New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos-install: error out if $mountPoint has bad permissions #90431
Conversation
The nix store more-or-less requires o+rx on all parent directories. This is primarily because nix runs builders in a uid/gid mapped user-namespace, and those builders have to be able to operate on the nix store. This check is especially helpful because nix does not produce a helpful error on its own (rather, creating directories and such works, it's not until 'mount --bind' that it gets an EACCES). Helps users who run into this opaque error, such as in NixOS#67465. Possibly fixes that issue if bad permissions were the only cause.
9b2784b
to
460c0d6
Compare
Updated per your comment, good catch. I'm not totally sure this is the right place to include this logic though. One other option that might be able to help would be for the Alternatively, it's possible we could build a trivial expression somewhere early in |
If I'm not mistaken, this broke nixos-unstable: https://hydra.nixos.org/build/123682920 (https://hydra.nixos.org/build/123683808). Seems like something needs to be fixed in the ova or ova builder. |
Alright - it looks like we need to add chmod 755 to nixpkgs/nixos/lib/make-disk-image.nix Line 185 in 869dfc0
|
I suspect that it never was able to build things - make-disk-image.nix already has |
This was broken in 460c0d6 (PR #90431); now the nixos-unstable channel should get unblocked. vcunat modified this commit to use env-var instead of hardcoding /build
FYI: this was addressed in 8d05772, and https://hydra.nixos.org/build/123766752 was successful. Thanks, @vcunat! |
The nix store more-or-less requires o+rx on all parent directories.
This is primarily because nix runs builders in a uid/gid mapped
user-namespace, and those builders have to be able to operate on the nix
store.
This check is especially helpful because nix does not produce a helpful
error on its own (rather, creating directories and such works, it's not
until 'mount --bind' that it gets an EACCES).
This is meant to help users who run into this opaque error, such as in #67465.
This check is slightly overly cautious. It is possible to do some installs on an incorrectly permissioned tree. This can happen if either sandboxing is disabled, or if all derivations can be copied from a cache (and thus no builders run).
However, it still seems like it's a reasonable thing to assert even in cases where it's overly cautious.
Motivation for this change
Things done
The specific testing I did of this were to manually run
nixos-install --root /mnt/test --no-bootloader
(with/test
being loopback device mounted there if it matters).With this change, I get a warning if I
chmod 750 /mnt
, and get a successful run if I don't.sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)