pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #85225 from Izorkin/nginx-unit

nixos/unit: update service configuration and update unit to 1.17

Jörg Thalheim 5487e155 50401929

options
unified split
Changed files
+77 -100
nixos
modules
services
web-servers
unit
default.nix
tests
all-tests.nix
web-servers
unit-php.nix
pkgs
servers
http
unit
default.nix
drop_cap.patch
+18 -12
nixos/modules/services/web-servers/unit/default.nix 
···

       
91

       
91

       
 

       
      description = "Unit App Server";


     

       
92

       
92

       
 

       
      after = [ "network.target" ];


     

       
93

       
93

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
94

       

       
-

       
      path = with pkgs; [ curl ];


     

       
95

       
94

       
 

       
      preStart = ''


     

       
96

       

       
-

       
        test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json'


     

       

       
95

       
+

       
        [ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json'


     

       
97

       
96

       
 

       
      '';


     

       
98

       
97

       
 

       
      postStart = ''


     

       
99

       

       
-

       
        curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'


     

       

       
98

       
+

       
        ${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'


     

       
100

       
99

       
 

       
      '';


     

       
101

       
100

       
 

       
      serviceConfig = {


     

       

       
101

       
+

       
        Type = "forking";


     

       

       
102

       
+

       
        PIDFile = "/run/unit/unit.pid";


     

       
102

       
103

       
 

       
        ExecStart = ''


     

       
103

       
104

       
 

       
          ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \


     

       
104

       

       
-

       
                                   --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \


     

       

       
105

       
+

       
                                   --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' \


     

       
105

       
106

       
 

       
                                   --user ${cfg.user} --group ${cfg.group}


     

       
106

       
107

       
 

       
        '';


     

       
107

       

       
-

       
        # User and group


     

       
108

       

       
-

       
        User = cfg.user;


     

       
109

       

       
-

       
        Group = cfg.group;


     

       
110

       

       
-

       
        # Capabilities


     

       
111

       

       
-

       
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];


     

       

       
108

       
+

       
        ExecStop = ''


     

       

       
109

       
+

       
          ${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'


     

       

       
110

       
+

       
        '';


     

       

       
111

       
+

       
        # Runtime directory and mode


     

       

       
112

       
+

       
        RuntimeDirectory = "unit";


     

       

       
113

       
+

       
        RuntimeDirectoryMode = "0750";


     

       

       
114

       
+

       
        # Access write directories


     

       

       
115

       
+

       
        ReadWritePaths = [ cfg.stateDir cfg.logDir ];


     

       
112

       
116

       
 

       
        # Security


     

       
113

       
117

       
 

       
        NoNewPrivileges = true;


     

       
114

       
118

       
 

       
        # Sandboxing


     

       
115

       

       
-

       
        ProtectSystem = "full";


     

       

       
119

       
+

       
        ProtectSystem = "strict";


     

       
116

       
120

       
 

       
        ProtectHome = true;


     

       
117

       

       
-

       
        RuntimeDirectory = "unit";


     

       
118

       

       
-

       
        RuntimeDirectoryMode = "0750";


     

       
119

       
121

       
 

       
        PrivateTmp = true;


     

       
120

       
122

       
 

       
        PrivateDevices = true;


     

       
121

       
123

       
 

       
        ProtectHostname = true;


     

       
122

       
124

       
 

       
        ProtectKernelTunables = true;


     

       
123

       
125

       
 

       
        ProtectKernelModules = true;


     

       
124

       
126

       
 

       
        ProtectControlGroups = true;


     

       

       
127

       
+

       
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];


     

       
125

       
128

       
 

       
        LockPersonality = true;


     

       
126

       
129

       
 

       
        MemoryDenyWriteExecute = true;


     

       
127

       
130

       
 

       
        RestrictRealtime = true;


     

       

       
131

       
+

       
        RestrictSUIDSGID = true;


     

       
128

       
132

       
 

       
        PrivateMounts = true;


     

       

       
133

       
+

       
        # System Call Filtering


     

       

       
134

       
+

       
        SystemCallArchitectures = "native";


     

       
129

       
135

       
 

       
      };


     

       
130

       
136

       
 

       
    };


     

       
131

       
137
+1
nixos/tests/all-tests.nix 
···

       
321

       
321

       
 

       
  trickster = handleTest ./trickster.nix {};


     

       
322

       
322

       
 

       
  tuptime = handleTest ./tuptime.nix {};


     

       
323

       
323

       
 

       
  udisks2 = handleTest ./udisks2.nix {};


     

       

       
324

       
+

       
  unit-php = handleTest ./web-servers/unit-php.nix {};


