]> Git — Sourcephile - julm/julm-nix.git/blob - nixpkgs/patches/syncoid/0002-nixos-syncoid-use-DynamicUser.patch
sourcephile / git / julm / julm-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
blackberry: update Makefile
[julm/julm-nix.git] / nixpkgs / patches / syncoid / 0002-nixos-syncoid-use-DynamicUser.patch
1 From c911e43e341b4c0963012afa6671d508732bf165 Mon Sep 17 00:00:00 2001
2 From: Julien Moutinho <julm+nixpkgs@sourcephile.fr>
3 Date: Sat, 27 Nov 2021 02:50:39 +0100
4 Subject: [PATCH 2/3] nixos/syncoid: use DynamicUser=
5
6 The following changes were previously in separate commits
7 but have been squashed to be able to rebase them
8 onto a treewide change applying nixfmt-rfc-style
9 on nixos/modules/services/backup/syncoid.nix
10 which introduced multiple untrackable conflicts.
11
12 Changes:
13
14 - nixos/syncoid: add destroy to localTargetAllow's default
15
16 syncoid[3282027]: Resuming interrupted zfs send/receive from rpool/var/mail to losurdo/backup/mermet/var/mail (~ UNKNOWN remaining):
17 syncoid[3282885]: cannot resume send: 'rpool/var/mail@autosnap_2021-10-17_15:00:19_hourly' used in the initial send no longer exists
18 syncoid[3282897]: cannot receive: failed to read from stream
19 syncoid[3282027]: WARN: resetting partially receive state because the snapshot source no longer exists
20 syncoid[3283326]: cannot destroy 'losurdo/backup/mermet/var/mail/%recv': permission denied
21
22 - nixos/syncoid: allow @timer syscalls
23
24 - nixos/syncoid: set TZ envvar
25
26 - nixos/syncoid: test sending to multiple targets
27
28 - nixos/syncoid: don't delegate permissions to source's parent
29 See https://github.com/NixOS/nixpkgs/pull/165204
30 and https://github.com/NixOS/nixpkgs/pull/180111
31
32 - nixos/syncoid: add support for LoadCredentialEncrypted=
33
34 - nixos/syncoid: zfs-unallow unused dynamic users
35
36 - nixos/syncoid: use NFTSet=
37 ---
38 nixos/modules/services/backup/syncoid.nix | 463 +++++++++++-----------
39 nixos/tests/sanoid.nix | 78 ++--
40 2 files changed, 269 insertions(+), 272 deletions(-)
41
42 diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
43 index 8b4c59155f4d..6e92ffb707ab 100644
44 --- a/nixos/modules/services/backup/syncoid.nix
45 +++ b/nixos/modules/services/backup/syncoid.nix
46 @@ -7,7 +7,7 @@
47 let
48 cfg = config.services.syncoid;
49
50 - # Extract local dasaset names (so no datasets containing "@")
51 + # Extract local dataset names (so no datasets containing "@")
52 localDatasetName =
53 d:
54 lib.optionals (d != null) (
55 @@ -20,81 +20,9 @@ let
56 # Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
57 escapeUnitName =
58 name:
59 - lib.concatMapStrings (s: if lib.isList s then "-" else s) (
60 + lib.concatMapStrings (s: if builtins.isList s then "-" else s) (
61 builtins.split "[^a-zA-Z0-9_.\\-]+" name
62 );
63 -
64 - # Function to build "zfs allow" commands for the filesystems we've delegated
65 - # permissions to. It also checks if the target dataset exists before
66 - # delegating permissions, if it doesn't exist we delegate it to the parent
67 - # dataset (if it exists). This should solve the case of provisoning new
68 - # datasets.
