Skip to content

systemd: enable sysusers by default#264879

Merged
nikstur merged 1 commit intoNixOS:stagingfrom
nikstur:systemd-sysusers-staging
Nov 2, 2023
Merged

systemd: enable sysusers by default#264879
nikstur merged 1 commit intoNixOS:stagingfrom
nikstur:systemd-sysusers-staging

Conversation

@nikstur
Copy link
Contributor

@nikstur nikstur commented Nov 1, 2023

Description of changes

Build systemd-sysusers by default. This is part of a larger project to remove Perl from the activation. See more details on this project here: https://pad.lassul.us/nixos-perlless-activation

I intend on using systemd-sysusers to create users and groups instead of users-groups.pl. Because changing the systemd derivation will cause a mass rebuild, I factored this into a separate PR.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added the 6.topic: systemd Software suite that provides an array of system components for Linux operating systems. label Nov 1, 2023
@nikstur nikstur requested a review from blitz November 1, 2023 20:03
@nikstur nikstur marked this pull request as ready for review November 1, 2023 20:03
@nikstur nikstur requested a review from a team as a code owner November 1, 2023 20:03
@aanderse
Copy link
Member

aanderse commented Nov 1, 2023

i just read through the notes you provided... sounds really cool 👍

systemd-sysusers isn't nearly as feature filled as our perl scripts... but most of that gap magically goes away with /etc as an overlayfs - awesome stuff!

@ofborg ofborg bot added 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Nov 1, 2023
@delroth delroth added the 12.approvals: 1 This PR was reviewed and approved by one person. label Nov 2, 2023
@aanderse aanderse mentioned this pull request Nov 2, 2023
Open
12 tasks
@nikstur nikstur merged commit 6e4099c into NixOS:staging Nov 2, 2023
@aanderse
Copy link
Member

aanderse commented Nov 2, 2023

@nikstur - is there anywhere i can keep up to date on the developments mentioned in that pad? i would love to follow along with what y'all are working on there... 🤩

@nikstur
Copy link
Contributor Author

nikstur commented Nov 2, 2023

@aanderse I'll list all the associated PRs in the Pad. Otherwise, you can just follow my Nixpkgs activity I guess :D

@RaitoBezarius RaitoBezarius mentioned this pull request Nov 5, 2023
Open
@nikstur nikstur mentioned this pull request Nov 16, 2023
Closed
@jtojnar jtojnar mentioned this pull request Apr 3, 2024
Merged
13 tasks
@anna328p
Copy link
Member

anna328p commented Aug 6, 2024
edited
Loading

Broken by d43e323

@nikstur
Copy link
Contributor Author

nikstur commented Aug 7, 2024

Broken by d43e323

What exactly is broken?

@anna328p
Copy link
Member

anna328p commented Aug 17, 2024

It is now impossible to enable sysusers on a system that has "normal users", meaning that any system that uses perlless activation and/or immutable /etc will fail to build.

@Mic92
Copy link
Member

Mic92 commented Aug 18, 2024

It is now impossible to enable sysusers on a system that has "normal users", meaning that any system that uses perlless activation and/or immutable /etc will fail to build.

They were not actual normal users because their uids was < 1000. So the "normal users" were a lie.

@anna328p
Copy link
Member

anna328p commented Aug 18, 2024

Not if the uid was set manually, which was the case in my configuration.

@nikstur nikstur deleted the systemd-sysusers-staging branch August 18, 2024 20:22
@nikstur
Copy link
Contributor Author

nikstur commented Aug 18, 2024

Irrespective of any workarounds, systemd-sysusers is not designed to create "normal" users. This PR makes this explicit.

However, there is another solution to this problem. Once #332719 is merged, you can use Userborn to manage your users without Perl.

@anna328p
Copy link
Member

anna328p commented Aug 18, 2024
edited
Loading

It is still the case that before d43e323, upon setting systemd.sysusers.enable = true; my configuration built and activated without issue; I did not notice any problems with UID assignment or password changes because, due to using a tmpfs as /, my configuration had set the UID explicitly and set the user's password using the initialHashedPassword option. After d43e323, my config did not build anymore and I needed to spend an hour tracking down a chain of poorly documented changes that had caused it.

(I was not present in whatever discussions led to this change; it feels like the general assumption is that I should have known this would happen.)

I would like to request the following changes to the assertion added in d43e323 to avoid unexpectedly breaking people's configs with no warning:

  • if possible, a stopgap solution: make the assertion conditional on all normal users' options being compatible with sysusers, such as using only initialHashedPassword or equivalent and setting the UID explicitly.
  • a better error message that explains what happened and what needs to be changed.

@nikstur
Copy link
Contributor Author

nikstur commented Aug 19, 2024

I would like to request the following changes to the assertion

I'll happily review a PR.

Please understand, however, that my focus going forward will be Userborn as that's the solution to systemd-sysusers limitations.

it feels like the general assumption is that I should have known this would happen

With experimental features some breakage unfortunately has to be expected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arianvp arianvp arianvp approved these changes

@RaitoBezarius RaitoBezarius Awaiting requested review from RaitoBezarius

@lheckemann lheckemann Awaiting requested review from lheckemann

@blitz blitz Awaiting requested review from blitz

@kloenk kloenk Awaiting requested review from kloenk

@anthonyroussel anthonyroussel Awaiting requested review from anthonyroussel

@flokli flokli Awaiting requested review from flokli

@Mic92 Mic92 Awaiting requested review from Mic92

@gbtb gbtb Awaiting requested review from gbtb

@WilliButz WilliButz Awaiting requested review from WilliButz

@prusnak prusnak Awaiting requested review from prusnak

Assignees

No one assigned

Labels

6.topic: systemd Software suite that provides an array of system components for Linux operating systems. 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@nikstur @aanderse @anna328p @Mic92 @arianvp @delroth