nixos/systemd: Implement a packages option for tmpfiles #93073
Conversation
|
This is a draft since my tests are still building. |
dasJ
changed the title
| @@ -134,8 +134,7 @@ in { | |||
| CacheDirectoryMode = "0750"; | |||
| }; | |||
|
|
|||
| environment.etc."tmpfiles.d/knot-resolver.conf".source = | |||
| "${package}/lib/tmpfiles.d/knot-resolver.conf"; | |||
| systemd.tmpfiles.packages = package; | |||
There was a problem hiding this comment.
| systemd.tmpfiles.packages = package; | |
| systemd.tmpfiles.packages = [ package ]; |
| @@ -26,7 +26,7 @@ in { | |||
|
|
|||
| systemd.packages = [ pkgs.colord ]; | |||
|
|
|||
| environment.etc."tmpfiles.d/colord.conf".source = "${pkgs.colord}/lib/tmpfiles.d/colord.conf"; | |||
| systemd.tmpfiles.packages = pkgs.colord; | |||
There was a problem hiding this comment.
| systemd.tmpfiles.packages = pkgs.colord; | |
| systemd.tmpfiles.packages = [ pkgs.colord ]; |
| "tmpfiles.d".source = (pkgs.symlinkJoin { | ||
| name = "tmpfiles.d"; | ||
| paths = cfg.tmpfiles.packages; | ||
| }) + "/lib/tmpfiles.d"; |
There was a problem hiding this comment.
Could we check here every package in the list exposes a lib/tmpfiles.d and fail otherwise?
This should make it easier to spot accidentially passing in the wrong output, as described in #93006 (comment).
ajs124
force-pushed
the
tmpfiles-packages
branch
2 times, most recently
from
0dfd7b6
to
e4e2801
Compare
| for i in $(cat $pathsPath); do | ||
| test -d $i/lib/tmpfiles.d || ( | ||
| echo "ERROR: The path $i was passed to systemd.tmpfiles.packages but does not contain the folder lib/tmpfiles.d" | ||
| exit 1 |
There was a problem hiding this comment.
Is this supposed to exit the entire shell?
I think bash / sh will only exit the subshell here..
There was a problem hiding this comment.
I'm >90% sure this works and tested it with systemd.tmpfiles.packages = [ pkgs.hello ];.
Actually… yeah, this probably only exits the subshell, but all phases run with set -e, so this does fail the whole build.
There was a problem hiding this comment.
Ah right, set -e will make it fail. Sorry for the noise!
| <filename><replaceable>pkg</replaceable>/lib/tmpfiles.d</filename> | ||
| will be included. | ||
|
|
||
| If a <filename>lib</filename> output is available, rules are searched there. |
There was a problem hiding this comment.
This should somehow describe it then /only/ looks in the lib output
(and maybe explain the whole fallback depending on which outputs the package has (lib -> out -> default output)), but I'm struggling with how to write this in a more explicit and less misunderstandable way.
There was a problem hiding this comment.
How about: "If a lib output is available, rules are searched there and only there. If there is lib it will fall back to out and if that does not exist either, the default output will be used."
Although this should maybe just be documented somewhere "generically". As in, explain getOutput in some part of the manual and reference if for options like this, because there are probably a bunch of them.
There was a problem hiding this comment.
Yeah, let's refactor it to a more generic place as soon as there's more than 2 things trying to document it :-)
There was a problem hiding this comment.
#93006 isn't trying to document it right now, but it also does apply = map getLib;
There was a problem hiding this comment.
Can you change this to "If a lib output is available, rules are searched there and only there. If there is lib it will fall back to out and if that does not exist either, the default output will be used." for now?
|
|
||
| "tmpfiles.d/home.conf".source = "${systemd}/example/tmpfiles.d/home.conf"; | ||
| "tmpfiles.d/journal-nocow.conf".source = "${systemd}/example/tmpfiles.d/journal-nocow.conf"; | ||
| "tmpfiles.d/portables.conf".source = "${systemd}/example/tmpfiles.d/portables.conf"; |
There was a problem hiding this comment.
Nice catch! This isn't there as we currently build systemd with -Dportabled=false, which is fine for now.
| ln -s "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf" | ||
| ln -s "${systemd}/example/tmpfiles.d/systemd.conf" | ||
| ln -s "${systemd}/example/tmpfiles.d/systemd-nologin.conf" | ||
| ln -s "${systemd}/example/tmpfiles.d/systemd-nspawn.conf" |
There was a problem hiding this comment.
We we should add this during nixos/modules/system/boot/systemd-nspawn.nix (but unconditionally, as we want to have the tmpfiles set up when running systemd-nspawn imperatively)
| ln -s "${systemd}/example/tmpfiles.d/systemd-tmp.conf" | ||
| ln -s "${systemd}/example/tmpfiles.d/tmp.conf" | ||
| ln -s "${systemd}/example/tmpfiles.d/var.conf" | ||
| ln -s "${systemd}/example/tmpfiles.d/x11.conf" |
There was a problem hiding this comment.
This should be moved to nixos/modules/services/x11/xserver.nix
There was a problem hiding this comment.
Why? It's part of the systemd package. Putting it in nixos/modules/services/x11/xserver.nix would just result in
systemd.tmpfiles.packages = [(pkgs.runCommand "x11-tmpfiles" {} ''
mkdir -p $out/lib/tmpfiles.d
cd $out/lib/tmpfiles.d
ln -s "${systemd}/example/tmpfiles.d/x11.conf"
'')];
Is that really better?
There was a problem hiding this comment.
