Create a profile suitable for multi-user installs (for master) #1455
Conversation
(cherry picked from commit 3e0a503)
grahamc
changed the title
|
|
||
| # Set up the per-user profile. | ||
| mkdir -m 0755 -p $NIX_USER_PROFILE_DIR | ||
| if test "$(stat -f '%u' $NIX_USER_PROFILE_DIR)" != "$(id -u)"; then |
There was a problem hiding this comment.
I seem to remember from the last attempt to have a multi-user-capable nix-profile that stat had issues on some platforms. But maybe we don't need to care if we're only going to use this on Linux and macOS.
There was a problem hiding this comment.
I think I'm inclined to go ahead with it and as-is, and work on cross-platform support if someone becomes interested in it. Since indeed this will only be used (by default) on macOS, I think it is safe.
There was a problem hiding this comment.
Yep, if you have coreutils installed (even on Mac) it will give you:
stat: cannot read file system information for '%u': No such file or directory
WARNING: bad ownership on /nix/var/nix/profiles/per-user/...
stat: cannot read file system information for '%u': No such file or directory
WARNING: bad ownership on /nix/var/nix/gcroots/per-user/...
Maybe we should hardcode "/usr/bin/stat" to it, so that we get the MacOS/BSD version of stat?
There was a problem hiding this comment.
BTW, this works on all platforms:
"$(ls -ld "$NIX_USER_PROFILE_DIR" | awk '{print $3}')" != "$USER"
There was a problem hiding this comment.
I'm not a fan of this option, as it strictly is the UID we care about, not the username.
What do you think about thisoption:
if [ -n "$(find "$NIX_USER_PROFILE_DIR" -mindepth 0 -maxdepth 0 -type d -not -uid $(id -u))" ]
There was a problem hiding this comment.
Looks good. Another option might be:
test -O "$NIX_USER_PROFILE_DIR"
There was a problem hiding this comment.
I tested ! test -O "$NIX_USER_PROFILE_DIR" and it does fix the problems discussed in issue #1496, including nix-shell -p bash --run bash and nested nix-shell invocations. It's also simpler and shorter.
However, it looks like it's not in the POSIX standard.
|
|
||
| # Set up the per-user profile. | ||
| mkdir -m 0755 -p $NIX_USER_PROFILE_DIR | ||
| if test "$(stat -f '%u' $NIX_USER_PROFILE_DIR)" != "$(id -u)"; then |
There was a problem hiding this comment.
Yep, if you have coreutils installed (even on Mac) it will give you:
stat: cannot read file system information for '%u': No such file or directory
WARNING: bad ownership on /nix/var/nix/profiles/per-user/...
stat: cannot read file system information for '%u': No such file or directory
WARNING: bad ownership on /nix/var/nix/gcroots/per-user/...
Maybe we should hardcode "/usr/bin/stat" to it, so that we get the MacOS/BSD version of stat?
|
|
||
| # Set up the per-user profile. | ||
| mkdir -m 0755 -p $NIX_USER_PROFILE_DIR | ||
| if test "$(stat -f '%u' $NIX_USER_PROFILE_DIR)" != "$(id -u)"; then |
There was a problem hiding this comment.
BTW, this works on all platforms:
"$(ls -ld "$NIX_USER_PROFILE_DIR" | awk '{print $3}')" != "$USER"
| fi | ||
| fi | ||
|
|
||
| export NIX_SSL_CERT_FILE="@localstatedir@/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" |
There was a problem hiding this comment.
Is this needed with recent SSL changes to Nix?
| echo "WARNING: bad ownership on $NIX_USER_PROFILE_DIR" >&2 | ||
| fi | ||
|
|
||
| if test -w $HOME; then |
There was a problem hiding this comment.
Why use test here when you could just use "[" and "]" ?
| rm -f $HOME/.nix-defexpr | ||
| mkdir -p $HOME/.nix-defexpr | ||
| if [ "$USER" != root ]; then | ||
| ln -s @localstatedir@/nix/profiles/per-user/root/channels $HOME/.nix-defexpr/channels_root |
There was a problem hiding this comment.
I believe @localstatedir@/nix/profiles/per-user/root/channels won't exist until you run nix-channel --update, maybe that should be added?
| @@ -0,0 +1,54 @@ | |||
| # Only execute this file once per shell. | |||
| if [ -n "$__ETC_PROFILE_NIX_SOURCED" ]; then return; fi | |||
| __ETC_PROFILE_NIX_SOURCED=1 | |||
There was a problem hiding this comment.
I don't think this is necessary. None of the below actions have too many side effects. This could make things confusing to someone who has for instance modified their NIX_PATH value and wants to "reset" it. They have to unset __ETC_PROFILE_NIX_SOURCED for that to work.
There was a problem hiding this comment.
Okay, I guess this is because nix-daemon.sh is put in multiple places?
There was a problem hiding this comment.
There are lots of side effects below, although most of them do look to me like they are written to be idempotent.
Setting the PATH is not idempotent, however, as it prepends to ${PATH}, so running this multiple times would result in a PATH with multiple copies of the directories added by this script.
| $(d)/nix-reduce-build | ||
|
|
||
| noinst-scripts += $(nix_noinst_scripts) | ||
|
|
||
| profiledir = $(sysconfdir)/profile.d | ||
|
|
||
| $(eval $(call install-file-as, $(d)/nix-profile.sh, $(profiledir)/nix.sh, 0644)) | ||
| $(eval $(call install-file-as, $(d)/nix-profile-daemon.sh, $(profiledir)/nix-daemon.sh, 0644)) |
There was a problem hiding this comment.
I've got the following code in my environment script:
if [ -d @out@/etc/profile.d ]; then
for i in @out@/etc/profile.d/*.sh; do
if [ -r $i ]; then
. $i
fi
done
fi
Because of the ordering nix.sh will be called after nix-daemon.sh. I'm not sure of a fix but it seems worth mentioning and a legitimate use case.
|
Yes! Much more elegant! Great find.
…On Thu, Aug 3, 2017 at 11:10 PM Matthew Justin Bauer < ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In scripts/nix-profile-daemon.sh.in
<#1455 (comment)>:
> +# Only execute this file once per shell.
+if [ -n "$__ETC_PROFILE_NIX_SOURCED" ]; then return; fi
+__ETC_PROFILE_NIX_SOURCED=1
+
+# Set up secure multi-user builds: non-root users build through the
+# Nix daemon.
+if [ "$USER" != root -o ! -w @localstatedir@/nix/db ]; then
+ export NIX_REMOTE=daemon
+fi
+
+export ***@***.***@/nix/profiles/per-user/$USER"
+export ***@***.***@/nix/profiles/default $HOME/.nix-profile"
+
+# Set up the per-user profile.
+mkdir -m 0755 -p $NIX_USER_PROFILE_DIR
+if test "$(stat -f '%u' $NIX_USER_PROFILE_DIR)" != "$(id -u)"; then
Looks good. Another option might be:
test -O "$NIX_USER_PROFILE_DIR "
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1455 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAErrN5if2Yr-rSZQaR4wyuUMOTiNVY8ks5sUouxgaJpZM4OSLns>
.
|
| fi | ||
|
|
||
| export NIX_SSL_CERT_FILE="@localstatedir@/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" | ||
| export NIX_PATH="@localstatedir@/nix/profiles/per-user/root/channels" |
There was a problem hiding this comment.
Can we also get a backup if NIX_PATH has already been set? (like in PATH below)
(cherry picked from commit 3e0a503)
#1454