#nix-darwin on 2021-03-16

00:50 supersandro2000 has quit [Disconnected by services]

00:50 supersandro2000 has joined #nix-darwin

01:05 andremed- has joined #nix-darwin

01:05 Gaelan_ has joined #nix-darwin

01:07 squidgy_ has joined #nix-darwin

01:12 squidgy has quit [*.net *.split]

01:12 andremedeiros has quit [*.net *.split]

01:12 cransom has quit [*.net *.split]

01:12 Gaelan has quit [*.net *.split]

01:12 andremed- is now known as andremedeiros

01:19 cransom has joined #nix-darwin

05:33 hke has quit [Read error: Connection reset by peer]

05:34 hke has joined #nix-darwin

08:25 Chiliparrot has joined #nix-darwin

09:20 squidgy_ has quit [Quit: ZZZzzz…]

09:39 Chiliparrot has quit [Ping timeout: 260 seconds]

09:48 Chiliparrot has joined #nix-darwin

10:13 __monty__ has joined #nix-darwin

10:18 philr_ has quit [Ping timeout: 245 seconds]

10:19 philr_ has joined #nix-darwin

11:08 claudiii has quit [Quit: Connection closed for inactivity]

11:51 Chiliparrot has quit [Ping timeout: 272 seconds]

11:52 Chiliparrot has joined #nix-darwin

13:37 eraserhd has joined #nix-darwin

13:41 eraserhd has quit [Client Quit]

14:37 eraserhd has joined #nix-darwin

15:00 squidgy has joined #nix-darwin

15:20 hke has quit [Read error: Connection reset by peer]

15:21 hke has joined #nix-darwin

16:11 Chiliparrot has quit [Ping timeout: 272 seconds]

16:13 Chiliparrot has joined #nix-darwin

16:41 Chiliparrot has quit [Ping timeout: 260 seconds]

16:44 Chiliparrot has joined #nix-darwin

16:58 philr_ has quit [Ping timeout: 245 seconds]

17:44 Chiliparrot has quit [Ping timeout: 258 seconds]

17:47 Chiliparrot has joined #nix-darwin

18:00 squidgy has quit [Quit: ZZZzzz…]

18:13 Chiliparrot has quit [Ping timeout: 260 seconds]

18:15 Chiliparrot has joined #nix-darwin

18:39 Chiliparrot has quit [Ping timeout: 264 seconds]

18:46 Chiliparrot has joined #nix-darwin

18:54 Chiliparrot has quit [Quit: Textual IRC Client: www.textualapp.com]

19:06 oliver85 has joined #nix-darwin

19:06 <oliver85> hello

19:08 <abathur> hey

19:08 <abathur> sorry, helping someone out in #nixos; divided attention :)

19:09 <oliver85> all good

19:11 <abathur> I'm aware buildkite exists but not otherwise familiar with it, not sure if that'll end up being relevant

19:13 <oliver85> Its getting more popular these past couple years. Its basically a build orchestrator and you bring your own agents. In our case our agents are AWS ec2 mac1.metal instances

19:14 <abathur> did you also add the SecureToken to the buildkite user, I guess?

19:15 <abathur> (for posterity/anyone else reading, we're discussing nix#4640)

19:15 <{^_^}> https://github.com/NixOS/nix/issues/4640 (by OliverKoo, 1 day ago, open): MacOS /nix unmount when reboot. /nix ownership change to root

19:15 <oliver85> not on the AMi but yes after I booted up I ssh in and added SecureToken manually

19:18 <abathur> iirc others reported being able to skirt this issue by using a GUI session to add a security exemption (FDE, I think) for /bin/sh, in case you're under pressure to have something working yesterday here

19:18 <abathur> some of the links I listed in the previous post have a little contextual information; I haven't directly done this

19:18 <abathur> I'm not sure if that's the only path or not

19:19 <abathur> before I was thinking that this was about running ~headless systems, because all of the reports involved people trying to set up over ssh, failing, and then describing going in through the GUI

19:20 <abathur> but I'm not quite clear on how you're connected when you describe the commands at the end of your last comment in the issue

19:20 <abathur> i.e. "if I launch the daemon sudo launchctl load -w /Library/LaunchDaemons/com.buildkite.buildkite-agent.plist then I see the dyld: Library not loaded post above when build" and "but I can successfully build with nix if I invoke the agent directly after ssh into the machine

19:20 <abathur> sudo su - buildkite-agent then /usr/local/bin/buildkite-agent start"

19:21 <abathur> so if the first part of that IS with a GUI that might help rule out at least one possibility

19:22 <oliver85> ah let me clarify my last comment on the issue and give a bit more context.

19:27 <oliver85> buildkite-agent can be start (https://buildkite.com/docs/agent/v3/cli-start) by directly invoking the binary at /usr/locl/bin/buildkite-agent. Now an agent is running on my machine. from buildkite.com I can then schedule job that will be pick up by the agent. Jobs like "nix --verison"

19:27 <oliver85> If I start the buildkite agent by manuall ssh into my ec2 instance. run (. /Users/buildkite-agent/.nix-profile/etc/profile.d/nix.sh) then kick off the agent "/usr/local/bin/buildkite-agent start" as buildkite-agent user. Then the job pick up by this agent seems to run nix command just fine.

