nixos/munge: run munge as user munge instead of root. (#41509)

* Added a note in release notes (incompatibilities)
* Adapt slurm test
* Change user to munge in service.munge
This commit is contained in:
markuskowa 2018-06-09 00:50:28 +02:00 committed by xeji
parent b22c1b7994
commit 96af022af5
3 changed files with 22 additions and 1 deletions

View File

@ -121,6 +121,12 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
<literal>gnucash24</literal>.
</para>
</listitem>
<listitem>
<para>
<varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root.
Make sure the key file is accessible to the daemon.
</para>
</listitem>
</itemizedlist>
</section>

View File

@ -35,6 +35,14 @@ in
environment.systemPackages = [ pkgs.munge ];
users.users.munge = {
description = "Munge daemon user";
isSystemUser = true;
group = "munge";
};
users.groups.munge = {};
systemd.services.munged = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
@ -44,14 +52,20 @@ in
preStart = ''
chmod 0700 ${cfg.password}
mkdir -p /var/lib/munge -m 0711
chown -R munge:munge /var/lib/munge
mkdir -p /var/log/munge -m 0700
chown -R munge:munge /var/log/munge
mkdir -p /run/munge -m 0755
chown -R munge:munge /run/munge
'';
serviceConfig = {
ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}";
PIDFile = "/run/munge/munged.pid";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
PermissionsStartOnly = "true";
User = "munge";
Group = "munge";
};
};

View File

@ -61,6 +61,7 @@ in {
$node->succeed("mkdir /etc/munge");
$node->succeed("echo '${mungekey}' > /etc/munge/munge.key");
$node->succeed("chmod 0400 /etc/munge/munge.key");
$node->succeed("chown munge:munge /etc/munge/munge.key");
$node->succeed("systemctl restart munged");
}