#nixos — irc logs

16:32 <clever> coco: allow port 5000 udp?

16:05 <clever> ocharles: looks like the children survived, systemd will likely -9 them

16:02 <clever> ocharles: id reboot then

16:02 <clever> ocharles: -9 to the head then, lol

16:01 <clever> ocharles: upgrade to -term ?

16:00 <clever> kill -int 22414 27332

16:00 <clever> id just kill (-int) both of those nix-daemons (not their children)

15:59 <clever> as-is 27319

15:59 <clever> except 22401 is missing

15:59 <clever> ocharles: pid 22401 and 27319 are doing something with those nix daemons

15:58 <clever> the filesystem shouldnt allow that

15:57 <clever> sounds like fs corruption?

15:56 <clever> ocharles: can you pastebin `ps -eH x` ?

15:21 <clever> evanjs: thats easy enough, it has its own nixos config

15:20 <clever> ah

15:19 <clever> evanjs: thatll do it

15:19 <clever> evanjs: i think path-info doesnt show closure? but maybe it does now

15:18 <clever> evanjs: oops, yeah, -qR

15:18 <clever> ocharles: and check what generic-builder.nix did with .env

15:17 <clever> ocharles: what about ghcWithPackages?

15:16 <clever> evanjs: that will tell you how big everything it depends on is, and sort by size

15:16 <clever> evanjs: `du -hc --max=0 $(nix-store THATPATH) | sort -h`

15:13 <clever> evanjs: yep, now `nix-store -r /nix/store/8fz04l5n1zrjm2b5bflvraf8w1zn3754-nixos-system-nixos-19.09.1647.2e73f72c87e.drv` to find its output

15:12 <clever> there should be one that looks like a nixos build, with a channel name or something

15:12 <clever> evanjs: nix-store -qR /nix/store/gq9y41i9zkradkfv294bgh8y80dsa1qz-initrd.drv | grep system

15:11 <clever> evanjs: nix-store -q --deriver /nix/store/jxj92yj8xjb773dq5afm79aq7sq2gwvc-initrd

15:08 <clever> evanjs: what is the storepath for your initrd?

14:20 <clever> not sure why yours is bigger

14:20 <clever> -r--r--r-- 1 root root 286M Dec 31 1969 rescue-initrd

14:20 <clever> Filesystem Size Used Avail Use% Mounted on

14:20 <clever> /dev/sda2 488M 422M 32M 94% /boot

14:19 <clever> evanjs: boot.loader.grub.extraFiles is what copied things to /boot for you

13:40 <clever> bbl

13:37 <clever> evanjs: need nodev there to keep it happy

13:35 <clever> boot.loader.grub.efiSupport = true;

13:34 <clever> evanjs: boot.loader.grub.devices = [ "nodev" ]; to make it shut up

13:34 <clever> evanjs: grub.devices is only if your not using efi

13:32 <clever> evanjs: just `nixos-rebuild switch --install-bootloader` and your done

13:31 <clever> evanjs: just switch to grub, youll thank me for it :P

13:31 <clever> the memtest86 support is specialy coded directly into systemd-boot-builder.py

13:30 <clever> i dont think systemd-boot has an option at all to add custom configs

13:30 <clever> ah, its using a new memtest86-efi package

13:29 <clever> thats new...

13:26 <clever> evanjs: memtest doesnt work under systemd-boot, it doesnt support efi

13:23 <clever> brnzz: then wrap the program with a shell script, that will copy from $out to the \$HOME, if the files are missing

13:22 <clever> evanjs: currently only tested on grub, but if you figure out how to add extra entries to systemd-boot, you can fix that

13:22 <clever> evanjs: https://github.com/cleverca22/nixos-configs/blob/master/rescue_boot.nix

13:22 <clever> evanjs: one min

13:21 <clever> brnzz: it should read $HOME at runtime, not build time

13:19 <clever> just pass imports plain paths, nothing more

13:19 <clever> without any fuss

13:19 <clever> pie_: if you use imports, the merging happens automatically

13:18 <clever> brnzz: configure it to use $HOME for the state

13:11 <clever> pie_: you can also just define more nixos options

13:08 <clever> pie_: i think you want to just stop trying to call extra and nop_fun, just insert raw paths, and use _module.args

13:08 <clever> decoding...

