[Nix-dev] Bind mounts are Evil(TM)

Marc Weber marco-oweber at gmx.de
Wed Oct 8 15:20:49 CEST 2008


On Wed, Oct 08, 2008 at 12:55:43PM +0000, Ludovic Courtès wrote:
> Hello!
> 
> There are days when one had better stay in bed.  Today was one of these
> for me.
> 
> This morning, I decided I'd "rm -rf" some of the things under /tmp.
> Among these things were `chroot-*' directories.  After that "rm -rf"
> succeeded, I started to stumble upon "Command not found" messages.  This
> reminded me that earlier in the morning, for some reason, `nix-env' had
> failed to unmount a bind mount in a chroot...
> 
> IOW, my harmless-looking "rm -rf" had deleted the contents of
> /nix/store, which, needless to say, is a Bad Thing.  :-)
> 
> 
> Of course, PEBKAC, but I wonder if there is something we could do to
> avoid it.  An improvement would be to have the boot scripts clear /tmp
> upon startup, like Debian does.  As for bind mounts, I don't think much
> can be done since we can't bind-mount /nix/store read-only anyway, for
> example.
> 
> Thoughts?

I'm sorry for this.. I've seen the big fat warning somewhere in the C
code that this could happen. Hi Murphy's law!

Why can they be left in place?
Application crash or PC crash (removing power supply or something like
that).
Cleaning up on boot will only fit the second cause.

I can imagine 
* telling nix to put everything chrooted into
  /tmp-nix-chroot/ so that you know that you have to take care when
  removing those files
* writing a daemon cleaning up periodically (?) in case nix crashed but
  didn't clean up properly.
* use some extended file flags (don't remember when, where, whether they work)
  to protect store paths against deletion (man chattr)

Maybe there are other ways but I think using a different special tmp dir
and cleaning up on reboot would give most protection.

Marc
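
An added example, not part of either message and not Nix code: a cleanup helper that refuses to delete a directory while a mount point (such as a leftover bind mount of /nix/store) still sits below it. The names mounts_under and safe_clean are hypothetical, the mount table is constructed sample data, and DIR is assumed to be given as the canonical path the kernel reports.

```shell
#!/usr/bin/env bash
# Added example. mounts_under and safe_clean are hypothetical helper names.

# Constructed sample in /proc/self/mountinfo format (field 5 is the mount point).
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
41 22 8:1 /nix/store /tmp/chroot-1234/nix/store rw,relatime - ext4 /dev/sda1 rw
42 22 8:1 /nix/store /tmp-other/nix/store rw,relatime - ext4 /dev/sda1 rw'

# Print every mount point at or below DIR, one per line.
# $2 is a mountinfo-format file; it defaults to the kernel's live table.
mounts_under() {
    local dir="${1%/}" table="${2:-/proc/self/mountinfo}"
    # Pass DIR through the environment so awk does not interpret backslashes.
    # Matching on "DIR/" keeps /tmp from matching /tmp-other.
    MU_DIR="$dir" awk '
        BEGIN { dir = ENVIRON["MU_DIR"] }
        $5 == dir || index($5, dir "/") == 1 { print $5 }
    ' "$table"
}

# Remove DIR recursively only if nothing is mounted at or below it.
safe_clean() {
    local dir="$1" table="${2:-/proc/self/mountinfo}" found
    found="$(mounts_under "$dir" "$table")"
    if [ -n "$found" ]; then
        printf 'refusing to remove %s, still mounted:\n%s\n' "$dir" "$found" >&2
        return 1
    fi
    rm -rf -- "$dir"
}
```

The check and the rm are not atomic, so this narrows the window for the accident rather than closing it.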


