chakerbenhamed has quit [(Ping timeout: 260 seconds)]
newhoggy has quit [(Remote host closed the connection)]
<jophish>
how does nix override uname when performing an i686 build on x86_64?
<jophish>
I've noticed that uname -m returns i686
<jophish>
sadly the same is not true for armv7 builds on aarch64
<Dezgeg>
yep, there is a kernel option (personality()) for doing that on i686/x86_64 but no equivalent for arm/aarch64 and that majorly sucks
<jophish>
Dezgeg: It's turning out to be quite an impediment to building armv7 things on aarch64
<Dezgeg>
yes, I can believe
<Dezgeg>
need to write a fake uname shell script one day that returns hardcoded values and put that into stdenv
<jophish>
I might have to do that now, I can imagine that it might not be quite as easy as that
<NixOS_GitHub>
[nixpkgs] Hodapp87 opened pull request #25103: cloud-print-connector: init at unstable-2017-01-19 (master...google_cloud_print) https://git.io/v9UK8
<hodapp>
\o/
<hodapp>
however many months it took me to write that PR
johnramsden has joined #nixos
newhoggy has joined #nixos
<johnramsden>
I'm getting a message 'error while loading shared libraries: libgio-2.0.so.0: cannot open shared object file: No such file or directory' But I can't find that library in nix packages. Does anyone know what this is and what it might be called in nix?
acarrico has quit [(Ping timeout: 260 seconds)]
<jophish>
johnramsden: it's in glib
mounty has quit [(Quit: Konversation terminated!)]
aminechikhaoui has quit [(Ping timeout: 240 seconds)]
<johnramsden>
jophish, k, thanks
nicknovitski has joined #nixos
<johnramsden>
Now I can't find libpangocairo. How do you track them down?
<pie_>
ughhh bash: cd: Tiled-0.18.2-x86_64.AppImage: Not a directory
<pie_>
this sounds familiar
* pie_
facepalms and checks if there's a package
<pie_>
of course there is :P
vaibhavsagar has joined #nixos
<johnramsden>
I've added xorg.libxkbfile as a dependency but still get ' message: 'libxkbfile.so.1: cannot open shared object file: No such file or directory' any clue why?
eacameron has quit [(Remote host closed the connection)]
eacamero_ has joined #nixos
eacamero_ has quit [(Ping timeout: 255 seconds)]
eacameron has joined #nixos
eacamero_ has joined #nixos
<hodapp>
hmm, does listing a parameter as "foo ? null" in a derivation in nixpkgs still leave it passed in by default?
mounty has quit [(Quit: Konversation terminated!)]
eacameron has quit [(Ping timeout: 255 seconds)]
eacameron has joined #nixos
mbrgm has quit [(Ping timeout: 260 seconds)]
eacamero_ has quit [(Ping timeout: 258 seconds)]
derjohn_mob has quit [(Ping timeout: 258 seconds)]
mbrgm has joined #nixos
mkoenig has quit [(Read error: Connection reset by peer)]
eacamero_ has joined #nixos
eacameron has quit [(Ping timeout: 260 seconds)]
Supersonic112 has quit [(Disconnected by services)]
aneeshusa has quit [(Ping timeout: 268 seconds)]
Supersonic112_ has joined #nixos
carlosda1 has joined #nixos
Supersonic112_ is now known as Supersonic112
mkoenig has joined #nixos
eacamero_ has quit [(Ping timeout: 240 seconds)]
eacameron has joined #nixos
carlosda1 has quit [(Ping timeout: 260 seconds)]
eacameron has quit [(Ping timeout: 240 seconds)]
bennofs1 has joined #nixos
derjohn_mob has joined #nixos
eacameron has joined #nixos
takle has quit [(Read error: Connection reset by peer)]
takle has joined #nixos
bennofs1 has quit [(Ping timeout: 240 seconds)]
bennofs has quit [(Ping timeout: 252 seconds)]
eacameron has quit [(Ping timeout: 260 seconds)]
eacameron has joined #nixos
batdog has quit [(Read error: Connection reset by peer)]
batdog has joined #nixos
newhoggy has joined #nixos
eacameron has quit [(Ping timeout: 258 seconds)]
statusbot has quit [(Remote host closed the connection)]
newhoggy has quit [(Remote host closed the connection)]
statusbot has joined #nixos
mkoenig has quit [(Ping timeout: 260 seconds)]
seagreen has joined #nixos
carlosda1 has joined #nixos
carlosda1 has quit [(Ping timeout: 260 seconds)]
batdog has quit [(Read error: Connection reset by peer)]
iyzsong has joined #nixos
sellout- has joined #nixos
batdog has joined #nixos
mounty has joined #nixos
hexagoxel has quit [(Ping timeout: 260 seconds)]
newhoggy has joined #nixos
hexagoxel has joined #nixos
eacameron has joined #nixos
eacamero_ has joined #nixos
eacameron has quit [(Ping timeout: 252 seconds)]
newhoggy has quit [(Remote host closed the connection)]
<johnramsden>
I've added xorg.libxkbfile as a dependency to a package but still get ' message: 'libxkbfile.so.1: cannot open shared object file: No such file or directory' anyone had this before?
eacamero_ has quit [(Ping timeout: 260 seconds)]
ertes has joined #nixos
dbmikus has joined #nixos
schoppenhauer has quit [(Ping timeout: 240 seconds)]
schoppenhauer has joined #nixos
pie_ has quit [(Ping timeout: 240 seconds)]
carlosda1 has joined #nixos
takle has quit [(Remote host closed the connection)]
mkoenig has joined #nixos
carlosda1 has quit [(Ping timeout: 258 seconds)]
dbmikus has quit [(Ping timeout: 260 seconds)]
newhoggy has joined #nixos
newhoggy has quit [(Remote host closed the connection)]
systemfault has joined #nixos
joncfoo has quit [(Ping timeout: 240 seconds)]
davidak has quit [(Quit: Leaving.)]
newhoggy has joined #nixos
newhoggy has quit [(Remote host closed the connection)]
Wizek_ has quit [(Ping timeout: 255 seconds)]
ericsagnes has quit [(Ping timeout: 245 seconds)]
eacameron has joined #nixos
iyzsong has quit [(Ping timeout: 240 seconds)]
newhoggy has joined #nixos
mounty has quit [(Quit: Konversation terminated!)]
newhoggy has quit [(Ping timeout: 260 seconds)]
newhoggy has joined #nixos
sophiag has joined #nixos
<sophiag>
does anyone here use petite chez scheme with emacs? i've installed both emacs and chez with nix and just want to use petite with xscheme so no emacs package is required, but scheme files still launch saying "Scheme/Guile" and run-scheme returns "cannot find chez." is it possible i need to launch emacs from inside a nix-shell? that would be very cumbersome...
ericsagnes has joined #nixos
<dmj`>
peti: pong
<dmj`>
peti: ping**
systemfault has quit [(Quit: Bye!)]
<dmj`>
peti: the HaLVM derivation works fine on my NixOS machine with useSandbox = true; I’m not sure what Hydra is doing that could possibly be any different. I’ve disabled parallel builds as well, which is what I thought previously was causing the problem
<hodapp>
people use HaLVM?
iyzsong has joined #nixos
<dmj`>
hodapp: I do
<dmj`>
:)))
<hodapp>
I've yet to but it looks like some good work
takle has joined #nixos
<dmj`>
hodapp: well you could use it just fine before it was marked as broken recently :)
* dmj`
looks at peti
dbmikus has joined #nixos
<dmj`>
hodapp: I’d show you slides of how to use it with nix
<dmj`>
but nix-build ‘<nixpkgs>’ -A haskell.compiler.integer-simple.ghcHaLVM240 is marked as teh broke
<dmj`>
it’s *very* nice with NixOS due to xen
<dmj`>
and (** bonus **), libvirtd
takle has quit [(Ping timeout: 258 seconds)]
<dmj`>
so like, if you restart NixOS, the unikernels will be restored onto Xen, if libvirtd is running
<dmj`>
the unikernels live in the /nix/store
<dmj`>
it’s pretty swag
<dmj`>
hodapp: Also, libvirtd requires XML to describe the unikernel name, path and size. So, we can use nix’s toXML
carlosda1 has joined #nixos
<dmj`>
so, put all of that into a NixOS module, and you have a real pizza
dbmikus has quit [(Ping timeout: 268 seconds)]
carlosda1 has quit [(Ping timeout: 260 seconds)]
mkoenig has quit [(Read error: Connection reset by peer)]
takle has joined #nixos
takle has quit [(Ping timeout: 260 seconds)]
newhoggy has quit [(Remote host closed the connection)]
newhoggy has joined #nixos
mkoenig has joined #nixos
vaibhavsagar has quit [(Ping timeout: 252 seconds)]
joncfoo has joined #nixos
endformationage has quit [(Quit: WeeChat 1.7)]
newhoggy has quit [(Remote host closed the connection)]
takle has joined #nixos
sellout- has quit [(Quit: Leaving.)]
takle has quit [(Ping timeout: 252 seconds)]
dmi3y has joined #nixos
ebzzry has joined #nixos
dmi3y has quit [(Ping timeout: 240 seconds)]
takle has joined #nixos
takle has quit [(Ping timeout: 260 seconds)]
jacob has joined #nixos
jacob is now known as Guest16659
takle has joined #nixos
Guest16659 has quit [(Client Quit)]
takle has quit [(Ping timeout: 258 seconds)]
jacob__ has joined #nixos
k2s has joined #nixos
k2s has quit [(Client Quit)]
carlosda1 has joined #nixos
carlosda1 has quit [(Ping timeout: 240 seconds)]
takle has joined #nixos
takle has quit [(Ping timeout: 240 seconds)]
newhoggy has joined #nixos
marsel has joined #nixos
newhoggy has quit [(Ping timeout: 258 seconds)]
mkoenig has quit [(Ping timeout: 258 seconds)]
filterfish has joined #nixos
griff_ has joined #nixos
filterfish has quit [(Read error: Connection reset by peer)]
newhoggy has joined #nixos
vaibhavsagar has joined #nixos
griff_ has quit [(Ping timeout: 258 seconds)]
takle has joined #nixos
newhoggy has quit [(Ping timeout: 268 seconds)]
takle has quit [(Ping timeout: 258 seconds)]
jacob__ has quit [(Quit: Lost terminal)]
takle has joined #nixos
takle has quit [(Ping timeout: 240 seconds)]
newhoggy has joined #nixos
simukis__ has joined #nixos
newhoggy has quit [(Ping timeout: 240 seconds)]
eacameron has quit [(Remote host closed the connection)]
lsyoyom has quit [(Ping timeout: 268 seconds)]
<NixOS_GitHub>
[nixpkgs] cpages pushed 1 new commit to release-17.03: https://git.io/v9UQB
<NixOS_GitHub>
nixpkgs/release-17.03 d5af2a6 Jean-Baptiste Giraudeau: Kodi: use kodi fork of libdvdnav/libdvdread. Fix #24153 (dvd playback)...
proteusguy has quit [(Ping timeout: 245 seconds)]
newhoggy has joined #nixos
takle has joined #nixos
marsel has quit [(Ping timeout: 240 seconds)]
carlosda1 has joined #nixos
takle has quit [(Ping timeout: 258 seconds)]
newhoggy has quit [(Ping timeout: 258 seconds)]
lsyoyom has joined #nixos
obadz has quit [(Ping timeout: 260 seconds)]
obadz has joined #nixos
carlosda1 has quit [(Ping timeout: 240 seconds)]
newhoggy has joined #nixos
nicknovitski has quit [(Ping timeout: 252 seconds)]
<joko>
Hello, could anyone tell me how to copy a derivation from a remote machine's /nix/store to the local one? scp is complaining that the local store is a read-only fs
<johnramsden>
Could someone give me a hand. I'm having trouble separating a package into a separate file. Right now I keep getting error: undefined variable <package name>.
sophiag has quit [(Remote host closed the connection)]
wkennington has joined #nixos
<clever>
johnramsden: if you put ${bash} into an expression, you need to add bash to the arguments on line 1
AllanEspinosa has quit [(Ping timeout: 260 seconds)]
filterfish has quit [(Ping timeout: 240 seconds)]
<clever>
for every value you use, you must receive that as an argument, or create it somewhere nearby
<johnramsden>
clever, ahh k
sophiag has joined #nixos
takle has joined #nixos
newhoggy has joined #nixos
<clever>
johnramsden: you should generally also remove the pkgs. on lines 20-36, and add them to the arguments
<infinisil>
I am starting to believe that clever actually lives here
faffolter has joined #nixos
faffolter has quit [(Changing host)]
faffolter has joined #nixos
<johnramsden>
clever, Yea, I was doing that before, I thought it was because I missed the pkgs
<johnramsden>
clever, working now!
taktoa has joined #nixos
takle has quit [(Ping timeout: 260 seconds)]
newhoggy has quit [(Ping timeout: 260 seconds)]
<clever>
you also dont need ... in the arguments of a package
<clever>
that makes it harder to find mistakes
<Isorkin>
Hi. how to create two php-fpm services with php56 and php71?
<johnramsden>
clever, took em out now
Svarog has joined #nixos
newhoggy has joined #nixos
<Svarog>
If I enable nix.sshServe, do I still need regular nix-serve configured? Do I still need nix-serve.secretKeyFile for the store, or is it enough to just configure nix.sshServe.keys for which users are allowed to connect?
filterfish has joined #nixos
<Svarog>
I realize they're different things, but I'm a bit confused about how to configure nix-serve so it only works with SSH
<clever>
Svarog: sshServe just configures an ssh user to only allow somebody to run nix-store --serve
<Svarog>
oh ok
<clever>
Svarog: so it's just a more locked down user, that allows things like nix-copy-closure and remote nix builds
<Svarog>
So then the normal nix-serve over HTTP is still active then?
<Svarog>
Is there a way I can block that so only SSH is available?
<clever>
Isorkin: the nixos module only allows a single php-fpm package, so you would need to make your own service to run the 2nd php-fpm on a different port/unix socket
<Svarog>
I suppose I could block it by not opening the 5000 port
<clever>
Svarog: yeah, you can just turn nix-serve off in the configuration.nix
<Svarog>
ah, right. That's what I was confused about
<Svarog>
I wasn't sure if I needed to have that on for nix-serve to work at all
<clever>
Svarog: i had to dig thru the nix source for that
<clever>
Isorkin: something you added to systemPackages is a set
newhoggy has quit [(Ping timeout: 260 seconds)]
<johnramsden>
clever, So after all your help with patchelf I was able to get my program building, and launching. Problem is now I'm getting a strange error that I have no idea about. I've added libxkb but it still seems to think it's missing.
<johnramsden>
The error when I launch it is in the commit. But the important part is "message: 'libxkbfile.so.1: cannot open shared object file: No such file or directory' "
<clever>
Isorkin: it may help to comment out things in the systemPackages list and try "nixos-rebuild dry-run" and try to narrow down which one is the cause
filterfish_ has joined #nixos
<Isorkin>
clever: If I change php = mypkgs.php56-libressl to php = pkgs.php56 - no error
carlosda1 has joined #nixos
filterfish has quit [(Read error: Connection reset by peer)]
<NixOS_GitHub>
[nixpkgs] edwtjo pushed 2 new commits to master: https://git.io/v9U5b
<NixOS_GitHub>
nixpkgs/master ad84b1e Edward Tjörnhammar: jackett: 0.7.1197 -> 0.7.1308
<NixOS_GitHub>
nixpkgs/master da2518f Edward Tjörnhammar: i2pd: 0.12.0 -> 0.13.0
<clever>
Isorkin: what if you try to nix-build -A php56-libressl mypkgs/default.nix
griff_ has quit [(Ping timeout: 240 seconds)]
<clever>
Isorkin: and also, what is the contents of pkgs/development/php/default_php56.nix?
filterfish_ has quit [(Ping timeout: 240 seconds)]
<clever>
johnramsden: what if you run ldd on the file after it has been patched?
<johnramsden>
clever, hmm, no libxkb
<johnramsden>
clever, I must be doing something wrong
<clever>
johnramsden: i cant see anything obviously wrong, so lets try just appending :${xorg.libxkbfile.out}/lib/ to the rpath
Infinisil_ has quit [(Ping timeout: 252 seconds)]
<johnramsden>
clever still not there
infinisil has quit [(Ping timeout: 255 seconds)]
<Isorkin>
clever: php = mypkgs.php56-test - working. php56-test min config - http://nixpaste.lbr.uno/raw/RWQC-F3E I do not know how to add configure flags
vaibhavsagar has quit [(Ping timeout: 268 seconds)]
newhoggy has joined #nixos
<clever>
Isorkin: ok, and what if you run "nix-repl mypkgs/default.nix" then type in php56-libressl, what does it return?
filterfish_ has quit [(Read error: Connection reset by peer)]
filterfish has quit [(Ping timeout: 240 seconds)]
<johnramsden>
clever, thanks for your help, I have to go.
ambro718 has joined #nixos
<clever>
Isorkin: yeah, i think i see the problem
<clever>
Isorkin: you probably need this in services.nix: php = mypkgs.php56-libressl.php56;
<clever>
Isorkin: i see you also have 2 different php56 files, pkgs/development/php/default_php56.nix and pkgs/development/php56/default.nix
<clever>
Isorkin: that may explain why the files you gave me dont make sense with the data you gave me
iyzsong-x has joined #nixos
johnramsden has quit [(Remote host closed the connection)]
iyzsong has quit [(Ping timeout: 240 seconds)]
sivteck has joined #nixos
<Isorkin>
clever: Trying to delete pkgs/development/php56/default.nix ?
Filystyn has quit [(Quit: Konversation terminated!)]
<sphalerite>
I want to make a tiny change to nix, but based on other people's experiences I'm worried about running the latest master version, particularly because I need to test it as root. Is it safe now, or will I screw up my database?
newhoggy has joined #nixos
<clever>
Isorkin: try just using php = mypkgs.php56-libressl.php56; first
<clever>
sphalerite: one option, you can just make a backup copy of /nix/var/nix/db/db.sqlite
<sphalerite>
oh, or I could do it in a VM
<clever>
sphalerite: if you dont gc after the backup, then restoring will just cause nix to delete anything made after the backup
<clever>
yeah, a vm is also an option
<clever>
sphalerite: you could also just nix.package = pkgs.nixUnstable in configuration.nix
<clever>
sphalerite: its less that it breaks the db, and more that it may be too new to be compatible with the old nix
<sphalerite>
unstable sounds too scary for me :p
<Isorkin>
clever: thanks, it works
<clever>
but if you use the new nix globally, it will keep working
newhoggy has quit [(Ping timeout: 240 seconds)]
<Isorkin>
clever: but how to use new nix globally?
<clever>
Isorkin: you probably dont need the new nix, that was stuff for sphalerite
<Svarog>
How would I test that nix-serve can connect to another computer on the LAN via SSH?
xAFFE has joined #nixos
<Svarog>
Without SSH I can do curl http://<hostname>:5000/nix-cache-info, is there something similar I can do with nix-serve and SSH?
<ambro718>
I get this error when running nix-collect-garbage: error: error getting outputs of ‘/nix/store/4bc2gyg68gj1lc3xkiaap1d1686i1nyp-libpulseaudio-9.0.drv’: database disk image is malformed
<steveeJ>
Svarog: I recently installed nix-serve and it works for me, but I don't follow what you mean by SSH. are you not using the local nix store on the machine that runs nix-serve?
<Svarog>
steveeJ, I have nix-serve working over HTTP, however I want to switch it over to use SSH instead
<clever>
Svarog: yeah, if you copy package a, and it depends on b, both a&b will get copied
<Svarog>
What if I want all packages updated?
<Svarog>
Not just dependencies of a single package.
<clever>
Svarog: either configure it to use sshServe as a binary cache, or copy/paste the list from "echo /nix/store/*/" into the nix-copy-closure commandline
<Svarog>
Like in the example in the documentation they're pulling firefox across. What if I also want thunderbird and gcc and ghc and about a hundred other things?
<Svarog>
Right, so that's what I'm trying to figure out, how to configure sshServe as a binary cache.
<Svarog>
Although now I'm more confused. The other day when I was trying to get nix-serve to work, even with a root user I couldn't get it to download anything that was unsigned.
<clever>
you also need to trust the public half of the key in nix.conf
<clever>
nix.sshServe.keys is the SSH PUBLIC to let them to get in
xadi has quit [(Quit: Leaving.)]
<clever>
the client also needs some nix PUBLIC keys, to trust what is signed
<Svarog>
yes
<clever>
that is what my last gist does
<Svarog>
nix.sshServe.keys has the public keys for the users allowed to connect
<clever>
there are 3 different keypairs at play here
<Svarog>
oh
<Svarog>
sshServe.keys is for the private keys??
<Svarog>
Ok
<clever>
the first key to come into play, is the ssh server pair, the public lands in ~/.ssh/known-hosts and this pair prevents mitm (so you dont connect to a fake server)
<clever>
the 2nd keypair to come into play, is the ssh auth keys (from ssh-keygen, and ~/.ssh/id_rsa), the public must go into nix.sshServe.keys to let you login on sshd
<Svarog>
oh
<clever>
the 3rd keypair, is the nix signing keys, the secret must go into nix.extraOptions, secret-key-files on the server, and the public must go into binary-cache-public-keys on the client
carlosda1 has quit [(Ping timeout: 260 seconds)]
<clever>
nix-serve just skips the 1st and 2nd pair, and runs purely on the 3rd pair alone
dbmikus has joined #nixos
<Svarog>
Hmm. Thanks for that. I'll try that!
<clever>
but nix-serve behind an nginx reverse-proxy with https:// may add another keypair into the mix
<clever>
one for the https, and one for the pre-signed data on-disk, that it serves
<Svarog>
So do I need a fourth key pair?
<clever>
nope
<Svarog>
Ok
<clever>
you will either have 1 (nix-serve over http), 2 (nix-serve over https), or 3 (sshServe over sshd)
<clever>
and for the sshServe case, the server has 2 keys, and the client has 1 key
<Svarog>
How would I check to see if the connection is working, once it's set up?
<clever>
and all parties need to trust the public of the other party
<clever>
you can test 2 of the keys by just trying to ssh into the box
betaboon has joined #nixos
betaboon has quit [(Changing host)]
betaboon has joined #nixos
<clever>
ssh nix-ssh@server
<clever>
and then look at the error
<Svarog>
Ah right.
dbmikus has quit [(Ping timeout: 260 seconds)]
<betaboon>
hello everyone, can anyone point me in the right direction on the following problem: i need a systemd service (for oneshot init of a package's state directory) to start AFTER the network is really reachable (for tcp database access), but since I'm new to systemd i can't seem to figure out what I'm doing wrong. using 'after' 'network-online.target' doesn't seem to be sufficient. any thoughts or pointers here ?
<hyphon81>
Actually, I don't know in detail how to use hydra. At the moment, I just check whether my code passes the build.
<clever>
hyphon81: what else do you want to do with it?
<Svarog>
ssh nix-ssh@server returns PTY allocation request failed on channel 0 - seems that has something to do with nix-ssh user not having access to pseudo terminals
<clever>
Svarog: ok, now try ssh nix-ssh@server "nix-store --serve"
<clever>
Svarog: it sounds like those 2 keys are working
chakerbenhamed has joined #nixos
<Svarog>
There is no error or any kind of message, looks like nix-serve is running.
<Svarog>
err
<Svarog>
nix-store
<clever>
yeah, now try using nix-copy-closure --from nix-ssh@server -sign /nix/store/something
<Svarog>
seems to have worked - well.. didn't copy anything cause everything is up to date but there was no error
<clever>
Svarog: try finding something you dont have yet
<clever>
Svarog: or use nix-store --delete to get rid of something, then copy --from it again
<Svarog>
ok
<hyphon81>
clever: Hmm, I don't know it very well. I hope it will be useful for downloading nix packages from Tokyo with ipfs?
<clever>
hyphon81: one issue right now with running binary caches, is that they have to re-sign the data, and then users need to trust your keypair
<clever>
hyphon81: you cant just forward the nixos.org signature and prove it is un-modified
<clever>
hyphon81: i have also looked into using ipfs as a binary cache, and the issue is how do you map /nix/store/jl72gxms9rg3czv3wj1rskw6n0h3k6gm-hello-2.10 to an IPFS hash?
wkennington has quit [(Remote host closed the connection)]
leat has quit [(Ping timeout: 255 seconds)]
kampfschlaefer has quit [(Ping timeout: 255 seconds)]
betaboon has quit [(Quit: This computer has gone to sleep)]
griff_ has joined #nixos
betaboon has joined #nixos
<Svarog>
Which user should own the signing keys? I previously had nix-serve:root as the owner.
<clever>
Svarog: root:root i think
<clever>
Svarog: the signing will be done by nix-daemon
vaibhavsagar has quit [(Ping timeout: 240 seconds)]
* clever
heads outside
<hyphon81>
clever: Hmm, sorry, I didn't think it through well. I'm just thinking that downloading nix packages from Tokyo is a bit slow.... I heard at the Tokyo NixOS meetup that the nix store will use ipfs in the future; however, there are some problems such as security. My knowledge is just a bit.
<Svarog>
Ok so I just deleted something from one of the stores and after some fiddling with the keys (for some reason the signing key was ignored and was defaulting to /etc/nix/signing-key.sec which didn't exist), and now when doing a nix-copy-closure I get unexpected end of file.
<clever>
hyphon81: the existing signing stuff can be improved to ensure you only ever get trusted code
<clever>
hyphon81: oh, and there is a secondary problem with ipfs, if you share what you currently have, you are broadcasting to the world, "i have version x of program y"
<clever>
hyphon81: and then somebody can look up any exploits for that version, and even test it, because nix lets them get an exact copy of it
<clever>
hyphon81: and because of how ipfs works, i dont even have to portscan to find out who has an old version of y
leat has joined #nixos
<clever>
hyphon81: i can just ask the ipfs network who has build z?, and i get a list of IPs i can freely exploit
<clever>
hyphon81: heading out now, i'll be back in about 1 or 2 hours
<bennylb>
So things have gotten a little quieter on channels/nixos-unstable after the release of 17.03
aminechikhaoui has quit [(Quit: leaving)]
<gchristensen>
unstable sees a flurry before a stable branch
<bennylb>
Being a noob I caught on to that gradually
<gchristensen>
:) I think it is a good thing
<gchristensen>
holy crap, we package RequestTracker :o
<hyphon81>
If I use NixOS's logo, who can give me authorization, or can nobody? I built a Hydra server in Japan, and I am wondering about making a fan site for NixOS in Japan. So, I would like to use the NixOS logo.
