Perlless Activation #270727
Conversation
Test systemd-sysusers: Test etc overlay: Test perlless profiles: Prove that I broke nothing:
Feel free to link the relevant
The composefs trick is only required so that we can have permissions on files in /etc and also because we are missing mutable and immutable files.
Was it considered to just rewrite the perl script in a compiled language and why was that discarded?
Also relying on a one-off toy program in the critical chain with lots and lots of very specific define conditions does not feel great.
I agree that this is not correct. I decided to fix both in this PR: #284508
    size=os.stat(source).st_size,
    filetype=FileType.file,
    mode=mode,
    payload=target,
Failing to find the New York time zone in the sandbox for some reason. Any solutions?
It looks like that path comes directly from EDIT: nixpkgs/nixos/modules/config/locale.nix Lines 88 to 89 in 237e778
What is mode = "direct-symlink" supposed to indicate, this looks like it involves some very old code.
Interesting, so it comes from the locale module. Also no idea what direct-symlink is trying to indicate, maybe ask one of the maintainers?
#284641 is attempting to drop
Wouldn't the systemd patch need to be updated too? nixpkgs/pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch Line 73 in a5ae45e
with
During activation
dmesg
@mlyxshi did you reboot, or attempt to switch from a running non-overlay-etc system? I don't think the latter is reasonable to invest a lot of effort to support.
Still broken with
Still broken as of May 15th :P
Thanks for working on this! I tried it out but disabled because activating without reboot regularly fails with Also suggestions for what's user visible:
EDIT: Oh and I also had the time zone issue and used the workaround mentioned above.
#307159 for cross reference
Introduces the bits and pieces necessary to build a fully perlless system (i.e. a system without the perl interpreter.)
Acknowledgement
Even if this is not necessarily reflected in the commits or code, this was a team effort. Thank you for your help!
Started at OceanSprint 2023 with bootstrapping help from @lheckemann and @blitz.
Mounting /etc via an overlayfs was @arianvp's original idea. @RaitoBezarius pointed out that we can use composefs to get modes and permissions into this overlay. This is also part of the broader Boot Security Work.
Description of changes
Design Document: https://pad.lassul.us/nixos-perlless-activation
This change consists of three parts:
update-users-groups.pl
/etc via an overlay (using mkcomposefs and other ideas stolen from composefs)
Furthermore it depends on two more PRs:
The commits from these PRs are also contained in this PR and are marked with rebase:.
This change doesn't remove any of the current mechanisms to create users and /etc but only adds an opt-in mechanism to do it all without perl. I see this as the only way to introduce the new functionality. Straight up replacing the existing ones is too risky as test coverage is generally poor (or very dependent on the implementation) and this is a critical path. This way we can start live testing these features and incrementally improving them until they are mature enough to fully replace the existing mechanisms.
I'm pretty confident that you can use the new mechanisms even for a normal switchable system (but then you will have Perl because of switch-to-configuration.pl!).
Closes #267982