<clever>
obfusk: running `env` and `set -x` may also help
<obfusk>
clever: I did that. but thanks.
<clever>
obfusk: shellcheck will also complain that you should "$snippet" i believe
<obfusk>
the point is either way that I don't expect a `source $stdenv/setup` to change the way bash echoes an unquoted string (stripping any word containing <? or ?> it seems)
<clever>
oh
<clever>
it's nullglob
<clever>
? is a wildcard for matching a single character
<colemickens>
Does anyone have any idea why I keep having this problem? It only happens in NixOS, it happens on a variety of networks... https://i.imgur.com/K5YM3Qu.png
<clever>
and the default action for a pattern matching nothing is to just return the pattern
<colemickens>
It will sit there like that for 5 minutes, telling me it can't find the DNS entry, even though `dig` shows it works just fine.
<colemickens>
And then all of the sudden it will "fix" itself.
<colemickens>
Can't tell if it's NM or something else being screwy.
<clever>
obfusk: so if you 'touch foo*' and there are no matching files, it creates a file with the name 'foo*', including a literal *
<clever>
obfusk: nullglob disables that, and makes it return an empty list instead
<clever>
obfusk: those unquoted will behave weirdly, if you happen to have files matching them in the current dir
zimbatm has quit [Ping timeout: 252 seconds]
zimbatm has joined #nixos
<obfusk>
clever: I know what nullglob does. but I wasn't aware of this behaviour of unquoted strings. thanks.
hamishmack has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<obfusk>
clever: I normally always quote my strings when writing bash scripts, but nix packages don't use quotes most of the time (which works for nix paths of course). I was trying to find out what happens w/ an unquoted example from the nix manual and ended up with this instead of what I expected (just word splitting, not pathname expansion).
<samueldr>
colemickens: it won't help, but AFAIK dig doesn't use whatever the system will use to resolve, which AFAIK would be what `getent hosts nixos.org` would be closer to (if it can help you diagnose)
<clever>
stepcut: can i PM you about some haskell stuff?
<stepcut>
clever: sure
<colemickens>
samueldr: okay, that's good to know, and feels like something I should've figured out. Thank you.
romildo has quit [Quit: Leaving]
hakujin has joined #nixos
hiroshi has quit [Ping timeout: 244 seconds]
<hakujin>
hey all - anyone successfully running docker (the service) on 18.09? I'm specifically on `nixos-18.09-small` and getting `Failed to start containerd: exec: "containerd": executable file not found in $PATH`
hiroshi has joined #nixos
<nh2>
clever: so far I've had the same .drv fail on both my Ubuntu and my NixOS servers, haven't found a machine yet where it actually succeeds. Is there a way to check if the sandbox really is on?
<clever>
nh2: make a derivation that just does ls /nix/store/
<ottidmes>
clever: I think I am close to getting it to work (I am not used to C), but I have trouble with an example, any idea what a sane value is for socklen_t (the third argument of connect)?
<ottidmes>
clever: almost there, Protocol wrong type for socket (from Googling I understand that SOCK_STREAM is not the right type): sock = socket(AF_UNIX, SOCK_STREAM, 0);
<ottidmes>
it feels so wrong, this approach, search the internet for snippets, frankenstein them together to make a sort of functioning whole, and hope for the best :P
<clever>
:D
<ottidmes>
and the LD_PRELOAD program worked the first time I tried :)
<{^_^}>
[nixpkgs] @orivej-nixos pushed commit from @orivej to staging « linux: enable CGROUP_HUGETLB, CGROUP_PERF, CGROUP_RDMA (#50225) »: https://git.io/fpm7d
Havvy has quit [Ping timeout: 252 seconds]
thc202 has quit [Ping timeout: 268 seconds]
Havvy has joined #nixos
<justanotheruser>
is there a way I can specify a derivation that uses a .deb file installed via dpkg? I have a proprietary package I want to install and the producer has instructions for deb file
<ottidmes>
justanotheruser: if you look through nixpkgs, there should be plenty examples of such packages
<justanotheruser>
hmm, I'll search for .deb
hyp3rbor3ax has joined #nixos
hyp3rbor3ax has quit [Remote host closed the connection]
maximiliantagher has quit [Remote host closed the connection]
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage-packages.nix: automatic Haskell package set update »: https://git.io/fpmda
<{^_^}>
[nixpkgs] @orivej opened pull request #50292 → flex_2_6_1: delete in favor of flex 2.6.4 → https://git.io/fpmd9
lassulus_ has joined #nixos
lassulus has quit [Ping timeout: 252 seconds]
lassulus_ is now known as lassulus
drakonis_ has joined #nixos
maximiliantagher has joined #nixos
<ottidmes>
If I use gcc directly in my installPhase, shouldn't I add to my buildInputs gcc.cc?
Rusty1 has quit [Quit: Konversation terminated!]
<__red__>
Digital Ocean apparently now allows VM image uploads
stepcut has quit [Remote host closed the connection]
worldofpeace has quit [Remote host closed the connection]
<{^_^}>
[nixpkgs] @orivej-nixos merged pull request #50292 → flex_2_6_1: delete in favor of flex 2.6.4 → https://git.io/fpmd9
<{^_^}>
[nixpkgs] @orivej-nixos pushed commit from @orivej to master « flex_2_6_1: delete in favor of flex 2.6.4 (#50292) »: https://git.io/fpmbI
maximiliantagher has quit [Remote host closed the connection]
<clever>
ottidmes: gcc is part of the stdenv and in all derivations by default
Rusty1 has joined #nixos
<ottidmes>
clever: I wondered because I remember people talking about wanting to use clang instead, but I guess that is only possible per package, because right now they assume gcc?
<clever>
ottidmes: oh, gcc is the default on linux, clang is the default on darwin, and clangStdenv.mkDerivation gives you clang on linux
<clever>
and on all, $CC points to the right one
<clever>
> gccStdenv.mkDerivation
<{^_^}>
<LAMBDA>
<clever>
and this forces gcc on darwin
<ottidmes>
clever: so given I hardcoded a call to gcc in my installPhase, I really ought to use gccStdenv then right?
<clever>
yeah
<ottidmes>
clever: except I can't, because it's hidden in vscode-utils
<clever>
hidden how?
aleph- has quit [Ping timeout: 246 seconds]
<ottidmes>
clever: right, I should be able to override its stdenv argument to be explicitly gccStdenv
<clever>
yeah, that should work too
<ottidmes>
that has to be done in callPackage, right? no other sane way?
<clever>
you can either edit the default.nix to request the right one, or pkgs.callPackage ./foo { stdenv = gccStdenv; };
<ottidmes>
but it's like vscode-util/default.nix that needs gccStdenv, for my default.nix to work properly, because the stdenv.mkDerivation call is done in vscode-util/default.nix
maximiliantagher has joined #nixos
<clever>
ah, you could also use override then
<clever>
vscode.override { stdenv = gccStdenv; }
<clever>
then only you get the new vscode, and everybody else gets the normal one
Supersonic has quit [Ping timeout: 252 seconds]
maximiliantagher has quit [Ping timeout: 268 seconds]
Supersonic has joined #nixos
<ottidmes>
clever: too bad, it seemed to work, but I now get: connect ENOENT /tmp/CoreFxPipe_ba361950e1a542cfaecd3e10f974ed1a
<clever>
ottidmes: can you pastebin the source of your PRELOAD?
<lostman>
how can I check permissions of a directory in a derivation? I'm trying to add some code that enables ccache if cache directory is set and writable
<lostman>
found a builtin to check if path exists but can't find anything for permissions
<dmj`>
So does nixos have a graphical installer now
<dmj`>
I’ve always installed from the minimal install cd
<dmj`>
but the docs say both
<dmj`>
> "Please note that NixOS at the moment lacks a nice, user-friendly graphical installer. Therefore this form of installation may not be suitable for novice Linux users."
<{^_^}>
"Please note that NixOS at the moment lacks a nice, user-friendly graphical installer. Therefore this form of installation may not be suitable for novice Linux users."
<dmj`>
yea but!
<dmj`>
"The graphical installation CD contains the NixOS installer as well as X11, Plasma 5 Desktop and several applications. It’s a live CD, so it allows you to get an impression of NixOS (and the Nix package manager) before installing it."
