Activation pipeline (RFC-0005 §4). The runtime worker
(runtime/workers/activation.rs) is the wire-layer entry point;
this module owns the seven LOADBEARING operational steps the
activation must preserve:
- `realise.rs` — `nix-store --realise` forces fetch + signature verification of the target closure, with trust-failure detection distinct from generic failure (`SignatureMismatch` outcome).
- `profile.rs::set` — `nix-env --set` flips `/nix/var/nix/profiles/system` to point at the target. Required before fire because `switch-to-configuration` reads that profile to derive the generation number it writes into bootloader entries.
- Pre-switch basename read — captured for `verify_poll`'s flip-to-unexpected detection (third basename = symlink got switched to something OTHER than expected OR previous; caller rolls back).
- `linux::fire_switch` / `darwin::fire_switch` — per-OS detached subprocess invocation. Linux uses `systemd-run --unit` (cgroup isolation so agent SIGTERM cannot kill mid-switch); Darwin uses `setsid()` to detach from the agent's process group (launchd reload sends SIGTERM to the whole group).
- `verify_poll.rs` — polls `/run/current-system` until expected, with three outcomes: Settled, Timeout, FlippedToUnexpected. POLL_BUDGET (300s) locked to CP's DEFAULT_CONFIRM_DEADLINE_SECS (360s) minus slack — exceeding splits state.
- `profile::self_correct_profile` — recovers when the activation script re-pointed the profile (some closures do this). Non-fatal if self-correction itself fails (the live switch still happened).
- `linux::detect_switch_inhibitors` — detects critical-component swaps (dbus, systemd, kernel) that nixos-rebuild refuses to live-switch. DeferredPendingReboot outcome triggers `switch-to-configuration boot` (writes bootloader entries) so the next reboot lands on the new generation.
The legacy v0.1-shaped activate(target: &EvaluatedTarget) entry
point + comms::confirm() post-activation report are NOT restored —
they belonged to the pre-v0.2 architecture. The v0.2 entry is
runtime::workers::activation::handle_intent(ActivationIntent),
which constructs an ActivationTarget from the intent and calls
activate_with(&DEFAULT_BACKEND, &target). Completion / failure
flows back through the existing Event::LocalActivation* reducer
events; CP reads from the outbound queue (no separate confirm HTTP
call needed in v0.2).
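The pre-switch basename read and the three verify_poll outcomes described above, as an added example that is not the crate's own code: a minimal poll loop over an injected symlink reader, where `PollOutcome`, `classify`, `poll_until_settled`, `read_symlink_basename` and the generation basenames used in the comments are this example's own names, not the module's. It goes one step beyond the text by treating a failed read of the link as transient (keep polling) rather than as a terminal outcome.

```rust
use std::time::{Duration, Instant};

/// The three terminal outcomes the page describes for `verify_poll`.
#[derive(Debug, PartialEq, Eq)]
pub enum PollOutcome {
    /// The link now names the expected generation.
    Settled,
    /// Budget spent while the link still named the previous generation.
    Timeout,
    /// A third basename appeared: neither expected nor previous. Caller rolls back.
    FlippedToUnexpected { observed: String },
}

/// Classify one observed basename. `None` means "not yet": keep polling.
pub fn classify(observed: &str, expected: &str, previous: &str) -> Option<PollOutcome> {
    if observed == expected {
        Some(PollOutcome::Settled)
    } else if observed == previous {
        None
    } else {
        Some(PollOutcome::FlippedToUnexpected { observed: observed.to_string() })
    }
}
/// Poll `read_basename` (injected, so the loop runs without a real
/// `/run/current-system`) until a terminal outcome or the budget is spent.
/// A failed read (`None`) is treated as transient: the link may be mid-rewrite.
pub fn poll_until_settled<F: FnMut() -> Option<String>>(
    mut read_basename: F, expected: &str, previous: &str,
    budget: Duration, interval: Duration,
) -> PollOutcome {
    let deadline = Instant::now() + budget;
    loop {
        if let Some(observed) = read_basename() {
            if let Some(outcome) = classify(&observed, expected, previous) {
                return outcome;
            }
        }
        if Instant::now() >= deadline {
            return PollOutcome::Timeout;
        }
        std::thread::sleep(interval);
    }
}

/// Reader for the real link: the final path component of the symlink's target.
pub fn read_symlink_basename(link: &std::path::Path) -> Option<String> {
    let target = std::fs::read_link(link).ok()?;
    Some(target.file_name()?.to_string_lossy().into_owned())
}
```

In production the reader would be `|| read_symlink_basename(Path::new("/run/current-system"))` with the page's POLL_BUDGET and POLL_INTERVAL; the tests below drive it with a scripted sequence instead.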
Re-exports
- `pub use pipeline::activate_with;`
- `pub use rollback::rollback_with;`
- `pub use types::ActivationBackend;`
- `pub use types::ActivationOutcome;`
- `pub use types::ActivationTarget;`
- `pub use types::DEFAULT_BACKEND;`
- `pub use types::DefaultBackend;`
- `pub use types::POLL_BUDGET;`
- `pub use types::POLL_INTERVAL;`
- `pub use types::RollbackOutcome;`
Modules
- `darwin` — Darwin (nix-darwin) activation primitives. `setsid`-detached children survive launchd's process-group SIGTERM during plist reload; `nohup` doesn't work in launchd's no-controlling-tty context.
- `linux` — Linux (NixOS) activation primitives. `fire_*` uses `systemd-run --unit=...` so the agent's SIGTERM can't kill the activation mid-run.
- `pipeline` — Main activate pipeline: realise -> set-profile -> fire -> poll -> self-correct.
- `profile` — Profile-flip helpers: self-correction after a concurrent profile-mutator, and resolution of the rolled-back target's basename.
- `realise` — `nix-store --realise` wrapper. Signature-error detection is a stderr string match because nix has no distinct exit code for trust-failure; per-phrasing tests guard against silent downgrade to RealiseFailed.
- `rollback` — Rollback pipeline: `nix-env --rollback` -> discover target -> fire -> poll.
- `types` — Activation outcome types + `ActivationBackend` trait + cfg-selected default.
- `verify_poll` — Post-switch verify: poll `/run/current-system` until expected, or terminal.