69 - buildAllowCommand =
70 - permissions: dataset:
71 - (
72 - "-+${pkgs.writeShellScript "zfs-allow-${dataset}" ''
73 - # Here we explicitly use the booted system to guarantee the stable API needed by ZFS
74 -
75 - # Run a ZFS list on the dataset to check if it exists
76 - if ${
77 - lib.escapeShellArgs [
78 - "/run/booted-system/sw/bin/zfs"
79 - "list"
80 - dataset
81 - ]
82 - } 2> /dev/null; then
83 - ${lib.escapeShellArgs [
84 - "/run/booted-system/sw/bin/zfs"
85 - "allow"
86 - cfg.user
87 - (lib.concatStringsSep "," permissions)
88 - dataset
89 - ]}
90 - ${lib.optionalString ((builtins.dirOf dataset) != ".") ''
91 - else
92 - ${lib.escapeShellArgs [
93 - "/run/booted-system/sw/bin/zfs"
94 - "allow"
95 - cfg.user
96 - (lib.concatStringsSep "," permissions)
97 - # Remove the last part of the path
98 - (builtins.dirOf dataset)
99 - ]}
100 - ''}
101 - fi
102 - ''}"
103 - );
104 -
105 - # Function to build "zfs unallow" commands for the filesystems we've
106 - # delegated permissions to. Here we unallow both the target but also
107 - # on the parent dataset because at this stage we have no way of
108 - # knowing if the allow command did execute on the parent dataset or
109 - # not in the pre-hook. We can't run the same if in the post hook
110 - # since the dataset should have been created at this point.
111 - buildUnallowCommand =
112 - permissions: dataset:
113 - (
114 - "-+${pkgs.writeShellScript "zfs-unallow-${dataset}" ''
115 - # Here we explicitly use the booted system to guarantee the stable API needed by ZFS
116 - ${lib.escapeShellArgs [
117 - "/run/booted-system/sw/bin/zfs"
118 - "unallow"
119 - cfg.user
120 - (lib.concatStringsSep "," permissions)
121 - dataset
122 - ]}
123 - ${lib.optionalString ((builtins.dirOf dataset) != ".") (
124 - lib.escapeShellArgs [
125 - "/run/booted-system/sw/bin/zfs"
126 - "unallow"
127 - cfg.user
128 - (lib.concatStringsSep "," permissions)
129 - # Remove the last part of the path
130 - (builtins.dirOf dataset)
131 - ]
132 - )}
133 - ''}"
134 - );
135 in
136 {
137
138 @@ -106,52 +34,34 @@ in
139 package = lib.mkPackageOption pkgs "sanoid" { };
140
141 interval = lib.mkOption {
142 - type = with lib.types; either str (listOf str);
143 + type = lib.types.str;
144 default = "hourly";
145 example = "*-*-* *:15:00";
146 description = ''
147 Run syncoid at this interval. The default is to run hourly.
148
149 - Must be in the format described in {manpage}`systemd.time(7)`. This is
150 - equivalent to adding a corresponding timer unit with
151 - {option}`OnCalendar` set to the value given here.
152 -
153 - Set to an empty list to avoid starting syncoid automatically.
154 + The format is described in
155 + {manpage}`systemd.time(7)`.
156 '';
157 };
158
159 - user = lib.mkOption {
160 - type = lib.types.str;
161 - default = "syncoid";
162 - example = "backup";
163 - description = ''
164 - The user for the service. ZFS privilege delegation will be
165 - automatically configured for any local pools used by syncoid if this
166 - option is set to a user other than root. The user will be given the
167 - "hold" and "send" privileges on any pool that has datasets being sent
168 - and the "create", "mount", "receive", and "rollback" privileges on
169 - any pool that has datasets being received.
170 - '';
171 - };
172 -
173 - group = lib.mkOption {
174 - type = lib.types.str;
175 - default = "syncoid";
176 - example = "backup";
177 - description = "The group for the service.";
178 - };
179 -
180 sshKey = lib.mkOption {
181 type = with lib.types; nullOr (coercedTo path toString str);
182 default = null;
183 description = ''
184 - SSH private key file to use to login to the remote system. Can be
185 - overridden in individual commands.
186 + SSH private key file to use to login to the remote system.
187 + It can be overridden in individual commands.
188 + It is loaded using `LoadCredentialEncrypted=`
189 + when its path is prefixed by a credential name and colon,
190 + otherwise `LoadCredential=` is used.
