authorEelco Dolstra <eelco.dolstra@logicblox.com>2012-04-10 14:39:12 +0000
committerEelco Dolstra <eelco.dolstra@logicblox.com>2012-04-10 14:39:12 +0000
commitf37b453b1987aba2468cc692bd22cbae3995219b (patch)
tree978d8b435326b8a91fddfeb35e4a14e529974db6
parentd2a6be078eb1109338a8dec2d55a9e8d4fba37d7 (diff)
* nixos-install: Ensure that builds are done by the nixbld users
  rather than root.  Also copy all manifests into the chroot so that
  any nix-pull done outside the chroot is "inherited".

svn path=/nixos/trunk/; revision=33725
-rw-r--r--modules/installer/tools/nixos-install.sh58
1 files changed, 40 insertions, 18 deletions
diff --git a/modules/installer/tools/nixos-install.sh b/modules/installer/tools/nixos-install.sh
index 0d24dd6a8e1..d539b8bb014 100644
--- a/modules/installer/tools/nixos-install.sh
+++ b/modules/installer/tools/nixos-install.sh
@@ -10,6 +10,7 @@
 #   * run the activation script of the configuration (also installs Grub)
 
 set -e
+shopt -s nullglob
 
 if test -z "$mountPoint"; then
     mountPoint=/mnt
@@ -35,27 +36,30 @@ if ! test -e "$NIXOS_CONFIG"; then
 fi
     
 
-# Enable networking in the chroot.
-mkdir -m 0755 -p $mountPoint/etc
-touch /etc/resolv.conf 
-cp -f /etc/resolv.conf $mountPoint/etc/
-rm -f $mountPoint/etc/hosts
-cat /etc/hosts > $mountPoint/etc/hosts
-rm -f $mountPoint/etc/nsswitch.conf
-cat /etc/nsswitch.conf > $mountPoint/etc/nsswitch.conf
-
-# Mount some stuff in the target root directory.
-mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/mnt
+# Do a nix-pull to speed up building.
+if test -n "@nixpkgsURL@" -a ${NIXOS_PULL:-1} != 0; then
+    @nix@/bin/nix-pull @nixpkgsURL@/MANIFEST || true
+fi
+
+
+# Mount some stuff in the target root directory.  We bind-mount /etc
+# into the chroot because we need networking and the nixbld user
+# accounts in /etc/passwd.  But we do need the target's /etc/nixos.
+mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/mnt $mountPoint/etc
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
 mount --rbind / $mountPoint/mnt
+mount --bind /etc $mountPoint/etc
+mount --bind $mountPoint/mnt/$mountPoint/etc/nixos $mountPoint/etc/nixos
 
 cleanup() {
+    set +e
     umount -l $mountPoint/mnt
     umount -l $mountPoint/dev
     umount -l $mountPoint/proc
     umount -l $mountPoint/sys
+    mountpoint -q $mountPoint/etc && umount -l $mountPoint/etc
 }
 
 trap "cleanup" EXIT
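Review bot: The added `mount --bind /etc $mountPoint/etc` exposes the installer host's /etc read-write inside the chroot, so a root process running there writes to the host's passwd, group and resolver files rather than the target's. If the chroot only needs to read those files (the comment suggests networking and the nixbld accounts), follow the bind with a read-only remount, `mount -o remount,ro,bind $mountPoint/etc`; the separate /etc/nixos bind stays writable. The second bind also assumes `$mountPoint/etc/nixos` already exists; under `set -e` a missing directory aborts with only mount's own error, so a `test -d` with a clear message before it would help. Both new mount lines leave `$mountPoint` unquoted, which breaks on a path containing spaces.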
@@ -75,8 +79,15 @@ mkdir -m 0755 -p \
     $mountPoint/nix/var/nix/db \
     $mountPoint/nix/var/log/nix/drvs
 
-mkdir -m 1777 -p \
-    $mountPoint/nix/store \
+mkdir -m 1775 -p $mountPoint/nix/store
+chown root.nixbld $mountPoint/nix/store
+
+
+# Make manifests available in the chroot.
+rm -f $mountPoint/nix/var/nix/manifests/*
+for i in /nix/var/nix/manifests/*.nixmanifest; do
+    cp "$(readlink -f "$i")" $mountPoint/nix/var/nix/manifests
+done
 
 
 # Get the store paths to copy from the references graph.
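Review bot: `chown root.nixbld $mountPoint/nix/store` resolves the group name against the installer host's group database and uses the deprecated dot separator; `chown root:nixbld "$mountPoint/nix/store"` is the portable form. It is worth a comment that the gid written here must match the nixbld gid the installed system will use, otherwise the tightened 1775 mode grants store write access to the wrong group (this cannot be confirmed from the hunk). In the manifest loop, `cp ... $mountPoint/nix/var/nix/manifests` has no trailing slash, so if that directory is missing the first copy creates a regular file with that name; the mkdir list above is only partly visible here, so either confirm it creates the directory or write the destination as `"$mountPoint/nix/var/nix/manifests/"`.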
@@ -97,6 +108,12 @@ export LC_ALL=
 export LC_TIME=
 
 
+# Create a temporary Nix config file that causes the nixbld users to
+# be used.
+echo "build-users-group = nixbld" > /mnt/tmp/nix.conf
+export NIX_CONF_DIR=/tmp
+
+
 # Register the paths in the Nix closure as valid.  This is necessary
 # to prevent them from being deleted the first time we install
 # something.  (I.e., Nix will see that, e.g., the glibc path is not
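Review bot: The config file is written to the hard-coded path `/mnt/tmp/nix.conf`, but the script accepts any `$mountPoint`, so with a non-default mount point the chroot's /tmp gets no nix.conf. `NIX_CONF_DIR=/tmp` would then point at a directory without the `build-users-group` setting, and builds would presumably fall back to running as root without any error, which is the condition this commit sets out to prevent. Write it as `echo "build-users-group = nixbld" > "$mountPoint/tmp/nix.conf"`. Because `NIX_CONF_DIR=/tmp` is exported for the rest of the script, any Nix command run outside the chroot afterwards also reads its configuration from the host's world-writable /tmp; setting the variable only on the chroot invocations would avoid that.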
@@ -117,11 +134,6 @@ ln -sf @shell@ $mountPoint/bin/sh
 export NIX_OTHER_STORES=/mnt/nix:$NIX_OTHER_STORES
 
 
-# Do a nix-pull to speed up building.
-if test -n "@nixpkgsURL@" -a ${NIXOS_PULL:-1} != 0; then
-    chroot $mountPoint @nix@/bin/nix-pull @nixpkgsURL@/MANIFEST || true
-fi
-
 if test -n "$NIXOS_PREPARE_CHROOT_ONLY"; then
     echo "User requested only to prepare chroot. Exiting."
     exit 0;
@@ -135,6 +147,16 @@ NIX_PATH=nixpkgs=/mnt/etc/nixos/nixpkgs:nixos=/mnt/etc/nixos/nixos:nixos-config=
     -p /nix/var/nix/profiles/system -f '<nixos>' --set -A system --show-trace
 
 
+# Get rid of the manifests.
+rm -f $mountPoint/nix/var/nix/manifests/*
+
+
+# We're done building/downloading, so we don't need the /etc bind
+# mount anymore.  In fact, below we want to modify the target's /etc.
+umount $mountPoint/etc/nixos
+umount $mountPoint/etc
+
+
 # Make a backup of the old NixOS/Nixpkgs sources.
 echo "copying NixOS/Nixpkgs sources to /etc/nixos...."