     

       
324

       
325

       
 

       
  upnp = handleTest ./upnp.nix {};


     

       
325

       
326

       
 

       
  uwsgi = handleTest ./uwsgi.nix {};


     

       
326

       
327

       
 

       
  vault = handleTest ./vault.nix {};
+47
nixos/tests/web-servers/unit-php.nix 
···

       

       
1

       
+

       
import ../make-test-python.nix ({pkgs, ...}:


     

       

       
2

       
+

       
 let


     

       

       
3

       
+

       
    testdir = pkgs.writeTextDir "www/info.php" "<?php phpinfo();";


     

       

       
4

       
+

       



     

       

       
5

       
+

       
in {


     

       

       
6

       
+

       
  name = "unit-php-test";


     

       

       
7

       
+

       
  meta.maintainers = with pkgs.stdenv.lib.maintainers; [ izorkin ];


     

       

       
8

       
+

       



     

       

       
9

       
+

       
  machine = { config, lib, pkgs, ... }: {


     

       

       
10

       
+

       
    services.unit = {


     

       

       
11

       
+

       
      enable = true;


     

       

       
12

       
+

       
      config = ''


     

       

       
13

       
+

       
        {


     

       

       
14

       
+

       
          "listeners": {


     

       

       
15

       
+

       
            "*:9074": {


     

       

       
16

       
+

       
              "application": "php_74"


     

       

       
17

       
+

       
            }


     

       

       
18

       
+

       
          },


     

       

       
19

       
+

       
          "applications": {


     

       

       
20

       
+

       
            "php_74": {


     

       

       
21

       
+

       
              "type": "php 7.4",


     

       

       
22

       
+

       
              "processes": 1,


     

       

       
23

       
+

       
              "user": "testuser",


     

       

       
24

       
+

       
              "group": "testgroup",


     

       

       
25

       
+

       
              "root": "${testdir}/www",


     

       

       
26

       
+

       
              "index": "info.php"


     

       

       
27

       
+

       
            }


     

       

       
28

       
+

       
          }


     

       

       
29

       
+

       
        }


     

       

       
30

       
+

       
      '';


     

       

       
31

       
+

       
    };


     

       

       
32

       
+

       
    users = {


     

       

       
33

       
+

       
      users.testuser = {


     

       

       
34

       
+

       
        isNormalUser = false;


     

       

       
35

       
+

       
        uid = 1074;


     

       

       
36

       
+

       
        group = "testgroup";


     

       

       
37

       
+

       
      };


     

       

       
38

       
+

       
      groups.testgroup = {


     

       

       
39

       
+

       
        gid= 1074;


     

       

       
40

       
+

       
      };


     

       

       
41

       
+

       
    };


     

       

       
42

       
+

       
  };


     

       

       
43

       
+

       
  testScript = ''


     

       

       
44

       
+

       
    machine.wait_for_unit("unit.service")


     

       

       
45

       
+

       
    assert "PHP Version ${pkgs.php74.version}" in machine.succeed("curl -vvv -s http://127.0.0.1:9074/")


     

       

       
46

       
+

       
  '';


     

       

       
47

       
+

       
})
+11 -9
pkgs/servers/http/unit/default.nix 
···

       
1

       

       
-

       
{ stdenv, fetchFromGitHub, which


     

       

       
1

       
+

       
{ stdenv, fetchFromGitHub, nixosTests, which


     

       
2

       
2

       
 

       
, withPython2 ? false, python2


     

       
3

       
3

       
 

       
, withPython3 ? true, python3, ncurses


     

       
4

       
4

       
 

       
, withPHP72 ? false, php72


     

       
5

       

       
-

       
, withPHP73 ? true, php73


     

       

       
5

       
+

       
, withPHP73 ? false, php73


     

       

       
6

       
+

       
, withPHP74 ? true, php74


     

       
6

       
7

       
 

       
, withPerl528 ? false, perl528


     

       
7

       
8

       
 

       
, withPerl530 ? true, perl530


     

       
8

       
9

       
 

       
, withPerldevel ? false, perldevel


     
···

       
28

       
29

       
 

       



     

       
29

       
30

       
 

       
  php72-unit = php72.override phpConfig;


     

       
30

       
31

       
 

       
  php73-unit = php73.override phpConfig;


     

       

       
32

       
+

       
  php74-unit = php74.override phpConfig;


     

       

       
33

       
+

       



     

       
31

       
34

       
 

       
in stdenv.mkDerivation rec {


     

       
32

       

       
-

       
  version = "1.16.0";


     

       

