Merge pull request #625 from nix-community/image-fixes

Fix building images when non-binary reproducible builds are present
2024-11-10 06:14:14 +00:00 · 2024-05-07 10:26:51 +02:00 · 2024-05-07 10:26:51 +02:00 · 4677f6c534
commit 4677f6c534
parent 874c83c948 718565dfbb
6 changed files with 40 additions and 39 deletions
--- a/17
+++ b/17
@ -207,11 +207,13 @@ main() {
    --arg diskMappings "$(serialiaseArrayToNix diskMappings)" \
    --argstr extraSystemConfig "$extraSystemConfig" \
    -A installToplevel \
+    -A closureInfo \
    -A "$diskoAttr")

  IFS=$'\n' mapfile -t artifacts <<<"$outputs"
  nixos_system=${artifacts[0]}
-  disko_script=${artifacts[1]}
+  closure_info=${artifacts[1]}
+  disko_script=${artifacts[2]}

  if [[ -n ${dry_run-} ]]; then
    echo "Would run: $disko_script"
@ -227,6 +229,19 @@ main() {
    cp -ar "$source" "$mountPoint/$destination"
  done

+  # nix copy uses up a lot of memory and we work around issues with incorrect checksums in our store
+  # that can be caused by using closureInfo in combination with multiple builders and non-deterministic builds.
+  # Therefore if we have a blank store, we copy the store paths and registration from the closureInfo.
+  if [[ ! -d "${mountPoint}/nix/store" ]]; then
+    export NIX_STATE_DIR=${mountPoint}/nix/var/nix
+    echo "Copying store paths" >&2
+    mkdir -p "${mountPoint}/nix/store"
+    xargs cp --recursive --target "${mountPoint}/nix/store"  < "${closure_info}/store-paths"
+    echo "Loading nix database" >&2
+    nix-store --load-db < "${closure_info}/registration"
+    unset NIX_STATE_DIR
+  fi
+
  nixos-install --no-root-password --system "$nixos_system" --root "$mountPoint"
 }

--- a/disko-install.nix
+++ b/disko-install.nix
@ -1,26 +0,0 @@
-{ stdenvNoCC, makeWrapper, lib }:
-
-stdenvNoCC.mkDerivation {
-  name = "disko-install";
-  src = ./.;
-  nativeBuildInputs = [
-    makeWrapper
-  ];
-  installPhase = ''
-    mkdir -p $out/bin $out/share/disko
-    cp -r install-cli.nix $out/share/disko
-    sed \
-      -e "s|libexec_dir=\".*\"|libexec_dir=\"$out/share/disko\"|" \
-      -e "s|#!/usr/bin/env.*|#!/usr/bin/env bash|" \
-      disko-install > $out/bin/disko-install
-    chmod 755 $out/bin/disko-install
-    wrapProgram $out/bin/disko-install
-  '';
-  meta = with lib; {
-    description = "Disko and nixos-install in one command";
-    homepage = "https://github.com/nix-community/disko";
-    license = licenses.mit;
-    maintainers = with maintainers; [ lassulus ];
-    platforms = platforms.linux;
-  };
-}
--- a/docs/disko-install.md
+++ b/docs/disko-install.md
@ -197,9 +197,10 @@ Add this to your flake.nix output:
 { pkgs, self, ... }:
 let
  dependencies = [
-    pkgs.stdenv.drvPath
    self.nixosConfigurations.your-machine.config.system.build.toplevel
    self.nixosConfigurations.your-machine.config.system.build.diskoScript
+    self.nixosConfigurations.your-machine.pkgs.stdenv.drvPath
+    (self.nixosConfigurations.your-machine.pkgs.closureInfo { rootPaths = [ ]; }).drvPath
  ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);

  closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
--- a/install-cli.nix
+++ b/install-cli.nix
@ -62,5 +62,8 @@ let
 in
 {
  installToplevel = installSystem.config.system.build.toplevel;
+  closureInfo = installSystem.pkgs.closureInfo {
+    rootPaths = [ installSystem.config.system.build.toplevel ];
+  };
  inherit (diskoSystem.config.system.build) formatScript mountScript diskoScript;
 }
--- a/lib/make-disk-image.nix
+++ b/lib/make-disk-image.nix
@ -38,6 +38,10 @@ let
    ${lib.concatMapStringsSep "\n" (disk: "mv ${disk.name}.raw \"$out\"/${disk.name}.raw") (lib.attrValues nixosConfig.config.disko.devices.disk)}
    ${extraPostVM}
  '';
+
+  closureInfo = pkgs.closureInfo {
+    rootPaths = [ systemToInstall.config.system.build.toplevel ];
+  };
  partitioner = ''
    # running udev, stolen from stage-1.sh
    echo "running udev..."
@ -53,16 +57,19 @@ let
    udevadm trigger --action=add
    udevadm settle

-    # populate nix db, so nixos-install doesn't complain
-    export NIX_STATE_DIR=$TMPDIR/state
-    nix-store --load-db < ${pkgs.closureInfo {
-      rootPaths = [ systemToInstall.config.system.build.toplevel ];
-    }}/registration
-
    ${systemToInstall.config.system.build.diskoScript}
  '';
+
  installer = ''
-    ${systemToInstall.config.system.build.nixos-install}/bin/nixos-install --system ${systemToInstall.config.system.build.toplevel} --keep-going --no-channel-copy -v --no-root-password --option binary-caches ""
+    # populate nix db, so nixos-install doesn't complain
+    export NIX_STATE_DIR=${systemToInstall.config.disko.rootMountPoint}/nix/var/nix
+    nix-store --load-db < "${closureInfo}/registration"
+
+    # We copy files with cp because `nix copy` seems to have a large memory leak
+    mkdir -p ${systemToInstall.config.disko.rootMountPoint}/nix/store
+    xargs cp --recursive --target ${systemToInstall.config.disko.rootMountPoint}/nix/store < ${closureInfo}/store-paths
+
+    ${systemToInstall.config.system.build.nixos-install}/bin/nixos-install --root ${systemToInstall.config.disko.rootMountPoint} --system ${systemToInstall.config.system.build.toplevel} --keep-going --no-channel-copy -v --no-root-password --option binary-caches ""
    umount -Rv ${systemToInstall.config.disko.rootMountPoint}
  '';
  QEMU_OPTS = lib.concatMapStringsSep " " (disk: "-drive file=${disk.name}.raw,if=virtio,cache=unsafe,werror=report,format=raw") (lib.attrValues nixosConfig.config.disko.devices.disk);
--- a/tests/disko-install/default.nix
+++ b/tests/disko-install/default.nix
@ -1,9 +1,10 @@
 { pkgs ? import <nixpkgs> { }, self }:
 let
-  disko-install = pkgs.callPackage ../../disko-install.nix { };
+  disko = pkgs.callPackage ../../package.nix { };

  dependencies = [
-    pkgs.stdenv.drvPath
+    self.nixosConfigurations.testmachine.pkgs.stdenv.drvPath
+    (self.nixosConfigurations.testmachine.pkgs.closureInfo { rootPaths = []; }).drvPath
    self.nixosConfigurations.testmachine.config.system.build.toplevel
    self.nixosConfigurations.testmachine.config.system.build.diskoScript
  ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
@ -36,9 +37,9 @@ pkgs.nixosTest {
    permission = machine.succeed("stat -c %a /tmp/age.key").strip()
    assert permission == "600", f"expected permission 600 on /tmp/age.key, got {permission}"

-    machine.succeed("${disko-install}/bin/disko-install --disk main /dev/vdb --extra-files /tmp/age.key /var/lib/secrets/age.key --flake ${../..}#testmachine")
+    machine.succeed("${disko}/bin/disko-install --disk main /dev/vdb --extra-files /tmp/age.key /var/lib/secrets/age.key --flake ${../..}#testmachine")
    # test idempotency
-    machine.succeed("${disko-install}/bin/disko-install --mode mount --disk main /dev/vdb --flake ${../..}#testmachine")
+    machine.succeed("${disko}/bin/disko-install --mode mount --disk main /dev/vdb --flake ${../..}#testmachine")
    machine.shutdown()

    new_machine = create_test_machine(oldmachine=machine, args={ "name": "after_install" })