The missing () caused parts of the escripts to be added to the
ExecStartPost line instead of inside the script.
This caused postgresql start to fail under certain conditions.
In certain cases, for example when custom OpenLDAP modules are
compiled into the binary, users may want to override the package used
for OpenLDAP.
This is especially common in setups where LDAP is the primary
authentication source, as good password hashing mechanisms need to be
enabled as extra modules.
The 6.0 changelog notes that systemd support was rewritten. The effects
of that seem to be twofold:
* Redis will silently fail to sd_notify if not built with libsystemd,
breaking our unit configuration.
* It also appears to misbehave if told to daemonize when running under
systemd -- note that upstream's sample unit configuration does not
daemonize:
https://github.com/antirez/redis/blob/unstable/utils/systemd-redis_server.service
Currently, sudo doesn't work in a NixOS container running inside a Nix
build, because Nix's seccomp filter doesn't allow setuid programs. In
any case, runuser is a bit lower-overhead than sudo.
By default, postgres prefixes each log line with a timestamp. On NixOS
logs are written to journal anyway, so they include an external
timestamp, so the timestamp ends up being printed twice, which clutters
the log.
* Add a module option to change the log prefix.
* Set it to upstream default sans timestamp.
This seems to have worked in 15f105d41f (5
months ago) but broke somewhere in the meantime.
The current module doesn't seem to be underdocumented and might need a
serious refactor. It requires quite some hacks to get it to work (see
https://github.com/NixOS/nixpkgs/issues/86305#issuecomment-621129942),
or how the ldap.nix test used systemd.services.openldap.preStart and
made quite some assumptions on internals.
Mic92 agreed on being added as a maintainer for the module, as he uses
it a lot and can possibly fix eventual breakages. For the most basic
startup breakages, the remaining openldap.nix test might suffice.
slapd does only print the error and not the line number.
Sometimes it is not even clear that it fails to start
due to an incorrect configuration file.
Example output of slaptest:
5e1b2179 /nix/store/gbn2v319d4qgw851sg41mcmjm5dpn39i-slapd.conf: line 134 objectClass: Missing closing parenthesis before end of input
ObjectClassDescription = "(" whsp
numericoid whsp ; ObjectClass identifier
[ "NAME" qdescrs ]
[ "DESC" qdstring ]
[ "OBSOLETE" whsp ]
[ "SUP" oids ] ; Superior ObjectClasses
[ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
; default structural
[ "MUST" oids ] ; AttributeTypes
[ "MAY" oids ] ; AttributeTypes
whsp ")"
slaptest: bad configuration file!
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
The redis module currently fails to start up, most likely due to running
a chown as non-root in preStart.
While at it, I hardcoded it to use systemd's StateDirectory and
DynamicUser to manage directory permissions, removed the unused
appendOnlyFilename option, and the pidFile option.
We properly tell redis now it's daemonized, and it'll use notify support
to signal readiness.
The default for logFile is /var/log/couchdb.log, and the tmpfile rules chown
${dirOf cfg.logFile}, which is just /var/log, to couchdb:couchdb.
This was found by Edes' report on IRC, which looked like
Detected unsafe path transition /var/log → /var/log/journal during canonicalization of /var/log/journal
While this bug has been present since the initial couchdb module in
62438c09f7 by @garbas, this wasn't a
problem, because the initial module only created and chowned /var/log
if it didn't exist yet, which can't occur because this gets created in
the initial phases of NixOS startup.
However with the recent move from manual preStart chown scripts to
systemd.tmpfiles.rules in 062efe018d (#59389),
this chown is suddenly running unconditionally at every system
activation, therefore triggering the above error.
This is rework of part of https://github.com/NixOS/nixpkgs/pull/46670.
My usecase was to be able to inspect PG datadir as wheel user.
PG11 now allows starting server with 0750 mask for data dir.
`groupAccess = true` now does this automatically. The only thing you have to do
is to set group ownership.
For PG10 and below, I've described a hack how this can be done. Before this PR
hack was impossible. The hack isn't ideal, because there is short
period of time when dir mode is 0700, so I didn't want to make it official.
Test/example is present too.
In commit d43dc68db3, @Mic92 split the
rootpw option to allow specifying it in a file kept outside the Nix
store, as an alternative to specifying the password directly in the
config.
