install: Allow to specify alternative sudo command #11761
It does require some one-time setup (signing up for a third party service and setting up a secret) at the moment, but you can enable CI in your own fork of the repo to generate installers with the process outlined here: https://github.com/NixOS/nix/blob/master/doc/manual/source/development/testing.md#installer-tests Then I imagine you could validate that with your local system? You can use the generated installer locally with something like:
|
@abathur I've already installed |
@@ -56,6 +56,9 @@ readonly NIX_INSTALLED_CACERT="@cacert@" | |||
#readonly NIX_INSTALLED_CACERT="/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2" | |||
readonly EXTRACTED_NIX_PATH="$(dirname "$0")" | |||
|
|||
# allow to override identity change command | |||
readonly NIX_BECOME=${NIX_BECOME:-sudo} |
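Review bot: On the readonly NIX_BECOME=${NIX_BECOME:-sudo} line, the override is read from the environment and frozen without any check that it names an installed program, so a typo or an unintended value inherited from the caller's environment only surfaces at the first privileged step. Consider verifying it right after the assignment, for example with command -v "$NIX_BECOME", and aborting with a clear message. The comment above it could also state whether the value must be a bare program name or may carry arguments, since that decides how it can safely be expanded later.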
I wonder if we could document this somewhere?
Before documenting this as officially supported, need to ensure that alternatives work as expected. Which requires CI test setup with Arch + doas, for example.
@@ -56,6 +56,9 @@ readonly NIX_INSTALLED_CACERT="@cacert@" | |||
#readonly NIX_INSTALLED_CACERT="/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2" | |||
readonly EXTRACTED_NIX_PATH="$(dirname "$0")" | |||
|
|||
# allow to override identity change command | |||
readonly NIX_BECOME=${NIX_BECOME:-sudo} |
nitpick(non-blocking): The NIX_BECOME name is confusing to me. Something like NIX_SUDO_PROGRAM would convey the intent a bit better, at least to me. Or maybe the _BECOME name is just a convention I just haven't yet encountered?
It's used in the ansible world: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html
At first it was NIX_SUDO, but then doas is not sudo - it doesn't support sudo config files etc. So I used the Ansible way to name the privilege escalation program.
Docker container could be used for testing this or this https://github.com/quickemu-project/quickemu/
Ok. I installed
$ quickget archlinux latest
Downloading Arch Linux latest
...
To start your Arch Linux virtual machine run:
quickemu --vm archlinux-latest.conf
Now need to know what's next.
$ quickemu --vm archlinux-latest.conf
...
- Process: Started archlinux-latest.conf as archlinux-latest (5858)
Now how to test this PR? :D
Sorry for the delay! Add this to your virtual machine (I believe quickemu has some file sharing somewhere):
Unpack on the destination and run the
|
Looks like I need to have two clean machines. Machine1 (with
Then somehow pull Machine2 (with no
Now testing it with containers. |
Am I doing something wrong?
The command that worked (thanks to https://discourse.nixos.org/t/error-experimental-nix-feature-nix-command-is-disabled/18089/6 thread from two years ago).
nix --extra-experimental-features "nix-command flakes" build ".#hydraJobs.binaryTarball.x86_64-linux"
The build took 1 hour.
Oh. If your computer is not fast enough you may want to get access to an x86 community builder that we have in nix-community.
So installation with sudo and with doas works?
Nope. I don't know why yet.
|
I am trying to find the file from which this |
@abathur no, this is the script https://github.com/NixOS/nix/blob/master/scripts/install-nix-from-closure.sh I don't know why the fancy name - for me it should be called
✗ rg from-closure
scripts/binary-tarball.nix
26: substitute ${./install-nix-from-closure.sh} $TMPDIR/install \
maintainers/flake-module.nix
501: ''^scripts/install-nix-from-closure\.sh$''
@abitrolly you are currently running a single-user installation whereas your patch is for the multi-user nix-daemon one.
@abitrolly is this ready for a test?
Test setup for Arch container/VM.
pacman -Syu --noconfirm doas
echo "permit setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :wheel" >> /etc/doas.conf
chmod 0400 /etc/doas.conf
useradd -m testu -G wheel
su testu
@Mic92 yes, I think it is ready.
$ NIX_BECOME=doas ./nix-2.25.0pre20241112_e87284b-x86_64-linux/install
Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation
performing a single-user installation of Nix...
directory /nix does not exist; creating it by running 'mkdir -m 0755 /nix && chown testu /nix' using doas
doas (testu@30ace391473a) password:
copying Nix to /nix/store......................................................
installing 'nix-2.25.0pre20241112_e87284b'
building '/nix/store/64fdx62hd5nmz2plvfwq827c4jbqkj4b-user-environment.drv'...
unpacking 1 channels...
modifying /home/testu/.bash_profile...
Installation finished! To ensure that the necessary environment
variables are set, either log in again, or type
. /home/testu/.nix-profile/etc/profile.d/nix.sh
in your shell.
$ . /home/testu/.nix-profile/etc/profile.d/nix.sh
$ nix
error: no subcommand specified
Try 'nix --help' for more information.
I've tried to setup automated testing using Do you know any alternative testing frameworks that run tests in isolation with containers?
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2024-12-13-nix-team-meeting-minutes-202/57281/1
Tested single-user and multi-user with sudo and doas.
@mergify queue
✅ The pull request has been merged automatically at 9cf1b0c
This allows to specify identity change command for nix installation.
And also prepends such command with env to set environment variables, because not all sudo alternatives support this.
Testing: I haven't found a way to test this yet. Looks like it needs building binary package, which requires nix installed, and I can't install it, because I don't have sudo. :D catch22
Motivation
Some systems do not use sudo but its alternatives like doas.
Context
Prior work.
A good testing strategy would be to run CI tests with Arch box and only doas installed, but I am not proficient yet with nix testing infrastructure to add it here.
Priorities and Process
Add 👍 to pull requests you find important.
The Nix maintainer team uses a GitHub project board to schedule and track reviews.
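
The pattern the PR description refers to (escalation program taken from NIX_BECOME, environment variables passed through env), as an added example that is not the installer's own code. The names resolve_become, run_elevated, demo and the fakebecome stub are hypothetical; only NIX_BECOME comes from the PR.

```shell
#!/bin/sh
# Added example, not the Nix installer's code. resolve_become, run_elevated
# and demo are hypothetical names; only NIX_BECOME comes from the PR.

# Pick the escalation program and reject anything that is not one installed
# command name: values with spaces or shell metacharacters, or a typo.
resolve_become() {
    become=${NIX_BECOME:-sudo}
    case $become in
        *[!A-Za-z0-9_./-]*)
            echo "NIX_BECOME must be a single program name: $become" >&2
            return 1 ;;
    esac
    command -v "$become" >/dev/null 2>&1 || {
        echo "escalation program not found: $become" >&2
        return 1
    }
    printf '%s\n' "$become"
}

# run_elevated NAME=value... command [args...]
# The assignments are handed to env(1), so nothing depends on the escalation
# tool parsing NAME=value arguments itself (sudo accepts them; per the PR
# description, not every alternative does).
run_elevated() {
    prog=$(resolve_become) || return 1
    "$prog" env "$@"
}

# Constructed stand-in for sudo/doas so the flow runs without privileges:
# it only execs its arguments, as an escalation tool does after authenticating.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexec "$@"\n' > "$dir/fakebecome"
    chmod +x "$dir/fakebecome"
    (
        PATH="$dir:$PATH"
        NIX_BECOME=fakebecome
        run_elevated DEMO_CERT=/tmp/ca.pem sh -c 'printf %s "$DEMO_CERT"'
    )
    status=$?
    rm -rf "$dir"
    return "$status"
}
```

Because the value is validated as a single word before use, it can be expanded quoted, and a value such as "sudo -n" is rejected up front instead of being split by the shell.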