Skip to content
This repository was archived by the owner on Mar 20, 2023. It is now read-only.
This repository was archived by the owner on Mar 20, 2023. It is now read-only.

Service key "expose" functionality is flaky on big changes #109

Description

@rvolosatovs

Sometimes, expose-key script (

exposeKey = pkgs: user: key:
pkgs.writeShellScript "expose-${key}.sh" ''
chmod 0400 "${key}"
chown ${user}:${user} "${key}"
'';
) run at ExecStartPre
serviceConfig.ExecStartPre = "+${expose}";

Fails with (example from sgx.equinix.try.enarx.dev):

Aug 09 11:23:36 snp rx9j1qmp42p8y4n50rbqdlsvahxwbyq3-expose--run-secrets-oidc-secret.sh[91406]: chown: invalid user: ‘benefice:benefice’

benefice:benefice should be created by systemd due to DynamicUser=true, but in some cases it is apparently not created. It could also perhaps be a race condition?
Not sure.

One of the options to work around this could be relying on https://search.nixos.org/options?channel=22.05&show=systemd.services.%3Cname%3E.script&from=0&size=50&sort=relevance&type=packages&query=systemd.services.*.script/ in our module definitions to attempt to do this step in ExecStart (the way this option works, is that add definitions of it are merged into one script and that resulting script is then set as the ExecStart). I believe that if the user/group does not exist yet at that point, then that should be Systemd bug.

To work around this issue, we currently have to temporarily disable this functionality and run services as root. On a repeated deployment this issue does not occur.

We could also, of course, poll in ExecStartPre until a user and group are created, but that's ugly and error-prone

@puiterwijk any ideas?

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    New

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions