Packaging request: chrome remote desktop

[balsoft]

Issue description

There is no google remote desktop host package in nixpkgs. It seems like it would be possible to add it: AUR. I could try although I have very little experience with writing nix package expressions.

[jtojnar]

Would adding the following to your configuration work?

programs.chromium = {
    enable = true;
    extensions = [ "gbchcmhmhahfdphkhkmpfmihenigjmpp" ];
};

See chromium module.

[balsoft]

@jtojnar , thanks for the reply. The chromium extension installs fine, but it requires host app installed. I've already tried to package that, but it doesn't work. Failed attempt When I try to setup chromium extension, it tells me to "download and install the chrome remote desktop host" (or close to that; I'm trying to translate from russian to english), and doesn't allow me to continue. By the way, this is only my second attempt on writing nix expressions, so if it is terrible please correct me.

[jtojnar]

Right. This one be a pickle to package – the package relies on quite a few imperative changes.

I can see several issues with that expression:

1. The src URL ins not version specific, it will break in the future. Maybe the source code could be used https://chromium.googlesource.com/chromium/chromium/+/trunk/remoting
2. The fetchgit is missing rev and sha256 attributes.
3. The crd file will not work with declarative users, you will need a NixOS module.
4. Also the policy files will not be picked up, see this module, for example.
5. $out/usr/ should be just $out/.
6. patchShebangs should not be necessary, it is run automatically in fixupOutputHooks.
7. Finally, patchelf can only work on one file at a time. You need to loop over the files to fix the issue you are having.

[balsoft]

Thanks for helping. 1) I believe that would actually require fetching all of chromium sources (around 2.1 GB) 2) Ok, will fix 3) 4) How exactly do I edit my nixos modules? Is it safe? Can I roll back if something goes wrong? 5) There's only docs in $out/usr, should I just move the share folder to the $out? 6) Ok, I was just messing around with it, will fix 7) Thanks, will do

• [ ] Fix src url issue
• [x] Fix fetchgit
• [x] Create a module
• [x] Move docs somewhere
• [x] Fix patchelf

I updated the gist

[jtojnar]

4. You add a file somewhere in nixos/modules and then add the path to module-list.nix. Modules are just a way to extend your configuration – you could just as well paste their contents to your configuration.nix and then rebuild, so it can be rolled back just like any other configuration change. If you want to just try without rebuilding your system, you can save the configuration to a file and then run nixos-rebuild build-vm -I nixpkgs=path-to-your-nixpkgs -I nixos-config=test-crd.nix.

For example, I use something like the following for testing NixOS modules:

{ pkgs, ... }:
{
  environment.systemPackages = with pkgs; [
    gdb
    binutils # readelf
    rr
    file
    htop
    less
    dbus
    dfeet
    # Packages I want to test
    firefox
  ];

  nixpkgs.config.firefox.enableGnomeExtensions = true;
  services.gnome3.chrome-gnome-shell.enable = true;

  services.openssh.enable = true;

  services.xserver = {
    enable = true;
    layout = "cz";
    xkbVariant = "qwerty";

    desktopManager.gnome3 = {
      enable = true;
    };
};

  hardware.opengl.enable = true;

  users.extraUsers.u = {
    isNormalUser = true;
    uid = 1000;
    extraGroups = [ "wheel" "networkmanager" ];
    password = "";
    openssh.authorizedKeys.keys = ["mysshkey"];
  };

  systemd.coredump.enable = true;
  virtualisation.memorySize = 1024;
}

5. I also see $out/usr/lib, which should definitely be $out/lib.

[balsoft]

5) Ok, just removed systemd service - no point of it being there, it should probably go in the module.

[balsoft]

Well, I believe that there is a problem: user-session wants to have suid, and nix-build user isn't allowed to set that. What do I do?

[sifmelcara]

@balsoft maybe see NixOS option: security.wrappers ?

[balsoft]

@sifmelcara Thanks.

[balsoft]

Ok, I found a hacky way to write stuff to homedirs.

                system.activationScripts.crd-setup = {
                    text = ''
                        if [[ -z $(cat ${cfg.user.home}/.chrome-remote-desktop-session) ]]; then
                            # Create the file
                            echo "export $(dbus-launch)" > ${cfg.user.home}/.chrome-remote-desktop-session
                            echo "${cfg.session}" >> ${cfg.user.home}/.chrome-remote-desktop-session
                        fi
                        if [[ -z $(cat ${cfg.user.home}/.config/chrome-remote-desktop/Size) ]]; then
                            echo "${cfg.screenSize}" > ${cfg.user.home}/.config/chrome-remote-desktop/Size
                        fi
                    '';
                };

Is this ok?

[jtojnar]

The size seems to be only used as the nixos module so you probably do not need to store it to a file. As for the rest, I do not seem a better way with a program like this one.

[balsoft]

@jtojnar wait, as I see it the cfg.size is the option the user would set with services.chrome-remote-desktop.size and it is the screen resolution of remote desktop (check out the script from aur for details). Does this conflict with some internal part of nix? I'll change it to screenSize then.

[jtojnar]

Yes, but it only seems to be used by the script itself (e.g. chrome-remote-desktop --size="$crd_size") so you can use cfg.size right in your service definition.

[balsoft]

Oh, ok. I didn't notice that. Thanks

[balsoft]

Created a module. Updated gist

[balsoft]

It doesn't seem to build though.

$ nixos-rebuild build-vm -I nixpkgs=./nixpkgs -I nixos-config=./test.nix 
building Nix...
building the system configuration...
error: value is a function while a set was expected, at /home/balsoft/Документы/nixpkgs/lib/modules.nix:450:12
(use ‘--show-trace’ to show detailed location information)

test.nix:

{ pkgs, ... }:
{
  environment.systemPackages = with pkgs; [
    binutils
  ];
  services.xserver = {
    enable = true;
    desktopManager.xfce = {
      enable = true;
    };
  };
  users.extraUsers.u = {
    isNormalUser = true;
    uid = 1000;
    extraGroups = [ "wheel" "networkmanager" ];
    password = "";
  };
}

[balsoft]

Created a fork. Still doesn't build, but with new errors.

[balsoft]

Ok, --show-trace helped to pin down the errors.

[balsoft]

This is now what I'm stuck at. The python script chrome-remote-desktop tries to launch user-session from its own script dir:

USER_SESSION_PATH = os.path.join(SCRIPT_DIR, "user-session")

Of course there is no good functional way to overwrite the file with suid. How to solve the problem? One solution I see is to write the location of a wrapped user-session to /etc/chrome-remote-desktop-user-session and then substituteInPlace.

[balsoft]

I think that we should move the conversation to the fork? BTW, I've solved the issues @jtojnar have pointed out.

[klassm]

@balsoft Anything new to this issue? I'd also like to have chrome-remote-desktop installed :-)

[balsoft]

@klassm Currently, I don't know how to solve the problem of needing SUID file in nix store, which is not allowed. If somebody would help me, that would be great as I don't know Nix ecosystem to this extent.

[jtojnar]

@balsoft In a NixOS module, you can use security.wrappers and then refer to /run/wrappers/bin/crd in the package.

[balsoft]

Thanks @jtojnar . Can you please elaborate on that? Using security.wrappers still doesn't allow arbitrary file in a derivation to have SUID bit on. What's the proper way to solve this?

[jtojnar]

Sorry, did not finish the comment. The module cannot update Nix store since it is immutable and it probably would not be very safe. Instead the SUID file is placed to /run/wrappers/bin so you need to use this path in the derivation instead of $out/bin.

[balsoft]

@jtojnar Thanks a lot! I'll try to do that.

[balsoft]

Currently I'm working on it, but right now I can't test it as I run Wayland on my laptop (and it doesn' seem to support it), and I don't have enough RAM to test it in VM w\ Xorg.

On Sun, 15 Apr 2018 at 12:38 Jan Tojnar notifications@github.com wrote:

Sorry, did not finish the comment. The module cannot update Nix store since it is immutable and it probably would not be very safe. Instead the SUID file is placed to /run/wrappers/bin so you need to use this path in the derivation instead of $out/bin.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/NixOS/nixpkgs/issues/34084#issuecomment-381393138, or mute the thread https://github.com/notifications/unsubscribe-auth/ARnLUzNOdMAH4DXFmQ97OkOV6T-n-t0Pks5toxUxgaJpZM4RlgyW .

-- С уважением, ученик МБОУ "Гимназия №2 "Квантор" Бантьев Александр balsoft@yandex.ru balsoft75@gmail.com

Best regards, Alexander Bantyev aka balsoft balsoft@yandex.ru balsoft75@gmail.com

[klassm]

Well how can I test it? :-)

[mlen]

@balsoft hey, is this code available anywhere?

[mexisme]

@balsoft hey, is this code available anywhere?

I think it's here, @mlen?

• https://gist.github.com/balsoft/997fae0c1b454353ca46d4a16a68ef41

[stale[bot]]

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.

[maxdeviant]

I found myself in want of this package today.

I may take a stab at trying to get this to work, we'll see.

[cgallay]

@maxdeviant, @balsoft any news on the issue? I would also be interested at ruining chrome-remote-desktop on NixOS.

[maxdeviant]

@cgallay I never did get around to working on this, sorry 😕

[mlen]

I got it working, but it is very bespoke (involves running sed over a binary). I'll try to clean it up and post in a gist.

Another pain point is that the hash of the latest .deb changes from time to time and requires updates.

[mlen]

Here's the gist https://gist.github.com/mlen/b82b8f53d4084686d0f004664a095edb.

I'm using a custom package overlay, where I pull the default.nix file in. After everything is configured you still need to run chrome-remote-desktop --start. I think I used the headless setup to get it running.

[stale[bot]]

I marked this as stale due to inactivity. → More info

[sepiabrown]

@mlen I'm almost done. From your gist, on default.nix I added mesa,libdrm,libxkbcommon,waylad packages to the libPath under preFixup and now the button on the chromium allows me to set pin numbers. However, when i press confirm after putting in my pin numbers, an error occurs.

[0107/070729.942682:ERROR:daemon_controller_delegate_linux.cc(98)] Failed to enable unit: Unit file chrome-remote-desktop@sepiabrown.service does not exist. [0107/070729.942888:ERROR:daemon_controller_delegate_linux.cc(204)] Failed to start host. How did you fix the problem?

[jtojnar]

@sepiabrown Maybe the NixOS module also needs systemd.packages = [ pkgs.chrome-remote-desktop ];

[sepiabrown]

@jtojnar Wow it somehow made an effect. The error message changed to

[0107/111426.778860:ERROR:daemon_controller_delegate_linux.cc(98)] Failed to enable unit: File /etc/systemd/system/multi-user.target.wants/chrome-remote-desktop@sepiabrown.service: Read-only file system [0107/111426.778976:ERROR:daemon_controller_delegate_linux.cc(204)] Failed to start host.

So I had added the code below in my NixOS module(configuration.nix). I copied the basic form from ${pkgs.chrome-remote-desktop}/lib/systemd/system/chrome-remote-desktop@.service

systemd.services.chrome-remote-desktop = {
      enable = true;
      unitConfig = {
        Description = "Chrome Remote Desktop instance for ${cfg.user}";
        After = [ "network.target" ];
      };
      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Environment = "XDG_SESSION_CLASS=user XDG_SESSION_TYPE=x11";
        # Environment = { 
        #   XDG_SESSION_CLASS = "user";
        #   XDG_SESSION_TYPE = "x11";
        # };
        PAMName = "chrome-remote-desktop";
        TTYPath = "/dev/chrome-remote-desktop";
        ExecStart = "${pkgs.chrome-remote-desktop}/opt/google/chrome-remote-desktop/chrome-remote-desktop --start --new-session";
        ExecReload = "${pkgs.chrome-remote-desktop}/opt/google/chrome-remote-desktop/chrome-remote-desktop --reload";
        ExecStop = "${pkgs.chrome-remote-desktop}/opt/google/chrome-remote-desktop/chrome-remote-desktop --stop";
        # Log output to the journal
        StandardOutput = "journal";
        # Use same fd as stdout
        StandardError = "inherit";
        # Must be kept in sync with RELAUNCH_EXIT_CODE in linux_me2me_host.py
        RestartForceExitStatus = "41";
      };
      wantedBy = [ "multi-user.target" ];
};

But the error message doesn't change.

It feels like I'm just a step away!

P.S. How did you diagnosed my error such that it may be related to systemd? If you searched, what was the keyword? Or is it from your abundunt experience related to the nix packaging errors?

[jtojnar]

How did you diagnosed my error such that it may be related to systemd? If you searched, what was the keyword? Or is it from your abundunt experience related to the nix packing errors?

I got it from “Unit file chrome-remote-desktop@sepiabrown.service does not exist”.

Unit file is systemd terminology for services and other similar objects. The @ in the name means it is a template instance. The reason services typically do not exist are because systemd is not aware of a package and systemd.packages option is a method to link package’s units into systemd directory tree.

The error message changed to

[0107/111426.778860:ERROR:daemon_controller_delegate_linux.cc(98)] Failed to enable unit: File /etc/systemd/system/multi-user.target.wants/chrome-remote-desktop@sepiabrown.service: Read-only file system [0107/111426.778976:ERROR:daemon_controller_delegate_linux.cc(204)] Failed to start host.

I guess that means the program is trying to run systemctl enable chrome-remote-desktop@sepiabrown.service or something like that, which will obviously fail. You can see the full imperative process in https://ibug.io/blog/2019/07/systemd-service-template/ but I am not completely sure how to translate it to declarative config. Maybe something like https://github.com/NixOS/nixpkgs/issues/80933#issuecomment-821226075.

I assume the program or systemd will not try to enable (and thus try to create the symlink) for already enabled service. But if it does, we would need to patch the program.

[sepiabrown]

I've finally succeeded in making chrome-remote-desktop work. Here is the gist. https://gist.github.com/sepiabrown/0dbca7da5610055991ad04bbeb461fed

Help from @jtojnar was crucial. I really appreciate your help! i cannot thank you enough :)

I have a few question though.

1. In default.nix, I have added the following 6 lines in patchPhase which allow me to access into the existing local X-session.

   substituteInPlace $out/$replacePrefix/chrome-remote-desktop --replace "FIRST_X_DISPLAY_NUMBER = 20" "FIRST_X_DISPLAY_NUMBER = 0"
   substituteInPlace $out/$replacePrefix/chrome-remote-desktop --replace "while os.path.exists(X_LOCK_FILE_TEMPLATE % display):" "# while os.path.exists(X_LOCK_FILE_TEMPLATE % display):"
   substituteInPlace $out/$replacePrefix/chrome-remote-desktop --replace "display += 1" "# display += 1"
   substituteInPlace $out/$replacePrefix/chrome-remote-desktop --replace "self._launch_x_server(x_args)" "display = self.get_unused_display_number()"
   substituteInPlace $out/$replacePrefix/chrome-remote-desktop --replace "if not self._launch_pre_session():" "self.child_env[\"DISPLAY\"] = \":%d\" % display"
   substituteInPlace $out/$replacePrefix/chrome-remote-desktop --replace "self.launch_x_session()" "# self.launch_x_session()"

   So when I remotely access my laptop through iPad, what I see and control in iPad is identical to labtop and vice-versa.

Without the above 6 lines, if I remotely access my laptop through iPad, I can't see any applications already opened in laptop. Controlling the new session through iPad has no effect on laptop.

Obviously, the original version of the program should be respected. So when going through patchPhase, it should be possible to switch between the version with and without the above 6 lines. I have tried declaring new boolean option newSession in chrome-remote-desktop.nix and use lib.optionalString (!config.services.xserver.chrome-remote-desktop.newSession) but it failed. What is the standard way to implement this?

2. Based on my gist, Is it enough to add the package to Nixpkgs or do I need to improve the code?

3. If it is enough, then where would you recommend to put them? For default.nix, maybe https://github.com/NixOS/nixpkgs/tree/nixos-unstable/pkgs/applications/networking/browsers/chromium here? For chrome-remote-desktop.nix, maybe https://github.com/NixOS/nixpkgs/tree/master/nixos/modules/programs here? I've never added any package so I don't want to ruin the consistency of where the packages and module goes.

[jtojnar]

Obviously, the original version of the program should be respected. So I want to be able to switch between the version with and without the above 6 lines. I have tried declaring new boolean option newSession in chrome-remote-desktop.nix and use lib.optionalString (!config.services.xserver.chrome-remote-desktop.newSession) but it failed. What is the standard way to implement this?

You would have default.nix accept enableNewSession ? false argument and then have the NixOS module use pkgs.chrome-romete-desktop.override { enableNewSession = cfg.newSession; }.

2. Based on my gist, Is it enough to add the package to Nixpkgs or do I need to improve the code?

I still see many issues with the code but those are best hashed out in PR review.

3. If it is enough, then where would you recommend to put them?

I would use pkgs/applications/networking/remote for the package and maybe nixos/modules/services/networking for the module. But nixos/modules/programs would probably also work. Categorization is hard.

[sepiabrown]

Thank you for your detailed answer!

I have two additional questions.

1. Without those 6 lines (substituteInPlace ~~), you need to configure ~/.chrome-remote-desktop-session to make it work. Configuring ~/.chrome-remote-desktop-session was already done by @mlen here https://gist.github.com/mlen/b82b8f53d4084686d0f004664a095edb#file-chrome-remote-desktop-session. But the code depends heavily on awk which made the code not applicable to plasma setting. Both lightdm and sddm have the necessary code parts for ~/.chrome-remote-desktop-session in nixos/modules/services/x11/display-managers/default.nix at Exec=${script} which is elaborated in xsession = dm: wm: pkgs.writeScript "xsession" '' Is there any method to refer to the xsession script file generated in the /nix/store? The best way that I can think of is by finding (builtins.elemAt nixosConfigurations.MyFlakeName.config.services.xserver.displayManager.sessionPackages 0).outPath in nix repl and from there, you cd into the path and vim share/xsessions/plasma5.desktop and find Exec = part.. which is not an easy solution.

2. This question is not directly related to the issue. In the code apply = val: { in nixos/modules/services/x11/display-managers/default.nix, why are variables wrapper, desktops, sessionNames, autologinSession under apply? Since val is used nowhere, I don't understand why apply should be used. There seems to be lack of documentation for apply. Can you explain or direct me to the documentation on how apply works and the reason why apply is used here?

[jtojnar]

2. In the code apply = val: { in nixos/modules/services/x11/display-managers/default.nix, why are variables wrapper, desktops, sessionNames, autologinSession under apply? Since val is used nowhere, I don't understand why apply should be used. There seems to be lack of documentation for apply. Can you explain or direct me to the documentation on how apply works and the reason why apply is used here?

apply is simply a method to transform the merged value of an option definitions:

https://github.com/NixOS/nixpkgs/blob/acbc33e84f7ceddccd689b89a85829fa29034b79/lib/modules.nix#L602-L604

Since val is ignored, it will always return the same value, no matter what we pass the option. It is basically a hack for storing data in the module system like you would with a let binding.

[sepiabrown]

@jtojnar Hi! I have few more questions!

1. chrome-remote-desktop requires the system to have ~/.config/chrome-remote-desktop. In what phase should the mkdir -p ~/.config/chrome-remote-desktop command be put in default.nix?

2. Is it ok to put mkdir -p ~/.config/chrome-remote-desktop in default.nix? I have a feeling that it is wrong because it is interacting with my home directory. Any suggestion or standard way to proceed?

3. The code works well with nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05" and nixos-21.11 in my flake.nix but not with nixos-unstable. With nixos-unstable, symptoms are as follows. The chrome-remote-desktop service runs well on my laptop since the setting of device name and password works well as the below picture. Even other devices (iPad, Android phone) recognize that the service in the laptop is running. When I change the name of the laptop ( sepiabrown-nnix in the picture), other devices recognize the change of the name. But the problem is when I enter the correct pin when accessing with other devices, access fails with the error that "The access code is invalid. Please try again.". In this situation, how do I debug? Do I have to make overlays with different releases (nixos-21.11 and nixos-unstable) of preFixup packages and test each packages? For example, try a overlay with glib of release nixos-unstable where other packages are fixed to nixos-21.11. If it works, then go onto the next package pam of release nixos-unstable where other packages are fixed to nixos-21.11 , so on and so forth. (BTW, I have changed gnome3.gtk gnome3.dconf to gtk3 and dconf according to your commit. nixos-21.05, nixos-21.11 worked but nixos-unstable didn't work)

Thank you for your kind help in advance!

[jtojnar]

1. chrome-remote-desktop requires the system to have ~/.config/chrome-remote-desktop. In what phase should the mkdir -p ~/.config/chrome-remote-desktop command be put in default.nix?
2. Is it ok to put mkdir -p ~/.config/chrome-remote-desktop in default.nix? I have a feeling that it is wrong because it is interacting with my home directory. Any suggestion or standard way to proceed?

Applications are typically responsible for creating their user configuration directories. Nix builds are run in sandbox so they cannot really write to user’s directory. It would be completely against the goals of Nix since it would no longer be reproducible.

3. The code works well with nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05" and nixos-21.11 in my flake.nix but not with nixos-unstable. With nixos-unstable, symptoms are as follows. The chrome-remote-desktop service runs well on my laptop since the setting of device name and password works well as the below picture.

You would typically start by trying to enable the application’s debugging facilities.

I would not really recommend mixing libraries from different versions of Nixpkgs. While it may work in most cases, there can be subtle rough edges (e.g. caused by desktop platform libraries using dynamically loaded modules with different ABI), which are not worth the hassle when you can trivially avoid them by using the same versions of libraries as on your system.

[sepiabrown]

1. chrome-remote-desktop requires the system to have ~/.config/chrome-remote-desktop. In what phase should the mkdir -p ~/.config/chrome-remote-desktop command be put in default.nix?
2. Is it ok to put mkdir -p ~/.config/chrome-remote-desktop in default.nix? I have a feeling that it is wrong because it is interacting with my home directory. Any suggestion or standard way to proceed?

Fixed by disabling program from checking ~/.config/chrome-remote-desktop. Not neccessary for the programe to work.

3. The code works well with nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05" and nixos-21.11 in my flake.nix but not with nixos-unstable.

It was due to recent change in linux-pam (#153104). Many other applications were affected by the change. I've checked that chrome-remote-desktop works normally with the fix #156974.

[shajra]

@sepiabrown it seems like you were driving most of this work a year and a half ago. Curious, have you been using chrome-remote-desktop on NixOS since then? Curious how much work you think might be remaining.

I've gotten xrdp working pretty well. But I think chrome-remote-desktop might be the better experience by a little. For instance, I couldn't get MacOS/Linux clipboard redirection working with xrdp. But that seemed to work well with chrome-remote-desktop when I tried it against an Ubuntu machine.

I might be in over my head, but I thought I'd ask how I might help.

[sepiabrown]

Curious, have you been using chrome-remote-desktop on NixOS since then?

I was using it 6 months ago at my graduate school lab machine. But after graduation, I had no time to package chrome-remote-desktop because I was adapting to my first job.

Curious how much work you think might be remaining.

The remaining problem is that https://dl.google.com/linux/direct/chrome-remote-desktop_current_amd64.deb is a moving target which means 1) its sha256 changes often and 2) one needs a bit of knowledge to fix the nix code to adapt to the changes in the deb file. I heard that there are packages with similar problems but I had no time to invest further.