191 + For more SSH tuning, you may use syncoid's `--sshoption`
192 + in {option}`services.syncoid.commonArgs`
193 + and/or in the `extraArgs` of a specific command.
194 '';
195 };
196
197 localSourceAllow = lib.mkOption {
198 - type = lib.types.listOf lib.types.str;
199 + type = with lib.types; listOf str;
200 # Permissions snapshot and destroy are in case --no-sync-snap is not used
201 default = [
202 "bookmark"
203 @@ -162,19 +72,22 @@ in
204 "mount"
205 ];
206 description = ''
207 - Permissions granted for the {option}`services.syncoid.user` user
208 - for local source datasets. See
209 - <https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html>
210 + Permissions granted for the syncoid user for local source datasets.
211 + See <https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html>
212 for available permissions.
213 '';
214 };
215
216 localTargetAllow = lib.mkOption {
217 - type = lib.types.listOf lib.types.str;
218 + type = with lib.types; listOf str;
219 + # Permission destroy is required to reset broken receive states (zfs receive -A),
220 + # which syncoid does when it fails to resume a receive state,
221 + # when the snapshot it refers to has been destroyed on the source.
222 default = [
223 "change-key"
224 "compression"
225 "create"
226 + "destroy"
227 "mount"
228 "mountpoint"
229 "receive"
230 @@ -187,9 +100,8 @@ in
231 "rollback"
232 ];
233 description = ''
234 - Permissions granted for the {option}`services.syncoid.user` user
235 - for local target datasets. See
236 - <https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html>
237 + Permissions granted for the syncoid user for local target datasets.
238 + See <https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html>
239 for available permissions.
240 Make sure to include the `change-key` permission if you send raw encrypted datasets,
241 the `compression` permission if you send raw compressed datasets, and so on.
242 @@ -198,7 +110,7 @@ in
243 };
244
245 commonArgs = lib.mkOption {
246 - type = lib.types.listOf lib.types.str;
247 + type = with lib.types; listOf str;
248 default = [ ];
249 example = [ "--no-sync-snap" ];
250 description = ''
251 @@ -296,13 +208,13 @@ in
252 '';
253 };
254
255 - useCommonArgs = lib.mkOption {
256 - type = lib.types.bool;
257 - default = true;
258 - description = ''
259 - Whether to add the configured common arguments to this command.
260 - '';
261 - };
262 + useCommonArgs =
263 + lib.mkEnableOption ''
264 + configured common arguments to this command
265 + ''
266 + // {
267 + default = true;
268 + };
269
270 service = lib.mkOption {
271 type = lib.types.attrs;
272 @@ -341,139 +253,216 @@ in
273 # Implementation
274
275 config = lib.mkIf cfg.enable {
276 - users = {
277 - users = lib.mkIf (cfg.user == "syncoid") {
278 - syncoid = {
279 - group = cfg.group;
280 - isSystemUser = true;
281 - # For syncoid to be able to create /var/lib/syncoid/.ssh/
282 - # and to use custom ssh_config or known_hosts.