<sphalerite>
There may be trademark requirements on top of the copyright, but I don't see anything to that effect
<bennylb>
sphalerite: Haa good find
<hodapp>
if putting "foo ? null" in a derivation's parameters still leads to foo being present by default (even if it's optional), does a way exist of having it be null by default?
newhoggy has quit [(Remote host closed the connection)]
<hyphon81>
sphalerite: Thanks!
<sphalerite>
hodapp: what do you mean?
griff_ has quit [(Quit: griff_)]
<sphalerite>
I presume you mean a function, not a parameter?
<sphalerite>
s/parameter/derivation/
<hodapp>
sphalerite: I suppose it is technically a function, but what I'm observing is how it behaves in context in nixpkgs
<hodapp>
perhaps it's because I'm not running with --pure
thebored has quit [(Ping timeout: 255 seconds)]
<hodapp>
but, for instance, I added "sqlite ? null" to gdal, and then gdal's build magically started finding sqlite without anything being overridden
proteusguy has joined #nixos
derjohn_mob has quit [(Ping timeout: 240 seconds)]
FrozenCow has joined #nixos
<sphalerite>
hodapp: The thing that you have in the file is a function. The derivation is the result of calling it, and that happens in pkgs/top-level/all-packages.nix or similar
<sphalerite>
hodapp: so what you want to do is either put sqlite = null; in the set that the package function is called with
betaboon has quit [(Quit: This computer has gone to sleep)]
ambro718 has quit [(Remote host closed the connection)]
FrozenCow has quit [(Remote host closed the connection)]
newhoggy has joined #nixos
<hodapp>
either that, or?
<hodapp>
if I'm just passing in 'null' explicitly, then why does it even require "? null"?
<hodapp>
and if null is the default value, then why must I pass it in explicitly?
<hodapp>
I see you wrote 'that callPackage', not just 'callPackage'
<clever>
hodapp: another option is to add a withSqlite ? false argument, and then override it to true later
<clever>
then a callPackage with {} works
<jophish>
Dezgeg[m]: I shouldn't have started speaking in #linux about patching uname. It's turned into a real shitshow
dbmikus has quit [(Ping timeout: 255 seconds)]
<hodapp>
ugh, I should just ignore everything that was written in the comment on one PR where I wanted postgresql support to be optional and disabled by default, and someone recommended that I just replace with "postgresql ? null" and didn't say anything else
<hodapp>
clever: does one method or another seem to be preferred more?
<clever>
jophish: there is some stuff already in the kernel that can fake part of the uname data, and nix is using it
<Dezgeg>
how so? :P
<bennofs>
clever, hodapp: yeah the code does auto = builtins.intersectAttrs (builtins.functionArgs f) autoArgs;
<joepie91>
hyphon81: fwiw, the "brand guidelines" that projects/companies have tend to be stricter than is even allowed by laws in many jurisdictions... for example, if there's no risk of confusion (ie. it's very clear that your site isn't an official site for $thing), you may use other people's brands to indicate the topic, compatibility, or whatever
<hodapp>
joepie91: #linux or ##linux?
xadi has quit [(Remote host closed the connection)]
<jophish>
clever: yeah, it doesn't work for armv7 on aarch64
<bennofs>
clever, hodapp: builtins.functionArgs does not care if you write sqlite or sqlite ? null
<hodapp>
bennofs: not sure what that "yeah" is in regards to
<jophish>
I've patched uname to always return "armv7l" for an armv7l build
<jophish>
It's working very well for me
<joepie91>
hyphon81: dependent on jurisdiction ofc, but for example I'm completely free to build an online shop with a "Bose" logo in the header, so long as it's clear that that's just a brand I'm selling, and I'm not *representing* Bose... no matter what Bose says about brand guidelines
<bennofs>
hodapp: i meant that callPackage will set sqlite, no matter if there is a default or not
<clever>
bennofs: i think functionArgs returns a set of <argname> = <bool>;, with the bool saying if it has a default or not
<joepie91>
hyphon81: so generally, just make it very clear that your site is not official and you will be fine :)
<clever>
bennofs: but the intersectAttrs drops the bool's
<hodapp>
sorry, that was to jophish, not joepie91 ^
<hodapp>
bennofs: okay, I see
<clever>
jophish: ah, that sounds very similar to the nix code i have in mind
carlosda1 has joined #nixos
<hodapp>
I'm still not sure then why "postgresql ? null" was recommended, though in that case there were multiple possible postgresql packages that could have been used
<clever>
jophish: this makes uname lie about 64/32bit support, so a 32bit build cant see 64bit support
<clever>
jophish: i have also wanted to have an armv6l variant, because some packages put v7 opcodes into a v6 package, and poison the hydra
<jophish>
clever: I was looking at that yesterday, can't be done for arm :(
<clever>
jophish: the api around uname and personality would need to be modified to add arm support
<bennylb>
Listed under https://nixos.org/nixpkgs/manual/#sec-tools-of-stdenv are tools provided by stdenv. During the configure phase are there any additional tools such as autotools available in the environment or do we explicitly add to nativeBuildInputs?
Filystyn has quit [(Remote host closed the connection)]
<clever>
bennofs: you have to add them, and every phase runs in the same env
<clever>
bennofs: there is also a package for exactly what you're wanting to do
<bennofs>
clever: meant bennylb probably ?
<clever>
bennylb: if you add autoreconfHook to the nativeBuildInputs, it will run autoreconf for you
griff_ has joined #nixos
carlosda1 has quit [(Ping timeout: 240 seconds)]
<jophish>
hodapp: ##linux
<jophish>
sorry, missed that
<hodapp>
jophish: that channel is kind of a shitshow no matter what, to be fair
<bennylb>
bennofs: clever: Ahh ok got it
newhoggy has quit [(Remote host closed the connection)]
<hodapp>
soooo many ops who think they are the New Sheriff in Town
bennofs1 has joined #nixos
<unlmtd[m]>
instead of doing customRC = '' stuff '', can I somehow import a non-nix file there?
<jophish>
I'm building the bootstrap tarball for the second time natively (the first time was with a cross build bootstrap tarball) I'm hoping that this will result in the same hash
newhoggy has quit [(Ping timeout: 260 seconds)]
<jophish>
It's going very smoothly so far, although I don't know what aspects of linux's personalities I'm not replicating
<jophish>
hopefully it's just the uname patch and nothing interrogates the kernel directly
<clever>
jophish: ah, looks like you're patching it within coreutils
<clever>
jophish: the LFS guides have done similar, by wrapping coreutils with a script that just applies sed
<clever>
but that will obviously miss anything using the uname syscall directly
<clever>
and armv6 support is missing, it would need a 2nd patch
<clever>
jophish: my variant will make it a nix.conf entry, so you can change it after building
<jophish>
I should have used that directly perhaps
<clever>
jophish: gchristensen mentioned that the aarch64 build slaves for hydra dont have v6 or v7 support, no ability to run 32bit code
<Yaniel>
oh come on, don't tell me that windows now actively destroys data on efi partitions
<clever>
jophish: so your patch would break on the aarch64 build slaves
<bennofs1>
jophish: that won't affect the syscall though :/ I wonder if it's possible with systemtap to patch the syscall
<jophish>
clever: yeah, I know. I'd have to find out how to detect aarch32 mode support
<unlmtd[m]>
is anyone using nixos on aarch64?
<jophish>
oh
<jophish>
that could be in nix.conf
newhoggy has joined #nixos
<jophish>
unlmtd[m]: gchristensen is
<clever>
jophish: yeah, make it a runtime config, and then the admin can just set it right
<unlmtd[m]>
awesome, ill have to get a rpi
<jophish>
bennofs1: that's beyond my expertise :)
<jophish>
clever: do you have plans to open a PR to nix with that change in?
<clever>
jophish: being runtime also opens up some more portable stuff, you could make an armv6 nix build, that works on v6, v7l and aarch64, and is capable of running builds for all 3
<clever>
jophish: I've been wanting to make a PR with it for ages, but keep forgetting to do it
<unlmtd[m]>
was gonna get my nephew his first computer, a 64bit rpi with nixos installed would be a pretty cool first unix workstation
<gchristensen>
it is not an easy time right now
<jophish>
clever: Once I've got everything chugging along I'll make a PR with my changes here (modified to use your patch instead). I hope that's OK with you (credit given of course!)
<clever>
jophish: this hook will use the arm builds of binutils (x86 build doesnt work) to read the arch specific elf headers, and check for armv7 opcodes
<unlmtd[m]>
hes probably better starting on void anyhow
<clever>
jophish: and if configured right, it will cause an armv6 build to fail if it makes v7 opcodes
<jophish>
unlmtd[m]: that's cruel. He'll never be able to use other distros if he gets hooked on nixos first!
<clever>
jophish: sure :)
<unlmtd[m]>
nooo thats awesome
<jophish>
:P
<unlmtd[m]>
push him into the future
<unlmtd[m]>
fuck this imperative bullshit
<clever>
:D
takle has quit [(Remote host closed the connection)]
<NixOS_GitHub>
[nixpkgs] romildo opened pull request #25112: all-the-icons: init at 2.5.0 (master...new.all-the-icons) https://git.io/v9TJX
newhoggy has quit [(Ping timeout: 252 seconds)]
<jophish>
clever: how is enforce-arch used?
<clever>
jophish: currently, it's a setup hook you have to add to the buildInputs of a package
<jophish>
I've not seen makeSetupHook before
<jophish>
ah ok
<clever>
jophish: makeSetupHook will just copy the script to $out/nix-support/setup.sh
<clever>
jophish: and the stdenv will source that if it's found in the buildInputs
<clever>
jophish: this is how adding cmake to the inputs causes cmake to hijack the configurePhase
<clever>
anything you add to the inputs can mutate the bash variables/functions in the environment, and change how the build is done
<jophish>
ah, that's very cool. I didn't know about that
<clever>
the autoreconfHook i gave someone a few minutes ago is another
<clever>
it runs autoreconf before doing ./configure
<clever>
jophish: there are also other neat things like that just hidden all over the place and undocumented
<clever>
Yaniel: also, nixos-install by default, will just nix-build the configuration, then install the bootloader again
<clever>
Yaniel: so if the channel in the installer is reasonable, you can just do that directly
<Yaniel>
ah, nice
<Yaniel>
umm, except, do the channels of the installer and the installation have to match?
<clever>
if you use --chroot, then it will obey the channels inside the install
<clever>
if you don't use --chroot, it will use the channels on the installer, and might downgrade (or upgrade) the entire os
<Yaniel>
nixos-rebuild fails in the chroot :(
<Yaniel>
"Error in tempdir()"
<clever>
Yaniel: what args did you run it with?
<Yaniel>
`nixos-rebuild boot`
<clever>
Yaniel: might be simpler to just redo the bootloader without nixos-rebuild then, one sec
newhoggy has quit [(Ping timeout: 240 seconds)]
takle has quit [(Ping timeout: 240 seconds)]
<clever>
Yaniel: "/run/current-system/bin/switch-to-configuration boot", and make sure /boot and any efi things are mounted correctly inside the chroot
<jophish>
gchristensen: What's the nixops support like for packet.net?
<jophish>
You mentioned it in your mail in January
<clever>
jophish: have you seen my ideas on how to give nixops support for any datacenter that allows root and an MBR?
<gchristensen>
jophish: "not good yet"
<Yaniel>
clever: thanks, now it boots
<NixOS_GitHub>
[nixpkgs] LnL7 pushed 1 new commit to staging: https://git.io/v9TUG
<NixOS_GitHub>
nixpkgs/staging 004ecac Daiderd Jordan: perl: add patch for sw_vers on darwin...
<Yaniel>
on a related note, fuck windows
<Yaniel>
in the latest update it stopped changing UEFI settings and instead opted to "manage" the efi partition by itself
<clever>
Yaniel: i also found that my bios totally ignored the boot priority, until i turned efi off entirely
<clever>
so it refused to boot legacy linux until i just shut off efi support
<jophish>
clever: I've not seen them, but I would like to!
<Yaniel>
I should really make a separate efi partition for nixos
<clever>
luckily, win7 still boots if you chainload the MBR, but i haven't actually booted it in over a year
<gchristensen>
it also clears up ambiguities of which staging
eacameron has joined #nixos
<jophish>
Woo, my bootstrap generation has reached a fixed point
sellout- has joined #nixos
<LnL>
clever: I think perl was updated on staging and 17.03 so it's possible, I'll see if I can reproduce it
<clever>
2017-04-21 14:12:18 < clever> LnL: bisect says it was a perl update, commit 4861ab9dbea148c01f8d1c17a926046dd7aa344b
carlosda1 has joined #nixos
<LnL>
yeah I remember now, but the error looks different from the one on staging so I'm not sure
<gchristensen>
how can I do bash variable substitution in a configureFlag? I need to do something like "--with-web-group=$UID"
<clever>
ah
<clever>
gchristensen: one option ive done is preConfigure = ''configureFlags="$configureFlags --with-web-group=$UID"'';
<clever>
gchristensen: the preConfigure gets evaled later on, and it just works
<clever>
gchristensen: and i believe all other options rely on a program making a "mistake" and evaluating some of its arguments in bash
m` has joined #nixos
m` is now known as mojjo
<clever>
which can sometimes be a security hole
<gchristensen>
dirty :P
<gchristensen>
thank you
<clever>
gchristensen: only other option is to elevate $UID to be a nix variable
<gchristensen>
probably not desirable
takle has joined #nixos
<Svarog>
clever, I managed to get unsigned nix-copy-closure to work over ssh, but signing still fails. Would you have any idea off the top of your head why I might be getting host key verification failed when using --option ssh-substituter-hosts?
carlosda1 has quit [(Ping timeout: 260 seconds)]
<clever>
Svarog: the ssh client is probably running as root, try re-running the ssh test as root to populate ~/.ssh/known-hosts
<Svarog>
Ah.
<mojjo>
hi.. I put the following line in the config, but it has no effect after rebuilding: `environment.variables = {"XYZ" = "abc";};`, in a fresh shell `echo $XYZ` returns nothing. Does somebody know the file in `/run/current-system` where it should have been written to?
<spacefrogg>
gchristensen: The following also works: preConfigure = ''eval "configureFlags=$configureFlags"'';
<clever>
mojjo: it winds up in a derivation at system.build.setEnvironment, that contains a bit of shell code with export statements
<spacefrogg>
gchristensen: This gives you the opportunity to just assign the configureFlags as normal and put an evaluation step at the end to "do the necessary things".
<gchristensen>
is there a package that uses a sort of perl wrapper I can use, in my effort to make RequestTracker work? rt doesn't have a Makefile.PL
<clever>
GiGa|Laptop: a recent change broke every display manager except sddm
<clever>
gchristensen: oh god, that mess, lol
<bennofs1>
gchristensen: you mean like perlWithPackages?
<clever>
gchristensen: it took me about 12 hours to get that to work on ubuntu, lol
<gchristensen>
yeah that sort of thing, bennofs1
<gchristensen>
clever: :|
<bennofs1>
gchristensen: I believe just buildEnv may work for this? not sure
takle has joined #nixos
<clever>
gchristensen: it has a shell script in the root that will tell you what perl packages are missing, but the apt package name isn't always obvious, and i had to cpan at least a dozen modules
<bennofs1>
gchristensen: didn't hydra use something like that?
<GiGa|Laptop>
clever, not sure that's quite identical. I don't even get a display manager load and the system is hung (I can't even login at the terminal)
<GiGa|Laptop>
clever: Although most of it fits
<clever>
GiGa|Laptop: ah, that might be different, are you able to boot an older nixos via grub and then inspect the journal?
roconnor has joined #nixos
newhoggy has joined #nixos
takle has quit [(Ping timeout: 260 seconds)]
<GiGa|Laptop>
clever: yep, I'm booted now. Looking for the logs but I've not done much troubleshooting with SystemD
<clever>
GiGa|Laptop: "journalctl -b -1" will show the entire log from the previous boot until shutdown
<clever>
GiGa|Laptop: then search thru that for things related to display-manager
newhoggy has quit [(Ping timeout: 252 seconds)]
<clever>
GiGa|Laptop: or just "journalctl -b -1 | gist -p" to send the whole thing to a gist
drasich has quit [(Ping timeout: 258 seconds)]
<mojjo>
clever: got it, I mixed up shellInit with interactiveShellInit
betaboon has joined #nixos
betaboon has quit [(Changing host)]
betaboon has joined #nixos
<GiGa|Laptop>
clever: that journal only seems to have 1 second's worth of stuff in it
<clever>
GiGa|Laptop: that's odd, how far along does the boot seem to get when you watch it?
<clever>
mojjo: it looks like bash will put both of those into /etc/profile
<GiGa|Laptop>
All the way up to where you'd expect to switch from text mode / TTY to GDM
<clever>
mojjo: and an extra copy of the interactive in /etc/bashrc
<clever>
GiGa|Laptop: did you click the power button once to recover it?, or hold the power button?
<GiGa|Laptop>
clever: held
<GiGa|Laptop>
never come across pressing once to recover it
<clever>
GiGa|Laptop: try booting it back up, and then see if hdd activity starts when you just click the power button, it may still be able to do a clean shutdown
<GiGa|Laptop>
I can reboot and try that
<clever>
depends on how badly it's locked up
<GiGa|Laptop>
understood, be right back
GiGa|Laptop has quit [(Quit: Leaving)]
nicknovitski has joined #nixos
kampfschlaefer has joined #nixos
takle has joined #nixos
dmi3y has joined #nixos
mekeor has joined #nixos
<mojjo>
clever: Actually, I see it's not quite working yet. ` environment.variables = {"A" = "1";}; programs.bash.shellInit = ''export B=2;'';` Considering the lines you pointed to, those two should behave the same. but I see only the second in /etc/profile
faffolter has quit [(Remote host closed the connection)]
takle has quit [(Ping timeout: 258 seconds)]
dmi3y has quit [(Ping timeout: 268 seconds)]
takle has joined #nixos
<clever>
mojjo: checking some things...
sellout- has quit [(Quit: Leaving.)]
<mojjo>
clever: ah, no.. there is cfg and cfge, i mixed them up
<clever>
mojjo: it's not embedding the A into profile, it's sourcing a path
durham has joined #nixos
<clever>
mojjo: updated the gist
dbmikus has joined #nixos
FRidh has joined #nixos
<clever>
mojjo: yep, i can track down all 6 variable assignments
<GiGa>
clever: OK, pressing the power button does nothing, no HDD activity either. I can't even use magic sysrq to reboot the box - it's totally hung. Network scan shows it isn't online either
<GiGa>
I'll try switching to SDDM to see if that helps
<clever>
GiGa: ah, sounds more like a video driver problem then, something the driver/GPU is doing breaks the entire system
<mojjo>
clever: yeah, I can follow this. set-environment is included in /etc/profiles, and so it works!
newhoggy has joined #nixos
<GiGa>
clever: oh dear, not again. This is using bumblebee
<gchristensen>
clever: I'm finding it is probably not feasible to use rt on nixos via nix
dbmikus has quit [(Ping timeout: 240 seconds)]
<clever>
gchristensen: i have thought that writing a nix expression would solve that entire mess for good, but have just not gotten around to it
GiGa|Laptop has joined #nixos
takle has joined #nixos
newhoggy has quit [(Ping timeout: 240 seconds)]
<jophish>
Hmm, Now to figure out how to bootstrap GHC on aarch64 and armv7l
<GiGa|Laptop>
Clever: I'll disable Bumblebee and force use of the intel card, see if it makes a difference
<clever>
GiGa|Laptop: kk
<clever>
jophish: i think all of the existing stuff in nixpkgs relies on downloading a pre-built ghc
GiGa|Laptop has quit [(Remote host closed the connection)]
<NixOS_GitHub>
[nixpkgs] joachifm pushed 1 new commit to master: https://git.io/v9Tkj
<NixOS_GitHub>
nixpkgs/master 9e6c96f Joachim Fasting: grsecurity: 4.9.24-201704210851 -> 4.9.24-2201704220732
aneeshusa has joined #nixos
<NixOS_GitHub>
[nixpkgs] vcunat pushed 1 new commit to master: https://git.io/v9TIe
<NixOS_GitHub>
nixpkgs/master b72d4e1 Vladimír Čunát: kdiff3: fixup patch hash after #25059...
takle has quit [(Ping timeout: 240 seconds)]
<NixOS_GitHub>
[nixpkgs] vcunat pushed 1 new commit to release-17.03: https://git.io/v9TIU
<NixOS_GitHub>
nixpkgs/release-17.03 4fe9cf7 Vladimír Čunát: kdiff3: fixup patch hash after #25059...
aneeshusa has quit [(Client Quit)]
<jophish>
clever: yeah, there doesn't seem to be support for booting from a cross compiled stage1
<jophish>
There is an armv7 binary for 8.0.2
<GiGa>
Clever: looks like it's a problem with the bumblebee interaction
<clever>
GiGa: ah
<GiGa>
I take that back
<GiGa>
I now get GDM, and can login
<GiGa>
but then the system hangs again. I suppose that could be the problem you mentioned earlier of course
<clever>
the problem i mentioned results in the display manager quitting to the text console
<clever>
then systemd restarts the DM
eacameron has quit [(Remote host closed the connection)]
<jophish>
clever: yeah, no love for aarch64 though. I think if I'm to get this working it would be best to set up a cross compiler to do it
<jophish>
I already have an expression for an x86_64 -> armv7 cross compiler.
<jophish>
I think that might have been added to nixpkgs too recently, I can't remember
<GiGa>
OK, not an identical problem then. I'll have a bit more of a play around later
<GiGa>
Got my daughter wanting to play with cars
xadi has quit [(Quit: Leaving.)]
xadi has joined #nixos
GiGa has quit [(Quit: Leaving)]
xadi has quit [(Client Quit)]
derjohn_mob has joined #nixos
marsel has joined #nixos
carlosda1 has joined #nixos
takle has joined #nixos
bennylb has quit [(Quit: rcirc on GNU Emacs 25.1.1)]
carlosda1 has quit [(Ping timeout: 260 seconds)]
<mog>
my acme certs expired , and the systemctl says that the processes are active but still waiting to trigger
<mog>
is there a way i can force it
<clever>
mojjo: it's possible that it already renewed, but nginx didn't reload, what happens if you manually restart nginx?
<mog>
i just restarted httpd and still getting error
<gchristensen>
through force and hackery, I got rt working...! not good enough to send upstream, but it runs...
<mog>
all the files haven't been touched since jan 22
<mog>
so it clearly is just not running or when it ran it had an error
<mog>
i don't see anything in journal though
newhoggy has joined #nixos
kahiru has quit [(Ping timeout: 240 seconds)]
iyzsong has quit [(Ping timeout: 260 seconds)]
newhoggy has quit [(Ping timeout: 252 seconds)]
<mog>
running simp_le by hand fixed problem
<clever>
mog: which channel are you on?
<NixOS_GitHub>
[nixpkgs] Hodapp87 opened pull request #25114: gdal: Add optional SQLite & Spatialite support (master...gdal_sqlite) https://git.io/v9TIh
kahiru has joined #nixos
eacameron has joined #nixos
<sphalerite>
I'm having some difficulty compiling a piece of software because g++ doesn't like its use of printf https://paste.debian.net/928859/ . I tried adding -Wno-error=format-security to the compiler flags but it's still happening. Anyone have an idea of what this could be? I suspect that this is a nixpkgs-specific issue because I haven't seen any other people complaining about it
<sphalerite>
how do people using nixops manage state, e.g. database contents?
<sphalerite>
I presume the answer is nixops ssh + putting stuff in place manually?
<sphalerite>
For example, I want to migrate a mumble server from a really crappy docker container setup to a nixops-managed server. Would I just copy over /var/lib/mumble-server manually?
<clever>
sphalerite: my plans are to modify the application so it can push/pull state backups from a central location
<simpson>
sphalerite: I simply keep the DB up and trust my upstream vendors to not make it hard to roll forward. It's easier for me since I can lose any one node and still stay up.
<clever>
then i can just sign into a gui over http, pick a recent backup, and click restore
<simpson>
(Technically I can lose like any seven nodes, globally, and still stay 100% up.)
<clever>
sphalerite: in the case of mumble, yeah, i would just manually copy it over
puffnfresh has joined #nixos
<clever>
sphalerite: stop the mumble daemon, delete the new dir it made, copy things over, and start it back up
<sphalerite>
right
<LnL>
clever: perl was updated to 5.22.3 for 17.03 while it's 5.24.1 on staging
<sphalerite>
the previous advice sounds like it's on a bit of a different level than what I'm doing, this is just for personal use and on a small budget :D
stepcut has quit [(Remote host closed the connection)]
<clever>
LnL: ah, so it's still older
newhoggy has quit [(Ping timeout: 258 seconds)]
<LnL>
that's why the error is different, my staging fix won't help with that
<clever>
sphalerite: yeah, it's more for software i'm writing, and i'm building all of the new changes around nix and nixops
<clever>
LnL: 17.03 darwin isn't that important, so we can just ignore it
dmi3y has joined #nixos
<LnL>
yeah, there's nothing on hydra built with perl 5.22.3 so it's not very useful
<sphalerite>
clever: it's definitely what I'd do if I were writing any big important production software :D
<sphalerite>
Although, what would you recommend for small-scale backup of data like that?
<sphalerite>
Pretty much anything would be better than what I have now, which is nothing >_>
<clever>
sphalerite: zfs snapshots if you want local archives of changes
<clever>
maybe zfs send if you want offset copies
<sphalerite>
Sounds good, I'll give all that a shot. Thanks!
<clever>
offsite*
<eacameron>
Anyone worked with Habitat?
<eacameron>
It looks like it has a lot of overlap with Nix
<joepie91>
eacameron: link? not the most googleable thing :)
<joepie91>
eacameron: I'm not immediately spotting anything that overlaps with Nix, from a technical perspective
<joepie91>
it just seems like Yet Another Docker Management Thing to me
dmi3y has quit [(Quit: dmi3y)]
<joepie91>
except for what looks like limited declarative config capabilities
<eacameron>
joepie91: It has immutable packages that are defined with a templating system. It handles package management too.
<joepie91>
eacameron: hm, this isn't clear from the site at all
<eacameron>
joepie91: Yah...it's not.
<joepie91>
eacameron: reading the site I get the impression that what they call a "package" is just "a disk image"
<eacameron>
joepie91: That could be
<eacameron>
joepie91: I've not actually worked with it.
<joepie91>
which is very different from how Nix works
<joepie91>
right
<joepie91>
eacameron: anyway, based on what the site says - which may not be the most accurate, but that's what I have to go off from - it looks to me like yet another thing that builds on inherently stateful systems
<joepie91>
as opposed to reorganizing things to not be stateful
<sphalerite>
I see all these horrible things all the time. And every one makes me gladder that I can use NixOS.
<joepie91>
dmj`: hrm, one of the three does not quite belong... :P
<LnL>
I'll close it when the stdenv is finished building
<dmj`>
joepie91: hehe :)
<clever>
dmj`: i can also see how not-os could be tweaked a bit to make a ~40mb docker container
<eacameron>
dmj`: Sick
<clever>
dmj`: that would combine bullet points 1 and 3
<eacameron>
joepie91: Awesome link LOL
<joepie91>
eacameron: which? the stateless deployment or the spurious correlations one? :P
<eacameron>
joepie91: Spurious correlations...but the other looks juicy
<joepie91>
hehe
<eacameron>
So NixOS is awesome, granted, but what if I really do want a "micro-service" arch where I can fire up many instances of an app at the push of a button. It seems containerization is good for that.
<FRidh>
LnL: if I am correct you've been working with the stdenv. What do you think is a good place to have an attribute that returns the extension of a shared library for the current arch? So .so on linux and .dylib on darwin? Its very trivial but useful to have when with Python we have to patch paths to libraries.
<joepie91>
eacameron: see nixops / disnix
<simpson>
eacameron: You probably don't want them all fired up near each other, so you need orchestration as well.
<eacameron>
joepie91: I use Nixops already actually. It's great. But it's still creating full blown VMs
derjohn_mob has quit [(Ping timeout: 260 seconds)]
<joepie91>
eacameron: doesn't necessarily.
<joepie91>
it's fairly agnostic to the type of instance it creates
<joepie91>
plus there's already declarative containers for less involved scenarios if you really need containers
<eacameron>
joepie91: Can nixops deploy containers instead?
<joepie91>
but I feel that 'containers' are massively overused
<eacameron>
ekleog: Yah I mean you can manage containers on your NixOS instances manually.
<joepie91>
eacameron: theoretically could, sure. in practice, I question whether there's a reason to do so given NixOS' declarative container support, and if you want it to, you might have to add a provider plugin for it yourself
sellout- has quit [(Quit: Leaving.)]
<simpson>
eacameron: Honestly, I would *love* for somebody to add a container abstraction to nixops, so that containers on AWS or GCE were easier.
<joepie91>
there's nothing that architecturally prevents you from doing it
<simpson>
joepie91: There's an easy answer for "why", which is that the cloud providers have container subsystems now.
<joepie91>
eacameron: but whenever anybody asks me "how do I <something about micro-services or containers>?", my first response is "consider very carefully whether what you're trying to do is actually desirable", because in the vast majority of cases I've seen it's not :)
<eacameron>
simpson: joepie91: Yah I think that's what I'm getting at. I'd love to use something like AWS to manage the containers for me. I just want them running Nixos
<simpson>
eacameron: Ah, well, you can't.
<simpson>
Because putting systemd in a container is not really a thing AFAIK.
<eacameron>
simpson: Oh I see...
<joepie91>
hm, hold on
<joepie91>
eacameron: I'm not sure I follow what you're trying to do
<joepie91>
eacameron: NixOps already has AWS support, so what's the difference between what it does and what you want exactly?
<eacameron>
joepie91: I'm not actually trying...haha...my brother-in-law is in love with containers and I'm in love with NixOS. I'm trying to figure out how they are related and if you can use both.
<joepie91>
eacameron: I'd say that in 99.9% of cases, NixOS removes the need for containers
<simpson>
joepie91: nixops currently can't do Elastic Containers on AWS or Container Engine on GCE.
<joepie91>
eacameron: in the remaining 0.1% of cases, you probably just need local declarative containers, as opposed to container orchestration stuff
<simpson>
joepie91: It's orthogonal. Containers are cheaper than VMs. Not by much, but maybe by enough to make it worthwhile.
<clever>
eacameron: the only time i ever need a container, is when a service will collide with itself (fighting over a port or unix socket), and i need 2 instances of it running
<joepie91>
I'm not counting invalid usecases here, like people building totally unnecessary complex microservice architectures :)
<clever>
eacameron: or when i want to give potentially untrustworthy code shell access
<simpson>
joepie91: I do microservices on VMs. Containers are orthogonal to that concern, just like they're orthogonal to the security concerns.
<dmj`>
yea, also, docker is now called Moby, and everything is about linuxkit now, which isn’t in the moby or docker github groups
<eacameron>
clever: joepie91: Interesting. So you think containers are a way of managing state, which nix handles better anyway?
<joepie91>
simpson: you misunderstand my argument. I'm saying that in the bulk of cases where people try to use containers, they don't need _any_ kind of environment isolation _at all_ because the only problem they're really trying to solve is dependency management
mojjo has quit [(Ping timeout: 260 seconds)]
<joepie91>
so they don't need VMs nor containers, because Nix already solves the dependency problem
<simpson>
joepie91: Oh. That may be true, but I contend that environment isolation should be *mandatory*.
carlosda1 has joined #nixos
<clever>
eacameron: yeah, an example of something that typically needs docker, messing around with musl, there can only be 1 /lib/libc.so, and you can't just swap glibc out for musl
<joepie91>
eacameron: in *most* but not all cases, yes. people generally use containers as big bags to wrap around a ball of state, basically.
<joepie91>
eacameron: to make the state hurt less :)
<clever>
eacameron: but with nix, you can have as many libc's as you want, so there is no need for a second rootfs or docker
<eacameron>
clever: I see. I suspected that all along but it seems people are doing more with containers than *just* isolation. Something about scalability. But my complaint about microservices is that any time you have something "micro" you have to build up to the thing that's "macro". Having small pieces in and of itself isn't helpful.
<joepie91>
eacameron: note that sometimes containers *are* desirable, either for security purposes (although neither declarative NixOS containers nor Docker currently support this), or because there's a need for a virtualized interface of some sort (eg. a server that demands to run on a specific port, so you need to give each server a virtual network interface if you want to run multiple on one system)
<clever>
simpson: this heavily restricts what updatedb can read and/or write to
<clever>
simpson: and i believe it could be configured to give isolation just as good as containers
<joepie91>
eacameron: and in those cases they're not just used to wrap avoidable state, but rather for concrete technical reasons
<simpson>
clever: Nice. As you may know, I am in favor of much more aggressive and structural isolation, so I am personally looking *beyond* cgroups and containers.
<simpson>
But it is good to know that these features which many decried as unhelpful are indeed usable and used.
<bennofs1>
simpson, clever: systemd even supports syscall filtering
<joepie91>
eacameron: btw, to re-emphasize, because this is a very common misconception: none of the currently commonly used containerization tooling supports *secure* isolation against malicious users/code, that I am aware of.
<joepie91>
and that includes Docker.
<joepie91>
so if somebody is trying to use Docker to contain untrusted code, they're going to have a problem.
<bennofs1>
joepie91: escaping Docker is quite hard
<joepie91>
this is irrelevant
<bennofs1>
joepie91: at least if you don't have root in the container
<simpson>
bennofs1: Yeah, but that's not very helpful in the big scheme. Don't get me wrong, the seccomp-bpf stuff is cool, but it's expensive and inaccurate compared to more structural methods.
<joepie91>
Docker is not being explicitly designed to defend against malicious code
newhoggy has joined #nixos
<joepie91>
therefore it can not be relied upon to do so
carlosda1 has quit [(Ping timeout: 240 seconds)]
<ekleog>
bennofs1: if you don't have root outside of a container it's also quite hard to escape
<joepie91>
regardless of how hard any one individual at any given time believes it to be
<ekleog>
(ie. become root)
<simpson>
bennofs1: Containers do not provide security benefits, full stop.
<clever>
ekleog: yeah, though systemd did have a related bug a few months ago
<simpson>
It would be nice if they did, but they'd have to be designed less like they are.
<joepie91>
simpson: they can, in theory, if explicitly designed as such :P
<simpson>
And more like e.g. Capsicum.
<simpson>
joepie91: Yeah, but e.g. Capsicum can be used *outside* of containers too~
<clever>
ekleog: systemd was doing chmod -1 on a file, causing a state file to be both world writable (777), and setuid root
<joepie91>
simpson: see eg. OpenVZ which, despite its questionable implementation quality, definitely provides secure isolation and is designed to do as such
<simpson>
joepie91: OpenVZ is virtualization, right? VMs are definitely capable of isolation.
<joepie91>
ekleog: subscribed, this is relevant to my interests :P
<joepie91>
simpson: nope, containers
<joepie91>
simpson: shared kernel
<ekleog>
clever: indeed, there are privescs, I'm just saying containers often don't change much from unix privilege separation (may be slightly better, I guess)
<joepie91>
simpson: OpenVZ uses a custom kernel that provides a lot of the isolation features that have now made it into upstream kernel, which means that people can be 'root' in a container but their stuff actually just runs under a PID
<joepie91>
and aren't really root
<LnL>
FRidh: yeah that would be useful, the stdenv itself already has some attributes like shell and libc, ... that's probably the best place
<joepie91>
it's more similar to LXC than to virtualization
<clever>
ekleog: about the only thing I've seen containers have, that you can't already get via chroot and drop-root, is things like pid/uid/mount/network namespacing
<simpson>
joepie91: Sure. I'll call this containers, but only with the understanding that the normal container-level failure modes apply; shared kernel is still risky for obvious reasons.
<joepie91>
simpson: and it *does* provide some 'real' hardware virtualization, like virtual network interfaces, but these are optional and not commonly used, and typically people only use the kernel-based abstractions
<simpson>
joepie91: Like, the kind of sandbox that is correct by construction no longer looks like a sandbox, and usually has the limitation that you can't just run ordinary code in it.
<clever>
ekleog: pid namespacing blocks ps aux from seeing things outside of the container, uid namespacing can dynamically remap uids, so the container may think it has 0, but it doesn't
<joepie91>
simpson: right. that's why you can't eg. load custom kernel modules in OpenVZ
<simpson>
joepie91: As a result, if you show me a tool and say "and it can run all your normal code without recompiling!" then I am instantly skeptical of its abilities.
<joepie91>
or modify the kernel at all in any way
<clever>
ekleog: network namespacing allows different services to all bind to the same port, and not collide
<joepie91>
simpson: oh no, it definitely can't
newhoggy has quit [(Ping timeout: 260 seconds)]
<joepie91>
simpson: it's just designed in such a way that *most* of what people want to do with a VM is possible in it
<joepie91>
not all, just most
<ekleog>
userns has had many issues in the kernel iirc (and has been disabled in grsec for this reason)
<clever>
joepie91: i have helped somebody on an openvz guest with abnormally low ram, i tried to show him how to make a swapfile
<clever>
joepie91: turns out, root can be denied permission to swapon, lol
<joepie91>
clever: yeah, this has to do with the memory management model that OpenVZ used to use
<joepie91>
I believe it's possible now though
<joepie91>
using swap files
<ekleog>
netns is really great imo, just not for security purposes. things like putting a vpn-only netns, otoh, is wonderful :)
<joepie91>
or partitions if you use ploop or w/e
<simpson>
joepie91: Okay, see, that's what I mean. Capsicum will make it hard/impossible to run *any* existing userland code. Monte requires a total rewrite of all of your code into safe languages. The kind of isolation proofs I'm talking about are totally incompatible with existing systems.
<clever>
joepie91: I'd still consider swap files to be a potential privilege escalation exploit, if any kernel side datastructures get swapped out, you can modify them
<clever>
joepie91: and you need a way to enforce pages from container#1 only going into the swapfile made by container#1
<joepie91>
simpson: right, that's a very different category of 'limited', though. you can grab an arbitrary userland application written in whatever language and it'll *probably* run under OpenVZ, you just can't touch anything in kernel-land and there are some limitations in what you can do with iptables, etc.
<steveeJ>
can the path of the file that is called with nix-build be inferred within the nix expression?
<joepie91>
clever: such things are enforced in OpenVZ
<simpson>
joepie91: Sure, but that's frankly not interesting to me, because it means that porting from Linux to OpenVZ is as tough as porting from Linux to OpenBSD.
<joepie91>
clever: like I said, it's a custom kernel, and it's hacked to pieces :)
<clever>
ekleog: nix also uses all of those namespace features to implement its build sandboxes
<joepie91>
there's little fences put up everywhere
<simpson>
joepie91: Which is *good* for many people! It's just not good *enough* for what I desire.
<joepie91>
and abstractions
<joepie91>
simpson: oh yeah, sure, you're probably right on that
<clever>
joepie91: and how well tested are such hacks? might it actually be worse than containers?
<joepie91>
clever: OpenVZ *are* containers :)
<clever>
joepie91: vs mainline linux containers
<joepie91>
and predates LXC and cgroups and whatever by about two decades
<joepie91>
and has been used in production, on massive scale, for those two decades
<clever>
ah, so the age may have helped to fix all of the bugs
<joepie91>
yeah
<joepie91>
it's been around absolutely forever :P
* ekleog
disagrees
<simpson>
Doubtful.
<simpson>
My example: OpenSSL.
<joepie91>
well
<joepie91>
s/all/most/
<ekleog>
like 2 yrs ago, container escape in openvz
<joepie91>
and a lot of the mainline LXC features are actually based on OpenVZ code
<clever>
ekleog: oh, and nix can also use some namespace features to change the hostname inside a sandbox, and even claim the cpu is 32bit only
<simpson>
"most" is an approximation. You can't claim that software is free of a class of bugs without a proof. It's nigh-impossible to generate useful proofs about C, certainly not on the scale of Linux.
<joepie91>
sure
<bennofs1>
but aren't quite a lot of people relying on docker for security? (well at least as far as escaping from the container goes)
<simpson>
(This is why correct-by-construction languages are great; their safety guarantees *cannot* be invalidated, regardless of how much code is written in the language.)
<ekleog>
an exploit published in exploit-db allowed people to reach other VPSs fs for some months before it got fixed (not naming the specific company I'm thinking of just because)
<joepie91>
to define 'most' more clearly: it's very unlikely that a garden variety attacker will be able to escape from an OpenVZ container
<simpson>
bennofs1: Many Docker users say this and they are wrong to rely on Docker this way.
<ekleog>
clever: I'm feeling like namespaces are great, but not really jails like BSDs' jails
<ekleog>
like, separation but no isolation, etc.
<bennofs1>
simpson: but if many people rely on it, then there's probably quite some effort to make it secure
<joepie91>
bennofs1: that's a very dangerous assumption.
<simpson>
bennofs1: False. My example: Literally every piece of user-facing software sold or proffered to users today.
<ekleog>
bennofs1: aren't quite a lot of people relying on C for security? does that mean C is an adequate language for secure software?
<joepie91>
key takeaway: "When we feel comfortable saying that Docker out-of-the-box can safely contain untrusted uid0 programs, we will say so clearly."
<simpson>
bennofs1: "quite some effort" does not denote any useful results.
<joepie91>
I have not seen such a statement as of yet
<steveeJ>
ekleog: you enforce isolation by tweaking capabilities, eg. forbid another namespace switch. and further use something like selinux to prevent file access
<bennofs1>
joepie91: well what about non-uid0 programs?
<clever>
bennofs1: or row-hammer?
dmi3y has joined #nixos
<hodapp>
can someone try installing pypi2nix, putting "pypotrace" in requirements.txt, and running "pypi2nix -r requirements.txt -V 2.7" for me... and explaining what exactly it is complaining about because I can't make sense of it?
<ekleog>
steveeJ: I'd say a selinux-only system is way more secure than a container-only system, intuitively (among other reasons because it can run along with grsec without issues)
<joepie91>
bennofs1: thing is, non-uid0 programs already can't really do meaningful things
<joepie91>
docker or no docker
<joepie91>
(beyond their own fenced off bit of the system, that is)
<bennofs1>
even safe by construction can only be safe by construction up to a point. at some point, you have to rely on necessarily not-100%-perfect models of how things work which will cause unforeseen issues
<steveeJ>
ekleog: this all depends on the definition of "container".
<simpson>
hodapp: I don't have a working pypi2nix but I can read any traceback which you pastebin.
<joepie91>
bennofs1: nor can you assume that just because something runs as non-uid0, it won't *become* uid0
<clever>
joepie91: that reminds me of a fuse exploit
<bennofs1>
joepie91: well, you should at least put a network namespace around your non-uid0 untrusted program
<clever>
joepie91: when you try to mount something via fuse, it will use a setuid wrapper to do the actual mounting
<simpson>
bennofs1: Well, yes, but we have security models which cover the entirety of distributed systems, including full modeling of humans as agents within the system.
<clever>
joepie91: and that setuid program will "modprobe fuse" if fuse isnt loaded
<joepie91>
bennofs1: therefore, it's reasonable to assume that any isolation system that cannot contain untrusted uid0 code, is not designed to provide secure isolation, and therefore cannot be trusted as a secure isolation solution
<clever>
joepie91: and modprobe will obey an env variable as for what config to obey
<joepie91>
clever: ...
<clever>
joepie91: and that config can say "just run X instead of loading fuse.ko"
<simpson>
bennofs1: So sure, we can be correct-by-construction up to theoretical results about information theory and guesses about which cryptographic algorithms are one-way. Which is a pretty good point to be secure up to!
* joepie91
facedesk
<clever>
joepie91: modprobe was never designed to be used via setuid stuff, and fuse didn't sanitize the environment enough
<joepie91>
clever: how do people not realize "oh this might not always be a good idea"
<joepie91>
while implementing this setuff
<joepie91>
stuff*
<clever>
joepie91: I'd blame the fuse guys for not knowing about that edge-case in setuid
<ekleog>
steveeJ: my definition of "container" is "what docker/openvz/lxc do out of the box", just like my definition for "VM" is "what qemu/xen do out of the box", adding security features to this would make it "hardened [previous name]" imo
<clever>
joepie91: and also, by default, sudo on some distros will heavily sanitize the env
<bennofs1>
simpson: hmm, in theory you are right. but what do you do if you cannot rewrite the world? you need a solution that can run existing programs
<joepie91>
I generally define "container" as "managed in kernel space" whereas a "VM" involves "emulating the physical hardware in its entirety"
<simpson>
hodapp: You need Cython in the build inputs.
<simpson>
bennofs1: I am currently rewriting the world. It's a lot of work, but it is 100% possible.
<bennofs1>
clever: execing another program in a setuid program.... always a good idea
<simpson>
bennofs1: Solutions which run existing programs are able to do things like load OpenSSL into memory. This is unacceptable in 2017. Therefore, it is not only okay to not be able to run existing programs, but *desirable for security*.
<joepie91>
clever: have a link for more reading about that, by any chance?
<joepie91>
the vuln
<ekleog>
joepie91: you can do VMs with eg. PCI passthrough (and I've heard of docker unikernels, but no idea what this exactly encompasses)
<simpson>
ekleog: "VM" has a better definition that can help make it clear when something is definitely a VM; it's synonymous with "emulator".
batdog has quit [(Remote host closed the connection)]
<joepie91>
ekleog: sure, but passthrough isn't the same as fencing things off
<joepie91>
ekleog: once you passthrough something to a guest you can't use it on the host or another guest anymore
<joepie91>
this is unlike containers, where resources are - by default - not allocated in their entirety
<clever>
joepie91: part of the exploit, is that the setuid program will check /proc/filesystems to see if fuse.ko needs to be loaded or not
<ekleog>
and if you don't have an IOMMU you're dead
<joepie91>
but rather split up in some manner
<clever>
joepie91: so you just open a crap-ton of files and make that fail
newhoggy has quit [(Ping timeout: 252 seconds)]
<bennofs1>
hmm what happens when you modprobe in a container? surely that fails, right?
<hodapp>
simpson: "pypi2nix -r requirements.txt -V 2.7 -E python2Packages.cython" is doing the same
<clever>
bennofs1: i would expect that to have been disabled, along with /dev/mem
<NixOS_GitHub>
[nixpkgs] rvl opened pull request #25116: Gogs service password handling improvements (master...gogs) https://git.io/v9Tms
sivteck has quit [(Quit: Leaving)]
dbmikus has joined #nixos
<joepie91>
clever: thanks, will read
<ekleog>
<simpson> ekleog: "VM" has a better definition that can help make it clear when something is definitely a VM; it's synoymous with "emulator". <-- then HVMs aren't VMs because they use VT-x for performance?
<clever>
joepie91: i have also been interested in how nixos can possibly implement FHS user envs safely, it appears to be a setuid wrapper that just runs X under root Y
<clever>
joepie91: and at that point, i can make my own /etc/shadow, pop in a copy of sudo, and i have root!
<bennofs1>
clever: fhs user envs use user namespaces afaik
<joepie91>
clever: not sure which functionality you're referring to there
<ekleog>
(defining the words is hard work I think, then it's maybe not the one most important thing in this discussion)
<joepie91>
ekleog: mind that defining things like "VM vs. container" is only useful so long as the concepts do not diverge too strongly, as an aid for making snap judgments
<joepie91>
ekleog: you still need to care about the technical differences once you actually use them
<hodapp>
definitions can be a bit weird when it comes to virtualization. processes, in the proper early form, were meant completely as "virtual machines".
<hodapp>
virtualization encompasses a whole lot of things.
<ekleog>
joepie91: my definition of VM vs container is one kernel vs many kernels, and it turns out it seems to work most of the time :)
<joepie91>
ekleog: and just like how "editor vs. IDE" has become a meaningless distinction because the two have converged together, and how "programming language vs. scripting language" or "compiled vs. interpreted" have become meaningless for much the same reason, this is likely to eventually happen with "VM vs. container" as well :)
<clever>
bennofs1: ah, but i did also hear about how selinux locks namespaces like that down to only root
<joepie91>
though for now there's still a fairly clear line in the sand
<hodapp>
they're not meaningless, but there is not really a clear distinction for a lot of those
<clever>
bennofs1: that broke chromium security a while back
<joepie91>
ekleog: yeah, that's a simplified version of what I'm describing I think
<bennofs1>
clever: nixos does not use SELinux afaik
dbmikus has quit [(Ping timeout: 268 seconds)]
<clever>
bennofs1: as for why selinux did it, to reduce the attack surface area, non-root rarely needs that code, turning it off is simpler than auditing
<joepie91>
hodapp: they're meaningless in the sense that nothing is gained by using the term anymore, the lines have become too blurred for the words to become useful for snap judgments
<ekleog>
clever: chromium has both a setuid-based sandbox and a userns-based sandbox, or they removed the setuid-based one already?
<bennofs1>
clever: yeah user namespaces have a lot of tricky security implications
Svarog has quit [(Quit: Ex-Chat)]
<clever>
bennofs1: oh correction, grsecurity, not selinux
<clever>
ekleog: nix doesn't allow any setuid programs in /nix/store, and chromium expects the setuid program to be in $out
<joepie91>
hodapp: add a debugger plugin to your editor and suddenly it's an IDE, according to one of the more popular definitions of "IDE", despite this obviously making no sense when you ask somebody "are you using an editor or an IDE?" or "is $thing an editor or an IDE?"
<clever>
ekleog: it had to be patched to look in /run/wrappers/bin
<ekleog>
oh true, that wouldn't work out well out-of-the-box
<bennofs1>
clever: not /var/setuid-wrappers ?
<joepie91>
hodapp: similarly, depending on runtime Python may be either compiled, interpreted, or something else entirely
<bennofs1>
clever: oh, that was the old code perhaps
<joepie91>
yet the code doesn't change
<clever>
bennofs1: that was renamed recently
<joepie91>
etc. etc.
<ekleog>
there were talks about dropping support for non-userns at some point, so...
<ekleog>
(in chromium*)
<joepie91>
hodapp: in other words; they were words that once had meaning but have now lost their purpose because of technologies converging
<bennofs1>
clever: tbh, I think for desktop systems, there are much worse problems than kernel exploits. just look at how secure DBus is (dbus has support for authentication, but almost noone uses that)
systemfault has joined #nixos
<clever>
ekleog: oh, and libredirect also was breaking chromium, that fix also made it into that commit
<clever>
bennofs1: yeah, ive found dbus to just be a giant pain
<ekleog>
bennofs1: for desktop systems, X11 is the source of most awful problems
<clever>
bennofs1: for example, i cant even start pulseaudio in a sandbox, because it needs dbus, and dbus needs x11
<bennofs1>
ekleog: wayland
derjohn_mob has joined #nixos
<joepie91>
ekleog: don't forget the undocumented ball of 'stuff' that is freedesktop...
<bennofs1>
clever: dbus does need x11?
<ekleog>
like, get access to any program and you've got almost root
<clever>
bennofs1: and the whole reason i was using the sandbox was to avoid needing an xorg server
<clever>
bennofs1: to start in certain session modes
<ekleog>
bennofs1: do people actually use it without a Xwayland server?
<clever>
ekleog: oh yeah, and some GPU drivers are implemented by just mmap'ing chunks of physical ram into xorg, or possibly the opengl clients
<joepie91>
ekleog: and that's about polkit, the thing supposed to manage authorization for system actions
* ekleog
plans on switching to qubesos as a desktop system to mitigate xorg-based vulns
<clever>
ekleog: want to place bets you can just tweak the address a bit, and get arb write to any memory address? lol
<ekleog>
clever: yay xorg
<clever>
ekleog: and before kms (kernel mode switching) was a thing, xorg would just hijack the entire gpu and make destructive mode changes, such that the kernel can't recover if xorg ever quits un-cleanly
<bennofs1>
clever: hmm. but isn't x11 in dbus just to register some properties?
<clever>
ekleog: kms allows the kernel to restore text-mode in the event of xorg crashing, or a kernel panic needing to display the error
<clever>
bennofs1: yeah, but i havent been able to find an option to just turn it off
<bennofs1>
clever: isn't the user dbus instance nowadays managed by the systemd user daemon?
<bennofs1>
clever: and the systemd user daemon definitely does not have access to Xorg
<clever>
bennofs1: i believe the systemd-user daemon gets started by pam, as a child of the process doing the login (your display-manager, after it dropped root to your user)
<bennofs1>
clever: yes, but it also gets started if I login via tty
<bennofs1>
clever: and systemd does not export DISPLAY or anything to identify the x server
<bennofs1>
clever: and it will continue running even if I kill the x server as long as I still have any open session (for example a tty session)
<bennofs1>
unlmtd[m]: does it use the wayland protocol?
<unlmtd[m]>
i was planning on switching to wayland, but now I want to try this
<clever>
unlmtd[m]: the kernel, initrd, and rootfs are all signed with a cert and keypair, and the cert is embedded into the ipxe binary
<unlmtd[m]>
no its a full stack to egl
<unlmtd[m]>
it makes wayland look like a joke
<bennofs1>
unlmtd[m]: hmm wouldn't it make sense if it supported wayland? wayland is based on egl as well afaik
<unlmtd[m]>
nonono, it doesnt want wayland
<clever>
unlmtd[m]: ah, i just have signed boot with a read-only fs and sshd
<unlmtd[m]>
clever: gotcha. so he signs it all the way up to the window manager
<clever>
unlmtd[m]: my original goal was to have firmware like images for an embedded server cluster
newhoggy has quit [(Ping timeout: 240 seconds)]
<bennofs1>
unlmtd[m]: i guess i don't really understand it. how's it better than wayland?
