diff options
| author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2022-02-27 09:48:04 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-27 09:48:04 +0000 |
| commit | c219935f5e83113a5c136568f7a3bff868946a3a (patch) | |
| tree | 5a8f0bdc5be18fc26c6e8d6d0b0a17a7e7bc0390 /nixos | |
| parent | f231f397c5425cd5a27e9ec77849062bceee9038 (diff) | |
| parent | 6e389e63678fe13660bcc9f708649e64eae6bb05 (diff) | |
Merge pull request #162056 from NickCao/bird-reload
nixos/bird: run service as non-root user, add test for reload
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/networking/bird.nix | 20 | ||||
| -rw-r--r-- | nixos/tests/bird.nix | 1 |
2 files changed, 8 insertions, 13 deletions
diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix index 4a51924248195..3049c4f2bce9d 100644 --- a/nixos/modules/services/networking/bird.nix +++ b/nixos/modules/services/networking/bird.nix @@ -4,6 +4,7 @@ let inherit (lib) mkEnableOption mkIf mkOption optionalString types; cfg = config.services.bird2; + caps = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ]; in { ###### interface @@ -72,21 +73,14 @@ in serviceConfig = { Type = "forking"; Restart = "on-failure"; - # We need to start as root so bird can open netlink sockets i.e. for ospf - ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -u bird2 -g bird2"; - ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'"; + User = "bird2"; + Group = "bird2"; + ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf"; + ExecReload = "${pkgs.bird}/bin/birdc configure"; ExecStop = "${pkgs.bird}/bin/birdc down"; RuntimeDirectory = "bird"; - CapabilityBoundingSet = [ - "CAP_CHOWN" - "CAP_FOWNER" - "CAP_SETUID" - "CAP_SETGID" - "CAP_NET_ADMIN" - "CAP_NET_BROADCAST" - "CAP_NET_BIND_SERVICE" - "CAP_NET_RAW" - ]; + CapabilityBoundingSet = caps; + AmbientCapabilities = caps; ProtectSystem = "full"; ProtectHome = "yes"; ProtectKernelTunables = true; diff --git a/nixos/tests/bird.nix b/nixos/tests/bird.nix index befcf4fb8acf7..822a7caea9ba3 100644 --- a/nixos/tests/bird.nix +++ b/nixos/tests/bird.nix @@ -110,6 +110,7 @@ makeTest { host1.wait_for_unit("bird2.service") host2.wait_for_unit("bird2.service") + host1.succeed("systemctl reload bird2.service") with subtest("Waiting for advertised IPv4 routes"): host1.wait_until_succeeds("ip --json r | jq -e 'map(select(.dst == \"10.10.0.2\")) | any'") |