nix-daemon.conf.in: add tmpfiles file to create nix/daemon-socket directory #6285
Conversation
…ectory

nix-daemon.socket is used to socket-activate nix-daemon.service when /nix/var/nix/daemon-socket/socket is accessed.

In container use cases, sometimes /nix/var/nix/daemon-socket is bind-mounted read-only into the container. In these cases, we want to skip starting nix-daemon.socket.

However, since systemd 250, `ConditionPathIsReadWrite` is also not met if /nix/var/nix/daemon-socket doesn't exist at all. This means a regular NixOS system will skip starting nix-daemon.socket:

> [ 237.187747] systemd[1]: Nix Daemon Socket was skipped because of a failed condition check (ConditionPathIsReadWrite=/nix/var/nix/daemon-socket).

To prevent this from happening, ship a tmpfiles file that'll cause the directory to be created if it doesn't exist already. In the case of NixOS, we can just add Nix to `systemd.tmpfiles.packages` and have these files picked up automatically.
@flokli this line of thinking makes sense to me, but I am never up to date on the systemd details, so I don't take my own judgement here very seriously :).

As for the container stuff, I like how this ignores it. It would be good to reach out to the systemd people on this, but I think there ought to be something more explicit about when a service inside the container is to be provided by outside the container. E.g. perhaps the inner one should have a different

What regressed was that the unit file is now getting skipped on the host, because The tmpfiles file here will now make sure a directory is present on the host, and will still properly skip as intended inside the container (and leave the read-only bind mount alone).
@flokli If the container has its own systemd, shouldn't it also have its own unit files (or "active" unit files?)? I would want the inner systemd to do one of:

1. Not know about the `nix-daemon` service at all. The socket just exists, and socket activation will still work.
2. Know it is provided by the external systemd, so in addition to the above, there could be a limited protocol also for the inside being able to request that the outside systemd start the service, recreate the socket, etc.
Yes, we could introduce an option to not install the nix-daemon, and corresponding unit files, and default to using this in non-NixOS, and then possibly drop the "skip if something else provides the socket".
But this is somewhat orthogonal to this PR. With systemd 250, nix-daemon on the host gets skipped (on non-NixOS too), and the tmpfile config introduced here makes sure the folder is present, so the socket unit isn't skipping anymore.
Yeah agreed it is orthogonal. I leave it to @edolstra to review this, but this seems like a good thing to do. I made it so it is possible to disable the nix daemon in NixOS, and that should probably be used instead until systemd has the extra magic.
The Nix-provided `nix-daemon.socket` file has a

> ConditionPathIsReadWrite=/nix/var/nix/daemon-socket/socket

line, to skip that unit if /nix/var/nix/daemon-socket/socket is read-only (which is the case in some nixos-containers with that folder bind-ro-mounted from the host). In these cases, the unit was skipped.

Systemd 250 (rightfully) started to also skip in these cases:

> [ 237.187747] systemd[1]: Nix Daemon Socket was skipped because of a failed condition check (ConditionPathIsReadWrite=/nix/var/nix/daemon-socket).

However, systemd < 250 didn't skip if /nix/var/nix/daemon-socket/socket didn't *exist at all*, and we were relying on this bug in the case for fresh NixOS systems, to have /nix/var/nix/daemon-socket/socket created initially.

Move the creation of that folder to systemd-tmpfiles, by shipping an appropriate file in `${nixPackage}/lib/tmpfiles.d/nix-daemon.conf` (NixOS/nix#6285). In the meantime, set a systemd tmpfiles rule manually in NixOS.

This has been tested to still work with read-only bind-mounted /nix/var/nix/daemon-socket/socket in containers, it'll keep them read-only ;-)

systemd doesn't need any extra magic for this. We just need to have something creating that folder, other than the Shipping a tmpfiles file via
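The condition change discussed above, as an added shell example that is not code from Nix, NixOS or systemd: a minimal model of a tmpfiles.d `d` rule and of how `ConditionPathIsReadWrite` is evaluated before and after systemd 250, run against a temporary root so it needs no privileges. The rule line is an assumed rendering of what the shipped nix-daemon.conf contains; the real file may differ.

```shell
#!/bin/sh
# Added example (not from the Nix repo): models the regression this PR works
# around. All paths are placed under a temporary $base so it runs unprivileged.
set -eu

# Assumed content of the tmpfiles.d file shipped by Nix (not verified here).
TMPFILES_RULE="d /nix/var/nix/daemon-socket 0755 root root - -"

# Apply a single tmpfiles.d 'd' rule under $1, the way systemd-tmpfiles
# create would: make the directory only if missing, leave existing ones alone.
apply_d_rule() {
  base=$1; rule=$2
  set -- $rule
  [ "$1" = d ] || return 2          # only 'd' (directory) rules are modelled
  dir="$base$2"; mode=$3
  [ -d "$dir" ] || mkdir -p -m "$mode" "$dir"
}

# ConditionPathIsReadWrite as systemd >= 250 evaluates it:
# the path must exist and be writable; a missing path fails the condition.
cond_rw_250() { [ -d "$1" ] && [ -w "$1" ]; }

# Pre-250 behaviour the NixOS boot relied on: a missing path did not fail
# the condition, so nix-daemon.socket still started on a fresh system.
cond_rw_legacy() { [ ! -e "$1" ] || [ -w "$1" ]; }

# Evaluate the condition before and after the tmpfiles rule is applied and
# return "start"/"skip" for legacy, 250 before, 250 after (space separated).
demo() {
  base=$(mktemp -d)
  sock_dir="$base/nix/var/nix/daemon-socket"
  before_legacy=$(cond_rw_legacy "$sock_dir" && echo start || echo skip)
  before_250=$(cond_rw_250 "$sock_dir" && echo start || echo skip)
  apply_d_rule "$base" "$TMPFILES_RULE"
  after_250=$(cond_rw_250 "$sock_dir" && echo start || echo skip)
  rm -rf "$base"
  echo "$before_legacy $before_250 $after_250"
}

demo
```

The three words printed show why a fresh system skipped the socket unit only after the systemd 250 upgrade, and why creating the directory via tmpfiles restores the old outcome without touching a read-only bind mount that already exists.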
...into staging
@edolstra can you review this? Something equivalent ended up downstream in nixpkgs, but other distros packaging Nix might run into the same issues if they use our provided

Should

I wasn't aware of that script. I think so, yes. We should install it to

No, I read Its

Shouldn't it run

However, we can duplicate this in I made an attempt, assuming I lack the tooling to test this, review welcome.
…emon.conf, too

While `create_directories()` from install-multi-user.sh seems to already create parts of the directory structure, it's marked as deprecated, and it won't hurt also copying over the tmpfiles config and have it execute once.
If the tempfiles thing is good (which I am still fundamentally not qualified to answer, but I think it is) this seems like the right way to do it.
@edolstra can you make a call here?

Thanks! I assume this should be backported to the What's the process here? Can you do a cherry-pick, or do I open individual PRs?

Before backporting, it would be great if somebody can test the installer with
ln -sfn /nix/var/nix/profiles/default/$TMPFILES_SRC $TMPFILES_DEST

_sudo "to run systemd-tmpfiles once to pick that path up" \
    sytemd-tmpfiles create --prefix=/nix/var/nix
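Review bot: `sytemd-tmpfiles` on the last line is misspelled; as written the `_sudo` step fails with a command-not-found error, so the daemon-socket directory is not created until the next boot's tmpfiles run even though the symlink on the first line was installed. Suggest `sytemd-tmpfiles create --prefix=/nix/var/nix` → `systemd-tmpfiles create --prefix=/nix/var/nix`.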
typo
fixed in #6319