19:27 <oliver85> But if I have launchctl kick off the agent (agent is set to start on boot), then jobs picked up by this agent shows the dyld error

19:29 <oliver85> I am not sure what you meant by "GUI session to add a security exemption"

19:30 <abathur> well, it's a good sign that it will run over ssh if set up correctly

19:32 <abathur> I guess it might be failing for some reason related to the system not having a logged-in user, or something about the launchd context compared to how you're invoking it

19:35 <abathur> re: GUI; sorry, I said FDE instead of FDA earlier :) if I understood correctly they did something like literally VNC in to the desktop, open the system preferences > security & privacy > privacy > Full Disk Acces, unlock, and then add /bin/sh

19:41 <oliver85> ah gotcha, Yah VNC into desktop will be hard to incorporate with the AMI creation process. (i.e pause the process, VNC in, then continue)

19:42 <oliver85> when you say `iirc others reported being able to skirt this issue` which issue you referring to? dyld?

19:45 <abathur> yeah; for example https://logs.nix.samueldr.com/nix-darwin/2020-11-30#1606760211-1606761743

19:46 <abathur> and a few of the other links in my earlier comment on the issue

19:47 <abathur> I have at least two ideas I guess

19:48 <abathur> sandro's comments about it working if he didn't use /bin/sh makes me wonder if buildkite-agent is a /bin/sh shell script

19:49 <abathur> and nix-daemon's launchd does use /bin/sh, I think maybe to get around argument weirdness in plist

19:50 <abathur> though looking at the buildkite/agent repo makes me think it's a go binary

19:54 <abathur> it does look like it uses /bin/sh internally though https://github.com/buildkite/agent/pull/448/files

20:03 <oliver85> wait a second, when I created buildkite-user on my machine I had bin/bash as my default shell `sudo sysadminctl -addUser buildkite-agent -shell /bin/bash`

20:03 <oliver85> if I have the buildkite daemon run job `echo $SHELL` I get bin/bash as well.

20:03 <oliver85> I should switch to bin/sh?

20:04 <oliver85> so they are compatable and bin/sh have access to the entire disk (somehow?)

20:13 <abathur> worth a try

20:14 <abathur> it does seem like the difference between works/doesn't is just some permission grant that happens in a normal gui login session, and apparently happens in a ssh session

20:14 <abathur> but which isn't happening for these launchd jobs

20:14 <abathur> oh huh, that reminds me...

20:22 <abathur> ah; nm; was thinking of a launchd setting, but it looks like it should be enabled by default in this case

20:38 <oliver85> cool cool.

20:38 <oliver85> changed default shell to `chsh -s /bin/sh`

20:38 <oliver85> if I run `echo $SHELL` I see /bin/sh

20:39 <oliver85> but if I run nix --version......I see its using /bin/bash trapping?! (huh) I am digging to see where this trap comming from

20:39 <oliver85> ```

20:39 <oliver85> $ trap 'kill -- $$' INT TERM QUIT; nix --version

20:39 <oliver85> dyld: Library not loaded: /nix/store/i1cg0wfns9j4lmfzvx5dz6rc436vs6ms-libsodium-1.0.18/lib/libsodium.23.dylib

20:39 <oliver85> Referenced from: /Users/buildkite-agent/.nix-profile/bin/nix

20:39 <oliver85> Reason: no suitable image found. Did find:

20:39 <oliver85> file system sandbox blocked open() of '/nix/store/i1cg0wfns9j4lmfzvx5dz6rc436vs6ms-libsodium-1.0.18/lib/libsodium.23.dylib'

20:39 <oliver85> /nix/store/i1cg0wfns9j4lmfzvx5dz6rc436vs6ms-libsodium-1.0.18/lib/libsodium.23.dylib: stat() failed with errno=1

20:39 <oliver85> file system sandbox blocked open() of '/nix/store/i1cg0wfns9j4lmfzvx5dz6rc436vs6ms-libsodium-1.0.18/lib/libsodium.23.dylib'

20:39 <oliver85> ```

20:42 <abathur> not sure I follow, but chsh alone won't change the shell for your current session; you might need to run /bin/sh or start a new one

20:44 <oliver85> yeah I started a new one.

20:44 <oliver85> sorry the above log wasn't complete

20:45 <oliver85> if the buildkite-agent daemon echo SHELL we get bin/sh but if the daemon runs `nix --version` I seee it erorr out with indication using bin/bash. strange..

