Open nixinator opened 3 years ago
security.wrappers seems to be able to provide this functionality.
https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/security/wrappers/default.nix
Just got to work out how to integrate this with a running system?
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
I marked this as stale due to inactivity.
Hi, I'm facing a similar problem, as on my local computer I'm unable to run this command:

```shell
sudo setcap cap_net_admin,cap_net_raw=ep /run/current-system/sw/bin/ubridge
```

As it throws:

```
Failed to set capabilities on file `/run/current-system/sw/bin/ubridge' (Invalid argument)
```
I have found this example by @imuli:

```nix
security.wrappers.dumpcap = {
  source = "${wireshark}/bin/dumpcap";
  capabilities = "cap_net_raw+p";
  owner = "root";
  group = "wireshark";
  permissions = "u+rx,g+x";
};
```
Dear Imuli, could you please have a look at this issue as well? Is there a possibility to write a wrapper for ubridge in order to apply the elevated permission for the path above?
EDIT: I have created this overrideAttrs:

```nix
(gns3-gui.overrideAttrs (oldAttrs: rec {
  security.wrapper.ubridge = {
    source = "${ubridge}/bin/ubridge";
    capabilities = "cap_net_admin,cap_net_raw=ep";
    owner = "root";
    group = "ubridge";
    permission = "u+rx,g+x";
  };
}))
```

However, it's not possible to run this code.
Quick FYI here (apparently I did subscribe to this issue at some point):

1. What is really required for this issue is a proper NixOS module for `gns3-server` (I once had a local draft back when I played around with it but never got around to cleaning it up for Nixpkgs).
2. `security.wrapper` is a NixOS option and only works inside a NixOS configuration (the new binary will then be located at `/run/wrappers/bin/ubridge`). There is no way to implement this in the `ubridge` package as Nix cannot allow this for security reasons.
3. `gns3-server` reads a configuration file (https://docs.gns3.com/docs/using-gns3/administration/gns3-server-configuration-file/) that can refer to the correct binary (via `ubridge_path` in this case).
Trying to get this to work, but my gns3-server conf file is overwritten every time I try to launch the gns3-gui. Some options stay, but the ubridge_path is overwritten every time. :(
Hoping for 24.05, as gns3 seems to be a module now.
EDIT:
In the end I needed `permissions = "u+rx,g+rx,o+rx";` for it to work for my user.
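Putting the three points from the reply above together as one NixOS configuration fragment: the wrapper carries the file capabilities that `setcap` cannot write into `/nix/store`, and `gns3-server` is pointed at the wrapper path. This is an added example, not code from this thread or from nixpkgs; the `ubridge` group, the user `alice` and the system-wide GNS3 config path are assumptions.

```nix
{ config, pkgs, ... }:

{
  # The wrapper lives on the writable /run/wrappers tmpfs, so NixOS can apply
  # the capabilities there; the result is /run/wrappers/bin/ubridge.
  security.wrappers.ubridge = {
    source = "${pkgs.ubridge}/bin/ubridge";
    capabilities = "cap_net_admin,cap_net_raw=ep";
    owner = "root";
    group = "ubridge";  # assumed group name
    # The comment above used o+rx, which lets every local user raise these
    # capabilities. Restricting execution to a group and adding only the GNS3
    # users to it keeps the raw-socket privilege scoped to them.
    permissions = "u+rx,g+rx";
  };

  users.groups.ubridge = { };
  users.users.alice = {  # assumed user; replace with the account running gns3-gui
    isNormalUser = true;
    extraGroups = [ "ubridge" ];
  };

  # Tell gns3-server to use the wrapper instead of the store path. The
  # system-wide XDG location is an assumption; GNS3 may also keep a per-user
  # copy of this file under ~/.config/GNS3, which the GUI rewrites.
  environment.etc."xdg/GNS3/2.2/gns3_server.conf".text = ''
    [Server]
    ubridge_path = /run/wrappers/bin/ubridge
  '';

  environment.systemPackages = [ pkgs.gns3-server pkgs.gns3-gui ];
}
```

After `nixos-rebuild switch`, `getcap /run/wrappers/bin/ubridge` should list the two capabilities while the store copy stays untouched.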
Describe the bug: gns3 needs to do a setcap on ubridge; this fails as setcap cannot work on a read-only file system (/nix/store).
Expected behavior: ubridge needs elevated capabilities for gns3-gui to find interfaces on emulated devices. If it cannot, then virtual 'wiring' of devices together is not possible.
Metadata: `nix-shell -p nix-info --run "nix-info -m"`

```
"x86_64-linux"
Linux 5.4.62, NixOS, 20.03.2913.4bd1938e03e (Markhor)
yes
yes
nix-env (Nix) 2.3.6
""
"nixos-20.03.2913.4bd1938e03e"
/nix/var/nix/profiles/per-user/root/channels/nixos
```