!DkNkhjPMwKVMKgmGYw:nixos.org

Nix Installer

78 Members
19 Servers

Load older messages


SenderMessageTime
8 May 2024
@pxc:matrix.orgpxcagreed, although Apple is basically inscrutable and liable to break anything at any time15:51:57
@abathur:matrix.orgabathurcan you confirm whether doing it interactively as non-root outside of a launchagent works?15:53:53
@abathur:matrix.orgabathurI see someone asserting on the apple dev forum that it works w/o sudo15:54:10
@pxc:matrix.orgpxcyep, I've observed that as well15:54:32
@abathur:matrix.orgabathurbut it seems a little strange to me that they'd restrict this for root but let normal users do it (unless maybe it's only actually affecting user processes and not root ones?)15:54:49
@pxc:matrix.orgpxcbased on my testing I might venture a guess that what the SIP protection protects against is one user using elevated privileges to change the environment variable of another user's session in real-time, because those global LaunchAgents only affect new sessions but I'm not totally convinced of my own guess15:55:39
@pxc:matrix.orgpxcmaybe there's some way to make the global LaunchAgent take effect immediately, like the per-user ones do15:56:03
@pxc:matrix.orgpxc

I've been having Nix-Darwin generate the LaunchAgents I've been using to test. Here's what they look like, this example being the per-user one:

  launchd.user.agents.setenv.serviceConfig = {
    LimitLoadToSessionType = "Aqua";
    ProgramArguments = [
      "/bin/sh"
      "-pc"
      ''launchctl setenv FOO bar''
    ];
    RunAtLoad = true;
  };
15:57:58
@pxc:matrix.orgpxc when I enable that one and run darwin-rebuild switch, I can see its effects immediately, in the same session 15:58:34
@pxc:matrix.orgpxc
In reply to @pxc:matrix.org
based on my testing I might venture a guess that what the SIP protection protects against is one user using elevated privileges to change the environment variable of another user's session in real-time, because those global LaunchAgents only affect new sessions

but I'm not totally convinced of my own guess

I guess one way to test this hypothesis would be to disable SIP and see if an interactive sudo setenv immediately changes my environment, too

and maybe also if logging in as a different user, elevating up to root, and then using sudo -u <other_user> launchctl setenv does anything

16:00:01
@pxc:matrix.orgpxc
In reply to @abathur:matrix.org
can you confirm whether doing it interactively as non-root outside of a launchagent works?
mhm
16:05:25
@abathur:matrix.orgabathur?16:05:48
@pxc:matrix.orgpxcit does work16:06:25
@pxc:matrix.orgpxc
In reply to @abathur:matrix.org
but if you've got it working on a newer macOS, perhaps they caused trouble for someone important and had to back off from the change?

it does look like using LaunchAgents to call launchtl setenv via /bin/sh is (or used to be?) a somewhat common/known pattern, if not a super popular one:

https://github.com/search?q=path%3A*.plist%20%22launchctl%20setenv%22&type=code

16:07:57
@pxc:matrix.orgpxcbut not super popular, and many of those repos aren't applications16:10:55
@pxc:matrix.orgpxcsetting aside macOS for a moment, what do you think about the systemd case?16:17:21
@abathur:matrix.orgabathur

zooming out, speaking only for myself, and using lots of weasel words:

I can at least tentatively agree that being able to do everything we need via the init system would be a win as long as it doesn't break in other contexts and it doesn't end up fracturing the install base in a way that makes it much harder to help people troubleshoot installs.

Probably not exhaustive and I'm not trying to reason very thoroughly about them, but a few things that I could imagine shifting around:

  • other non-nix daemons/agents/applications that haven't been getting tested by having our mods in their environment (for example, something that assumes default apple-shipped tools on the PATH and now they're getting GNU ones)
  • at least with zsh, a problem that's come up with most of the workarounds we've tried here is that the default shell profiles run /usr/libexec/path_helper and hard-set PATH to whatever its opinion was--and this will shift our stuff down-PATH and keep anything Nix-installed from shadowing the system utils (some people want the system utils to be first, but I suspect most people want the nix-installed stuff to win); it isn't entirely on-topic, but off the top of my head https://github.com/NixOS/nix/pull/9243 probably documents a fair amount of that context
  • Our shell profiles might be getting run in some contexts that are otherwise clearing all or part of their inherited environment, in which case moving up to the init layer might leave those without envs they have been running with
  • race conditions? (probably just for other daemons? perhaps restoring/auto-opening apps? maybe a non-issue? not thinking that deeply)
  • kinda doubt this is the case, but anything that actually diverges between shell implementations in a mutually-exclusive way? (at least, in a way we can't abstract around?)

