diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-17 17:19:46 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-17 17:19:46 +0100 |
| commit | a741c57c6053b6a8f3c87499df0ff5c71b3c0fd9 (patch) | |
| tree | 24f2bb2aec9c94673ec8f66080e4d1ed6fd4ff3a | |
| parent | 8de2cd094454068ffbff6f27095ab914409e30fe (diff) | |
| download | nixos-a741c57c6053b6a8f3c87499df0ff5c71b3c0fd9.tar nixos-a741c57c6053b6a8f3c87499df0ff5c71b3c0fd9.tar.gz nixos-a741c57c6053b6a8f3c87499df0ff5c71b3c0fd9.tar.bz2 nixos-a741c57c6053b6a8f3c87499df0ff5c71b3c0fd9.tar.xz nixos-a741c57c6053b6a8f3c87499df0ff5c71b3c0fd9.zip | |
vidhar: ...
| -rwxr-xr-x | hosts/vidhar/borg/copy.py | 32 | ||||
| -rw-r--r-- | hosts/vidhar/borg/default.nix | 9 | ||||
| -rw-r--r-- | hosts/vidhar/borg/pyprctl-packages.nix | 21 |
3 files changed, 12 insertions, 50 deletions
diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py index 96426682..6adaa817 100755 --- a/hosts/vidhar/borg/copy.py +++ b/hosts/vidhar/borg/copy.py | |||
| @@ -21,7 +21,6 @@ from xdg import xdg_runtime_dir | |||
| 21 | import pathlib | 21 | import pathlib |
| 22 | 22 | ||
| 23 | import unshare | 23 | import unshare |
| 24 | import pyprctl | ||
| 25 | 24 | ||
| 26 | import signal | 25 | import signal |
| 27 | from time import sleep | 26 | from time import sleep |
| @@ -94,38 +93,21 @@ def copy_archive(src_repo_path, dst_repo_path, entry): | |||
| 94 | child = os.fork() | 93 | child = os.fork() |
| 95 | if child == 0: | 94 | if child == 0: |
| 96 | # print('unshare/chroot', file=stderr) | 95 | # print('unshare/chroot', file=stderr) |
| 97 | uid, gid = os.geteuid(), os.getegid() | 96 | unshare.unshare(unshare.CLONE_NEWNS) |
| 98 | unshare.unshare(unshare.CLONE_NEWNS | unshare.CLONE_NEWUSER) | ||
| 99 | ps_effective = set() # {pyprctl.Cap.SETUID, pyprctl.Cap.SETGID} | ||
| 100 | ps_ambient = {pyprctl.Cap.SYS_ADMIN} | ||
| 101 | pyprctl.cap_permitted.add(*(ps_effective | ps_ambient)) | ||
| 102 | pyprctl.cap_effective.add(*(ps_effective | ps_ambient)) | ||
| 103 | pyprctl.cap_inheritable.add(*ps_ambient) | ||
| 104 | pyprctl.cap_ambient.add(*ps_ambient) | ||
| 105 | with open('/proc/self/setgroups', 'w') as setgroups: | ||
| 106 | setgroups.write('deny') | ||
| 107 | with open('/proc/self/uid_map', 'w') as uid_map: | ||
| 108 | uid_map.write(f'0 {uid} 1') | ||
| 109 | with open('/proc/self/gid_map', 'w') as gid_map: | ||
| 110 | gid_map.write(f'0 {gid} 1') | ||
| 111 | subprocess.run(['mount', '--make-rprivate', '/'], check=True) | 97 | subprocess.run(['mount', '--make-rprivate', '/'], check=True) |
| 112 | chroot = pathlib.Path(tmpdir) / 'chroot' | 98 | chroot = pathlib.Path(tmpdir) / 'chroot' |
| 113 | chroot.mkdir() | 99 | upper = pathlib.Path(tmpdir) / 'upper' |
| 114 | # upper = pathlib.Path(tmpdir) / 'upper' | 100 | work = pathlib.Path(tmpdir) / 'work' |
| 115 | # work = pathlib.Path(tmpdir) / 'work' | 101 | for path in [chroot,upper,work]: |
| 116 | # for path in [chroot,upper,work]: | 102 | path.mkdir() |
| 117 | # path.mkdir() | 103 | subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True) |
| 118 | # print(f'euid={os.getuid()}', file=stderr) | 104 | bindMounts = ['nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')] |
| 119 | # subprocess.run(['stat', '/', upper, work, chroot], check=True) | ||
| 120 | # subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True) | ||
| 121 | bindMounts = ['etc', 'nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')] | ||
