
Support installing Nix on macOS on AWS EC2, without requiring a manual full-disk-access approval #1210

Merged
merged 9 commits into from
Oct 1, 2024

Conversation

@grahamc (Member) commented Sep 30, 2024

Description

(wip, not yet functional, needs a dnixd update)

This PR adds a flag to the installer for macOS that allows installing and using Nix on EC2 without a manual process of enabling full disk access.

On EC2, macOS requires the user to grant Full Disk Access to the Nix daemon or determinate-nixd for it to function. However, the actual permission issue is access to removable volumes. Users can provide a macOS policy (via MDM or manually) that allows access to removable volumes, but this also requires a manual setup process.

The key insight of this pull request is that by using the internal hard disk, we escape the "removable volume" limitation.

This PR's new flag sets the default root disk target to use the internal disk, instead of the disk that macOS is running from. Note that this is feature-locked to determinate-nixd, because determinate-nixd accounts for a quirk of AWS's macOS deployment. AWS's macOS infrastructure assumes all internal disks are unmounted, and will occasionally unmount the Nix Store.

Checklist
  • Formatted with cargo fmt
  • Built with nix build
  • Ran flake checks with nix flake check
  • Added or updated relevant tests (leave unchecked if not applicable)
  • Added or updated relevant documentation (leave unchecked if not applicable)
  • Linked to related issues (leave unchecked if not applicable)
Validating with install.determinate.systems

If a maintainer has added the upload to s3 label to this PR, it will become available for installation via install.determinate.systems:

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/pr/$PR_NUMBER | sh -s -- install
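As an added illustration of the root-disk selection the description talks about (this is not nix-installer's code, and the PR's actual flag name is not shown here), the script below contrasts the installer's default target, the whole disk behind `/`, with the EC2 mode of picking an internal, non-removable disk. It assumes `diskutil info -plist` reports the `ParentWholeDisk`, `Internal` and `RemovableMedia` keys, and the disk layout is a constructed sample so it runs offline.

```python
import plistlib
import subprocess
from typing import Callable, Optional

Runner = Callable[[list], bytes]  # maps diskutil args -> raw plist bytes


def real_diskutil(args: list) -> bytes:
    """Run the real `diskutil <verb> -plist ...` (macOS only)."""
    cmd = ["diskutil", args[0], "-plist", *args[1:]]
    return subprocess.run(cmd, capture_output=True, check=True).stdout


# Constructed EC2-style layout (not captured from a real instance):
# disk0 = the host's internal SSD, disk2 = the removable volume macOS booted
# from, disk3 = the APFS container synthesized on top of disk2.
SAMPLE = {
    ("list",): {"WholeDisks": ["disk0", "disk2", "disk3"]},
    ("info", "/"): {"DeviceIdentifier": "disk3s1", "ParentWholeDisk": "disk3"},
    ("info", "disk0"): {"DeviceIdentifier": "disk0", "Internal": True, "RemovableMedia": False},
    ("info", "disk2"): {"DeviceIdentifier": "disk2", "Internal": False, "RemovableMedia": True},
    ("info", "disk3"): {"DeviceIdentifier": "disk3", "Internal": False, "RemovableMedia": True},
}


def sample_diskutil(args: list) -> bytes:
    """Stand-in for real_diskutil that serialises the constructed sample."""
    return plistlib.dumps(SAMPLE[tuple(args)])


def boot_whole_disk(run: Runner) -> str:
    """Installer default: the whole disk macOS is running from."""
    return plistlib.loads(run(["info", "/"]))["ParentWholeDisk"]


def is_internal_fixed(info: dict) -> bool:
    """Internal and not removable: no removable-volume permission needed."""
    return bool(info.get("Internal")) and not info.get("RemovableMedia", True)


def internal_root_disk(run: Runner) -> Optional[str]:
    """EC2 mode as described: first internal, non-removable whole disk
    other than the boot disk; None when the machine has no such disk."""
    boot = boot_whole_disk(run)
    for disk in plistlib.loads(run(["list"]))["WholeDisks"]:
        if disk != boot and is_internal_fixed(plistlib.loads(run(["info", disk]))):
            return disk
    return None


def needs_removable_access(run: Runner, disk: str) -> bool:
    """True if a daemon keeping /nix on `disk` would hit the removable-volume limitation."""
    return not is_internal_fixed(plistlib.loads(run(["info", disk])))
```

Swap `sample_diskutil` for `real_diskutil` to inspect a real Mac; on the constructed layout the default target needs removable-volume access and the internal target does not.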

@grahamc grahamc added the "upload to s3" label (The labeled PR is allowed to upload its artifacts to S3 for easy testing) Sep 30, 2024
@grahamc grahamc marked this pull request as ready for review October 1, 2024 01:07
@grahamc grahamc changed the title Support installing Nix on macOS on AWS EC2, without requiring a manual full-disk-encryption approval Support installing Nix on macOS on AWS EC2, without requiring a manual full-disk-access approval Oct 1, 2024
Flake lock file updates:

• Updated input 'determinate':
• Updated input 'determinate/determinate-nixd-aarch64-darwin':
• Updated input 'determinate/determinate-nixd-aarch64-linux':
• Updated input 'determinate/determinate-nixd-x86_64-linux':
• Updated input 'nixpkgs':
@grahamc grahamc merged commit c70ddc7 into main Oct 1, 2024
21 checks passed
@grahamc grahamc deleted the no-fda-ec2-macos branch October 1, 2024 13:55
@cole-h cole-h added this to the 0.27.0 milestone Nov 8, 2024