Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/cage: init #81327

Merged
merged 1 commit into from Mar 3, 2020
Merged

nixos/cage: init #81327

merged 1 commit into from Mar 3, 2020

Conversation

flokli
Copy link
Contributor

@flokli flokli commented Feb 28, 2020

Supersedes #80561

Add a cage module to nixos. This can be used to make kiosk-style
systems that boot directly to a single application. The user (demo by
default) is automatically logged in by this service and the
program (xterm by default) is automatically started.

This is useful for some embedded, single-user systems where we want
automatic booting. To keep the system secure, the user should have
limited privileges.

Based on the service provided in the Cage wiki here:

https://github.com/Hjdskes/cage/wiki/Starting-Cage-on-boot-with-systemd

This also adds a test starting cage in a qemu VM and ensuring alice@machine is shown by xterm.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • x ] NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@flokli flokli mentioned this pull request Feb 28, 2020
Closed
10 tasks
@jonringer
Copy link
Contributor

@GrahamcOfBorg eval

@flokli flokli force-pushed the add-cage branch 2 times, most recently from 71e1cce to 9e5776a Compare February 29, 2020 01:43
@flokli
Copy link
Contributor Author

flokli commented Feb 29, 2020

@GrahamcOfBorg test cage

@flokli
Copy link
Contributor Author

flokli commented Feb 29, 2020

It seems I don't need to modprobe drm anymore - might have been I tested with a too old nixpkgs checkout that didn't contain the fix, not sure. Tests seem to succeed ;-)

@flokli
Copy link
Contributor Author

flokli commented Feb 29, 2020

@GrahamcOfBorg test cage

flokli
flokli commented Feb 29, 2020
View reviewed changes
nixos/modules/services/wayland/cage.nix
Comment on lines +43 to +44
"plymouth-start.service"
"plymouth-quit.service"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had to slightly change these, as the plymouth unit files are named a bit different on NixOS - that config seemed have worked with plymouth on my system, I'm not sure if it's 100% correct.

cc @hedning @worldofpeace

@worldofpeace
Copy link
Contributor

I see you've removed plymouth conflicts 👍 I don't think conflicts work correctly in NixOS because there's bugs in our activation scripts.

It caused us serious headaches #71065 #71061

worldofpeace
worldofpeace reviewed Feb 29, 2020
View reviewed changes
nixos/tests/cage.nix Outdated Show resolved Hide resolved
@flokli
Copy link
Contributor Author

flokli commented Feb 29, 2020
edited

I see you've removed plymouth conflicts +1 I don't think conflicts work correctly in NixOS because there's bugs in our activation scripts.

It caused us serious headaches #71065 #71061

I don't really understand what was going on there TBH.

Would you like to see something changed here regarding plymouth units, or does it look fine?

worldofpeace
worldofpeace reviewed Feb 29, 2020
View reviewed changes
nixos/tests/cage.nix Outdated Show resolved Hide resolved
@worldofpeace
Copy link
Contributor

@GrahamcOfBorg test cage

@matthewbauer @flokli
nixos/cage: init
e0e4d59 
Add a cage module to nixos. This can be used to make kiosk-style
systems that boot directly to a single application. The user (demo by
default) is automatically logged in by this service and the
program (xterm by default) is automatically started.

This is useful for some embedded, single-user systems where we want
automatic booting. To keep the system secure, the user should have
limited privileges.

Based on the service provided in the Cage wiki here:

https://github.com/Hjdskes/cage/wiki/Starting-Cage-on-boot-with-systemd

Co-Authored-By: Florian Klink <flokli@flokli.de>
@flokli flokli requested a review from worldofpeace March 2, 2020 21:45
flokli referenced this pull request in Hjdskes/buildroot Mar 2, 2020
@Hjdskes
Add defconfig and board files for my RasPi 3B+ image
0186ea5 
See https://www.hjdskes.nl/projects/rpi-linux
worldofpeace
worldofpeace approved these changes Mar 3, 2020
View reviewed changes
Copy link
Contributor

@worldofpeace worldofpeace left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@flokli flokli merged commit 407be0a into NixOS:master Mar 3, 2020
@flokli flokli deleted the add-cage branch March 3, 2020 20:04
@matthewbauer
Copy link
Member

@flokli What's the rationale for hardcoding tty1 here? I was under the impression we could leave the name as cage@ and allow users to set whichever tty they wanted.

@matthewbauer
Copy link
Member

Also noticed this in journalctl:

Unknown key name 'ConditionPathExists' in section 'Service', ignoring.

@flokli
Copy link
Contributor Author

flokli commented Mar 4, 2020

@flokli What's the rationale for hardcoding tty1 here? I was under the impression we could leave the name as cage@ and allow users to set whichever tty they wanted.

The previous PR was also hardcoding to tty1, it just used a template unit (which caused it to try to spin up cage@graphical.service too) - see https://github.com/NixOS/nixpkgs/pull/80561/files#r384777860 for why I removed the template unit.

@flokli
Copy link
Contributor Author

flokli commented Mar 8, 2020

Also noticed this in journalctl:

Unknown key name 'ConditionPathExists' in section 'Service', ignoring.

Yeah, this should be unitConfig.ConditionPathExists. Adressed in #82080, PTAL.

Also, please let me know if you're fine with the hardcoding of tty1 for now, or how you want to see it changed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthewbauer matthewbauer matthewbauer approved these changes

@worldofpeace worldofpeace worldofpeace approved these changes

@infinisil infinisil Awaiting requested review from infinisil

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@flokli @jonringer @worldofpeace @matthewbauer