283 - home = "/var/lib/syncoid";
284 - createHome = false;
285 - };
286 - };
287 - groups = lib.mkIf (cfg.group == "syncoid") {
288 - syncoid = { };
289 - };
290 - };
291 -
292 systemd.services = lib.mapAttrs' (
293 name: c:
294 + let
295 + sshKeyCred = builtins.split ":" c.sshKey;
296 + in
297 lib.nameValuePair "syncoid-${escapeUnitName name}" (
298 lib.mkMerge [
299 {
300 description = "Syncoid ZFS synchronization from ${c.source} to ${c.target}";
301 after = [ "zfs.target" ];
302 startAt = cfg.interval;
303 - # syncoid may need zpool to get feature@extensible_dataset
304 - path = [ "/run/booted-system/sw/bin/" ];
305 - serviceConfig = {
306 - ExecStartPre =
307 - (map (buildAllowCommand c.localSourceAllow) (localDatasetName c.source))
308 - ++ (map (buildAllowCommand c.localTargetAllow) (localDatasetName c.target));
309 - ExecStopPost =
310 - (map (buildUnallowCommand c.localSourceAllow) (localDatasetName c.source))
311 - ++ (map (buildUnallowCommand c.localTargetAllow) (localDatasetName c.target));
312 - ExecStart = lib.escapeShellArgs (
313 - [ "${cfg.package}/bin/syncoid" ]
314 - ++ lib.optionals c.useCommonArgs cfg.commonArgs
315 - ++ lib.optional c.recursive "-r"
316 - ++ lib.optionals (c.sshKey != null) [
317 - "--sshkey"
318 - c.sshKey
319 - ]
320 - ++ c.extraArgs
321 - ++ [
322 - "--sendoptions"
323 - c.sendOptions
324 - "--recvoptions"
325 - c.recvOptions
326 - "--no-privilege-elevation"
327 - c.source
328 - c.target
329 - ]
330 - );
331 - User = cfg.user;
332 - Group = cfg.group;
333 - StateDirectory = [ "syncoid" ];
334 - StateDirectoryMode = "700";
335 - # Prevent SSH control sockets of different syncoid services from interfering
336 - PrivateTmp = true;
337 - # Permissive access to /proc because syncoid
338 - # calls ps(1) to detect ongoing `zfs receive`.
339 - ProcSubset = "all";
340 - ProtectProc = "default";
341 + # Here we explicitly use the booted system to guarantee the stable API needed by ZFS.
342 + # Moreover syncoid may need zpool to get feature@extensible_dataset.
343 + path = [ "/run/booted-system/sw" ];
344 + # Prevents missing snapshots during DST changes
345 + environment.TZ = "UTC";
346 + # A custom LD_LIBRARY_PATH is needed to access in `getent passwd`
347 + # the systemd's entry about the DynamicUser=,
348 + # so that ssh won't fail with: "No user exists for uid $UID".
349 + environment.LD_LIBRARY_PATH = config.system.nssModules.path;
350 + serviceConfig =
351 + {
352 + ExecStartPre =
353 + # Recursively remove any residual permissions
354 + # given on local+descendant datasets (source, target or target's parent)
355 + # to any currently unknown (hence unused) systemd dynamic users (UID/GID range 61184…65519),
356 + # which happens when a crash has occurred
357 + # during any previous run of a syncoid-*.service (not only this one).
358 + map
359 + (
360 + dataset:
361 + "+"
362 + + pkgs.writeShellScript "zfs-unallow-unused-dynamic-users" ''
363 + set -eu
364 + zfs allow "$1" |
365 + sed -ne 's/^\t\(user\|group\) (unknown: \([0-9]\+\)).*/\1 \2/p' |
366 + {
367 + declare -a uids
368 + while read -r role id; do
369 + if [ "$id" -ge 61184 ] && [ "$id" -le 65519 ]; then
370 + case "$role" in
371 + (user) uids+=("$id");;
372 + esac
373 + fi
374 + done
375 + zfs unallow -r -u "$(printf %s, "''${uids[@]}")" "$1"
376 + }
377 + ''
378 + + " "
379 + + lib.escapeShellArg dataset
380 + )
381 + (
382 + localDatasetName c.source
383 + ++ localDatasetName c.target
384 + ++ map builtins.dirOf (localDatasetName c.target)
385 + )
386 + ++
387 + # For a local source, allow the localSourceAllow ZFS permissions.
388 + map (
389 + dataset:
390 + "+/run/booted-system/sw/bin/zfs allow $USER "
391 + + lib.escapeShellArgs [
392 + (lib.concatStringsSep "," c.localSourceAllow)
393 + dataset
394 + ]
395 + ) (localDatasetName c.source)
396 + ++
397 + # For a local target, check if the dataset exists before delegating permissions,
398 + # and if it doesn't exist, delegate it to the parent dataset.
399 + # This should solve the case of provisioning new datasets.
