| 14 Apr 2023 |
@linus:schreibt.jetzt | zrsk: does sudo -u hydra-queue-runner ssh rock5b.fleet work? | 08:03:22 |
@linus:schreibt.jetzt | note that the builds are triggered by the hydra-queue-runner user, not hydra | 08:03:49 |
aciceri | In reply to @linus:schreibt.jetzt ("zrsk: does sudo -u hydra-queue-runner ssh rock5b.fleet work?"): nope, has to be the hydra-queue-runner to be able to access the remote builder? | 08:04:08 |
@linus:schreibt.jetzt | yep | 08:04:15 |
@linus:schreibt.jetzt | hydra doesn't need it, but hydra-queue-runner does | 08:04:31 |
aciceri | Instead for fetching private repos I need to give ssh access to repos to hydra, right? | 08:05:20 |
@linus:schreibt.jetzt | yes | 08:05:26 |
aciceri | I'm trying btw :) | 08:05:34 |
@linus:schreibt.jetzt | if they're fetched at build time it gets tricky, but if they're flake inputs or jobset inputs it should be fine | 08:06:04 |
aciceri | if they're fetched at build times can't I simply add them to allowed-uris? | 08:06:52 |
aciceri | and if I need the remote builder during an IFD does it work? | 08:07:17 |
@linus:schreibt.jetzt | if they're fetched at build time it runs on the build machines, so those need to have keys and the keys somehow need to end up in the build sandbox as well | 08:07:54 |
@linus:schreibt.jetzt | IFD is bad news, I'd suggest doing your best to avoid it | 08:08:36 |
@linus:schreibt.jetzt | I think it will work if you have it in nix.buildMachines and the evaluator uses the daemon to access the store, but YMMV hard on IFD | 08:09:36 |
aciceri | I know they are problematic even without Hydra | 08:11:43 |
@linus:schreibt.jetzt | even more so with hydra :) | 08:11:52 |
aciceri | however it doesn't work :( | 08:12:02 |
aciceri | are you sure that I had to be able to run sudo -u hydra-queue-runner ssh rock5b.fleet? | 08:12:18 |
aciceri | I mean, I don't even have the hydra-queue-runner on the rock5g | 08:12:35 |
aciceri | * I mean, I don't even have the hydra-queue-runner on the rock5b | 08:12:44 |
aciceri | wasn't root@rock5b.fleet? | 08:12:50 |
@linus:schreibt.jetzt | then you need to adjust the machine definition accordingly | 08:12:53 |
aciceri | how do I have to change it? However sudo -u hydra-queue-runner ssh rock5b.fleet doesn't work since I don't have that user on the remote builder | 08:13:51 |
aciceri | but it works with root@rock5b.fleet now | 08:13:58 |
@linus:schreibt.jetzt | I don't know off the top of my head. I have a layer of indirection:
buildMachinesFiles = [(pkgs.writeText "hydra-builders" ''
  localhost aarch64-linux,armv7l-linux - 16 16
  localhost-big-parallel aarch64-linux,armv7l-linux - 1 1 big-parallel,kvm,nixos-test
  oak-hydra x86_64-linux,i686-linux - 16 16
  oak-big-parallel x86_64-linux,i686-linux - 1 1 big-parallel,kvm,nixos-test
'')];
and
programs.ssh.extraConfig = ''
  Host localhost-big-parallel
    Hostname localhost
  Host oak-hydra oak-big-parallel
    Hostname oak.sphalerite.tech
    User hydra
'';
| 08:14:41 |
@linus:schreibt.jetzt | ah, there's a nix.buildMachines.*.sshUser option | 08:15:22 |
@linus:schreibt.jetzt | so probably set that to root :) | 08:15:27 |
das_j | we have something along the lines of ssh://nix-builder@helsinki-hydra-builder05.wg aarch64-linux /run/secrets/hydra/builders.key 8 8 kvm,nixos-test,big-parallel,benchmark - - | 08:16:09 |
aciceri | without setting sshUser what is used? consider that I was already able to remote build using the CLI | 08:17:43 |
@linus:schreibt.jetzt | no user is specified and ssh will use the local username | 08:17:59 |