unofficial mirror of bug-guix@gnu.org 
* bug#42173: Nix on Guix System: can't update channels
@ 2020-07-03  9:56 Alexandru-Sergiu Marton
  2020-07-13 13:35 ` Ludovic Courtès
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Alexandru-Sergiu Marton @ 2020-07-03  9:56 UTC (permalink / raw)
  To: 42173


Hi,

I tried to set up the Nix package manager on my Guix System 
following the instructions at 
http://guix.gnu.org/manual/en/guix.html#index-Nix . 
Unfortunately, after reconfiguring the system and adding a channel 
with `nix-channel --add 
https://nixos.org/channels/nixpkgs-unstable`, when I tried to 
update the channels (`nix-channel --update`), this is what I got:

--8<---------------cut here---------------start------------->8---
[brown@121408 ~]$ nix-channel --update
unpacking channels...
while setting up the build environment: executing '/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash': No such file or directory
builder for '/nix/store/fqvvrsyznxfzckxbiz6krlykdb6w105n-nixpkgs-20.09pre232864.55668eb671b.drv' failed with exit code 1
error: build of '/nix/store/fqvvrsyznxfzckxbiz6krlykdb6w105n-nixpkgs-20.09pre232864.55668eb671b.drv' failed
error: program '/gnu/store/lsixql26nig4v3icn124ja3ivjpgvn99-nix-2.3.6/bin/nix-env' failed with exit code 100
--8<---------------cut here---------------end--------------->8---

Any tips on how to fix this?

Cheers,
Sergiu





* bug#42173: Nix on Guix System: can't update channels
  2020-07-03  9:56 bug#42173: Nix on Guix System: can't update channels Alexandru-Sergiu Marton
@ 2020-07-13 13:35 ` Ludovic Courtès
  2020-07-19  8:14   ` Alexandru-Sergiu Marton
  2020-07-15  5:28 ` Zhu Zihao via web
  2020-07-21  4:05 ` bug#42173: Nix on Guix System: can't update channels Zhu Zihao via web
  2 siblings, 1 reply; 14+ messages in thread
From: Ludovic Courtès @ 2020-07-13 13:35 UTC (permalink / raw)
  To: Alexandru-Sergiu Marton; +Cc: 42173

Hi Alexandru-Sergiu,

Alexandru-Sergiu Marton <brown121407@posteo.ro> skribis:

> I tried to set up the Nix package manager on my Guix System following
> the instructions at http://guix.gnu.org/manual/en/guix.html#index-Nix
> . Unfortunately, after reconfiguring the system and adding a channel
> with `nix-channel --add https://nixos.org/channels/nixpkgs-unstable`,
> when I tried to update the channels (`nix-channel --update`), this is
> what I got:
>
> --8<---------------cut here---------------start------------->8---
> [brown@121408 ~]$ nix-channel --update
> unpacking channels...
> while setting up the build environment: executing '/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash': No such file or directory
> builder for '/nix/store/fqvvrsyznxfzckxbiz6krlykdb6w105n-nixpkgs-20.09pre232864.55668eb671b.drv' failed with exit code 1
> error: build of '/nix/store/fqvvrsyznxfzckxbiz6krlykdb6w105n-nixpkgs-20.09pre232864.55668eb671b.drv' failed
> error: program '/gnu/store/lsixql26nig4v3icn124ja3ivjpgvn99-nix-2.3.6/bin/nix-env' failed with exit code 100
> --8<---------------cut here---------------end--------------->8---
>
> Any tips on how to fix this?

It seems that the Nix binaries captured the
/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash
file name somewhere.  Does this file actually exist?

What does this return?

  guix gc --references /gnu/store/lsixql26nig4v3icn124ja3ivjpgvn99-nix-2.3.6

Thanks,
Ludo’.





* bug#42173: Nix on Guix System: can't update channels
  2020-07-03  9:56 bug#42173: Nix on Guix System: can't update channels Alexandru-Sergiu Marton
  2020-07-13 13:35 ` Ludovic Courtès
@ 2020-07-15  5:28 ` Zhu Zihao via web
  2020-07-16 10:12   ` Ludovic Courtès
  2020-07-21  4:05 ` bug#42173: Nix on Guix System: can't update channels Zhu Zihao via web
  2 siblings, 1 reply; 14+ messages in thread
From: Zhu Zihao via web @ 2020-07-15  5:28 UTC (permalink / raw)
  To: 42173

I found that if I put "sandbox = false" in /etc/nix/nix.conf, Nix can update the channel. Maybe Nix's sandbox forgets to import some Guix binary path?






* bug#42173: Nix on Guix System: can't update channels
  2020-07-15  5:28 ` Zhu Zihao via web
@ 2020-07-16 10:12   ` Ludovic Courtès
  2020-07-21  7:39     ` Oleg Pykhalov
  0 siblings, 1 reply; 14+ messages in thread
From: Ludovic Courtès @ 2020-07-16 10:12 UTC (permalink / raw)
  To: Zhu Zihao via web; +Cc: 42173

Hi,

(+Cc: Oleg, who worked on the Nix service.)

Zhu Zihao via web <issues.guix.gnu.org@elephly.net> skribis:

> I found that if I put "sandbox = false" in /etc/nix/nix.conf, Nix can update the channel. Maybe Nix's sandbox forgets to import some Guix binary path?

Yes, probably.  There’s probably an option similar to the
‘--chroot-directory’ of ‘guix-daemon’ to specify additional directories
that must be in the “sandbox”.

If you find that option, then we can arrange and add all the
dependencies of /gnu/store/…/bin/bash there (similar to what
‘qemu-binfmt-service-type’ does).

However, it’d still be good to find where that /gnu/store/…/bin/bash
file name is captured.

Thanks,
Ludo’.





* bug#42173: Nix on Guix System: can't update channels
  2020-07-13 13:35 ` Ludovic Courtès
@ 2020-07-19  8:14   ` Alexandru-Sergiu Marton
  0 siblings, 0 replies; 14+ messages in thread
From: Alexandru-Sergiu Marton @ 2020-07-19  8:14 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 42173

Ludovic Courtès <ludo@gnu.org> writes:

> It seems that the Nix binaries captured the
> /gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash
> file name somewhere.  Does this file actually exist?
>
> What does this return?
>
>   guix gc --references /gnu/store/lsixql26nig4v3icn124ja3ivjpgvn99-nix-2.3.6

Sorry for the delay.

The bash thing exists, indeed:

--8<---------------cut here---------------start------------->8---
[brown@121408 ~]$ ls -lah /gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash
-r-xr-xr-x 2 root root 800K Jan  1  1970 /gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash
--8<---------------cut here---------------end--------------->8---

And here's the output for that gc command:

--8<---------------cut here---------------start------------->8---
[brown@121408 ~]$ guix gc --references /gnu/store/lsixql26nig4v3icn124ja3ivjpgvn99-nix-2.3.6
/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib
/gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32
/gnu/store/5gc93y4n3f9p5sivp0i4f7ixqmqz3zpv-libseccomp-2.4.3
/gnu/store/5i02vg0pdmvv38kyqvbima2m5nknzpdi-brotli-1.0.7
/gnu/store/807c6g9xqrxdjyhm8wm1r6jjjmc8q4vs-sqlite-3.31.1
/gnu/store/a9f7wmc75hbpg520phw9z4l9asm3qvsw-bzip2-1.0.8
/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31
/gnu/store/hcxpkksmbql6s4al8yy2myr25kh4cic0-openssl-1.1.1g
/gnu/store/k55975qhhph9a42f3ps1xq3jxyscd681-editline-1.17.1
/gnu/store/lsixql26nig4v3icn124ja3ivjpgvn99-nix-2.3.6
/gnu/store/m9rv4r32gnvpbmsd9m5b1mqs1i6fnqdk-curl-7.71.0
/gnu/store/ncydgq2znms5n1d2k5yqshhf58nsixwv-gzip-1.10
/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16
/gnu/store/r7k859hmcnkazf492fasqvk25jflnfk6-xz-5.2.4
/gnu/store/s54c6rbl40416ll0krrr52m3yivxcl3x-libsodium-1.0.18
/gnu/store/v6f44zccwh9z5zk3pjlywjybbi8n2hjh-tar-1.32
/gnu/store/wgk6wwmcbrb2mw2aj7lzd861gsnkz1an-boost-1.72.0
--8<---------------cut here---------------end--------------->8---

--
Sergiu





* bug#42173: Nix on Guix System: can't update channels
  2020-07-03  9:56 bug#42173: Nix on Guix System: can't update channels Alexandru-Sergiu Marton
  2020-07-13 13:35 ` Ludovic Courtès
  2020-07-15  5:28 ` Zhu Zihao via web
@ 2020-07-21  4:05 ` Zhu Zihao via web
  2 siblings, 0 replies; 14+ messages in thread
From: Zhu Zihao via web @ 2020-07-21  4:05 UTC (permalink / raw)
  To: 42173

We can add the path to bash to build-sandbox-path in /etc/nix.conf, described in https://nixos.wiki/wiki/FAQ.






* bug#42173: Nix on Guix System: can't update channels
  2020-07-16 10:12   ` Ludovic Courtès
@ 2020-07-21  7:39     ` Oleg Pykhalov
  2020-07-21 17:27       ` Oleg Pykhalov
  2020-07-21 21:28       ` Ludovic Courtès
  0 siblings, 2 replies; 14+ messages in thread
From: Oleg Pykhalov @ 2020-07-21  7:39 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Zhu Zihao via web, 42173


Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> (+Cc: Oleg, who worked on the Nix service.)
>
> Zhu Zihao via web <issues.guix.gnu.org@elephly.net> skribis:
>
>> I found that if I put "sandbox = false" in /etc/nix/nix.conf, Nix can update the channel. Maybe Nix's sandbox forgets to import some Guix binary path?
>
> Yes, probably.  There’s probably an option similar to the
> ‘--chroot-directory’ of ‘guix-daemon’ to specify additional directories
> that must be in the “sandbox”.
>
> If you find that option, then we can arrange and add all the
> dependencies of /gnu/store/…/bin/bash there (similar to what
> ‘qemu-binfmt-service-type’ does).

/gnu/store/…/bin/bash (we need a static-bash) is not enough, we also
should handle all packages (and closures in case binaries are not
static) listed in:

$(guix build --no-grafts nix)/share/nix/corepkgs/config.nix
--8<---------------cut here---------------start------------->8---
let
  fromEnv = var: def:
    let val = builtins.getEnv var; in
    if val != "" then val else def;
in rec {
  shell = "/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash";
  coreutils = "/gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32/bin";
  bzip2 = "/gnu/store/a9f7wmc75hbpg520phw9z4l9asm3qvsw-bzip2-1.0.8/bin/bzip2";
  gzip = "/gnu/store/ncydgq2znms5n1d2k5yqshhf58nsixwv-gzip-1.10/bin/gzip";
  xz = "/gnu/store/r7k859hmcnkazf492fasqvk25jflnfk6-xz-5.2.4/bin/xz";
  tar = "/gnu/store/v6f44zccwh9z5zk3pjlywjybbi8n2hjh-tar-1.32/bin/tar";
  tarFlags = "--warning=no-timestamp";
  tr = "/gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32/bin/tr";
  nixBinDir = fromEnv "NIX_BIN_DIR" "/gnu/store/2x4qyarbmhi3dqcqhkkia6l491yjnf11-nix-2.3.6/bin";
  nixPrefix = "/gnu/store/2x4qyarbmhi3dqcqhkkia6l491yjnf11-nix-2.3.6";
  nixLibexecDir = fromEnv "NIX_LIBEXEC_DIR" "/gnu/store/2x4qyarbmhi3dqcqhkkia6l491yjnf11-nix-2.3.6/libexec";
  nixLocalstateDir = "/nix/var";
  nixSysconfDir = "/etc";
  nixStoreDir = fromEnv "NIX_STORE_DIR" "/nix/store";

  # If Nix is installed in the Nix store, then automatically add it as
  # a dependency to the core packages. This ensures that they work
  # properly in a chroot.
  chrootDeps =
    if dirOf nixPrefix == builtins.storeDir then
      [ (builtins.storePath nixPrefix) ]
    else
      [ ];
}
--8<---------------cut here---------------end--------------->8---

Currently I don't see a way to mount
/gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32
dependencies (and other packages) inside the Nix sandbox.

Oleg.


* bug#42173: Nix on Guix System: can't update channels
  2020-07-21  7:39     ` Oleg Pykhalov
@ 2020-07-21 17:27       ` Oleg Pykhalov
  2020-07-22 10:09         ` Ludovic Courtès
  2020-07-21 21:28       ` Ludovic Courtès
  1 sibling, 1 reply; 14+ messages in thread
From: Oleg Pykhalov @ 2020-07-21 17:27 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 42173, Zhu Zihao via web


Oleg Pykhalov <go.wigust@gmail.com> writes:

[…]

> Currently I don't see a way to mount
> /gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32
> dependencies (and other packages) inside the Nix sandbox.

Found one way:
--8<---------------cut here---------------start------------->8---
(with-output-to-file "/etc/nix/nix.conf"
  (lambda _
    (display "sandbox = true")
    (newline)
    (format #t "build-sandbox-paths = ~{~a ~}~%"
            '#$(package-closure (map (match-lambda ((name package) package))
                                     (package-inputs nix))))))
--8<---------------cut here---------------end--------------->8---

But I fail to pass a self-written test. :-)  The bind mounts exist
according to nix-daemon with the ‘--debug’ flag.  I should investigate more.

Oleg.


* bug#42173: Nix on Guix System: can't update channels
  2020-07-21  7:39     ` Oleg Pykhalov
  2020-07-21 17:27       ` Oleg Pykhalov
@ 2020-07-21 21:28       ` Ludovic Courtès
  2020-07-22  6:59         ` bug#42173: [PATCH 1/2] services: base: Export references-file Oleg Pykhalov
  1 sibling, 1 reply; 14+ messages in thread
From: Ludovic Courtès @ 2020-07-21 21:28 UTC (permalink / raw)
  To: Oleg Pykhalov; +Cc: Zhu Zihao via web, 42173

Hi!

Oleg Pykhalov <go.wigust@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hi,
>>
>> (+Cc: Oleg, who worked on the Nix service.)
>>
>> Zhu Zihao via web <issues.guix.gnu.org@elephly.net> skribis:
>>
>>> I found that if I put "sandbox = false" in /etc/nix/nix.conf, Nix can update the channel. Maybe Nix's sandbox forgets to import some Guix binary path?
>>
>> Yes, probably.  There’s probably an option similar to the
>> ‘--chroot-directory’ of ‘guix-daemon’ to specify additional directories
>> that must be in the “sandbox”.
>>
>> If you find that option, then we can arrange and add all the
>> dependencies of /gnu/store/…/bin/bash there (similar to what
>> ‘qemu-binfmt-service-type’ does).
>
> /gnu/store/…/bin/bash (we need a static-bash) is not enough, we also
> should handle all packages (and closures in case binaries are not
> static) listed in:
>
> $(guix build --no-grafts nix)/share/nix/corepkgs/config.nix
>
> let
>   fromEnv = var: def:
>     let val = builtins.getEnv var; in
>     if val != "" then val else def;
> in rec {
>   shell = "/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash";
>   coreutils = "/gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32/bin";
>   bzip2 = "/gnu/store/a9f7wmc75hbpg520phw9z4l9asm3qvsw-bzip2-1.0.8/bin/bzip2";
>   gzip = "/gnu/store/ncydgq2znms5n1d2k5yqshhf58nsixwv-gzip-1.10/bin/gzip";
>   xz = "/gnu/store/r7k859hmcnkazf492fasqvk25jflnfk6-xz-5.2.4/bin/xz";
>   tar = "/gnu/store/v6f44zccwh9z5zk3pjlywjybbi8n2hjh-tar-1.32/bin/tar";
>   tarFlags = "--warning=no-timestamp";
>   tr = "/gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32/bin/tr";
>   nixBinDir = fromEnv "NIX_BIN_DIR" "/gnu/store/2x4qyarbmhi3dqcqhkkia6l491yjnf11-nix-2.3.6/bin";
>   nixPrefix = "/gnu/store/2x4qyarbmhi3dqcqhkkia6l491yjnf11-nix-2.3.6";
>   nixLibexecDir = fromEnv "NIX_LIBEXEC_DIR" "/gnu/store/2x4qyarbmhi3dqcqhkkia6l491yjnf11-nix-2.3.6/libexec";
>   nixLocalstateDir = "/nix/var";
>   nixSysconfDir = "/etc";
>   nixStoreDir = fromEnv "NIX_STORE_DIR" "/nix/store";
>
>   # If Nix is installed in the Nix store, then automatically add it as
>   # a dependency to the core packages. This ensures that they work
>   # properly in a chroot.
>   chrootDeps =
>     if dirOf nixPrefix == builtins.storeDir then
>       [ (builtins.storePath nixPrefix) ]
>     else
>       [ ];
> }
>
> Currently I don't see a way to mount
> /gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32
> dependencies (and other packages) inside the Nix sandbox.

In ‘chrootDeps’ above (IIUC), you could add the closure of all these
things.  To do that, you need to pass #:references-graphs.  Then, on the
build side, you can use ‘read-reference-graph’ to parse the graph file,
get the closures, and add it to ‘chrootDeps’ instead of the empty list.

Does that make sense?

HTH,
Ludo’.





* bug#42173: [PATCH 1/2] services: base: Export references-file.
  2020-07-21 21:28       ` Ludovic Courtès
@ 2020-07-22  6:59         ` Oleg Pykhalov
  2020-07-22  6:59           ` bug#42173: [PATCH 2/2] services: nix: Fix sandbox Oleg Pykhalov
  0 siblings, 1 reply; 14+ messages in thread
From: Oleg Pykhalov @ 2020-07-22  6:59 UTC (permalink / raw)
  To: 42173

* gnu/services/base.scm (references-file): Export procedure.
---
 gnu/services/base.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 83dc406aac..491f35702a 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -177,6 +177,8 @@
             pam-limits-service-type
             pam-limits-service
 
+            references-file
+
             %base-services))
 
 ;;; Commentary:
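Review bot: references-file is added to the export list as its own blank-line-separated group just before %base-services, with nothing saying what it is for or who is expected to call it. Exporting it makes a helper of (gnu services base) part of the module's public interface, so consider placing it next to the exports of the service it belongs to and making sure the procedure has a docstring describing the file it returns.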
-- 
2.27.0






* bug#42173: [PATCH 2/2] services: nix: Fix sandbox.
  2020-07-22  6:59         ` bug#42173: [PATCH 1/2] services: base: Export references-file Oleg Pykhalov
@ 2020-07-22  6:59           ` Oleg Pykhalov
  2020-07-22 10:34             ` Ludovic Courtès
  0 siblings, 1 reply; 14+ messages in thread
From: Oleg Pykhalov @ 2020-07-22  6:59 UTC (permalink / raw)
  To: 42173

* gnu/tests/package-management.scm: New file.
* gnu/local.mk: Add this.
* gnu/services/nix.scm (<nix-configuration>): New record.
(nix-activation): Generate Nix config file.
(nix-service-type): Add default value.
(nix-shepherd-service): Allow provide Nix package.
* doc/guix.texi (Miscellaneous Services)[Nix service]<nix-configuration>:
Document record.
---
 doc/guix.texi                    |  21 +++++
 gnu/local.mk                     |   1 +
 gnu/services/nix.scm             |  90 +++++++++++++--------
 gnu/tests/package-management.scm | 131 +++++++++++++++++++++++++++++++
 4 files changed, 211 insertions(+), 32 deletions(-)
 create mode 100644 gnu/tests/package-management.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index 26ef937604..5639a360be 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27597,6 +27597,27 @@ $ source /run/current-system/profile/etc/profile.d/nix.sh
 
 @end defvr
 
+@deftp {Data Type} nix-configuration
+This data type represents the configuration of the Nix daemon.
+
+@table @asis
+@item @code{nix} (default: @code{nix})
+The Nix package to use.
+
+@item @code{sandbox} (default: @code{#t})
+Specifies whether builds are sandboxed by default.
+
+@item @code{build-sandbox-paths} (default: @code{'()})
+This is a list of strings or objects appended to the
+@code{build-sandbox-paths} field of the configuration file.
+
+@item @code{extra-config} (default: @code{'()})
+This is a list of strings or objects appended to the configuration file.
+It is used to pass extra text to be added verbatim to the configuration
+file.
+@end table
+@end deftp
+
 @node Setuid Programs
 @section Setuid Programs
 
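Review bot: the first @item documents the field as @code{nix}, but the <nix-configuration> record added in gnu/services/nix.scm names that field package, so a configuration written from this documentation will not match the record. Rename one to agree with the other. The build-sandbox-paths entry also says "strings or objects" while the record comment says "list of strings"; state which objects are accepted or drop the word.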
diff --git a/gnu/local.mk b/gnu/local.mk
index 0eac01d72d..2c19562171 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -674,6 +674,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/tests/mail.scm				\
   %D%/tests/messaging.scm			\
   %D%/tests/networking.scm			\
+  %D%/tests/package-management.scm		\
   %D%/tests/reconfigure.scm			\
   %D%/tests/rsync.scm				\
   %D%/tests/security-token.scm			\
diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 3c0065207d..04e7726e4d 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2019, 2020 Oleg Pykhalov <go.wigust@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,7 +31,9 @@
   #:use-module (guix store)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
+  #:use-module (ice-9 match)
   #:use-module (ice-9 format)
+  #:use-module (guix modules)
   #:export (nix-service-type))
 
 ;;; Commentary:
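Review bot: the #:export clause in this hunk still lists only nix-service-type, while the same patch documents nix-configuration as a data type for users to instantiate. Export nix-configuration and nix-configuration? here (and the accessors, if they are meant to be public), otherwise the record cannot be used from an operating-system declaration. Since nix-activation now calls references-file, also confirm that (gnu services base) is among the modules imported above this hunk.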
@@ -40,10 +42,17 @@
 ;;;
 ;;; Code:
 
-\f
-;;;
-;;; Accounts
-;;;
+(define-record-type* <nix-configuration>
+  nix-configuration make-nix-configuration
+  nix-configuration?
+  (package             nix-configuration-package ;package
+                       (default nix))
+  (sandbox             nix-configuration-sandbox ;boolean
+                       (default #t))
+  (build-sandbox-paths nix-configuration-build-sandbox-paths ;list of strings
+                       (default '()))
+  (extra-config        nix-configuration-extra-options ;list of strings
+                       (default '())))
 
 ;; Copied from gnu/services/base.scm
 (define* (nix-build-accounts count #:key
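Review bot: the accessor for the extra-config field is named nix-configuration-extra-options; name it nix-configuration-extra-config so it follows the field name like the other three accessors. The hunk also deletes the form feed and the ";;; Accounts" header although the account procedures below remain; keep that header above nix-build-accounts and give the new record a section of its own.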
@@ -74,32 +83,49 @@ GID."
          (id 40000))
         (nix-build-accounts 10 #:group "nixbld")))
 
-(define (nix-activation _)
-  "Return the activation gexp."
-  (with-imported-modules '((guix build utils))
-    #~(begin
-        (use-modules (guix build utils)
-                     (srfi srfi-26))
-        (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
-                                     "/nix/var/nix/gcroots/per-user"
-                                     "/nix/var/nix/profiles/per-user"))
-        (chown "/nix/store"
-               (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
-        (chmod "/nix/store" #o775)
-        (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
-                                         "/nix/var/nix/profiles/per-user")))))
+(define nix-activation
+  ;; Return the activation gexp.
+  (match-lambda
+    (($ <nix-configuration> package sandbox build-sandbox-paths extra-config)
+     (with-imported-modules (source-module-closure
+                             '((guix build store-copy)))
+       #~(begin
+           (use-modules (guix build utils)
+                        (ice-9 format)
+                        (srfi srfi-1)
+                        (srfi srfi-26))
+           (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
+                                        "/nix/var/nix/gcroots/per-user"
+                                        "/nix/var/nix/profiles/per-user"))
+           (chown "/nix/store"
+                  (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
+           (chmod "/nix/store" #o775)
+           (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
+                                            "/nix/var/nix/profiles/per-user"))
+           (mkdir-p "/etc/nix")
+           (with-output-to-file "/etc/nix/nix.conf"
+             (lambda _
+               (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
+               (format #t "build-sandbox-paths = ~{~a ~}~%"
+                       (append (append-map (cut call-with-input-file <> read)
+                                           '#$(map references-file
+                                                   (list package)))
+                               '#$build-sandbox-paths))
+               (for-each (cut display <>) '#$extra-config))))))))
 
-(define (nix-shepherd-service _)
-  "Return a <shepherd-service> for Nix."
-  (list
-   (shepherd-service
-    (provision '(nix-daemon))
-    (documentation "Run nix-daemon.")
-    (requirement '())
-    (start #~(make-forkexec-constructor
-              (list (string-append #$nix "/bin/nix-daemon"))))
-    (respawn? #f)
-    (stop #~(make-kill-destructor)))))
+(define nix-shepherd-service
+  ;; Return a <shepherd-service> for Nix.
+  (match-lambda
+    (($ <nix-configuration> package _ ...)
+     (list
+      (shepherd-service
+       (provision '(nix-daemon))
+       (documentation "Run nix-daemon.")
+       (requirement '())
+       (start #~(make-forkexec-constructor
+                 (list (string-append #$package "/bin/nix-daemon"))))
+       (respawn? #f)
+       (stop #~(make-kill-destructor)))))))
 
 (define nix-service-type
   (service-type
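Review bot: in nix-activation, (for-each (cut display <>) '#$extra-config) writes the entries back to back, so two extra-config strings that do not carry their own trailing newline end up on one line of nix.conf; emit a newline after each entry or document that callers must include it. with-imported-modules pulls in the closure of (guix build store-copy), yet the body only uses call-with-input-file and read on the references file, so the import looks wider than needed. The match-lambda pattern binds the four fields by position and will misbind silently if the record's fields are reordered; the accessors would be sturdier. A comment saying that the closure of the Nix package is added because config.nix captures store file names would explain why the whole closure lands in build-sandbox-paths.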
@@ -108,7 +134,7 @@ GID."
     (list (service-extension shepherd-root-service-type nix-shepherd-service)
           (service-extension account-service-type nix-accounts)
           (service-extension activation-service-type nix-activation)))
-   (default-value '())
-   (description "Run the Nix daemon.")))
+   (description "Run the Nix daemon.")
+   (default-value (nix-configuration))))
 
 ;;; nix.scm ends here
diff --git a/gnu/tests/package-management.scm b/gnu/tests/package-management.scm
new file mode 100644
index 0000000000..dbb9df22df
--- /dev/null
+++ b/gnu/tests/package-management.scm
@@ -0,0 +1,131 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu tests package-management)
+  #:use-module (gnu packages base)
+  #:use-module (gnu packages package-management)
+  #:use-module (gnu services)
+  #:use-module (gnu services networking)
+  #:use-module (gnu services nix)
+  #:use-module (gnu system)
+  #:use-module (gnu system vm)
+  #:use-module (gnu tests)
+  #:use-module (guix gexp)
+  #:use-module (guix git-download)
+  #:use-module (guix packages)
+  #:export (%test-nix))
+
+;;; Commentary:
+;;;
+;;; This module provides a test definition for the nix-daemon
+;;;
+;;; Code:
+
+(define* (run-nix-test name test-os)
+  "Run tests in %NIX-OS Guix operating system, which has nix-daemon running."
+  (define os
+    (marionette-operating-system
+     test-os
+     #:imported-modules '((gnu services herd))))
+
+  (define vm
+    (virtual-machine
+     (operating-system os)
+     (port-forwardings '((8080 . 80)))
+     (memory-size 1024)))
+
+  (define test
+    (with-imported-modules '((gnu build marionette))
+      #~(begin
+          (use-modules (srfi srfi-11)
+                       (srfi srfi-64)
+                       (gnu build marionette)
+                       (web client)
+                       (web response))
+
+          (define marionette
+            (make-marionette (list #$vm)))
+
+          (mkdir #$output)
+          (chdir #$output)
+
+          (test-begin #$name)
+
+          ;; XXX: Shepherd reads the config file *before* binding its control
+          ;; socket, so /var/run/shepherd/socket might not exist yet when the
+          ;; 'marionette' service is started.
+          (test-assert "shepherd socket ready"
+            (marionette-eval
+             `(begin
+                (use-modules (gnu services herd))
+                (let loop ((i 10))
+                  (cond ((file-exists? (%shepherd-socket-file))
+                         #t)
+                        ((> i 0)
+                         (sleep 1)
+                         (loop (- i 1)))
+                        (else
+                         'failure))))
+             marionette))
+
+          (test-assert "Nix daemon running"
+            (marionette-eval
+             '(begin
+                ;; Wait for nix-daemon to be up and running.
+                (start-service 'nix-daemon)
+                (with-output-to-file "guix-test.nix"
+                  (lambda ()
+                    (display "\
+with import <nix/config.nix>;
+
+derivation {
+  system = builtins.currentSystem;
+  name = \"guix-test\";
+  builder = shell;
+  args = [\"-c\" \"mkdir $out\\necho FOO > $out/foo\"];
+  PATH = coreutils;
+}
+")))
+                (zero? (system* (string-append #$nix "/bin/nix-build")
+                                "--substituters" "" "--debug" "--no-out-link"
+                                "guix-test.nix")))
+             marionette))
+
+	  (test-end)
+
+          (exit (= (test-runner-fail-count (test-runner-current)) 0)))))
+
+  (gexp->derivation (string-append name "-test") test))
+
+(define %nix-os
+  ;; Return operating system under test.
+  (let ((base-os
+         (simple-operating-system
+          (service nix-service-type)
+	  (service dhcp-client-service-type))))
+    (operating-system
+      (inherit base-os)
+      (packages (cons nix (operating-system-packages base-os))))))
+
+(define %test-nix
+  (system-test
+   (name "nix")
+   (description "Connect to a running nix-daemon")
+   (value (run-nix-test name %nix-os))))
+
+;;; package-management.scm ends here
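Review bot: run-nix-test carries leftovers from an HTTP service test: the VM sets (port-forwardings '((8080 . 80))) and the gexp imports (web client) and (web response), but nothing here talks HTTP, and (srfi srfi-11) is unused as well. Drop them. The docstring refers to %NIX-OS although the parameter is TEST-OS, define* is used without optional or keyword arguments, the assertion labelled "Nix daemon running" actually checks that a sandboxed nix-build succeeds and should be named accordingly, and the (test-end) and (service dhcp-client-service-type) lines are indented with a tab.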
-- 
2.27.0






* bug#42173: Nix on Guix System: can't update channels
  2020-07-21 17:27       ` Oleg Pykhalov
@ 2020-07-22 10:09         ` Ludovic Courtès
  0 siblings, 0 replies; 14+ messages in thread
From: Ludovic Courtès @ 2020-07-22 10:09 UTC (permalink / raw)
  To: Oleg Pykhalov; +Cc: 42173, Zhu Zihao via web

Hi Oleg,

Oleg Pykhalov <go.wigust@gmail.com> skribis:

> Oleg Pykhalov <go.wigust@gmail.com> writes:
>
> […]
>
>> Currently I don't see a way to mount
>> /gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32
>> dependencies (and other packages) inside the Nix sandbox.
>
> Found one way:
>
> (with-output-to-file "/etc/nix/nix.conf"
>   (lambda _
>     (display "sandbox = true")
>     (newline)
>     (format #t "build-sandbox-paths = ~{~a ~}~%"
>             '#$(package-closure (map (match-lambda ((name package) package))
>                                      (package-inputs nix))))))

That’s inaccurate: ‘package-closure’ does not capture non-package
inputs, and it’s the set of build-time dependencies, not references.

Using #:references-graphs solves that problem because it gives you
precisely the closure of each package, as returned by ‘guix gc -R’.

HTH!

Ludo’.
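
Added example, not part of the thread and not Guix or Nix code: a shell audit of the point made in Oleg's config.nix listing and in Ludovic's remark about ‘guix gc -R’, namely that config.nix hard-codes /gnu/store file names and the sandbox needs their whole closure. The function names, closure.txt and the sample files are assumptions; the sample closure is constructed from store items quoted earlier in the thread and stands in for real ‘guix gc -R’ output.

```sh
#!/bin/sh
# Added example: which store items does the Nix sandbox still lack?
# Function names and sample files are illustrative, not from Guix or Nix.

# Print each distinct /gnu/store/<hash>-<name> item mentioned in FILE.
store_items_in() {
    grep -oE '/gnu/store/[0-9a-z]{32}-[^/" ]+' "$1" | LC_ALL=C sort -u
}

# Print the entries of the build-sandbox-paths line of NIX_CONF, one per line.
sandbox_paths_in() {
    sed -n 's/^[[:space:]]*build-sandbox-paths[[:space:]]*=//p' "$1" |
        tr ' \t' '\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Print the items of CLOSURE_FILE (one store item per line) that NIX_CONF
# does not list in build-sandbox-paths.  On a real system CLOSURE_FILE is:
#   cfg="$(guix build --no-grafts nix)/share/nix/corepkgs/config.nix"
#   guix gc -R $(store_items_in "$cfg") > closure.txt
missing_sandbox_items() {
    req=$(mktemp)
    have=$(mktemp)
    LC_ALL=C sort -u "$1" > "$req"
    sandbox_paths_in "$2" > "$have"
    LC_ALL=C comm -23 "$req" "$have"
    rm -f "$req" "$have"
}

# Constructed sample input, built from store items quoted in the thread.
write_constructed_samples() {
    # Three lines of config.nix; coreutils appears twice on purpose.
    cat > "$1/config.nix" <<'EOF'
  shell = "/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash";
  coreutils = "/gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32/bin";
  tr = "/gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32/bin/tr";
EOF
    # Trimmed stand-in for the output of 'guix gc -R' on the items above.
    cat > "$1/closure.txt" <<'EOF'
/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16
/gnu/store/57xj5gcy1jbl9ai2lnrqnpr0dald9i65-coreutils-8.32
/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31
/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib
EOF
    # A nix.conf where only bash was added to the sandbox by hand.
    cat > "$1/nix.conf" <<'EOF'
sandbox = true
build-sandbox-paths = /gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16
EOF
}

demo_dir=$(mktemp -d)
write_constructed_samples "$demo_dir"
echo "store items named in config.nix:"
store_items_in "$demo_dir/config.nix"
echo "in the closure but missing from build-sandbox-paths:"
missing_sandbox_items "$demo_dir/closure.txt" "$demo_dir/nix.conf"
rm -rf "$demo_dir"
```

With the sample nix.conf, the sandbox can see bash itself but not the libraries it is linked against, nor coreutils.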





* bug#42173: [PATCH 2/2] services: nix: Fix sandbox.
  2020-07-22  6:59           ` bug#42173: [PATCH 2/2] services: nix: Fix sandbox Oleg Pykhalov
@ 2020-07-22 10:34             ` Ludovic Courtès
  2020-07-22 19:38               ` Oleg Pykhalov
  0 siblings, 1 reply; 14+ messages in thread
From: Ludovic Courtès @ 2020-07-22 10:34 UTC (permalink / raw)
  To: Oleg Pykhalov; +Cc: 42173

Hi!

Oleg Pykhalov <go.wigust@gmail.com> skribis:

> * gnu/tests/package-management.scm: New file.
> * gnu/local.mk: Add this.
> * gnu/services/nix.scm (<nix-configuration>): New record.
> (nix-activation): Generate Nix config file.
> (nix-service-type): Add default value.
> (nix-shepherd-service): Allow provide Nix package.
> * doc/guix.texi (Miscellaneous Services)[Nix service]<nix-configuration>:
> Document record.

Nice!  You can add a “Fixes” line too.

> +@item @code{build-sandbox-paths} (default: @code{'()})
> +This is a list of strings or objects appended to the
> +@code{build-sandbox-paths} field of the configuration file.

I’d use “files” or “items” instead of “paths”, for consistency.

> +           (mkdir-p "/etc/nix")
> +           (with-output-to-file "/etc/nix/nix.conf"
> +             (lambda _
> +               (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
> +               (format #t "build-sandbox-paths = ~{~a ~}~%"
> +                       (append (append-map (cut call-with-input-file <> read)
> +                                           '#$(map references-file
> +                                                   (list package)))
> +                               '#$build-sandbox-paths))
> +               (for-each (cut display <>) '#$extra-config))))))))

Here you’re adding the closure of Nix itself, which is a bit more than
needed I guess, but maybe it’s OK (perhaps with a comment explaining
that ‘config.nix’ captures store file names.)

Actually I thought this would have to be addressed in the ‘nix’ package
itself because this is where those store file names are captured.  But
maybe it’s OK to do it in the service.  WDYT?

> +(define* (run-nix-test name test-os)
> +  "Run tests in %NIX-OS Guix operating system, which has nix-daemon running."
                   ^
TEST-OS

> +(define %nix-os

Pretty fun.  :-)

> +(define %test-nix
> +  (system-test
> +   (name "nix")
> +   (description "Connect to a running nix-daemon")
> +   (value (run-nix-test name %nix-os))))

Great that you were able to write a test for that!

Thanks,
Ludo’.





* bug#42173: [PATCH 2/2] services: nix: Fix sandbox.
  2020-07-22 10:34             ` Ludovic Courtès
@ 2020-07-22 19:38               ` Oleg Pykhalov
  0 siblings, 0 replies; 14+ messages in thread
From: Oleg Pykhalov @ 2020-07-22 19:38 UTC (permalink / raw)
  To: 42173-done


Hi,

Ludovic Courtès <ludo@gnu.org> writes:

[…]

>> +           (with-output-to-file "/etc/nix/nix.conf"
>> +             (lambda _
>> +               (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
>> +               (format #t "build-sandbox-paths = ~{~a ~}~%"
>> +                       (append (append-map (cut call-with-input-file <> read)
>> +                                           '#$(map references-file
>> +                                                   (list package)))
>> +                               '#$build-sandbox-paths))
>> +               (for-each (cut display <>) '#$extra-config))))))))
>
> Actually I thought this would have to be addressed in the ‘nix’ package
> itself because this is where those store file names are captured.  But
> maybe it’s OK to do it in the service.  WDYT?

I think it's good enough for now to fix the issue.  We could delete
prepending ‘build-sandbox-paths’ with ‘nix’ closure in future.

>> +(define %nix-os
>
> Pretty fun.  :-)

Yea, :-).

Pushed to master as 4656180d5de1fef2846bea9af27ae509f32376ba

Oleg.
