#nixops on 2020-03-10

2019-08-31 02:51 samueldr changed the topic of #nixops to: NixOps related talk | logs: https://logs.nix.samueldr.com/nixops/

00:21 {^_^} has quit [Remote host closed the connection]

00:22 {^_^} has joined #nixops

06:04 myskran has quit [Ping timeout: 256 seconds]

10:54 psyanticy has joined #nixops

12:54 myskran has joined #nixops

12:58 abathur has joined #nixops

12:59 myskran has quit [Ping timeout: 265 seconds]

16:46 myskran has joined #nixops

16:48 abathur has quit [Ping timeout: 265 seconds]

16:56 dhess has joined #nixops

16:57 <dhess> Anyone around? I'm running into a really strange NixOps issue related to S3 binary caches

16:57 <gchristensen> ohL

16:57 <gchristensen> ?

16:57 <dhess> hi gchristensen :)

16:57 <dhess> got a few min to try to help me figure something out?

16:58 <gchristensen> I can try..!

16:59 <dhess> thank you kind sir

17:00 <dhess> so we have a private S3 Nix binary cache. It works great. Our hydra pushes products to it, and our Macs use it as a substituter

17:01 <dhess> We can also use it as a substituter on our NixOS machines

17:01 <dhess> Until we try to nixops deploy to them from the Macs, that is

17:01 <dhess> as soon as I enable the S3 Nix binary cache on the NixOS machines, the next nixops deploy gets erros like these:

17:01 <dhess> error (ignored): AWS error fetching '4x1ibz5ha6q4vsyggs5chsiqyfmr7m65.narinfo': Access Denied

17:02 <dhess> On the Mac that's trying to deploy, I'm seeing processes like this: nix-copy-closure --to root@foo.example.com /nix/store/i0sprws679zg1qpavfjymc1fgfamqdpi-nixos-system-foo-a-20.09pre-git --use-substitutes

17:03 <dhess> (the hashes don't match there... these are examples from 2 different attempts so don't mind that)

17:03 <dhess> now the AWS creds to read the S3 nix binary cache on the Mac are owned by root because it's the one running nix-daemon. (These are multi-user Nix installs on the Macs BTW)

17:04 <dhess> and my user account that's running the nix-copy-closure process doesn't have any AWS creds

17:04 <dhess> so I guess that makes sense, my user account is trying to read from the S3 binary cache I guess?

17:05 <dhess> but then I add creds to enable that and it still doesn't work

17:05 <dhess> because some of the narinfo files it's trying to read don't exist :(

17:05 <dhess> it's really strange

17:06 <dhess> as I said this *only* happens once I enable the S3 binary cache on the target NixOS host. If it's not enabled on the NixOS target host, everything works fine.

17:06 <dhess> any thoughts?

17:07 <dhess> as a workaround, I'd be happy to just disable whatever it is that NixOps is doing to try to be clever and copy the closure from the S3 binary cache

17:08 myskran has quit [Quit: myskran]

17:09 <gchristensen> hrm

17:09 <dhess> it seems to me that NixOps should probably tell the target host to grab the derivations from the S3 binary cache itself, rather than copying them from the deployment host. Maybe this has to do with hasFastConnection or whatever that setting is?

18:23 abathur has joined #nixops

19:03 abathur has quit [Quit: abathur]

19:15 abathur has joined #nixops

19:46 psyanticy has quit [Quit: Connection closed for inactivity]

23:26 mikky has joined #nixops