 | Hydra | 390 Members |
| 108 Servers |
| Hydra | 390 Members |
| 108 Servers |
| Sender | Message | Time |
|---|---|---|
| 13 May 2022 | ||
 osnyx (he/him) joined the room. | 10:17:33 | |
| osnyx (he/him) | Hi there. Question: My Hydra is complaining about is forbidden in restricted mode a eval time. What kind of restricted mode is this referring to?I cannot find the term restrict* in the hydra docs at all. And while there is the Nix feature of restrict-eval, this is probably not meant here as that feature disables access to network for source fetching (except for an allow list), but my Hydra is doing such fetches just fine. | 10:20:37 |
 @linus:schreibt.jetzt | Oliver Schmidt: it probably is restrict-eval, or are you actually fetching sources during evaluation time? | 10:21:33 |
| @linus:schreibt.jetzt | Because restrict-eval doesn't affect fixed-output derivations, which are the mechanism through which sources are usually fetched. | 10:22:04 |
| osnyx (he/him) | Ah. good to know, the docs read otherwise. | 10:22:23 |
| osnyx (he/him) | The affected path is in the local store though:error: access to path '/nix/store/p1w78v344m0aaajzr6a4vfy0zm1ppsiz-nix-phps/pkgs/development/interpreters/php/generic.nix' is forbidden in restricted mode | 10:22:40 |
| @linus:schreibt.jetzt | how does it get there? | 10:23:12 |
| osnyx (he/him) | Good question, because this dir should be vendored in our overlay but apparently isn't... | 10:24:18 |
 das_j | Hydra doesn't have an option to toggle this for some reason | 10:24:45 |
| das_j | https://github.com/NixOS/hydra/pull/888 | 10:25:01 |
| osnyx (he/him) | But before looking into that, back to restrict-eval: With that being off by default, I cannot find it being activated in the /etc/nix/nix.conf of the hydra host. | 10:25:06 |
| das_j | there is also some option that allows you to selectively unrestrict paths… but I have never used that | 10:25:52 |
| osnyx (he/him) | In reply to @janne.hess:helsinki-systems.deAh, that explains why it's on in Hydr | 10:27:45 |
| osnyx (he/him) | In reply to @janne.hess:helsinki-systems.de* Ah, that explains why it's on in Hydra | 10:27:47 |
| das_j | ah allowed-uris is the option I was talking about but I have no idea what to do with it. Maybe set it to /nix/store? I really don't know | 10:28:42 |
| osnyx (he/him) | In reply to @linus:schreibt.jetztThat doesn't read like this in the nix docs: https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval So if this is true it should better be mentioned there. | 10:28:48 |
| @linus:schreibt.jetzt | the key word there is "evaluator" | 10:29:21 |
| osnyx (he/him) | I first will have a look how that directory is actually created, I guess some tracing comes in handy there. | 10:29:37 |
| osnyx (he/him) | In reply to @linus:schreibt.jetztAh, the component that creates the .drv files to be realised by the nix daemon later? | 10:31:32 |
| @linus:schreibt.jetzt | not necessarily the daemon, but yes | 10:31:44 |
| osnyx (he/him) | Understood. Yeah, not always the daemon (see single-user installs), but I wanted to simplify for clarity. Thx. | 10:32:27 |
| @linus:schreibt.jetzt | the evaluator also talks to the daemon on multi-user installs, in order to actually create the .drvs :) | 10:33:10 |
| osnyx (he/him) | das_j: Do you think a remark about the naming of "is forbidden in restricted mode" (Hydra error, not found in Hyfra docs) vs. "restrict-eval" (underlying Nix feature) deserves its own issue or shall I mention it in PR #888? | 10:34:29 |
| das_j | In reply to @os:matrix.flyingcircus.ioI don't know, maybe not in #888 since I doubt this will ever get merged or looked at again | 10:35:00 |
| osnyx (he/him) | It could be mentioned in the Hydra docs that the "restricted mode" is derived from "restrict-eval", or the error message could be rephrased | 10:35:40 |
| osnyx (he/him) | Or if #888 is abandoned than someone (I?) might just document that restricted mode == restrict-eval is always switched on. | 10:36:22 |
| das_j | In reply to @os:matrix.flyingcircus.ioIt's not abandoned, we do rebase it to master when needed because it's one of the 20 patches we pick into our downstream hydra :D | 10:37:01 |
| das_j | In reply to @os:matrix.flyingcircus.ioBut what would the error message say? It's not like you can just change an option to fix the issue | 10:37:25 |
| osnyx (he/him) | In reply to @janne.hess:helsinki-systems.deHuh? I thought that's what #888 is introducing. But I honestly haven't checked where evaluator_restrict_eval comes from. | 10:39:11 |
| das_j | In reply to @os:matrix.flyingcircus.ioYeah that is what it's introducing. But I doubt this will ever get merged so having an error message that says something else isn't really helpful. Documenting that is probably a better way to go (but in a separate PR!) | 10:40:04 |