`nixos-generators` from single user `nix` install has ownership issues

Pamplemousse · March 16, 2022, 5:44pm

The problem

On a laptop, I am using a single user install nix on a non-NixOS Linux distro.

I am trying to use nixos-generators to declaratively setup Qemu virtual machines.

# flake.nix
{
  inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
  inputs.nixos-generators = {
    url = "github:nix-community/nixos-generators";
    inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, nixos-generators, ... }:
    {
      packages.x86_64-linux = {
        testMachine = nixos-generators.nixosGenerate {
          pkgs = nixpkgs.legacyPackages.x86_64-linux;
          modules = [ ./configuration.nix ];
          format = "vm";
        };
      };
    };
}

# configuration.nix
let
  user = rec {
    name = "rpaulson";
    value = {
      password = "rp";
      extraGroups = [ "networkmanager" "wheel" ];
      home = "/home/${user.name}";
      isNormalUser = true;
    };
  };
in
{
  users = {
    extraUsers = builtins.listToAttrs [ user ];
  };
}

I can build and run my VM with the following commands:

$ nix build .#testMachine
$ ./result/bin/run-nixos-vm

However, in this VM, I can’t use sudo

$ sudo ls
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: /nix/store/6zv1v6i11s295rc5z6p84f62cpvhlmn3-sudo-1.9.10/libexec/sudo/sudoers.so must be owned by uid 0
sudo: fatal error, unable to load plugins

Indeed, everything under /nix/store/ is owned by 1000:1000.
AFAICT, this is because the Qemu starting command uses -virtfs to mount the host’s /nix/store (which is owned by 1000:1000 - my user and group) to the guest’s.

github.com

NixOS/nixpkgs/blob/b13005f62433e5689c0d7b51606f2edacb035578/nixos/modules/virtualisation/qemu-vm.nix#L162-L177

    
      
            # Start QEMU.
            exec ${qemu-common.qemuBinary qemu} \
                -name ${config.system.name} \
                -m ${toString config.virtualisation.memorySize} \
                -smp ${toString config.virtualisation.cores} \
                -device virtio-rng-pci \
                ${concatStringsSep " " config.virtualisation.qemu.networkingOptions} \
                ${concatStringsSep " \\\n    "
                  (mapAttrsToList
                    (tag: share: "-virtfs local,path=${share.source},security_model=none,mount_tag=${tag}")
                    config.virtualisation.sharedDirectories)} \
                ${drivesCmdLine config.virtualisation.qemu.drives} \
                ${concatStringsSep " \\\n    " config.virtualisation.qemu.options} \
                $QEMU_OPTS \
                "$@"
          '';

Searching for a solution

I couldn’t find any option to change the mountpoint permissions from the Qemu CLI in the documentation.

Without success, I search for a place where the /nix/store is explicitely mounted, but I believe it’s not anywhere because the -virtfs seems to automagically do it.

Does anyone have any tips, ideas, or tricks on how to solve this issue?
(Sadly, changing the host OS or nix install is not an option).

Similar issues

github.com/NixOS/nixpkgs

sudoers.so permission problem

opened 09:38AM - 03 Jun 19 UTC

blitz

## Issue description I'm deploying a postgresql server using NixOps and the p…ostgres post-start script times out. I'm deploying from a Fedora system running a single-user installation of Nix. The underlying issue is this: ```sh # /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/bin/sudo -u postgres psql --port=5432 -d postg res -c sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy" sudo: /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/libexec/sudo/sudoers.so must be owned by uid 0 sudo: fatal error, unable to load plugins ``` And indeed sudoers.so is not owned by root: ```sh # ls -lh /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/libexec/sudo/sudoers.so -r--r--r-- 1 1000 users 386K Jan 1 1970 /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/libexec/sudo/sudoers. so ``` The issue seems to be that the permissions from my Fedora system bleed through. The uid/gid of sudoers.so is the same as on my Fedora system (1000/1000). I assume this is a problem in the Nix expression for "sudo", but I'm not sure. ### Steps to reproduce 1. Install Nix as a single-user installation (the default) on any non-Nix Linux distro. 2. Use NixOps to deploy postgres to a Nix system 3. See postgres init script time out. ## Technical details ```sh # On the system where I run NixOps % nix-shell -p nix-info --run "nix-info -m" - system: `"x86_64-linux"` - host os: `Linux 5.0.17-200.fc29.x86_64, Fedora, 29 (Workstation Edition)` - multi-user?: `no` - sandbox: `yes` - version: `nix-env (Nix) 2.2.2` - channels(julian): `"nixpkgs-19.09pre181045.61f0936d1cd"` - nixpkgs: `/home/julian/.nix-defexpr/channels/nixpkgs` ``` cc: @tfc

github.com/NixOS/nixops

permissions problems

opened 03:01AM - 23 Apr 18 UTC

teto

backends/libvirtd

I regularly seem to have ownership problems when using nixops. For instance` jou…rnalctl -b` would show ` Cannot execute '/etc/NetworkManager/dispatcher.d/02overridedns': not owned by root.` or when setting zsh as a shell https://github.com/NixOS/nixpkgs/issues/39189 Output from the nixops VM: ``` [root@client:~]# ls -lL /etc/NetworkManager/dispatcher.d/ total 12 -r-xr-xr-x 1 nobody nogroup 511 Jan 1 1970 02overridedns -r-xr-xr-x 1 root root 1251 Jan 1 1970 03userscript0001 -r-xr-xr-x 1 root root 288 Jan 1 1970 03userscript0002 ``` I configure the libvirtd service with ``` qemuVerbatimConfig = '' namespaces = [] # # Whether libvirt should dynamically change file ownership # # dynamic_ownership = 1 user="teto" group="libvirtd" ''; ```