NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

system.etc.overlay when combined with environment.etc does not apply users and groups #345518

Open 0xf09f95b4 opened 3 weeks ago

0xf09f95b4 commented 3 weeks ago

Describe the bug

When using system.etc.overlay in combination with environment.etc, file ownership does not seem to be applied to the created files.

For example, when combining:

system.etc.overlay.enable = true;
environment.etc = {
  "testfile" = {
    text = "test";
    mode = "0600";
    user = "messagebus";
    group = "messagebus";
  };
};

The file is created but has incorrect ownership:

-rw------- 1 root root 4 Jan  1  1970 /etc/testfile

The messagebus user was used as an example as it generally exists in most systems.

Steps To Reproduce

Steps to reproduce the behavior:

You can easily reproduce this behavior by extending existing tests.

For example, extend the nixos/tests/activation/etc-overlay-immutable.nix in the following way:

diff --git a/nixos/tests/activation/etc-overlay-immutable.nix b/nixos/tests/activation/etc-overlay-immutable.nix
index 6d56db43f0b2..b83b39ff3c2a 100644
--- a/nixos/tests/activation/etc-overlay-immutable.nix
+++ b/nixos/tests/activation/etc-overlay-immutable.nix
@@ -18,6 +18,12 @@
     environment.etc = {
       "mountpoint/.keep".text = "keep";
       "filemount".text = "keep";
+      "testfile" = {
+        text = "test";
+        mode = "0600";
+        user = "messagebus";
+        group = "messagebus";
+      };
     };

     specialisation.new-generation.configuration = {
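Review bot: the new `testfile` entry depends on a `messagebus` user and group already existing in the test VM, but nothing in this hunk declares them; if the test node does not otherwise create that user, the entry ends up exercising a missing account rather than the overlay's ownership handling. Declare `users.users.messagebus` and `users.groups.messagebus` in the test node (or enable whatever service provides them there) so that a failure can only be attributed to the overlay.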
@@ -32,6 +38,12 @@
     with subtest("direct symlinks point to the target without indirection"):
       assert machine.succeed("readlink -n /etc/localtime") == "/etc/zoneinfo/Utc"

+    with subtest("file in etc exists and belongs to messagebus"):
+      result = machine.succeed("ls -lah /etc/testfile")
+      print(result)
+      assert "messagebus" in result
+
     with subtest("/etc/mtab points to the right file"):
       assert "/proc/mounts" == machine.succeed("readlink --no-newline /etc/mtab")
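Review bot: the assertion `assert "messagebus" in result` in the new subtest is weaker than the property being tested: it passes if the string occurs anywhere in the `ls -lah` line, and it checks neither the group nor the `0600` mode that the configuration sets. Compare an exact, machine-readable query instead, e.g. `assert machine.succeed("stat --printf '%U:%G:%a' /etc/testfile") == "messagebus:messagebus:600"`, which fails with the actual owner, group and mode in the message and makes the `print(result)` line unnecessary.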

This fails with the following message:

(finished: must succeed: ls -lah /etc/testfile, in 0.07 seconds)
-rw------- 1 root root 4 Jan  1  1970 /etc/testfile

Test "file in etc exists and belongs to messagebus" failed with error: ""

Expected behavior


Files created with environment.etc should have correct ownership.

Notify maintainers

@nikstur

nikstur commented 1 week ago

It turns out that composefs doesn't support textual user names and groups at all. It makes sense because the metadata image is assembled statically and doesn't have any knowledge of the UIDs allocated on the system.

So instead, you have to assign UIDs and GIDs.

If this is not possible, you need to dynamically create these files via a systemd service ordered after userborn. You could for example use systemd-tmpfiles to do that.
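The two workarounds described in the comment above, written out as an added NixOS configuration example (it is not code from the issue, from nikstur, or from nixpkgs). It places the failing name-based entry next to a numeric-id entry and a boot-time service. Assumptions, stated in the comments as well: the `messagebus` user is provided by the D-Bus module with `uid = config.ids.uids.messagebus` (4 in nixpkgs' `ids.nix`), the userborn unit is called `userborn.service`, and files created at runtime need `system.etc.overlay.mutable = true` because an immutable overlay has no writable upper layer.

```nix
# Added example, not from the issue or from nixpkgs. Assumptions:
#  - services.dbus defines users.users.messagebus with
#    uid = config.ids.uids.messagebus (nixpkgs ids.nix: 4); the numeric
#    ids below must match what the running system actually allocates;
#  - userborn's unit name is userborn.service;
#  - runtime-created files need a writable upper layer (overlay.mutable).
{ config, pkgs, ... }:
{
  # The etc overlay requires the systemd-based initrd.
  boot.initrd.systemd.enable = true;
  system.etc.overlay.enable = true;
  # Needed only for the runtime-created file; drop it for an immutable /etc.
  system.etc.overlay.mutable = true;
  services.userborn.enable = true;
  services.dbus.enable = true; # provides the messagebus user and group

  environment.etc = {
    # Does NOT work with the overlay: composefs cannot resolve names while
    # the metadata image is built, so this file ends up owned by root:root.
    "testfile-by-name" = {
      text = "test";
      mode = "0600";
      user = "messagebus";
      group = "messagebus";
    };

    # Works: the numeric ids are baked into the composefs metadata. Take
    # them from config.ids so they cannot silently diverge from the account.
    "testfile-by-id" = {
      text = "test";
      mode = "0600";
      uid = config.ids.uids.messagebus;
      gid = config.ids.gids.messagebus;
    };
  };

  # Works where a textual name is required: create the file after userborn
  # has populated /etc/passwd, so chown can resolve the name at that point.
  systemd.services.etc-testfile-runtime = {
    description = "Create /etc/testfile-runtime owned by messagebus";
    wantedBy = [ "multi-user.target" ];
    after = [ "userborn.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    path = [ pkgs.coreutils ];
    script = ''
      umask 077                       # file is born 0600, never world-readable
      printf 'test' > /etc/testfile-runtime
      chown messagebus:messagebus /etc/testfile-runtime
    '';
  };
}
```

After a rebuild, `stat -c '%U:%G:%a' /etc/testfile-by-name /etc/testfile-by-id /etc/testfile-runtime` is the quickest check: only the first line should show `root:root`. If the overlay is kept immutable, remove the service and keep the numeric-id entry, since nothing can write into `/etc` after boot in that mode.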