@Not_Oles said:
Install of LXC
What additional changes might be required, if any?
cgroups user delegation
subuid and subgid files
network bridge and lxc-usernet file
@terrorgen said:
The issue in the second link is closed and someone mentioned that they are able to run sh <(curl -L https://nixos.org/nix/install) to install nix on their alpine box. However, I am sure you need sudo, and the person who installed it would own /nix, so it may not work for metalvps if more than one user wants to use it.
Installing nix using the apk method would end up with an older version of it, and I am unsure if it can be upgraded to the latest version.
The 3rd link hosts a dockerfile to create a docker container of alpine+nix.
The fourth link may be dated since it says it is not possible to run nix in alpine. However, it is dated 2021 and there are at least two instances where nix has successfully worked in Alpine Linux.
What's your recommendation about what we should do at this time to enable Nix for everyone?
@terrorgen said: Thank you! Looks like I need to be added to the nix group to do anything meaningful.
Hi @terrorgen! You are more than welcome! Can you please give me a specific example of something you want to do that doesn't work? I am confused because the nix binary seems executable by everyone:
fmt:~# which nix
/usr/bin/nix
fmt:~# ls -l $(which nix)
-rwxr-xr-x 1 root root 3292400 Oct 9 14:45 /usr/bin/nix
fmt:~#
Thanks for any comments and insights! Best wishes!
To allow a Nix store to be shared safely among multiple users, it is important that users are not able to run builders that modify the Nix store or database in arbitrary ways, or that interfere with builds started by other users. If they could do so, they could install a Trojan horse in some package and compromise the accounts of other users.
To prevent this, when an unprivileged user runs a Nix command, actions that operate on the Nix store (such as builds) are forwarded to a Nix daemon running under the owner of the Nix store/database that performs the operation.
To limit which users can perform Nix operations, you can use the permissions on the directory /nix/var/nix/daemon-socket.
In Alpine, /nix/var/nix/daemon-socket is owned by root:nix, so whoever wants to run nix would need to be in the nix group.
@fluttershy said: I did want to thank @Not_Oles for always being so friendly. Makes me smile seeing how nice you are to everyone here.
Hi @fluttershy! Thanks for your kind words! Hope you do not mind, but I couldn't resist adding them to my OP. If you ever decide you want an account, you're more than welcome! Cheers! Tom
Thanks for your helpful post! What do you and other guys here think of what I did below?
fmt:~# which usermod
fmt:~#
[Some googling. . . .]
fmt:~# addgroup
BusyBox v1.35.0 (2022-11-19 10:13:10 UTC) multi-call binary.
Usage: addgroup [-g GID] [-S] [USER] GROUP
Add a group or add a user to a group
-g GID Group id
-S Create a system group
fmt:~# ls -l /nix/var/nix/daemon-socket
total 0 # Not running now? Does root need to start it? Maybe it starts when someone calls `nix`?
fmt:~# grep nix /etc/group
nix:x:102:
nixbld:x:103:nixbld0,nixbld1,nixbld2,nixbld3
fmt:~# addgroup terrorgen nix
fmt:~# grep nix /etc/group
nix:x:102:terrorgen
nixbld:x:103:nixbld0,nixbld1,nixbld2,nixbld3
fmt:~#
Reminder about upcoming maintenance!
MetalVPS
You know Imma lose millions with this downtime. I can't believe you would do this to me. Imma be ruined and it is all my fault.
"I would have gotten away with it too, if it wasn't for that meddling Frankz and Mason!!"
Some Amazonian creatures can update their databases with Zero downtime. Metallic antiquities are equally shiny but in different ways, n'est ce pas? 🍫
Oui!
@AuroraZero
Having read a few of your posts in other threads, I genuinely and deeply admire your facility with language! And your sense of humor!
Your sense of humor reminds me of some of my very favorite people, the Porkers. 🐷 Oink! 🐷
May I please ask, are you, by any chance, a Porker? 🐷
Nah but it has been awhile since I have heard of them. I am just a Yeti mucking about and being myself that is all.
Install of LXC
@yoursunny and @everyone Probably /etc/network/interfaces needs to be changed. Right now:
What additional changes might be required, if any?
Friendly greetings!
Tom
Webhosting24 aff best VPS; ServerFactory aff best VDS; Cloudie best ASN; Huel aff best brotein.
Thank you! I am happy to Google around for these and see what I can learn. If you want to provide hints, things might go a little faster, but whatever happens is fine.
Also, only if you have both time and interest, may I please bump a previous set of questions that I asked?
Best wishes from Sonora! 🏜️
Docker
Have fun!
GCC
Have fun!
Go
Vim
Yaaay!
User must be in the docker group in order to use Docker. Otherwise, all we get is:
However, adding someone to the docker group is equivalent to granting them root privilege.
For BGP daemon, either LXC or KVM can work.
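Two posts in this thread make the same point from different sides: terrorgen's summary of Nix multi-user mode (connecting to the daemon is gated by the root:nix ownership of /nix/var/nix/daemon-socket) and yoursunny's warning that docker group membership is root-equivalent (the daemon listens on a root-owned socket whose group is docker). In both cases "who can talk to the daemon" is decided by the owner, group and mode of one filesystem object plus the membership list of that group. The script below is an added example, not code from the thread nor from the Nix, Docker or Alpine projects. It assumes a Linux host with `stat -c` (GNU coreutils or BusyBox both provide it), the conventional Docker socket path /var/run/docker.sock, and a constructed /etc/group-style sample; the mode values in the demo are likewise constructed.

```shell
#!/bin/sh
# Added example (not from the thread, Nix or Docker): who can reach a
# root-owned control socket? Nix gates /nix/var/nix/daemon-socket, a
# directory, so connecting needs its x (search) bit; Docker gates
# /var/run/docker.sock, a socket file, so connecting needs its w bit.
# Either way the answer is "owner plus members of the owning group", and
# for the docker group that means root-equivalent access.

# has_bit DIGIT MASK: is permission bit MASK (4=r, 2=w, 1=x) set in octal DIGIT?
has_bit() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# group_members GROUP GROUPFILE: space-separated supplementary members of
# GROUP as listed in an /etc/group-format file (primary groups are ignored).
group_members() {
    awk -F: -v g="$1" '
        $1 == g {
            n = split($4, u, ",")
            s = ""
            for (i = 1; i <= n; i++) if (u[i] != "") s = s (s == "" ? "" : " ") u[i]
            print s
        }' "$2"
}

# who_can_connect KIND OWNER GROUP MODE GROUPFILE
#   KIND is "dir" (x bit gates connect, the Nix case) or "sock" (w bit
#   gates connect, the Docker case). Prints "everyone" if the world bit is
#   set; otherwise the owner (if the owner bit is set) followed by the
#   members of the owning group (if the group bit is set).
who_can_connect() {
    kind=$1 owner=$2 group=$3 mode=$4 gfile=$5
    case "$kind" in
        dir)  need=1 ;;
        sock) need=2 ;;
        *) echo "who_can_connect: kind must be dir or sock" >&2; return 2 ;;
    esac
    # keep the last three octal digits (drops a leading setuid/setgid/sticky digit)
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    if has_bit "$o" "$need"; then
        echo everyone
        return 0
    fi
    out=""
    if has_bit "$u" "$need"; then out=$owner; fi
    if has_bit "$g" "$need"; then
        m=$(group_members "$group" "$gfile")
        [ -n "$m" ] && out="${out:+$out }$m"
    fi
    echo "$out"
}

# audit_socket KIND PATH GROUPFILE: same check, but OWNER GROUP MODE are read
# from the live filesystem (assumed path; returns 1 if it is not present).
audit_socket() {
    [ -e "$2" ] || { echo "$2: not present"; return 1; }
    set -- "$1" $(stat -c '%U %G %a' "$2") "$3"
    who_can_connect "$@"
}

# Constructed sample group file mirroring the thread (nix:x:102:terrorgen
# is what /etc/group showed after `addgroup terrorgen nix`).
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
nix:x:102:terrorgen
nixbld:x:103:nixbld0,nixbld1,nixbld2,nixbld3
docker:x:104:alice,bob
EOF
echo "nix daemon-socket dir, root:nix 750:  $(who_can_connect dir root nix 750 "$SAMPLE_GROUP")"
echo "docker.sock, root:docker 660:         $(who_can_connect sock root docker 660 "$SAMPLE_GROUP")"
echo "docker.sock after a careless chmod 666: $(who_can_connect sock root docker 666 "$SAMPLE_GROUP")"
# On a real host, check the live objects (assumed paths; absent here is fine):
audit_socket dir  /nix/var/nix/daemon-socket /etc/group || true
audit_socket sock /var/run/docker.sock       /etc/group || true
rm -f "$SAMPLE_GROUP"
```

The output is the list of accounts that get whatever the daemon behind the socket can do, so for docker.sock it is the list of accounts to treat as root when reviewing who is on the box; for the Nix socket it is the list of accounts able to submit builds to the shared store. A world bit on either object makes the group irrelevant, which is why the check reports "everyone" before looking at the group at all.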
Python3 + Vim upgrade
Thanks to @yoursunny for his comment above concerning the Docker install.
Additional questions and comments on any of today's installs are respectfully requested! Thank you!
@Not_Oles Just bumping up incase you missed my comment
https://lowendspirit.com/discussion/comment/116210#Comment_116210
Thank you! Looks like I need to be added to the nix group to do anything meaningful.
The all seeing eye sees everything...
Not trying to argue with you, cuz I admit to being clueless™ about Docker. However, there seems to be: https://docs.docker.com/engine/security/rootless/
If anybody is interested in running Docker, we can talk about this topic some more.
Now that I had a moment to think about it, I believe I recall seeing some of this in the LXC install instructions. I will take another look tomorrow.
Thanks again! Friendly greetings!
Hi!
Thanks for the bump! You are right that I missed your comment! So sorry!
Please try something like:
ssh [email protected] -p 42365
Please let us know if you can get in.
Your password is in a file in your home directory. Please feel free to change it.
Please feel free to continue posting here in the thread if you have any questions or concerns. We are delighted to have you with us! Welcome to MetalVPS!
Kindest regards,
Tom
Podman is similar to Docker.
Without root privilege, maybe we can run containers with rootless Podman instead of Docker.
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
What advantages does Podman have over Docker?
Even docker offers rootless containers I believe
@Not_Oles it would be worth a try for rootless docker.
Would love to try the rootless Docker @Not_Oles 😅
https://microlxc.net/
Even docker offers rootless containers I believe
Rootless Docker can be run by one non-root user; rootless Podman can be run by more than one non-root user.
For each user that will be allowed to create containers using Podman.
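Two posts in this thread land on the same prerequisite: yoursunny's list of what LXC needs includes "subuid and subgid files", and the rootless Podman tutorial linked above requires an entry for each user who will be allowed to create containers. The script below is an added example, not code from the thread nor from the Podman, LXC or Alpine projects. It maintains USER:START:COUNT lines in an /etc/subuid- or /etc/subgid-format file and refuses to hand two users overlapping ranges, because with an overlap a file written from inside one user's container is owned by an id that sits inside another user's range. The sample entries, user names, the 65536 count and the 100000 floor are constructed or assumed (65536 per user starting at 100000 is the common convention, not something the thread states), and the file paths in the closing comment are assumed.

```shell
#!/bin/sh
# Added example (not from the thread, Podman, LXC or Alpine): keep per-user
# subordinate id ranges non-overlapping. BusyBox on Alpine has no usermod
# (the thread shows `which usermod` returning nothing), so the lines are
# written directly. The same functions apply to /etc/subuid and /etc/subgid.

# subid_overlaps FILE: print each pair of users whose ranges intersect
# ("a b", one pair per line); exit status 1 if any pair was found.
subid_overlaps() {
    awk -F: '
        NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            n++; user[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) { print user[i], user[j]; found = 1 }
            exit found ? 1 : 0
        }' "$1"
}

# next_free_range FILE COUNT MIN: lowest START >= MIN such that
# [START, START+COUNT) touches none of the ranges already in FILE.
next_free_range() {
    awk -F: -v count="$2" -v start="$3" '
        NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { n++; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            # push START past every range it collides with until it collides with none
            while (1) {
                moved = 0
                for (i = 1; i <= n; i++)
                    if (start <= hi[i] && lo[i] <= start + count - 1) { start = hi[i] + 1; moved = 1 }
                if (!moved) break
            }
            print start
        }' "$1"
}

# add_subid_range USER FILE [COUNT] [MIN]: append USER:START:COUNT using the
# first free START (>= MIN, default 100000, clear of real account ids),
# unless USER already has an entry. Prints the START now in use for USER.
add_subid_range() {
    user=$1 file=$2 count=${3:-65536} min=${4:-100000}
    existing=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    start=$(next_free_range "$file" "$count" "$min")
    printf '%s:%s:%s\n' "$user" "$start" "$count" >> "$file"
    echo "$start"
}

# Constructed sample: two users already set up, the second range mis-typed
# so that it overlaps the first.
SAMPLE=$(mktemp)
printf 'alice:100000:65536\nbob:150000:65536\n' > "$SAMPLE"
echo "overlapping pairs before fixing:"
subid_overlaps "$SAMPLE" || echo "(fix these before adding anyone else)"
# Drop bob's bad line, re-add him in the first free slot, then add a third user.
sed -i '/^bob:/d' "$SAMPLE"
echo "bob now starts at $(add_subid_range bob "$SAMPLE")"
echo "terrorgen now starts at $(add_subid_range terrorgen "$SAMPLE")"
cat "$SAMPLE"
subid_overlaps "$SAMPLE" && echo "no overlaps"
rm -f "$SAMPLE"
# On a real host (as root, paths assumed):
#   add_subid_range "$USER" /etc/subuid; add_subid_range "$USER" /etc/subgid
```

Run subid_overlaps on both files after every change; its exit status is meant for a cron job or a configuration check, and a non-zero result means two accounts share container ids until one of them is re-allocated.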
From https://nixos.org/manual/nix/stable/installation/multi-user.html#multi-user-mode, cherry picking information relevant to the discussion here:
This morning's updates
I don't want an account, but I did want to thank @Not_Oles for always being so friendly. Makes me smile seeing how nice you are to everyone here.
Hi @terrorgen!
What else needs to be done?
Best wishes and kindest regards,
Tom
rc-update add nix-daemon
rc-service nix-daemon start
Good morning everyone! Today's updates, including Nix update. Also, I enabled and started nix-daemon per @terrorgen's request. Have a great day! 🌅
@terrorgen When you have time, please let us know if Nix now works okay for you. Thank you very much!