worldofpeace_ changed the topic of #nixos-dev to: #nixos-dev NixOS Development (#nixos for questions) | NixOS stable: 20.03 ✨ https://discourse.nixos.org/t/nixos-20-03-release/6785 | https://hydra.nixos.org/jobset/nixos/trunk-combined https://channels.nix.gsc.io/graph.html | https://r13y.com | 19.09 RMs: disasm, sphalerite; 20.03: worldofpeace, disasm | https://logs.nix.samueldr.com/nixos-dev
alp has quit [Ping timeout: 272 seconds]
alp has joined #nixos-dev
alp has quit [Ping timeout: 272 seconds]
orivej has joined #nixos-dev
Emantor has quit [Quit: ZNC - http://znc.in]
Emantor has joined #nixos-dev
orivej has quit [Ping timeout: 256 seconds]
orivej has joined #nixos-dev
johnny101m2 has quit [Quit: -a- Connection Timed Out]
johnny101m has joined #nixos-dev
_ris has quit [Ping timeout: 246 seconds]
rajivr has joined #nixos-dev
mdlayher has quit [Read error: Connection reset by peer]
mdlayher has joined #nixos-dev
drakonis has quit [Quit: WeeChat 2.8]
<cole-h> Notice: ofborg evaluators and x86_64-linux builders are down. Buildkite seems to be having trouble, so I can't try to redeploy, either. Sorry for the inconvenience.
cole-h has quit [Quit: Goodbye]
bachp has quit [Ping timeout: 256 seconds]
Ox4A6F1 has joined #nixos-dev
Ox4A6F has quit [Ping timeout: 256 seconds]
bachp has joined #nixos-dev
alp has joined #nixos-dev
alp has quit [Ping timeout: 272 seconds]
justan0theruser has quit [Ping timeout: 246 seconds]
justan0theruser has joined #nixos-dev
ixxie has joined #nixos-dev
alp has joined #nixos-dev
alp has quit [Ping timeout: 272 seconds]
bennofs has joined #nixos-dev
<eyJhb> Is this channel also regarding how to do package updates etc.?
bennofs_ has quit [Ping timeout: 258 seconds]
orivej has quit [Ping timeout: 260 seconds]
orivej has joined #nixos-dev
<ixxie> eyJhb: I think you can ask here as well as in #nixos
<eyJhb> Perfect :D
<eyJhb> Anyone up for a PR? :p
<ixxie> eyJhb: I think if you make it, someone will find it :D
<ixxie> eyJhb: there are actually a lot of automatic reviewer assignment stuff in nixpkgs
evils has quit [Quit: Lost terminal]
<eyJhb> ixxie: I usually end up pinging worldofpeace of my stuff, when it doesn't get merged within a few days :p The problem with DisplayLink stuff is, that we are few that use it
<eyJhb> So not many will pick up the PRs
evils has joined #nixos-dev
<ixxie> right
<ixxie> good luck :D
xwvvvvwx- has joined #nixos-dev
xwvvvvwx has quit [Ping timeout: 246 seconds]
xwvvvvwx- is now known as xwvvvvwx
__monty__ has joined #nixos-dev
FRidh has joined #nixos-dev
ixxie has quit [Quit: Lost terminal]
alp has joined #nixos-dev
alp has quit [Ping timeout: 272 seconds]
_ris has joined #nixos-dev
<eyJhb> If I have a module which provides an option "home", is it then OK for me to do something like if home == "" then home = "something" ?
<clever> eyJhb: just provide a default value
<eyJhb> I realised my error as well, would have never worked
FRidh has quit [Quit: Konversation terminated!]
