The problem
On a laptop, I am using a single-user install of nix on a non-NixOS Linux distro. I am trying to use nixos-generators to declaratively set up Qemu virtual machines.
```nix
# flake.nix
{
  inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
  inputs.nixos-generators = {
    url = "github:nix-community/nixos-generators";
    inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, nixpkgs, nixos-generators, ... }:
  {
    packages.x86_64-linux = {
      testMachine = nixos-generators.nixosGenerate {
        pkgs = nixpkgs.legacyPackages.x86_64-linux;
        modules = [ ./configuration.nix ];
        format = "vm";
      };
    };
  };
}
```
```nix
# configuration.nix
let
  user = rec {
    name = "rpaulson";
    value = {
      password = "rp";
      extraGroups = [ "networkmanager" "wheel" ];
      home = "/home/${user.name}";
      isNormalUser = true;
    };
  };
in
{
  users = {
    extraUsers = builtins.listToAttrs [ user ];
  };
}
```
I can build and run my VM with the following commands:
```sh
$ nix build .#testMachine
$ ./result/bin/run-nixos-vm
```
However, in this VM, I can’t use sudo:
```sh
$ sudo ls
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: /nix/store/6zv1v6i11s295rc5z6p84f62cpvhlmn3-sudo-1.9.10/libexec/sudo/sudoers.so must be owned by uid 0
sudo: fatal error, unable to load plugins
```
Indeed, everything under /nix/store/ is owned by 1000:1000.
AFAICT, this is because the Qemu starting command uses -virtfs to mount the host’s /nix/store (which is owned by 1000:1000, my user and group) into the guest’s:
```
    # Start QEMU.
    exec ${qemu-common.qemuBinary qemu} \
        -name ${config.system.name} \
        -m ${toString config.virtualisation.memorySize} \
        -smp ${toString config.virtualisation.cores} \
        -device virtio-rng-pci \
        ${concatStringsSep " " config.virtualisation.qemu.networkingOptions} \
        ${concatStringsSep " \\\n    "
          (mapAttrsToList
            (tag: share: "-virtfs local,path=${share.source},security_model=none,mount_tag=${tag}")
            config.virtualisation.sharedDirectories)} \
        ${drivesCmdLine config.virtualisation.qemu.drives} \
        ${concatStringsSep " \\\n    " config.virtualisation.qemu.options} \
        $QEMU_OPTS \
        "$@"
'';
```
Searching for a solution
I couldn’t find any option to change the mountpoint permissions from the Qemu CLI in the documentation.
Without success, I searched for a place where the /nix/store is explicitly mounted, but I believe it isn’t anywhere, because -virtfs seems to automagically do it.
Does anyone have any tips, ideas, or tricks on how to solve this issue?
(Sadly, changing the host OS or the nix install is not an option.)
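A guest-side diagnostic for the failure described above, added here as an example (it is not part of the original post). It takes a /proc/mounts-style file and the plugin path from the sudo error as arguments, and assumes the VM runner mounts the shared store somewhere under /nix (at /nix/store, or at /nix/.ro-store beneath an overlay); the sample mounts line is constructed.

```sh
#!/bin/sh
# Added diagnostic for the "sudoers.so must be owned by uid 0" failure;
# not part of the original post. Arguments (assumed): a /proc/mounts-style
# file and the plugin path named in the sudo error.

# Print the numeric owner uid of a file; fail if it does not exist.
owner_uid() {
    [ -e "$1" ] || return 1
    stat -c '%u' "$1"
}

# Succeed when the mounts file shows a 9p share under /nix, i.e. the
# host's store passed through by -virtfs (mountpoint /nix/store or
# /nix/.ro-store is an assumption about the VM runner's layout).
store_is_9p_share() {
    awk 'BEGIN { rc = 1 }
         $3 == "9p" && $2 ~ "^/nix/" { rc = 0 }
         END { exit rc }' "$1"
}

# sudo refuses a policy plugin not owned by uid 0 (the "must be owned by
# uid 0" error). Exit 0 if acceptable, 2 if it will be refused, 1 if the
# plugin is missing.
diagnose_sudo_plugin() {
    mounts=$1
    plugin=$2
    uid=$(owner_uid "$plugin") || { echo "plugin not found: $plugin"; return 1; }
    if [ "$uid" -eq 0 ]; then
        echo "ok: $plugin is owned by uid 0"
        return 0
    fi
    echo "sudo will refuse $plugin: owned by uid $uid, not 0"
    if store_is_9p_share "$mounts"; then
        echo "cause: the store is a 9p share, so host uids are visible unchanged"
    fi
    return 2
}

# Demo on constructed input: a sample mounts line and an empty file that
# stands in for sudoers.so (owned by whoever runs this, not uid 0).
demo() {
    tmp=$(mktemp -d)
    echo 'nix-store /nix/store 9p ro,trans=virtio,version=9p2000.L 0 0' > "$tmp/mounts"
    : > "$tmp/sudoers.so"
    diagnose_sudo_plugin "$tmp/mounts" "$tmp/sudoers.so"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
case "${1:-}" in --demo) demo ;; esac
```

Inside the guest, `diagnose_sudo_plugin /proc/mounts <path from the sudo error>` reports the ownership sudo is complaining about and whether a 9p-shared store explains it.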
Similar issues
opened 09:38AM - 03 Jun 19 UTC
## Issue description
I'm deploying a postgresql server using NixOps and the postgres post-start script times out. I'm deploying from a Fedora system running a single-user installation of Nix. The underlying issue is this:
```sh
# /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/bin/sudo -u postgres psql --port=5432 -d postgres -c
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/libexec/sudo/sudoers.so must be owned by uid 0
sudo: fatal error, unable to load plugins
```
And indeed sudoers.so is not owned by root:
```sh
# ls -lh /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/libexec/sudo/sudoers.so
-r--r--r-- 1 1000 users 386K Jan 1 1970 /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/libexec/sudo/sudoers.so
```
The issue seems to be that the permissions from my Fedora system bleed through. The uid/gid of sudoers.so is the same as on my Fedora system (1000/1000). I assume this is a problem in the Nix expression for "sudo", but I'm not sure.
### Steps to reproduce
1. Install Nix as a single-user installation (the default) on any non-Nix Linux distro.
2. Use NixOps to deploy postgres to a Nix system
3. See postgres init script time out.
## Technical details
```sh
# On the system where I run NixOps
% nix-shell -p nix-info --run "nix-info -m"
- system: `"x86_64-linux"`
- host os: `Linux 5.0.17-200.fc29.x86_64, Fedora, 29 (Workstation Edition)`
- multi-user?: `no`
- sandbox: `yes`
- version: `nix-env (Nix) 2.2.2`
- channels(julian): `"nixpkgs-19.09pre181045.61f0936d1cd"`
- nixpkgs: `/home/julian/.nix-defexpr/channels/nixpkgs`
```
cc: @tfc
opened 03:01AM - 23 Apr 18 UTC
backends/libvirtd
I regularly seem to have ownership problems when using nixops. For instance `journalctl -b` would show
`Cannot execute '/etc/NetworkManager/dispatcher.d/02overridedns': not owned by root.`
or when setting zsh as a shell https://github.com/NixOS/nixpkgs/issues/39189
Output from the nixops VM:
```
[root@client:~]# ls -lL /etc/NetworkManager/dispatcher.d/
total 12
-r-xr-xr-x 1 nobody nogroup 511 Jan 1 1970 02overridedns
-r-xr-xr-x 1 root root 1251 Jan 1 1970 03userscript0001
-r-xr-xr-x 1 root root 288 Jan 1 1970 03userscript0002
```
I configure the libvirtd service with
```
qemuVerbatimConfig = ''
namespaces = []
# # Whether libvirt should dynamically change file ownership
# # dynamic_ownership = 1
user="teto"
group="libvirtd"
'';
```