Hmm, it contains x11-specific tmpfile rules, which we probably don't really want on a nongraphical system. But eh, this specific one only removes files, so 🤷
ajs124
force-pushed
the
tmpfiles-packages
branch
from
e4e2801
to
037d81f
Compare
| <filename><replaceable>pkg</replaceable>/lib/tmpfiles.d</filename> | ||
| will be included. | ||
|
|
||
| If a <filename>lib</filename> output is available, rules are searched there and only there. If there is no <filename>lib</filename> output it will fall back to <filename>out</filename> and if that does not exist either, the default output will be used. |
|
|
||
| All found files in | ||
| <filename><replaceable>pkg</replaceable>/lib/tmpfiles.d</filename> | ||
| will be included. |
There was a problem hiding this comment.
I'd add "If none of these files can be found, this will return an error."
There was a problem hiding this comment.
Hm, right now we actually check if this folder exist, not if any files are in there. Maybe we should change that check (in addition to documenting it).
Also drop the `portables` tmpfiles because the file is missing in the systemd derivation.
ajs124
force-pushed
the
tmpfiles-packages
branch
from
037d81f
to
a44b2cd
Compare
| "tmpfiles.d/systemd-tmp.conf".source = "${systemd}/example/tmpfiles.d/systemd-tmp.conf"; | ||
| "tmpfiles.d/tmp.conf".source = "${systemd}/example/tmpfiles.d/tmp.conf"; | ||
| "tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf"; | ||
| "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf"; |
There was a problem hiding this comment.
Previously I could disable tmp.conf (to keep /tmp across reboots) with environment.etc."tmpfiles.d/tmp.conf".text = "# disabled by me";. This does not work anymore. How shall I achieve that now? May these .source lines be restored? (I do not see the benefit of the new way.)
There was a problem hiding this comment.
Oof. @ajs124 Can files be overridden with a package that is later in the list?
There was a problem hiding this comment.
@ajs124 I see the purpose of systemd.tmpfiles.packages in general, but I do not see the benefit of the new synthetic packages "systemd-default-tmpfiles" and "nixos-tmpfiles.d" over the old environment.etc."tmpfiles.d/00-nixos.conf".text = …; "tmpfiles.d/tmp.conf".source = .
There was a problem hiding this comment.
I suppose that using solely systemd.tmpfiles.packages for managing /etc/tmpfiles.d is good for uniformity, but it looses the well thought out infrastructure for customizing /etc via environment.etc settings. I think that systemd.tmpfiles.packages should be empty by default to allow the user an easy choice between using unmodified upstream tmpfiles.d and custom alternatives.
There was a problem hiding this comment.
A simple solution would be maintaining a exclude list of .conf files, which shouldn't be added to /etc in the end.
This sounds good if we would exclude all files in environment.etc.
There was a problem hiding this comment.
You could also lib.mkForce the list to get rid of the default packages.
This is not acceptable because I want to keep all other systemd tmpfiles.d installed.
There was a problem hiding this comment.
This sounds good if we would exclude all files in environment.etc.
Not sure if I understand. /etc/tmpfiles.d would still symlink into the nix store, but the code assembling it could have an exclusion list.
Also, what do you think about using buildEnv, and its priorities mechanism?
There was a problem hiding this comment.
I've just opened #96755 to track this.
Also, what do you think about using buildEnv, and its priorities mechanism?
Sounds like an improvement to me as it doesn't require Nixpkgs patches anymore but it's likely still a pretty verbose solution that isn't that use friendly (though I would be ok with it and I'm not sure if we could easily do better).
I guess a pretty compact snipped to use this would look something like this:
systemd.tmpfiles.packages = [
(lib.hiPrio (pkgs.writeTextDir "lib/tmpfiles.d/tmp.conf" ''
# Disabled
''))
];
…nt.etc This allows the user to configure systemd tmpfiles.d via `environment.etc."tmpfiles.d/X.conf".text = "..."`, which after NixOS#93073 causes permission denied (with new X.conf): ``` ln: failed to create symbolic link '/nix/store/...-etc/etc/tmpfiles.d/X.conf': Permission denied builder for '/nix/store/...-etc.drv' failed with exit code 1 ``` or collision between environment.etc and systemd-default-tmpfiles packages (with existing X.conf, such as tmp.conf): ``` duplicate entry tmpfiles.d/tmp.conf -> /nix/store/...-etc-tmp.conf mismatched duplicate entry /nix/store/...-systemd-246/example/tmpfiles.d/tmp.conf <-> /nix/store/...-etc-tmp.conf builder for '/nix/store/...-etc.drv' failed with exit code 1 ``` Fixes NixOS#96755
…nt.etc (#96766) This allows the user to configure systemd tmpfiles.d via `environment.etc."tmpfiles.d/X.conf".text = "..."`, which after #93073 causes permission denied (with new X.conf): ``` ln: failed to create symbolic link '/nix/store/...-etc/etc/tmpfiles.d/X.conf': Permission denied builder for '/nix/store/...-etc.drv' failed with exit code 1 ``` or collision between environment.etc and systemd-default-tmpfiles packages (with existing X.conf, such as tmp.conf): ``` duplicate entry tmpfiles.d/tmp.conf -> /nix/store/...-etc-tmp.conf mismatched duplicate entry /nix/store/...-systemd-246/example/tmpfiles.d/tmp.conf <-> /nix/store/...-etc-tmp.conf builder for '/nix/store/...-etc.drv' failed with exit code 1 ``` Fixes #96755
Motivation for this change
#66856 (comment)
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)cc @flokli