nixos/systemd/initrd: follow init param symlinks

[Majiir]

Description of changes

Fixes an incompatibility between boot.initrd.systemd and boot.loader.generationsDir. Fixes #219767.

The initrd-nixos-activation service determines which system closure to activate by inspecting the init kernel parameter. It assumes that the init parameter is a full path to the system closure, such that taking dirname and appending /prepare-root will point to the right script.

However, some boot loaders pass an init path which includes symlinks. For example, on a system using boot.loader.generationsDir, init=/boot/default/init where /boot/default is a symlink to a folder like /boot/system-38, which in turn contains init, a symlink to the init script in the system closure in the Nix store. This setup breaks with boot.initrd.systemd because the initrd-nixos-activation script fails to find and activate the system.

This change resolves symlinks in the init parameter. It does this by repeatedly calling readlink -m because the filesystem is mounted at /sysroot, so absolute symlinks will terminate symlink resolution. It now uses chroot.

Testing

Tested booting with these configurations:

• systemd-boot (init = absolute path)
• generationsDir with nixos/generations-dir: Improve symlinking in /boot #198728 (init = relative link -> absolute link -> absolute path)

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • armv7l-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
    • systemd-initrd-simple
    • systemd-initrd-btrfs-raid
    • systemd-initrd-networkd
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/2467

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/2550

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/2683

[ElvishJerricco]

Wouldn't it be better to just chroot into /sysroot and run realpath, rather than writing a custom bash loop?

[Majiir]

Wouldn't it be better to just chroot into /sysroot and run realpath, rather than writing a custom bash loop?

Yes, I agree. I think I got stuck on what path to use for realpath inside chroot. We don't know the system closure yet, so we can't go to sw/bin. Do we mount the initrd store temporarily to get its realpath? Bake in a store path from the actual store into initrd?

[ElvishJerricco]

Well, the coreutils in use by initrd should exist in /sysroot, right? So just use the one that's already on PATH, expecting it to exist in /sysroot post-chroot?

I guess it's technically possible that the coreutils in initrd has been overriden or something like such that it isn't part of the system generation's runtime dependencies, but that seems like it isn't worth working around.

[Majiir]

Updated to use chroot and re-tested.

[philiptaron]

$ journalctl -b -u initrd-nixos-activation
Feb 21 08:16:34 localhost systemd[1]: initrd-nixos-activation.service: starting held back, waiting for: initrd-fs.target
Feb 21 08:16:37 localhost systemd[1]: initrd-nixos-activation.service: Reinstalled deserialized job initrd-nixos-activation.service/start as 33
Feb 21 08:16:37 localhost systemd[1]: initrd-nixos-activation.service: starting held back, waiting for: initrd-fs.target
Feb 21 08:16:37 localhost systemd[1]: initrd-nixos-activation.service: AssertPathExists=/etc/initrd-release succeeded.
Feb 21 08:16:37 localhost systemd[1]: initrd-nixos-activation.service: Will spawn child (service_enter_start): /nix/store/ck5cf7fg48r7jh1w8fxgri5kqs5gy1hn-unit-script-initrd-nixos-activation-start/bin/initrd-nixos-activation-start
Feb 21 08:16:37 localhost systemd[1]: initrd-nixos-activation.service: Passing 0 fds to service
Feb 21 08:16:37 localhost systemd[1]: initrd-nixos-activation.service: About to execute: /nix/store/ck5cf7fg48r7jh1w8fxgri5kqs5gy1hn-unit-script-initrd-nixos-activation-start/bin/initrd-nixos-activation-start
Feb 21 08:16:37 localhost systemd[1]: initrd-nixos-activation.service: Forked /nix/store/ck5cf7fg48r7jh1w8fxgri5kqs5gy1hn-unit-script-initrd-nixos-activation-start/bin/initrd-nixos-activation-start as 486
Feb 21 08:16:37 localhost systemd[1]: initrd-nixos-activation.service: Changed dead -> start
Feb 21 08:16:37 localhost systemd[1]: Starting NixOS Activation...
Feb 21 08:16:37 localhost (on-start)[486]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Feb 21 08:16:37 localhost (on-start)[486]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Feb 21 08:16:37 localhost initrd-nixos-activation-start[486]: booting system configuration /nix/store/vh11rbcx3w3innm2q2x2rsnydlynlg1p-nixos-system-zebul-24.05.20240218.58a3738
Feb 21 08:16:37 localhost initrd-nixos-activation-start[486]: running activation script...
Feb 21 08:16:38 localhost initrd-nixos-activation-start[517]: setting up /etc...
Feb 21 08:16:38 localhost systemd[1]: initrd-nixos-activation.service: Child 486 belongs to initrd-nixos-activation.service.
Feb 21 08:16:38 localhost systemd[1]: initrd-nixos-activation.service: Main process exited, code=exited, status=0/SUCCESS (success)
Feb 21 08:16:38 localhost systemd[1]: initrd-nixos-activation.service: Deactivated successfully.
Feb 21 08:16:38 localhost systemd[1]: initrd-nixos-activation.service: Service will not restart (restart setting)
Feb 21 08:16:38 localhost systemd[1]: initrd-nixos-activation.service: Changed start -> dead
Feb 21 08:16:38 localhost systemd[1]: initrd-nixos-activation.service: Job 33 initrd-nixos-activation.service/start finished, result=done
Feb 21 08:16:38 localhost systemd[1]: Finished NixOS Activation.
Feb 21 08:16:38 localhost systemd[1]: initrd-nixos-activation.service: Consumed 136ms CPU time.
Feb 21 08:16:38 localhost systemd[1]: initrd-nixos-activation.service: Releasing resources...
Feb 21 08:16:38 zebul systemd[1]: initrd-nixos-activation.service: Collecting.

[Majiir]

I ran into errors related to the chroot change while setting up a new Raspberry Pi. Marking this as draft until I can figure out the cause.

[Majiir]

Nevermind, the issue was something else. And now I've tested this change with extlinux.

[philiptaron]

Is there anything that prevents this PR from being merged?

[ElvishJerricco]

@ofborg test systemd-initrd-simple

[philiptaron]

Unrelated error, but otherwise successful.

machine # [ 6.995250] dbus-daemon[610]: dbus[610]: Unknown username "systemd-timesync" in message bus configuration file