Hydra | 390 Members | |
| 109 Servers |
| Sender | Message | Time |
|---|---|---|
| 13 May 2022 | ||
| Ah. good to know, the docs read otherwise. | 10:22:23 | |
The affected path is in the local store though: error: access to path '/nix/store/p1w78v344m0aaajzr6a4vfy0zm1ppsiz-nix-phps/pkgs/development/interpreters/php/generic.nix' is forbidden in restricted mode | 10:22:40 | |
| how does it get there? | 10:23:12 | |
| Good question, because this dir should be vendored in our overlay but apparently isn't... | 10:24:18 | |
| Hydra doesn't have an option to toggle this for some reason | 10:24:45 | |
| https://github.com/NixOS/hydra/pull/888 | 10:25:01 | |
But before looking into that, back to restrict-eval: With that being off by default, I cannot find it being activated in the /etc/nix/nix.conf of the hydra host. | 10:25:06 | |
| there is also some option that allows you to selectively unrestrict paths… but I have never used that | 10:25:52 | |
In reply to @janne.hess:helsinki-systems.de: Ah, that explains why it's on in Hydra | 10:27:47 | |
ah allowed-uris is the option I was talking about but I have no idea what to do with it. Maybe set it to /nix/store? I really don't know | 10:28:42 | |
In reply to @linus:schreibt.jetzt: That doesn't read like this in the nix docs: https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval So if this is true it should better be mentioned there. | 10:28:48 | |
| the key word there is "evaluator" | 10:29:21 | |
| I first will have a look how that directory is actually created, I guess some tracing comes in handy there. | 10:29:37 | |
In reply to @linus:schreibt.jetzt: Ah, the component that creates the .drv files to be realised by the nix daemon later? | 10:31:32 | |
| not necessarily the daemon, but yes | 10:31:44 | |
| Understood. Yeah, not always the daemon (see single-user installs), but I wanted to simplify for clarity. Thx. | 10:32:27 | |
| the evaluator also talks to the daemon on multi-user installs, in order to actually create the .drvs :) | 10:33:10 | |
| das_j: Do you think a remark about the naming of "is forbidden in restricted mode" (Hydra error, not found in Hydra docs) vs. "restrict-eval" (underlying Nix feature) deserves its own issue or shall I mention it in PR #888? | 10:34:29 | |
In reply to @os:matrix.flyingcircus.io: I don't know, maybe not in #888 since I doubt this will ever get merged or looked at again | 10:35:00 | |
| It could be mentioned in the Hydra docs that the "restricted mode" is derived from "restrict-eval", or the error message could be rephrased | 10:35:40 | |
| Or if #888 is abandoned then someone (I?) might just document that restricted mode == restrict-eval is always switched on. | 10:36:22 | |
In reply to @os:matrix.flyingcircus.io: It's not abandoned, we do rebase it to master when needed because it's one of the 20 patches we pick into our downstream hydra :D | 10:37:01 | |
In reply to @os:matrix.flyingcircus.io: But what would the error message say? It's not like you can just change an option to fix the issue | 10:37:25 | |
In reply to @janne.hess:helsinki-systems.de: Huh? I thought that's what #888 is introducing. But I honestly haven't checked where evaluator_restrict_eval comes from. | 10:39:11 | |
In reply to @os:matrix.flyingcircus.io: Yeah that is what it's introducing. But I doubt this will ever get merged so having an error message that says something else isn't really helpful. Documenting that is probably a better way to go (but in a separate PR!) | 10:40:04 | |
| Okay. To-do list noises | 10:40:45 | |
In reply to @linus:schreibt.jetzt: Ah, one of the nix paths contained a ${nixpkgs} reference in a path. I replaced that with a relative path (possible in that particular case), but adjusting the NIX_PATH might also be a viable way. | 11:44:31 | |
In reply to @os:matrix.flyingcircus.io: If anything you want it to be an input in your hydra jobset definition, because NIX_PATH doesn't apply globally in Hydra | 11:55:16 | |
| I'll have a look, thx. | 11:56:01 | |