<donbright>
hello, I did configure, make, make install from nix source (1.11.13) but I can't seem to use nix-env etc. For example nix-env -qa says "error getting information about '/home/don/.nix-defexpr': no such file or directory
<donbright>
how do I get it to create my ~/.nix- folders and whatnot? how do I load my profile thingy?
<timclassic>
Is KRDC not available in Nixpkgs or am I just having trouble finding it?
* timclassic
is looking for a decent client that does VNC and RDP and isn't Remmina
timofonic has joined #nixos
<timofonic>
Hello
<timofonic>
I used Gentoo (and Paludis in the past), now I use Archlinux. I miss the configurability, availability of bleeding edge packages and optimization of Gentoo. Arch provides faster upgrading due to binary packages and AUR packages provide extra stuff, but there's lots of bitrot (outdated, orphaned, broken packages). Is it possible to compare the packages of my distro with the ones in NixOS? Does NixOS provide the flexibility of Gentoo's USE flags?
<donbright>
ok thanks... but how do I create my ~/.nix-profile
<clever>
donbright: nix-env will automatically create .nix-profile
<timclassic>
rnhmjoj: Okay, that's what I found too
<timclassic>
Ugh, remmina is working pretty well, FINE ;)
<timclassic>
rnhmjoj: Thanks for looking! :D
<donbright>
don@sakharov:/tmp/nix-1.11.13$ nix-env -i hello error: Unknown CPU type: powerpc64
<timofonic>
I would love remmina and tons of other apps but using a lot more lightweight toolkit, efl for example :P
<Myrl-saki>
clever: Do you set isNormalUser ?
<clever>
Myrl-saki: yeah
<clever>
donbright: and the expressions within nixpkgs need to know how to build a gcc for the current platform
<donbright>
clever: thanks... what should I read to be able to figure this out?
<rnhmjoj[m]>
timofonic: I have never used gentoo but I think nix is quite flexible. currently in my configuration I have custom build flags set for firefox and wine, an override of some haskell package to disable failing test, a version override of some package, and I used to have a patches for a few programs before they were fixed.
roni has quit [(Ping timeout: 240 seconds)]
MP2E has quit [(Quit: be back later)]
<clever>
donbright: what does this print? nix-instantiate --eval -E 'builtins.currentSystem'
<clever>
donbright: this outputs a backtrace to the source of the problem, even if you run it on an x86 machine
<rodarmor>
I want to submit a PR that improves the way the mpd service is configured under NixOS. I think I made the right changes, but how do I test them?
<rodarmor>
I have the changes in a local nixpkgs checkout
schoppenhauer has quit [(Ping timeout: 248 seconds)]
<donbright>
error: file ‘nixpkgs’ was not found in the Nix search path (add it using $NIX_PATH or -I), at (string):1:13
<clever>
donbright: you may also need to set the env var NIX_PATH=nixpkgs=/path/to/nixpkgs
schoppenhauer has joined #nixos
mizu_no_oto has quit [(Quit: Computer has gone to sleep.)]
<Myrl-saki>
clever: I guess the question starts becoming "How do I not nuke my build system if I do a nix-collect-garbage"?
<donbright>
clever: thanks, looks like nixpkgs/lib/systems/parse.nix only has 'powerpc' as 32bit, no entry for powerpc64
<Myrl-saki>
Well
<donbright>
lol problem is all of /nix/store is read only
Myrl-saki has quit [(Quit: WeeChat 1.9)]
<clever>
donbright: /nix/store is supposed to be read-only, it must never be modified by hand
<donbright>
yeah ... this project is amazing but it's very different from everything I'm used to
<donbright>
how do you hack on something that is read only?
<dash>
you don't, you hack on a source repo as usual
<donbright>
so basically I need to hack on a source version of 'nixpkgs', and then install the "built" version into /nix/store ?
<donbright>
then reset my NIX_PATH then re-run the nix setup
<clever>
donbright: copy the nixpkgs version to your home folder and edit the copy
<clever>
donbright: and you can use a command like: nix-build ~/nixpkgs -A hello, to test it
<clever>
Myrl-saki: make sure you quote the private key path, or it lands in /nix/store/
<Myrl-saki>
clever: Right. I did that, but it didn't appear on /nix/machines.
<Myrl-saki>
clever: Is having it in /root a problem?
<Myrl-saki>
Oh wait what. It's now here.
<Myrl-saki>
I may have just misread. Sorry.
rauno_ has quit [(Ping timeout: 246 seconds)]
rauno has quit [(Ping timeout: 240 seconds)]
<Myrl-saki>
clever: error: imported archive of ‘/nix/store/l8wcfjdn3isg6mha5p22g41qgk46pxbl-echo-0.1.3-doc’ lacks a signature
<clever>
Myrl-saki: you need to add the build user to the trusted-users list in the slave's nix.conf file
<clever>
nix = {
<clever>
trustedUsers = [ "builder" ]; };
<Myrl-saki>
Ah
<Myrl-saki>
Thanks.
<tnks>
I hear people say they tried using Python and Nix, but gave up... but I'm not having so sad of an experience.
<tnks>
Does anyone know what the major complaint is?
<tnks>
Maybe it doesn't seem as bad to me because I've accepted that occasionally I need to write up Nix expressions for dependencies.
<clever>
I'm guessing it's users trying to just nix-env all deps or just blindly using pip as always
<Myrl-saki>
Lmao
<Myrl-saki>
How do I errr
<Myrl-saki>
I set NIX_BUILD_HOOK to "", but it still insists on remote building
<Myrl-saki>
I guess I could turn off one of my systems for a bit lol
<clever>
if NIX_REMOTE is set to daemon, then it's nix-daemon's hook that matters
<Myrl-saki>
Ohhh
<Myrl-saki>
This was a funny deadlock tho
<clever>
but if you run nix-build as root, you can safely unset NIX_REMOTE
<clever>
it will internally do the same things as nix-daemon
<Myrl-saki>
clever: nix-build but not nix-rebuiuld?
<clever>
that should also work
<clever>
another option in that case
<Myrl-saki>
Oh wait, you said NIX_REMOTE
<clever>
just delete /etc/nix/machines
<Myrl-saki>
Right.
<clever>
nixos-rebuild will restore it
<Myrl-saki>
clever: Mhm
<Myrl-saki>
Thanks.
<Myrl-saki>
clever: Hypothetical example. I run nix-build on Machine A. It finishes. Then I run it on Machine B, will the built things on machine A be copied to B?
<clever>
only if B tries to build it on A
<clever>
it will discover it was already done
<Myrl-saki>
clever: Makes sense.
<clever>
Myrl-saki: nix-serve is one option, that runs a binary cache
<clever>
so it gets checked sooner
<clever>
and it will be checked even if build slaves are off
stepcut has joined #nixos
<Myrl-saki>
clever: Would it be a good idea to run this on a desktop (non-dedicated build server)?
<clever>
sure
<Myrl-saki>
clever: I think I get the general idea.
<Myrl-saki>
clever: What if I instead set the relative speed to an insanely high number? How does that differ?
<Myrl-saki>
clever: I guess there'll be less slots?
<clever>
haven't looked into the code of how that controls things
<stepcut>
I wasn't paying close attention, and Linode switched me from Xen to KVM and now my NixOS install no longer boots. I can boot into a rescue console and mount the partitions -- but is there some way to chroot into the nixos system so that I can update it using nixops deploy?
<clever>
stepcut: I think you could run this kexec trick inside the rescue shell, then you will have nixos running from ram
<clever>
stepcut: then you can use "nixos-install --chroot" to chroot into it properly
<stepcut>
nixos-install --chroot just does a chroot, it doesn't actually install things?
<clever>
correct
<stepcut>
I wonder what would happen if I didn't kexec first
<clever>
there are some directories and env vars that nixos needs set when using chroot
<clever>
nixos-install handles all of it
<Myrl-saki>
clever: If I have a buildMachine config that's local->remote and remote->local, will it deadlock?
<clever>
Myrl-saki: maybe
inflames has quit [(Ping timeout: 240 seconds)]
<stepcut>
clever: I am unclear how I would run this kexec expression without first being able to boot nixos
<clever>
stepcut: it's designed to be built into a tar on another nix machine, uploaded, then unpacked and run
<clever>
stepcut: have a look at the session.md file
<stepcut>
So, I boot up some random rescue disk (Finnix in this case), upload and extract the tarball, and then run the ./kexec_nixos command. That leaves me with a system that now has a NixOS kernel -- but still has the Finnix filesystems mounted. Then I use the nixos-install --chroot command to switch into the nixos environment?
<stepcut>
do I need the `--root /mnt` flag for nixos-install as well?
<clever>
stepcut: kexec will mount a nixos filesystem that was inside the tarball
<clever>
stepcut: so it will be running a fully nixos based system, from ram
<stepcut>
ah
<stepcut>
that makes a bit more sense
<stepcut>
I'm going to guess things will go more smoothly if I don't try to build that tarball on a nix-darwin system :-/
<clever>
yeah
<clever>
*looks*
<clever>
nothing in the expression forces it to be a linux build
<clever>
so it will try to make a darwin build of the linux kernel
<stepcut>
yeah, I already booted up a NixOS virtualbox instance
<stepcut>
now things are happening -- hopefully good things
mizu_no_oto has quit [(Quit: Computer has gone to sleep.)]
<stepcut>
it built -- now I am jumping through the hoops of getting from a virtualbox instance to the rescue system -- the lack of ssh makes things.. challenging
<clever>
:S
<clever>
if you can enable an sshd in the vbox, you can use agent forwarding to hop around
<stepcut>
well, mostly tedious
loupgaroublond has quit [(Quit: Bisy backson!)]
<stepcut>
the issue is that I need to get things to the system booted from a rescue disk -- and that system is not running sshd. I am copying the file to a webserver and can just use wget
loupgaroublond has joined #nixos
<clever>
ah
<clever>
you will also want to populate /ssh_pubkey before you /kexec_nixos
<stepcut>
at least after this is all done I will be on KVM and will get twice as much ram for the same price :)
<clever>
that will become the authorized_keys file
silver_hook has joined #nixos
silver_hook has quit [(Changing host)]
silver_hook has joined #nixos
<stepcut>
k
<stepcut>
ok! nixos ramdisk booted.
<stepcut>
so I did, `mount /dev/sdc /mnt && mount /dev/sda /mnt/boot` and now I do `nixos-install --chroot --root /mnt` ?
<sphalerite>
--root /mnt is the default
<sphalerite>
So you don't need to specify it
<sphalerite>
Only for nixos-generate-config
inflames has joined #nixos
<clever>
also, the --chroot arg parsing is rather dumb
<clever>
the command you gave will run --root as a shell in --chroot
<stepcut>
so just `nixos-install --chroot` then
<clever>
yep
<stepcut>
it seems to be downloading a bunch of packages -- should I be scared?
<clever>
what packages?
<stepcut>
fontconfig, fonts, gawk, other stuff
HurricaneHarry has quit [(Ping timeout: 246 seconds)]
<stepcut>
I guess it is downloading those to the ramdisk /nix, not the /mnt/nix
<Lisanna>
Hey, how come nix-build isn't picking up my NixOS proxy settings?
<Lisanna>
if I run echo ${http_proxy} in one of the build hooks it prints an empty string :/
<clever>
Lisanna: all networking is disabled during builds
<Lisanna>
err, echo $http_proxy
<stepcut>
perl, dbus, gnugrep, sudoers, etc
<Lisanna>
clever: ah, I was afraid it might be something like that
<Lisanna>
I guess it makes sense though
<Lisanna>
handwritten makefiles are the worst <_<
<timofonic>
alacritty or kitty? :)
<Myrl-saki>
Lisanna: As opposed to cmake?
<Lisanna>
Myrl-saki: as opposed to just autotools, at least I always know what I'm getting with that
MercurialAlchemi has joined #nixos
<stepcut>
clever: it seems like this wants to do a lot more than just 'chroot' but not sure why.. seems to want to build a bunch of units and other things and copy them into my /mnt
<clever>
stepcut: and you're sure you used just --chroot?
<clever>
stepcut: it's safe to ctrl+c
<stepcut>
[root@kexec:/]# nixos-install --chroot
<clever>
stepcut: what are the contents of /mnt//nix/var/nix/profiles
<Lisanna>
is there an easy way to evaluate a bash expression as part of evaluating a nix expression?
