| 8 Feb 2026 |
hexa | iirc only lix has a working implementation at this time | 19:27:56 |
hexa | commit ae6761b9fea22ac802ead7757d034665cb4e795e
Author: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Sun Mar 2 23:04:26 2025 +0100
builders: stop using cgroups for now
They currently break the build of nixosTests.systemd-boot.extraEntries on
lix 2.91.1 and nix 2.25.2 after the edk2 202502 upgrade.
The test hangs in nixos-disk-image-aarch64-linux with
> Press ESC in 5 seconds to skip startup.nsh or any other key to continue.
> Press ESC in 4 seconds to skip startup.nsh or any other key to continue.
> Press ESC in 3 seconds to skip startup.nsh or any other key to continue.
> Press ESC in 2 seconds to skip startup.nsh or any other key to continue.
> Press ESC in 1 seconds to skip startup.nsh or any other key to continue.
> [hangs here]
And aborting the test after it times out fails with
> Aborted: error: deleting cgroup '/sys/fs/cgroup/system.slice/nix-daemon.service/nix-build-uid-30022': [Device or resource busy]
| 19:28:35 |
K900 | Ugh | 19:29:02 |
K900 | Not a fan of the whole thing at all tbh | 19:29:03 |
K900 | Bolting on more wacky nonsense on the test driver is not the way | 19:29:04 |
K900 | But rewriting it to be actually good is spoons | 19:29:06 |
hexa | have you looked at the implementation and is it wacky? | 19:30:05 |
hexa | * have you looked at the implementation and are you considering it wacky? | 19:30:11 |
K900 | A little and yes | 19:30:19 |
hexa | more lightweight tests would surely be appreciated | 19:30:21 |
raitobezarius | the biggest problem of this is not cgroups | 19:32:56 |
raitobezarius | it's auto-allocate-uids and uid-range | 19:32:59 |
raitobezarius | there's no implementation ready for that in any interpreter | 19:33:08 |
raitobezarius | notably blocked on https://github.com/NixOS/nixpkgs/pull/404864 | 19:33:15 |
raitobezarius | (and sure, there's a PR for nsresourced integration in cppnix) | 19:34:22 |
Arian | Yeh for now this means running tests outside of nix right? | 19:48:44 |
Arian | Honestly my dream setup would be new test driver and then we can just use vmspawn or nspawn (they have basically identical interfaces) | 19:51:31 |
Arian | But yeh that's .. work | 19:51:40 |
Arian | Especially driver that integrates with all the systemd goodies like the notify vsock stuff would be great | 19:52:25 |
raitobezarius | (In reply to @arianvp:matrix.org: "Yeh for now this means running tests outside of nix right?") That code uses uid-range | 19:52:49 |
raitobezarius | So you cannot run it outside of Nix | 19:53:00 |
Arian | Oooh | 20:01:34 |
ma27 | fwiw I think the implementation improved quite a lot with the latest few commits and doesn't walk into a wrong direction design-wise. So, IMHO it's perfectly fine to start with this and iterate on that once we actually can use nsresourced (I've heard about ideas to implement this since ~2017). | 20:49:57 |
K900 | I may need to skim it again | 20:50:13 |
ma27 | excuse my ignorance, but now that I think of it, how feasible is it to have nsresourced et al. inside a sandbox? | 20:50:42 |
raitobezarius | (In reply to @ma27:nicht-so.sexy: "excuse my ignorance, but now that I think of it, how feasible is it to have nsresourced et al. inside a sandbox?") By some alignment of all the stars, we, at Lix, need uid-range stabilized to enable xattrs in the store, coincidentally, getting nspawn for our own test suite would make us happier as well, nsresourced is already mentioned in https://git.lix.systems/lix-project/lix/issues/387#issuecomment-12929 (and this is an idea that has been floating back when the systemd crew introduced it at some ASG before that comment) | 21:42:42 |
raitobezarius | That being said, after the hard packaging (eBPF) problems are fixed, integrating nsresourced in the sandbox is fairly easy; what is not easy is to stabilize cgroups
Stabilizing UID range without cgroups is probably a bad idea albeit possible because killing process tree in Linux without cgroups is annoyingly hard, so there would be an increase of deadlocked builds if they don't terminate well in the sandbox because process group killing is well not that good | 21:45:14 |
raitobezarius | Obviously macOS is its own open question as it does not enjoy clear system APIs to get ranges of UIDs locked properly, but that's not my department :D | 21:46:12 |