Add support for non-root deployments #1270
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
I'm thinking we should make two things more configurable, and less "baked-in":
Done! The option is in
This is now called
nixops/backends/__init__.py
@@ -137,6 +145,8 @@ def set_common_state(self, defn) -> None: | |||
if not self.has_fast_connection: | |||
self.ssh.enable_compression() | |||
|
|||
self.ssh.privilege_escalation_command_set(defn.privilege_escalation_command) |
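Review bot: in set_common_state, the added call hands defn.privilege_escalation_command to the SSH helper with no check on its shape. Judging by the name, this value is placed in front of remote commands, so it would be worth validating here that it is a list of argument strings (rejecting a single shell string or non-string elements) and failing with a clear error otherwise, with a short comment documenting the expected form. The call is also unconditional, so please confirm that the value used for deployments as root leaves the existing command lines unchanged.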
Should we put `set_` first? What is more pythonic?
I don't know what's more pythonic. Personally I tend to like suffixing the operation so editor completion will suggest related operations.
The most Pythonic way would actually be not to use setters/getters at all but just mutate the attribute.
Let's leave it like this for now and reconsider in the future `SSH`/`SSHMaster` refactor you and I discussed.
Hi! I made some comments/suggestions. None of them should be considered blockers; feel free to disregard or delay acting on them.
Thanks for chipping away at nixops!
I gave this a go on a regular ol' server and it worked well. I then tried it on
I think we're going to need to go back to the drawing board a bit and plan this a bit more. In particular:
Leaving me with a couple questions:
I'm sorry to drag this PR out.
This will allow us to pass options to openssh and escalate privileges (see NixOS#1270) more easily. Closes NixOS#1322
…e escalation command with --
This is so that we won't get inconsistencies between different subcommands like `nixops send-keys` (which doesn't eval) the deployment attributes. This change should be reverted at a later date when we have made these commands evaluate the configuration.
…chine Also extend `nixops mount` with full support for all SSH arguments.
Also note that the headers aren't formatted correctly: https://github.com/NixOS/nixops/blob/a577be5eb5b82e1ef533c9348f61b3996c446988/doc/guides/deploy-without-root.rst
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
🎉 🚀
This adds a new `deployment` configuration attribute (`targetUser`).
To inherit the username from the local user issuing the deployment, set:
Setting this to a string will deploy as that user. This option defaults to "root".
We assume the following for non-root deploys:
I'm using the following NixOS configuration
For this use-case I've introduced:
This is required because of nix-copy-closure.
Closes #730