NixOS_GitHub has joined #nixos
<NixOS_GitHub>
[nixpkgs] bjornfor pushed 1 new commit to master: https://git.io/v7QDN
<NixOS_GitHub>
nixpkgs/master e615745 Jean-Pierre PRUNARET: nixos/munin: scripts need to be executable in order to build a wrapper...
NixOS_GitHub has left #nixos []
oida has joined #nixos
NixOS_GitHub has joined #nixos
<NixOS_GitHub>
[nixpkgs] bjornfor closed pull request #28208: munin-node: scripts need to be executable to build a wrapper (master...pr-munin) https://git.io/v7HlK
NixOS_GitHub has left #nixos []
phreedom has quit [(Ping timeout: 246 seconds)]
oida_ has quit [(Ping timeout: 240 seconds)]
NixOS_GitHub has joined #nixos
<NixOS_GitHub>
[nixpkgs] fpletz pushed 2 new commits to master: https://git.io/v7Qyq
<NixOS_GitHub>
nixpkgs/master 3317c71 Franz Pletz: grub2: 2.x-2015-11-16 -> 2.02...
<NixOS_GitHub>
nixpkgs/master eb9f427 Franz Pletz: zfs: use multiple outputs...
<clever>
Myrl-saki: what are the deps being passed into your package?
<clever>
when generic-builder was called?
<Myrl-saki>
Wait, I passed base.
<clever>
base is null, its part of ghc
<Myrl-saki>
Rip.
<Myrl-saki>
No wonder.
<clever>
base and containers can't have their versions overridden
<Myrl-saki>
Oh cool. I didn't know about the containers part.
<clever>
I ran into the same problem a week ago, somebody increased the required version of containers
<clever>
stack could build it, but nix couldn't
<stepcut>
ok. Getting closer. I rebuilt using nixos 17.03. But when I try to do 'systemctl start sshd' it says, 'Running in chroot, ignoring request.'
<Myrl-saki>
clever: So... containers should be implicitly passed?
<Myrl-saki>
base and containers
<clever>
nixpkgs will just ignore it when you try to pass those in
<clever>
so there is no real point in trying
<Myrl-saki>
Right.
<Myrl-saki>
Doing nix-build -A buildInputs gets me what I want now.
<Myrl-saki>
But it's a list.
<Myrl-saki>
Is there like a list -> derivation?
aloiscochard has joined #nixos
<clever>
buildEnv
<Myrl-saki>
clever: Thanks. :D
FRidh has quit [(Ping timeout: 240 seconds)]
filterfish has joined #nixos
filterfish has quit [(Remote host closed the connection)]
<Myrl-saki>
clever: Will doing `nix-build -A buildInputs` keep it from getting gc'd?
<clever>
depends on if it makes a link for each output or not
<rodarmor>
I have kind of a stupid setup that requires me to make sure that I set some acls on mpd's data dir, so it can read it. I'd like to include these commands in configuration.nix, so that they're always applied. Where is the appropriate place to put commands so that they run after all the filesystems have been mounted, but before starting services?
<rodarmor>
Maybe `boot.postBootCommands`?
<clever>
rodarmor: preStart on the proper systemd unit
<rodarmor>
clever: Oh, crazy, I didn't see all the generic systemd.services.<name>.*
<rodarmor>
Awesome, thanks!
ShalokShalom_ has joined #nixos
ShalokShalom has quit [(Ping timeout: 248 seconds)]
zeus_ has quit [(Remote host closed the connection)]
<rodarmor>
clever: It looks like mpd already has a preStart command defined in the service. Will the one I set in my configuration.nix override it?
<clever>
rodarmor: you can use mkForce to override it, but that will entirely replace
<clever>
so your new preStart has to create and fix the owner
inflames has quit [(Ping timeout: 246 seconds)]
<rodarmor>
clever: The existing preStart does some unrelated permissions stuff, which are fine. The new preStart stuff does other permissions stuff. They should both run, ideally
nslqqq has quit [(Ping timeout: 248 seconds)]
<clever>
you will need to manually paste the old preStart into your override
Fannar has joined #nixos
<rodarmor>
clever: Ah, gotcha, okay
rauno has joined #nixos
<rauno>
hi
<rauno>
which package includes make in nix manager ?
<clever>
rodarmor: nix-shell -p gnumake
ebzzry_ has quit [(Ping timeout: 240 seconds)]
<simpson>
clever: How are you so fast!?
* simpson
still in nix-repl
<clever>
I've memorized an unusually large chunk of nixpkgs
<cocreature>
clever is just a really good AI
<rodarmor>
loooool
<Lisanna>
I've never seen clever not active in this channel
<rauno>
thx clever
<rodarmor>
clever bot ;)
<rodarmor>
Is there a `with X as ALIAS;` construct in nix lang?
<clever>
nope, but you could maybe do it with a let block
<Kanarme>
hey, I'm trying to package the iota-wallet with node2nix. if I do nix-build I get the error "sh: rimraf: command not found", so I packaged rimraf, which works fine, and installed it. but I still get the same error, so how can I tell nix to use rimraf? I was trying to use buildInputs, is that the right way?
kalhauge has joined #nixos
cathod has joined #nixos
<cathod>
hey, is it possible to access ${stdenv.glibc} for example from bash ?
ShalokShalom has quit [(Quit: No Ping reply in 180 seconds.)]
ShalokShalom has joined #nixos
<stepcut>
success at last! I have switched from Xen to KVM
cathod has quit [(Quit: Page closed)]
<rauno>
another question :) how to configure tcp keepalives under nixos ?
newhoggy has quit [(Remote host closed the connection)]
newhoggy has joined #nixos
jensens has joined #nixos
waern has joined #nixos
mpcsh has quit [(Quit: THE NUMERICONS! THEY'RE ATTACKING!)]
<waern>
Hi, is there some way to check (in nix lang) if a string has a context or not?
python476 has joined #nixos
mpcsh has joined #nixos
<layus_>
waern, none that I know of. Have you looked at the builtins in nix man ?
layus_ is now known as layus
pie_ has joined #nixos
ebzzry_ has quit [(Ping timeout: 246 seconds)]
<waern>
layus_: yes, I couldn't find any such function there. But I think I can do `hasStringContext = s: (builtins.unsafeDiscardContext s != s)`
astsmtl has quit [(Ping timeout: 260 seconds)]
<layus>
waern, that's a nifty hack. I was looking for something that extracts the context, but your solution should work.
<waern>
:-)
<layus>
By the way, that builtin is not in the manual...
<layus>
waern, Specifically, have you tested that `hasStringContext = s: (builtins.unsafeDiscardContext s != s)` is not always true ?
<waern>
layus: it is false for strings without contexts
astsmtl has joined #nixos
astsmtl has quit [(Changing host)]
astsmtl has joined #nixos
newhoggy has quit [(Remote host closed the connection)]
<layus>
waern, yep, and also false for strings with context for me
kalhauge has quit [()]
<layus>
`nix-instantiate --eval --expr 'with import <nixpkgs> {}; let s = "${pkgs.hello}/lol"; in (builtins.unsafeDiscardStringContext s != s)'` => false
<layus>
`nix-instantiate --eval --expr 'with import <nixpkgs> {}; let s = "lol"; in (builtins.unsafeDiscardStringContext s != s)'` => also false...
<waern>
layus: Ah, yes, it doesn't seem to work here either
<waern>
I had read somewhere that == on strings took string contexts into account
takle has joined #nixos
taktoa has quit [(Remote host closed the connection)]
waern has quit [(Ping timeout: 246 seconds)]
waern has joined #nixos
ebzzry_ has joined #nixos
schoppenhauer has joined #nixos
Wizek_ has joined #nixos
ylwghst has joined #nixos
<viric>
(
waern has quit [(Quit: leaving)]
bennofs has joined #nixos
gnuhurd has joined #nixos
<makefu>
michaelpj_: yes I know about `man configuration.nix` but it is not nearly as convenient as the website, especially when you are not 100% sure what you are searching for.
ison111 has quit [(Ping timeout: 258 seconds)]
phinxy has joined #nixos
roberth has joined #nixos
sellout- has joined #nixos
<LnL>
lol, so I have a go binary that panics because we remove the references to its source
<Phillemann>
I'm trying to nixos-rebuild switch --upgrade, but compiling some package fails. From the console output, I'm not sure _which_ package that is, however.
<Phillemann>
Ah, wait, I missed some lines of output telling me which one.
<Phillemann>
Okay, so it's noto-fonts-emoji. Can I somehow just update this one package (to isolate the failure)?
gnuhurd has quit [(Remote host closed the connection)]
gnuhurd has joined #nixos
<Phillemann>
Or maybe the package with its closure.
gm152 has quit [(Ping timeout: 246 seconds)]
<srhb>
Phillemann: Sure, nix-env or nix-build
<srhb>
nix-build '<nixpkgs>' -A noto-fonts-emoji
roundhouse has joined #nixos
<Phillemann>
Ah, thanks!
<srhb>
Phillemann: Looks like a segfault in optipng...
<srhb>
Fun.
<Phillemann>
I'm creating an issue for that right now.
<gnuhurd>
so now I have `(emacsWithPackages (epkgs: [ erlang ]))', and it still doesn't work
<gnuhurd>
with what I had before but instead of erlang, I had nix-mode, nix-mode worked perfectly and I could require it from my init file
gnuhurd has left #nixos ["Killed buffer"]
gnuhurd has joined #nixos
justbeingglad has left #nixos []
<srhb>
gnuhurd: Did you mean epkgs.erlang?
mbrgm_ has joined #nixos
<gnuhurd>
oh... right
gnuhurd has quit [(Remote host closed the connection)]
<mbrgm_>
hey! does someone have an explanation for why `nix-build '<nixpkgs>' -A libproxy` fails for me on latest nixos-unstable, while building inside a shell by invoking the individual build phases succeeds?
<srhb>
mbrgm_ Does it work with nix-shell --pure ?
gnuhurd has joined #nixos
<gnuhurd>
that still didn't work, I can't (require 'erlang-start)
<srhb>
mbrgm_: It builds correctly for me on 17.09.git.059d722 (Hummingbird)
newhoggy has joined #nixos
<mbrgm_>
srhb: yeah, also works with --pure
NixOS_GitHub has joined #nixos
<NixOS_GitHub>
[nixpkgs] peterhoeg pushed 1 new commit to master: https://git.io/v77W9
<NixOS_GitHub>
nixpkgs/master 806af3d Peter Hoeg: syncthing: 0.14.32 -> 0.14.36
NixOS_GitHub has left #nixos []
<gchristensen>
mbrgm_: what happens?
<mbrgm_>
oh shsh, I'm sorry :-/... rebased a custom branch after pulling and was on that branch
<mbrgm_>
damn ^^
<mbrgm_>
srhb: thx for pointing me to check the hash!
<srhb>
mbrgm_ :-) Happy to help.
nh2 has joined #nixos
<srhb>
gnuhurd: I cannot reproduce that.
<srhb>
gnuhurd: I did this: nix-shell -p 'pkgs.emacsWithPackages (epkgs: [ epkgs.erlang ])'
<srhb>
gnuhurd: Afterwards I can (require 'erlang-start)
<srhb>
gnuhurd: Without epkgs.erlang, it fails (as expected)
<srhb>
gnuhurd: I'm on nixos-unstable, for the record.
<gnuhurd>
I am on nixos-unstable as well, I put this line in my environment.systemPackages part in /etc/nixos/configuration.nix
<srhb>
gnuhurd: Which line?
<gnuhurd>
(emacsWithPackages (epkgs: [
<gnuhurd>
epkgs.erlang
<gnuhurd>
]))
<mbrgm_>
humm... breakage occured after cherry-picking 748589bf60feb00f54c325503e87771754bdc044 onto nixos-unstable
<srhb>
gnuhurd: Are you shadowing that emacs with another emacs perhaps?
<mbrgm_>
FRidh: ^
eschnett has joined #nixos
<gnuhurd>
that might be a problem srhb
ylwghst has quit [(Ping timeout: 248 seconds)]
<gnuhurd>
I have another emacs in my environment.systemPackages
<srhb>
gnuhurd: Sounds likely then, yes. :)
<gnuhurd>
alright, I'll try it and come back to thank you
gnuhurd has quit [(Remote host closed the connection)]
<Infinisil>
You mention that your image looks a lot more like NixOS, in what sense does it not?
mbrgm has joined #nixos
justelex has joined #nixos
<Infinisil>
I should probably just look at it myself tbh
<LnL>
the nixos/nix image is just alpine + nix
<LnL>
mine doesn't have stuff in global stuff except for /bin/sh and /usr/bin/env
<Infinisil>
LnL: Hmm, where is the source of this base image? I can't find it in your repo
mbrgm_ has quit [(Quit: WeeChat 1.9)]
<Infinisil>
The thing that actually installs nix & co.
