nixpkgs/nixos/modules/virtualisation/google-compute-image.nix
c74d a4ac5506f5 google-compute-image: fix Yama LSM option conflict
Having fixed the Google Compute Engine image build process's copying
of store paths in PR #24264, I ran `nixos-rebuild --upgrade switch`...
and the GCE image broke again, because it sets the NixOS configuration
option for the sysctl variable `kernel.yama.ptrace_scope` to
`mkDefault "1"`, i.e., with override priority 1000, and now the
`sysctl` module sets the same option to `mkDefault "0"` (this was
changed in commit 86721a5f78).

This patch raises the override priority of the Google Compute Engine
image configuration's definition of the Yama sysctl option to 500
(still lower than the priority of an unmodified option definition).

I have tested that this patch allows the Google Compute Engine image
to again build successfully for me.
2017-03-26 21:09:58 +02:00

272 lines
9.7 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
diskSize = "100G";
in
{
imports = [ ../profiles/headless.nix ../profiles/qemu-guest.nix ];
# https://cloud.google.com/compute/docs/tutorials/building-images
networking.firewall.enable = mkDefault false;
system.build.googleComputeImage =
pkgs.vmTools.runInLinuxVM (
pkgs.runCommand "google-compute-image"
{ preVM =
''
mkdir $out
diskImage=$out/$diskImageBase
truncate $diskImage --size ${diskSize}
mv closure xchg/
'';
postVM =
''
PATH=$PATH:${pkgs.stdenv.lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]}
pushd $out
mv $diskImageBase disk.raw
tar -Szcf $diskImageBase.tar.gz disk.raw
rm $out/disk.raw
popd
'';
diskImageBase = "nixos-image-${config.system.nixosLabel}-${pkgs.stdenv.system}.raw";
buildInputs = [ pkgs.utillinux pkgs.perl ];
exportReferencesGraph =
[ "closure" config.system.build.toplevel ];
}
''
# Create partition table
${pkgs.parted}/sbin/parted /dev/vda mklabel msdos
${pkgs.parted}/sbin/parted /dev/vda mkpart primary ext4 1 ${diskSize}
${pkgs.parted}/sbin/parted /dev/vda print
. /sys/class/block/vda1/uevent
mknod /dev/vda1 b $MAJOR $MINOR
# Create an empty filesystem and mount it.
${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda1
${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1
mkdir /mnt
mount /dev/vda1 /mnt
# The initrd expects these directories to exist.
mkdir /mnt/dev /mnt/proc /mnt/sys
mount --bind /proc /mnt/proc
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
# Copy all paths in the closure to the filesystem.
storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
mkdir -p /mnt/nix/store
echo "copying everything (will take a while)..."
${pkgs.rsync}/bin/rsync -a $storePaths /mnt/nix/store/
# Register the paths in the Nix database.
printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
# Create the system profile to allow nixos-rebuild to work.
chroot /mnt ${config.nix.package.out}/bin/nix-env \
-p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \
--option build-users-group ""
# `nixos-rebuild' requires an /etc/NIXOS.
mkdir -p /mnt/etc
touch /mnt/etc/NIXOS
# `switch-to-configuration' requires a /bin/sh
mkdir -p /mnt/bin
ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
# Install a configuration.nix.
mkdir -p /mnt/etc/nixos /mnt/boot/grub
cp ${./google-compute-config.nix} /mnt/etc/nixos/configuration.nix
# Generate the GRUB menu.
ln -s vda /dev/sda
chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
umount /mnt/proc /mnt/dev /mnt/sys
umount /mnt
''
);
fileSystems."/".label = "nixos";
boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
boot.initrd.kernelModules = [ "virtio_scsi" ];
boot.kernelModules = [ "virtio_pci" "virtio_net" ];
# Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd.
boot.loader.grub.device = "/dev/sda";
boot.loader.timeout = 0;
# Don't put old configurations in the GRUB menu. The user has no
# way to select them anyway.
boot.loader.grub.configurationLimit = 0;
# Allow root logins only using the SSH key that the user specified
# at instance creation time.
services.openssh.enable = true;
services.openssh.permitRootLogin = "prohibit-password";
services.openssh.passwordAuthentication = mkDefault false;
# Force getting the hostname from Google Compute.
networking.hostName = mkDefault "";
# Always include cryptsetup so that NixOps can use it.
environment.systemPackages = [ pkgs.cryptsetup ];
