From cdade8e6c5ef4e02f9eaf7047248d00fae7fd805 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 17 Feb 2022 14:08:29 +0100
Subject: vidhar: ...

---
 hosts/vidhar/borg/copy.py | 13 +++++++++----
 hosts/vidhar/borg/default.nix | 9 ++++++---
 hosts/vidhar/borg/pyprctl-packages.nix | 21 +++++++++++++++++++++
 3 files changed, 36 insertions(+), 7 deletions(-)
 create mode 100644 hosts/vidhar/borg/pyprctl-packages.nix

(limited to 'hosts/vidhar/borg')

diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py
index 4bfae1cb..9dac86ae 100755
--- a/hosts/vidhar/borg/copy.py
+++ b/hosts/vidhar/borg/copy.py
@@ -21,6 +21,7 @@ from xdg import xdg_runtime_dir
 import pathlib
 import unshare
+import pyprctl
 import signal
 from time import sleep
@@ -93,15 +94,19 @@ def copy_archive(src_repo_path, dst_repo_path, entry):
 child = os.fork()
 if child == 0:
 # print('unshare/chroot', file=stderr)
- uid_map_content = f'0 {os.getuid()} 1\n0 0 1'
- gid_map_content = f'0 {os.getgid()} 1\n0 0 1'
+ uid, gid = os.getuid(), os.getgid()
 unshare.unshare(unshare.CLONE_NEWNS | unshare.CLONE_NEWUSER)
 with open('/proc/self/setgroups', 'w') as setgroups:
 setgroups.write('deny')
 with open('/proc/self/uid_map', 'w') as uid_map:
- uid_map.write(uid_map_content)
+ uid_map.write(f'0 {uid} 1')
 with open('/proc/self/gid_map', 'w') as gid_map:
- gid_map.write(gid_map_content)
+ gid_map.write(f'0 {gid} 1')
+ pyprctl.cap_ambient_raise(pyprctl.Cap.SYS_ADMIN)
+ with open('/proc/self/uid_map', 'w') as uid_map:
+ uid_map.write(f'{uid} {uid} 1')
+ with open('/proc/self/gid_map', 'w') as gid_map:
+ gid_map.write(f'{gid} {gid} 1')
 subprocess.run(['mount', '--make-rprivate', '/'], check=True)
 chroot = pathlib.Path(tmpdir) / 'chroot'
 upper = pathlib.Path(tmpdir) / 'upper'
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix
index 170ef65d..71c0da26 100644
--- a/hosts/vidhar/borg/default.nix
+++ b/hosts/vidhar/borg/default.nix
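Review bot: The second pair of `with open('/proc/self/uid_map', 'w')` / `gid_map` writes that follow `pyprctl.cap_ambient_raise` target the same user namespace that the `0 {uid} 1` / `0 {gid} 1` lines just mapped, and user_namespaces(7) permits each of these files to be written only once per namespace, so I would expect the `{uid} {uid} 1` write to fail with EPERM and the child to die before `mount --make-rprivate` runs. If the intent is to continue as the caller's own uid rather than namespace-root while keeping CAP_SYS_ADMIN for the `mount` child, that needs a further `unshare(CLONE_NEWUSER)` (with its own `setgroups` deny and a mapping whose outer ids exist in the first namespace) before the remap, and the mount namespace ownership has to be re-checked, since a nested user namespace does not own the mount namespace created by the first `unshare`. Separately, PR_CAP_AMBIENT_RAISE requires the capability to be in the inheritable set as well as the permitted set, and entering a new user namespace leaves inheritable empty, so unless I misread capabilities(7) `pyprctl.cap_ambient_raise(pyprctl.Cap.SYS_ADMIN)` will also raise unless preceded by `pyprctl.cap_inheritable.add(pyprctl.Cap.SYS_ADMIN)`. Whatever the final sequence, the new block deserves a why-comment such as `# keep CAP_SYS_ADMIN ambient so mount(8) still works after execve once we are no longer uid 0 in this namespace`, because the ordering constraints between unshare, the map files and the capability sets are not obvious from the code. `copy_archive` begins before this hunk and its body continues after `upper = ...`.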
@@ -43,7 +43,10 @@ let
 };
 };
- copyBorg = pkgs.stdenv.mkDerivation rec {
+ copyBorg = pkgs.stdenv.mkDerivation (let
+ packageOverrides = pkgs.callPackage ./pyprctl-packages.nix {};
+ inpPython = pkgs.python39.override { inherit packageOverrides; };
+ in rec {
 name = "copy";
 src = ./copy.py;
@@ -51,7 +54,7 @@ let
 buildInputs = with pkgs; [makeWrapper];
- python = pkgs.python39.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare halo]);
+ python = pkgs.python39.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare pyprctl halo]);
 buildPhase = ''
 substitute $src copy \
@@ -70,7 +73,7 @@ let
 wrapProgram $out/bin/copy \
 --prefix PATH : ${makeBinPath (with pkgs; [utillinux borgbackup])}
 '';
- };
+ });
 in {
 config = {
 services.borgbackup.repos.jotnar = {
diff --git a/hosts/vidhar/borg/pyprctl-packages.nix b/hosts/vidhar/borg/pyprctl-packages.nix
new file mode 100644
index 00000000..d3b4256a
--- /dev/null
+++ b/hosts/vidhar/borg/pyprctl-packages.nix
@@ -0,0 +1,21 @@
+# Generated by pip2nix 0.8.0.dev1
+# See https://github.com/nix-community/pip2nix
+
+{ pkgs, fetchurl, fetchgit, fetchhg }:
+
+self: super: {
+ "pyprctl" = super.buildPythonPackage rec {
+ pname = "pyprctl";
+ version = "0.1.3";
+ src = fetchurl {
+ url = "https://files.pythonhosted.org/packages/bf/5e/62765de39bbce8111fb1f4453a4a804913bf49179fa265fb713ed66c9d15/pyprctl-0.1.3-py3-none-any.whl";
+ sha256 = "1pgif990r92za5rx12mjnq5iiz72d455v0wrawzb73q79w8ya0k3";
+ };
+ format = "wheel";
+ doCheck = false;
+ buildInputs = [];
+ checkInputs = [];
+ nativeBuildInputs = [];
+ propagatedBuildInputs = [];
+ };
+}
-- 
cgit v1.2.3
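Review bot: `inpPython`, the `pkgs.python39.override { inherit packageOverrides; }` introduced in the new `let`, is not referenced by any visible line: the new-side `python = pkgs.python39.withPackages (...)` still resolves its package set from plain `pkgs.python39`, so the `pyprctl` attribute provided by `./pyprctl-packages.nix` is not in scope where `pyprctl` is added to the list. Unless the pinned nixpkgs already ships a `python39Packages.pyprctl` (in which case the override file is dead code), evaluation should fail with an undefined-attribute error. The line should read `python = inpPython.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare pyprctl halo]);`. The `copyBorg` derivation opens in the preceding hunk and closes with the `});` in the following one.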