author | Florian Klink <flokli@flokli.de> | 2019-08-19 16:32:00 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-08-19 16:32:00 +0200 |
commit | 93a03177f25d86757d484340c51745b66a88ffc6 (patch) | |
tree | d722ae814254f6e97ed67ce46b4587bf0934ec0d | |
parent | b8bee5c9b822b86731f847736b3071192bc05c31 (diff) | |
parent | 8e923dfe36c9dea007f8ff709be3d47e5d5ef8e1 (diff) | |
Merge pull request #66482 from flokli/systemd-sysctl
nixos/systemd: install sysctl snippets
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1909.xml | 42 | ||||
-rw-r--r-- | nixos/modules/config/sysctl.nix | 10 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 16 | ||||
-rw-r--r-- | nixos/modules/rename.nix | 1 | ||||
-rw-r--r-- | nixos/modules/system/boot/coredump.nix | 66 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 25 | ||||
-rw-r--r-- | nixos/modules/virtualisation/google-compute-config.nix | 10 | ||||
-rw-r--r-- | nixos/tests/systemd.nix | 6 |
9 files changed, 83 insertions, 94 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index b780cba357e8..ef23099f4f3d 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -435,6 +435,48 @@ idiom or extract that anonymous mapping function to a named one. Both can still be used but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>. </para>
+ <para>
+ The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
+ <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
+ <literal>/etc/sysctl.d/60-nixos.conf</literal>, as
+ <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
+ two-digit number and a dash to simplify the ordering of the files.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ We now install the sysctl snippets shipped with systemd.
+ <itemizedlist>
+ <para>This enables:</para>
+ <listitem>
+ <para>Loose reverse path filtering</para>
+ </listitem>
+ <listitem>
+ <para>Source route filtering</para>
+ </listitem>
+ <listitem>
+ <para>
+ <literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
+ These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
+ and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
+ (which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
+ <literal>systemd-coredump</literal> behaviour can still be modified via
+ <option>systemd.coredump.extraConfig</option>.
+ To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
+ in the working directory), without piping it through <literal>systemd-coredump</literal>, set
+ <option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
+ </para>
 </listitem>
 <listitem>
 <para>
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
index 0c6a7e2431aa..fb2b58eed720 100644
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@@ -42,22 +42,16 @@ in
 config = {
- environment.etc."sysctl.d/nixos.conf".text =
+ environment.etc."sysctl.d/60-nixos.conf".text =
 concatStrings (mapAttrsToList (n: v: optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n" ) config.boot.kernel.sysctl);
 systemd.services.systemd-sysctl = { wantedBy = [ "multi-user.target" ];
- restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
+ restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
 };
- # Enable hardlink and symlink restrictions. See
- # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
- # for details.
- boot.kernel.sysctl."fs.protected_hardlinks" = true;
- boot.kernel.sysctl."fs.protected_symlinks" = true;
-
 # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
 # users as these make it easier to exploit kernel vulnerabilities.
 boot.kernel.sysctl."kernel.kptr_restrict" = 1;
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e5f29a4eb582..bcf1f38ac8d2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -863,7 +863,6 @@
 ./system/activation/activation-script.nix
 ./system/activation/top-level.nix
 ./system/boot/binfmt.nix
- ./system/boot/coredump.nix
 ./system/boot/emergency-mode.nix
 ./system/boot/grow-partition.nix
 ./system/boot/initrd-network.nix
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 3ff9a2b4fde0..46417579352c 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
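Review bot: The `fs.protected_hardlinks` / `fs.protected_symlinks` defaults are removed from sysctl.nix with no replacement visible in this commit; the release-note hunk lists only loose reverse path filtering, source-route filtering and fq_codel as what the newly installed systemd snippets provide. If the intent is that systemd's `50-default.conf` now supplies the link protections, say so where the lines were removed, e.g. `# fs.protected_hardlinks/protected_symlinks are expected from systemd's 50-default.conf (installed by systemd.nix)`, and add them to the release note so readers do not conclude the hardening was dropped. If that coverage has not been confirmed, keep the two lines: `60-nixos.conf` sorts after `50-*.conf`, so they cost nothing and still win. The kernel-commit reference that explained the setting also disappears with the comment and is worth keeping somewhere.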
@@ -95,23 +95,17 @@ with lib;
 # Disable ftrace debugging
 boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
- # Enable reverse path filtering (that is, do not attempt to route packets
- # that "obviously" do not belong to the iface's network; dropped packets are
- # logged as martians).
+ # Enable strict reverse path filtering (that is, do not attempt to route
+ # packets that "obviously" do not belong to the iface's network; dropped
+ # packets are logged as martians).
 boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
- boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
+ boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
 boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
- boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
+ boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
 # Ignore broadcast ICMP (mitigate SMURF)
 boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
- # Ignore route information from sender
- boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
- boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
- boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
- boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
-
 # Ignore incoming ICMP redirects (note: default is needed to ensure that the
 # setting is applied to interfaces added after the sysctls are set)
 boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 3ea139fc5ce4..e32fa6fded4a 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
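Review bot: Dropping the four `accept_source_route` lines removes the IPv6 `net.ipv6.conf.{all,default}.accept_source_route` settings together with the IPv4 ones, but nothing in this commit shows the systemd snippet covering IPv6 or the `default.` variant; the release note only says "Source route filtering". Unless that coverage has been checked, the hardened profile should keep at least `boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;` and its `default` counterpart, since this profile is where users expect belt-and-braces settings rather than reliance on a vendor file. The change from `mkDefault true` to `mkDefault "1"` for `rp_filter` is behaviour-neutral (the sysctl module renders `true` as `1`), but a one-line comment such as `# "1" = strict; systemd's 50-default.conf sets the loose mode "2"` would explain why a string literal is now used.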
@@ -226,6 +226,7 @@ with lib;
 (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
 (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
 (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
+ (mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.")
 # ZSH
 (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
diff --git a/nixos/modules/system/boot/coredump.nix b/nixos/modules/system/boot/coredump.nix
deleted file mode 100644
index 30f367da7666..000000000000
--- a/nixos/modules/system/boot/coredump.nix
+++ /dev/null
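Review bot: The removal message for `systemd.coredump.enable` tells users to set `kernel.core_pattern = "core"` "to disable", but that only restores the old dump destination, not the old effect: the deleted coredump.nix paired `core_pattern = "core"` with `DefaultLimitCORE=0:infinity`, whereas systemd.nix now sets `DefaultLimitCORE=infinity` unconditionally, so a crashing service will write a `core` file into its working directory. Core files can contain credentials and keys held in process memory, so the migration text should say what actually disables dumps, e.g. `"Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; and systemd.extraConfig = \"DefaultLimitCORE=0:infinity\"; to restore the previous behaviour."`. The same gap is in the coredump paragraph of the rl-1909.xml hunk and in the `DefaultLimitCORE=infinity` hunk of systemd.nix.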
@@ -1,66 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
- options = {
-
- systemd.coredump = {
-
- enable = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Enables storing core dumps in systemd.
- Note that this alone is not enough to enable core dumps. The maximum
- file size for core dumps must be specified in limits.conf as well. See
- <option>security.pam.loginLimits</option> and the limits.conf(5)
- man page (these specify the core dump limits for user login sessions)
- and <option>systemd.extraConfig</option> (where e.g.
- <literal>DefaultLimitCORE=1000000</literal> can be specified to set
- the core dump limit for systemd system-level services).
- '';
- };
-
- extraConfig = mkOption {
- default = "";
- type = types.lines;
- example = "Storage=journal";
- description = ''
- Extra config options for systemd-coredump. See coredump.conf(5) man page
- for available options.
- '';
- };
- };
-
- };
-
- config = mkMerge [
- (mkIf config.systemd.coredump.enable {
-
- systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ];
-
- environment.etc."systemd/coredump.conf".text =
- ''
- [Coredump]
- ${config.systemd.coredump.extraConfig}
- '';
-
- # Have the kernel pass core dumps to systemd's coredump helper binary.
- # From systemd's 50-coredump.conf file. See:
- # <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
- boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e";
- })
-
- (mkIf (!config.systemd.coredump.enable) {
- boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
-
- systemd.extraConfig =
- ''
- DefaultLimitCORE=0:infinity
- '';
- })
- ];
-
-}
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 1914827d0e5d..23a2dd45d492 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -76,6 +76,10 @@ let
 "systemd-journald-dev-log.socket"
 "syslog.socket"
+ # Coredumps.
+ "systemd-coredump.socket"
+ "systemd-coredump@.service"
+
 # SysV init compatibility.
 "systemd-initctl.socket"
 "systemd-initctl.service"
@@ -540,6 +544,16 @@ in
 '';
 };
+ systemd.coredump.extraConfig = mkOption {
+ default = "";
+ type = types.lines;
+ example = "Storage=journal";
+ description = ''
+ Extra config options for systemd-coredump. See coredump.conf(5) man page
+ for available options.
+ '';
+ };
+
 systemd.extraConfig = mkOption {
 default = "";
 type = types.lines;
@@ -795,6 +809,7 @@ in
 DefaultMemoryAccounting=yes
 DefaultTasksAccounting=yes
 ''}
+ DefaultLimitCORE=infinity
 ${config.systemd.extraConfig}
 '';
@@ -818,6 +833,12 @@ in
 ${config.services.journald.extraConfig}
 '';
+ "systemd/coredump.conf".text =
+ ''
+ [Coredump]
+ ${config.systemd.coredump.extraConfig}
+ '';
+
 "systemd/logind.conf".text = ''
 [Login]
 KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
@@ -831,6 +852,10 @@ in
 [Sleep]
 '';
+ # install provided sysctl snippets
+ "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
+ "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+
 "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
 "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index 5c59188b68b2..79766970c757 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
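Review bot: The two snippets installed in the last hunk will not be re-applied when they change, because `systemd-sysctl.service`'s `restartTriggers` (sysctl.nix hunk) lists only `sysctl.d/60-nixos.conf`. `50-coredump.conf` is copied from `${systemd}/example/...` and, like the `core_pattern` the deleted coredump.nix built from `${pkgs.systemd}`, presumably embeds the store path of the `systemd-coredump` helper, so after a systemd upgrade the kernel would keep handing dumps to the old path until the next reboot. Extend the trigger list to the installed snippets, e.g. `restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source config.environment.etc."sysctl.d/50-coredump.conf".source config.environment.etc."sysctl.d/50-default.conf".source ];`. A comment on the `# install provided sysctl snippets` line naming the two settings these files are now relied on for (the release note lists rp_filter, source-route filtering, fq_codel and the coredump pattern) would also help readers of this module.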
@@ -159,12 +159,6 @@ in
 # functionality/features (e.g. TCP Window scaling).
 "net.ipv4.tcp_syncookies" = mkDefault "1";
- # ignores source-routed packets
- "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
-
- # ignores source-routed packets
- "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
-
 # ignores ICMP redirects
 "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
@@ -186,10 +180,10 @@ in
 # don't allow traffic between networks or act as a router
 "net.ipv4.conf.default.send_redirects" = mkDefault "0";
- # reverse path filtering - IP spoofing protection
+ # strict reverse path filtering - IP spoofing protection
 "net.ipv4.conf.all.rp_filter" = mkDefault "1";
- # reverse path filtering - IP spoofing protection
+ # strict path filtering - IP spoofing protection
 "net.ipv4.conf.default.rp_filter" = mkDefault "1";
 # ignores ICMP broadcasts to avoid participating in Smurf attacks
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index 344d675c5fe2..3168c026d514 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -83,5 +83,11 @@ import ./make-test.nix ({ pkgs, ... }: {
 $machine->waitForUnit('multi-user.target');
 $machine->succeed('test -e /tmp/shared/shutdown-test');
 };
+
+ # Test settings from /etc/sysctl.d/50-default.conf are applied
+ subtest "systemd sysctl settings are applied", sub {
+ $machine->waitForUnit('multi-user.target');
+ $machine->succeed('sysctl net.core.default_qdisc | grep -q "fq_codel"');
+ };
 '';
 }) |
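Review bot: The second rewritten comment in the `@@ -186,10 +180,10 @@` hunk reads `# strict path filtering - IP spoofing protection` and lost the word "reverse"; it should match the comment above it: `# strict reverse path filtering - IP spoofing protection`. Since both `default.accept_source_route` lines were removed in the first hunk on the assumption that the systemd snippet covers them, a short comment next to the remaining `rp_filter` settings saying these deliberately override the loose mode from `50-default.conf` would make the intent clear to the next reader.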
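Review bot: The new subtest only proves that one value from `50-default.conf` reached the kernel; it does not cover the precedence the release note promises, that `60-nixos.conf` overrides the `50-*.conf` snippets. Adding a `boot.kernel.sysctl` entry in the test machine's configuration for a key that `50-default.conf` also sets, and asserting that `sysctl` reports the overridden value, would pin that ordering down and catch a future renaming of either file. The comment `# Test settings from /etc/sysctl.d/50-default.conf are applied` could then be widened to say the test also checks that NixOS settings take precedence.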