networkmanager: use PATH to search for binaries instead of hard-coding store paths

[0xf09f95b4]

Hi,

this PR is a set of changes to NetworkManager with the general goal of reducing closure size. The default size of NetworkManager's closure is currently 500 MB, half of that closure being openconnect which pulls in all of GTK3, including X and wayland libs.

The main reason for the closure size is the general behavior of NetworkManager and its libs to search for needed binaries in standard FHS paths.

This was already remarked upon when the package was originally built many years ago.

These needed binaries include:

• openconnect
• iptables
• nftables
• dnsmasq
• dhcpcd
• ...

The approach of this PR is to patch NetworkManager so needed binaries are searched for in the $PATH of the running binary instead of some pre-defined and hard-coded dependency paths. It adds a nm_utils_find_in_path_env function to nm_utils.h which searches for binaries in the path. Additionally, the firewall-helper functions in nm-firewall-utils.c were modified to allow runtime-detection of nftables or iptables binaries.

To make this work, the NetworkManager NixOS module also needed to be touched to add missing paths to the systemd service's $PATH variable and to the general environment's system packages. The reason for the global addition is that the
nmcli or nmtui tools pull in the NetworkManager library and use those functions to search for binaries. If you then, for example, add an openconnect VPN and try to connect, they will search for the openconnect binary in their PATH as well.

Alternatively, we could consider using a wrapper instead and add those paths directly.

With the given changes, the closure size is halved to about 250 MB. By disabling modemmanager, another 25MB can be saved. One additional, smaller change, is the ability to build the NetworkManager package without modemmanager. This would fit nicely with #316824.

I've also extended existing tests for NetworkManager to test that the given changes work correctly (meaning the needed binaries are found).

Some additional work is still required on this PR but I'm very interested in feedback towards this approach before continuing to work on this. Some of the required work is:

• Modifying plugins and services (such as the NetworkManager-ensure-profiles service) to improve compatibility with this approach.
• Adding a few additional tests to make sure that openconnect and other plugins continue to work properly.
• Check that dependencies that might start or interact with NM or its libs are still functioning properly.
• Document extensively ;)

Our main use-case for this change is that we use NetworkManager in a constrained environment without a graphical user interface. Currently, we rebuild NM to be more minimal but with this approach we could start using the upstream NM again.

In a future PR, I'd would also be interested in modularizing the nm-module further to allow us to disable more features generally, such as openconnect.

Thanks!

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[0xf09f95b4]

This is related to a quite a few existing issues and discussions such as:

#24860
https://discourse.nixos.org/t/networkmanager-plugins-installed-by-default/39682

I've been daily driving this branch for a few days now on KDE plasma and haven't encountered any issues with NetworkManager, the plasma applet or connections, including a wireguard VPN and a few manual tests with openconnect.