pyrox.dev / nixpkgs
lol
fork atom

nixos/etc-overlay: always create the metadata mountpoints in /run

This avoids the dependence on the presence of /tmp, which causes issues
with nixos-install

r-vdp df7c405f 2187d197

options
unified split
Changed files
+26 -18
nixos
modules
system
etc
etc-activation.nix
etc.nix
tests
activation
etc-overlay-immutable.nix
etc-overlay-mutable.nix
+3 -3
nixos/modules/system/etc/etc-activation.nix 
···

       
47

       
 

       
      boot.initrd.systemd = {


     

       
48

       
 

       
        mounts = [


     

       
49

       
 

       
          {


     

       
50

       
-

       
            where = "/run/etc-metadata";


     

       
51

       
 

       
            what = "/etc-metadata-image";


     

       
52

       
 

       
            type = "erofs";


     

       
53

       
 

       
            options = "loop,ro";


     
···

       
82

       
 

       
                "relatime"


     

       
83

       
 

       
                "redirect_dir=on"


     

       
84

       
 

       
                "metacopy=on"


     

       
85

       
-

       
                "lowerdir=/run/etc-metadata::/etc-basedir"


     

       
86

       
 

       
              ]


     

       
87

       
 

       
              ++ lib.optionals config.system.etc.overlay.mutable [


     

       
88

       
 

       
                "rw"


     
···

       
112

       
 

       
            unitConfig = {


     

       
113

       
 

       
              RequiresMountsFor = [


     

       
114

       
 

       
                "/sysroot/nix/store"


     

       
115

       
-

       
                "/run/etc-metadata"


     

       
116

       
 

       
              ];


     

       
117

       
 

       
              DefaultDependencies = false;


     

       
118

       
 

       
            };


     
···

       
47

       
 

       
      boot.initrd.systemd = {


     

       
48

       
 

       
        mounts = [


     

       
49

       
 

       
          {


     

       
50

       
+

       
            where = "/run/nixos-etc-metadata";


     

       
51

       
 

       
            what = "/etc-metadata-image";


     

       
52

       
 

       
            type = "erofs";


     

       
53

       
 

       
            options = "loop,ro";


     
···

       
82

       
 

       
                "relatime"


     

       
83

       
 

       
                "redirect_dir=on"


     

       
84

       
 

       
                "metacopy=on"


     

       
85

       
+

       
                "lowerdir=/run/nixos-etc-metadata::/etc-basedir"


     

       
86

       
 

       
              ]


     

       
87

       
 

       
              ++ lib.optionals config.system.etc.overlay.mutable [


     

       
88

       
 

       
                "rw"


     
···

       
112

       
 

       
            unitConfig = {


     

       
113

       
 

       
              RequiresMountsFor = [


     

       
114

       
 

       
                "/sysroot/nix/store"


     

       
115

       
+

       
                "/run/nixos-etc-metadata"


     

       
116

       
 

       
              ];


     

       
117

       
 

       
              DefaultDependencies = false;


     

       
118

       
 

       
            };
+3 -3
nixos/modules/system/etc/etc.nix 
···

       
274

       
 

       
              chmod --recursive 0755 /.rw-etc


     

       
275

       
 

       
            ''}


     

       
276

       
 

       



     

       
277

       
-

       
            tmpMetadataMount=$(TMPDIR="" mktemp --tmpdir=/tmp --directory -t nixos-etc-metadata.XXXXXXXXXX)


     

       
278

       
 

       
            mount --type erofs -o ro ${config.system.build.etcMetadataImage} $tmpMetadataMount


     

       
279

       
 

       



     

       
280

       
 

       
            # There was no previous /etc mounted. This happens when we're called


     
···

       
287

       
 

       
              # Mount the new /etc overlay to a temporary private mount.


     

       
288

       
 

       
              # This needs the indirection via a private bind mount because you


     

       
289

       
 

       
              # cannot move shared mounts.


     

       
290

       
-

       
              tmpEtcMount=$(TMPDIR="" mktemp --tmpdir=/tmp --directory -t nixos-etc.XXXXXXXXXX)


     

       
291

       
 

       
              mount --bind --make-private $tmpEtcMount $tmpEtcMount


     

       
292

       
 

       
              mount --type overlay overlay \


     

       
293

       
 

       
                --options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \


     
···

       
341

       
 

       
            # mounts. So we'll just find all mounts of type erofs and filter on the


     

       
342

       
 

       
            # name of the mountpoint.


     

       
343

       
 

       
            findmnt --type erofs --list --kernel --output TARGET | while read -r mountPoint; do


     

       
344

       
-

       
              if [[ "$mountPoint" =~ ^/tmp/nixos-etc-metadata\..{10}$ &&


     

       
345

       
 

       
                    "$mountPoint" != "$tmpMetadataMount" ]]; then


     

       
346

       
 

       
                umount --lazy "$mountPoint"


     

       
347

       
 

       
                rmdir "$mountPoint"


     
···

       
274

       
 

       
              chmod --recursive 0755 /.rw-etc


     

       
275

       
 

       
            ''}


     

       
276

       
 

       



     

       
277

       
+

       
            tmpMetadataMount=$(TMPDIR="/run" mktemp --directory -t nixos-etc-metadata.XXXXXXXXXX)


     

       
278

       
 

       
            mount --type erofs -o ro ${config.system.build.etcMetadataImage} $tmpMetadataMount


     

       
279

       
 

       



     

       
280

       
 

       
            # There was no previous /etc mounted. This happens when we're called


     
···

       
287

       
 

       
              # Mount the new /etc overlay to a temporary private mount.


     

       
288

       
 

       
              # This needs the indirection via a private bind mount because you


     

       
289

       
 

       
              # cannot move shared mounts.


     

       
290

       
+

       
              tmpEtcMount=$(TMPDIR="/run" mktemp --directory -t nixos-etc.XXXXXXXXXX)


     

       
291

       
 

       
              mount --bind --make-private $tmpEtcMount $tmpEtcMount


     

       
292

       
 

       
              mount --type overlay overlay \


     

       
293

       
 

       
                --options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \


     
···

       
341

       
 

       
            # mounts. So we'll just find all mounts of type erofs and filter on the


     

       
342

       
 

       
            # name of the mountpoint.


     

       
343

       
 

       
            findmnt --type erofs --list --kernel --output TARGET | while read -r mountPoint; do


     

       
344

       
+

       
              if [[ ("$mountPoint" =~ ^/run/nixos-etc-metadata\..{10}$ || "$mountPoint" =~ ^/run/nixos-etc-metadata$ ) &&


     

       
345

       
 

       
                    "$mountPoint" != "$tmpMetadataMount" ]]; then


     

       
346

       
 

       
                umount --lazy "$mountPoint"


     

       
347

       
 

       
                rmdir "$mountPoint"
+10 -6
nixos/tests/activation/etc-overlay-immutable.nix 
···

       
39

       
 

       
    ''


     

       
40

       
 

       
      newergen = machine.succeed("realpath /run/current-system/specialisation/newer-generation/bin/switch-to-configuration").rstrip()


     

       
41

       
 

       



     

       
42

       
-

       
      with subtest("/run/etc-metadata/ is mounted"):


     

       
43

       
-

       
        print(machine.succeed("mountpoint /run/etc-metadata"))


     

       
44

       
 

       



     

       
45

       
 

       
      with subtest("No temporary files leaked into stage 2"):


     

       
46

       
 

       
        machine.succeed("[ ! -e /etc-metadata-image ]")


     
···

       
91

       
 

       



     

       
92

       
 

       
        machine.succeed(f"{newergen} switch")


     

       
93

       
 

       



     

       
94

       
-

       
        tmpMounts = machine.succeed("find /tmp -maxdepth 1 -type d -regex '/tmp/nixos-etc\\..*' | wc -l").rstrip()


     

       
95

       
-

       
        metaMounts = machine.succeed("find /tmp -maxdepth 1 -type d -regex '/tmp/nixos-etc-metadata\\..*' | wc -l").rstrip()


     

       

       

       
     

       

       

       
     

       
96

       
 

       



     

       
97

       
-

       
        assert tmpMounts == "0", f"Found {tmpMounts} remaining tmpmounts"


     

       
98

       
-

       
        assert metaMounts == "1", f"Found {metaMounts} remaining metamounts"


     

       

       

       
     

       

       

       
     

       
99

       
 

       
    '';


     

       
100

       
 

       
}


     
···

       
39

       
 

       
    ''


     

       
40

       
 

       
      newergen = machine.succeed("realpath /run/current-system/specialisation/newer-generation/bin/switch-to-configuration").rstrip()


     

       
41

       
 

       



     

       
42

       
+

       
      with subtest("/run/nixos-etc-metadata/ is mounted"):


     

       
43

       
+

       
        print(machine.succeed("mountpoint /run/nixos-etc-metadata"))


     

       
44

       
 

       



     

       
45

       
 

       
      with subtest("No temporary files leaked into stage 2"):


     

       
46

       
 

       
        machine.succeed("[ ! -e /etc-metadata-image ]")


     
···

       
91

       
 

       



     

       
92

       
 

       
        machine.succeed(f"{newergen} switch")


     

