Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-06-04 Thread Kirill Elagin
http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/

http://cgit.freedesktop.org/systemd/systemd/tree/src/core/main.c#n1469


--
Кирилл Елагин


On Wed, Jun 4, 2014 at 1:21 AM, Wout Mertens wout.mert...@gmail.com wrote:

 On Tue, Jun 3, 2014 at 8:30 PM, Kirill Elagin kirela...@gmail.com wrote:

  Obviously systemd would then have to not do things that udev etc are
 already doing... Just running services, opening sockets, handling cgroups...


 I doubt systemd can do this.
 First of all, with the new kernel cgroups interface only PID 1 can manage
 cgroups (on the kernel level).
 Then, to properly handle services (i.e. processes) systemd has to be PID
 1, right? Because otherwise it won't be able to track dead processes and
 all this stuff.


 Are you sure about PID 1? I can't find that in
 https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt

 I'm thinking systemd can run in user-mode, even if it's running as root.
 It's automatically turned on when it's not PID 1, I need to try it.

 Wout.

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-06-04 Thread Wout Mertens
too bad :-) Thanks for the find!


On Wed, Jun 4, 2014 at 8:14 AM, Kirill Elagin kirela...@gmail.com wrote:

 http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/

 http://cgit.freedesktop.org/systemd/systemd/tree/src/core/main.c#n1469


 --
 Кирилл Елагин


 On Wed, Jun 4, 2014 at 1:21 AM, Wout Mertens wout.mert...@gmail.com
 wrote:

 On Tue, Jun 3, 2014 at 8:30 PM, Kirill Elagin kirela...@gmail.com
 wrote:

  Obviously systemd would then have to not do things that udev etc are
 already doing... Just running services, opening sockets, handling 
 cgroups...


 I doubt systemd can do this.
 First of all, with the new kernel cgroups interface only PID 1 can
 manage cgroups (on the kernel level).
 Then, to properly handle services (i.e. processes) systemd has to be PID
 1, right? Because otherwise it won't be able to track dead processes and
 all this stuff.


 Are you sure about PID 1? I can't find that in
 https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt

 I'm thinking systemd can run in user-mode, even if it's running as root.
 It's automatically turned on when it's not PID 1, I need to try it.

 Wout.





Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-06-04 Thread Michael Raskin
 too bad :-) Thanks for the find!

By the way, note that PID-1-only cgroups management is a systemd 
decision, as far as I understand from the kernel mailing list posts, the
interface will still be a filesystem, and apparently it is OK to 
implement cgroup management by multiple root processes (i.e. not 
a migration to a single open socket).


On Wed, Jun 4, 2014 at 8:14 AM, Kirill Elagin kirela...@gmail.com wrote:

 http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/

 http://cgit.freedesktop.org/systemd/systemd/tree/src/core/main.c#n1469


 --
 Кирилл Елагин


 On Wed, Jun 4, 2014 at 1:21 AM, Wout Mertens wout.mert...@gmail.com
 wrote:

 On Tue, Jun 3, 2014 at 8:30 PM, Kirill Elagin kirela...@gmail.com
 wrote:

  Obviously systemd would then have to not do things that udev etc are
 already doing... Just running services, opening sockets, handling 
 cgroups...


 I doubt systemd can do this.
 First of all, with the new kernel cgroups interface only PID 1 can
 manage cgroups (on the kernel level).
 Then, to properly handle services (i.e. processes) systemd has to be PID
 1, right? Because otherwise it won't be able to track dead processes and
 all this stuff.


 Are you sure about PID 1? I can't find that in
 https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt

 I'm thinking systemd can run in user-mode, even if it's running as root.
 It's automatically turned on when it's not PID 1, I need to try it.

 Wout.








Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-06-04 Thread Michael Raskin
 Hm, I wasn't following the kernel ml on this, but from the systemd's
 document it follows that there has to be _exactly one_ writer to this
 filesystem and this is a restriction forced by the kernel. systemd's
 decision is that it will be PID 1, not some other process. On non-systemd
 systems that can be some other root process, not necessarily PID 1, but
 only one.

Actually, the SystemD document means «we know no good way to manage
this in a SystemD-friendly manner without having it all inside a single
process».

There is a general recommendation that cgroups management be reasonably
coordinated, but it is not kernel style to enforce as strict a policy
as a single writer process. Strict built-in policies usually come from
SystemD and not from the kernel, as a rule of thumb.

If we look at the work-in-progress documentation from the kernel
developers

http://article.gmane.org/gmane.linux.kernel.containers/27701/

the last chapter explicitly discusses much weaker measures.

Putting a planned changes section with

«
Requiring CAP is not a complete solution but should serve as a
significant deterrent against spraying cgroup usages in non-privileged
programs.
»

doesn't sound like «a single writer process» to me.


 too bad :-) Thanks for the find!

 By the way, note that PID-1-only cgroups management is a systemd
 decision, as far as I understand from the kernel mailing list posts, the
 interface will still be a filesystem, and apparently it is OK to
 implement cgroup management by multiple root processes (i.e. not
 a migration to a single open socket).

 
 On Wed, Jun 4, 2014 at 8:14 AM, Kirill Elagin kirela...@gmail.com
 wrote:
 
  http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/





Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-06-03 Thread Gergely Risko
Hi,

For single-user implementations we have this:
https://github.com/nilcons/ceh

In our startup we actively use this on several workstations and servers
with Debian/Ubuntu base systems.

This is less ambitious than your ideas, but worked very well for us.

Gergely

On Thu, 29 May 2014 17:28:48 +0200, Wout Mertens wout.mert...@gmail.com 
writes:

 I think there is room for improvement for installing and using nixpkgs
 on another distribution.

 I see two big problems:
 1. installation
 2. environment variables

 Installation:
 
 The single-user installation is cute, but realistically you need root
 anyway to create /nix so it would be nice if there was a script that
 set up the proper environment, with the correct permissions under
 /nix/var/nix, the system-wide shell profiles, nixbld users, a
 users-that-are-allowed-to-use-nix-env group and the nix-daemon startup
 script for the popular distros.

 Right now you need to manually do these things, and some are not
 obvious like having to change your ~/.nix-profile dir to a per-user
 one (/etc/profile.d/nix.sh points it to /nix/var/nix/profiles/default
 which doesn't exist, and nix-env -i doesn't seem to handle that case).

 The end goal should be run this script and you'll have full access to
 everything in Nixpkgs with per-user profiles and secure defaults. All
 barriers to adoption should be removed as much as possible.

 Environment Variables:
 =
 There are several packages that rely on environment variables to work
 correctly, like glibc ($TZ_DIR) and curl ($CURL_CA_BUNDLE). Those
 aren't defined when you're not on NixOS.
 For the regular $NIX_PATH, $PATH etc, sourcing nix.sh from
 /etc/profile isn't enough, because for example ssh doesn't start a
 bash login shell. For those cases, it needs to be sourced from
 /etc/bash.bashrc as well.
 Similar issues are probably happening with tcsh, zsh etc.

 Thoughts?

 Wout.





Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-06-03 Thread Kirill Elagin

 Obviously systemd would then have to not do things that udev etc are
 already doing... Just running services, opening sockets, handling cgroups...


I doubt systemd can do this.
First of all, with the new kernel cgroups interface only PID 1 can manage
cgroups (on the kernel level).
Then, to properly handle services (i.e. processes) systemd has to be PID 1,
right? Because otherwise it won't be able to track dead processes and all
this stuff.


Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-06-03 Thread Wout Mertens
On Tue, Jun 3, 2014 at 8:30 PM, Kirill Elagin kirela...@gmail.com wrote:

 Obviously systemd would then have to not do things that udev etc are
 already doing... Just running services, opening sockets, handling cgroups...


 I doubt systemd can do this.
 First of all, with the new kernel cgroups interface only PID 1 can manage
 cgroups (on the kernel level).
 Then, to properly handle services (i.e. processes) systemd has to be PID
 1, right? Because otherwise it won't be able to track dead processes and
 all this stuff.


Are you sure about PID 1? I can't find that in
https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt

I'm thinking systemd can run in user-mode, even if it's running as root.
It's automatically turned on when it's not PID 1, I need to try it.

Wout.


Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-05-30 Thread John Wiegley
 Wout Mertens wout.mert...@gmail.com writes:

 I think there is room for improvement for installing and using nixpkgs on
 another distribution.

 I see two big problems:
 1. installation
 2. environment variables

Also: setting up services to run when the system boots.  For example, Homebrew
tells you how to add symlinks in ~/Library/LaunchAgents so that PostgreSQL
can start when the machine boots (it simply prints the command to the terminal
as an informational message).  We can do the same thing with Nix, it's just a
question of informing the user how.

John


Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-05-29 Thread Wout Mertens
Another issue I just remembered is that of setuid binaries. NixOS has a
mechanism for it, and it could just as easily be used elsewhere. Without
it, you can't easily use qemu for example.

Wout.

On Thu, May 29, 2014 at 5:28 PM, Wout Mertens wout.mert...@gmail.com wrote:

 I think there is room for improvement for installing and using nixpkgs on
 another distribution.

 I see two big problems:
 1. installation
 2. environment variables

 Installation:
 
 The single-user installation is cute, but realistically you need root
 anyway to create /nix so it would be nice if there was a script that set up
 the proper environment, with the correct permissions under /nix/var/nix,
 the system-wide shell profiles, nixbld users, a
 users-that-are-allowed-to-use-nix-env group and the nix-daemon startup
 script for the popular distros.

 Right now you need to manually do these things, and some are not obvious
 like having to change your ~/.nix-profile dir to a per-user one
 (/etc/profile.d/nix.sh points it to /nix/var/nix/profiles/default which
 doesn't exist, and nix-env -i doesn't seem to handle that case).

 The end goal should be run this script and you'll have full access to
 everything in Nixpkgs with per-user profiles and secure defaults. All
 barriers to adoption should be removed as much as possible.

 Environment Variables:
 =
 There are several packages that rely on environment variables to work
 correctly, like glibc ($TZ_DIR) and curl ($CURL_CA_BUNDLE). Those aren't
 defined when you're not on NixOS.
 For the regular $NIX_PATH, $PATH etc, sourcing nix.sh from /etc/profile
 isn't enough, because for example ssh doesn't start a bash login shell. For
 those cases, it needs to be sourced from /etc/bash.bashrc as well.
 Similar issues are probably happening with tcsh, zsh etc.

 Thoughts?

 Wout.
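Wout's installation and environment-variable checklist above, turned into an audit a practitioner can run on a non-NixOS host (an added example, not code from the thread or from Nix itself). It takes a root prefix so it can be pointed at a staged tree; the daemon startup locations it looks for are assumptions about common init systems.

```shell
#!/bin/sh
# Audit a Nix install on a foreign distro for the gaps listed in the thread.
# ROOT is the filesystem prefix to inspect: "/" on a live host, or a staged
# directory for testing. Prints one FINDING line per problem and returns the
# number of findings as the exit status.
# Usage: . ./nix-audit.sh; nix_setup_audit /

nix_setup_audit() {
  root=${1%/}            # strip a trailing slash so "/" becomes ""
  n=0
  fail() { echo "FINDING: $1"; n=$((n + 1)); }

  # The store must exist and must not be writable by "other": anyone who can
  # write there can replace binaries that every user runs.
  if [ -d "$root/nix/store" ]; then
    [ -z "$(find "$root/nix/store" -prune -perm -0002)" ] \
      || fail "$root/nix/store is world-writable"
  else
    fail "$root/nix/store does not exist"
  fi

  # Per-user profile directory, so ~/.nix-profile need not point at the
  # non-existent /nix/var/nix/profiles/default.
  [ -d "$root/nix/var/nix/profiles/per-user" ] \
    || fail "no per-user profile directory under $root/nix/var/nix/profiles"

  # Build users and their group, which the daemon needs for isolated builds.
  grep -q '^nixbld[0-9][0-9]*:' "$root/etc/passwd" 2>/dev/null \
    || fail "no nixbld build users in $root/etc/passwd"
  grep -q '^nixbld:' "$root/etc/group" 2>/dev/null \
    || fail "no nixbld group in $root/etc/group"

  # Shell integration: nix.sh must exist, must set the CA bundle that curl
  # relies on, and must also be sourced from /etc/bash.bashrc, because an
  # ssh command does not start a login shell and never reads /etc/profile.
  if [ -f "$root/etc/profile.d/nix.sh" ]; then
    grep -q 'CURL_CA_BUNDLE' "$root/etc/profile.d/nix.sh" \
      || fail "nix.sh does not export CURL_CA_BUNDLE"
    grep -q 'nix\.sh' "$root/etc/bash.bashrc" 2>/dev/null \
      || fail "$root/etc/bash.bashrc does not source nix.sh"
  else
    fail "$root/etc/profile.d/nix.sh is missing"
  fi

  # Daemon startup: one of these locations (assumed: upstart, sysvinit, systemd).
  [ -f "$root/etc/init/nix-daemon.conf" ] \
    || [ -f "$root/etc/init.d/nix-daemon" ] \
    || [ -f "$root/etc/systemd/system/nix-daemon.service" ] \
    || fail "no nix-daemon startup script found"

  return "$n"
}
```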



Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-05-29 Thread Wout Mertens
On May 29, 2014 6:58 PM, Eelco Dolstra eelco.dols...@logicblox.com
wrote:

 Hi,

 On 29/05/14 18:34, Wout Mertens wrote:

  Another issue I just remembered is that of setuid binaries. NixOS has a
  mechanism for it, and it could just as easily be used elsewhere. Without
  it, you can't easily use qemu for example.

 Why? Qemu does not need to be setuid.

Oops, I meant VirtualBox. fping is another example. Or anything really.
Setuid and nix don't mix without help.



Re: [Nix-dev] Using Nixpkgs outside of NixOS

2014-05-29 Thread Wout Mertens
On Thu, May 29, 2014 at 10:23 PM, John Wiegley jo...@newartisans.com
wrote:

  Wout Mertens wout.mert...@gmail.com writes:

  I think there is room for improvement for installing and using nixpkgs on
  another distribution.

  I see two big problems:
  1. installation
  2. environment variables

 Also: setting up services to run when the system boots.  For example,
 Homebrew
 tells you how to add a symlinks in ~/Library/LaunchAgents so that
 PostgreSQL
 can start when the machine boots (it simply prints the command to the
 terminal
 as an informational message).  We can do the same thing with Nix, it's
 just a
 question of informing the user how.

Is there anybody that knows how to set up systemd as non-PID-1 but still
as root? That would be awesome++, I could turn my Ubuntu 12.04 servers into
lean mean partially Nix-based service running machines.

Obviously systemd would then have to not do things that udev etc are
already doing... Just running services, opening sockets, handling cgroups...

Wout.