nixos/libvirtd: extraConfig goes first #119353
base: master
Conversation
In case of duplicate config names, libvirtd only uses the first value found. This prevents users from defining auth_unix_ro and auth_unix_rw configs in extraConfig. The commit fixes this issue by putting extraConfig first.
It looks like replacing the
That's probably a better option. However, I'm not sure how removing the extraConfig option would affect existing configurations. And I didn't want to reduce the chances of this PR being accepted. The
Perhaps I should have mentioned it previously, but the motivation for this change is to permit improving security for accessing the libvirt socket. Since accessing the libvirt socket can basically give users root access (like the docker socket does), and because, due to the way the module is currently written, the only way of accessing the socket as a non-root user is to add it to the libvirt group, which basically makes The change I proposed fixes this by allowing the necessary settings to be made so that libvirt can do SASL authentication, using PAM, which means adding a user to the libvirt group doesn't automatically give the user non-authenticated root access
Certainly could be if you're not interested in tackling that now. I'm not overly familiar with this software so I can't speak to whether the original module author made a mistake or not. So I'll trust your judgement on whether a more flexible approach provides value or not: With that change you could do something like this:
Again, I don't know the software so there might be no value in this... just thought I'd ask 🤷‍♂️
That works for me, however, what happens when existing configurations use this?
Will the original content (setting the auth to polkit) be replaced? That means polkit will not be used any more, which is a breaking change, and probably a serious security flaw.
With
Perfect. That implementation would be better then.
Cool. Let me know what you want to do. Feel free to copy/paste the code I posted if you like. |
I don't mind merging your commits. Or, do you want me to pull them into this PR? |
I thought you might just rewrite your commit to be like mine, but whatever you want to do. Please make sure you run a quick test... I have not! |
I marked this as stale due to inactivity.
Motivation for this change
In case of duplicate config names, libvirtd only uses the first value found.
This prevents users from defining auth_unix_ro and auth_unix_rw configs in
extraConfig.
Things done
The commit fixes this issue by putting extraConfig first.
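To make the ordering problem concrete, the following is an added example (not code from nixpkgs or libvirt) that models the first-value-wins behaviour the PR describes: the module's own settings and the user's extraConfig are constructed assumptions, and the example shows that the user's auth_unix_rw override only takes effect when extraConfig is concatenated first, while keys the user does not set keep the module's values either way.

```python
"""Model of the duplicate-key behaviour described in this PR.

Added example, not code from nixpkgs or libvirt. It assumes, as the PR
states, that libvirtd keeps only the FIRST value of a key that appears
twice in libvirtd.conf, and shows why the order in which the NixOS
module concatenates its own settings and the user's extraConfig matters.
"""
import re

# Settings the NixOS module emits itself (constructed assumption; shaped
# after the polkit default the discussion mentions, not copied from it).
MODULE_CONFIG = '''
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
auth_unix_ro = "polkit"
auth_unix_rw = "polkit"
'''

# What a user might put in services.libvirtd.extraConfig to require
# SASL (backed by PAM) instead of group membership alone (constructed).
USER_EXTRA_CONFIG = '''
auth_unix_ro = "sasl"
auth_unix_rw = "sasl"
'''

_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')


def parse_first_wins(text: str) -> dict:
    """Parse key = value lines; a repeated key keeps its first value."""
    result = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]           # drop trailing comments
        m = _LINE.match(line)
        if not m:
            continue                           # blank or unparseable line
        key, value = m.group(1), m.group(2).strip('"')
        result.setdefault(key, value)          # first occurrence wins
    return result


def effective_config(extra_first: bool) -> dict:
    """Concatenate module settings and extraConfig in the given order."""
    order = ([USER_EXTRA_CONFIG, MODULE_CONFIG] if extra_first
             else [MODULE_CONFIG, USER_EXTRA_CONFIG])
    return parse_first_wins("\n".join(order))


if __name__ == "__main__":
    for extra_first in (False, True):
        cfg = effective_config(extra_first)
        print(f"extraConfig first={extra_first}: auth_unix_rw={cfg['auth_unix_rw']}")
```

With extraConfig last, the user's SASL setting is silently ignored and the socket stays protected only by group membership plus polkit; with extraConfig first it takes effect, and unix_sock_group still comes from the module.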