nixos/munge: run munge as user munge instead of root. (#41509)
* Added a note in release notes (incompatibilities) * Adapt slurm test * Change user to munge in service.munge
This commit is contained in:
parent
b22c1b7994
commit
96af022af5
@ -121,6 +121,12 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
|
||||
<literal>gnucash24</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root.
|
||||
Make sure the key file is accessible to the daemon.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
@ -35,6 +35,14 @@ in
|
||||
|
||||
environment.systemPackages = [ pkgs.munge ];
|
||||
|
||||
users.users.munge = {
|
||||
description = "Munge daemon user";
|
||||
isSystemUser = true;
|
||||
group = "munge";
|
||||
};
|
||||
|
||||
users.groups.munge = {};
|
||||
|
||||
systemd.services.munged = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
@ -44,14 +52,20 @@ in
|
||||
preStart = ''
|
||||
chmod 0700 ${cfg.password}
|
||||
mkdir -p /var/lib/munge -m 0711
|
||||
chown -R munge:munge /var/lib/munge
|
||||
mkdir -p /var/log/munge -m 0700
|
||||
chown -R munge:munge /var/log/munge
|
||||
mkdir -p /run/munge -m 0755
|
||||
chown -R munge:munge /run/munge
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}";
|
||||
PIDFile = "/run/munge/munged.pid";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
PermissionsStartOnly = "true";
|
||||
User = "munge";
|
||||
Group = "munge";
|
||||
};
|
||||
|
||||
};
|
||||
|
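Review bot: The key file named by `cfg.password` is never re-owned to the new service user: `preStart` (still root, via `PermissionsStartOnly = "true"`) runs `chmod 0700 ${cfg.password}` but leaves ownership alone, so a root-owned key from an installation that upgrades from the previous root-running unit becomes unreadable once `User = "munge"` applies and munged fails at start; the release-note hunk only asks the admin to fix this by hand, and the slurm test hunk (`@ -61,6 +61,7 @@`) patches around it with an explicit `chown munge:munge /etc/munge/munge.key`. Adding `chown munge:munge ${cfg.password}` next to the chmod would make the user switch self-contained for existing deployments, and `chmod 0600 ${cfg.password}` is the tighter mode for a non-executable secret. The `preStart` in this hunk belongs to the `systemd.services.munged` set opened in the preceding hunk; the directory setup there (`mkdir` + `chown -R` as root) is fine for the new user, only the key file is left out.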
@ -61,6 +61,7 @@ in {
|
||||
$node->succeed("mkdir /etc/munge");
|
||||
$node->succeed("echo '${mungekey}' > /etc/munge/munge.key");
|
||||
$node->succeed("chmod 0400 /etc/munge/munge.key");
|
||||
$node->succeed("chown munge:munge /etc/munge/munge.key");
|
||||
$node->succeed("systemctl restart munged");
|
||||
}
|
||||
|
||||
|