<dmj`>
one sentence down
<dmj`>
it contradicts
<dmj`>
or is that just a graphical environment, but not a graphical installer
endformationage has quit [Quit: WeeChat 2.3]
<dmj`>
it does say, "The graphical installation CD "
<ekleog>
dmj`: I think it's just the graphical environment, but no graphical installer
carlosdagos has joined #nixos
<ekleog>
should maybe rename “graphical live CD with an installer” but that sounds heavy
<dmj`>
alright, duly noted
<dmj`>
thank you all
<colemickens>
welp, I went too long ignoring the acme problems that now I'm rate banned for a while, womp womp.
wykurz has joined #nixos
eric88 has joined #nixos
maximiliantagher has quit [Remote host closed the connection]
<eric88>
Hey all
<eric88>
Did a bit of scrounging around - looks like nixos doesn't round-up security patches regularly?
<eric88>
It used to in e.g. 2016-2017 (gchristensen et al.)
<eric88>
Is _very_ out of date. Is there any opening for a spruce-up?
<tomberek>
as usual, more help is always needed
<eric88>
The startup I work for uses NixOS - if we're going to work with higher profile clients we need assurances that NixOS is secure - we do use it industrially.
<eric88>
So I'm sure there's energy behind it...
<eric88>
Who on the security list is still active?
<eric88>
Slash is nixos/nixpkgs on github the core location for open issues? We'd probably be able to set aside some real time given the utility NixOS provides us.
<jasongrossman>
eric88: Most or all of those four people are still active.
<eric88>
I just don't really know where to start.
<eric88>
Awesome, jasongrossman++ tomberek++
<jasongrossman>
eric88: Thanks for your interest in this!
<tomberek>
eric88: If you can devote some time, I'm sure you can ask some of the members to help on-board you to working on the issues. Just ask them.
<colemickens>
I really wish nix.* options were applied before the rest of rebuild.
<colemickens>
:(
<colemickens>
would make using overlays + cache a bit nicer. it's really awkward to have to add the mirror in one rebuild and the overlay/packages in another, less risk re-building the first time around
<tilpner>
You can do that, but it makes you incompatible with the rest of the ecosystem
<colemickens>
really?
<colemickens>
The "you can do that" part, I thought it was just not possible?
<tilpner>
Well, parts of it at least
<tilpner>
Overlays should be applied right-now by default, I think?
<tilpner>
You're right about options to Nix though, don't see how to do that right-now :/
<tilpner>
(Well... you can do those too, but then you lose nixos-rebuild)
jvassev has quit [Ping timeout: 256 seconds]
<tilpner>
(You would have a first stage of eval, evaluating just nix.*, then passing those options to a second stage eval. You can implement that in Nix as long as you use just nixpkgs options, but you need a custom rebuild script once you want to define Nix options too)
periklis has joined #nixos
<colemickens>
If I change my user's nix configuration, is that used for nixos-rebuild commands as that user?
<colemickens>
But cachix use doesn't seem to try to populate the user config on NixOS...
<colemickens>
hm
__Sander__ has joined #nixos
locallycompact has joined #nixos
locallycompact has quit [Remote host closed the connection]
maximiliantagher has joined #nixos
civodul has joined #nixos
locallycompact has joined #nixos
maximiliantagher has quit [Ping timeout: 250 seconds]
<ckauhaus>
eric88: thank you for your interest in NixOS security - would you mind joining us on #nixos-security so we can discuss further details there?
<ekleog>
ckauhaus: eric88 is gone :/
Tucky has joined #nixos
<jakub>
is there a tool that would inline imports in nix files where possible?
lostman has quit [Quit: Connection closed for inactivity]
Acou_Bass has joined #nixos
<ekleog>
jakub: probably not, as the two following files are valid nix: a.nix: `{ a = 1; b = import ./b.nix; }` b.nix: `{ a = import ./a.nix; b = 2; }`
<ekleog>
(and that's not even taking into account computed imports)
<ekleog>
but I'm curious, what's the use case you're thinking for it?
maximiliantagher has joined #nixos
<{^_^}>
[nixpkgs] @roberth merged pull request #49256 → NixOS: use overlays when nixpkgs.pkgs is set → https://git.io/fxHJS
<tilpner>
colemickens - Hey, you are listed in the sway-beta module. What am I doing wrong when it fails to become DRM master due to lack of CAP_SYS_ADMIN?
<colemickens>
tilpner: Hm, I'm not sure. `sway version` to ensure you're on the version you expect.
<tilpner>
The sway module adds a setcap wrapper, but the sway-beta one doesn't
<colemickens>
Otherwise my understanding is that you just need logind, which should be in place in NixOS.
<colemickens>
Yeah, it's obviated by sway 1.0's support for logind, as far as I understand it.
<colemickens>
(I'm using that module right now)
maximiliantagher has quit [Ping timeout: 245 seconds]
<tilpner>
Hmm, there's another error line before that
<tilpner>
"Failed to get session id: No such process"
<jakub>
ekleog: i was careful to ask for a solution 'inline ... where possible', but my usecase is that I want to use config.system.build.virtualBoxOVA from virtualbox-image.nix but I have trouble putting together the arguments to the function defined in that file... so I wanted to collect the input to the function from other places, but since the configurations seem to be all over the place I have trouble figuring
<jakub>
this out
<jakub>
ekleog: i am not on nixos (i am currently running nix from debian)
<{^_^}>
[nixpkgs] @edude03 opened pull request #50299 → Fix helm version → https://git.io/fpYmr
<colemickens>
tilpner: are you doing anything weird regarding logging in?
<colemickens>
are you using a display manager, for example? I recommend not using one.
jasom has quit [Ping timeout: 272 seconds]
jasom has joined #nixos
maximiliantagher has joined #nixos
vidbina has joined #nixos
thc202 has joined #nixos
<tilpner>
colemickens - No display manager, but I am doing something weird (trying to use sway-beta on 18.09)
maximiliantagher has quit [Ping timeout: 272 seconds]
<colemickens>
tilpner: I maintain nixpkgs-wayland which provides HEAD versions of sway and other things
<colemickens>
I actually just tested it with a new 18.09 VM about 3 hours ago.
<tilpner>
I don't have a browser right now, stuck in TTY land
<ekleog>
jakub: nixos configs use a heavily intricated import mechanism, so I don't think such a tool would manage to import
<colemickens>
tilpner: what graphics?
