Replace simple activationScripts #263203

nikstur · 2023-10-24T18:19:43Z

This is one part of a series of PRs towards activation without Perl. See more about this larger project here: https://pad.lassul.us/nixos-perlless-activation#

This PR is part of step 1 of the larger project.

In this PR, I replace many of the simple activationScripts. I employed this strategy to remove activationScripts:

removing them without replacement because they are not needed anymore
replacing them via ExecPreStart=
replacing them via a separate service ordered correctly before the other services that need it

replacing them via a separate service that runs very early, e.g. with

wantedBy = [ "sysinit.target" ];
before = [ "sysinit.target" ];
unitConfig.DefaultDependencies = false;

One of the immediate benefits of this work is that these activationScripts now actually run after the initrd when you use the systemd initrd. The systemd initrd calls stage-2-init.sh in the initrd as ./prepare-root

Things done

The activationScript does not seem to be necessary anymore as the paths are created anyways.

nixos/modules/config/shells-environment.nix

nixos/modules/config/users-groups.nix

nixos/modules/security/wrappers/default.nix

nixos/modules/services/hardware/udev.nix

nixos/modules/system/boot/modprobe.nix

nixos/modules/system/boot/timesyncd.nix

nixos/modules/tasks/network-interfaces.nix

nixos/tests/activation/var.nix

nixos/modules/system/boot/modprobe.nix

Create the wrappers via a separate systemd service.

nixos/modules/services/monitoring/ups.nix

nixos/modules/services/networking/strongswan-swanctl/module.nix

nixos/modules/services/web-servers/stargazer.nix

nixos/modules/tasks/network-interfaces.nix

The stage-2-init.sh script has the same functionality hardcoded so we do not need it in the activationScript again.

l0b0

I've only reviewed the shell script parts of this PR.

nixos/modules/security/wrappers/default.nix

nixos/modules/services/networking/iscsi/initiator.nix

nixos/modules/system/boot/timesyncd.nix

nikstur · 2023-10-25T09:29:44Z

I've only reviewed the shell script parts of this PR.

I will not change the shell scripts themselves. I just move them into a systemd service or preStart.

Improving the shell scripts is out of scope.

Edit: Thank you for leaving these improvements here. I hope someone else can pick them up in a separate PR!

nikstur · 2023-10-26T00:14:37Z

@ofborg test wrappers mysql.mysql80 iscsi-root strongswan-swanctl mattermost systemd-binfmt systemd-timesyncd opensearch.opensearch stunnel grafana.provision activcation-nix-channel activation-var

The stargazer test seems to be broken on master

nikstur · 2023-10-27T19:00:43Z

@ElvishJerricco is this good to go now?

ElvishJerricco

I think it looks good yea

K900 · 2023-10-29T16:05:53Z

a8f50f9 broke the installer tests.

K900 · 2023-10-29T17:17:10Z

Reverting in #264200

nikstur · 2023-10-29T19:26:18Z

Reverting in #264200

Thank you for taking the time to only revert the offending commit!

NetaliDev · 2023-12-01T12:04:48Z

b5617e0 broke the MySQL auth module since it now depends on a local mysql database. Additionally, the script needs to run as root for the chown calls.

arianvp · 2023-12-15T13:55:15Z

nixos/modules/tasks/network-interfaces.nix

-    system.activationScripts.hostname = let
-        effectiveHostname = config.boot.kernel.sysctl."kernel.hostname" or cfg.hostName;
-      in optionalString (effectiveHostname != "") ''
-        hostname "${effectiveHostname}"


This is a slight regression in behaviour. Systemd refuses to set the transient hostname altogether if /etc/hostname exists. But I think that is harmless. gethostname will still return the correct thing I think

We want to get rid of specialFileSystems / earlyMountScript eventually and there is no need to run this before systemd anymore now that the wrappers themselves are set up in a systemd unit since NixOS#263203 Also this is needed to make soft-reboot work. We want to make sure that we remount /run/wrappers with the nosuid bit removed on soft-reboot but because @earlyMountScript@ happens in initrd, this wouldn't happen

* flaresolverr: init at 3.3.21 * nixos/flaresolverr: initial commit * minio: 2024-07-04T14-25-45Z -> 2024-07-16T23-46-41Z * cargo-make: 0.37.13 -> 0.37.14 * vscode-extensions.nefrob.vscode-just-syntax: 0.3.0 -> 0.5.1 * python312Packages.tencentcloud-sdk-python: 3.0.1190 -> 3.0.1192 Diff: TencentCloud/tencentcloud-sdk-python@refs/tags/3.0.1190...3.0.1192 Changelog: https://github.com/TencentCloud/tencentcloud-sdk-python/blob/3.0.1192/CHANGELOG.md * python312Packages.tencentcloud-sdk-python: 3.0.1192 -> 3.0.1193 Diff: TencentCloud/tencentcloud-sdk-python@refs/tags/3.0.1192...3.0.1193 Changelog: https://github.com/TencentCloud/tencentcloud-sdk-python/blob/3.0.1193/CHANGELOG.md * python312Packages.boto3-stubs: 1.34.144 -> 1.34.145 * python312Packages.botocore-stubs: 1.34.144 -> 1.34.145 * phraze: Add updateScript and version test * files-cli: 2.13.85 -> 2.13.96 * lbreakouthd: 1.1.8 -> 1.1.9 * kdePackages.kio: 6.4.0 -> 6.4.1 * kdePackages.kwidgetsaddons: 6.4.0 -> 6.4.1 * home-assistant-custom-lovelace-modules.android-tv-card: 3.8.1 -> 3.8.2 Diff: Nerwyn/android-tv-card@3.8.1...3.8.2 * strictdoc: 0.0.57 -> 0.0.58 * nh: 3.5.18 -> 3.5.19 * steampipe: 0.23.2 -> 0.23.3 * numix-icon-theme-circle: 24.04.22 -> 24.07.19 * srm-cuarzo: 0.6.1-1 -> 0.6.3-1 * python312Packages.gpytorch: 1.11 -> 1.12 * haven-cli: 4.0.0 -> 4.0.2 * android-studio: 2024.1.1.11 -> 2024.1.1.12 * androidStudioPackages.canary: 2024.1.2.8 -> 2024.1.3.1 * ntpd-rs: 1.2.0 -> 1.2.2 * go: support FreeBSD * python312Packages.app-model: 0.2.7 -> 0.2.8 * python312Packages.lmfit: 1.3.1 -> 1.3.2 * kustomize: 5.4.2 -> 5.4.3 * cargo-modules: 0.16.3 -> 0.16.6 * safeeyes: add missing setuptools dependency Fixes: Traceback (most recent call last): File "/nix/store/km8nzjccd4r0g704is31q18qzl101g89-safeeyes-2.1.9/bin/.safeeyes-wrapped", line 6, in <module> from safeeyes.__main__ import main File "/nix/store/km8nzjccd4r0g704is31q18qzl101g89-safeeyes-2.1.9/lib/python3.12/site-packages/safeeyes/__main__.py", line 32, in <module> from safeeyes import utility File "/nix/store/km8nzjccd4r0g704is31q18qzl101g89-safeeyes-2.1.9/lib/python3.12/site-packages/safeeyes/utility.py", line 35, in <module> from distutils.version import LooseVersion ModuleNotFoundError: No module named 'distutils' * python312Packages.holidays: 0.52 -> 0.53 https://github.com/vacanza/python-holidays/releases/tag/v0.53 * python312Packages.pytedee-async: 0.2.17 -> 0.2.20 Diff: zweckj/aiotedee@refs/tags/v0.2.17...v0.2.20 Changelog: https://github.com/zweckj/pytedee_async/releases/tag/v0.2.20 * python312Packages.python-kasa: 0.7.0.3 -> 0.7.0.5 Diff: python-kasa/python-kasa@refs/tags/0.7.0.3...0.7.0.5 Changelog: https://github.com/python-kasa/python-kasa/blob/0.7.0.5/CHANGELOG.md Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> * python312Packages.upb-lib: 0.5.7 -> 0.5.8 Diff: gwww/upb-lib@refs/tags/0.5.7...0.5.8 Changelog: https://github.com/gwww/upb-lib/releases/tag/0.5.8 * obs-studio-plugins.obs-move-transition: 3.0.1 -> 3.0.2 * home-assistant: 2024.7.2 -> 2024.7.3 https://github.com/home-assistant/core/releases/tag/2024.7.3 * python312Packages.homeassistant-stubs: 2024.7.2 -> 2024.7.3 https://github.com/KapJI/homeassistant-stubs/releases/tag/2024.7.3 * mark: 9.12.0 -> 9.13.0 * ntpd-rs: disable testsuite, too flaky * python312Packages.yfinance: 0.2.40 -> 0.2.41 * emacsPackages.ott-mode: trivialBuild -> melpaBuild Also fix homepage and license. * python312Packages.distributed: 2024.7.0 -> 2024.7.1 * python312Packages.rotary-embedding-torch: 0.6.2 -> 0.6.4 * beanhub-cli: 1.2.2 -> 1.2.3 * open-scq30: add CoreBluetooth framework on Darwin * doc: Remove indefinite article and ending period from example meta.description so that meta.description examples shown in the documentation align with recommendations given in the "Meta attributes" section in pkgs/README.md. The changes were made with the following commands: nix run nixpkgs#silver-searcher -- -l0 'description\s*=\s*"([Aa]n?