nixos/bird: run service as non-root user, add test for reload
This commit is contained in:
parent
dc23e69491
commit
6e389e6367
@ -4,6 +4,7 @@ let
|
|||||||
inherit (lib) mkEnableOption mkIf mkOption optionalString types;
|
inherit (lib) mkEnableOption mkIf mkOption optionalString types;
|
||||||
|
|
||||||
cfg = config.services.bird2;
|
cfg = config.services.bird2;
|
||||||
|
caps = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
###### interface
|
###### interface
|
||||||
@ -72,21 +73,14 @@ in
|
|||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "forking";
|
Type = "forking";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
# We need to start as root so bird can open netlink sockets i.e. for ospf
|
User = "bird2";
|
||||||
ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -u bird2 -g bird2";
|
Group = "bird2";
|
||||||
ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'";
|
ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf";
|
||||||
|
ExecReload = "${pkgs.bird}/bin/birdc configure";
|
||||||
ExecStop = "${pkgs.bird}/bin/birdc down";
|
ExecStop = "${pkgs.bird}/bin/birdc down";
|
||||||
RuntimeDirectory = "bird";
|
RuntimeDirectory = "bird";
|
||||||
CapabilityBoundingSet = [
|
CapabilityBoundingSet = caps;
|
||||||
"CAP_CHOWN"
|
AmbientCapabilities = caps;
|
||||||
"CAP_FOWNER"
|
|
||||||
"CAP_SETUID"
|
|
||||||
"CAP_SETGID"
|
|
||||||
"CAP_NET_ADMIN"
|
|
||||||
"CAP_NET_BROADCAST"
|
|
||||||
"CAP_NET_BIND_SERVICE"
|
|
||||||
"CAP_NET_RAW"
|
|
||||||
];
|
|
||||||
ProtectSystem = "full";
|
ProtectSystem = "full";
|
||||||
ProtectHome = "yes";
|
ProtectHome = "yes";
|
||||||
ProtectKernelTunables = true;
|
ProtectKernelTunables = true;
|
||||||
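Review bot: The old ExecReload validated the file with `bird -p` before calling `birdc configure`; the new `ExecReload = "${pkgs.bird}/bin/birdc configure";` relies on the daemon rejecting a bad configuration itself, so `systemctl reload` only reports failure if birdc exits non-zero on a rejected reconfiguration, which is worth confirming before dropping the parse step (otherwise keep `ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'";`). With `User = "bird2"` the daemon, the reload and `birdc down` all run unprivileged, so /etc/bird/bird2.conf and the control socket under the `bird` runtime directory must be readable by that user; the etc entry is outside this hunk. The removed comment explained why root was needed, but the new `caps` list defined in the earlier hunk carries no explanation of which privilege each capability replaces; a comment at its definition such as `# CAP_NET_ADMIN: netlink route changes; CAP_NET_RAW: raw sockets (e.g. OSPF); CAP_NET_BIND_SERVICE: privileged ports (e.g. BGP/179)` would keep that rationale. The serviceConfig attrset continues past the end of the hunk.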
|
@ -110,6 +110,7 @@ makeTest {
|
|||||||
|
|
||||||
host1.wait_for_unit("bird2.service")
|
host1.wait_for_unit("bird2.service")
|
||||||
host2.wait_for_unit("bird2.service")
|
host2.wait_for_unit("bird2.service")
|
||||||
|
host1.succeed("systemctl reload bird2.service")
|
||||||
|
|
||||||
with subtest("Waiting for advertised IPv4 routes"):
|
with subtest("Waiting for advertised IPv4 routes"):
|
||||||
host1.wait_until_succeeds("ip --json r | jq -e 'map(select(.dst == \"10.10.0.2\")) | any'")
|
host1.wait_until_succeeds("ip --json r | jq -e 'map(select(.dst == \"10.10.0.2\")) | any'")
|
||||||
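Review bot: The added `host1.succeed("systemctl reload bird2.service")` only checks that the reload command exits zero; it does not show that the daemon now runs unprivileged, which is the other half of this commit. A line such as `host1.succeed("[ \"$(ps -o user= -C bird)\" = bird2 ]")` after the wait_for_unit calls would pin that, and the route assertions that follow already cover that the reload kept the sessions alive. The reload is also issued against an unchanged configuration, so a reload path that silently ignores the file would still pass; that is hedged, since the test's configuration setup lies outside the hunk. The test script continues past the end of the hunk.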
|