This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
Discussed in Nix team meeting on 2022-12-19:

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

🎉 All dependencies have been resolved!
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
Not really needed since it's configurable from the config (and people can always use `$NIX_CONFIG` if they really need to configure it from the CLI)
Based on an offline review by @mopleen (thanks!)
It is no longer needed. See f4a8426 which did the same thing in the rest of Nix.
The test plan is taken from https://github.com/thufschmitt/rootless-nix-daemon-test. That intentionally used non-NixOS to get around the ambient Nix daemon, but with newer NixOS we can in fact disable the ambient Nix daemon and run our own!

A few things which are needed to make this nicer in the future:

- NixOS/nixpkgs#3702: a now-fixed issue, but won't be available until 23.05
- NixOS/nixpkgs#263248, NixOS/nixpkgs#263250: newly opened issues inspired by the process of writing this test.
I misunderstood what was going on and NixOS/nixpkgs#263248 is a non-issue. That means we can improve the code right away. Thank you @eclairevoyant for tipping me off that I was mistaken!
Otherwise the tests get stuck when using the daemon (I didn't understand why though, so this is a dirty patch more than a proper fix, but at least it works now)
Move its definition before a loop that might change `$!`
Oh, there was the matter of docs from @roberth too.
Not supported by the installer because there are many moving parts, but a rough installation guide can be used by people to get a custom installation for their needs.
That would defeat the whole purpose of the thing as it would provide a nice escalation path from a Nix vulnerability to root access
We got rid of them in the rest of the code, so let's do the same here.
Has been made a bit more lenient upstream, so match that
Co-Authored-By: Robert Hensing <[email protected]>
| @@ -0,0 +1,138 @@ | |||
| # Using Nix in multi-user mode with a non-root daemon | |||
|
|
|||
| > Experimental blurb | |||
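Review bot: the `> Experimental blurb` line directly under the title is a placeholder where the experimental-feature notice belongs, and it should not ship as-is. The PR description says the feature is guarded behind the `external-gc-daemon` experimental flag, so say that here, in the form the rest of the manual uses for experimental features, and tell the reader which `experimental-features` entry they need in their `nix.conf` before any of the later steps will work.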
This looks like a placeholder. Was this WIP?
| sudo systemctl start nix-daemon.socket | ||
| sudo systemctl start nix-find-roots.socket | ||
| ``` | ||
| 10. Profit |
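Review bot: step 10 (`10. Profit`) ends the procedure without anything that confirms the two daemons actually work, and the `sudo systemctl start nix-daemon.socket` / `sudo systemctl start nix-find-roots.socket` lines above only start the sockets for the current boot. Suggest `sudo systemctl enable --now` for both socket units so the setup survives a reboot, and replace step 10 with a short check that exercises the store through the unprivileged daemon and then the gc-root path (for example `nix store add-file` on a scratch file followed by `nix store gc --dry-run`), so the reader sees the root-finding helper being consulted before declaring success.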
| 10. Profit | |
| The daemons are now set up. You may try it: | |
| ```sh | |
| head -c 20 /dev/urandom >test.data | |
| nix store add-file test.data | |
| nix store gc --dry-run | |
| ``` |
To my surprise nix store gc --dry-run seems to be real.
It is horribly slow on my store though, so I've interrupted it.
| WantedBy=sockets.target | ||
| EOF | ||
| ``` | ||
| 7. Install the systemd services for the tracing daemon: |
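Review bot: step 7 calls it the "tracing daemon" while the unit started later in the guide is `nix-find-roots.socket`; use the unit name in the heading ("Install the systemd units for nix-find-roots") so the reader can match the file written here to the socket they start later. Since this helper is the component that keeps root, also check that the `[Socket]` section above the `WantedBy=sockets.target` line shown here restricts who may connect (`SocketUser=`/`SocketMode=` limited to the daemon's account) rather than leaving the socket world-accessible: an unprivileged nix-daemon gains little if any local user can drive the root-running helper directly.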
Is it a "gc roots" or "tracing" daemon?
We should use one name everywhere.
| # No root daemon | ||
| nix.enable = false; |
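Review bot: the comment `# No root daemon` undersells what `nix.enable = false;` does: it switches off the whole NixOS Nix module, not just the daemon, so the test gets neither the Nix installation nor the generated config file from the module and has to provide them itself. Either reword the comment to say that this is the whole-module switch used because no daemon-only option exists yet, or wait for such an option so the installation and config stay module-managed and only the root daemon is dropped.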
non-blocking:
Exposing a module for this kind of setup would be nice, but needs a few improvements.
I think you could blacklist the daemon module, at least on recent enough NixOS the daemon-specific stuff is separate from the Nix installation and config file.
I think we need a nix.daemon.enable in NixOS to be sure.
Is there anything still blocking progress on this PR? GHSA-h4vv-h3jq-v493 has shown that getting to a rootless daemon is still important.

Needs a rebase, some attention, and someone to shepherd it forward. I'm not aware of any fundamental blockers.

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
| systemd.user.sockets.nix-daemon = { | ||
| }; | ||
| systemd.user.services.nix-daemon = { |
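Review bot: `systemd.user.sockets.nix-daemon` and `systemd.user.services.nix-daemon` are per-user units, which only run inside a logged-in user's session manager and cannot carry a `User=` setting, so they do not give a system-wide daemon running as a dedicated `nix-daemon` account. Define them under `systemd.sockets` / `systemd.services` instead, with `serviceConfig.User = "nix-daemon"` on the service, and set the socket's ownership and mode explicitly so other users can still connect to the store daemon.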
You probably don't want user services, those will only start on a user's first login session. This should be a system service running as the user nix-daemon
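A concrete shape for the system units that comment asks for, written as an added example rather than taken from the PR's test or documentation. It generates socket-activated system units that run the store daemon as an unprivileged `nix-daemon` account and the gc-roots helper as root, and it makes the privilege split explicit: the daemon socket is open to every local user, while the helper's socket is owned by the daemon account with mode 0600, so a compromised daemon is the only thing that can reach the root-running component. The socket path of the helper, the binary location and how the daemon is pointed at the helper socket are assumptions; only `nix-daemon --daemon` and the standard daemon socket path are real.

```shell
#!/bin/sh
# Added example (not from the PR): systemd *system* units for a nix-daemon that
# runs as an unprivileged account, plus a root-owned gc-roots helper reachable
# only by that account. Helper socket path, unit names, binary location and the
# helper's command line are assumptions made for illustration.
set -eu

DAEMON_USER=nix-daemon                           # unprivileged account for the store daemon
NIX_SOCKET=/nix/var/nix/daemon-socket/socket    # the standard nix-daemon socket path
ROOTS_SOCKET=/nix/var/nix/gc-socket/socket      # assumed socket for the gc-roots helper
BIN=/run/current-system/sw/bin                  # assumed location of the binaries

# write_units DIR: write the four unit files into DIR (normally /etc/systemd/system).
write_units() {
  dir=$1
  cat >"$dir/nix-daemon.socket" <<EOF
[Unit]
Description=Nix daemon socket (daemon runs as $DAEMON_USER)

[Socket]
ListenStream=$NIX_SOCKET
# Every local user is a store client, so the socket itself is world-accessible.
SocketMode=0666

[Install]
WantedBy=sockets.target
EOF

  cat >"$dir/nix-daemon.service" <<EOF
[Unit]
Description=Nix daemon, unprivileged
Requires=nix-daemon.socket nix-find-roots.socket
After=nix-find-roots.socket

[Service]
# A system unit with User= (not a user unit): starts at boot, not at first login.
User=$DAEMON_USER
ExecStart=$BIN/nix-daemon --daemon
# The daemon never needs to regain privileges; a bug in it stays at $DAEMON_USER.
NoNewPrivileges=yes
EOF

  cat >"$dir/nix-find-roots.socket" <<EOF
[Unit]
Description=GC roots helper socket

[Socket]
ListenStream=$ROOTS_SOCKET
# The helper keeps root, so only the daemon account may connect to it.
SocketUser=$DAEMON_USER
SocketMode=0600

[Install]
WantedBy=sockets.target
EOF

  cat >"$dir/nix-find-roots.service" <<EOF
[Unit]
Description=GC roots helper (the one component that still needs root)
Requires=nix-find-roots.socket

[Service]
User=root
ExecStart=$BIN/nix-find-roots
EOF
}

# check_units DIR: return 0 only if the privilege split is as intended:
# the store daemon is not root, and the root helper's socket is private to it.
check_units() {
  dir=$1
  grep -qx "User=$DAEMON_USER" "$dir/nix-daemon.service" || return 1
  grep -qx 'User=root' "$dir/nix-daemon.service" && return 1
  grep -qx "SocketUser=$DAEMON_USER" "$dir/nix-find-roots.socket" || return 1
  grep -qx 'SocketMode=0600' "$dir/nix-find-roots.socket" || return 1
  return 0
}

# Usage: NIX_UNITS_DIR=/etc/systemd/system sh rootless-units.sh, then
# systemctl daemon-reload && systemctl enable --now nix-find-roots.socket nix-daemon.socket
if [ -n "${NIX_UNITS_DIR:-}" ]; then
  write_units "$NIX_UNITS_DIR"
  check_units "$NIX_UNITS_DIR"
fi
```

The `check_units` function is the part worth keeping around: it encodes the invariant the whole PR exists for (the store daemon is not root, and the only root-running piece is reachable solely from the daemon's account), so it can be rerun after any edit to the units.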
Depends on #5226

This PR adds the possibility to defer the collection of the gc roots to an external daemon (communicating with it through a UNIX socket).

The motivation for that is that (excluding #5226), finding the GC roots is the only part of Nix that strictly requires root. So deferring that part to an external tool means that it's possible to run the Nix daemon as a non-root user (with the obvious security gains that come with it).

Along with it is included such an external tracing daemon (under `src/nix-find-roots`), written in such a way that it doesn't depend on anything but the C++ STL.

https://github.com/regnat/rootless-nix-daemon-test provides a sample setup in which the nix-daemon is running as a normal `nix-daemon` user.

Using this feature is currently guarded behind the `external-gc-daemon` experimental flag.

Fix #5208