From 5df0cf7461d09e38c81c3eb6a1e6393c0c40850a Mon Sep 17 00:00:00 2001 From: Markus Kowalewski Date: Sun, 29 Nov 2020 15:58:58 +0100 Subject: [PATCH] nixos/slurm: fix dbdserver config file handling Since slurm-20.11.0.1 the dbd server requires slurmdbd.conf to be in mode 600 to protect the database password. This change creates slurmdbd.conf on-the-fly at service startup and thus avoids that the database password ends up in the nix store. --- nixos/doc/manual/release-notes/rl-2103.xml | 9 +++ .../services/computing/slurm/slurm.nix | 68 +++++++++++-------- nixos/tests/slurm.nix | 6 +- 3 files changed, 51 insertions(+), 32 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml index 458170e803b3..2b0144a69c22 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2103.xml @@ -278,6 +278,15 @@ = true; + + + The options services.slurm.dbdserver.storagePass + and services.slurm.dbdserver.configFile have been removed. + Use services.slurm.dbdserver.storagePassFile instead to provide the database password. + Extra config options can be given via the option services.slurm.dbdserver.extraConfig. The actual configuration file is created on the fly on startup of the service. + This avoids that the password gets exposed in the nix store. + + diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index 705390a21d4e..302f058926c8 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix 
@@ -34,13 +34,12 @@ let ${cfg.extraCgroupConfig} ''; - slurmdbdConf = pkgs.writeTextDir "slurmdbd.conf" + slurmdbdConf = pkgs.writeText "slurmdbd.conf" '' DbdHost=${cfg.dbdserver.dbdHost} SlurmUser=${cfg.user} StorageType=accounting_storage/mysql StorageUser=${cfg.dbdserver.storageUser} - ${optionalString (cfg.dbdserver.storagePass != null) "StoragePass=${cfg.dbdserver.storagePass}"} ${cfg.dbdserver.extraConfig} ''; @@ -95,26 +94,12 @@ in ''; }; - storagePass = mkOption { - type = types.nullOr types.str; + storagePassFile = mkOption { + type = with types; nullOr str; default = null; description = '' - Database password. Note that this password will be publicable - readable in the nix store. Use - to store the and config file and password outside the nix store. - ''; - }; - - configFile = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Path to slurmdbd.conf. The password for the database connection - is stored in the config file. Use this option to specfify a path - outside the nix store. If this option is unset a configuration file - will be generated. See also: - slurmdbd.conf - 8. + Path to file with database password. The content of this will be used to + create the password for the StoragePass option. ''; }; @@ -122,7 +107,9 @@ in type = types.lines; default = ""; description = '' - Extra configuration for slurmdbd.conf + Extra configuration for slurmdbd.conf See also: + slurmdbd.conf + 8. ''; }; }; @@ -292,6 +279,16 @@ in }; + imports = [ + (mkRemovedOptionModule [ "services" "slurm" "dbdserver" "storagePass" ] '' + This option has been removed so that the database password is not exposed via the nix store. + Use services.slurm.dbdserver.storagePassFile to provide the database password. + '') + (mkRemovedOptionModule [ "services" "slurm" "dbdserver" "configFile" ] '' + This option has been removed. Use services.slurm.dbdserver.storagePassFile + and services.slurm.dbdserver.extraConfig instead. + '') + ]; ###### implementation 
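Review bot: The description of the new `storagePassFile` option (hunk `@@ -95,26 +94,12`) does not say where the password file may live; its type is `nullOr str`, so a string path is expected, but a user who writes a Nix path literal such as `./dbdpass` gets that file copied into the world-readable nix store, which reintroduces exactly the exposure this patch removes. I would extend the description to: `Path to a file containing the database password. Give it as a string pointing outside the nix store (a path literal would be copied into the store); the file is read at service start and its content appended as StoragePass to the generated slurmdbd.conf.` The test in nixos/tests/slurm.nix uses a `writeText` store path for this, which is fine for a test but is the pattern the option text should steer real deployments away from.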
@@ -386,23 +383,34 @@ in ''; }; - systemd.services.slurmdbd = mkIf (cfg.dbdserver.enable) { + systemd.services.slurmdbd = let + # slurm strips the last component off the path + configPath = "$RUNTIME_DIRECTORY/slurmdbd.conf"; + in mkIf (cfg.dbdserver.enable) { path = with pkgs; [ wrappedSlurm munge coreutils ]; wantedBy = [ "multi-user.target" ]; after = [ "network.target" "munged.service" "mysql.service" ]; requires = [ "munged.service" "mysql.service" ]; - # slurm strips the last component off the path - environment.SLURM_CONF = - if (cfg.dbdserver.configFile == null) then - "${slurmdbdConf}/slurm.conf" - else - cfg.dbdserver.configFile; + preStart = '' + cp ${slurmdbdConf} ${configPath} + chmod 600 ${configPath} + chown ${cfg.user} ${configPath} + ${optionalString (cfg.dbdserver.storagePassFile != null) '' + echo "StoragePass=$(cat ${cfg.dbdserver.storagePassFile})" \ + >> ${configPath} + ''} + ''; + + script = '' + export SLURM_CONF=${configPath} + exec ${cfg.package}/bin/slurmdbd -D + ''; serviceConfig = { - Type = "forking"; - ExecStart = "${cfg.package}/bin/slurmdbd"; + RuntimeDirectory = "slurmdbd"; + Type = "simple"; PIDFile = "/run/slurmdbd.pid"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; diff --git a/nixos/tests/slurm.nix b/nixos/tests/slurm.nix index a54c5d9db482..97e031a62793 100644 --- a/nixos/tests/slurm.nix +++ b/nixos/tests/slurm.nix @@ -86,14 +86,16 @@ in { dbd = { pkgs, ... } : - { + let + passFile = pkgs.writeText "dbdpassword" "password123"; + in { networking.firewall.enable = false; systemd.tmpfiles.rules = [ "f /etc/munge/munge.key 0400 munge munge - mungeverryweakkeybuteasytointegratoinatest" ]; services.slurm.dbdserver = { enable = true; - storagePass = "password123"; + storagePassFile = "${passFile}"; }; services.mysql = { enable = true;
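Review bot: The append in `preStart` does not fail when `storagePassFile` is missing or unreadable, because `$(cat …)` runs inside `echo` and only echo's exit status is observed; slurmdbd would then start with an empty `StoragePass=` line and fail later with a less obvious database authentication error. The `cp`/`chmod`/`chown` sequence also creates the file under the default umask before tightening it; `install -m 600 -o ${cfg.user}` does that in one step (no secret is present in the file at that point, so this is hygiene rather than a leak). With `Type = "simple"` and `exec … -D` the remaining `PIDFile = "/run/slurmdbd.pid"` line no longer serves a purpose and could be dropped. The `systemd.services.slurmdbd` attribute set closes outside the hunk.
```nix
      preStart = ''
        install -m 600 -o ${cfg.user} ${slurmdbdConf} ${configPath}
        ${optionalString (cfg.dbdserver.storagePassFile != null) ''
          test -r ${cfg.dbdserver.storagePassFile} || exit 1
          echo "StoragePass=$(cat ${cfg.dbdserver.storagePassFile})" \
            >> ${configPath}
        ''}
      '';
      # … unchanged: script, serviceConfig …
```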