public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #30312 from florianjacob/locatedb-fix-systemd-path-capabilities

Browse Source 
locatedb: fix startup fail due to systemd path capabilities
This commit is contained in:
Jörg Thalheim 2017-10-11 14:59:13 +01:00 committed by GitHub
commit 659c7484d1
1 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
nixos/modules/misc/locate.nix
View File

@ -125,13 +125,16 @@ in {
warnings = optional (isMLocate && cfg.localuser != null) "mlocate does not support searching as user other than root" warnings = optional (isMLocate && cfg.localuser != null) "mlocate does not support searching as user other than root"
++ optional (isFindutils && cfg.pruneNames != []) "findutils locate does not support pruning by directory component" ++ optional (isFindutils && cfg.pruneNames != []) "findutils locate does not support pruning by directory component"
++ optional (isFindutils && cfg.pruneBindMounts) "findutils locate does not support skipping bind mounts"; ++ optional (isFindutils && cfg.pruneBindMounts) "findutils locate does not support skipping bind mounts";
# directory creation needs to be separated from main service
# because ReadWritePaths fails when the directory doesn't already exist
systemd.tmpfiles.rules = [ "d ${dirOf cfg.output} 0755 root root -" ];
systemd.services.update-locatedb = systemd.services.update-locatedb =
{ description = "Update Locate Database"; { description = "Update Locate Database";
path = mkIf (!isMLocate) [ pkgs.su ]; path = mkIf (!isMLocate) [ pkgs.su ];
script = script =
'' ''
mkdir -m 0755 -p ${dirOf cfg.output}
exec ${cfg.locate}/bin/updatedb \ exec ${cfg.locate}/bin/updatedb \
${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \ ${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \
--output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags} --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
@ -147,8 +150,13 @@ in {
serviceConfig.PrivateTmp = "yes"; serviceConfig.PrivateTmp = "yes";
serviceConfig.PrivateNetwork = "yes"; serviceConfig.PrivateNetwork = "yes";
serviceConfig.NoNewPrivileges = "yes"; serviceConfig.NoNewPrivileges = "yes";
serviceConfig.ReadOnlyDirectories = "/"; serviceConfig.ReadOnlyPaths = "/";
serviceConfig.ReadWriteDirectories = dirOf cfg.output; # Use dirOf cfg.output because mlocate creates temporary files next to
# the actual database. We could specify and create them as well,
# but that would make this quite brittle when they change something.
# NOTE: If /var/cache does not exist, this leads to the misleading error message:
# update-locatedb.service: Failed at step NAMESPACE spawning …/update-locatedb-start: No such file or directory
serviceConfig.ReadWritePaths = dirOf cfg.output;
}; };
systemd.timers.update-locatedb = systemd.timers.update-locatedb =