bug#46297: nix-service-configuration is missing the default /bin/sh
From: John Soo @ 2021-02-04 16:00 UTC
To: 46297
Hi guix,
I am working with nix at work and I found some issues with the sandbox configuration for nix. The docs say that the default sandbox-paths should have a default mount for /bin/sh
https://nixos.org/manual/nix/unstable/command-ref/conf-file.html?highlight=Sandbox-paths#description
Default: /bin/sh=/nix/store/zi90rxslsm4mlr46l2xws1rm94g7pk8p-busybox-1.31.1-x86_64-unknown-linux-musl/bin/busybox
I think that means we should add that option to the configuration file.
Thanks!
John
From: John Soo @ 2021-02-04 18:54 UTC
To: 46297
After some review and testing, I am not sure we need build-sandbox-paths either.
From: pukkamustard @ 2021-04-21 15:00 UTC
To: John Soo; +Cc: 46297
I ran into the same issue and agree with your conclusion that we may not need build-sandbox-paths.
Attached a patch that removes the `build-sandbox-paths` option.
This causes nix to use the default value which seems to work fine.
[-- Attachment #2: 0001-services-nix-Remove-build-sandbox-items-configuratio.patch --]
From 886410216c7b1fb6572e7cfdd83dcbd6836e78e4 Mon Sep 17 00:00:00 2001
From: pukkamustard <pukkamustard@posteo.net>
Date: Wed, 21 Apr 2021 17:19:36 +0200
Subject: [PATCH] services: nix: Remove build-sandbox-items configuration.
* gnu/services/nix.scm (<nix-configuration>)[build-sandbox-items]: Remove field.
* doc/guix.texi (Miscellaneous Services)[Nix service]: Remove build-sandbox-items.
---
doc/guix.texi | 4 ----
gnu/services/nix.scm | 30 ++++++++++--------------------
2 files changed, 10 insertions(+), 24 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index b9019d5550..44e545952f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -31993,10 +31993,6 @@ The Nix package to use.
@item @code{sandbox} (default: @code{#t})
Specifies whether builds are sandboxed by default.
-@item @code{build-sandbox-items} (default: @code{'()})
-This is a list of strings or objects appended to the
-@code{build-sandbox-items} field of the configuration file.
-
@item @code{extra-config} (default: @code{'()})
This is a list of strings or objects appended to the configuration file.
It is used to pass extra text to be added verbatim to the configuration
diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 1aef47db0a..537555596c 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -53,8 +53,6 @@
(default nix))
(sandbox nix-configuration-sandbox ;boolean
(default #t))
- (build-sandbox-items nix-configuration-build-sandbox-items ;list of strings
- (default '()))
(extra-config nix-configuration-extra-config ;list of strings
(default '()))
(extra-options nix-configuration-extra-options ;list of strings
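Review bot: dropping the `build-sandbox-items` field here also drops its accessor `nix-configuration-build-sandbox-items`, so any existing `nix-configuration` that sets `build-sandbox-items` stops working with an unknown-field error at reconfigure time; either keep the field as a deprecated no-op for a cycle or state explicitly in the commit message that the break is intended.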
@@ -106,24 +104,16 @@ GID."
(define nix-service-etc
(match-lambda
(($ <nix-configuration> package sandbox build-sandbox-items extra-config)
- (let ((ref-file (references-file package)))
- `(("nix/nix.conf"
- ,(computed-file
- "nix.conf"
- #~(begin
- (use-modules (srfi srfi-26)
- (ice-9 format))
- (with-output-to-file #$output
- (lambda _
- (define internal-sandbox-paths
- (call-with-input-file #$ref-file read))
-
- (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
- ;; config.nix captures store file names.
- (format #t "build-sandbox-paths = ~{~a ~}~%"
- (append internal-sandbox-paths
- '#$build-sandbox-items))
- (for-each (cut display <>) '#$extra-config)))))))))))
+ `(("nix/nix.conf"
+ ,(computed-file
+ "nix.conf"
+ #~(begin
+ (use-modules (srfi srfi-26)
+ (ice-9 format))
+ (with-output-to-file #$output
+ (lambda _
+ (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
+ (for-each (cut display <>) '#$extra-config))))))))))
(define nix-shepherd-service
;; Return a <shepherd-service> for Nix.
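Review bot: the unchanged first line of this hunk, `($ <nix-configuration> package sandbox build-sandbox-items extra-config)`, still destructures four positional fields, and with `build-sandbox-items` removed from the record the pattern now binds `build-sandbox-items` to the `extra-config` value and `extra-config` to `extra-options`, so `'#$extra-config` writes the wrong list into nix.conf; remove `build-sandbox-items` from the pattern. Separately, the hunk deletes more than the user option: `internal-sandbox-paths`, read from `ref-file` (the store references of the Nix package), is gone too, so no /gnu/store path is bind-mounted into the chroot any more; the system-test failure reported later in this thread, where the builder cannot execute `/gnu/store/...-bash-minimal-5.0.16/bin/bash`, is exactly what that produces. If the intent is only to fall back to Nix's default `/bin/sh`, keep the `internal-sandbox-paths` line and drop just `'#$build-sandbox-items`.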
--
2.31.1
CC: Oleg Pykhalov who seems to have worked on this.
Thanks,
pukkamustard
From: Oleg Pykhalov @ 2021-04-22 6:59 UTC
To: pukkamustard; +Cc: John Soo, 46297
Hi,
‘make check-system TESTS=nix’ doesn't succeed with the patch applied on 13c4a377f5a2e1240790679f3d5643385b6d7635:
--8<---------------cut here---------------start------------->8---
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': woken up
substitution of '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test': goal destroyed
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': all outputs substituted (maybe)
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': all inputs realised
building path '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test'
added input paths
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': woken up
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': trying to build
locking path '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test'
lock acquired on '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test.lock'
removing invalid path '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test'
starting build hook '/gnu/store/0xgj4bz1ac973pw9wr8rhg3z1qc0phf8-nix-2.3.10/libexec/nix/build-remote'
cannot find machines file '/etc/nix/machines'
got 0 remote builders
hook reply is 'decline-permanently'
killing process 186
found build user 'nixbld01'
found build user 'nixbld02'
found build user 'nixbld03'
found build user 'nixbld04'
found build user 'nixbld05'
found build user 'nixbld06'
found build user 'nixbld07'
found build user 'nixbld08'
found build user 'nixbld09'
found build user 'nixbld10'
trying user 'nixbld01'
killing all processes running under uid '989'
setting up chroot environment in '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot'
executing builder '/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash'
bind mounting '/tmp/nix-build-guix-test.drv-0' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/build'
bind mounting '/dev/full' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/full'
bind mounting '/dev/null' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/null'
bind mounting '/dev/random' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/random'
bind mounting '/dev/tty' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/tty'
bind mounting '/dev/urandom' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/urandom'
bind mounting '/dev/zero' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/zero'
closing leaked FD 3
closing leaked FD 4
closing leaked FD 5
closing leaked FD 6
closing leaked FD 7
closing leaked FD 8
closing leaked FD 9
closing leaked FD 10
closing leaked FD 11
closing leaked FD 12
closing leaked FD 13
building '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv'...
while setting up the build environment: executing '/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash': No such file or directory
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': got EOF
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': woken up
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': build done
killing process 190
builder process for '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv' finished
killing all processes running under uid '989'
builder for '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv' failed with exit code 1
lock released on '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test.lock'
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': done
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': goal destroyed
error: build of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv' failed
QEMU runs as PID 14
connected to QEMU's monitor
read QEMU monitor prompt
connected to guest REPL
%%%% Starting test nix (Writing full log to "nix.log")
marionette is ready
/gnu/store/xmnqlhxlbywkp688im5kpwr6q4mbil4g-nix-test-builder:1: FAIL Nix daemon running
# of expected passes 1
# of unexpected failures 1
note: keeping build directory `/tmp/guix-build-nix-test.drv-0'
builder for `/gnu/store/bl5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv' failed with exit code 1
build of /gnu/store/bl5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv failed
View build log at '/var/log/guix/drvs/bl/5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv.bz2'.
guix build: error: build of `/gnu/store/bl5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv' failed
make: *** [Makefile:6894: check-system] Error 1
--8<---------------cut here---------------end--------------->8---
It doesn't fail without the patch. Could I ask what issue build-sandbox-paths introduces for you? Also, it would be helpful if you could provide terminal output with the error you encountered.
Thanks,
Oleg.
From: pukkamustard @ 2021-04-22 7:30 UTC
To: Oleg Pykhalov; +Cc: John Soo, 46297
Oleg Pykhalov <go.wigust@gmail.com> writes:
> It doesn't fail without the patch. Could I ask what issue
> build-sandbox-paths introduces for you? Also, it would be helpful if you
> could provide terminal output with the error you encountered.
Ah, sorry, I didn't see that there were system tests.
This is how I ran into the issue (nixpkgs/ is a checkout of the nixpkgs repo).
```
$ nix-build nixpkgs/ -A ocaml-ng.ocamlPackages_4_11.ocaml
building '/nix/store/075nqnnbsgz2frmg5fzhj3ql8lajvgq3-ocaml-4.11.2.tar.xz.drv'...
trying http://caml.inria.fr/pub/distrib/ocaml-4.11/ocaml-4.11.2.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3418k  100 3418k    0     0  2553k      0  0:00:01  0:00:01 --:--:-- 2555k
building '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv'...
unpacking sources
unpacking source archive /nix/store/9harmbwn44004ylalfnvlic4qp5ppvi4-ocaml-4.11.2.tar.xz
source root is ocaml-4.11.2
setting SOURCE_DATE_EPOCH to timestamp 1614163229 of file ocaml-4.11.2/yacc/wstr.c
patching sources
configuring
fixing libtool script ./build-aux/ltmain.sh
configure flags: --disable-static -prefix /nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
/nix/store/bmnhfb10m2s3whl6478dmqhcrkjwk77y-stdenv-linux/setup: ./configure: /bin/sh: bad interpreter: No such file or directory
builder for '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv' failed with exit code 126
error: build of '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv' failed
```
The build succeeds if I do the following:
```
$ sudo nix-build nixpkgs/ -A ocaml-ng.ocamlPackages_4_11.ocaml --option build-sandbox-paths "/bin/sh=//nix/store/0xrjvxvh3wvdbf8pc2850jry1fcx292g-busybox-1.32.1/bin/busybox"
these derivations will be built:
  /nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv
building '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv'...
unpacking sources
unpacking source archive /nix/store/9harmbwn44004ylalfnvlic4qp5ppvi4-ocaml-4.11.2.tar.xz
source root is ocaml-4.11.2
setting SOURCE_DATE_EPOCH to timestamp 1614163229 of file ocaml-4.11.2/yacc/wstr.c
patching sources
configuring
fixing libtool script ./build-aux/ltmain.sh
configure flags: --disable-static -prefix /nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
configure: Configuring OCaml version 4.11.2
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for gcc... gcc
checking whether the C compiler works... yes
...
/nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
```
Note that I need to use sudo as otherwise Nix would simply ignore
my request to override system configurations. And I had to run
`nix-build -A busybox` to make sure busybox was in the /nix/store.
The build-sandbox-paths I manually supplied seem to be the
defaults (as stated in documentation linked in John Soo's mail),
so I assumed that just removing the build-sandbox-path setting
from the nix.conf would solve the issue. I was a bit sloppy with
testing it completely...
This might be an upstream issue with how OCaml is built in Nix. I
think Nix builders should use ${stdenv.shell} instead of /bin/sh
(https://github.com/NixOS/nixpkgs/issues/183). But maybe good if
we can fix it in the Guix nix-service as well.
-pukkamustard
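As an added example (not code from this thread or from Guix), a POSIX sh check that a generated nix.conf has `sandbox = true` and a `/bin/sh=...` entry in `build-sandbox-paths` that points at an executable present on the host, the missing piece behind the `bad interpreter` failure above. The nix.conf it writes for the demo is constructed, and its busybox path is a placeholder.

```shell
#!/bin/sh
# Added example (not from this thread or from Guix): sanity-check a nix.conf
# for the condition this bug is about: sandboxing on, and /bin/sh mapped into
# the sandbox to an executable that actually exists on the host.

# Print the value of KEY ($2) from nix.conf FILE ($1); lines are "key = value"
# and the last occurrence wins here.
nixconf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print the host path mapped to TARGET ($2) in build-sandbox-paths of FILE ($1).
# Entries are space-separated "target=source" pairs; a bare path maps to itself.
sandbox_source_for() {
  for entry in $(nixconf_get "$1" build-sandbox-paths); do
    case $entry in
      "$2="*) printf '%s\n' "${entry#"$2="}"; return 0 ;;
      "$2")   printf '%s\n' "$2"; return 0 ;;
    esac
  done
  return 1
}

# Exit status: 0 = sandbox on and /bin/sh usable; 1 = sandbox off;
# 2 = no /bin/sh entry (the original report); 3 = entry points at a path
# that is missing or not executable (e.g. busybox not yet in the store).
check_sandbox_shell() {
  [ "$(nixconf_get "$1" sandbox)" = true ] || return 1
  src=$(sandbox_source_for "$1" /bin/sh) || return 2
  [ -x "$src" ] || return 3
}

# Demo on a constructed nix.conf; the busybox path is a placeholder, so the
# check reports status 3 (dangling mapping).
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
sandbox = true
build-sandbox-paths = /bin/sh=/nix/store/PLACEHOLDER-busybox/bin/busybox /dev/urandom
EOF
check_sandbox_shell "$demo_conf" || echo "nix.conf problem, status $?"
rm -f "$demo_conf"
```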
From: Oleg Pykhalov @ 2021-04-22 16:50 UTC
To: pukkamustard; +Cc: John Soo, 46297
pukkamustard <pukkamustard@posteo.net> writes:
[…]
> The build succeeds if I do the following:
>
> ```
> $ sudo nix-build nixpkgs/ -A ocaml-ng.ocamlPackages_4_11.ocaml --option build-sandbox-paths "/bin/sh=//nix/store/0xrjvxvh3wvdbf8pc2850jry1fcx292g-busybox-1.32.1/bin/busybox"
Could you apply the following patch on
13c4a377f5a2e1240790679f3d5643385b6d7635 and run the command again,
please?
From 1aa675482fa1aaba02ac1d8599198ec0aa8c2201 Mon Sep 17 00:00:00 2001
From: Oleg Pykhalov <go.wigust@gmail.com>
Date: Thu, 22 Apr 2021 19:46:23 +0300
Subject: [PATCH] services: nix: Add /bin/sh to build-sandbox-paths.
* gnu/services/nix.scm (nix-service-etc): Add /bin/sh to build-sandbox-paths.
---
gnu/services/nix.scm | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 1aef47db0a..619e3cae54 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019, 2020 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright © 2020 Peng Mei Yu <i@pengmeiyu.com>
;;;
;;; This file is part of GNU Guix.
@@ -19,6 +19,7 @@
(define-module (gnu services nix)
#:use-module (gnu packages admin)
+ #:use-module (gnu packages bash)
#:use-module (gnu packages package-management)
#:use-module (gnu services base)
#:use-module (gnu services configuration)
@@ -121,7 +122,8 @@ GID."
(format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
;; config.nix captures store file names.
(format #t "build-sandbox-paths = ~{~a ~}~%"
- (append internal-sandbox-paths
+ (append (list (string-append "/bin/sh=" #$bash-minimal "/bin/sh"))
+ internal-sandbox-paths
'#$build-sandbox-items))
(for-each (cut display <>) '#$extra-config)))))))))))
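Review bot: `#$bash-minimal` expands to a /gnu/store path, and Nix only mounts the closure of sandbox paths that lie in its own store, so the mapped `bin/sh` will run only if its runtime dependencies (glibc at least) are already among `internal-sandbox-paths`, i.e. among the references of the Nix package; the commit message should state that assumption, or the references of `bash-minimal` should be added to the list explicitly so the fix does not rely on Nix and bash-minimal happening to share the same glibc. Also check what Nix does when a user supplies a second `/bin/sh=...` through `build-sandbox-items`, since the hard-coded entry now always precedes it in the list.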
--
2.31.1
From: pukkamustard @ 2021-04-26 7:21 UTC
To: Oleg Pykhalov; +Cc: John Soo, 46297
Oleg Pykhalov <go.wigust@gmail.com> writes:
[…]
> Could you apply the following patch on
> 13c4a377f5a2e1240790679f3d5643385b6d7635 and run the command again,
> please?
Applied and tested in a virtual machine. Your patch seems to fix
the issue I was having. Thank you!
Also tested again in a VM without your patches and was able to
reproduce the error as reported.
For completeness the commands I ran in the VM:
```
$ nix-channel add https://nixos.org/channels/nixpkgs-unstable nixpkgs
$ nix-channel --update
$ nix-build '<nixpkgs>' -I .nix-defexpr/channels -A ocaml-ng.ocamlPackages_4_11.ocaml
/nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
```
-pukkamustard