Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Perlless Activation #270727

Merged
merged 12 commits into from
Jan 22, 2024
Merged

Perlless Activation #270727

merged 12 commits into from
Jan 22, 2024

Conversation

nikstur
Copy link
Contributor

@nikstur nikstur commented Nov 28, 2023

Introduces the bits and pieces necessary to build a fully perlless system (i.e. a system without the perl interpreter.)

Acknowledgement

Even if this is not necessarily reflected in the commits or code, this was a team effort. Thank you for your help!

Started at OceanSprint 2023 with bootstrapping help from @lheckemann and @blitz.

Mounting /etc via an overlayfs was @arianvp's original idea. @RaitoBezarius pointed out that we can use composefs to get modes and permissions into this overlay.

This is also part of the broader Boot Security Work

Description of changes

Design Document: https://pad.lassul.us/nixos-perlless-activation

This change consists of three parts:

  1. Introduce the ability to create users and groups with systemd-sysusers instead of via update-users-groups.pl
  2. Introduce the ability to mount /etc via an overlay (using mkcomposefs and other ideas stolen from composefs)
  3. Add the perlless profile, tying this all together and proving that you can have a fully perlless system.

Furthermore it depends on two more PRs:

The commits from these PRs are also contained in this PR and are marked with rebase:.

This change doesn't remove any of the current mechanisms to create users and /etc but only adds opt-in mechanism do it all without perl. I see this as the only way to introduce the new functionality. Straight up replacing the existing ones is too risky as test coverage is generally poor (or very depedent on the implementation) and this is a critical path. This way we can start live testing these features and incrementally improving them until they are mature enough to fully replace the existing mechanisms.

I'm pretty confident that you can use the new mechanisms even for a normal switchable system (but then you will have Perl because of switch-to-configuration.pl!).

Closes #267982

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Priorities

Add a 👍 reaction to pull requests you find important.

@nikstur nikstur requested review from a team and dasJ as code owners November 28, 2023 20:23
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog 8.has: module (update) This PR changes an existing module in `nixos/` 6.topic: systemd labels Nov 28, 2023
@nikstur
Copy link
Contributor Author

nikstur commented Nov 28, 2023

Test systemd-sysusers:
@ofborg test systemd-sysusers-mutable systemd-sysusers-immutable

Test etc overlay:
@ofborg test activation-etc-overlay-mutable activation-etc-overlay-immutable

Test perlless profiles:
@orborg test activation-perlless

Prove that I broke nothing:
@ofborg test switchTest mutableUsers

@Kiskae
Copy link
Contributor

Kiskae commented Nov 28, 2023

Feel free to link the relevant nixosTests into the composefs package tests so I don't forget to check whether an update breaks this.

@nikstur nikstur force-pushed the nixos-perlless-activation branch from e8cbcba to 27b1bcb Compare November 28, 2023 20:34
@nikstur nikstur changed the title Perlless activation Perlless Activation Nov 28, 2023
@nikstur nikstur added the significant Novel ideas, large API changes, notable refactorings, issues with RFC potential, etc. label Nov 28, 2023
Copy link
Member

@SuperSandro2000 SuperSandro2000 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The composefs trick is only required so that we can have permissions on files in /etc and also because we are missing mutable and immutable files.

Was it considered to just rewrite the perl script in a compiled language and why was that discarded?

Also relying on an one of toy program in The critical chain with lots and lots of very specific define conditions does not feel great.

nixos/modules/system/boot/systemd/tmpfiles.nix Outdated Show resolved Hide resolved
nixos/modules/config/users-groups.nix Show resolved Hide resolved
nixos/doc/manual/configuration/user-mgmt.chapter.md Outdated Show resolved Hide resolved
nixos/modules/system/etc/etc.nix Outdated Show resolved Hide resolved
nixos/modules/system/etc/etc.nix Show resolved Hide resolved
@ofborg ofborg bot added 8.has: package (new) This PR adds a new package 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10 labels Nov 29, 2023
@nikstur
Copy link
Contributor Author

nikstur commented Jan 28, 2024

Maybe they should, can't you otherwise define both environment.etc."/X11/xorg.conf.d/10-evdev.conf" and environment.etc."X11/xorg.conf.d/10-evdev.conf" at the same time? (What would that do?)

I agree that this is not correct.

I decided to fix both in this PR: #284508

size=os.stat(source).st_size,
filetype=FileType.file,
mode=mode,
payload=target,

This comment was marked as outdated.

This comment was marked as outdated.

@nyabinary
Copy link
Contributor

@nyabinary @oluceps you're errors both stem from some third party dependency hooking into the activationScripts, expecting the users script to exist. This then of course fails. The third party tools need to interoperate with the new perlless mechanisms to work.

What about this one? This happens when I enable system.etc.overlay.enable (also on that topic what does making the etc overlay immutable offer, what benefits and drawbacks?

warning: Git tree '/etc/nixos' is dirty
building the system configuration...
warning: Git tree '/etc/nixos' is dirty
error: builder for '/nix/store/y6z4q64j3pmrbrgdd2v6h5mm59knrd8d-etc-lowerdir.drv' failed with exit code 1;
       last 1 log lines:
       > cp: cannot stat '/etc/zoneinfo/America/New_York': No such file or directory
       For full logs, run 'nix log /nix/store/y6z4q64j3pmrbrgdd2v6h5mm59knrd8d-etc-lowerdir.drv'.
warning: killing stray builder process 368527 (bash -e /nix/store/v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh)...
error: 1 dependencies of derivation '/nix/store/g1fdfsym5m5db66bc4wn5li5yllwfdlv-nixos-system-nyan-24.05.20240125.ae5c332.drv' failed to build

Failing to find the New York time zone in the sandbox for some reason. Any solutions?

@Kiskae
Copy link
Contributor

Kiskae commented Feb 2, 2024

@nyabinary @oluceps you're errors both stem from some third party dependency hooking into the activationScripts, expecting the users script to exist. This then of course fails. The third party tools need to interoperate with the new perlless mechanisms to work.

What about this one? This happens when I enable system.etc.overlay.enable (also on that topic what does making the etc overlay immutable offer, what benefits and drawbacks?

warning: Git tree '/etc/nixos' is dirty
building the system configuration...
warning: Git tree '/etc/nixos' is dirty
error: builder for '/nix/store/y6z4q64j3pmrbrgdd2v6h5mm59knrd8d-etc-lowerdir.drv' failed with exit code 1;
       last 1 log lines:
       > cp: cannot stat '/etc/zoneinfo/America/New_York': No such file or directory
       For full logs, run 'nix log /nix/store/y6z4q64j3pmrbrgdd2v6h5mm59knrd8d-etc-lowerdir.drv'.
warning: killing stray builder process 368527 (bash -e /nix/store/v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh)...
error: 1 dependencies of derivation '/nix/store/g1fdfsym5m5db66bc4wn5li5yllwfdlv-nixos-system-nyan-24.05.20240125.ae5c332.drv' failed to build

Failing to find the New York time zone in the sandbox for some reason. Any solutions?

It looks like that path comes directly from environment.etc."<something>".source, so the question becomes why that would be configured that way. But in the builder there is pretty much only /nix/store and /build, no other directories will be visible.

EDIT:

localtime.source = "/etc/zoneinfo/${config.time.timeZone}";
localtime.mode = "direct-symlink";

What is mode = "direct-symlink" supposed to indicate, this looks like it involves some very old code.

@nyabinary
Copy link
Contributor

@nyabinary @oluceps you're errors both stem from some third party dependency hooking into the activationScripts, expecting the users script to exist. This then of course fails. The third party tools need to interoperate with the new perlless mechanisms to work.

