New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/programs.mosh: refactor #41375
Conversation
One thing to consider: I'm not 100% sure if this would trigger a hydra build with |
nixos/modules/programs/mosh.nix
Outdated
This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions). | ||
Note, this will add a suid wrapper! | ||
''; | ||
default = true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer the default to be false
since this option adds a setuid wrapper.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, it's just a setguid-wrapper, also one for a group that doesn't really have many implications. I'll definitely have to change that comment from suid
to guid
.
With that knowledge, would you still prefer the false
default?
The functionality of mosh logging to /var/run/utmp is something that I believe should be activated by default, as it is pretty much expected behaviour that you can see pending logged in users. (ssh doesn't have that problem since it's running a root daemon)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fine, let's go with true
as default.
@@ -26,6 +27,17 @@ stdenv.mkDerivation rec { | |||
|
|||
meta = { | |||
description = "Interface for terminal emulators such as screen and xterm to record user sessions to utmp and wtmp files"; | |||
longDescription = '' | |||
Requires a wrapper to work. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This explanation only makes sense for NixOS systems. Please try to document the more general requirement (also for non-NixOS systems): utempter
must be run as a user belonging to group utmp
. On NixOS systems, this can be achieved by creating a setuid wrapper...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, didn't think about non-NixOs users. You're right, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have thought about this and I think it has more implications than just documentation.
You see, I'm patching the path of utempter from /var/lib/utempter/utempter
to /run/wrappers/bin/utempter
. So, as it currently stands, there would be a file with that path required, no matter if on NixOS or any other operating system.
So this might break other systems that had /var/lib/utempter/utempter
present, maybe as part of the original operating system.
So I guess, I should also make another modification that this path is only patched for NixOs targets. Would this be the preferred way to go?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You see, I'm patching the path of utempter from /var/lib/utempter/utempter to /run/wrappers/bin/utempter.
Correct, I missed that. libutempter
should not be patched at all. nixpkgs packages must be self-contained and work on all supported systems (NixOs or other) without any implicit assumptions like the existence of such wrappers.
So I guess, I should also make another modification that this path is only patched for NixOs targets. Would this be the preferred way to go?
No, as explained above. But maybe you can patch mosh
to search for utempter
in PATH
. That would work on both NixOS and non-nixOS systems: on NixOS systems, /run/wrappers/bin
is in PATH, and on non-NixOS systems the user can add a setgit'd copy of utempter to their PATH. But you need to be able to install and use the mosh
package with or without the corresponding module.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The path to the utempter
binary is hard-coded (in libutempter itself, not in mosh) to a path that is usually not part of $PATH on other systems. So, I could patch libutempter to look in $PATH, and that would work on NixOS, but that again would fail on other systems, because on them the binary would be found on a OS-specific path like /var/lib/utempter/utempter
, which is usuallynot found on PATH :/
I fail to see a way that this will work in NixOS and other OSes. The way it currently is, it will work most likely in other OSes, but only if they didn't change the path to the utempter binary on their distribution, and libutempter is installed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The path to the utempter binary is hard-coded (in libutempter itself, not in mosh) to a path that is usually not part of $PATH on other systems.
Looking at the libutempter source code and derivation, only a default path is hardcoded to ${out}/lib/utempter/utempter
which is in the nix store and will not work on any system.
But libutempter
provides an API function utempter_set_helper()
to set a path to the helper binary. The application must call it to set a path to a setgid version of that helper (or setgid wrapper) because the default path is useless. So you have two options:
-
patch
mosh
to callutempter_set_helper()
in a way that works on both NixOS and other systems. -
patch
libutempter
to look for the helper binary in PATH (or at a sensible location outside the nix store) by default.
The only other nixpkgs package currently using libutempter
is guake
. It doesn't do any related patching, so (without having tested it) I assume utempter
doesn't work with it anyway. But if you patch libutempter
please verify that you don't break guake
.
Anyway, it's up to you to decide if the utmp
functionality is worth the effort.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess I'll undo the patch to libutempter
, modify the code of mosh
to call utempter_set_helper
to use utempter
from the PATH, and wrap the generated mosh
binary, adding all three /run/wrappers/bin/utempter
, /var/lib/utempter/utempter
and ${out}/lib/utempter/utempter
(in that priority) to PATH.
I guess that should cover as many bases as possible.
But I'll be gone for the week, so I'll have to continue this the week after. So expect this to take a while.
nixos/modules/programs/mosh.nix
Outdated
}; | ||
|
||
config = mkIf cfg.enable { | ||
environment.systemPackages = with pkgs; [ mosh ]; | ||
environment.systemPackages = [ ( pkgs.mosh.override { inherit (cfg) withUtempter; } ) ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will trigger a local rebuild of mosh
if withUtempter=true;
because Hydra only builds the default version.
