nixos/opensearch: Use DynamicUser and StateDirectory by default
...but still allow for setting `dataDir` to a custom path. This gets rid of the use of the deprecated option PermissionsStartOnly. Also, add the ability to customize user and group, since that could be useful with a custom `dataDir`.
This commit is contained in:
parent
8b84a720e8
commit
9e9007e45f
@ -9,6 +9,9 @@ let
|
||||
|
||||
configDir = cfg.dataDir + "/config";
|
||||
|
||||
usingDefaultDataDir = cfg.dataDir == "/var/lib/opensearch";
|
||||
usingDefaultUserAndGroup = cfg.user == "opensearch" && cfg.group == "opensearch";
|
||||
|
||||
opensearchYml = settingsFormat.generate "opensearch.yml" cfg.settings;
|
||||
|
||||
loggingConfigFilename = "log4j2.properties";
|
||||
@ -20,9 +23,9 @@ in
|
||||
{
|
||||
|
||||
options.services.opensearch = {
|
||||
enable = mkEnableOption (lib.mdDoc "Whether to enable OpenSearch.");
|
||||
enable = mkEnableOption (lib.mdDoc "OpenSearch");
|
||||
|
||||
package = lib.mkPackageOptionMD pkgs "OpenSearch package to use." {
|
||||
package = lib.mkPackageOptionMD pkgs "OpenSearch" {
|
||||
default = [ "opensearch" ];
|
||||
};
|
||||
|
||||
@ -99,13 +102,37 @@ in
|
||||
dataDir = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/var/lib/opensearch";
|
||||
apply = converge (removeSuffix "/");
|
||||
description = lib.mdDoc ''
|
||||
Data directory for opensearch.
|
||||
Data directory for OpenSearch. If you change this, you need to
|
||||
manually create the directory. You also need to create the
|
||||
`opensearch` user and group, or change
|
||||
[](#opt-services.opensearch.user) and
|
||||
[](#opt-services.opensearch.group) to existing ones with
|
||||
access to the directory.
|
||||
'';
|
||||
};
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "opensearch";
|
||||
description = lib.mdDoc ''
|
||||
The user OpenSearch runs as. Should be left at default unless
|
||||
you have very specific needs.
|
||||
'';
|
||||
};
|
||||
|
||||
group = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "opensearch";
|
||||
description = lib.mdDoc ''
|
||||
The group OpenSearch runs as. Should be left at default unless
|
||||
you have very specific needs.
|
||||
'';
|
||||
};
|
||||
|
||||
extraCmdLineOptions = lib.mkOption {
|
||||
description = lib.mdDoc "Extra command line options for the opensearch launcher.";
|
||||
description = lib.mdDoc "Extra command line options for the OpenSearch launcher.";
|
||||
default = [ ];
|
||||
type = lib.types.listOf lib.types.str;
|
||||
};
|
||||
@ -142,69 +169,76 @@ in
|
||||
OPENSEARCH_PATH_CONF = configDir;
|
||||
};
|
||||
serviceConfig = {
|
||||
ExecStartPre =
|
||||
let
|
||||
startPreFullPrivileges = ''
|
||||
set -o errexit -o pipefail -o nounset -o errtrace
|
||||
shopt -s inherit_errexit
|
||||
'' + (optionalString (!config.boot.isContainer) ''
|
||||
# Only set vm.max_map_count if lower than ES required minimum
|
||||
# This avoids conflict if configured via boot.kernel.sysctl
|
||||
if [ $(${pkgs.procps}/bin/sysctl -n vm.max_map_count) -lt 262144 ]; then
|
||||
${pkgs.procps}/bin/sysctl -w vm.max_map_count=262144
|
||||
fi
|
||||
'');
|
||||
startPreUnprivileged = ''
|
||||
set -o errexit -o pipefail -o nounset -o errtrace
|
||||
shopt -s inherit_errexit
|
||||
|
||||
# Install plugins
|
||||
ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib
|
||||
ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules
|
||||
|
||||
# opensearch needs to create the opensearch.keystore in the config directory
|
||||
# so this directory needs to be writable.
|
||||
mkdir -p ${configDir}
|
||||
chmod 0700 ${configDir}
|
||||
|
||||
# Note that we copy config files from the nix store instead of symbolically linking them
|
||||
# because otherwise X-Pack Security will raise the following exception:
|
||||
# java.security.AccessControlException:
|
||||
# access denied ("java.io.FilePermission" "/var/lib/opensearch/config/opensearch.yml" "read")
|
||||
|
||||
cp ${opensearchYml} ${configDir}/opensearch.yml
|
||||
|
||||
# Make sure the logging configuration for old OpenSearch versions is removed:
|
||||
rm -f "${configDir}/logging.yml"
|
||||
cp ${loggingConfigFile} ${configDir}/${loggingConfigFilename}
|
||||
mkdir -p ${configDir}/scripts
|
||||
cp ${cfg.package}/config/jvm.options ${configDir}/jvm.options
|
||||
|
||||
# redirect jvm logs to the data directory
|
||||
mkdir -p ${cfg.dataDir}/logs
|
||||
chmod 0700 ${cfg.dataDir}/logs
|
||||
sed -e '#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options
|
||||
'';
|
||||
in [
|
||||
"+${pkgs.writeShellScript "opensearch-start-pre-full-privileges" startPreFullPrivileges}"
|
||||
"${pkgs.writeShellScript "opensearch-start-pre-unprivileged" startPreUnprivileged}"
|
||||
];
|
||||
ExecStartPost = pkgs.writeShellScript "opensearch-start-post" ''
|
||||
set -o errexit -o pipefail -o nounset -o errtrace
|
||||
shopt -s inherit_errexit
|
||||
|
||||
# Make sure opensearch is up and running before dependents
|
||||
# are started
|
||||
while ! ${pkgs.curl}/bin/curl -sS -f http://${cfg.settings."network.host"}:${toString cfg.settings."http.port"} 2>/dev/null; do
|
||||
sleep 1
|
||||
done
|
||||
'';
|
||||
ExecStart = "${cfg.package}/bin/opensearch ${toString cfg.extraCmdLineOptions}";
|
||||
User = "opensearch";
|
||||
Group = "opensearch";
|
||||
StateDirectory = cfg.dataDir;
|
||||
StateDirectoryMode = "0700";
|
||||
PermissionsStartOnly = true;
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
LimitNOFILE = "1024000";
|
||||
Restart = "always";
|
||||
TimeoutStartSec = "infinity";
|
||||
};
|
||||
preStart = optionalString (!config.boot.isContainer) ''
|
||||
# Only set vm.max_map_count if lower than ES required minimum
|
||||
# This avoids conflict if configured via boot.kernel.sysctl
|
||||
if [ $(${pkgs.procps}/bin/sysctl -n vm.max_map_count) -lt 262144 ]; then
|
||||
${pkgs.procps}/bin/sysctl -w vm.max_map_count=262144
|
||||
fi
|
||||
'' + ''
