From 3108f741fe671905cf66c046556ead8429b6204f Mon Sep 17 00:00:00 2001 From: Brian Olsen Date: Fri, 28 Sep 2018 04:00:24 +0200 Subject: [PATCH] nixos/rspamd: Remove non-working socket activation The socket activation I added to the rspamd module doesn't actually work and can't be made to work without changes to rspamd. See: #47421 See: rspamd/rspamd#2035 (cherry picked from commit 783a58f363fd1ccfa1817ed3f030eaef59cfde9d) --- nixos/modules/services/mail/rspamd.nix | 84 +++----------------------- nixos/tests/rspamd.nix | 54 ++--------------- 2 files changed, 11 insertions(+), 127 deletions(-) diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index 5ecdd3ef6cf4e5..bba11796a3d33c 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -115,36 +115,10 @@ let }; }; - indexOf = default: start: list: e: - if list == [] - then default - else if (head list) == e then start - else (indexOf default (start + (length (listenStreams (head list).socket))) (tail list) e); - - systemdSocket = indexOf (abort "Socket not found") 0 allSockets; - isUnixSocket = socket: hasPrefix "/" (if (isString socket) then socket else socket.socket); - isPort = hasPrefix "*:"; - isIPv4Socket = hasPrefix "*v4:"; - isIPv6Socket = hasPrefix "*v6:"; - isLocalHost = hasPrefix "localhost:"; - listenStreams = socket: - if (isLocalHost socket) then - let port = (removePrefix "localhost:" socket); - in [ "127.0.0.1:${port}" ] ++ (if config.networking.enableIPv6 then ["[::1]:${port}"] else []) - else if (isIPv6Socket socket) then [removePrefix "*v6:" socket] - else if (isPort socket) then [removePrefix "*:" socket] - else if (isIPv4Socket socket) then - throw "error: IPv4 only socket not supported in rspamd with socket activation" - else if (length (splitString " " socket)) != 1 then - throw "error: string options not supported in rspamd with socket activation" - else [socket]; - - mkBindSockets = enabled: socks: concatStringsSep "\n " (flatten (map (each: - if cfg.socketActivation && enabled != false then - let systemd = (systemdSocket each); - in (imap (idx: e: "bind_socket = \"systemd:${toString (systemd + idx - 1)}\";") (listenStreams each.socket)) - else "bind_socket = \"${each.rawEntry}\";") socks)); + + mkBindSockets = enabled: socks: concatStringsSep "\n " + (flatten (map (each: "bind_socket = \"${each.rawEntry}\";") socks)); rspamdConfFile = pkgs.writeText "rspamd.conf" '' @@ -175,18 +149,6 @@ let ${cfg.extraConfig} ''; - allMappedSockets = flatten (mapAttrsToList (name: value: - if value.enable != false - then imap (idx: each: { - name = "${name}"; - index = idx; - value = each; - }) value.bindSockets - else []) cfg.workers); - allSockets = map (e: e.value) allMappedSockets; - - allSocketNames = map (each: "rspamd-${each.name}-${toString each.index}.socket") allMappedSockets; - in { @@ -205,13 +167,6 @@ in description = "Whether to run the rspamd daemon in debug mode."; }; - socketActivation = mkOption { - type = types.bool; - description = '' - Enable systemd socket activation for rspamd. - ''; - }; - workers = mkOption { type = with types; attrsOf (submodule workerOpts); description = '' @@ -272,13 +227,6 @@ in config = mkIf cfg.enable { - services.rspamd.socketActivation = mkDefault (!opts.bindSocket.isDefined && !opts.bindUISocket.isDefined); - - assertions = [ { - assertion = !cfg.socketActivation || !(opts.bindSocket.isDefined || opts.bindUISocket.isDefined); - message = "Can't use socketActivation for rspamd when using renamed bind socket options"; - } ]; - # Allow users to run 'rspamc' and 'rspamadm'. environment.systemPackages = [ pkgs.rspamd ]; @@ -299,18 +247,14 @@ in systemd.services.rspamd = { description = "Rspamd Service"; - wantedBy = mkIf (!cfg.socketActivation) [ "multi-user.target" ]; - after = [ "network.target" ] ++ - (if cfg.socketActivation then allSocketNames else []); - requires = mkIf cfg.socketActivation allSocketNames; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; serviceConfig = { ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c ${rspamdConfFile} -f"; Restart = "always"; RuntimeDirectory = "rspamd"; - RuntimeDirectoryPreserve = mkIf cfg.socketActivation true; PrivateTmp = true; - Sockets = mkIf cfg.socketActivation (concatStringsSep " " allSocketNames); }; preStart = '' @@ -318,24 +262,10 @@ in ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /var/lib/rspamd ''; }; - systemd.sockets = mkIf cfg.socketActivation - (listToAttrs (map (each: { - name = "rspamd-${each.name}-${toString each.index}"; - value = { - description = "Rspamd