jvassev has joined #nixos
<tilpner>
colemickens - Laptop with Intel+Nvidia, but I think I set WLC_DRM_DEVICE correctly because it works with sway-stable
<tilpner>
dyu
<tilpner>
dddddddddddddddd
<tilpner>
Sorry, tty acting up
<tilpner>
(Multiple processes competing for input on the same tty)
<jakub>
ekleog: in that case, is there at least a way to tell a type of set members? i am trying to figure out what config.system.build.nixos-install might be, is it a function, a path, what the hell is it :)
srl295 has quit [Quit: Connection closed for inactivity]
orivej_ has quit [Ping timeout: 240 seconds]
sb0 has quit [Quit: Leaving]
averell has quit [Read error: Connection reset by peer]
<Random25252>
Hey people I would greatly appreciate any help, I've read the wiki page named Linux_Kernel#Developing_Kernel_Modules but I'm not sure how to approach an issue. I need to specify a kernel version, and then also apply multiple patches to it, and apply some custom configuration options as well. Could this all be done with an/multiple boot.kernelPatches configurations? I'm really new to this, sorry
maximiliantagher has quit [Ping timeout: 252 seconds]
<ekleog>
jakub: though there's nixos-option too, but I don't think it documents system.build, because system.build isn't intended for external use AFAIR
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage-packages.nix: automatic Haskell package set update »: https://git.io/fpYGB
<jakub>
ekleog: i have been looking at the source, i see no indication of what it is
<jakub>
ekleog: or whether it is related to what nix-build is complaining about
rembo10 has joined #nixos
<ekleog>
jakub: so I don't know what nix-build is complaining about, but it's a derivation that outputs $out/bin/nixos-install based on the `src` argument from my second link
<jakub>
ekleog: if you were to use nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix (from any linux other than nixos, using nix) what would you do, or where would you even start, I am trying to feed the right inputs to the function in that file, and using nix-build i try to invoke the derivation config.system.build.virtualBoxOVA of the returned set
<ekleog>
(after having substituted the variables as mentioned by line 9 same file)
mitescugd has joined #nixos
freeman42x]NixOS has joined #nixos
orivej has joined #nixos
betaboon has quit [Quit: WeeChat 2.2]
<ekleog>
jakub: oh. so the function in virtualbox-image.nix is not designed to be called by you
betaboon has joined #nixos
<jakub>
ekleog: i guessed that, but found no better way
<ekleog>
you're supposed to look for something like `lib.evalModules`, invoke it with `-E` and look at its `.system.build.virtualBoxOVA`
<ekleog>
well, it's more that you really cannot call this function unless you re-code lib.evalModules :)
<jakub>
ekleog: what is evalModules anyway :)
<ekleog>
now I must say I haven't done it yet personally
<ekleog>
evalModules is “take these modules and evaluate them as a fix-point”, because the function you see in virtualbox-image.nix is supposed to be called as part of said fix-point
<ekleog>
by passing your configuration with something like -I nixos-config=./configuration.nix
<jakub>
ekleog: thanks, that helps, but it also gets me back to my initial problem, of getting the configuration :)
<ekleog>
disclaimer: there may be a way easier way of doing this, I'm learning as I read the code :p
nschoe has joined #nixos
<jakub>
ekleog: don't worry, if an easier way pops up later, i will use that, in the meantime i appreciate any way :)
m0rphism has quit [Quit: WeeChat 2.2]
<ekleog>
the configuration is a file like virtualbox-image.nix, you can set it to `{ imports = [ <nixpkgs/nixos/.../virtualbox-image.nix> ]; }` I think
<jakub>
ekleog: now i am very confused
<jakub>
ekleog: i know at some point i need to provide vmname, memorysize, imagesize etc, but I have no clue where and how to provide these :)
<jakub>
ekleog: thanks, that's where I started, but it seemed to involve a lot of things without explanation, so I started cutting it down
<jakub>
and got lost along the way
<jakub>
time to backtrack i guess
<ekleog>
yeah, I think it's maybe better to first get an intuition of how nixos config works before trying to do weird stuff ^^
<ekleog>
even though that involves following some obscure instructions, at least you get to touch nixos configuration and get an intuition of how it fits together
<ekleog>
looks like (but I think it's a bit much to understand without having ever tried nixos ^^)
<jakub>
ekleog: i will follow your advice, although I really dislike following instructions that i cannot assign any meaning to... that doesn't give any insight, but still I am very grateful for your help, i just seem to have trouble finding some doc of elementary concepts
<srhb>
nh2: Good that you figured it out :D
maximiliantagher has quit [Ping timeout: 250 seconds]
<ekleog>
jakub: let's say if you're familiar with either the nix or the haskell language maybe I can try to explain it more :) otherwise I think it's better to gain some familiarity first
zolk3ri has joined #nixos
<ekleog>
(well, I can still try to explain more, but… :p)
<jakub>
ekleog: i am familiar with haskell, nix, not so much, i just try to extrapolate from haskell when there is something in nix that was not introduced by the documentation so far but it gets used like crazy in all the examples/instructions, like rec, _, ...
<ekleog>
jakub: ok so I'll try to explain it in haskell-like terms :)
<arianvp>
How would I set up a dynamic MOTD in nixos?
<arianvp>
I want to have a "Reboot for updates pending" message after a nixos-rebuild boot
<ekleog>
_ is nothing special, rec is “just” like OCaml's `rec` keyword: it's like doing `let set = with set; { ... }; in set`
vidbina has joined #nixos
<arianvp>
ekleog: I dug a bit into the DynamicUser problem by the way
<ekleog>
jakub: so for the module system, each module is a function from, basically, { config, pkgs, lib } -> { config = {...}; options = {...}; }
averell has joined #nixos
<ekleog>
oh, and imports = [...]
<ekleog>
jakub: and there's a big fixpoint (lib/eval-config.nix apparently, though I seemed to remember lib.evalModules) that takes one module, follows all the imports, and ties the knot
<ekleog>
jakub: during the knot-tying, it also does dynamic type-checking (with the values defined in `options = {...}`), and that results in the `config` output
<ekleog>
jakub: with the particularity that if your module doesn't declare either `config` or `options`, then everything is considered to be under `config` by default, so that it's easier to write a module
<srhb>
(Is knot-tying really the right analogy wrt. fixpoints? I've only heard it uses in regards to cyclical data structures.)
<srhb>
used*
<ekleog>
jakub: once the knot is tied, there's `config.system.build` that contains basically what can be interesting to run the system, and `nixos-rebuild` etc. are wrappers over `nix-build` that build appropriate outputs of `config.system.build`
<ekleog>
srhb: Oh? this may be me not knowing haskell very well, that's how I called the act of closing the recursion upon itself
<jakub>
ekleog: knot-tying is just expressing the mutual dependency, no? so it is not specific to data structures but values in general
<srhb>
ekleog: Hm, well, when you phrase it like that it sounds more reasonable to me as well. :)
<srhb>
Disregard my complaint. :-)
<colemickens>
is there already a nix/nix2.0 equivalence guide before I start a new wiki page?
<ekleog>
jakub: and so the issue you're running into is that you're trying to basically redo the job of `nixos-rebuild` without having `nixos-rebuild` to help you
<srhb>
colemickens: I don't think so, but please name it "nix command-style" rather than nix 2.0 :)
<ekleog>
(because nixos-rebuild is available only on nixos, iirc there was a motion to change that a few days/weeks ago but I can't remember it being actually done)
<srhb>
colemickens: (Since nix-shell and nix-build are equally nix 2.x nowadays)
* colemickens
squints
<colemickens>
good to know, sad to know it
<ekleog>
arianvp: hmm, last I saw was at the time where you noticed nscd appeared to indeed load the module, did you go farther?
<jakub>
ekleog: i see now. because there is no direct motivation to having config computed as fixpoint in my simple example, i never knew i was trying to insert myself in the middle of the fixpoint computation, (which is not communicated anywhere as far as i know)
<srhb>
colemickens: Or "experimental nix command interface" :-P
<arianvp>
yep I just traced dbus and the nss module is even making the dbus call and returning it!
<colemickens>
srhb: point taken ;)
<ekleog>
jakub: yes, documentation is very lacking :/ if you can jot down a summary of all you find hard to understand I'm sure we'd all be great to have a copy so we can try to improve documentation :)
<ekleog>
s/great/happy/
<ekleog>
(issue about documentation is after some time it just feels “normal” and you don't notice it's complex any longer ^^')
<jakub>
ekleog: well i would be happy to put down some notes, hope I get the time to go over the docs one more time so I might add some things I had problem with on the first go that I can't remember now
<ekleog>
jakub: great, thank you! :) I guess a github issue / discourse thread would be most adapted
<tilpner>
colemickens - Duh! I should have caught that, but even with WLR_ it doesn't launch. It also doesn't say anything about nvidia (which is not loaded, nor do I want to use it)
sigmundv has joined #nixos
<colemickens>
tilpner: ah okay, if it's not loaded that seems sufficient. I'd assume it can pick the right one I guess.
<colemickens>
I forgot to mention, I'm not sure if you need this with sway 1.0, but I think I'm in the 'video' group on my machine.
<tilpner>
I am too, in the video and input group (but not in the sway group anymore)
<tilpner>
I also built your sway-beta from your nixpkgs-wayland, same error
<colemickens>
hm, I'm not sure I have any more ideas unfortunately.
Dedalo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<colemickens>
srhb: is there a design doc or rfc about the experimental command structure stuff? I have opinions TM and am curious for more context around them
<colemickens>
you can read the linked archwiki page, it's probably great as usual
<colemickens>
:)
<symphorien>
arianvp: if the MOTD can be dynamically generated by a shell script, if /run/current-system and /run/booted-system are the same link, then ...
maximiliantagher has joined #nixos
* tilpner
reboots
freeman42x]NixOS has quit [Ping timeout: 246 seconds]
<symphorien>
arianvp: apparently you need pam_motd to have a shell script as a MOTD
<tilpner>
colemickens - Good find, hideProcessInformation = false, rebuild and reboot, fixed it! No idea why (yet, I'll be able to check your link soon)
maximiliantagher has quit [Ping timeout: 246 seconds]
<tilpner>
Thank you! :)
<tilpner>
colemickens++
<{^_^}>
colemickens's karma got increased to 2
<colemickens>
:) hurray!
<colemickens>
have fun, make sure you check out grim/slurp/mako/redshift-wayland/wlstream for some essentials
<arianvp>
Mic92: I really think this is a systemd bug . The error is coming from systemd itself
<arianvp>
:/
<Mic92>
arianvp: I switched to unscd, when started as a services it does not work, when I start it in debugging mode in foreground, it works.
<arianvp>
did you add systemd to LD_LIBRARY_PATH ?
