boot.initrd.secrets is undocumented and appears broken #41608
Comments
When I submitted my PR, I assumed it was ok to make a backwards incompatible to master, and that users running NixOS unstable would be willing to accept such changes. I did not create the I assume you have @joachifm Feel free to revert this until I can fix the issue.
My bad. I've reverted it for now. However, I don't think it's well advised to run from master nor expect that it will always be in good shape, but I'll admit I should have looked closer, sorry.
@joachifm Well I run master because I hope I can help stabilize stuff, if only by giving feedback when stuff breaks. @lopsided98 I was surprised by the straight-up removal of the existing option because ISTM that it's been in an actual release (18.03), and thus ought to see a deprecation period---but I didn't check. And I should apologize: you're right, I do see that the option is documented; for some reason the manpage for Finally, you're correct, I have /boot on the same drive as /, so Just to be clear: I would actually like this to go in, and am willing to play guinea pig on it a bit if that helps (though I'll be slow and laggy to respond, so I might not be the ideal testbed).
@mdorman sure :) I just got the impression you were annoyed that this had broken a deployment of yours.
I have a rebased version of the PR that should fix the It still isn't backwards compatible, but the change is documented in the changelog.
(triage) @mdorman, do you want to test the new version of the PR? :) |
I can't get this to work. I can verify that the file gets copied into the initrd under
I'm not sure I understand your problem. When is your error occurring - at boot or during activation? What are the source and destination locations of your secrets? Could you post the relevant section of your config? |
I also would like it if this could be un-reverted, because without some secrets options for grub which are executed at activation time, I cannot build my initrd ssh. This is due to the pure mode of flakes, where I would have to provide my ssh host keys as a flake, or load them after build time.
I created #85418 |
I apologize, I thought this got closed. Yes, I found the change that was merged a while ago to provide sufficient documentation that I was able to convert over to using it without a problem. I appreciate everyone's patience in getting things to that point. |
Issue description

c06d795 introduced boot.initrd.secrets, in place of the prior boot.loader.grub.extraInitrd. While I sincerely appreciate trying to handle this directly, it has four problems that I can see:

1. Not even a deprecation period, just suddenly I can't rebuild.
2. This seems like it should be a baseline requirement for a feature like this, but instead we removed a documented option in favor of one with no documentation. As a user, I'm extremely disappointed by this.
3. Trying what seem to me the intuitive options didn't work---you can't just give it a file, and you can't just give it an array of files. I read the code, and it appears you must give it an attribute set? I can guess that my keyfile is supposed to be one or the other, but what's the other thing supposed to be?
4. It appears to be assuming things about paths existing.

It seems like this could have stood more review. CC: @joachifm as committer, and @lopsided98 as author.

Steps to reproduce

Add

```nix
boot.initrd.secrets = { "" = "/luks-root.key"; };
```

to your /etc/nixos/configuration.nix. Try to rebuild your system, and you'll see this error:

Technical details
Please run nix-shell -p nix-info --run "nix-info -m" and paste the results.

 - system: "x86_64-linux"
 - host os: Linux 4.17.0, NixOS, 18.09.git.eddb6f9 (Jellyfish)
 - multi-user?: yes
 - sandbox: yes
 - version: nix-env (Nix) 2.0
 - channels(root): ""
 - channels(user): ""
 - nixpkgs: /var/nixup/nixpkgs
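For readers who land here with the same question the report raises (what the attribute set's keys and values mean), the following is an added configuration example; it is not from the issue, the reverted PR, or nixpkgs. It assumes the semantics the option has in its documented form: each attribute name is the path the file gets inside the initrd, each value is the path on the running system it is copied from (null means the same path in both places), and the copy happens when the bootloader is installed during activation (nixos-rebuild), not at build time. The keyfile paths, the device UUID and the device name cryptroot are hypothetical.

```nix
# Added example, not the reporter's configuration: supply a LUKS keyfile to
# the initrd via boot.initrd.secrets and point boot.initrd.luks at it.
{ config, lib, pkgs, ... }:

{
  boot.initrd.secrets = {
    # Attribute name: path the file has inside the initrd.
    # Value: path on the host it is copied from. The copy is made at
    # activation time, so the source must exist on the machine running
    # nixos-rebuild (hypothetical paths).
    "/luks-root.key" = "/etc/secrets/luks-root.key";

    # A null value keeps the same path inside and outside the initrd.
    # "/etc/secrets/other.key" = null;
  };

  boot.initrd.luks.devices.cryptroot = {
    # Hypothetical UUID; use the real one from blkid or /dev/disk/by-uuid.
    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
    # The initrd path, i.e. the attribute name used above, not the host path.
    keyFile = "/luks-root.key";
    # Still prompt for a passphrase if the keyfile is missing or rejected.
    fallbackToPassword = true;
  };
}
```

Two caveats worth checking before adopting this. First, the initrd with the appended secret is written to /boot, so the keyfile is exactly as protected as the boot partition: if /boot is an unencrypted ESP, anyone who can read the disk can read the key, and the pattern only makes sense when /boot itself lives on the encrypted volume (for GRUB, see boot.loader.grub.enableCryptodisk) or when the key protects something other than the root device. Second, because the secret is copied during activation rather than during the build, a missing source file does not fail at nix-build; it fails when the new generation is being switched to, which is the point where the "assuming things about paths existing" complaint above bites.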