nixos/gns3-server: fix ubridge support #303442
Conversation
@ofborg test gns3-server
I am still getting
Seems to be this line of code: It looks like GNS3 depends on a I guess it might require a patch to the package in order to work. Or it has to be available in the environment.
Apart from above, those changes do fix the ubridge problem in the issue.
Unfortunately there seemed to be too many layers of problems hidden under each other, and it might be quite tricky to get GNS3 fully working with docker on NixOS. Perhaps a more general issue to get GNS3 to work with docker is needed.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/3859
I did some testing. This is the minimal set of hardening to remove to make uBridge work.
Might as well keep any protections that can be turned on turned on.
Please implement the above suggestion
```nix
services.gns3-server.enable = true;
services.gns3-server.ubridge.enable = true;
services.gns3-server.vpcs.enable = true;
services.gns3-server.settings = {
  Server.ubridge_path = pkgs.lib.mkForce "/run/wrappers/bin/ubridge";
};
users.groups.gns3 = { };
users.users.gns3 = {
  group = "gns3";
  isSystemUser = true;
};
systemd.services.gns3-server.serviceConfig = {
  User = "gns3";
  DynamicUser = pkgs.lib.mkForce false;
  NoNewPrivileges = pkgs.lib.mkForce false;
  RestrictSUIDSGID = pkgs.lib.mkForce false;
};
```
Tried with this in my config but ended up with
EDIT: using the web GUI on localhost:3080 when I try to start a docker container node
I just tried this in a container too. It also requires `PrivateUsers = lib.mkForce false;`
```nix
DeviceAllow = [
  "/dev/net/tun rw"
  "/dev/net/tap rw"
] ++ lib.optionals flags.enableLibvirtd [
  "/dev/kvm"
];
```
is also required for ubridge to work (because it requires access to nio tap devices). I will also check whether this configuration works with KVM, QEMU and Docker.
Alright, tyvm, this works for me for now until this PR gets merged:
```nix
services.gns3-server.ubridge.enable = true;
services.gns3-server.settings = {
  Server.ubridge_path = pkgs.lib.mkForce "/run/wrappers/bin/ubridge";
};
users.groups.gns3 = { };
users.users.gns3 = {
  group = "gns3";
  isSystemUser = true;
};
systemd.services.gns3-server.serviceConfig = {
  User = "gns3";
  DynamicUser = pkgs.lib.mkForce false;
  NoNewPrivileges = pkgs.lib.mkForce false;
  RestrictSUIDSGID = pkgs.lib.mkForce false;
  PrivateUsers = pkgs.lib.mkForce false;
  DeviceAllow = [
    "/dev/net/tun rw"
    "/dev/net/tap rw"
  ] ++ pkgs.lib.optionals config.virtualisation.libvirtd.enable [
    "/dev/kvm"
  ];
};
```
Unfortunately, these changes are not backwards compatible. Here are the commands I use to migrate the GNS3 state files out of /var/lib/private:
```sh
rm /var/lib/gns3
mv /var/lib/private/gns3 /var/lib/gns3
chown -R gns3:gns3 /var/lib/gns3
rm /var/log/gns3
mv /var/log/private/gns3 /var/log/gns3
chown -R gns3:gns3 /var/log/gns3
chown -R gns3:gns3 /etc/gns3
```
I could add a
Or just raise a warning to the user to let him know that the state files of GNS3 Server need manual intervention to make GNS3 Server work. What do you think?
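The command list above is the commenter's; as an added example that is not from the PR or the nixpkgs module, here is the same migration as an idempotent POSIX shell script. It only ever removes the symlink that DynamicUser leaves at `/var/lib/gns3` and `/var/log/gns3` (never a real directory), treats an already-migrated directory as done, and takes a hypothetical `ROOT` prefix plus an `OWNER` argument so it can be rehearsed in a scratch directory before being run as root with an empty `ROOT`.

```sh
# Added example, not part of the PR: idempotent version of the migration
# commands from the comment above. ROOT is a hypothetical path prefix so the
# script can be rehearsed in a scratch directory; pass "" on a real system
# (run as root). OWNER defaults to gns3:gns3 as in the thread.
set -eu

# migrate_one ROOT RELDIR OWNER
# Replaces the symlink DynamicUser left at ROOT/RELDIR/gns3 with the real
# directory from ROOT/RELDIR/private/gns3. Returns 0 on success or when there
# is nothing to do, 1 when the target is an unexpected non-symlink entry.
migrate_one() {
    r=$1; d=$2; o=$3
    target="$r$d/gns3"
    private="$r$d/private/gns3"

    # Already a real directory (migrated earlier, or DynamicUser never used):
    # only make sure the ownership matches the static gns3 user.
    if [ -d "$target" ] && [ ! -L "$target" ]; then
        chown -R "$o" "$target"
        return 0
    fi
    if [ ! -d "$private" ]; then
        echo "migrate: nothing to move at $private" >&2
        return 0
    fi
    # Only ever remove a symlink; a real file or directory here means the
    # layout is not the one the thread describes, so stop and let a human look.
    if [ -L "$target" ]; then
        rm "$target"
    elif [ -e "$target" ]; then
        echo "migrate: refusing to remove non-symlink $target" >&2
        return 1
    fi
    mv "$private" "$target"
    chown -R "$o" "$target"
}

# migrate_gns3_state ROOT [OWNER]: state, logs and config, as in the comment.
migrate_gns3_state() {
    root=$1; owner=${2:-gns3:gns3}
    migrate_one "$root" /var/lib "$owner"
    migrate_one "$root" /var/log "$owner"
    if [ -d "$root/etc/gns3" ]; then
        chown -R "$owner" "$root/etc/gns3"
    fi
}

# is_migrated ROOT: succeeds once both directories are real, not symlinks.
is_migrated() {
    [ -d "$1/var/lib/gns3" ] && [ ! -L "$1/var/lib/gns3" ] &&
    [ -d "$1/var/log/gns3" ] && [ ! -L "$1/var/log/gns3" ]
}
```

On a real host the call is `migrate_gns3_state "" gns3:gns3` as root; running it a second time is a no-op, which is what you want when the migration is tied to an activation step that may execute more than once.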
I was trying to run some docker services with this thing and came to the conclusion that UMask needs to be "0022" or something along those lines: `UMask = pkgs.lib.mkForce "0022";`
@haras-unicorn Thanks for the review. I changed UMask to its default value (0022).
Will this be taken into account for the 24.11 release?
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/4601
DynamicUser = lib.mkForce false; | ||
NoNewPrivileges = lib.mkForce false; | ||
RestrictSUIDSGID = lib.mkForce false; | ||
PrivateUsers = lib.mkForce false; |
Why are these using `lib.mkForce`? If users have to change them to adapt their needs, do they have to use `lib.mkVmOverride`? Just `false` would be okay.
Thank you for your review! :)
We set this to false with `mkForce` because GNS3 is incompatible with these hardening flags.
I changed these flags to:
DynamicUser = lib.mkForce false; | |
NoNewPrivileges = lib.mkForce false; | |
RestrictSUIDSGID = lib.mkForce false; | |
PrivateUsers = lib.mkForce false; | |
DynamicUser = false; | |
NoNewPrivileges = false; | |
RestrictSUIDSGID = false; | |
PrivateUsers = false; |
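Review bot: the four plain `false` values on the right carry none of the explanation the thread gives for them; add a comment above these lines in the module stating that GNS3 has to invoke ubridge through its SUID wrapper and that DynamicUser, NoNewPrivileges, RestrictSUIDSGID and PrivateUsers each prevent that, so that a user who sets any of them back to `true` in their own configuration understands why ubridge stops working.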
Usage of DynamicUser is compatible with SUID wrappers. GNS3 needs to call ubridge via its SUID Wrapper to work.
Ubridge seems to work correctly now as far as I have tested.
There are many other problems I have discovered with docker based appliances, but I think it's better to merge this PR and start a separate issue/PR for those problems.
Description of changes
Fixes #292258
See this comment for explanations.
The usage of SUID wrappers is incompatible with SystemD DynamicUser & hardenings.
And GNS3 needs to call ubridge via its SUID Wrapper to work.
```sh
chown -R gns3:gns3 /var/lib/gns3 /etc/gns3 /var/log/gns3
```
to fix the permissions (see release notes).