kevinveenbirkenbach/pkgmgr
1
0
Fork 0
Code Issues Pull Requests Actions 24 Packages Projects Releases Wiki Activity

**Fix Nix global symlinks for sudo secure_path without overriding distro paths**
Some checks failed
Mark stable commit / test-unit (push) Has been cancelled
Details
Mark stable commit / test-integration (push) Has been cancelled
Details
Mark stable commit / test-env-virtual (push) Has been cancelled
Details
Mark stable commit / test-env-nix (push) Has been cancelled
Details
Mark stable commit / test-e2e (push) Has been cancelled
Details
Mark stable commit / test-virgin-user (push) Has been cancelled
Details
Mark stable commit / test-virgin-root (push) Has been cancelled
Details
Mark stable commit / mark-stable (push) Has been cancelled
Details

Browse Source 
* Ensure nix is reachable for sudo on CentOS by providing /usr/bin and /usr/sbin fallbacks when absent
* Keep /usr/local/bin as primary CI path without breaking non-login shells
* Never overwrite distro-managed nix binaries (Arch-safe)
* Stabilize e2e and virgin-user tests across all distros

https://chatgpt.com/share/693c6013-af2c-800f-a1bc-baed0d29fab7
This commit is contained in:
Kevin Veen-Birkenbach
2025-12-12 20:23:29 +01:00
parent 5875441b23
commit 8f38edde67
1 changed files with 41 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
scripts/init-nix.sh
View File

