branch September 23, 2019 13:37
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Sep 23, 2019
ghost left a review comment
Works fine for me, thanks!

"tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
"tmpfiles.d/systemd-nspawn.conf".source = "${systemd}/example/tmpfiles.d/system-nspawn.conf";
"tmpfiles.d/systemd-tmp.conf".source = "${systemd}/example/tmpfiles.d/system-tmp.conf";
"tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf";
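Review bot: the source paths on the second and third lines do not match their targets: the targets are `tmpfiles.d/systemd-nspawn.conf` and `tmpfiles.d/systemd-tmp.conf`, but the sources read `.../tmpfiles.d/system-nspawn.conf` and `.../tmpfiles.d/system-tmp.conf`, while the PR description lists the upstream files as `systemd-nspawn.conf` and `systemd-tmp.conf`. If the example directory has no `system-*.conf` files, the /etc entries would be links to nothing and the nspawn and private-tmp cleanup rules would silently not apply. Suggest `"${systemd}/example/tmpfiles.d/systemd-nspawn.conf"` and `"${systemd}/example/tmpfiles.d/systemd-tmp.conf"`, and having the systemd test assert that each linked tmpfiles.d file resolves to an existing file.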
flokli (Member) commented on the lines above

We probably should add some logic extracting tmpfiles.d from common locations into the systemd module, like we already do for udev files for everything added to systemd.packages.

This would be useful for #66856 (comment), too.

Member commented

That is a great idea @flokli. Let's open a new issue for that?

Member commented

Seems there already is an issue for that: #40594

mat8913 (Contributor) commented Sep 30, 2019

For 19.09, can this just be cherry-picked or is there more to it?

lheckemann (Member) commented

Done: ad36169


Successfully merging this pull request may close these issues.

/dev/fuse permissions are too restrictive