1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-24 14:41:17 +00:00
Commit graph

51 commits

Author SHA1 Message Date
Florian Klink 4c8bdd1c4f nixos/filesystems: don't chown /run/keys recursively
3c74e48d9c was a bit too much, it updated
permissions of all files recursively, causing files to be readable by
the group.

This isn't a problem immediately after bootup, but on a new activation,
as tmpfiles.d get restarted then, updating the permission bits of
now-existing files.

This updates the `Z` to be a `z` (the non-recursive variant), and adds a
`d` to ensure a directory is created (which should be covered by the
initrd shell script anyway)
2020-02-11 21:52:27 +01:00
Florian Klink 3c74e48d9c nixos/filesystems: ensure keys gid on /run/keys mountpoint
boot.specialFileSystems is used to describe mount points to be set up in
stage 1 and 2.

We use it to create /run/keys already there, so sshd-in-initrd scenarios
can consume keys sent over through nixops send-keys.

However, it seems the kernel only supports the gid=… option for tmpfs,
not ramfs, causing /run/keys to be owned by the root group, not keys
group.

This was/is worked around in nixops by running a chown root:keys
/run/keys whenever pushing keys [1], and as machines had to have pushed keys
to be usable, this was pretty much always the case.

This is causing regressions in setups not provisioned via nixops, that
still use /run/keys for secrets (through cloud provider startup scripts
for example), as suddenly being an owner of the "keys" group isn't
enough to access the folder.

This PR removes the defunct gid=… option in the mount script called in
stage 1 and 2, and introduces a tmpfiles rule which takes care of fixing
up permissions as part of sysinit.target (very early in systemd bootup,
so before regular services are started).

In case of nixops deployments, this doesn't change anything.
nixops-based deployments receiving secrets from nixops send-keys in
initrd will simply have the permissions already set once tmpfiles is
started.

Fixes #42344

[1]: 884d6c3994/nixops/backends/__init__.py (L267-L269)
2020-02-05 01:53:26 +01:00
volth 35d68ef143 treewide: remove redundant quotes 2019-08-26 21:40:19 +00:00
talyz 0eb6d0735f filesystems: Add autoResize assertion
Assert that autoResize is only used when fsType is explicitly set to a
supported filesystem: if it's set to "auto", the default, the required
resizing tools won't be copied into the initrd even if the actual
filesystem is supported.
2019-03-16 13:01:35 +01:00
aanderse c01eeda8e9 nixos-generate-config: account for mount points & devices with spaces & tabs in the name (#50234) 2019-02-03 14:33:31 +01:00
Aaron Andersen 36d695f696 filesystems: escape spaces in fstab with \040 2018-10-28 20:49:34 -04:00
Pavel Goran e3f97e514d filesystems: use non-interactive formatOptions by default
When autoFormat is enabled, in order to successfully create a filesystem,
certain filesystems require specific options to be passed to mkfs to prevent
it from asking questions. This commit sets default formatOptions to "-q"
for "jfs" and "reiserfs" filesystems for this purpose.

Resolves #29140.
2017-10-12 09:53:43 +07:00
Michael Weiss 351f5fc585 fuse3: init at 3.1.1
This includes fuse-common (fusePackages.fuse_3.common) as recommended by
upstream. But while fuse(2) and fuse3 would normally depend on
fuse-common we can't do that in nixpkgs while fuse-common is just
another output from the fuse3 multiple-output derivation (i.e. this
would result in a circular dependency). To avoid building fuse3 twice I
decided it would be best to copy the shared files (i.e. the ones
provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and
avoid collision warnings by defining priorities. Now it should be
possible to install an arbitrary combination of "fuse", "fuse3", and
"fuse-common" without getting any collision warnings. The end result
should be the same and all changes should be backwards compatible
(assuming that mount.fuse from fuse3 is backwards compatible as stated
by upstream [0] - if not this might break some /etc/fstab definitions
but that should be very unlikely).

My tests with sshfs (version 2 and 3) didn't show any problems.

See #28409 for some additional information.

