New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improvements for FHS user chrootenv #16030
Conversation
By analyzing the blame information on this pull request, we identified @svanderburg, @hrdinka and @bjornfor to be potential reviewers |
This takes another approach at binding FHS directory structure. We now bind-mount all the root filesystem to directory "/host" in the target tree. From that we symlink all the directories into the tree if they do not already exist in FHS structure. This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main usecase was to add bound directories from the host to the sandbox, and we not just symlink all of them. I plan to get some feedback on its usage and maybe deprecate it. This also drops old `buildFHSChrootEnv` infrastructure. The main problem with it is it's very difficult to unmount a recursive-bound directory when mount is not sandboxed. This problem is a bug even without these changes -- if you have for example `/home/alice` mounted to somewhere, you wouldn't see it in `buildFHSChrootEnv` now. With the new directory structure, it's impossible to use regular bind at all. After some tackling with this I realized that the fix would be brittle and dangerous (if you don't unmount everything clearly and proceed to removing the temporary directory, bye-bye fs!). It also probably doesn't worth it because I haven't heard that someone actually uses it for a long time, and `buildFHSUserEnv` should cover most cases while being much more maintainable and safe for the end-user.
BTW I have an experimental branch which uses |
Oh, and this also takes another non-trivial chunk off |
Hi @abbradar. Although I don't understand all the code, it looks like a nice cleanup (lots of removed code)! I tested it on NixOS and Ubuntu and it works fine. I don't mind if you drop CHROOTENV_EXTRA_BINDS, because you've (bind)mounted everything already. At first I worried if more things would leak from host to env (like /usr/ or other places where binaries and libraries might be located), but it seems safe. The scary paths are handled by the env, the rest that is mapped from the host is just "convenient" (like I used CHROOTENV_EXTRA_BINDS to access extra disk before). Observations:
|
@bjornfor Yes, GCC-the-compiler is removed to save disk space, likewise absence of Concerning |
@abbradar: Thanks for info. +1 for merge. |
I'll merge it in several days to leave more room for discussion. Thanks for review! |
Do we need to update documentation? http://nixos.org/nixpkgs/manual/#sec-fhs-environments |
Yes! Thanks for the reminder. |
👍 for the changes and it doesn't break anything for me. |
I've updated the documentation. (Imaginary) timer till merge re-started ^_^ |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/hardcoded-opt-paths-in-binary-files/14661/4 |
Motivation for this change
This takes another approach at binding FHS directory structure. We
now bind-mount all the root filesystem to directory "/host" in the target tree.
From that we symlink all the directories into the tree if they do not already
exist in FHS structure.
This probably makes
CHROOTENV_EXTRA_BINDS
unnecessary -- its main usecase wasto add bound directories from the host to the sandbox, and we now just symlink
all of them. I plan to get some feedback on its usage and maybe deprecate it.
This also drops old
buildFHSChrootEnv
infrastructure. The main problem with itis it's very difficult to unmount a recursive-bound directory when mount is not
sandboxed. This problem is a bug even without these changes -- if
you have for example
/home/alice
mounted to somewhere, you wouldn't seeit in
buildFHSChrootEnv
now. With the new directory structure, it'simpossible to use regular bind at all. After some tackling with this I realized
that the fix would be brittle and dangerous (if you don't unmount everything
cleanly and proceed to removing the temporary directory, bye-bye fs!). It also
probably doesn't worth it because I haven't heard that someone actually uses it
for a long time, and
buildFHSUserEnv
should cover most cases while being muchmore maintainable and safe for the end-user.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)cc @bjornfor (concerning
CHROOTENV_EXTRA_BINDS
)