Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

install: Allow to specify alternative sudo command #11761

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

install: Allow to specify alternative sudo command #11761

wants to merge 1 commit into from
+9 −4

Conversation

abitrolly
Copy link

@abitrolly abitrolly commented Oct 28, 2024
edited
Loading

This allows to specify identity change command for nix installation.

And also prepends such command with env to set environment variables, because not all sudo alternatives support this.

Testing: I haven't found a way to test this yet. Looks like it needs building binary package, which requires nix installed, and I can't install it, because I don't have sudo. :D catch22

Motivation

Some systems do not use sudo but its alternatives like doas.

Context

Prior work.

A good testing strategy would be to run CI tests with Arch box and only doas installed, but I am not proficient yet with nix testing infrastructure to add it here.

Priorities and Process

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@abathur
Copy link
Member

abathur commented Oct 28, 2024
edited
Loading

Testing: I haven't found a way to test this yet. Looks like it needs building binary package, which requires nix installed, and I can't install it, because I don't have sudo. :D catch22

It does require some one-time setup (signing up for a third party service and setting up a secret) at the moment, but you can enable CI in your own fork of the repo to generate installers with the process outlined here:

https://github.com/NixOS/nix/blob/master/doc/manual/source/development/testing.md#installer-tests

Then I imagine you could validate that with your local system?

You can use the generated installer locally with something like:

sh <(curl -L https://<username>-nix-install-tests.cachix.org/serve/<hash-that-you-fish-out-of-the-installer-test-job's-install-step>/install) --tarball-url-prefix https://<username>-nix-install-tests.cachix.org/serve

@abitrolly
Copy link
Author

@abathur I've already installed nix from Arch official package, so it is hard for me to get that involved now. If it is possible to make install scripts self-sufficient, I could test them locally.

Mic92
Mic92 reviewed Oct 30, 2024
View reviewed changes
scripts/install-multi-user.sh
@@ -56,6 +56,9 @@ readonly NIX_INSTALLED_CACERT="@cacert@"
#readonly NIX_INSTALLED_CACERT="/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2"
readonly EXTRACTED_NIX_PATH="$(dirname "$0")"

# allow to override identity change command
readonly NIX_BECOME=${NIX_BECOME:-sudo}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we could document this somewhere?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before documenting this as officially supported, need to ensure that alternatives work as expeted. Which requires CI test setup with Arch + doas, for example.

bryanhonof
bryanhonof reviewed Nov 4, 2024
View reviewed changes
scripts/install-multi-user.sh
@@ -56,6 +56,9 @@ readonly NIX_INSTALLED_CACERT="@cacert@"
#readonly NIX_INSTALLED_CACERT="/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2"
readonly EXTRACTED_NIX_PATH="$(dirname "$0")"

# allow to override identity change command
readonly NIX_BECOME=${NIX_BECOME:-sudo}
Copy link
Member

@bryanhonof bryanhonof Nov 4, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick(non-blocking): The NIX_BECOME name is confusing to me. Something like NIX_SUDO_PROGRAM would convey the intent a bit better, at least to me. Or maybe the _BECOME name is just a convention I just haven't yet encountered?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's used in the ansible world: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html

scripts/install-multi-user.sh
@@ -343,7 +346,7 @@ __sudo() {

echo "I am executing:"
echo ""
printf " $ sudo %s\\n" "$cmd"
printf " $ $NIX_BECOME %s\\n" "$cmd"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
printf " $ $NIX_BECOME %s\\n" "$cmd"
printf " $ %s %s\\n" "$NIX_BECOME" "$cmd"

@Mic92
Copy link
Member

Mic92 commented Nov 4, 2024

@abathur I've already installed nix from Arch official package, so it is hard for me to get that involved now. If it is possible to make install scripts self-sufficient, I could test them locally.

Docker container could be used for testing this or this https://github.com/quickemu-project/quickemu/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bryanhonof bryanhonof bryanhonof left review comments

@Mic92 Mic92 Mic92 left review comments

@edolstra edolstra Awaiting requested review from edolstra edolstra is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@abitrolly @abathur @Mic92 @bryanhonof