@@ -43,7 +43,6 @@ real_exe() {
local p="${1:-}" local p="${1:-}"
[[ -z "$p" ]] && return 1 [[ -z "$p" ]] && return 1
# readlink -f may fail on some minimal systems; fall back to the given path
local r local r
r="$(readlink -f "$p" 2>/dev/null || echo "$p")" r="$(readlink -f "$p" 2>/dev/null || echo "$p")"
@@ -87,7 +86,12 @@ resolve_nix_bin() {
} }
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
# Ensure globally reachable nix symlink (CI / non-login shells) - root only # Ensure globally reachable nix symlink(s) (CI / non-login shells) - root only
#
# Key rule:
# - Never overwrite distro-managed nix locations (Arch may ship nix in /usr/sbin).
# - But for sudo secure_path (CentOS), /usr/local/bin is often NOT included.
# Therefore: also create /usr/bin/nix (and /usr/sbin/nix) ONLY if they do not exist.
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
ensure_global_nix_symlinks() { ensure_global_nix_symlinks() {
local nix_bin="${1:-}" local nix_bin="${1:-}"
@@ -95,34 +99,51 @@ ensure_global_nix_symlinks() {
[[ -z "$nix_bin" ]] && nix_bin="$(resolve_nix_bin 2>/dev/null || true)" [[ -z "$nix_bin" ]] && nix_bin="$(resolve_nix_bin 2>/dev/null || true)"
if [[ -z "$nix_bin" || ! -x "$nix_bin" ]]; then if [[ -z "$nix_bin" || ! -x "$nix_bin" ]]; then
echo "[init-nix] WARNING: nix binary not found, cannot create global symlink." echo "[init-nix] WARNING: nix binary not found, cannot create global symlink(s)."
return 0 return 0
fi fi
# Always link to the real executable to avoid /usr/local/bin/nix -> /usr/local/bin/nix # Always link to the real executable to avoid /usr/local/bin/nix -> /usr/local/bin/nix
nix_bin="$(real_exe "$nix_bin" 2>/dev/null || echo "$nix_bin")" nix_bin="$(real_exe "$nix_bin" 2>/dev/null || echo "$nix_bin")"
local targets=()
# Always provide /usr/local/bin/nix for CI shells
mkdir -p /usr/local/bin 2>/dev/null || true mkdir -p /usr/local/bin 2>/dev/null || true
targets+=("/usr/local/bin/nix")
# Do NOT touch /usr/bin/nix or /bin/nix (distro-managed paths). # Provide sudo-friendly locations only if they are NOT present (do not override distro paths)
# Only provide a convenient /usr/local/bin/nix for CI shells. if [[ ! -e /usr/bin/nix ]]; then
local target="/usr/local/bin/nix" targets+=("/usr/bin/nix")
local current_real="" fi
if [[ -e "$target" ]]; then if [[ ! -e /usr/sbin/nix ]]; then
current_real="$(real_exe "$target" 2>/dev/null || true)" targets+=("/usr/sbin/nix")
fi fi
# If it already points to the same real binary, do nothing local target current_real
if [[ -n "$current_real" && "$current_real" == "$nix_bin" ]]; then for target in "${targets[@]}"; do
echo "[init-nix] /usr/local/bin/nix already points to: $nix_bin" current_real=""
return 0 if [[ -e "$target" ]]; then
fi current_real="$(real_exe "$target" 2>/dev/null || true)"
fi
if ln -sf "$nix_bin" "$target" 2>/dev/null; then if [[ -n "$current_real" && "$current_real" == "$nix_bin" ]]; then
echo "[init-nix] Ensured $target -> $nix_bin" echo "[init-nix] $target already points to: $nix_bin"
else continue
echo "[init-nix] WARNING: Failed to ensure /usr/local/bin/nix symlink." fi
fi
# If something exists but is not the same (and we promised not to override), skip.
if [[ -e "$target" && "$target" != "/usr/local/bin/nix" ]]; then
echo "[init-nix] WARNING: $target exists; not overwriting."
continue
fi
if ln -sf "$nix_bin" "$target" 2>/dev/null; then
echo "[init-nix] Ensured $target -> $nix_bin"
else
echo "[init-nix] WARNING: Failed to ensure $target symlink."
fi
done
} }
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
@@ -145,11 +166,9 @@ ensure_user_nix_symlink() {
echo "[init-nix] Ensured $HOME/.local/bin/nix -> $nix_bin" echo "[init-nix] Ensured $HOME/.local/bin/nix -> $nix_bin"
# Make current process work immediately
PATH="$HOME/.local/bin:$PATH" PATH="$HOME/.local/bin:$PATH"
export PATH export PATH
# Best-effort persist (helps interactive, harmless for CI)
if [[ -w "$HOME/.profile" ]] && ! grep -q 'init-nix.sh' "$HOME/.profile" 2>/dev/null; then if [[ -w "$HOME/.profile" ]] && ! grep -q 'init-nix.sh' "$HOME/.profile" 2>/dev/null; then
cat >>"$HOME/.profile" <<'EOF' cat >>"$HOME/.profile" <<'EOF'
@@ -197,7 +216,6 @@ install_nix_with_retry() {
esac esac
installer="$(mktemp -t nix-installer.XXXXXX)" installer="$(mktemp -t nix-installer.XXXXXX)"
# mktemp creates 0600; if we run as another user, it must be readable
chmod 0644 "$installer" chmod 0644 "$installer"
echo "[init-nix] Downloading Nix installer from $NIX_INSTALL_URL (max ${NIX_DOWNLOAD_MAX_TIME}s)..." echo "[init-nix] Downloading Nix installer from $NIX_INSTALL_URL (max ${NIX_DOWNLOAD_MAX_TIME}s)..."
@@ -245,11 +263,9 @@ main() {
echo "[init-nix] Nix already available on PATH: $(command -v nix)" echo "[init-nix] Nix already available on PATH: $(command -v nix)"
ensure_nix_on_path ensure_nix_on_path
# Root: ensure global symlink for CI/non-login shells
if [[ "${EUID:-0}" -eq 0 ]]; then if [[ "${EUID:-0}" -eq 0 ]]; then
ensure_global_nix_symlinks "$(resolve_nix_bin 2>/dev/null || true)" ensure_global_nix_symlinks "$(resolve_nix_bin 2>/dev/null || true)"
else else
# User: ensure we have a stable path too
ensure_user_nix_symlink "$(resolve_nix_bin 2>/dev/null || true)" ensure_user_nix_symlink "$(resolve_nix_bin 2>/dev/null || true)"
fi fi
@@ -310,7 +326,7 @@ main() {
ensure_nix_on_path ensure_nix_on_path
# Ensure stable global symlink (so non-login shells find nix) # Ensure stable global symlink(s) (sudo secure_path friendly)
ensure_global_nix_symlinks "/home/nix/.nix-profile/bin/nix" ensure_global_nix_symlinks "/home/nix/.nix-profile/bin/nix"
# Ensure non-root users can traverse and execute nix user profile # Ensure non-root users can traverse and execute nix user profile
@@ -334,7 +350,6 @@ main() {
else else
echo "[init-nix] No systemd detected: using single-user install (--no-daemon)." echo "[init-nix] No systemd detected: using single-user install (--no-daemon)."
if [[ "${EUID:-0}" -eq 0 ]]; then if [[ "${EUID:-0}" -eq 0 ]]; then
# Root on a minimal host still benefits from nixbld users
ensure_nix_build_group ensure_nix_build_group
fi fi
install_nix_with_retry "no-daemon" install_nix_with_retry "no-daemon"