       
35

       
+

       
  version = "1.17.0";


     

       
33

       
36

       
 

       
  pname = "unit";


     

       
34

       
37

       
 

       



     

       
35

       
38

       
 

       
  src = fetchFromGitHub {


     

       
36

       
39

       
 

       
    owner = "nginx";


     

       
37

       
40

       
 

       
    repo = "unit";


     

       
38

       
41

       
 

       
    rev = version;


     

       
39

       

       
-

       
    sha256 = "19gclqhwccpi7y4386ap33ycwhylv4s4kwfc6ik8scmc4pw3sj9l";


     

       

       
42

       
+

       
    sha256 = "1q3659vw8rxv4fk7ljkjav8ga72sb3arljfxcqw8b080f9hvi7hh";


     

       
40

       
43

       
 

       
  };


     

       
41

       

       
-

       



     

       
42

       

       
-

       
  patches = [


     

       
43

       

       
-

       
    # https://github.com/nginx/unit/issues/357


     

       
44

       

       
-

       
    ./drop_cap.patch


     

       
45

       

       
-

       
  ];


     

       
46

       
44

       
 

       



     

       
47

       
45

       
 

       
  nativeBuildInputs = [ which ];


     

       
48

       
46

       
 

       



     
···

       
51

       
49

       
 

       
    ++ optionals withPython3 [ python3 ncurses ]


     

       
52

       
50

       
 

       
    ++ optional withPHP72 php72-unit


     

       
53

       
51

       
 

       
    ++ optional withPHP73 php73-unit


     

       

       
52

       
+

       
    ++ optional withPHP73 php74-unit


     

       
54

       
53

       
 

       
    ++ optional withPerl528 perl528


     

       
55

       
54

       
 

       
    ++ optional withPerl530 perl530


     

       
56

       
55

       
 

       
    ++ optional withPerldevel perldevel


     
···

       
73

       
72

       
 

       
    ${optionalString withPython3    "./configure python --module=python3  --config=${python3}/bin/python3-config  --lib-path=${python3}/lib"}


     

       
74

       
73

       
 

       
    ${optionalString withPHP72      "./configure php    --module=php72    --config=${php72-unit.unwrapped.dev}/bin/php-config --lib-path=${php72-unit}/lib"}


     

       
75

       
74

       
 

       
    ${optionalString withPHP73      "./configure php    --module=php73    --config=${php73-unit.unwrapped.dev}/bin/php-config --lib-path=${php73-unit}/lib"}


     

       

       
75

       
+

       
    ${optionalString withPHP74      "./configure php    --module=php74    --config=${php74-unit.unwrapped.dev}/bin/php-config --lib-path=${php74-unit}/lib"}


     

       
76

       
76

       
 

       
    ${optionalString withPerl528    "./configure perl   --module=perl528  --perl=${perl528}/bin/perl"}


     

       
77

       
77

       
 

       
    ${optionalString withPerl530    "./configure perl   --module=perl530  --perl=${perl530}/bin/perl"}


     

       
78

       
78

       
 

       
    ${optionalString withPerldevel  "./configure perl   --module=perldev  --perl=${perldevel}/bin/perl"}


     
···

       
80

       
80

       
 

       
    ${optionalString withRuby_2_6   "./configure ruby   --module=ruby26   --ruby=${ruby_2_6}/bin/ruby"}


     

       
81

       
81

       
 

       
    ${optionalString withRuby_2_7   "./configure ruby   --module=ruby27   --ruby=${ruby_2_7}/bin/ruby"}


     

       
82

       
82

       
 

       
  '';


     

       

       
83

       
+

       



     

       

       
84

       
+

       
  passthru.tests.unit-php = nixosTests.unit-php;


     

       
83

       
85

       
 

       



     

       
84

       
86

       
 

       
  meta = {


     

       
85

       
87

       
 

       
    description = "Dynamic web and application server, designed to run applications in multiple languages.";
-79
pkgs/servers/http/unit/drop_cap.patch 
···

       
1

       

       
-

       
diff -r ed17ce89119f src/nxt_capability.c


     

       
2

       

       
-

       
--- a/src/nxt_capability.c      Fri Dec 06 17:02:23 2019 +0000


     

       
3

       

       
-

       
+++ b/src/nxt_capability.c      Mon Dec 09 23:23:00 2019 +0000


     

       
4

       

       
-

       
@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *


     

       
5

       

       
-

       
     return NXT_OK;


     

       
6

       

       
-

       
 }


     

       
7

       

       
-

       
 


     

       
8

       

       
-

       
+


     

       
9

       

       
-

       
+nxt_int_t


     

