Conversation
github-actions
bot
added
the
6.topic: systemd
ofborg
bot
added
10.rebuild-darwin: 101-500
flokli
left a comment
flokli
left a comment
There was a problem hiding this comment.
LGTM. CI error might be unrelated, and fix itself after another rebase to staging.
software-artificer
force-pushed
the
systemd-optional-deps
branch
from
c53e072 to
22d7c22
Compare
There was a problem hiding this comment.
I have a question on this one: what would be the preferred way to do something like that? Would it be what I have done in the change or something like this instead:
| assert withHomed -> withCryptsetup; | |
| assert withHomed -> withPam; | |
| assert withHomed -> withCryptsetup && withPam; |
software-artificer
force-pushed
the
systemd-optional-deps
branch
from
22d7c22 to
c9962a8
Compare
There was a problem hiding this comment.
I am not sure if this is necessary, but it seems that way, because if we go from kmod enable to kmod disabled or vice-versa we might have issues reloading some of the systemd units on nixos-rebuild switch. Please, correct me if I misunderstand this.
software-artificer
force-pushed
the
systemd-optional-deps
branch
2 times, most recently
from
e6c8a7b to
3aec4cd
Compare
pkgs/top-level/all-packages.nix
Outdated
There was a problem hiding this comment.
As far as I understand we only care about the libudev provided by the systemdMinimal, so I have disabled the kmod integration here, because AFAIK it is only used by the systemd-modules-load, but not in the Udev implementation (this is used instead).
There was a problem hiding this comment.
mobile-nixos at least uses the udevd from systemdMinimal, so this change breaks mobile-nixos.
I think it's fair enough to say that systemdStage1 or a full systemd should be used instead, but in that case we should probably also prevent udevd and rules from being installed at all in the minimal (libudev-only) variant of the package -- because I imagine cases where a kmod-free udevd is indeed desired should be extremely rare and if someone needs that they'll probably know it.
There was a problem hiding this comment.
(the kmod-builtin thing is only included if HAVE_KMOD is true https://github.com/systemd/systemd/blob/4f44d2c4f76922a4f48dd4473e6abaca40d7e555/src/udev/meson.build#L39 )
There was a problem hiding this comment.
@lheckemann thanks for the information. I will drop a PR later to but it back on. Do we have any tests covering mobile-nixos use case?
There was a problem hiding this comment.
Opened #224421, apologies for the inconvenience. A question I have on this: would it make sense to have systemdMobile with precisely tailored set of options enabled in order to avoid running into similar problems in the future?
pkgs/top-level/all-packages.nix
Outdated
There was a problem hiding this comment.
I assume we care about ACL and kmod in stage1, but I am not sure about the PAM stack. Can it be dropped?
There was a problem hiding this comment.
I'm not sure. It's probably needed to ssh in (?), as well as to enter the root password in case there was an error? @ElvishJerricco, any thoughts?
There was a problem hiding this comment.
To be honest I'm not entirely sure. We shouldn't need PAM, as we don't include anything else related to PAM (for instance, the ssh module in #169116 has UsePAM no). I would wager that kmod is needed for systemd-modules-load, in which case yes that is a requirement for systemd stage 1. But I'm not sure about withAcl.
There was a problem hiding this comment.
Thanks @ElvishJerricco!
If we aren't using PAM this early, I am happy to drop it and re-test relevant things.
ACL I think is needed. I am not deeply familiar with NixOS yet (I have just recently started playing around with it), but a lot of modern system use ACL to allow access to /dev/dri/ device nodes, and that's something Plymouth for example takes advantage of IIRC.
|
Hey @flokli, thanks a lot for your guidance so far. I think I have trimmed everything to the bare minimum at this point, but I have a bunch of questions that I would need your guidance on, whenever you have some time 🙏🏻 Thanks in advance. What would be the best way to test all of this? Do I need to write some tests, and if so what do we want to actually test here? I really haven't had an opportunity to figure out testing just yet, so appreciate any help on this. |
We have a bunch of tests in |
|
Just a small progress update: I am continuing to work on this, just having some trouble running tests and verifying everything (due to my LXC set-up), so needed to build a VM and a bit of infra to be able to test this properly and will come back with the results at some point soon-ish, time permitting. |
software-artificer
force-pushed
the
systemd-optional-deps
branch
from
3aec4cd to
df917ea
Compare
|
So I've got a system running NixOS now, so I can run the tests, but I am having a problem building the test dependencies to be able to run the tests: Which seems to be a problem between pygments 2.14.0 and ipython <8.8. How would one normally deal with this? Just disable the offending tests for now as they're completely unrelated to the change? Or do I just cherry-pick my change on top of the current stable channel (so I can use prebuilt dependencies) and test thing that way? Any ideas @flokli? |
|
Sorry for the delay in replying. I think you've been bitten by another unrelated regression in staging, which might be very unstable sometimes (that's what we use the staging-next stabilization cycles for). In these cases, it's probably easiest to test your changes by cherry-picking these commits on top of master (pushed to a separate branch, but still keep the PR open as-is), and once you're happy with the results, merge this PR. |
software-artificer
force-pushed
the
systemd-optional-deps
branch
2 times, most recently
from
c640c08 to
08585dd
Compare
There was a problem hiding this comment.
Missed this one initially, which was failing the build. Now fixed.
github-actions
bot
added
the
6.topic: nixos
software-artificer
force-pushed
the
systemd-optional-deps
branch
from
48a3143 to
0b27efe
Compare
|
Hey @flokli, I think I have reached the point where we can start getting ready to merge this. Do you want me to test or verify anything else before? Or do I make this PR ready for review and we work from there? |
|
@filakhtov thanks! Yes, this looks pretty good now. I think we should be running some more tests (installer tests, systemd-initrd* tests), to make sure there's no new test failures (some of these might already be broken currently). If there's no new regressions, fine for me to merge this :-) |
Expose a new `withLibidn2` flag (defauts to true for backwards compatibility) to be able to conditionally enable and disable integration with `libidn2`, which is used by the `systemd-network` and `systemd-resolved` to support internationalized domain names.
Expose a new `withAcl` flag (defaults to true for backwards compatibility) to be able to conditionally enable and disable an integration with `libacl` library, which is used by variety of systemd tools and daemon, e.g. `journald` will check ACLs in addition to regular permissions when accessing journal files and `systemd-nspawn` will update ACL entries when used with the `--private-users-chown` flag.
Expose a new `withAudit` flag (defaults to `true` for backwards compatibility) to be able to conditionally enable and disable an integration with the `libaudit` library, which is used to integrate with Linux Audit Framework for logging various security-relevant events.
Expose a new `withPam` option to allow enabling and disabling integration with PAM stack, including the `systemd-user-sessions` daemon and the associated `.service` file, as well as `pam_systemd.so` PAM module for integration with `systemd-logind` and user session registration with the systemd cgroup hierarchy.
Expose a new `withKmod` option to be able to enable and disable kmod integration, including the `systemd-modules-load` tool for automatic modules loading during the system boot sequence.
The `systemdMinimal` build is used purely for Udev and therefore does not require all the extra dependencies that are needed for normal operation. As more flags were exposed to allow disabling additional opional dependencies the `systemdMinimal` will now take advantage of those.
software-artificer
force-pushed
the
systemd-optional-deps
branch
from
0b27efe to
38bdc13
Compare
github-actions
bot
removed
the
6.topic: nixos
|
Hey @flokli thank you very much for bearing with me on this, as well as for your support and guidance! 🙇🏻♂️ |
When PAM was made optional initially, we decided to keep it enabled for stage 1, but as was later pointed out during the code review it is unnecessary, because we never use PAM in stage 1, even in network-enabled stage 1 with OpenSSH we have `UsePAM` set to `no`, so disabling it now.
|
Let's get this in, and deal with any further regressions during the next stabilization cycle. This is probably better tested than some other staging changes ;-) Thanks a lot for the work! |
4 participants
Description of changes
Allow to slim down the systemd build by:
libacloptional;libidn2optional;systemd-initrd-simpletestFixes #216461
Things done
For non-Linux: IsTesting on NixOS.sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Test suites
Tests were executed from the current
masterbranch with my commits cherry-picked on top in order to avoid some broken state in the currentstaging.Test logs are uploaded to pastebin due to their massive size and GH limits