History

Oliver Schmidt e362fe9c6d security/acme: limit concurrent certificate generations fixes #232505 Implements the new option `security.acme.maxConcurrentRenewals` to limit the number of certificate generation (or renewal) jobs that can run in parallel. This avoids overloading the system resources with many certificates or running into acme registry rate limits and network timeouts. Architecture considerations: - simplicity, lightweight: Concerns have been voiced about making this already rather complex module even more convoluted. Additionally, locking solutions shall not significantly increase performance and footprint of individual job runs. To accomodate these concerns, this solution is implemented purely in Nix, bash, and using the light-weight `flock` util. To reduce complexity, jobs are already assigned their lockfile slot at system build time instead of dynamic locking and retrying. This comes at the cost of not always maxing out the permitted concurrency at runtime. - no stale locks: Limiting concurrency via locking mechanism is usually approached with semaphores. Unfortunately, both SysV as well as POSIX-Semaphores are not released when the process currently locking them is SIGKILLed. This poses the danger of stale locks staying around and certificate renewal being blocked from running altogether. `flock` locks though are released when the process holding the file descriptor of the lock file is KILLed or terminated. - lockfile generation: Lock files could either be created at build time in the Nix store or at script runtime in a idempotent manner. While the latter would be simpler to achieve, we might exceed the number of permitted concurrent runs during a system switch: Already running jobs are still locked on the existing lock files, while jobs started after the system switch will acquire locks on freshly created files, not being blocked by the still running services. For this reason, locks are generated and managed at runtime in the shared state directory `/var/lib/locks/`. nixos/security/acme: move locks to /run also, move over permission and directory management to systemd-tmpfiles nixos/security/acme: fix some linter remarks in my code there are some remarks left for existing code, not touching that nixos/security/acme: redesign script locking flow - get rid of subshell - provide function for wrapping scripts in a locked environment nixos/acme: improve visibility of blocking on locks nixos/acme: add smoke test for concurrency limitation heavily inspired by m1cr0man nixos/acme: release notes entry on new concurrency limits nixos/acme: cleanup, clarifications		2023-09-09 20:13:18 +02:00
..
doc/manual	security/acme: limit concurrent certificate generations	2023-09-09 20:13:18 +02:00
lib	Merge pull request #250318 from Artturin/copycrossfix	2023-09-06 00:37:15 +03:00
maintainers	nixos/lxd: add virtual-machine support, image and module	2023-09-03 20:06:44 -04:00
modules	security/acme: limit concurrent certificate generations	2023-09-09 20:13:18 +02:00
tests	security/acme: limit concurrent certificate generations	2023-09-09 20:13:18 +02:00
COPYING
default.nix
README.md	CONTRIBUTING.md: Move boot loader-specific sentence to pkgs/README.md	2023-08-14 19:50:02 +02:00
release-combined.nix	nixos/release-combined.nix: Build pkgs/by-name tester	2023-08-29 16:35:07 +02:00
release-small.nix	Merge pull request #209870 from amjoseph-nixpkgs/pr/stdenv/external-gcc-bootstrap	2023-04-03 08:19:03 -07:00
release.nix	Merge pull request #244093 from adamcstephens/lxd/vm	2023-09-03 22:02:54 -05:00

README.md

NixOS

NixOS is a Linux distribution based on the purely functional package management system Nix. More information can be found at https://nixos.org/nixos and in the manual in doc/manual.

Testing changes

You can add new module to your NixOS configuration file (usually it’s /etc/nixos/configuration.nix). And do sudo nixos-rebuild test -I nixpkgs=<path to your local nixpkgs folder> --fast.

Reviewing contributions

When changing the bootloader installation process, extra care must be taken. Grub installations cannot be rolled back, hence changes may break people’s installations forever. For any non-trivial change to the bootloader please file a PR asking for review, especially from @edolstra.

Module updates

Module updates are submissions changing modules in some ways. These often contains changes to the options or introduce new options.

Reviewing process:

Ensure that the module maintainers are notified.
- CODEOWNERS will make GitHub notify users based on the submitted changes, but it can happen that it misses some of the package maintainers.
Ensure that the module tests, if any, are succeeding.
Ensure that the introduced options are correct.
- Type should be appropriate (string related types differs in their merging capabilities, loaOf and string types are deprecated).
- Description, default and example should be provided.
Ensure that option changes are backward compatible.
- mkRenamedOptionModuleWith provides a way to make option changes backward compatible.
Ensure that removed options are declared with mkRemovedOptionModule
Ensure that changes that are not backward compatible are mentioned in release notes.
Ensure that documentations affected by the change is updated.

Sample template for a module update review is provided below.

##### Reviewed points

- [ ] changes are backward compatible
- [ ] removed options are declared with `mkRemovedOptionModule`
- [ ] changes that are not backward compatible are documented in release notes
- [ ] module tests succeed on ARCHITECTURE
- [ ] options types are appropriate
- [ ] options description is set
- [ ] options example is provided
- [ ] documentation affected by the changes is updated

##### Possible improvements

##### Comments

New modules

New modules submissions introduce a new module to NixOS.