| 23 Aug 2021 |
baloo | interesting. https://github.com/NixOS/nix/pull/5006. An alternative would be to remove systemd from the passwd entry of /etc/nsswitch.conf | 15:56:40 |
baloo | if I understand nsswitch correctly | 15:56:56 |
baloo | which is a stretch | 15:57:02 |
baloo | no | 16:05:41 |
j4m3s | If it's a DNS issue, isn't it the dns part from systemd that must be removed ? | 16:08:24 |
davidak | j4m3s: in my case, the system dns resolution worked, only nix had issues. | 16:12:00 |
baloo | I was thinking of leaving the nscd socket in, but nss will read it whatever we put in /etc/nsswitch.conf | 16:12:13 |
baloo | /* builtin:fetchurl can trigger a DNS lookup, which with glibc can trigger a dynamic library load of
one of the glibc NSS libraries in a sandboxed child, which will fail unless the library's already
been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to
load its lookup libraries in the parent before any child gets a chance to. */
| 16:13:07 |
baloo | there is an interesting comment in nix preloadNSS | 16:13:21 |
baloo | is nss loaded before switching to sandbox, and then out of reach once in the sandbox? | 16:13:43 |
andi- | As long as the file has been loaded before the sandbox has been entered it shouldn't be a problem. It is very common to open a FD, enter a sandbox and only then operate on it. | 16:15:22 |
baloo | in this case, it's relying on nss to dlopen the libraries, but yes | 16:15:53 |
andi- | Could it be a glibc mismatch of sorts? | 16:16:36 |
andi- | Another glibc on the host than what is in the sandbox and does the fetching? | 16:16:49 |
andi- | and thus it might not be "tricked" into reusing the already loaded stuff? | 16:16:59 |
baloo | what I don't understand is that some looks must be working | 16:18:19 |
baloo | like all the cache.nixos.org at least | 16:18:33 |
baloo | * what I don't understand is that some lookups must be working | 16:18:48 |
davidak | In reply to @andi:kack.it Could it be a glibc mismatch of sorts? I was running this on a system build from a PR (master+). not sure which nixpkgs version it is using. could be a mismatch if it's an older version
nix run \
--option extra-substituters 'https://nixpkgs-update.cachix.org/' \
--option trusted-public-keys 'nixpkgs-update.cachix.org-1:6y6Z2JdoL3APdu6/+Iy8eZX2ajf09e4EE9SnxSML1W8=' \
-f https://github.com/ryantm/nixpkgs-update/archive/master.tar.gz \
-c nixpkgs-update --help
| 16:18:50 |
andi- | Do we have a minimal reproducer for this that doesn't involve flakes, nixpkgs-update, ....? A simple derivation? | 16:18:56 |
andi- | In reply to @davidak:matrix.org
I was running this on a system build from a PR (master+). not sure which nixpkgs version it is using. could be a mismatch if it's an older version
nix run \
--option extra-substituters 'https://nixpkgs-update.cachix.org/' \
--option trusted-public-keys 'nixpkgs-update.cachix.org-1:6y6Z2JdoL3APdu6/+Iy8eZX2ajf09e4EE9SnxSML1W8=' \
-f https://github.com/ryantm/nixpkgs-update/archive/master.tar.gz \
-c nixpkgs-update --help
It started building from bootstrap or so. How long before that error occurs? | 16:23:46 |
@timdeh:matrix.org | In reply to @baloo_:matrix.org I can now inject my own custom vdso to a whole process tree. And customize logic there. do you have this anywhere I could play with it 😅 or do you plan to submit a PR? I'd love to review it | 16:24:23 |
baloo | I need to cleanup my code and document it. | 16:24:49 |
baloo | but I'll push it on Github. although I don't recommend running it :D | 16:25:20 |
davidak | In reply to @andi:kack.it It started building from bootstrap or so. How long before that error occurs? few minutes. when it connects to tarballs.nixos.org or ftpmirror.gnu.org | 16:25:25 |
andi- | And what makes this expression special? That uncached / custom nixpkgs? | 16:25:58 |
davidak | does it get the packages from cachix on your system or build every single package? it builds 120 packages in my case which took about 2 hours | 16:26:04 |
andi- | I don't know if it fetches from cachix. I never trusted / used it. | 16:26:18 |
andi- | I used your command 1:1 | 16:26:22 |
andi- | I am not a trusted user on my systems so probably not. | 16:26:36 |