diff options
author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2020-05-06 11:34:00 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-06 11:34:00 +0100 |
commit | 5487e155d7888c9cb5d777acbb600b11c16c4bf1 (patch) | |
tree | a7d26e3d464950c87077d4820d989fb09f762ea2 | |
parent | 50401929137cdd1f681c59615602d4118f0b1eb4 (diff) | |
parent | ca2145bdfc83382ba7ec83a275734040a2a7fddc (diff) | |
download | nixlib-5487e155d7888c9cb5d777acbb600b11c16c4bf1.tar nixlib-5487e155d7888c9cb5d777acbb600b11c16c4bf1.tar.gz nixlib-5487e155d7888c9cb5d777acbb600b11c16c4bf1.tar.bz2 nixlib-5487e155d7888c9cb5d777acbb600b11c16c4bf1.tar.lz nixlib-5487e155d7888c9cb5d777acbb600b11c16c4bf1.tar.xz nixlib-5487e155d7888c9cb5d777acbb600b11c16c4bf1.tar.zst nixlib-5487e155d7888c9cb5d777acbb600b11c16c4bf1.zip |
Merge pull request #85225 from Izorkin/nginx-unit
nixos/unit: update service configuration and update unit to 1.17
-rw-r--r-- | nixos/modules/services/web-servers/unit/default.nix | 30 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/web-servers/unit-php.nix | 47 | ||||
-rw-r--r-- | pkgs/servers/http/unit/default.nix | 20 | ||||
-rw-r--r-- | pkgs/servers/http/unit/drop_cap.patch | 79 |
5 files changed, 77 insertions, 100 deletions
diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix index f8a18954fc99..989866144e1e 100644 --- a/nixos/modules/services/web-servers/unit/default.nix +++ b/nixos/modules/services/web-servers/unit/default.nix @@ -91,41 +91,47 @@ in { description = "Unit App Server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ curl ]; preStart = '' - test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json' + [ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json' ''; postStart = '' - curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' + ${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' ''; serviceConfig = { + Type = "forking"; + PIDFile = "/run/unit/unit.pid"; ExecStart = '' ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \ - --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \ + --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' \ --user ${cfg.user} --group ${cfg.group} ''; - # User and group - User = cfg.user; - Group = cfg.group; - # Capabilities - AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; + ExecStop = '' + ${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' + ''; + # Runtime directory and mode + RuntimeDirectory = "unit"; + RuntimeDirectoryMode = "0750"; + # Access write directories + ReadWritePaths = [ cfg.stateDir cfg.logDir ]; # Security NoNewPrivileges = true; # Sandboxing - ProtectSystem = "full"; + ProtectSystem = "strict"; ProtectHome = true; - RuntimeDirectory = "unit"; - RuntimeDirectoryMode = "0750"; PrivateTmp = true; PrivateDevices = true; ProtectHostname = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; + RestrictSUIDSGID = true; PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; }; }; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 46f552b26a46..d1b1acc292d0 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -321,6 +321,7 @@ in trickster = handleTest ./trickster.nix {}; tuptime = handleTest ./tuptime.nix {}; udisks2 = handleTest ./udisks2.nix {}; + unit-php = handleTest ./web-servers/unit-php.nix {}; upnp = handleTest ./upnp.nix {}; uwsgi = handleTest ./uwsgi.nix {}; vault = handleTest ./vault.nix {}; diff --git a/nixos/tests/web-servers/unit-php.nix b/nixos/tests/web-servers/unit-php.nix new file mode 100644 index 000000000000..c6327a1f825d --- /dev/null +++ b/nixos/tests/web-servers/unit-php.nix @@ -0,0 +1,47 @@ +import ../make-test-python.nix ({pkgs, ...}: + let + testdir = pkgs.writeTextDir "www/info.php" "<?php phpinfo();"; + +in { + name = "unit-php-test"; + meta.maintainers = with pkgs.stdenv.lib.maintainers; [ izorkin ]; + + machine = { config, lib, pkgs, ... }: { + services.unit = { + enable = true; + config = '' + { + "listeners": { + "*:9074": { + "application": "php_74" + } + }, + "applications": { + "php_74": { + "type": "php 7.4", + "processes": 1, + "user": "testuser", + "group": "testgroup", + "root": "${testdir}/www", + "index": "info.php" + } + } + } + ''; + }; + users = { + users.testuser = { + isNormalUser = false; + uid = 1074; + group = "testgroup"; + }; + groups.testgroup = { + gid= 1074; + }; + }; + }; + testScript = '' + machine.wait_for_unit("unit.service") + assert "PHP Version ${pkgs.php74.version}" in machine.succeed("curl -vvv -s http://127.0.0.1:9074/") + ''; +}) diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix index 0779a31f1064..c161566d329f 100644 --- a/pkgs/servers/http/unit/default.nix +++ b/pkgs/servers/http/unit/default.nix @@ -1,8 +1,9 @@ -{ stdenv, fetchFromGitHub, which +{ stdenv, fetchFromGitHub, nixosTests, which , withPython2 ? false, python2 , withPython3 ? true, python3, ncurses , withPHP72 ? false, php72 -, withPHP73 ? true, php73 +, withPHP73 ? false, php73 +, withPHP74 ? true, php74 , withPerl528 ? false, perl528 , withPerl530 ? true, perl530 , withPerldevel ? false, perldevel @@ -28,22 +29,19 @@ let php72-unit = php72.override phpConfig; php73-unit = php73.override phpConfig; + php74-unit = php74.override phpConfig; + in stdenv.mkDerivation rec { - version = "1.16.0"; + version = "1.17.0"; pname = "unit"; src = fetchFromGitHub { owner = "nginx"; repo = "unit"; rev = version; - sha256 = "19gclqhwccpi7y4386ap33ycwhylv4s4kwfc6ik8scmc4pw3sj9l"; + sha256 = "1q3659vw8rxv4fk7ljkjav8ga72sb3arljfxcqw8b080f9hvi7hh"; }; - patches = [ - # https://github.com/nginx/unit/issues/357 - ./drop_cap.patch - ]; - nativeBuildInputs = [ which ]; buildInputs = [ ] @@ -51,6 +49,7 @@ in stdenv.mkDerivation rec { ++ optionals withPython3 [ python3 ncurses ] ++ optional withPHP72 php72-unit ++ optional withPHP73 php73-unit + ++ optional withPHP73 php74-unit ++ optional withPerl528 perl528 ++ optional withPerl530 perl530 ++ optional withPerldevel perldevel @@ -73,6 +72,7 @@ in stdenv.mkDerivation rec { ${optionalString withPython3 "./configure python --module=python3 --config=${python3}/bin/python3-config --lib-path=${python3}/lib"} ${optionalString withPHP72 "./configure php --module=php72 --config=${php72-unit.unwrapped.dev}/bin/php-config --lib-path=${php72-unit}/lib"} ${optionalString withPHP73 "./configure php --module=php73 --config=${php73-unit.unwrapped.dev}/bin/php-config --lib-path=${php73-unit}/lib"} + ${optionalString withPHP74 "./configure php --module=php74 --config=${php74-unit.unwrapped.dev}/bin/php-config --lib-path=${php74-unit}/lib"} ${optionalString withPerl528 "./configure perl --module=perl528 --perl=${perl528}/bin/perl"} ${optionalString withPerl530 "./configure perl --module=perl530 --perl=${perl530}/bin/perl"} ${optionalString withPerldevel "./configure perl --module=perldev --perl=${perldevel}/bin/perl"} @@ -81,6 +81,8 @@ in stdenv.mkDerivation rec { ${optionalString withRuby_2_7 "./configure ruby --module=ruby27 --ruby=${ruby_2_7}/bin/ruby"} ''; + passthru.tests.unit-php = nixosTests.unit-php; + meta = { description = "Dynamic web and application server, designed to run applications in multiple languages."; homepage = "https://unit.nginx.org/"; diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch deleted file mode 100644 index 87caf77904e2..000000000000 --- a/pkgs/servers/http/unit/drop_cap.patch +++ /dev/null @@ -1,79 +0,0 @@ -diff -r ed17ce89119f src/nxt_capability.c ---- a/src/nxt_capability.c Fri Dec 06 17:02:23 2019 +0000 -+++ b/src/nxt_capability.c Mon Dec 09 23:23:00 2019 +0000 -@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t * - return NXT_OK; - } - -+ -+nxt_int_t -+nxt_capability_drop_all(nxt_task_t *task) -+{ -+ struct __user_cap_header_struct hdr; -+ struct __user_cap_data_struct data[2]; -+ -+ hdr.version = nxt_capability_linux_get_version(); -+ hdr.pid = nxt_pid; -+ -+ nxt_memset(data, 0, sizeof(data)); -+ -+ if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) { -+ nxt_alert(task, "failed to drop capabilities %E", nxt_errno); -+ return NXT_ERROR; -+ } -+ -+ return NXT_OK; -+} -+ - #else - - static nxt_int_t -diff -r ed17ce89119f src/nxt_capability.h ---- a/src/nxt_capability.h Fri Dec 06 17:02:23 2019 +0000 -+++ b/src/nxt_capability.h Mon Dec 09 23:23:00 2019 +0000 -@@ -14,4 +14,6 @@ typedef struct { - NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task, - nxt_capabilities_t *cap); - -+NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task); -+ - #endif /* _NXT_CAPABILITY_INCLUDED_ */ -diff -r ed17ce89119f src/nxt_process.c ---- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000 -+++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000 -@@ -264,7 +264,7 @@ cleanup: - static void - nxt_process_start(nxt_task_t *task, nxt_process_t *process) - { -- nxt_int_t ret, cap_setid; -+ nxt_int_t ret, cap_setid, drop_caps; - nxt_port_t *port, *main_port; - nxt_thread_t *thread; - nxt_runtime_t *rt; -@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_ - - cap_setid = rt->capabilities.setid; - -+ drop_caps = cap_setid; -+ - #if (NXT_HAVE_CLONE_NEWUSER) -- if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) { -+ if (NXT_CLONE_USER(init->isolation.clone.flags)) { - cap_setid = 1; -+ drop_caps = 0; - } - #endif - -@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_ - if (nxt_slow_path(ret != NXT_OK)) { - goto fail; - } -+ -+#if (NXT_HAVE_LINUX_CAPABILITY) -+ if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) { -+ goto fail; -+ } -+#endif - } - - rt->type = init->type; \ No newline at end of file |