Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/stage-1: fix initrd secrets with custom compressor #92964

Merged
merged 1 commit into from Aug 13, 2020
Merged

nixos/stage-1: fix initrd secrets with custom compressor #92964

merged 1 commit into from Aug 13, 2020

Conversation

lopsided98
Copy link
Contributor

Motivation for this change

Makes the initrd secrets appender respect the boot.initrd.compressor option, as well as making the initrd reproducible (although I didn't verify reproducibility).

For any compressor other than gzip, you must use an absolute path. xz works for the main initrd because it is available in stdenv, but will need an absolute path to work with initrd secrets.

Using a absolute path will break cross-compiling because the compressor is needed both at build and run time.

I tested this PR with the initrd-network-ssh test that uses initrd secrets (needs #91744 to build successfully).

Fixes #90352

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc @S-NA @Mic92

@lopsided98 lopsided98 mentioned this pull request Jul 11, 2020
Closed
@Mic92 Mic92 merged commit 2822451 into NixOS:master Aug 13, 2020
@lopsided98 lopsided98 deleted the initrd-secrets-compressor branch August 13, 2020 16:02
@xaverdh
Copy link
Contributor

xaverdh commented Aug 22, 2020

For any compressor other than gzip, you must use an absolute path. xz works for the main initrd because it is available in stdenv, but will need an absolute path to work with initrd secrets.

Using a absolute path will break cross-compiling because the compressor is needed both at build and run time.

What would be the right thing to do here, take the compressor binary from buildPackages for makeInitrd and from pkgs for the initialRamdiskSecretAppender script?

@xaverdh xaverdh mentioned this pull request Aug 22, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

nixos/stage-1: initialRamdiskSecretAppender does not respect boot.initrd.compressor
3 participants
@lopsided98 @xaverdh @Mic92