Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RFC 0052] Away from static IDs #52

Merged
merged 13 commits into from Oct 21, 2019
Merged

[RFC 0052] Away from static IDs #52

merged 13 commits into from Oct 21, 2019

Conversation

@Infinisil
Copy link
Member

Infinisil commented Sep 5, 2019

Summary

A lot of NixOS modules are assigning static uids/gids to their users. This has resulted in less than 90 static ids left in the reserved range from 0 to 400.

This RFC deprecates the practice of doing that and instead suggests to

  • If applicable use systemd's DynamicUser
  • Otherwise let NixOS assign dynamic persistent ids, which happens automatically when users.users.<name?>.uid/users.groups.<name?>.gid is not set. For users, users.users.<name?>.isSystemUser should be set so that only uids under 1000 are used by NixOS services.

Only in special circumstances are static ids allowed anymore.

Rendered

Partial implementation PR: NixOS/nixpkgs#65698

cc @edolstra @aanderse @ryantm @arianvp @globin @volth @arcnmx

@Profpatsch

This comment has been minimized.

Copy link
Member

Profpatsch commented Sep 5, 2019

Does DynamicUser magically work when migrating between machines (as compared to the mapping file)?

@Infinisil

This comment has been minimized.

Copy link
Member Author

Infinisil commented Sep 5, 2019

@Profpatsch If you need a stateful directory with DynamicUser, you need to use StateDirectory for it, which ensures correct permissions, so yeah this should just work.

@edolstra edolstra added the status: new label Sep 5, 2019
@Mic92 Mic92 mentioned this pull request Sep 5, 2019
@edolstra edolstra changed the title [RFC 0052] Away from static ids [RFC 0052] Away from static IDs Sep 5, 2019
@nixos-discourse

This comment has been minimized.

Copy link

nixos-discourse commented Sep 5, 2019

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/new-rfc-52-away-from-static-ids/3931/1

@edolstra

This comment has been minimized.

Copy link
Member

edolstra commented Sep 5, 2019

This PR is now open for shepherd nominations. Any volunteers?

@ryantm

This comment has been minimized.

Copy link
Member

ryantm commented Sep 5, 2019

I volunteer to be a shepherd.

1 similar comment
@Mic92

This comment has been minimized.

Copy link

Mic92 commented Sep 5, 2019

I volunteer to be a shepherd.

@arianvp

This comment has been minimized.

Copy link
Member

arianvp commented Sep 5, 2019

I volunteer too!

@asymmetric

This comment has been minimized.

Copy link

asymmetric commented Sep 5, 2019

I too volunteer to be a shepherd 🐑.

rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
@edolstra edolstra mentioned this pull request Sep 12, 2019
@edolstra

This comment has been minimized.

Copy link
Member

edolstra commented Sep 12, 2019

Also nominating myself.

So we have the following shepherd team: @ryantm, @arianvp, @asymmetric and @edolstra. Thanks! @ryantm do you have to lead this team?

@arianvp

This comment has been minimized.

Copy link
Member

arianvp commented Sep 12, 2019

A link from the systemd folks on how they envision groups, users, uids and guids on a "systemd system" https://systemd.io/UIDS-GIDS.html . It's a good read and will make our lives if we adapt our RFC to be sort of in line with what they are suggesting when possible. I'm reading it as we speak and will leave some feedback from the things I learnt from it.

@ryantm

This comment has been minimized.

Copy link
Member

ryantm commented Sep 12, 2019

Sure, I will lead the shepherd team.

rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
Services should make permissions of their directories are usable by them.
- The easiest way to achieve this is to use `systemd.services.<name?>.serviceConfig.StateDirectory = "myservice"`, which ensures that `/var/lib/myservice` belongs to the services user.
- `systemd.tmpfiles.rules = [ "Z '/var/lib/myservice' - myuser mygroup - -" ]` can also be used, with the disadvantage that it will only run at system activation and not when the service starts. It also recursively fixes the permissions every time, meaning it can lead to considerable slowdown with many files.
- An alternative is to assign `serviceConfig.ExecStartPre = "+${pkgs.writeScript "myservice-prestart" "..."}"` with a script to fix the permissions, where the `+` makes the script run with full root permissions as documented in `man systemd.service`.

This comment has been minimized.

Copy link
@arianvp

arianvp Sep 16, 2019

Member

Would be nice if we could have this syntax work in the preStart and postStart shorthands that we currently have in the systemd module

@Mic92 Mic92 mentioned this pull request Sep 17, 2019
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Show resolved Hide resolved
@ryantm

This comment has been minimized.

Copy link
Member

ryantm commented Oct 8, 2019

@asymmetric 's GitHub profile says he is on vacation and he hasn't replied in 6 days, and the rest of us are unanimous that we would like to enter FCP with disposition to merge, so I'm going to proceed to publicize the FCP after checking with @Infinisil.

@nixos-discourse

This comment has been minimized.

Copy link

nixos-discourse commented Oct 8, 2019

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/rfc-0052-fcp-away-from-static-ids/4291/1

@ryantm

This comment has been minimized.

Copy link
Member

ryantm commented Oct 8, 2019

The Final Comment Period for this RFC has started and, barring any blocking issues, will be merged after 2019-10-18. Your opinions, comments, and approvals are welcome!

@globin
globin approved these changes Oct 8, 2019
Copy link

asymmetric left a comment

A couple of nits, but otherwise 👍

rfcs/0052-dynamic-ids.md Outdated Show resolved Hide resolved
rfcs/0052-dynamic-ids.md Show resolved Hide resolved
@Infinisil

This comment has been minimized.

Copy link
Member Author

Infinisil commented Oct 9, 2019

Ah yes, forgot to push the changes for those

@globin globin mentioned this pull request Oct 10, 2019
@nixos-discourse

This comment has been minimized.

Copy link

nixos-discourse commented Oct 10, 2019

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-weekly-13-nixos-19-09-release-cache-nixos-org-improvements-github-actions-for-nix-a-number-of-talks/4322/1

Infinisil added 2 commits Oct 10, 2019
I hope
@Infinisil Infinisil mentioned this pull request Oct 12, 2019
1 of 10 tasks complete
@Infinisil

This comment has been minimized.

Copy link
Member Author

Infinisil commented Oct 12, 2019

Lucky coincidence: @dasJ just opened NixOS/nixpkgs#71055 for making all NixOS module users use isSystemUser = true which I planned to do after this RFC. With NixOS/nixpkgs#65698 the system user limit of 100 ids will be increased to non-problematic levels.

@edolstra edolstra mentioned this pull request Oct 17, 2019
@ryantm

This comment has been minimized.

Copy link
Member

ryantm commented Oct 19, 2019

The FCP has ended without any objections. @NixOS/rfc-steering-committee please merge.

@globin globin merged commit 698b1ca into NixOS:master Oct 21, 2019
@globin globin added status: accepted and removed status: FCP labels Oct 21, 2019
@Infinisil Infinisil deleted the Infinisil:dynamic-ids branch Oct 21, 2019
@Infinisil Infinisil restored the Infinisil:dynamic-ids branch Oct 27, 2019
@shlevy shlevy mentioned this pull request Nov 1, 2019
@Infinisil

This comment has been minimized.

Copy link
Member Author

Infinisil commented Nov 14, 2019

Note to myself: This still needs the updates to the manual

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

You can’t perform that action at this time.