movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 14:10:33 +03:00
Code Activity

cockpit: 330 -> 331

Browse source 
Signed-off-by: lucasew <lucas59356@gmail.com>
(cherry picked from commit b06a23a614)
This commit is contained in:
lucasew 2024-12-28 15:46:40 -03:00
parent dca39345b0
commit bef2bd9e17
2 changed files with 22 additions and 198 deletions
Download patch file Download diff file Expand all files Collapse all files

167
nixos/modules/services/monitoring/cockpit.nix
View file

@ -53,171 +53,8 @@ in {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
# units are in reverse sort order if you ls $out/lib/systemd/system
# all these units are basically verbatim translated from upstream
# Translation from $out/lib/systemd/system/systemd-cockpithttps.slice
systemd.slices.system-cockpithttps = {
description = "Resource limits for all cockpit-ws-https@.service instances";
sliceConfig = {
TasksMax = 200;
MemoryHigh = "75%";
MemoryMax = "90%";
};
};
# Translation from $out/lib/systemd/system/cockpit-wsinstance-https@.socket
systemd.sockets."cockpit-wsinstance-https@" = {
unitConfig = {
Description = "Socket for Cockpit Web Service https instance %I";
BindsTo = [ "cockpit.service" "cockpit-wsinstance-https@%i.service" ];
# clean up the socket after the service exits, to prevent fd leak
# this also effectively prevents a DoS by starting arbitrarily many sockets, as
# the services are resource-limited by system-cockpithttps.slice
Documentation = "man:cockpit-ws(8)";
};
socketConfig = {
ListenStream = "/run/cockpit/wsinstance/https@%i.sock";
SocketUser = "root";
SocketMode = "0600";
};
};
# Translation from $out/lib/systemd/system/cockpit-wsinstance-https@.service
systemd.services."cockpit-wsinstance-https@" = {
description = "Cockpit Web Service https instance %I";
bindsTo = [ "cockpit.service"];
path = [ cfg.package ];
documentation = [ "man:cockpit-ws(8)" ];
serviceConfig = {
Slice = "system-cockpithttps.slice";
ExecStart = "${cfg.package}/libexec/cockpit-ws --for-tls-proxy --port=0";
User = "root";
Group = "";
};
};
# Translation from $out/lib/systemd/system/cockpit-wsinstance-http.socket
systemd.sockets.cockpit-wsinstance-http = {
unitConfig = {
Description = "Socket for Cockpit Web Service http instance";
BindsTo = "cockpit.service";
Documentation = "man:cockpit-ws(8)";
};
socketConfig = {
ListenStream = "/run/cockpit/wsinstance/http.sock";
SocketUser = "root";
SocketMode = "0600";
};
};
# Translation from $out/lib/systemd/system/cockpit-wsinstance-https-factory.socket
systemd.sockets.cockpit-wsinstance-https-factory = {
unitConfig = {
Description = "Socket for Cockpit Web Service https instance factory";
BindsTo = "cockpit.service";
Documentation = "man:cockpit-ws(8)";
};
socketConfig = {
ListenStream = "/run/cockpit/wsinstance/https-factory.sock";
Accept = true;
SocketUser = "root";
SocketMode = "0600";
};
};
# Translation from $out/lib/systemd/system/cockpit-wsinstance-https-factory@.service
systemd.services."cockpit-wsinstance-https-factory@" = {
description = "Cockpit Web Service https instance factory";
documentation = [ "man:cockpit-ws(8)" ];
path = [ cfg.package ];
serviceConfig = {
ExecStart = "${cfg.package}/libexec/cockpit-wsinstance-factory";
User = "root";
};
};
# Translation from $out/lib/systemd/system/cockpit-wsinstance-http.service
systemd.services."cockpit-wsinstance-http" = {
description = "Cockpit Web Service http instance";
bindsTo = [ "cockpit.service" ];
path = [ cfg.package ];
documentation = [ "man:cockpit-ws(8)" ];
serviceConfig = {
ExecStart = "${cfg.package}/libexec/cockpit-ws --no-tls --port=0";
User = "root";
Group = "";
};
};
# Translation from $out/lib/systemd/system/cockpit.socket
systemd.sockets."cockpit" = {
unitConfig = {
Description = "Cockpit Web Service Socket";
Documentation = "man:cockpit-ws(8)";
Wants = "cockpit-motd.service";
};
socketConfig = {
ListenStream = cfg.port;
ExecStartPost = [
"-${cfg.package}/share/cockpit/motd/update-motd \"\" localhost"
"-${pkgs.coreutils}/bin/ln -snf active.motd /run/cockpit/motd"
];
ExecStopPost = "-${pkgs.coreutils}/bin/ln -snf inactive.motd /run/cockpit/motd";
};
wantedBy = [ "sockets.target" ];
};
# Translation from $out/lib/systemd/system/cockpit.service
systemd.services."cockpit" = {
description = "Cockpit Web Service";
documentation = [ "man:cockpit-ws(8)" ];
restartIfChanged = true;
path = with pkgs; [ coreutils cfg.package ];
requires = [ "cockpit.socket" "cockpit-wsinstance-http.socket" "cockpit-wsinstance-https-factory.socket" ];
after = [ "cockpit-wsinstance-http.socket" "cockpit-wsinstance-https-factory.socket" ];
environment = {
G_MESSAGES_DEBUG = "cockpit-ws,cockpit-bridge";
};
serviceConfig = {
RuntimeDirectory="cockpit/tls";
ExecStartPre = [
# cockpit-tls runs in a more constrained environment, these + means that these commands
# will run with full privilege instead of inside that constrained environment
# See https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart= for details
"+${cfg.package}/libexec/cockpit-certificate-ensure --for-cockpit-tls"
];
ExecStart = "${cfg.package}/libexec/cockpit-tls";
User = "root";
Group = "";
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
MemoryDenyWriteExecute = true;
};
};
# Translation from $out/lib/systemd/system/cockpit-motd.service
# This part basically implements a motd state machine:
# - If cockpit.socket is enabled then /run/cockpit/motd points to /run/cockpit/active.motd
# - If cockpit.socket is disabled then /run/cockpit/motd points to /run/cockpit/inactive.motd
# - As cockpit.socket is disabled by default, /run/cockpit/motd points to /run/cockpit/inactive.motd
# /run/cockpit/active.motd is generated dynamically by cockpit-motd.service
systemd.services."cockpit-motd" = {
path = with pkgs; [ nettools ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${cfg.package}/share/cockpit/motd/update-motd";
};
description = "Cockpit motd updater service";
documentation = [ "man:cockpit-ws(8)" ];
wants = [ "network.target" ];
after = [ "network.target" "cockpit.socket" ];
};
systemd.packages = [ cfg.package ];
systemd.sockets.cockpit.wantedBy = [ "multi-user.target" ];
systemd.tmpfiles.rules = [ # From $out/lib/tmpfiles.d/cockpit-tmpfiles.conf
"C /run/cockpit/inactive.motd 0640 root root - ${cfg.package}/share/cockpit/motd/inactive.motd"

