!LemuOOvbWqRXodtSsw:nixos.org

NixOS Reproducible Builds

545 Members
Report: https://reproducible.nixos.org Project progress: https://github.com/orgs/NixOS/projects/30123 Servers

Load older messages

SenderMessageTime
23 Aug 2021
@baloo_:matrix.orgbaloo 
    /* builtin:fetchurl can trigger a DNS lookup, which with glibc can trigger a dynamic library load of
       one of the glibc NSS libraries in a sandboxed child, which will fail unless the library's already
       been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to
       load its lookup libraries in the parent before any child gets a chance to. */
16:13:07
@baloo_:matrix.orgbaloothere is an interesting comment in nix preloadNSS16:13:21
@baloo_:matrix.orgbaloo is nss loaded before switching to sandbox, and then out of reach once in the sandbox? 16:13:43
@andi:kack.itandi-As long as the file has been loaded before the sandbox has been entered it shouldn't be a problem. It is very common to open a FD, enter a sandbox and only then operate on it.16:15:22
@baloo_:matrix.orgbalooin this case, it's relying on nss to dlopen the libraries, but yes16:15:53
@andi:kack.itandi-Could it be a glibc mismatch of sorts?16:16:36
@andi:kack.itandi-Another glibc on the host than what is in the sandbox and does the fetching?16:16:49
@andi:kack.itandi-and thus it might not be "tricked" into reusing the already loaded stuff?16:16:59
@baloo_:matrix.orgbaloo what I don't understand is that some looks must be working 16:18:19
@baloo_:matrix.orgbaloolike all the cache.nixos.org at least16:18:33
@baloo_:matrix.orgbaloo * what I don't understand is that some lookups must be working 16:18:48
@davidak:matrix.orgdavidak
In reply to @andi:kack.it
Could it be a glibc mismatch of sorts?

i was running this on a system build from a PR (master+). not sure which nixpkgs version it is using. could be a mismatch if it's an older version

nix run \
  --option extra-substituters 'https://nixpkgs-update.cachix.org/' \
  --option trusted-public-keys 'nixpkgs-update.cachix.org-1:6y6Z2JdoL3APdu6/+Iy8eZX2ajf09e4EE9SnxSML1W8=' \
  -f https://github.com/ryantm/nixpkgs-update/archive/master.tar.gz \
  -c nixpkgs-update --help
16:18:50
@andi:kack.itandi-Do we have a minimal reproducer for this that doesn't involve flakes, nixpkgs-update, ....? A simple derivation?16:18:56
@andi:kack.itandi-
In reply to @davidak:matrix.org

i was running this on a system build from a PR (master+). not sure which nixpkgs version it is using. could be a mismatch if it's an older version

nix run \
  --option extra-substituters 'https://nixpkgs-update.cachix.org/' \
  --option trusted-public-keys 'nixpkgs-update.cachix.org-1:6y6Z2JdoL3APdu6/+Iy8eZX2ajf09e4EE9SnxSML1W8=' \
  -f https://github.com/ryantm/nixpkgs-update/archive/master.tar.gz \
  -c nixpkgs-update --help
It started building from bootstrap or so. How long before that error occurs? 		16:23:46
@timdeh:matrix.orgnrdxp
In reply to @baloo_:matrix.org
I can now inject my own custom vdso to a whole process tree. And customize logic there.
do you have this anywhere I could play with it 😅
or do you plan to submit a PR? I'd love to review it 		16:24:23
@baloo_:matrix.orgbalooI need to cleanup my code and document it.16:24:49
@baloo_:matrix.orgbaloobut I'll push it on Github. although I don't recommend running it :D16:25:20
@davidak:matrix.orgdavidak
In reply to @andi:kack.it
It started building from bootstrap or so. How long before that error occurs?
few minutes. when it connects to tarballs.nixos.org or ftpmirror.gnu.org 		16:25:25
@andi:kack.itandi-And what makes this expression special? That uncached / custom nixpkgs?16:25:58
@davidak:matrix.orgdavidakdoes it get the packages from cachix on your system or build every single package? it builds 120 packages in my case which took about 2 hours16:26:04
@andi:kack.itandi-I don't know if it fetches from cachix. I never trusted / used it.16:26:18
@andi:kack.itandi-I used your command 1:116:26:22
@andi:kack.itandi-I am not a trusted user on my systems so probably not.16:26:36
@davidak:matrix.orgdavidakyes, in that case not. but i added my user to trustedUsers, but it still builds everything. that's a bit strange. not used cachix before, so i'm not sure if the cache is maybe outdated16:28:13
@andi:kack.itandi-

try reproducing the error with this:

let pkgs = import <nixpkgs> {}; in
pkgs.fetchurl {
  url = "mirror://gnu/whatever/something-v1234.tar.gz";
  sha256 = "0000000000000000000000000000000000000000000000000000000000000000";
}
16:31:43
@andi:kack.itandi- It might also be a case of many downloads happening at the same time where some of them are then causing the DNS thing to fall over? 16:33:14
@andi:kack.itandi-Looking at the Nix issue that pretty much looks like it is fetching all the (missing) sources.16:33:34
@baloo_:matrix.orgbaloo nrdxp: https://github.com/baloo/emmett for now 16:37:48
@andi:kack.itandi-

Use this to verify the latter:

let
  pkgs = import <nixpkgs> { };
  d = "0000000000000000000000000000000000000000000000000000000000000000";
in
pkgs.symlinkJoin {
  name = "whatever";
  paths = builtins.genList
    (x:
      let s = toString x; in
      pkgs.fetchurl {
        url = "mirror://gnu/whatever/something-v${s}.tar.gz";
        sha256 = s + (builtins.substring 0 (builtins.stringLength d - builtins.stringLength s) d);
      }) 1000;
}
``
16:37:55
@andi:kack.itandi-that just tries to fetch 1000 imaginary packages that will never exist and should stress the fetching code out.16:38:19

Show newer messages

Back to Room ListRoom Version: 6