As far as any risk of complicating the install-base, I'll just focus first on the fact that we'd still want to support non-systemd daemon installs (and that'll probably become increasingly true since I know some people have been working on improving our BSD-friendliness).

So I guess my next question is whether this can work beyond macOS and systemd? (shooting from the hip, I am a little leery of an outcome that looks like: we still end up having to maintain N daemon shell profiles for every shell someone would like to see supported and we also gain N separate processes for different init systems?)

16:39:06
@abathur:matrix.orgabathurOn the latter point I'll also disclaim that I'm neither a gatekeeper nor is it a "no" from me. Just a concern. A big reliability boost is probably worth a small complexity boost, etc.16:40:24
@abathur:matrix.orgabathur * On the latter point I'll also disclaim that I'm neither a gatekeeper nor is it a "no" from me even if I were. Just a concern. A big reliability boost is probably worth a small complexity boost, etc.16:40:38
@abathur:matrix.orgabathur * On the latter point I'll also disclaim that I'm neither a gatekeeper nor is it a "no" from me even if I were. Just a concern. A big reliability boost is probably worth a small complexity boost, a big reliability boost might save more support effort than we lose to divergent install types, etc.16:46:07
@pxc:matrix.orgpxc
In reply to @abathur:matrix.org

zooming out, speaking only for myself, and using lots of weasel words:

I can at least tentatively agree that being able to do everything we need via the init system would be a win as long as it doesn't break in other contexts and it doesn't end up fracturing the install base in a way that makes it much harder to help people troubleshoot installs.

Probably not exhaustive and I'm not trying to reason very thoroughly about them, but a few things that I could imagine shifting around:

  • other non-nix daemons/agents/applications that haven't been getting tested by having our mods in their environment (for example, something that assumes default apple-shipped tools on the PATH and now they're getting GNU ones)
  • at least with zsh, a problem that's come up with most of the workarounds we've tried here is that the default shell profiles run /usr/libexec/path_helper and hard-set PATH to whatever its opinion was--and this will shift our stuff down-PATH and keep anything Nix-installed from shadowing the system utils (some people want the system utils to be first, but I suspect most people want the nix-installed stuff to win); it isn't entirely on-topic, but off the top of my head https://github.com/NixOS/nix/pull/9243 probably documents a fair amount of that context
  • Our shell profiles might be getting run in some contexts that are otherwise clearing all or part of their inherited environment, in which case moving up to the init layer might leave those without envs they have been running with
  • race conditions? (probably just for other daemons? perhaps restoring/auto-opening apps? maybe a non-issue? not thinking that deeply)
  • kinda doubt this is the case, but anything that actually diverges between shell implementations in a mutually-exclusive way? (at least, in a way we can't abstract around?)

As far as any risk of complicating the install-base, I'll just focus first on the fact that we'd still want to support non-systemd daemon installs (and that'll probably become increasingly true since I know some people have been working on improving our BSD-friendliness).

So I guess my next question is whether this can work beyond macOS and systemd? (shooting from the hip, I am a little leery of an outcome that looks like: we still end up having to maintain N daemon shell profiles for every shell someone would like to see supported and we also gain N separate processes for different init systems?)

at least with zsh, a problem that's come up with most of the workarounds we've tried here is that the default shell profiles run /usr/libexec/path_helper and hard-set PATH to whatever its opinion was--and this will shift our stuff down-PATH and keep anything Nix-installed from shadowing the system utils (some people want the system utils to be first, but I suspect most people want the nix-installed stuff to win); it isn't entirely on-topic, but off the top of my head https://github.com/NixOS/nix/pull/9243 probably documents a fair amount of that context

this is something important to me and yes, path_helpers has made a bit of a mess of things, incl. for Fish with Nix-Darwin, because by going out of our way to make sure the Nix stuff is sourced early, we also now ensure that it is overridden by whatever is in paths_helper.d. (Years ago, Fish did not consult the path 'helpers', now it does just after where we've injected nixification for it in nixpkgs' fish)

