Unverified Commit f800d8e4 authored by Maximilian Bosch's avatar Maximilian Bosch Committed by Martin Weinelt

nixos/postgresql: enable private /tmp & private mounts; fix wal-receiver test

The issue was that the old test-case used `/tmp` to share data. Using
`JoinsNamespaceOf=` wasn't a real workaround since the private `/tmp` is
recreated when a service gets stopped/started which is the case here, so
the wals were still lost.

To keep the test building with `PrivateTmp=yes`, create a dedicated
directory in `/var/cache` with tmpfiles and allow the hardened
`postgresql.service` to access it via `ReadWritePaths`.
parent 2ebffcc4
+2 −2
@@ -627,14 +627,14 @@ in
            # Hardening
            CapabilityBoundingSet = [ "" ];
            DevicePolicy = "closed";
            PrivateTmp = false; #breaks wal-receiver test
            PrivateTmp = true;
            ProtectHome = true;
            ProtectSystem = "strict";
            MemoryDenyWriteExecute = true;
            NoNewPrivileges = true;
            LockPersonality = true;
            PrivateDevices = true;
            PrivateMounts = false; # breaks wal-receiver test
            PrivateMounts = true;
            ProcSubset = "pid";
            ProtectClock = true;
            ProtectControlGroups = true;
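Review bot: The two replaced lines lose their only comments, so the new `PrivateTmp = true;` and `PrivateMounts = true;` no longer tell an operator what they imply for data that has to leave the unit. As the commit message notes, the private `/tmp` is recreated whenever the service is stopped and started. A deployment that points an archive or backup path at `/tmp` would presumably lose those files silently, so this seems worth a release-note entry as well. I would add a comment on the `PrivateTmp` line such as `# /tmp is private to the unit and discarded on stop; share data through a dedicated directory listed in ReadWritePaths`. The enclosing `serviceConfig` set starts and ends outside this hunk.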
+7 −2
@@ -22,8 +22,8 @@ let
      replicationUser = "wal_receiver_user";
      replicationSlot = "wal_receiver_slot";
      replicationConn = "postgresql://${replicationUser}@localhost";
      baseBackupDir = "/tmp/pg_basebackup";
      walBackupDir = "/tmp/pg_wal";
      baseBackupDir = "/var/cache/wals/pg_basebackup";
      walBackupDir = "/var/cache/wals/pg_wal";

      recoveryFile = pkgs.writeTextDir "recovery.signal" "";

@@ -32,6 +32,10 @@ let
      meta.maintainers = with lib.maintainers; [ pacien ];

      nodes.machine = { ... }: {
        systemd.tmpfiles.rules = [
          "d /var/cache/wals 0750 postgres postgres - -"
        ];

        services.postgresql = {
          package = pkg;
          enable = true;
@@ -60,6 +64,7 @@ let
        # This is only to speedup test, it isn't time racing. Service is set to autorestart always,
        # default 60sec is fine for real system, but is too much for a test
        systemd.services.postgresql-wal-receiver-main.serviceConfig.RestartSec = lib.mkForce 5;
        systemd.services.postgresql.serviceConfig.ReadWritePaths = [ "/var/cache/wals" ];
      };

      testScript = ''
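Review bot: The path `/var/cache/wals` is now spelled out four times, in `baseBackupDir`, `walBackupDir`, the tmpfiles rule and `ReadWritePaths`, and the test only works while all four agree. With `ProtectSystem = "strict"` on `postgresql.service`, a later edit that changes one of them would leave the unit writing to a path it only sees read-only. I would bind it once in the `let` block, e.g. `walRoot = "/var/cache/wals";`, and derive the others from it: `walBackupDir = "${walRoot}/pg_wal";` and `ReadWritePaths = [ walRoot ];`. The `0750 postgres postgres` mode on the directory is a sensible choice, since base backups and WAL segments hold full database contents. The `let` block and the `nodes.machine` body both extend outside the hunks shown.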