400 + map (
401 + dataset:
402 + "+"
403 + + pkgs.writeShellScript "zfs-allow-target" ''
404 + dataset="$1"
405 + # Run a ZFS list on the dataset to check if it exists
406 + zfs list "$dataset" >/dev/null 2>/dev/null ||
407 + dataset="$(dirname "$dataset")"
408 + zfs allow "$USER" ${lib.escapeShellArg (lib.concatStringsSep "," c.localTargetAllow)} "$dataset"
409 + ''
410 + + " "
411 + + lib.escapeShellArg dataset
412 + ) (localDatasetName c.target);
413 + ExecStopPost =
414 + let
415 + zfsUnallow = dataset: "+/run/booted-system/sw/bin/zfs unallow $USER " + lib.escapeShellArg dataset;
416 + in
417 + map zfsUnallow (localDatasetName c.source)
418 + ++
419 + # For a local target, unallow both the dataset and its parent,
420 + # because at this stage we have no way of knowing if the allow command
421 + # did execute on the parent dataset or not in the ExecStartPre=.
422 + # We can't run the same if-then-else in the post hook
423 + # since the dataset should have been created at this point.
424 + lib.concatMap (dataset: [
425 + (zfsUnallow dataset)
426 + (zfsUnallow (builtins.dirOf dataset))
427 + ]) (localDatasetName c.target);
428 + ExecStart = lib.escapeShellArgs (
429 + [ "${cfg.package}/bin/syncoid" ]
430 + ++ lib.optionals c.useCommonArgs cfg.commonArgs
431 + ++ lib.optional c.recursive "--recursive"
432 + ++ lib.optionals (c.sshKey != null) [
433 + "--sshkey"
434 + "\${CREDENTIALS_DIRECTORY}/${if lib.length sshKeyCred > 1 then lib.head sshKeyCred else "sshKey"}"
435 + ]
436 + ++ c.extraArgs
437 + ++ [
438 + "--sendoptions"
439 + c.sendOptions
440 + "--recvoptions"
441 + c.recvOptions
442 + "--no-privilege-elevation"
443 + c.source
444 + c.target
445 + ]
446 + );
447 + DynamicUser = true;
448 + NFTSet = lib.optional config.networking.nftables.enable "user:inet:filter:nixos_syncoid_uids";
449 + # Prevent SSH control sockets of different syncoid services from interfering
450 + PrivateTmp = true;
451 + # Permissive access to /proc because syncoid
452 + # calls ps(1) to detect ongoing `zfs receive`.
453 + ProcSubset = "all";
454 + ProtectProc = "default";
455
456 - # The following options are only for optimizing:
457 - # systemd-analyze security | grep syncoid-'*'
458 - AmbientCapabilities = "";
459 - CapabilityBoundingSet = "";
460 - DeviceAllow = [ "/dev/zfs" ];
461 - LockPersonality = true;
462 - MemoryDenyWriteExecute = true;
463 - NoNewPrivileges = true;
464 - PrivateDevices = true;
465 - PrivateMounts = true;
466 - PrivateNetwork = lib.mkDefault false;
467 - PrivateUsers = false; # Enabling this breaks on zfs-2.2.0
468 - ProtectClock = true;
469 - ProtectControlGroups = true;
470 - ProtectHome = true;
471 - ProtectHostname = true;
472 - ProtectKernelLogs = true;
473 - ProtectKernelModules = true;
474 - ProtectKernelTunables = true;
475 - ProtectSystem = "strict";
476 - RemoveIPC = true;
477 - RestrictAddressFamilies = [
478 - "AF_UNIX"
479 - "AF_INET"
480 - "AF_INET6"
481 - ];
482 - RestrictNamespaces = true;
483 - RestrictRealtime = true;
484 - RestrictSUIDSGID = true;
485 - RootDirectory = "/run/syncoid/${escapeUnitName name}";
486 - RootDirectoryStartOnly = true;
487 - BindPaths = [ "/dev/zfs" ];
488 - BindReadOnlyPaths = [
489 - builtins.storeDir
490 - "/etc"
491 - "/run"
492 - "/bin/sh"
493 - ];
494 - # Avoid useless mounting of RootDirectory= in the own RootDirectory= of ExecStart='s mount namespace.
495 - InaccessiblePaths = [ "-+/run/syncoid/${escapeUnitName name}" ];
496 - MountAPIVFS = true;
497 - # Create RootDirectory= in the host's mount namespace.
498 - RuntimeDirectory = [ "syncoid/${escapeUnitName name}" ];
499 - RuntimeDirectoryMode = "700";
500 - SystemCallFilter = [
501 - "@system-service"
502 - # Groups in @system-service which do not contain a syscall listed by:
503 - # perf stat -x, 2>perf.log -e 'syscalls:sys_enter_*' syncoid …
504 - # awk >perf.syscalls -F "," '$1 > 0 {sub("syscalls:sys_enter_","",$3); print $3}' perf.log
505 - # systemd-analyze syscall-filter | grep -v -e '#' | sed -e ':loop; /^[^ ]/N; s/\n //; t loop' | grep $(printf ' -e \\<%s\\>' $(cat perf.syscalls)) | cut -f 1 -d ' '
506 - "~@aio"
507 - "~@chown"
508 - "~@keyring"
509 - "~@memlock"
510 - "~@privileged"
511 - "~@resources"
512 - "~@setuid"
513 - "~@timer"
514 - ];
515 - SystemCallArchitectures = "native";
516 - # This is for BindPaths= and BindReadOnlyPaths=
517 - # to allow traversal of directories they create in RootDirectory=.
518 - UMask = "0066";
519 - };
520 + # The following options are only for optimizing:
521 + # systemd-analyze security | grep syncoid-'*'
522 + AmbientCapabilities = "";
523 + CapabilityBoundingSet = "";
524 + DeviceAllow = [ "/dev/zfs" ];
525 + LockPersonality = true;
526 + MemoryDenyWriteExecute = true;
527 + NoNewPrivileges = true;
528 + PrivateDevices = true;
529 + PrivateMounts = true;
530 + PrivateNetwork = lib.mkDefault false;
531 + PrivateUsers = false; # Enabling this breaks on zfs-2.2.0
532 + ProtectClock = true;
533 + ProtectControlGroups = true;
534 + ProtectHome = true;
535 + ProtectHostname = true;
536 + ProtectKernelLogs = true;
537 + ProtectKernelModules = true;
538 + ProtectKernelTunables = true;
539 + ProtectSystem = "strict";
540 + RemoveIPC = true;
541 + RestrictAddressFamilies = [
542 + "AF_UNIX"
543 + "AF_INET"
544 + "AF_INET6"
545 + ];
546 + RestrictNamespaces = true;
547 + RestrictRealtime = true;
548 + RestrictSUIDSGID = true;
549 + RootDirectory = "/run/syncoid/${escapeUnitName name}";
550 + BindPaths = [ "/dev/zfs" ];
551 + BindReadOnlyPaths = [
552 + builtins.storeDir
553 + "/etc"
554 + "/run"
555 + # Some programs hardcode /var/run
556 + # eg. /var/run/avahi-daemon/socket to resolve *.local mDNS domains
557 + "/var/run"
558 + "/bin/sh"
559 + ];
560 + # Avoid useless mounting of RootDirectory= in the own RootDirectory= of ExecStart='s mount namespace.
561 + InaccessiblePaths = [ "-+/run/syncoid/${escapeUnitName name}" ];
562 + MountAPIVFS = true;
563 + # Create RootDirectory= in the host's mount namespace.
564 + RuntimeDirectory = [ "syncoid/${escapeUnitName name}" ];
565 + RuntimeDirectoryMode = "700";
566 + SystemCallFilter = [
567 + "@system-service"
568 + # Groups in @system-service which do not contain a syscall listed by:
569 + # perf stat -x, 2>perf.log -e 'syscalls:sys_enter_*' syncoid …
570 + # awk >perf.syscalls -F "," '$1 > 0 {sub("syscalls:sys_enter_","",$3); print $3}' perf.log
571 + # systemd-analyze syscall-filter | grep -v -e '#' | sed -e ':loop; /^[^ ]/N; s/\n //; t loop' | grep $(printf ' -e \\<%s\\>' $(cat perf.syscalls)) | cut -f 1 -d ' '
572 + "~@aio"
573 + "~@chown"
574 + "~@keyring"
575 + "~@memlock"
576 + "~@privileged"
577 + "~@resources"
578 + "~@setuid"
579 + ];
580 + SystemCallArchitectures = "native";
581 + # This is for BindPaths= and BindReadOnlyPaths=
582 + # to allow traversal of directories they create in RootDirectory=.
583 + UMask = "0066";
584 + }
585 + // (
586 + if lib.length sshKeyCred > 1 then
587 + { LoadCredentialEncrypted = [ c.sshKey ]; }
588 + else
589 + { LoadCredential = [ "sshKey:${c.sshKey}" ]; }
590 + );
591 }
592 cfg.service
593 c.service
594 ]
595 )
596 ) cfg.commands;
597 +
598 + networking.nftables.ruleset = lib.mkBefore ''
599 + table inet filter {
600 + # A set containing the dynamic UIDs of the syncoid services currently active
601 + set nixos_syncoid_uids { typeof meta skuid; }
602 + }
603 + '';
604 };
605
606 meta.maintainers = with lib.maintainers; [
607 diff --git a/nixos/tests/sanoid.nix b/nixos/tests/sanoid.nix
608 index 227a95e9471d..9f5d52c2c527 100644
609 --- a/nixos/tests/sanoid.nix
610 +++ b/nixos/tests/sanoid.nix
611 @@ -51,17 +51,21 @@ import ./make-test-python.nix (
612 enable = true;
613 sshKey = "/var/lib/syncoid/id_ecdsa";
614 commands = {
615 - # Sync snapshot taken by sanoid
616 - "pool/sanoid" = {
617 - target = "root@target:pool/sanoid";
618 - extraArgs = [
619 - "--no-sync-snap"
620 - "--create-bookmark"
621 - ];
622 - };
623 # Take snapshot and sync
624 "pool/syncoid".target = "root@target:pool/syncoid";
625
626 + # Sync the same dataset to different targets
627 + "pool/sanoid1" = {
628 + source = "pool/sanoid";
629 + target = "root@target:pool/sanoid1";
630 + extraArgs = [ "--no-sync-snap" "--create-bookmark" ];
631 + };
632 + "pool/sanoid2" = {
633 + source = "pool/sanoid";
634 + target = "root@target:pool/sanoid2";
635 + extraArgs = [ "--no-sync-snap" "--create-bookmark" ];
636 + };
637 +
638 # Test pool without parent (regression test for https://github.com/NixOS/nixpkgs/pull/180111)
639 "pool".target = "root@target:pool/full-pool";
640
641 @@ -95,6 +99,7 @@ import ./make-test-python.nix (
642 "zfs create pool/syncoid",
643 "udevadm settle",
644 )
645 +
646 target.succeed(
647 "mkdir /mnt",
648 "parted --script /dev/vdb -- mklabel msdos mkpart primary 1024M -1s",
649 @@ -107,42 +112,45 @@ import ./make-test-python.nix (
650 "mkdir -m 700 -p /var/lib/syncoid",
651 "cat '${snakeOilPrivateKey}' > /var/lib/syncoid/id_ecdsa",
652 "chmod 600 /var/lib/syncoid/id_ecdsa",
653 - "chown -R syncoid:syncoid /var/lib/syncoid/",
654 )
655
656 - assert len(source.succeed("zfs allow pool")) == 0, "Pool shouldn't have delegated permissions set before snapshotting"
657 - assert len(source.succeed("zfs allow pool/sanoid")) == 0, "Sanoid dataset shouldn't have delegated permissions set before snapshotting"
658 - assert len(source.succeed("zfs allow pool/syncoid")) == 0, "Syncoid dataset shouldn't have delegated permissions set before snapshotting"
659 + with subtest("Take snapshots with sanoid"):
660 + source.succeed("touch /mnt/pool/sanoid/test.txt")
661 + source.succeed("touch /mnt/pool/compat/test.txt")
662 + source.systemctl("start --wait sanoid.service")
663
664 - # Take snapshot with sanoid
665 - source.succeed("touch /mnt/pool/sanoid/test.txt")
666 - source.succeed("touch /mnt/pool/compat/test.txt")
667 - source.systemctl("start --wait sanoid.service")
668 + # Add some unused dynamic users to the stateful allow list of ZFS datasets,
669 + # simulating a state where they remain after the system crashed,
670 + # to check they'll be correctly removed by the syncoid services.
