NixOS systemd - Public Room Timeline

	NixOS systemd	614 Members
	NixOS ❤️ systemd	164 Servers

Load older messages

Sender	Message	Time
19 Aug 2021
andi-	I am thinking: why all the manual confinement code that we have if there is that. E.g. if I point it at /nix/store/....-nginx that contains the minimal required dirs	18:16:24
andi-	And then tmpfiles + bindmount + state dir/logdir/...	18:16:45
aanderse	andi-: sounds like some fun experiments	22:51:16
20 Aug 2021
andi-	Running my systems on v249 now. Can't say things are any different than before.	09:00:54
princemachiavelli	Looking forward to v249, hopefully systemd-cryptenroll makes TPM unlocking LUKs drives a bit simpler.	16:20:40
21 Aug 2021
andi-	That will still require some work. I haven't actually looked at any of the new features. It is already enough to try to keep things running.	11:42:39
andi-	That being said I also have a few local patches around resolved and enabling DNS-over-TLS etc..	11:43:07
andi-	things we just don't allow right now	11:43:13
Arian	Yeh TPM won't work yet. We haven't enabled it in the default config. For TPM root partitions we need systemd-initrd. Which we don't have yet	12:00:13
Arian	So you could only use it to mount secondary partitions	12:00:23
andi-	what do you mean with TPM root partitions?	12:10:15
andi-	FWIW there is currently an open PR that adds TPM luks decryption to NixOS. I haven't looked in detail but that should work for root partitions.	12:11:14
Arian	As in. If you want to unlock your root partitions with the systemd-cryptenroll stuff you need systemd in initrd	12:23:01
andi-	I would be thinking about this systemd tpm integration more positively if they wouldn't use those weird user space bindings...	13:08:45
Arian	What do you mean?	13:18:01
Arian	Tpm2-tss?	13:18:08
andi-	yeah	13:20:07
andi-	supposedly the code is mostly generated from the spec yet it feels a bit clunky and their approach to testing breaks if run on ZFS for random reasons...	13:21:46
22 Aug 2021
andi-	If `coccinelle` wouldn't be written in OCaml (but e.g. C) I'd pull it into our systemd build to replace the hacky sed-based dlopen replacement... :(	11:02:31
Arian	Yeh that sucks	11:39:09
andi-	And even then coccinelle doesn't support the C extensions used by systemd:	11:46:56
andi-	* And even then coccinelle doesn't support the C extensions used by systemd: `bad: int dlopen_idn(void) { BAD:!!!!! _cleanup_(dlclosep) void *dl = NULL;`	11:47:01
andi-	So I thought about writing an "updater" that would produce a patch that replaced all of the unhandled locations with something that we can grep for later an but since `_cleanup_` isn't properly recognized that doesn't work. I don't feel like writing multi-line regex that are aware of the C cornercases..	11:48:27
andi-	* So I thought about writing an "updater" that would produce a patch that replaced all of the unhandled locations with something that we can grep for later but since `_cleanup_` isn't properly recognized that doesn't work. I don't feel like writing multi-line regex that are aware of the C cornercases..	11:51:30
andi-	Supporting libbpf requires clangd in the build environment.. Soon we will have another dependency cycle...	12:29:35
andi-	And even then it doesn't work: FAILED: src/core/bpf/socket_bind/socket-bind.skel.h /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h libbpf: elf: socket_bind_bpf is not a valid eBPF object file Error: failed to open BPF object file: BPF object format invalid Traceback (most recent call last): File "/build/source/tools/build-bpf-skel.py", line 128, in <module> bpf_build(args) File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build gen_bpf_skeleton(bpftool_exec=args.bpftool_exec, File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton skel = subprocess.check_output(bpftool_args, universal_newlines=True) File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output return run(*popenargs, stdout=PIPE, timeout=timeout, check=True, File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255. [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut) ninja: build stopped: subcommand failed. builder for '/nix/store/av7jszj1jsdv5hvg75am7s32b50s1qvc-systemd-249.3.drv' failed with exit code 1 error: build of '/nix/store/av7jszj1jsdv5hvg75am7s32b50s1qvc-systemd-249.3.drv' failed I'll skip this for now.	12:52:24
andi-	A good example of a waaaay too complex test setup for actual debugging a test without having written it is this: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/systemd-confinement.nix	13:25:41
andi-	Also relies on side-effects of the previous test executing such that the shell script actually does the right thing..	13:26:28
andi-	* Also relies on side-effects of the previous test execution such that the shell script actually does the right thing..	13:26:52
andi-	Most underrated systemd debug tool: systemd-nspawn. Just ptrace that instead of your (VMs) pid 1.	15:37:41

Show newer messages

Back to Room ListRoom Version: 6