Detect Port Conflicts in NixOS Services

LorenzBischof · March 12, 2025, 10:26pm

mightyiam · March 13, 2025, 1:41am

Haven’t looked into the implementation, but this sounds like a good candidate for nixpkgs.

bryango · March 13, 2025, 2:40am

Wow this is great and it would be even better if it could be upstreamed to nixpkgs (also nix-darwin and home-manager)!

ehmry · March 13, 2025, 8:40am

Unix has a nearly forgotten feature for registering port assignments - /etc/services. It can’t detect conflicts but it does provide a system-wide registry that can be accessed via getservbyname and getservbyport. This is useful for monitoring tools because they can use your port assignments to label traffic flows.

I had a PR to update the services file but it went stale and I wasn’t sure it was worth the eval overhead by itself. If it could be bolted onto conflict detection then I think it would be worth it.

github.com/NixOS/nixpkgs

nixos: add networking.services overrides for /etc/services

NixOS:master ← ehmry:etc-services

opened 09:10AM - 30 Aug 23 UTC

ehmry

+78 -1

## Description of changes The `/etc/services` file is full of cruft. We can o…verride it. ## Things done - Built on platform(s) - [x] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - [ ] For non-Linux: Is `sandbox = true` set in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [x] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`) - [23.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) (or backporting [23.05 Release notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2305.section.md)) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).

LorenzBischof · March 13, 2025, 8:02pm

Interesting. I’m not sure how much eval overhead this would generate, since every NixOS service would have to set an additional option. I implemented it for my own homelab, but would also be interested in upstreaming.

crertel · March 13, 2025, 8:15pm

Whoa, I’d never heard of that. TIL. Thanks sir.

aanderse · March 13, 2025, 9:28pm

i hadn’t seen that PR

recently this file came up in another thread… maybe there is more interest than i had anticipated

i had a different take than you had on what we could do with that file… see How to add extra ports to /etc/services? - #10 by aanderse for the rough idea

maybe worth investigating?

vcunat · March 14, 2025, 9:11am

/etc/services is about protocols, not about particular daemons/services. That’s how I view it.

bew · March 16, 2025, 11:58pm

May be time to revive that port allocator RFC?

And/or the more generic allocator RFC?

github.com/NixOS/rfcs

[RFC 0159] General purpose allocator module

NixOS:master ← lucasew:general-purpose-allocator-module

opened 04:13PM - 11 Aug 23 UTC

lucasew

+151 -0

# Summary This RFC is a rescope of #151. This RFC defines a function that …returns a customized NixOS-like module that other modules can use to ask for allocated values and the module will check for invalid or undefined values or conflicts and suggest a value that solves the issue. [Rendered](https://github.com/lucasew/rfcs/blob/general-purpose-allocator-module/rfcs/0159-general-purpose-allocator-module.md)

This Nix PR also has good inputs

github.com/NixOS/nix

builtins.port: manage dynamic port number allocation in nix

NixOS:master ← nixcloud:builtins.port

opened 05:43PM - 03 Apr 17 UTC

qknight

+15571 -0

# RFC Using `builtins.port "myIdentifierString" one can allocated a dynamic a…mount of `ports` but still be able to retrieve an assignement given a `identifier`. ``` services.nixcloud.apache.a = { enable = true; proxyOptions = { port = builtins.port "my_identifier"; path = "/"; domain = "nix.a"; }; }; ``` In the example above `port` would be assigned to `50000` and each time this `port` is referenced using `builtins.port "my_identifier"` it would return the same number `50000`. A different configuration might use `builtins.port "webserver1"` and it would return `50001` since `"my_identifier"` already uses `50000`. This PR still lacks documentation and is meant as a RFC. **Note:** I couldn't find a way to express the `builtins.port` property in `nixpkgs/lib` as `nix` does not allow state in functions. [ ] check if this is true: `eval-config.nix` can generate configurations for several VMs but `builtins.port` is global in the sense that it ignores that distinctive property, acting as a global singleton.

LorenzBischof · March 28, 2025, 10:08pm

Thanks for sharing those links. Like I wrote in my blog post, dynamically generating the ports was also my first idea. However the more I think about it, the more I am questioning if that is really the approach we want to take. NixOS configurations are pretty static and everything is known at evaluation. A dynamic allocator would add additional complexity in implementation, but also understanding which port was chosen and why. I like the predictability that enabling a service uses the default port of the service. The same port that is documented in the respective official service documentation.

One thing I would like to improve is to print the respective options that can be used to modify the port in the error message. Because if my variant would be integrated into nixpkgs, the error would include the file paths of the nixpkgs module, not the users source code. The user would then have to figure out how to change the port. However they probably already know how, because they are passing it to a (nginx) reverse proxy.

Since we have the filepath I wonder if it would be possible to parse the Nix code and somehow retrieve the variable, instead of the evaluated port number. This would be required, because not all services use services.<service>.port.

What are your thoughts on static (evaluation error) versus dynamic (allocator)?

edit: even a dynamic port allocator would have to default to the current nixpkgs values, otherwise it would be a breaking change.