systemd-confinement: use /var/empty as chroot mountpoint #108028
Since those are within the
It becomes a problem if the service tries to use nix commands. i.e. I use systemd confinement to run my CI runner in a chroot: https://github.com/Mic92/dotfiles/blob/279819a5d20d281555ab679bae471faa4875eec6/nixos/eve/modules/drone.nix#L73 It is generally unsound to mount stuff into store paths because it can also confuse nix-store when checking the integrity of derivations or, even worse, garbage collection. Also it is a bit faster when building since it saves one derivation and we create this directory with systemd.
Okay, granted, this is indeed a problem, for example if you want to use it to confine Hydra.
Those bind mounts are private mounts, so applications not sharing the same namespace are unaffected.
Originally I was even re-using the merged systemd units so it would be as "fast" but probably would confuse everyone, so I eventually went for a dedicated empty store path. The reason why I refrained use
@ofborg test systemd-confinement
Temporarily blocked, since the test currently fails and the status by ofborg isn't very visible here.
@SuperSandro2000: That's not the main issue because the test fails with the APIVFS changes of the last systemd update. edit: Ah, maybe I wasn't clear here, with "visibility" I was referring to the fact that ofborg didn't mark the failures "red enough" =)
@Mic92: Just ran a working version of the test with this change and it floods the logs with Now the only ugliness is the (non-fatal) failure message, which for some reason does not occur when mounting the
How about mounting it read-only?
I marked this as stale due to inactivity.
bind mounting directories into the nix-store breaks nix commands. In particular it introduces character devices that are not supported by nix-store as valid files in the nix store. Use `/var/empty` instead, which is designated for this kind of use case. We won't create any files because of the tmpfs mounted.
@ofborg test systemd-confinement
Tests are working now!
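Illustration of the store-validity point above, added here and not code from this PR or from Nix: a Nix store path may only contain regular files, directories and symlinks, so device nodes (or any other special file) that appear under a store path through a bind mount make nix-store reject it. The walker below flags exactly those entry types; the sample tree it builds is constructed, and a FIFO stands in for a device node because creating one needs no privileges.

```python
"""Walk a directory tree and report entries that a Nix store path may not
contain. Nix only admits regular files, directories and symlinks; anything
else (character/block devices, FIFOs, sockets) fails nix-store's checks.
This is an added, simplified illustration, not code from Nix or nixpkgs."""
import os
import stat
import tempfile


def describe_type(mode):
    """Human-readable name for a non-store-compatible file type."""
    if stat.S_ISCHR(mode):
        return "character device"
    if stat.S_ISBLK(mode):
        return "block device"
    if stat.S_ISFIFO(mode):
        return "fifo"
    if stat.S_ISSOCK(mode):
        return "socket"
    return "unknown"


def find_unsupported_entries(root):
    """Return sorted (relative path, type) pairs under `root` whose file type
    the Nix store would reject.

    lstat is used so symlinks are classified as symlinks and never followed;
    os.walk does not descend into symlinked directories either, matching the
    way a store path is scanned as a tree rather than as a view of the host.
    A directory with /dev bind-mounted under it shows its device nodes here.
    """
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) or stat.S_ISDIR(mode) or stat.S_ISLNK(mode):
                continue
            bad.append((os.path.relpath(full, root), describe_type(mode)))
    return sorted(bad)


def demo():
    """Build a constructed sample tree (a regular file, a symlink and a FIFO
    standing in for a device node under dev/) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "runner"), "w") as f:
            f.write("#!/bin/sh\n")
        os.symlink("runner", os.path.join(root, "bin", "alias"))
        os.makedirs(os.path.join(root, "dev"))
        os.mkfifo(os.path.join(root, "dev", "fake-tty"))
        return find_unsupported_entries(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{rel}: {kind} is not allowed in a Nix store path")
```

Only the FIFO under `dev/` is reported; the regular file and the symlink pass. Pointing the walker at a chroot target that is a store path while the service's private mounts are visible reproduces the failure the PR describes, whereas an empty `/var/empty` covered by a tmpfs never enters the store and is never scanned.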
bind mounting directories into the nix-store breaks nix commands.
In particular it introduces character devices that are not supported
by nix-store as valid files in the nix store. Use /var/empty
instead, which is designated for this kind of use case. We won't create any
files because of the tmpfs mounted.