| 122 | if not ":" in src_repo_path: | 105 | if not ":" in src_repo_path: |
| 123 | bindMounts.append(pathlib.Path(src_repo_path).relative_to('/')) | 106 | bindMounts.append(pathlib.Path(src_repo_path).relative_to('/')) |
| 124 | if 'SSH_AUTH_SOCK' in os.environ: | 107 | if 'SSH_AUTH_SOCK' in os.environ: |
| 125 | bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/')) | 108 | bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/')) |
| 126 | for bindMount in bindMounts: | 109 | for bindMount in bindMounts: |
| 127 | (chroot / bindMount).mkdir(parents=True,exist_ok=True) | 110 | (chroot / bindMount).mkdir(parents=True,exist_ok=True) |
| 128 | print(*['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], file=stderr) | ||
| 129 | subprocess.run(['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], check=True) | 111 | subprocess.run(['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], check=True) |
| 130 | os.chroot(chroot) | 112 | os.chroot(chroot) |
| 131 | os.chdir('/') | 113 | os.chdir('/') |
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix index b1bdde04..74f4a827 100644 --- a/hosts/vidhar/borg/default.nix +++ b/hosts/vidhar/borg/default.nix | |||
| @@ -22,8 +22,8 @@ let | |||
| 22 | serviceConfig = { | 22 | serviceConfig = { |
| 23 | Type = "oneshot"; | 23 | Type = "oneshot"; |
| 24 | ExecStart = "${copyBorg}/bin/copy ${escapeShellArg repo} yggdrasil.borgbase:repo"; | 24 | ExecStart = "${copyBorg}/bin/copy ${escapeShellArg repo} yggdrasil.borgbase:repo"; |
| 25 | User = "borg"; | 25 | # User = "borg"; |
| 26 | Group = "borg"; | 26 | # Group = "borg"; |
| 27 | StateDirectory = "borg"; | 27 | StateDirectory = "borg"; |
| 28 | RuntimeDirectory = "copy-borg"; | 28 | RuntimeDirectory = "copy-borg"; |
| 29 | Environment = [ | 29 | Environment = [ |
| @@ -44,8 +44,9 @@ let | |||
| 44 | }; | 44 | }; |
| 45 | 45 | ||
| 46 | copyBorg = pkgs.stdenv.mkDerivation (let | 46 | copyBorg = pkgs.stdenv.mkDerivation (let |
| 47 | packageOverrides = pkgs.callPackage ./pyprctl-packages.nix {}; | 47 | # packageOverrides = pkgs.callPackage ./pyprctl-packages.nix {}; |
| 48 | inpPython = pkgs.python39.override { inherit packageOverrides; }; | 48 | # inpPython = pkgs.python39.override { inherit packageOverrides; }; |
| 49 | inpPython = pkgs.python39; | ||
| 49 | in rec { | 50 | in rec { |
| 50 | name = "copy"; | 51 | name = "copy"; |
| 51 | src = ./copy.py; | 52 | src = ./copy.py; |
diff --git a/hosts/vidhar/borg/pyprctl-packages.nix b/hosts/vidhar/borg/pyprctl-packages.nix deleted file mode 100644 index d3b4256a..00000000 --- a/hosts/vidhar/borg/pyprctl-packages.nix +++ /dev/null | |||
| @@ -1,21 +0,0 @@ | |||
| 1 | # Generated by pip2nix 0.8.0.dev1 | ||
| 2 | # See https://github.com/nix-community/pip2nix | ||
| 3 | |||
| 4 | { pkgs, fetchurl, fetchgit, fetchhg }: | ||
| 5 | |||
| 6 | self: super: { | ||
| 7 | "pyprctl" = super.buildPythonPackage rec { | ||
| 8 | pname = "pyprctl"; | ||
| 9 | version = "0.1.3"; | ||
| 10 | src = fetchurl { | ||
| 11 | url = "https://files.pythonhosted.org/packages/bf/5e/62765de39bbce8111fb1f4453a4a804913bf49179fa265fb713ed66c9d15/pyprctl-0.1.3-py3-none-any.whl"; | ||
| 12 | sha256 = "1pgif990r92za5rx12mjnq5iiz72d455v0wrawzb73q79w8ya0k3"; | ||
| 13 | }; | ||
| 14 | format = "wheel"; | ||
| 15 | doCheck = false; | ||
| 16 | buildInputs = []; | ||
| 17 | checkInputs = []; | ||
| 18 | nativeBuildInputs = []; | ||
| 19 | propagatedBuildInputs = []; | ||
| 20 | }; | ||
| 21 | } | ||