Merge pull request #625 from nix-community/image-fixes

Fix building images when non-binary reproducible builds are present

Author: Lassulus

disko-install

@@ -207,11 +207,13 @@ main() {
     --arg diskMappings "$(serialiaseArrayToNix diskMappings)" \
     --argstr extraSystemConfig "$extraSystemConfig" \
     -A installToplevel \
+    -A closureInfo \
     -A "$diskoAttr")
 
   IFS=$'\n' mapfile -t artifacts <<<"$outputs"
   nixos_system=${artifacts[0]}
-  disko_script=${artifacts[1]}
+  closure_info=${artifacts[1]}
+  disko_script=${artifacts[2]}
 
   if [[ -n ${dry_run-} ]]; then
     echo "Would run: $disko_script"
@@ -227,6 +229,19 @@ main() {
     cp -ar "$source" "$mountPoint/$destination"
   done
 
+  # nix copy uses up a lot of memory and we work around issues with incorrect checksums in our store
+  # that can be caused by using closureInfo in combination with multiple builders and non-deterministic builds.
+  # Therefore if we have a blank store, we copy the store paths and registration from the closureInfo.
+  if [[ ! -d "${mountPoint}/nix/store" ]]; then
+    export NIX_STATE_DIR=${mountPoint}/nix/var/nix
+    echo "Copying store paths" >&2
+    mkdir -p "${mountPoint}/nix/store"
+    xargs cp --recursive --target "${mountPoint}/nix/store"  < "${closure_info}/store-paths"
+    echo "Loading nix database" >&2
+    nix-store --load-db < "${closure_info}/registration"
+    unset NIX_STATE_DIR
+  fi
+
   nixos-install --no-root-password --system "$nixos_system" --root "$mountPoint"
 }
 

disko-install.nix

@@ -197,9 +197,10 @@ Add this to your flake.nix output:
 { pkgs, self, ... }:
 let
   dependencies = [
-    pkgs.stdenv.drvPath
     self.nixosConfigurations.your-machine.config.system.build.toplevel
     self.nixosConfigurations.your-machine.config.system.build.diskoScript
+    self.nixosConfigurations.your-machine.pkgs.stdenv.drvPath
+    (self.nixosConfigurations.your-machine.pkgs.closureInfo { rootPaths = [ ]; }).drvPath
   ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
 
   closureInfo = pkgs.closureInfo { rootPaths = dependencies; };

docs/disko-install.md

@@ -62,5 +62,8 @@ let
 in
 {
   installToplevel = installSystem.config.system.build.toplevel;
+  closureInfo = installSystem.pkgs.closureInfo {
+    rootPaths = [ installSystem.config.system.build.toplevel ];
+  };
   inherit (diskoSystem.config.system.build) formatScript mountScript diskoScript;
 }

install-cli.nix

@@ -38,6 +38,10 @@ let
     ${lib.concatMapStringsSep "\n" (disk: "mv ${disk.name}.raw \"$out\"/${disk.name}.raw") (lib.attrValues nixosConfig.config.disko.devices.disk)}
     ${extraPostVM}
   '';
+
+  closureInfo = pkgs.closureInfo {
+    rootPaths = [ systemToInstall.config.system.build.toplevel ];
+  };
   partitioner = ''
     # running udev, stolen from stage-1.sh
     echo "running udev..."
@@ -53,16 +57,19 @@ let
     udevadm trigger --action=add
     udevadm settle
 
-    # populate nix db, so nixos-install doesn't complain
-    export NIX_STATE_DIR=$TMPDIR/state
-    nix-store --load-db < ${pkgs.closureInfo {
-      rootPaths = [ systemToInstall.config.system.build.toplevel ];
-    }}/registration
-
     ${systemToInstall.config.system.build.diskoScript}
   '';
+
   installer = ''
-    ${systemToInstall.config.system.build.nixos-install}/bin/nixos-install --system ${systemToInstall.config.system.build.toplevel} --keep-going --no-channel-copy -v --no-root-password --option binary-caches ""
+    # populate nix db, so nixos-install doesn't complain
+    export NIX_STATE_DIR=${systemToInstall.config.disko.rootMountPoint}/nix/var/nix
+    nix-store --load-db < "${closureInfo}/registration"
+
+    # We copy files with cp because `nix copy` seems to have a large memory leak
+    mkdir -p ${systemToInstall.config.disko.rootMountPoint}/nix/store
+    xargs cp --recursive --target ${systemToInstall.config.disko.rootMountPoint}/nix/store < ${closureInfo}/store-paths
+
+    ${systemToInstall.config.system.build.nixos-install}/bin/nixos-install --root ${systemToInstall.config.disko.rootMountPoint} --system ${systemToInstall.config.system.build.toplevel} --keep-going --no-channel-copy -v --no-root-password --option binary-caches ""
     umount -Rv ${systemToInstall.config.disko.rootMountPoint}
   '';
   QEMU_OPTS = lib.concatMapStringsSep " " (disk: "-drive file=${disk.name}.raw,if=virtio,cache=unsafe,werror=report,format=raw") (lib.attrValues nixosConfig.config.disko.devices.disk);

lib/make-disk-image.nix

@@ -1,9 +1,10 @@
 { pkgs ? import <nixpkgs> { }, self }:
 let
-  disko-install = pkgs.callPackage ../../disko-install.nix { };
+  disko = pkgs.callPackage ../../package.nix { };
 
   dependencies = [
-    pkgs.stdenv.drvPath
+    self.nixosConfigurations.testmachine.pkgs.stdenv.drvPath
+    (self.nixosConfigurations.testmachine.pkgs.closureInfo { rootPaths = []; }).drvPath
     self.nixosConfigurations.testmachine.config.system.build.toplevel
     self.nixosConfigurations.testmachine.config.system.build.diskoScript
   ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
@@ -36,9 +37,9 @@ pkgs.nixosTest {
     permission = machine.succeed("stat -c %a /tmp/age.key").strip()
     assert permission == "600", f"expected permission 600 on /tmp/age.key, got {permission}"
 
-    machine.succeed("${disko-install}/bin/disko-install --disk main /dev/vdb --extra-files /tmp/age.key /var/lib/secrets/age.key --flake ${../..}#testmachine")
+    machine.succeed("${disko}/bin/disko-install --disk main /dev/vdb --extra-files /tmp/age.key /var/lib/secrets/age.key --flake ${../..}#testmachine")
     # test idempotency
-    machine.succeed("${disko-install}/bin/disko-install --mode mount --disk main /dev/vdb --flake ${../..}#testmachine")
+    machine.succeed("${disko}/bin/disko-install --mode mount --disk main /dev/vdb --flake ${../..}#testmachine")
     machine.shutdown()
 
     new_machine = create_test_machine(oldmachine=machine, args={ "name": "after_install" })