Commits on Feb 5, 2020

1. nixos/filesystems: ensure keys gid on /run/keys mountpoint …

   boot.specialFileSystems is used to describe mount points to be set up in
   stage 1 and 2.
   
   We use it to create /run/keys already there, so sshd-in-initrd scenarios
   can consume keys sent over through nixops send-keys.
   
   However, it seems the kernel only supports the gid=… option for tmpfs,
   not ramfs, causing /run/keys to be owned by the root group, not keys
   group.
   
   This was/is worked around in nixops by running a chown root:keys
   /run/keys whenever pushing keys [1], and as machines had to have pushed keys
   to be usable, this was pretty much always the case.
   
   This is causing regressions in setups not provisioned via nixops, that
   still use /run/keys for secrets (through cloud provider startup scripts
   for example), as suddenly being an owner of the "keys" group isn't
   enough to access the folder.
   
   This PR removes the defunct gid=… option in the mount script called in
   stage 1 and 2, and introduces a tmpfiles rule which takes care of fixing
   up permissions as part of sysinit.target (very early in systemd bootup,
   so before regular services are started).
   
   In case of nixops deployments, this doesn't change anything.
   nixops-based deployments receiving secrets from nixops send-keys in
   initrd will simply have the permissions already set once tmpfiles is
   started.
   
   Fixes NixOS#42344
   
   [1]: https://github.com/NixOS/nixops/blob/884d6c3994b227eb09c307e5d25d6885c9af8220/nixops/backends/__init__.py#L267-L269

   

   flokli committed Feb 5, 2020
   Copy the full SHA

   3c74e48 View commit details

   Browse the repository at this point in the history