
Sysusers only for sysusers #328926

Merged
merged 3 commits into from
Jul 22, 2024

Conversation

nikstur
Contributor

@nikstur nikstur commented Jul 21, 2024

d43e323 fixes #325052
2710a49 fixes #318365
2ca0453 fixes #307159

The most important change is that sysusers now will only create system users. You cannot use this when you have normal users! I plan to add a perlless mode to add normal users via systemd-homed in the future.

Also, sysusers is now always executed at runtime even when /etc is immutable and when mutableUsers = false.

closes #328727

Description of changes

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

nikstur added 3 commits July 21, 2024 16:22

systemd-sysusers cannot create normal users (i.e. with a UID > 1000).
Thus we stop trying and explicitly only use systemd-sysusers when there
are no normal users on the system (e.g. appliances).

On Linux we cannot feasibly generate users statically because we need
to take care to not change or re-use UIDs over the lifetime of a machine
(i.e. over multiple generations). This means we need the context of the
running machine.

Thus, stop creating users statically and instead generate them at
runtime irrespective of mutableUsers.

When /etc is immutable, the password files (e.g. /etc/passwd etc.) are
created in a separate directory (/var/lib/nixos/etc). /etc will be
pre-populated with symlinks to this separate directory.

Immutable users are now implemented by bind-mounting the password files
read-only onto themselves and only briefly re-mounting them writable to
re-execute sysusers. The biggest limitation of this design is that you
now need to manually unmount this bind mount to change passwords because
sysusers cannot change passwords for you. This shouldn't be too much of
an issue because system users should only rarely need to change their
passwords.

Regardless of mutable or immutable users, systemd-sysupdate never
updates existing user records and thus will for example never change
passwords for you.

It only supports initial passwords and now actively asserts against other
passwords.
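The second commit message argues that users cannot be generated statically because UIDs must never change or be re-used across generations, and the third adds that existing records are never updated. Those two invariants are what a runtime, sysusers-style merge has to guarantee. The following is an added example written for this page, not code from nixpkgs or systemd: a small Python model that parses passwd(5) records and the `u` directive of sysusers.d(5), then merges them while refusing to touch an existing record, refusing to hand out a UID any record already holds, and refusing non-system UIDs (the normal-user case the PR asserts against; the error message names the user, which the discussion below asks for). The 1..999 range and top-down allocation are my assumptions about systemd's defaults; the sample passwd and sysusers fragments are constructed.

```python
"""Stable system-UID allocation: a model of what a runtime sysusers-style merge
must guarantee. Added example, not nixpkgs or systemd code; the UID range and
the downward allocation order are assumptions about systemd's defaults."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: systemd's default system-user range, allocated from the top down.
SYSTEM_UID_MIN = 1
SYSTEM_UID_MAX = 999


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str = ""
    home: str = "/"
    shell: str = "/usr/sbin/nologin"

    def line(self) -> str:
        # Password field is always "x": hashes belong in /etc/shadow, never here.
        return f"{self.name}:x:{self.uid}:{self.gid}:{self.gecos}:{self.home}:{self.shell}"


@dataclass
class SysusersLine:
    name: str
    uid: Optional[int]  # None: allocate one
    gid: Optional[int]
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd(5) lines into a name-keyed dict."""
    entries: Dict[str, PasswdEntry] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = raw.split(":", 6)
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def parse_sysusers(text: str) -> List[SysusersLine]:
    """Parse the 'u' directive of sysusers.d(5): u NAME ID[:GID] [GECOS] [HOME] [SHELL].
    Other directives (g, m, r) are skipped; a '-' field means 'use the default'."""
    wanted: List[SysusersLine] = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts or parts[0] != "u":
            continue
        opt = lambda i, default: parts[i] if len(parts) > i and parts[i] != "-" else default
        uid = gid = None
        id_spec = opt(2, "-")
        if id_spec != "-":
            uid_s, _, gid_s = id_spec.partition(":")
            uid = int(uid_s)
            gid = int(gid_s) if gid_s else uid
        wanted.append(SysusersLine(parts[1], uid, gid, opt(3, ""), opt(4, "/"), opt(5, "/usr/sbin/nologin")))
    return wanted


def apply_sysusers(existing: Dict[str, PasswdEntry],
                   wanted: List[SysusersLine]) -> Tuple[Dict[str, PasswdEntry], List[str]]:
    """Merge wanted users into existing records. Two invariants give UID stability
    across generations: an existing record is never rewritten (even if the fragment
    now asks for a different UID), and a UID held by any record is never reissued."""
    result = dict(existing)
    used = {e.uid for e in result.values()}
    log: List[str] = []
    cursor = SYSTEM_UID_MAX
    for w in wanted:
        if w.name in result:
            log.append(f"{w.name}: kept existing uid {result[w.name].uid}")
            continue
        if w.uid is None:
            while cursor in used:
                cursor -= 1
            if cursor < SYSTEM_UID_MIN:
                raise RuntimeError("system UID range exhausted")
            uid = cursor
        elif not SYSTEM_UID_MIN <= w.uid <= SYSTEM_UID_MAX:
            # Mirrors the PR's assertion, but names the offending user.
            raise ValueError(f"users.users.{w.name}: uid {w.uid} is not a system uid; "
                             "sysusers creates system users only")
        elif w.uid in used:
            raise ValueError(f"users.users.{w.name}: uid {w.uid} already belongs to another record")
        else:
            uid = w.uid
        gid = uid if w.gid is None else w.gid
        result[w.name] = PasswdEntry(w.name, uid, gid, w.gecos, w.home, w.shell)
        used.add(uid)
        log.append(f"{w.name}: created uid {uid}")
    return result, log


def rejects(existing: Dict[str, PasswdEntry], fragment: str) -> bool:
    """True if the fragment is refused (shows the normal-user and collision checks)."""
    try:
        apply_sysusers(existing, parse_sysusers(fragment))
    except ValueError:
        return True
    return False


# Constructed sample inputs for the example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
sshd:x:998:998:SSH daemon:/var/empty:/usr/sbin/nologin
nobody:x:65534:65534:Unprivileged:/var/empty:/usr/sbin/nologin
"""
SAMPLE_SYSUSERS = """\
# sshd already exists with uid 998; the requested 995 must NOT be applied
u sshd 995 "SSH daemon" /var/empty
u nginx - "nginx web server" /var/lib/nginx
u metrics - - /var/lib/metrics
"""


def demo() -> Tuple[Dict[str, PasswdEntry], List[str], bool]:
    first, log = apply_sysusers(parse_passwd(SAMPLE_PASSWD), parse_sysusers(SAMPLE_SYSUSERS))
    # Next generation, same fragment: must be a no-op.
    second, _ = apply_sysusers(first, parse_sysusers(SAMPLE_SYSUSERS))
    return first, log, second == first


if __name__ == "__main__":
    users, log, stable = demo()
    for entry in users.values():
        print(entry.line())
    print("\n".join(log), "\nstable across runs:", stable)
```

Running it shows `sshd` keeping 998 despite the fragment asking for 995, `nginx` taking 999 and `metrics` skipping the occupied 998 to land on 997; a second pass over the same fragment changes nothing. A static generator that derived UIDs from the current configuration alone could not make the first of those promises, which is the point of the commit message.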
@nikstur nikstur requested review from RaitoBezarius and arianvp July 21, 2024 14:27
@nikstur nikstur requested a review from a team as a code owner July 21, 2024 14:27
@nikstur nikstur requested a review from Mic92 July 21, 2024 14:27
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 6.topic: systemd labels Jul 21, 2024
@nikstur nikstur requested a review from Lassulus July 21, 2024 14:30
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Jul 21, 2024
@arianvp
Member

arianvp commented Jul 22, 2024

How will the root user be handled in the homed case?

@nikstur
Contributor Author

nikstur commented Jul 22, 2024

How will the root user be handled in the homed case?

The root user will always be handled by sysusers

@nikstur
Contributor Author

nikstur commented Jul 22, 2024

@ofborg test systemd-sysusers-immutable systemd-sysusers-mutable activation-etc-overlay-immutable activation-etc-overlay-mutable

@nikstur nikstur merged commit be0df72 into NixOS:master Jul 22, 2024
29 of 31 checks passed
@evrim
Contributor

evrim commented Aug 2, 2024

Hi there,

I am afraid this patch has some problems within.

      assertion = !opts.isNormalUser;
      message = "systemd-sysusers doesn't create normal users. You can currently only use it to create system users.";

First of all, the above assertion is pretty cruel to devs, I had no idea which user is blocking my build so adding "${_username}" as a prefix might be kind to all of us.

Another problem is I build a kexec image with nixos-images by the modules noninteractive and kexec-installer. The former uses perlless and the latter inserts users.users.nixos. I do not know any means to remove the nixos user from the installer hence the following ugliness.

  # Turn the installer's nixos user into a system user so the perlless
  # sysusers assertion passes.
  users.users.nixos = {
    isSystemUser = true;
    isNormalUser = lib.mkForce false;
  };
  users.users.nixos.group = "nixos";
  users.groups.nixos = {};

I think there must be an agreement between the installer in nixos and the perlless otherwise the above error message might bite us in the long run.

best,
evrim.

@Mic92
Member

Mic92 commented Aug 2, 2024

      assertion = !opts.isNormalUser;
      message = "systemd-sysusers doesn't create normal users. You can currently only use it to create system users.";

First of all, the above assertion is pretty cruel to devs, I had no idea which user is blocking my build so adding "${_username}" as a prefix might be kind to all of us.

Makes sense. Could you make a pull request?

@Mic92
Member

Mic92 commented Aug 2, 2024

I also added your patch to nixos-images: nix-community/nixos-images#261
