nixos-rebuild: fix --install-bootloader flag with systemd-run #262724

Merged
merged 4 commits into from
Oct 23, 2023

thiagokokada
Contributor

@thiagokokada thiagokokada commented Oct 22, 2023

Description of changes

With #258571 nixos-rebuild --install-bootloader flag is broken because we don't preserve the NIXOS_INSTALL_BOOTLOADER flag.

This PR fixes this issue.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@thiagokokada
Contributor Author

CC @roberth.

@thiagokokada
Contributor Author

thiagokokada commented Oct 22, 2023

Before this PR:

$ sudo nixos-rebuild switch --install-bootloader
building the system configuration...
activating the configuration...
setting up /etc...
reloading user units for thiagoko...
setting up tmpfiles
reloading the following units: dbus-broker.service
restarting the following units: polkit.service
the following new units were started: libvirtd.service

After

$ sudo nixos-rebuild switch --install-bootloader
Copied "/nix/store/1zmmnm0r0bdga398rl7fc7s4hkyqxjk4-systemd-254.3/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/systemd/systemd-bootx64.efi".
Copied "/nix/store/1zmmnm0r0bdga398rl7fc7s4hkyqxjk4-systemd-254.3/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/BOOT/BOOTX64.EFI".
⚠️ Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! ⚠️
⚠️ Random seed file '/boot/loader/random-seed' is world accessible, which is a security hole! ⚠️
Random seed file /boot/loader/random-seed successfully refreshed (32 bytes).
Created EFI boot entry "Linux Boot Manager".
activating the configuration...
setting up /etc...
reloading user units for thiagoko...
setting up tmpfiles
reloading the following units: dbus-broker.service
restarting the following units: polkit.service
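
The failure mode this PR fixes, as an added example that is not nixos-rebuild's own code: a launcher that starts its child in a clean environment silently drops `NIXOS_INSTALL_BOOTLOADER` unless the variable is forwarded by name. `env -i` stands in for systemd-run so the sketch runs without systemd; `run_scrubbed`, `switch`, `activation_script` and the value `1` are assumptions made for the illustration.

```shell
#!/bin/sh
# Hypothetical stand-in for the activation step: it reinstalls the bootloader
# only when NIXOS_INSTALL_BOOTLOADER=1 actually reaches its environment.
activation_script='
if [ "${NIXOS_INSTALL_BOOTLOADER:-}" = 1 ]; then
    echo "installing bootloader"
fi
echo "activating the configuration..."
'

# run_scrubbed "NAME1 NAME2" cmd [args...]
# Runs cmd in an empty environment (env -i), forwarding only the listed
# variables, and only those that are set in the caller.
run_scrubbed() {
    names=$1; shift
    for name in $names; do
        # Reject anything that is not a plain variable name before using eval.
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "bad variable name: $name" >&2; return 2 ;;
        esac
        if eval "[ -n \"\${$name+x}\" ]"; then
            # Prepend NAME=value so env sees it before the command.
            eval "set -- \"\$name=\${$name}\" \"\$@\""
        fi
    done
    env -i PATH="$PATH" "$@"
}

# switch "<names to forward>": the caller has the flag set (assumed value 1),
# then hands activation to the scrubbed launcher.
switch() {
    (
        export NIXOS_INSTALL_BOOTLOADER=1
        run_scrubbed "$1" sh -c "$activation_script"
    )
}

echo "--- variable not forwarded:"; switch ""
echo "--- variable forwarded:";     switch NIXOS_INSTALL_BOOTLOADER
```
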

@arianvp
Member

arianvp commented Oct 22, 2023

There should definitely be a nixos test to test this regression and we should add it to the tested job to catch such regressions in the future

@thiagokokada
Contributor Author

There should definitely be a nixos test to test this regression and we should add it to the tested job to catch such regressions in the future

I added it. Not sure if I did everything correctly with the tested job, can you double check?

@ofborg ofborg bot requested a review from Profpatsch October 22, 2023 22:10
Member

@roberth roberth left a comment

Answering your question, and maybe the question of whoever needs this test later and expects the bootloader to be tested.

I don't want to block this, so if you apply the suggestions, that's good enough. Though ideally we make the test a bit more complete.

nixos/tests/nixos-rebuild-install-bootloader.nix
@thiagokokada
Contributor Author

thiagokokada commented Oct 23, 2023

Hope the tests still work in OfBorg, because I can't run them locally anymore for some reason (it is trying to build attr and acl and it is failing to download them from the mirrors).

I tried to add libarchive (the dependency that is calling them) to the system.extraDependencies and even then it fails to work.

@roberth
Member

roberth commented Oct 23, 2023

@ofborg test nixos-rebuild-install-bootloader

@roberth roberth merged commit 4bf1366 into NixOS:master Oct 23, 2023
25 of 27 checks passed
@thiagokokada thiagokokada deleted the fix-install-bootloader branch October 23, 2023 13:26
@mweinelt
Member

I think this change broke the tested set evaluation.

{UNKNOWN}: aggregate job ‘tested’ failed with the error: nixos.tests.nixos-rebuild-specialisations.x86_64-linux: does not exist at /nix/store/2cdksj9bxidws5ykb9v4pf8bghf5855j-hydra-perl-deps/lib/perl5/site_perl/5.36.0/Catalyst/Model/DBIC/Schema.pm line 526

@@ -569,7 +569,8 @@ in {
nix-serve-ssh = handleTest ./nix-serve-ssh.nix {};
nixops = handleTest ./nixops/default.nix {};
nixos-generate-config = handleTest ./nixos-generate-config.nix {};
nixos-rebuild-specialisations = handleTest ./nixos-rebuild-specialisations.nix {};
nixos-rebuild-install-bootloader = handleTestOn ["x86_64-linux"] ./nixos-rebuild-install-bootloader.nix {};
nixos-rebuild-specialisations = handleTest ["x86_64-linux"] ./nixos-rebuild-specialisations.nix {};
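Review bot: the last line of this hunk passes the system list ["x86_64-linux"] as the first argument to handleTest, while the nixos-rebuild-install-bootloader line directly above passes the same list to handleTestOn. The previous nixos-rebuild-specialisations definition gave handleTest the test path as its first argument, so the list form needs handleTestOn here too: nixos-rebuild-specialisations = handleTestOn ["x86_64-linux"] ./nixos-rebuild-specialisations.nix {};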
Member

This should have been handleTestOn.

@vcunat
Member

vcunat commented Oct 24, 2023

The test can't build on Hydra. It exceeds the 3 GiB output limit. https://hydra.nixos.org/build/239312800

You know... perhaps it would be better to first let tests build for some time before making them channel blockers?

vcunat added a commit that referenced this pull request Oct 24, 2023
... at least until it's fixed.  /cc PR #262724 again.
@vcunat
Member

vcunat commented Oct 24, 2023

Also, don't add channel blockers without maintainers:

$ nix eval -f. nixosTests.nixos-rebuild-specialisations.meta.maintainers
[ ]

@vcunat
Member

vcunat commented Oct 24, 2023

system.includeBuildDependencies = true; is the culprit of the huge image, apparently.

@trofi
Contributor

trofi commented Oct 24, 2023

Looks like the real culprit is missing dependencies to rebuild initrd from within a VM (if we flip back to system.includeBuildDependencies = false;):

$ nix build --no-link -f. nixosTests.nixos-rebuild-install-bootloader -L
vm-test-run-nixos-rebuild-install-bootloader> machine # building '/nix/store/48kwl0adwbwlzw7x261v7w846pq48m3v-users-groups.json.drv'...
vm-test-run-nixos-rebuild-install-bootloader> machine # Checking that Nix store paths of all wrapped programs exist... OK
vm-test-run-nixos-rebuild-install-bootloader> machine # building '/nix/store/x30m3rvz7j39imcm6i25mf444kiavlbp-acl-2.3.1.tar.gz.drv'...
vm-test-run-nixos-rebuild-install-bootloader> machine # building '/nix/store/hbd9bkhy0x7qfnl8p85793hh45yzdzsy-attr-2.5.1.tar.gz.drv'...
vm-test-run-nixos-rebuild-install-bootloader> machine # warning: error: unable to download 'https://mirror.easyname.at/nongnu/acl/acl-2.3.1.tar.gz': Couldn't resolve host name (6); retrying in 311 ms
vm-test-run-nixos-rebuild-install-bootloader> machine # warning: error: unable to download 'https://mirror.easyname.at/nongnu/attr/attr-2.5.1.tar.gz': Couldn't resolve host name (6); retrying in 301 ms
vm-test-run-nixos-rebuild-install-bootloader> machine # warning: error: unable to download 'https://mirror.easyname.at/nongnu/acl/acl-2.3.1.tar.gz': Couldn't resolve host name (6); retrying in 550 ms
vm-test-run-nixos-rebuild-install-bootloader> machine # warning: error: unable to download 'https://mirror.easyname.at/nongnu/attr/attr-2.5.1.tar.gz': Couldn't resolve host name (6); retrying in 540 ms
vm-test-run-nixos-rebuild-install-bootloader> machine # warning: error: unable to download 'https://mirror.easyname.at/nongnu/acl/acl-2.3.1.tar.gz': Couldn't resolve host name (6); retrying in 1250 ms
vm-test-run-nixos-rebuild-install-bootloader> machine # warning: error: unable to download 'https://mirror.easyname.at/nongnu/attr/attr-2.5.1.tar.gz': Couldn't resolve host name (6); retrying in 1090 ms
vm-test-run-nixos-rebuild-install-bootloader> machine # warning: error: unable to download 'https://mirror.easyname.at/nongnu/acl/acl-2.3.1.tar.gz': Couldn't resolve host name (6); retrying in 2201 ms
vm-test-run-nixos-rebuild-install-bootloader> machine # warning: error: unable to download 'https://mirror.easyname.at/nongnu/attr/attr-2.5.1.tar.gz': Couldn't resolve host name (6); retrying in 2341 ms
vm-test-run-nixos-rebuild-install-bootloader> machine # error:
vm-test-run-nixos-rebuild-install-bootloader> machine #        … writing file '/nix/store/y3yiminrckvhf35fh9q42vjwi0npznji-acl-2.3.1.tar.gz'
vm-test-run-nixos-rebuild-install-bootloader> machine #
vm-test-run-nixos-rebuild-install-bootloader> machine #        error: unable to download 'https://mirror.easyname.at/nongnu/acl/acl-2.3.1.tar.gz': Couldn't resolve host name (6)
vm-test-run-nixos-rebuild-install-bootloader> machine # error: builder for '/nix/store/x30m3rvz7j39imcm6i25mf444kiavlbp-acl-2.3.1.tar.gz.drv' failed with exit code 1
vm-test-run-nixos-rebuild-install-bootloader> machine # error: 1 dependencies of derivation '/nix/store/61ldkx9h66hvmfyksplgks3080dp2m3g-acl-2.3.1.drv' failed to build
vm-test-run-nixos-rebuild-install-bootloader> machine # building '/nix/store/c99ihlhb2lh875spzsl6rnc4058grxvn-autoconf-2.71.tar.xz.drv'...
vm-test-run-nixos-rebuild-install-bootloader> machine # error: 1 dependencies of derivation '/nix/store/ywar7rckmkvkdn7yiw52kh31k4vnyv8p-libarchive-3.7.2.drv' failed to build
vm-test-run-nixos-rebuild-install-bootloader> machine # error: 1 dependencies of derivation '/nix/store/rjk5kgwkr7d51s41kcbvz5q0rpq5vrq0-cmake-3.26.4.drv' failed to build
vm-test-run-nixos-rebuild-install-bootloader> machine # error: 1 dependencies of derivation '/nix/store/myqqk3a5av187qavd79ba61qcl06113r-initrd-linux-6.1.59.drv' failed to build
vm-test-run-nixos-rebuild-install-bootloader> machine # error: 1 dependencies of derivation '/nix/store/nly2ma5j7dksc2c6nb9zccgdwy6a898k-nixos-system-nixos-23.11pre-git.drv' failed to build

Perhaps it's worth adding systemdMinimal (and friends) to installation-device? (Or base?)

@thiagokokada
Contributor Author

Looks like the real culprit is missing dependencies to rebuild initrd from within a VM (if we flip back to system.includeBuildDependencies = false;):

Perhaps it's worth adding systemdMinimal (and friends) to installation-device? (Or base?)

If this is true nixos-rebuild-specialisations test (also added to the channel blocker in this PR) will also break the Hydra: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nixos-rebuild-specialisations.nix#L17

CC @vcunat since you already removed nixos-rebuild-install-bootloader.

@vcunat
Member

vcunat commented Oct 24, 2023

Hydra says it's OK: https://hydra.nixos.org/job/nixos/trunk-combined/nixos.tests.nixos-rebuild-specialisations.x86_64-linux

@trofi
Contributor

trofi commented Oct 24, 2023

Hydra says it's OK: https://hydra.nixos.org/job/nixos/trunk-combined/nixos.tests.nixos-rebuild-specialisations.x86_64-linux

Interestingly this one does not have nixos-disk-image in its build dependencies: https://hydra.nixos.org/build/239318925#tabs-build-deps

While install-bootloader does: https://hydra.nixos.org/build/239312800#tabs-build-deps

@roberth
Member

roberth commented Oct 24, 2023

Most tests don't use a boot loader but boot into the kernel directly. I think it would have to enable virtualisation.useBootLoader to get a nixos-disk-image.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-install-with-custom-flake-results-in-boot-being-world-accessible/34555/17
