nixos/programs.mosh: refactor #41375
Conversation
|
One thing to consider: I'm not 100% sure if this would trigger a hydra build with |
nixos/modules/programs/mosh.nix
Outdated
| This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions). | ||
| Note, this will add a suid wrapper! | ||
| ''; | ||
| default = true; |
There was a problem hiding this comment.
I'd prefer the default to be false since this option adds a setuid wrapper.
There was a problem hiding this comment.
Actually, it's just a setguid-wrapper, also one for a group that doesn't really have many implications. I'll definitely have to change that comment from suid to guid.
With that knowledge, would you still prefer the false default?
The functionality of mosh logging to /var/run/utmp is something that I believe should be activated by default, as it is pretty much expected behaviour that you can see pending logged in users. (ssh doesn't have that problem since it's running a root daemon)
There was a problem hiding this comment.
Fine, let's go with true as default.
| @@ -26,6 +27,17 @@ stdenv.mkDerivation rec { | |||
|
|
|||
| meta = { | |||
| description = "Interface for terminal emulators such as screen and xterm to record user sessions to utmp and wtmp files"; | |||
| longDescription = '' | |||
| Requires a wrapper to work. | |||
There was a problem hiding this comment.
This explanation only makes sense for NixOS systems. Please try to document the more general requirement (also for non-NixOS systems): utempter must be run as a user belonging to group utmp. On NixOS systems, this can be achieved by creating a setuid wrapper...
There was a problem hiding this comment.
Ah, didn't think about non-NixOs users. You're right, thanks!
There was a problem hiding this comment.
I have thought about this and I think it has more implications than just documentation.
You see, I'm patching the path of utempter from /var/lib/utempter/utempter to /run/wrappers/bin/utempter. So, as it currently stands, there would be a file with that path required, no matter if on NixOS or any other operating system.
So this might break other systems that had /var/lib/utempter/utempter present, maybe as part of the original operating system.
So I guess, I should also make another modification that this path is only patched for NixOs targets. Would this be the preferred way to go?
There was a problem hiding this comment.
You see, I'm patching the path of utempter from /var/lib/utempter/utempter to /run/wrappers/bin/utempter.
Correct, I missed that. libutempter should not be patched at all. nixpkgs packages must be self-contained and work on all supported systems (NixOs or other) without any implicit assumptions like the existence of such wrappers.
So I guess, I should also make another modification that this path is only patched for NixOs targets. Would this be the preferred way to go?
No, as explained above. But maybe you can patch mosh to search for utempter in PATH. That would work on both NixOS and non-nixOS systems: on NixOS systems, /run/wrappers/bin is in PATH, and on non-NixOS systems the user can add a setgit'd copy of utempter to their PATH. But you need to be able to install and use the mosh package with or without the corresponding module.
There was a problem hiding this comment.
The path to the utempter binary is hard-coded (in libutempter itself, not in mosh) to a path that is usually not part of $PATH on other systems. So, I could patch libutempter to look in $PATH, and that would work on NixOS, but that again would fail on other systems, because on them the binary would be found on a OS-specific path like /var/lib/utempter/utempter, which is usuallynot found on PATH :/
I fail to see a way that this will work in NixOS and other OSes. The way it currently is, it will work most likely in other OSes, but only if they didn't change the path to the utempter binary on their distribution, and libutempter is installed.
There was a problem hiding this comment.
The path to the utempter binary is hard-coded (in libutempter itself, not in mosh) to a path that is usually not part of $PATH on other systems.
Looking at the libutempter source code and derivation, only a default path is hardcoded to ${out}/lib/utempter/utempter which is in the nix store and will not work on any system.
But libutempter provides an API function utempter_set_helper() to set a path to the helper binary. The application must call it to set a path to a setgid version of that helper (or setgid wrapper) because the default path is useless. So you have two options:
-
patch
moshto callutempter_set_helper()in a way that works on both NixOS and other systems. -
patch
libutempterto look for the helper binary in PATH (or at a sensible location outside the nix store) by default.
The only other nixpkgs package currently using libutempter is guake. It doesn't do any related patching, so (without having tested it) I assume utempter doesn't work with it anyway. But if you patch libutempter please verify that you don't break guake.
Anyway, it's up to you to decide if the utmp functionality is worth the effort.
There was a problem hiding this comment.
I guess I'll undo the patch to libutempter, modify the code of mosh to call utempter_set_helperto use utempter from the PATH, and wrap the generated mosh binary, adding all three /run/wrappers/bin/utempter, /var/lib/utempter/utempterand ${out}/lib/utempter/utempter (in that priority) to PATH.
I guess that should cover as many bases as possible.
But I'll be gone for the week, so I'll have to continue this the week after. So expect this to take a while.
nixos/modules/programs/mosh.nix
Outdated
| }; | ||
|
|
||
| config = mkIf cfg.enable { | ||
| environment.systemPackages = with pkgs; [ mosh ]; | ||
| environment.systemPackages = [ ( pkgs.mosh.override { inherit (cfg) withUtempter; } ) ]; |
There was a problem hiding this comment.
This will trigger a local rebuild of mosh if withUtempter=true; because Hydra only builds the default version.
You could add mosh-with-utempter = mosh.override { withUtempter = true; } to pkgs/top-level/all-packages.nix to have Hydra build that version too.
Or you can build mosh with utempter support by default, provided it doesn't break when the setuid wrapper is missing.
There was a problem hiding this comment.
Yup, I feared as much. Will change that, thanks :)
There was a problem hiding this comment.
In any case: compiling against utempter without having the wrapper in place has no negative consequences. /var/run/utmp will not be written, but mosh continues working.
Then I believe it is better to build mosh with utempter support by default, so we don't have to maintain two variants. It shouldn't add much to closure size, and simplifies the module.
There was a problem hiding this comment.
fine, just ping me when it's ready.
|
This should cover everything discussed above. I'll check quake later today or tomorrow. Also I'll get a mac user I know to try this to make sure it doesn't break anything over there. If that went well and everything looks okay to you @xeji I'll do a final rebase. (I just did a commit so you could better review what I changed) |
|
feedback 1: guake compiles & runs fine. |
| wrapProgram $out/bin/mosh-server \ | ||
| --prefix PATH : "/run/wrappers/bin" \ | ||
| --suffix PATH : "${libutempter}/lib/utempter" | ||
| ''; |
There was a problem hiding this comment.
This wrapProgram doesn't make much sense to me, I think it can be deleted:
On NixOS systems, /run/wrappers/bin is already in PATH.
On non-NixOS systems, putting ${libutempter}/bin/utempter in PATH is useless because it's in the nix store and lacks the privileges (setgid). In this case the user must manually copy the helper program to a location in PATH but outside the nix store, and set ownership and permissions accordingly. We cannot automate this.
There was a problem hiding this comment.
You're absolutely right, I was thinking way too complicated there. Removed it.
|
@GrahamcOfBorg build mosh libutempter |
|
No attempt on x86_64-darwin (full log) The following builds were skipped because they don't evaluate on x86_64-darwin: mosh, libutempter Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
|
Thank you, LGTM. |
|
@xeji: wait a second, we just noticed that this breaks builds for darwin (libutempter is linux-only) |
| , makeWrapper, perl, openssl, autoreconfHook, openssh, bash-completion }: | ||
| { lib, stdenv, fetchurl, zlib, protobuf, ncurses, pkgconfig, IOTty | ||
| , makeWrapper, perl, openssl, autoreconfHook, openssh, bash-completion | ||
| , libutempter, withUtempter ? true }: |
There was a problem hiding this comment.
libutempter ? null, withUtempter ? stdenv.isLinux should fix mosh on darwin
There was a problem hiding this comment.
thanks :) let's see if the borg builds correctly and then I'll squash this for merging :)
There was a problem hiding this comment.
you don't need to squash, I can do that when merging
|
@GrahamcOfBorg build mosh libutempter |
|
Success on aarch64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
|
Success on x86_64-darwin (full log) Attempted: mosh The following builds were skipped because they don't evaluate on x86_64-darwin: libutempter Partial log (click to expand)
|
phryneas
force-pushed
the
mosh-with-libutempter
branch
from
546a809
to
08f9410
Compare
|
looks like your rebase went wrong, these other commits don't belong here |
Adds programs.mosh.withUtempter (default: true). The option enables -with-utempter for mosh, allowing it to write to /var/run/utmp and thus making connected sessions appear in the output of `who -a`. For that, a guid-wrapper is required. Also, the path to the `utempter` was hardcoded in the resulting binary until now (so it could never been found), thus, libutempter was patched accordingly to point to /run/wrappers/bin/utempter which at least works when the wrapper is configured.
phryneas
force-pushed
the
mosh-with-libutempter
branch
from
08f9410
to
7c34c28
Compare
|
yup, just noticed that myself. should be better now. |
|
@GrahamcOfBorg build mosh libutempter |
|
nah, doesn't listen to me xD |
|
@GrahamcOfBorg build mosh libutempter |
|
Success on aarch64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: mosh, libutempter Partial log (click to expand)
|
|
Success on x86_64-darwin (full log) Attempted: mosh The following builds were skipped because they don't evaluate on x86_64-darwin: libutempter Partial log (click to expand)
|
Adds programs.mosh.withUtempter (default: true).
Motivation for this change
The option enables --with-utempter for mosh, allowing it to write to
/var/run/utmp and thus making connected sessions appear in the output
of
who -a.Things done
For that, a guid-wrapper is required. Also, the path to the
utempterwashardcoded in the resulting binary until now (so it could never been found),
thus, libutempter was patched accordingly to point to
/run/wrappers/bin/utempter which at least works when the wrapper is
configured.
I wrote it this way so that installing the package
moshby itself still is compiled without utempter as usually a user just installing the mosh package most likely just wants to use the client and will not have the wrapper installed.In any case: compiling against utempter without having the wrapper in place has no negative consequences. /var/run/utmp will not be written, but mosh continues working.
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)