How to execute code in the normal OS when I am inside a `buildFHSUserEnv`?

schlichtanders · July 24, 2021, 9:26pm

Hi all,

to understand the limitations and usages of buildFHSUserEnv I would like to ask whether it is possible to somehow elevate the execution context from the custom file system out to the original operating system.

One application is the usage of vscode-fhs to change configuration.nix and then run sudo nixos-rebuild switch, which seems to break. I am interested in the general question, whether we somehow can get out of the inner file system and work on the normal operating system.

jtojnar · August 28, 2021, 9:40pm

The outer file system mounted to /host (/real-host when running in a nested chroot):

github.com

NixOS/nixpkgs/blob/ae75e98913b4f1dd60f24e7bcda5519e32ef34b1/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c#L133-L149


      
          // If there is a /host directory, assume this is nested chrootenv and use it as host instead.
          gboolean nested_host = g_file_test("/host", G_FILE_TEST_EXISTS | G_FILE_TEST_IS_DIR);
          g_autofree const gchar *host = nested_host ? "/host" : "/";
          
          
bind(host, prefix);
          
          
// Replace /host by an actual (inner) /host.
          if (nested_host) {
            fail_if(g_mkdir("/real-host", 0755));
            fail_if(mount("/host/host", "/real-host", NULL, MS_BIND | MS_REC, NULL));
            // For some reason umount("/host") returns EBUSY even immediately after
            // pivot_root. We detach it at least to keep `/proc/mounts` from blowing
            // up in nested cases.
            fail_if(umount2("/host", MNT_DETACH));
            fail_if(mount("/real-host", "/host", NULL, MS_MOVE, NULL));
            fail_if(rmdir("/real-host"));
          }

hmenke · August 29, 2021, 8:25am

This gets asked like once a week. Quoting my answer from another thread:

schlichtanders · August 29, 2021, 3:34pm

Hi @hmenke this question has nothing todo with sudo, it only asks about file system accessibility.

The phrase “This gets asked like once a week” discourages people to ask questions which in its own is inappropriate on a page like discourse. Please consider your choice of words.

schlichtanders · August 29, 2021, 3:35pm

neither /host nor /real-host exist in my vscode buildFHSUserEnv, so unfortunately that does not work

hmenke · August 29, 2021, 3:48pm

Really? Quoting your original post:

It’s a matter of fact that this gets asked once a week. I think the documentation around FHS environments should be better. I’ll see whether I can write something up.

schlichtanders · August 29, 2021, 4:14pm

yes really, when I asked this question I was not aware that sudo is any special command and just wanted to see the original system in the inner one.
Unfortunately that does not seem possible.

hmenke · August 29, 2021, 4:21pm

I’ve had a look at the source. The problem is basically only with stuff in /etc because the FHS does not bind-mount all of /etc but only individual files.

github.com

NixOS/nixpkgs/blob/8d8a28b47b7c41aeb4ad01a2bd8b7d26986c3512/pkgs/build-support/build-fhs-userenv/env.nix#L75-L129


      
          # Compose /etc for the chroot environment
          etcPkg = stdenv.mkDerivation {
            name         = "${name}-chrootenv-etc";
            buildCommand = ''
              mkdir -p $out/etc
              cd $out/etc
          
          
    # environment variables
              ln -s ${etcProfile} profile
          
          
    # compatibility with NixOS
              ln -s /host/etc/static static
          
          
    # symlink nix config
              ln -s /host/etc/nix nix
          
          
    # symlink some NSS stuff
              ln -s /host/etc/passwd passwd
              ln -s /host/etc/group group
              ln -s /host/etc/shadow shadow

This file has been truncated. show original

I don’t really know why that is done. Probably because it makes it easier to merge with all the /etc directories coming from the derivations to be enclosed in the FHS.

Regarding vscode, there is also a non-FHS version of the derivation. Could you use that instead?

schlichtanders · August 31, 2021, 12:26pm

yes I could and had used it. However if you want to use vscode to install vscode extensions it seems like the FHS version has best support for this. Also a couple of other bugs I run into haven’t occured in the FHS version which hence looks much stabler.

on the other hand it seems nix buildFHSUserEnv is not designed for editors and IDEs like Visual Studio Code.

hmenke · August 31, 2021, 12:56pm

What you could do is monkey-patch the vscode-fhs derivation to include /etc/nixos in the bind mounts like this (assuming you are on NixOS):

{ config, lib, pkgs, ... }: {
  environment.systemPackages = [
    (pkgs.runCommandLocal "vscode-fhs-bind-host" { } ''
      mkdir -p "$out/bin/"
      substitute \
        "${pkgs.vscode-fhs}/bin/code" \
        "$out/bin/code" \
        --replace "declare -a auto_mounts" "auto_mounts=(--bind-try /etc/nixos /etc/nixos)"
      chmod 555 "$out/bin/code"
    '')
  ];
}