<shlevy>
Ugh. nix-daemon is not linked to libnixexpr, naturally, so it fails when loading a plugin that needs libnixexpr symbols :'(
mbrgm has quit [Ping timeout: 256 seconds]
<Sonarpulse>
shlevy: hey but I'm glad we layer nix expression language on top of drv stuff :P
<shlevy>
:P
<shlevy>
The problem is there's no good way to set your Nix config to only load the plugins for eval-using things :|
mbrgm has joined #nixos-dev
<shlevy>
Bah. I'll just link the plugins to the libs
<Sonarpulse>
shlevy: eval plugins
<Sonarpulse>
for import for derivation?
<Sonarpulse>
or rather why does the daemon care?
<shlevy>
Sonarpulse: The daemon doesn't
<shlevy>
<shlevy> The problem is there's no good way to set your Nix config to only
<shlevy>
load the plugins for eval-using things :|
<shlevy>
The problem is the plugins expect libnixexpr symbols
<Sonarpulse>
shlevy: ohh i see
<shlevy>
So I'm just going to link them
<shlevy>
realistically we're only ever going to build the plugins against the same version of nix we're using
<Sonarpulse>
in principle libnixexpr and daemon are completely separate
<shlevy>
Yep
<Sonarpulse>
or rather the expr and non expr parts
<Sonarpulse>
the daemon knows nothing about exprs
<shlevy>
I know :)
<Sonarpulse>
only the untrusted user stuff knows about eval
<Sonarpulse>
well then I say it not for you but for posterity :)
<shlevy>
It's not just nix-daemon, it's also nix-store, which has untrusted user stuff
<shlevy>
otherwise I could just put it in the user-level config
<Sonarpulse>
shlevy: where/how does nix-daemon call nix-store?
<shlevy>
?
<shlevy>
No
<shlevy>
It doesn't call nix-store
<Sonarpulse>
ok whew
<shlevy>
I'm saying theoretically we could just put the plugin config in the user-level nix.conf
<shlevy>
But if the user calls nix-store, they'll hit the same problem
<Sonarpulse>
nix-store without the daemon?
<shlevy>
Doesn't matter :)
<Sonarpulse>
oh just the surface level linking problem
<Sonarpulse>
gotcha
<shlevy>
Yeah
<Sonarpulse>
I remember your per-project nix config
<Sonarpulse>
expr layer and store layer config
<Sonarpulse>
and per user config
<shlevy>
Yeah :)
<Sonarpulse>
might go over better
<Sonarpulse>
?
<shlevy>
We already do have per-user at least
<Sonarpulse>
oh really?
* Sonarpulse
knows probably like 10% of what nix 2.0 offer
<Sonarpulse>
*offers
<shlevy>
XDG_CONFIG_HOME/nix/nix.conf is spliced in to NIX_CONF_DIR/nix.conf
<Sonarpulse>
ooo nice
<Sonarpulse>
does nix-store need to read the per-user one?
<Sonarpulse>
to collapse my two axes?
<shlevy>
Yeah, it can contain settings like verbosity
<shlevy>
And if you e.g. have some company binary cache in your trusted-substituters one user might want it unconditionally in substituters
<Sonarpulse>
shlevy: hmm ok
<Sonarpulse>
then maybe just like eval subsection
<Sonarpulse>
that probably is just needed in user one
jtojnar has quit [Quit: jtojnar]
jtojnar has joined #nixos-dev
<Sonarpulse>
shlevy: I dunno if you saw my post in bgamari's hashing PR for nix
<Sonarpulse>
but the question there is legitimate
<Sonarpulse>
let me go retrieve
kmicklas has quit [Ping timeout: 260 seconds]
<zybell_>
shlevy: how about a fork()ing plugin? The daemon loads a proxy.so; proxy.so fork()s a child after setup RPCs; child loads libnix, plugin.so ... whatever.
pie_ has quit [Ping timeout: 264 seconds]
zybell_ has quit [Ping timeout: 255 seconds]
zybell_ has joined #nixos-dev
jtojnar has quit [Quit: jtojnar]
jtojnar has joined #nixos-dev
zybell_ has quit [Ping timeout: 264 seconds]
zybell_ has joined #nixos-dev
orivej has joined #nixos-dev
MichaelRaskin has quit [Quit: MichaelRaskin]
__Sander__ has joined #nixos-dev
fadenb has quit [Ping timeout: 256 seconds]
fadenb has joined #nixos-dev
__Sander__ has quit [Ping timeout: 260 seconds]
goibhniu has joined #nixos-dev
zybell_ has quit [Read error: Connection reset by peer]
<xCuri0>
How can I port NixOS to a new architecture (arm64ilp32) ?
