GNU bug report logs - #46297
nix-service-configuration is missing the default /bin/sh


Package: guix;

Reported by: John Soo <jsoo1 <at> asu.edu>

Date: Thu, 4 Feb 2021 16:02:01 UTC

Severity: normal

Done: Oleg Pykhalov <go.wigust <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#46297; Package guix. (Thu, 04 Feb 2021 16:02:01 GMT)

Acknowledgement sent to John Soo <jsoo1 <at> asu.edu>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 04 Feb 2021 16:02:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: John Soo <jsoo1 <at> asu.edu>
To: Bug Guix <bug-guix <at> gnu.org>
Subject: nix-service-configuration is missing the default /bin/sh
Date: Thu, 4 Feb 2021 08:00:34 -0800
Hi guix,

I am working with nix at work and I found some issues with the sandbox configuration for nix. The docs say that the default sandbox-paths should have a default mount for /bin/sh:

  https://nixos.org/manual/nix/unstable/command-ref/conf-file.html?highlight=Sandbox-paths#description

  Default: /bin/sh=/nix/store/zi90rxslsm4mlr46l2xws1rm94g7pk8p-busybox-1.31.1-x86_64-unknown-linux-musl/bin/busybox

I think that means we should add that option to the configuration file.

Thanks!

John

Information forwarded to bug-guix <at> gnu.org:
bug#46297; Package guix. (Thu, 04 Feb 2021 18:56:01 GMT)

Message #8 received at 46297 <at> debbugs.gnu.org:

From: John Soo <jsoo1 <at> asu.edu>
To: 46297 <at> debbugs.gnu.org
Subject: Re: bug#46297: nix-service-configuration is missing the default
 /bin/sh
Date: Thu, 04 Feb 2021 10:54:58 -0800
After some review and testing, I am not sure we need build-sandbox-paths
either.




Information forwarded to bug-guix <at> gnu.org:
bug#46297; Package guix. (Wed, 21 Apr 2021 15:42:02 GMT)

Message #11 received at submit <at> debbugs.gnu.org:

From: pukkamustard <pukkamustard <at> posteo.net>
To: John Soo <jsoo1 <at> asu.edu>
Cc: go.wigust <at> gmail.com, bug-guix <at> gnu.org, 46297 <at> debbugs.gnu.org
Subject: Re: bug#46297: nix-service-configuration is missing the default
 /bin/sh
Date: Wed, 21 Apr 2021 15:00:09 +0000
I ran into the same issue and agree with your conclusion that we 
may not need build-sandbox-paths.

Attached a patch that removes the `build-sandbox-paths` option. 
This causes nix to use the default value which seems to work fine.

[0001-services-nix-Remove-build-sandbox-items-configuratio.patch (text/x-patch, attachment)]
CC: Oleg Pykhalov who seems to have worked on this.

Thanks,
pukkamustard


Information forwarded to bug-guix <at> gnu.org:
bug#46297; Package guix. (Wed, 21 Apr 2021 15:42:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#46297; Package guix. (Thu, 22 Apr 2021 07:00:02 GMT)

Message #17 received at 46297 <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: pukkamustard <pukkamustard <at> posteo.net>
Cc: John Soo <jsoo1 <at> asu.edu>, 46297 <at> debbugs.gnu.org
Subject: Re: bug#46297: nix-service-configuration is missing the default
 /bin/sh
Date: Thu, 22 Apr 2021 09:59:12 +0300
Hi,

The ‘make check-system TESTS=nix’ doesn't succeed with the patch applied
on 13c4a377f5a2e1240790679f3d5643385b6d7635:
--8<---------------cut here---------------start------------->8---
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': woken up
substitution of '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test': goal destroyed
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': all outputs substituted (maybe)
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': all inputs realised
building path '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test'
added input paths 
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': woken up
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': trying to build
locking path '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test'
lock acquired on '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test.lock'
removing invalid path '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test'
starting build hook '/gnu/store/0xgj4bz1ac973pw9wr8rhg3z1qc0phf8-nix-2.3.10/libexec/nix/build-remote'
cannot find machines file '/etc/nix/machines'
got 0 remote builders
hook reply is 'decline-permanently'
killing process 186
found build user 'nixbld01'
found build user 'nixbld02'
found build user 'nixbld03'
found build user 'nixbld04'
found build user 'nixbld05'
found build user 'nixbld06'
found build user 'nixbld07'
found build user 'nixbld08'
found build user 'nixbld09'
found build user 'nixbld10'
trying user 'nixbld01'
killing all processes running under uid '989'
setting up chroot environment in '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot'
executing builder '/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash'
bind mounting '/tmp/nix-build-guix-test.drv-0' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/build'
bind mounting '/dev/full' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/full'
bind mounting '/dev/null' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/null'
bind mounting '/dev/random' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/random'
bind mounting '/dev/tty' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/tty'
bind mounting '/dev/urandom' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/urandom'
bind mounting '/dev/zero' to '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv.chroot/dev/zero'
closing leaked FD 3
closing leaked FD 4
closing leaked FD 5
closing leaked FD 6
closing leaked FD 7
closing leaked FD 8
closing leaked FD 9
closing leaked FD 10
closing leaked FD 11
closing leaked FD 12
closing leaked FD 13
building '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv'...
while setting up the build environment: executing '/gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/bash': No such file or directory
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': got EOF
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': woken up
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': build done
killing process 190
builder process for '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv' finished
killing all processes running under uid '989'
builder for '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv' failed with exit code 1
lock released on '/nix/store/30xf8m13vrk3n8hfi9q4mkjmxvhqi4g4-guix-test.lock'
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': done
building of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv': goal destroyed
error: build of '/nix/store/nvx13nribwnd47hs6frbq61vlq2n3nzh-guix-test.drv' failed
QEMU runs as PID 14
connected to QEMU's monitor
read QEMU monitor prompt
connected to guest REPL
%%%% Starting test nix  (Writing full log to "nix.log")
marionette is ready
/gnu/store/xmnqlhxlbywkp688im5kpwr6q4mbil4g-nix-test-builder:1: FAIL Nix daemon running
# of expected passes      1
# of unexpected failures  1
note: keeping build directory `/tmp/guix-build-nix-test.drv-0'
builder for `/gnu/store/bl5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv' failed with exit code 1
build of /gnu/store/bl5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv failed
View build log at '/var/log/guix/drvs/bl/5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv.bz2'.
guix build: error: build of `/gnu/store/bl5gryai81zxmdhs6zzkb17nbpypyhsw-nix-test.drv' failed
make: *** [Makefile:6894: check-system] Error 1
--8<---------------cut here---------------end--------------->8---

It doesn't fail without the patch.  Could I ask what issue the
build-sandbox-paths introduce for you?  Also it would be helpful if you
provide terminal output with the error you encountered.

Thanks,
Oleg.

Information forwarded to bug-guix <at> gnu.org:
bug#46297; Package guix. (Thu, 22 Apr 2021 07:59:01 GMT)

Message #20 received at 46297 <at> debbugs.gnu.org:

From: pukkamustard <pukkamustard <at> posteo.net>
To: Oleg Pykhalov <go.wigust <at> gmail.com>
Cc: John Soo <jsoo1 <at> asu.edu>, 46297 <at> debbugs.gnu.org
Subject: Re: bug#46297: nix-service-configuration is missing the default
 /bin/sh
Date: Thu, 22 Apr 2021 07:30:58 +0000
Oleg Pykhalov <go.wigust <at> gmail.com> writes:

> It doesn't fail without the patch.  Could I ask what issue the
> build-sandbox-paths introduce for you?  Also it would be helpful if you
> provide terminal output with the error you encountered.

Ah, sorry, I didn't see that there were system tests.

This is how I ran into the issue (nixpkgs/ folder is a checkout of 
the nixpkgs repo).

```
$ nix-build nixpkgs/ -A ocaml-ng.ocamlPackages_4_11.ocaml

building '/nix/store/075nqnnbsgz2frmg5fzhj3ql8lajvgq3-ocaml-4.11.2.tar.xz.drv'...

trying http://caml.inria.fr/pub/distrib/ocaml-4.11/ocaml-4.11.2.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3418k  100 3418k    0     0  2553k      0  0:00:01  0:00:01 --:--:-- 2555k
building '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv'...
unpacking sources
unpacking source archive /nix/store/9harmbwn44004ylalfnvlic4qp5ppvi4-ocaml-4.11.2.tar.xz
source root is ocaml-4.11.2
setting SOURCE_DATE_EPOCH to timestamp 1614163229 of file ocaml-4.11.2/yacc/wstr.c
patching sources
configuring
fixing libtool script ./build-aux/ltmain.sh
configure flags: --disable-static -prefix /nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
/nix/store/bmnhfb10m2s3whl6478dmqhcrkjwk77y-stdenv-linux/setup: ./configure: /bin/sh: bad interpreter: No such file or directory
builder for '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv' failed with exit code 126
error: build of '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv' failed
```

The build succeeds if I do following:

```
$ sudo nix-build nixpkgs/ -A ocaml-ng.ocamlPackages_4_11.ocaml --option build-sandbox-paths "/bin/sh=//nix/store/0xrjvxvh3wvdbf8pc2850jry1fcx292g-busybox-1.32.1/bin/busybox"
these derivations will be built:
  /nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv
building '/nix/store/p4b4shz2alnb2zpiyx44rf7yn5k30m32-ocaml-4.11.2.drv'...
unpacking sources
unpacking source archive /nix/store/9harmbwn44004ylalfnvlic4qp5ppvi4-ocaml-4.11.2.tar.xz
source root is ocaml-4.11.2
setting SOURCE_DATE_EPOCH to timestamp 1614163229 of file ocaml-4.11.2/yacc/wstr.c
patching sources
configuring
fixing libtool script ./build-aux/ltmain.sh
configure flags: --disable-static -prefix /nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
configure: Configuring OCaml version 4.11.2
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for gcc... gcc
checking whether the C compiler works... yes
.
.
.
/nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
```

Note that I need to use sudo as otherwise Nix would simply ignore 
my request to override system configurations. And I had to run 
`nix-build -A busybox` to make sure busybox was in the /nix/store.

The build-sandbox-paths I manually supplied seem to be the 
defaults (as stated in documentation linked in John Soo's mail), 
so I assumed that just removing the build-sandbox-path setting 
from the nix.conf would solve the issue. I was a bit sloppy with 
testing it completely...

This might be an upstream issue with how OCaml is built in Nix. I 
think Nix builders should use ${stdenv.shell} instead of /bin/sh 
(https://github.com/NixOS/nixpkgs/issues/183). But maybe good if 
we can fix it in the Guix nix-service as well.

-pukkamustard
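
The two checks this thread turns on, whether /bin/sh is mapped into the Nix build sandbox at all and whether each build-sandbox-paths target actually exists on the host, as an added POSIX shell example. It is not code from the thread or from Guix; the sample nix.conf files it writes, including the placeholder store path, are constructed here, and it accepts the older `build-sandbox-paths` key as well as the current `sandbox-paths` spelling.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of Guix: a small check for the
# build-sandbox-paths line of a generated nix.conf. It answers two questions:
# is /bin/sh mapped into the sandbox at all, and does every mapping point at a
# path that exists on the host? The sample configs are constructed below; the
# /gnu/store path in them is a placeholder.

# Print the entries of the (build-)sandbox-paths setting, one per line.
sandbox_paths() {
    sed -n 's/^[[:space:]]*\(build-\)\{0,1\}sandbox-paths[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ' ' '\n' | sed '/^$/d'
}

# Succeed when some entry maps /bin/sh. Entries look like "inner=outer", or
# just "path" when the sandbox path and the host path are the same.
has_bin_sh() {
    sandbox_paths "$1" | grep -q '^/bin/sh='
}

# Print every entry whose host-side ("outer") path does not exist.
# Returns 1 if any target is missing, 0 otherwise.
check_targets() {
    missing=0
    for entry in $(sandbox_paths "$1"); do
        outer=${entry#*=}   # drop "inner="; the whole entry remains if no "="
        if [ ! -e "$outer" ]; then
            echo "missing target: $entry"
            missing=1
        fi
    done
    return "$missing"
}

# Write two constructed configs into a temporary directory and print its name.
# before.conf is the situation the thread describes: store paths only, no
# /bin/sh.  after.conf additionally maps /bin/sh to a shell that exists on
# this host (the fix in the thread maps it to bash-minimal's /bin/sh).
make_samples() {
    dir=$(mktemp -d)
    printf 'sandbox = true\nbuild-sandbox-paths = /dev/null /gnu/store/PLACEHOLDER-nix\n' \
        > "$dir/before.conf"
    printf 'sandbox = true\nbuild-sandbox-paths = /bin/sh=/bin/sh /dev/null\n' \
        > "$dir/after.conf"
    echo "$dir"
}

# Stand-alone run: report on both sample configs.
samples=$(make_samples)
for name in before after; do
    conf="$samples/$name.conf"
    if has_bin_sh "$conf"; then
        echo "$name.conf: /bin/sh is mapped into the sandbox"
    else
        echo "$name.conf: /bin/sh is NOT mapped; builders that hard-code /bin/sh will fail"
    fi
    check_targets "$conf" || echo "$name.conf: some sandbox targets do not exist on this host"
done
rm -rf "$samples"
```

Run against a real /etc/nix/nix.conf, `check_targets` is the more useful of the two: a mapping whose host path has been garbage-collected or renamed fails the same way as a missing mapping, with a "bad interpreter" or "No such file or directory" inside the sandbox, and this check catches it before a build does.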




Information forwarded to bug-guix <at> gnu.org:
bug#46297; Package guix. (Thu, 22 Apr 2021 16:51:02 GMT)

Message #23 received at 46297 <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: pukkamustard <pukkamustard <at> posteo.net>
Cc: John Soo <jsoo1 <at> asu.edu>, 46297 <at> debbugs.gnu.org
Subject: Re: bug#46297: nix-service-configuration is missing the default
 /bin/sh
Date: Thu, 22 Apr 2021 19:50:25 +0300
pukkamustard <pukkamustard <at> posteo.net> writes:

[…]

> The build succeeds if I do following:
>
> ```
> $ sudo nix-build nixpkgs/ -A ocaml-ng.ocamlPackages_4_11.ocaml --option
> build-sandbox-paths
> "/bin/sh=//nix/store/0xrjvxvh3wvdbf8pc2850jry1fcx292g-busybox-1.32.1/bin/busybox"

Could you apply the following patch on
13c4a377f5a2e1240790679f3d5643385b6d7635 and run the command again,
please?

[0001-services-nix-Add-bin-sh-to-build-sandbox-paths.patch (text/x-patch, inline)]
From 1aa675482fa1aaba02ac1d8599198ec0aa8c2201 Mon Sep 17 00:00:00 2001
From: Oleg Pykhalov <go.wigust <at> gmail.com>
Date: Thu, 22 Apr 2021 19:46:23 +0300
Subject: [PATCH] services: nix: Add /bin/sh to build-sandbox-paths.

* gnu/services/nix.scm (nix-service-etc): Add /bin/sh to build-sandbox-paths.
---
 gnu/services/nix.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 1aef47db0a..619e3cae54 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019, 2020 Oleg Pykhalov <go.wigust <at> gmail.com>
+;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust <at> gmail.com>
 ;;; Copyright © 2020 Peng Mei Yu <i <at> pengmeiyu.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -19,6 +19,7 @@
 
 (define-module (gnu services nix)
   #:use-module (gnu packages admin)
+  #:use-module (gnu packages bash)
   #:use-module (gnu packages package-management)
   #:use-module (gnu services base)
   #:use-module (gnu services configuration)
@@ -121,7 +122,8 @@ GID."
                     (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
                     ;; config.nix captures store file names.
                     (format #t "build-sandbox-paths = ~{~a ~}~%"
-                            (append internal-sandbox-paths
+                            (append (list (string-append "/bin/sh=" #$bash-minimal "/bin/sh"))
+                                    internal-sandbox-paths
                                     '#$build-sandbox-items))
                     (for-each (cut display <>) '#$extra-config)))))))))))
 
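Review bot: the new `(string-append "/bin/sh=" #$bash-minimal "/bin/sh")` maps /bin/sh to a Guix bash, which like every Guix package depends on other /gnu/store paths at run time, so this hunk only works while `internal-sandbox-paths` keeps exposing that closure inside the chroot; the test log earlier in this thread shows the failure mode when the store is not bind-mounted ("executing '.../bash-minimal-5.0.16/bin/bash': No such file or directory"). The Nix default quoted in the opening report, and the override pukkamustard tested, use a busybox binary instead. A short comment above the `string-append` stating why bash-minimal is used here and what it relies on, plus wrapping that line, which runs well past the 80 columns the rest of the file keeps, would make the next reader's job easier.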
-- 
2.31.1


Information forwarded to bug-guix <at> gnu.org:
bug#46297; Package guix. (Mon, 26 Apr 2021 07:37:02 GMT)

Message #26 received at 46297 <at> debbugs.gnu.org:

From: pukkamustard <pukkamustard <at> posteo.net>
To: Oleg Pykhalov <go.wigust <at> gmail.com>
Cc: John Soo <jsoo1 <at> asu.edu>, 46297 <at> debbugs.gnu.org
Subject: Re: bug#46297: nix-service-configuration is missing the default
 /bin/sh
Date: Mon, 26 Apr 2021 07:21:40 +0000
Oleg Pykhalov <go.wigust <at> gmail.com> writes:

[…]

> Could you apply the following patch on
> 13c4a377f5a2e1240790679f3d5643385b6d7635 and run the command 
> again,
> please?

Applied and tested in a virtual machine. Your patch seems to fix 
the issue I was having. Thank you!

Also tested again in a VM without your patches and was able to 
reproduce the error as reported.

For completeness the commands I ran in the VM:

```
$ nix-channel add https://nixos.org/channels/nixpkgs-unstable nixpkgs
$ nix-channel --update
$ nix-build '<nixpkgs>' -I .nix-defexpr/channels -A ocaml-ng.ocamlPackages_4_11.ocaml
/nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
```

-pukkamustard




Reply sent to Oleg Pykhalov <go.wigust <at> gmail.com>:
You have taken responsibility. (Mon, 26 Apr 2021 17:07:01 GMT)

Notification sent to John Soo <jsoo1 <at> asu.edu>:
bug acknowledged by developer. (Mon, 26 Apr 2021 17:07:01 GMT)

Message #31 received at 46297-done <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: 46297-done <at> debbugs.gnu.org
Cc: pukkamustard <pukkamustard <at> posteo.net>, John Soo <jsoo1 <at> asu.edu>
Subject: Re: bug#46297: nix-service-configuration is missing the default
 /bin/sh
Date: Mon, 26 Apr 2021 20:06:16 +0300
pukkamustard <pukkamustard <at> posteo.net> writes:

[…]

>> Could you apply the following patch on
>> 13c4a377f5a2e1240790679f3d5643385b6d7635 and run the command again,
>> please?
>
> Applied and tested in a virtual machine. Your patch seems to fix the issue I
> was having. Thank you!
>
> Also tested again in a VM without your patches and was able to reproduce the
> error as reported.
>
> For completeness the commands I ran in the VM:
>
> ```
> $ nix-channel add https://nixos.org/channels/nixpkgs-unstable nixpkgs
> $ nix-channel --update
> $ nix-build '<nixpkgs>' -I .nix-defexpr/channels -A
> ocaml-ng.ocamlPackages_4_11.ocaml
> /nix/store/gvwnh8wn0ib40fd6k3wa4xf7ja1y17l9-ocaml-4.11.2
> ```

Thank you for the test.

Pushed to master as 43a7724040560d35e9e3a19bd1cfdb7e5c4c4711

Oleg.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 25 May 2021 11:24:08 GMT)
