nixos/couchdb: Prevent it from chowning /var/log to couchdb:couchdb

The default for logFile is /var/log/couchdb.log, and the tmpfile rules chown
${dirOf cfg.logFile}, which is just /var/log, to couchdb:couchdb.

This was found by Edes' report on IRC, which looked like

    Detected unsafe path transition /var/log → /var/log/journal during canonicalization of /var/log/journal

While this bug has been present since the initial couchdb module in
62438c09f7 by @garbas, this wasn't a
problem, because the initial module only created and chowned /var/log
if it didn't exist yet, which can't occur because this gets created in
the initial phases of NixOS startup.

However with the recent move from manual preStart chown scripts to
systemd.tmpfiles.rules in 062efe018d (#59389),
this chown is suddenly running unconditionally at every system
activation, therefore triggering the above error.
Silvan Mosberger 2019-07-24 20:26:22 +02:00
parent 4ec8edaa6a
commit 5e974362be
No known key found for this signature in database
GPG Key ID: 9424360B4B85C9E7


@ -160,7 +160,7 @@ in {
systemd.tmpfiles.rules = [
"d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -"
"d '${dirOf cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
"f '${cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
"d '${cfg.databaseDir}' - ${cfg.user} ${cfg.group} - -"
"d '${cfg.viewIndexDir}' - ${cfg.user} ${cfg.group} - -"
];
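Review bot: removing the `"d '${dirOf cfg.logFile}' ..."` rule stops the chown of /var/log, but it also drops directory creation for any user-supplied logFile whose parent does not exist yet (a hypothetical `/var/log/couchdb/couchdb.log`, for instance), so the new `f` rule would fail at activation for that configuration; consider keeping a `d` rule guarded on `dirOf cfg.logFile != "/var/log"`, or state in the logFile option description that the directory must already exist. Separately, the `f '${cfg.logFile}' - ${cfg.user} ${cfg.group} - -` line leaves the mode as `-`, which systemd-tmpfiles treats as 0644, so the log is world-readable; since CouchDB logs request paths, an explicit 0640 would be the safer default.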
@ -169,11 +169,9 @@ in {
description = "CouchDB Server";
wantedBy = [ "multi-user.target" ];
preStart =
''
preStart = ''
touch ${cfg.configFile}
touch -a ${cfg.logFile}
'';
'';
environment = mkIf useVersion2 {
# we are actually specifying 4 configuration files: