make-disk-image: allow pre/post format files in vm #778
Conversation
| type = lib.types.attrsOf (lib.types.either lib.types.str lib.types.path); | ||
| description = '' | ||
| Files to copy into the image builder VM before disko is run. | ||
| This is useful to provide secrets like LUKS keys, or other files you need for formatting. |
There was a problem hiding this comment.
Should we not have a disclaimer, that this leaks secrets into the nix store?
For image builder that runs outside of the nix store, we have a parameter that can be used instead.
There was a problem hiding this comment.
A warning that it could leak is probably a good idea.
But the second variant of passing a shell snippet should be usable without leaking secrets into the store? i.e.
preFormatFiles."/tmp/secret" = "cat /my-secret-out-side-nix store > $out" shouldn't leak. $out is just a tempfile here, see prepareFiles above.
There was a problem hiding this comment.
"cat /my-secret-outside-nix > $out" doesn't work:
error: builder for '/nix/store/ragb6hgfl9wvdyb9g6721mfyymn3w0mg-myvm-disko-images.drv' failed with exit code 1;
last 2 log lines:
> Formatting 'main.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=1073741824 lazy_refcounts=off refcount_bits=16
> cat: /path/to/secret.txt: No such file or directory
I think this is because the cat command is being executed inside the builder sandbox, so it cannot access files outside the store, or something like that.
There was a problem hiding this comment.
Is it not possible to add the files outside of nix's build process (e.g. via a shell script run externally by disko)? I think leaking secrets like this is a huge footgun. Maybe we should have a new command that can perform all these necessary operations outside of nix e.g. disko-vm.
There was a problem hiding this comment.
I thought about this some more and I think this is a fatal flaw in the design of this PR. Files containing cleartext secrets necessarily introduce an impurity into the process of building the image, so they really need to be brought in the way diskoImagesScript does it, i.e. with a postprocessing step after the Nix builder is done.
| example = lib.literalExpression '' | ||
| { | ||
| "/tmp/pre/file" = pkgs.writeText "foo" "bar"; | ||
| "/tmp/pre/script" = "mkdir -p $out/foo; echo bar > $out/foo"; |
There was a problem hiding this comment.
| "/tmp/pre/script" = "mkdir -p $out/foo; echo bar > $out/foo"; | |
| "/tmp/pre/script" = "mkdir -p $out; echo bar > $out/foo"; |
...via
disko.imageBuilder.preFormatFilesanddisko.imageBuilder.postFormatFiles.This enables users to add secrets to their diskoVMs.
diskoImageScriptsdoes include--pre-format-files, butdiskoImagesdidn't supportthe same feature so far - making it harder to pre-generate encrypted disk images or to test such images in a VM.