GNU bug report logs -
#46297
nix-service-configuration is missing the default /bin/sh
Reported by: John Soo <jsoo1 <at> asu.edu>
Date: Thu, 4 Feb 2021 16:02:01 UTC
Severity: normal
Done: Oleg Pykhalov <go.wigust <at> gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#46297; Package guix. (Thu, 04 Feb 2021 16:02:01 GMT)
Acknowledgement sent to John Soo <jsoo1 <at> asu.edu>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 04 Feb 2021 16:02:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi guix,
I am working with nix at work and I found some issues with the sandbox configuration for nix. The docs say that the default sandbox-paths should have a default mount for /bin/sh:
https://nixos.org/manual/nix/unstable/command-ref/conf-file.html?highlight=Sandbox-paths#description
Default: /bin/sh=/nix/store/zi90rxslsm4mlr46l2xws1rm94g7pk8p-busybox-1.31.1-x86_64-unknown-linux-musl/bin/busybox
I think that means we should add that option to the configuration file.
Thanks!
John
Information forwarded to bug-guix <at> gnu.org: bug#46297; Package guix. (Thu, 04 Feb 2021 18:56:01 GMT)
Message #8 received at 46297 <at> debbugs.gnu.org:
After some review and testing, I am not sure we need build-sandbox-paths
either.
Information forwarded to bug-guix <at> gnu.org: bug#46297; Package guix. (Wed, 21 Apr 2021 15:42:02 GMT)
Message #11 received at submit <at> debbugs.gnu.org:
I ran into the same issue and agree with your conclusion that we
may not need build-sandbox-paths.
Attached a patch that removes the `build-sandbox-paths` option.
This causes nix to use the default value which seems to work fine.
[0001-services-nix-Remove-build-sandbox-items-configuratio.patch (text/x-patch, attachment)]
CC: Oleg Pykhalov who seems to have worked on this.
Thanks,
pukkamustard
Information forwarded to bug-guix <at> gnu.org: bug#46297; Package guix. (Wed, 21 Apr 2021 15:42:02 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#46297; Package guix. (Thu, 22 Apr 2021 07:00:02 GMT)
Message #17 received at 46297 <at> debbugs.gnu.org:
Hi,
The ‘make check-system TESTS=nix’ doesn't succeed with the patch applied
on 13c4a377f5a2e1240790679f3d5643385b6d7635:
--8<---------------cut here---------------start------------->8---
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': woken up
substitution of '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test': goal destroyed
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': all outputs substituted (maybe)
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': all inputs realised
building path '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test'
added input paths
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': woken up
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': trying to build
locking path '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test'
lock acquired on '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test.lock'
removing invalid path '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test'
starting build hook '/gnu/store/0xgj4bz1ac973pw9wr8rhg3z1qc0phf8-nix-2.3.10/libexec/nix/build-remote'
cannot find machines file '/etc/nix/machines'
got 0 remote builders
hook reply is 'decline-permanently'
killing process 186
found build user 'nixbld01'
found build user 'nixbld02'
found build user 'nixbld03'
found build user 'nixbld04'
found build user 'nixbld05'
found build user 'nixbld06'
found build user 'nixbld07'
found build user 'nixbld08'
found build user 'nixbld09'
found build user 'nixbld10'
trying user 'nixbld01'
killing all processes running under uid '989'
setting up chroot environment in '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot'
executing builder '/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash'
bind mounting '/tmp/nix-build-guix-test.drv-0' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/build'
bind mounting '/dev/full' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/full'
bind mounting '/dev/null' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/null'
bind mounting '/dev/random' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/random'
bind mounting '/dev/tty' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/tty'
bind mounting '/dev/urandom' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/urandom'
bind mounting '/dev/zero' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/zero'
closing leaked FD 3
closing leaked FD 4
closing leaked FD 5
closing leaked FD 6
closing leaked FD 7
closing leaked FD 8
closing leaked FD 9
closing leaked FD 10
closing leaked FD 11
closing leaked FD 12
closing leaked FD 13
building '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv'...
while setting up the build environment: executing '/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash': No such file or directory
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': got EOF
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': woken up
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': build done
killing process 190
builder process for '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv' finished
killing all processes running under uid '989'
builder for '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv' failed with exit code 1
lock released on '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test.lock'
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': done
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': goal destroyed
error: build of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv' failed
QEMU runs as PID 14
connected to QEMU's monitor
read QEMU monitor prompt
connected to guest REPL
%%%% Starting test nix (Writing full log to "nix.log")
marionette is ready
/gnu/store/xmnqlhxlbywkp688im5kpwr6q4mbil4g-nix-test-builder:1: FAIL Nix daemon running
# of expected passes 1
# of unexpected failures 1
note: keeping build directory `/tmp/guix-build-nix-test.drv-0'
builder for `/gnu/store/bl5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv' failed with exit code 1
build of /gnu/store/bl5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv failed
View build log at '/var/log/guix/drvs/bl/5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv.bz2'.
guix build: error: build of `/gnu/store/bl5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv' failed
make: *** [Makefile:6894: check-system] Error 1
--8<---------------cut here---------------end--------------->8---
It doesn't fail without the patch. Could I ask what issue
build-sandbox-paths introduces for you? Also, it would be helpful if you
provided the terminal output with the error you encountered.
Thanks,
Oleg.
Information forwarded to bug-guix <at> gnu.org: bug#46297; Package guix. (Thu, 22 Apr 2021 07:59:01 GMT)
Message #20 received at 46297 <at> debbugs.gnu.org:
Oleg Pykhalov <go.wigust <at> gmail.com> writes:
> It doesn't fail without the patch. Could I ask what issue
> build-sandbox-paths introduces for you? Also, it would be helpful if you
> provided the terminal output with the error you encountered.
Ah, sorry, I didn't see that there were system tests.
This is how I ran into the issue (nixpkgs/ folder is a checkout of
the nixpkgs repo).
```
$ nix-build nixpkgs/ -A ocaml-ng.ocamlPackages_4_11.ocaml
building '/nix/store/075nqnnbsgz2frmg5fzhj3ql8lajvgq3-ocaml-4.11.2.tar.xz.drv'...
trying http://caml.inria.fr/pub/distrib/ocaml-4.11/ocaml-4.11.2.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3418k  100 3418k    0     0  2553k      0  0:00:01  0:00:01 --:--:-- 2555k
building '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv'...
unpacking sources
unpacking source archive /nix/store/9harmbwn44004ylalfnvlic4qp5ppvi4-ocaml-4.11.2.tar.xz
source root is ocaml-4.11.2
setting SOURCE_DATE_EPOCH to timestamp 1614163229 of file ocaml-4.11.2/yacc/wstr.c
patching sources
configuring
fixing libtool script ./build-aux/ltmain.sh
configure flags: --disable-static -prefix /nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
/nix/store/bmnhfb10m2s3whl6478dmqhcrkjwk77y-stdenv-linux/setup: ./configure: /bin/sh: bad interpreter: No such file or directory
builder for '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv' failed with exit code 126
error: build of '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv' failed
```
The build succeeds if I do following:
```
$ sudo nix-build nixpkgs/ -A ocaml-ng.ocamlPackages_4_11.ocaml --option build-sandbox-paths "/bin/sh=//nix/store/0xrjvxvh3wvdbf8pc2850jry1fcx292g-busybox-1.32.1/bin/busybox"
these derivations will be built:
  /nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv
building '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv'...
unpacking sources
unpacking source archive /nix/store/9harmbwn44004ylalfnvlic4qp5ppvi4-ocaml-4.11.2.tar.xz
source root is ocaml-4.11.2
setting SOURCE_DATE_EPOCH to timestamp 1614163229 of file ocaml-4.11.2/yacc/wstr.c
patching sources
configuring
fixing libtool script ./build-aux/ltmain.sh
configure flags: --disable-static -prefix /nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
configure: Configuring OCaml version 4.11.2
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for gcc... gcc
checking whether the C compiler works... yes
...
/nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
```
Note that I need to use sudo as otherwise Nix would simply ignore
my request to override system configurations. And I had to run
`nix-build -A busybox` to make sure busybox was in the /nix/store.
The build-sandbox-paths I manually supplied seem to be the
defaults (as stated in documentation linked in John Soo's mail),
so I assumed that just removing the build-sandbox-path setting
from the nix.conf would solve the issue. I was a bit sloppy with
testing it completely...
This might be an upstream issue with how OCaml is built in Nix. I
think Nix builders should use ${stdenv.shell} instead of /bin/sh
(https://github.com/NixOS/nixpkgs/issues/183). But maybe good if
we can fix it in the Guix nix-service as well.
-pukkamustard
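A pre-flight check for the situation described in the first message and in the build transcripts above, written as an added example for this page (it is not code from the bug thread, from Guix or from Nix): it reads the `build-sandbox-paths` (or newer `sandbox-paths`) line out of a nix.conf and reports any mapping whose source path is missing on the host, which is the condition behind the `/bin/sh: bad interpreter: No such file or directory` failure, as well as a configuration that maps no `/bin/sh` at all. The three sample configurations are constructed here; the store path in `bad.conf` is the upstream default quoted in John Soo's report and is not expected to exist on the machine running the check. Key names and the `TARGET=SOURCE` entry syntax are Nix's; everything else is the example's own.

```sh
#!/bin/sh
# Added example, not code from the bug thread or from the Guix/Nix projects:
# a pre-flight check for the sandbox path mappings in a nix.conf.  Nix
# accepts the legacy key `build-sandbox-paths` and the newer `sandbox-paths`;
# each entry is either PATH (bind-mounted from the same path on the host) or
# TARGET=SOURCE.  A SOURCE that does not exist on the host is what shows up
# inside the build as "/bin/sh: bad interpreter: No such file or directory".

# Print the entries of the sandbox-paths key, one per line (nothing if absent).
sandbox_entries() {
    awk '
        /^[ \t]*(build-)?sandbox-paths[ \t]*=/ {
            sub(/^[ \t]*(build-)?sandbox-paths[ \t]*=[ \t]*/, "")
            n = split($0, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }' "$1"
}

# Exit status 0 when the configuration is usable: either the key is absent
# (Nix then falls back to its compiled-in default, which maps /bin/sh to a
# busybox in its own store) or every SOURCE exists and /bin/sh is mapped.
check_sandbox_paths() {
    conf=$1
    if ! grep -Eq '^[[:space:]]*(build-)?sandbox-paths[[:space:]]*=' "$conf"; then
        echo "$conf: no sandbox-paths key, Nix will use its built-in default"
        return 0
    fi
    status=0
    have_sh=0
    for entry in $(sandbox_entries "$conf"); do
        case $entry in
            *=*) target=${entry%%=*}; src=${entry#*=} ;;
            *)   target=$entry;       src=$entry ;;
        esac
        if [ ! -e "$src" ]; then
            echo "$conf: missing source for $target: $src" >&2
            status=1
        fi
        if [ "$target" = /bin/sh ]; then
            have_sh=1
        fi
    done
    if [ "$have_sh" -eq 0 ]; then
        echo "$conf: no /bin/sh mapping, #!/bin/sh scripts will fail in the sandbox" >&2
        status=1
    fi
    return "$status"
}

# Constructed sample configurations, written into the directory given as $1.
# bad.conf reuses the upstream default quoted in the report; that busybox
# lives in /nix/store and is absent on a machine that never built it.
write_sample_confs() {
    dir=$1
    host_sh=$(command -v sh)
    upstream_default=/nix/store/zi90rxslsm4mlr46l2xws1rm94g7pk8p-busybox-1.31.1-x86_64-unknown-linux-musl/bin/busybox
    missing=/nix/store/00000000000000000000000000000000-missing
    printf 'sandbox = true\nbuild-sandbox-paths = /bin/sh=%s /dev/null\n' "$host_sh" > "$dir/good.conf"
    printf 'sandbox = true\nbuild-sandbox-paths = /bin/sh=%s %s\n' "$upstream_default" "$missing" > "$dir/bad.conf"
    printf 'sandbox = true\nbuild-users-group = nixbld\n' > "$dir/absent.conf"
}

# Usage: run the check over the three samples.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in good bad absent; do
    if check_sandbox_paths "$demo_dir/$f.conf"; then
        echo "$f.conf: ok"
    else
        echo "$f.conf: sandbox would be broken"
    fi
done
```

The check deliberately treats an absent key as fine, because that is the case pukkamustard's first patch relied on: Nix substitutes its own default. What it cannot tell you is whether that default's busybox is present in /nix/store on your machine, which is why `bad.conf` (the default spelled out explicitly) fails while `absent.conf` passes; run `nix-build -A busybox` or inspect the store before trusting the implicit default.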
Information forwarded to bug-guix <at> gnu.org: bug#46297; Package guix. (Thu, 22 Apr 2021 16:51:02 GMT)
Message #23 received at 46297 <at> debbugs.gnu.org:
pukkamustard <pukkamustard <at> posteo.net> writes:
[…]
> The build succeeds if I do following:
>
> ```
> $ sudo nix-build nixpkgs/ -A ocaml-ng.ocamlPackages_4_11.ocaml --option build-sandbox-paths "/bin/sh=//nix/store/0xrjvxvh3wvdbf8pc2850jry1fcx292g-busybox-1.32.1/bin/busybox"
Could you apply the following patch on
13c4a377f5a2e1240790679f3d5643385b6d7635 and run the command again,
please?
[0001-services-nix-Add-bin-sh-to-build-sandbox-paths.patch (text/x-patch, inline)]
From 1aa675482fa1aaba02ac1d8599198ec0aa8c2201 Mon Sep 17 00:00:00 2001
From: Oleg Pykhalov <go.wigust <at> gmail.com>
Date: Thu, 22 Apr 2021 19:46:23 +0300
Subject: [PATCH] services: nix: Add /bin/sh to build-sandbox-paths.
* gnu/services/nix.scm (nix-service-etc): Add /bin/sh to build-sandbox-paths.
---
gnu/services/nix.scm | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 1aef47db0a..619e3cae54 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019, 2020 Oleg Pykhalov <go.wigust <at> gmail.com>
+;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust <at> gmail.com>
;;; Copyright © 2020 Peng Mei Yu <i <at> pengmeiyu.com>
;;;
;;; This file is part of GNU Guix.
@@ -19,6 +19,7 @@
(define-module (gnu services nix)
#:use-module (gnu packages admin)
+ #:use-module (gnu packages bash)
#:use-module (gnu packages package-management)
#:use-module (gnu services base)
#:use-module (gnu services configuration)
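Review bot: this import exists only so the next hunk can reference `#$bash-minimal`, which pins Guix's bash as the sandbox `/bin/sh` for every system using the service, whereas the upstream Nix default for that slot is a static busybox (the `Default:` line quoted in the first message). A `nix-configuration` field naming the package to mount at `/bin/sh`, defaulting to `bash-minimal`, would let an operator keep the busybox behaviour or choose another shell without patching gnu/services/nix.scm.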
@@ -121,7 +122,8 @@ GID."
(format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
;; config.nix captures store file names.
(format #t "build-sandbox-paths = ~{~a ~}~%"
- (append internal-sandbox-paths
+ (append (list (string-append "/bin/sh=" #$bash-minimal "/bin/sh"))
+ internal-sandbox-paths
'#$build-sandbox-items))
(for-each (cut display <>) '#$extra-config)))))))))))
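Review bot: the `/bin/sh=` entry is prepended unconditionally, so a system that already maps `/bin/sh` through `build-sandbox-items` ends up with two mappings for the same target and nothing here says which one Nix honours; either skip the default when `build-sandbox-items` already carries a `/bin/sh=` entry, or document the precedence in the field's docstring. Two things to confirm before pushing: that `(string-append "/bin/sh=" #$bash-minimal "/bin/sh")` names a file that really exists in that output, and that the libraries bash-minimal is linked against are visible inside the sandbox, because the test log earlier in this thread shows a path under /gnu/store that is not bind-mounted failing with exactly `executing '/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash': No such file or directory`, and a dynamically linked shell whose loader is missing reports the same error.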
--
2.31.1
Information forwarded to bug-guix <at> gnu.org: bug#46297; Package guix. (Mon, 26 Apr 2021 07:37:02 GMT)
Message #26 received at 46297 <at> debbugs.gnu.org:
Oleg Pykhalov <go.wigust <at> gmail.com> writes:
[…]
> Could you apply the following patch on
> 13c4a377f5a2e1240790679f3d5643385b6d7635 and run the command again,
> please?
Applied and tested in a virtual machine. Your patch seems to fix
the issue I was having. Thank you!
Also tested again in a VM without your patches and was able to
reproduce the error as reported.
For completeness the commands I ran in the VM:
```
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs
$ nix-channel --update
$ nix-build '<nixpkgs>' -I .nix-defexpr/channels -A ocaml-ng.ocamlPackages_4_11.ocaml
/nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
```
-pukkamustard
Reply sent to Oleg Pykhalov <go.wigust <at> gmail.com>: You have taken responsibility. (Mon, 26 Apr 2021 17:07:01 GMT)
Notification sent to John Soo <jsoo1 <at> asu.edu>: bug acknowledged by developer. (Mon, 26 Apr 2021 17:07:01 GMT)
Message #31 received at 46297-done <at> debbugs.gnu.org:
pukkamustard <pukkamustard <at> posteo.net> writes:
[…]
>> Could you apply the following patch on
>> 13c4a377f5a2e1240790679f3d5643385b6d7635 and run the command again,
>> please?
>
> Applied and tested in a virtual machine. Your patch seems to fix the issue I
> was having. Thank you!
>
> Also tested again in a VM without your patches and was able to reproduce the
> error as reported.
>
> For completeness the commands I ran in the VM:
>
> ```
> $ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs
> $ nix-channel --update
> $ nix-build '<nixpkgs>' -I .nix-defexpr/channels -A ocaml-ng.ocamlPackages_4_11.ocaml
> /nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
> ```
Thank you for the test.
Pushed to master as 43a7724040560d35e9e3a19bd1cfdb7e5c4c4711
Oleg.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 25 May 2021 11:24:08 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.