[Nix-dev] In multi-user Nix, let the daemon handle creation of GC roots

sbaugh at catern.com
Mon Jun 19 00:58:49 CEST 2017


Kevin Cox <kevincox at kevincox.ca> writes:
> So are you also going to stop the user from building new things? You
> would also have the problem if the user was inside their quota then
> started building something very large.

Hmm, in that situation the build should fail, and that failure would be
propagated back up to the user. Though that could be difficult to
implement, I agree, because builds don't necessarily take place using
the user's resource quota.

Things can get better if/when we use an intensional store, where the
user can perform the build themselves rather than have the nix-daemon
perform it on their behalf.

> I guess it wouldn't be bad to start allowing this sort of enforcement
> but I'm not sure how useful it would be in practice.

It's true, thinking it over more, I guess Unix traditionally doesn't
control creating new GC roots: You can hardlink anything you can read,
and dup() any file descriptor at all. So this kind of store quota policy
would be somewhat unnatural in Unix. I don't actually need/want it
myself, it was just an idea that I thought would be neat to support.
(The other uses of creating store roots over IPC still stand.)

> If you have two requests from the same user how do you segment them into
> container or some other division? If you can restrict the containers in
> some way couldn't you do this yourself by putting the links somewhere
> the container can't access?

You would pass in a proxy to the container. That is, you'd mount the
store into the container, as well as a socket which points to a
policy-implementing daemon. That policy-implementing daemon would
forward requests on to the real daemon.

> Same question as above, these sound like great goals but I don't see how
> the Nix daemon is going to be able to divide the requests according to
> capability.

Again, we could do this through proxying requests through a
policy-implementing daemon, which could identify requests based on
whatever authentication mechanism it wants.

To be clear, I'm not suggesting we actually add a ton of policy logic to
nix-daemon itself; sorry for not saying that at the start. But if we
added the ability for GC roots to be created through IPC requests, that
would allow others to put policy in between, through whatever means they
wish.
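A sketch of the policy-implementing proxy described above, added here as an example and not code from the thread or from Nix itself. It assumes a hypothetical line-oriented `ADD_ROOT <store-path>` request as a stand-in for the real nix-daemon wire protocol, identifies the caller with `SO_PEERCRED` (Linux only), and applies a constructed per-uid root quota before forwarding to the real daemon socket.

```python
import socket
import struct

# Constructed policy: uid 1000 may hold at most 2 GC roots through this proxy;
# uids absent from the table have a quota of 0. The proxy, not nix-daemon,
# owns this decision, which is the point of routing root creation over IPC.
MAX_ROOTS_PER_UID = {1000: 2}
roots_held = {}  # uid -> set of store paths rooted via this proxy


def decide(uid, line):
    """Return (allow, reply). Non-root requests pass through untouched;
    ADD_ROOT requests are checked against the caller's quota."""
    parts = line.strip().split(" ", 1)
    if parts[0] != "ADD_ROOT" or len(parts) != 2:
        return True, None
    path = parts[1]
    if not path.startswith("/nix/store/"):
        return False, "ERR path outside the store\n"
    held = roots_held.setdefault(uid, set())
    if path in held:
        return True, None  # re-rooting the same path costs nothing
    limit = MAX_ROOTS_PER_UID.get(uid, 0)
    if len(held) >= limit:
        return False, f"ERR quota: uid {uid} already holds {limit} roots\n"
    held.add(path)  # a real proxy would record this only after the daemon's OK
    return True, None


def peer_uid(conn):
    """The proxy's authentication mechanism: kernel-supplied peer credentials
    on the Unix socket mounted into the container (pid, uid, gid)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def handle(conn, upstream_path):
    """Relay one client connection to the real daemon, filtering by policy."""
    uid = peer_uid(conn)
    with conn, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as up:
        up.connect(upstream_path)
        for line in conn.makefile("r"):
            allow, reply = decide(uid, line)
            if allow:
                up.sendall(line.encode())
                conn.sendall(up.recv(4096))  # relay the daemon's answer
            else:
                conn.sendall(reply.encode())  # denied locally, never forwarded
```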
