[Nix-dev] Twistd cache

Thomas Bereknyei tomberek at gmail.com
Mon Dec 16 04:05:12 CET 2013


I am trying to add Kippo [1] (SSH honeypot) to NixOS. The executable
is actually just a script that runs twisted with some arguments.  The
first problem was with things like log files, filesystems, pids, etc,
being read only. I have been able to get past that by placing some of
it in /var. Some hardcoded paths in the source are fixed using
substituteInPlace.  I'm not sure if this is the last problem, but
some logs [2] suggest it is related to the comment located in
python-packages.nix:

    # Generate Twisted's plug-in cache.  Twisted users must do it as well.  See
    # http://twistedmatrix.com/documents/current/core/howto/plugin.html#auto3
    # and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477103 for
    # details.
    postInstall = "$out/bin/twistd --help > /dev/null";

I have attempted something similar and looked at the nevow package
which seems to have a similar dependency, but this doesn't seem to be
working.

I guess another way to approach the problem is to not even consider
Kippo: are there any other medium- to high-interaction SSH honeypot
solutions? Perhaps leveraging some NixOS-specific tools? A VM? Create
an expression of a simple build, build-vm, then route traffic to it?
But I don't know the specifics about the security and preventing
information and my Nix store from being read.

-Tom

[1] https://code.google.com/p/kippo/

[2]
twistd[11962]: exceptions.OSError: [Errno 30] Read-only file system:
'/nix/store/xsy4qrw8r77hbl6ncd8hz6xd743kvisi-python2.7-twisted-10.2.0/lib/python2.7/site-packages/Twisted-10.2.0-py2.7-linux-x86_64.egg/twisted/plugins/6XC4rz_Y6ka_p9v-dropin.cache.new'

and in the twistd log itself, this is the last entry:

 twistd 10.2.0 (/nix/store/1i5rd0mp4x57gzjii9z2pg3mjgzj95q6-python-2.7.5/bin/python2.7
2.7.5) starting up.
reactor class: twisted.internet.selectreactor.SelectReactor.
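
A diagnostic for the read-only plug-in cache error in [2], added here as an example and not part of the original message or of Twisted's own code: it lists every twisted/plugins directory on the Python path and flags those where twistd would try to rewrite dropin.cache but cannot. The function name, the can_write parameter and the freshness rule (a rewrite is attempted when the cache is missing or is not newer than a plug-in module beside it) are assumptions of this example.

```python
import os
import sys


def plugin_cache_report(search_path=None,
                        can_write=lambda d: os.access(d, os.W_OK)):
    """Return one dict per twisted/plugins directory found on search_path.

    can_write is injectable so a read-only store can be simulated; by
    default it asks the OS whether the directory is writable.
    """
    report = []
    for entry in (sys.path if search_path is None else search_path):
        plugdir = os.path.join(entry, "twisted", "plugins")
        if not os.path.isdir(plugdir):
            continue
        cache = os.path.join(plugdir, "dropin.cache")
        cached_at = os.path.getmtime(cache) if os.path.isfile(cache) else None
        modules = [f for f in os.listdir(plugdir)
                   if f.endswith(".py") and f != "__init__.py"]
        # Assumed freshness rule: the cache is rewritten when it is missing
        # or when any plug-in module's mtime is >= the cache's mtime.
        stale = cached_at is None or any(
            os.path.getmtime(os.path.join(plugdir, m)) >= cached_at
            for m in modules)
        writable = bool(can_write(plugdir))
        report.append({
            "dir": plugdir,
            "stale": stale,
            "writable": writable,
            # A stale cache in a read-only directory is the Errno 30 case.
            "will_fail": stale and not writable,
        })
    return report


if __name__ == "__main__":
    for row in plugin_cache_report():
        status = "REWRITE WILL FAIL" if row["will_fail"] else "ok"
        print("%-18s stale=%-5s writable=%-5s %s"
              % (status, row["stale"], row["writable"], row["dir"]))
```

Run it with the same interpreter and PYTHONPATH that twistd uses. Files in the Nix store all carry mtime 1, so under the assumed rule a cache generated at build time is never newer than the modules next to it.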