[0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0
2017-09-21 23:59:46 +02:00
Richard Yang 64994b3638 tasks/filesystems: Make sure /dev/pts/ptmx is 0666 (#28490)
This is required for running commands likes screen and tmux, especially inside containers.

See also : https://www.kernel.org/doc/Documentation/filesystems/devpts.txt
2017-08-30 01:50:29 +02:00
0xABAB 58fbf4a44e nixos/filesystems: skip filesystem check for bindfs (#24671)
Bindfs (FUSE) provides a pseudo-filesystem and as such does not benefit from a file system check.
2017-04-06 12:35:25 +01:00
Nikolay Amiantov 2cc4703a2d wrappers service: make /run/wrappers a mountpoint
Also remove some compatibility code because the directory in question would be
shadowed by a mountpoint anyway.
2017-02-21 12:13:35 +03:00
Profpatsch 91d0260feb modules/filesystems: disallow non-empty fstab fields (#22803)
It was possible to pass empty strings / strings with only separator characters;
this lead to broken fstab formatting.
2017-02-15 13:22:48 +01:00
Pascal Bach ff3f3399ae filesystems: add support to mount glusterfs 2017-02-02 23:16:52 +01:00
Eelco Dolstra 7e8eb6a7c3 Fix "undefined variable ‘device’" using autoFormat 2016-09-30 15:04:36 +02:00
Nikolay Amiantov 79d4636d50 stage-2 init: move /run/keys mount to boot.specialFileSystems 2016-09-17 15:39:24 +03:00
Nikolay Amiantov aed2cd32f8 nixos containers: hopefully fix test failures
Closes #18377.
2016-09-07 02:55:48 +03:00
Karn Kallio 8d977ead38
setuid-wrappers : Prepare permissions for running wrappers
The new setuid-wrappers in /run cannot be executed by users due to:

1) the temporary directory does not allow access
2) the /run is mounted nosuid
2016-09-04 03:19:32 +02:00
Tuomas Tynkkynen d02e5a7d8f nixos/filesystems: Drop compat code for filesystems.*.options type 2016-09-01 12:18:33 +03:00
Nikolay Amiantov 7fa8c424bd nixos filesystems: move special filesystems to a dedicated option
Fixes #18159.
2016-08-31 16:50:13 +03:00
Nikolay Amiantov 6efcfe03ae nixos filesystems: unify early filesystems handling
A new internal config option `fileSystems.<name>.early` is added to indicate
that the filesystem needs to be loaded very early (i.e. in initrd). They are
transformed to a shell script in `system.build.earlyMountScript` with calls to
an undefined `specialMount` function, which is expected to be caller-specific.
This option is used by stage-1, stage-2 and activation script to set up and
remount those filesystems.  Options for them are updated according to systemd
defaults.
2016-08-27 13:38:20 +03:00
Nikolay Amiantov 3f70fcd4c1 Merge pull request #11484 from oxij/nixos-toposort-filesystems
lib: add toposort, nixos: use toposort for fileSystems to properly support bind and move mounts
2016-08-27 14:34:55 +04:00
Bjørn Forsman 6cd8f48327 nixos/filesystems: update /etc/fstab comment header 2016-08-24 20:40:58 +02:00
Jan Malakhovski 65d26c4dc1 nixos: apply toposort to fileSystems to support bind and move mounts
And use new `config.system.build.fileSystems` property everywhere.
2016-08-23 18:14:05 +00:00
Jan Malakhovski 2c8ca0d1bd nixos: tasks/fileSystems: cleanup 2016-08-23 18:02:07 +00:00
Scott Olson 6d5ed7d971 Make fileSystems example literal.
This fixes the attribute names showing up unquoted in the options documentation.
2016-06-19 01:21:22 -06:00
Rickard Nilsson 6ff5821be6 nixos/filesystems: Fix fs options type error 2016-03-14 17:24:36 +01:00
Aneesh Agrawal 3c5fca9618 filesystems: use list of strings for fs options
Allow usage of list of strings instead of a comma-separated string
for filesystem options. Deprecate the comma-separated string style
with a warning message; convert this to a hard error after 16.09.
15.09 was just released, so this provides a deprecation period during
the 16.03 release.

