Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos-rebuild: fix issues when using --target-host #277642

Merged
merged 4 commits into from
Jan 13, 2024
Merged

nixos-rebuild: fix issues when using --target-host #277642

merged 4 commits into from
Jan 13, 2024

Conversation

Enzime
Copy link
Member

@Enzime Enzime commented Dec 30, 2023
edited
Loading

Description of changes

This PR fixes deploying to hosts that require entering a password for sudo using --target-host.

This PR changes --use-remote-sudo to use sudo as little as possible.

This PR also fixes systemd-run hanging when used with --target-host.

Replaces #109046

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

cc @FRidh @zimbatm @oxalica @bjornfor

Add a 馃憤 reaction to pull requests you find important.

@Enzime Enzime force-pushed the fix/nixos-rebuild-remote-sudo branch from 9c84bc8 to 053906e Compare December 30, 2023 05:01
@Enzime Enzime changed the title nixos-rebuild: only use sudo when necessary nixos-rebuild: fix issues when using --target-host Dec 30, 2023
@Enzime
Copy link
Member Author

Enzime commented Dec 30, 2023

cc @thiagokokada @duament @roberth

@Enzime Enzime force-pushed the fix/nixos-rebuild-remote-sudo branch from f70347f to dda66bb Compare December 30, 2023 07:26
roberth
roberth requested changes Dec 30, 2023
View reviewed changes
Copy link
Member

@roberth roberth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, if you don't add a test, it will keep breaking. Please add a test.

pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh Outdated Show resolved Hide resolved
@duament
Copy link
Contributor

duament commented Dec 30, 2023

I tried this pr. But it didn't fix #262686.

My first switch (https://github.com/duament/flakes/actions/runs/7363818666/job/20043632674) succeeded, although there's a warning Pseudo-terminal will not be allocated because stdin is not a terminal. and the output of switch-to-configuration was not printed.

My second switch (https://github.com/duament/flakes/actions/runs/7363898397/job/20043786127) failed, but the exit code was 0 and github treated it as a success. Here's the error message: Failed to start transient service unit: Unit nixos-rebuild-switch-to-configuration.service was already loaded or has a fragment file.

@Enzime Enzime force-pushed the fix/nixos-rebuild-remote-sudo branch 2 times, most recently from 71c4560 to 9206f06 Compare January 3, 2024 11:09
@Enzime Enzime requested a review from roberth January 3, 2024 11:10
@Enzime
Copy link
Member Author

Enzime commented Jan 3, 2024

@duament could you test this PR again? I've changed the flag from -t to -tt which should hopefully fix it

@Enzime Enzime force-pushed the fix/nixos-rebuild-remote-sudo branch from 9206f06 to d9aed94 Compare January 3, 2024 11:25
@Enzime
Copy link
Member Author

Enzime commented Jan 3, 2024

-tt breaks the tests so I'm going to switch back to using -t, my last commit only fixes a systemd-run hang regression that was introduced by adding -t, I don't think it fixes #262686

@ofborg ofborg bot requested a review from Profpatsch January 3, 2024 11:53
roberth
roberth reviewed Jan 4, 2024
View reviewed changes
nixos/tests/nixos-rebuild-target-host.nix Outdated Show resolved Hide resolved
nixos/tests/nixos-rebuild-target-host.nix Outdated Show resolved Hide resolved
nixos/tests/nixos-rebuild-target-host.nix Outdated Show resolved Hide resolved
pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.8 Outdated
@@ -30,6 +30,7 @@
.Op Fl -build-host Va host
.Op Fl -target-host Va host
.Op Fl -use-remote-sudo
.Op Fl -use-remote-sudo-always
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we really need a new behavior (do we?), maybe fix the inconsistency of "remote" vs "target"?
Not sure I like "target" because of cross compilation terminology, but target does become less relevant to users as compilers and their Nix expressions improve. "Remote" isn't great either, because both machines may be equally remote, as demonstrated by the test.
Also if you have an office with NixOS machines and you make the on site server responsible for deploying updates, arguably the deployer is more remote.

So I think I prefer target?

Suggested change
.Op Fl -use-remote-sudo-always
.Op Fl -target-use-sudo

Using target as a prefix reinforces nice grouping, and helps with discovery through shell completions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed the --use-remote-sudo-always flag, opting to just make this PR an improvement on the existing --use-remote-sudo flag

@Enzime Enzime force-pushed the fix/nixos-rebuild-remote-sudo branch from d9aed94 to 9ab6b24 Compare January 5, 2024 05:27
@Enzime Enzime requested a review from roberth January 5, 2024 05:29
@Enzime Enzime force-pushed the fix/nixos-rebuild-remote-sudo branch from 9ab6b24 to ee010f8 Compare January 6, 2024 02:23
@Enzime Enzime requested a review from roberth January 6, 2024 02:24
roberth
roberth approved these changes Jan 6, 2024
View reviewed changes
nixos/tests/nixos-rebuild-target-host.nix Outdated Show resolved Hide resolved
@Enzime Enzime force-pushed the fix/nixos-rebuild-remote-sudo branch from ee010f8 to cd61094 Compare January 6, 2024 16:47
@Enzime Enzime requested a review from roberth January 8, 2024 09:42
@roberth roberth merged commit 221ad6d into NixOS:master Jan 13, 2024
25 checks passed
@Enzime Enzime deleted the fix/nixos-rebuild-remote-sudo branch January 13, 2024 17:53
@hannesg
Copy link

hannesg commented Jan 13, 2024

Hi @Enzime, Hi @roberth

I just tested the change with my nixos server and I observed a regression. When using --build-host and flakes, nixos-rebuild fails with a weird error. I added +x logging to bash and found that pathToConfig ( here ) is set to the tty output of ssh which is in my case:

'warning: you did not specify '\''--add-root'\''; the result might be removed by the garbage collector
'nix/store/ph132c4ihigcfyi86pwlmn4q12qmwyz7-nixos-system-granogayo-24.05.20240113.e0d20bf

All subsequent commands then fail with weird errors. Reverting 09fd207 fixes the issue.

@roberth roberth mentioned this pull request Jan 14, 2024
Merged
16 tasks
@roberth
Copy link
Member

roberth commented Jan 14, 2024
edited
Loading

Found an even worse problem as well, which was already caught by the tests, but not reported well by ofborg. I did check the list, but missed the single grey status this time.

Fixes available in #280842; will merge as soon as tests pass locally.

If any other issues come up, consider reverting both PRs unless trivially fixable.

TODO:

  • Add regression test for --build-host. I suggest extending the target host test for this; seems more efficient that way. Maybe rename it to -remote-hosts? Keep the existing test case in the testScript as is.

roberth added a commit that referenced this pull request Jan 14, 2024
@roberth
Revert "nixos-rebuild: fix entering sudo password over SSH"
99d3e0c 
This reverts commit 09fd207.

It caused a regression when using `--build-host` and flakes.
See #277642 (comment)
roberth added a commit that referenced this pull request Jan 14, 2024
@roberth
Merge pull request #280842 from hercules-ci/regression-277642
48ffcd6 
nixos-rebuild: Fix regression from #277642
@roberth
Copy link
Member

roberth commented Jan 15, 2024

Made a start here. Would appreciate some help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@roberth roberth roberth approved these changes

@Profpatsch Profpatsch Awaiting requested review from Profpatsch

Assignees
No one assigned
Labels
6.topic: nixos 8.has: tests 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@Enzime @duament @hannesg @roberth @delroth