23 May 2023 |
Arian | Note that systemd-repart does not change the UIDs/GIDs of any copied files and directories. When running systemd-repart as an unprivileged user to build an image of files and directories owned
by the same user, you can run systemd-repart in a user namespace with the current user mapped to the root user to make sure the files and directories in the image are owned by the root user. | 14:03:31 |
Arian | we don't support user namespaces inside the build sandbox do we? or do we these days? | 14:03:53 |
Arian | because I want the uid to be 0, not the uid of nixbld | 14:04:30 |
Arian | for files in the image | 14:04:36 |
@nikstur:matrix.org | I call systemd-repart with fakeroot | 14:05:35 |
@nikstur:matrix.org | And then there are quite a few things you need to do to make it reproducibleish | 14:05:58 |
Arian | you have this code somewhere? | 14:06:14 |
@nikstur:matrix.org | Not yet in the wild. This is what I currently do:
fakeroot systemd-repart \
--dry-run=no \
--empty=create \
--size=auto \
--root=buildroot \
--definitions="$repartDefinitions" \
--split=true \
image.raw
which is definitely not enough for reproducibility
| 14:07:33 |
Arian | what is unreproducible about it? | 14:07:43 |
@elvishjerricco:matrix.org | In reply to @arianvp:matrix.org we don't support user namespaces inside the build sandbox do we? or do we these days? we do | 14:07:51 |
@nikstur:matrix.org | If there is no machine-id systemd-repart creates random UUIDs for partitions | 14:08:06 |
@nikstur:matrix.org | and I think timestamps might be an issue | 14:08:13 |
@elvishjerricco:matrix.org | in fact I've used that to do FHS style builds in a nix build | 14:08:14 |
@elvishjerricco:matrix.org | In reply to @nikstur:matrix.org If there is no machine-id systemd-repart creates random UUIDs for partitions You can also pass --seed | 14:09:04 |
Arian | oh yeah that stuff. Just put a /buildroot/etc/machine-id file. should work | 14:09:28 |
Arian | or --seed. yeah | 14:09:33 |
Arian | hmmmm without fakeroot my build fails with:
> Failed to copy symlink 'sbin', ignoring: Permission denied
> Failed to copy '/nix/store/049705cr0z1mzjfngjr4vlybp3z5n1wx-bcache-tools-1.0.7' to '/build/.#repartabde6bac7950c286/nix/store/049705cr0z1mzjfngjr4vlybp3z5n1wx-bcache-tools-1.0.7': Invalid argument
| 14:11:01 |
Arian | but works with fakeroot woohoo. (What does fakeroot do?) | 14:14:06 |
@janne.hess:helsinki-systems.de | In reply to @arianvp:matrix.org but works with fakeroot woohoo. (What does fakeroot do?) It pretends you're root | 14:15:06 |
Arian | that I understand. but how does it do that? | 14:15:25 |
@janne.hess:helsinki-systems.de | In reply to @arianvp:matrix.org that I understand. but how does it do that?
This is done by setting LD_PRELOAD to libfakeroot.so, which provides wrappers around getuid, chown, chmod, mknod, stat, and so on, thereby creating a fake root environment.
| 14:15:56 |
@mberndt:matrix.org | ElvishJerricco, thanks for your review. I've responded to your comments… https://github.com/NixOS/nixpkgs/pull/229767 | 14:19:15 |
@elvishjerricco:matrix.org | user namespaces are better though. Are there still holdout distros that disable that? | 14:21:27 |
@aloisw:kde.org | In reply to @elvishjerricco:matrix.org user namespaces are better though. Are there still holdout distros that disable that? Our own "hardened" kernel does that, at least. | 14:36:43 |
@aloisw:kde.org | There's also proot -0. | 14:37:49 |
@elvishjerricco:matrix.org |
No, Stratis is unrelated to LVM and a simpler design
mberndt Huh. For some reason I thought stratis was a management tool for a variety of underlying tech like lvm
| 16:16:08 |
@gdamjan:spodeli.org | stratis is an opinionated subset of LVM + XFS (I think) | 18:11:14 |
@gdamjan:spodeli.org | doesn't even do raid :/ | 18:11:24 |
@mberndt:matrix.org | In reply to @gdamjan:spodeli.org stratis is an opinionated subset of LVM + XFS (I think) It's not based on LVM. | 18:56:12 |
@mberndt:matrix.org | It uses DM though. | 18:56:23 |