nixos/users-groups: move home dir creation to systemd tmpfiles #223932
Conversation
I tried to solve the same issue in #204290 and @ElvishJerricco wrote some very helpful advice in #204290 (comment). He may be interested in reviewing this.
I don't think I like having one unit per user like this. Seems very cluttered.
I was looking at systemd-sysusers, hoping it had something for automatic home directory creation that we could use for inspiration, and the man page for sysusers.d says this:
> systemd-sysusers only sets the home directory record in the user database. To actually create the directory, consider adding a corresponding tmpfiles.d(5) fragment.
I wonder if a tmpfiles thing is correct here? Sounds odd given the "tmp" in the name, but I think would get the job done.
Ah right. edit: after some perusal of the manpage, I am also concerned about the "volatile" description of the files meant to be managed by
... but it seems like tmpfiles.d should do the trick. Pushed the change @ElvishJerricco
Fixes NixOS#6481 When the home directory is on a separate mount the user home directories were not created. Using systemd tmpfiles solves the race condition.
Well that's certainly much simpler :) Though, I'm intrigued by the ordering relationships on
So it will wait for all
True. A quick grep also says that no service with
Another question: does
That's great then! Assuming we can find some tests to pass (or make one), I like the look of this! Solves a noticeable problem that if there's a mountpoint between / and $HOME, the activation script doesn't create the directory correctly.
As a tangential addendum, I wonder if we could have the activation script generate a systemd-sysusers config file instead of doing what it does. I dunno if that would actually have much benefit, but it'd be interesting to look into.
Oh that's an interesting question. It looks like
Seems like nfs could be a problem: systemd/systemd#1959
I think that specific issue is not exactly related, but I think there is a sort of issue. That seems to be more of an issue with systemd will take care of it in most cases, because of the implicit ordering of mount units and because it does create intermediate directories when needed, but here's the problem that could come up:
I see... Perhaps the oneshot services are the best way to go, here... what do you think?
FWIW, this is still objectively an improvement over the existing code. This problem also existed, but more severely, before this change.
Hm. Would oneshot services fix both the automount and nfs problems @ElvishJerricco ?
Well, one thing that concerned me was that neither solution would recreate user home directories if they were deleted and then a system config was activated. So I added this to test it out, expecting for it to fail with this PR but succeed without it:
diff --git a/nixos/tests/mutable-users.nix b/nixos/tests/mutable-users.nix
index ebe32e6487e..d9025295934 100644
--- a/nixos/tests/mutable-users.nix
+++ b/nixos/tests/mutable-users.nix
@@ -69,5 +69,9 @@ import ./make-test-python.nix ({ pkgs, ...} : {
for file in files_to_check:
assert machine.succeed(f"sha256sum {file}") == expected_hashes[file]
assert machine.succeed(f"stat {file}") == expected_stats[file]
+
+ with subtest("activate does change things"):
+ machine.succeed("/run/current-system/bin/switch-to-configuration test")
+ machine.succeed('test -e /home/dry-test') # home WAS recreated
'';
})
Above this diff, the test removes the home directory so that it can make sure Between that, the fact that creating a oneshot per user seems excessive, and the fact that this problem has always existed for users of remote-fs homes, I think the tmpfiles solution is probably the right way to go. I would also recommend adding that diff to this PR. Once that's done I'll ask ofborg to test
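Review bot: the new subtest only proves that something exists at /home/dry-test, not that the home directory was recreated correctly: `test -e` also passes for a plain file or a symlink, and nothing checks owner or mode. Since the surrounding test already compares `expected_stats[file]` against `stat`, consider `machine.succeed('test -d /home/dry-test')` followed by the same stat comparison for the recreated directory, and a subtest name that states what is asserted (for example "home directory is recreated on activation") rather than "activate does change things".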
Co-authored-by: Will Fancher <elvishjerricco@gmail.com>
Adding one formatting commit along with your patch. Thank you very much @ElvishJerricco !
@ofborg test mutableUsers user-home-mode
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/2018
```nix
systemd.tmpfiles.rules = lib.concatLists (lib.mapAttrsToList
  (_: user:
    lib.optionals user.createHome [
      "d ${lib.escapeShellArg user.home} ${user.homeMode} ${user.name} ${user.group}"
```
this is incorrect. tmpfile paths do not respect shell escaping rules, in fact the escaping rules documented in the manpage are not even correct (systemd/systemd#26955). until that is sorted out we'd better be very careful with using tmpfiles to create arbitrary paths. user names themselves are fine, but there is no restriction on the parent directory. until systemd is fixed to actually follow its escaping rules we had better leave it as is.
Ok good call, thank you!
Is there a library function to c-escape a string that you know of, on that topic?
don't think so, almost certainly not by the rules systemd requires (tmpfiles also processes %<x> directives, so those need escaped as well)
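To make the two escaping concerns above concrete (shell quoting is not tmpfiles quoting, and `%<x>` specifiers are expanded inside fields), here is an added example that is not nixpkgs or systemd code. It generates the same kind of `d` lines as the snippet under review, once with `lib.escapeShellArg`-style quoting and once with the C-style escapes that tmpfiles.d(5) documents, then decodes them with a toy parser. The user set and the `%h` value are constructed sample data; the toy parser splits on whitespace and decodes escapes and specifiers only, it does not model systemd's quote handling.

```python
# Constructed sample users, shaped like the attrset the PR iterates over.
USERS = {
    "alice": {"home": "/home/alice", "homeMode": "0700", "group": "users", "createHome": True},
    "bob": {"home": "/srv/shared homes/bob %h", "homeMode": "0755", "group": "users", "createHome": True},
    "svc": {"home": "/var/empty", "homeMode": "0755", "group": "nogroup", "createHome": False},
}

def shell_escape(s):
    """Mimics lib.escapeShellArg: single-quote wrapping (sh rules, not tmpfiles rules)."""
    return "'" + s.replace("'", "'\\''") + "'"

def tmpfiles_escape(s):
    """Escape one field per tmpfiles.d(5): C-style escapes for whitespace and
    backslash, and '%%' for a literal '%' so it is not read as a specifier."""
    table = {"\\": "\\\\", " ": "\\x20", "\t": "\\t", "\n": "\\n", "%": "%%"}
    return "".join(table.get(ch, ch) for ch in s)

def c_unescape(field, specifiers):
    """Decode a field as the manpage describes: C escapes, then %x specifiers."""
    out, i = [], 0
    while i < len(field):
        c, n = field[i], field[i + 1] if i + 1 < len(field) else ""
        if c == "\\" and n == "x":  # \xHH hex escape
            out.append(chr(int(field[i + 2:i + 4], 16))); i += 4
        elif c == "\\" and n:  # \n, \t, \\ and similar
            out.append({"n": "\n", "t": "\t"}.get(n, n)); i += 2
        elif c == "%" and n:  # %% is a literal %, %x is a specifier
            out.append("%" if n == "%" else specifiers.get(n, "%" + n)); i += 2
        else:
            out.append(c); i += 1
    return "".join(out)

def home_rules(users, escape):
    """One 'd' line per user with createHome, like the PR's mapAttrsToList."""
    return [(name, f"d {escape(u['home'])} {u['homeMode']} {name} {u['group']}")
            for name, u in users.items() if u["createHome"]]

def parsed_fields(users, escape, specifiers=None):
    """Return {user: decoded fields}. A correct 'd' line has exactly 5 fields and
    its path field round-trips to user.home; see how shell quoting breaks both."""
    specifiers = specifiers or {}
    result = {}
    for name, line in home_rules(users, escape):
        result[name] = [c_unescape(f, specifiers) for f in line.split()]
    return result

if __name__ == "__main__":
    for esc in (shell_escape, tmpfiles_escape):
        print(esc.__name__, parsed_fields(USERS, esc, {"h": "/root"}))
```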
I see. Well it's probably not impossible...
Well crap. Let's hold off on this until we have a solution or at least an answer to that bug. I'll be looking into it.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/users-users-name-createhome-not-creating-home-directory/30779/4
Looks like that systemd bug is fixed at least as of Systemd v254. This PR merged & fixed it. Nixpkgs 23.11 includes that version of Systemd, so this should be unblocked.
mutable-users.nix and user-home-mounts.nix tests do pass, is there anything else here in need of fixup before being merged?
- `users.users.<name>.home` directories are created with systemd tmpfiles rules instead of activation scripts. This fixes a bug where home directories were not created when home directories were on a separate mount. (See issue [#6481](https://github.com/NixOS/nixpkgs/issues/6481))
Should be moved to new release notes.
@jsoo1 Can you rebase on unstable? Personally, I'd prefer to see the PR without the reformat to make it easier to review. I think there are plans to auto-format all of nixpkgs once the nixfmt RFC 166 lands. @nikstur Is there anything about this PR that would conflict with or need adaptation for the merge of #270727 and its very similar approach to the home directory?
Think it would be better to reopen clone this & rebase it and then open another PR since it doesn't seem the author is responsive,
Sorry I am listening but I don't have bandwidth for this. @ixmatus and @bacchanalia can you help please?
bump
It might be some time before I have the personal bandwidth to push this forward. If I have some free-time in $JOB to push this along I'll try, maybe @bacchanalia and I can try working on it together a bit.
Fixes #6481
When the home directory is on a separate mount the user home directories were not created.
Using systemd tmpfiles solves the race condition.