nixos: add functions and documentation for escaping systemd Exec* directives #154113

Merged
merged 1 commit into from
Mar 13, 2022

@pennae pennae commented Jan 9, 2022

Motivation for this change

we've seen a couple new modules recently that came with subtly wrong ExecStart directives. while they'd work most of the time they could fail in surprising ways if users were to add a % or $ in a module argument.

to make it easier to avoid such problems this adds a few escaping functions specifically for systemd Exec directives and some documentation on how to use them.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.
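
How escaping of this kind can work, as an added Python example that is not the code from this pull request: each argument becomes a double-quoted word with backslash escapes, then every `%` and `$` is doubled, which systemd reads back as the literal character. The function names, the sample argument and the `/bin/echo` command line are constructed for illustration.

```python
import json
import re

# Function names are illustrative; they are not the helpers this PR adds.


def escape_systemd_exec_arg(arg):
    """Quote one value so systemd hands it to the program as a literal argument."""
    if isinstance(arg, bool) or not isinstance(arg, (str, int, float)):
        raise TypeError("only strings and numbers can be escaped")
    # JSON string syntax yields a double-quoted word in which embedded quotes
    # and backslashes are backslash-escaped.
    quoted = json.dumps(str(arg), ensure_ascii=False)
    # Quoting does not switch off systemd's own % and $ handling;
    # "%%" and "$$" are its spellings for a literal "%" and "$".
    return quoted.replace("%", "%%").replace("$", "$$")


def escape_systemd_exec_args(args):
    """Escape every argument and join them into the tail of an Exec* line."""
    return " ".join(escape_systemd_exec_arg(a) for a in args)


# Matches doubled pairs first, so only a lone "%" or "$" lands in group 1.
_META = re.compile(r"%%|\$\$|([%$])")


def unescaped_metachars(exec_line):
    """Return (offset, char) for each "%" or "$" that systemd would interpret."""
    return [(m.start(1), m.group(1)) for m in _META.finditer(exec_line) if m.group(1)]


# Constructed sample: a user-supplied module argument containing both metacharacters.
USER_ARG = "p%ss$word 100%"
NAIVE = "/bin/echo --password " + USER_ARG
ESCAPED = "/bin/echo " + escape_systemd_exec_args(["--password", USER_ARG])

if __name__ == "__main__":
    print("naive:  ", NAIVE, unescaped_metachars(NAIVE))
    print("escaped:", ESCAPED, unescaped_metachars(ESCAPED))
```

A lone `%` or `$` reported by `unescaped_metachars` is not always a bug, since a unit may use a specifier or variable on purpose; the check only marks the places where interpolated user input needs review.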

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation labels Jan 9, 2022
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Jan 9, 2022
Member

@roberth roberth left a comment

This is very good to have.

I think we should have a safe, submodule representation. Here's a design if you're interested #154123

nixos/doc/manual/development/writing-modules.chapter.md (outdated)
nixos/lib/utils.nix (outdated)
nixos/lib/utils.nix (outdated)
nixos/doc/manual/development/writing-modules.chapter.md (outdated)
testScript = ''
machine.wait_for_unit("multi-user.target")
machine.succeed("systemctl start echo.service")
logs = machine.succeed("journalctl -u echo.service -o cat")
Member

Should we maybe have .splitlines() here, to ensure it does not match e.g. semicolon in the middle of a line?

Contributor Author

that sounds sensible. there's a slight catch that toString for floats produces six fractional digits where one might expect less, but that's easy enough to work around.

…ectives

it's really easy to accidentally write the wrong systemd Exec* directive, one
that works most of the time but fails when users include systemd metacharacters
in arguments that are interpolated into an Exec* directive. add a few functions
analogous to escapeShellArg{,s} and some documentation on how and when to use them.
@pennae pennae merged commit aa7b129 into NixOS:master Mar 13, 2022
@pennae pennae deleted the systemd-escaping branch March 24, 2022 08:03