Skip to content

nixos/lib/make-disk-image.nix: fix to reserve correct number of inodes#280

Open
chessai-ar wants to merge 62 commits into
awakesecurity:mainfrom
chessai-ar:chessai/increase-required-inodes-in-make-disk-image
Open

nixos/lib/make-disk-image.nix: fix to reserve correct number of inodes#280
chessai-ar wants to merge 62 commits into
awakesecurity:mainfrom
chessai-ar:chessai/increase-required-inodes-in-make-disk-image

Conversation

@chessai-ar

@chessai-ar chessai-ar commented Mar 9, 2026

Copy link
Copy Markdown
Collaborator

This is a re-work of the commit at NixOS#292737.

If disk size computation is set to auto in nixos/lib/make-disk-image.nix, it computes the required space for the disk image by measuring the closure size that is to be copied onto the image. This computation takes into account the number of required inodes. However, when creating the disk image, the number of required inodes is not explicitly specified, so that mkfs.${fsType} uses the default inode ratio (which seems to be 1 inode for every 16384 bytes for ext4). This might be too low; see for example the failing example flake given in NixOS#292737. In that case, builds may fail with the error cptofs failed. diskSize might be too small for closure. during the call to cp2fs.

To avoid this, this pull request sets the number of inodes (multiplied with a factor compute_fudge that was already used in the storage calculation to add some margin) explicitly during the call to mkfs.${fsType} using the -N flag of mkfs.ext4. It also adds some additional logging output concerning the number of calculated inodes.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

cookiebaker444 and others added 30 commits January 6, 2026 11:51
To configure necessary timeouts and parameterize user/group.
To avoid the situation where a service unit file may have a [Unit] but
no valid [Service].

This warning is explicitly omitted for some services that are generated
by packages instead of by the systemd module.

Co-authored-by: Parnell Springmeyer <parnell@arista.com>
                Mel Zuser <mel.zuser@arista.com>
                Tomas Drtina <tdrtina-ext@arista.com>
Co-Authored-By: John Soo <jsoo1@users.noreply.github.com>
mailsend-go is a rewrite of mailsend in go.

mailsend is not receiving feature updates as of 2019-02-11.
Introduces clickhouse-jdbc, liquibase-clickhouse Java modules.
Uses liquibase-clickhouse local version to avoid use of obsolete clickhouse-jdbc
Make clickhouse users.xml configurable
Use `shaded` uberjar for liquibase-clickhouse to avoid managing transitive dependencies.
This change adds a derivation for the [`terraform-cloud-agent`][1]
executable and a NixOS module that defines a systemd service for
running that agent.

[1]: https://developer.hashicorp.com/terraform/cloud-docs/agents.

`stripRoot = false`

Specify the hash

Install tfc-agent binaries to `$out/bin`

Declare the `mainProgram` metadata for this package

... so that it can be used with `lib.getExe`.

Use `lib.getExe`

Suggested by @jsoo1.

Use freeformType for NixOS options that are turned into flags

Suggested by @jsoo1.

No need to guard on whether `cache-dir` and `data-dir` are null

Suggested by @jsoo1.

Ensure `/etc/terraform-cloud-agent/`

Suggested by @jsoo1.

Use the systemd-configured configuration directory

Use the standard systemd environment identifiers `%S` and `%C`

Suggested by @jsoo1.

Add `user` and `group` and drop privileges

Rider: add sandoxing arguments cribbed from the nginx module.

Just give the `flags` attrset as an argument

Sequence after `network-online.target` instead

... since that's what we really mean.

Add doc strings and examples
- preActivationHook is inserted after: nix-build before:
switch-to-configuration
- postActivationHook is inserted after: switch-to-configuration before:
reboot
Since the configuration assumes nscd.conf exists and nss is configured
Ma27 and others added 22 commits February 5, 2026 23:03
Creating the build directory in `..` may be OK in a sandbox, but this
makes it unnecessarily annoying when trying to work with this in a
source-checkout.

Hence, move the `build/` directory into the source tree.
Closes NixOS#482394

Seems like low-severity, given

> There is no known application impact for this CVE, and the
> feature is generally non-functional with the two flags.

(from https://sourceware.org/bugzilla/show_bug.cgi?id=33814)
The string returned by confstr(_CS_PATH)[*1], which is also the
output of the command 'getconf PATH'[*2], contains a default path
that is guaranteed to find (at least) all POSIX standard utilities.
The current value is:

    /run/current-system/sw/bin:/bin:/usr/bin

The default profile binaries directory is not in it. This is a problem
because the default NixOS installation lacks several mandatory standard
POSIX utilities. The command recommended by the system's error message
for a missing command to install a missing package foo is 'nix-env -iA
nixos.foo'. When this is done as root, the corresponding binaries are
installed for all users in /nix/var/nix/profiles/default/bin.

This commit fixes these problems as follows:

pkgs/development/libraries/glibc/fix_path_attribute_in_getconf.patch:
- CS_PATH: Add default profile path '/nix/var/nix/profiles/default/bin'
  at the end.
- Retain /bin:/usr/bin; it is necessary for third-party sytems that use
  nixpkgs, linking against the nixpkgs version of glibc. It is retained
  *before* the profile directory to avoid overriding native system
  utilities on these systems (at least those that in fact store them in
  /bin and /usr/bin).

[*1] https://pubs.opengroup.org/onlinepubs/9799919799/functions/confstr.html
[*2] https://pubs.opengroup.org/onlinepubs/9799919799/utilities/getconf.html

Fixes: NixOS#65512
Failing Hydra build: https://hydra.nixos.org/build/308320851

Upstream bug report: https://bugs.openjdk.org/browse/JDK-8354941
Only patching JDK8, newer versions received backports.
The second item (severity: High) has possible unauthenticated RCE:
https://www.openwall.com/lists/oss-security/2026/01/27/5
https://github.com/openssl/openssl/blob/openssl-3.6.1/CHANGES.md#openssl-36

The patches differ in whitespace only, as that's what upstream changed.
@chessai-ar chessai-ar marked this pull request as draft March 9, 2026 16:41
If disk size computation is set to auto in nixos/lib/make-disk-image.nix, it computes the required space for the disk image by measuring the closure size that is to be copied onto the image. This computation takes into account the number of required inodes. However, when creating the disk image, the number of required inodes is not explicitly specified, so that mkfs.${fsType} uses the default inode ratio (which seems to be 1 inode for every 16384 bytes for ext4). This might be too low; see for example the failing example flake given in NixOS#292737. In that case, builds may fail with the error cptofs failed. diskSize might be too small for closure. during the call to cp2fs.

To avoid this, this pull request sets the number of inodes (multiplied with a factor compute_fudge that was already used in the storage calculation to add some margin) explicitly during the call to mkfs.${fsType} using the -N flag of mkfs.ext4. It also adds some additional logging output concerning the number of calculated inodes.

Co-authored-by: chessai <chessai@arista.com>
@chessai-ar chessai-ar force-pushed the chessai/increase-required-inodes-in-make-disk-image branch from 5bbbc14 to 5c0532e Compare March 9, 2026 17:06
@chessai-ar chessai-ar marked this pull request as ready for review March 9, 2026 17:51
}

echo "copying staging root to image..."
cptofs -p ${lib.optionalString (partitionTableType != "none") "-P ${rootPartition}"} \

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you want to add any flags to cptofs?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will be a subsequent PR after patching nixpkgs, this version of lkl is about 6 months too old for that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.