Version 257.1 of systemd changed[1] the PrivateTmp setting for the
systemd-timesyncd service from "yes" to "disconnected", which broke our
systemd-timesyncd test.
The reason for this is because the systemd-tmpfiles-setup.service is
*only*[2] added as a dependency of systemd-timesyncd.service if
PrivateTmp is set to "yes" but not when it is set to "disconnected"
(which would make sense given that the tmpfiles.d mechanism was
originally designed for temporary files).
Commit 339a866b7c switched the activation
script to using systemd-tmpfiles, but the commit in question doesn't
provide an explanation why this was necessary in this particular case.
However the pull request[3] lists an ongoing effort to get rid of Perl
and in the future get also rid of BASH for activation. The reasons for
doing this are outlined in the document[4]:
> The simple presence of interpreters on a system pose a security risk.
> An attacker that gains access to a system can abuse them to execute
> arbitrary commands. Mitre lists this as technique T1059. The most
> radical yet simple solution to mitigate this exploit is to remove all
> interpreters from a system (Mitre M1042). This radical solution is
> only really feasible and/or interesting for appliances (i.e.
> non-interactive) systems. Especially for high-security solutions this
> mitigtation is interesting.
I personally don't think this is a very compelling reason, at least for
our activation scripts, since an attacker could simply drop an
executable binary. Nevertheless, getting rid of additional dependencies
on eg. Perl or BASH is something worth pursuing to trim down moving
parts.
To address this, I decided to implement this as a normal systemd service
unit, since we need to guarantee that it's started before
systemd-timesyncd.service and with a dedicated unit we can ensure
explicit ordering. This has the advantage that we don't interfere with
the effort of getting rid of Perl/BASH for activation/boot and also
don't risk running into race conditions (again) because it's very
unlikely that systemd will change/deprecate explicit unit ordering in
the near future.
[1]: 1f6e192848
[2]: 30675a6ee9/src/core/unit.c (L1274)
[3]: https://github.com/NixOS/nixpkgs/pull/263203
[4]: https://pad.lassul.us/nixos-perlless-activation
Signed-off-by: aszlig <aszlig@nix.build>
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
Somewhen between systemd v239 and v242 upstream decided to no longer run
a few system services with `DyanmicUser=1` but failed to provide a
migration path for all the state those services left behind.
For the case of systemd-timesync the state has to be moved from
/var/lib/private/systemd/timesync to /var/lib/systemd/timesync if
/var/lib/systemd/timesync is currently a symlink.
We only do this if the stateVersion is still below 19.09 to avoid
starting to have an ever growing activation script for (then) ancient
systemd migrations that are no longer required.
See https://github.com/systemd/systemd/issues/12131 for details about
the missing migration path and related discussion.
