Merge pull request #66482 from flokli/systemd-sysctl

nixos/systemd: install sysctl snippets

nixos/doc/manual/release-notes/rl-1909.xml

@@ -435,6 +435,48 @@
      idiom or extract that anonymous mapping function to a named one. Both can still be used
      but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>.
     </para>
+    <para>
+      The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
+      <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
+      <literal>/etc/sysctl.d/60-nixos.conf</literal>, as
+      <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
+      two-digit number and a dash to simplify the ordering of the files.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      We now install the sysctl snippets shipped with systemd.
+    <itemizedlist>
+     <para>This enables:</para>
+     <listitem>
+      <para>Loose reverse path filtering</para>
+     </listitem>
+     <listitem>
+      <para>Source route filtering</para>
+     </listitem>
+     <listitem>
+      <para>
+       <literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
+      </para>
+     </listitem>
+    </itemizedlist>
+
+     This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
+     These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
+     and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
+     (which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+      Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
+      <literal>systemd-coredump</literal> behaviour can still be modified via
+      <option>systemd.coredump.extraConfig</option>.
+      To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
+      in the working directory), without piping it through <literal>systemd-coredump</literal>, set
+      <option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
+    </para>
    </listitem>
   <listitem>
    <para>

nixos/modules/config/sysctl.nix

@@ -42,22 +42,16 @@ in
 
   config = {
 
-    environment.etc."sysctl.d/nixos.conf".text =
+    environment.etc."sysctl.d/60-nixos.conf".text =
       concatStrings (mapAttrsToList (n: v:
         optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
       ) config.boot.kernel.sysctl);
 
     systemd.services.systemd-sysctl =
       { wantedBy = [ "multi-user.target" ];
-        restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
+        restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
       };
 
-    # Enable hardlink and symlink restrictions.  See
-    # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
-    # for details.
-    boot.kernel.sysctl."fs.protected_hardlinks" = true;
-    boot.kernel.sysctl."fs.protected_symlinks" = true;
-
     # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
     # users as these make it easier to exploit kernel vulnerabilities.
     boot.kernel.sysctl."kernel.kptr_restrict" = 1;

nixos/modules/module-list.nix

@@ -863,7 +863,6 @@
   ./system/activation/activation-script.nix
   ./system/activation/top-level.nix
   ./system/boot/binfmt.nix
-  ./system/boot/coredump.nix
   ./system/boot/emergency-mode.nix
   ./system/boot/grow-partition.nix
   ./system/boot/initrd-network.nix

nixos/modules/profiles/hardened.nix

@@ -95,23 +95,17 @@ with lib;
   # Disable ftrace debugging
   boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
 
-  # Enable reverse path filtering (that is, do not attempt to route packets
+  # Enable strict reverse path filtering (that is, do not attempt to route
-  # that "obviously" do not belong to the iface's network; dropped packets are
+  # packets that "obviously" do not belong to the iface's network; dropped
-  # logged as martians).
+  # packets are logged as martians).
   boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
   boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
 
   # Ignore broadcast ICMP (mitigate SMURF)
   boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
 
-  # Ignore route information from sender
-  boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
-
   # Ignore incoming ICMP redirects (note: default is needed to ensure that the
   # setting is applied to interfaces added after the sysctls are set)
   boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;

nixos/modules/rename.nix

@@ -226,6 +226,7 @@ with lib;
     (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
     (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
     (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
+    (mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.")
 
     # ZSH
     (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])

nixos/modules/system/boot/coredump.nix

@@ -1,66 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  options = {
-
-    systemd.coredump = {
-
-      enable = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Enables storing core dumps in systemd.
-          Note that this alone is not enough to enable core dumps. The maximum
-          file size for core dumps must be specified in limits.conf as well. See
-          <option>security.pam.loginLimits</option> and the limits.conf(5)
-          man page (these specify the core dump limits for user login sessions)
-          and <option>systemd.extraConfig</option> (where e.g.
-          <literal>DefaultLimitCORE=1000000</literal> can be specified to set
-          the core dump limit for systemd system-level services).
-        '';
-      };
-
-      extraConfig = mkOption {
-        default = "";
-        type = types.lines;
-        example = "Storage=journal";
-        description = ''
-          Extra config options for systemd-coredump. See coredump.conf(5) man page
-          for available options.
-        '';
-      };
-    };
-
-  };
-
-  config = mkMerge [
-    (mkIf config.systemd.coredump.enable {
-
-      systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ];
-
-      environment.etc."systemd/coredump.conf".text =
-        ''
-          [Coredump]
-          ${config.systemd.coredump.extraConfig}
-        '';
-
-      # Have the kernel pass core dumps to systemd's coredump helper binary.
-      # From systemd's 50-coredump.conf file. See:
-      # <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
-      boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e";
-    })
-
-    (mkIf (!config.systemd.coredump.enable) {
-      boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
-
-      systemd.extraConfig =
-        ''
-          DefaultLimitCORE=0:infinity
-        '';
-    })
-  ];
-
-}

nixos/modules/system/boot/systemd.nix

@@ -76,6 +76,10 @@ let
       "systemd-journald-dev-log.socket"
       "syslog.socket"
 
+      # Coredumps.
+      "systemd-coredump.socket"
+      "systemd-coredump@.service"
+
       # SysV init compatibility.
       "systemd-initctl.socket"
       "systemd-initctl.service"
@@ -540,6 +544,16 @@ in
       '';
     };
 
+    systemd.coredump.extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      example = "Storage=journal";
+      description = ''
+        Extra config options for systemd-coredump. See coredump.conf(5) man page
+        for available options.
+      '';
+    };
+
     systemd.extraConfig = mkOption {
       default = "";
       type = types.lines;
@@ -795,6 +809,7 @@ in
           DefaultMemoryAccounting=yes
           DefaultTasksAccounting=yes
         ''}
+        DefaultLimitCORE=infinity
         ${config.systemd.extraConfig}
       '';
 
@@ -818,6 +833,12 @@ in
         ${config.services.journald.extraConfig}
       '';
 
+      "systemd/coredump.conf".text =
+        ''
+          [Coredump]
+          ${config.systemd.coredump.extraConfig}
+        '';
+
       "systemd/logind.conf".text = ''
         [Login]
         KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
@@ -831,6 +852,10 @@ in
         [Sleep]
       '';
 
+      # install provided sysctl snippets
+      "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
+      "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+
       "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
       "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";
 

nixos/modules/virtualisation/google-compute-config.nix

@@ -159,12 +159,6 @@ in
     # functionality/features (e.g. TCP Window scaling).
     "net.ipv4.tcp_syncookies" = mkDefault "1";
 
-    # ignores source-routed packets
-    "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
-
-    # ignores source-routed packets
-    "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
-
     # ignores ICMP redirects
     "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
 
@@ -186,10 +180,10 @@ in
     # don't allow traffic between networks or act as a router
     "net.ipv4.conf.default.send_redirects" = mkDefault "0";
 
-    # reverse path filtering - IP spoofing protection
+    # strict reverse path filtering - IP spoofing protection
     "net.ipv4.conf.all.rp_filter" = mkDefault "1";
 
-    # reverse path filtering - IP spoofing protection
+    # strict path filtering - IP spoofing protection
     "net.ipv4.conf.default.rp_filter" = mkDefault "1";
 
     # ignores ICMP broadcasts to avoid participating in Smurf attacks

nixos/tests/systemd.nix

@@ -83,5 +83,11 @@ import ./make-test.nix ({ pkgs, ... }: {
       $machine->waitForUnit('multi-user.target');
       $machine->succeed('test -e /tmp/shared/shutdown-test');
     };
+
+   # Test settings from /etc/sysctl.d/50-default.conf are applied
+   subtest "systemd sysctl settings are applied", sub {
+     $machine->waitForUnit('multi-user.target');
+     $machine->succeed('sysctl net.core.default_qdisc | grep -q "fq_codel"');
+   };
   '';
 })