<srhb>
infinisil: Ping
hke has joined #nixos
__Sander__ has quit [Read error: No route to host]
<srhb>
infinisil: Actually, nevermind!
mayhewluke has quit [Ping timeout: 264 seconds]
<arianvp>
Mic92: I updated the issue by the way. Both DBus calls are failing actually. And they both say the dynamic user was never added to systemd's internal hashamp
<arianvp>
hashmap*
<arianvp>
so nscd seems to be working fine, but something fishy is going on inside systemd itself
__Sander__ has joined #nixos
mayhewluke has joined #nixos
<{^_^}>
[nixpkgs] @Mic92 pushed 0 commits to roberth-patch-1: https://git.io/fpYWo
maximiliantagher has joined #nixos
<Mic92>
arianvp: yes, it is the same definition from nscd I adapted
<arianvp>
Okayyy it does seem nscd's fault
<arianvp>
that Lookup error only occurs when nscd is _not_ running
<arianvp>
and when nscd _is_ running no lookup appears at all
<Mic92>
you can also try with nscd stopped with getent and LD_LIBRARY_PATH set.
nbardiuk has quit [Quit: Lost terminal]
Itkovian has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
orivej has joined #nixos
<arianvp>
Sorry, my fault. it does. However it only does it once, and after that nscd seems to cache it :P
<arianvp>
debugging is a hard and precise endeavour
maximiliantagher has quit [Ping timeout: 244 seconds]
<arianvp>
Mic92: yep it's NSCD interfering
<Mic92>
arianvp: so is it a caching problem?
<arianvp>
no, it fails on the first lookup as well
<Mic92>
arianvp: maybe systemd-run already adds a negative cache entry when it creates the dynamic user.
<arianvp>
okay now i'm going to see if I can reproduce this on fedora or whatever
<Mic92>
but then restarting nscd would solve the issue
<arianvp>
yes so restarting nscd makes the LookupDynamicUser dbus call appear
<arianvp>
but that call fails
carlosdagos has quit [Quit: Connection closed for inactivity]
<arianvp>
Mic92: yep! restarting nscd seems to work
<arianvp>
if you systemd-run sh instead of whoami
<arianvp>
and type whoami once, it fails, if you then restart nscd and type whoami again it succeeds
<arianvp>
:P
EarlDeLaWarr has quit [Ping timeout: 250 seconds]
<Mic92>
arianvp: this is also what I did.
<Mic92>
Which is why I think systemd-run already does the request before and poisons the cache.
<arianvp>
I'm gonna grab some lunch. I suspect so too
<Mic92>
It has to check for the uid because there might be external systems like ldap that allocate uid/gid s
<arianvp>
ahh yeh that's true. So systemd should clear the cache after this uid lookup right? but it doesn't
__monty__ has joined #nixos
<Mic92>
arianvp: negative-time-to-live in nscd could be zer0
<arianvp>
We should make a small non-nixos specific reproducer, explain the behaviour and file a bug with systemd I guess
<Mic92>
arianvp: I don't see how systemd could fix this. They have to use nsswitch.conf and its modules because this is what the user expects.
<Mic92>
They would need to explicitly flush the nscd cache afterwards.
<Mic92>
And one can only validate the whole group and not just single entries.
<Mic92>
*invalidate
<arianvp>
the only reason we're using nscd is such that we can set LD_LIBRARY_PATH right?
<arianvp>
Mic92: but given that systemd is an nss module. Shouldn't it be well-behaved? In that the module shouldn't recursively call nss calls again?
<arianvp>
The more I think of it the more I think it's actually a bug
hyper_ch2 has quit [Quit: Page closed]
<avn>
arianvp: can you tell more about dynamic users in systemd? Does it allow create/destroy regular users on-the-fly?
hyper_ch2 has joined #nixos
Itkovian has joined #nixos
<Dezgeg>
sssd is already run in nixos with nscd-with-caches-disabled in front
Guanin has joined #nixos
locallycompact has quit [Remote host closed the connection]
maximiliantagher has joined #nixos
<arianvp>
Then we should just switch to sssd Dezgeg
<Dezgeg>
huh?
<Dezgeg>
you don't need sssd if you don't use LDAP or AD or whatever auth
<hyper_ch2>
(and for a moment I thought sssd is a misspelling of ssd)
maximiliantagher has quit [Ping timeout: 245 seconds]
<arianvp>
Or disable caching :p
Itkovian has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<Dezgeg>
?
<Dezgeg>
sssd is not a nscd replacement
<Dezgeg>
it won't talk to the systemd nss module for example
<arianvp>
What I meant is. We need to run nscd similarly to how we run it when sssd is enabled
<arianvp>
Which is. With caching disabled
<Dezgeg>
right, that might make sense
shabius_ has joined #nixos
<tilpner>
colemickens - I have now re-enabled hidepid, but put my user into the proc group. What do you think of adding an assertion to the sway-beta module that !config.security.hideProcessInformation || with builtins; any (u: elem "proc" u.extraGroups) (attrValues profiles.till.lelouch.config.users.users) ?
shabius has quit [Ping timeout: 276 seconds]
<tilpner>
I mean (attrValues config.users.users) of course
<tilpner>
That might keep someone from trying to track down the same problem as we just did
<tilpner>
And it allows people to keep hidepid, though maybe that should be mentioned in the error message
<arianvp>
But if you enable sssd, sssd does caching too right?
peel has joined #nixos
<arianvp>
Wouldn't that reintroduce this problem again?
<Dezgeg>
it won't cache anything related to systemd nss, only LDAP and such stuff
<arianvp>
Ah it doesn't cache the entire passwd service? But only the things that actually go to ldap?
<Dezgeg>
no, it has no knowledge of other NSS modules
iyzsong has joined #nixos
Guanin has quit [Ping timeout: 260 seconds]
erictapen has joined #nixos
Mateon3 has joined #nixos
maximiliantagher has joined #nixos
Mateon1 has quit [Ping timeout: 260 seconds]
Mateon3 is now known as Mateon1
hyper_ch2 has quit [Ping timeout: 256 seconds]
erictapen has quit [Ping timeout: 268 seconds]
maximiliantagher has quit [Ping timeout: 246 seconds]
sb0 has joined #nixos
<{^_^}>
[nixpkgs] @matthewbauer pushed to master « libxml2: only use static output with both shared & static »: https://git.io/fpYuR
civodul has quit [Quit: ERC (IRC client for Emacs 26.1)]
jschievink has joined #nixos
<nh2>
can anybody tell me how I'm supposed to call webpack for building a node package with node2nix? I have a working shell from node2nix, but now I want to write a derivation inside which I call webpack on my source folders
<jschievink>
can I make nix-build fail when it would have to build derivations from source?
hyper_ch2 has joined #nixos
<nh2>
jschievink: try `--max-jobs 0`
Lisanna has joined #nixos
<jschievink>
nh2: wow
<Lisanna>
what sorts of things can cause a /nix/store path to become corrupted? i.e., such that nix-store --verify-path reports a hash mismatch
<jschievink>
I really like the idea behind Nix, but it could really do with better UX
<avn>
Lisanna: it has some sort of `--repair`, but it doesn't help if your paths are ok but the .sqlite file was damaged
<Lisanna>
if a derivation isn't deterministic and it gets built on two different machines, could this ever result in this scenario? e.g., if one of the paths was garbage collected and got replaced by the other, or something
<{^_^}>
[nixpkgs] @Synthetica9 closed pull request #50269 → sphinx_1_2: use uppercase for override → https://git.io/fpqQX
<Lisanna>
avn the --repair-path won't work because the machine the path is corrupted on *is* my binary cache ):
nbardiuk has joined #nixos
<Lisanna>
I don't think there's anything wrong with the sqlite database... this path was built very recently, and there have been no events that would cause the database to be corrupted (e.g., power loss)
<Lisanna>
well, one thing's for sure... I'm NEVER building ANYTHING ANYWHERE except on my binary cache...
<Lisanna>
well, *ever again
<Lisanna>
I've heard that garbage collection can screw up stuff like this too
<simpson>
jschievink: Nix isn't designed to fail in that situation; if you've requested a build, then you should be prepared for a build. What are you working on?
<jakub>
what is the simplest way to convert nix, nixos, nixpkgs, ... docs to pdf? I noticed there used to be pdfs, not anymore
<jakub>
(simplest but still readable)
<jschievink>
simpson: I'm deploying an application to a tiny device that should try to build it from source
<simpson>
Lisanna: Which package? Nondeterministic builds should be tracked as bugs IMO unless they're infeasible to fix.
<Lisanna>
simpson custom package
<jschievink>
and I'm setting up a binary cache that should provide the prebuilt executable
<Lisanna>
but, built with a sandbox :/
<simpson>
jschievink: Can you nix-copy-closure or similar instead of doing nix-build?
