Merge pull request #85225 from Izorkin/nginx-unit

nixos/unit: update service configuration and update unit to 1.17
2020-05-06 11:34:00 +01:00 · 2020-05-06 11:34:00 +01:00 · 5487e155d7
parent 5040192913 ca2145bdfc
commit 5487e155d7
5 changed files with 77 additions and 100 deletions
--- a/nixos/modules/services/web-servers/unit/default.nix
+++ b/nixos/modules/services/web-servers/unit/default.nix
@ -91,41 +91,47 @@ in {
      description = "Unit App Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
-      path = with pkgs; [ curl ];
      preStart = ''
-        test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json'
+        [ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json'
      '';
      postStart = ''
-        curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
+        ${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
      '';
      serviceConfig = {
+        Type = "forking";
+        PIDFile = "/run/unit/unit.pid";
        ExecStart = ''
          ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \
-                                   --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \
+                                   --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' \
                                   --user ${cfg.user} --group ${cfg.group}
        '';
-        # User and group
-        User = cfg.user;
-        Group = cfg.group;
-        # Capabilities
-        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+        ExecStop = ''
+          ${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
+        '';
+        # Runtime directory and mode
+        RuntimeDirectory = "unit";
+        RuntimeDirectoryMode = "0750";
+        # Access write directories
+        ReadWritePaths = [ cfg.stateDir cfg.logDir ];
        # Security
        NoNewPrivileges = true;
        # Sandboxing
-        ProtectSystem = "full";
+        ProtectSystem = "strict";
        ProtectHome = true;
-        RuntimeDirectory = "unit";
-        RuntimeDirectoryMode = "0750";
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
        PrivateMounts = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
      };
    };

--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -321,6 +321,7 @@ in
  trickster = handleTest ./trickster.nix {};
  tuptime = handleTest ./tuptime.nix {};
  udisks2 = handleTest ./udisks2.nix {};
+  unit-php = handleTest ./web-servers/unit-php.nix {};
  upnp = handleTest ./upnp.nix {};
  uwsgi = handleTest ./uwsgi.nix {};
  vault = handleTest ./vault.nix {};
--- a/nixos/tests/web-servers/unit-php.nix
+++ b/nixos/tests/web-servers/unit-php.nix
@ -0,0 +1,47 @@
+import ../make-test-python.nix ({pkgs, ...}:
+ let
+    testdir = pkgs.writeTextDir "www/info.php" "<?php phpinfo();";
+
+in {
+  name = "unit-php-test";
+  meta.maintainers = with pkgs.stdenv.lib.maintainers; [ izorkin ];
+
+  machine = { config, lib, pkgs, ... }: {
+    services.unit = {
+      enable = true;
+      config = ''
+        {
+          "listeners": {
+            "*:9074": {
+              "application": "php_74"
+            }
+          },
+          "applications": {
+            "php_74": {
+              "type": "php 7.4",
+              "processes": 1,
+              "user": "testuser",
+              "group": "testgroup",
+              "root": "${testdir}/www",
+              "index": "info.php"
+            }
+          }
+        }
+      '';
+    };
+    users = {
+      users.testuser = {
+        isNormalUser = false;
+        uid = 1074;
+        group = "testgroup";
+      };
+      groups.testgroup = {
+        gid= 1074;
+      };
+    };
+  };
+  testScript = ''
+    machine.wait_for_unit("unit.service")
+    assert "PHP Version ${pkgs.php74.version}" in machine.succeed("curl -vvv -s http://127.0.0.1:9074/")
+  '';
+})
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@ -1,8 +1,9 @@
-{ stdenv, fetchFromGitHub, which
+{ stdenv, fetchFromGitHub, nixosTests, which
 , withPython2 ? false, python2
 , withPython3 ? true, python3, ncurses
 , withPHP72 ? false, php72
-, withPHP73 ? true, php73
+, withPHP73 ? false, php73
+, withPHP74 ? true, php74
 , withPerl528 ? false, perl528
 , withPerl530 ? true, perl530
 , withPerldevel ? false, perldevel
@ -28,22 +29,19 @@ let

  php72-unit = php72.override phpConfig;
  php73-unit = php73.override phpConfig;
+  php74-unit = php74.override phpConfig;
+
 in stdenv.mkDerivation rec {
-  version = "1.16.0";
+  version = "1.17.0";
  pname = "unit";

  src = fetchFromGitHub {
    owner = "nginx";
    repo = "unit";
    rev = version;
-    sha256 = "19gclqhwccpi7y4386ap33ycwhylv4s4kwfc6ik8scmc4pw3sj9l";
+    sha256 = "1q3659vw8rxv4fk7ljkjav8ga72sb3arljfxcqw8b080f9hvi7hh";
  };

