local-store: do not remove system.nfs4_acl #1584
Fixes NixOS/nixpkgs#29778 Removal of this ACL breaks nix if the store resides on an NFSv 4.1 mount.
Do ACLs still get removed with this patch? |
You mean the nfs4 ones in question? After running
and the acls seem to be there. |
Can you please try this:
The result should be
This does require the |
From inside the install prefix:
Where |
Is that with the |
Yes, I rebased the patch on top of yours and recompiled nix before In strace I observe this:
|
Could we also do this for Lustre file systems?
|
Ping! cc NixOS/nixpkgs#29778 |
@edolstra maybe instead of playing whac-a-mole with these whitelisted attributes, we should just make a nix.conf option for them? It's going to be impossible to predict all the weird special cases people have locally and having a conf option seems like it allows people to fix their own issues. Of course, we might still want |
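The allowlist idea raised in the comment above, as an added example (not code from Nix or from this pull request): given the NUL-separated name list that `llistxattr(2)` returns, decide which extended attributes a store-path canonicaliser would strip and which it leaves alone. The function names, the allowlist contents and the sample buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for illustration; it could equally come from a config option. */
static const char *const KEEP[] = { "security.selinux", "system.nfs4_acl" };
static const size_t NKEEP = sizeof KEEP / sizeof KEEP[0];

static int is_kept(const char *name)
{
    for (size_t i = 0; i < NKEEP; i++)
        if (strcmp(name, KEEP[i]) == 0)   /* exact match, never a prefix match */
            return 1;
    return 0;
}

/*
 * names/len: buffer in llistxattr(2) format (names back to back, each NUL-terminated).
 * Stores pointers to the names to remove in out[] (at most max_out) and returns their
 * count, or -1 if the last name is not NUL-terminated so the caller can fail closed.
 */
static int xattrs_to_strip(const char *names, size_t len,
                           const char **out, size_t max_out)
{
    size_t n = 0, pos = 0;
    if (len > 0 && names[len - 1] != '\0')
        return -1;
    while (pos < len) {
        const char *name = names + pos;
        pos += strlen(name) + 1;
        if (*name == '\0' || is_kept(name))
            continue;                     /* empty entry or allowlisted: leave it */
        if (n < max_out)
            out[n] = name;
        n++;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed sample, shaped like llistxattr() output for a path on NFSv4. */
    static const char sample[] =
        "system.nfs4_acl\0user.comment\0system.posix_acl_access\0security.selinux";
    const char *strip[8];
    int n = xattrs_to_strip(sample, sizeof sample, strip, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("would lremovexattr: %s\n", strip[i]); /* real call: <sys/xattr.h> */
    return n < 0;
}
```

Matching names exactly keeps a lookalike such as `system.nfs4_acl_extra` from slipping through the allowlist.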
With filter-syscalls shouldn't we just leave ACLs alone? |
I'd rather not rely exclusively on the seccomp filter. |
I just reproduced the setup with the proposed patch. As reported earlier, the patch seems to work, but the test with 'setfacl' fails with 'Operation not supported'. I'm not an expert on ACL nor NFS, but it seems to me that the "Operation not supported" is due to NFS4 not supporting setfacl (but nfs4_setacl). Running The following gist fix-fs-attrs.nix contains all the steps to reproduce/test the patch. The acls are removed as expected if As the 'acl' package is not available on darwin, I run it with the current lnl7/nix docker image (nix-2.1.2, nixpkgs-unstable-2018-09-21) and the script is successful. On a nixops deployed host, I had to replace the Does this help to make progress on this issue?
|
This patch was mentioned in https://rgoswami.me/posts/local-nix-no-root/ |
I just ran into this bug on an NFS /home using unprivileged userns. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/error-invalidpath-nix-env/10851/1 |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/building-a-statically-linked-nix-for-hpc-environments/10865/6 |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
This is now part of https://github.com/DavHau/nix-portable/ |
I marked this as stale due to inactivity. → More info |
Still needed. |
Could this profit from the recent ACL design ideas? https://gist.github.com/edolstra/afa5a41d4acbc0d6c8cccfede7fd4792 |