Closed xbreak closed 4 years ago
@xbreak This can already be done, but not in a standardized way -- the universal createManagedProcess function only takes portable/high-level concepts as parameters, and Linux capabilities are not something you can express (yet) on a high level (for that we still need to invent something, if that would be possible).
However, that should not be a limitation: the createManagedProcess function allows you to define process manager-specific overrides that augment/override the generated parameters, allowing you to use any feature of a certain process manager.
You can use, for example, a systemd override to get the capabilities configured, since I believe that is the service manager that CentOS uses.
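As an added illustration (not part of the thread and not nix-processmgmt's own code), these are the standard systemd `[Service]` directives that such an override would need to end up in the generated unit. The service name, user and store path are constructed placeholders, and how the keys are written inside a createManagedProcess override is not shown on this page.

```ini
# myservice.service (constructed example; names and paths are placeholders)
[Service]
# Placeholder store path: the binary itself carries no file capabilities.
ExecStart=/nix/store/<hash>-myservice/bin/myservice
# Run as an unprivileged account rather than root.
User=myservice
# Grant only the capabilities the service needs; ambient capabilities
# survive exec without setcap(8) on the file.
AmbientCapabilities=CAP_SYS_NICE CAP_SYS_TIME
# Cap what the process and its children can ever hold.
CapabilityBoundingSet=CAP_SYS_NICE CAP_SYS_TIME
# Block privilege gain through setuid binaries or file capabilities.
NoNewPrivileges=yes
```

A unit like this has to be loaded by the system instance of systemd, so installing it still requires root; `systemd-analyze security myservice.service` reports the resulting exposure once it is installed.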
Ok, I think I understand. It's essentially up to the process manager, not set capabilities of the executable.
I wasn't very clear in my original question, but I was actually looking for a solution that essentially allows use of capabilities set by setcap(8), which would require a super-user to set the capabilities, but allow a non-privileged user to deploy services with the set capabilities.
Since the Nix store doesn't allow file-capability attributes, this is not possible to use directly and requires workarounds. I have to research how NixOS does this.
This looks really interesting and for me the "USP" is that it does not require NixOS.
Does nix-processmgmt address or plan to address the issue that some packages require Linux capabilities, like CAP_SYS_NICE or CAP_SYS_TIME etc.? I'm aware that in some cases capabilities can be avoided in the running service by performing actions requiring capabilities before exec'ing the service. In other cases this is not possible (as with most of our cases). For us this is a blocker in our adoption of Nix on CentOS.
Cheers