       
93

       
 

       



     

       
94

       
+

       
        tmpMounts = machine.succeed("find /run -maxdepth 1 -type d -regex '/run/nixos-etc\\..*'").rstrip()


     

       
95

       
+

       
        print(tmpMounts)


     

       
96

       
+

       
        metaMounts = machine.succeed("find /run -maxdepth 1 -type d -regex '/run/nixos-etc-metadata.*'").rstrip()


     

       
97

       
+

       
        print(metaMounts)


     

       
98

       
 

       



     

       
99

       
+

       
        numOfTmpMounts = len(tmpMounts.splitlines())


     

       
100

       
+

       
        numOfMetaMounts = len(metaMounts.splitlines())


     

       
101

       
+

       
        assert numOfTmpMounts == 0, f"Found {numOfTmpMounts} remaining tmpmounts"


     

       
102

       
+

       
        assert numOfMetaMounts == 1, f"Found {numOfMetaMounts} remaining metamounts"


     

       
103

       
 

       
    '';


     

       
104

       
 

       
}
+10 -6
nixos/tests/activation/etc-overlay-mutable.nix 
···

       
27

       
 

       
    ''


     

       
28

       
 

       
      newergen = machine.succeed("realpath /run/current-system/specialisation/newer-generation/bin/switch-to-configuration").rstrip()


     

       
29

       
 

       



     

       
30

       
-

       
      with subtest("/run/etc-metadata/ is mounted"):


     

       
31

       
-

       
        print(machine.succeed("mountpoint /run/etc-metadata"))


     

       
32

       
 

       



     

       
33

       
 

       
      with subtest("No temporary files leaked into stage 2"):


     

       
34

       
 

       
        machine.succeed("[ ! -e /etc-metadata-image ]")


     
···

       
68

       
 

       
        machine.succeed(f"{newergen} switch")


     

       
69

       
 

       
        assert machine.succeed("cat /etc/newergen") == "newergen"


     

       
70

       
 

       



     

       
71

       
-

       
        tmpMounts = machine.succeed("find /tmp -maxdepth 1 -type d -regex '/tmp/nixos-etc\\..*' | wc -l").rstrip()


     

       
72

       
-

       
        metaMounts = machine.succeed("find /tmp -maxdepth 1 -type d -regex '/tmp/nixos-etc-metadata\\..*' | wc -l").rstrip()


     

       

       

       
     

       

       

       
     

       
73

       
 

       



     

       
74

       
-

       
        assert tmpMounts == "0", f"Found {tmpMounts} remaining tmpmounts"


     

       
75

       
-

       
        assert metaMounts == "1", f"Found {metaMounts} remaining metamounts"


     

       

       

       
     

       

       

       
     

       
76

       
 

       
    '';


     

       
77

       
 

       
}


     
···

       
27

       
 

       
    ''


     

       
28

       
 

       
      newergen = machine.succeed("realpath /run/current-system/specialisation/newer-generation/bin/switch-to-configuration").rstrip()


     

       
29

       
 

       



     

       
30

       
+

       
      with subtest("/run/nixos-etc-metadata/ is mounted"):


     

       
31

       
+

       
        print(machine.succeed("mountpoint /run/nixos-etc-metadata"))


     

       
32

       
 

       



     

       
33

       
 

       
      with subtest("No temporary files leaked into stage 2"):


     

       
34

       
 

       
        machine.succeed("[ ! -e /etc-metadata-image ]")


     
···

       
68

       
 

       
        machine.succeed(f"{newergen} switch")


     

       
69

       
 

       
        assert machine.succeed("cat /etc/newergen") == "newergen"


     

       
70

       
 

       



     

       
71

       
+

       
        tmpMounts = machine.succeed("find /run -maxdepth 1 -type d -regex '/run/nixos-etc\\..*'").rstrip()


     

       
72

       
+

       
        print(tmpMounts)


     

       
73

       
+

       
        metaMounts = machine.succeed("find /run -maxdepth 1 -type d -regex '/run/nixos-etc-metadata.*'").rstrip()


     

       
74

       
+

       
        print(metaMounts)


     

       
75

       
 

       



     

       
76

       
+

       
        numOfTmpMounts = len(tmpMounts.splitlines())


     

       
77

       
+

       
        numOfMetaMounts = len(metaMounts.splitlines())


     

       
78

       
+

       
        assert numOfTmpMounts == 0, f"Found {numOfTmpMounts} remaining tmpmounts"


     

       
79

       
+

       
        assert numOfMetaMounts == 1, f"Found {numOfMetaMounts} remaining metamounts"


     

       
80

       
 

       
    '';


     

       
81

       
 

       
}