
systemd: remote journal requires gnutls to accept --trust #297870

Closed
r-vdp wants to merge 2 commits into NixOS:staging from r-vdp:systemd-remote-journal-gnutls


@r-vdp
Contributor

@r-vdp r-vdp commented Mar 21, 2024

Description of changes

The systemd-journal-gatewayd test fails because of this.
See https://github.com/systemd/systemd/blob/ec0bc263d7d250d4029e8ffe7e3a888c12453331/src/journal-remote/journal-gatewayd.c#L1046-L1062

An alternative would be to either introduce a new option to selectively enable gnutls for those who need it (and for our VM test), but that's also not great in terms of discoverability.

I added a second commit to use LoadCredentials to make the secrets available to the service instead of needing to set file system permissions to give access to the systemd-journal-gateway user. This might also in the future allow us to set DynamicUser = true for this service.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.
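As an added illustration (not code from this PR or from nixpkgs), a plain systemd drop-in showing the approach the description mentions: passing the TLS material to the gateway as service credentials rather than loosening file permissions for the systemd-journal-gateway user. The file paths, the drop-in location and the binary path are assumptions; `LoadCredential=`, the `%d` specifier and the `--cert=`, `--key=` and `--trust=` options are existing systemd features.

```ini
# Hypothetical drop-in: /etc/systemd/system/systemd-journal-gatewayd.service.d/tls.conf
[Service]
# Before (what the credentials approach replaces): the service user reads the
# files directly, so the private key must be readable by systemd-journal-gateway.
#   ExecStart=/usr/lib/systemd/systemd-journal-gatewayd \
#       --cert=/etc/ssl/gatewayd/cert.pem \
#       --key=/etc/ssl/gatewayd/key.pem \
#       --trust=/etc/ssl/gatewayd/ca.pem

# After: the service manager reads the source files and exposes copies in a
# per-service credentials directory that only this unit can access.
# The source files can stay owned by root with mode 0600.
# Paths below are assumed placeholders.
LoadCredential=cert.pem:/etc/ssl/gatewayd/cert.pem
LoadCredential=key.pem:/etc/ssl/gatewayd/key.pem
LoadCredential=ca.pem:/etc/ssl/gatewayd/ca.pem

# Clear the packaged ExecStart before redefining it.
ExecStart=
# %d expands to the unit's credentials directory ($CREDENTIALS_DIRECTORY).
# --trust= is only accepted when journal-gatewayd is built with gnutls,
# which is the build change this PR is about.
# The binary path is an assumption; it differs per distribution.
ExecStart=/usr/lib/systemd/systemd-journal-gatewayd \
    --cert=%d/cert.pem \
    --key=%d/key.pem \
    --trust=%d/ca.pem
```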

@r-vdp r-vdp requested a review from a team as a code owner March 21, 2024 23:10
@ofborg ofborg bot requested review from flokli and kloenk March 21, 2024 23:37
r-vdp added 2 commits March 22, 2024 01:21
The systemd-journal-gatewayd test fails because of this.
See
https://github.com/systemd/systemd/blob/ec0bc263d7d250d4029e8ffe7e3a888c12453331/src/journal-remote/journal-gatewayd.c#L1046-L1062

An alternative would be to either introduce a new option to selectively
enable gnutls for those who need it (and for our VM test), but that's
also not great in terms of discoverability.
@r-vdp r-vdp marked this pull request as draft March 22, 2024 00:21
@r-vdp r-vdp force-pushed the systemd-remote-journal-gnutls branch from 789982d to 09065c5 Compare March 22, 2024 00:21
@r-vdp r-vdp changed the base branch from master to staging March 22, 2024 00:21
@r-vdp r-vdp marked this pull request as ready for review March 22, 2024 00:22
@arianvp
Member

arianvp commented Mar 22, 2024

urgh I really don't want to link systemd with gnutls. I want upstream to fix the migration to openssl for all components instead.

@flokli
Member

flokli commented Mar 22, 2024

@arianvp is there already an upstream issue about it? Maybe we can link to here for context.

@r-vdp r-vdp marked this pull request as draft May 13, 2024 18:59
@Scrumplex
Member

I just stumbled upon this too. I think we should definitely have an upstream issue about this.

@philiptaron
Contributor

selectively enable gnutls for those who need it (and for our VM test)

I like this. I would not have thought that withRemote would link with gnutls.

@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Dec 10, 2024
@r-vdp r-vdp mentioned this pull request Dec 13, 2024
13 tasks
@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 2, 2025
@r-vdp r-vdp closed this Jan 31, 2026
@r-vdp r-vdp deleted the systemd-remote-journal-gnutls branch January 31, 2026 20:06