       
10

       

       
-

       
+nxt_capability_drop_all(nxt_task_t *task)


     

       
11

       

       
-

       
+{


     

       
12

       

       
-

       
+    struct __user_cap_header_struct hdr;


     

       
13

       

       
-

       
+    struct __user_cap_data_struct data[2];


     

       
14

       

       
-

       
+


     

       
15

       

       
-

       
+    hdr.version = nxt_capability_linux_get_version();


     

       
16

       

       
-

       
+    hdr.pid = nxt_pid;


     

       
17

       

       
-

       
+


     

       
18

       

       
-

       
+    nxt_memset(data, 0, sizeof(data));


     

       
19

       

       
-

       
+


     

       
20

       

       
-

       
+    if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {


     

       
21

       

       
-

       
+        nxt_alert(task, "failed to drop capabilities %E", nxt_errno);


     

       
22

       

       
-

       
+        return NXT_ERROR;


     

       
23

       

       
-

       
+    }


     

       
24

       

       
-

       
+


     

       
25

       

       
-

       
+    return NXT_OK;


     

       
26

       

       
-

       
+}


     

       
27

       

       
-

       
+


     

       
28

       

       
-

       
 #else


     

       
29

       

       
-

       
 


     

       
30

       

       
-

       
 static nxt_int_t


     

       
31

       

       
-

       
diff -r ed17ce89119f src/nxt_capability.h


     

       
32

       

       
-

       
--- a/src/nxt_capability.h      Fri Dec 06 17:02:23 2019 +0000


     

       
33

       

       
-

       
+++ b/src/nxt_capability.h      Mon Dec 09 23:23:00 2019 +0000


     

       
34

       

       
-

       
@@ -14,4 +14,6 @@ typedef struct {


     

       
35

       

       
-

       
 NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,


     

       
36

       

       
-

       
     nxt_capabilities_t *cap);


     

       
37

       

       
-

       
 


     

       
38

       

       
-

       
+NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);


     

       
39

       

       
-

       
+


     

       
40

       

       
-

       
 #endif /* _NXT_CAPABILITY_INCLUDED_ */


     

       
41

       

       
-

       
diff -r ed17ce89119f src/nxt_process.c


     

       
42

       

       
-

       
--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000


     

       
43

       

       
-

       
+++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000


     

       
44

       

       
-

       
@@ -264,7 +264,7 @@ cleanup:


     

       
45

       

       
-

       
 static void


     

       
46

       

       
-

       
 nxt_process_start(nxt_task_t *task, nxt_process_t *process)


     

       
47

       

       
-

       
 {


     

       
48

       

       
-

       
-    nxt_int_t                    ret, cap_setid;


     

       
49

       

       
-

       
+    nxt_int_t                    ret, cap_setid, drop_caps;


     

       
50

       

       
-

       
     nxt_port_t                   *port, *main_port;


     

       
51

       

       
-

       
     nxt_thread_t                 *thread;


     

       
52

       

       
-

       
     nxt_runtime_t                *rt;


     

       
53

       

       
-

       
@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_


     

       
54

       

       
-

       
 


     

       
55

       

       
-

       
     cap_setid = rt->capabilities.setid;


     

       
56

       

       
-

       
 


     

       
57

       

       
-

       
+    drop_caps = cap_setid;


     

       
58

       

       
-

       
+


     

       
59

       

       
-

       
 #if (NXT_HAVE_CLONE_NEWUSER)


     

       
60

       

       
-

       
-    if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {


     

       
61

       

       
-

       
+    if (NXT_CLONE_USER(init->isolation.clone.flags)) {


     

       
62

       

       
-

       
         cap_setid = 1;


     

       
63

       

       
-

       
+        drop_caps = 0;


     

       
64

       

       
-

       
     }


     

       
65

       

       
-

       
 #endif


     

       
66

       

       
-

       
 


     

       
67

       

       
-

       
@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_


     

       
68

       

       
-

       
         if (nxt_slow_path(ret != NXT_OK)) {


     

       
69

       

       
-

       
             goto fail;


     

       
70

       

       
-

       
         }


     

       
71

       

       
-

       
+


     

       
72

       

       
-

       
+#if (NXT_HAVE_LINUX_CAPABILITY)


     

       
73

       

       
-

       
+        if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {


     

       
74

       

       
-

       
+            goto fail;


     

       
75

       

       
-

       
+        }


     

       
76

       

       
-

       
+#endif


     

       
77

       

       
-

       
     }


     

       
78

       

       
-

       
 


     

       
79

       

       
-

       
     rt->type = init->type;