#nixops on 2020-03-11

2019-08-31 02:51 samueldr changed the topic of #nixops to: NixOps related talk | logs: https://logs.nix.samueldr.com/nixops/

00:46 lordcirth_ has quit [Remote host closed the connection]

02:32 abathur has quit [Ping timeout: 255 seconds]

05:00 abathur has joined #nixops

05:05 abathur has quit [Ping timeout: 265 seconds]

11:38 <dhess> clever: ever seen anything like what I described above? Do you use any private S3 nix caches at IOHK?

11:39 <clever> dhess: i believe the S3 caches are all public

11:39 <dhess> ok

11:39 <clever> dhess: but in theory, if ~/.aws has the right credentials, and you use an s3:// URI, it may work

11:39 <dhess> It does work when .aws has the right creds, the issue is that then NixOps tries to reference narinfo files that don't exist in the cache

11:40 <dhess> which is really perplexing.

11:40 <dhess> might have something to do with the Hydra and NARs

11:40 <dhess> I don't really understand how that all works.

11:40 <dhess> but what's frustrating is if I just disable the S3 nix cache *on the target* (not on the deployment host) it works fine

11:41 <dhess> so I don't get why enabling the S3 nix cache on the target suddenly means that the deployment host can't find narinfo files in the cache.

12:00 abathur has joined #nixops

12:04 abathur has quit [Ping timeout: 240 seconds]

12:44 <clever> dhess: did you garbage collect the s3 bucket?

12:45 <dhess> clever: no, not even once.

12:47 <clever> dhess: try deleting ~/.cache/nix/binary-cache* anyways and see if it helps

12:49 <dhess> clever: our hydra config looks like this (the hostname has been changed but that's it):

12:49 <dhess> https://gist.github.com/dhess/ebc56eeb83d0f9b41cdb3b794fdba18b

12:49 <dhess> clever: delete that in my home dir on the deployment host, you mean?

12:50 <clever> try nuking it on both your user, and root, on both machines

12:50 <clever> nix will re-create it any time its missing

12:50 <dhess> oh ok

12:51 <clever> dhess: looks like it should be fine

13:00 <dhess> clever: ok here is something that just occurred to me. I run this NixOps command on my deployment host. It's a Mac, so it builds the product on one of our remote NixOS builders, then copies it from there back to its own Nix store

13:00 <dhess> now of course the product isn't in the binary cache because neither the builder nor the Mac write products to the cache

13:00 <dhess> only the Hydra does

13:00 <dhess> so why is NixOps assuming it's there?

13:00 <clever> anything nix needs to build, will obviously fail to be found in the s3 bucket

13:00 <clever> what error is it giving exactly?

13:01 <dhess> error (ignored): AWS error fetching 'sg4m8f3qj1pgp4wigxw2grwbpzwzxgmw.narinfo': Access Denied

13:01 <dhess>

13:01 <dhess> in this particular case, about 4 of those errors, then it gives up

13:01 <dhess> and from my Mac:

13:01 <clever> that implies you dont have the right credentials in ~/.aws, on one of the machines

13:01 <dhess> aws s3 ls s3://hackworth-nix-cache/sg4m8f3qj1pgp4wigxw2grwbpzwzxgmw.narinfo

13:01 <dhess>

13:01 <dhess> echo $?

13:01 <dhess> 1

13:01 <dhess>

13:01 <dhess> it's not there

13:02 <clever> which machine actually gave the error? from which user?

13:02 <dhess> both of these are from the Mac

13:02 <clever> is the mac single or multi-user?

13:02 <dhess> I can see the nix-copy-closure command running:

13:02 <dhess> nix-copy-closure --to root@harry-b.example.com /nix/store/wb2j6w560kgwzc6slj321al7r93iq7gb-nixos-system-harry-b-20.09pre-git --use-substitutes

13:02 <dhess> that happens when I run the deploy

13:03 <dhess> both machines can read the S3 nix cache because when I build a derivation on them, nix says it's downloading products from the cache

13:03 <dhess> The Mac is multi-user

13:03 <dhess> the daemon has the creds

13:04 <clever> dhess: nix might attempt to query the cache from a non-root user, double-check that user also has keys

13:04 <dhess> all works fine during a nix-build and a nixops deploy, up to the part where it tries to copy the closures to the target host

13:04 <dhess> clever: right, that nix-copy-closure is running as my user

13:04 <dhess> I have the creds

13:04 <dhess> let me double check that

13:05 <dhess> $ aws s3 ls s3://hackworth-nix-cache/05sss8cvbyzdd8i85wvd2q9fvwhsf9z5.narinfo

13:05 <dhess> 2019-10-14 17:36:42 4042 05sss8cvbyzdd8i85wvd2q9fvwhsf9z5.narinfo

13:05 <dhess> yep, ran that as the same user that's doing the deploy

13:05 <dhess> worked fine

13:05 <dhess> so: those products aren't in the S3 nix cache

13:05 <dhess> but NixOps is assuming they are

13:07 <dhess> just to prove it, running as root on the same Mac:

13:07 <dhess> $ sudo -i aws s3 ls s3://hackworth-nix-cache/05sss8cvbyzdd8i85wvd2q9fvwhsf9z5.narinfo

13:07 <dhess> 2019-10-14 17:36:42 4042 05sss8cvbyzdd8i85wvd2q9fvwhsf9z5.narinfo

13:07 <dhess> it also has the creds

13:07 <clever> brb

13:09 <dhess> seems to me here the issue is as I summarized above: the builders (Mac & its remote NixOS build host) don't write to the S3 nix cache, only the Hydra does. But whenever I enable the S3 nix cache on a remote NixOS machine, NixOps for some reason starts looking in the S3 nix cache for narinfo files upon deployment, but they're not there.

13:10 <dhess> and in this case the *only* thing that has changed is that I've enabled the S3 nix cache on the target NixOS machine

13:10 <dhess> (the target NixOS machine is not the same as the remote NixOS build machine, though in the past I had the same issue when I tried to enable the S3 nix cache on the remote NixOS build machine.)

14:03 abathur has joined #nixops

14:10 abathur has quit [Ping timeout: 240 seconds]

19:04 aanderse has joined #nixops

20:12 Cadey has joined #nixops

20:13 <Cadey> how do i have nixops machines refer to other machines in the network?

20:18 <gchristensen> look for nodes.gollum.config on https://nixos.org/nixops/manual

20:18 <gchristensen> hbac kin 1h

22:41 kalbasit has joined #nixops

22:41 sevanspowell has joined #nixops

22:56 dmj` has quit [Remote host closed the connection]

22:59 dmj` has joined #nixops

23:01 davidtwco has joined #nixops