20:45 <oliver85> file system sandbox blocked open() of '/nix/store/i1cg0wfns9j4lmfzvx5dz6rc436vs6ms-libsodium-1.0.18/lib/libsodium.23.dylib'

20:45 <oliver85> 🚨 Error: The command exited with status 134

20:46 <oliver85> in/bash: line 1: 1426 Abort trap: 6 nix --version

20:47 <oliver85> uh ignore the above, not sure why my copy pasting is been weird

20:47 <abathur> I wonder if that's buildkite

20:47 <oliver85> see below =============

20:47 <oliver85> $ trap 'kill -- $$' INT TERM QUIT; nix --version

20:47 <oliver85> dyld: Library not loaded: /nix/store/i1cg0wfns9j4lmfzvx5dz6rc436vs6ms-libsodium-1.0.18/lib/libsodium.23.dylib

20:47 <oliver85> Referenced from: /Users/buildkite-agent/.nix-profile/bin/nix

20:47 <oliver85> Reason: no suitable image found. Did find:

20:47 <oliver85> file system sandbox blocked open() of '/nix/store/i1cg0wfns9j4lmfzvx5dz6rc436vs6ms-libsodium-1.0.18/lib/libsodium.23.dylib'

20:47 <oliver85> /nix/store/i1cg0wfns9j4lmfzvx5dz6rc436vs6ms-libsodium-1.0.18/lib/libsodium.23.dylib: stat() failed with errno=1

20:47 <oliver85> file system sandbox blocked open() of '/nix/store/i1cg0wfns9j4lmfzvx5dz6rc436vs6ms-libsodium-1.0.18/lib/libsodium.23.dylib'

20:47 <oliver85> 🚨 Error: The command exited with status 134

20:48 <abathur> I do see that trap you're pasting in buildkite https://github.com/buildkite/agent/blob/c089744be97b61aa986795b4933eb7eb85eee288/bootstrap/bootstrap.go#L1665

20:48 <oliver85> the paste keeps ignoring this line `/bin/bash: line 1: 1426 Abort trap: 6 nix --version` <---- that should appear above the line of red siren

20:50 <abathur> so I think that's probably a red herring here

20:51 <abathur> but still probably worth making it use /bin/sh at least once, just in case

20:52 <oliver85> hmm not sure whats the best way of forcing it to. probably should change the plist?

20:53 <oliver85> to something like

20:53 <oliver85> <key>ProgramArguments</key>

20:53 <oliver85> <array>

20:53 <oliver85> <string>/bin/sh</string>

20:53 <oliver85> <string>-c</string>

20:53 <oliver85> <string>/usr/local/bin/buildkite-agent</string>

20:53 <oliver85> <string>start</string>

20:53 <oliver85> </array>

20:55 <abathur> I think it's set at some other level

20:55 <abathur> it seems from the code like the variable it is using suggests it has a concept of a "bootstrap shell"

20:56 <oliver85> ah

20:56 <abathur> but it's not immediately obvious if there

20:56 <oliver85> --shell value The shell command used to interpret build commands, e.g /bin/bash -e -c (default: "/bin/bash -e -c") [$BUILDKITE_SHELL]

20:56 <abathur> sis config for that

20:56 <abathur> aha

20:56 <oliver85> let me set that

20:56 <abathur> yeah, that looks right :)

21:00 <oliver85> ayyy the error went away so progress kind of?

21:00 <oliver85> no more dylib

21:00 <oliver85> but now seeing this

21:00 <oliver85> ```

21:00 <oliver85> trap 'kill -- $$' INT TERM QUIT; nix --version

21:00 <oliver85> ```

21:01 <oliver85> ugh let me paste please

21:01 <abathur> heh, can use a gist or paste site, or the issue

21:01 <oliver85> let me paste to the issue

21:02 <abathur> sure; I'm afk a few but I'll go ahead and get it open

21:02 <oliver85> https://github.com/NixOS/nix/issues/4640#issuecomment-800602684

21:07 squidgy has joined #nix-darwin

21:09 <abathur> ah, I guess that's probably a PATH error

21:10 <abathur> is it doing the `. /Users/buildkite-agent/.nix-profile/etc/profile.d/nix.sh` thing?

21:11 <abathur> oh right, you said you set that in the plist

21:18 <oliver85> right....and it was showing up before

21:18 <oliver85> then now is gone

21:18 <oliver85> $ trap 'kill -- $$' INT TERM QUIT; echo $NIX_PATH

21:18 <oliver85> 🚨 Error: The command exited with status 127

21:18 <oliver85> let me post to issue

21:19 <oliver85> one moment

21:23 <oliver85> https://github.com/NixOS/nix/issues/4640#issuecomment-800615740

21:37 <oliver85> something going on with the shell, even running something simple like 'whoami' errors out with whoami: No such file or directory

21:37 <oliver85> also $PATH is not set as well

21:38 <oliver85> I need to step away to get some air, be back later. Thanks for the help so far!

22:05 philr_ has joined #nix-darwin

22:14 <abathur> oliver85: ok--I need to head out for dinner anyways; I'll check back after

22:29 hke_ has joined #nix-darwin

22:31 squidgy_ has joined #nix-darwin

22:35 squidgy has quit [*.net *.split]

22:35 hke has quit [*.net *.split]

23:04 __monty__ has quit [Quit: leaving]