<jschievink>
preventing nix-build from attempting a source build is basically just an assertion that I haven't fucked up the caching
<Lisanna>
but, that's an interesting perspective... I guess I should look into why the build is non-deterministic in the first place
<simpson>
jschievink: Sure, but I think that that's choosing to do extra stuff unnecessarily. Copying the desired closure instead would not have this failure mode, I think.
<simpson>
I think that doing verify/challenge/check operations with non-deterministic builds is going to generally fail, but I haven't used those features much.
<Lisanna>
simpson it only comes up because nix forces the hash to match if you try to copy to a binary cache (--to file://)
<Lisanna>
so I found that it's non-deterministic with nix-store --realise --check, but how do I actually compare the two outputs? It didn't really give me a second output path to point a diff tool at...
<{^_^}>
[nixpkgs] @dotlambda merged pull request #50274 → home-assistant: add support for waze, bluetooth tracker and IFTTT → https://git.io/fpmUR
<jschievink>
simpson: yeah I could copy the closure, but at least later I don't want to rely on all systems being online and reachable via SSH
<jschievink>
(they might not even run sshd)
acarrico has joined #nixos
xAFFE has left #nixos [#nixos]
<jschievink>
at that point all the systems should pull updates and prebuilt artifacts from a custom channel and binary cache
Rusty1 has joined #nixos
orivej has joined #nixos
<simpson>
jschievink: You have space for Nix but not an SSH daemon!? Anyway, I see where you're going, but I'm not sure how your plan will work.
jmeredith has joined #nixos
<jschievink>
simpson: it's not about space, but more about avoiding externally-facing services
<jschievink>
but the main issue is that the systems aren't always online
<jschievink>
so even having SSH wouldn't help much (also, the device might be behind NAT I don't control)
<simpson>
Hm. I'd consider what it's like as a user of this device. How would a user like for this device to interact with the network?
<simpson>
After all, it sounds like it might not be up to you whether your devices get connectivity or a chance to update.
elgoosy has quit [Remote host closed the connection]
spacekookie has quit [Quit: **more agressive swooshing**]
Itkovian has quit [Ping timeout: 252 seconds]
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage-packages.nix: automatic Haskell package set update »: https://git.io/fpYVL
dbmikus_ has joined #nixos
<{^_^}>
[cabal2nix] @peti pushed to master « opencv: drop the explicit configuration of --with-gcc and --with-ld »: https://git.io/fpYVl
Guanin has joined #nixos
<jschievink>
simpson: yes, I basically cannot rely on the devices to be reachable *all the time*, but in order to use them you still have to make sure they can connect to our servers, so they'd pull updates when they get the chance
<{^_^}>
[nixpkgs] @peti pushed commit from @typetetris to haskell-updates « haskell-opencv: fix build and #47595 »: https://git.io/fpYVA
<Guanin>
Hi, I'm trying to get some proprietary toolchain running, and one script that is used within that complains about not finding a binary, but it exists. So when trying to execute the binary, zsh complains that the file does not exist: http://termbin.com/e6d1
<Guanin>
Does anyone know why?
<jschievink>
so basically users are still going to bring the devices online, I just don't know exactly when, so I want to host all software passively instead of pushing it to all devices
Dedalo has joined #nixos
<simpson>
Hm. Makes sense, I guess. Sounds exactly like the kind of device I don't allow on my network though.
<ottidmes>
Guanin: in my experience that is almost always caused by not patchelf'ing the binary in question, so it still references to the wrong interpreter location
<{^_^}>
[nixpkgs] @peti pushed 2 commits to haskell-updates: https://git.io/fpYwt
<Guanin>
ottidmes, builder.sh has a line that runs patchelf on that binary. How can I check if it failed?
erictapen has joined #nixos
<jschievink>
simpson: it's not that much different from any old OS with auto-updates enabled though
<lunik1>
Hi, how do I rollback to a config older than the previous one?
<Guanin>
Oh wait, file says that the interpreter is at /lib64, that does not seem right, I guess?
<sphalerite>
lunik1: your system or your user profile?
<lunik1>
system
<lunik1>
ideally without going through grub
<simpson>
jschievink: Sure, but I bet that your device isn't a general-purpose computer that can be freely reprogrammed by the end user.
<jschievink>
true
<simpson>
jschievink: FWIW the nix-copy-closure route only requires an SSH client on the clients, since they're connecting out towards your home machine.
<aminechikhaoui>
Lisanna it should be readonly by default
waleee has joined #nixos
<Lisanna>
OK, so with nix.readOnlyStore = true, somehow my nix-shell was able to muck around with an already-built output in /nix/store...
<Lisanna>
does that read-only-ness not apply if the account is root?
<waleee>
Is it logical that, occasionally, nixos-rebuild --upgrade cmd isn't updating anything, but it does upgrades after a sudo nix-channel --update?
<{^_^}>
[nixpkgs] @Mic92 merged pull request #50186 → Allow cloud-init to support creating btrfs partitions → https://git.io/fptYO
<waleee>
the manual is pretty clear that it shouldn't be any difference, but my experience from eg 10 minutes ago is giving me some doubt
<Lisanna>
does doing a nix-shell on a derivation open up its outputs for writing, even if the outputs already exist?
<ottidmes>
waleee: it might be that you need to be sure to do nixos-rebuild --upgrade under root, it could very well be that --upgrade runs as the regular user otherwise, while it uses the one defined by root (just my guess, I dont use channels)
<samueldr>
waleee: it will have a difference since `--upgrade` needs to update root's channel named `nixos`
<samueldr>
so, in actuality, using `nixos-rebuild` with some of the options (like `build`) works well without superuser (root) access, but some options will need it to work right, and will not fail noisily :/
<ottidmes>
waleee: so just do: environment.shellAliases.nixos-rebuild = "sudo nixos-rebuild";
<waleee>
samueldr: I do run nixos-rebuild --upgrade switch or boot with sudo, so that wouldn't account for the difference I hope?
crmlt has quit [Read error: Connection reset by peer]
crmlt has joined #nixos
<samueldr>
waleee: depends on what's the difference you see
<lunik1>
sphalerite: system profile, I'd rather not do it through grub
<waleee>
samueldr: that "sudo nixos-rebuild --upgrade boot" don't upgrade anything, and that "sudo nix-channel --update" followed by "sudo nixos-rebuild --upgrade boot" upgrades stuff
<lunik1>
sphalerite: but I want to go back more than one generation, do I just keep running it?
<{^_^}>
[nixpkgs] @costrouc opened pull request #50313 → autospotting: init at unstable-acbadb09a0ab2c2d3f5dcc984594f65d7904d587 → https://git.io/fpYKC
grenade has quit [Ping timeout: 252 seconds]
<waleee>
samueldr: (backpedaling a bit) ... do "sudo nixos-rebuild --upgrade CMD" only update the nixos channel? It disregards any other you might have added?
<sphalerite>
waleee: yes
<waleee>
sphalerite: ok thanks. I did a revision of the last rebuild and did notice that it was unstable packages that weren't updated
<samueldr>
(sphalerite: in a pragmatic sense, yes, but in reality, the source says you can somehow tag other channels to be updated on rebuilds)
<samueldr>
>> If there are other channels that contain a file called ".update-on-nixos-rebuild", update them as well.
<waleee>
samueldr: How would one go about with that?
<sphalerite>
lunik1: not sure about the canonical way to do it, but you can use /nix/var/nix/profiles/system-<generationnumber>-link/bin/switch-to-configuration switch
<arianvp>
Dezgeg: i'm looking at the sssd module, and i dont see where it disables nscd caching
stepcut has quit [Remote host closed the connection]
<Guanin>
Is there a way to keep a file that is added via `nix-store --add` from being garbage collected? I can't find anything related in the manpages of nix-collect-garbage or nix-store
<tommyangelo>
so if I put the key in a file and do `nixops -d test ssh -i host.priv` that works, but if I take the -i parameter away it asks for a password
crmlt has quit [Ping timeout: 252 seconds]
maximiliantagher has quit [Ping timeout: 250 seconds]
<tommyangelo>
the state of the vm is "6", backend is None
<{^_^}>
[nixpkgs] @gnidorah opened pull request #50318 → SDL2: enable parallel building → https://git.io/fpY5O
<tommyangelo>
it has no "toplevel" attribute though, which is strange
<tommyangelo>
ah well, I have to go, will try again tomorrow
<stites>
Hi all! I'm looking to push up a version bump on a package and I'm wondering how to test this in a sandbox on linux
<stites>
it seems a little silly to ask in the issues
<symphorien>
stites: are you using nix on non-nixos ?
<Myrl-saki>
stites: Are you using NixOS?
<Myrl-saki>
sy1lol
<Myrl-saki>
symphorien: lol
<symphorien>
:)
<stites>
no, I'm on linux
<Myrl-saki>
--option sandbox true?
<symphorien>
Multi-user installation ?
maximiliantagher has joined #nixos
<symphorien>
(See the output of nix-info)
<stites>
mm... I tried the sandbox flag, but I am still getting the old version when I build (I also tried setting the build-use-sandbox in the nix.conf)
the-kenny has joined #nixos
the-kenny has quit [Client Quit]
<stites>
I'm using single-user
the-kenny has joined #nixos
<symphorien>
I think the option was renamed to just sandbox
<stites>
I found a one-liner that looks like: nix-build -A rubber ~/git/nixpkgs/ --check
<stites>
but when that happens I see a bunch of folders with the old version flag
<symphorien>
You can check with nix show-config
<stites>
yup, I seem to be in sandbox mode
<symphorien>
How is the version related to sandbox ?
sigmundv has quit [Ping timeout: 240 seconds]
<stites>
mmm... I don't know? I was assuming that if I build in a sandbox I wouldn't see any instances of the older package
the-kenny has quit [Client Quit]
<stites>
I'm still figuring nix out : )
<symphorien>
Ah
the-kenny has joined #nixos
<symphorien>
Use nix show-derivation to check what nix understood you wanted to build
<symphorien>
Did you change the sha256 of the source ?
<Guanin>
Oh, I found out why the binary is not patched - patchelf fails with "cannot find section .interp"
<symphorien>
Alternatively you can just change one figure of the sha
<symphorien>
,tofu stites
<{^_^}>
stites: To get a sha256 hash of a new source, you can use the Trust On First Use model: use probably-wrong hash (for example: 0000000000000000000000000000000000000000000000000000) then replace it with the correct hash Nix expected.
<stites>
cool beans!
romildo has joined #nixos
maximiliantagher has joined #nixos
erictapen has quit [Quit: leaving]
sanscoeur has joined #nixos
fragamus has quit [Ping timeout: 252 seconds]
orivej has joined #nixos
civodul has quit [Quit: ERC (IRC client for Emacs 26.1)]
<romildo>
How to change the window size used by run-nixos-vm ?
maximiliantagher has quit [Remote host closed the connection]
jperras has joined #nixos
mayhewluke has quit [Ping timeout: 272 seconds]
mayhewluke has joined #nixos
sigmundv has joined #nixos
johann__ has quit [Ping timeout: 252 seconds]
kai_w has quit [Quit: Konversation terminated!]
<{^_^}>
[nixpkgs] @florianjacob opened pull request #50321 → nixos/systemd-resolved: link networkd resolv.conf to dynamic stub resolver → https://git.io/fpYjt
stepcut has quit [Remote host closed the connection]
romildo has quit [Quit: Leaving]
jschievink has quit [Quit: WeeChat 2.3]
<elvishjerricco>
disasm: What do you mean? It should provide the deps. You just have to run the tests with cabal.
stepcut has joined #nixos
peterHK has joined #nixos
johann__ has joined #nixos
<peterHK>
someone has the link to the example of python insane deps (you get random ones each time you install)
<peterHK>
i cant find it anymore and wanna use it to justify why we should just use shell.nix for python deps (which makes also my life much easier for making container with lib.dockertools)
<peterHK>
and we would also contribute a lot to add new python packages
<Berra>
I can not find a reason why the symlinks would be broken
<emily>
I want /nix/store/*-fontconfig-*/etc/fonts/conf.d/10-scale-bitmap-fonts.conf in my /etc/fonts. is there a convenient way to do that with NixOS's font configuration?
<emily>
or should I just use environment.etc to set up a symlink?
johann__ has quit [Quit: Leaving.]
johann__ has joined #nixos
peterHK has quit [Ping timeout: 256 seconds]
maximiliantagher has quit [Remote host closed the connection]
<{^_^}>
[nixpkgs] @NeQuissimus pushed 2 commits to release-18.03: https://git.io/fpOkC
<{^_^}>
[nixpkgs] @NeQuissimus pushed 3 commits to release-18.09: https://git.io/fpOkW
johann__ has quit [Quit: Leaving.]
drakonis has joined #nixos
johann__ has joined #nixos
johann__ has quit [Client Quit]
<hyperfekt>
I'm doing very cursed things and am stuck on using curl in buildCommand, it doesn't seem to have network access. Any flag I can set to fix that?
<hyperfekt>
I thought it was only disallowed when using sandboxing.
<LnL>
don't know what you're trying to do but sounds evil
<hyperfekt>
LnL: it very much is, but i'm making the derivation __impure
<LnL>
curl in buildCommand ~= fetchurl
<{^_^}>
[nixpkgs] @matthewbauer merged pull request #50244 → make-wrapper should use runtimeShell, not $SHELL, for cross-compilation → https://git.io/fpqvM
<{^_^}>
[nixpkgs] @matthewbauer pushed 2 commits to staging: https://git.io/fpOLm
<{^_^}>
[nix] @edolstra merged pull request #2228 → use editline instead of linenoise(-ng) → https://git.io/vh6We
<hyperfekt>
yeah, i'm currently trying to figure out how to make it work with fetchurl, but first i wanted to make sure i understand what im doing (wrong) so far.
<sphalerite>
what you're doing wrong: trying to access the network in a pure derivation ;)
<averell>
sandbox default to true was changed in 18.09
maximiliantagher has quit [Remote host closed the connection]
<simpson>
hyperfekt: Why can't you use fetchurl?
orivej has quit [Ping timeout: 245 seconds]
maximiliantagher has joined #nixos
<hyperfekt>
simpson: I think I can, I just thought if curl can't access the network fetchurl wouldn't be able to, either.
drakonis has quit [Quit: WeeChat 2.3]
Itkovian_ has joined #nixos
<averell>
it's not technically part of the actual build. the point is to have reproducibility, or sort of referential transparency for the derivation. so you give it an URL and a checksum, that build will always be the same. some shell script with a curl might have some completely different artifact injected for example.
maximiliantagher has quit [Ping timeout: 244 seconds]
Itkovian has quit [Ping timeout: 252 seconds]
<ottidmes>
clever: I could not make it work with LD_PRELOAD, probably because it itself is doing something similar (its a Core .NET program), with GDB I can make it close the fd to /dev/log or change it to /dev/null, but it restores itself afterwards. (I could of course loop and if its up again close it again, but thats just ugly)
Itkovian has joined #nixos
<clever>
ottidmes: namespacing is next then? lol, chroot it and delete /dev/log!
<clever>
ottidmes: or just file an upstream issue asking it to shut up :P
<ottidmes>
clever: the latter was one of the first things I did, but it's been open for quite some time by others with similar problems
<clever>
ottidmes: a more extreme fix, patch glibc to include your connect() change, and then link against that patched one
Itkovian_ has quit [Ping timeout: 272 seconds]
<clever>
then PRELOAD wont be involved!!
<ottidmes>
lol
<clever>
its nix, you can trivially run a custom glibc for things like that, and not have any problems!!
<ottidmes>
clever: so I've still got 2 options left, cool :) (not counting the horrible gdb loop)
<ottidmes>
with chroot, can you just say, keep everything as is, except for this particular file, do as if it not exist or change that one to /dev/null, or is it quite invasive (meaning I might solve my issue, but get ton of others in return)
<clever>
ottidmes: with namespacing you can just mount --bind the host root to / and then mount --bind /dev/null to /dev/log
Itkovian_ has joined #nixos
Itkovian has quit [Ping timeout: 245 seconds]
<hyperfekt>
averell: The whole point is for the build to not always be the same, I'm trying to do autoupdating vscode extensions. My reasoning being that if I find something breaks, I can still go ahead and fix the version.
gm152 has joined #nixos
<simpson>
Okay, but that's not really how Nix works.
<ottidmes>
clever: thats indeed exactly what I want, now I just have to figure out how to actually do so :P
gm152 has quit [Quit: WeeChat 2.3]
<hyperfekt>
simpson: I understand that - but the alternatives are either manually updating all those extensions, or not managing them with Nix at all. I don't like it either.
<simpson>
hyperfekt: I don't mean "I don't like this, this isn't how the Nix community works", I mean that at a technical level, autoupdating is the kind of thing that Nix is designed to prevent, tame, and manage.
<__monty__>
I would think it lends itself well to automatic updates. If anything goes awry you can just roll back.
<averell>
you could find helpful scripts that update the actual derivations. that way you get reproducibility, and easy updates.
<averell>
that stuff is done in various places, for example r packages, idea IDEs etc.
philippD has joined #nixos
crmlt has joined #nixos
<ottidmes>
you could also opt to keep it outside of nixpkgs in its own repo that contains the generated derivations and an overlay, but maybe that is not necessary, I do not know what the status is of fast updating packages and nixpkgs
<averell>
right, that way there's even a chance someone else does the work for you :)
<hyperfekt>
What would be the effective difference between running a script to update the derivations before every rebuild and downloading the latest version number and hash to choose create a correct derivation during the rebuild? Unless I implement some kind of rollback for the former anything but the most current derivation is lost, anyway. And either way I still have the old derivations in the store in case I want to choose a different gener
EarlDeLaWarr has joined #nixos
asymmetric has quit [Ping timeout: 245 seconds]
argo has joined #nixos
<averell>
the first way makes the inputs to your derivation explicit, like running a function. with random network access during the build, that is a very hard problem and can not be guaranteed.
<averell>
and the design was to go for maximum purity. to prevent accidents (because it's not even obvious such things happen) there is a sandbox.
maximiliantagher has joined #nixos
gm152 has joined #nixos
civodul has joined #nixos
Ridout has quit [Quit: leaving]
vk3wtf has joined #nixos
<emily>
the difference is just that one works with nix's model and the other doesn't
<hyperfekt>
So the idea is that if something goes wrong I have the generated derivations to tell me what happened? My trouble understanding here is that while the build itself may become pure, the two systems as a whole are still equally impure - where is the difference between reading the derivations from a file whose contents come from the network or reading them from the network, except that one of the two persists?
<simpson>
hyperfekt: Also writing down the hashes and checking the hashes, and doing it all in a way that can't be cheated.
<hyperfekt>
Sorry if I'm being a bit dense, but I'd really like to understand instead of just saying 'ok, i won't do that then'
<hyperfekt>
simpson: Sensible, but realistically I'm never ever going to compare those hashes with a different source before rebuilding.
<simpson>
hyperfekt: Okay, but you're still trying to negotiate your social behaviors against a technological system.
crmlt has quit [Ping timeout: 244 seconds]
<__monty__>
hyperfekt: Yes, mixing pure and impure behavior begets impure behavior. That doesn't mean purity is useless. Look at haskell for example.
<hyperfekt>
Yeah, I keep being told it's technologically impossible, which I'm ready to accept - but I haven't seen a reason: Can I not import a nix expression from a derivation? Or can I not access the network after all?
<hyperfekt>
Mind that I'm not using the impure derivations themselves as the extensions, the extensions' derivations themselves remain pure.
<simpson>
curl can't access the network, but fetchurl should be able to.
<symphorien>
hyperfekt: you can import a nix file from a derivation. It is called ifd (import from derivation)
<simpson>
The difference being that fetchurl knows in advance what it's going to go out and get.
<symphorien>
hydra and some flags to the nix evaluator can disable this, though
<symphorien>
also, builtins.fetchTarball does not require a hash, if you want an impure thing
<symphorien>
it will cache the result for 1 hour iirc and on the next time, redownload
mmercier has quit [Ping timeout: 252 seconds]
<hyperfekt>
Oh, it's only the fetchTarball that doesn't require a hash? Curious. I had assumed if it was true for both fetchGit and fetchTarball it was also true for fetchurl
<symphorien>
fetchurl is from nixpkgs, fetchTarball is a nix builtin
<hyperfekt>
Then I'll have to make a PR to the docs
<symphorien>
ah my bad it does exist
<symphorien>
TIL
<clever>
nh2: replace-dependency.nix is a pure action that jussssst sed's paths as it recursively copies things
<clever>
nh2: you want an override
<symphorien>
but in any case, fetchurl and builtins.fetchurl are different functions, hyperfekt
<symphorien>
because (usually) fetchurl is the one from nixpkgs
<hyperfekt>
Yes, one of them doesn't require me to pass a hash :b
<hyperfekt>
Sorry ^^
<nh2>
clever: I'm not sure what to override though; just sticking the patched glibc into `librarySystemDepends` doesn't seem to have any effect
<nh2>
clever: actually, that's wrong:
<Guanin>
strange, patchelf exited without an error, but the interpreter is unchanged
<clever>
nh2: yeah, you need to patch the gcc
<clever>
nh2: one sec
<clever>
overrideCC
<clever>
hmmm, close
<nh2>
clever: it has the effect that `Setup.hs build` immediately segfaults because the thing in the dynamic loader isn't the same libc version as the one I put into LD_LIBRARY_PATH or LD_PRELOAD
<clever>
nh2: looking at the musl stuff should help
mekeor has joined #nixos
<clever>
> pkgsCross.musl64.haskellPackages.hello
<clever>
nh2: that is a build of the hello world app, using 64bit musl
<clever>
looking at how it uses a different glibc should answer your question
<hyperfekt>
If there was a way to have the derivation-updating script execute before the autoupgrade-rebuilds I'd be fine with working on a version that pulls the list of packages out of the config.
<nh2>
clever: I managed to patch it straight into the normal glibc, but that obviously has the undesired side effect of building all my stuff with the patched glibc, which takes over 12 hours. So I'd like to link only my final Haskell package against the patched glibc.
<nh2>
(this is why I was hoping I could go the replace-dependency.nix way)
<hyperfekt>
Oh, I think I actually can. That's great. Because y'all have me convinced, I don't want my build to fail just because e.g. Microsoft's servers don't respond
<clever>
nh2: the cross-compile logic should handle most of that
<clever>
nh2: it will then have a host glibc and a target glibc
stites has quit [Ping timeout: 245 seconds]
<nh2>
clever: I'm not quite sure where I have to stick the thing though, how I can turn my one haskell package into something akin to pkgsCross.musl64.haskellPackages.hello
<clever>
nh2: but a check with nix-build reveals it still has to compile a new ghc
<clever>
nh2: you would need to create a new cross-compile target like musl64, that uses your patched glibc
<simpson>
hyperfekt: That's the problem with using software that doesn't belong to you; you never can be sure how reliable its owners are.
<clever>
what exactly needs that new glibc?
<simpson>
(There's the possibility of mirroring, and nixpkgs supports that, but probably not for MSFT's closed-source stuff.)
<nh2>
clever: in my Haskell app I call malloc_info() to show the amount of malloced memory in an EKG monitoring graph. But it turns out malloc_info() has a bug, reporting some numbers as always 0, so I patched that
<clever>
ahh
<hyperfekt>
simpson: Many of the vscode extensions link their repo, maybe some day in the future that would be a way to bypass Microsoft entirely.
<clever>
nh2: what if you just LD_PRELOAD a .so that replaces malloc_info() ?
<clever>
nh2: if you import the right headers (and it has no static top-level vars in the file), the linker will just give it access to the internal state
<simpson>
hyperfekt: Oh, yes, it's absolutely possible to build from repo with Nix. Indeed, that's the more common way to do things; shipping binaries usually means either that the build process is difficult to replicate or that we don't have the license/source to rebuild them.
<bsima>
hi, i'm adding some python packages. Should I base my commits on master, or release-18.09 branch?
<clever>
nh2: that allows you to transparently replace any function you want, and you can then optionally use `dlsym(RTLD_NEXT` to lookup the original version
<clever>
nh2: in theory, you can just copy the entire __malloc_info function to its own file, compile it to a simple .so, and then LD_PRELOAD it
<nh2>
clever: the problem is though that __malloc_info makes use of all kinds of CPP macros and other functions locally defined in that C file -- how shall I get at them?
<clever>
nh2: copy them over as well
<clever>
ugly, but it should work
<hyperfekt>
simpson: Given that they all seem to be created with npm, it might be possible to entirely automate it. Otherwise I think it might be out of scope for the near-to-mid future.
<clever>
weak_alias (__malloc_info, malloc_info)
<clever>
nh2: also not sure what this does, so you may need to name it malloc_info also
<hyperfekt>
simpson: Given that there's such a huge number of extensions, that is.
<simpson>
hyperfekt: There's some npm support in nixpkgs. As you get more used to Nix, it'll probably seem less daunting. Many folks write scripts to ease the tedium.
<nh2>
clever: I guess the `weak_alias (__malloc_info, malloc_info)` below does the exporting
<clever>
nh2: in c, all functions are exported by default, and you have to define it as static to not export it
<nh2>
clever: right, I mean that bit is what gives it its final name
<clever>
yeah
<nh2>
clever: how can I make sure that I can actually compile that file with its various imports? I expect that glibc has the command line to compile it carefully crafted with some autoconf invocation
<clever>
nh2: yeah, thats also a hard question to answer
<hyperfekt>
simpson: That's less what I meant, just that it may not be worth the burden of updating tons of packages manually that have their own package management already. I was thinking of something like what R uses to automate the process.
<simpson>
hyperfekt: Oh, it's absolutely the other way around here, in that we generally don't trust language-specific package managers to do the right thing.
<nh2>
clever: as an alternative, I would also be very happy to recompile everything on the path gcc->ghc->mypackage, but I'd like to avoid to build other large software like Chromium or Ceph with the patched glibc. But I'm not sure where to stick that patched glibc for this approach
<clever>
nh2: when you import nixpkgs, pass the override there
betaboon has quit [Quit: WeeChat 2.2]
<clever>
let pkgs = import <nixpkgs> { config.packageOverrides = pkgs: {...}; }; in ...
<clever>
nh2: do that inside your default.nix/shell.nix, and it will only impact things using that file
<clever>
and chrome should be part of the host nixos, and will ignore it
jtojnar_ has joined #nixos
jtojnar has quit [Read error: Connection reset by peer]
jtojnar_ is now known as jtojnar
random_yanek has quit [Ping timeout: 268 seconds]
<nh2>
clever: I already have a distinction `nixpkgs = import <nixpkgs> { custom stuff }` and `unmodified_nixpkgs = import <nixpkgs> {};` in my files, but I'm having the added trouble that if I put my patched glibc into `nixpkgs = import <nixpkgs> { config.packageOverrides = {...} }`, it doesn't seem to be picked up at all
<clever>
nh2: and the stdenv stuff is a bit protected, let me see what has happened to it lately
<clever>
nh2: you can also try { overlays = [ (self: super: { ... }) ];
<clever>
nh2: also note that if you dont specify a config=, then the ~/.nixpkgs/config.nix gets loaded, and can cause unexpected problems
<Berra>
Anyone have any insight as to why the symlinks would be broken?
<ottidmes>
is there an easy way to get sh/bash to just run the arguments as they would evaluate them, so: sh --magic cmd1 arg1 arg2 "$foo" ; cmd2 "${bar[@]}" test, so that I do not have to convert it in a valid shell script first making sure that my string arguments are quoted correctly and all that
<nh2>
clever: I had high hopes for replace-dependency.nix because the example suggests it was designed for replacing glibcs. But I don't understand why it doesn't work on `env`
<clever>
nh2: it doesnt work in a shell, because it acts after the build has finished
<clever>
nh2: its basically just cat $in/bin/foo | sed > $out/bin/foo
<nh2>
clever: right, but doesn't the .env that starts me a shell also simply have references to the old glibc in its closure that I can replace with the same sed approach?
<clever>
sort of, you would have to manually run that after every `cabal build`
<clever>
but that gives me another idea, what if you just prefix LD_LIBRARY_PATH right, or LD_PRELOAD the new glibc, for just the one binary that needs it?
jabranham has quit [Quit: ERC (IRC client for Emacs 27.0.50)]
dbmikus_ has quit [Ping timeout: 252 seconds]
<nh2>
clever: I already tried that, maybe I'm doing it wrong: I'm doing `export LD_PRELOAD=${glibc_patched}/lib/libc.so.6:$LD_PRELOAD`, but then I'm immediately getting `14371:__vdso_time/tmp/nix-shell-9068-0/rc: line 1: 14371 Segmentation fault (core dumped) runhaskell Setup.hs configure `
<nh2>
clever: from my research this is what happens if the glibc in the dynamic loader isn't the same as the one you LD_PRELOAD
<nh2>
but I don't know how it notices that
<nh2>
clever: so, to be concrete, I can enter that nix-shell, but e.g. `ls` also gives `20069:__vdso_timeSegmentation fault (core dumped)`
seku is now known as Guest38764
mekeor has quit [Ping timeout: 268 seconds]
das_j has quit [Ping timeout: 268 seconds]
bgamari has quit [Ping timeout: 250 seconds]
W1lkins_ has joined #nixos
azdle has quit [Ping timeout: 268 seconds]
<clever>
nh2: try it only for the binary that uses malloc_info, dont set the var with export
azdle has joined #nixos
Guest38764 has quit [Ping timeout: 268 seconds]
imincik has quit [Ping timeout: 268 seconds]
W1lkins has quit [Read error: Connection reset by peer]
<nh2>
clever: hmm, that probably destroys my nix-shell use case though, which is running the thing from ghci
vk3wtf has joined #nixos
rprije has joined #nixos
<ottidmes>
clever: I got it working, but in doing so, I figured out why my LD_PRELOAD approach did not work, after failing to write to /dev/log, it for some reason removes the binary XD, so afterwards I get ENOENT errors... I am now getting the binary back and trying a regular file instead of /dev/null
<clever>
nh2: oh, and ghci will likely have a lot of the same problems, because its dynamic loading
<clever>
nh2: only compiled things would avoid the dynamic issue
<clever>
ottidmes: try just returning -ENOENT, dont remap it to another path
<clever>
ottidmes: also, double-check what the real connect returns if you give it a socket that doesnt exist
<clever>
ottidmes: oh wait, not `return -ENOENT;` its `errno = ENOENT; return -1;` i believe
<nh2>
clever: do you know why it segfaults? Maybe it's some check I can just turn off given that I know my change is binary compatible
<clever>
nh2: if you flip this on, and `ulimit -c unlimited`, then systemd will save coredumps for everything, you can then use `coredumpctl gdb <pid>` as root to inspect how it failed
<clever>
nh2: i leave that enabled on most machines, and it makes it trivial to inspect an unexpected chrome segfault
IRCsum has quit [Ping timeout: 245 seconds]
ma27 has quit [Ping timeout: 268 seconds]
CapsLock has quit [Ping timeout: 268 seconds]
hyperfekt has quit [Ping timeout: 256 seconds]
IRCsum has joined #nixos
ma27 has joined #nixos
<aanderse>
when i get a "error: timed out waiting for the VM to connect" for running a nixos test in a vm
<aanderse>
how do i tell my vm to not care and just keep going?
<nh2>
clever: I also have coredumps on (though not via systemd-coredump because I found it to be 100x slower in writing the core file for unknown reasons)
c0bw3b_ has quit [Remote host closed the connection]
<ottidmes>
clever: I remembered that LD_PRELOAD did not work regardless of what I did, the same holds true after testing with unshare, even if I do not rebind anything, it will fail on the connect ENOENT /tmp/CoreFxPipe_*
dbmikus has quit [Remote host closed the connection]
wchresta has quit [Read error: Connection reset by peer]
<hyperfekt>
I've thrown something together that will create derivations for all specified extensions on the automatic rebuild, but I'm still looking for an elegant way to have it run before manual rebuilds - otherwise adding an extension won't have an immediate effect.
<ottidmes>
nh2: you also needed to patch an existing executable with a custom glibc? If so, I very much want to know too :)
voiceftp has quit [Remote host closed the connection]
voiceftp has joined #nixos
<nh2>
ottidmes: I wrote it up on https://github.com/NixOS/nixpkgs/issues/50329. I suspect that if you only have to patch *one* executable, then `patchelf` in combination with `LD_PRELOAD` will probably work. I need to patch a whole environment though
<{^_^}>
#50329 (by nh2, 1 hour ago, open): How to override glibc with a patch for a specific package?
<ottidmes>
nh2: LD_PRELOAD does not work for me :( I tried with a simple pass through function, and the program I am trying to patch does not work correctly anymore
hyperfekt has quit [Ping timeout: 256 seconds]
erasmas has quit [Quit: leaving]
Itkovian has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<azazel>
what's the story with systemd.user.services? Configuring a service under it will spawn a process for every configured user?
romanofskiWork has joined #nixos
slack1256 has joined #nixos
<ottidmes>
azazel: I believe so, depending on its wantedBy and such, I recently also learned you can set unitConfig.ConditionGroup to specify the group the users should belong to
<azazel>
ottidmes: ah, thanks, there is also ConditionUser ;-)
<{^_^}>
[nixpkgs] @hedning pushed 31 commits to gnome-3.30: https://git.io/fpO06
<ottidmes>
azazel: Thanks to you giving me that link I now no longer see it as a true security measure, but it is still a good security through obscurity measure, as in, objectively it's apparently not secure, but in practice, it fulfills its function of preventing access
<azazel>
to some extent, yes
<ottidmes>
azazel: but unfortunately that is true for almost all security ;)