Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-19 Thread Luca Bruno
On 19/01/2015 10:24, Domen Kožar wrote:
> This wouldn't be a PITA if systemd had the ability to whitelist
> ports for a process (or with network namespaces).
>
> It would add a burden to maintainers of nixos modules.
But since we don't have system support, I think it's overall better to
avoid further complications. There are a bunch of cases where this thing
is going to fail theoretically. It's incomplete in every sense.
At least if this is merged, don't enable by default.
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-19 Thread Domen Kožar
This wouldn't be a PITA if systemd had the ability to whitelist
ports for a process (or with network namespaces).

It would add a burden to maintainers of nixos modules.

On Mon, Jan 19, 2015 at 10:08 AM, Luca Bruno  wrote:

> On 19/01/2015 03:44, Shea Levy wrote:
> > My prediction: This will cause more headaches than it will save.
> Double quote.


Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-19 Thread Luca Bruno
On 19/01/2015 03:44, Shea Levy wrote:
> My prediction: This will cause more headaches than it will save.
Double quote.


Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-18 Thread Shea Levy
My prediction: This will cause more headaches than it will save.

> On Jan 14, 2015, at 10:17 PM, Marc Weber  wrote:
> 
> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
> to implement a simple "resource tracking" module which fails if a
> resource such as tcp/ip port or socket or such gets used multiple times.
> 
> It should look like this: http://dpaste.com/10RKJSQ
> 
> 
> A test like this:
>   resources.tcp-ports."80" = {};
> 
> causes:
>  The option `resources.tcp-ports.80.allowCollisions' defined in 
> `/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.
> 
> which I don't get because the dpaste sets a default value for
> allowCollisions.
> 
> Thus does anybody just spot what I'm doing wrong?
> 
> If we are at it: Eelco Dolstra proposed "services.mysql.services" or
> such. What about services.mysqls ? We could deprecate services.mysql
> then and ask users to switch slowly. No naming collisions. Naming is
> short and could be adapted to other services.
> 
> Marc Weber


Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-18 Thread Thomas Strobel
On 01/14/2015 11:17 PM, Marc Weber wrote:
> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
> to implement a simple "resource tracking" module which fails if a
> resource such as tcp/ip port or socket or such gets used multiple times.
>
> It should look like this: http://dpaste.com/10RKJSQ
>
>
> A test like this:
>resources.tcp-ports."80" = {};
>
> causes:
>   The option `resources.tcp-ports.80.allowCollisions' defined in 
> `/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.
>
> which I don't get because the dpaste sets a default value for
> allowCollisions.
>
> Thus does anybody just spot what I'm doing wrong?
>
> If we are at it: Eelco Dolstra proposed "services.mysql.services" or
> such. What about services.mysqls ? We could deprecate services.mysql
> then and ask users to switch slowly. No naming collisions. Naming is
> short and could be adapted to other services.
>
> Marc Weber

I think you're pushing into a very interesting direction!

So do I understand it correctly that you want to define a framework
which checks whether the port assignments for individual services are
consistent? So the port numbers are still kept in the service definitions?

I'm wondering whether it is possible to go the other way and to
centralize the port definitions and to forward the assignments to the
individual services? I think of something where I can see in one place
which service is attached to which interface, here e.g. localhost, the
external interface, an interface secured through IPsec or maybe services
run behind tor:

attach.localhost = {
  http = services.apache.privatePorts;
  "8080" = services.myPrivateProxy { config = 1; };
  "8081" = services.myPrivateProxy { config = 2; };
  "8082" = services.myPrivateProxy { config = 3; };
};

attach.external = {
  http = services.apache.publicPorts;
  smtp = services.postfix;
  DEFAULT = services.dns;
  ...
};

attach.ipsec = {
  ipsec_configuration = {...};
  services = {
    imap = services.cyrus;
  };
};

attach.tor = {
  tor_configuration = {...};
  services = {
    I_am_here = services.somethingHidden;
  };
};

Services would only start if all necessary ports are assigned through an
attach statement. Firewall rules could be automatically set through the
attach framework, as suggested by Moritz. Moving a service e.g. from a
private to a public interface would then be achieved by just attaching
it to a different interface. Service parameters could be overwritten to
define multiple instances of a service, like for myPrivateProxy in the
example. I would also classify ports of services into e.g. public or
private ports, like for apache in the example. That would make it easy
to expose the public ports on a public interface and have the
private ones e.g. only accessible through localhost or maybe IPsec.
Maybe it's also possible to have default ports defined within a service
definition, and then attach a service using its default ports, e.g.
somewhat like for dns in the example.

What do you think? It's just an idea that I wanted to share.

Thomas


Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-18 Thread Moritz Ulrich
Marc Weber  writes:

> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
> to implement a simple "resource tracking" module which fails if a
> resource such as tcp/ip port or socket or such gets used multiple times.
>
> It should look like this: http://dpaste.com/10RKJSQ
>
>
> A test like this:
>resources.tcp-ports."80" = {};
>
> causes:
>   The option `resources.tcp-ports.80.allowCollisions' defined in 
> `/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.
>
> which I don't get because the dpaste sets a default value for
> allowCollisions.
>
> Thus does anybody just spot what I'm doing wrong?
>
> If we are at it: Eelco Dolstra proposed "services.mysql.services" or
> such. What about services.mysqls ? We could deprecate services.mysql
> then and ask users to switch slowly. No naming collisions. Naming is
> short and could be adapted to other services.
>
> Marc Weber

I really like this idea.

Another use that comes to mind is using it to open ports in the firewall
in a declarative manner. E.g.:

firewall.allowedTCPPorts = [
  ...
] ++ resources.mysql.tcpPorts 
  ++ resources.httpd.tcpPorts;

(Assuming it uses a list of ports as suggested in my other reply.)

Cheers,
Moritz




Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-18 Thread Moritz Ulrich
Luca Bruno  writes:

> On 15/01/2015 01:23, Nicolas Pierron wrote:
>> On Wed, Jan 14, 2015 at 11:17 PM, Marc Weber  wrote:
>>> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
>>> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
>>> to implement a simple "resource tracking" module which fails if a
>>> resource such as tcp/ip port or socket or such gets used multiple times.
>> This is awesome!
> This is a mess:
> 1) A service can bind to multiple IPs and ports.

So we can just use a list of ports instead of a single one.

> 2) There's not only tcp.

So two lists? UDP and TCP ports.

> 3) A service could start listening dynamically on other ports at
> runtime.

This is a valid point. An approach like this needs to trust the services
not to lie about their list of used ports.

>
> This is enough for saying it's going to be too complicated to check for
> conflicts with little gain and many false positives.


Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-15 Thread Luca Bruno
On 15/01/2015 01:23, Nicolas Pierron wrote:
> On Wed, Jan 14, 2015 at 11:17 PM, Marc Weber  wrote:
>> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
>> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
>> to implement a simple "resource tracking" module which fails if a
>> resource such as tcp/ip port or socket or such gets used multiple times.
> This is awesome!
This is a mess:
1) A service can bind to multiple IPs and ports.
2) There's not only tcp.
3) A service could start listening dynamically on other ports at runtime.

This is enough for saying it's going to be too complicated to check for
conflicts with little gain and many false positives.


Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-14 Thread Nicolas Pierron
On Wed, Jan 14, 2015 at 11:17 PM, Marc Weber  wrote:
> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
> to implement a simple "resource tracking" module which fails if a
> resource such as tcp/ip port or socket or such gets used multiple times.

This is awesome!

> It should look like this: http://dpaste.com/10RKJSQ
>
>
> A test like this:
>resources.tcp-ports."80" = {};
>
> causes:
>   The option `resources.tcp-ports.80.allowCollisions' defined in 
> `/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.
>
> which I don't get because the dpaste sets a default value for
> allowCollisions.

Apparently, the submodules are no longer option sets by default, so
you should wrap the options under an "options = { … };"  attribute.

> If we are at it: Eelco Dolstra proposed "services.mysql.services" or
> such.

I would prefer "services.mysql.instances.".  This is what httpd
does with virtual hosts.

> What about services.mysqls ? We could deprecate services.mysql
> then and ask users to switch slowly. No naming collisions. Naming is
> short and could be adapted to other services.

The "s" is shorter than ".instances" or ".services", but it might be
confusing & typo-friendly.

-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
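As an added illustration (this is not Marc's dpaste and not code from nixpkgs), the module below puts Nicolas's fix into practice: the submodule's declarations are wrapped in `options = { ... };`, which is what makes `allowCollisions` exist as an option instead of triggering the "does not exist" error. It also picks up Moritz's suggestion of deriving `networking.firewall` rules from the same declarations and Luca's point that TCP is not the only protocol, so UDP is tracked too. Every option name here (`resources.tcpPorts`, `resources.udpPorts`, `owners`, `allowCollisions`, `openFirewall`) is an assumption chosen for the example.

```nix
# Added example module: declaration-time detection of port collisions between
# NixOS services. Not Marc's dpaste and not nixpkgs code; all option names are
# assumptions made for this illustration.
{ config, lib, ... }:

with lib;

let
  cfg = config.resources;

  # One submodule per port. `name` is the attribute key, i.e. the port number.
  portModule = { name, ... }: {
    # Without this `options = { ... };` wrapper the declarations below are
    # taken as plain values and the module system reports that
    # `allowCollisions` "does not exist" (the error from the original post).
    options = {
      owners = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          Services that claim port ${name}. List options merge by
          concatenation, so each module that sets this appends its own name;
          more than one owner is a collision.
        '';
      };
      allowCollisions = mkOption {
        type = types.bool;
        default = false;
        description = "Permit several owners on port ${name} (intentional sharing, e.g. SO_REUSEPORT).";
      };
      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = "Also open port ${name} in networking.firewall.";
      };
    };
  };

  portsType = types.attrsOf (types.submodule portModule);

  # One message per port that has several owners and no explicit opt-out.
  collisions = proto: ports:
    mapAttrsToList
      (port: p: "${proto} port ${port} is claimed by: ${concatStringsSep ", " p.owners}")
      (filterAttrs (_: p: length p.owners > 1 && !p.allowCollisions) ports);

  allCollisions = collisions "TCP" cfg.tcpPorts ++ collisions "UDP" cfg.udpPorts;

  # Ports flagged openFirewall, converted to integers for networking.firewall.
  firewallPorts = ports:
    map toInt (attrNames (filterAttrs (_: p: p.openFirewall) ports));
in
{
  options.resources = {
    tcpPorts = mkOption {
      type = portsType;
      default = {};
      description = "TCP ports claimed by services, keyed by port number.";
    };
    udpPorts = mkOption {
      type = portsType;
      default = {};
      description = "UDP ports claimed by services, keyed by port number.";
    };
  };

  config = {
    # Evaluation fails and lists every colliding port, rather than two daemons
    # fighting over the same socket at boot.
    assertions = [
      {
        assertion = allCollisions == [];
        message = "Resource collisions:\n" + concatStringsSep "\n" allCollisions;
      }
    ];

    # Firewall rules follow from the same declarations (Moritz's suggestion).
    networking.firewall.allowedTCPPorts = firewallPorts cfg.tcpPorts;
    networking.firewall.allowedUDPPorts = firewallPorts cfg.udpPorts;
  };
}
```

A service module claims a port with, for instance, `resources.tcpPorts."80" = { owners = [ "httpd" ]; openFirewall = true; };`. If a second module sets `resources.tcpPorts."80".owners = [ "nginx" ];` the two lists merge, the assertion fails, and evaluation stops with the collision message; setting `allowCollisions = true` on that port records that the sharing is intentional. The design relies on list merging to collect owners across modules, which is why `owners` is a list rather than a single string. Luca's third objection stands: this only checks what services declare, so a daemon that opens additional ports at runtime is invisible to it, and the check is a configuration sanity test, not a substitute for observing the running system.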


[Nix-dev] Multiple instances - detecting resource collisions - nixos module system question

2015-01-14 Thread Marc Weber
If you use multiple apaches/nginx/mysql/postgresql/whatever instances
it's likely to miss adjusting the port or whatsoever. Therefore I'd like
to implement a simple "resource tracking" module which fails if a
resource such as tcp/ip port or socket or such gets used multiple times.

It should look like this: http://dpaste.com/10RKJSQ


A test like this:
   resources.tcp-ports."80" = {};

causes:
  The option `resources.tcp-ports.80.allowCollisions' defined in 
`/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.

which I don't get because the dpaste sets a default value for
allowCollisions.

Thus does anybody just spot what I'm doing wrong?

If we are at it: Eelco Dolstra proposed "services.mysql.services" or
such. What about services.mysqls ? We could deprecate services.mysql
then and ask users to switch slowly. No naming collisions. Naming is
short and could be adapted to other services.

Marc Weber