# Configure default metadata hostnames
networking.extraHosts = ''
169.254.169.254 metadata.google.internal metadata
'';
networking.timeServers = [ "metadata.google.internal" ];
networking.usePredictableInterfaceNames = false;
systemd.services.fetch-ssh-keys =
{ description = "Fetch host keys and authorized_keys for root user";
wantedBy = [ "sshd.service" ];
before = [ "sshd.service" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'";
mktemp = "mktemp --tmpdir=/run"; in
''
# When dealing with cryptographic keys, we want to keep things private.
umask 077
# Don't download the SSH key if it has already been downloaded
if ! [ -s /root/.ssh/authorized_keys ]; then
echo "obtaining SSH key..."
mkdir -m 0700 -p /root/.ssh
AUTH_KEYS=$(${mktemp})
${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys
if [ -s $AUTH_KEYS ]; then
KEY_PUB=$(${mktemp})
cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB
if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then
cat $KEY_PUB >> /root/.ssh/authorized_keys
echo "New key added to authorized_keys."
fi
chmod 600 /root/.ssh/authorized_keys
rm -f $KEY_PUB
else
echo "Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed."
false
fi
rm -f $AUTH_KEYS
fi
countKeys=0
${flip concatMapStrings config.services.openssh.hostKeys (k :
let kName = baseNameOf k.path; in ''
PRIV_KEY=$(${mktemp})
echo "trying to obtain SSH private host key ${kName}"
${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :
if [ $? -eq 0 -a -s $PRIV_KEY ]; then
countKeys=$((countKeys+1))
mv -f $PRIV_KEY ${k.path}
echo "Downloaded ${k.path}"
chmod 600 ${k.path}
${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub
chmod 644 ${k.path}.pub
else
echo "Downloading http://metadata.google.internal/0.1/meta-data/attributes/${kName} failed."
fi
rm -f $PRIV_KEY
''
)}
if [[ $countKeys -le 0 ]]; then
echo "failed to obtain any SSH private host keys."
false
fi
'';
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
serviceConfig.StandardError = "journal+console";
serviceConfig.StandardOutput = "journal+console";
};
# Setings taken from https://cloud.google.com/compute/docs/tutorials/building-images#providedkernel
boot.kernel.sysctl = {
# enables syn flood protection
"net.ipv4.tcp_syncookies" = mkDefault "1";
# ignores source-routed packets
"net.ipv4.conf.all.accept_source_route" = mkDefault "0";
# ignores source-routed packets
"net.ipv4.conf.default.accept_source_route" = mkDefault "0";
# ignores ICMP redirects
"net.ipv4.conf.all.accept_redirects" = mkDefault "0";
# ignores ICMP redirects
"net.ipv4.conf.default.accept_redirects" = mkDefault "0";
# ignores ICMP redirects from non-GW hosts
"net.ipv4.conf.all.secure_redirects" = mkDefault "1";
# ignores ICMP redirects from non-GW hosts
"net.ipv4.conf.default.secure_redirects" = mkDefault "1";
# don't allow traffic between networks or act as a router
"net.ipv4.ip_forward" = mkDefault "0";
# don't allow traffic between networks or act as a router
"net.ipv4.conf.all.send_redirects" = mkDefault "0";
# don't allow traffic between networks or act as a router
"net.ipv4.conf.default.send_redirects" = mkDefault "0";
# reverse path filtering - IP spoofing protection
"net.ipv4.conf.all.rp_filter" = mkDefault "1";
# reverse path filtering - IP spoofing protection
"net.ipv4.conf.default.rp_filter" = mkDefault "1";
# ignores ICMP broadcasts to avoid participating in Smurf attacks
"net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
# ignores bad ICMP errors
"net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
# logs spoofed, source-routed, and redirect packets
"net.ipv4.conf.all.log_martians" = mkDefault "1";
# log spoofed, source-routed, and redirect packets
"net.ipv4.conf.default.log_martians" = mkDefault "1";
# implements RFC 1337 fix
"net.ipv4.tcp_rfc1337" = mkDefault "1";
# randomizes addresses of mmap base, heap, stack and VDSO page
"kernel.randomize_va_space" = mkDefault "2";
# provides protection from ToCToU races
"fs.protected_hardlinks" = mkDefault "1";
# provides protection from ToCToU races
"fs.protected_symlinks" = mkDefault "1";
# makes locating kernel addresses more difficult
"kernel.kptr_restrict" = mkDefault "1";
# set ptrace protections
"kernel.yama.ptrace_scope" = mkOverride 500 "1";
# set perf only available to root
"kernel.perf_event_paranoid" = mkDefault "2";
};
}