pyrox.dev / nixpkgs
lol
fork atom

nixos/etc-overlay: make the etc overlay compatible with nixos-enter and nixos-install

When using nixos-enter (and so also nixos-install) on a system with etc-overlay enabled,
he activation script gets called directly, and there is no systemd running.
This violates a couple of assumptions in the etc-overlay activation script which
assumed that it only ever ran when switching into a new generation and that
the very first /etc would always have been set up by the systemd initrd.

As more and more things are being moved into systemd components (initrd services,
mount units, tmpfiles, etc), I think that it is going to become increasingly
difficult to stay compatible with these tools, but at least for now there is
no real alternative and so we probably want to be able to install systems
with etc-overlay enabled.

r-vdp 2187d197 d18fae80

options
unified split
Changed files
+76 -52
nixos
modules
system
etc
etc-activation.nix
etc.nix
pkgs
by-name
ni
nixos-enter
nixos-enter.sh
+1
nixos/modules/system/etc/etc-activation.nix 
···

       
15

       
 

       
      system.activationScripts.etc = lib.stringAfter [


     

       
16

       
 

       
        "users"


     

       
17

       
 

       
        "groups"


     

       

       

       
     

       
18

       
 

       
      ] config.system.build.etcActivationCommands;


     

       
19

       
 

       
    }


     

       
20

       
 

       



     
···

       
15

       
 

       
      system.activationScripts.etc = lib.stringAfter [


     

       
16

       
 

       
        "users"


     

       
17

       
 

       
        "groups"


     

       
18

       
+

       
        "specialfs"


     

       
19

       
 

       
      ] config.system.build.etcActivationCommands;


     

       
20

       
 

       
    }


     

       
21
+72 -50
nixos/modules/system/etc/etc.nix 
···

       
250

       
 

       
        );


     

       
251

       
 

       
      in


     

       
252

       
 

       
      if config.system.etc.overlay.enable then


     

       

       

       
     

       
253

       
 

       
        ''


     

       
254

       
-

       
          # This script atomically remounts /etc when switching configuration. On a (re-)boot


     

       
255

       
-

       
          # this should not run because /etc is mounted via a systemd mount unit


     

       
256

       
-

       
          # instead. To a large extent this mimics what composefs does. Because


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
257

       
 

       
          # it's relatively simple, however, we avoid the composefs dependency.


     

       
258

       
 

       
          # Since this script is not idempotent, it should not run when etc hasn't


     

       
259

       
 

       
          # changed.


     

       
260

       
 

       
          if [[ ! $IN_NIXOS_SYSTEMD_STAGE1 ]] && [[ "${config.system.build.etc}/etc" != "$(readlink -f /run/current-system/etc)" ]]; then


     

       
261

       
 

       
            echo "remounting /etc..."


     

       
262

       
 

       



     

       
263

       
-

       
            tmpMetadataMount=$(mktemp --directory -t nixos-etc-metadata.XXXXXXXXXX)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
264

       
 

       
            mount --type erofs -o ro ${config.system.build.etcMetadataImage} $tmpMetadataMount


     

       
265

       
 

       



     

       
266

       
-

       
            # Mount the new /etc overlay to a temporary private mount.


     

       
267

       
-

       
            # This needs the indirection via a private bind mount because you


     

       
268

       
-

       
            # cannot move shared mounts.


     

       
269

       
-

       
            tmpEtcMount=$(mktemp --directory -t nixos-etc.XXXXXXXXXX)


     

       
270

       
-

       
            mount --bind --make-private $tmpEtcMount $tmpEtcMount


     

       
271

       
-

       
            mount --type overlay overlay \


     

       
272

       
-

       
              --options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \


     

       
273

       
-

       
              $tmpEtcMount


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
274

       
 

       



     

       
275

       
-

       
            # Before moving the new /etc overlay under the old /etc, we have to


     

       
276

       
-

       
            # move mounts on top of /etc to the new /etc mountpoint.


     

       
277

       
-

       
            findmnt /etc --submounts --list --noheading --kernel --output TARGET | while read -r mountPoint; do


     

       
278

       
-

       
              if [[ "$mountPoint" = "/etc" ]]; then


     

       
279

       
-

       
                continue


     

       
280

       
-

       
              fi


     

       
281

       
 

       



     

       
282

       
-

       
              tmpMountPoint="$tmpEtcMount/''${mountPoint:5}"


     

       
283

       
-

       
                ${


     

       
284

       
-

       
                  if config.system.etc.overlay.mutable then


     

       
285

       
-

       
                    ''


     

       
286

       
-

       
                      if [[ -f "$mountPoint" ]]; then


     

       
287

       
-

       
                        touch "$tmpMountPoint"


     

       
288

       
-

       
                      elif [[ -d "$mountPoint" ]]; then


     

       
289

       
-

       
                        mkdir -p "$tmpMountPoint"


     

       
290

       
-

       
                      fi


     

       
291

       
-

       
                    ''


     

       
292

       
-

       
                  else


     

       
293

       
-

       
                    ''


     

       
294

       
-

       
                      if [[ ! -e "$tmpMountPoint" ]]; then


     

       
295

       
-

       
                        echo "Skipping undeclared mountpoint in environment.etc: $mountPoint"


     

       
296

       
-

       
                        continue


     

       
297

       
-

       
                      fi


     

       
298

       
-

       
                    ''


     

       
299

       
-

       
                }


     

       
300

       
-

       
              mount --bind "$mountPoint" "$tmpMountPoint"


     

       
301

       
-

       
            done


     

       
302

       
 

       



     

       
303

       
-

       
            # Move the new temporary /etc mount underneath the current /etc mount.


     

       
304

       
-

       
            #


     

       
305

       
-

       
            # This should eventually use util-linux to perform this move beneath,


     

       
306

       
-

       
            # however, this functionality is not yet in util-linux. See this


     

       
307

       
-

       
            # tracking issue: https://github.com/util-linux/util-linux/issues/2604


     

       
308

       
-

       
            ${pkgs.move-mount-beneath}/bin/move-mount --move --beneath $tmpEtcMount /etc


     

       
309

       
 

       



     

       
310

       
-

       
            # Unmount the top /etc mount to atomically reveal the new mount.


     

       
311

       
-

       
            umount --lazy --recursive /etc


     

       
312

       
 

       



     

       
313

       
-

       
            # Unmount the temporary mount


     

       
314

       
-

       
            umount --lazy "$tmpEtcMount"


     

       
315

       
-

       
            rmdir "$tmpEtcMount"


     

       

       

       
     

       
316

       
 

       



     

       
317

       
 

       
            # Unmount old metadata mounts


     

       
318

       
 

       
            # For some reason, `findmnt /tmp --submounts` does not show the nested


     
···

       
321

       
 

       
            findmnt --type erofs --list --kernel --output TARGET | while read -r mountPoint; do


     

       
322

       
 

       
              if [[ "$mountPoint" =~ ^/tmp/nixos-etc-metadata\..{10}$ &&


     

       
323

       
 

       
                    "$mountPoint" != "$tmpMetadataMount" ]]; then


     

       
324

       
-

       
                umount --lazy $mountPoint


     

       
325

       
 

       
                rmdir "$mountPoint"


     

       
326

       
 

       
              fi


     

       
327

       
 

       
            done


     
···

       
250

       
 

       
        );


     

       
251

       
 

       
      in


     

       
252

       
 

       
      if config.system.etc.overlay.enable then


     

       
253

       
+

       
        #bash


     

       
254

       
 

       
        ''


     

       
255

       
+

       
          # This script atomically remounts /etc when switching configuration.


     

       
256

       
+

       
          # On a (re-)boot this should not run because /etc is mounted via a


     

       
257

       
+

       
          # systemd mount unit instead.


     

       
258

       
+

       
          # The activation script can also be called in cases where we didn't have


     

       
259

       
+

       
          # an initrd though, like for instance when using  nixos-enter,


     

       
260

       
+

       
          # so we cannot assume that /etc has already been mounted.


     

       
261

       
+

       
          #


     

       
262

       
+

       
          # To a large extent this mimics what composefs does. Because


     

       
263

       
 

       
          # it's relatively simple, however, we avoid the composefs dependency.


     

       
264

       
 

       
          # Since this script is not idempotent, it should not run when etc hasn't


     

       
265

       
 

       
          # changed.


     

       
266

       
 

       
          if [[ ! $IN_NIXOS_SYSTEMD_STAGE1 ]] && [[ "${config.system.build.etc}/etc" != "$(readlink -f /run/current-system/etc)" ]]; then


     

       
267

       
 

       
            echo "remounting /etc..."


     

       
268

       
 

       



     

       
269

       
+

       
            ${lib.optionalString config.system.etc.overlay.mutable ''


     

       
270

       
+

       
              # These directories are usually created in initrd,


     

       
271

       
+

       
              # but we need to create them here when we didn't we're called directly,


     

       
272

       
+

       
              # for instance by nixos-enter


     

       
273

       
+

       
              mkdir --parents /.rw-etc/upper /.rw-etc/work


     

       
274

       
+

       
              chmod --recursive 0755 /.rw-etc


     

       
275

       
+

       
            ''}


     

       
276

       
+

       



     

       
277

       
+

       
            tmpMetadataMount=$(TMPDIR="" mktemp --tmpdir=/tmp --directory -t nixos-etc-metadata.XXXXXXXXXX)


     

       
278

       
 

       
            mount --type erofs -o ro ${config.system.build.etcMetadataImage} $tmpMetadataMount


     

       
279

       
 

       



     

       
280

       
+

       
            # There was no previous /etc mounted. This happens when we're called


     

       
281

       
+

       
            # directly without an initrd, like with nixos-enter.


     

       
282

       
+

       
            if ! mountpoint -q /etc; then


     

       
283

       
+

       
              mount --type overlay overlay \


     

       
284

       
+

       
                --options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \


     

       
285

       
+

       
                /etc


     

       
286

       
+

       
            else


     

       
287

       
+

       
              # Mount the new /etc overlay to a temporary private mount.


     

       
288

       
+

       
              # This needs the indirection via a private bind mount because you


     

       
289

       
+

       
              # cannot move shared mounts.


     

       
290

       
+

       
              tmpEtcMount=$(TMPDIR="" mktemp --tmpdir=/tmp --directory -t nixos-etc.XXXXXXXXXX)


     

       
291

       
+

       
              mount --bind --make-private $tmpEtcMount $tmpEtcMount


     

       
292

       
+

       
              mount --type overlay overlay \


     

       
293

       
+

       
                --options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \


     

       
294

       
+

       
                $tmpEtcMount


     

       
295

       
 

       



     

       
296

       
+

       
              # Before moving the new /etc overlay under the old /etc, we have to


     

       
297

       
+

       
              # move mounts on top of /etc to the new /etc mountpoint.


     

       
298

       
+

       
              findmnt /etc --submounts --list --noheading --kernel --output TARGET | while read -r mountPoint; do


     

       
299

       
+

       
                if [[ "$mountPoint" = "/etc" ]]; then


     

       
300

       
+

       
                  continue


     

       
301

       
+

       
                fi


     

       
302

       
 

       



     

       
303

       
+

       
                tmpMountPoint="$tmpEtcMount/''${mountPoint:5}"


     

       
304

       
+

       
                  ${


     

       
305

       
+

       
                    if config.system.etc.overlay.mutable then


     

       
306

       
+

       
                      ''


     

       
307

       
+

       
                        if [[ -f "$mountPoint" ]]; then


     

       
308

       
+

       
                          touch "$tmpMountPoint"


     

       
309

       
+

       
                        elif [[ -d "$mountPoint" ]]; then


     

       
310

       
+

       
                          mkdir -p "$tmpMountPoint"


     

       
311

       
+

       
                        fi


     

       
312

       
+

       
                      ''


     

       
313

       
+

       
                    else


     

       
314

       
+

       
                      ''


     

       
315

       
+

       
                        if [[ ! -e "$tmpMountPoint" ]]; then


     

