nix-installer
nix-installer copied to clipboard
DeterminateSystems
SELinux `nix` doesn't work after upgrade, needs `restorecon`
After running the suggested upgrade step the nix is not available with the following error:
error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused
And nix-daemon.service is not available after upgrade.
$ sudo systemctl status nix-daemon
Unit nix-daemon.service could not be found.
I am running this on Fedora 39, and can reproduce it with uninstall/install/upgrade steps. Though, it's highly disruptive to re-download whole nix store after reinstall.
Still happening with 0.16.1 (forget to mention, before I was using 0.16.0).
I would appreciate any pointers on where to look why the service being removed/inaccessible.
The service is present before the update:
~ $ sudo systemctl status nix-daemon.service
○ nix-daemon.service - Nix Daemon
Loaded: loaded (/etc/systemd/system/nix-daemon.service; linked; preset: disabled)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: inactive (dead)
TriggeredBy: ● nix-daemon.socket
Docs: man:nix-daemon
https://nixos.org/manual
Feb 09 22:20:32 fw systemd[1]: Started nix-daemon.service - Nix Daemon.
But immediately after the upgrade:
~ $ sudo systemctl status nix-daemon.service
Warning: The unit file, source configuration file or drop-ins of nix-daemon.service changed on disk. Run 'systemctl daemon-reload' to reload units.
○ nix-daemon.service - Nix Daemon
Loaded: loaded (/etc/systemd/system/nix-daemon.service; linked; preset: disabled)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: inactive (dead)
TriggeredBy: ● nix-daemon.socket
Docs: man:nix-daemon
https://nixos.org/manual
Feb 09 22:20:32 fw systemd[1]: Started nix-daemon.service - Nix Daemon.
And after daemon-reload it's missing, but!, the service file present:
~ $ ls -laZ /etc/systemd/system/nix-daemon.service
lrwxrwxrwx. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 67 Feb 9 22:32 /etc/systemd/system/nix-daemon.service -> /nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.service
Not sure what's going on...
Ok, I narrowed down it to SELinux permissions, running fixes the installation:
restorecon -Rv /nix/
systemctl daemon-reload
systemctl enable nix-daemon.service
It would be nice if sudo -i nix upgrade-nix will somehow fix the SELinux labels.
Thanks for reporting this! That does seem a bug. Unfortunately upstream doesn't support SELinux so we may need to be a big creative about how we resolve this...
Yes, I was checking upstream and it doesn't have anything to support SELinux (also, I appreciate that this installer does have proper support).
I'd like having some | sh -s -- update command for installer, but even documenting this step in README would be beneficial.
I've also fell into this. Thanks for the workaround @m0nhawk :heart:
What's interesting is that this also happens when no upgrade is done, e.g.,
replacing old 'nix-2.20.3'
installing 'nix-2.20.3'
Well as replacing implies, it's probably doing something :sweat_smile:
I'm experiencing a similar issue, but the workaround doesn't work for me. I'm still getting denials after running restorecon. The nix SELinux module is loaded.
@YTG1234 I can try to help.
Are you having the same error cannot connect to socket?
What is the output of (running from root):
systemctl status nix-daemon.service # to check the status of the nix daemon
ls -laZ /etc/systemd/system/nix-daemon.service # to see the SELinux labels for the daemon
And what Linux do you use?