Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/prometheus: Harden systemd service #162784

Merged
merged 1 commit into from
Nov 7, 2022
Merged

nixos/prometheus: Harden systemd service #162784

merged 1 commit into from
Nov 7, 2022

Conversation

amarshall
Copy link
Member

Motivation for this change

Services should be hardened when possible.

For reference:

I have omitted the Limit* as they do not appear to be commonly used in
NixOS, and, per man systemd.exec, are less preferred vs. cgroup
limits.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Mar 4, 2022
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Mar 4, 2022
yayayayaka
yayayayaka approved these changes Mar 5, 2022
View reviewed changes
Copy link
Member

@yayayayaka yayayayaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested on x84_64-linux without issues.

@mweinelt mweinelt requested a review from WilliButz March 5, 2022 21:04
@Artturin Artturin added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label May 11, 2022
@amarshall
nixos/prometheus: Harden systemd service
26ca4d1 
For reference:

- ./nixos/modules/services/monitoring/grafana.nix
- https://salsa.debian.org/go-team/packages/prometheus/-/blob/80192f1fe3e4b2b3a1816b4d2c4a628809acccbe/debian/service
- https://github.com/archlinux/svntogit-packages/blob/5894b9b77a63f8d1aad434e190217ba5f4ba40d4/trunk/prometheus.service

I have omitted the Limit* as they do not appear to be commonly used in
NixOS, and, per `man systemd.exec`, are less preferred vs. cgroup
limits.
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/1042

@winterqt
Copy link
Member

@ofborg test prometheus

@amarshall
Copy link
Member Author

@winterqt Hi! Thanks for kicking off the tests. In case you missed it, they all passed so wondering if there are any other blockers for this or if you have any other comments. Thanks!

@winterqt
Copy link
Member

@amarshall I was waiting on the other reviewers, hopefully the activity will remind them 🙂

These changes do look good at a glance, though, so if nobody takes a look at it I will take a closer look.

@bobby285271 bobby285271 removed the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Aug 16, 2022
@Ma27 Ma27 merged commit 58227c4 into NixOS:master Nov 7, 2022
@gkleen
Copy link
Contributor

gkleen commented Nov 8, 2022

@amarshall, @Ma27 I'm having immediate issues with prometheus being killed for saying rlimit – had to remove ~@resources from SystemCallFilter.

@Ma27
Copy link
Member

Ma27 commented Nov 8, 2022

Curious, when does it do that? But if that's causing issues, would you mind filing a PR? :)

@NickCao
Copy link
Member

NickCao commented Nov 8, 2022

This is an issue with go 1.19: #197443

@Ma27
Copy link
Member

Ma27 commented Nov 8, 2022

Meh... will file a PR for that.

Ma27 added a commit to Ma27/nixpkgs that referenced this pull request Nov 8, 2022
@Ma27
nixos/prometheus: fix startup w/hardened service
dcb32be 
See the discussion below the original PR[1] and NixOS#197443 for more
context.

I guess I missed that upon review because the branch was too old and I
cherry-picked the commit onto my deployment branch which is based on
22.05. Sorry for that!

[1] NixOS#162784 (comment)
@Ma27 Ma27 mentioned this pull request Nov 8, 2022
Merged
13 tasks
@amarshall amarshall deleted the prom-svc-harden branch November 15, 2022 14:37
rtimush pushed a commit to rtimush/nixpkgs that referenced this pull request Sep 21, 2023
@Ma27 @rtimush
nixos/prometheus: fix startup w/hardened service
939be4f 
See the discussion below the original PR[1] and NixOS#197443 for more
context.

I guess I missed that upon review because the branch was too old and I
cherry-picked the commit onto my deployment branch which is based on
22.05. Sorry for that!

[1] NixOS#162784 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yayayayaka yayayayaka yayayayaka approved these changes

@Ma27 Ma27 Ma27 approved these changes

@WilliButz WilliButz Awaiting requested review from WilliButz

@KamilaBorowska KamilaBorowska Awaiting requested review from KamilaBorowska

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@amarshall @nixos-discourse @winterqt @gkleen @Ma27 @NickCao @yayayayaka @bobby285271 @Artturin