       
316

       
+

       
                          echo "Skipping undeclared mountpoint in environment.etc: $mountPoint"


     

       
317

       
+

       
                          continue


     

       
318

       
+

       
                        fi


     

       
319

       
+

       
                      ''


     

       
320

       
+

       
                  }


     

       
321

       
+

       
                mount --bind "$mountPoint" "$tmpMountPoint"


     

       
322

       
+

       
              done


     

       
323

       
 

       



     

       
324

       
+

       
              # Move the new temporary /etc mount underneath the current /etc mount.


     

       
325

       
+

       
              #


     

       
326

       
+

       
              # This should eventually use util-linux to perform this move beneath,


     

       
327

       
+

       
              # however, this functionality is not yet in util-linux. See this


     

       
328

       
+

       
              # tracking issue: https://github.com/util-linux/util-linux/issues/2604


     

       
329

       
+

       
              ${pkgs.move-mount-beneath}/bin/move-mount --move --beneath $tmpEtcMount /etc


     

       
330

       
 

       



     

       
331

       
+

       
              # Unmount the top /etc mount to atomically reveal the new mount.


     

       
332

       
+

       
              umount --lazy --recursive /etc


     

       
333

       
 

       



     

       
334

       
+

       
              # Unmount the temporary mount


     

       
335

       
+

       
              umount --lazy "$tmpEtcMount"


     

       
336

       
+

       
              rmdir "$tmpEtcMount"


     

       
337

       
+

       
            fi


     

       
338

       
 

       



     

       
339

       
 

       
            # Unmount old metadata mounts


     

       
340

       
 

       
            # For some reason, `findmnt /tmp --submounts` does not show the nested


     
···

       
343

       
 

       
            findmnt --type erofs --list --kernel --output TARGET | while read -r mountPoint; do


     

       
344

       
 

       
              if [[ "$mountPoint" =~ ^/tmp/nixos-etc-metadata\..{10}$ &&


     

       
345

       
 

       
                    "$mountPoint" != "$tmpMetadataMount" ]]; then


     

       
346

       
+

       
                umount --lazy "$mountPoint"


     

       
347

       
 

       
                rmdir "$mountPoint"


     

       
348

       
 

       
              fi


     

       
349

       
 

       
            done
+3 -2
pkgs/by-name/ni/nixos-enter/nixos-enter.sh 
···

       
58

       
 

       
    exit 126


     

       
59

       
 

       
fi


     

       
60

       
 

       



     

       
61

       
-

       
mkdir -p "$mountPoint/dev" "$mountPoint/sys"


     

       
62

       
-

       
chmod 0755 "$mountPoint/dev" "$mountPoint/sys"


     

       
63

       
 

       
mount --rbind /dev "$mountPoint/dev"


     

       
64

       
 

       
mount --rbind /sys "$mountPoint/sys"


     

       

       

       
     

       
65

       
 

       



     

       
66

       
 

       
# modified from https://github.com/archlinux/arch-install-scripts/blob/bb04ab435a5a89cd5e5ee821783477bc80db797f/arch-chroot.in#L26-L52


     

       
67

       
 

       
chroot_add_resolv_conf() {


     
···

       
58

       
 

       
    exit 126


     

       
59

       
 

       
fi


     

       
60

       
 

       



     

       
61

       
+

       
mkdir -p "$mountPoint/dev" "$mountPoint/sys" "$mountPoint/proc"


     

       
62

       
+

       
chmod 0755 "$mountPoint/dev" "$mountPoint/sys" "$mountPoint/proc"


     

       
63

       
 

       
mount --rbind /dev "$mountPoint/dev"


     

       
64

       
 

       
mount --rbind /sys "$mountPoint/sys"


     

       
65

       
+

       
mount --rbind /proc "$mountPoint/proc"


     

       
66

       
 

       



     

       
67

       
 

       
# modified from https://github.com/archlinux/arch-install-scripts/blob/bb04ab435a5a89cd5e5ee821783477bc80db797f/arch-chroot.in#L26-L52


     

       
68

       
 

       
chroot_add_resolv_conf() {