nixos/doc: recommend usage of --use-remote-sudo when switching configurations #342338

Merged
cafkafk merged 2 commits into NixOS:master from SigmaSquadron:use-remote-sudo
Sep 17, 2024

@SigmaSquadron
Contributor

Description of changes

Recommends the usage of --use-remote-sudo on the changing-config chapter. This is based on a discussion in Matrix with a new user to discourage building system configurations through the root user, and only escalate when necessary.

This has some hastily-made wording changes. Please review the grammar and cohesion of the altered phrases.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Fits CONTRIBUTING.md.

…mote-sudo

After a discussion on Matrix, it has become clear that building as root
is discouraged, and the (inappropriately named) --use-remote-sudo flag
should be encouraged as the de-facto way to selectively escalate to root
after a system build has finished.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>

@github-actions bot added labels on Sep 16, 2024:

  • 6.topic: nixos (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS)
  • 8.has: documentation (This PR adds or changes documentation)

Member

Simply changing it to --use-remote-sudo may be a bit of a hassle, because it is difficult to explain to users why "remote" sudo appears here when we are obviously switching the local machine. I haven't thought of a good solution yet (maybe modifying the flag is one).

Member

modifying the flag is mildly expensive since it's a breaking change, may be possible to just create another flag that aliases it and name it e.g. --sudo?

I feel like adding such a flag should be taken up in a separate issue, but I do agree that a slight explanation of the flag name being so odd would be helpful to include in this PR.

Contributor Author

Yeah, I don't think we should expand this PR to changing the flag name.

When we do so in another PR, I'm not exactly sure if --sudo is the best replacement. The script itself should probably use Polkit to match systemd's authentication system, and the flag could be a generic --authenticate-when-needed (but worded more concisely)

Member

@cafkafk cafkafk left a comment

I think a slight clarification here can make a big difference for the reader, else LGTM (and this isn't really a blocker, so LMK if you don't want to fix it)

@ofborg bot added labels on Sep 16, 2024:

  • 10.rebuild-darwin: 0 (This PR does not cause any packages to rebuild on Darwin.)
  • 10.rebuild-linux: 1-10 (This PR causes between 1 and 10 packages to rebuild on Linux.)

Also recommends the usage of sudo's -E flag if --use-remote-sudo cannot
be used. This should still be discouraged IMO, as it means Nix may write
root-owned files to the user's home directory.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
Member

@cafkafk cafkafk left a comment

I think all issues have been addressed, thanks for improving the docs!