13:04 <clever> the outer config takes a module, which can optionally have a config key

13:04 <clever> pie_: i think you want containers.retiolum.config.config then?

13:01 <clever> so you want imports = [...]; config = mkMerge [];

13:01 <clever> imports isnt a child of config, its a sibling

13:00 <clever> the errors get nasty if you dont

13:00 <clever> pie_: imports can accept sets or functions, or paths, its best to just always give it a path

12:59 <clever> pie_: just call mkMerge with a list? or use imports?

12:58 <clever> but it was computing the closure before running nix-build

12:58 <clever> the snack project has something similar

12:42 <clever> ocharles: the nix expr can probably run storePath for you, after you --argstr

12:40 <clever> that might work?

12:40 <clever> its now referencing the original, but its not tagged as a drv

12:40 <clever> "inputSrcs": [

12:40 <clever> "/nix/store/yhzvzdq82lzk0kvrp3i79yhjnhps6qpk-hello-2.10"

12:40 <clever> :q

12:40 <clever> «derivation /nix/store/j0naavgvinx348daarkqwpzhnsfxmbkp-name.drv»

12:40 <clever> nix-repl> builtins.derivation { name = "name"; foo = builtins.storePath /nix/store/yhzvzdq82lzk0kvrp3i79yhjnhps6qpk-hello-2.10; builder = "bar"; system = "x86_64-linux"; }

12:40 <clever> "string"

12:40 <clever> nix-repl> builtins.typeOf (builtins.storePath /nix/store/yhzvzdq82lzk0kvrp3i79yhjnhps6qpk-hello-2.10)

12:39 <clever> but you need an existing string with the context you want

12:38 <clever> and string appends spread it like a plague :P

12:38 <clever> LnL: note that even a single character of a string, has all of the strings context

12:36 <clever> correct

12:36 <clever> it treats it identically to `src = ./.`

12:36 <clever> "inputSrcs": [

12:36 <clever> "/nix/store/yz7398ad4nwarp502pzhl6s56s1kii6n-yhzvzdq82lzk0kvrp3i79yhjnhps6qpk-hello-2.10"

12:35 <clever> $ nix show-derivation /nix/store/3alg0nw6p214ah0w31mnd6mw27z6hgk1-name.drv

12:35 <clever> «derivation /nix/store/3alg0nw6p214ah0w31mnd6mw27z6hgk1-name.drv»

12:35 <clever> nix-repl> builtins.derivation { name = "name"; foo = /nix/store/yhzvzdq82lzk0kvrp3i79yhjnhps6qpk-hello-2.10; builder = "bar"; system = "x86_64-linux"; }

12:33 <clever> nix-repl> "${toString /nix/store/yhzvzdq82lzk0kvrp3i79yhjnhps6qpk-hello-2.10}"

12:33 <clever> "/nix/store/yhzvzdq82lzk0kvrp3i79yhjnhps6qpk-hello-2.10"

12:33 <clever> LnL: toString bypasses the copy

12:32 <clever> why did i see otherwise, elsewhere...

12:32 <clever> ack!

12:32 <clever> "/nix/store/yz7398ad4nwarp502pzhl6s56s1kii6n-yhzvzdq82lzk0kvrp3i79yhjnhps6qpk-hello-2.10"

12:32 <clever> nix-repl> "${/nix/store/yhzvzdq82lzk0kvrp3i79yhjnhps6qpk-hello-2.10}"

12:32 <clever> ive only seen it copy when using a symlink to the store

12:31 <clever> since its already immutable

12:31 <clever> if the item is already in the store, it wont copy it

12:31 <clever> ocharles: and no toString on that value?

12:30 <clever> ocharles: the key is --arg, not --argstr

12:30 <clever> ocharles: if the ghc is already in the nix store, it will just use it, and it already has deps

12:29 <clever> ocharles: you could just pass it the path to a ghc, --arg ghc $(which ghc)

12:27 <clever> only something that nix-build is building can have deps

12:27 <clever> ocharles: nix-store --add cant deal with any dependencies

12:27 <clever> ocharles: sounds like you just want to run `nix-build ghc.nix --arg file ./file.hs` basically

12:23 <clever> ocharles: if you call builtins.derivation with the right args, it should create that

12:23 <clever> that just tells it how to pretty-print the object

12:23 <clever> yeah

12:22 <clever> the other attrs are just misc data, that let you do other things with the object

12:22 <clever> > let foo = { outPath = "bar"; }; in "${foo}"

12:22 <clever> ocharles: if a set has an outPath and you try to treat it as a string, it just uses whatever the outPath is

11:48 <clever> if you know which nixpkgs it came from, its much simpler

11:48 <clever> ocharles: and then incrementally recreate the nix expression

11:47 <clever> ocharles: you can use nix-diff to compare 2 .drv files

10:56 <clever> siers: then generates a shell script that takes over the old binary name

10:56 <clever> siers: it renames the binary to .binary-wrapped

07:47 <clever> pie_: dig +trace, will explain it

07:46 <clever> pie_: dig will obey /etc/resolv.conf by default, but it bypasses nscd

07:45 <clever> pie_: dig

06:54 <clever> your welcome

06:34 <clever> i prefer having it in a $HOME, so i dont have to cd as far

06:34 <clever> user preference again

06:33 <clever> but its mostly user preference at that point

06:33 <clever> pie_: thats why i keep it in /root/ instead

06:30 <clever> inferencerules: then you dont need any symlinks, and that might have also fixed it

06:30 <clever> inferencerules: what i would instead do, is create a /etc/nixos/configuration.nix, that has just 1 line: { imports = [ /home/clever/nixcfg/configuration.nix ]; }

06:28 <clever> inferencerules: was it setup the exact same way before the upgrade failed?

06:25 <clever> could be interesting to try and reproduce it

06:25 <clever> inferencerules: any symlinks happen to be involved in that file?

06:25 <clever> id expect builtins.genericClosure to detect that, but maybe symlinks are breaking it

06:23 <clever> inferencerules: https://github.com/inferencerules/dotfiles/blob/master/nixos-configs/configuration.nix#L13 configuration.nix is loading configuration.nix

06:22 <clever> inferencerules: and there are no local differences?

06:19 <clever> inferencerules: can you pastebin the configuration.nix file?

06:16 <clever> inferencerules: re-run it with `nixos-rebuild build -vv` and see what it says

06:16 <clever> inferencerules: that definitely sounds like it could be infinite recursion

06:15 <clever> inferencerules: start by doing `strace -p 4520 -f`, does it output anything?

06:14 <clever> inferencerules: so i can give directions for the next steps

06:12 <clever> inferencerules: which pid is consuming 100% cpu?

06:06 <clever> inferencerules: how fast is the cpu, how long has it been running?

06:01 <clever> inferencerules: that sounds like decompression on the tar file for channels

04:50 <clever> matthuszagh: phases="unpackPhase patchPhase configurePhase buildPhase" genericBuild

04:08 <clever> juxiemaotu: are there any errors at the tail end of dmesg?

04:05 <clever> juxiemaotu: just run `dmesg` in the terminal

04:01 <clever> juxiemaotu: did you check dmesg?

03:55 <clever> juxiemaotu: anything interesting in dmesg?

17:16 <clever> tobiasBora: yeah, the -env- in the middle is a sign of it likely just being a bash script that changes env vars to make weechat find plugins

17:14 <clever> pie_: and EnvironmentFile says to load that, based on the %i (the name after the @)

17:14 <clever> pie_: nixos creates a /etc/containers/foo.conf file, that contains the HOST_ADDRESS=

17:13 <clever> pie_: https://github.com/NixOS/nixpkgs/blob/59edab3a476de70a6325e0194aaef23e0f25cc5a/nixos/modules/virtualisation/containers.nix#L772-L794

17:10 <clever> tobiasBora: typically config files dont have version numbers in the names

17:10 <clever> tobiasBora: half memorizing the name and purpose of every single package, half looking for version numbers

17:10 <clever> pie_: you could also read some of those attrs

17:09 <clever> pie_: .environment on all of the services, is set to a set from a let block

17:09 <clever> pie_: https://github.com/NixOS/hydra/blob/master/hydra-module.nix#L310-L332

17:09 <clever> getting link...

17:08 <clever> pie_: hydra already does that

17:06 <clever> tobiasBora: and a quick skim over it says that the "biggest" thing your building is a single perl package, the rest are just configs

17:06 <clever> tobiasBora: i dont see any kernel in that pastebin, only linux-modules (a buildEnv) and modules-shrunk (the closure used by the initrd)

17:05 <clever> and due to hydra pre-building things, it wont have to compile anything

17:05 <clever> tobiasBora: and only if that build is green, will i know that nixos-rebuild switch can pass without errors

17:05 <clever> tobiasBora: personally, i have my own hydra setup, to build my entire nixos config, against the latest version of a channel

17:03 <clever> pie_: ive played a bit with namespacing, and read over how nix creates a namespace with only lo, but i havent seen the code yet to create a linked pair of ve- IF's in seperate namespaces

17:02 <clever> pie_: probably

17:00 <clever> pie_: https://hydra.nixos.org/job/nixpkgs/trunk/qtcreator.aarch64-linux#tabs-charts

16:59 <clever> and you have no way to know if an override has been applied to that drv

16:59 <clever> but, dry-run shows drv files, not attrs

16:59 <clever> pie_: enless you look up the build graphs for an attr overall

16:59 <clever> pie_: i think so, but you need to know which eval its in, which means knowing the nixpkgs rev

16:57 <clever> tobiasBora: and if it hangs for more then a minute on a certain job, look at the job names

16:57 <clever> tobiasBora: one thing that i find helps, is `nixos-rebuild -Q` to hide the build logs, then you can see what it is building

16:56 <clever> tobiasBora: not much you can do for that, you just have to learn what package names are cheap and what are expensive, and skim over the list

16:43 <clever> keithy[m]: https://github.com/cleverca22/nixos-configs/blob/master/router.nat.nix#L96 and the zone file is in the same repo

16:43 <clever> keithy[m]: i just use proper bind when i want a dns server, ive never messed with dnsmasq

16:33 <clever> keithy[m]: the entire 127.*.*.* is loopback

16:33 <clever> tobiasBora: nixos-rebuild dry-run

16:33 <clever> tobiasBora: nix-build --dry-run

16:32 <clever> keithy[m]: thats localhost, the loopback ip

16:31 <clever> keithy[m]: i believe its based on your hostname

14:29 <clever> ocharles: i'm not sure if it accepts both or not, and didnt think it kept logs for failures

14:27 <clever> ocharles: there is also `nix-store -l /nix/store/foo`

10:40 <clever> /home/clever/apps/nixpkgs/pkgs/development/compilers/kotlin/default.nix: wrapProgram $out/bin/$p --prefix PATH ":" ${jre}/bin ;

10:39 <clever> /home/clever/apps/nixpkgs/pkgs/development/tools/gometalinter/default.nix: wrapProgram $bin/bin/gometalinter --prefix PATH : "${makeBinPath runtimeDeps}"

10:38 <clever> siers: the wrapProgram function will generate that script for you

09:51 <clever> inferencerules: usually when things get that corrupt, your only option is to delete the entire /nix and re-run nixos-install from a livecd

15:37 <clever> pie_: not that i know of

15:15 <clever> siers: yeah

15:15 <clever> siers: its much simpler to have a default.nix that imports nixpkgs, and uses callPackage for you

15:15 <clever> siers: only if you use -E and callPackage yourself

15:13 <clever> siers: yes, but it will be a lot simpler to make a default.nix and then `nix-env -f . -iA foo`

15:01 <clever> rizary_: correct

14:57 <clever> rizary_: so for configurePhase and onwards, the current directory is the writable copy of the src

14:56 <clever> rizary_: the stdenv will also cd into the copy after unpackPhase has run

14:56 <clever> rizary_: its $NIX_BUILD_TOP, which would be something like /tmp/nix-build-name-0/

14:54 <clever> DigitalKiwi: callCabal2nix is IFD, which isnt allowed within nixpkgs

14:53 <clever> rizary_: yeah, the sandbox stops you from doing anything thats completely unsafe

14:52 <clever> rizary_: you need to `chmod +w -R $out` to fix those permissions, and let you modify $out further

14:52 <clever> rizary_: if you use `cp $src $out`, then cp will preserve the fact that the contents of $src where read-only

14:50 <clever> and the buildInputs will only be available at build time

14:49 <clever> since $src is still read-only, you cant add things under $out/foo

14:49 <clever> siers: if $out is a symlink to $src, there is no way to persist those buildInputs at runtime

14:48 <clever> siers: you can just use ./. instead

14:48 <clever> siers: yes, but at that point, your derivation is pointless

14:47 <clever> thats an error saying you cant reach 10.243.77.2

14:47 <clever> thats not a valid reply

14:46 <clever> and then tcpdump the container side of the host<->container link, does that also show the replies

14:46 <clever> pie_: then tcpdump the container, is it sending pings out the vpn? are they coming back?

14:45 <clever> pie_: tcpdump on the far end, is it receiving the packets?

14:39 <clever> buildPhase should build things

14:39 <clever> generally, installPhase should be what writes to $out

14:39 <clever> pie_: it exists, but it would be simpler to just use buildPhase or installPhase

14:38 <clever> you need to chmod +w -R, to make it writable

14:38 <clever> rizary_: the default unpackPhase fixes the permissions for you

14:38 <clever> rizary_: the $src you copied is read-only, and cp preserves that

14:35 <clever> siers: nix-daemon will flag it all as read-only, after your builder exits

14:31 <clever> siers: buildCommand stops unpackPhase from running, so you may want to switch to installPhase instead

14:30 <clever> siers: and id recomend you then copy the files you want to keep to somewhere under $out, along with the scripts themselves

14:30 <clever> siers: the unpackPhase will copy it to $NIX_BUILD_TOP/name, and cd into it

14:30 <clever> siers: `src = ./.;` will copy ./. to /nix/store/hash-name, and set $src to that at build time

14:28 <clever> nd

14:28 <clever> siers: you can also just do cp ${./foo.txt} foo.txt in the buildComma

14:27 <clever> siers: if you do `src = ./.;` then the default unpackPhase will copy the entire directory, and cd into it

14:19 <clever> do i even want to know what your network is doing? lol

14:16 <clever> pie_: that could be done

14:13 <clever> duairc: that works

14:11 <clever> correct

14:10 <clever> which will un-nat things, as it forwards it back to the host

14:10 <clever> when packets come back over the vpn, they will enter the network stack for the container

14:09 <clever> think of the container as its own machine

14:08 <clever> pie_: the "internal" ip is the one from the virtual link between host&guest

14:01 <clever> pie_: https://github.com/cleverca22/nixos-configs/blob/master/netboot_server.nix#L116

14:01 <clever> pie_: nat is trivial to setup with nixos

13:57 <clever> or use NAT in the container, to claim everything came from the containers vpn addr

13:57 <clever> either setup the routing tables on the far end, to be be able to route packets back to you

13:56 <clever> thats your problem

13:55 <clever> pie_: does the far end know how to route 10.0.2.2 backwards?

13:55 <clever> pie_: it needs to know about 10.0.0.0, and to route it back to the vpn addr of that container

13:55 <clever> pie_: the remote node, at the other end of the vpn tunnel

13:51 <clever> pie_: realpath $(which tcpdump)

13:51 <clever> pie_: you may need to setup channels first, simpler to just run tcpdump by absolute path

13:50 <clever> pie_: so if you know the path to tcpdump, you can just run it by absolute path

13:50 <clever> pie_: also, the container has access to the entire /nix/store of the host

13:49 <clever> pie_: nix-env and nix-shell still work in the container

13:48 <clever> pie_: check tcpdump in the container, is it receiving the packets from the host? is it sending them out the vpn?

13:48 <clever> nixooosaaaa: if you keep the replacement string the exact same length as the original, sed could work on a compiled binary

13:47 <clever> pie_: the kernel still keeps up with the lie and uses the ip to know if something is for itself or another machine

13:46 <clever> nixooosaaaa: you dont have to fork the repo, thats what the patchPhase is for, to modify the source at build time

13:39 <clever> nixooosaaaa: and your not able to modify the source before it got compiled?

13:34 <clever> ,xy nixooosaaaa

13:30 <clever> pie_: sounds like it, and they decided to upgrade a node 100's of people where in the middle of using

13:27 <clever> patchelf is operating mainly on the structured part of the file, and leaving the .data untouched

13:25 <clever> nixooosaaaa: its usually not safe to edit binaries with sed, since it uses relative offsets within itself a lot

13:25 <clever> which is also why its so bad :P

13:25 <clever> its a single central node

13:24 <clever> gchristensen: id call that a DoS, not a DDoS

13:23 <clever> pie_: for extra confusion, the kernel has both drm (digital rights management) and drm (direct rendering manager)

13:02 <clever> if you do nat, your forced to keep the reply coming down the same path

13:02 <clever> more, that if you dont do nat, your able to have different paths

12:59 <clever> and send traffic out one, but replies down the other

12:59 <clever> you could have 2 different containers, each with its own vpn link

12:58 <clever> pie_: this shows 2 src/dst pairs

12:57 <clever> ipv4 2 tcp 6 105 SYN_SENT src=192.168.2.11 dst=80.250.4.14 sport=48130 dport=52233 [UNREPLIED] src=80.250.4.14 dst=108.175.80.208 sport=52233 dport=48130 mark=0 use=2

12:57 <clever> [root@router:~]# cat /proc/net/nf_conntrack | head

12:56 <clever> the conntrack table handles that

12:56 <clever> if your not doing NAT, then the reply could come down a different path

12:55 <clever> so the router has to un-fudge it

12:55 <clever> but, when the reply comes back, it will have the "wrong" destination

12:55 <clever> so the router will fudge the source ip

12:55 <clever> and in the case of 10.0.2.2 going to the web, you cant claim ownership of 10.0.0.0/8

12:55 <clever> for the responce to make it back to you, the source ip you claim must also be in the routing tables

12:54 <clever> each hop notices that the dest ip is "wrong", looks it up in its own routing tables, and relays it via the next gateway in the chain

12:54 <clever> yeah

12:53 <clever> the router also had NAT setup, so it will mutate the src ip along the way

12:53 <clever> and forwards it in the right direction

12:53 <clever> and because forwarding is enabled, the router looks that dest up, in its own routing tables

12:53 <clever> the OS within the router, then notices the dest ip is "wrong"

12:53 <clever> the dest mac is what triggers the remote NIC (in the router, in this case) to respond to the packet

12:52 <clever> when your default route says `via 10.0.2.2`, then you lookup the mac of 10.0.2.2, then send things to the public ip (say 8.8.8.8) but the mac of 10.0.2.2

12:52 <clever> you must use ARP to lookup the mac behind an ip

12:52 <clever> on typical ethernet based networks (wifi and ethernet), you can only ever send packets to a mac, never an ip

12:50 <clever> its likely showing up on lo

12:50 <clever> pie_: its the same as sending to 127.0.0.1

12:50 <clever> pie_: nope, linux will notice that that is its own ip, and not even shove it out the interface

12:49 <clever> then it will route it to the guest, via whatever device the guest ip shows up on (routing tables again)

12:48 <clever> it must point to the guest ip

12:48 <clever> via points to 10.250.0.1, the host

12:48 <clever> oh wait, theres the problem

12:48 <clever> yep, that looks fine

12:47 <clever> /12 is 8 + 4

12:47 <clever> 243 0xf3

12:46 <clever> 240 0xf0

12:46 <clever> checking the numbers...

12:46 <clever> pie_: what does `ip route` on the host say?

12:44 <clever> pie_: what IP are you trying to ping?

12:43 <clever> pie_: check the main interface of the host, do you see the ping there?

12:39 <clever> pie_: there should be a virtual if between the host and container, and tcpdump should see it on both ends of that if

12:36 <clever> pie_: and does the container see the ping on its internal IF?

12:36 <clever> pie_: what are the IP's on the host and container side?

12:36 <clever> pie_: so if your pings appear to come from 192.168.2.100, the remote machine will either send a responce out onto the lan (for nobody to hear) or out the main router (onto the general internet, for nobody to hear)

12:35 <clever> pie_: the source ip matters

12:07 <clever> `tcpdump -i IFACE -p -n icmp`

12:06 <clever> tcpdump on every link, and a ping, will show you how far things are getting

12:06 <clever> pie_: and setup a either NAT in the container, or a reverse route so the far end knows how to send replies back

12:05 <clever> pie_: and enable forwarding within the container

2019-12-20

2019-12-19

2019-12-18