From 5e2815dfb733ea042cd64188cd91158356ca1a11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niklas=20Hamb=C3=BCchen?=
Date: Sun, 7 May 2017 00:30:29 +0200
Subject: [PATCH 1/5] glusterfs service: Don't make it a prerequisite of network-online.target. This introduces dependency cycles. A network file system to be running is not required for a network connection to be available. https://github.com/NixOS/nixpkgs/commit/19759cfeab0b749666dafdf52a0aad79123a2126#commitcomment-22044519
---
 nixos/modules/services/network-filesystems/glusterfs.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix
index e7f52bc4a7d..518ae74ee5a 100644
--- a/nixos/modules/services/network-filesystems/glusterfs.nix
+++ b/nixos/modules/services/network-filesystems/glusterfs.nix
@@ -106,7 +106,6 @@ in
 requires = [ "rpcbind.service" ];
 after = [ "rpcbind.service" "network.target" "local-fs.target" ];
- before = [ "network-online.target" ];
 preStart = ''
 install -m 0755 -d /var/log/glusterfs
From bd54b72676893d1519b217b23b3b868c8421d04a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niklas=20Hamb=C3=BCchen?=
Date: Sun, 7 May 2017 00:32:41 +0200
Subject: [PATCH 2/5] glusterfs service: Add settings to disable rpcbind and the events daemon. See also https://github.com/NixOS/nixpkgs/pull/22225#pullrequestreview-26459886
---
 .../network-filesystems/glusterfs.nix | 27 ++++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix
index 518ae74ee5a..a697bb25da5 100644
--- a/nixos/modules/services/network-filesystems/glusterfs.nix
+++ b/nixos/modules/services/network-filesystems/glusterfs.nix
@@ -41,6 +41,25 @@ in
 default = "INFO";
 };
+ useRpcbind = mkOption {
+ type = types.bool;
+ description = ''
+ Enable use of rpcbind. This is required for Gluster's NFS functionality.
+
+ You may want to turn it off to reduce the attack surface for DDoS reflection attacks.
+
+ See https://davelozier.com/glusterfs-and-rpcbind-portmap-ddos-reflection-attacks/
+ and https://bugzilla.redhat.com/show_bug.cgi?id=1426842 for details.
+ '';
+ default = true;
+ };
+
+ enableGlustereventsd = mkOption {
+ type = types.bool;
+ description = "Whether to enable the GlusterFS Events Daemon";
+ default = true;
+ };
+
 extraFlags = mkOption {
 type = types.listOf types.str;
 description = "Extra flags passed to the GlusterFS daemon";
@@ -89,7 +108,7 @@ in
 config = mkIf cfg.enable {
 environment.systemPackages = [ pkgs.glusterfs ];
- services.rpcbind.enable = true;
+ services.rpcbind.enable = cfg.useRpcbind;
 environment.etc = mkIf (cfg.tlsSettings != null) {
 "ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem;
@@ -104,8 +123,8 @@ in
 wantedBy = [ "multi-user.target" ];
- requires = [ "rpcbind.service" ];
- after = [ "rpcbind.service" "network.target" "local-fs.target" ];
+ requires = lib.optional cfg.useRpcbind "rpcbind.service";
+ after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind [ "rpcbind.service" ];
 preStart = ''
 install -m 0755 -d /var/log/glusterfs
@@ -133,7 +152,7 @@ in
 };
 };
- systemd.services.glustereventsd = {
+ systemd.services.glustereventsd = mkIf cfg.enableGlustereventsd {
 inherit restartTriggers;
 description = "Gluster Events Notifier";
From e233a518bdd72ec2c8783faa6d8bddef1e47c0bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niklas=20Hamb=C3=BCchen?=
Date: Mon, 15 May 2017 03:03:13 +0200
Subject: [PATCH 3/5] glusterfs service: Add killMode and stopKillTimeout options
---
 .../network-filesystems/glusterfs.nix | 35 ++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)
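Review bot: The `useRpcbind` description names the DDoS-reflection concern but gives the reader nothing to weigh it against: it does not say that the reflection vector only exists when the portmapper port is reachable from untrusted networks, so an operator may disable Gluster NFS for no gain on a host that is firewalled anyway. I would extend the description with a sentence along the lines of `If you keep rpcbind, the primary control is the firewall: do not expose the portmapper port (111, TCP and UDP) beyond the hosts that actually need it.` The `enableGlustereventsd` description is a bare "whether to", and should say what the daemon does and why one would turn it off, which I cannot tell from this hunk. The `options` attrset these two options are added to begins and ends outside the hunk.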
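Review bot: `services.rpcbind.enable = cfg.useRpcbind;` turns "this module does not need rpcbind" into a hard definition of `false`, and since `types.bool` merges with mergeEqualOption as far as I recall, evaluation then fails with a conflicting-definitions error on any host where another module also sets `services.rpcbind.enable = true` (the NFS server module, for instance) instead of simply leaving rpcbind running. Defining the option only when it is wanted avoids that and keeps the intent of the option: `services.rpcbind.enable = mkIf cfg.useRpcbind true;`. The `config` attrset this line belongs to continues past the end of the hunk.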
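Review bot: `lib.optional cfg.useRpcbind [ "rpcbind.service" ]` wraps its argument in a list, so with the default `useRpcbind = true` the new `after` evaluates to `[ "network.target" "local-fs.target" [ "rpcbind.service" ] ]`, which the list-of-strings type of a unit's `after` should reject at evaluation time; the `requires` line directly above already uses the correct form. Change the line to `after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind "rpcbind.service";` (or keep the list and use `lib.optionals`). None of the later patches in this series touch this line. The enclosing `systemd.services.glusterd` definition starts and ends outside the hunk.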
diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix
index a697bb25da5..f888ae36d98 100644
--- a/nixos/modules/services/network-filesystems/glusterfs.nix
+++ b/nixos/modules/services/network-filesystems/glusterfs.nix
@@ -60,6 +60,38 @@ in
 default = true;
 };
+ killMode = mkOption {
+ type = types.enum ["control-group" "process" "mixed" "none"];
+ description = ''
+ The systemd KillMode to use for glusterd.
+
+ glusterd spawns other daemons like gsyncd.
+ If you want these to stop when glusterd is stopped (e.g. to ensure
+ that NixOS config changes are reflected even for these sub-daemons),
+ set this to 'control-group'.
+ If however you want running volume processes (glusterfsd) and thus
+ gluster mounts not be interrupted when glusterd is restarted
+ (for example, when you want to restart them manually at a later time),
+ set this to 'process'.
+ '';
+ default = "process";
+ };
+
+ stopKillTimeout = mkOption {
+ type = types.str;
+ description = ''
+ The systemd TimeoutStopSec to use.
+
+ After this time after having been asked to shut down, glusterd
+ (and depending on the killMode setting also its child processes)
+ are killed by systemd.
+
+ The default is set low because GlusterFS (as of 3.10) is known to
+ not tell its children (like gsyncd) to terminate at all.
+ '';
+ default = "5s";
+ };
+
 extraFlags = mkOption {
 type = types.listOf types.str;
 description = "Extra flags passed to the GlusterFS daemon";
@@ -148,7 +180,8 @@ in
 PIDFile="/run/glusterd.pid";
 LimitNOFILE=65536;
 ExecStart="${glusterfs}/sbin/glusterd -p /run/glusterd.pid --log-level=${cfg.logLevel} ${toString cfg.extraFlags}";
- KillMode="process";
+ KillMode=cfg.killMode;
+ TimeoutStopSec=cfg.stopKillTimeout;
 };
 };
From 08f7e4516c2dcc03813c767642327aa7c92ef189 Mon Sep 17 00:00:00 2001
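Review bot: The `stopKillTimeout` description says processes "are killed by systemd" when the timeout expires but not what that means for data: on expiry systemd escalates to SIGKILL for whatever `killMode` covers, so with `control-group` the glusterfsd brick processes serving live mounts are killed uncleanly five seconds after a stop or restart was requested, and that is the integrity consequence an operator has to weigh before accepting the low default. I would add to the description: `Whatever is still running when this expires is sent SIGKILL; with killMode = "control-group" that includes the glusterfsd brick processes, so on production volumes set this long enough for bricks to shut down cleanly.` It would also help to say that the value is a systemd time span string (`"5s"`, `"1min"`), since `types.str` enforces nothing about its shape. The `options` attrset these are added to begins and ends outside the hunk.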
From: =?UTF-8?q?Niklas=20Hamb=C3=BCchen?=
Date: Wed, 2 Aug 2017 23:07:23 +0200
Subject: [PATCH 4/5] glusterfs service: Ensure log directory exists for glustereventsd. Prevents glustereventsd failing at startup in case it starts before glusterd has started (whose `preStart` would also create the needed directory).
---
 nixos/modules/services/network-filesystems/glusterfs.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix
index f888ae36d98..e7f2de0a2dc 100644
--- a/nixos/modules/services/network-filesystems/glusterfs.nix
+++ b/nixos/modules/services/network-filesystems/glusterfs.nix
@@ -194,6 +194,10 @@ in
 after = [ "syslog.target" "network.target" ];
+ preStart = ''
+ install -m 0755 -d /var/log/glusterfs
+ '';
+
 serviceConfig = {
 Type="simple";
 Environment="PYTHONPATH=${glusterfs}/usr/lib/python2.7/site-packages";
From 18eecae4b620dc345c10b0af804591d635b4b358 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niklas=20Hamb=C3=BCchen?=
Date: Wed, 27 Sep 2017 20:54:13 +0200
Subject: [PATCH 5/5] glusterfs service: Change default killMode to "control-group". This is a better default for NixOS because it ensures that config changes happen fully when NixOS users expect it.
---
 nixos/modules/services/network-filesystems/glusterfs.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix
index e7f2de0a2dc..15777d45f78 100644
--- a/nixos/modules/services/network-filesystems/glusterfs.nix
+++ b/nixos/modules/services/network-filesystems/glusterfs.nix
@@ -74,7 +74,7 @@ in
 (for example, when you want to restart them manually at a later time),
 set this to 'process'.
 '';
- default = "process";
+ default = "control-group";
 };
 stopKillTimeout = mkOption {
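Review bot: The new `preStart` in glustereventsd is a verbatim copy of the one glusterd already carries (visible in the earlier hunks of this series), and having two racing units each run the same `install` is a workaround for a missing declaration rather than a fix. The NixOS-idiomatic place for a directory both units need is a tmpfiles rule that exists before either unit starts: `systemd.tmpfiles.rules = [ "d /var/log/glusterfs 0755 root root -" ];` in the `config` block, after which both `preStart` blocks can be dropped. If the directory is meant to be owned by something other than root, I cannot tell from the hunk since neither `preStart` sets an owner, and the rule is also where that belongs. The `systemd.services.glustereventsd` definition this hunk edits begins and ends outside it.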
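Review bot: Flipping the default to `control-group` changes what a routine glusterd restart does — the gsyncd and glusterfsd brick processes in the cgroup are now stopped together with glusterd, and anything still alive after `stopKillTimeout` (default `"5s"` per the earlier patch in this series) is SIGKILLed — yet the description in the context lines above still presents `control-group` as the opt-in choice and says nothing about the cost to live mounts. I would add to the description, after the "set this to 'control-group'" sentence: `This is the default; note that it means every restart of glusterd (for example on a configuration change that restarts the unit) also stops the brick processes and interrupts active mounts until they are back.` The commit message's "config changes happen fully" rationale belongs in the description as well, since the option text is what operators actually read. The `killMode` option definition begins outside the hunk.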