New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
avahi: set service directory and refactor module #62153
Conversation
@GrahamcOfBorg test avahi |
Good initiative! Couple of things: a. avahi upstream provides a systemd unit file - we don't need our own service def (except for the activation) |
Regarding
As I am not quite sure what you meant, could you maybe elaborate on why we don't need our own service definition?
The service doesn't handle a lot of files and the ones that are handled by avahi don't rely on a static uid. Also, as the user was not even in the avahi group until now, the gid was never used - instead the group Maybe you thought of a reason to keep the static uid? |
We can get the unit files from upstream avahi by doing this:
And then simply override the bits that we want to change and leave the rest as-is.
The problem is that the uid could (would) be something else on another system which isn't great. We either want to keep it the same across the board (hence the ids.nix) or ideally use |
The avahi service does not manage any persistent state so it shouldn't really matter. Why are different uids a problem?
Avahi drops the privileges itself to a user with a username that is compiled in. It has to be run as root and the user has to exist. Avahi does support running as non-root but the code still expects the hardcoded username to exist. That's why we can't switch to
The upstream systemd service unit is pretty basic and in that case I actually prefer defining the whole service in the NixOS module. When avahi will eventually support DynamicUser or other systemd shenanigans we have to touch our service definition anyway. |
@worldofpeace Do you have any remarks since you requested self-review? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just a few typos :)
I added the suggested changes and rebased on staging. |
Yes, it was in queue to review. I have the time now so it's incoming shortly if it's still needed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just some more cleanup should be done to the options.
Feedback on the release note also.
description = '' | ||
Extra config to append to avahi-daemon.conf. | ||
''; | ||
domain = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nitpick: this option's name is pretty ambiguous. There's already domainName
to be confusing so perhaps
domain = mkOption { | |
announceDomain = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds like a good idea to me, though these option names come from avahi and I think it would therefore be better to keep them.
Regarding the ambiguity, I think this is not much of a problem, because the two options are on different levels.
|
||
cacheEntriesMax = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cacheEntriesMax = mkOption { | |
maxCacheEntries = mkOption { |
Feels backwards to me. Options renamed should use mkRenamedOptionModule
btw.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as with the other option.
c2b4fdc
to
ede8f45
Compare
I updated the PR to include most of the suggested changes. I'd like to wait for feedback on the renaming of the two options before adding these changes. |
The renaming of the options were essentially nitpicks and didn't really need a response. Lastly, it's always a good idea to actually test the service. And specifically |
Actually, perhaps https://github.com/NixOS/nixpkgs/blob/bac6f67aaa8fa87425b6f5cc046534ba4b734d9c/nixos/tests/avahi.nix should be updated to test |
Avahi now uses `/etc/avahi/services` instead of its store path to look for files with service definitions.
Types are now specified for all options. The fixed uid and gid for the avahi user have been removed and the user avahi is now in the group avahi. The the generic opening of the firewall for UDP port 5353 is now optional, but still defaults to true. The option `extraServiceFiles` was added to specify avahi service definitions, which are then placed in `/etc/avahi/services`.
@worldofpeace done. Took me a while to build staging after rebasing though :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On my side of things this looks good 🌸
It isn't a problem per se, but currently we have this nice guarantee that the ids are all the same across systems which is no longer the case for no gain.
Fully agree.
I think as a matter of principle, we should use upstream - we really don't gain anything by maintaining our own. |
Only comment left that may be blocking is this is a principal of whether to use I generally tend to prefer if there's a service upstream that we could use, and they're practically identical...
No real loss in leaving it as is, no? |
IMHO, the best kind of code is the one you don't have to write. |
I think this PR is definitely ready enough to be merged, any further minor issues like using the systemd unit from upstream can be addressed in a follow-up PR. This should not have to be blocked as it definitely improves the module a lot already. |
Re-opened PR against staging, includes changes proposed in #61945.
Motivation for this change
Before this PR avahi used to look for service definitions in
etc/avahi/services
in its store path.First this leads to the situation mentioned in #60939 and it also makes adding custom services quite user-unfriendly, because they would have to be added to the build output of avahi.
Things done
Package:
For the build
AVAHI_SERVICE_DIR
is now set to/etc/avahi/services
.Module:
Types are now specified for all options.
The fixed uid and gid for the avahi user have been removed
and the avahi user is now in the avahi group.
The the generic opening of the firewall for UDP port 5353 is
now optional, but still defaults to true.
The option
extraServiceFiles
was added to specify avahiservice definitions, which are then placed in
/etc/avahi/services
.Manual:
Added a section mentioning the changes for avahi.
sandbox
innix.conf
on non-NixOS)nix-shell -p nix-review --run "nix-review wip"
./result/bin/
)nix path-info -S
before and after)fixes #60939
/cc @infinisil