-  patches = [
-    # https://github.com/nginx/unit/issues/357
-    ./drop_cap.patch
-  ];
-
  nativeBuildInputs = [ which ];

  buildInputs = [ ]
@ -51,6 +49,7 @@ in stdenv.mkDerivation rec {
    ++ optionals withPython3 [ python3 ncurses ]
    ++ optional withPHP72 php72-unit
    ++ optional withPHP73 php73-unit
+    ++ optional withPHP73 php74-unit
    ++ optional withPerl528 perl528
    ++ optional withPerl530 perl530
    ++ optional withPerldevel perldevel
@ -73,6 +72,7 @@ in stdenv.mkDerivation rec {
    ${optionalString withPython3    "./configure python --module=python3  --config=${python3}/bin/python3-config  --lib-path=${python3}/lib"}
    ${optionalString withPHP72      "./configure php    --module=php72    --config=${php72-unit.unwrapped.dev}/bin/php-config --lib-path=${php72-unit}/lib"}
    ${optionalString withPHP73      "./configure php    --module=php73    --config=${php73-unit.unwrapped.dev}/bin/php-config --lib-path=${php73-unit}/lib"}
+    ${optionalString withPHP74      "./configure php    --module=php74    --config=${php74-unit.unwrapped.dev}/bin/php-config --lib-path=${php74-unit}/lib"}
    ${optionalString withPerl528    "./configure perl   --module=perl528  --perl=${perl528}/bin/perl"}
    ${optionalString withPerl530    "./configure perl   --module=perl530  --perl=${perl530}/bin/perl"}
    ${optionalString withPerldevel  "./configure perl   --module=perldev  --perl=${perldevel}/bin/perl"}
@ -81,6 +81,8 @@ in stdenv.mkDerivation rec {
    ${optionalString withRuby_2_7   "./configure ruby   --module=ruby27   --ruby=${ruby_2_7}/bin/ruby"}
  '';

+  passthru.tests.unit-php = nixosTests.unit-php;
+
  meta = {
    description = "Dynamic web and application server, designed to run applications in multiple languages.";
    homepage    = "https://unit.nginx.org/";
--- a/pkgs/servers/http/unit/drop_cap.patch
+++ b/pkgs/servers/http/unit/drop_cap.patch
@ -1,79 +0,0 @@
-diff -r ed17ce89119f src/nxt_capability.c
--- a/src/nxt_capability.c      Fri Dec 06 17:02:23 2019 +0000
-+++ b/src/nxt_capability.c      Mon Dec 09 23:23:00 2019 +0000
-@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *
-     return NXT_OK;
- }
- 
-+
-+nxt_int_t
-+nxt_capability_drop_all(nxt_task_t *task)
-+{
-+    struct __user_cap_header_struct hdr;
-+    struct __user_cap_data_struct data[2];
-+
-+    hdr.version = nxt_capability_linux_get_version();
-+    hdr.pid = nxt_pid;
-+
-+    nxt_memset(data, 0, sizeof(data));
-+
-+    if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {
-+        nxt_alert(task, "failed to drop capabilities %E", nxt_errno);
-+        return NXT_ERROR;
-+    }
-+
-+    return NXT_OK;
-+}
-+
- #else
- 
- static nxt_int_t
-diff -r ed17ce89119f src/nxt_capability.h
--- a/src/nxt_capability.h      Fri Dec 06 17:02:23 2019 +0000
-+++ b/src/nxt_capability.h      Mon Dec 09 23:23:00 2019 +0000
-@@ -14,4 +14,6 @@ typedef struct {
- NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
-     nxt_capabilities_t *cap);
- 
-+NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);
-+
- #endif /* _NXT_CAPABILITY_INCLUDED_ */
-diff -r ed17ce89119f src/nxt_process.c
--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000
-+++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000
-@@ -264,7 +264,7 @@ cleanup:
- static void
- nxt_process_start(nxt_task_t *task, nxt_process_t *process)
- {
-    nxt_int_t                    ret, cap_setid;
-+    nxt_int_t                    ret, cap_setid, drop_caps;
-     nxt_port_t                   *port, *main_port;
-     nxt_thread_t                 *thread;
-     nxt_runtime_t                *rt;
-@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_
- 
-     cap_setid = rt->capabilities.setid;
- 
-+    drop_caps = cap_setid;
-+
- #if (NXT_HAVE_CLONE_NEWUSER)
-    if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {
-+    if (NXT_CLONE_USER(init->isolation.clone.flags)) {
-         cap_setid = 1;
-+        drop_caps = 0;
-     }
- #endif
- 
-@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_
-         if (nxt_slow_path(ret != NXT_OK)) {
-             goto fail;
-         }
-+
-+#if (NXT_HAVE_LINUX_CAPABILITY)
-+        if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {
-+            goto fail;
-+        }
-+#endif
-     }
- 
-     rt->type = init->type;