I see this as a related concern that I'm also directly interested in helping address

18:30:04
@pxc:matrix.orgpxc
In reply to @abathur:matrix.org
On the latter point I'll also disclaim that I'm neither a gatekeeper nor is it a "no" from me even if I were. Just a concern. A big reliability boost is probably worth a small complexity boost, a big reliability boost might save more support effort than we lose to divergent install types, etc.
I asked you because I know you've worked on the old shell-based installer here and there, and because of your work on resholve. I figure you're just generally well-attuned to weird shit shells and env vars do :)
18:31:08
@pxc:matrix.orgpxc
In reply to @abathur:matrix.org

zooming out, speaking only for myself, and using lots of weasel words:

I can at least tentatively agree that being able to do everything we need via the init system would be a win as long as it doesn't break in other contexts and it doesn't end up fracturing the install base in a way that makes it much harder to help people troubleshoot installs.

Probably not exhaustive and I'm not trying to reason very thoroughly about them, but a few things that I could imagine shifting around:

  • other non-nix daemons/agents/applications that haven't been getting tested by having our mods in their environment (for example, something that assumes default apple-shipped tools on the PATH and now they're getting GNU ones)
  • at least with zsh, a problem that's come up with most of the workarounds we've tried here is that the default shell profiles run /usr/libexec/path_helper and hard-set PATH to whatever its opinion was--and this will shift our stuff down-PATH and keep anything Nix-installed from shadowing the system utils (some people want the system utils to be first, but I suspect most people want the nix-installed stuff to win); it isn't entirely on-topic, but off the top of my head https://github.com/NixOS/nix/pull/9243 probably documents a fair amount of that context
  • Our shell profiles might be getting run in some contexts that are otherwise clearing all or part of their inherited environment, in which case moving up to the init layer might leave those without envs they have been running with
  • race conditions? (probably just for other daemons? perhaps restoring/auto-opening apps? maybe a non-issue? not thinking that deeply)
  • kinda doubt this is the case, but anything that actually diverges between shell implementations in a mutually-exclusive way? (at least, in a way we can't abstract around?)

As far as any risk of complicating the install-base, I'll just focus first on the fact that we'd still want to support non-systemd daemon installs (and that'll probably become increasingly true since I know some people have been working on improving our BSD-friendliness).

So I guess my next question is whether this can work beyond macOS and systemd? (shooting from the hip, I am a little leery of an outcome that looks like: we still end up having to maintain N daemon shell profiles for every shell someone would like to see supported and we also gain N separate processes for different init systems?)

race conditions? (probably just for other daemons? perhaps restoring/auto-opening apps? maybe a non-issue? not thinking that deeply)

yes, I think race conditions are possible. One example that does things in a way that evinces this possibility is this AppleScript implementation of a GUI ssh-askpass for macOS. They restart the built-in SSH agent after setting their env vars because if their thing runs after it, those vars won't get picked up by the agent:

18:34:05
@pxc:matrix.orgpxcthanks for your thoughts! I've saved a copy of my notes and I'll try to make sure that my experiments consider all those points, including the ones I didn't reply to18:39:49
@pxc:matrix.orgpxc * thanks for your thoughts! I've saved a copy for my notes and I'll try to make sure that my experiments consider all those points, including the ones I didn't reply to18:43:42
22 May 2024
@mjolnir:nixos.orgNixOS Moderation Botchanged room power levels.15:26:05
@mjolnir:nixos.orgNixOS Moderation Botchanged room power levels.15:28:18
29 May 2024
@raitobezarius:matrix.orgraitobezarius changed their display name from raitobezarius to raitobezarius (DECT: 7248).17:10:21
4 Jun 2024
@raitobezarius:matrix.orgraitobezarius changed their display name from raitobezarius (DECT: 7248) to raitobezarius.11:14:04
5 Jun 2024
@matthewkenigsberg:matrix.orgMatthew KenigsbergSorry I forgot to say sooner but I'm on PTO this week so won't be able to make the meeting 13:39:13

Show newer messages


Back to Room ListRoom Version: 9