You could add mosh-with-utempter = mosh.override { withUtempter = true; }
to pkgs/top-level/all-packages.nix
to have Hydra build that version too.
Or you can build mosh with utempter support by default, provided it doesn't break when the setuid wrapper is missing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup, I feared as much. Will change that, thanks :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In any case: compiling against utempter without having the wrapper in place has no negative consequences. /var/run/utmp will not be written, but mosh continues working.
Then I believe it is better to build mosh
with utempter
support by default, so we don't have to maintain two variants. It shouldn't add much to closure size, and simplifies the module.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fine, just ping me when it's ready.
This should cover everything discussed above. I'll check quake later today or tomorrow. Also I'll get a mac user I know to try this to make sure it doesn't break anything over there. If that went well and everything looks okay to you @xeji I'll do a final rebase. (I just did a commit so you could better review what I changed) |
feedback 1: guake compiles & runs fine. |
wrapProgram $out/bin/mosh-server \ | ||
--prefix PATH : "/run/wrappers/bin" \ | ||
--suffix PATH : "${libutempter}/lib/utempter" | ||
''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This wrapProgram
doesn't make much sense to me, I think it can be deleted:
On NixOS systems, /run/wrappers/bin
is already in PATH
.
On non-NixOS systems, putting ${libutempter}/bin/utempter
in PATH
is useless because it's in the nix store and lacks the privileges (setgid). In this case the user must manually copy the helper program to a location in PATH but outside the nix store, and set ownership and permissions accordingly. We cannot automate this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're absolutely right, I was thinking way too complicated there. Removed it.
@GrahamcOfBorg build mosh libutempter |
No attempt on x86_64-darwin (full log) The following builds were skipped because they don't evaluate on x86_64-darwin: mosh, libutempter Partial log (click to expand)
|
Success on x86_64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
Success on aarch64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
Thank you, LGTM. |
@xeji: wait a second, we just noticed that this breaks builds for darwin (libutempter is linux-only) |
, makeWrapper, perl, openssl, autoreconfHook, openssh, bash-completion }: | ||
{ lib, stdenv, fetchurl, zlib, protobuf, ncurses, pkgconfig, IOTty | ||
, makeWrapper, perl, openssl, autoreconfHook, openssh, bash-completion | ||
, libutempter, withUtempter ? true }: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
libutempter ? null, withUtempter ? stdenv.isLinux
should fix mosh on darwin
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks :) let's see if the borg builds correctly and then I'll squash this for merging :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you don't need to squash, I can do that when merging
@GrahamcOfBorg build mosh libutempter |
Success on aarch64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
Success on x86_64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
Success on x86_64-darwin (full log) Attempted: mosh The following builds were skipped because they don't evaluate on x86_64-darwin: libutempter Partial log (click to expand)
|
546a809
to
08f9410
Compare
looks like your rebase went wrong, these other commits don't belong here |
Adds programs.mosh.withUtempter (default: true). The option enables -with-utempter for mosh, allowing it to write to /var/run/utmp and thus making connected sessions appear in the output of `who -a`. For that, a guid-wrapper is required. Also, the path to the `utempter` was hardcoded in the resulting binary until now (so it could never been found), thus, libutempter was patched accordingly to point to /run/wrappers/bin/utempter which at least works when the wrapper is configured.
08f9410
to
7c34c28
Compare
yup, just noticed that myself. should be better now. |
@GrahamcOfBorg build mosh libutempter |
nah, doesn't listen to me xD |
@GrahamcOfBorg build mosh libutempter |
Success on aarch64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
Success on x86_64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
Success on x86_64-darwin (full log) Attempted: mosh The following builds were skipped because they don't evaluate on x86_64-darwin: libutempter Partial log (click to expand)
|
Adds programs.mosh.withUtempter (default: true).
Motivation for this change
The option enables --with-utempter for mosh, allowing it to write to
/var/run/utmp and thus making connected sessions appear in the output
of
who -a
.Things done
For that, a guid-wrapper is required. Also, the path to the
utempter
washardcoded in the resulting binary until now (so it could never been found),
thus, libutempter was patched accordingly to point to
/run/wrappers/bin/utempter which at least works when the wrapper is
configured.
I wrote it this way so that installing the package
mosh
by itself still is compiled without utempter as usually a user just installing the mosh package most likely just wants to use the client and will not have the wrapper installed.In any case: compiling against utempter without having the wrapper in place has no negative consequences. /var/run/utmp will not be written, but mosh continues working.
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)