nixos/gitea: Fix startup #74852

Merged
merged 2 commits into from Dec 5, 2019

srhb commented Dec 2, 2019

Motivation for this change

Fixes #74849 hopefully.

I'm tempted to revert to a much more lenient sandbox than what this gives us, but I'd like to discuss how we can test that these are sufficient permissions @dasJ

This is just what I needed to remove to restore enough functionality to make very basic testing succeed in a real setup with postgres as the database. It's hard to tell whether more things are broken.

Thoughts?

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

@srhb srhb requested a review from dasJ Dec 2, 2019
@srhb srhb changed the title Gitea fix start nixos/gitea: Fix startup Dec 2, 2019

flokli commented Dec 4, 2019

@srhb how should the "hopefully" be understood?

We already have some gitea tests, including one with postgres, so it should be easy to verify.

@srhb srhb mentioned this pull request Dec 4, 2019
5 of 10 tasks complete

srhb commented Dec 5, 2019

> @srhb how should the "hopefully" be understood?

As in I don't know whether something is subtly broken or just changed without documentation still, but I have not found anything yet. The test passed simply by fixing up the systemd unit, but the rest of the changes I made after noticing that my real setup was still broken, e.g. with nginx being unable to talk to the socket. :)

If you have a better method to verify things, I'm all ears.


flokli commented Dec 5, 2019

I don't operate a gitea installation currently, sorry. Because of #74849 (comment) I'd assume it improves things, but maybe @petabyteboy can comment here?


petabyteboy commented Dec 5, 2019

Yes, the change of SystemCallFilter which is included here does fix the problem most people will have.
I am running into additional problems because I was using AmbientCapabilities to allow gitea to bind to port 22, and I can not make it work with these new settings (with and without this fix).

But this PR would definitely improve the situation and fix it for most people.

@kolaente kolaente mentioned this pull request Dec 5, 2019
4 of 10 tasks complete

srhb commented Dec 5, 2019

OK, let's go for it and hopefully there are no more traps.

@flokli flokli merged commit 77f26cc into NixOS:master Dec 5, 2019
12 checks passed
@srhb srhb deleted the srhb:gitea-fix-start branch Dec 5, 2019