New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build-fhs-userenv: change to using bubblewrap over chrootenv #55973
Conversation
The build error is from this line: |
1b36ffb
to
6eebb6a
Compare
ofborg only evaluates things and it's not able to evaluate the buildFHSUserEnv without building due to |
6eebb6a
to
7d101f2
Compare
7d101f2
to
88812e6
Compare
did some more tests, most things didn't run because my host system's |
@GrahamcOfBorg build houdini lightworks conda |
@hedning what do I need to merge this? |
It would be good to get an OK from @yegortimoshenko or @abbradar first. |
doc/functions/fhs-environments.xml
Outdated
</term> | ||
<listitem> | ||
<para> | ||
Any extra arguments tp pass to bubblewrap (which is now the underlying |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: tp -> to
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer if bwrap
replacement were to replace chrootenv
without extending API.
doc/functions/fhs-environments.xml
Outdated
@@ -50,6 +50,58 @@ | |||
</para> | |||
</listitem> | |||
</varlistentry> | |||
<varlistentry> | |||
<term> | |||
<literal>automount</literal> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this should be an option, not for buildFHSUserEnv
, that is: it should really be the only behavior, because isolation is not the goal (FHS compat is).
Later, we can get to sandboxing of individual derivations, XDG portals, etc. That said, it will certainly require a complete redesign of buildFHSUserEnv
and will have to be carefully thought out.
doc/functions/fhs-environments.xml
Outdated
</term> | ||
<listitem> | ||
<para> | ||
Set to <literal>"$(pwd)"</literal> by default, this option determines |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to be orthogonal to FHS emulation (and can be/is implemented in wrappers).
@yegortimoshenko if I wanted to edit the bwrap options for my own uses, how should I implement this to make that possible? Maybe I should include it as an arg in the derivation and use |
It's just that I worry that we might need to switch back at some point, if we ever need anything bubblewrap doesn't implement or if it proves to be suboptimal in some regard. If we were to expose bubblewrap options, we will never be able to change underlying implementation without breaking reverse compat. |
Yeah, that's what I fear too so my current idea is to proceed with caution and 1) don't expose the implementation 2) look at bubblewrap's code to see if it's hackable enough.
…On May 28, 2019 12:13:58 PM GMT+03:00, Yegor Timoshenko ***@***.***> wrote:
It's just that I worry that we might need to switch back at some point,
if we ever need anything bubblewrap doesn't implement. If we were to
expose bubblewrap options, we will never be able to change underlying
implementation without breaking reverse compat.
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#55973 (comment)
--
Nikolay.
|
I didn't yet review the PR itself yet, only bubblewrap -- it's quite more complicated but we should definitely try using it; the code is readable too. One concern of mine is if nested bubblewrap would work okay, especially if it would blow Another thing -- we explicitly don't want any kind of isolation that bubblewrap does, including no automount, any other namespaces etc, and we also don't want to expose it as an implementation. I think we could hit both birds by adding |
Wrt naming: |
Maybe; don't have big preferences here. @illegalprime can choose the naming ~_^ |
For reference, the |
88812e6
to
1a77224
Compare
I'm back! |
1a77224
to
ef3373e
Compare
OK Fedora stores its SSL certs in |
I added a commit which removes This helps avoid weird symlink bugs when nesting chroots like in this commit 06f27dc and in general simplifies things (IMO) |
4fca62f
to
6221036
Compare
👍 really cool work. What can I do to help finish this PR? |
@illegalprime Are you still working on this. Looks very promising |
Rebased on top of nixos-unstable here: https://github.com/Atemu/nixpkgs/tree/chrootenv2bubblewrap |
--unshare-all \ | ||
--share-net \ | ||
--die-with-parent \ | ||
--ro-bind /nix /nix \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would this break single user nix?
Nice!
(I don't really feel qualified to review the rest so this is just a comment ;) ) |
Since the compatibility is not 100% yet, perhaps we should limit bubblewrap use to the programs which are known to work first and move over the rest in later PRs. Making all of these work feels like too large of a scope to me. |
We could call it v2 and migrate everything to it and at some point delete the old version. |
I did some rebase magic to do just that in a transparent manner https://github.com/Atemu/nixpkgs/tree/buildFHSUserEnvBw Should I open a new PR? Once we've ported all packages over, we can simply rename the function to the old name. This name should be temporary. |
bring it on. |
With #94442 merged, should this be closed now? |
#94442 seems to subsume this PR, closing. |
Motivation for this change
this makes FHS envs use bubblewrap over Nix's custom
chrootenv.c
which might fix issues such as #33106 but more generally gives us the ability to add many new configuration options with bwrap's added power. Maybe using bwrap will be more stable as well since it seems widely used.I have tested this by building Yocto images by running bitbake in an FHSUserEnv but I have yet to run steam which is likely the most complicated package that utilizes this.
This comes with fixes from a lot of experience using FHS env for Yocto and attempting to run it in various environments. Namely:
/host/etc
is now/host-etc
because systemd symlinks/etc/resolv.conf
to../run/systemd/resolve/resolv.conf
so keeping/host-etc
on the same level as/etc
helps with that./etc/pki
is now included so fedora users can get SSL within the env/host-etc
(/host/etc
) and directly bind-mounting all etc files and dirs, then allowing directories ofetc
from the generated rootfs to override the one from the host.Applications that work:
applications/blockchains/mist
applications/editors/android-studio
applications/science/electronics/bitscope
applications/misc/houdini
applications/misc/lutris
applications/misc/sidequest
applications/networking/dropbox
applications/video/lightworks
development/arduino/platformio
games/steam
servers/plex
build-support/appimage
tools/package-management/appimage-run
tools/package-management/conda
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)