* bennofs1
needs to use wayland in every sentence
<clever>
unlmtd[m]: i'm signing the rootfs image, but the binaries within are fully unsigned
<unlmtd[m]>
bennofs1: if you're into security
<unlmtd[m]>
the freaking display manager/windowmanager is signed!
<unlmtd[m]>
lol
<unlmtd[m]>
well thats what I read
<bennofs1>
unlmtd[m]: well but would that not be possible if it implemented the wayland protocol as well?
<bennofs1>
unlmtd[m]: after all, wayland is only a protocol, not a "server" as the x server was
<unlmtd[m]>
bennofs1: he plans on supporting it but it would just be more overhead
<spacefrogg>
hrhr, he said it again…
<clever>
unlmtd[m]: in my mind, if you can sign the kernel and rootfs, and the os within never runs untrusted files, there is no need to sign the binaries inside the rootfs
<simpson>
unlmtd[m]: Signatures only protect integrity of the binary; they make no promises about what the binary can do.
<bennofs1>
unlmtd[m]: the advantage would be that you can automatically run many programs when they get ported
<unlmtd[m]>
he must be doing it to make sure the login screen is authentic
zraexy has quit [(Ping timeout: 268 seconds)]
<unlmtd[m]>
the display is the most privileged 'part' of our OS
<unlmtd[m]>
thats where you punch in your password
<clever>
unlmtd[m]: windows made it such that ctrl+alt+del cant be captured by normal programs, and always brings up a trustable gui
<clever>
unlmtd[m]: linux has a similar thing under sysrq, that will -9 everything in the current tty
<bennofs1>
spacefrogg: what do I need to do on nixos to have dbus be managed by systemd? i can't figure out how that unit is disabled/enabled in systemd
zraexy has joined #nixos
<bennofs1>
clever: sysrq+k
newhoggy has joined #nixos
<unlmtd[m]>
bennofs1: no hes not making a wayland 'top-layer' bridge, but to run it 'on top' of wayland rather
<clever>
bennofs1: yep
<clever>
bennofs1: but if kms isnt working 100%, sysrq+k will bork the gpu state, and now you need to reboot
carlosda1 has joined #nixos
<bennofs1>
clever: i'm using kmscon so kms should work or else everything is borked anyway .)
<unlmtd[m]>
this is the most 'clean slate' display attempt I've seen
<spacefrogg>
bennofs1: Write a user systemd unit and patch the xinitrc.
<clever>
bennofs1: i also have kmscon, and have found that ctrl+alt+f1 from xorg->"tty1" breaks the gpu, i then have to alt+f2 to get kmscon to re-initialize it
<unlmtd[m]>
ill try and bring it to nixos
<bennofs1>
spacefrogg: hmm, but it appears that systemd ships with a dbus unit by default
<clever>
bennofs1: but kmscon has internally saved the broken state of tty1, so alt+f1 restores the breakage
<NixOS_GitHub>
[nixpkgs] lucas8 opened pull request #25117: cubicle: init at 1.0.2 (master...cubicle) https://git.io/v9TOO
<bennofs>
spacefrogg: any idea what causes this: Loaded: loaded (/nix/store/bghlifzi2lcajyr5wmvxxq0csyk3gv01-dbus-1.10.16/etc/systemd/user/dbus.socket; disabled; vendor preset: enabled)
<bennofs>
spacefrogg: vendor preset says enabled, but unit is disabled
<clever>
but how is the dbus.service file telling dbus to use that path?
bennofs has joined #nixos
bennofs has quit [(Client Quit)]
<spacefrogg>
the dbus@foo.socket starts the dbus@foo.service which gets the socket handed over by systemd
alx741_ has joined #nixos
<clever>
ah, so it's actually receiving a pre-opened socket as it's started
<spacefrogg>
you need to communicate the correct socket to the applications that ought to use dbus by setting DBUS_SESSION_BUS_ADDRESS
bennofs has joined #nixos
<clever>
yeah
<bennofs1>
does anyone here have an idea how to deal with shutdown errors? I.e. if a network FS cannot be unmounted when the system shuts down due to no network connection, it would be nice if there was a way to "recover"
<spacefrogg>
yes, when you start dbus-daemon with --systemd-activation
<clever>
bennofs1: ive been wanting that as well, every time the power goes out, it takes the network switch with it, and i have no way to do a clean shutdown
<Profpatsch>
bennofs1: fyi, `ag(1)` can search through nixpkgs in less than 5s (even faster incrementally) on an SSD.
<bennofs1>
Profpatsch: yes?
<bennofs1>
Profpatsch: i use rg
<Profpatsch>
I heard `ripgrep` is even up to five times faster than that.
<bennofs1>
Profpatsch: but it cannot find files inside packages if you're talking about that
alx741 has quit [(Ping timeout: 260 seconds)]
<Profpatsch>
bennofs1: Why then the index file?
<Profpatsch>
s/file/program/
<steveeJ>
shouldn't makeWrapper support multiple --set arguments?
<bennofs1>
Profpatsch: if you want to find a package that provides include/foo-header.h, rg won't help you
<spacefrogg>
clever: socket activation only works with systemd
<clever>
spacefrogg: i can't see why it wouldn't work elsewhere, but it may need a custom c program to open the unix socket and pass it via the correct fd#
<Profpatsch>
bennofs1: Oh, huh. I thought you meant searching through nixpkgs
<clever>
spacefrogg: i have written systemd services before that are on the receiving side of it
<Profpatsch>
So you mean the nix store?
<Profpatsch>
Or can it find stuff that isn’t even installed?
<bennofs1>
Profpatsch: it can find everything that is built by hydra
<spacefrogg>
clever: You would have to do that. Should be easy as it is standardized.
<eacameron>
Just a quick question: Do any of you all work on large scale systems? Like 1mil concurrent users globally?
<clever>
bennofs1: ah, is it scanning the .ls files and making a programs.sqlite like db without any filter?
newhoggy has joined #nixos
<bennofs>
clever: yes
<steveeJ>
OH! you mustn't use `=` between the key and value
<bennofs>
clever: it is just a plain zstd compressed locatedb-like file
<Profpatsch>
bennofs: So it indexes hydra?
<bennofs>
clever: ~15mb in size
<clever>
bennofs: dang!
<bennofs>
Profpatsch: it indexes all store paths that were built by hydra in a given channel
<clever>
hydra has a url that will spit out every storepath in a given eval (built or not), and the binary cache has .ls files for every storepath in the cache
<clever>
combine the 2, and you have every file in an eval, from all passing jobs
<bennofs>
clever: it actually doesn't use store-paths, as that would not give us attributes
<clever>
ah
<bennofs>
clever: it'll use nix-env --query --available --out-path --xml and parse that, and then fetch the closure of all those paths
<clever>
ahh, so it skips hydra and directly evals
<bennofs>
clever: this has the advantage that we don't get darwin/x86/x86_64 versions of every path as well
<clever>
you might also be able to use the json from one of the hydra utils
<bennofs>
clever: i looked into that, but there is no way to get a store path -> attribute mapping from hydra (apart from fetching every single build in an evaluation, which would probably not be friendly to the hydra server as it won't be cached by cloudflare)
newhoggy has quit [(Ping timeout: 240 seconds)]
<clever>
bennofs: this will return a list of job names (attrpath relative to release.nix) and .drv files
<clever>
bennofs: this lets you perform the eval on your end
<clever>
so you can just query the nixpkgs revision from hydra(or a channel), and then make your own eval
<bennofs>
clever: yeah. but I think the current solution works just as well, and has the advantage of giving us the real attribute path and not just the job name
<clever>
you can also change the value of system passed to release.nix, and omit platforms like darwin
<clever>
yeah
<clever>
things like foo."bar.baz" can be hard to deal with
<sphalerite>
Are there any technical obstacles, besides there not being an implementation, to deploying to NixOS containers in NixOps?
<bennofs>
clever: I also manually run nix-env again with -A haskellPackages and -A xlibs, if there's any other i have missed that are built by hydra I'd be interested to know
<clever>
bennofs: xfce4, and pythonPackages are 2 i can think of right away
<bennofs>
i guess parts of pythonPackages etc may be built as dependencies of other packages
<bennofs>
clever: I don't think all of pythonPackages gets built by hydra?
<clever>
bennofs: xfce.xfce4-screenshooter for example
<bennofs>
clever: is xfce not recurseForDerivations?
<bennofs>
clever: yeah looks like xfce is already included
dustmote has joined #nixos
<ryantrinkle>
does anyone have an example of converting a nix-shell environment to a docker image?
<ryantrinkle>
using dockerTools
<clever>
bennofs: looks like the python stuff is disabled in hydra, but if you over-eval, you may catch python that was in the closure of other stuff, and built anyways
<ryantrinkle>
i think i'm not quite familiar enough with docker to see all the stuff i need to do
<bennofs>
clever: yeah I just realized that
<bennofs>
clever: I mean, I already catch it since I fetch the closure, but I won't display an exact attribute path as a result
mudri has quit [(Ping timeout: 240 seconds)]
<clever>
yeah
dustmote has quit [(Client Quit)]
ixxie has quit [(Ping timeout: 240 seconds)]
<bennofs>
clever: I guess it won't hurt too much to add them
<clever>
yeah
newhoggy has joined #nixos
mekeor has quit [(Ping timeout: 260 seconds)]
newhoggy has quit [(Ping timeout: 240 seconds)]
frankpf has joined #nixos
guillaum2 has joined #nixos
frankpf_ has joined #nixos
frankpf_ has quit [(Client Quit)]
newhoggy has joined #nixos
<NixOS_GitHub>
[nixpkgs] dmjio opened pull request #25118: HaLVM: Shebang fix for Hydra (master...patch-1) https://git.io/v9T37
newhoggy has quit [(Ping timeout: 245 seconds)]
aKriJcz has quit [(Ping timeout: 240 seconds)]
shadow-x has joined #nixos
shadow-x has quit [(Remote host closed the connection)]
newhoggy has joined #nixos
<eacameron>
Is Nix/NixOS used in any big web contexts? Like 1million concurrent users globally?
newhoggy has quit [(Ping timeout: 260 seconds)]
xadi has joined #nixos
<mdash>
eacameron: let's say yes
<eacameron>
mdash: That's an odd way of saying yes.
<mdash>
eacameron: how would it change your life if the answer was yes?-)
newhoggy has joined #nixos
<joepie91>
eacameron: Nix{,OS} just do system management, I don't really see how that relates to concurrent user activity?
<eacameron>
mdash: It would help me know whether or not it's worth debating with my brother-in-law about nix's viability in large scale contexts.
<eacameron>
joepie91: Yah but my brother-in-law argues that mass container orchestration is the way to go for large scale apps.
<joepie91>
eacameron: I suspect your brother-in-law has drunk the hype-aid :)
<eacameron>
And nixos community seems to disagree.
<eacameron>
joepie91: Yah but how would I know? He does actually do that stuff IRL
<ryantrinkle>
eacameron, joepie91: also, nixos can do container stuff pretty well :P
<spacefrogg>
eacameron: Prove him wrong and hope for the best.
<ryantrinkle>
in fact, i'm writing a nix expression to generate a docker container right now :P
<eacameron>
spacefrogg: Haha I wish.
jophish has quit [(Quit: Lost terminal)]
<joepie91>
eacameron: it's, uh, a tiring topic to discuss. because for any technical argument you make on how scalability doesn't really relate to the tooling used, you're likely to get a response that's 50% buzzwords and Docker-specific jargon
<eacameron>
ryantrinkle: I think I know what for! Sweet! ;)
<joepie91>
(I have this discussion with people regularly, not just in the context of Nix)
<ryantrinkle>
eacameron: yep :)
<eacameron>
joepie91: Hit the nail on the head.
<sphalerite>
How do disnix and nixops relate to each other?
<joepie91>
eacameron: and in the end... Nix{,OS} just puts things in the right place and patches some paths, so what does that really have to do with orchestration or scalability? you can build any abstraction you want on that, it doesn't really directly relate to it
newhoggy has quit [(Ping timeout: 240 seconds)]
jophish has joined #nixos
<joepie91>
eacameron: it's akin to saying "yeah well apt-get can't scale for applications with 1 million concurrent users"
<joepie91>
there's just no relation between the two concepts
<eacameron>
joepie91: Yah that's what I thought. But it seems people around here (see above discussion which you and I had) don't really like container orchestration in the first place.
<eacameron>
But maybe that's just a different discussion entirely.
myndzl has quit [(Ping timeout: 260 seconds)]
<eacameron>
And largely unrelated to Nixos
<symphorien>
hello, I have hardware.sane.extraBackends = [ pkgs.hplip ]; in my configuration.nix but nix-store --query --requisites $(readlink -f $(where scanimage)) doesn't list hplip as a dependency and strace scanimage -L suggests scanimage is opening the wrong /nix/store/sane-config.../etc/sane.d without hplip. Any idea why ?
<ryantrinkle>
eacameron: well, container orchestration seems like a fine enough tool, but what's the problem it's solving?
