Add option to deployer user service with systemd

This commit is contained in:
Sander van der Burg 2020-07-19 16:28:13 +02:00 committed by Sander van der Burg
parent 5b114573df
commit 27ee798da9
3 changed files with 145 additions and 7 deletions


@ -45,7 +45,6 @@ makeTest {
pkgs.dysnomia
tools.build
tools.generate-config
tools.sysvinit
];
};


@ -0,0 +1,127 @@
{nixpkgs ? <nixpkgs>}:
with import "${nixpkgs}/nixos/lib/testing-python.nix" { system = builtins.currentSystem; };
let
processesEnvAuto = import ../nixproc/create-managed-process/systemd/build-systemd-env.nix {
exprFile = ../examples/webapps-agnostic/processes.nix;
stateDir = "/home/unprivileged/var";
forceDisableUserChange = true;
};
processesEnvEmpty = import ../nixproc/create-managed-process/systemd/build-systemd-env.nix {
exprFile = ../examples/webapps-agnostic/processes-empty.nix;
stateDir = "/home/unprivileged/var";
forceDisableUserChange = true;
};
tools = import ../tools {};
nix-processmgmt = ./..;
env = "NIX_PATH=nixpkgs=${nixpkgs} XDG_RUNTIME_DIR=/run/user/1000";
in
makeTest {
machine =
{pkgs, lib, ...}:
{
virtualisation.pathsInNixDB = [ pkgs.stdenv ] ++ pkgs.coreutils.all ++ [ processesEnvAuto processesEnvEmpty ];
virtualisation.writableStore = true;
virtualisation.memorySize = 1024;
# We can't download any substitutes in a test environment. To make tests
# faster, we disable substitutes so that Nix does not waste any time by
# attempting to download them.
nix.extraOptions = ''
substitute = false
'';
users.extraUsers = {
unprivileged = {
uid = 1000;
group = "users";
shell = "/bin/sh";
description = "Unprivileged user";
home = "/home/unprivileged";
createHome = true;
isNormalUser = true;
};
};
services.xserver = {
enable = true;
displayManager.lightdm = {
enable = true;
autoLogin = {
enable = true;
user = "unprivileged";
};
};
# Use IceWM as the window manager.
# Don't use a desktop manager.
displayManager.defaultSession = lib.mkDefault "none+icewm";
windowManager.icewm.enable = true;
};
# lightdm by default doesn't allow auto login for root, which is
# required by some nixos tests. Override it here.
security.pam.services.lightdm-autologin.text = lib.mkForce ''
auth requisite pam_nologin.so
auth required pam_succeed_if.so quiet
auth required pam_permit.so
account include lightdm
password include lightdm
session include lightdm
'';
environment.systemPackages = [
pkgs.stdenv
pkgs.dysnomia
tools.build
tools.systemd
];
};
testScript = ''
def check_nginx_redirection():
machine.succeed(
"curl --fail -H 'Host: webapp.local' http://localhost:8080 | grep 'listening on port: 5000'"
)
def check_system_unavailable():
machine.fail("curl --fail http://localhost:8080")
machine.fail("pgrep -f '/bin/webapp'")
start_all()
machine.wait_for_unit("display-manager.service")
machine.succeed('su - unprivileged -c "mkdir -p /home/unprivileged/var"')
# Deploy the entire system in auto mode. Should result in foreground webapp processes
machine.succeed(
'su - unprivileged -c "${env} nixproc-systemd-switch --user --state-dir /home/unprivileged/var --force-disable-user-change ${nix-processmgmt}/examples/webapps-agnostic/processes.nix"'
)
machine.succeed("sleep 1")
machine.succeed("pgrep -u unprivileged -f '/bin/webapp$'")
check_nginx_redirection()
# Undeploy the system
machine.succeed(
'su - unprivileged -c "${env} nixproc-systemd-switch --user --state-dir /home/unprivileged/var --force-disable-user-change ${nix-processmgmt}/examples/webapps-agnostic/processes-empty.nix"'
)
check_system_unavailable()
'';
}
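Review bot: The fixed `machine.succeed("sleep 1")` before the `pgrep -u unprivileged -f '/bin/webapp$'` check is a timing assumption rather than a synchronisation point, so the test will be flaky on a slow builder; the NixOS test driver has `machine.wait_until_succeeds(...)` for exactly this. Replacing the two lines with `machine.wait_until_succeeds("pgrep -u unprivileged -f '/bin/webapp$'")` removes the race, and `check_system_unavailable` could likewise use `machine.wait_until_fails("pgrep -u unprivileged -f '/bin/webapp$'")` since stopping the units is asynchronous as well. As written the negative check uses a different pattern (`'/bin/webapp'` without the anchor) and no `-u unprivileged`, so the positive and negative checks are not symmetric. The Python indentation inside `testScript` appears to have been lost in the rendered page, so the `def` bodies cannot be verified from here.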


@ -29,12 +29,14 @@ Options:
--extra-params=PARAMS
A string with an attribute set in the Nix expression
language propagating extra parameters to the input models
--user Deploy the units as systemd user services
-h, --help Shows the usage of this command
Environment:
NIX_STATE_DIR Overrides the location of the Nix state directory
SYSTEMD_TARGET_DIR Directory in which the unit configuration files are
managed (defaults to: /etc/systemd/system)
managed (defaults to: /etc/systemd/system or
~/.config/systemd/user)
NIXPROC_STATE_DIR Changes the directory in which the state of the
processes is stored
NIXPROC_RUNTIME_DIR Changes the directory in which the PID files are stored
@ -48,7 +50,7 @@ EOF
# Parse valid argument options
PARAMS=`@getopt@ -n $0 -o p:o:h -l profile:,old-profile:,state-dir:,runtime-dir:,log-dir:,tmp-dir:,force-disable-user-change,show-trace,extra-params:,help -- "$@"`
PARAMS=`@getopt@ -n $0 -o p:o:h -l profile:,old-profile:,state-dir:,runtime-dir:,log-dir:,tmp-dir:,force-disable-user-change,show-trace,extra-params:,user,help -- "$@"`
if [ $? != 0 ]
then
@ -90,6 +92,10 @@ do
--extra-params)
extraParamsArg=("--extra-params" "$2")
;;
--user)
systemdUserServices=1
systemdUserArg="--user"
;;
-h|--help)
showUsage
exit 0
@ -105,7 +111,13 @@ path="$1"
# Validate the given options
SYSTEMD_TARGET_DIR=${SYSTEMD_TARGET_DIR:-/etc/systemd/system}
if [ "$systemdUserServices" = "1" ]
then
SYSTEMD_TARGET_DIR=${SYSTEMD_TARGET_DIR:-~/.config/systemd/user}
mkdir -p "$SYSTEMD_TARGET_DIR"
else
SYSTEMD_TARGET_DIR=${SYSTEMD_TARGET_DIR:-/etc/systemd/system}
fi
source @commonchecks@
@ -151,7 +163,7 @@ then
do
if ! containsElement "$(readlink -f "$i")" "${newunits[@]}"
then
systemctl stop "$(basename "$i")"
systemctl $systemdUserArg stop "$(basename "$i")"
fi
done
@ -188,12 +200,12 @@ do
done
# Reload the systemd configuration
systemctl daemon-reload
systemctl $systemdUserArg daemon-reload
# Start all units in the new configuration
for i in $profilePath/etc/systemd/system/*.service
do
systemctl start "$(basename "$i")"
systemctl $systemdUserArg start "$(basename "$i")"
done
# Delete obsolete users and groups
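Review bot: `SYSTEMD_TARGET_DIR=${SYSTEMD_TARGET_DIR:-~/.config/systemd/user}` in the `@ -105,7 +111,13` hunk relies on tilde expansion inside a parameter-expansion default word, which works in bash and POSIX sh but is easy to misread, and it ignores `XDG_CONFIG_HOME`, which systemd itself honours for the user unit directory; `SYSTEMD_TARGET_DIR=${SYSTEMD_TARGET_DIR:-${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user}` matches where `systemctl --user` actually looks. `systemdUserServices` is only assigned inside the option loop (which starts outside the hunk) and is never initialised before it, so a `systemdUserServices=1` inherited from the caller's environment would silently switch the deployment to user mode; initialising it to `0` alongside the other defaults closes that. `systemctl --user daemon-reload` presumably needs a user bus, so when `--user` is given and neither `XDG_RUNTIME_DIR` nor `DBUS_SESSION_BUS_ADDRESS` is set, the validation section is the right place to fail early with a clear message rather than partway through the stop/start loops. The `$systemdUserArg` expansions in the `stop`, `daemon-reload` and `start` calls are deliberately unquoted so the empty default expands to nothing, which is fine as long as the script never adopts `set -u`; a one-line comment above the first use, `# intentionally unquoted: empty unless --user was given`, would keep a later reader from "fixing" it.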