closes #10518

Signed-off-by: Robin Gloster <mail@glob.in>
2016-02-06 19:48:30 +00:00
Jaka Hudoklin 22c61d3bfc Merge pull request #10218 from offlinehacker/nixos/format_options
add support for auto format, format options
2015-11-18 22:33:01 +01:00
Nikolay Amiantov de8b8b35a4 nixos/swap: refactor, add randomEncryption option 2015-10-20 15:56:12 +03:00
Jaka Hudoklin 8a63ae526f add support for auto format, format options 2015-10-04 03:15:29 +02:00
Eelco Dolstra 9d92bd7845 Add filesystem option to automatically grow to the maximum size
This is primarily for EC2 and other cloud environments, where the disk
may be bigger than the original image.
2015-09-24 19:59:44 +02:00
Eelco Dolstra f40c7ed143 Remove relatime mount option
This has been the kernel default for a long time.
2015-09-24 19:58:41 +02:00
aszlig f9766f885d
nixos/filesystems: Skip check for vboxsf.
We don't even have any means to check a VirtualBox shared folder, so
let's not even try to.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-09-21 22:32:14 +02:00
aszlig cd4caed35a
nixos/filesystems: Improve vboxsf default options.
The default options for all file systems currently are
"defaults.relatime", which works well on file systems which support the
relatime option.

Unfortunately, this is not the case for the VirtualBox shared folder
filesystem, so until now, you need to set something like:

fileSystems."/foo" = {
  device = "foo";
  fsType = "vboxsf";
  options = "defaults";
};

Otherwise mounting the file system would fail.

Now, we provide only the "defaults" option to the "vboxsf" file system,
so something like this is enough:

fileSystems."/foo" = {
  device = "foo";
  fsType = "vboxsf";
};

An alternative to that could be to document that you need to set default
options, but we really should do what users expect instead of forcing
them to look up the documentation as to why this has failed.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-09-21 22:32:14 +02:00
Jan Malakhovski 6eadb16022 nixos: fix some types 2015-09-18 18:48:50 +00:00
Eelco Dolstra 6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
Eelco Dolstra 57b05765c9 Don't include ntfs-3g by default
Issue #7117.
2015-04-19 22:06:45 +02:00
Ricardo M. Correia 1b66077205 nixos: Don't do filesystem checks on ZFS or NFS filesystems 2015-01-21 17:39:53 +01:00
Eelco Dolstra e68b0c7f5f Mount unionfs-fuse filesystems using the normal fileSystems option 2014-07-30 16:04:15 +02:00
Eelco Dolstra f94f659a31 Don't require a device for tmpfs filesystems 2014-07-30 13:18:33 +02:00
Eelco Dolstra 94ce6ec866 Print a sensible error message if no device is specified for a filesystem 2014-07-30 13:18:33 +02:00
Eelco Dolstra b7c543136a Move CIFS support into a separate module 2014-07-30 12:39:35 +02:00
Eelco Dolstra cb7b871bd6 initrd: Include filesystem support for /nix, /var etc. 2014-07-28 22:31:18 +02:00
Rickard Nilsson b87b6870f8 When auto-formatting ext devices, use the -F flag to make it work with unpartioned disks 2014-05-09 16:49:03 +02:00
Eelco Dolstra 29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Shea Levy 8b5c617237 Add fuse to env by default
Fixes #458
2014-04-03 21:36:13 -04:00
Eelco Dolstra dc87f8e080 Check whether fileSystems defines the root FS 2013-11-18 18:04:16 +01:00
Eelco Dolstra 862e3dd977 Substitute "types.uniq types.string" -> "types.str" 2013-10-30 14:57:42 +01:00
Eelco Dolstra d5047faede Remove uses of the "merge" option attribute
It's redundant because you can (and should) specify an option type, or
an apply function.
2013-10-28 22:45:56 +01:00
Eelco Dolstra 7cf0e0bda8 Manual: Fix bad \" characters 2013-10-28 22:45:56 +01:00