671 + # Each syncoid service run from now may reuse at most one of them for itself.
672 + source.succeed(
673 + "zfs allow -u $(printf %s, {61184..61200})65519 dedup pool",
674 + "zfs allow -u $(printf %s, {61184..61200})65519 dedup pool/sanoid",
675 + "zfs allow -u $(printf %s, {61184..61200})65519 dedup pool/syncoid",
676 + )
677 +
678 + with subtest("sync snapshots"):
679 + target.wait_for_open_port(22)
680 + source.succeed("touch /mnt/pool/syncoid/test.txt")
681 +
682 + source.systemctl("start --wait syncoid-pool-syncoid.service")
683 + target.succeed("cat /mnt/pool/syncoid/test.txt")
684 +
685 + source.systemctl("start --wait syncoid-pool-sanoid{1,2}.service")
686 + target.succeed("cat /mnt/pool/sanoid1/test.txt")
687 + target.succeed("cat /mnt/pool/sanoid2/test.txt")
688 +
689 + source.systemctl("start --wait syncoid-pool.service")
690 + target.succeed("[[ -d /mnt/pool/full-pool/syncoid ]]")
691 +
692 + source.systemctl("start --wait syncoid-pool-compat.service")
693 + target.succeed("cat /mnt/pool/compat/test.txt")
694
695 assert len(source.succeed("zfs allow pool")) == 0, "Pool shouldn't have delegated permissions set after snapshotting"
696 assert len(source.succeed("zfs allow pool/sanoid")) == 0, "Sanoid dataset shouldn't have delegated permissions set after snapshotting"
697 assert len(source.succeed("zfs allow pool/syncoid")) == 0, "Syncoid dataset shouldn't have delegated permissions set after snapshotting"
698 -
699 - # Sync snapshots
700 - target.wait_for_open_port(22)
701 - source.succeed("touch /mnt/pool/syncoid/test.txt")
702 - source.systemctl("start --wait syncoid-pool-sanoid.service")
703 - target.succeed("cat /mnt/pool/sanoid/test.txt")
704 - source.systemctl("start --wait syncoid-pool-syncoid.service")
705 - source.systemctl("start --wait syncoid-pool-syncoid.service")
706 - target.succeed("cat /mnt/pool/syncoid/test.txt")
707 -
708 assert(len(source.succeed("zfs list -H -t snapshot pool/syncoid").splitlines()) == 1), "Syncoid should only retain one sync snapshot"
709
710 - source.systemctl("start --wait syncoid-pool.service")
711 - target.succeed("[[ -d /mnt/pool/full-pool/syncoid ]]")
712 -
713 - source.systemctl("start --wait syncoid-pool-compat.service")
714 - target.succeed("cat /mnt/pool/compat/test.txt")
715 -
716 - assert len(source.succeed("zfs allow pool")) == 0, "Pool shouldn't have delegated permissions set after syncing snapshots"
717 - assert len(source.succeed("zfs allow pool/sanoid")) == 0, "Sanoid dataset shouldn't have delegated permissions set after syncing snapshots"
718 - assert len(source.succeed("zfs allow pool/syncoid")) == 0, "Syncoid dataset shouldn't have delegated permissions set after syncing snapshots"
719 '';
720 }
721 )
722 --
723 2.49.0
724
julm's NixOS and home-manager configs