!DkNkhjPMwKVMKgmGYw:nixos.org

Nix Installer



6 May 2024
@nick_kadutskyi:matrix.org changed their display name from nick_kadutskyi to nickkadutskyi. 17:33:25
@nick_kadutskyi:matrix.org left the room. 17:35:38
8 May 2024
abathur (@abathur:matrix.org): Matthew Kenigsberg & cole-h: given the events that were unfolding week before last I have not tried to pester the infra team or made other noteworthy progress on open issues, so I'm thinking we can skip this session unless either of you have something specific? 02:02:24
cole-h (@cole-h:matrix.org): I'm fine with either 02:03:02
@matthewkenigsberg:matrix.org: I did https://github.com/NixOS/experimental-nix-installer/pull/15 today - looks like we may need to tweak the actions so I could use input on those 02:05:43
@matthewkenigsberg:matrix.org: I also wasn't 100% sure on the tarball stuff 02:06:24
abathur (@abathur:matrix.org): ok, sounds like we'll have stuff to look at 04:00:19
pxc (@pxc:matrix.org):

how nutty would it be to have a Nix installer attempt to get nix-daemon.sh's environment changes handled by an init system/session manager, if available, rather than plugging directly into a shell?

Fish users who are Nix novices (and maybe also Unix novices) have struggled getting their shell to 'nixify' properly forever. I've tried to work on it, and helped get something usable going for NixOS which is now also used in Nix-Darwin. But people still struggle, many years later, and other fun new shells (Elvish, Nushell, PowerShell, Xonsh, idk) face similar problems with Nix's POSIX initialization scripts

I think we could easily have the Nix stuff happen before the user session starts with systemd on Linux and launchd on macOS

06:37:25
pxc (@pxc:matrix.org), edited message:

how nutty would it be to have a Nix installer attempt to get nix-daemon.sh's environment changes handled by an init system/session manager, if available, rather than plugging directly into a shell?

Fish users who are Nix novices (and maybe also Unix novices) have struggled getting their shell to 'nixify' properly forever. I've tried to work on it, and helped get something usable going for NixOS which is now also used in Nix-Darwin. But people still struggle, many years later, on foreign Linux and macOS. Other fun new shells (Elvish, Nushell, PowerShell, Xonsh, idk) face similar problems with Nix's POSIX initialization scripts

I think we could easily have the Nix stuff happen before the user session starts with systemd on Linux and launchd on macOS

06:38:13
pxc (@pxc:matrix.org): The experimental new installer is already willing to get creative with this kind of stuff to avoid breakage on macOS, and I think it was a good choice. 06:39:06
abathur (@abathur:matrix.org):

Have you tried setting this up with launchctl (and on what macOS version?)

It sounds like (thanks to cole-h for finding my own past comments about this :)) we are hemmed in on the global environment point by macOS these days, see for example:

  • https://github.com/canonical/multipass/issues/2417#issuecomment-1553437799
  • https://github.com/cachix/install-nix-action/issues/183#issuecomment-1595055643
14:38:41
abathur (@abathur:matrix.org): but if you've got it working on a newer macOS, perhaps they caused trouble for someone important and had to back off from the change? 14:39:37
pxc (@pxc:matrix.org):
In reply to @abathur:matrix.org
but if you've got it working on a newer macOS, perhaps they caused trouble for someone important and had to back off from the change?

I do, but I don't think that's quite it, since I actually do get that error on my system (macOS 14.4.1)

This works:

  • setting per-user session variables interactively with launchctl setenv via LaunchAgents as my user (works immediately; close and relaunch your terminal emulator and it'll pick up the variables)
  • setting per-user session variables interactively with launchctl setenv in LaunchAgents that run as root
  • setting global session variables with launchctl setenv in LaunchAgents that run as root (takes effect with next session)

but this doesn't work:

  • interactively using launchctl setenv as root, which yields the message "Could not set environment: 150: Operation not permitted while System Integrity Protection is engaged"
15:46:35
pxc (@pxc:matrix.org): I was assuming the restriction of launchctl setenv was limited this way from the start, but now that I think of it, maybe it was totally removed, then only partially backed off 15:48:15
abathur (@abathur:matrix.org): I'm less sure if anyone who encountered/reported the problem would've been doing it through the indirection of a launchagent/daemon 15:49:44
abathur (@abathur:matrix.org): though I'm also less confident that it isn't a bug/loophole apple will notice and close 15:50:32
pxc (@pxc:matrix.org): agreed, although Apple is basically inscrutable and liable to break anything at any time 15:51:57
abathur (@abathur:matrix.org): can you confirm whether doing it interactively as non-root outside of a launchagent works? 15:53:53
abathur (@abathur:matrix.org): I see someone asserting on the apple dev forum that it works w/o sudo 15:54:10
pxc (@pxc:matrix.org): yep, I've observed that as well 15:54:32
abathur (@abathur:matrix.org): but it seems a little strange to me that they'd restrict this for root but let normal users do it (unless maybe it's only actually affecting user processes and not root ones?) 15:54:49
pxc (@pxc:matrix.org): based on my testing I might venture a guess that what the SIP protection protects against is one user using elevated privileges to change the environment variable of another user's session in real-time, because those global LaunchAgents only affect new sessions but I'm not totally convinced of my own guess 15:55:39
pxc (@pxc:matrix.org): maybe there's some way to make the global LaunchAgent take effect immediately, like the per-user ones do 15:56:03
pxc (@pxc:matrix.org):

I've been having Nix-Darwin generate the LaunchAgents I've been using to test. Here's what they look like, this example being the per-user one:

  launchd.user.agents.setenv.serviceConfig = {
    # Only load the agent in GUI (Aqua) login sessions, where the terminal emulator lives.
    LimitLoadToSessionType = "Aqua";
    ProgramArguments = [
      "/bin/sh"
      "-pc"
      ''launchctl setenv FOO bar''
    ];
    # Run the command as soon as the agent is loaded, not only on demand.
    RunAtLoad = true;
  };
15:57:58
pxc (@pxc:matrix.org): when I enable that one and run darwin-rebuild switch, I can see its effects immediately, in the same session 15:58:34
pxc (@pxc:matrix.org):
In reply to @pxc:matrix.org
based on my testing I might venture a guess that what the SIP protection protects against is one user using elevated privileges to change the environment variable of another user's session in real-time, because those global LaunchAgents only affect new sessions

but I'm not totally convinced of my own guess

I guess one way to test this hypothesis would be to disable SIP and see if an interactive sudo setenv immediately changes my environment, too

and maybe also if logging in as a different user, elevating up to root, and then using sudo -u <other_user> launchctl setenv does anything

16:00:01
pxc (@pxc:matrix.org):
In reply to @abathur:matrix.org
can you confirm whether doing it interactively as non-root outside of a launchagent works?
mhm
16:05:25
abathur (@abathur:matrix.org): ? 16:05:48
pxc (@pxc:matrix.org): it does work 16:06:25
pxc (@pxc:matrix.org):
In reply to @abathur:matrix.org
but if you've got it working on a newer macOS, perhaps they caused trouble for someone important and had to back off from the change?

it does look like using LaunchAgents to call launchctl setenv via /bin/sh is (or used to be?) a somewhat common/known pattern, if not a super popular one:

https://github.com/search?q=path%3A*.plist%20%22launchctl%20setenv%22&type=code

16:07:57
