nixos/slurm: fix dbdserver config file handling

Since slurm-20.11.0.1 the dbd server requires slurmdbd.conf to be
in mode 600 to protect the database password. This change creates
slurmdbd.conf on-the-fly at service startup, which keeps the database
password out of the nix store.
Markus Kowalewski 2020-11-29 15:58:58 +01:00
parent f074e879fd
commit 5df0cf7461
3 changed files with 51 additions and 32 deletions


@ -278,6 +278,15 @@
<xref linkend="opt-services.privoxy.enableTor" /> = true;
</programlisting>
</listitem>
<listitem>
<para>
The options <literal>services.slurm.dbdserver.storagePass</literal>
and <literal>services.slurm.dbdserver.configFile</literal> have been removed.
Use <literal>services.slurm.dbdserver.storagePassFile</literal> instead to provide the database password.
Extra config options can be given via the option <literal>services.slurm.dbdserver.extraConfig</literal>. The actual configuration file is created on the fly on startup of the service.
This avoids that the password gets exposed in the nix store.
</para>
</listitem>
</itemizedlist>
</section>


@ -34,13 +34,12 @@ let
${cfg.extraCgroupConfig}
'';
slurmdbdConf = pkgs.writeTextDir "slurmdbd.conf"
slurmdbdConf = pkgs.writeText "slurmdbd.conf"
''
DbdHost=${cfg.dbdserver.dbdHost}
SlurmUser=${cfg.user}
StorageType=accounting_storage/mysql
StorageUser=${cfg.dbdserver.storageUser}
${optionalString (cfg.dbdserver.storagePass != null) "StoragePass=${cfg.dbdserver.storagePass}"}
${cfg.dbdserver.extraConfig}
'';
@ -95,26 +94,12 @@ in
'';
};
storagePass = mkOption {
type = types.nullOr types.str;
storagePassFile = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Database password. Note that this password will be publicable
readable in the nix store. Use <option>configFile</option>
to store the and config file and password outside the nix store.
'';
};
configFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Path to <literal>slurmdbd.conf</literal>. The password for the database connection
is stored in the config file. Use this option to specfify a path
outside the nix store. If this option is unset a configuration file
will be generated. See also:
<citerefentry><refentrytitle>slurmdbd.conf</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>.
Path to file with database password. The content of this will be used to
create the password for the <literal>StoragePass</literal> option.
'';
};
@ -122,7 +107,9 @@ in
type = types.lines;
default = "";
description = ''
Extra configuration for <literal>slurmdbd.conf</literal>
Extra configuration for <literal>slurmdbd.conf</literal> See also:
<citerefentry><refentrytitle>slurmdbd.conf</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>.
'';
};
};
@ -292,6 +279,16 @@ in
};
imports = [
(mkRemovedOptionModule [ "services" "slurm" "dbdserver" "storagePass" ] ''
This option has been removed so that the database password is not exposed via the nix store.
Use services.slurm.dbdserver.storagePassFile to provide the database password.
'')
(mkRemovedOptionModule [ "services" "slurm" "dbdserver" "configFile" ] ''
This option has been removed. Use services.slurm.dbdserver.storagePassFile
and services.slurm.dbdserver.extraConfig instead.
'')
];
###### implementation
@ -386,23 +383,34 @@ in
'';
};
systemd.services.slurmdbd = mkIf (cfg.dbdserver.enable) {
systemd.services.slurmdbd = let
# slurm strips the last component off the path
configPath = "$RUNTIME_DIRECTORY/slurmdbd.conf";
in mkIf (cfg.dbdserver.enable) {
path = with pkgs; [ wrappedSlurm munge coreutils ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "munged.service" "mysql.service" ];
requires = [ "munged.service" "mysql.service" ];
# slurm strips the last component off the path
environment.SLURM_CONF =
if (cfg.dbdserver.configFile == null) then
"${slurmdbdConf}/slurm.conf"
else
cfg.dbdserver.configFile;
preStart = ''
cp ${slurmdbdConf} ${configPath}
chmod 600 ${configPath}
chown ${cfg.user} ${configPath}
${optionalString (cfg.dbdserver.storagePassFile != null) ''
echo "StoragePass=$(cat ${cfg.dbdserver.storagePassFile})" \
>> ${configPath}
''}
'';
script = ''
export SLURM_CONF=${configPath}
exec ${cfg.package}/bin/slurmdbd -D
'';
serviceConfig = {
Type = "forking";
ExecStart = "${cfg.package}/bin/slurmdbd";
RuntimeDirectory = "slurmdbd";
Type = "simple";
PIDFile = "/run/slurmdbd.pid";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
};
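Review bot: The new `storagePassFile` option (hunk `@ -95,26 +94,12`) is typed `nullOr str` and described only as "Path to file with database password", so nothing stops a user from pointing it at a store path — the accompanying test does exactly that with `pkgs.writeText "dbdpassword"` — which puts the password back into the world-readable nix store that this commit is trying to keep it out of. I would extend the description with `This file must live outside the nix store (for example under /var/lib or a secrets directory) and be readable only by root; a store path would make the password world-readable again.`, and note that the `str` type (rather than `path`) is deliberate so the value is never copied into the store. The `preStart` ordering in the last hunk is sound as written: the file is `chmod 600`'d before `StoragePass=` is appended, so the password is never exposed in the window between `cp` and `chmod`; consider also setting `RuntimeDirectoryMode = "0700";` so the directory itself is not listable, since `$RUNTIME_DIRECTORY` otherwise defaults to 0755. With `Type = "simple"` the retained `PIDFile = "/run/slurmdbd.pid";` no longer serves a purpose and can be dropped.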


@ -86,14 +86,16 @@ in {
dbd =
{ pkgs, ... } :
{
let
passFile = pkgs.writeText "dbdpassword" "password123";
in {
networking.firewall.enable = false;
systemd.tmpfiles.rules = [
"f /etc/munge/munge.key 0400 munge munge - mungeverryweakkeybuteasytointegratoinatest"
];
services.slurm.dbdserver = {
enable = true;
storagePass = "password123";
storagePassFile = "${passFile}";
};
services.mysql = {
enable = true;