In particular it introduces character devices that are not supported by nix-store as valid files in the nix store.

Since those are within the tmpfs as you point out, can you give a specific example where this is a problem?

In particular it introduces character devices that are not supported by nix-store as valid files in the nix store.

Since those are within the tmpfs as you point out, can you give a specific example where this is a problem?

It becomes a problem if the service tries to use nix commands. i.e. I use systemd confinement to run my ci runner in a chroot: https://github.com/Mic92/dotfiles/blob/279819a5d20d281555ab679bae471faa4875eec6/nixos/eve/modules/drone.nix#L73

It is general unsound to mount stuff into store paths because it can also confuse nix-store when checking the integrity of derivations or even worse garbage collection. Also it is a bit faster when building since it saves one derivation and we create this directory with systemd.

It becomes a problem if the service tries to use nix commands. i.e. I use systemd confinement to run my ci runner in a chroot: https://github.com/Mic92/dotfiles/blob/279819a5d20d281555ab679bae471faa4875eec6/nixos/eve/modules/drone.nix#L73

Okay, granted, this is indeed a problem, for example if you want to use it to confine Hydra.

It is general unsound to mount stuff into store paths because it can also confuse nix-store when checking the integrity of derivations or even worse garbage collection.

Those bind mounts are private mounts, so applications not sharing the same namespace are unaffected.

Also it is a bit faster when building since it saves one derivation and we create this directory with systemd.

Originally I was even re-using the merged systemd units so it would be as "fast" but probably would confuse everyone, so I eventually went for a dedicated empty store path.

The reason why I refrained use /var/empty or even temporary paths was that I wanted to make sure that the path is read-only in the first place, even for the root user to prevent accidentally dropping files in that directory. Given that the service will fail whenever the tmpfs couldn't be mounted, we can however reasonably assume that something like that will never happen.

@ofborg test systemd-confinement

@SuperSandro2000: That's not the main issue because the test fails with the APIVFS changes of the last systemd update.

edit: Ah, maybe I wasn't clear here, with "visibility" I was referring to the fact that ofborg didn't mark the failures "red enough" =)

@Mic92: Just ran a working version of the test with this change and it floods the logs with Failed to create directory at /var/empty/usr: Operation not permitted. While it didn't create that directory even when running as root, the fact that systemd even tries to create it is something why we should be paranoid also add an additional check in the test to make sure /var/empty stays that way.

Now the only ugliness is the (non-fatal) failure message, which for some reason does not occur when mounting the tmpfs inside a store path.

@Mic92: Just ran a working version of the test with this change and it floods the logs with Failed to create directory at /var/empty/usr: Operation not permitted. While it didn't create that directory even when running as root, the fact that systemd even tries to create it is something why we should be paranoid also add an additional check in the test to make sure /var/empty stays that way.

Now the only ugliness is the (non-fatal) failure message, which for some reason does not occur when mounting the tmpfs inside a store path.

How about mounting it read-only?

I marked this as stale due to inactivity. → More info

@ofborg test systemd-confinement

Tests are working now!