NixOS / nixpkgs

Nix Packages collection & NixOS

GNS3 needs to setcap on ubridge #102536

Open nixinator opened 3 years ago

nixinator commented 3 years ago

Describe the bug

gns3 needs to do a setcap on ubridge; this fails as setcap cannot work on the read-only file system /nix/store.

To Reproduce

  1. nix-shell -p gns3-gui gns3-server dynamips ubridge telnet qemu
  2. gns3server &
  3. gns3

Expected behavior

ubridge needs elevated capabilities for gns3-gui to find interfaces on emulated devices. If it cannot, then virtual 'wiring' of devices together is not possible.

Screenshots

gns3
2020-11-02 15:44:06 INFO root:126 Log level: INFO
2020-11-02 15:44:06 INFO main:256 GNS3 GUI version 2.2.5
2020-11-02 15:44:06 INFO main:257 Copyright (c) 2007-2020 GNS3 Technologies Inc.
2020-11-02 15:44:06 INFO main:259 Application started with /nix/store/lk0l19l9q7n8bhc0q63lss1hiqmlnbxp-python3.7-gns3-gui-2.2.5/bin/gns3
Failed to set capabilities on file `/nix/store/1c40kqycq37wqrgg6qnajczhxlqm1r77-ubridge-0.9.16/bin/ubridge' (Read-only file system)

2020-11-02 15:44:22 CRITICAL utils.progress_dialog:181 WaitForCommandWorker thread stopping with an error: Could not execute command "sudo setcap cap_net_admin,cap_net_raw=ep /nix/store/1c40kqycq37wqrgg6qnajczhxlqm1r77-ubridge-0.9.16/bin/ubridge": Command '['sudo', 'setcap', 'cap_net_admin,cap_net_raw=ep', '/nix/store/1c40kqycq37wqrgg6qnajczhxlqm1r77-ubridge-0.9.16/bin/ubridge']' returned non-zero exit status 1.
2020-11-02 15:44:22 CRITICAL progress_dialog.py:183 Could not execute command "sudo setcap cap_net_admin,cap_net_raw=ep /nix/store/1c40kqycq37wqrgg6qnajczhxlqm1r77-ubridge-0.9.16/bin/ubridge": Command '['sudo', 'setcap', 'cap_net_admin,cap_net_raw=ep', '/nix/store/1c40kqycq37wqrgg6qnajczhxlqm1r77-ubridge-0.9.16/bin/ubridge']' returned non-zero exit status 1

Notify maintainers

Metadata nix-shell -p nix-info --run "nix-info -m"

nixinator commented 3 years ago

security.wrappers seems to be able to provide this functionality.

https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/security/wrappers/default.nix

Just got to work out how to integrate this with a running system?

nixos-discourse commented 3 years ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/systemd-permissions/10150/5

nixos-discourse commented 3 years ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/systemd-permissions/10150/15

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

c0d33p commented 3 years ago

> security.wrappers seems to be able to provide this functionality.
>
> https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/security/wrappers/default.nix
>
> Just got to work out how to integrate this with a running system?

Hi, I'm facing a similar problem, as on my local computer I'm unable to run this command:

sudo setcap cap_net_admin,cap_net_raw=ep /run/current-system/sw/bin/ubridge

As it throws:

Failed to set capabilities on file `/run/current-system/sw/bin/ubridge' (Invalid argument)

I have found this example by @imuli

security.wrappers.dumpcap = {
  source = "${wireshark}/bin/dumpcap";
  capabilities = "cap_net_raw+p";
  owner = "root";
  group = "wireshark";
  permissions = "u+rx,g+x";
};

Dear Imuli, could you please have a look at this issue as well? Is there a possibility to write a wrapper for ubridge in order to apply the elevated permission for the path above?

EDIT: I have created this overrideAttr:

    (gns3-gui.overrideAttrs (oldAttrs: rec {
      security.wrapper.ubridge = {
        source = "${ubridge}/bin/ubridge";
        capabilities = "cap_net_admin,cap_net_raw=ep";
        owner = "root";
        group = "ubridge";
        permission = "u+rx,g+x";
      };
    }))

However, it's not possible to run this code.

primeos commented 3 years ago

Quick FYI here (apparently I did subscribe to this issue at some point):

1. What is really required for this issue is a proper NixOS module for `gns3-server` (I once had a local draft back when I played around with it but never got around to cleaning it up for Nixpkgs).

2. `security.wrapper` is a NixOS option and only works inside a NixOS configuration (the new binary will then be located at `/run/wrappers/bin/ubridge`). There is no way to implement this in the `ubridge` package as Nix cannot allow this for security reasons.

3. `gns3-server` reads a configuration file (https://docs.gns3.com/docs/using-gns3/administration/gns3-server-configuration-file/) that can refer to the correct binary (via `ubridge_path` in this case).

TafkaMax commented 6 months ago

> Quick FYI here (apparently I did subscribe to this issue at some point):
>
> 1. What is really required for this issue is a proper NixOS module for `gns3-server` (I once had a local draft back when I played around with it but never got around to cleaning it up for Nixpkgs).
>
> 2. `security.wrapper` is a NixOS option and only works inside a NixOS configuration (the new binary will then be located at `/run/wrappers/bin/ubridge`). There is no way to implement this in the `ubridge` package as Nix cannot allow this for security reasons.
>
> 3. `gns3-server` reads a configuration file (https://docs.gns3.com/docs/using-gns3/administration/gns3-server-configuration-file/) that can refer to the correct binary (via `ubridge_path` in this case).

Trying to get this to work, but my gns3-server conf file is overwritten every time I try to launch the gns3-gui. Some options stay, but the ubridge_path is overwritten every time. :(

Hoping for 24.05, as gns3 seems to be a module now.

EDIT:

In the end I needed permissions = "u+rx,g+rx,o+rx"; for it to work for my user.
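
The approach described in this thread, written out as a NixOS configuration fragment. This is an added example, not code from any participant, from nixpkgs or from GNS3. The user name `alice`, the dedicated `ubridge` group, the group-only permissions and the `[Server]` section name in the trailing comment are assumptions.

```nix
# configuration.nix fragment (added example, assumptions marked below).
{ pkgs, ... }:
{
  # Assumption: a dedicated group, so that only its members can execute
  # the capability-bearing wrapper.
  users.groups.ubridge = { };

  # Assumption: "alice" is a placeholder for an account that is already
  # defined elsewhere in the configuration; this only adds the group.
  users.users.alice.extraGroups = [ "ubridge" ];

  # /nix/store is read-only, so setcap on the store path cannot work.
  # NixOS builds the wrapper at activation time instead and places it
  # at /run/wrappers/bin/ubridge.
  security.wrappers.ubridge = {
    source = "${pkgs.ubridge}/bin/ubridge";
    # Same capability set the GNS3 GUI tried to apply with setcap.
    capabilities = "cap_net_admin,cap_net_raw=ep";
    owner = "root";
    group = "ubridge";
    # Group-only execute, as in the dumpcap example quoted above.
    # "u+rx,g+rx,o+rx" (the value from the last comment) instead lets
    # every local user run ubridge with cap_net_admin and cap_net_raw.
    permissions = "u+rx,g+x";
  };
}

# gns3-server must then be pointed at the wrapper rather than the store
# path, through ubridge_path in its configuration file:
#
#   [Server]
#   ubridge_path = /run/wrappers/bin/ubridge
```

Group membership only takes effect in a new login session, so the wrapper stays non-executable for `alice` until the next login after `nixos-rebuild switch`.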