#nixos-borg on 2020-04-12

2018-04-19 20:36 gchristensen changed the topic of #nixos-borg to: https://www.patreon.com/ofborg https://monitoring.nix.ci/dashboard/db/ofborg?refresh=10s&orgId=1&from=now-1h&to=now "I get to skip reviewing the PHP code and just wait until it is rewritten in something sane, like POSIX shell. || https://logs.nix.samueldr.com/nixos-borg

00:17 orivej has quit [Ping timeout: 240 seconds]

00:18 evanjs has quit [Quit: ZNC 1.7.5 - https://znc.in]

00:19 evanjs has joined #nixos-borg

03:32 orivej has joined #nixos-borg

06:47 cole-h has quit [Quit: Goodbye]

10:53 <srk> github--

10:54 <srk> I wonder what to emit to create these statuses from ofborg

11:12 <srk> is it safe to assume tasks can access paths produced by builders?

11:24 <gchristensen> hm?

11:30 <{^_^}> [ofborg] @sorki opened pull request #459 → Cachix → https://git.io/JvjmA

11:30 <srk> ^

11:31 <gchristensen> oh cool

11:31 <srk> it might be completely wrong but it's start

11:31 <gchristensen> nicely done, srk! very cool

11:31 <gchristensen> but no, this won't work :x

11:33 <srk> hence the question if paths are accessible :D kind-of assumed hydra model with distributed builders

11:33 <gchristensen> the built paths are only on the build machines, and this message would arrive at a bunch of machines

11:34 <gchristensen> a single build job is handled by a single build machine -- no distributed building per nix-build job. but there are many builders

11:34 <srk> ok! will take closer look how the builds are distributed

11:36 <gchristensen> probably the thing to do would be have the builder call cachix upload after nix-build completes

11:36 <srk> can you point me to the right file?

11:37 <srk> tasks/build.rs I guess

11:38 <gchristensen> https://github.com/NixOS/ofborg/blob/released/ofborg/src/tasks/build.rs#L349-L358

11:38 <gchristensen> those lines are where the build is actually executing

11:39 <srk> yeah, missed that previously, thanks

11:39 <srk> should be easy to move cachix call there, now the question is should it run async?

11:39 <gchristensen> is the cachix upload slow? :)

11:40 <srk> depends on closure size :)

11:40 <srk> maybe call it after actions.build_finished(status, can_build, cannot_build_attrs); ?

11:40 <srk> so it won't block status report

11:41 <gchristensen> hmm we might want to include in the finished report "and uploaded to cachix"

11:41 <gchristensen> or "and the upload to cachix failed"

11:42 <gchristensen> yeah, I think that kind of status report would be useful

11:43 <srk> yup, that was my very first question ;) - how to report this

11:43 <gchristensen> let's block, and if cachix fails (or the cachix binary doesn't exist) just report the error and otherwise suceed

11:44 <srk> ok!

11:44 <gchristensen> I'd add your stuff right before here https://github.com/NixOS/ofborg/blob/released/ofborg/src/tasks/build.rs#L385

11:44 <gchristensen> and extend buidl_finished to include some info about cachix

11:45 <gchristensen> you'll need to edit some messages, make sure to add them as Optional fields otherwise we can't upgrade the system :)

11:45 <gchristensen> looking good so far!

11:46 <srk> ack, thanks for pointers

11:46 <gchristensen> thanks fo rthe code!

12:48 <tilpner> srk: I don't understand the whole amqp setup, but does this allow untrusted builders to upload anything?

12:50 <srk> tilpner: it has to run on a builder and yes

12:50 <tilpner> Is that a problem?

12:51 <srk> which part?

12:51 <srk> gchristensen: pushed builder PoC

12:51 <tilpner> For r13y, graham considered handing out upload tokens to builders, but that probably doesn't work with cachix

12:52 <tilpner> I have almost no context, so feel free to tell me to go away

12:52 <srk> cachix only has one token, not sure if it's a problem

12:52 <tilpner> But I assume this cachix cache is to be used by maintainers, to benefit from ofborg infrastructure while testing changes

12:52 <gchristensen> ofborg doesn't have any untrusted builders anymore :)

12:52 <tilpner> Oh, then nevermind

12:53 <srk> tilpner: yes but with big red warning :)

12:53 <tilpner> I remembered it having community-contributed machines

12:53 <gchristensen> yeah it used to

12:53 <srk> tilpner: to run only reviewed stuff and only virtualized

12:53 <gchristensen> at the time I didn't want to upload stuff to the cache because I didn't want anyone to be able to accidentally trick ofborg in to uploading their secret stuff

12:54 <tilpner> srk: If you make it convenient for people to compromise their workstation security, they will

12:54 <srk> yeah, good luck preventing people shooting themselves into their feet

12:54 <tilpner> But it's not as scary anymore, if it's only official builders

12:55 <srk> my plane was to make it convenient to run in qemu but not directly

12:55 <srk> *plan

16:49 cole-h has joined #nixos-borg

17:47 <cole-h> gchristensen: Since nix1 has been removed from nixpkgs, should it be removed from ofborg's CI and `shell.nix`?

17:48 <gchristensen> yep

17:52 <cole-h> Now we don't have to worry about how `useNix1 = true` always fails 13 tests on my machine :D

17:52 <gchristensen> nice

17:52 <gchristensen> good

18:07 <{^_^}> [ofborg] @cole-h opened pull request #460 → Nix1 removal → https://git.io/Jvjl0

18:07 <cole-h> ^ also fixes a failing test due to 2.3.4 changing the assertion message

18:07 <gchristensen> nice

18:07 <cole-h> (now shows the actual assertion that failed)

19:44 tilpner_ has joined #nixos-borg

19:46 tilpner has quit [Ping timeout: 240 seconds]

19:46 tilpner_ is now known as tilpner

20:14 tilpner_ has joined #nixos-borg

20:16 tilpner has quit [Ping timeout: 258 seconds]

20:16 tilpner_ is now known as tilpner

21:42 orivej has quit [Ping timeout: 265 seconds]

21:47 orivej has joined #nixos-borg

22:07 tilpner has quit [Remote host closed the connection]

22:08 tilpner has joined #nixos-borg

22:11 tilpner has quit [Remote host closed the connection]

22:11 tilpner_ has joined #nixos-borg

22:13 tilpner_ is now known as tilpner