| 23 Aug 2021 |
 Gytis Ivaskevicius | In reply to @davidak:matrix.org
it fails to build because of lack of disk space
Gytis Ivaskevicius i guess still this issue with the build system
Where do you see that? 🤔 | 03:18:39 |
 davidak | i actually just cited a previous statement from baloo ... scroll up to see the conversation | 03:23:42 |
 baloo | I think the unchecked we’re seeing are connectivity issues | 03:24:33 |
| baloo | All of them are failed while trying to fetch a patch or a source tarball | 03:24:56 |
| baloo | My guess somewhere in between equinix metal and gnu.org | 03:25:32 |
| baloo | I used to have machines there but I don’t anymore. I should have them back in a week or so | 03:26:20 |
| baloo | The disk full issue you can see on the buildkite logs | 03:26:51 |
| baloo | nrdxp: I played with the vdso idea. I can inject one in any process now. From a ptrace/seccomp-bpf filter.
Does not work yet for a reason I still have to debug. But my vdso is loaded. | 03:31:03 |
| baloo | [vdso: 0x7f41cedf4000]
[tv.sec: 42 (rv=0)] | 04:20:17 |
| baloo | :D | 04:20:20 |
| baloo | I can now inject my own custom vdso to a whole process tree. And customize logic there. | 04:21:06 |
| baloo | $ ./emmett bash -xc "date; sleep 2; date"
+ date
Thu Jan 1 12:00:42 AM UTC 1970
+ sleep 2
+ date
Thu Jan 1 12:00:42 AM UTC 1970
| 04:23:11 |
| baloo | and that also fixes golang statics, which will actually call in the vdso too. | 04:25:11 |
| davidak | In reply to @baloo_:matrix.org
My guess somewhere in between equinix metal and gnu.org it could be related to this issue https://github.com/NixOS/nix/issues/5089 | 15:51:36 |
| baloo | timing would match, and that looks very much like the same issue indeed | 15:52:21 |
| baloo | interesting. https://github.com/NixOS/nix/pull/5006. An alternative would be to remove systemd from the passwd entry of /etc/nsswitch.conf | 15:56:40 |
| baloo | if I understand nssswitch correctly | 15:56:56 |
| baloo | which is a stretch | 15:57:02 |
| baloo | no | 16:05:41 |
 j4m3s | If it's a DNS issue, isn't it the dns part from systemd that must be removed ? | 16:08:24 |
| davidak | j4m3s: in my case, the system dns resolution worked, only nix had issues. | 16:12:00 |
| baloo | I was thinking of leaving the nscd socket in, but nss will read it whatever we put in /etc/nssswitch.conf | 16:12:13 |
| baloo | /* builtin:fetchurl can trigger a DNS lookup, which with glibc can trigger a dynamic library load of
one of the glibc NSS libraries in a sandboxed child, which will fail unless the library's already
been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to
load its lookup libraries in the parent before any child gets a chance to. */
| 16:13:07 |
| baloo | there is an interesting comment in nix preloadNSS | 16:13:21 |
| baloo | is nss loaded before switching to sandbox, and then out of reach once in the sandbox? | 16:13:43 |
 andi- | As long as the file has been loaded before the sandbox has been entered it shouldn't be a problem. It is very common to open a FD, enter a sandbox and only then operate on it. | 16:15:22 |
| baloo | in this case, it's relying on nss to dlopen the libraries, but yes | 16:15:53 |
| andi- | Could it be a glibc mismatch of sorts? | 16:16:36 |
| andi- | Another glibc on the host than what is in the sandbox and does the fetching? | 16:16:49 |