alp has joined #nixos-dev
<eyJhb> Anyone that can tell me why this syntax is incorrect? https://termbin.com/uod9
<eyJhb> `value is a set while a list was expected, at /etc/nixos/modules/nsjail.nix:179:28`
<eyJhb> Basically this - https://termbin.com/4dpm
<eyJhb> Ah, not using ++ helps :)
alp has quit [Ping timeout: 272 seconds]
orivej has quit [Ping timeout: 265 seconds]
alp has joined #nixos-dev
xwvvvvwx has quit [Remote host closed the connection]
xwvvvvwx- has joined #nixos-dev
xwvvvvwx- is now known as xwvvvvwx
justan0theruser has quit [Ping timeout: 256 seconds]
alp has quit [Ping timeout: 272 seconds]
cole-h has joined #nixos-dev
justan0theruser has joined #nixos-dev
johnny101m has quit [Read error: Connection reset by peer]
peelz has quit [Remote host closed the connection]
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 256 seconds]
orivej_ has joined #nixos-dev
justan0theruser has quit [Ping timeout: 246 seconds]
johnny101m has joined #nixos-dev
justan0theruser has joined #nixos-dev
drakonis has joined #nixos-dev
<arianvp> If I bind-mount the nix-daemon socket into a container, and I'm root in that container, does that make me a trusted user according to the nix-daemon socket?
<arianvp> so not root on the host
<arianvp> because if that's the case my idea of mounting the nix-daemon socket into CI jobs is not as safe as I thought :D it's actually a privilege escalation exploit? =)
<LnL> interesting question, I would expect not unless root inside the container is mapped to root outside
<LnL> well or maybe not
<LnL> :/
drakonis has quit [Quit: WeeChat 2.8]
<clever> arianvp: i think the outer nix-daemon will see whatever uid the namespace maps 0 to, which may not be root on the host
<LnL> I hope it's not the client that checks the user
fpletz has quit [Quit: ^D]
<clever> LnL: unix sockets have a special feature, where either part can ask the kernel about the uid of the remote party
<clever> either party*
<LnL> ah was hoping something like that
<LnL> but that means it doesn't work in conjunction with namespaces?
<clever> i think the uid namespacing will then map the uid over to what the host uid is
<clever> so it behaves the same as when that program tries to access the FS
<LnL> based on what I see not
orivej_ has quit [Ping timeout: 246 seconds]
<clever> LnL: hmmm, yeah, that could maybe be a bug in linux?
<clever> LnL: is that on linux or darwin?
<LnL> no containers on darwin
<clever> docker on darwin cheats, by running a linux VM
<clever> and that complicates how it's sharing such things with the host
<LnL> and I'm just running the default kernel from stable so should be easy to reproduce
lopsided98 has quit [Quit: Disconnected]
lopsided98 has joined #nixos-dev
alp has joined #nixos-dev
rajivr has quit [Quit: Connection closed for inactivity]
<cole-h> Notice: ofborg evaluators and x86_64-linux builders are back online. The evaluation queue is huge (~75), so it will take a bit to catch up.
<arianvp> clever: I think you're right. I was scared there for a bit
<arianvp> LnL: note in your log that root isn't "trusted"
<arianvp> hmm at least when running an unprivileged container using podman, nix-daemon doesn't see root connecting to it, but guest
<arianvp> Jul 11 22:50:15 t490s nix-daemon[4335]: accepted connection from pid 15414, user guest
<arianvp> so that's ... good I guess
<clever> arianvp: what uid is guest on the host? what uid was doing the connection within the guest?
<arianvp> 1003 on host, the connection was made from uid 0
<clever> yeah, sounds like it's definitely being mapped over
<arianvp> in docker instead of podman I get:
<arianvp> # /nix/store/csrmkvlyfikij2h0kdqsgbkmqlsjspwg-nix-2.3.6/bin/nix build --option sandbox-paths /etc/passwd
<arianvp> error: setting up a private mount namespace: Operation not permitted
<arianvp> instead of warning: ignoring the user-specified setting 'sandbox-paths', because it is a restricted setting and you are not a trusted user
<arianvp> which sounds a bit more worrying
<arianvp> ah it gets that error always; no matter what flags I pass to it; interesting
<clever> oh, also
<clever> if you run nix as root, and/or it has write access to some dir (not sure on the exact rule), it will try to just set up the sandbox itself
<clever> and not talk to the daemon
<clever> `--store daemon` or `export NIX_REMOTE=daemon` will force the use of the daemon
<LnL> yeah, that's what I did in the gist I posted
<LnL> even tho it's readonly it was still trying to use the store directly
<arianvp> hmm
<arianvp> okay let's move this discussion
_scott has joined #nixos-dev
__monty__ has quit [Quit: leaving]
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
<{^_^}> resolved: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts