
permissions problems

Open teto opened this issue 6 years ago • 8 comments

I regularly seem to have ownership problems when using nixops. For instance, journalctl -b would show

    Cannot execute '/etc/NetworkManager/dispatcher.d/02overridedns': not owned by root.

or when setting zsh as a shell (https://github.com/NixOS/nixpkgs/issues/39189). Output from the nixops VM:

    [root@client:~]# ls -lL /etc/NetworkManager/dispatcher.d/
    total 12
    -r-xr-xr-x 1 nobody nogroup  511 Jan  1  1970 02overridedns
    -r-xr-xr-x 1 root   root    1251 Jan  1  1970 03userscript0001
    -r-xr-xr-x 1 root   root     288 Jan  1  1970 03userscript0002

I configure the libvirtd service with

    qemuVerbatimConfig = ''
      namespaces = []
      # # Whether libvirt should dynamically change file ownership
      # # dynamic_ownership = 1
      user="teto"
      group="libvirtd"
    '';

teto, Apr 23 '18

Try this fix I got on IRC (looks like a bug during VM store init):

    mount -o remount,rw /nix/store
    chown -R root:root /nix/store

sorki, May 01 '18

Seems like I missed your answer. It worked great, but if anyone has a hint on the root cause, it would be nice to fix. I've started to stack up a few patches on top of nixops to fix various things and would enjoy a better out-of-the-box experience.

NB: this permission problem also prevents the use of sudo which is quite annoying.

teto, Jul 20 '18

Seeing this as well on a fresh NixOS 18.09 + nixops + libvirt.

within (any freshly installed) guests:

    sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
    sudo: /nix/store/kqb1mmkmacysi9whzqjwqlmi3dqr5r5y-sudo-1.8.24/libexec/sudo/sudoers.so must be owned by uid 0
    sudo: fatal error, unable to load plugins

leshy, Sep 29 '18

I have this in my defaults section as a nasty workaround:

    system.activationScripts.nixops-vm-fix-931 = {
      text = ''
        # Detect the bad ownership by looking for a sudo store path whose group is "nogroup"
        if ls -l /nix/store | grep sudo | grep -q nogroup; then
          # /nix/store is mounted read-only on NixOS; make it writable before chown
          mount -o remount,rw  /nix/store
          chown -R root:nixbld /nix/store
        fi
      '';
      deps = [];
    };

pjones, Dec 13 '18

The libvirtd image for nixops gets built within a qemu VM (see nix/libvirtd-image.nix). The problem stems from the fact that qemu runs within the nix-bld environment, which makes /nix/store appear as uid=nobody(65534) gid=100. This gets propagated to the VM image by using "cp -p" to copy from the /nix/store mounted via 9p.

clefru, Dec 24 '18
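The following is an added example, not code from nixops or from any commenter in this thread. It turns the remount-and-chown workaround above into a script gated on an actual ownership scan of the store tree rather than on grepping ls -l for "sudo" and "nogroup": that grep only fires for the sudo path, and it would not match at all if the mis-owned group shows up under a different name (clefru's gid=100 is "users" on a default NixOS guest, not "nogroup"). The audit flags every entry whose owner or group is not root, reports the uid of a single file the way sudo's own check does (sudo refuses a plugin that is not owned by uid 0, as leshy's output shows), and only touches the mount when something is wrong and the caller is root. Assumptions: POSIX sh, a find(1) that supports -mindepth (GNU and BSD both do), Linux mount(8), and a read-only bind mount of /nix/store as on NixOS; the chown target root:root follows sorki's fix rather than pjones's root:nixbld, and the trailing remount to read-only is an addition of this example.

```shell
#!/bin/sh
# Audit a Nix store tree for entries not owned by root:root (the symptom in
# this issue: store paths owned by nobody:nogroup inside the nixops guest)
# and repair it only when the audit finds something. Example code added to
# this thread, not from nixops; assumes GNU/BSD find and Linux mount(8).

# Print every entry below $1 whose owner is not root or whose group is not root.
# -user/-group compare by name, so nobody, nogroup and users (gid 100) all match.
list_nonroot_owned() {
    dir=$1
    find "$dir" -mindepth 1 \( ! -user root -o ! -group root \) -print
}

# Number of mis-owned entries below $1; 0 means the tree is clean.
count_nonroot_owned() {
    list_nonroot_owned "$1" | wc -l | tr -d ' '
}

# Numeric owner uid of a single path, i.e. the value sudo compares against 0
# before it will load sudoers.so. ls -n prints numeric ids; field 3 is the uid.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Remount the store read-write and reset ownership, only if the audit finds
# mis-owned entries and only when running as root. Returns 0 when nothing
# needed doing or the fix was applied, 1 when a fix is needed but we are
# not root (so an activation script can fail loudly instead of silently).
fix_store_ownership() {
    store=${1:-/nix/store}
    n=$(count_nonroot_owned "$store")
    if [ "$n" -eq 0 ]; then
        echo "$store: ownership clean"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "$store: $n mis-owned entries; rerun as root to fix" >&2
        return 1
    fi
    # /nix/store is a read-only bind mount on NixOS: open it, fix, close it.
    mount -o remount,rw "$store"
    chown -R root:root "$store"
    mount -o remount,ro "$store"
    echo "$store: fixed $n entries"
}
```

Run as root on an affected guest: `. ./store-ownership.sh && fix_store_ownership` (path and file name are whatever you saved the script as). To see what sudo is complaining about before fixing anything, `owner_uid "$(readlink -f "$(command -v sudo)")"` should print 0; anything else is the same condition leshy reported.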

https://github.com/NixOS/nix/pull/2602 fixes this.

clefru, Dec 25 '18

Opened a PR to move us to the image builder of <nixpkgs/nixos/lib/make-disk-image.nix>, which does not copy the jail-distorted ownership view of /nix/store into the image. This should fix this issue.

clefru, Jul 30 '19

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-generators-from-single-user-nix-install-has-ownership-issues/18216/1

nixos-discourse, Mar 16 '22