From bbb525d541c0dc30af4885de2623f007ad58f361 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sat, 31 Aug 2019 22:21:33 +0200 Subject: google-compute-config: remove amazon pv-grub comment --- nixos/modules/virtualisation/google-compute-config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index 79766970c757..df05328b8b86 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix @@ -21,7 +21,7 @@ in boot.initrd.kernelModules = [ "virtio_scsi" ]; boot.kernelModules = [ "virtio_pci" "virtio_net" ]; - # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd. + # Generate a GRUB menu. boot.loader.grub.device = "/dev/sda"; boot.loader.timeout = 0; -- cgit 1.4.1 From a811437e6ebf93d62552d0a2a7495c0f75952f59 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sat, 31 Aug 2019 22:22:47 +0200 Subject: google-compute-config.nix: update comment about ssh login also move OS Login next to it, for better understandability --- nixos/modules/virtualisation/google-compute-config.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index df05328b8b86..827e7efdb351 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix 
@@ -29,12 +29,16 @@ in # way to select them anyway. boot.loader.grub.configurationLimit = 0; - # Allow root logins only using the SSH key that the user specified - # at instance creation time. + # Allow root logins only using SSH keys + # and disable password authentication in general services.openssh.enable = true; services.openssh.permitRootLogin = "prohibit-password"; services.openssh.passwordAuthentication = mkDefault false; + # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on + # instance or project level + security.googleOsLogin.enable = true; + # Use GCE udev rules for dynamic disk volumes services.udev.packages = [ gce ]; @@ -65,8 +69,6 @@ in # GC has 1460 MTU networking.interfaces.eth0.mtu = 1460; - security.googleOsLogin.enable = true; - systemd.services.google-clock-skew-daemon = { description = "Google Compute Engine Clock Skew Daemon"; after = [ -- cgit 1.4.1 From 106a1fe265b6314ee20e5f0822676e6a6877803a Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sat, 31 Aug 2019 22:42:34 +0200 Subject: google-compute-config: sync with upstream units With local-fs.target part of sysinit.target (https://github.com/NixOS/nixpkgs/pull/61321), we don't need to add it explicitly to certain units anymore, and can change dependencies like they are in other distros (I picked from Google's official CentOS 7 image here). Like them, use StandardOutput=journal+console to pipe google-*.service output to the serial console as well. --- .../virtualisation/google-compute-config.nix | 67 ++++++++++------------ 1 file changed, 30 insertions(+), 37 deletions(-) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index 827e7efdb351..61bced598620 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix 
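Review bot: `security.googleOsLogin.enable = true;` is set unconditionally while the comment right above it says OS Login only works once `enable-oslogin=TRUE` is present in instance or project metadata; an image deployed in a project without that metadata cannot turn it off short of `mkForce`, and the neighbouring `services.openssh.passwordAuthentication = mkDefault false;` shows the file otherwise leaves such policy overridable. Writing it as `security.googleOsLogin.enable = mkDefault true;` keeps the secure default while making the override story consistent across the block. The rewritten comment `# Allow root logins only using SSH keys` also drops the old hint about where those keys come from; a short pointer such as `# (keys are presumably provisioned from instance/project metadata or via OS Login below — confirm)` would preserve that context, hedged because the provisioning path is not visible in this hunk. The enclosing module attribute set begins before this hunk.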
@@ -69,86 +69,79 @@ in # GC has 1460 MTU networking.interfaces.eth0.mtu = 1460; - systemd.services.google-clock-skew-daemon = { - description = "Google Compute Engine Clock Skew Daemon"; - after = [ - "network.target" - "google-instance-setup.service" - "google-network-setup.service" - ]; - requires = ["network.target"]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "simple"; - ExecStart = "${gce}/bin/google_clock_skew_daemon --debug"; - }; - }; - systemd.services.google-instance-setup = { description = "Google Compute Engine Instance Setup"; - after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service"]; - before = ["sshd.service"]; - wants = ["local-fs.target" "network-online.target" "network.target"]; - wantedBy = [ "sshd.service" "multi-user.target" ]; + after = [ "network-online.target" "network.target" "rsyslog.service" ]; + before = [ "sshd.service" ]; path = with pkgs; [ ethtool openssh ]; serviceConfig = { - ExecStart = "${gce}/bin/google_instance_setup --debug"; + ExecStart = "${gce}/bin/google_instance_setup"; + StandardOutput="journal+console"; Type = "oneshot"; }; + wantedBy = [ "sshd.service" "multi-user.target" ]; }; systemd.services.google-network-daemon = { description = "Google Compute Engine Network Daemon"; - after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service"]; - wants = ["local-fs.target" "network-online.target" "network.target"]; - requires = ["network.target"]; - partOf = ["network.target"]; - wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" "network.target" "google-instance-setup.service" ]; path = with pkgs; [ iproute ]; serviceConfig = { - ExecStart = "${gce}/bin/google_network_daemon --debug"; + ExecStart = "${gce}/bin/google_network_daemon"; + StandardOutput="journal+console"; + Type="simple"; }; + wantedBy = [ "multi-user.target" ]; }; + systemd.services.google-clock-skew-daemon = { + description = 
"Google Compute Engine Clock Skew Daemon"; + after = [ "network.target" "google-instance-setup.service" "google-network-daemon.service" ]; + serviceConfig = { + ExecStart = "${gce}/bin/google_clock_skew_daemon"; + StandardOutput="journal+console"; + Type = "simple"; + }; + wantedBy = ["multi-user.target"]; + }; + + systemd.services.google-shutdown-scripts = { description = "Google Compute Engine Shutdown Scripts"; after = [ - "local-fs.target" "network-online.target" "network.target" "rsyslog.service" - "systemd-resolved.service" "google-instance-setup.service" "google-network-daemon.service" ]; - wants = [ "local-fs.target" "network-online.target" "network.target"]; - wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.coreutils}/bin/true"; - ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown"; - Type = "oneshot"; + ExecStop = "${gce}/bin/google_metadata_script_runner --script-type shutdown"; RemainAfterExit = true; - TimeoutStopSec = "infinity"; + StandardOutput="journal+console"; + TimeoutStopSec = "0"; + Type = "oneshot"; }; + wantedBy = [ "multi-user.target" ]; }; systemd.services.google-startup-scripts = { description = "Google Compute Engine Startup Scripts"; after = [ - "local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service" "google-network-daemon.service" ]; - wants = ["local-fs.target" "network-online.target" "network.target"]; - wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup"; + ExecStart = "${gce}/bin/google_metadata_script_runner --script-type startup"; KillMode = "process"; + StandardOutput = "journal+console"; Type = "oneshot"; }; + wantedBy = [ "multi-user.target" ]; }; -- cgit 1.4.1 From d658dd4ce0bf1c9b0206b1cb737ea3bfb4fdd6dd Mon Sep 17 00:00:00 2001 
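Review bot: Dropping the `wants` lists leaves google-instance-setup, google-network-daemon and google-startup-scripts with `After=network-online.target` but nothing in these units pulling that target in; systemd only honours such an ordering when network-online.target is part of the transaction, so unless something else in the image wants it, instance setup (and the key provisioning it gates ahead of sshd.service via `before = [ "sshd.service" ]`) may run before the interface is configured. Either keep the recommended pair by adding `wants = [ "network-online.target" ];` beside the `after` entry in each of the three units, or confirm in the commit message that NixOS already wants network-online.target from multi-user.target on this image. Separately, `TimeoutStopSec = "0"` on google-shutdown-scripts relies on systemd's compatibility rule that 0 means no timeout, whereas the previous `"infinity"` stated that intent directly. Since `StandardOutput = "journal+console"` now mirrors the output of user-supplied startup and shutdown scripts to the serial console, which on GCE is retrievable through the serial-port output API, a comment such as `# Script output is also written to the serial console; metadata scripts must not print secrets` above the google-startup-scripts serviceConfig would warn image users. The enclosing module attribute set begins before this hunk.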
From: Florian Klink Date: Sun, 1 Sep 2019 00:28:28 +0200 Subject: google-compute-config.nix: add coreutils to google-instance-setup's $PATH It executes bin/google_set_multiqueue which will execute basename --- nixos/modules/virtualisation/google-compute-config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index 61bced598620..41fbf4702e86 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix @@ -73,7 +73,7 @@ in description = "Google Compute Engine Instance Setup"; after = [ "network-online.target" "network.target" "rsyslog.service" ]; before = [ "sshd.service" ]; - path = with pkgs; [ ethtool openssh ]; + path = with pkgs; [ coreutils ethtool openssh ]; serviceConfig = { ExecStart = "${gce}/bin/google_instance_setup"; StandardOutput="journal+console"; -- cgit 1.4.1 From e95d4c734acf71813c33872c7f1a09bd13abd96d Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sun, 1 Sep 2019 02:55:28 +0200 Subject: google-compute-config.nix: use sysctl snippets from gce We make them available at ${gce}/sysctl.d and add them to environments.etc, like we do with the systemd ones. --- .../virtualisation/google-compute-config.nix | 78 +--------------------- .../google-compute-engine/default.nix | 4 ++ 2 files changed, 5 insertions(+), 77 deletions(-) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index 41fbf4702e86..327324f2921d 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix 
@@ -144,81 +144,5 @@ in wantedBy = [ "multi-user.target" ]; }; - - # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf - boot.kernel.sysctl = { - # Turn on SYN-flood protections. Starting with 2.6.26, there is no loss - # of TCP functionality/features under normal conditions. When flood - # protections kick in under high unanswered-SYN load, the system - # should remain more stable, with a trade off of some loss of TCP - # functionality/features (e.g. TCP Window scaling). - "net.ipv4.tcp_syncookies" = mkDefault "1"; - - # ignores ICMP redirects - "net.ipv4.conf.all.accept_redirects" = mkDefault "0"; - - # ignores ICMP redirects - "net.ipv4.conf.default.accept_redirects" = mkDefault "0"; - - # ignores ICMP redirects from non-GW hosts - "net.ipv4.conf.all.secure_redirects" = mkDefault "1"; - - # ignores ICMP redirects from non-GW hosts - "net.ipv4.conf.default.secure_redirects" = mkDefault "1"; - - # don't allow traffic between networks or act as a router - "net.ipv4.ip_forward" = mkDefault "0"; - - # don't allow traffic between networks or act as a router - "net.ipv4.conf.all.send_redirects" = mkDefault "0"; - - # don't allow traffic between networks or act as a router - "net.ipv4.conf.default.send_redirects" = mkDefault "0"; - - # strict reverse path filtering - IP spoofing protection - "net.ipv4.conf.all.rp_filter" = mkDefault "1"; - - # strict path filtering - IP spoofing protection - "net.ipv4.conf.default.rp_filter" = mkDefault "1"; - - # ignores ICMP broadcasts to avoid participating in Smurf attacks - "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1"; - - # ignores bad ICMP errors - "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1"; - - # logs spoofed, source-routed, and redirect packets - "net.ipv4.conf.all.log_martians" = mkDefault "1"; - - # log spoofed, source-routed, and redirect packets - "net.ipv4.conf.default.log_martians" = mkDefault "1"; - - 
# implements RFC 1337 fix - "net.ipv4.tcp_rfc1337" = mkDefault "1"; - - # randomizes addresses of mmap base, heap, stack and VDSO page - "kernel.randomize_va_space" = mkDefault "2"; - - # Reboot the machine soon after a kernel panic. - "kernel.panic" = mkDefault "10"; - - ## Not part of the original config - - # provides protection from ToCToU races - "fs.protected_hardlinks" = mkDefault "1"; - - # provides protection from ToCToU races - "fs.protected_symlinks" = mkDefault "1"; - - # makes locating kernel addresses more difficult - "kernel.kptr_restrict" = mkDefault "1"; - - # set ptrace protections - "kernel.yama.ptrace_scope" = mkOverride 500 "1"; - - # set perf only available to root - "kernel.perf_event_paranoid" = mkDefault "2"; - - }; - + environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf"; } diff --git a/pkgs/tools/virtualization/google-compute-engine/default.nix b/pkgs/tools/virtualization/google-compute-engine/default.nix index d4c817b7ecb7..48255ca68a73 100644 --- a/pkgs/tools/virtualization/google-compute-engine/default.nix +++ b/pkgs/tools/virtualization/google-compute-engine/default.nix @@ -46,6 +46,10 @@ buildPythonApplication rec { mkdir -p $out/lib/udev/rules.d cp -r google_config/udev/*.rules $out/lib/udev/rules.d + # sysctl snippets will be used by google-compute-config.nix + mkdir -p $out/sysctl.d + cp google_config/sysctl/*.conf $out/sysctl.d + patchShebangs $out/bin/* ''; -- cgit 1.4.1
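Review bot: Replacing the whole `boot.kernel.sysctl` block with the gce snippet silently drops the five entries the removed lines flagged under `## Not part of the original config` — `fs.protected_hardlinks`, `fs.protected_symlinks`, `kernel.kptr_restrict`, `kernel.yama.ptrace_scope` and `kernel.perf_event_paranoid` — which Google's `11-gce-network-security.conf` does not carry, so the image loses that hardening with no mention in the commit message. Keep them in a small `boot.kernel.sysctl` block next to the new `environment.etc` line, as below, so the change stays a pure de-duplication of the network settings. Two caveats worth a comment on the `environment.etc` line: the values now live in an `/etc/sysctl.d` file the NixOS option system cannot see, so a user's `boot.kernel.sysctl` entry for the same key wins without any warning, and — if I have systemd-sysctl's lexical ordering right — the `11-` prefix sorting before NixOS's own `60-nixos.conf` is exactly what makes that override work. The enclosing module attribute set begins before this hunk.
```nix
  # Google's snippet is applied by systemd-sysctl from /etc/sysctl.d; a user's
  # boot.kernel.sysctl entry for the same key overrides it without warning.
  environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf";

  # Hardening that is not part of Google's snippet; kept so the image does not
  # regress. mkDefault/mkOverride leave it overridable by user config.
  boot.kernel.sysctl = {
    "fs.protected_hardlinks" = mkDefault "1";
    "fs.protected_symlinks" = mkDefault "1";
    "kernel.kptr_restrict" = mkDefault "1";
    "kernel.yama.ptrace_scope" = mkOverride 500 "1";
    "kernel.perf_event_paranoid" = mkDefault "2";
  };
```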