Prior to that, rootpw's type was `str`, but in order to allow both
alternatives, it had to become `nullOr str` with a default of `null`. So
I can see why this assertion, that either rootpw or rootpwFile are
specified, makes sense to add here.
However, these options aren't used if the configDir option is set, so as
written this assertion breaks valid configurations, including the
configuration used by nixos/tests/ldap.nix.
So this patch fixes the assertion so that it doesn't fire if configDir
is set.
The change to "NixOS Test Cluster" in #59179 broke startup of existing clusters
that used the previously-default cluster name "Test Cluster":
ERROR 23:00:47 Fatal exception during initialization
org.apache.cassandra.exceptions.ConfigurationException: Saved cluster name Test Cluster != configured name NixOS Test Cluster
Fixes#63388.
Manual build broken by 79f7f89442, which
is part of pull request #59179 (Fix Cassandra, improve config and
tests).
The issue was just a small error because of an unbalanced <literal/>
tag, so only a "/" was missing :-)
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @aanderse
If the `seedAddresses` is not set, don't force `SimpleSeedProvider` to
be in `seed_provider`. This could cause problems in a multi-datacenter
deployment when a different seed provider is preferred.
If you're on a multi user system you don't want to have the password in
the nix-store. With the new jmxRolesFile option you can specify your own
protected file instead.
mysql already has its socket path hardcoded to to
/run/mysqld/mysqld.sock.
There's not much value in making the pidDir configurable, which also
points to /run/mysqld by default.
We only seem to use `services.mysql.pidDir` in the wordpress startup
script, to wait for mysql to boot up, but we can also simply wait on the
(hardcoded) socket location too.
A much nicer way to accomplish that would be to properly describe a
dependency on mysqld.service. This however is not easily doable, due to
how the apache-httpd module was designed.
As we don't need to setup data directories from ExecStartPre= scripts
anymore, which required root, but use systemd.tmpfiles.rules instead,
everything can be run as just the mysql user.
define commands like "waiting for the mysql socket to appear" or "setup
initial databases" in a let expression, so the main control flow becomes
more readable.
We need to keep using `RuntimeDirectory=mysqld`, which translates to
`/run/mysqld`, as this is used for the location of the file socket, that
could differ with what is configured via `cfg.pidDir`.
This was a testing oversight that came from #61009 -- I forgot to test
the new traceFormat option with older server versions while I was
working on FDB 6.1.
Since trace_format is only available in 6.1+, emitting it
unconditionally caused older versions of the database fail to start,
reporting an error. We simply gate it behind a version check instead,
and assert the format is always XML on older versions. This avoids the
case where the user has an old version, changes traceFormat willingly,
and then is confused by why it didn't work.
As reported by @TimothyKlim in the comments on commit
c55b9236f0. See
c55b9236f0 (r33566132)
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This is needed because some PostgreSQL plugins don't have a bin
directory. If only these plugins are listed in cfg.extraPlugins buildEnv
will turn $out/bin into a symbolic link to ${pg}/bin. Lateron we try to
rm $out/bin/{pg_config,postgres,pg_ctl} which will then fail because
$out/bin will be read-only.
which was wrongly specified as types.lines
Prevent it from getting copied to nix store as people might use it for
credentials, and make the tests cover it.
The default, which is /tmp, has a few issues associated with it:
One being that it makes it easy for users on the system to spoof a
PostgreSQL server if it's not running, causing applications to connect
to their provided sockets instead of just failing to connect.
Another one is that it makes sandboxing of PostgreSQL and other services
unnecessarily difficult. This is already the case if only PrivateTmp is
used in a systemd service, so in order for such a service to be able to
connect to PostgreSQL, a bind mount needs to be done from /tmp to some
other path, so the service can access it. This pretty much defeats the
whole purpose of PrivateTmp.
We regularily run into issues with this in the past already (one example
would be https://github.com/NixOS/nixpkgs/pull/24317) and with the new
systemd-confinement mode upcoming in
https://github.com/NixOS/nixpkgs/pull/57519, it makes it even more
tedious to sandbox services.
I've tested this change against all the postgresql NixOS VM tests and
they still succeed and I also grepped through the source tree to replace
other occasions where we might have /tmp hardcoded. Luckily there were
very few occasions.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @ocharles, @thoughtpolice, @danbst