Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/mysql: enable sandbox mode #87833

Merged
merged 3 commits into from
Jun 16, 2020
Merged

nixos/mysql: enable sandbox mode #87833

merged 3 commits into from
Jun 16, 2020

Conversation

Izorkin
Copy link
Contributor

@Izorkin Izorkin commented May 14, 2020

Motivation for this change

Running mysql service in sandbox mode.
When the service startup, forced changed permissions to MySQL database folder.

cc @aanderse @flokli

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@Izorkin Izorkin changed the title Sandbox mysql nixos/mysql: enable sandbox mode May 14, 2020
@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 labels May 14, 2020
@Izorkin
Copy link
Contributor Author

Izorkin commented May 14, 2020

@GrahamcOfBorg test mariadb-galera-mariabackup
@GrahamcOfBorg test mariadb-galera-rsync
@GrahamcOfBorg test mysql
@GrahamcOfBorg test mysql-autobackup
@GrahamcOfBorg test mysql-backup
@GrahamcOfBorg test mysql-replication

@Izorkin
Copy link
Contributor Author

Izorkin commented Jun 5, 2020

cc @aanderse @flokli @Mic92

Mic92
Mic92 approved these changes Jun 5, 2020
View reviewed changes
Copy link
Member

@Mic92 Mic92 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks safe to me. I retired my mysql database though. Maybe someone else could test this?

aanderse
aanderse requested changes Jun 5, 2020
View reviewed changes
Copy link
Member

@aanderse aanderse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In a separate PR we should eliminate the need to run anything as root. I can do that.

nixos/modules/services/databases/mysql.nix Show resolved Hide resolved
nixos/modules/services/databases/mysql.nix Show resolved Hide resolved
@Izorkin Izorkin requested a review from aanderse June 8, 2020 14:51
aanderse
aanderse requested changes Jun 10, 2020
View reviewed changes
Copy link
Member

@aanderse aanderse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple minor requests, if you don't mind, and then we should merge this ASAP. Thanks for your never ending hard work @Izorkin!

nixos/modules/services/databases/mysql.nix Show resolved Hide resolved
nixos/modules/services/databases/mysql.nix Outdated Show resolved Hide resolved
nixos/doc/manual/release-notes/rl-2009.xml Outdated Show resolved Hide resolved
aanderse
aanderse approved these changes Jun 10, 2020
View reviewed changes
Copy link
Member

@aanderse aanderse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for all the discussion. I was happy to learn a few things. @Mic92 I'll leave final approval and merging to you.

@aanderse
Copy link
Member

It also occurred to me that while we are doing a good job with release notes maybe we should write a section in the NixOS manual about systemd hardening in general. I have had to explain to a coworker why some of their code stopped working when they upgraded to Debian 9 - it was because of some systemd hardening that never used to exist. For people new(er) to systemd it can be fairly frustrating and confusing initially.

@Mic92 Mic92 merged commit a9a5016 into NixOS:master Jun 16, 2020
@Izorkin Izorkin deleted the sandbox-mysql branch June 16, 2020 17:37
@Izorkin
Copy link
Contributor Author

Izorkin commented Jun 16, 2020

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aanderse aanderse aanderse approved these changes

@Mic92 Mic92 Mic92 approved these changes

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Izorkin @aanderse @Mic92