<Dezgeg>
is there a way of getting .drv file from hydra?
pie_ has joined #nixos-dev
kgz is now known as kragniz
<Mic92>
xCuri0: you probably need to start with the bootstrap toolchain
<aminechikhaoui>
Dezgeg: probably impossible without ssh access
kragniz is now known as kgz
propumpkin is now known as contrapumpkin
<__Sander__>
hurraay
* __Sander__
finally got nix working on cygwin again
zybell_ has joined #nixos-dev
viric has joined #nixos-dev
<xCuri0>
Mic92, is there a wiki page on this ?
<Mic92>
xCuri0: I don't think so. maybe you could ask people, who did this in the past or read the code in pkgs/stdenv/linux/bootstrap-tools
<xCuri0>
how do i bootstrap then ?
<xCuri0>
has anyone else done ilp32 port ?
<Dezgeg>
I don't think so
<Dezgeg>
aarch64 and risc-v are the latest ones in the last few years
<Mic92>
Maybe starting with cross-compiling is easier these days rather than a full bootstrap?
<Dezgeg>
it was always the best way really
<shlevy>
Yeah, cross-compiling is the best way if it's possible
<shlevy>
we have a make-bootstrap-cross or whatever it's called
olto has quit [Remote host closed the connection]
<xCuri0>
any wiki article or something about how to do it ?
kmicklas has joined #nixos-dev
<xCuri0>
hi
alp has left #nixos-dev ["Leaving"]
alp has joined #nixos-dev
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-dev
{^_^} has quit [Changing host]
{^_^} has joined #nixos-dev
ma27 has quit [Ping timeout: 246 seconds]
<xCuri0>
Mic92, regarding trying to sandbox stuff using apparmor I added user-environment folders to the list of allowed folders but it still gives the library error
<xCuri0>
i also successfully sandboxed bastet (which is a very simple game)
<page>
__Sander__: what was failing?
<__Sander__>
page: many things
<__Sander__>
nix 2.0 does not compile
<__Sander__>
I cherry picked a patch from the master branch to make it work
<__Sander__>
also, you need permissions to create NTFS symlinks
<__Sander__>
in windows 10, they can be created by enabling "developer mode"
<__Sander__>
nixpkgs master and 18.03 are still broken
<viric>
__Sander__: hm I think I used nix 2.0 in cygwin, having solved the threadlocal thing
<page>
good to know, thanks
<viric>
I don't remember permission things
<__Sander__>
because the stdenv-native environment does not propagate the mandatory bintools parameter
<__Sander__>
17.09 works
<__Sander__>
oh yeah
<__Sander__>
and this "rebase script"
<__Sander__>
it starts with an offset of 0x20000000
<__Sander__>
but
<__Sander__>
that is not allowed
<__Sander__>
it should be bigger than 0x2000000
<viric>
you mean cygwin64, isn't it?
<__Sander__>
so I changed it to 0x2000001
<__Sander__>
viric: yes cygwin64
<viric>
I thought it worked for me. Maybe I did not test it enough.
<__Sander__>
I'm still investigating how to fix stdenv-native
<viric>
I still use the latest 1.11
<__Sander__>
but there are a bunch of assertion rules and stuff
<__Sander__>
actually I manually obtained the diff
<__Sander__>
and applied that to the unpacked nix-2.0 source tarball
<__Sander__>
viric: another thing you should keep in mind is to install the libsodium-dev package
<__Sander__>
it is not a mandatory dependency of nix, but without it it is pretty useless
<gchristensen>
it should probably be a mandatory dependency
ma27 has joined #nixos-dev
<__Sander__>
gchristensen: yes
<viric>
__Sander__: it libsodium is only for the hydra cache.
<viric>
__Sander__: libsodium is only for the hydra cache, to check signatures. "Only" maybe a lot though. We don't use the hydra cache for our nix uses in cygwin64 though.
<viric>
__Sander__: I'm happy to hear that you are working on it :) I have no idea about the ntfs thing you said.
<__Sander__>
viric: yes also good to hear that others are taking interest
<__Sander__>
anyway
<__Sander__>
for me personally, I don't care that much about cygwin/windows support
<__Sander__>
but it would still be great if we can universally use Nix for common OSes
<__Sander__>
it's great for build support
<__Sander__>
and for disnix as well
<__Sander__>
that you can show, hey: pick the best OS for running a service
<__Sander__>
for example, put some security-constrained stuff on an OpenBSD server, other stuff on Linux
<__Sander__>
pick windows if you have to hehe
__Sander__ has quit [Ping timeout: 260 seconds]
<Sonarpulse>
Dezgeg: are you there?
<Sonarpulse>
I should just tell you how all the *System and *Platform works
goibhniu has quit [Ping timeout: 256 seconds]
Synthetica has quit [Quit: Connection closed for inactivity]
<coconnor>
question - I have a change that fixes a bug. Should I create an issue for that bug and pull against that? Or just pull without the issue first?
