| 5 Sep 2021 |
baloo | running the same strace here, and it looks like you're correct, it does not execve curl | 19:59:10 |
baloo | but ... I still see: | 19:59:16 |
baloo | [pid 137791] openat(AT_FDCWD, "/nix/store/9bh3986bpragfjmr32gay8p95k91q4gy-glibc-2.33-47/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 10
| 19:59:23 |
baloo | that works fine ... | 19:59:28 |
baloo | huuum | 19:59:41 |
baloo | could you share the output of mount? | 19:59:52 |
baloo | is /nix/store in the same filesystem as /? | 20:00:11 |
Zhaofeng Li | No, different filesystem | 20:00:35 |
baloo | ha! | 20:00:47 |
tomberek | would using nixUnstable to run the build help? | 20:00:55 |
Zhaofeng Li | @tomberek I'm using nixUnstable | 20:01:11 |
baloo | tomberek: https://github.com/NixOS/nix/issues/5089#issuecomment-905193921 tried both in a nix test here | 20:01:27 |
baloo | both were working fine | 20:01:35 |
baloo | but the filesystem of /nix/store being different from /, that could be a mount namespace issue | 20:02:13 |
Zhaofeng Li | Ok, I looked at the logs a bit closer, and it looks like the NSS loading hack didn't really work. getaddrinfo doesn't seem to load libnss_dns | 20:04:58 |
Zhaofeng Li | It opens a socket to nscd and doesn't load libnss_dns at all. | 20:05:32 |
Rick (Mindavi) | I'm also using different filesystems for / and for /nix/store | 20:05:48 |
Zhaofeng Li | So when the builder runs it's already sandboxed and won't be able to load in the library | 20:05:55 |
Zhaofeng Li | * So when the builder calls libcurl it's already sandboxed and won't be able to load in the library | 20:06:23 |
baloo | yup, that would make sense. | 20:06:27 |
baloo | [pid 137783] socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 12
[pid 137783] connect(12, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = 0
[pid 137783] sendto(12, "\2\0\0\0\16\0\0\0000\0\0\0this.pre-initializes.the.dns.resolvers.invalid.\0", 60, MSG_NOSIGNAL, NULL, 0) = 60
[pid 137783] poll([{fd=12, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 ([{fd=12, revents=POLLIN}])
[pid 137783] read(12, "\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 24) = 24
[pid 137783] close(12) = 0
here (where it works), and similar on your log
| 20:08:35 |
Zhaofeng Li | I think it's actually a bug that it worked with / and /nix/store in the same filesystem. It shouldn't have worked with the sandbox. | 20:09:57 |
baloo | In reply to @zhaofeng:zhaofeng.li ("I think it's actually a bug that it worked with / and /nix/store in the same filesystem. It shouldn't have worked with the sandbox."): I think so too. | 20:10:13 |
Zhaofeng Li | So it seems we need a better hack to pull in libnss | 20:10:16 |
baloo | I have to run, but I'll have a look at it a bit later | 20:10:42 |
baloo | thank you so much for the log! | 20:10:51 |
| 6 Sep 2021 |
baloo | I think I found an ... ugly fix | 22:59:46 |
baloo | #include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stddef.h>
#include <stdlib.h>   /* getenv, setenv, unsetenv, free */
#include <string.h>   /* strdup */

/* Resolve a name under the reserved ".invalid." TLD purely for the side
 * effect: glibc's NSS has to load libnss_dns.so to answer it, so the
 * library is mapped before the build sandbox is entered. LOCALDOMAIN
 * overrides the resolver's search list for the duration of the call and
 * is restored afterwards. */
void preloadNSS() {
    struct addrinfo *res = NULL;
    /* copy the old value: the pointer returned by getenv() may be
     * invalidated by the following setenv() */
    char *previous_env = getenv("LOCALDOMAIN");
    if (previous_env) previous_env = strdup(previous_env);
    setenv("LOCALDOMAIN", "invalid", 1);
    /* the answer is irrelevant; only the lookup itself matters */
    getaddrinfo("this.pre-initializes.the.dns.resolvers.invalid.", "http", NULL, &res);
    if (res) freeaddrinfo(res);
    if (previous_env) {
        setenv("LOCALDOMAIN", previous_env, 1);
        free(previous_env);
    } else {
        unsetenv("LOCALDOMAIN");
    }
}

int main() {
    preloadNSS();
    return 0;
}
This forces NSS to make a DNS lookup, and so to load nss_dns.so
| 23:03:27 |
baloo | (ugly because I need to change the environment, so there is a slight delay during which it gets modified) | 23:04:36 |
baloo | anyone willing to try a proper patch? :D | 23:06:13 |