nixos-install: error out if $mountPoint has bad permissions #90431
Conversation
The nix store more-or-less requires o+rx on all parent directories. This is primarily because nix runs builders in a uid/gid mapped user-namespace, and those builders have to be able to operate on the nix store. This check is especially helpful because nix does not produce a helpful error on its own (rather, creating directories and such works, it's not until 'mount --bind' that it gets an EACCES). Helps users who run into this opaque error, such as in NixOS#67465. Possibly fixes that issue if bad permissions were the only cause.
euank
force-pushed
the
nixos-install-warn
branch
from
9b2784b
to
460c0d6
Compare
|
Updated per your comment, good catch. I'm not totally sure this is the right place to include this logic though. One other option that might be able to help would be for the Alternatively, it's possible we could build a trivial expression somewhere early in |
|
If I'm not mistaken, this broke nixos-unstable: https://hydra.nixos.org/build/123682920 (https://hydra.nixos.org/build/123683808). Seems like something needs to be fixed in the ova or ova builder. |
|
Alright - it looks like we need to add chmod 755 to nixpkgs/nixos/lib/make-disk-image.nix Line 185 in 869dfc0 |
|
I suspect that it never was able to build things - make-disk-image.nix already has |
This was broken in 460c0d6 (PR #90431); now the nixos-unstable channel should get unblocked. vcunat modified this commit to use env-var instead of hardcoding /build
|
FYI: this was addressed in 8d05772, and https://hydra.nixos.org/build/123766752 was successful. Thanks, @vcunat! |
The nix store more-or-less requires o+rx on all parent directories.
This is primarily because nix runs builders in a uid/gid mapped
user-namespace, and those builders have to be able to operate on the nix
store.
This check is especially helpful because nix does not produce a helpful
error on its own (rather, creating directories and such works, it's not
until 'mount --bind' that it gets an EACCES).
This is meant to help users who run into this opaque error, such as in #67465.
This check is slightly overly cautious. It is possible to do some installs on an incorrectly permissioned tree. This can happen if either sandboxing is disabled, or if all derivations can be copied from a cache (and thus no builders run).
However, it still seems like it's a reasonable thing to assert even in cases where it's overly cautious.
Motivation for this change
Things done
The specific testing I did of this were to manually run
nixos-install --root /mnt/test --no-bootloader(with/testbeing loopback device mounted there if it matters).With this change, I get a warning if I
chmod 750 /mnt, and get a successful run if I don't.sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)