opam: put the whole /nix in OPAM_USER_PATH_RO #57118

Merged (1 commit), Mar 23, 2019

Conversation

@umazalakain (Contributor) commented Mar 9, 2019

Motivation for this change

Opam uses bubblewrap to limit access to certain parts of the system. Currently, read-only access is given to /nix/store. User-installed software is found under the /home/user/.nix-profile/bin component of the path; however, /home/user/.nix-profile itself is a symlink to /nix/var/nix/profiles/per-user/user. This results in user-installed software not being found by opam. Granting access to /nix/var by registering the whole /nix directory with bubblewrap solves this.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.
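The description above says that binding only the store leaves ~/.nix-profile/bin unreachable. As an added illustration (not code from this PR or from opam), the Python below models how bubblewrap's read-only binds affect symlink resolution by walking the path hop by hop over a constructed tree. It assumes /home is among opam's default read-only binds and approximates the per-user profile layout as profile -> profile-N-link -> store path.

```python
import os
import tempfile

def build_fake_tree(root):
    """Constructed sample tree: ~/.nix-profile -> per-user profile -> store (not a real system)."""
    env = os.path.join(root, "nix/store/abc-user-environment/bin")
    per_user = os.path.join(root, "nix/var/nix/profiles/per-user/user")
    home = os.path.join(root, "home/user")
    for d in (env, per_user, home):
        os.makedirs(d)
    os.symlink(os.path.dirname(env), os.path.join(per_user, "profile-3-link"))
    os.symlink("profile-3-link", os.path.join(per_user, "profile"))  # relative hop
    os.symlink(os.path.join(per_user, "profile"), os.path.join(home, ".nix-profile"))

def visible_in_sandbox(root, path, ro_binds, max_links=40):
    """Resolve `path` step by step as the kernel would inside a bwrap namespace where only
    `ro_binds` are mounted; returns (visible, resolved path or first invisible component)."""
    binds = [b.rstrip("/") or "/" for b in ro_binds]
    under = lambda p: any(p == b or p.startswith(b + "/") for b in binds)
    above = lambda p: any(b.startswith(p + "/") for b in binds)  # bwrap creates these dirs
    parts, cur, hops = [p for p in path.split("/") if p], "/", 0
    while parts:
        cand = os.path.join(cur, parts.pop(0))
        if not under(cand):
            if not above(cand):
                return False, cand  # nothing mounted here: ENOENT inside the sandbox
            cur = cand  # empty mount-point directory created by bwrap, never a symlink
            continue
        real = os.path.join(root, cand.lstrip("/"))  # host location in the fake tree
        if not os.path.islink(real):
            if not os.path.exists(real):
                return False, cand
            cur = cand
            continue
        hops += 1
        if hops > max_links:
            raise OSError("too many levels of symbolic links")
        target = os.readlink(real)
        if target.startswith(root):  # absolute link inside the constructed tree
            target = "/" + os.path.relpath(target, root)
        cur = "/" if target.startswith("/") else cur  # relative links resolve in place
        parts = [p for p in target.split("/") if p] + parts
    return True, cur

def demo():
    root = tempfile.mkdtemp()
    build_fake_tree(root)
    path = "/home/user/.nix-profile/bin"
    return (visible_in_sandbox(root, path, ["/home", "/nix/store"]),  # store only, as before
            visible_in_sandbox(root, path, ["/home", "/nix"]))        # whole /nix, as in this PR
```

With only /nix/store bound, resolution stops at /nix/var because the symlink chain passes through it; with the whole /nix bound it reaches the store path.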

@umazalakain (Contributor, Author)

Comes from ocaml/opam#3773

Some symlinks point to /nix/var/profiles/per-user/…, these have to be
readable too.
@umazalakain umazalakain changed the title opam: add ~/.nix-profile/bin to OPAM_USER_PATH_RO opam: put the whole /nix in OPAM_USER_PATH_RO Mar 11, 2019
@mpetruska

I'm also interested in making this happen. Can I help in some way to make progress on this PR?

@srhb (Contributor) commented Mar 23, 2019

@umazalakain Thanks for the description. Am I understanding correctly that opam won't try to ever write into any of these paths?

@umazalakain (Contributor, Author) commented Mar 23, 2019

@srhb That's right, and they are mounted as read-only by bubblewrap

@srhb (Contributor) commented Mar 23, 2019

cc @henrytill for review

Barring any complaints, I don't know any good reason not to do this, but I have little experience with the ecosystem. Let's give this a week or so for review.

@henrytill (Member) left a review comment

👍 LGTM

@srhb srhb merged commit a7a4fc2 into NixOS:master Mar 23, 2019
@tg-x (Member) commented Apr 3, 2019

Seems like this change was still not enough: /run/current-system/sw/lib is missing, and opam won't find libraries there.

This works:
--set OPAM_USER_PATH_RO /run/current-system/sw:/nix