|
||||
mkdir -m 0700 -p ${cfg.dataDir}
|
||||
|
||||
# Install plugins
|
||||
ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib
|
||||
ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules
|
||||
|
||||
# opensearch needs to create the opensearch.keystore in the config directory
|
||||
# so this directory needs to be writable.
|
||||
mkdir -m 0700 -p ${configDir}
|
||||
|
||||
# Note that we copy config files from the nix store instead of symbolically linking them
|
||||
# because otherwise X-Pack Security will raise the following exception:
|
||||
# java.security.AccessControlException:
|
||||
# access denied ("java.io.FilePermission" "/var/lib/opensearch/config/opensearch.yml" "read")
|
||||
|
||||
cp ${opensearchYml} ${configDir}/opensearch.yml
|
||||
# Make sure the logging configuration for old opensearch versions is removed:
|
||||
rm -f "${configDir}/logging.yml"
|
||||
cp ${loggingConfigFile} ${configDir}/${loggingConfigFilename}
|
||||
mkdir -p ${configDir}/scripts
|
||||
cp ${cfg.package}/config/jvm.options ${configDir}/jvm.options
|
||||
# redirect jvm logs to the data directory
|
||||
mkdir -m 0700 -p ${cfg.dataDir}/logs
|
||||
sed -e '#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options \
|
||||
|
||||
if [ "$(id -u)" = 0 ]; then chown -R opensearch:opensearch ${cfg.dataDir}; fi
|
||||
'';
|
||||
postStart = ''
|
||||
# Make sure opensearch is up and running before dependents
|
||||
# are started
|
||||
while ! ${pkgs.curl}/bin/curl -sS -f http://${cfg.settings."network.host"}:${toString cfg.settings."http.port"} 2>/dev/null; do
|
||||
sleep 1
|
||||
done
|
||||
'';
|
||||
DynamicUser = usingDefaultUserAndGroup && usingDefaultDataDir;
|
||||
} // (optionalAttrs (usingDefaultDataDir) {
|
||||
StateDirectory = "opensearch";
|
||||
StateDirectoryMode = "0700";
|
||||
});
|
||||
};
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
users = {
|
||||
groups.opensearch = {};
|
||||
users.opensearch = {
|
||||
description = "OpenSearch daemon user";
|
||||
home = cfg.dataDir;
|
||||
group = "opensearch";
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -490,7 +490,7 @@ in {
|
||||
ombi = handleTest ./ombi.nix {};
|
||||
openarena = handleTest ./openarena.nix {};
|
||||
openldap = handleTest ./openldap.nix {};
|
||||
opensearch = handleTest ./opensearch.nix {};
|
||||
opensearch = discoverTests (import ./opensearch.nix);
|
||||
openresty-lua = handleTest ./openresty-lua.nix {};
|
||||
opensmtpd = handleTest ./opensmtpd.nix {};
|
||||
opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {};
|
||||
|
@ -1,19 +1,52 @@
|
||||
import ./make-test-python.nix ({ pkgs, ... }: {
|
||||
name = "opensearch";
|
||||
meta.maintainers = with pkgs.lib.maintainers; [ shyim ];
|
||||
let
|
||||
opensearchTest =
|
||||
import ./make-test-python.nix (
|
||||
{ pkgs, lib, extraSettings ? {} }: {
|
||||
name = "opensearch";
|
||||
meta.maintainers = with pkgs.lib.maintainers; [ shyim ];
|
||||
|
||||
nodes.machine = {
|
||||
virtualisation.memorySize = 2048;
|
||||
services.opensearch.enable = true;
|
||||
nodes.machine = lib.mkMerge [
|
||||
{
|
||||
virtualisation.memorySize = 2048;
|
||||
services.opensearch.enable = true;
|
||||
}
|
||||
extraSettings
|
||||
];
|
||||
|
||||
testScript = ''
|
||||
machine.start()
|
||||
machine.wait_for_unit("opensearch.service")
|
||||
machine.wait_for_open_port(9200)
|
||||
|
||||
machine.succeed(
|
||||
"curl --fail localhost:9200"
|
||||
)
|
||||
'';
|
||||
});
|
||||
in
|
||||
{
|
||||
opensearch = opensearchTest {};
|
||||
opensearchCustomPathAndUser = opensearchTest {
|
||||
extraSettings = {
|
||||
services.opensearch.dataDir = "/var/opensearch_test";
|
||||
services.opensearch.user = "open_search";
|
||||
services.opensearch.group = "open_search";
|
||||
system.activationScripts.createDirectory = {
|
||||
text = ''
|
||||
mkdir -p "/var/opensearch_test"
|
||||
chown open_search:open_search /var/opensearch_test
|
||||
chmod 0700 /var/opensearch_test
|
||||
'';
|
||||
deps = [ "users" "groups" ];
|
||||
};
|
||||
users = {
|
||||
groups.open_search = {};
|
||||
users.open_search = {
|
||||
description = "OpenSearch daemon user";
|
||||
group = "open_search";
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
machine.start()
|
||||
machine.wait_for_unit("opensearch.service")
|
||||
machine.wait_for_open_port(9200)
|
||||
|
||||
machine.succeed(
|
||||
"curl --fail localhost:9200"
|
||||
)
|
||||
'';
|
||||
})
|
||||
}
|
||||
|
@ -42,7 +42,7 @@ stdenvNoCC.mkDerivation rec {
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
passthru.tests = { inherit (nixosTests) opensearch; };
|
||||
passthru.tests = nixosTests.opensearch;
|
||||
|
||||
meta = {
|
||||
description = "Open Source, Distributed, RESTful Search Engine";
|
||||
|
Loading…
Reference in New Issue
Block a user