Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos-rebuild: support sudo + --target-host #71143

Merged
merged 1 commit into from Oct 22, 2019
Merged

nixos-rebuild: support sudo + --target-host #71143

merged 1 commit into from Oct 22, 2019

Conversation

bjornfor
Copy link
Contributor

Motivation for this change

This adds support for deploying to remote hosts without being root:

sudo nixos-rebuild --target-host non-root@host

Without this change, only root@host is able to deploy.

The idea is that if the local command is run with sudo, so should the
remote one, thus there is no need for adding any CLI options.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests): nix-build ./nixos/tests/installer.nix passes
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @jtojnar @matthewbauer @LnL7 @Mic92 (last few people to touch nixos-rebuild)

@bjornfor
nixos-rebuild: support sudo + --target-host
c7a252c 
This adds support for deploying to remote hosts without being root:

  sudo nixos-rebuild --target-host non-root@host

Without this change, only root@host is able to deploy.

The idea is that if the local command is run with sudo, so should the
remote one, thus there is no need for adding any CLI options.
jtojnar
jtojnar reviewed Oct 14, 2019
View reviewed changes
nixos/modules/installer/tools/nixos-rebuild.sh
@@ -111,17 +115,17 @@ buildHostCmd() {
if [ -z "$buildHost" ]; then
"$@"
elif [ -n "$remoteNix" ]; then
ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "$@"
ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "$maybeSudo$@"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security policies might prevent sudo from passing PATH, so maybe something like @edolstra suggested might be needed after all.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. At least this works well with NixOS, I tested with my setup:

  security.sudo = {
    enable = true;
    wheelNeedsPassword = false;
  };

(I don't want to do change how PATH is handled here, as I feel it's orthogonal to this PR.)

@bjornfor
Copy link
Contributor Author

I plan to merge this in 2 days (monday evening), if no other comments.

@bjornfor bjornfor merged commit 263a81e into NixOS:master Oct 22, 2019
@bjornfor bjornfor deleted the nixos-rebuild-retain-sudo branch October 22, 2019 18:44
@Mic92
Copy link
Member

Mic92 commented Oct 23, 2019

I just find the assumption a bit weird, why would I want to use sudo remotely because it was used locally and the other way around?
Somebody might use sudo locally because the configuration is not owned by the current user. Somebody might not want to type in a sudo password locally while it might be needed when deploying remotely.

@bjornfor
Copy link
Contributor Author

I did it because of simplicity. But I agree there are use cases for local sudo != remote sudo.

I initially wanted to have a flag like --nixos-rebuild-path="sudo nixos-rebuild" (this matches rsync and borg), but nixos-rebuild doesn't call itself on the remote side, it calls nix-build, nix-env etc.

How about --use-sudo=0/1 that is only accepted when --target-host is set?

@Mic92
Copy link
Member

Mic92 commented Oct 23, 2019

@bjornfor that sounds like a plan.

@Mic92 Mic92 mentioned this pull request Oct 23, 2019
Closed
10 tasks
@Mic92
Copy link
Member

Mic92 commented Oct 23, 2019

I opened a revert PR: #71788 so we don't forget to change that.

@bjornfor bjornfor mentioned this pull request Oct 23, 2019
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jtojnar jtojnar jtojnar left review comments

Assignees
No one assigned
Labels
0.kind: enhancement 6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@bjornfor @Mic92 @jtojnar