From a8c31d501185c42de477a7e833af956d68e095c3 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 2 May 2014 14:44:44 +0200 Subject: [PATCH] Simplify multi-user installation instructions --- doc/manual/installation.xml | 61 ++++++++----------------------------- 1 file changed, 12 insertions(+), 49 deletions(-) diff --git a/doc/manual/installation.xml b/doc/manual/installation.xml index a714091060..423bef5e22 100644 --- a/doc/manual/installation.xml +++ b/doc/manual/installation.xml @@ -308,7 +308,7 @@ a Trojan horse.
Single-user mode - + In single-user mode, all Nix operations that access the database in prefix/var/nix/db or modify the Nix store in @@ -354,58 +354,21 @@ done by root. The build users are the special UIDs under which builds are performed. They should all be members of the -build users group (usually called -nixbld). This group should have no other members. -The build users should not be members of any other group. - -Here is a typical /etc/group definition of -the build users group with 10 build users: - - -nixbld:!:30000:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10 - - -In this example the nixbld group has UID 30000, but -of course it can be anything that doesn’t collide with an existing -group. - -Here is the corresponding part of -/etc/passwd: - - -nixbld1:x:30001:65534:Nix build user 1:/var/empty:/noshell -nixbld2:x:30002:65534:Nix build user 2:/var/empty:/noshell -nixbld3:x:30003:65534:Nix build user 3:/var/empty:/noshell -... -nixbld10:x:30010:65534:Nix build user 10:/var/empty:/noshell - - -The home directory of the build users should not exist or should be an -empty directory to which they do not have write access. - -The build users should have write access to the Nix store, but -they should not have the right to delete files. Thus the Nix store’s -group should be the build users group, and it should have the sticky -bit turned on (like /tmp): +build users group nixbld. +This group should have no other members. The build users should not +be members of any other group. On Linux, you can create the group and +users as follows: -$ chown root.nixbld /nix/store -$ chmod 1775 /nix/store +$ groupadd -r nixbld +$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \ + -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \ + nixbld$n; done - - -Finally, you should tell Nix to use the build users by -specifying the build users group in the build-users-group -option in the Nix configuration -file (usually /etc/nix/nix.conf): - - -build-users-group = nixbld - - - +This creates 10 build users. There can never be more concurrent builds +than the number of build users, so you may want to increase this if +you expect to do many builds at the same time.