<joepie91>
eacameron: yeah, different discussion. that's more about people abusing containers to wrap up a bunch of state and pretend it's "stateless"
<joepie91>
eacameron: but that doesn't really have anything to do with scalability either :)
<ryantrinkle>
one of the big ones is: i've got a ton of stuff that's messy and assumes it's running as a system-level service on linux
<ryantrinkle>
i need to treat that stuff as a purer, more self-contained thing
ambro718 has joined #nixos
pmade has quit [(Ping timeout: 252 seconds)]
<ryantrinkle>
sometimes, that's really what you've got
bennofs1 has quit [(Ping timeout: 260 seconds)]
<ryantrinkle>
e.g. if you have to run some horrible proprietary binary blob that you can't package in a nicer way
<ryantrinkle>
but with nix, things are packaged very nicely already
<ryantrinkle>
so you don't need to plaster over them quite so much to make them smooth
<joepie91>
eacameron: btw, even if you leave NixOS out of the equation entirely, people *still* abuse containerization systems because of hype :) lots of people who believe that you can't run N = >1 deployments without containers for some reason
<joepie91>
which uh, is misleading at best
<joepie91>
like, sure, compared to no isolation, containers *do* have benefits
<eacameron>
ryantrinkle: Ahhh yes that's a very good point.
<joepie91>
they're just rarely the *optimal* solution, and people also ascribe a bunch of benefits to them that they simply don't have
<NixOS_GitHub>
[nixpkgs] rlupton20 opened pull request #25119: emacs-all-the-icons-fonts: init at 2.5.0 (master...emacs-all-the-icons) https://git.io/v9TGs
<eacameron>
ryantrinkle: And in a world without Nix and Haskell...that's basically the only experience to be had, so *of course* you need containers.
<ryantrinkle>
eacameron: right
<ryantrinkle>
there are *some* other decent package managers
<ryantrinkle>
the one on solaris back in the day springs to mind
myndzi has joined #nixos
<ryantrinkle>
(though i never used it heavily)
<eacameron>
joepie91: I see. That's helpful.
<ryantrinkle>
but largely you've got this sort of "do a crazy thing, then make a tarball" approach
<eacameron>
ryantrinkle: Right...been there done that.
* joepie91
was having a discussion about Docker overuse *just now*
<joepie91>
(elsewhere)
pmade has joined #nixos
newhoggy has joined #nixos
<joepie91>
eacameron: anyway, to more directly answer the question that we started out with, even though the premise is false -- I cannot think of anything that would make Nix{,OS} *not* suitable for large-scale deployments
<joepie91>
architecturally speaking
<joepie91>
the stage of development is such that you'll probably need to roll some custom tooling, but you *can*
<eacameron>
joepie91: I see. Well that's good news.
<joepie91>
or well, custom abstractions *
<joepie91>
eacameron: now whether I'd currently *recommend* using Nix{,OS} for a large-scale deployment is a separate matter :P and more dependent on circumstances
<joepie91>
because then you start having to consider the cost of developing said custom abstractions, the knowledge within the organization, existing deployments, requirements, certifications, and the interoperability concerns that come with it, etc. etc.
<eacameron>
joepie91: I see. Well I'm not in the need (yet!) so this is good for just general awareness.
<joepie91>
there's just no general answer to that, but if the answer there were to be a "no", it'd likely be due to cost of switching, not inherently because of Nix{,OS}
<joepie91>
:)
newhoggy has quit [(Ping timeout: 260 seconds)]
dupin has joined #nixos
<dupin>
disk is full and I don't know how to clean it to perform upgrade
<dupin>
it is vbox but still...
<dupin>
I tried with rollback but no joy
bennofs1 has joined #nixos
<NixOS_GitHub>
[nixpkgs] domenkozar pushed 2 new commits to master: https://git.io/v9TGN
<NixOS_GitHub>
nixpkgs/master bcd5865 David Johnson: HaLVM: Shebang fix for Hydra...
<NixOS_GitHub>
nixpkgs/master e30b5c1 Domen Kožar: Merge pull request #25118 from dmjio/patch-1...
<clever>
dupin: does this command help some?, "nix-collect-garbage --max-freed 10M"
<barrucadu>
`nix-store --optimise` may also save a bit of space
<clever>
ah, and optimize may work even with 0 bytes free, since it's making hardlinks and deleting
<clever>
though zfs still won't like that, it can't do in-place changes to dir metadata
* taktoa
coincidentally started a `nix-store --optimise` about 10 minutes ago :^)
<spacefrogg>
dupin: try cat /dev/null > /some/large/file. This frees up blocks without the need for meta data changes.
<clever>
spacefrogg: the truncate command can also do that
<spacefrogg>
clever: Sure, didn't want to get into details, here. :)
<clever>
spacefrogg: truncate file -s 0
<spacefrogg>
: > /some/file
<taktoa>
ugh it feels like every damn haskell derivation depends on tasty-ant-xml
alx741_ has quit [(Quit: alx741_)]
alx741 has joined #nixos
<dupin>
clever, nix-collect-garbage --max-freed 10M seems to clear something :)
xadi has quit [(Quit: Leaving.)]
<dupin>
I will reboot now
<clever>
dupin: you can also re-run it, with bigger numbers, to free up as much as you want
<dmj`>
eacameron: that's the thing, NixOS uses mainline linux kernel, the rest is just differences in packaging (and maybe a few other things). If it were a different kernel, then maybe there would be some concern in using it for "large enterprise deployment"
<dmj`>
maybe docker will fork NixOS to WhaleOS
<clever>
dupin: i usually try to limit how much it can free, because it will wreck the cached data from a partially run nixos-rebuild, forcing you to re-download it all
<joepie91>
dmj`: I'd actually be quite happy with that.
<joepie91>
:)
<dupin>
clever, I run that command several times
durham has quit [(Ping timeout: 260 seconds)]
<joepie91>
I'd like to see more Nix-based things pop up in different applications
<dupin>
now I can not pass login screen :(
reinzelmann has joined #nixos
<steveeJ>
is it possible to retrieve the string that was passed to "nix-build" from within the expression? e.g. if I have a $PWD/default.nix and I run "nix-build -f . $PWD", I want to access the string that contains the extended $PWD
<clever>
steveeJ: you can get it by manipulating ./. in a nix expression
<spacefrogg>
dupin: Try repairing your store. Did it fail during installing something?
<clever>
steveeJ: that would be relative to the file it's in, rather than the file on the cmdline
<steveeJ>
clever: what if I pass a URL and the archive is downloaded and unpacked?
<dmj`>
joepie91: heh, all the gravitation towards docker in a short amount of time shows how quickly everyone abandoned what they were doing for dev ops.
<steveeJ>
it'll be the path on the filesystem?
<clever>
steveeJ: yeah
newhoggy has joined #nixos
<joepie91>
dmj`: well, to be fair, Docker *is* in various ways an improvement on what there was before it
<joepie91>
in common use anyway
<clever>
steveeJ: if you just directly use it (say like "${./.}") then nix will force a snapshot of that directory into /nix/store (if it isn't already there)
<clever>
steveeJ: so you will get a copy of the directory, rather than the original path
<joepie91>
dmj`: since it rules out a whole category of problems by way of just throwing away the disk image and starting over
<dupin>
spacefrogg, it was during upgrade
<dmj`>
joepie91: oh, for sure
<joepie91>
which, while crude, is reasonably effective :p
<joepie91>
so it's not _entirely_ surprising to me that Docker got so popular so fast
<joepie91>
dmj`: I'm in the irritating position of considering containerization to be a useful and valid technology but simultaneously having a strong dislike of the way it's (mis-)applied in real-world deployments. this means that 99% of my conversations about it consist of either a) Docker fanboys accusing me that I'm "just hating" on it, or b) Docker/containerization "haters" accusing me of being a fanboy :|
<joepie91>
the discussion in here today is actually the first discussion about containerization that I've had in a _long_ time that doesn't fall into those two categories :P
<systemfault>
Moby fanboy? </troll>
andymandias has quit [(Ping timeout: 252 seconds)]
<joepie91>
(I generally find discussions here to be technically sound, even if I don't always agree :) )
<gchristensen>
joepie91: as we grow more, you'll likely find #nixos falls in line :P
newhoggy has joined #nixos
<clever>
joepie91: one use-case of containers I've had recently, was spawning 3 nixos containers, each with identical custom modules, that had their own nginx:80, and mysql unix socket
<mitchty>
slightly confused, if i do nix-env -i zlib, why would zlib.h not end up in ~/.nix-profile/include?
<clever>
joepie91: and all on the same private lan, so they can emulate 3 real servers working together over the internet
stepcut has joined #nixos
<dmj`>
joepie91: docker containers are useful for testing nix expressions on other linuxes besides NixOS :P
<joepie91>
gchristensen: idk about that, I've been in channels with similar activity and similar community size/involvement, and they tend to be a lot less informed than #nixos -- I think it might be in part because NixOS' reason for existence is pretty much "let's fix <thing that is pretty crap>"
<joepie91>
which naturally tends to attract the involvement of people who recognize the issues :)
<gchristensen>
fair enough :)
<clever>
mitchty: nix will skip development files when installing things, you want nix-shell -p zlib
<joepie91>
clever: yep, that's a completely valid case for containers - might even want full-blown VMs depending on the type of networking (eg. for P2P stuff that uses raw sockets)
<clever>
joepie91: it's all http level stuff
<mitchty>
ok, but what if i want zlib.h outside of nix-shell?
<joepie91>
dmj`: I'd use a VM for that, not a container
<joepie91>
dmj`: so that you're testing against a "true" system
<joepie91>
clever: yeah, then containers are probably sufficient
stepcut has quit [(Read error: Connection reset by peer)]
<clever>
mitchty: some things, like pkgconfig, will only work right under nix-shell
stepcut_ has joined #nixos
<mitchty>
clever: ok, so then how should i get emacs to be able to run intero, which will run stack, which will build ghc dependencies to be able to build ghc libraries that depend on zlib?
<mitchty>
rather, are there examples of how other people use things like this together and their development workflows?
<mitchty>
i feel like i'm mostly yak shaving with all this at this point
<MarcWeber>
I verified 56 and 71 packages do all build
newhoggy has quit [(Ping timeout: 258 seconds)]
ertes has quit [(Ping timeout: 255 seconds)]
ertesx is now known as ertes
newhoggy has joined #nixos
praduca has joined #nixos
ryanartecona has joined #nixos
sellout- has quit [(Quit: Leaving.)]
newhoggy has quit [(Ping timeout: 255 seconds)]
<praduca>
Hi, anyone know how to solve this "Missing C library: GL" problem? tried a lot of things and I'm getting pretty sad now :)
<ericnoan>
praduca: what are you trying to run or build?
<praduca>
Hi, an example game from hackage, and other simple apps
byteflame has quit [(Ping timeout: 255 seconds)]
<praduca>
this particularly is called "boring-game"
<praduca>
build the code,not running it
<praduca>
I opened a shell, but only ghc with packages
<praduca>
worked for a lot of things, but for the ones that need gl, it just doesn't go
newhoggy has joined #nixos
<ericnoan>
praduca: did you add the GL library to your nix derivation?
<praduca>
hm, no, I assumed it will find it
schoppenhauer has quit [(Ping timeout: 255 seconds)]
<praduca>
let me try it
<praduca>
tks!
<ericnoan>
well... I'm just a noob helping a noob
newhoggy has quit [(Ping timeout: 255 seconds)]
<praduca>
that's the way to do it :)
<perebor>
I'm trying to install hmatrix but it fails to find the libgfortran .so. The gfortran packages don't come with it, so I don't know what to add to the derivation. how do I find that out?
schoppenhauer has joined #nixos
<praduca>
gfortran is installed? I ask because it is a package itself
<ericnoan>
it is funny, after learning about nix, i start seeing it everywhere
<yumbox>
sorry, copy-pasting sometimes makes irssi freeze
aneeshusa has joined #nixos
<yumbox>
does that mean unstable channel?
wkennington has joined #nixos
<dash>
yumbox: what does 'nix-channel --list' say?
newhoggy has joined #nixos
<yumbox>
nothing
sellout- has joined #nixos
darlan has joined #nixos
ryanartecona has quit [(Quit: ryanartecona)]
newhoggy has quit [(Ping timeout: 240 seconds)]
dmi3y has joined #nixos
hiratara has quit [(Ping timeout: 258 seconds)]
<perebor>
the exact problem I'm having is that if I compile something with ghc that uses hmatrix and then execute it I get: ./test2: error while loading shared libraries: libgfortran.so.3: cannot open shared object [..]
<perebor>
how do I find which nix package will have this library?
carlosda1 has joined #nixos
<yumbox>
nix-env -qaP | less
<yumbox>
then search for fortran
hiratara has joined #nixos
<praduca>
you can use nox
<perebor>
right. so if I install any of the gfortran packages from that none of them have it
newhoggy has joined #nixos
<perebor>
in examples that other people have used, I see them using "nix-build --no-out-link "<nixpkgs>" -A gfortran" to pass the lib/ directory, but if I do that there is no lib directory. so I'm wondering if libgfortran comes in a package that can't be found by grepping nix-env -qaP
carlosda1 has quit [(Ping timeout: 258 seconds)]
FRidh has joined #nixos
<FRidh>
perebor: $ nix-store -qR $(nix-build -A gfortran) | grep gfortran shows that gfortran is a wrapped package which depends on another derivation that contains the libraries
<FRidh>
typically one shouldn't need to explicitly point to the library when adding gfortran as buildInput