From 0d917271ec018955691fec428d32bf7252e0b9fd Mon Sep 17 00:00:00 2001
From: Sander van der Burg
Date: Sun, 7 Mar 2021 17:19:27 +0100
Subject: [PATCH] Assign stable UIDs and GIDs, expose targetEPR property
---
example-deployments/disnix/idresources.nix | 8 ++++++
.../disnix/ids-apache-mysql.nix | 21 ++++++++++++++++
example-deployments/disnix/ids-bare.nix | 17 +++++++++++++
.../ids-tomcat-mysql-multi-instance.nix | 25 +++++++++++++++++++
.../disnix/ids-tomcat-mysql.nix | 23 +++++++++++++++++
example-deployments/disnix/processes-bare.nix | 10 +++++++-
.../disnix/processes-with-apache-mysql.nix | 17 ++++++++++---
...esses-with-tomcat-mysql-multi-instance.nix | 16 ++++++++++--
.../disnix/processes-with-tomcat-mysql.nix | 23 ++++++++++++++---
services-agnostic/constructors.nix | 4 +--
services-agnostic/dbus-daemon/default.nix | 8 ++++--
services-agnostic/disnix-service/default.nix | 6 +++--
12 files changed, 163 insertions(+), 15 deletions(-)
create mode 100644 example-deployments/disnix/idresources.nix
create mode 100644 example-deployments/disnix/ids-apache-mysql.nix
create mode 100644 example-deployments/disnix/ids-bare.nix
create mode 100644 example-deployments/disnix/ids-tomcat-mysql-multi-instance.nix
create mode 100644 example-deployments/disnix/ids-tomcat-mysql.nix
diff --git a/example-deployments/disnix/idresources.nix b/example-deployments/disnix/idresources.nix
new file mode 100644
index 0000000..35d8096
--- /dev/null
+++ b/example-deployments/disnix/idresources.nix
@@ -0,0 +1,8 @@
+rec {
+ uids = {
+ min = 2000;
+ max = 3000;
+ };
+
+ gids = uids;
+}
diff --git a/example-deployments/disnix/ids-apache-mysql.nix b/example-deployments/disnix/ids-apache-mysql.nix
new file mode 100644
index 0000000..b761943
--- /dev/null
+++ b/example-deployments/disnix/ids-apache-mysql.nix
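Review bot: The `uids`/`gids` range `2000`–`3000` in the new `rec { ... }` of idresources.nix is undocumented, and nothing on this page says how it is kept disjoint from numeric ids already in use on the target machines (system accounts, interactively created users, or ids chosen by other tooling); a collision would give two principals the same numeric identity and therefore the same file ownership. A header comment such as `# Reserved numeric range for service users/groups with stable ids; must not overlap existing or interactively created accounts on the target` would record that assumption where the range is defined. `gids = uids` deliberately shares one range for both namespaces, which is fine if intended — a one-line comment saying so would save the next reader from wondering whether it was a shortcut.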
@@ -0,0 +1,21 @@
+{
+ "ids" = {
+ "gids" = {
+ "apache" = 2000;
+ "dbus-daemon" = 2001;
+ "disnix-service" = 2002;
+ "mysql" = 2003;
+ "sshd" = 2004;
+ };
+ "uids" = {
+ "apache" = 2000;
+ "dbus-daemon" = 2001;
+ "mysql" = 2002;
+ "sshd" = 2003;
+ };
+ };
+ "lastAssignments" = {
+ "gids" = 2004;
+ "uids" = 2003;
+ };
+}
\ No newline at end of file
diff --git a/example-deployments/disnix/ids-bare.nix b/example-deployments/disnix/ids-bare.nix
new file mode 100644
index 0000000..0dfec2a
--- /dev/null
+++ b/example-deployments/disnix/ids-bare.nix
@@ -0,0 +1,17 @@
+{
+ "ids" = {
+ "gids" = {
+ "dbus-daemon" = 2000;
+ "disnix-service" = 2001;
+ "sshd" = 2002;
+ };
+ "uids" = {
+ "dbus-daemon" = 2000;
+ "sshd" = 2001;
+ };
+ };
+ "lastAssignments" = {
+ "gids" = 2002;
+ "uids" = 2001;
+ };
+}
\ No newline at end of file
diff --git a/example-deployments/disnix/ids-tomcat-mysql-multi-instance.nix b/example-deployments/disnix/ids-tomcat-mysql-multi-instance.nix
new file mode 100644
index 0000000..aad3d16
--- /dev/null
+++ b/example-deployments/disnix/ids-tomcat-mysql-multi-instance.nix
@@ -0,0 +1,25 @@
+{
+ "ids" = {
+ "gids" = {
+ "dbus-daemon" = 2000;
+ "disnix-service" = 2001;
+ "mysql-primary" = 2002;
+ "mysql-secondary" = 2003;
+ "sshd" = 2004;
+ "tomcat-primary" = 2005;
+ "tomcat-secondary" = 2006;
+ };
+ "uids" = {
+ "dbus-daemon" = 2000;
+ "mysql-primary" = 2001;
+ "mysql-secondary" = 2002;
+ "sshd" = 2003;
+ "tomcat-primary" = 2004;
+ "tomcat-secondary" = 2005;
+ };
+ };
+ "lastAssignments" = {
+ "gids" = 2006;
+ "uids" = 2005;
+ };
+}
\ No newline at end of file
diff --git a/example-deployments/disnix/ids-tomcat-mysql.nix b/example-deployments/disnix/ids-tomcat-mysql.nix
new file mode 100644
index 0000000..3c4a56e
--- /dev/null
+++ b/example-deployments/disnix/ids-tomcat-mysql.nix
@@ -0,0 +1,23 @@
+{
+ "ids" = {
+ "gids" = {
+ "apache" = 2000;
+ "dbus-daemon" = 2001;
+ "disnix-service" = 2002;
+ "mysql" = 2003;
+ "sshd" = 2004;
+ "tomcat" = 2005;
+ };
+ "uids" = {
+ "apache" = 2000;
+ "dbus-daemon" = 2001;
+ "mysql" = 2002;
+ "sshd" = 2003;
+ "tomcat" = 2004;
+ };
+ };
+ "lastAssignments" = {
+ "gids" = 2005;
+ "uids" = 2004;
+ };
+}
\ No newline at end of file
diff --git a/example-deployments/disnix/processes-bare.nix b/example-deployments/disnix/processes-bare.nix
index 32896c6..8eb608e 100644
--- a/example-deployments/disnix/processes-bare.nix
+++ b/example-deployments/disnix/processes-bare.nix
@@ -11,8 +11,10 @@
 }:
 let
+ ids = if builtins.pathExists ./ids-bare.nix then (import ./ids-bare.nix).ids else {};
+
 constructors = import ../../services-agnostic/constructors.nix {
- inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
+ inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
 };
 in
 rec {
@@ -22,17 +24,23 @@ rec {
 UsePAM yes
 '';
 };
+
+ requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 dbus-daemon = {
 pkg = constructors.dbus-daemon {
 services = [ disnix-service ];
 };
+
+ requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 disnix-service = {
 pkg = constructors.disnix-service {
 inherit dbus-daemon;
 };
+
+ requiresUniqueIdsFor = [ "gids" ];
 };
 }
diff --git a/example-deployments/disnix/processes-with-apache-mysql.nix b/example-deployments/disnix/processes-with-apache-mysql.nix
index aab1d65..29417e7 100644
--- a/example-deployments/disnix/processes-with-apache-mysql.nix
+++ b/example-deployments/disnix/processes-with-apache-mysql.nix
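Review bot: The new `ids = if builtins.pathExists ./ids-bare.nix then (import ./ids-bare.nix).ids else {};` in processes-bare.nix silently degrades to dynamically assigned uids/gids whenever the id table is missing (not checked in, renamed, or not regenerated), so a deployment can lose the stable identities this commit introduces without any signal, and files on the target still owned by the previous numeric ids would then belong to a different principal after the next redeploy. At minimum make the fallback visible, e.g. `ids = if builtins.pathExists ./ids-bare.nix then (import ./ids-bare.nix).ids else builtins.trace "warning: ./ids-bare.nix not found, falling back to dynamic uid/gid assignment" {};`, or fail hard when stable ids are expected. The identical fallback appears in the first hunk of processes-with-apache-mysql.nix, processes-with-tomcat-mysql-multi-instance.nix and processes-with-tomcat-mysql.nix.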
@@ -11,12 +11,14 @@
 }:
 let
+ ids = if builtins.pathExists ./ids-apache-mysql.nix then (import ./ids-apache-mysql.nix).ids else {};
+
 constructors = import ../../services-agnostic/constructors.nix {
- inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
+ inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
 };
 containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
- inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
+ inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
 };
 in
 rec {
@@ -26,26 +28,35 @@ rec {
 UsePAM yes
 '';
 };
+
+ requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 dbus-daemon = {
 pkg = constructors.dbus-daemon {
 services = [ disnix-service ];
 };
+
+ requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 apache = containerProviderConstructors.simpleWebappApache {
 serverAdmin = "root@localhost";
 documentRoot = "/var/www";
 enablePHP = true;
+ properties.requiresUniqueIdsFor = [ "uids" "gids" ];
 };
- mysql = containerProviderConstructors.mysql {};
+ mysql = containerProviderConstructors.mysql {
+ properties.requiresUniqueIdsFor = [ "uids" "gids" ];
+ };
 disnix-service = {
 pkg = constructors.disnix-service {
 inherit dbus-daemon;
 containerProviders = [ apache mysql ];
 };
+
+ requiresUniqueIdsFor = [ "gids" ];
 };
 }
diff --git a/example-deployments/disnix/processes-with-tomcat-mysql-multi-instance.nix b/example-deployments/disnix/processes-with-tomcat-mysql-multi-instance.nix
index 51dc5eb..02902a5 100644
--- a/example-deployments/disnix/processes-with-tomcat-mysql-multi-instance.nix
+++ b/example-deployments/disnix/processes-with-tomcat-mysql-multi-instance.nix
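Review bot: `ids` is now also passed into `../../service-containers-agnostic/constructors.nix` in the first hunk of processes-with-apache-mysql.nix, but that file is not among the 12 files this patch changes; unless it already declares an `ids` parameter (or takes `...`), evaluation fails with an unexpected-argument error, and if it accepts but does not forward `ids` to the apache and mysql constructors, the `properties.requiresUniqueIdsFor = [ "uids" "gids" ];` added on those services will not yield stable ids for them. Worth confirming that the container-provider constructors consume `ids`; the same question applies to the matching hunks in processes-with-tomcat-mysql-multi-instance.nix and processes-with-tomcat-mysql.nix, and to `sshd` in processes-bare.nix, whose constructor is likewise untouched by this patch.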
@@ -11,12 +11,14 @@
 }:
 let
+ ids = if builtins.pathExists ./ids-tomcat-mysql-multi-instance.nix then (import ./ids-tomcat-mysql-multi-instance.nix).ids else {};
+
 constructors = import ../../services-agnostic/constructors.nix {
- inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
+ inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
 };
 containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
- inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
+ inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
 };
 in
 rec {
@@ -26,12 +28,16 @@ rec {
 UsePAM yes
 '';
 };
+
+ requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 dbus-daemon = {
 pkg = constructors.dbus-daemon {
 services = [ disnix-service ];
 };
+
+ requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 tomcat-primary = containerProviderConstructors.disnixAppservingTomcat {
@@ -44,6 +50,7 @@ rec {
 webapps = [
 pkgs.tomcat9.webapps # Include the Tomcat example and management applications
 ];
+ properties.requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 tomcat-secondary = containerProviderConstructors.disnixAppservingTomcat {
@@ -56,16 +63,19 @@ rec {
 webapps = [
 pkgs.tomcat9.webapps # Include the Tomcat example and management applications
 ];
+ properties.requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 mysql-primary = containerProviderConstructors.mysql {
 instanceSuffix = "-primary";
 port = 3306;
+ properties.requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 mysql-secondary = containerProviderConstructors.mysql {
 instanceSuffix = "-secondary";
 port = 3307;
+ properties.requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 disnix-service = {
@@ -74,5 +84,7 @@ rec {
 containerProviders = [ tomcat-primary tomcat-secondary mysql-primary mysql-secondary ];
 authorizedUsers = [ tomcat-primary.name tomcat-secondary.name ];
 };
+
+ requiresUniqueIdsFor = [ "gids" ];
 };
 }
diff --git a/example-deployments/disnix/processes-with-tomcat-mysql.nix b/example-deployments/disnix/processes-with-tomcat-mysql.nix
index eea6f50..9f3dd7f 100644
--- a/example-deployments/disnix/processes-with-tomcat-mysql.nix
+++ b/example-deployments/disnix/processes-with-tomcat-mysql.nix
@@ -11,12 +11,14 @@
 }:
 let
+ ids = if builtins.pathExists ./ids-tomcat-mysql.nix then (import ./ids-tomcat-mysql.nix).ids else {};
+
 constructors = import ../../services-agnostic/constructors.nix {
- inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
+ inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
 };
 containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
- inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
+ inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager ids;
 };
 in
 rec {
@@ -26,12 +28,16 @@ rec {
 UsePAM yes
 '';
 };
+
+ requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 dbus-daemon = {
 pkg = constructors.dbus-daemon {
 services = [ disnix-service ];
 };
+
+ requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 tomcat = containerProviderConstructors.disnixAppservingTomcat {
@@ -40,6 +46,8 @@ rec {
 pkgs.tomcat9.webapps # Include the Tomcat example and management applications
 ];
 enableAJP = true;
+
+ properties.requiresUniqueIdsFor = [ "uids" "gids" ];
 };
 apache = {
@@ -60,15 +68,24 @@ rec {
 };
 requireUser = "admin";
 };
+
+ requiresUniqueIdsFor = [ "uids" "gids" ];
 };
- mysql = containerProviderConstructors.mysql {};
+ mysql = containerProviderConstructors.mysql {
+ properties.requiresUniqueIdsFor = [ "uids" "gids" ];
+ };
 disnix-service = {
 pkg = constructors.disnix-service {
 inherit dbus-daemon;
 containerProviders = [ tomcat mysql ];
 authorizedUsers = [ tomcat.name ];
+ dysnomiaProperties = {
+ targetEPR = "http://$(hostname)/DisnixWebService/services/DisnixWebService";
+ };
 };
+
+ requiresUniqueIdsFor = [ "gids" ];
 };
 }
diff --git a/services-agnostic/constructors.nix b/services-agnostic/constructors.nix
index a4db4ff..a0f3827 100644
--- a/services-agnostic/constructors.nix
+++ b/services-agnostic/constructors.nix
@@ -52,12 +52,12 @@ in
 };
 dbus-daemon = import ./dbus-daemon {
- inherit createManagedProcess stateDir runtimeDir;
+ inherit createManagedProcess stateDir runtimeDir ids;
 inherit (pkgs) lib dbus writeTextFile;
 };
 disnix-service = import ./disnix-service {
- inherit createManagedProcess processManager nix-processmgmt;
+ inherit createManagedProcess processManager nix-processmgmt ids;
 inherit (pkgs) stdenv lib writeTextFile nix disnix dysnomia inetutils findutils;
 };
diff --git a/services-agnostic/dbus-daemon/default.nix b/services-agnostic/dbus-daemon/default.nix
index 45cdc64..3e09dcc 100644
--- a/services-agnostic/dbus-daemon/default.nix
+++ b/services-agnostic/dbus-daemon/default.nix
@@ -1,4 +1,4 @@
-{createManagedProcess, lib, writeTextFile, dbus, stateDir, runtimeDir}:
+{createManagedProcess, lib, writeTextFile, dbus, stateDir, runtimeDir, ids ? {}}:
 {extraConfig ? "", busType ? "system", services ? []}:
 let
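Review bot: `targetEPR = "http://$(hostname)/DisnixWebService/services/DisnixWebService";` in the processes-with-tomcat-mysql.nix hunk hard-codes a plaintext `http://` endpoint for the Disnix web service, so whatever deploys through it talks unauthenticated and unencrypted in transit unless something outside this page terminates TLS in front of it; the example would be clearer with `https://` or a comment marking it as a lab-only value. The `$(hostname)` fragment is shell command substitution embedded in a Nix string, so it is only meaningful if the consumer of the Dysnomia property later passes it through a shell — used verbatim, the EPR would literally contain `$(hostname)`; a comment such as `# Expanded by the shell that consumes the Dysnomia properties, not at Nix evaluation time` would make that dependency explicit. `dysnomiaProperties` is an existing parameter of disnix-service (its `, dysnomiaProperties ? {}` line appears in the disnix-service hunk further down), so the wiring itself looks right.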
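Review bot: Both `inherit ... ids;` lines in the services-agnostic/constructors.nix hunk reference an `ids` binding that nothing in the hunk introduces, and the file's function header is not part of the patch (the diffstat reports only `4 +--` for it), so this evaluates only if `ids` is already a parameter or `let` binding of that file; if it is not, the patch needs an `ids ? {}` argument there too. Assuming it is already in scope, a short comment near the hunk such as `# ids: optional stable uid/gid table (see example-deployments/disnix/ids-*.nix); a service falls back to dynamic assignment when its entry is absent` would help, because the fallback logic lives in dbus-daemon/default.nix and disnix-service/default.nix rather than here.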
@@ -112,13 +112,17 @@ createManagedProcess {
 credentials = {
 groups = {
- "${group}" = {};
+ "${group}" = lib.optionalAttrs (ids ? gids && ids.gids ? dbus-daemon) {
+ gid = ids.gids.dbus-daemon;
+ };
 };
 users = {
 "${user}" = {
 inherit group;
 homeDir = dbusRuntimeDir;
 description = "D-Bus system message bus daemon user";
+ } // lib.optionalAttrs (ids ? uids && ids.uids ? dbus-daemon) {
+ uid = ids.uids.dbus-daemon;
 };
 };
 };
diff --git a/services-agnostic/disnix-service/default.nix b/services-agnostic/disnix-service/default.nix
index 0d4474f..4dd83ba 100644
--- a/services-agnostic/disnix-service/default.nix
+++ b/services-agnostic/disnix-service/default.nix
@@ -1,4 +1,4 @@
-{createManagedProcess, stdenv, lib, writeTextFile, nix, disnix, dysnomia, inetutils, findutils, processManager, nix-processmgmt}:
+{createManagedProcess, stdenv, lib, writeTextFile, nix, disnix, dysnomia, inetutils, findutils, processManager, nix-processmgmt, ids ? {}}:
 { dbus-daemon ? null
 , dysnomiaProperties ? {}
@@ -32,7 +32,9 @@ createManagedProcess {
 credentials = {
 groups = {
- "${group}" = {};
+ "${group}" = lib.optionalAttrs (ids ? gids && ids.gids ? disnix-service) {
+ gid = ids.gids.disnix-service;
+ };
 };
 };
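Review bot: The lookups `ids.gids ? dbus-daemon` and `ids.uids ? dbus-daemon` in the dbus-daemon/default.nix hunk use the literal attribute name `dbus-daemon`, while the account and group are created under `"${group}"` and `"${user}"`, whose definitions lie outside the hunk; if those names ever diverge from the literal key, the stable id silently stops applying and the account gets a dynamic id again, with the ownership drift on redeploy that implies. Either key the lookup on the same variable, e.g. `"${group}" = lib.optionalAttrs (ids ? gids && ids.gids ? "${group}") { gid = ids.gids."${group}"; };` and likewise for `uid`, or add a comment stating that the `ids-*.nix` tables are keyed by the fixed process name `dbus-daemon`. The code also accepts a uid without a matching gid (or vice versa); that is presumably intentional but deserves a one-line comment.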