Make /var/empty immutable (with chattr +i) #18365

Merged 2 commits on Sep 7, 2016

Conversation

domenkozar
Member

See #18358 and #14910 for the bugs these caused.

cc @edolstra

@mention-bot

@domenkozar, thanks for your PR! By analyzing the annotation information on this pull request, we identified @edolstra, @nathan7 and @peti to be potential reviewers

@edolstra
Member

edolstra commented Sep 6, 2016

No, don't make it a link to the Nix store! Paths in the Nix store can have group = nixbld, which will probably cause sshd to fail. Just do chattr +i /var/empty.

Also, /var/empty is not a GC root, which might cause problems.

@domenkozar
Member Author

@edolstra updated

@domenkozar
Member Author

Just a side note: lots of these mkdir -m commands claim to be idempotent, but they're really not, since permissions are not reset if the directory already exists.
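The behaviour described in the comment above, as an added example that is not part of the PR or of nixpkgs: re-running mkdir -m MODE -p on a directory that already exists leaves its mode untouched, so an activation script that relies on it is not idempotent with respect to permissions. The script runs unprivileged on a temporary directory and assumes GNU stat (-c).

```shell
#!/bin/sh
# Added example (not from the nixpkgs PR): demonstrates that `mkdir -m MODE -p`
# does not reset the mode of an existing directory, and shows an idempotent
# alternative that always re-applies the mode. Runs on a scratch directory;
# GNU coreutils `stat -c` is assumed.

# Octal permission bits of a path, e.g. "755".
mode_of() {
    stat -c '%a' "$1"
}

# Create a directory with a permissive mode, then "re-create" it the way the
# activation script does. Prints the mode observed afterwards.
mkdir_m_twice() {
    scratch=$(mktemp -d)
    d="$scratch/empty"
    mkdir -m 0755 "$d"        # first activation: mode 0755
    mkdir -m 0555 -p "$d"     # second activation: exit status 0, mode NOT changed
    mode_of "$d"
    rm -rf "$scratch"
}

# Idempotent variant: create the directory if missing, then always reset its mode.
ensure_dir_mode() {
    dir=$1
    mode=$2
    mkdir -p "$dir"
    chmod "$mode" "$dir"
}

# Same scenario as mkdir_m_twice, but using ensure_dir_mode for the second run.
ensure_dir_mode_twice() {
    scratch=$(mktemp -d)
    d="$scratch/empty"
    mkdir -m 0755 "$d"
    ensure_dir_mode "$d" 0555
    mode_of "$d"
    rm -rf "$scratch"
}

echo "mkdir -m 0555 -p on an existing 0755 dir leaves mode: $(mkdir_m_twice)"
echo "mkdir -p + chmod 0555 on an existing 0755 dir gives mode: $(ensure_dir_mode_twice)"
```

The first call reports 755 and the second 555: the mode argument of mkdir is only applied when the directory is actually created, so a separate chmod is what makes the step converge on the declared permissions.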

@groxxda
Contributor

groxxda commented Sep 6, 2016

Could we use a tmpfs with size=0,mode=000?

@domenkozar
Member Author

@groxxda what advantage would that have over chattr +i?

@groxxda
Contributor

groxxda commented Sep 6, 2016

@domenkozar it's probably just me not being a fan of chattr 😉
The only advantage I can think of is file-system support. But it's probably not relevant, because nobody has /var on a tmpfs.

btw: Does your patch work when run twice?

Fixes #14910 and #18358

Deployed to an existing server, restarted sshd and polkit to verify
they don't fail.

@domenkozar
Member Author

@groxxda it did, but I pushed a fix for rm: cannot remove '/var/empty': Operation not permitted

@grahamc grahamc changed the title Make /var/empty immutable (symlink to nix store) Make /var/empty immutable (with chattr +i) Sep 7, 2016
@grahamc
Member

grahamc commented Sep 7, 2016

(Updated the title to reflect the solution)

@domenkozar
Member Author

@edolstra any objections?

@@ -137,8 +140,13 @@ in

mkdir -m 1777 -p /var/tmp

# Make sure it's really empty
chattr -i /var/empty
rm -rf /var/empty
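Review bot: the rm -rf /var/empty at the end of this hunk removes the directory outright, so until whatever comes next re-creates it there is a window in which /var/empty does not exist at all; an activation interrupted in that window leaves services that depend on the path (the thread names sshd) unable to start. Prefer emptying the directory in place (delete its entries, keep the directory and its inode) and then re-applying the mode and the immutable flag. A second point on the line above it: chattr -i /var/empty is unguarded, so on a filesystem without attribute support, or on a first activation where the path does not exist yet, it exits non-zero and can abort the activation script; chattr -f -i, as the container cleanup later in this thread uses, tolerates both cases.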
Member

This introduces a race during activation where /var/empty doesn't exist. So for example, if it gets interrupted at that point, you won't be able to log in via ssh anymore.
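A way to avoid the window described in the comment above, as an added example that is not the nixpkgs activation script and not code from this PR: empty the directory in place rather than removing and re-creating it, so the path (and its inode) exists at every moment of the activation. The directory is a parameter so the routine can be exercised on a scratch directory without root; the chattr calls are best effort with -f, since they need root and an attribute-capable filesystem, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not from nixpkgs): keep a directory present and empty across
# activations without ever removing it. The path is a parameter; chattr is
# best effort (needs root and e.g. ext4), GNU `find -delete`/`stat -c` assumed.

# Delete the *contents* of a directory, never the directory itself. The inode
# stays the same, so nothing that resolves the path sees it missing.
empty_dir_in_place() {
    dir=$1
    mkdir -p "$dir"
    # Clear the immutable flag so the directory may be modified again.
    # -f suppresses errors where attributes are unsupported; chattr needs root.
    chattr -f -i "$dir" 2>/dev/null || true
    # Make it writable for the owner so a previous 0555 does not block cleanup
    # when running unprivileged (root ignores the mode bits anyway).
    chmod u+w "$dir"
    # find handles dotfiles and nested trees; -mindepth 1 spares the directory.
    find "$dir" -mindepth 1 -delete
    # Re-apply the declared mode unconditionally (mkdir -m would not on re-run).
    chmod 0555 "$dir"
}

# Set the immutable flag again. Silently skipped where unsupported/unprivileged.
make_immutable() {
    chattr -f +i "$1" 2>/dev/null || true
}

# True when the path is a directory with no entries at all, dotfiles included.
is_empty_dir() {
    [ -d "$1" ] && [ -z "$(find "$1" -mindepth 1 -print -quit)" ]
}

# Demonstration on constructed input: a scratch tree with a subdirectory and a dotfile.
demo() {
    scratch=$(mktemp -d)
    d="$scratch/empty"
    mkdir -p "$d/sub"
    touch "$d/.hidden" "$d/sub/file"
    before=$(stat -c '%i' "$d")
    empty_dir_in_place "$d"
    after=$(stat -c '%i' "$d")
    if is_empty_dir "$d" && [ "$before" = "$after" ]; then
        echo "$d: emptied in place, inode $before unchanged, mode $(stat -c '%a' "$d")"
    fi
    make_immutable "$d"
    chattr -f -i "$d" 2>/dev/null || true   # clear again so the scratch tree can be removed
    rm -rf "$scratch"
}

demo
```

Run as root on a real /var/empty the routine is idempotent: a second activation clears the flag, finds nothing to delete, resets the mode and sets the flag again, and at no point does a concurrent sshd or polkit start observe the directory missing.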

@domenkozar
Member Author

@edolstra fixed

@domenkozar
Member Author

@fpletz I've linked two issues in the description of the PR as motivation for which issues we fix.

I think it's safe to disable this for containers.

@domenkozar
Member Author

@fpletz chattr -R -f -i needs to be added here: https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/virtualization/nixos-container/nixos-container.pl#L248

And we probably should test whether container deletion works in the tests.

@domenkozar
Member Author

Ah, it already is, but it doesn't fail: http://hydra.nixos.org/build/40856595/log/raw

domenkozar added a commit that referenced this pull request Sep 30, 2016
(cherry picked from commit 14c16f2)
Signed-off-by: Domen Kožar <domen@dev.si>
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/return-container-to-its-original-declared-state/14793/4

adrianpk added a commit to adrianpk/nixpkgs that referenced this pull request May 31, 2024