<samueldr>
AFAIK no need to open an issue before making a PR
<coconnor>
I haven't yet, but I know some projects like having bug fixes 1:1 with issues
<samueldr>
nothing specifies the issue number has to be lower than the PR number :^)
<coconnor>
I'll just open a PR only
<Sonarpulse>
gchristensen: have the link to your installer again?
<Sonarpulse>
/ is there a PR?
<gchristensen>
There is a PR and it is merged but not released
<gchristensen>
You can build ./release.nix -A binaryTarball.x86_64-linux and extract the tarball and ./install
MichaelRaskin has joined #nixos-dev
jtojnar_ has joined #nixos-dev
jtojnar has quit [Ping timeout: 265 seconds]
jtojnar_ is now known as jtojnar
<Sonarpulse>
gchristensen: oh great
<Sonarpulse>
has this changed significantly from the RC1 btw
<Sonarpulse>
I'm mid install again
<gchristensen>
No don't think so
<Sonarpulse>
cool
orivej has quit [Ping timeout: 268 seconds]
Sonarpulse has quit [Ping timeout: 260 seconds]
olto has joined #nixos-dev
orivej has joined #nixos-dev
Sonarpulse has joined #nixos-dev
<gchristensen>
despite all the cases I tested, including a few selinux distros, the new installer fails at the final steps on fedora27 :(
<Dezgeg>
what's different there?
<gchristensen>
I'm guessing a tighter policy, but I don't know. I've never debugged selinux, so am cutting my teeth on it now
<gchristensen>
10 minutes in and all joy has been sucked from my life
<MichaelRaskin>
Ah, SELinux
<simpson>
setenforce to victory?
<simpson>
Do you *want* SELinux?
<MichaelRaskin>
I would guess he wants SELinux support for people who are forced by administrative policy to use SELinux
<gchristensen>
yeah, this isn't about me
<simpson>
Oh, I see.
<gchristensen>
first advice from #fedora: maybe just disable it? ... bad look :P
<simpson>
This is a non-trivial part of why I stopped running Fedora. It's tough. :c
<MichaelRaskin>
SBCL.org SBCL binaries don't even start on RHEL
<Dezgeg>
what's the error?
<gchristensen>
sudo systemctl link /nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.service -> "Failed to link unit: Access denied" and that is all I have
<Dezgeg>
selinux denials go in dmesg
<MichaelRaskin>
I don't remember. Just asked to allow EPEL.
<gchristensen>
Dezgeg: ix.io/17CY
xeji has joined #nixos-dev
<MichaelRaskin>
gchristensen: is this inode number one of the entries in the path to nix-daemon.service ?
<gchristensen>
I actually don't know
<gchristensen>
I'll use `find` to find out
<gchristensen>
ah, that inode is /nix/var/nix/profiles/default
<MichaelRaskin>
Argh. This is a thing with constantly changing inode
<Dezgeg>
that means systemd isn't allowed to read SELinux-unlabeled files
<gchristensen>
... my bare-bones install has a semodule loaded for mediawiki ...
<gchristensen>
Dezgeg: this sounds like a rabbit hole I'm not going to be able to solve
<Dezgeg>
so I presume you need to actually install them to /usr
<ekleog>
hmm, is a command run in a $machine->succeed("foo") run in a different environment from the one of the same command run in the tty of the machine after a ./result/bin/nixos-test-driver and a local root login?
<gchristensen>
installing to /usr seems like a non-option
<MichaelRaskin>
Can you wrap the entire thing in a script that will also set SELinux labels?
<ekleog>
oh nvm just had to somehow wait ~1min for something to happen
<gchristensen>
might should revert the multi-user for linux installer
<gchristensen>
or, a different option, a --single-user flag to skip being punted to the multi-user option
jtojnar_ has joined #nixos-dev
jtojnar has quit [Ping timeout: 264 seconds]
Sonarpulse has quit [Ping timeout: 256 seconds]
jtojnar_ is now known as jtojnar
Sonarpulse has joined #nixos-dev
jtojnar_ has joined #nixos-dev
jtojnar has quit [Ping timeout: 264 seconds]
jtojnar_ is now known as jtojnar
olto has quit [Quit: hasta luego]
<zybell_>
gchristensen: SELinux has a warning mode where it logs all errors, but doesn't give EACCES. I believe there existed a script to convert the warnings into settings.
<gchristensen>
audit2allow?
<zybell_>
could be, did never run fedora myself, was talked about in LUG
<gchristensen>
cool
<gchristensen>
I looked at that, it seemed to be a slightly safer feeling setenforce 0, with how generic its suggestions were :?
ma27 has quit [Ping timeout: 265 seconds]
<zybell_>
the idea is of course to look at the allow script, to see if it doesn't allow too much.
<zybell_>
before running it
<zybell_>
and edit,edit,edith;-)
taktoa has joined #nixos-dev
jtojnar_ has joined #nixos-dev
jtojnar has quit [Read error: Connection reset by peer]