<LnL>
it's generated by nix and uses the dockerTools :D
<Infinisil>
Oh lol
bennofs1 has quit [(Ping timeout: 246 seconds)]
jensens has quit [(Ping timeout: 240 seconds)]
<Infinisil>
LnL: I somehow still don't fully grasp docker images. But would it be possible to have a full NixOS running in docker?
<LnL>
systemd doesn't work in docker
bfrog has joined #nixos
<Infinisil>
Ahh, so docker is just some half-baked VM, for running single programs
ona has quit [(Quit: ...)]
newhoggy has joined #nixos
<catern>
Infinisil: though keep in mind that other container mechanisms do support running a full NixOS. but Docker restricts itself to "application containers", i.e. a terrible hack that people who don't use Nix use to manage their dependencies :)
newhoggy has quit [(Ping timeout: 240 seconds)]
<catern>
for a single application at a time
<catern>
(which might be multiple processes)
<Infinisil>
I see
<Infinisil>
What other container mechanisms are you talking about?
<NixOS_GitHub>
[nixpkgs] rickynils pushed 1 new commit to release-17.03: https://git.io/v77uF
<NixOS_GitHub>
nixpkgs/release-17.03 65752b2 Franz Pletz: sudo: 1.8.20p1 -> 1.8.20p2...
NixOS_GitHub has left #nixos []
newhoggy has quit [(Ping timeout: 240 seconds)]
bfrog has quit [(Quit: WeeChat 1.9)]
vandenoever has quit [(Ping timeout: 276 seconds)]
<catern>
Infinisil: rkt and lxc are two
<catern>
Infinisil: containers that can run systemd (and in general are equivalent in power to a full VM) are sometimes called "operating system containers"
<dash>
docker is, in general, a poor man's substitute for nix ;)
<Infinisil>
catern: Then what's the difference between a VM and such a container?
<dash>
Infinisil: a VM simulates an entire machine
<dash>
containers just provide some separate namespaces for processes to use
<dash>
same kernel, no significant security isolation, etc
<Infinisil>
Hmm alright, are there any significant downsides to containers then?
newhoggy has joined #nixos
<Infinisil>
I guess less flexibility
<Infinisil>
Alright I got it
<Infinisil>
Gonna use nixos containers while in nixos land :D
bgamari has joined #nixos
<catern>
all of this is silliness though :) IMO Nix replaces containers for the most part :) just need to pair it with a sandboxing story
<Infinisil>
Yeah, I'm more thinking about other operating systems
<catern>
dash: containers are fairly significant security isolation - much more than regular processes at the moment, unfortunately...
<gchristensen>
"containers" is not a bad word
rauno has joined #nixos
<gchristensen>
divorce "container" from "docker"
newhoggy has quit [(Ping timeout: 246 seconds)]
<catern>
IMO it is a bad word :) I prefer Nix-like things for application deployment, and more granular sandboxing for security (like capability security things like Capsicum/CloudABI). unfortunately while Nix is ready for production, the latter is not
<catern>
so we have to use the poorly designed "container" idea
peacememories has quit [(Quit: My MacBook has gone to sleep. ZZZzzz…)]
<Infinisil>
I had a problem some months ago: University distributed a full Ubuntu VM to run jdk6 and 2 libraries, because they didn't know any better
<Infinisil>
I was pretty new to nix at that time, so I sadly wasn't able to write a nix expression for it
<Infinisil>
And I didn't know much docker, so I couldn't do that either
<Infinisil>
It needs to run on windows as well
newhoggy has joined #nixos
<Infinisil>
If something happened again, I'd use LnL's nix docker image, best of both worlds (portability + nix)
bennofs1 has joined #nixos
<Infinisil>
Oh and their VM was 3GB.. and super friggin slow to run on my poor laptop, it was horrible and I was so discouraged that I avoided it as much as I could
erictapen has quit [(Remote host closed the connection)]
<Infinisil>
Oh and something else: jdk6 doesn't exist in nix..
<LnL>
gchristensen: well it's pretty overloaded since it's used for both the image format and the execution sandbox
erictapen has joined #nixos
<gchristensen>
yeah :/
newhoggy has quit [(Ping timeout: 246 seconds)]
<hodapp>
I still end up having to use Docker to run things that just don't play nice or are royal pains to install because they want to be like an octopus with its tentacles all over every part of the system
MercurialAlchemi has quit [(Ping timeout: 258 seconds)]
<adisbladis>
catern: You can apply pretty much all of what container solutions provide via systemd units :)
<adisbladis>
A well written systemd unit file is not that far from being a container
<Infinisil>
I really need to have a closer look at systemd unit files, it seems they are pretty powerful
* hodapp
goes to make popcorn for the ensuing systemd argument
newhoggy has joined #nixos
<hodapp>
adisbladis: but how much can one isolate in a systemd unit file?
<adisbladis>
hodapp: Pretty damn much. You can do syscall filtering, private tmp, protecting readable/writable directories (basically giving the process its complete own view of the system), setting up capabilities, doing all the normal cgroup things like process and memory limitations
<adisbladis>
Granular access to devices etc etc
newhoggy has quit [(Ping timeout: 260 seconds)]
freusque has quit [(Quit: WeeChat 1.7.1)]
NixOS_GitHub has joined #nixos
<NixOS_GitHub>
[nixpkgs] joachifm pushed 2 new commits to master: https://git.io/v77wk
<NixOS_GitHub>
nixpkgs/master c27f692 Chris Hodapp: opencv: Add optional Tesseract support
<NixOS_GitHub>
nixpkgs/master 16f6913 Joachim F: Merge pull request #27011 from Hodapp87/opencv_tesseract...
NixOS_GitHub has left #nixos []
<Infinisil>
adisbladis: Whoa, how does it do the directory thing? (And how do I google that?)
NixOS_GitHub has joined #nixos
<NixOS_GitHub>
[nixpkgs] zimbatm pushed 1 new commit to master: https://git.io/v77wt
<adisbladis>
Iirc it needs about 15G or something like that
<shapr>
hodapp: what does that mean? it did a good job at finding builds that are awful?
<Ankhers>
That kinda sucks. I guess I will give OSX some space then and just dual boot.
<indefini1>
adisbladis: Ankhers: I have osx installed on an external disk, that shouldn't prevent firmware updates, right?
<hodapp>
shapr: Nix runs builds in environments where a lot of builds that do silly things tend to break
<shapr>
ohh
<Ankhers>
But I first need to find a decent setup. I haven't used linux as a main computer in years :(
<adisbladis>
indefini1: As long as you can boot it it's fine
<hodapp>
e.g. try to write files all over the place, try to access stuff on the Internet when they should only be compiling
Kingsquee has joined #nixos
<hodapp>
do ad-hoc dependency management
<shapr>
now I'm even more interested
<indefini1>
adisbladis: Alright then, full nixos disk it shall be then
<hodapp>
shapr: it's interesting except when you just need things to work :|
<indefini1>
But, I have a MacBook Air from 2012, I doubt there's gonna be much firmware upgrades
<shapr>
yeah, that's why I'm a bit wary
<hodapp>
it doesn't come up much with me, and I do still have the option of just running it in a container or *not* packing something up neatly as a proper Nix build
<indefini1>
Isorkin: That's totally not what you should do. You can just use the users zsh config dir
<hodapp>
but I tend to try to solve it properly
newhoggy has joined #nixos
<indefini1>
Isorkin: That is, ~/.zshrc, that file gets sourced by zsh automatically by default
<catern>
adisbladis: yes, that's true, systemd is a really great way to get isolation/sandboxing without a full container... but my issue is that it only works for system services - you can't use systemd as an unprivileged user
<adisbladis>
Infinisil: Yes quite a lot should be available, but capabilities for example reasonably shouldn't
<catern>
adisbladis: they don't have the security things
<catern>
any of them
<catern>
at least without user namespaces being enabled
<catern>
but user namespaces are mega-insecure
<Infinisil>
catern: How so?
<bennofs1>
Infinisil: most applications don't expect them
magnetophon has joined #nixos
ison111 has joined #nixos
<bennofs1>
Infinisil: for example, you can fake paths with userns + unsharing the mount namespace (allowing the user to do chroot)
<Infinisil>
Isorkin: And why do you copy the file manually?
<Infinisil>
This should all be managed by nixos
<Infinisil>
bennofs1: Ohh, I'm actually doing that for something
proteusguy has quit [(Remote host closed the connection)]
<Isorkin>
indefini: I do not know how to fix the error in the config
<Infinisil>
Isorkin: Which error?
<magnetophon>
is it possible to do "nixos-rebuild switch -p profileName -I nixos-config=/config" without making it the default boot? So IOW: just build and put it in the GRUB sub-menu.
<Isorkin>
Infinisil: autocompletion does not work
proteusguy has joined #nixos
<avn>
magnetophon: boot -- add to menu w/o switch, test -- switch without modify boot menu
<avn>
switch does both
python47` has joined #nixos
<Infinisil>
magnetophon: And there's also --install-bootloader (don't know exactly what it does though)
erictapen has quit [(Ping timeout: 255 seconds)]
newhoggy has joined #nixos
<adisbladis>
catern: TIL. Did not know they are not available.
<magnetophon>
avn, Infinisil: thanks. but what I mean is: when you switch (and presumably also when you boot) with a "-p" flag, to put it in a GRUB submenu, it also gets added to the grub main menu, so IOW it becomes the default boot. I don't want that, I want it only in the submenu. Is that possible?
<Infinisil>
magnetophon: I think you need grub.extraEntries for that
newhoggy has quit [(Ping timeout: 240 seconds)]
<magnetophon>
Infinisil: I know that as a way to put other distros in GRUB. can you also link that to a NixOS build?
<Infinisil>
magnetophon: I'm 70% certain that's possible, but I don't know how. Since the system should be just another derivation, it should also have an $out path somewhere, and that's where the initrd and stuff is located, which I think the grub entries need
nix-gsc-io`bot has joined #nixos
<joepie91>
very much worth a watch for those interested in OS-level security and isolation: https://www.youtube.com/watch?v=Nr2h9eigpqA -- tl;dr, Genode, an OS that implements capability-based security throughout (with processes requesting resources and permissions from their parent processes, with the parents being responsible for delegated resources/permissions), allowing for isolation and/or restrictions at arbitrary levels
* Infinisil
puts that video on his Watch Later list
newhoggy has joined #nixos
ixxie has joined #nixos
newhoggy has quit [(Ping timeout: 255 seconds)]
dbe has joined #nixos
vandenoever has joined #nixos
vandenoever has quit [(Changing host)]
vandenoever has joined #nixos
zraexy has joined #nixos
newhoggy has joined #nixos
newhoggy has quit [(Ping timeout: 248 seconds)]
bgamari has joined #nixos
newhoggy has joined #nixos
snikkers has quit [(Ping timeout: 258 seconds)]
newhoggy has quit [(Ping timeout: 255 seconds)]
afics has quit [(Quit: afics)]
ij has quit [(Ping timeout: 240 seconds)]
afics has joined #nixos
bgamari has quit [(Ping timeout: 240 seconds)]
<michalrus>
So I removed a partition which UUID is listed in boot.filesystems… And now I’m stuck in a ‘you’re in an emergency mode’ loop. :\ When I run `systemd default`, it gets back to emergency mode after ~2 minutes. Too little to do nixos-rebuild without that line.
<michalrus>
What to do? :/
<mog>
michalrus, what if you boot an older revision and fix it?
<michalrus>
I had this partition from the very beginning…
<michalrus>
But why does it loop back to ‘welcome to emergency mode’ message after 2 minutes? I’m in the middle of fixin’ it, goddamit! =)
<Infinisil>
michalrus: Why are you rebooting while it's not fixed?
<michalrus>
I’m not. It’s doing it on its own. Somehow.
python47` has quit [(Remote host closed the connection)]
<michalrus>
But not full reboot, just back to ‘you’re in an emergency mode’ message.
newhoggy has joined #nixos
<Infinisil>
Wait, are you removing a partition currently in use by the system?
<michalrus>
And most services get restarted.
<michalrus>
No.
* Infinisil
doesn't really understand the problem
<michalrus>
Me neither, TBH.
<michalrus>
:c
<catern>
Infinisil: user namespaces allow you to make your unprivileged user appear as root and have access to a few extra root-only functionalities. that is the intended use case, but it has had a ton of security problems in the kernel, where other syscalls were not properly checking your *real* credentials, but only your apparent (root) credentials, so you got access to those syscalls
<michalrus>
Infinisil: I physically removed a partition which is still listed in configuration.nix. The system won’t boot.
<michalrus>
More/less.
python476 has joined #nixos
<Infinisil>
catern: Hmm, does that mean a program that uses this functionality, run with user privileges, has access to certain syscalls as root?
<Infinisil>
Because that could be literally any program
ij has joined #nixos
<catern>
Infinisil: yes
<Infinisil>
michalrus: Well that does seem like something that could give you problems, there's systemd targets and stuff made for these filesystems
<michalrus>
Indeed, so how to fix this, if *for some reason* it keeps throwing me out of emergency console, and getting back to the ‘welcome to emergency mode’ message?
<Infinisil>
catern: That seems very bad, but why isn't this seemingly huge security hole fixed? Or is it already?
<michalrus>
That loop seems pretty useless. :)
newhoggy has quit [(Ping timeout: 246 seconds)]
<Infinisil>
michalrus: You could boot from a USB stick :)
<michalrus>
This is a very strange laptop, it won’t. :\
<Infinisil>
michalrus: How did you install nixos on it?
<michalrus>
Gets stuck on some kernel line.
<michalrus>
Infinisil: by taking the drive out. :P
<michalrus>
But it’s a lot of work.
<Infinisil>
Oh damn
<michalrus>
Yeah…
<Infinisil>
I also had problems with certain usb disks before, some of them work, some of them don't
<catern>
Infinisil: some syscalls that can currently be only used as root, are actually safe for unprivileged users to use, as long as they are used in the slightly-restricted environment of a user namespace. for example, setuid executables don't function inside user namespaces, and you can't ptrace things outside the user namespace. those are two restrictions that make things safer.
<catern>
but other syscalls are always unsafe even with those restrictions
<michalrus>
clever: I’ll just run nixos-install on that drive. :p
betaboon has quit [(Quit: This computer has gone to sleep)]
hotfuzz_ has joined #nixos
newhoggy has quit [(Ping timeout: 260 seconds)]
hotfuzz has quit [(Ping timeout: 246 seconds)]
zeus_ has joined #nixos
zeus_ has quit [(Remote host closed the connection)]
zeus_ has joined #nixos
simukis_ has quit [(Ping timeout: 246 seconds)]
bgamari has joined #nixos
ertes-w has quit [(Ping timeout: 240 seconds)]
bgamari has quit [(Client Quit)]
__Sander__ has quit [(Quit: Konversation terminated!)]
newhoggy has joined #nixos
<Ankhers>
Infinisil: That should be fairly easy to build, no? (the bot)
justelex has quit [(Ping timeout: 246 seconds)]
Mercuria1Alchemi has joined #nixos
Sonarpulse has joined #nixos
ison111 has joined #nixos
goibhniu has quit [(Ping timeout: 240 seconds)]
newhoggy has quit [(Ping timeout: 248 seconds)]
<Infinisil>
Ankhers: I have no idea how to integrate it into this channel
seagreen has quit [(Ping timeout: 246 seconds)]
<Infinisil>
But the bot itself would be pretty trivial
<Ankhers>
Maybe I will throw one together in the next couple days. I would need permission from at least one of the channel ops to put it in here though.
freusque has joined #nixos
<Infinisil>
Ankhers: Nice :D You have experience with this then?
thblt has joined #nixos
<Ankhers>
Kinda, not really. I haven't done anything "production" with it, but I have toyed with things in the past.
<srhb>
I had a slack bot lying around that evaluated haskell. Though I guess there is no evaluator for nix aside from the nix tools.
<Ankhers>
But it should be as simple as getting an IRC connection, connecting to different channels, and then listening for messages that start with a certain character, like `> 4 + 4` or something simple.
<srhb>
It would be nice if one could use it "as a library"
<Infinisil>
Ankhers: Probably "!" instead, > is often used for quoting
<Ankhers>
Yeah, it was just an example.
<Ankhers>
It doesn't matter what the first char is really.
<Infinisil>
srhb: What do you mean by as a library?
nwuensche has quit [(Quit: Leaving)]
[0x4A6F] has joined #nixos
frankpf has joined #nixos
<srhb>
Infinisil: I meant, in Haskell I could just import some libraries that allowed me to evaluate a String as Haskell code itself. If Nix could work as a library like that, it would be really easy to do something like this :)
<frankpf>
is it possible to redefine an option?
<srhb>
frankpf: Generally no.
<frankpf>
I'm running NixOS on EC2 and I'm trying to redefine services.sshd.permitRootLogin
<sphalerite>
srhb: that exists, it's just a C++ library :p
<frankpf>
but it's already defined in <nixpkgs/nixos/modules/virtualisation/amazon-image.nix>
<frankpf>
can I edit that file?
<srhb>
sphalerite: Oh, nice. Though c++ bindings are difficult :(
<frankpf>
or should I keep my config in /etc/nixos/configuration.nix
<Infinisil>
sphalerite: srhb: Or hnix, a haskell module for nix :D
<sphalerite>
frankpf: you can override that setting using mkForce
<srhb>
Infinisil: Isn't that mostly syntactic?
<srhb>
Infinisil: Huh, apparently not. Cool!
<Infinisil>
srhb: It can evaluate too
<sphalerite>
frankpf: e.g. `services.sshd.permitRootLogin = lib.mkForce false;`
<frankpf>
sphalerite: Thanks
Mercuria1Alchemi has quit [(Ping timeout: 246 seconds)]
<Infinisil>
srhb: But I think for this bot a simple `nix-instantiate` should be enough
<srhb>
Indeed.
<Infinisil>
I'll go eat, bbl
<frankpf>
sphalerite: But then nixos-rebuild complains about lib being undefined
<clever>
frankpf: add lib to the arguments on line 1 of the file
<M1k3y>
Hello, just getting started with nixos. I want a script to run every time the config changes. Tried using activationScripts. The script executes, but it can't find the tool "tar". When running manually it works. What am I missing here?
<ToxicFrog>
M1k3y: activation scripts (and scripts in configuration.nix in general) don't run with the same $PATH you have as a user.
<clever>
michalrus: what are you trying to do with the activation script? those run extremely early in the boot
<sphalerite>
M1k3y: it presumably has an empty PATH. Refer to the full path to tar
<ToxicFrog>
Use ${pkgs.tar}/bin/tar or similar rather than just `tar`.
<M1k3y>
sounds logic, will try. Thanks for the quick help.
<frankpf>
clever: that worked, but nixos-rebuild is still complaining about me redefing openssh.permitRootLogin.
<frankpf>
redefining*
<clever>
frankpf: what did you put into configuration.nix?
<frankpf>
The unique option `services.openssh.permitRootLogin' is defined multiple times, in `/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/rename.nix' and `/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/virtualisation/amazon-image.nix
<clever>
frankpf: try setting services.openssh rather than services.sshd
<clever>
this sounds like a bug in the rename module not allowing overrides
<M1k3y>
ok, your solution kind of worked. Now it's finding the tar command, but can't find "gzip", which is getting called since my script unpacks a .tar.gz "tar (child): gzip: Cannot exec: No such file or directory"
<clever>
M1k3y: why are you trying to unpack a tar so early in the boot?
<adisbladis>
M1k3y: tar -z -j etc are actually just shelling out to gzip and bzip2, so you can just explicitly do that instead
<adisbladis>
But I'm thinking the same as clever.. It doesn't really feel right
FRidh has quit [(Quit: Konversation terminated!)]
<clever>
I've seen somebody break the system so hard it couldn't even find systemd, because he tried to do networking in the activation script
bennofs1 has quit [(Ping timeout: 240 seconds)]
hotfuzz_ is now known as hotfuzz
<M1k3y>
clever: I'm using this to deploy some files to all home directories and check for some files. This action only runs on initial installation or when there are new users on the system.
<clever>
M1k3y: i think a systemd unit would be better for that, set the type to one-shot
<clever>
the activation scripts may run before the users have even been created
<srhb>
I've done something similar with systemd one-shots too, works quite well. :)
<clever>
they can even run before you have a /etc or /home directory
<M1k3y>
good to know. I'll look into the systemd one-shots then.
<shapr>
ok, I just realized the reason the NixOS manual starts out describing the configuration system, is that the entire OS is effectively chef/puppet.. I should have realized that earlier.
dhess has quit [(Remote host closed the connection)]
dhess has joined #nixos
<clever>
sphalerite: something of note, nixos-install --chroot doesn't work on nixos-unstable right now
<sphalerite>
was that highlight meant for me?
<clever>
yeah
<clever>
the topic had come up lastnight
<sphalerite>
oooh right
<clever>
but it turns out we were both wrong, because it's broken
erictapen has quit [(Remote host closed the connection)]
erictapen has joined #nixos
erictapen has quit [(Remote host closed the connection)]
bennofs1 has joined #nixos
erictapen has joined #nixos
ison111 has quit [(Ping timeout: 255 seconds)]
ona has joined #nixos
FRidh has joined #nixos
ison111 has joined #nixos
vandenoever has quit [(Ping timeout: 248 seconds)]
ylwghst has quit [(Quit: Lost terminal)]
bgamari has joined #nixos
pxc has quit [(Ping timeout: 240 seconds)]
newhoggy has joined #nixos
pxc has joined #nixos
bgamari has quit [(Client Quit)]
newhoggy has quit [(Ping timeout: 246 seconds)]
NixOS_GitHub has joined #nixos
<NixOS_GitHub>
[nixpkgs] layus opened pull request #28266: grisbi: init at 1.0.2 (master...grisbi-init) https://git.io/v75J1
NixOS_GitHub has left #nixos []
bgamari has joined #nixos
Mercuria1Alchemi has joined #nixos
<aristid>
sphalerite: i think "ip" is one of the most annoying commands for me
ison111 has quit [(Ping timeout: 240 seconds)]
newhoggy has joined #nixos
Myrl-saki has quit [(Ping timeout: 248 seconds)]
bgamari has quit [(Client Quit)]
* bennofs1
thinks ss is worse
bennofs1 is now known as bennofs
bgamari has joined #nixos
<sphalerite>
lsof ftw
newhoggy has quit [(Ping timeout: 240 seconds)]
magnetophon has quit [(Ping timeout: 255 seconds)]
<aristid>
sphalerite: lsof can do what netstat/ss can do?
<aristid>
bennofs: netstat -nltup is still what i know :D
<sphalerite>
idk the details of what netstat/ss can do, but it can certainly list all the connections that processes have open (lsof -i) and has various filtering options too
DutchWolfie has joined #nixos
DutchWolfie has quit [(Changing host)]
DutchWolfie has joined #nixos
newhoggy has joined #nixos
<sphalerite>
`lsof -iTCP -sTCP:LISTEN` does what you would probably guess it does
bgamari- has joined #nixos
<aristid>
bennofs: ss -nltup works
erictapen has quit [(Ping timeout: 255 seconds)]
<aristid>
bennofs: so i think ss is great!
<aristid>
it can do what i know that netstat can do, with fewer characters to type!
<adelbertc>
Is there a way to have a default Xresources which Nix applies for everyone?
<Infinisil>
I'm just trying to debug an xmonad problem
newhoggy has quit [(Ping timeout: 276 seconds)]
<Infinisil>
Trying to get a second xmobar running
<Infinisil>
And damn, xmobar putting a *compiled* binary in ~/.xmonad is really ugly
<srhb>
Infinisil: Uglier than xmonad doing it? :-P
newhoggy has joined #nixos
<Infinisil>
Ugh
<Infinisil>
Especially on nixos
<catern>
what is wrong with that
<catern>
that is perfectly ok
<srhb>
I also don't find it problematic.
<catern>
though maybe, given Nix, you maybe should just stick it in the store instead?
<catern>
and symlink to it?
<Infinisil>
Well it's not that bad really, but on nixos usually binaries live in the store
<Infinisil>
yes
<Ankhers>
But xmonad recompiles itself based on a user config. Where would that go in the store?
<catern>
xmonad shouldn't recompile itself, a small Nix derivation should do it for it :)
<Infinisil>
Good argument
<srhb>
It could recompile itself, but it should use nix-build
<Infinisil>
Yeah, and not recompile if the config didn't change
<srhb>
nix-build should take care of that, no?
<Infinisil>
the standard key command does `xmonad --recompile; xmonad --restart`
<srhb>
As in, it would be a no-op.
<Infinisil>
Yeah
M1k3y has quit [(Ping timeout: 260 seconds)]
<catern>
can you get nix-shell to build the expression you pass it? then you could do nix-shell xmonad.nix --run xmonad
<catern>
or something like that
<srhb>
I think with the recent changes to xmonad to support stackified deployments, it might actually not be too hard to make these changes to support nix-build
<srhb>
How do I tell which haskell packagesets are cached at any given point?
<bennofs>
srhb: look at hydra? :D
<sphalerite>
Anyone got lxc working on nixos? I've got a debian container I unfortunately need to run and I'm having some difficulties
<srhb>
bennofs: More specifically? :-)
bgamari has joined #nixos
<sphalerite>
Specifically, I'm getting: lxc-start 20170814201257.973 ERROR lxc_conf - conf.c:setup_rootfs:1194 - No such file or directory - Failed to access to "/var/lib/lxc/rootfs". Check it is present.
<srhb>
For now, the mysterious explanation I will go with is that lens is somehow explicitly cached and therefore a large percentage of Hackage is also cached. :-)
<bennofs>
srhb: i believe lens is a dependency of language-nix :)
kiloreux has joined #nixos
ylwghst has quit [(Remote host closed the connection)]
<srhb>
I'll buy it.
<clever>
the nix source tarball also depends on shellcheck, which pulls in a decent amount of haskell (unknown ghc version)
roberth has quit [(Ping timeout: 240 seconds)]
<srhb>
It's just really strange to try and reconstruct the tree and try to match it with the "observed cached" packages, but I guess there really is no good way of determining it. :)
ylwghst has joined #nixos
<clever>
srhb: i think you would need root on hydra to find it easily
* srhb
nods
justbeingglad has joined #nixos
justbeingglad has left #nixos []
<bennofs>
we would need a reverse dependency db for that
<srhb>
I wish we had infinity capacity.
<srhb>
Nix is theoretically so good for testing backwards compatibility with multiple ghc versions with some CI service
<bennofs>
one more reason to just set up some server that streams every nar that is built by hydra and stores info about it in some db :=)
MP2E has quit [(Read error: Connection reset by peer)]
erictapen has quit [(Ping timeout: 255 seconds)]
<srhb>
Yeah.
<clever>
there is an api url in hydra that spits out the storepath for every job in an eval
<clever>
the programs.sqlite util used that
MP2E has joined #nixos
<bennofs>
clever: oh? but afaik, it only contains jobids, right?
anelson_ has joined #nixos
Geeky[m] has joined #nixos
<bennofs>
clever: i'd kinda want the info about the job as well
<bennofs>
but don't think it'd be good to fetch every job detail page individually from hydra, may be a bit too much load :)
newhoggy has joined #nixos
<clever>
one min
DutchWolfie has quit [(Quit: Konversation terminated!)]
Capprentice has quit [(Remote host closed the connection)]
Capprentice has joined #nixos
ShalokShalom has quit [(Read error: Connection reset by peer)]
<anelson_>
hi guys, I'm on CentOS, I compiled a version of nix with storeDir = /tmp/nix/store, and when I use it to build e.g. `pkgs.bash` I'm seeing something really weird when I `ldd` the bash binary
<clever>
bennofs: it returns a json list of every storepath in the eval
<anelson_>
It lists libdl.so.2 and libc.so.6 pointing at nix store objects, which is great, but then it has a third entry where the *name* of the library is a nix store path, but the path after the => is *not* a nix store path
<anelson_>
specifically it says /tmp/nix/store/1qqd5d9bab6cd4glmpmijdviqc4k4qdx-glibc-2.25/lib/ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2
<bennofs>
clever: right. you can also get this by just fetching store-paths.xz from the channel path :)
ShalokShalom has joined #nixos
<bennofs>
clever: i want some info for it though: reverse-dependencies, job name, system etc
<clever>
bennofs: and once you have that from either source, you can query each narinfo on the binary cache, to form the runtime dep trees
<bennofs>
clever: oh right, reverse deps are actually easy
<clever>
but that won't help with build-time only deps
newhoggy has quit [(Ping timeout: 248 seconds)]
sigmundv__ has quit [(Ping timeout: 248 seconds)]
<bennofs>
ah, drvs are not cached :/
<bennofs>
clever: still, you won't get the job name <-> store path association from it
<clever>
yeah
jensens has joined #nixos
Capprentice has quit [(Ping timeout: 240 seconds)]
<clever>
was going to bring up nix-index, then i remembered the github url, lol
<bennofs>
it was actually one of my thoughts for getting the package names from store paths for nix index (you could get it from the hydra job name)
<clever>
bennofs: this requires no special config on the host, and will spit out a json mapping job names to drv files
<clever>
and it will populate the host store with those drv's
<bennofs>
clever: that's... kind of what nix-index does :)
<clever>
it can also optionally GC root each drv it creates
<bennofs>
clever: but it's slow
<bennofs>
and also fails whenever nixpkgs has an eval error (granted, i could perhaps fix that with some try eval, but then it gets even slower)
<bennofs>
clever: and it depends on exact hash matches
<clever>
yeah
<clever>
you would need to fetch the same nixpkgs hydra/channel has
newhoggy has quit [(Ping timeout: 240 seconds)]
Ivanych has quit [(Ping timeout: 255 seconds)]
ylwghst has quit [(Quit: Lost terminal)]
bennofs1 has joined #nixos
gnuhurd has quit [(Remote host closed the connection)]
gnuhurd has joined #nixos
bennofs has quit [(Ping timeout: 248 seconds)]
hl has quit [(Ping timeout: 240 seconds)]
ninegua[m] has quit [(Ping timeout: 246 seconds)]
newhoggy has joined #nixos
taktoa has joined #nixos
ycy[m] has quit [(Ping timeout: 246 seconds)]
etcinit[m] has quit [(Ping timeout: 240 seconds)]
StuK[m] has quit [(Ping timeout: 240 seconds)]
trikl[m] has quit [(Ping timeout: 240 seconds)]
Barnabas[m] has quit [(Ping timeout: 240 seconds)]
Exee7uvo[m] has quit [(Ping timeout: 258 seconds)]
dalaing has quit [(Ping timeout: 258 seconds)]
ptotter[m] has quit [(Ping timeout: 258 seconds)]
sudoreboot[m] has quit [(Ping timeout: 258 seconds)]
timclassic has quit [(Ping timeout: 258 seconds)]
florianjacob has quit [(Ping timeout: 258 seconds)]
rnhmjoj[m] has quit [(Ping timeout: 258 seconds)]
Drakonis[m] has quit [(Ping timeout: 246 seconds)]
NickHu has quit [(Ping timeout: 246 seconds)]
thematter[m] has quit [(Ping timeout: 246 seconds)]
copumpkin has quit [(Ping timeout: 246 seconds)]
spacekitteh[m] has quit [(Ping timeout: 246 seconds)]
primeos[m] has quit [(Ping timeout: 246 seconds)]
Geeky[m] has quit [(Ping timeout: 246 seconds)]
reactormonk[m] has quit [(Ping timeout: 246 seconds)]
ArdaXi[m] has quit [(Ping timeout: 246 seconds)]
musicmatze[m] has quit [(Ping timeout: 246 seconds)]
octalsrc[m] has quit [(Ping timeout: 255 seconds)]
bendlas has quit [(Ping timeout: 255 seconds)]
matrixkrav has quit [(Ping timeout: 240 seconds)]
wak-work has quit [(Ping timeout: 240 seconds)]
jsv[m] has quit [(Ping timeout: 240 seconds)]
revoltmedia[m] has quit [(Ping timeout: 240 seconds)]
sphalerite has quit [(Ping timeout: 240 seconds)]
indefini has quit [(Ping timeout: 240 seconds)]
TimePath has quit [(Ping timeout: 240 seconds)]
chominist[m] has quit [(Ping timeout: 255 seconds)]
jlle[m] has quit [(Ping timeout: 240 seconds)]
Guest65834 has quit [(Ping timeout: 240 seconds)]
ylwghst has joined #nixos
danielrf has quit [(Ping timeout: 246 seconds)]
seif[m] has quit [(Ping timeout: 246 seconds)]
kainospur[m] has quit [(Ping timeout: 246 seconds)]
BurNiinTRee[m] has quit [(Ping timeout: 246 seconds)]
sargon[m] has quit [(Ping timeout: 246 seconds)]
berot3[m] has quit [(Ping timeout: 246 seconds)]
regnat[m] has quit [(Ping timeout: 246 seconds)]
magnap has quit [(Ping timeout: 246 seconds)]
Naughtmare[m] has quit [(Ping timeout: 258 seconds)]
adisbladis[m] has quit [(Ping timeout: 246 seconds)]
hedning[m] has quit [(Ping timeout: 246 seconds)]
sk23[m] has quit [(Ping timeout: 276 seconds)]
AmineChikhaoui[m has quit [(Ping timeout: 240 seconds)]
icetan has quit [(Ping timeout: 240 seconds)]
qtness[m] has quit [(Ping timeout: 240 seconds)]
AdamSlack[m] has quit [(Ping timeout: 240 seconds)]
lecorpsnoir[m] has quit [(Ping timeout: 240 seconds)]
peterhoeg has quit [(Ping timeout: 240 seconds)]
Ralith has quit [(Ping timeout: 240 seconds)]
unlmtd has quit [(Ping timeout: 240 seconds)]
davidar has quit [(Ping timeout: 240 seconds)]
zimbatm has quit [(Ping timeout: 240 seconds)]
baconicsynergy[m has quit [(Ping timeout: 264 seconds)]
WinterFox[m] has quit [(Ping timeout: 264 seconds)]
Kallegro[m] has quit [(Ping timeout: 264 seconds)]
eqyiel[m] has quit [(Ping timeout: 240 seconds)]
corngood has quit [(Ping timeout: 240 seconds)]
dash has quit [(Ping timeout: 240 seconds)]
Sovereign_Bleak has quit [(Ping timeout: 240 seconds)]
herzmeister[m] has quit [(Ping timeout: 240 seconds)]
aniketd[m] has quit [(Ping timeout: 255 seconds)]
hendrik[m]1 has quit [(Ping timeout: 255 seconds)]
dtz has quit [(Ping timeout: 255 seconds)]
bachp has quit [(Ping timeout: 255 seconds)]
xj9[m] has quit [(Ping timeout: 255 seconds)]
a123123123[m] has quit [(Ping timeout: 255 seconds)]
wmertens[m] has quit [(Ping timeout: 255 seconds)]
qrilka[m] has quit [(Ping timeout: 255 seconds)]
abbafei[m] has quit [(Ping timeout: 255 seconds)]
cwopel has quit [(Ping timeout: 255 seconds)]
edef[m] has quit [(Ping timeout: 255 seconds)]
spawnthink[m] has quit [(Ping timeout: 246 seconds)]
<roni>
:q
roni has left #nixos []
offlinehacker[m] has quit [(Ping timeout: 264 seconds)]
benkolera has quit [(Ping timeout: 264 seconds)]
M-liberdiko has quit [(Ping timeout: 264 seconds)]
ylwghst has quit [(Client Quit)]
ylwghst has joined #nixos
fiveht has joined #nixos
puffnfresh has quit [(Ping timeout: 246 seconds)]
myklam[m] has quit [(Ping timeout: 240 seconds)]
Oo[m] has quit [(Ping timeout: 258 seconds)]
viaken[m] has quit [(Ping timeout: 258 seconds)]
tommyangelo[m] has quit [(Ping timeout: 246 seconds)]
rycee[m] has quit [(Ping timeout: 246 seconds)]
yochai[m] has quit [(Ping timeout: 246 seconds)]
bhipple[m] has quit [(Ping timeout: 246 seconds)]
DIzFer[m] has quit [(Ping timeout: 246 seconds)]
jyp[m] has quit [(Ping timeout: 246 seconds)]
Yaniel has quit [(Ping timeout: 246 seconds)]
newhoggy has quit [(Ping timeout: 260 seconds)]
admin[m] has quit [(Ping timeout: 258 seconds)]
retrry[m] has quit [(Ping timeout: 258 seconds)]
mhsjlw[m] has quit [(Ping timeout: 258 seconds)]
sziszi[m] has quit [(Ping timeout: 258 seconds)]
dibblego[m] has quit [(Ping timeout: 258 seconds)]
olejorgenb[m] has quit [(Ping timeout: 246 seconds)]
Khorne[m] has quit [(Ping timeout: 246 seconds)]
bgamari has quit [(Ping timeout: 255 seconds)]
JameySharp[m] has quit [(Ping timeout: 246 seconds)]
mtncoder[m] has quit [(Ping timeout: 276 seconds)]
<Infinisil>
Lol
mith[m] has quit [(Ping timeout: 264 seconds)]
scott2 has quit [(Ping timeout: 264 seconds)]
Dezgeg[m] has quit [(Ping timeout: 276 seconds)]
Kirill[m] has quit [(Ping timeout: 276 seconds)]
jack[m]1 has quit [(Ping timeout: 276 seconds)]
AlanPearce[m] has quit [(Ping timeout: 276 seconds)]
Elephant454[m] has quit [(Ping timeout: 276 seconds)]
necronian has quit [(Ping timeout: 276 seconds)]
bennofs[m] has quit [(Ping timeout: 276 seconds)]
Wysteriary[m] has quit [(Ping timeout: 276 seconds)]
sirius[m] has quit [(Ping timeout: 276 seconds)]
cornu[m] has quit [(Ping timeout: 276 seconds)]
pstn has quit [(Ping timeout: 276 seconds)]
aspiwack[m] has quit [(Ping timeout: 276 seconds)]
newhoggy has joined #nixos
<Infinisil>
In the Container section of the NixOS manual, there is this: "Warning: Currently, NixOS containers are not perfectly isolated from the host system. This means that a user with root access to the container can do things that affect the host."
<Infinisil>
Any idea what this is referring to?
<simpson>
It's not a reference. It's the truth itself.
<simpson>
A container, on Linux, is not perfect isolation.
<LnL>
I mentioned that before, you can get out of the container with root
<Infinisil>
How exactly?
<gchristensen>
look up any numerous container exploits :)
<simpson>
Infinisil: By making syscalls while root inside a container. It's not magic, but it's not obvious because the container model is a hybrid of so many different pieces of functionality.
<LnL>
you are sharing the kernel with the host, it's less secure than a vm by design
<Infinisil>
Hmm okay
<Infinisil>
So just not give root to untrusted users and it should be fine
<Infinisil>
Asking regarding Ankhers' nix-bot, which shouldn't be able to trash his machine
<simpson>
Infinisil: You can't just not give root when working with containers. It's a big part of the problem.
<Infinisil>
simpson: Can't a container have a normal user accessible via ssh?
newhoggy has quit [(Remote host closed the connection)]
<simpson>
Infinisil: Sure, but that doesn't make me feel any better about containers as security.
<tilpner>
simpson - With user namespaces you can? (Though the frequent news doesn't inspire confidence in their security either)
<simpson>
Just don't think of containers as a security measure!
<Infinisil>
Hmm alright
<LnL>
^^
<thoughtpolice>
You can do that, but it's more about authority. You generally want processes inside a container to be able to do "root like things", for example, bind to port 80. Why shouldn't it be able to bind to port 80? It's not really port 80 on the host, in a network namespace. It should be "fine", after all.
<simpson>
thoughtpolice: And in a capability system, where we could reason about authority piecemeal, that'd be great. Sadly, Linux "capabilities" are not capabilities.
<thoughtpolice>
The problem is Linux hasn't ever really had an idea of "your uid == 0, but you're not actually root". So in practice, tons of "root level" code throughout the kernel and system assume the root user isn't hostile.
fiveht has quit [(Quit: WeeChat 1.7.1)]
<thoughtpolice>
e.g. people always assumed only Root would ever be able to make certain syscalls, so why harden those syscalls if you're already root? The game was already over. That was true 10 years ago, but not now.
<tilpner>
thoughtpolice - Again, what about user namespaces?
<thoughtpolice>
simpson: I prefer to call Linux capabilities "crapabilities"
<Infinisil>
So we need to rewrite the linux kernel with this in mind
<Infinisil>
Preferably in Rust
<Infinisil>
\s
fiveht has joined #nixos
<thoughtpolice>
tilpner: They suffer from the exact same problem. In fact the scenario I just outlined is a huge problem with user namespaces -- many parts of Linux are not hardened against an attacker who has uid == 0 and is extremely hostile.
<sphalerite_>
ooooh, the matrix bridge is down again. That explains why I haven't seen the updates
fiveht has quit [(Client Quit)]
<Infinisil>
simpson: I haven't watched the talk yet :)
<Infinisil>
sphalerite_: Ahh, i wondered why you left
fiveht has joined #nixos
<thoughtpolice>
This is why systems like grsec completely disabled them. You have code all throughout the kernel that thinks "uid == 0, ok", but doesn't take into consideration things like this. So you get exploits like user-namespaced root users (uid == 0) able to do things like bind mount host folders, etc etc.
<tilpner>
thoughtpolice - But they are the mechanism for "your uid == 0, but you're not actually root", so stating that "Linux hasn't ever really had" them is inaccurate. They're just not very trustworthy
ylwghst has quit [(Quit: Lost terminal)]
<tilpner>
(If you know about implementation details, please tell me if I'm wrong)
<sphalerite_>
meh. I really like matrix but it's not all that reliable :(
<thoughtpolice>
Well, that's fair -- but it's all the same to me, frankly, if exploits pop up on the regular. It will likely take years to suss out all those issues, I imagine. In the mean time, just never assume containers provide security; you can only really assume they provide some level of resource isolation.
<kiloreux>
How can I use a specific commit of nixpkgs as my channel ?
<kiloreux>
I tried adding the commit in the default.nix
<kiloreux>
as well as nix-env -f commit -i
<Infinisil>
You can't
<Infinisil>
channels are already picked out specific commits of nixpkgs
<kiloreux>
is there anyway to install a package only available in the last commits ?
<thoughtpolice>
(I'm hoping one day something like Capsicum (true capability security) will come to Linux, but they've been working on it for years now and I have less and less hope on that front.)
<sphalerite_>
I believe
<kiloreux>
sphalerite_, tried that. Negative.
<simpson>
thoughtpolice: Capsicum and pledge() are probably never coming to Linux. I've been working on a successor to E for a few years so that I can have a capability-safe userspace.
filterfish has quit [(Remote host closed the connection)]
<tilpner>
simpson - Do you know how Genode compares to Qubes?
[0x4A6F] has quit [(Ping timeout: 246 seconds)]
<thoughtpolice>
You could approximate pledge() easily enough for most cases I think if you extended seccomp, but Capsicum is a little harder. That said, the only reason I was under the impression Capsicum would ever come to Linux is because they actually have patches for it... somewhere
<thoughtpolice>
They were still working on that set as recently as last year, IIRC
<sphalerite_>
kiloreux: works for me
<sphalerite_>
kiloreux: how is it not working?
<simpson>
tilpner: Sure; Genode is a capability-based system in the tradition of KeyKOS and EROS, while Qubes is based on more practical, battle-tested, but also historically kinda buggy systems.
<kiloreux>
sphalerite_, well, i submitted a PR for a new package opencore-amr that was accepted a few days ago. And I picked a commit today the last ones and tried installing everything.
<kiloreux>
opencore is still not available
<tilpner>
simpson - Oh. Does that mean not everything in Genode is sandboxed with VirtualBox? I interpreted the "Virtualization" line like that...
<simpson>
tilpner: Maybe it is, but that is 0% of what makes it interesting to me.
<manveru>
anyone here got 64bit wine working?
<simpson>
In the future, if we are in a not-so-dark timeline, it should be possible to be virus-free *and* not need context switches. I will settle for one of two though.
<sphalerite_>
not sure if opencore-amr is the thing you want?
<Infinisil>
simpson: I consider virus-free only a possibility when every program has been written purely functionally, with a good type system to represent what a program can do
<kiloreux>
Okay I will try to delete everything in nix and see :D
<kiloreux>
Thanks for the help.
<Infinisil>
And it being type-checked to make sure it doesn't do anything else
newhoggy has quit [(Ping timeout: 276 seconds)]
<simpson>
Infinisil: Why do you think that either of those things prevent viruses? Do you know about confused deputies?
<thoughtpolice>
I admit, I don't fully 'get' Qubes security model. It is supposed to use AppVMs or whatever to isolate applications, but isolation isn't really what I want. If someone sends me an exploit for Thunderbird's Gecko engine -- who cares if it can or cannot read my ~/.ssh or something? It already has my mail spool. And presumably that AppVM will happily open a socket to send my spool to a server somewhere. The game was over.
<simpson>
thoughtpolice: Qubes is oriented more towards low-level hardware-software-interaction security instead of higher-level capability-aware security.
<joepie91>
tilpner: in Genode, a process by default does not have any privileged capabilities whatsoever (and 'privileged' includes things like 'access the filesystem'), and to gain access to any such capabilities, a process needs to ask its parent process for them; the parent process can then ask *its* parent process, etc. ad infinitum, until a point is reached where the resource that the capability represents can be accessed, after which some sort of access to
dash1 has joined #nixos
<dash1>
hsk3: People are using nixos for production services, though.
<joepie91>
the resource (or a virtualized form thereof) is passed back. any 'node' in that path can modify or refuse to propagate the request that is being sent up the tree, which provides for very flexible isolation/restriction policies that can be enforced at any level
<dash1>
Hmmm. I'm trying to use spark and one of its shell scripts wants to invoke `ps`
<dash1>
i've added procps to my nix-shell invocation but still no bueno... wonder what else is going on
<dash1>
ultimately i guess i'll have to patch it
<dash1>
hsk3: I would. But I'm a developer professionally, only do ops on an amateur basis right now :)
<hsk3>
cool
<Infinisil>
simpson: I have no idea what confused deputies are
<thoughtpolice>
It mostly just seems to be papering over poor isolation in a lot of application designs... You'd be better off just using a Chrome-derived mailclient vs anything Qubes could do for e.g. Thunderbird. I guess hardware level isolation makes some amount of sense...
<joepie91>
tilpner: this isn't done through VMs or containers; rather, through a fundamentally different process model that starts out with zero capabilities and has to request everything it needs and have it approved by the tree above it (as opposed to the kernel deciding whether a process can have a resource or not). there's a bunch of other aspects to it as well, such as resource accounting
<srhb>
hsk3: I feel more safe with NixOS than either of those, yes.
<srhb>
hsk3: The problem being that I generally don't know what the heck is even on that Debian or Ubuntu machine.
<srhb>
hsk3: It's just a ball of "hopefully not too bad"
<hsk3>
:)
<simpson>
tilpner: To be pithy, "virtual" as in "virtual memory" or "virtual filesystem", not "virtual machine".
<thoughtpolice>
(I also admit I didn't really take away much confidence the first time I saw Qubes since it mostly looked like it was papered together with Python and shell. Then again, the sausage-making process is rarely nice)
<srhb>
hsk3: (And I *do* unfortunately run a lot of that in production)
<Infinisil>
simpson: I think it's more like one of today's lucky 10 or so in such a domain :P
<joepie91>
tilpner: Qubes, OTOH, uses Xen(-derived?) tools to essentially create virtualized environments, with potentially virtualized hardware, and so on. it's still shared environments with a single set of capabilities that applies to the entire environment, though, unlike Genode where capabilities and resource allocations are managed on a per-process basis; and following a one-environment-per-process model is not great because it entails a lot of overhead
<joepie91>
and hassle to share data between environments without sharing access that's *too* broad
<sphalerite_>
simpson: what about "virtual environment" à la Python :D
<joepie91>
tilpner: disclaimer: I'm not an expert on either of these technologies, so I'm just explaining it as best as I can, according to the understanding I have of them :P
zeus_ has quit [(Read error: Connection reset by peer)]
betaboon has joined #nixos
betaboon has quit [(Changing host)]
betaboon has joined #nixos
<simpson>
sphalerite_: Yeah, same meaning. VMs are the odd ones out, because virtualizing the act of computation itself is equivalent to interpreting, whereas all the others are done via API.
unlmtd has joined #nixos
zeus_ has joined #nixos
<tilpner>
simpson, joepie91 - Thank you for the overview! I've also found "Genode as virtualization layer for Qubes OS" in /about/challenges, but I don't understand how that would work yet. Maybe the presentation will clear that up. :)
<joepie91>
tilpner: simpson: speculation: I would imagine that 'virtualization' in the context of Genode refers to the fact that because parent processes can modify a capability request to ask for something else, it's possible for them to transparently provide virtualized resources to the child process instead of the real resources that were asked for, without the child process being aware of this
<joepie91>
(and so on and so forth, recursively)
<hsk3>
srhb run into what?
<joepie91>
tilpner: the presentation does include an example of virtualbox, that might be related; I'm not sure though :)
<simpson>
joepie91: Yep. This is related to the theoretical idea of membrane/powerbox. We really should have called it "relativized filesystem", "relativized memory", etc.
<thoughtpolice>
tilpner: To be fair, I find Genode to have amazingly obtuse documentation.
<srhb>
hsk3: I run a lot of Debian in production, I meant. :)
<hsk3>
ok i see :)
pxc has quit [(Quit: WeeChat 1.9)]
<joepie91>
heh. my impression of the Genode site was "this looks way too academic, obtuse, and theoretical - is this just a research project?"
<joepie91>
it's really only because I spoke to somebody about it at SHA2017 that I knew where to start looking
<joepie91>
their presentation needs work :)
<taktoa>
joepie91: that was my impression of NixOS when I first saw it
<joepie91>
I do think NixOS has that problem to a degree
<dash1>
joepie91: I don't think one-environment-per-process has to be heavyweight, necessarily
<joepie91>
but eg. the website is a bunch less hostile-looking than that of Genode
<joepie91>
from an "I just want a thing that works" perspective
<joepie91>
still could be better, though
<taktoa>
well actually the impression I got of NixOS was that there are probably barely any packages
<taktoa>
maybe we should mention "hey, we have like 20k packages lol"
<joepie91>
taktoa: hm, any particular reason for that?
jensens has quit [(Ping timeout: 240 seconds)]
<taktoa>
joepie91: well because it seemed like a niche weird OS with some weird (but cool) package manager
<simpson>
joepie91: I find that capability theory, in general, has really obtuse presentation. I'm not sure why. It might just be difficult to reconcile with modern computing.
<dash1>
ffff, matrix doesn't tell you when your nick done been stole.
<joepie91>
(personally I feel like the declarative/reliable/devops-friendly boxes really need work to make it look more attractive from a practical perspective... although this probably needs to be mirrored by the corresponding increase in docs accessibility, so perhaps shouldn't be a priority for now)
<taktoa>
joepie91: granted, I think I first checked out NixOS in 2012, so that may have been true at the time
dash1 is now known as dash2
<Infinisil>
dash2: Register your nick ;)
<dash2>
oh this is hilarious
<joepie91>
simpson: honestly, my experience in general has been that there's very, very little overlap between "people who understand complex and/or low-level and/or highly theoretical concepts" and "people who can explain concepts in an easy-to-understand way that doesn't require much background knowledge"
<dash2>
Infinisil: I did.
<joepie91>
simpson: which is probably part of the problem
<Infinisil>
joepie91: ++
<dash2>
joepie91: no website where you can search the package list
<Infinisil>
dash2: Isn't the whole point of registering a nick so you can claim it? Can't you do that?
hiratara has quit [(Ping timeout: 258 seconds)]
<thoughtpolice>
simpson: My hope is that someone re-builds a capability-based QNX clone on top of seL4. That would be a dream. QNX got many, many things right.
<joepie91>
simpson: anyway, I'm not convinced that capability theory is inherently *hard to understand*, I think it just requires some translation between mental models and sets of background knowledge
<thoughtpolice>
(And if QNX is any indication you can probably do it with some level of compatibility/familiarity people in the POSIX world are accustomed to.)
<joepie91>
to be comprehensible to different audiences
<ToxicFrog>
(caveat: the website package search doesn't show nonfree packages. I'm working on that on and off.)
newhoggy has joined #nixos
das4 is now known as das6
<Infinisil>
What the hell dash
das6 is now known as dash
M-fishy has joined #nixos
<dash>
infinisil: I think the matrix->freenode bridge is overloaded
<dash>
so the nick-stealer got to reconnect before it changed my nick
<dash>
thoughtpolice, infinisil: Anyway! capability OS written in Rust: https://robigalia.org/
<M-fishy>
sorry if this question was asked before, but why does nix package manager insist on being installed under /nix and with sudo? why can't it be installed under, say, $HOME/nix?
<dash>
fishy: Because that way you can use the binary cache of prebuilt packages
<dash>
fishy: which all are compiled to refer to paths in /nix
<joepie91>
M-fishy: the hash of a built derivation is based on all of the inputs to the derivation; these inputs include absolute paths referencing /nix store paths
gm152 has joined #nixos
<dash>
You can certainly put it in $HOME/nix but you'll have to build every single thing yourself.
<joepie91>
M-fishy: therefore, changing the store path would change the hash for every single derivation, and then what dash is describing would happen :P
<M-fishy>
thanks :)
frankpf has joined #nixos
<joepie91>
M-fishy: (binary cache downloads are entirely hash-based, to ensure that you get a build that's actually the same as it would be if you'd built it locally, even if you have certain config flags set)
baconicsynergy[m has joined #nixos
cornu[m] has joined #nixos
jyp[m] has joined #nixos
abbafei[m] has joined #nixos
Guest76101 has joined #nixos
sirius[m] has joined #nixos
primeos[m] has joined #nixos
indefini has joined #nixos
xj9[m] has joined #nixos
scott2 has joined #nixos
berot3[m] has joined #nixos
aspiwack[m] has joined #nixos
bachp has joined #nixos
revoltmedia[m] has joined #nixos
mith[m] has joined #nixos
NickHu has joined #nixos
davidar has joined #nixos
puffnfresh has joined #nixos
Naughtmare[m] has joined #nixos
hendrik[m]1 has joined #nixos
TimePath has joined #nixos
M-liberdiko has joined #nixos
aniketd[m] has joined #nixos
timclassic has joined #nixos
wak-work has joined #nixos
ptotter[m] has joined #nixos
Kallegro[m] has joined #nixos
Oo[m] has joined #nixos
ArdaXi[m] has joined #nixos
AlanPearce[m] has joined #nixos
octalsrc[m] has joined #nixos
chominist[m] has joined #nixos
olejorgenb[m] has joined #nixos
sudoreboot[m] has joined #nixos
Exee7uvo[m] has joined #nixos
copumpkin has joined #nixos
matrixkrav has joined #nixos
Drakonis[m] has joined #nixos
myklam[m] has joined #nixos
Elephant454[m] has joined #nixos
hl has joined #nixos
herzmeister[m] has joined #nixos
Geeky[m] has joined #nixos
viaken[m] has joined #nixos
thematter[m] has joined #nixos
florianjacob has joined #nixos
reactormonk[m] has joined #nixos
magnap has joined #nixos
spacekitteh[m] has joined #nixos
sargon[m] has joined #nixos
spawnthink[m] has joined #nixos
Wysteriary[m] has joined #nixos
necronian has joined #nixos
benkolera has joined #nixos
peterhoeg has joined #nixos
offlinehacker[m] has joined #nixos
Yaniel has joined #nixos
edef[m] has joined #nixos
dtz has joined #nixos
cwopel has joined #nixos
pstn has joined #nixos
bennofs[m] has joined #nixos
BurNiinTRee[m] has joined #nixos
bhipple[m] has joined #nixos
rnhmjoj[m] has joined #nixos
WinterFox[m] has joined #nixos
zimbatm has joined #nixos
Sovereign_Bleak has joined #nixos
sk23[m] has joined #nixos
mtncoder[m] has joined #nixos
DIzFer[m] has joined #nixos
danielrf has joined #nixos
sphalerite has joined #nixos
Ralith has joined #nixos
musicmatze[m] has joined #nixos
dibblego[m] has joined #nixos
Barnabas[m] has joined #nixos
jsv[m] has joined #nixos
hedning[m] has joined #nixos
bendlas has joined #nixos
lecorpsnoir[m] has joined #nixos
qrilka[m] has joined #nixos
jack[m]1 has joined #nixos
kainospur[m] has joined #nixos
dalaing has joined #nixos
regnat[m] has joined #nixos
wmertens[m] has joined #nixos
adisbladis[m] has joined #nixos
yochai[m] has joined #nixos
Dezgeg[m] has joined #nixos
AdamSlack[m] has joined #nixos
rycee[m] has joined #nixos
seif[m] has joined #nixos
ycy[m] has joined #nixos
StuK[m] has joined #nixos
qtness[m] has joined #nixos
tommyangelo[m] has joined #nixos
a123123123[m] has joined #nixos
trikl[m] has joined #nixos
Kirill[m] has joined #nixos
corngood has joined #nixos
etcinit[m] has joined #nixos
eqyiel[m] has joined #nixos
icetan has joined #nixos
Khorne[m] has joined #nixos
retrry[m] has joined #nixos
admin[m] has joined #nixos
sziszi[m] has joined #nixos
AmineChikhaoui[m has joined #nixos
ninegua[m] has joined #nixos
mhsjlw[m] has joined #nixos
JameySharp[m] has joined #nixos
jlle[m] has joined #nixos
<joepie91>
dash: is that your project?
<joepie91>
robigalia.org, that is
<dash>
nope, all I know about it is "EROS, sel4, Rust"
<joepie91>
right, okay :P
<dash>
obviously it is not as far along as Genode.
* joepie91
bookmarks
<Infinisil>
joepie91: I don't know anything about seL4, EROS, etc. but I do like seeing rust used for more stuff ++
josePhoenix has left #nixos []
* joepie91
has an interest in developing a cap-based OS in Rust
* joepie91
has an interest in a lot of things, actually... <.<
hc has joined #nixos
<Infinisil>
Wait, are these capabilities stuff like "This app can only access bluetooth, this directory, this server, etc"?
<hc>
hi
<joepie91>
Infinisil: for example, yes. as fine-grained as you want, at least in theory
<joepie91>
depending on the type of resource there will be practical limits, or cases where you want to reduce granularity and present a virtualized resource instead
<LnL>
joepie91: have you heard about redox?
<hc>
is this the right place to ask about trouble with nixos-rebuild switch --upgrade? :)
<joepie91>
(eg. for filesystem-based things, where it's easier to write an application against a virtualized filesystem than it is to request a capability for every file you want to access)
<sphalerite_>
I use it to run nix on uni computers where I don't have root :)
<sphalerite_>
hc: yes
<dash>
infinisil: think of it like programming without global variables; anything the code needs has to be passed in when it starts
<joepie91>
hc: yep!
NixOS_GitHub has joined #nixos
<NixOS_GitHub>
[nixpkgs] dezgeg pushed 1 new commit to master: https://git.io/v75ov
<NixOS_GitHub>
nixpkgs/master 55a642f Tuomas Tynkkynen: linuxHeaders: Remove cruft
NixOS_GitHub has left #nixos []
<joepie91>
LnL: yep, I know of it
<Infinisil>
iOS and macOS have a capabilities thing for their applications (in the app store)
<hc>
awesome. specifically, i have a machine that runs nixos an github... on upgrade i'm getting this message:
<hc>
"tar: ./opt/gitlab/embedded/bin/ksu: Cannot change mode to rwsr-xr-x: Operation not permitted
<joepie91>
dash: mm, I don't believe that "passed in when it starts" is necessarily a requirement
<hc>
any ideas? :)
<joepie91>
capabilities can be requested on runtime, depending on design
<M-fishy>
sphalerite_: thanks, I'll give that a try
<dash>
joepie91: ok yes, it can be passed in later too :)
<hc>
s/github/gitlab/
<dash>
joepie91: but that's the three ways to get a capability: create one, start with one, or receive one by some communication channel
<Infinisil>
dash: joepie91: That reminds me very much of Idris' effects system
erictapen has joined #nixos
<joepie91>
Infinisil: I would say that there's a difference between 'permissions' (what Android and iOS and such have) and 'capabilities' (what Genode has)
<joepie91>
Infinisil: permissions are transitive; that is, everything executed *by* a process with certain permissions will also receive those permissions
<joepie91>
capabilities are not; each process starts out with zero capabilities, and has to request each capability, typically from the parent process
jbrechtel has joined #nixos
<joepie91>
and that a parent process has a certain capability does not mean that a child process of it does too
<joepie91>
I don't believe that this is a model that's supported on either Android or iOS
<joepie91>
hc: can you pastebin the last 50 lines or so of your rebuild output?
<joepie91>
Infinisil: anyway, permissions as such are way less granular and way less secure, as eg. a particular subprocess of an application will still have access to resources it does not need, and if a subprocess of an application is compromised then the application's entire set of permissions can be abused
<joepie91>
to just give an example
<joepie91>
Infinisil: an interesting example of capability-based model benefits was given to me by somebody at SHA2017; say you have a browser, and that browser has an image parsing process, and a CSS parsing process, and a layout calculation process, and so on
<dash>
yep, that's what the DarpaBrowser paper is about
<joepie91>
Infinisil: if somebody finds a vulnerability in the image parser that allows them to trick it into making a network request... it'll do absolutely nothing, because even though the browser has network access, the image parser does not, as it doesn't have a *reason* to have network access, thus it was never granted to it
<hc>
joepie91: unfortunately not atm, because when i ran the command again, now the kernel is build from source and that fails first =)
<hc>
joepie91: i'll get back to you tomorrow or so
<joepie91>
alright :)
<joepie91>
Infinisil: anyhow, Genode also applies this concept to resource accounting; a particularly interesting example from the presentation was that of one program 'paying' some of its resource allocation to another program, when asking it to do something on its behalf
<joepie91>
Infinisil: such that the resource cost for handling the request is paid by the originating program, not the executing program
<joepie91>
which allows for more realistic resource accounting and limitations
<joepie91>
I haven't looked into how this is implemented exactly or what its limitations are, but it's a rather interesting concept
<dtzWill>
jophish: yeah it's a fair point although I think it's a bit unfair. Anyway luckily it's not a competition, and debian's been doing /awesome/ things re:finding and fixing all kinds of issues
Myrl-saki has joined #nixos
digitus has joined #nixos
<dtzWill>
hopefully Nix/NixOS grows to get their kind of reproducibility soon, I think it's something everyone's interested in
hiratara has joined #nixos
newhoggy has quit [(Remote host closed the connection)]
Mateon2 has quit [(Remote host closed the connection)]
Mateon2 has joined #nixos
Myrl-saki has quit [(Ping timeout: 240 seconds)]
Khetzal_ has quit [(Ping timeout: 276 seconds)]
python476 has left #nixos ["ERC (IRC client for Emacs 25.2.1)"]
Myrl-saki has joined #nixos
johnsonav has joined #nixos
silver_hook has quit [(Ping timeout: 276 seconds)]
Fare has joined #nixos
<Fare>
hi.
georgiy has joined #nixos
Fare has quit [(Client Quit)]
Fare has joined #nixos
<Fare>
I'm desperately trying to get nix-copy-closure to work, and after installing identical keys in /etc/nix/signing-key.{sec,pub} on machines ff and ff2, I get this error when I try this on ff: nix-copy-closure --sign --from ff /nix/store/alhr9h8aqp06flxvl50crj7icf42kqb1-gerbil-0.12-DEV-0576f56
<Fare>
copying 2 missing paths from ‘ff’...
<Fare>
error: program ‘/nix/store/58w4l758i2pz5j30dkn80krv99n8jnvh-openssl-1.0.2l-bin/bin/openssl’ failed with exit code 1
<Fare>
unexpected end-of-file at /run/current-system/sw/bin/nix-copy-closure line 104.
<Fare>
I mean --from ff on ff2, or --to ff2 on ff
<Fare>
same error
alexteves_ has joined #nixos
alexteves_ has quit [(Client Quit)]
<anelson_>
is it possible to install a package with a prefix such that the binaries don't clash with other installed packages?
mizu_no_oto has joined #nixos
alexteves_ has joined #nixos
<srhb>
anelson_: Not exactly as stated, you'd have to override the build or make another derivation that depends on it.
<srhb>
That could probably be generalized, now that I think about it
gnuhurd has quit [(Remote host closed the connection)]
<Myrl-saki>
Welll
<anelson_>
srhb: cool, thanks
<Myrl-saki>
This takes 4 minutes or so to compile on my laptop.
<Myrl-saki>
How do I make a nix-shell with a temporary space?
<srhb>
anelson_: But, let me just ask, why do you need this?
<Myrl-saki>
I guess I can just drop to $TMPDIR
<anelson_>
srhb: I don't; I can work around it. I'm building a version of nix which operates out of a different directory than standard
<srhb>
anelson_: Normally that need arises when you're, say, developing some packages. In that case you'd usually simply not install them into your profile at all, but let the build shell get whichever version that specific build needs.
<srhb>
Ah ok.
<srhb>
You already know this then :-)
<anelson_>
yeah :) this is a bit of a weird case ;)
georgiy has quit [(Remote host closed the connection)]
<Myrl-saki>
Because like, I don't want to ruin my repo with build artifacts.
<alexteves_>
hey; I'm trying to bundle my entire /nix/store into a file but can't get nix-store --export to do this
<srhb>
alexteves_: tar cf?
<Myrl-saki>
Wtf
<Myrl-saki>
haskellPackages.mkDerivation doesn't have cabal in buildInputs?
<alexteves_>
srhb: i had some troubles manually doing that
<alexteves_>
or rather
<Myrl-saki>
How does it like build then? @_@
<anelson_>
ok now I'm running into something else... I built a version of nix that has a different storeDir, stateDir and confDir. However, when I'm running it on nixos, it's still trying to use nix-daemon (I just want it to run as my user)
<alexteves_>
that worked, but nix redownloaded things anyway, even if they were already in /nix/store
<alexteves_>
also need to bundle the database or something
<anelson_>
Myrl-saki: glad I'm not the only one who is mystified by this
<anelson_>
even the .env version doesn't have cabal T_T
<anelson_>
Myrl-saki: if you want to use cabal you can add `cabal-install` to your package's testHaskellDepends
athan has quit [(Remote host closed the connection)]
<anelson_>
anyone know what causes nix to attempt to use a daemon? Because that's not what I want to happen...
<Myrl-saki>
anelson_: I think I get the build system now.
ebzzry_ has joined #nixos
<Myrl-saki>
anelson_: That's why we have preparreCompiler and stuff
<Myrl-saki>
setup*
<anelson_>
Myrl-saki: to be honest the majority of the haskell stuff confuses the heck out of me. It's great that it works and all, but it's very poorly documented and elaborate as heck
<dash>
word to the wise, if you get a baffling "cannot compare a set with a function" error
<dash>
it's because you typed "import <nixpkgs>>"
Kingsquee has quit [(Excess Flood)]
Kingsquee has joined #nixos
<anelson_>
dash: yikes, that does not sound fun
<anelson_>
soooo.... anyone know enough about nix internals to know what makes it decide to use a daemon
<anelson_>
oh ok, I got past that one, it's `unset NIX_REMOTE`
<anelson_>
next problem I'm getting is `error: setting uid: Operation not permitted`
<anelson_>
why is it trying to set the UID??
<Myrl-saki>
Ugh
<Myrl-saki>
Can anyone teach me how to use *phase?
<Myrl-saki>
$prePhases
<Myrl-saki>
bash: setupCompilerEnvironmentPhase: command not found
<Myrl-saki>
I mean, I get why it's like that.
<Myrl-saki>
But, "how do I make it work?"
<anelson_>
what are you trying to accomplish
<anelson_>
what are you setting `prePhases` to?
<alexteves_>
ok bundling the entire /nix folder works, problem fixed
digitus has quit [(Quit: digitus)]
kiloreux has quit [(Ping timeout: 246 seconds)]
phdoerfler has joined #nixos
alexteves_ has quit [(Quit: Page closed)]
<Myrl-saki>
Back.
mizu_no_oto has quit [(Quit: Computer has gone to sleep.)]
<Myrl-saki>
anelson_: I'm using haskellPackages.mkDerivation's prePhases
<Myrl-saki>
That's set to setupCompilerEnvironmentPhase
<anelson_>
is that a phase that you're defining, or is it already in mkDerivation
<Myrl-saki>
anelson_: Former.
<Myrl-saki>
Err
<Myrl-saki>
Latter*
<anelson_>
oh
<anelson_>
ok
<anelson_>
can you try `echo "$setupCompilerEnvironmentPhase"` in a nix shell?
<Myrl-saki>
If I nix-shell, then the environment is weird.
<Myrl-saki>
anelson_: That works, and it does set it up.
<anelson_>
you mean an `eval` or what
<Myrl-saki>
anelson_: Yep, I've been using `eval`s
<anelson_>
to be honest I'm not totally sure what your situation is
<anelson_>
what's broken?
<Myrl-saki>
Right.
<anelson_>
what problem are you seeing?
<Myrl-saki>
So the environment is weird. buildPhase and the like are running the default functions, but $buildPhase shows the correct stuff.
<anelson_>
not quite sure what you mean
<Myrl-saki>
[nix-shell:/run/user/1000/CellGame]$ type buildPhase | grep Makefile
<anelson_>
that means it's a function, not an environment variable
<Myrl-saki>
and $buildPhase is the correct one.
<Myrl-saki>
anelson_: Right.
<anelson_>
ok, so again, what problem are you seeing
<anelson_>
both of them are defined, but one of them is an environment variable, and the other one is a bash function?
<Myrl-saki>
anelson_: I think buildPhase should have been set to $buildPhase.
<Myrl-saki>
anelson_: Looking at nixpkgs manual, buildPhase isn't prefixed with a $
<anelson_>
it can be either, I beliece
<anelson_>
*believe
<Myrl-saki>
anelson_: Right, but they're not equal to each other.
<anelson_>
phases can be defined as functions or as variables
<anelson_>
I assume the variables take precedence
<anelson_>
but I'm not sure
<anelson_>
I'm still not sure what *problem* you are encountering
<anelson_>
is something failing to build?
<Myrl-saki>
anelson_: Aside from a missing executable(which doesn't error in nix-build), then no.
<Myrl-saki>
Well
<Myrl-saki>
anelson_: I also can't just $prePhases
<Myrl-saki>
Or eval "$prePhases"
<anelson_>
what happens when you echo $prePhases
<Myrl-saki>
setupCompilerEnvironmentPhas
<Myrl-saki>
But I can do $setupCompilerEnvironmentPhase
<Myrl-saki>
It's basically just a matter of convenience.
<anelson_>
hmm
frankpf has quit [(Ping timeout: 246 seconds)]
<anelson_>
why do you need to execute $prePhases
<anelson_>
I'm really just trying to understand the problem
betaboon has quit [(Quit: This computer has gone to sleep)]
<Myrl-saki>
anelson_: It sets up the compiler environment, but I'm not sure if it's required.
<anelson_>
what problem is this causing for you ?
<anelson_>
I mean in the sense of, is some package failing to build, or failing to build correctly
<Myrl-saki>
anelson_: nix-build works but nix-shell doesn't.
erasmas has quit [(Quit: leaving)]
<anelson_>
ah, ok
<Myrl-saki>
anelson_: nix-build takes 6 minutes on my laptop for a 4-file project.
<Myrl-saki>
anelson_: I mean, I think I can force nix-shell to work, but it's not easy.
<anelson_>
the shell doesn't start at all? or it starts but displays error messages? or it starts but doesn't execute the commands you meant?
<anelson_>
*want
<Myrl-saki>
anelson_: The last.
<Myrl-saki>
Peti | Profpatsch: The generic builder calls "$configurePhase" if that variable exists and "configurePhase()" otherwise. The shell function exists by default. The variable is defined by Nix iff you define it in your derivation.
<Myrl-saki>
Profpatsch: Lmao. Sorry for the ping.
<Myrl-saki>
anelson_: You seem to be correct there.
<srhb>
I just rewatched a NixOS talk and was reminded of a question: Do we have the ability to optionally and in a standardized way guarantee that the output derivation meets a certain hash, bit for bit?
filterfish has quit [(Ping timeout: 240 seconds)]
<srhb>
Like "I promise that this build is bit-for-bit reproducible"
<Myrl-saki>
But there's still the issue of $prePhases returning the variable name rather than a function to use the variable name.
<anelson_>
srhb: I don't think that in general that is possible to guarantee
<Myrl-saki>
Oh.
<Myrl-saki>
`runHook $prePhases`
phdoerfler has quit [(Quit: Leaving.)]
<Myrl-saki>
That makes sense.
<srhb>
anelson_: No, but on a per-package basis it might be.
newhoggy has quit [(Remote host closed the connection)]
Kingsqueee has joined #nixos
newhoggy has joined #nixos
<anelson_>
srhb: I suppose if you know the build steps then yes
mkoenig_ has joined #nixos
<anelson_>
of course you could only prove that if you also could prove that all of its dependencies are bit-for-bit deterministic
Kingsquee has quit [(Ping timeout: 255 seconds)]
<srhb>
Right, I know that it is possible for a number of packages, I'm wondering whether we have an option to say "enforce this output hash for this derivation"
<Myrl-saki>
So
<anelson_>
srhb: just set the outputHash?
<Myrl-saki>
I think I'm supposed to do `runHook prePhases && $patchPhase && $configurePhase && $buildPhase'