Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support targeting installs to Determinate Nix Enterprise Edition. #905

Merged
merged 29 commits into from
Apr 15, 2024
Merged

Support targeting installs to Determinate Nix Enterprise Edition. #905

merged 29 commits into from
Apr 15, 2024

Conversation

grahamc
Copy link
Member

@grahamc grahamc commented Apr 1, 2024
edited

Description

Passing --enterprise will disable the upstream launchd daemons and use ours. Requires the user separately coordinate the installation of Determinate Nix for macOS ahead of time.

Checklist
  • Formatted with cargo fmt
  • Built with nix build
  • Ran flake checks with nix flake check
  • Added or updated relevant tests (leave unchecked if not applicable)
  • Added or updated relevant documentation (leave unchecked if not applicable)
  • Linked to related issues (leave unchecked if not applicable)
Validating with install.determinate.systems

If a maintainer has added the upload to s3 label to this PR, it will become available for installation via install.determinate.systems:

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/pr/$PR_NUMBER | sh -s -- install

@grahamc grahamc added the upload to s3 The labeled PR is allowed to upload its artifacts to S3 for easy testing label Apr 1, 2024
flexiondotorg
flexiondotorg approved these changes Apr 2, 2024
View reviewed changes
Copy link
Member

@flexiondotorg flexiondotorg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM: I've seen the run-through, this is a great step forward to deliver custom Nix on macOS for enterprise customers 👍

@flexiondotorg
Copy link
Member

When the public Nix installer for macOS is run with --nix-enterprise, it will fail as the public version doesn't know how to activate an enterprise install. In this event, it should sign-post the appropriate page on https://determinate.systems as a potential sales funnel.

cole-h
cole-h previously requested changes Apr 2, 2024
View reviewed changes
src/action/common/configure_init_service.rs Outdated Show resolved Hide resolved
src/action/common/configure_init_service.rs Outdated Show resolved Hide resolved
src/action/common/configure_init_service.rs Outdated Show resolved Hide resolved
src/action/macos/create_nix_volume.rs Outdated Show resolved Hide resolved
@grahamc grahamc changed the title Support targeting installs to Determinate's enterprise offering via Determinate Nix for macOS. Support targeting installs to Determinate Nix Enterprise Edition. Apr 4, 2024
cole-h
cole-h reviewed Apr 4, 2024
View reviewed changes
src/planner/macos.rs Outdated Show resolved Hide resolved
src/action/common/configure_init_service.rs Outdated Show resolved Hide resolved
cole-h
cole-h reviewed Apr 5, 2024
View reviewed changes
tests/fixtures/macos/macos.json Outdated Show resolved Hide resolved
src/action/common/configure_enterprise_edition_init_service.rs
}

#[tracing::instrument(level = "debug", skip_all)]
async fn execute(&mut self) -> Result<(), ActionError> {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to share more code with configure_init_service, but we can do that in a follow-up PR.

src/action/macos/encrypt_apfs_volume.rs
@@ -57,7 +59,11 @@ impl EncryptApfsVolume {
// The user has a password matching what we would create.
if planned_create_apfs_volume.state == ActionState::Completed {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if this is still true in the case of this "enterprise edition" -- since we add specific access to another binary, isn't it possible that if we take the current volume as-is, we'll not have that access and things will break?

(I think all of these completed branches need to be audited to ensure that this is OK)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the other branches look good to me ... one option is to unconditionally add our program to the access list. I don't know how else we can detect a fault here.

cole-h
cole-h reviewed Apr 9, 2024
View reviewed changes
src/action/common/configure_enterprise_edition_init_service.rs
impl ConfigureEnterpriseEditionInitService {
#[tracing::instrument(level = "debug", skip_all)]
pub async fn plan(start_daemon: bool) -> Result<StatefulAction<Self>, ActionError> {
Ok(Self { start_daemon }.into())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These EE-specific steps should probably ensure that the "enablement" binary is present, or otherwise mark it as Skipped (or error). Additionally, this seems to be causing some issues in CI where it just.... hangs at some point (why is the CI test trying to enable EE mode? surely that's wrong). That hang will probably rear its ugly head outside of CI too.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had accidentally inverted the bool in the planner: 045f388

The root macos planner does make the check that the binary is present. I'm not sure we should duplicate the behavior in the actions ... what do you think?

@grahamc
Drop riff support
04529ab
@grahamc
Relocate the darwin diskutil structs to make room for keychain
0ef8eb7
@grahamc
Clean up a few warnings
ede41b6
@grahamc
Initial support for Determinate Nix Enterprise
318bced
@grahamc
Don't create the org.nixos.darwin-store service under enterprise nix.
624b9f3
@grahamc
Only write out systems.determinate.nix-daemon under nix enterprise
06a8e7e
@grahamc
Bump the nix crate from 0.27.0 to 0.28.0 for nix-rust/nix#2304
f93f0bd
@grahamc
Fixup the test fixture for macos
45bb56e
@grahamc
Correct ConfigureInitService on Linux
b3c1ed4
@grahamc
Fixup fixtures for linux
14f3e12
@grahamc
Use Determinate Nix for macOS to perform the mount during installation.
978f8a6
@grahamc
Force-enable encryption for Nix Enterprise on macOS
2ef4ed3
@grahamc
fixup
6da3660
@grahamc
drop extraneous comment
bf67b0e
@grahamc
Create a separate CreateNixEnterpriseVolume to simplify CreateNixVolume.
04f1c8b
@grahamc
fixup
00e8dea
@grahamc
Relocate the nix-enterprise flag down into the macOS planner, since o…
98c2f79 
…ur planning requires no changes on other targets at the moment.
@grahamc
Fail the install if --nix-enterprise is passed but isn't available
e40159c
@grahamc
fixup nix_enterprise bits
44a688c
@grahamc
I hate this.
2e4c85b
@grahamc
Rename to be Determinate Nix Enterprise Edition, to be more consisten…
128ba24 
…t across tools and products.
@grahamc grahamc requested a review from cole-h April 15, 2024 15:13
@cole-h cole-h dismissed their stale review April 15, 2024 15:57

resolved

@cole-h cole-h merged commit 1c4976a into main Apr 15, 2024
13 checks passed
@cole-h cole-h deleted the ee branch April 15, 2024 16:06
This was referenced May 23, 2024
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flexiondotorg flexiondotorg flexiondotorg approved these changes

@cole-h cole-h Awaiting requested review from cole-h

Assignees
No one assigned
Labels
upload to s3 The labeled PR is allowed to upload its artifacts to S3 for easy testing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@grahamc @flexiondotorg @cole-h