|[Tt]he)\s' doc \ | xargs -0 nix run nixpkgs#gnused -- -i '' -Ee '/description/s/"([Aa]n?|[Tt]he)\s(.)/"\U\2/' nix run nixpkgs#silver-searcher -- -l0 'description\s*=\s*".*\."' doc \ | xargs -0 nix run nixpkgs#gnused -- -i '' -Ee '/description/s/\."/"/' * python312Packages.gtts: 2.5.1 -> 2.5.2 * virtiofsd: 1.11.0 -> 1.11.1 * llvm: fix broken llvm-config-native for canExecute Since a0b4b85 ("llvm: Avoid cross compiling if the build platform can execute host binaries"), the flags to get a working llvm-config-native are not used when the build platform can execute host binaries, resulting in a broken llvm-config-native, and therefore a broken mesa, but since build can execute host, we don't need a separate llvm-config-native at all — we can just use the normal llvm-config. Fixes: a0b4b85 ("llvm: Avoid cross compiling if the build platform can execute host binaries") * linuxPackages_latest.rust-out-of-tree-module.updateScript: init Added a version to the package to make the update script happy. * linuxPackages_latest.rust-out-of-tree-module: 0-unstable-2023-08-29 -> 0-unstable-2024-05-06 Updated for breaking changes in Linux 6.10. * androidStudioPackages.beta: 2024.1.1.10 -> 2024.1.2.9 * python312Packages.quaternion: 2023.0.3 -> 2023.0.4 * erigon: 2.60.2 -> 2.60.4 * python312Packages.cohere: 5.6.0 -> 5.6.1 * osu-lazer-bin: 2024.718.0 -> 2024.718.1 * vscode-extensions.42crunch.vscode-openapi: 4.25.3 -> 4.27.0 - Changelog: https://github.com/42Crunch/vscode-openapi/blob/master/CHANGELOG.md#version-4270-june-27-2024 - Comparing changes: 42Crunch/vscode-openapi@v4.25.3...v4.27.0 * osu-lazer: 2024.718.0 -> 2024.718.1 * silice: 0-unstable-2024-06-23 -> 0-unstable-2024-07-15 * cudaPackages.writeGpuTestPython: allow a selector for `libraries` to accommodate different python versions * bemenu: 0.6.22 -> 0.6.23 * cudaPackages.writeGpuTestPython: sync the attr and the filesystem paths * python312Packages.python-smarttub: 0.0.36 -> 0.0.37 * gnome-font-viewer: fix build with clang 16 * cudaPackages.writeGpuTestPython: accept makeWrapperArgs * python311Packages.torch.tests.tester-*Available: unbreak for non-default python package sets * python3Packages.torch.tests.*compile*: init * bustle: use gettext from nixpkgs The vendored gettext fails to build with clang 16 on Darwin. The gettext in nixpkgs works. * incus: fix OVMF path backward compatibility incus 6.3.0 changed the OVMF path, but our module needs to support LTS as well. Also move the newer OCI deps to be conditional on version. * vscodium: 1.90.2.24171 -> 1.91.1.24193 * nixos/wrappers: use normal mount for /run/wrappers We want to get rid of specialFileSystems / earlyMountScript eventually and there is no need to run this before systemd anymore now that the wrappers themselves are set up in a systemd unit since NixOS#263203 Also this is needed to make soft-reboot work. We want to make sure that we remount /run/wrappers with the nosuid bit removed on soft-reboot but because @earlyMountScript@ happens