Don't have root bypass the daemon by default #10140

Open
thufschmitt opened this issue Mar 4, 2024 · 4 comments
Labels
feature Feature request or proposal store Issues and pull requests concerning the Nix store


@thufschmitt
Member

Is your feature request related to a problem? Please describe.

When the store option is set to auto (the default), Nix will guess whether to use the daemon or the local store.
However, this detection logic will use the local store if Nix has access to it, even if there's a daemon socket available. This reduces the isolation that the client-daemon logic provides. Some examples from a quick issue search:

Describe the solution you'd like

Have the logic be: “If there's a socket I can connect to, use the daemon that listens there, otherwise try to directly access the store”.

Describe alternatives you've considered

  • Keep the status quo
  • Have the multi-user installer configure nix.conf to set store = daemon (and pass --store local to the daemon invocation). That would reduce the breaking change, at the cost of more complexity on the installations in the long run.

Additional context

  • IIRC @edolstra mentioned somewhere (couldn't find the source again), that directly connecting to the store as root was an optimisation for some systems (like hydra) where the overhead of the daemon was noticeable. I think that can be avoided by just configuring these systems to forcibly use the local store

Priorities

Add 👍 to issues you find important.
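
The two selection policies discussed in this issue, modelled side by side as an added example (this is not code from the issue or from Nix). The state directory and socket path are constructed temporary paths, the function names are hypothetical, and the fallback of the current policy when direct access is unavailable is an assumption.

```python
import os
import socket
import tempfile

def can_connect(sock_path):
    """True only if a process is accepting connections on the Unix socket."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(sock_path)
        return True
    except OSError:  # missing file, stale socket, permission denied
        return False
    finally:
        s.close()

def has_direct_access(state_dir):
    return os.access(state_dir, os.R_OK | os.W_OK)

def resolve_current(state_dir, sock_path):
    # Behaviour the issue describes: direct access wins whenever it is possible.
    if has_direct_access(state_dir):
        return "local"
    return "daemon" if can_connect(sock_path) else "unavailable"  # assumed fallback

def resolve_proposed(state_dir, sock_path):
    # Proposal: a reachable daemon wins; direct access is only the fallback.
    if can_connect(sock_path):
        return "daemon"
    return "local" if has_direct_access(state_dir) else "unavailable"

def demo():
    """Run both policies as a caller that can write the (constructed) state dir."""
    state_dir = tempfile.mkdtemp()  # constructed stand-in, not a real Nix path
    sock_path = os.path.join(state_dir, "daemon.sock")
    both = lambda: (resolve_current(state_dir, sock_path),
                    resolve_proposed(state_dir, sock_path))
    out = {"no_socket": both()}
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    listener.listen(4)
    out["daemon_up"] = both()
    listener.close()  # socket file stays behind with nobody listening
    out["stale_socket"] = both()
    os.unlink(sock_path)
    os.rmdir(state_dir)
    return out

if __name__ == "__main__":
    print(demo())
```

Only the `daemon_up` case differs between the two policies; probing with a real `connect()` rather than checking that the socket file exists is what lets the proposed policy fall back to direct access when the socket is stale.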

@thufschmitt
Member Author

Extra issue due to that: #10158

@github-project-automation github-project-automation bot moved this to To triage in Nix team Mar 6, 2024
@thufschmitt thufschmitt removed this from Nix team Mar 11, 2024
@roberth
Member

roberth commented Mar 22, 2024

Issues like #10158 will still happen in a use case like nixos-enter.
I don't think we can get rid of the non-daemon use case completely, and by switching to daemon by default, we risk letting it bitrot.
The status quo could be considered anti-fragile.

@roberth roberth added the store Issues and pull requests concerning the Nix store label Mar 22, 2024
@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-03-11-nix-team-meeting-132/42960/1

@roberth
Member

roberth commented Jun 9, 2024

Bypassing the daemon is also useful when trying out a build feature, such as described here NixOS/nixpkgs#318013 (comment).