socket ${toString each.index} for worker ${each.name}"; - wantedBy = [ "sockets.target" ]; - listenStreams = (listenStreams each.value.socket); - socketConfig = { - BindIPv6Only = mkIf (isIPv6Socket each.value.socket) "ipv6-only"; - Service = "rspamd.service"; - SocketUser = mkIf (isUnixSocket each.value.socket) each.value.owner; - SocketGroup = mkIf (isUnixSocket each.value.socket) each.value.group; - SocketMode = mkIf (isUnixSocket each.value.socket) each.value.mode; - }; - }; - }) allMappedSockets)); }; imports = [ + (mkRemovedOptionModule [ "services" "rspamd" "socketActivation" ] + "Socket activation never worked correctly and could at this time not be fixed and so was removed") (mkRenamedOptionModule [ "services" "rspamd" "bindSocket" ] [ "services" "rspamd" "workers" "normal" "bindSockets" ]) (mkRenamedOptionModule [ "services" "rspamd" "bindUISocket" ] [ "services" "rspamd" "workers" "controller" "bindSockets" ]) ]; diff --git a/nixos/tests/rspamd.nix b/nixos/tests/rspamd.nix index 6b2e2dd3a53179..a12622b6aa0b84 100644 --- a/nixos/tests/rspamd.nix +++ b/nixos/tests/rspamd.nix @@ -13,13 +13,10 @@ let $machine->succeed("[[ \"\$(stat -c %G ${socket})\" == \"${group}\" ]]"); $machine->succeed("[[ \"\$(stat -c %a ${socket})\" == \"${mode}\" ]]"); ''; - simple = name: socketActivation: enableIPv6: makeTest { + simple = name: enableIPv6: makeTest { name = "rspamd-${name}"; machine = { - services.rspamd = { - enable = true; - socketActivation = socketActivation; - }; + services.rspamd.enable = true; networking.enableIPv6 = enableIPv6; }; testScript = '' @@ -32,13 +29,6 @@ let sleep 10; $machine->log($machine->succeed("cat /etc/rspamd.conf")); $machine->log($machine->succeed("systemctl cat rspamd.service")); - ${if socketActivation then '' - $machine->log($machine->succeed("systemctl cat rspamd-controller-1.socket")); - $machine->log($machine->succeed("systemctl cat rspamd-normal-1.socket")); - '' else '' - $machine->fail("systemctl cat rspamd-controller-1.socket"); - $machine->fail("systemctl cat rspamd-normal-1.socket"); - ''} $machine->log($machine->succeed("curl http://localhost:11334/auth")); $machine->log($machine->succeed("curl http://127.0.0.1:11334/auth")); ${optionalString enableIPv6 '' @@ -48,10 +38,8 @@ let }; in { - simple = simple "simple" false true; - ipv4only = simple "ipv4only" false false; - simple-socketActivated = simple "simple-socketActivated" true true; - ipv4only-socketActivated = simple "ipv4only-socketActivated" true false; + simple = simple "simple" true; + ipv4only = simple "ipv4only" false; deprecated = makeTest { name = "rspamd-deprecated"; machine = { @@ -68,7 +56,6 @@ in ${checkSocket "/run/rspamd.sock" "root" "root" "600" } ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } $machine->log($machine->succeed("cat /etc/rspamd.conf")); - $machine->fail("systemctl cat rspamd-normal-1.socket"); $machine->log($machine->succeed("rspamc -h /run/rspamd-worker.sock stat")); $machine->log($machine->succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")); ''; @@ -79,7 +66,6 @@ in machine = { services.rspamd = { enable = true; - socketActivation = false; workers.normal.bindSockets = [{ socket = "/run/rspamd.sock"; mode = "0600"; @@ -101,38 +87,6 @@ in ${checkSocket "/run/rspamd.sock" "root" "root" "600" } ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } $machine->log($machine->succeed("cat /etc/rspamd.conf")); - $machine->fail("systemctl cat rspamd-normal-1.socket"); - $machine->log($machine->succeed("rspamc -h /run/rspamd-worker.sock stat")); - $machine->log($machine->succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")); - ''; - }; - socketActivated = makeTest { - name = "rspamd-socketActivated"; - machine = { - services.rspamd = { - enable = true; - workers.normal.bindSockets = [{ - socket = "/run/rspamd.sock"; - mode = "0600"; - owner = "root"; - group = "root"; - }]; - workers.controller.bindSockets = [{ - socket = "/run/rspamd-worker.sock"; - mode = "0666"; - owner = "root"; - group = "root"; - }]; - }; - }; - - testScript = '' - startAll - $machine->waitForFile("/run/rspamd.sock"); - ${checkSocket "/run/rspamd.sock" "root" "root" "600" } - ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } - $machine->log($machine->succeed("cat /etc/rspamd.conf")); - $machine->log($machine->succeed("systemctl cat rspamd-normal-1.socket")); $machine->log($machine->succeed("rspamc -h /run/rspamd-worker.sock stat")); $machine->log($machine->succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")); '';