Sender | Message | Time |
---|---|---|
10 Oct 2024 | ||
V. 🏳️⚧️ | Redacted or Malformed Event | 11:52:27 |
V. 🏳️⚧️ | (In reply to @vigress9:matrix.org) Nvm I'm cursed, they fail on 2.91 too | 13:11:35 |
V. 🏳️⚧️ | Both on GHA and locally | 13:11:51 |
aloisw | Locally as in the devshell, or even if you build them using nix? | 13:12:15 |
V. 🏳️⚧️ | In the devshell | 13:13:12 |
V. 🏳️⚧️ | I don't think I'll get a different result if I nix build locally, since a nix build on GHA fails | 13:13:39 |
aloisw | Do you have special options in your nix.conf ? IIRC the global configuration leaks into the tests. | 13:14:01 |
aloisw | (In reply to @vigress9:matrix.org) Is the GHA repository public? | 13:14:28 |
V. 🏳️⚧️ | https://github.com/vigress8/lix-snapshot/blob/main/.github/workflows/build-lix.yml | 13:15:07 |
V. 🏳️⚧️ | (In reply to @aloisw:kde.org) When I do the environment variable fix to make it ignore global config, the pipe-operator test works, but the rest of the failures are unaffected | 13:17:59 |
aloisw | What operating system and filesystem is your local setup? | 13:35:09 |
V. 🏳️⚧️ | (In reply to @aloisw:kde.org) Xubuntu 24.04, ext4 | 13:53:20 |
aloisw | I can reproduce the issue on that system, let's see if I can get somewhere. | 16:02:18 |
aloisw | Also in general it's better to not delete messages willy-nilly. | 16:03:14 |
V. 🏳️⚧️ | Yeah sorry, though I didn't deem those messages relevant | 16:07:00 |
V. 🏳️⚧️ | (In reply to @aloisw:kde.org) Oh right, the GHA runner is Ubuntu 24.04 as well | 16:08:14 |
aloisw | Yeah but the weird thing is that it's happening inside the sandbox, so it's likely somehow related to the kernel. | 16:09:42 |
aloisw |
These show up in the kernel log, and probably something inside Lix mishandles these denials. | 16:22:14 |
K900 | Mmm apparmor | 16:26:06 |
aloisw | Yeah but we should just fail outright instead of doing weird stuff (that eventually fails anyway) when the mount is denied. | 16:27:01 |
aloisw | It seems that Ubuntu deliberately breaks unprivileged user namespaces since 23.10 using AppArmor. | 16:36:15 |
KFears (tragedy arc) | But why... | 16:41:00 |
V. 🏳️⚧️ | https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces | 16:41:49 |
jade_ | (In reply to @vigress9:matrix.org) i would say this is an ubuntu bug or an installer bug then. it is effectively not possible to know where the nix binary is besides perhaps by allowlisting the entire nix store or somehow using the profile link (which then still is jacked for local dev) | 20:54:29 |
jade_ | can either of you please file an issue on lix mentioning this so that someone can find it in the future | 20:55:04 |
jade_ | the other thing that nix could do if it is running as a privileged daemon is to inject apparmor that disables this into the sandbox | 20:56:20 |
jade_ | but in general we allow userns in the sandbox, even though it is somewhat of a magnet for kernel bugs. it is rather important for testing ourselves! maybe in a future version of the derivation specification you would have to explicitly allow userns access that applies to all systems, but IMO the only reasonable way to proceed now is to eliminate differences between systems tbh. | 20:58:01 |
11 Oct 2024 | ||
aloisw | (In reply to @jade_:matrix.org) The Lix bug is that it fails weirdly though. Ideally the error should be caught properly and Lix would do something sensible about it (fail, or disable the sandbox if sandbox-fallback is enabled) instead of doing weird things. | 06:58:49 |
KFears (tragedy arc) | Regarding Flake lockfiles: I think we can solve the long-term issue by taking the same approach as OpenTofu: We can create | 12:22:35 |
K900 | Hm, I'm not sure if this actually affects anything | 14:40:47 |