
transmission: apply RFC0042 and harden the service #92106

Merged: 1 commit, Aug 7, 2020

Conversation

@ju1m
Contributor

ju1m commented Jul 2, 2020

Motivation for this change

This is an attempt at applying RFC0042 and hardening params to services.transmission.

Things done
  • Use RFC0042 settings, ensuring that port never differs from settings.rpc-port.
  • Ensure that home, download-dir and incomplete-dir are absolute paths.
  • No longer use systemd-tmpfiles on home (which does not work, see comments) but use activationScripts.transmission-daemon and BindPaths for settingsDir, download-dir and incomplete-dir.
  • Revert to the 20.03 settingsDir directory ${home}/.config/transmission-daemon/.
  • Add hardening parameters removing rights unused by Transmission, using systemd-analyze security transmission.
  • Add option credentialsFile to set settings from a file outside the Nix store.
  • Add option openFirewall (false by default) to open the peer port(s).
  • Add option performanceNetParameters enabling kernel parameters recommended here: https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html.
  • Fix allowed paths in the AppArmor profile (but AppArmor needs a better integration into NixOS, see comments).
  • Fix nixos/tests/bittorent.nix to not expect downloaded files in /tmp which is now private to systemd.services.transmission.
  • Fix CURL_CA_BUNDLE to check trackers.
  • Add myself as a maintainer of services.transmission.
  • Set sysctl net.core.rmem_max=4MB and net.core.wmem_max=1MB as requested (in the logs) by Transmission when settings.utp-enabled is set.
  • Make systemd-analyze security transmission return OK
  NAME                                                        DESCRIPTION                                                                   EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                           0.5
✓ User=/DynamicUser=                                          Service runs under a static non-root user identity                                    
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities                                 
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges                                               
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities                                           
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                              0.3
✓ RestrictNamespaces=~CLONE_NEWUSER                           Service cannot create user namespaces                                                 
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets                                                
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities                         
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks                               
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges                                       
✓ CapabilityBoundingSet=~CAP_RAWIO                            Service has no raw I/O access                                                         
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules                                                    
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock                                      
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                 0.1
✗ IPAddressDeny=                                              Service does not define an IP address whitelist                                    0.2
✓ KeyringMode=                                                Service doesn't share key material with other services                                
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges                                       
✓ NotifyAccess=                                               Service child processes cannot alter service state                                    
✓ PrivateDevices=                                             Service has no access to hardware devices                                             
✓ PrivateMounts=                                              Service cannot install system mounts                                                  
✓ PrivateTmp=                                                 Service has no access to other software's temporary files                             
✓ PrivateUsers=                                               Service does not have access to other users                                           
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock                            
✓ ProtectControlGroups=                                       Service cannot modify the control group file system                                   
✗ ProtectHome=                                                Service has read-only access to home directories                                   0.1
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer                       
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules                                            
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)                                   
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy                          
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets                                                
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted                                      
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI                                 
✓ SystemCallFilter=~@clock                                    System call whitelist defined for service, and @clock is not included                 
✓ SystemCallFilter=~@debug                                    System call whitelist defined for service, and @debug is not included                 
✓ SystemCallFilter=~@module                                   System call whitelist defined for service, and @module is not included                
✓ SystemCallFilter=~@mount                                    System call whitelist defined for service, and @mount is not included                 
✓ SystemCallFilter=~@raw-io                                   System call whitelist defined for service, and @raw-io is not included                
✓ SystemCallFilter=~@reboot                                   System call whitelist defined for service, and @reboot is not included                
✓ SystemCallFilter=~@swap                                     System call whitelist defined for service, and @swap is not included                  
✗ SystemCallFilter=~@privileged                               System call whitelist defined for service, and @privileged is included             0.2
✓ SystemCallFilter=~@resources                                System call whitelist defined for service, and @resources is not included             
✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities                                 
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access                                                 
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes                               
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes                                                    
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges                                         
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging                                               
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters                           
✓ RestrictNamespaces=~CLONE_NEWCGROUP                         Service cannot create cgroup namespaces                                               
✓ RestrictNamespaces=~CLONE_NEWIPC                            Service cannot create IPC namespaces                                                  
✓ RestrictNamespaces=~CLONE_NEWNET                            Service cannot create network namespaces                                              
✓ RestrictNamespaces=~CLONE_NEWNS                             Service cannot create file system namespaces                                          
✓ RestrictNamespaces=~CLONE_NEWPID                            Service cannot create process namespaces                                              
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted                                      
✓ SystemCallFilter=~@cpu-emulation                            System call whitelist defined for service, and @cpu-emulation is not included         
✓ SystemCallFilter=~@obsolete                                 System call whitelist defined for service, and @obsolete is not included              
✓ RestrictAddressFamilies=~AF_NETLINK                         Service cannot allocate netlink sockets                                               
✓ RootDirectory=/RootImage=                                   Service has its own root directory/image                                              
✓ SupplementaryGroups=                                        Service has no supplementary groups                                                   
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC                                                       
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()                                                         
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree                     
✓ LockPersonality=                                            Service cannot change ABI personality                                                 
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings                             
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around                                     
✓ RestrictNamespaces=~CLONE_NEWUTS                            Service cannot create hostname namespaces                                             
✓ UMask=                                                      Files created by service are accessible only by service's own user by default         
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable                                                   
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM                                                   
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()                                                         
✓ ProtectHostname=                                            Service cannot change system host/domainname                                          
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks                                                   
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases                                                     
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()                                                             
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()                                                        
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system                                 
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                 0.1

→ Overall exposure level for transmission.service: 1.3 OK 🙂
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
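An added example, not taken from this PR's diff or from the transmission module itself, of a NixOS configuration that exercises the options listed above. The option names (settings, credentialsFile, openFirewall, performanceNetParameters) are the ones this PR names; the directory paths, the secrets path and the contents of the credentials file are assumptions (rpc-username, rpc-password and rpc-authentication-required are Transmission's own settings.json keys):

```nix
{ config, lib, pkgs, ... }:
{
  services.transmission = {
    enable = true;

    # RFC0042-style settings: keys are written verbatim into settings.json,
    # so they are spelled exactly as transmission-daemon expects them.
    settings = {
      rpc-port = 9091;                 # port is derived from this, not set separately
      rpc-bind-address = "127.0.0.1";  # keep the RPC interface off the network
      rpc-whitelist-enabled = true;
      rpc-whitelist = "127.0.0.1";
      # Absolute paths are required; the module bind-mounts them into the
      # service's private mount namespace.
      download-dir = "/var/lib/transmission/downloads";
      incomplete-dir = "/var/lib/transmission/incomplete";
      incomplete-dir-enabled = true;
      utp-enabled = true;              # module then raises net.core.rmem_max / wmem_max
    };

    # Secrets stay out of the world-readable Nix store. Assumed file content:
    # { "rpc-authentication-required": true,
    #   "rpc-username": "admin", "rpc-password": "<not in the store>" }
    # It is merged into settings.json by the ExecStartPre script.
    credentialsFile = "/var/lib/secrets/transmission.json";  # placeholder path

    # Peer port stays closed unless explicitly opened.
    openFirewall = false;

    # Kernel tunables from the linked ipredator.se article.
    performanceNetParameters = true;
  };
}
```

Because the credentials file is read by a root-run ExecStartPre and installed with mode 600 for the service user, the file itself only needs to be readable by root; it never has to be readable by the transmission user or group.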
Contributor

aanderse left a comment

My comments are mostly just questions that I'm too lazy to lookup myself...

This looks nice. I have thought this module needs some work for some time now, I'm happy to see it move in this direction. Thanks for your work.

Another problem is that I'm sure a number of users run this as their own user account which is not a good thing. Unrelated to this PR though.

@ju1m ju1m force-pushed the ju1m:transmission branch from 3ca7ac3 to e32ffe8 Jul 5, 2020
Contributor

doronbehar left a comment

Great work @ju1m, you've almost completed an item from my TODO list. I tried to test your changes with nixos-rebuild on my personal system and I hit this error:

building Nix...
building the system configuration...
error: The option `services.transmission.port' is used but not defined.
(use '--show-trace' to show detailed location information)
@ju1m ju1m force-pushed the ju1m:transmission branch from e32ffe8 to 2837824 Jul 5, 2020
@ju1m
Contributor Author

ju1m commented Jul 5, 2020

@doronbehar, well, I had forgotten to test for options.services.transmission.port.isDefined when settings.rpc-port; this is fixed in the last push. That said, this PR removes the default of port, so if it is used somewhere by the user without being defined by the user, it will still raise this error :\

@ju1m ju1m force-pushed the ju1m:transmission branch 3 times, most recently from 24dcaa5 to f3c31b0 Jul 14, 2020
@aanderse aanderse mentioned this pull request Jul 17, 2020
@bb2020
Contributor

bb2020 commented Jul 17, 2020

I think openFirewall should be disabled by default.

@doronbehar
Contributor

doronbehar commented Jul 17, 2020

I think openFirewall should be disabled by default.

I agree. Besides that, I'm running this PR in one of its previous forms and everything is running OK.

@bb2020
Contributor

bb2020 commented Jul 17, 2020

Also I failed to understand how a system service loads its config from home directory here:

Revert to the 20.03 settingsDir directory ~/.config/transmission-daemon/.
@ju1m ju1m mentioned this pull request Jul 19, 2020
@ju1m ju1m force-pushed the ju1m:transmission branch from f3c31b0 to 28922d0 Jul 20, 2020
Contributor

aanderse left a comment

Couple minor things.

@Mic92
Contributor

Mic92 commented Jul 22, 2020

@Lassulus Can you test this on your server?

@Mic92 Mic92 requested a review from Lassulus Jul 22, 2020
@Lassulus
Contributor

Lassulus commented Jul 22, 2020

will test it tomorrow

@Lassulus
Contributor

Lassulus commented Jul 23, 2020

Tested this on top of 20.03. Everything seems to work fine. The default listen-port of the rpc changed so I had to add rpc-bind-address = "0.0.0.0"; to my transmission settings. This change of default behavior should probably be mentioned in the release-notes.

@ju1m
Contributor Author

ju1m commented Jul 24, 2020

Tested this on top of 20.03. Everything seems to work fine. The default listen-port of the rpc changed so I had to add rpc-bind-address = "0.0.0.0"; to my transmission settings. This change of default behavior should probably be mentioned in the release-notes.

Hmm, services.transmission.port default was 9091 and so the new services.transmission.settings.rpc-port has the same default. What I can see that has changed is that now services.transmission.port can no longer have a default, and thus must be defined if used (e.g. in a firewall). But I don't understand why changing rpc-bind-address would fix something related to the listening port.

On another topic, in SystemCallFilter= I will try to replace "@system.service", which is arguably too big, by smaller groups of syscalls, using perf as I've done there for another service: 4b852dc#diff-ebc01032412e785b55086856203a35b5R53. This has the potential to break the service because I won't be able to test all the features of transmission-daemon.

@ju1m ju1m force-pushed the ju1m:transmission branch from e53b63b to 672f391 Aug 3, 2020
@Lassulus
Contributor

Lassulus commented Aug 3, 2020

will test later today or tomorrow

@Lassulus
Contributor

Lassulus commented Aug 4, 2020

EDIT: whupps, made an error during rebasing my changes. Need to review again

serviceConfig = {
# Use "+" because credentialsFile may not be accessible to User= or Group=.
ExecStartPre = "+" + pkgs.writeShellScript "transmission-prestart" ''
set -eux

Lassulus Aug 4, 2020 Contributor

the x here does just generate log entries

Suggested change:
-set -eux
+set -eu
@Lassulus
Contributor

Lassulus commented Aug 4, 2020

So, I couldn't get this to run by now. It worked fine with the default group. But when I changed it I got errors.

This is my config:

  users.groups.download.members = [ "transmission" ];
  services.transmission = {
    enable = true;
    group = "download";
    settings = {
      download-dir = "/var/download/finished/unsorted";
      incomplete-dir = "/var/download/incoming";
      incomplete-dir-enable = true;
      message-level = 1;
      umask = "002";
      rpc-whitelist-enabled = false;
      rpc-host-whitelist-enabled = false;
    };
  };

this is the error I got:

● transmission.service - Transmission BitTorrent Service
   Loaded: loaded (/nix/store/1rsgbg7b7597pqi1dw983yvh908djvgv-unit-transmission.service/transmission.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-08-04 19:47:29 UTC; 3min 57s ago
  Process: 15678 ExecStartPre=/nix/store/m7jslzddw7z6cfd43kgkq3447n6pvwdw-transmission-prestart (code=exited, status=0/SUCCESS)
  Process: 15681 ExecStart=/nix/store/09xnsjvhpa1ng77pb0ms0ypn84jj8a7n-transmission-2.94/bin/transmission-daemon -f (code=exited, status=203/EXEC)
 Main PID: 15681 (code=exited, status=203/EXEC)

Aug 04 19:47:29 yellow systemd[1]: Starting Transmission BitTorrent Service...
Aug 04 19:47:29 yellow m7jslzddw7z6cfd43kgkq3447n6pvwdw-transmission-prestart[15678]: + /nix/store/ghvr5vcnk3b7c8cfx5byda39ha5ssby4-jq-1.6-bin/bin/jq --slurp add /nix/store/akmzval33pj6qdgqfc7dakkdcwfhwfiz-settings.jso>
Aug 04 19:47:29 yellow m7jslzddw7z6cfd43kgkq3447n6pvwdw-transmission-prestart[15678]: + install -D -m 600 -o transmission -g download /dev/stdin /var/lib/transmission/.config/transmission-daemon/settings.json
Aug 04 19:47:29 yellow systemd[1]: Started Transmission BitTorrent Service.
Aug 04 19:47:29 yellow systemd[1]: transmission.service: Main process exited, code=exited, status=203/EXEC
Aug 04 19:47:29 yellow systemd[1]: transmission.service: Failed with result 'exit-code'.
@doronbehar
Contributor

doronbehar commented Aug 4, 2020

Hmm, I can't figure out what's wrong there. My config works fine:

    services.transmission.enable = true;
    services.transmission.settings = {
      download-dir = "/var/lib/transmission/downloads";
      incomplete-dir = "/var/lib/transmission/incomplete";
      incomplete-dir-enabled = true;
      lpd-enabled = true;
      watch-dir = "/var/lib/transmission/watchdir";
      watch-dir-enabled = true;
      rpc-whitelist = "127.0.0.*,192.168.*.*";
    };
    services.transmission.credentialsFile = "/var/lib/secrets/transmission.json";

Maybe the .config directory doesn't exist?

@Lassulus
Contributor

Lassulus commented Aug 4, 2020

Hmm, I can't figure out what's wrong there. My config works fine:
...
Maybe the .config directory doesn't exist?

It works fine for me too, as long as I don't specify another group with services.transmission.group.

@ju1m ju1m force-pushed the ju1m:transmission branch from 672f391 to 9b15e68 Aug 4, 2020
@ju1m
Contributor Author

ju1m commented Aug 4, 2020

@Lassulus, sorry, I had not anticipated that leftovers in /run/transmission could cause trouble (here systemd could not run the ExecStart= because /run/transmission/nix still belonged to the previous group you used).
I first thought about adding a systemd.tmpfiles rule like R ${rootDir} or Z ${rootDir} 2755 root ${cfg.group}, but I found a way to avoid using systemd.tmpfiles completely by using RuntimeDirectory=, which will take care of cleaning /run/transmission without mounting it in the private mount namespace: InaccessiblePaths = ["-+${rootDir}"].
I've also decided to avoid using the SETGID trick altogether by relaxing UMask= further, because it does not feel right to have those intermediate files owned by cfg.group. I wrongly thought that systemd-analyze security transmission would complain about this, but it's not the case.
I've also fixed a bug in setting boot.kernel.sysctl: mkMerge must be used instead of // to merge attributes guarded by mkIf.
Thanks for the report!
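An added illustration, not code from this PR, of the mkMerge-versus-// bug mentioned in the comment above. It uses the sysctl values from the PR description (4 MB and 1 MB for uTP); the `cfg` binding, the `or false` defaults and the tunable used for performanceNetParameters are assumptions made for the example:

```nix
{ config, lib, ... }:
let
  cfg = config.services.transmission;  # assumed local binding, as modules commonly do
  utp = cfg.settings.utp-enabled or false;
in
{
  # WRONG. lib.mkIf returns a wrapper { _type = "if"; condition; content; },
  # not the attribute set itself. `//` on two such wrappers is a plain attr
  # update, so the second wrapper overrides all three attributes of the first:
  # the uTP buffer sizes silently disappear and no error is raised.
  #
  # boot.kernel.sysctl =
  #   (lib.mkIf utp { "net.core.rmem_max" = 4194304; "net.core.wmem_max" = 1048576; })
  #   // (lib.mkIf cfg.performanceNetParameters { "net.ipv4.tcp_window_scaling" = 1; });

  # RIGHT. mkMerge takes a list of definitions; each may be guarded by mkIf,
  # and the module system evaluates the conditions before merging, so both
  # groups of tunables end up in boot.kernel.sysctl when their guards hold.
  boot.kernel.sysctl = lib.mkMerge [
    (lib.mkIf utp {
      "net.core.rmem_max" = 4194304;  # 4 MB, requested by Transmission when uTP is on
      "net.core.wmem_max" = 1048576;  # 1 MB
    })
    (lib.mkIf cfg.performanceNetParameters {
      # placeholder tunable; the real list is in the linked ipredator.se article
      "net.ipv4.tcp_window_scaling" = 1;
    })
  ];
}
```

The failure mode is worth remembering because it is silent: evaluation succeeds, the generated sysctl configuration simply lacks the first group of settings, and the only visible symptom is Transmission's log line asking for larger socket buffers.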

@ju1m
Contributor Author

ju1m commented Aug 4, 2020

AFAIU, the ofBorg check currently failing is on the file nixos/doc/manual/release-notes/rl-2009.xml modified by this PR, but it is not this PR which is introducing the problem (a trailing whitespace). I prefer not to interfere and cause potential merge conflicts.

@ju1m ju1m force-pushed the ju1m:transmission branch from 9b15e68 to 8cd0f23 Aug 6, 2020
@ju1m ju1m force-pushed the ju1m:transmission branch from 8cd0f23 to 2a49db6 Aug 7, 2020
@Mic92
Contributor

Mic92 commented Aug 7, 2020

Hmm, I can't figure out what's wrong there. My config works fine:
...
Maybe the .config directory doesn't exist?
It works fine for me too, as long as I don't specify another group with services.transmission.group.

Is this working for you now?

@Lassulus
Contributor

Lassulus commented Aug 7, 2020

Everything seems to be working now for me

@Mic92
Contributor

Mic92 commented Aug 7, 2020

@GrahamcOfBorg test transmission

@Mic92 Mic92 merged commit e879d83 into NixOS:master Aug 7, 2020
doronbehar added a commit to doronbehar/nixpkgs that referenced this pull request Aug 16, 2020
`watch-dir` was neglected after NixOS#92106 - this change makes using this
setting work.
@meck

meck commented Aug 17, 2020

@ju1m This one did bite me a bit. Using a machine with a static IP I couldn't get DNS for transmission to work, and had to add resolv.conf to the filesystem:
systemd.services.transmission.serviceConfig.BindReadOnlyPaths = [ "-/etc/resolv.conf" ]
I don't know if it should be added to the service?

@bb2020
Contributor

bb2020 commented Aug 17, 2020

It is probably because of the network service being initialized after transmission. You can try running a local dnsmasq cache service.

services.dnsmasq.enable = true;
services.dnsmasq.resolveLocalQueries = true;

@meck

meck commented Aug 17, 2020

Good idea, but I don't think it works for my setup, as I move transmission to a separate network namespace with its own connection and /etc/resolv.conf, and I don't want it to use the default namespace's resolvers and connection. However, all is working fine for me with the above fix 👍

@ju1m
Contributor Author

ju1m commented Aug 17, 2020

@meck This is an error on my part, sorry. I did ask myself whether or not to add /etc/resolv.conf to the BindReadOnlyPaths=, but eventually forgot about it because it was working without it for me. Actually more files should be added, as hinted by AppArmor's abstractions/nameservice, so I guess it would be better to expose all of /etc and leave such fine-grained ACL work to tools like AppArmor. I'm also concerned that not exposing all of /etc could break usual things done in script-torrent-done-filename.

@ju1m ju1m mentioned this pull request Aug 17, 2020
@doronbehar
Contributor

doronbehar commented Aug 17, 2020

I can also testify that one of the alternative download directories used by me, besides the watch-dir (handled at #95522), was inaccessible to transmission. Thus I had to add (besides the watch-dir) yet another path to BindPaths.

I didn't like all of the hardening at the beginning, but I wasn't sure why. This was discussed here at #92106 (comment)

wchresta added a commit to wchresta/nixpkgs that referenced this pull request Aug 17, 2020
`watch-dir` was neglected after NixOS#92106 - this change makes using this
setting work.
pbogdan added a commit to pbogdan/nixpkgs that referenced this pull request Aug 23, 2020
`watch-dir` was neglected after NixOS#92106 - this change makes using this
setting work.
@ju1m ju1m deleted the ju1m:transmission branch Aug 30, 2020
@minijackson minijackson mentioned this pull request Sep 17, 2020