Read-only etc #3192
Comments
|
One problem is that a lot of packages have designated config files that are not automatically generated by NixOS. For example, there's the We would need to add those functions to the those packages or else there would be no way to configure them. |
|
There's also dynamically changing stuff like |
|
Volatile files can be symlinks to /run. To follow the sidetrack, I would love it if all files used to derive the |
|
sudoers, mdadm, and zfs are all things that NixOS can generate, so I don't think those would be too much of a problem. wpa_gui and friends have options for moving the config file, probably to /run or /var. resolv.conf appears to be dynamically-generated by resolvconf and so should also move to /run. So I guess there will be problems but not too many. |
|
(triage) does anybody want to implement this? |
|
I do, see #16978 (comment). Alas, I was very busy lately and also will depart on a two-week trip in several days. |
|
Writable |
|
On the nameservers issue, I think there's a class of NixOS config that should be handled before other config: #6830 |
|
@yegortimoshenko symlinks to |
|
In fact we already solve this with symlinks for dynamic files, for example: (and yes, I know that I was suposed to work on this, shame on me ;_;) |
|
Thank you for your contributions. This has been automatically marked as stale because it has had no activity for 180 days. If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity. Here are suggestions that might help resolve this more quickly:
|
stale
bot
added
the
2.status: stale
|
still important to me |
stale
bot
removed
the
2.status: stale
|
still important to me
At some point I started an implementation which was sufficient for some NixOS tests: https://github.com/7c6f434c/nixpkgs/tree/readonly-etc but it did not pay off enough in case of VM tests, and I do not use NixOS mainline boot sequence on my laptop.
(I do have /etc which is a symlink into /var/current-system/global/etc on my actual system)
|
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
So maybe we could start by turning |
stale
bot
removed
the
2.status: stale
|
Ah this will not work well, because some things expect them not to be symlinks I guess.. even bind mounts don't work with e.g. the |
|
OP only take about /etc/nix*. Perhaps we can already move those to /nix/var/nix/etc ? |
|
Ah this will *not* work well, because some things expect them not to be symlinks I guess.. even bind mounts don't work with e.g. the `passwd` command, because it first creates `passwd+` and a copy of `passwd` at `passwd-`. Is there some documentation on how this works?
Actually, writing them like this is only necessary for just a few management tools, so rebuilding shadow to point to /var/auth instead of /etc just for setuid-wrappers and maybe general PATH, while letting everything use normal shadow and get the symlinks is an option.
|
ah |
|
ah `passwd` has a `chroot` option, so it could also be wrapped to chroot into a different location in /var..
Note that patching the default location will also work with setuid installation, but using chroot options is true-root-only. Funnily enough, you need more than just the auth files inside the chroot (I use this, and I ended up bind-mounting the basic tools into chroot, too — not that surprising given PAM loading DSOs with modules).
|
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
Still interested |
stale
bot
removed
the
2.status: stale
|
Is impermanence what you are looking for? |
|
It's certainly related. To phrase the issue in terms of that work, this is making sure that all the persistent state is stored in /var instead of /etc. So based on the example in the README it looks like |
|
I like impermanence, but it's designed for the "make a mess, then delete it" strategy, like docker. The way i see it, NixOS generally tries to avoid making a mess in the first place. |
|
Does I personally haven't tried it yet, because it does not work with secret management tools like |
|
It indeed seems to satisfy the requirements. We could leave this open as a tracking issue for defaulting to |
IMO we should open a new issue for that. |
did anyone open it? |
For purity,
/etcshould consist only of automatically-generated files and symlinks into the nix store, and be managed only by the NixOS tools. There should thus be no reason for a user to edit these files. To enforce this policy,/etcshould be remounted read-only after late boot, similar to/nix/store.This conflicts with the currently-common practice of editing
/etc/nixos/configuration.nix. I propose to deprecate this file and instead require specifying the configuration file as an argument tonixos-rebuild./etc/nixos/configuration.nixcan be removed or changed to a symlink into the nix store pointing to the config file in use and its dependencies (including e.g. the nixpkgs tree)The text was updated successfully, but these errors were encountered: