@JulienMalka JulienMalka commented Sep 8, 2025

Note: This is still a WIP

Essentially, we load the userborn module, and add the sysinit-reactivation target in a similar manner to NixOS. We restart that target at the beginning of the activation.

  • We are also bringing on sysusers, I am not sure if we should, as far as I understand it's because evaluating the userborn module requires it.

I also tried stripping the activationScripts feature from this PR but without much success so far.

jfroche and others added 3 commits August 22, 2025 11:27
Eval works.

Work done until now:

- add missing `system.etc` and `systemd.sysusers` options.
- vendored nixpkgs/nixos/modules/config/users-groups.nix and comment `boot.initrd`
and `environment.profiles` configs.
- import user ids and userborn modules from nixpkgs.

Currently failing on:

vm-test> [2025-08-26T09:45:23Z INFO  system_manager::activate::etc_files] Done
vm-test> [2025-08-26T09:45:23Z INFO  system_manager::activate] Activating tmp files...
vm-test> /etc/tmpfiles.d/home-directories.conf:1: Failed to resolve user 'zimbatm': No such process

Most probably because we don't create the users/group before trying to create tmpfiles.

This PR is based on #258
because `user-groups.nix` and `userborn.nix` depend on
`system.activationScripts`.
@JulienMalka JulienMalka marked this pull request as draft September 8, 2025 20:41
@r-vdp
Member

r-vdp commented Sep 9, 2025

Great stuff!

I have some minor questions, maybe we can have a chat tomorrow?

@r-vdp
Member

r-vdp commented Sep 9, 2025

@JulienMalka
Author

JulienMalka commented Sep 9, 2025

This might be an issue though:

https://github.com/nikstur/userborn/blob/main/rust%2Fuserborn%2Fsrc%2Fmain.rs#L129-146

I agree. I am not sure I 100% understand how userborn handles "impure" users/groups, I am trying to get a better understanding.
This test shows that it does in some way, but I am not sure exactly how yet. Available tomorrow to look at this if you want, I'll contact you privately for this.

@jfroche
Member

jfroche commented Sep 17, 2025

I have just realized that we end with a broken /etc/passwd (as we don't have /run/current-system [yet?]):

root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin

@r-vdp
Member

r-vdp commented Sep 17, 2025

I have just realized that we end with a broken /etc/passwd (as we don't have /run/current-system [yet?]):

root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin

There is an equivalent directory, but not the same because we want to support running system manager on nixos (mainly for easier testing).
So we should just use the right path there.

@JulienMalka
Author

Interesting, I wonder where this thing is set in the module system. I wouldn't expect this to be hardcoded either in userborn or in the users module, will check.

@zimbatm zimbatm added this to the First release milestone Oct 31, 2025
This new test impurely adds a new user to the system and verifies that
the user is not garbage collected by userborn.
@JulienMalka
Author

This might be an issue though:

https://github.com/nikstur/userborn/blob/main/rust%2Fuserborn%2Fsrc%2Fmain.rs#L129-146

To this point, this is correct. I just pushed a commit with a failing test case that covers this issue. I also have a modification of userborn for which the test case succeeds, that I'll be submitting today upstream.

@JulienMalka
Author

I have just realized that we end with a broken /etc/passwd (as we don't have /run/current-system [yet?]):

root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin

To this point, I see that we can change the nologin path in userborn thanks to an env variable, but I think for the shell it may come from the module system directly, not sure exactly where it is set.
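
Added example, not part of the thread and not code from system-manager or userborn: a check that flags passwd entries whose login shell does not resolve, run over the two lines quoted above. The function names and the `root` parameter are hypothetical, and the sample input is constructed from those two lines.

```python
import os
import tempfile

# Constructed sample: the two entries quoted in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin
"""


def parse_passwd(text):
    """Yield (name, uid, shell) for each passwd(5) line; reject malformed lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
        yield fields[0], int(fields[2]), fields[6]


def dangling_shells(passwd_text, root="/"):
    """Return [(name, shell)] where the shell is not an executable file under root.

    An empty shell field is skipped: passwd(5) defines it as /bin/sh.
    """
    missing = []
    for name, _uid, shell in parse_passwd(passwd_text):
        if not shell:
            continue
        target = os.path.join(root, shell.lstrip("/"))
        # isfile() follows symlinks, so a dangling symlink counts as missing.
        if not (os.path.isfile(target) and os.access(target, os.X_OK)):
            missing.append((name, shell))
    return missing


if __name__ == "__main__":
    # Constructed empty root: a host without /run/current-system.
    with tempfile.TemporaryDirectory() as root:
        for name, shell in dangling_shells(SAMPLE_PASSWD, root):
            print(f"{name}: login shell {shell} does not exist")
```

Run against the real file with `dangling_shells(open("/etc/passwd").read())` after activation; an empty list means every configured shell resolves.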

@JulienMalka
Author

Userborn change that introduces stateful users is submitted upstream: nikstur/userborn#36
