From e5965bd4897310d1f99ad75f51ef99f1f0e2c274 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sun, 11 Aug 2019 15:38:20 +0200 Subject: [PATCH 1/4] nixos/sysctl: rename /etc/sysctl.d/nixos.conf -> 60-nixos.conf sysctl.d(5) recommends prefixing all filenames in /etc/sysctl.d with a two-digit number and a dash, to simplify the ordering of the files. Some packages provide custom files, often with "50-" prefix. To ensure user-supplied configuration takes precedence over the one specified via `boot.kernel.sysctl`, prefix the file generated there with "60-". --- nixos/doc/manual/release-notes/rl-1909.xml | 8 ++++++++ nixos/modules/config/sysctl.nix | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index ca2f26ec4a8..4fe82e10ae6 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -435,6 +435,14 @@ idiom or extract that anonymous mapping function to a named one. Both can still be used but lib.forEach is preferred over lib.flip map. + + The /etc/sysctl.d/nixos.conf file containing all the options set via + boot.kernel.sysctl was moved to + /etc/sysctl.d/60-nixos.conf, as + sysctl.d5 + recommends prefixing all filenames in /etc/sysctl.d with a + two-digit number and a dash to simplify the ordering of the files. + diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index 0c6a7e2431a..112e5e744d4 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix 
@@ -42,14 +42,14 @@ in config = { - environment.etc."sysctl.d/nixos.conf".text = + environment.etc."sysctl.d/60-nixos.conf".text = concatStrings (mapAttrsToList (n: v: optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n" ) config.boot.kernel.sysctl); systemd.services.systemd-sysctl = { wantedBy = [ "multi-user.target" ]; - restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ]; + restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ]; }; # Enable hardlink and symlink restrictions. See From 9be0327a4975e219957d5108b3753a7640c4a9e0 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sun, 11 Aug 2019 13:32:24 +0200 Subject: [PATCH 2/4] nixos/systemd: install sysctl snippets systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit. --- nixos/doc/manual/release-notes/rl-1909.xml | 24 +++++++++++++++++++ nixos/modules/config/sysctl.nix | 6 ----- nixos/modules/profiles/hardened.nix | 16 ++++--------- nixos/modules/system/boot/systemd.nix | 4 ++++ .../virtualisation/google-compute-config.nix | 10 ++------ 5 files changed, 35 insertions(+), 25 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 4fe82e10ae6..e63a6d10a86 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml 
+++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -444,6 +444,30 @@ two-digit number and a dash to simplify the ordering of the files. + + + We now install the sysctl snippets shipped with systemd. + + This enables: + + Loose reverse path filtering + + + Source route filtering + + + + fq_codel as a packet scheduler (this helps to fight bufferbloat) + + + + + This also configures the kernel to pass coredumps to systemd-coredump. + These sysctl snippets can be found in /etc/sysctl.d/50-*.conf, + and overridden via boot.kernel.sysctl + (which will place the parameters in /etc/sysctl.d/60-nixos.conf). + + diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index 112e5e744d4..fb2b58eed72 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -52,12 +52,6 @@ in restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ]; }; - # Enable hardlink and symlink restrictions. See - # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7 - # for details. - boot.kernel.sysctl."fs.protected_hardlinks" = true; - boot.kernel.sysctl."fs.protected_symlinks" = true; - # Hide kernel pointers (e.g. in /proc/modules) for unprivileged # users as these make it easier to exploit kernel vulnerabilities. boot.kernel.sysctl."kernel.kptr_restrict" = 1; diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 3ff9a2b4fde..46417579352 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix 
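Review bot: Dropping `fs.protected_hardlinks` and `fs.protected_symlinks` from sysctl.nix makes this hardening depend on `${systemd}/example/sysctl.d/50-default.conf` being installed by systemd.nix and on whatever the packaged systemd version happens to put in that file, and the module no longer states that dependency anywhere. The `accept_source_route` removals in hardened.nix and google-compute-config.nix in this same patch introduce the same implicit dependency. I would leave a comment where the lines were removed, e.g. `# fs.protected_{hardlinks,symlinks} (and the accept_source_route/rp_filter defaults) now come from systemd's 50-default.conf, installed by systemd.nix; entries in boot.kernel.sysctl land in 60-nixos.conf and still override them.`, and add a NixOS test asserting `fs.protected_symlinks = 1` so a change in the upstream snippet is caught. The enclosing `config = { … }` attrset starts and ends outside the hunk.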
@@ -95,23 +95,17 @@ with lib; # Disable ftrace debugging boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; - # Enable reverse path filtering (that is, do not attempt to route packets - # that "obviously" do not belong to the iface's network; dropped packets are - # logged as martians). + # Enable strict reverse path filtering (that is, do not attempt to route + # packets that "obviously" do not belong to the iface's network; dropped + # packets are logged as martians). boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1"; boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1"; # Ignore broadcast ICMP (mitigate SMURF) boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; - # Ignore route information from sender - boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false; - # Ignore incoming ICMP redirects (note: default is needed to ensure that the # setting is applied to interfaces added after the sysctls are set) boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 1914827d0e5..e84b1ffbfc1 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix 
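Review bot: Removing `net.ipv6.conf.all.accept_source_route` and `net.ipv6.conf.default.accept_source_route` from the hardened profile is only behaviour-preserving if systemd's 50-default.conf also sets the IPv6 keys; the commit message only says "source route filtering", and in the upstream snippet versions I am aware of only the `net.ipv4.conf.*` keys are present, which would silently re-enable IPv6 source routing on hardened hosts. I would keep the two IPv6 lines, `boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;` and its `default` counterpart, with a comment that the IPv4 keys are covered by systemd's snippet, or confirm the packaged file before dropping them. The rp_filter change from `true` to `"1"` is output-identical, since sysctl.nix serialises `true` as `1`, so the "strict" wording in the comment is the only visible change there. The enclosing attrset continues outside the hunk.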
@@ -831,6 +831,10 @@ in [Sleep] ''; + # install provided sysctl snippets + "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf"; + "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf"; + "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf"; "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf"; diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index 5c59188b68b..79766970c75 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix @@ -159,12 +159,6 @@ in # functionality/features (e.g. TCP Window scaling). "net.ipv4.tcp_syncookies" = mkDefault "1"; - # ignores source-routed packets - "net.ipv4.conf.all.accept_source_route" = mkDefault "0"; - - # ignores source-routed packets - "net.ipv4.conf.default.accept_source_route" = mkDefault "0"; - # ignores ICMP redirects "net.ipv4.conf.all.accept_redirects" = mkDefault "0"; @@ -186,10 +180,10 @@ in # don't allow traffic between networks or act as a router "net.ipv4.conf.default.send_redirects" = mkDefault "0"; - # reverse path filtering - IP spoofing protection + # strict reverse path filtering - IP spoofing protection "net.ipv4.conf.all.rp_filter" = mkDefault "1"; - # reverse path filtering - IP spoofing protection + # strict path filtering - IP spoofing protection "net.ipv4.conf.default.rp_filter" = mkDefault "1"; # ignores ICMP broadcasts to avoid participating in Smurf attacks From bafc25691596caf2f6e034cbe5933fdd90a92b6a Mon Sep 17 00:00:00 2001 
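Review bot: The new `# install provided sysctl snippets` comment should say what the two files change and how they interact with `boot.kernel.sysctl`, because after this series this hunk is where core_pattern, rp_filter, accept_source_route, the default qdisc and fs.protected_* are effectively set for every NixOS system. Per the commit message, something like `# systemd's 50-coredump.conf (core_pattern -> systemd-coredump) and 50-default.conf (loose rp_filter, no source routing, fq_codel, fs.protected_{hard,sym}links); keys set via boot.kernel.sysctl go to 60-nixos.conf and override these` would make the ordering contract visible. The snippets are installed unconditionally; a configuration that already defines `environment.etc."sysctl.d/50-default.conf"` with its own file will presumably get a module-merge conflict on `.source` rather than a silent override, which deserves a sentence in the release note. The enclosing `environment.etc` attrset starts and ends outside the hunk.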
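Review bot: In the second google-compute-config.nix hunk the new comment above `net.ipv4.conf.default.rp_filter` reads `# strict path filtering - IP spoofing protection`, dropping the word "reverse" that the matching `all.rp_filter` comment two lines above keeps; it should be `# strict reverse path filtering - IP spoofing protection`. Both keys stay at `"1"`, so that hunk changes comments only. The enclosing sysctl attrset starts and ends outside the hunk.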
From: Florian Klink Date: Fri, 16 Aug 2019 11:29:41 +0200 Subject: [PATCH 3/4] nixos/systemd: remove separate coredump module --- nixos/doc/manual/release-notes/rl-1909.xml | 10 ++++ nixos/modules/module-list.nix | 1 - nixos/modules/rename.nix | 1 + nixos/modules/system/boot/coredump.nix | 66 ---------------------- nixos/modules/system/boot/systemd.nix | 21 +++++++ 5 files changed, 32 insertions(+), 67 deletions(-) delete mode 100644 nixos/modules/system/boot/coredump.nix diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index e63a6d10a86..4ad81f42b4b 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -468,6 +468,16 @@ (which will place the parameters in /etc/sysctl.d/60-nixos.conf). + + + Coredumps are now acquired by systemd-coredump by default. + systemd-coredump behaviour can still be modified via + . + To stick to the old behaviour (having the kernel dump to a file called core + in the working directory), without piping it through systemd-coredump, set + to "core". + + diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index a167336c156..d2de162f70c 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -862,7 +862,6 @@ ./system/activation/activation-script.nix ./system/activation/top-level.nix ./system/boot/binfmt.nix - ./system/boot/coredump.nix ./system/boot/emergency-mode.nix ./system/boot/grow-partition.nix ./system/boot/initrd-network.nix diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 3ea139fc5ce..e32fa6fded4 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
@@ -226,6 +226,7 @@ with lib; (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.") (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.") (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.") + (mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.") # ZSH (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) diff --git a/nixos/modules/system/boot/coredump.nix b/nixos/modules/system/boot/coredump.nix deleted file mode 100644 index 30f367da766..00000000000 --- a/nixos/modules/system/boot/coredump.nix +++ /dev/null 
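Review bot: The removal message for `systemd.coredump.enable` presents `kernel.core_pattern = "core"` as the way to "disable", but in this series that only redirects the dump: the coredump units stay installed, and the unconditional `DefaultLimitCORE=infinity` added in systemd.nix replaces the `DefaultLimitCORE=0:infinity` that the deleted module applied when the option was false, so services that previously produced no core file now write a full `core` into their working directory. I would say so in the message, e.g. `"systemd-coredump is now enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to stop piping dumps to it; DefaultLimitCORE is now infinity, so also set systemd.extraConfig = \"DefaultLimitCORE=0:infinity\"; to keep the previous no-dump behaviour."`. The list of removed-option modules continues outside the hunk.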
@@ -1,66 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -{ - - options = { - - systemd.coredump = { - - enable = mkOption { - default = false; - type = types.bool; - description = '' - Enables storing core dumps in systemd. - Note that this alone is not enough to enable core dumps. The maximum - file size for core dumps must be specified in limits.conf as well. See - and the limits.conf(5) - man page (these specify the core dump limits for user login sessions) - and (where e.g. - DefaultLimitCORE=1000000 can be specified to set - the core dump limit for systemd system-level services). - ''; - }; - - extraConfig = mkOption { - default = ""; - type = types.lines; - example = "Storage=journal"; - description = '' - Extra config options for systemd-coredump. See coredump.conf(5) man page - for available options. - ''; - }; - }; - - }; - - config = mkMerge [ - (mkIf config.systemd.coredump.enable { - - systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ]; - - environment.etc."systemd/coredump.conf".text = - '' - [Coredump] - ${config.systemd.coredump.extraConfig} - ''; - - # Have the kernel pass core dumps to systemd's coredump helper binary. - # From systemd's 50-coredump.conf file. See: - # - boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e"; - }) - - (mkIf (!config.systemd.coredump.enable) { - boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core"; - - systemd.extraConfig = - '' - DefaultLimitCORE=0:infinity - ''; - }) - ]; - -} diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index e84b1ffbfc1..23a2dd45d49 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix 
@@ -76,6 +76,10 @@ let "systemd-journald-dev-log.socket" "syslog.socket" + # Coredumps. + "systemd-coredump.socket" + "systemd-coredump@.service" + # SysV init compatibility. "systemd-initctl.socket" "systemd-initctl.service" @@ -540,6 +544,16 @@ in ''; }; + systemd.coredump.extraConfig = mkOption { + default = ""; + type = types.lines; + example = "Storage=journal"; + description = '' + Extra config options for systemd-coredump. See coredump.conf(5) man page + for available options. + ''; + }; + systemd.extraConfig = mkOption { default = ""; type = types.lines; @@ -795,6 +809,7 @@ in DefaultMemoryAccounting=yes DefaultTasksAccounting=yes ''} + DefaultLimitCORE=infinity ${config.systemd.extraConfig} ''; @@ -818,6 +833,12 @@ in ${config.services.journald.extraConfig} ''; + "systemd/coredump.conf".text = + '' + [Coredump] + ${config.systemd.coredump.extraConfig} + ''; + "systemd/logind.conf".text = '' [Login] KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"} From 8e923dfe36c9dea007f8ff709be3d47e5d5ef8e1 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sun, 18 Aug 2019 13:19:01 +0200 Subject: [PATCH 4/4] nixosTests.systemd: add fq_codel test --- nixos/tests/systemd.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index 344d675c5fe..3168c026d51 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix @@ -83,5 +83,11 @@ import ./make-test.nix ({ pkgs, ... }: { $machine->waitForUnit('multi-user.target'); $machine->succeed('test -e /tmp/shared/shutdown-test'); }; + + # Test settings from /etc/sysctl.d/50-default.conf are applied + subtest "systemd sysctl settings are applied", sub { + $machine->waitForUnit('multi-user.target'); + $machine->succeed('sysctl net.core.default_qdisc | grep -q "fq_codel"'); + }; ''; })
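Review bot: `DefaultLimitCORE=infinity` in the third systemd.nix hunk raises the soft core limit of every system service from the 0 that the deleted coredump.nix set (`DefaultLimitCORE=0:infinity`) to unlimited, and it does so regardless of `kernel.core_pattern`. With the default pattern systemd-coredump bounds and stores dumps according to coredump.conf, but a user who follows the release note and sets `kernel.core_pattern = "core"` now gets full-size core files, i.e. the process memory including any key material the service held, written into each crashing service's working directory with no size cap. Consider making the line conditional on the pattern, e.g. `${optionalString (config.boot.kernel.sysctl."kernel.core_pattern" or "" != "core") "DefaultLimitCORE=infinity"}`, or at least stating in the `systemd.coredump.extraConfig` description that users switching to `core` should set `systemd.extraConfig = "DefaultLimitCORE=0:infinity"`. The `''` string this line belongs to starts outside the hunk.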
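Review bot: The new subtest in nixos/tests/systemd.nix checks only the default qdisc, while the security-relevant defaults this series stopped setting explicitly (`fs.protected_symlinks`, `fs.protected_hardlinks`, `net.ipv4.conf.all.accept_source_route`) come from the same 50-default.conf and have no test, so a change in the upstream snippet would go unnoticed. I would also compare exactly rather than grep for a substring, e.g. `$machine->succeed('test "$(sysctl -n net.core.default_qdisc)" = fq_codel');` and `$machine->succeed('test "$(sysctl -n fs.protected_symlinks)" = 1');`. The Perl test script string continues outside the hunk.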