-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support installing Nix on macOS on AWS EC2, without requiring a manual full-disk-access approval #1210
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cole-h
reviewed
Sep 30, 2024
grahamc
force-pushed
the
no-fda-ec2-macos
branch
from
September 30, 2024 19:33
448b989
to
2bcc104
Compare
grahamc
added
the
upload to s3
The labeled PR is allowed to upload its artifacts to S3 for easy testing
label
Sep 30, 2024
grahamc
force-pushed
the
no-fda-ec2-macos
branch
from
September 30, 2024 20:38
9ab8a70
to
454bdea
Compare
grahamc
changed the title
Support installing Nix on macOS on AWS EC2, without requiring a manual full-disk-encryption approval
Support installing Nix on macOS on AWS EC2, without requiring a manual full-disk-access approval
Oct 1, 2024
This PR adds a flag to the installer for macOS that allows installing and using Nix on EC2 without a manual process of enabling full disk access. On EC2, macOS requires the user to grant Full Disk Access to the Nix daemon or determinate-nixd for it to function. However, the actual permission issue is access to removable volumes. Users can provide a macOS policy (via MDM or manually) that allows access to removable volumes, but this also requires a manual setup process. The key insight of this pull request is that by using the internal hard disk, we escape the "removable volume" limitation. This PR's new flag sets the default root disk target to use the internal disk, instead of the disk that macOS is running from. Note that this is feature-locked to determinate-nixd, because determinate-nixd accounts for a quirk of AWS's macOS deployment. AWS's macOS infrastructure assumes all internal disks are unmounted, and will occasionally unmount the Nix Store.
Flake lock file updates: • Updated input 'determinate': 'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/0.1.110%2Brev-cb916a7dd1b85d547edd6ba2f782a578ca4ef480/01923596-e372-7668-a456-5b32177e0dda/source.tar.gz?narHash=sha256-M9Z7OMrQHAmZQnuMYxdyqzV%2B7ApIXVbA2GXl62l1GTo%3D' (2024-09-27) → 'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/0.1.136%2Brev-ec5f982bd53acbece1c3a72a0dbf074ab5d79e10/019244a6-0aa7-72b5-9d85-a7bb7885aad3/source.tar.gz?narHash=sha256-sSGQJP7isahkRAzlOiLJjvoz/MijCsoFa6FgQIqbcFE%3D' (2024-09-30) • Updated input 'determinate/determinate-nixd-aarch64-darwin': 'https://install.determinate.systems/determinate-nixd/rev/2c18a8f38492d35be64d4e497b720938f17cc9f5/macOS?narHash=sha256-tmW%2BSqn9cautArLTych0mnKXD1abtaAuJGCUCrtUmeo%3D' → 'https://install.determinate.systems/determinate-nixd/rev/51ecec5a3148baef87c2015536aa12dd18e4c4ad/macOS?narHash=sha256-OhG8joS/uN3Kdw4h9w8F/6ZIVTFZ8J9Fb4NGn/KK5/s%3D' • Updated input 'determinate/determinate-nixd-aarch64-linux': 'https://install.determinate.systems/determinate-nixd/rev/2c18a8f38492d35be64d4e497b720938f17cc9f5/aarch64-linux?narHash=sha256-z5dg%2BqwLOjA4pjiCLReESa9qNYOtMxlaPXQQWNhEymA%3D' → 'https://install.determinate.systems/determinate-nixd/rev/51ecec5a3148baef87c2015536aa12dd18e4c4ad/aarch64-linux?narHash=sha256-AGcHQSIdb%2BKEJlhJzMB4YyFxbjdLZEDDf6bv6Zi3wqM%3D' • Updated input 'determinate/determinate-nixd-x86_64-linux': 'https://install.determinate.systems/determinate-nixd/rev/2c18a8f38492d35be64d4e497b720938f17cc9f5/x86_64-linux?narHash=sha256-8sENexNuv7gsVAeQx1xuJd8IQtociheylIeEjFRYbQI%3D' → 'https://install.determinate.systems/determinate-nixd/rev/51ecec5a3148baef87c2015536aa12dd18e4c4ad/x86_64-linux?narHash=sha256-kU4dqHoYe3sFf4LDAUj4fyl9uGV8IHtE22%2BDdMeRN0s%3D' • Updated input 'nixpkgs': 'https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.685764%2Brev-1925c603f17fc89f4c8f6bf6f631a802ad85d784/01923479-4bef-7480-a7b0-72f6d33a5318/source.tar.gz?narHash=sha256-J%2BPeFKSDV%2BpHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI%3D' (2024-09-26) → 'https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.687049%2Brev-06cf0e1da4208d3766d898b7fdab6513366d45b9/019243b7-0a9f-79f7-b57a-4e0cfd13a578/source.tar.gz?narHash=sha256-S5kVU7U82LfpEukbn/ihcyNt2%2BEvG7Z5unsKW9H/yFA%3D' (2024-09-29)
grahamc
force-pushed
the
no-fda-ec2-macos
branch
from
October 1, 2024 11:29
454bdea
to
9c28b81
Compare
colemickens
approved these changes
Oct 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
(wip, not yet functional, needs a dnixd update)
This PR adds a flag to the installer for macOS that allows installing and using Nix on EC2 without a manual process of enabling full disk access.
On EC2, macOS requires the user to grant Full Disk Access to the Nix daemon or determinate-nixd for it to function. However, the actual permission issue is access to removable volumes. Users can provide a macOS policy (via MDM or manually) that allows access to removable volumes, but this also requires a manual setup process.
The key insight of this pull request is that by using the internal hard disk, we escape the "removable volume" limitation.
This PR's new flag sets the default root disk target to use the internal disk, instead of the disk that macOS is running from. Note that this is feature-locked to determinate-nixd, because determinate-nixd accounts for a quirk of AWS's macOS deployment. AWS's macOS infrastructure assumes all internal disks are unmounted, and will occasionally unmount the Nix Store.
Checklist
cargo fmt
nix build
nix flake check
Validating with
install.determinate.systems
If a maintainer has added the
upload to s3
label to this PR, it will become available for installation viainstall.determinate.systems
: