Lix Development - Public Room Timeline

	Lix Development	255 Members
	(Technical) development of Lix, the package manager, a Nix implementation. Please be mindful of ongoing technical conversations in this channel.	100 Servers

Load older messages

Sender	Message	Time
10 Oct 2024
V. 🏳️‍⚧️	Yeah sorry, though I didn't deem those messages relevant	16:07:00
V. 🏳️‍⚧️	In reply to @aloisw:kde.org I can reproduce the issue on that system, let's see if I can get somewhere. Oh right, the GHA runner is Ubuntu 24.04 as well	16:08:14
aloisw	Yeah but the weird thing is that it's happening inside the sandbox, so it's likely somehow related to the kernel.	16:09:42
aloisw	Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.035:1054): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97402 comm="unshare" requested="userns_create" target="unprivileged_userns" Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.110:1055): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97425 comm="unshare" requested="userns_create" target="unprivileged_userns" Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.233:1056): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97439 comm="nix-store" requested="userns_create" target="unprivileged_userns" Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.235:1057): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97439 comm="nix-store" requested="userns_create" target="unprivileged_userns" Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.236:1058): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=97445 comm="nix-store" flags="rw, rprivate" Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.273:1059): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97444 comm="nix" requested="userns_create" target="unprivileged_userns" Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.274:1060): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97444 comm="nix" requested="userns_create" target="unprivileged_userns" Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.276:1061): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=97451 comm="nix" flags="rw, rprivate" These show up in the kernel log, and probably something inside Lix mishandles these denials.	16:22:14
K900	Mmm apparmor	16:26:06
aloisw	Yeah but we should just fail outright instead of doing weird stuff (that eventually fails anyway) when the mount is denied.	16:27:01
aloisw	It seems that Ubuntu deliberately breaks unprivileged user namespaces since 23.10 using AppArmor.	16:36:15
KFears (tragedy arc)	But why...	16:41:00
V. 🏳️‍⚧️	https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces	16:41:49
jade_	In reply to @vigress9:matrix.org https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces i would say this is an ubuntu bug or an installer bug then. it is effectively not possible to know where the nix binary is besides perhaps by allowlisting the entire nix store or somehow using the profile link (which then still is jacked for local dev)	20:54:29
jade_	can either of you please file an issue on lix mentioning this so that someone can find it in the future	20:55:04
jade_	the other thing that nix could do if it is running as a privileged daemon is to inject apparmor that disables this into the sandbox	20:56:20
jade_	but in general we allow userns in the sandbox, even though it is somewhat of a magnet for kernel bugs. it is rather important for testing ourselves! maybe in a future version of the derivation specification you would have to explicitly allow userns access that applies to all systems, but IMO the only reasonable way to proceed now is to eliminate differences between systems tbh.	20:58:01
11 Oct 2024
aloisw	In reply to @jade_:matrix.org i would say this is an ubuntu bug or an installer bug then. it is effectively not possible to know where the nix binary is besides perhaps by allowlisting the entire nix store or somehow using the profile link (which then still is jacked for local dev) The Lix bug is that it fails weirdly though. Ideally the error should be caught properly and Lix would do something sensible about it (fail, or disable the sandbox if sandbox-fallback is enabled) instead of doing weird things.	06:58:49
KFears (tragedy arc)	Regarding Flake lockfiles: I think we can solve the long-term issue by taking the same approach as OpenTofu: https://opentofu.org/docs/intro/whats-new/#override-files-for-opentofu-keeping-compatibility We can create `flake.lix.lock` or `flake.ice` or `flake.lixfile` or whatever that CppNix will for sure never read, and then we change Lix to read this new lockfile instead. If it doesn't exist, we copy the `flake.lock` to new lockfile and read the new lockfile. That way, after a few releases, we can remove the fallback behavior and introduce changes to the lockfile format, like having semver versions instead of int versions	12:22:35
K900	Hm, I'm not sure if this actually affects anything	14:40:47
K900	But nix-daemon reaps build processes after refscanning	14:41:07
K900	So you can end up with a zombie process just sitting there for a while	14:41:18
Linux Hackerman	I just opened https://git.lix.systems/lix-project/lix/issues/544 -- I'll try to make and send a fix this evening. I'm a bit confused about the stack trace though -- I'm building with `meson build -C build` (having run `meson setup build`) then running `build/src/nix/nix` and the stack trace looks pretty much the same (barring file paths). Any ideas why more of the frames can't be resolved into symbols?	14:47:25
Linux Hackerman	ok, found it without the computer telling me where the exception comes from: https://gerrit.lix.systems/c/lix/+/2057	15:25:38
V. 🏳️‍⚧️	In reply to @jade_:matrix.org can either of you please file an issue on lix mentioning this so that someone can find it in the future Done	15:43:20
V. 🏳️‍⚧️	In reply to @kfears:matrix.org Regarding Flake lockfiles: I think we can solve the long-term issue by taking the same approach as OpenTofu: https://opentofu.org/docs/intro/whats-new/#override-files-for-opentofu-keeping-compatibility We can create `flake.lix.lock` or `flake.ice` or `flake.lixfile` or whatever that CppNix will for sure never read, and then we change Lix to read this new lockfile instead. If it doesn't exist, we copy the `flake.lock` to new lockfile and read the new lockfile. That way, after a few releases, we can remove the fallback behavior and introduce changes to the lockfile format, like having semver versions instead of int versions `flake.lick` is right there	16:06:09
K900	lewd	16:06:29
KFears (tragedy arc)	Very memorable, though	16:10:22
KFears (tragedy arc)	One issue: i and o are adjacent on qwerty keyboard	16:10:39
K900	The true multiverse brain would be to then rename flakes to flicks	16:11:41
K900	So the filename is flick.lick	16:11:47
K900	(or, if we really want to mess with people, flick.lock)	16:12:02
KFears (tragedy arc)	drop.kick	16:21:12
oli	In reply to @vigress9:matrix.org `flake.lick` is right there mmm tasty ice cream	17:07:37

Show newer messages

Back to Room ListRoom Version: 10