From dd2ce84fe54c8c421f7ec619545683084a11b2fb Mon Sep 17 00:00:00 2001 
From: Maximilian Bosch
Date: Tue, 21 Sep 2021 23:58:37 +0200
Subject: [PATCH] hydra-module: don't use `createHome = true;` to create Hydra's base-dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In NixOS, the user generation script was changed to set the permissions `0700` to a home-directory that's specified in the `users.users`-submodule with `createHome` being set to `true`[1].

However, the home-directory of `hydra` is also the base directory of other services using other users (e.g. `hydra-queue-runner`). With permissions being `0700`, processes with such a user cannot traverse into `/var/lib/hydra` and thus not into subdirectories.

I guess that this issue was kind of hidden because `hydra-init.service` ensures proper permissions[2]. However, if `hydra-init.service` is not restarted on a system-activation, the permissions of `/var/lib/hydra` will be set back to `0700` by the activation script that runs on each activation.

This has led to errors like this in `hydra-queue-runner` on my Hydra:

```
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/7h/dssz03gazrkqzfmlr5cprd0dvkg4db-squashfs.img.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/b9/350vd8jpv1f86i312c9pkdcd2z56aw-squashfs.img.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/kz/vlq4v9a1rylcp4fsqqav3lcjgskky4-squashfs.img.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/xd/hkjnbbr9jp7364pkn8zpk9v8xapj2c-nix-2.4pre20210917_37cc50f.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/zn/9df7225fl8p7iavqqfvlyay4rf0msw-nix-2.4pre20210917_37cc50f.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: possibly transient failure building ‘/nix/store/7hdssz03gazrkqzfmlr5cprd0dvkg4db-squashfs.img.drv’ on ‘roflmayr’: error: creating directory '/var/lib/hydra/build-logs': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: will retry ‘/nix/store/7hdssz03gazrkqzfmlr5cprd0dvkg4db-squashfs.img.drv’ after 543s
```

Because of that, I decided to remove the `createHome = true;` setting and instead used `systemd-tmpfiles`[3] which can not only ensure that certain directories exist, but also proper permissions.

With this change, we can also get rid of the manual setup in `hydra-init.service` since `systemd-tmpfiles` will be executed by `switch-to-configuration` before *any* systemd service gets started. On startup, `systemd-tmpfiles-setup.service` is invoked within `sysinit.target` being reached, so when `hydra-init.service` gets called in `multi-user.target`, the structure already exists.

[1] https://github.com/NixOS/nixpkgs/commit/fa0d499dbfa56be0b57b5d822702c624bb434dc1
[2] https://github.com/NixOS/hydra/blob/3cec9087384620c22b5b2a94251408d93664dca0/hydra-module.nix#L260-L262
[3] https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html

--- hydra-module.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/hydra-module.nix b/hydra-module.nix index e50fc4fb..f940771e 100644 --- a/hydra-module.nix +++ b/hydra-module.nix @@ -197,12 +197,15 @@ in config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d ${baseDir} 0750 hydra hydra" + ]; + users.extraGroups.hydra = { }; users.extraUsers.hydra = { description = "Hydra"; group = "hydra"; - createHome = true; home = baseDir; isSystemUser = true; useDefaultShell = true; @@ -257,10 +260,6 @@ in }; path = [ pkgs.utillinux ]; preStart = '' - mkdir -p ${baseDir} - chown hydra.hydra ${baseDir} - chmod 0750 ${baseDir} - ln -sf ${hydraConf} ${baseDir}/hydra.conf mkdir -m 0700 -p ${baseDir}/www
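
Review bot: the new `systemd.tmpfiles.rules` entry in the first hunk (`@@ -197,12 +197,15 @@`) has no comment explaining why the base directory is created there instead of through the user definition, and `home = baseDir;` stays in place, so a later cleanup could re-add `createHome = true;` and bring back the `0700` reset on every activation. Please add a short Nix comment above the rule stating that `${baseDir}` is shared by services running as other users and must stay `0750`. Since `0750 hydra hydra` only lets members of group `hydra` traverse the directory, it is also worth confirming that every service user working under `${baseDir}` is in that group, which this hunk does not show.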
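
Review bot: with the `mkdir`/`chown`/`chmod` lines gone from `preStart` in the second hunk (`@@ -257,10 +260,6 @@`), the remaining `ln -sf ${hydraConf} ${baseDir}/hydra.conf` and `mkdir -m 0700 -p ${baseDir}/www` depend on the tmpfiles rule having already created `${baseDir}` with the right owner, and nothing in the script says so. A one-line comment at the top of `preStart` pointing at `systemd.tmpfiles.rules` would make that dependency explicit. The same hunk still creates `${baseDir}/www` by hand; `mkdir -m 0700 -p` does not change the mode of a directory that already exists, so consider moving that directory into the tmpfiles rules as well so its permissions are enforced the same way as the base directory's.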