Simplify multi-user installation instructions

Eelco Dolstra 2014-05-02 14:44:44 +02:00
parent 696f960dee
commit a8c31d5011


@ -308,7 +308,7 @@ a Trojan horse.</para>
<section><title>Single-user mode</title> <section><title>Single-user mode</title>
<para>In single-user mode, all Nix operations that access the database <para>In single-user mode, all Nix operations that access the database
in <filename><replaceable>prefix</replaceable>/var/nix/db</filename> in <filename><replaceable>prefix</replaceable>/var/nix/db</filename>
or modify the Nix store in or modify the Nix store in
@ -354,58 +354,21 @@ done by <systemitem class="username">root</systemitem>.</para></note>
<para>The <emphasis>build users</emphasis> are the special UIDs under <para>The <emphasis>build users</emphasis> are the special UIDs under
which builds are performed. They should all be members of the which builds are performed. They should all be members of the
<emphasis>build users group</emphasis> (usually called <emphasis>build users group</emphasis> <literal>nixbld</literal>.
<literal>nixbld</literal>). This group should have no other members. This group should have no other members. The build users should not
The build users should not be members of any other group.</para> be members of any other group. On Linux, you can create the group and
users as follows:
<para>Here is a typical <filename>/etc/group</filename> definition of
the build users group with 10 build users:
<programlisting>
nixbld:!:30000:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10
</programlisting>
In this example the <literal>nixbld</literal> group has UID 30000, but
of course it can be anything that doesnt collide with an existing
group.</para>
<para>Here is the corresponding part of
<filename>/etc/passwd</filename>:
<programlisting>
nixbld1:x:30001:65534:Nix build user 1:/var/empty:/noshell
nixbld2:x:30002:65534:Nix build user 2:/var/empty:/noshell
nixbld3:x:30003:65534:Nix build user 3:/var/empty:/noshell
...
nixbld10:x:30010:65534:Nix build user 10:/var/empty:/noshell
</programlisting>
The home directory of the build users should not exist or should be an
empty directory to which they do not have write access.</para>
<para>The build users should have write access to the Nix store, but
they should not have the right to delete files. Thus the Nix stores
group should be the build users group, and it should have the sticky
bit turned on (like <filename>/tmp</filename>):
<screen> <screen>
$ chown root.nixbld /nix/store $ groupadd -r nixbld
$ chmod 1775 /nix/store $ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
-d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
nixbld$n; done
</screen> </screen>
</para> This creates 10 build users. There can never be more concurrent builds
than the number of build users, so you may want to increase this if
<para>Finally, you should tell Nix to use the build users by you expect to do many builds at the same time.</para>
specifying the build users group in the <link
linkend="conf-build-users-group"><literal>build-users-group</literal>
option</link> in the <link linkend="sec-conf-file">Nix configuration
file</link> (usually <literal>/etc/nix/nix.conf</literal>):
<programlisting>
build-users-group = nixbld
</programlisting>
</para>
</section> </section>
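Review bot: the hunk removes the store-permission step (`$ chown root.nixbld /nix/store` / `$ chmod 1775 /nix/store`) and the paragraph instructing users to set `build-users-group = nixbld` in `/etc/nix/nix.conf`, but the new text adds nothing in their place; unless those instructions were moved elsewhere in this commit, a reader who follows the simplified steps creates the `nixbld` users yet never gives them write access to the store or tells Nix to use them, so multi-user builds will not work as intended. The removed explanation of why the build users' home directory should not exist or should be non-writable is also lost; `useradd -d /var/empty -M` preserves the behaviour, but a one-sentence rationale would be worth keeping. On the new command itself: `-s "$(which nologin)"` expands to an empty string when `nologin` is not on the invoking shell's PATH (it commonly lives in `/usr/sbin`), silently assigning the default shell, so an explicit path or a fallback such as `-s /usr/sbin/nologin` would be safer; and `-g nixbld -G nixbld` is redundant since the supplementary group equals the primary group.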