stage2: use atomic bind mounts #142412
stage2: use atomic bind mounts #142412
Conversation
github-actions
bot
added
6.topic: nixos
|
/cc @Ma27 (eventually useful in the context of NixOS/rfcs#108)
|
There was a problem hiding this comment.
I was able to delete store paths:
[14:08:46] jon@jon-laptop /home/jon/projects/nixpkgs (master)
$ nix-build -A hello
this path will be fetched (0.04 MiB download, 0.20 MiB unpacked):
/nix/store/15c875mwri8xx3s0gqsdkdw7sqqyv55c-hello-2.10
copying path '/nix/store/15c875mwri8xx3s0gqsdkdw7sqqyv55c-hello-2.10' from 'https://cache.nixos.org'...
/nix/store/15c875mwri8xx3s0gqsdkdw7sqqyv55c-hello-2.10
[14:08:51] jon@jon-laptop /home/jon/projects/nixpkgs (master)
$ sudo rm -r /nix/store/15c875mwri8xx3s0gqsdkdw7sqqyv55c-hello-2.10
[sudo] password for jon:
[14:09:01] jon@jon-laptop /home/jon/projects/nixpkgs (master)
$ ls /nix/store/15c875mwri8xx3s0gqsdkdw7sqqyv55c-hello-2.10
"/nix/store/15c875mwri8xx3s0gqsdkdw7sqqyv55c-hello-2.10": No such file or directory (os error 2)
ofborg
bot
added
10.rebuild-darwin: 0
| #mount /nix/store /nix/store -o bind,remount,ro | ||
| mount --bind /nix/store /nix/store | ||
| mount -o remount,ro,bind /nix/store | ||
| mount /nix/store /nix/store -o bind,remount,ro |
There was a problem hiding this comment.
this should be bind,ro, otherwise it only works when /nix/store is already a mountpoint. interestingly linux even today (running 5.14.8 here) ignores the ro in ro,bind at first, but mount itself then follows up with a bind,remount,ro of its own to get a read-only mount. not sure when mount started doing that.
There was a problem hiding this comment.
I tried with just bind,ro, but that didn't work. It fails on https://github.com/pennae/nixpkgs/blob/master/nixos/modules/system/boot/stage-2-init.sh#L74 for some reason.
I'll leave this open for other people to discuss that hopefully know more about filesystems than me.
There was a problem hiding this comment.
I think my problem is that /nix/store isn't a bind mount itself, just the paths within it, since i pass every store path with --bind-ro separately.
I wonder if there's a good way to distinguish this pattern.
There was a problem hiding this comment.
the currently proposed solution (rbind /nix/store in the container case) also seems a bit lacking; if a store path were bound read-write by accident we would entirely on the host store being read-only to make container store paths read-only (since remounting /nix/store read-only would not propagate to its child mounts in the container). rbinding the store is definitely good, but we should probably also remount all submounts in the container case.
|
Btw nspawn instances without full access to the host's /nix/store is something I hacked together within #140669 |
|
Thanks, your change to stage2 is definitely working better than mine. |
manveru
force-pushed
the
use-atomic-bind-mounts
branch
from
871bc83 to
e629023
Compare
|
Successfully created backport PR #144186 for |
|
I'm trying to understand why we special case in both container and non-container cases? It's confusing to me to have these special cases! Also I think what is meant is recursive bind mounts? not atomic ? What part of this change make things atomic? |
Motivation for this change
Stumbled over this when trying to do systemd-nspawn containers with only the requisite store paths for that system instead of mounting the full /nix/store. The second call to mount would fail to find the executable. With the atomic mounting everything works nicely again.
Kernel 4.5 was EOL in 2016, so we should be fine now :)
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)