nixos/slurm: fix dbdserver config file handling
Since slurm-20.11.0.1 the dbd server requires slurmdbd.conf to be in mode 600 to protect the database password. This change creates slurmdbd.conf on the fly at service startup and thus prevents the database password from ending up in the nix store.
This commit is contained in:
parent
f074e879fd
commit
5df0cf7461
|
@ -278,6 +278,15 @@
|
|||
<xref linkend="opt-services.privoxy.enableTor" /> = true;
|
||||
</programlisting>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The options <literal>services.slurm.dbdserver.storagePass</literal>
|
||||
and <literal>services.slurm.dbdserver.configFile</literal> have been removed.
|
||||
Use <literal>services.slurm.dbdserver.storagePassFile</literal> instead to provide the database password.
|
||||
Extra config options can be given via the option <literal>services.slurm.dbdserver.extraConfig</literal>. The actual configuration file is created on the fly on startup of the service.
|
||||
This avoids that the password gets exposed in the nix store.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
|
|
@ -34,13 +34,12 @@ let
|
|||
${cfg.extraCgroupConfig}
|
||||
'';
|
||||
|
||||
slurmdbdConf = pkgs.writeTextDir "slurmdbd.conf"
|
||||
slurmdbdConf = pkgs.writeText "slurmdbd.conf"
|
||||
''
|
||||
DbdHost=${cfg.dbdserver.dbdHost}
|
||||
SlurmUser=${cfg.user}
|
||||
StorageType=accounting_storage/mysql
|
||||
StorageUser=${cfg.dbdserver.storageUser}
|
||||
${optionalString (cfg.dbdserver.storagePass != null) "StoragePass=${cfg.dbdserver.storagePass}"}
|
||||
${cfg.dbdserver.extraConfig}
|
||||
'';
|
||||
|
||||
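Review bot: The `slurmdbdConf` literal at `slurmdbdConf = pkgs.writeText "slurmdbd.conf"` has no comment explaining why the `StoragePass` line was dropped from it, so a later maintainer may put a secret back into this interpolation. A one-line comment above it would make the invariant explicit, e.g. `# Lands in the world-readable nix store: never interpolate secrets here, they are appended to the runtime copy in preStart.` The enclosing `let` block starts outside the hunk.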
|
@ -95,26 +94,12 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
storagePass = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
storagePassFile = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
Database password. Note that this password will be publicable
|
||||
readable in the nix store. Use <option>configFile</option>
|
||||
to store the and config file and password outside the nix store.
|
||||
'';
|
||||
};
|
||||
|
||||
configFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to <literal>slurmdbd.conf</literal>. The password for the database connection
|
||||
is stored in the config file. Use this option to specfify a path
|
||||
outside the nix store. If this option is unset a configuration file
|
||||
will be generated. See also:
|
||||
<citerefentry><refentrytitle>slurmdbd.conf</refentrytitle>
|
||||
<manvolnum>8</manvolnum></citerefentry>.
|
||||
Path to file with database password. The content of this will be used to
|
||||
create the password for the <literal>StoragePass</literal> option.
|
||||
'';
|
||||
};
|
||||
|
||||
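Review bot: The `storagePassFile` description does not say that the value has to be a string, although the option is deliberately typed `nullOr str` rather than `path`; the reason is that a Nix path value would be copied into the store by the evaluator, which is exactly what this commit is trying to avoid. I would add a sentence such as `Give the path as a string (e.g. "/etc/slurm/dbd.pass"), not as a path literal, so that the file is read only at service start and never copied into the nix store.` The first sentence also reads better as `The content of this file will be used as the value of the <literal>StoragePass</literal> option.` The enclosing `dbdserver` option set continues outside the hunk.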
|
@ -122,7 +107,9 @@ in
|
|||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Extra configuration for <literal>slurmdbd.conf</literal>
|
||||
Extra configuration for <literal>slurmdbd.conf</literal> See also:
|
||||
<citerefentry><refentrytitle>slurmdbd.conf</refentrytitle>
|
||||
<manvolnum>8</manvolnum></citerefentry>.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
@ -292,6 +279,16 @@ in
|
|||
|
||||
};
|
||||
|
||||
imports = [
|
||||
(mkRemovedOptionModule [ "services" "slurm" "dbdserver" "storagePass" ] ''
|
||||
This option has been removed so that the database password is not exposed via the nix store.
|
||||
Use services.slurm.dbdserver.storagePassFile to provide the database password.
|
||||
'')
|
||||
(mkRemovedOptionModule [ "services" "slurm" "dbdserver" "configFile" ] ''
|
||||
This option has been removed. Use services.slurm.dbdserver.storagePassFile
|
||||
and services.slurm.dbdserver.extraConfig instead.
|
||||
'')
|
||||
];
|
||||
|
||||
###### implementation
|
||||
|
||||
|
@ -386,23 +383,34 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
systemd.services.slurmdbd = mkIf (cfg.dbdserver.enable) {
|
||||
systemd.services.slurmdbd = let
|
||||
# slurm strips the last component off the path
|
||||
configPath = "$RUNTIME_DIRECTORY/slurmdbd.conf";
|
||||
in mkIf (cfg.dbdserver.enable) {
|
||||
path = with pkgs; [ wrappedSlurm munge coreutils ];
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" "munged.service" "mysql.service" ];
|
||||
requires = [ "munged.service" "mysql.service" ];
|
||||
|
||||
# slurm strips the last component off the path
|
||||
environment.SLURM_CONF =
|
||||
if (cfg.dbdserver.configFile == null) then
|
||||
"${slurmdbdConf}/slurm.conf"
|
||||
else
|
||||
cfg.dbdserver.configFile;
|
||||
preStart = ''
|
||||
cp ${slurmdbdConf} ${configPath}
|
||||
chmod 600 ${configPath}
|
||||
chown ${cfg.user} ${configPath}
|
||||
${optionalString (cfg.dbdserver.storagePassFile != null) ''
|
||||
echo "StoragePass=$(cat ${cfg.dbdserver.storagePassFile})" \
|
||||
>> ${configPath}
|
||||
''}
|
||||
'';
|
||||
|
||||
script = ''
|
||||
export SLURM_CONF=${configPath}
|
||||
exec ${cfg.package}/bin/slurmdbd -D
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
ExecStart = "${cfg.package}/bin/slurmdbd";
|
||||
RuntimeDirectory = "slurmdbd";
|
||||
Type = "simple";
|
||||
PIDFile = "/run/slurmdbd.pid";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
};
|
||||
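Review bot: A missing or unreadable storagePassFile does not stop the service in the added preStart: in `echo "StoragePass=$(cat ${cfg.dbdserver.storagePassFile})" >> ${configPath}` the exit status is that of `echo`, so `cat` failing silently writes `StoragePass=` with an empty password and slurmdbd starts anyway. Reading the file into a variable first, `pass=$(cat ${cfg.dbdserver.storagePassFile})` followed by `echo "StoragePass=$pass" >> ${configPath}`, lets the `set -e` that NixOS puts in front of preStart abort the start on the failed assignment. The `cp`/`chmod`/`chown` triple can be collapsed to `install -m 600 -o ${cfg.user} ${slurmdbdConf} ${configPath}`, which never creates the runtime copy with the store's world-readable mode, and `RuntimeDirectoryMode = "0700";` in serviceConfig would keep /run/slurmdbd itself private as well. The moved comment `# slurm strips the last component off the path` now sits above `configPath` and would be clearer as `# slurmdbd looks for slurmdbd.conf in the directory of SLURM_CONF, hence this name inside the runtime dir`.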
|
|
|
@ -86,14 +86,16 @@ in {
|
|||
|
||||
dbd =
|
||||
{ pkgs, ... } :
|
||||
{
|
||||
let
|
||||
passFile = pkgs.writeText "dbdpassword" "password123";
|
||||
in {
|
||||
networking.firewall.enable = false;
|
||||
systemd.tmpfiles.rules = [
|
||||
"f /etc/munge/munge.key 0400 munge munge - mungeverryweakkeybuteasytointegratoinatest"
|
||||
];
|
||||
services.slurm.dbdserver = {
|
||||
enable = true;
|
||||
storagePass = "password123";
|
||||
storagePassFile = "${passFile}";
|
||||
};
|
||||
services.mysql = {
|
||||
enable = true;
|
||||
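Review bot: The test node now feeds the password via `passFile`, but nothing in this hunk shows that the testScript checks the behaviour the commit is about, namely that the runtime copy of slurmdbd.conf is mode 600 and contains the password read from the file; the testScript lies outside the hunk, so this may already be covered. If it is not, an assertion on the `dbd` node such as `dbd.succeed("test \"$(stat -c %a /run/slurmdbd/slurmdbd.conf)\" = 600")` together with a grep for `StoragePass=password123` in that file would pin both the permission and the append step. `pkgs.writeText "dbdpassword" "password123"` deliberately places the test password in the store; a short comment saying this is acceptable only because it is a test fixture would stop it being copied as a pattern.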
|
|