Switch to Nix 2.0 #34636
Switch to Nix 2.0 #34636
Conversation
This factors out the functionality in nixos-install for running a command inside a NixOS installation (nixos-install --chroot).
The use of Nix 2.0 significantly simplifies the installer, since we can just pass a different store URI (--store /mnt) - it's no longer needed to set up a chroot environment for the build, and to bootstrap Nix into the chroot. Also, commands that need to run in the installation (namely boot loader installation and setting a root password) are now executed using nixos-enter. This also removes the need for nixos-prepare-root since any required initialisation is done by Nix or by the activation script.
It requires the existence of /proc.
The activation script already does this.
...so it appears in a new installation before rebooting the system.
The boot test now runs "nix verify" to ensure that all hashes are correct.
E.g. nixos-install --root /tmp/mnt/ --no-bootloader --no-root-passwd now works for non-root users.
This is already provided by devtmpfs.
Of course, you'll get a bunch of warnings from the activation script:
$ nixos-enter --root /tmp/mnt/
setting up /etc...
mount: /dev: permission denied.
mount: /dev/pts: permission denied.
mount: /dev/shm: permission denied.
mount: /sys: permission denied.
/nix/var/nix/profiles/system/activate: line 74: /proc/sys/kernel/modprobe: Permission denied
chown: changing ownership of '/run/wrappers/wrappers.0pKlU8JsvV/dbus-daemon-launch-helper': Invalid argument
NOTE: Under Linux, effective file capabilities must either be empty, or
exactly match the union of selected permitted and inheritable bits.
Failed to set capabilities on file `/run/wrappers/wrappers.0pKlU8JsvV/ping' (Operation not permitted)
chown: changing ownership of '/run/wrappers/wrappers.0pKlU8JsvV/unix_chkpwd': Invalid argument
[root@nixos:/]#
This is useful in tests where we don't have network access. Passing --substituters "" prevents wasting time by checking cache.nixos.org.
Since nixos-install doesn't require any special privileges anymore, this Just Works. No more need for fakeroot / nixos-prepare-root.
This is no longer needed thanks to Nix 2.0 magic.
|
Do these installer changes also fix #27307 ? |
|
|
||
| # Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings. | ||
| LOCALE_ARCHIVE=$system/sw/lib/locale/locale-archive chroot "$mountPoint" "$system/activate" >&2 || true | ||
|
|
There was a problem hiding this comment.
Bind mounting /etc/resolv.conf would be nice to have, if this tool is supposed to be a general-purpose tool.
There was a problem hiding this comment.
Yeah that would be nice.
Without this, it will be created with 700 permissions.
| # Copy the NixOS/Nixpkgs sources to the target as the initial contents | ||
| # of the NixOS channel. | ||
| if [[ -z $noChannelCopy ]]; then | ||
| if [[ -z $channelPath ]]; then |
There was a problem hiding this comment.
Ooh, does this make the channel optional? I was just thinking of adding that feature to make-disk-image.nix, since it's quite annoying in many situations.
There was a problem hiding this comment.
Well, it was already optional since we had the --no-channel-copy flag.
There was a problem hiding this comment.
Oh I guess I just haven't exposed that in the disk image machinery. I'll probably take a look after this is merged.
|
Looks like the hydra job (and of borg) have passed it?!?!?! |
|
@vcunat Jobset is all green now so this should be good to merge. |
|
Yeah, it should be up to the release managers. |
|
If you feel it's ready, I believe you can go along. I haven't found time to really read the changes yet. |
|
I haven't had a chance to test the image building changes yet, but don't let me hold you up. If something goes wrong, I'll fix it or talk to you 😄 |
|
Now that the builds are performed in the target store, should it be documented that to have |
| @@ -116,14 +116,22 @@ in rec { | |||
|
|
|||
| nix = nixStable; | |||
|
|
|||
| nixStable = (common rec { | |||
| nix1 = (common rec { | |||
| name = "nix-1.11.16"; | |||
| src = fetchurl { | |||
| url = "http://nixos.org/releases/nix/${name}/${name}.tar.xz"; | |||
| sha256 = "0ca5782fc37d62238d13a620a7b4bff6a200bab1bd63003709249a776162357c"; | |||
| }; | |||
| }) // { perl-bindings = nixStable; }; | |||
There was a problem hiding this comment.
@edolstra: is it intentional that perl-bindings for nix1 come from are nix2?
There was a problem hiding this comment.
Well, I see it's wrong, as nixStable itself has no perl stuff inside, but I still don't know surely if it should be nixStable.perl-bindings or perl-bindings { nix = nix1; }.
There was a problem hiding this comment.
Yeah that looks like a mistake. That isn't even Nix 2's perl bindings.
|
^^ hehe, GitHub confusing people again. I have reported such case to them once or twice during the past year or two, but apparently it still happens sometimes. |
|
Possibly a problem: #36268 |
|
I think these changes caused #38477. Previously, a |
Hopefully we can switch to Nix 2.0 for NixOS 18.03. Nix 2.0 should be released in the next few weeks. This PR makes 2.0 the default (by temporarily pointing
nixtonixUnstable) and updatesnixos-installto work with it. It also adds a commandnixos-enterthat factors out the functionality ofnixos-install --chroot.