53
pkgs/by-name/co/cockpit/package.nix
View file

@ -39,7 +39,7 @@
stdenv.mkDerivation rec {
pname = "cockpit";
version = "328";
version = "331";
src = fetchFromGitHub {
owner = "cockpit-project";
@ -104,12 +104,13 @@ stdenv.mkDerivation rec {
test/common/pixel-tests \
test/common/run-tests \
test/common/tap-cdp \
test/static-code \
tools/escape-to-c \
tools/make-compile-commands \
tools/node-modules \
tools/termschutz \
tools/webpack-make.js
tools/webpack-make.js \
tools/test-driver \
test/common/static-code
for f in node_modules/.bin/*; do
patchShebangs $(realpath $f)
@ -129,10 +130,16 @@ stdenv.mkDerivation rec {
substituteInPlace src/common/Makefile-common.am \
--replace 'TEST_PROGRAM += test-pipe' "" # skip test-pipe because it hangs the build
substituteInPlace src/ws/Makefile-ws.am \
--replace 'TEST_PROGRAM += test-compat' ""
substituteInPlace test/pytest/*.py \
--replace "'bash" "'${bashInteractive}/bin/bash"
echo "m4_define(VERSION_NUMBER, [${version}])" > version.m4
# hardcode libexecdir, I am assuming that cockpit only use it to find it's binaries
printf 'def get_libexecdir() -> str:\n\treturn "%s"' "$out/libexec" >> src/cockpit/packages.py
'';
configureFlags = [
@ -140,34 +147,15 @@ stdenv.mkDerivation rec {
"--disable-pcp" # TODO: figure out how to package its dependency
"--with-default-session-path=/run/wrappers/bin:/run/current-system/sw/bin"
"--with-admin-group=root" # TODO: really? Maybe "wheel"?
"--enable-old-bridge=yes"
];
enableParallelBuilding = true;
preBuild = ''
patchShebangs \
tools/test-driver
'';
postBuild = ''
chmod +x \
src/systemd/update-motd \
src/tls/cockpit-certificate-helper \
src/ws/cockpit-desktop
patchShebangs \
src/systemd/update-motd \
src/tls/cockpit-certificate-helper \
src/ws/cockpit-desktop
substituteInPlace src/ws/cockpit-desktop \
--replace ' /bin/bash' ' ${runtimeShell}'
'';
fixupPhase = ''
runHook preFixup
patchShebangs $out/libexec/*
wrapProgram $out/libexec/cockpit-certificate-helper \
--prefix PATH : ${
lib.makeBinPath [
@ -177,9 +165,6 @@ stdenv.mkDerivation rec {
} \
--run 'cd $(mktemp -d)'
wrapProgram $out/share/cockpit/motd/update-motd \
--prefix PATH : ${lib.makeBinPath [ gnused ]}
wrapProgram $out/bin/cockpit-bridge \
--prefix PYTHONPATH : $out/${python3Packages.python.sitePackages}
@ -189,29 +174,31 @@ stdenv.mkDerivation rec {
substituteInPlace $out/share/polkit-1/actions/org.cockpit-project.cockpit-bridge.policy \
--replace-fail /usr $out
substituteInPlace $out/lib/systemd/*/* \
--replace /bin /run/current-system/sw/bin
runHook postFixup
'';
doCheck = true;
checkInputs = [
bashInteractive
cacert
dbus
glib-networking
openssh
python3Packages.pytest
python3Packages.pytestCheckHook
];
checkPhase = ''
preCheck = ''
export GIO_EXTRA_MODULES=$GIO_EXTRA_MODULES:${glib-networking}/lib/gio/modules
export G_DEBUG=fatal-criticals
export G_MESSAGES_DEBUG=cockpit-ws,cockpit-wrapper,cockpit-bridge
export PATH=$PATH:$(pwd)
make pytest -j$NIX_BUILD_CORES || true
# make pytest -j$NIX_BUILD_CORES || true
make check -j$NIX_BUILD_CORES || true
test/static-code
npm run eslint
npm run stylelint || true
npm run stylelint
'';
passthru = {