nixos/munge: run munge as user munge instead of root. (#41509)

* Added a note in release notes (incompatibilities) * Adapt slurm test * Change user to munge in service.munge
2018-06-09 00:50:28 +02:00 · 2018-06-09 00:50:28 +02:00 · 96af022af5
parent b22c1b7994
commit 96af022af5
3 changed files with 22 additions and 1 deletions
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@ -121,6 +121,12 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
     <literal>gnucash24</literal>.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     <varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root.
+     Make sure the key file is accessible to the daemon.
+    </para>
+   </listitem>
  </itemizedlist>
 </section>

--- a/nixos/modules/services/security/munge.nix
+++ b/nixos/modules/services/security/munge.nix
@ -35,7 +35,15 @@ in

    environment.systemPackages = [ pkgs.munge ];

-    systemd.services.munged = { 
+    users.users.munge = {
+      description   = "Munge daemon user";
+      isSystemUser  = true;
+      group         = "munge";
+    };
+
+    users.groups.munge = {};
+
+    systemd.services.munged = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

@ -44,14 +52,20 @@ in
      preStart = ''
        chmod 0700 ${cfg.password}
        mkdir -p /var/lib/munge -m 0711
+        chown -R munge:munge /var/lib/munge
        mkdir -p /var/log/munge -m 0700
+        chown -R munge:munge /var/log/munge
        mkdir -p /run/munge -m 0755
+        chown -R munge:munge /run/munge
      '';

      serviceConfig = {
        ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}";
        PIDFile = "/run/munge/munged.pid";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        PermissionsStartOnly = "true";
+        User = "munge";
+        Group = "munge";
      };

    };
--- a/nixos/tests/slurm.nix
+++ b/nixos/tests/slurm.nix
@ -61,6 +61,7 @@ in {
    $node->succeed("mkdir /etc/munge");
    $node->succeed("echo '${mungekey}' > /etc/munge/munge.key");
    $node->succeed("chmod 0400 /etc/munge/munge.key");
+    $node->succeed("chown munge:munge /etc/munge/munge.key");
    $node->succeed("systemctl restart munged");
  }