| 14 Apr 2023 |
 aciceri | if they're fetched at build times can't I simply add them to allowed-uris? | 08:06:52 |
| aciceri | and if I need the remote builder during an IFD does it work? | 08:07:17 |
 @linus:schreibt.jetzt | if they're fetched at build time it runs on the build machines, so those need to have keys and the keys somehow need to end up in the build sandbox as well | 08:07:54 |
| @linus:schreibt.jetzt | IFD is bad news, I'd suggest doing your best to avoid it | 08:08:36 |
| @linus:schreibt.jetzt | I think it will work if you have it in nix.buildMachines and the evaluator uses the daemon to access the store, but YMMV hard on IFD | 08:09:36 |
| aciceri | I know they are problematic even without Hydra | 08:11:43 |
| @linus:schreibt.jetzt | even more so with hydra :) | 08:11:52 |
| aciceri | however it doesn't work :( | 08:12:02 |
| aciceri | are you sure that I had to be able to run sudo -u hydra-queue-runner ssh rock5b.fleet? | 08:12:18 |
| aciceri | I mean, I don't even have the hydra-queue-runner on the rock5g | 08:12:35 |
| aciceri | * I mean, I don't even have the hydra-queue-runner on the rock5b | 08:12:44 |
| aciceri | wasn't root@rock5b.fleet? | 08:12:50 |
| @linus:schreibt.jetzt | then you need to adjust the machine definition accordingly | 08:12:53 |
| aciceri | how have to change it? However sudo -u hydra-queue-runner ssh rock5b.fleet doesn't work since I don't have that user on the remote builder | 08:13:51 |
| aciceri | but it works with root@rock5b.fleet now | 08:13:58 |
| @linus:schreibt.jetzt | I don't know off the top of my head. I have a layer of indirection:
buildMachinesFiles = [(pkgs.writeText "hydra-builders" ''
localhost aarch64-linux,armv7l-linux - 16 16
localhost-big-parallel aarch64-linux,armv7l-linux - 1 1 big-parallel,kvm,nixos-test
oak-hydra x86_64-linux,i686-linux - 16 16
oak-big-parallel x86_64-linux,i686-linux - 1 1 big-parallel,kvm,nixos-test
'')];
and
programs.ssh.extraConfig = ''
Host localhost-big-parallel
Hostname localhost
Host oak-hydra oak-big-parallel
Hostname oak.sphalerite.tech
User hydra
'';
| 08:14:41 |
| @linus:schreibt.jetzt | ah, there's a nix.buildMachines.*.sshUser option | 08:15:22 |
| @linus:schreibt.jetzt | so probably set that to root :) | 08:15:27 |
 das_j | we have something long the lines of ssh://nix-builder@helsinki-hydra-builder05.wg aarch64-linux /run/secrets/hydra/builders.key 8 8 kvm,nixos-test,big-parallel,benchmark - - | 08:16:09 |
| aciceri | without setting sshUser what is used? consider that I was already able to remote build using the CLI | 08:17:43 |
| @linus:schreibt.jetzt | no user is specified and ssh will use the local username | 08:17:59 |
| @linus:schreibt.jetzt | and the nix daemon runs as root so it coincidentally works | 08:18:12 |
| aciceri | btw do you use localhost as "remote" builder? | 08:19:17 |
| @linus:schreibt.jetzt | yeah, I do that so I can run 16 normal builds separately from the 1 big-parallel build | 08:19:45 |
| @linus:schreibt.jetzt | hydra special-cases "localhost" and skips the SSH connection though | 08:20:19 |
| aciceri | for this reason you have both localhost and localhost-big-parallel, right? | 08:21:03 |
| aciceri | yes I remembered that there were some hard coded conditions about being localhost in the hydra source | 08:21:32 |
| @linus:schreibt.jetzt | yes | 08:21:34 |
| aciceri | it caused me a several headaches | 08:21:38 |
| aciceri | * yes I remember that there were some hard coded conditions about being localhost in the hydra source | 08:21:49 |
