darwin.builder: init

[Gabriella439]

Fixes #108984

This originates from:

https://github.com/Gabriella439/macos-builder

… which in turn originates from:

https://github.com/YorikSar/nixos-vm-on-macos

Once this change is built and cached, the end user only needs to run:

$ nix run nixpkgs#darwin.builder

… to create a Linux builder on macOS

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[Gabriella439]

Note that this is still missing documentation, which I will complete before merging this

[domenkozar]

Thanks a lot for getting this in a frinedly state ❤️

[SuperSandro2000]

You should be able to change this via the root's ssh_config

[SuperSandro2000]

I am not in favor of hardcoding a private key. What alternatives do we have?

[Gabriella439]

I'm not aware of a good alternative here. However, in this case I think it's not an issue because this is only use as the SSH host key and not the client's key (which is still handled securely)

[SuperSandro2000]

I have turned this off since a while to reduce io load but didn't do benchmarking. Is the difference noticeable? Not sure if we should turn it on by default or not.

[Gabriella439]

I actually am not too attached to this setting. I don't remember why I added it

[SuperSandro2000]

Suggested change

	installCredentials = pkgs.writeShellScript "install-credentials" ''
	KEYS="''${1}"
	INSTALL=${hostPkgs.coreutils}/bin/install
	"''${INSTALL}" -g nixbld -m 600 "''${KEYS}/${user}_${keyType}" ${privateKey}
	"''${INSTALL}" -g nixbld -m 644 "''${KEYS}/${user}_${keyType}.pub" ${publicKey}
	installCredentials = let
	install = ${hostPkgs.coreutils}/bin/install;
	in pkgs.writeShellScript "install-credentials" ''
	"${install}" -g nixbld -m 600 "''${1}/${user}_${keyType}" ${privateKey}
	"${install}" -g nixbld -m 644 "''${1}/${user}_${keyType}.pub" ${publicKey}

If the goal is to make the script as easy as possible then this is in the end as easy as it gets.

[Gabriella439]

Yeah, I deliberately did not do it that way because I wanted the script to be easier to read. In particular, I wanted the script to fit within 80 columns

[SuperSandro2000]

Something does not get easier to read if it fits within 80 columns but has two extra lines.

[SuperSandro2000]

This should be taken from nixpkgs instead of being hardcoded here or set once on initialization.

[domenkozar]

I'm going to merge this because it improves the current state a lot and further improvements can be done once people start to use it.

[github-actions]

Successfully created backport PR #207097 for release-22.11.

[SuperSandro2000]

@domenkozar there is no time pressure here at all and new features should not be merged with barely any review just because people desperately want it.

Doing major redesigns of new features straight after they where rushed to be merged is suboptimal for anyone that started to use the feature already.

[SuperSandro2000]

Did the review comments myself in #207486

[domenkozar]

@domenkozar there is no time pressure here at all and new features should not be merged with barely any review just because people desperately want it.

Doing major redesigns of new features straight after they where rushed to be merged is suboptimal for anyone that started to use the feature already.

It's not about time pressure, it's about getting this work to the devs to test and moving the bikeshedding into a step that can happen in parallel.

[roberth]

crucially, getting hydra to put it in cache.nixos.org

[Gabriella439]

Here's the PR to disable the build for now if people need this to be reverted: #207776

[figsoda]

not sure if disabling the build is needed since Mic92/nixpkgs-review#291 is merged and nixpkgs-review users will not have to rebuild darwin.builder anymore, the only downside after nixpkgs-review is updated afaik would be the github labels which imo is not a big deal

[zowoq]

github labels which imo is not a big deal

ofborg telling contributors that a zero rebuild PR causes one rebuild on each darwin platforms is rather confusing.

[Gabriella439]

Just to clarify: is darwin.builder being rebuilt on these unrelated PRs or is it a bug in ofborg?

[raphaelr]

I can reproduce this locally:

$ nix show-derivation -f . darwin.builder --system aarch64-darwin > a
$ git commit --allow-empty -m test
$ nix show-derivation -f . darwin.builder --system aarch64-darwin > b
$ diff -u a b
--- a   2022-12-26 23:11:31.175857599 +0100
+++ b   2022-12-26 23:11:53.008634417 +0100
@@ -1,5 +1,5 @@
 {
-  "/nix/store/9fgpywcl1qgk5yrwwq9b829pncw4jrhi-create-builder.drv": {
+  "/nix/store/qj88p4c8b9nw8z6cg4cf425l5y4d1hah-create-builder.drv": {
     "args": [
       "-e",
       "/nix/store/9krlzvny65gdc8s7kpb6lkx8cd02c25b-default-builder.sh"
@@ -34,7 +34,7 @@
       "mesonFlags": "",
       "name": "create-builder",
       "nativeBuildInputs": "",
-      "out": "/nix/store/5ggib8k7z9k6ryzpnhijah8apsc071la-create-builder",
+      "out": "/nix/store/cxb5sjl4klf0l8b0r3qh5z4r1a9ldzqa-create-builder",
       "outputs": "out",
       "passAsFile": "buildCommand text",
       "patches": "",
@@ -44,13 +44,13 @@
       "stdenv": "/nix/store/s5rvpdf77v47cqy1n56wr5xlj3b7vzmm-stdenv-darwin",
       "strictDeps": "",
       "system": "aarch64-darwin",
-      "text": "#!/nix/store/x380x9d7gqh4ig9h50a7wx08p0s6622f-bash-5.1-p16/bin/bash\nKEYS=\"${KEYS:-./keys}\"\n/nix/store/npcq66nqv2wpzp3ma5s63vafnnivphxb-coreutils-9.1/bin/mkdir --parent \"${KEYS}\"\nPRIVATE_KEY=\"${KEYS}/builder_ed25519\"\nPUBLIC_KEY=\"${PRIVATE_KEY}.pub\"\nif [ ! -e \"${PRIVATE_KEY}\" ] || [ ! -e \"${PUBLIC_KEY}\" ]; then\n    /nix/store/npcq66nqv2wpzp3ma5s63vafnnivphxb-coreutils-9.1/bin/rm --force -- \"${PRIVATE_KEY}\" \"${PUBLIC_KEY}\"\n    /nix/store/kgp4br70j8w4k4lgsv8sk22hb51km36s-openssh-9.1p1/bin/ssh-keygen -q -f \"${PRIVATE_KEY}\" -t ed25519 -N \"\" -C 'builder@localhost'\nfi\nif ! /nix/store/2m2jha21jq3f51g0rd42y385v5vfkgih-diffutils-3.8/bin/cmp \"${PUBLIC_KEY}\" /etc/nix/builder_ed25519.pub; then\n  (set -x; sudo --reset-timestamp /nix/store/grd27v1gb7s0hqq7wrnqw88m60mlr8wk-install-credentials \"${KEYS}\")\nfi\nKEYS=\"$(nix-store --add \"$KEYS\")\" /nix/store/pd3vpvsg7sqri0pr9qpjr38g61wik1rz-nixos-vm/bin/run-nixos-vm\n\n"
+      "text": "#!/nix/store/x380x9d7gqh4ig9h50a7wx08p0s6622f-bash-5.1-p16/bin/bash\nKEYS=\"${KEYS:-./keys}\"\n/nix/store/npcq66nqv2wpzp3ma5s63vafnnivphxb-coreutils-9.1/bin/mkdir --parent \"${KEYS}\"\nPRIVATE_KEY=\"${KEYS}/builder_ed25519\"\nPUBLIC_KEY=\"${PRIVATE_KEY}.pub\"\nif [ ! -e \"${PRIVATE_KEY}\" ] || [ ! -e \"${PUBLIC_KEY}\" ]; then\n    /nix/store/npcq66nqv2wpzp3ma5s63vafnnivphxb-coreutils-9.1/bin/rm --force -- \"${PRIVATE_KEY}\" \"${PUBLIC_KEY}\"\n    /nix/store/kgp4br70j8w4k4lgsv8sk22hb51km36s-openssh-9.1p1/bin/ssh-keygen -q -f \"${PRIVATE_KEY}\" -t ed25519 -N \"\" -C 'builder@localhost'\nfi\nif ! /nix/store/2m2jha21jq3f51g0rd42y385v5vfkgih-diffutils-3.8/bin/cmp \"${PUBLIC_KEY}\" /etc/nix/builder_ed25519.pub; then\n  (set -x; sudo --reset-timestamp /nix/store/grd27v1gb7s0hqq7wrnqw88m60mlr8wk-install-credentials \"${KEYS}\")\nfi\nKEYS=\"$(nix-store --add \"$KEYS\")\" /nix/store/yphpd9i8w0vg0p3p70yck0vmmcdzq4fi-nixos-vm/bin/run-nixos-vm\n\n"
     },
     "inputDrvs": {
-      "/nix/store/7a0chkp8maxy1j20f3f937ikmxjkxisi-nixos-vm.drv": [
+      "/nix/store/c47v02plj8ziz3j0x13p7hdz8j0d7cxr-openssh-9.1p1.drv": [
         "out"
       ],
-      "/nix/store/c47v02plj8ziz3j0x13p7hdz8j0d7cxr-openssh-9.1p1.drv": [
+      "/nix/store/cn0bc111q4ha76ggmpfhywwpw411x3id-nixos-vm.drv": [
         "out"
       ],
       "/nix/store/g2npqs9fic2vvrxf117czf1j1936d63c-install-credentials.drv": [
@@ -74,7 +74,7 @@
     ],
     "outputs": {
       "out": {
-        "path": "/nix/store/5ggib8k7z9k6ryzpnhijah8apsc071la-create-builder"
+        "path": "/nix/store/cxb5sjl4klf0l8b0r3qh5z4r1a9ldzqa-create-builder"
       }
     },
     "system": "aarch64-darwin"

If it's git commits that's causing this, then I assume the darwin.builder needs to hard code a git revision, like in release.nix.

[Gabriella439]

@raphaelr: Thank you! I can reproduce now, too. I think the reason I could not originally reproduce was that I was using nix path-info --derivation instead of nix-instantiate

[Gabriella439]

This should fix the gratuitous rebuilds: #207902

[NiklasGollenstede]

Just a few thoughts when I read the new manual entry:

• The manual entry says that port 22 needs to be free on the host, which I think it true in the current implementation. But it should work to set virtualisation.forwardPorts.*.host.address to 127.0.0.42 (any address starting with 127. (or maybe even a single IPv6?)) and use that address in the builder spec. Any other address (including localhost and any external interfaces) would have port 22 available for other SSH things.

• If qemu ist started with serial on the local terminal (which I am not sure if it is a good idea here) one might as well auto-login for debugging purposes (otherwise the TTY is kinda pointless): services.getty.autologinUser = "root".
  Also, with the TTY open, ctrl-a + x immediately kills the VM.

• And since I read the term bikeshedding above: darwin.builder does not at all imply that it builds NixOS things, only that it is a builder that has something to do with darwin/MacOS

[Gabriella439]

@NiklasGollenstede: The only reason it says port 22 is required is because I thought it was a limitation of Nix's remote builder functionality (rather than a limitation of the VM). Are you saying that there's a way for Nix to specify a non-default port for a remote builder in the builder spec?

I like the autologinUser idea, though, and created a pull request: #208772

[NiklasGollenstede]

Are you saying that there's a way for Nix to specify a non-default port for a remote builder in the builder spec?

That would be nice, but no. I am pretty sure that such an option would be defined in either of these two files:
https://github.com/NixOS/nix/blob/master/src/libstore/ssh-store.cc
https://github.com/NixOS/nix/blob/master/src/libstore/legacy-ssh-store.cc
(I don't really understand why Nix doesn't allow some way of just supplying verbatim options to openssh (at least with nix-build, it is simply calling ssh, which needs to be on the PATH that nix-build get's called with). Maybe to not commit to using the openssh CLI?)

What I was saying is that currently (I assume this is the default when not supplying virtualisation.forwardPorts.*.host.address) qemu is binding (and thus blocking) port 22 on all IPv4 (and v6?) addresses and interfaces, while a single (v4 or v6) address on only the loopback is enough for a local nix command to connect to. Even without a firewall, others in your network will no longer be able to use your VM, and other services can listen on TCP port 22, as long as they specify an interfacee/address other than the one used by the VM (or (implicitly) a wildcard that includes it, like "", *, 0.0.0.0, etc, depending on the API).

[Gabriella439]

@NiklasGollenstede: It turns out that an unprivileged qemu process attempting to bind a privileged port can bind to an host address of 0.0.0.0 but not 127.0.0.1, which is pretty cursed:

https://developer.apple.com/forums/thread/674179

The good news is that you don't actually need to open up the firewall, so I put up a PR to document that: #208792

[NiklasGollenstede]

macOS: You can have all the addresses.
developer: That's cool. I'd like to have that one!
macOS: no.

There may be an implementation reason, but looking from the outside, that's incredibly weird behavior.

If macOS has some mechanism to prompt for firewall exceptions, (and it is now documented to deny that), then at least the security aspect of not binding all addresses is largely a mute point (assuming that on macOS users don't usually (or can't) disable the firewall).
While the port does not need to be "open" in the firewall, it still needs to be "free", as in "not bound to on and address by any process" (e.g. you can't have sshd running on its default port).

[roberth]

I thought it was a limitation of Nix's remote builder functionality (rather than a limitation of the VM)

I've configured Port in the ssh_config before. You may want to use the global client config, /etc/ssh/ssh_config, for this, or you may have to configure it for both root (the nix-daemon) and the user.

[NiklasGollenstede]

I've configured Port in the ssh_config before.

Right. That should work. (When I was researching this previously, modifying config files was not an option (and it is quite contrary to Nix's philosophy that it is required).)

To do this without also modifying /etc/hosts (or whatever it takes to locally define a host name on macOS), you can define the builder's address as 127.x.y.z (where x.y.z is anything other than 0.0.1 and then use that address in the ssh_config.