NixOS / nixops

NixOps is a tool for deploying to NixOS machines in a network or cloud.
https://nixos.org/nixops
GNU Lesser General Public License v3.0

permissions problems #931

Open teto opened 6 years ago

teto commented 6 years ago

I regularly seem to have ownership problems when using nixops. For instance journalctl -b would show

Cannot execute '/etc/NetworkManager/dispatcher.d/02overridedns': not owned by root.

or when setting zsh as a shell: https://github.com/NixOS/nixpkgs/issues/39189

Output from the nixops VM:

[root@client:~]# ls -lL /etc/NetworkManager/dispatcher.d/
total 12
-r-xr-xr-x 1 nobody nogroup  511 Jan  1  1970 02overridedns
-r-xr-xr-x 1 root   root    1251 Jan  1  1970 03userscript0001
-r-xr-xr-x 1 root   root     288 Jan  1  1970 03userscript0002

I configure the libvirtd service with

    qemuVerbatimConfig = ''
      namespaces = []
      # # Whether libvirt should dynamically change file ownership
      # # dynamic_ownership = 1
      user="teto"
      group="libvirtd"
    '';

sorki commented 6 years ago

Try this fix I've got on IRC (looks like bug during VM store init):

mount -o remount,rw /nix/store
chown -R root:root /nix/store

teto commented 6 years ago

Seems like I missed your answer. It worked great but if anyone has a hint on the root cause, it would be nice to fix. I've started to stack up a few patches on top of nixops to fix various things and would enjoy a better out of the box experience.

NB: this permission problem also prevents the use of sudo which is quite annoying.

leshy commented 6 years ago

seeing this as well on a fresh nixos 18.09 + nixops + libvirt

within (any freshly installed) guests:

sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: /nix/store/kqb1mmkmacysi9whzqjwqlmi3dqr5r5y-sudo-1.8.24/libexec/sudo/sudoers.so must be owned by uid 0
sudo: fatal error, unable to load plugins

pjones commented 5 years ago

I have this in my defaults section as a nasty workaround:

system.activationScripts.nixops-vm-fix-931 = {
  text = ''
    if ls -l /nix/store | grep sudo | grep -q nogroup; then
      mount -o remount,rw  /nix/store
      chown -R root:nixbld /nix/store
    fi
  '';
  deps = [];
};
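
As an added example (not code from this issue or from nixops): a POSIX sh audit that checks every entry of a guest's store tree for a wrong owner, rather than only the sudo entry, and applies the remount-and-chown repair used in the thread when something is off. The function names, the uid/gid parameters and the remount read-only step at the end are assumptions made here; on a real guest the store should be owned by uid 0, which is the default.

```shell
#!/bin/sh
# Added example, not code from the issue or from nixops: audit a Nix store
# tree for entries whose owner is not the expected uid (0 on a real guest),
# and repair it the way the thread does (remount rw, chown -R).
# Function names and the UID/GID parameters are this example's own assumptions.

# Print every entry under DIR not owned by uid UID (default 0).
# find's -user accepts a numeric id, so this also works for a uid that has
# no passwd entry inside the guest (e.g. a leftover build-sandbox uid).
list_not_owned_by() {
    dir=$1
    uid=${2:-0}
    find "$dir" ! -user "$uid" -print
}

# Count the offenders; prints a bare integer so callers can test it.
count_not_owned_by() {
    list_not_owned_by "$1" "${2:-0}" | wc -l | tr -d ' '
}

# Remount DIR read-write, chown everything to UID:GID, remount read-only.
# Requires root. On NixOS /nix/store is a read-only bind mount, which is why
# the remount step is needed (as in the fix posted above). Remounting it
# read-only afterwards is this example's choice, not something the thread does.
fix_store_ownership() {
    dir=$1
    uid=${2:-0}
    gid=${3:-0}
    n=$(count_not_owned_by "$dir" "$uid")
    if [ "$n" -eq 0 ]; then
        echo "ok: nothing under $dir is owned by a uid other than $uid"
        return 0
    fi
    echo "found $n entries under $dir not owned by uid $uid:"
    list_not_owned_by "$dir" "$uid"
    mount -o remount,rw "$dir" || return 1
    chown -R "$uid:$gid" "$dir" || return 1
    mount -o remount,ro "$dir"
}

# Usage on a guest (as root):  fix_store_ownership /nix/store 0 0
# Audit only, no changes:      count_not_owned_by /nix/store 0
```

Running the audit before the first `sudo` on a freshly deployed guest tells you whether the image carried the sandbox's ownership view with it; sudo refuses a plugin not owned by uid 0, so a non-zero count means sudo will fail with exactly the error leshy posted.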

clefru commented 5 years ago

The libvirtd image for nixops gets built within a qemu VM (see nix/libvirtd-image.nix). The problem stems from the fact that qemu runs within the nix-bld environment, which makes /nix/store appear as uid=nobody(65534) gid=100. This gets propagated to the VM image by using "cp -p" to copy from the /nix/store mounted via 9p.

clefru commented 5 years ago

https://github.com/NixOS/nix/pull/2602 fixes this.

clefru commented 5 years ago

Opened a PR to move us to the image builder of <nixpkgs/nixos/lib/make-disk-image.nix> which does not copy the jailed-distorted ownership view of /nix/store to the image. This should fix this issue.

nixos-discourse commented 2 years ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-generators-from-single-user-nix-install-has-ownership-issues/18216/1