Don't have root bypass the daemon by default

Open thufschmitt opened this issue 1 year ago • 6 comments

Is your feature request related to a problem? Please describe.

When the store option is set to auto (the default), Nix will guess whether to use the daemon or the local store. However, this detection logic will use the local store if Nix has access to it, even if there's a daemon socket available. This reduces the isolation that the client-daemon logic provides. Some examples from a quick issue search:

  • https://github.com/NixOS/nix/issues/10139
  • https://github.com/NixOS/nix/issues/7154
  • https://github.com/NixOS/nix/issues/6083
  • https://github.com/NixOS/nix/issues/4337

Describe the solution you'd like

Have the logic be: “If there's a socket I can connect to, use the daemon that listens there, otherwise try to directly access the store”.

Describe alternatives you've considered

  • Keep the status quo
  • Have the multi-user installer configure nix.conf to set store = daemon (and pass --store local to the daemon invocation). That would reduce the breaking change, at the cost of more complexity on the installations in the long run.

Additional context

  • IIRC @edolstra mentioned somewhere (couldn't find the source again) that directly connecting to the store as root was an optimisation for some systems (like hydra) where the overhead of the daemon was noticeable. I think that can be avoided by just configuring these systems to forcibly use the local store.

Priorities

Add :+1: to issues you find important.

thufschmitt, Mar 04 '24 06:03
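
The selection order described in the issue above, next to the proposed one, as an added example that is not part of the original issue and is not Nix's own code. The function name `pick_store`, the default paths, the `NIX_REMOTE` handling and the final fallback to the local store are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Nix source). Models the `store = auto` choice as this
# issue describes it, next to the proposed order.
# Assumed defaults: the usual multi-user state dir and daemon socket paths.
STATE_DIR_DEFAULT=/nix/var/nix
SOCKET_DEFAULT=/nix/var/nix/daemon-socket/socket

# pick_store POLICY [STATE_DIR] [SOCKET]  ->  prints "daemon" or "local"
#   current  : local store whenever the state dir is writable (root normally is)
#   proposed : daemon whenever its socket is present, else local
pick_store() {
    policy=$1
    state_dir=${2:-$STATE_DIR_DEFAULT}
    socket=${3:-$SOCKET_DEFAULT}

    # An explicit setting (NIX_REMOTE here) takes auto-detection out of play.
    case ${NIX_REMOTE:-auto} in
        auto)   ;;
        daemon) echo daemon; return 0 ;;
        local)  echo local;  return 0 ;;
        *)      echo "explicit:$NIX_REMOTE"; return 0 ;;
    esac

    writable=no;   [ -w "$state_dir" ] && writable=yes
    # Simplification: checks presence only, not that a connect() succeeds.
    has_socket=no; [ -e "$socket" ] && has_socket=yes

    case $policy in
        current)
            if [ "$writable" = yes ]; then echo local
            elif [ "$has_socket" = yes ]; then echo daemon
            else echo local
            fi ;;
        proposed)
            if [ "$has_socket" = yes ]; then echo daemon
            else echo local
            fi ;;
        *)  echo "unknown policy: $policy" >&2; return 2 ;;
    esac
}

# Report for the invoking user; compare a normal user with `sudo sh this.sh`.
echo "uid $(id -u): current=$(pick_store current) proposed=$(pick_store proposed)"
```

A result of `current=local proposed=daemon` marks an invocation that bypasses a running daemon under the existing default.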

Extra issue due to that: https://github.com/NixOS/nix/issues/10158

thufschmitt, Mar 05 '24 17:03

Issues like #10158 will still happen in a use case like nixos-enter. I don't think we can get rid of the non-daemon use case completely, and by switching to daemon by default, we risk letting it bitrot. The status quo could be considered anti-fragile.

roberth, Mar 22 '24 12:03

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-03-11-nix-team-meeting-132/42960/1

nixos-discourse, Apr 08 '24 15:04

Bypassing the daemon is also useful when trying out a build feature, such as described here https://github.com/NixOS/nixpkgs/issues/318013#issuecomment-2156819571.

roberth, Jun 09 '24 22:06

Relevant Nixpkgs PR

  • https://github.com/NixOS/nixpkgs/pull/415701

roberth, Jun 11 '25 19:06

This default causes recurring issues: e.g. the NixOS Hydra infra has to override the SSH command to make sure to pick up ulimits from the daemon and there is a steady trickle of users having build issues from sudo nixos-rebuild and so on. In nix-darwin we have explicitly set NIX_REMOTE=daemon by default in darwin-rebuild to fix proxy configuration being ignored, but this really ought to be fixed on the Nix end. I think --store local is a perfectly acceptable option for when you do want this and people are surprised by root being a special case here.

emilazy, Jun 12 '25 14:06