movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-12 12:45:27 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/postgresql: enable private /tmp & private mounts; fix wal-receiver test

Browse source 
The issue was that the old test-case used `/tmp` to share data. Using
`JoinsNamespaceOf=` wasn't a real workaround since the private `/tmp` is
recreated when a service gets stopped/started which is the case here, so
the wals were still lost.

To keep the test building with `PrivateTmp=yes`, create a dedicated
directory in `/var/cache` with tmpfiles and allow the hardened
`postgresql.service` to access it via `ReadWritePaths`.
This commit is contained in:
Maximilian Bosch 2024-09-30 17:23:10 +02:00 committed by Martin Weinelt
parent 2ebffcc4c7
commit f800d8e42b
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
2 changed files with 9 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

4
nixos/modules/services/databases/postgresql.nix
View file

@ -627,14 +627,14 @@ in
# Hardening # Hardening
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed"; DevicePolicy = "closed";
PrivateTmp = false; #breaks wal-receiver test PrivateTmp = true;
ProtectHome = true; ProtectHome = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
LockPersonality = true; LockPersonality = true;
PrivateDevices = true; PrivateDevices = true;
PrivateMounts = false; # breaks wal-receiver test PrivateMounts = true;
ProcSubset = "pid"; ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;

9
nixos/tests/postgresql-wal-receiver.nix
View file

@ -22,8 +22,8 @@ let
replicationUser = "wal_receiver_user"; replicationUser = "wal_receiver_user";
replicationSlot = "wal_receiver_slot"; replicationSlot = "wal_receiver_slot";
replicationConn = "postgresql://${replicationUser}@localhost"; replicationConn = "postgresql://${replicationUser}@localhost";
baseBackupDir = "/tmp/pg_basebackup"; baseBackupDir = "/var/cache/wals/pg_basebackup";
walBackupDir = "/tmp/pg_wal"; walBackupDir = "/var/cache/wals/pg_wal";
recoveryFile = pkgs.writeTextDir "recovery.signal" ""; recoveryFile = pkgs.writeTextDir "recovery.signal" "";
@ -32,6 +32,10 @@ let
meta.maintainers = with lib.maintainers; [ pacien ]; meta.maintainers = with lib.maintainers; [ pacien ];
nodes.machine = { ... }: { nodes.machine = { ... }: {
systemd.tmpfiles.rules = [
"d /var/cache/wals 0750 postgres postgres - -"
];
services.postgresql = { services.postgresql = {
package = pkg; package = pkg;
enable = true; enable = true;
@ -60,6 +64,7 @@ let
# This is only to speedup test, it isn't time racing. Service is set to autorestart always, # This is only to speedup test, it isn't time racing. Service is set to autorestart always,
# default 60sec is fine for real system, but is too much for a test # default 60sec is fine for real system, but is too much for a test
systemd.services.postgresql-wal-receiver-main.serviceConfig.RestartSec = lib.mkForce 5; systemd.services.postgresql-wal-receiver-main.serviceConfig.RestartSec = lib.mkForce 5;
systemd.services.postgresql.serviceConfig.ReadWritePaths = [ "/var/cache/wals" ];
}; };
testScript = '' testScript = ''