in initrd, this wouldn't happen * xdg-desktop-portal-xapp: 1.0.7 -> 1.0.8 * cinnamon.pix: 3.4.1 -> 3.4.2 Also enable optional brasero / colord support. linuxmint/pix@3.4.1...3.4.2 * cinnamon.cinnamon-session: 6.2.0 -> 6.2.1 * applet-window-buttons6: init at 0.13.0 * python312Packages.formulae: 0.5.3 -> 0.5.4 * python312Packages.tplink-omada-client: 1.4.0 -> 1.4.1 * tui-journal: 0.9.0 -> 0.9.1 * wstunnel: 9.7.2 -> 9.7.4 * iosevka: 30.3.2 -> 30.3.3 --------- Co-authored-by: Pavel Sobolev <contact@paveloom.dev> Co-authored-by: Peder Bergebakken Sundt <pbsds@hotmail.com> Co-authored-by: Emily <git@emilylange.de> Co-authored-by: Martin Weinelt <mweinelt@users.noreply.github.com> Co-authored-by: R. Ryantm <ryantm-bot@ryantm.com> Co-authored-by: Robert Scott <code@humanleg.org.uk> Co-authored-by: Johannes Jöns <34899572+jopejoe1@users.noreply.github.com> Co-authored-by: nixpkgs-merge-bot[bot] <148217876+nixpkgs-merge-bot[bot]@users.noreply.github.com> Co-authored-by: abysssol <abysssol@pm.me> Co-authored-by: uncenter <47499684+uncenter@users.noreply.github.com> Co-authored-by: Fabian Affolter <mail@fabian-affolter.ch> Co-authored-by: Fabian Affolter <fabian@affolter-engineering.ch> Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com> Co-authored-by: José Romildo Malaquias <malaquias@gmail.com> Co-authored-by: x123 <x123@users.noreply.github.com> Co-authored-by: Thomas Gerbet <thomas@gerbet.me> Co-authored-by: Artturin <Artturin@artturin.com> Co-authored-by: K900 <me@0upti.me> Co-authored-by: Adam C. Stephens <2071575+adamcstephens@users.noreply.github.com> Co-authored-by: Nick Cao <nickcao@nichi.co> Co-authored-by: Emily Trau <13267947+emilytrau@users.noreply.github.com> Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com> Co-authored-by: Yt <raphael@megzari.com> Co-authored-by: Lin Jian <me@linj.tech> Co-authored-by: Franz Pletz <fpletz@fnordicwalking.de> Co-authored-by: Audrey Dutcher <audrey@rhelmot.io> Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com> Co-authored-by: Martin Weinelt <hexa@darmstadt.ccc.de> Co-authored-by: Robert Schütz <mail@dotlambda.de> Co-authored-by: Marcus Ramberg <marcus@means.no> Co-authored-by: Randy Eckenrode <randy@largeandhighquality.com> Co-authored-by: Pol Dellaiera <pol.dellaiera@protonmail.com> Co-authored-by: Alexis Hildebrandt <afh@surryhill.net> Co-authored-by: lassulus <github@lassul.us> Co-authored-by: Robert Schütz <nix@dotlambda.de> Co-authored-by: Alyssa Ross <hi@alyssa.is> Co-authored-by: Masum Reza <50095635+JohnRTitor@users.noreply.github.com> Co-authored-by: Thiago Kenji Okada <thiagokokada@gmail.com> Co-authored-by: Sandro <sandro.jaeckel@gmail.com> Co-authored-by: Gutyina Gergő <gutyina.gergo.2@gmail.com> Co-authored-by: Benedikt Hiemer <ben.email@posteo.de> Co-authored-by: Maximilian Bosch <maximilian@mbosch.me> Co-authored-by: Aleksana <me@aleksana.moe> Co-authored-by: Guillaume Girol <symphorien@users.noreply.github.com> Co-authored-by: Someone Serge <sergei.kozlukov@aalto.fi> Co-authored-by: ❄️ <5861043+superherointj@users.noreply.github.com> Co-authored-by: Yorick <yorick@yorickvanpelt.nl> Co-authored-by: Adam Stephens <adam@valkor.net> Co-authored-by: Leona Maroni <dev@leona.is> Co-authored-by: Arian van Putten <arian.vanputten@gmail.com> Co-authored-by: A1ca7raz <7345998+A1ca7raz@users.noreply.github.com> Co-authored-by: John Ericson <git@JohnEricson.me> Co-authored-by: Bobby Rong <rjl931189261@126.com> Co-authored-by: Someone <else@someonex.net>

Version 257.1 of systemd changed[1] the PrivateTmp setting for the systemd-timesyncd service from "yes" to "disconnected", which broke our systemd-timesyncd test. The reason for this is because the systemd-tmpfiles-setup.service is *only*[2] added as a dependency of systemd-timesyncd.service if PrivateTmp is set to "yes" but not when it is set to "disconnected" (which would make sense given that the tmpfiles.d mechanism was originally designed for temporary files). Commit 339a866 switched the activation script to using systemd-tmpfiles, but the commit in question doesn't provide an explanation why this was necessary in this particular case. However the pull request[3] lists an ongoing effort to get rid of Perl and in the future get also rid of BASH for activation. The reasons for doing this are outlined in the document[4]: > The simple presence of interpreters on a system pose a security risk. > An attacker that gains access to a system can abuse them to execute > arbitrary commands. Mitre lists this as technique T1059. The most > radical yet simple solution to mitigate this exploit is to remove all > interpreters from a system (Mitre M1042). This radical solution is > only really feasible and/or interesting for appliances (i.e. > non-interactive) systems. Especially for high-security solutions this > mitigtation is interesting. I personally don't think this is a very compelling reason, at least for our activation scripts, since an attacker could simply drop an executable binary. Nevertheless, getting rid of additional dependencies on eg. Perl or BASH is something worth pursuing to trim down moving parts. To address this, I decided to implement this as a normal systemd service unit, since we need to guarantee that it's started before systemd-timesyncd.service and with a dedicated unit we can ensure explicit ordering. This has the advantage that we don't interfere with the effort of getting rid of Perl/BASH for activation/boot and also don't risk running into race conditions (again) because it's very unlikely that systemd will change/deprecate explicit unit ordering in the near future. [1]: systemd/systemd@1f6e192 [2]: https://github.com/systemd/systemd/blob/30675a6ee98540a02bd1d6afcf80f0c0aa8c0910/src/core/unit.c#L1274 [3]: #263203 [4]: https://pad.lassul.us/nixos-perlless-activation Signed-off-by: aszlig <aszlig@nix.build>

nixos/nix-daemon: remove activationScript

f015440

The activationScript does not seem to be necessary anymore as the paths are created anyways.

nikstur requested review from blitz, RaitoBezarius, lheckemann, Lassulus and arianvp October 24, 2023 18:19

nikstur requested a review from dasJ as a code owner October 24, 2023 18:19

github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Oct 24, 2023

nikstur force-pushed the replace-activation branch from 0b039b6 to 0c4ee3d Compare October 24, 2023 18:24

nikstur requested a review from ElvishJerricco October 24, 2023 18:51

ofborg bot added 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10 labels Oct 24, 2023

ElvishJerricco reviewed Oct 24, 2023

View reviewed changes