What about this one? This happens when I enable system.etc.overlay.enable (also on that topic what does making the etc overlay immutable offer, what benefits and drawbacks?

warning: Git tree '/etc/nixos' is dirty
building the system configuration...
warning: Git tree '/etc/nixos' is dirty
error: builder for '/nix/store/y6z4q64j3pmrbrgdd2v6h5mm59knrd8d-etc-lowerdir.drv' failed with exit code 1;
       last 1 log lines:
       > cp: cannot stat '/etc/zoneinfo/America/New_York': No such file or directory
       For full logs, run 'nix log /nix/store/y6z4q64j3pmrbrgdd2v6h5mm59knrd8d-etc-lowerdir.drv'.
warning: killing stray builder process 368527 (bash -e /nix/store/v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh)...
error: 1 dependencies of derivation '/nix/store/g1fdfsym5m5db66bc4wn5li5yllwfdlv-nixos-system-nyan-24.05.20240125.ae5c332.drv' failed to build

Failing to find the New York time zone in the sandbox for some reason. Any solutions?

It looks like that path comes directly from environment.etc."<something>".source, so the question becomes why that would be configured that way. But in the builder there is pretty much only /nix/store and /build, no other directories will be visible.

EDIT:

localtime.source = "/etc/zoneinfo/${config.time.timeZone}";
localtime.mode = "direct-symlink";

What is mode = "direct-symlink" supposed to indicate, this looks like it involves some very old code.

Interesting so it comes from the locale module, also no idea what direct-symlink is trying to indicate, maybe ask one of the maintainers?

@MinerSebas
Copy link
Contributor

#284641 is attempting to drop direct-symlink here.

@nyabinary
Copy link
Contributor

#284641 is attempting to drop direct-symlink here.

Wouldn't the systemd patch need to be updated too?
Here:

+ e = PATH_STARTSWITH_SET(t, "/etc/zoneinfo/", "../etc/zoneinfo/");

@mlyxshi
Copy link
Contributor

mlyxshi commented Feb 4, 2024

with

# time.timeZone = "";
system.etc.overlay.enable = true;
systemd.sysusers.enable = true;

During activation

remounting /etc...
mount: /tmp/tmp.aNpgBX4W8F: special device overlay does not exist.
       dmesg(1) may have more information after failed mount system call.
Moving mount
Mounting beneath top mount
Invalid argument | move-mount.c: 546: main: mount_setattr
Attaching mount /tmp/tmp.aNpgBX4W8F -> /etc
Moving single attached mount
umount: /etc: not mounted.

dmesg

overlayfs: failed to resolve '/.rw-etc/upper': -2

@lheckemann
Copy link
Member

@mlyxshi did you reboot, or attempt to switch from a running non-overlay-etc system? I don't think the latter is reasonable to invest a lot of effort to support.

@nyabinary
Copy link
Contributor

Still broken with time.timeZone set as of March 16th.

@nyabinary
Copy link
Contributor

Still broken with time.timeZone set as of March 16th.

Still broken as of May 15th :P

@ThinkChaos
Copy link
Contributor

ThinkChaos commented May 17, 2024

Thanks for working on this!

I tried it out but disabled because activating without reboot regularly fails with umount: /etc: target is busy.
Maybe using umount --lazy would be good enough.

Also suggestions for what's user visible:

  • use descriptive prefixes instead of the default mktemp template
  • cleanup the activation script output which is quite noisy from a user perspective
    Sample output when switching between two identical generations:
    # /nix/var/nix/profiles/system-1409-link/activate
    remounting /etc...
    mount: /tmp/tmp.zHIII1Polh: WARNING: source write-protected, mounted read-only.
    Moving mount
    Mounting beneath top mount
    Attaching mount /tmp/tmp.DN6phFNZrA -> /etc
    Moving single attached mount
    umount: /etc: target is busy.
    Activation script snippet 'etc' failed (32)
    <<< /nix/var/nix/profiles/system-1408-link
    >>> /nix/var/nix/profiles/system-1409-link
    No version or selection state changes.
    Closure size: 2118 -> 2118 (10 paths added, 10 paths removed, delta +0, disk usage -24.5KiB).
    
    (the last bit is nvd)

EDIT: Oh and I also had the time zone issue and used the workaround mentioned above.

@con-f-use
Copy link
Contributor

#307159 for cross reference

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: systemd 8.has: changelog 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10 11.by: package-maintainer This PR was created by the maintainer of the package it changes significant Novel ideas, large API changes, notable refactorings, issues with RFC potential, etc.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Perlless Activation - Tracking Issue