Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
On 19/01/2015 10:24, Domen Kožar wrote:
> This could not be PITA if systemd would have the ability to white list
> ports for a process (or with network namespaces).
>
> It would add a burden to maintainers of nixos modules.

But since we don't have system support, I think it's overall better to avoid further complications. There are a bunch of cases where this thing is going to fail theoretically. It's incomplete in every sense. At least if this is merged, don't enable by default.

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
This could not be PITA if systemd would have the ability to white list ports for a process (or with network namespaces).

It would add a burden to maintainers of nixos modules.

On Mon, Jan 19, 2015 at 10:08 AM, Luca Bruno wrote:
> On 19/01/2015 03:44, Shea Levy wrote:
> > My prediction: This will cause more headaches than it will save.
>
> Double quote.
Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
On 19/01/2015 03:44, Shea Levy wrote:
> My prediction: This will cause more headaches than it will save.

Double quote.
Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
My prediction: This will cause more headaches than it will save.

> On Jan 14, 2015, at 10:17 PM, Marc Weber wrote:
>
> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
> to implement a simple "resource tracking" module which fails if a
> resource such as tcp/ip port or socket or such gets used multiple times.
>
> It should look like this: http://dpaste.com/10RKJSQ
>
> A test like this:
> resources.tcp-ports."80" = {};
>
> causes:
> The option `resources.tcp-ports.80.allowCollisions' defined in
> `/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.
>
> which I don't get because the dpaste sets a default value for
> allowCollisions.
>
> Thus does anybody just spot what I'm doing wrong?
>
> If we are at it: Eelco Dolstra proposed "services.mysql.services" or
> such. What about services.mysqls ? We could deprecate services.mysql
> then and ask users to switch slowly. No naming collisions. Naming is
> short and could be adopted to other services.
>
> Marc Weber
Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
On 01/14/2015 11:17 PM, Marc Weber wrote:
> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
> to implement a simple "resource tracking" module which fails if a
> resource such as tcp/ip port or socket or such gets used multiple times.
>
> It should look like this: http://dpaste.com/10RKJSQ
>
> A test like this:
> resources.tcp-ports."80" = {};
>
> causes:
> The option `resources.tcp-ports.80.allowCollisions' defined in
> `/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.
>
> which I don't get because the dpaste sets a default value for
> allowCollisions.
>
> Thus does anybody just spot what I'm doing wrong?
>
> If we are at it: Eelco Dolstra proposed "services.mysql.services" or
> such. What about services.mysqls ? We could deprecate services.mysql
> then and ask users to switch slowly. No naming collisions. Naming is
> short and could be adopted to other services.
>
> Marc Weber

I think you're pushing into a very interesting direction! So do I understand it correctly that you want to define a framework which checks whether the port assignments for individual services are consistent? So the port numbers are still kept in the service definitions?

I'm wondering whether it is possible to go the other way and to centralize the port definitions and to forward the assignments to the individual services? I think of something where I can see in one place which service is attached to which interface, here e.g. localhost, the external interface, an interface secured through IPsec or maybe services run behind tor:

  attach.localhost = {
    http = service.apache.privatePorts;
    "8080" = service.myPrivateProxy {config = 1};
    "8081" = service.myPrivateProxy {config = 2};
    "8082" = service.myPrivateProxy {config = 3};
  };
  attach.external = {
    http = services.apache.publicPorts;
    smtp = services.postfix;
    DEFAULT = services.dns;
    ...
  };
  attach.ipsec = {
    ipsec_configuration = {...};
    services = {
      imap = services.cyrus;
    };
  };
  attach.tor = {
    tor_configuration = {...};
    services = {
      I_am_here = services.somethingHidden;
    };
  };

Services would only start if all necessary ports are assigned through an attach statement. Firewall rules could be automatically set through the attach framework, as suggested by Moritz. Moving a service e.g. from a private to a public interface would then be achieved by just attaching it to a different interface. Service parameters could be overwritten to define multiple instances of a service, like for myPrivateProxy in the example.

I would also classify ports of services into e.g. public or private ports, like for apache in the example. That would allow to easily expose the public ports on a public interface and have the private ones e.g. only accessible through localhost or maybe IPsec. Maybe it's also possible to have default ports defined within a service definition, and then attach a service using its default ports, e.g. somehow like for dns in the example.

What do you think? It's just an idea that I wanted to share.

Thomas
Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
Marc Weber writes:
> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
> to implement a simple "resource tracking" module which fails if a
> resource such as tcp/ip port or socket or such gets used multiple times.
>
> It should look like this: http://dpaste.com/10RKJSQ
>
> A test like this:
> resources.tcp-ports."80" = {};
>
> causes:
> The option `resources.tcp-ports.80.allowCollisions' defined in
> `/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.
>
> which I don't get because the dpaste sets a default value for
> allowCollisions.
>
> Thus does anybody just spot what I'm doing wrong?
>
> If we are at it: Eelco Dolstra proposed "services.mysql.services" or
> such. What about services.mysqls ? We could deprecate services.mysql
> then and ask users to switch slowly. No naming collisions. Naming is
> short and could be adopted to other services.
>
> Marc Weber

I really like this idea. Another use that comes to mind is using it to open ports in the firewall in a declarative manner. E.g.:

  firewall.allowedTCPPorts = [ ... ] ++ resources.mysql.tcpPorts ++ resources.httpd.tcpPorts;

(Assuming it uses a list of ports as suggested in my other reply.)

Cheers,
Moritz
Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
Luca Bruno writes:
> On 15/01/2015 01:23, Nicolas Pierron wrote:
>> On Wed, Jan 14, 2015 at 11:17 PM, Marc Weber wrote:
>>> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
>>> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
>>> to implement a simple "resource tracking" module which fails if a
>>> resource such as tcp/ip port or socket or such gets used multiple times.
>> This is awesome!
> This is a mess:
> 1) A service can bind to multiple ip and ports.

So we can just use a list of ports instead of a single one.

> 2) There's not only tcp.

So two lists? UDP and TCP ports.

> 3) A service could start listening dynamically on other ports at
> runtime.

This is a valid point. An approach like this needs to trust the services not to lie about their list of used ports.

> This is enough for saying it's going to be too complicated to check for
> conflicts with little gain and many false positives.
Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
On 15/01/2015 01:23, Nicolas Pierron wrote:
> On Wed, Jan 14, 2015 at 11:17 PM, Marc Weber wrote:
>> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
>> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
>> to implement a simple "resource tracking" module which fails if a
>> resource such as tcp/ip port or socket or such gets used multiple times.
> This is awesome!

This is a mess:
1) A service can bind to multiple ip and ports.
2) There's not only tcp.
3) A service could start listening dynamically on other ports at runtime.

This is enough for saying it's going to be too complicated to check for conflicts with little gain and many false positives.
Re: [Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
On Wed, Jan 14, 2015 at 11:17 PM, Marc Weber wrote:
> If you use multiple apaches/nginx/mysql/postgresql/whatever instances
> it's likely to miss adjusting the port or whatsoever. Therefore I'd like
> to implement a simple "resource tracking" module which fails if a
> resource such as tcp/ip port or socket or such gets used multiple times.

This is awesome!

> It should look like this: http://dpaste.com/10RKJSQ
>
> A test like this:
> resources.tcp-ports."80" = {};
>
> causes:
> The option `resources.tcp-ports.80.allowCollisions' defined in
> `/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.
>
> which I don't get because the dpaste sets a default value for
> allowCollisions.

Apparently, the submodules are no longer option sets by default, so you should wrap the options under an "options = { … };" attribute.

> If we are at it: Eelco Dolstra proposed "services.mysql.services" or
> such.

I would prefer "services.mysql.instances.". This is what httpd does with virtual hosts.

> What about services.mysqls ? We could deprecate services.mysql
> then and ask users to switch slowly. No naming collisions. Naming is
> short and could be adopted to other services.

The "s" is shorter than ".instances" or ".services", but it might be confusing & typo friendly.

--
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
[Nix-dev] Multiple instances - detecting resource collisions - nixos module system question
If you use multiple apaches/nginx/mysql/postgresql/whatever instances it's likely to miss adjusting the port or whatsoever. Therefore I'd like to implement a simple "resource tracking" module which fails if a resource such as tcp/ip port or socket or such gets used multiple times.

It should look like this: http://dpaste.com/10RKJSQ

A test like this:

  resources.tcp-ports."80" = {};

causes:

  The option `resources.tcp-ports.80.allowCollisions' defined in
  `/etc/nixos/nixpkgs/nixos/modules/misc/resources.nix' does not exist.

which I don't get because the dpaste sets a default value for allowCollisions.

Thus does anybody just spot what I'm doing wrong?

If we are at it: Eelco Dolstra proposed "services.mysql.services" or such. What about services.mysqls ? We could deprecate services.mysql then and ask users to switch slowly. No naming collisions. Naming is short and could be adopted to other services.

Marc Weber
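A self-contained module in the shape Marc asks for and Nicolas's reply describes (submodule options wrapped in `options = { ... };`, collision detected via an assertion), written here as an added example rather than the dpaste from the original mail. The `owners` option and the two inline modules that both claim port 80 are assumptions, chosen so the check fires:

```nix
# Added example (not the dpaste module from the original mail): a minimal
# NixOS resource-tracking module. Evaluation fails when a TCP port is claimed
# by more than one service unless allowCollisions is set for that port.
# The `owners` option and the two inline "service" modules are assumptions.
{ config, lib, ... }:

with lib;

let
  cfg = config.resources;
in
{
  options.resources.tcp-ports = mkOption {
    type = types.attrsOf (types.submodule {
      # The submodule body must declare its options under `options = { ... };`.
      # A bare attribute set of mkOption calls is what produces
      # "The option `resources.tcp-ports.80.allowCollisions' ... does not exist".
      options = {
        allowCollisions = mkOption {
          type = types.bool;
          default = false;
          description = "Whether several services may claim this port.";
        };
        owners = mkOption {
          type = types.listOf types.str;
          default = [];
          description = "Services claiming this port, one list entry per claim.";
        };
      };
    });
    default = {};
    description = "TCP ports claimed by services, keyed by port number.";
  };

  # Two constructed service modules both claim port 80. listOf definitions
  # from different modules are concatenated, so owners = [ "httpd" "nginx" ]
  # and the assertion below fails at evaluation time (drop one line to pass).
  imports = [
    { resources.tcp-ports."80".owners = [ "httpd" ]; }
    { resources.tcp-ports."80".owners = [ "nginx" ]; }
  ];

  config.assertions = mapAttrsToList (port: res: {
    assertion = res.allowCollisions || length res.owners <= 1;
    message = "TCP port ${port} is claimed by more than one service: "
      + concatStringsSep ", " res.owners;
  }) cfg.tcp-ports;
}
```

Setting `resources.tcp-ports."80".allowCollisions = true;` in any module silences the check for that port only, which keeps the default strict while still allowing the deliberate shared-port cases Luca raises.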