Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nixops deploy/Sudo failing to build due to NSS #894

Closed
berdario opened this issue Mar 4, 2018 · 1 comment
Closed

Nixops deploy/Sudo failing to build due to NSS #894

berdario opened this issue Mar 4, 2018 · 1 comment

Comments

@berdario
Copy link

berdario commented Mar 4, 2018
edited
Loading

Issue description

I suspect this is related to NixOS/nixpkgs#36297 but the LD_PRELOAD workaround doesn't work

I think that when building the configuration for the machine, visudo is being used, but nixops is not propagating environment variables (which is usually something that we want to have hermetic builds), which means that it fails to retrieve the user and thus to build.

The error can also be reproduced more simply with

> nix run nixpkgs.sudo -c visudo
visudo: you do not exist in the passwd database

But in this case, setting LD_PRELOAD is enough to avoid the issue

I'm not sure if nixops could/should make an exception for the sudoers file, or if I should create an overlay with a patched sudo (hoping that nixops would pick that up). What do you think it's the best approach to overcome this issue?

Steps to reproduce

> env LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libnss_cache.so.2 nixops deploy -d test-berdario
[...]
building '/nix/store/9d0k44h5m2sz3fz3293wpqwhxya96skc-initrd.drv'...
42038 blocks
building '/nix/store/m7wrag29ms4i3vddr9qvcf8zmhycjcvr-sudo.pam.drv'...
building '/nix/store/fx5hrijbjf3315jc79dqdlkds4g4yg85-sudoers-in.drv'...
building '/nix/store/i4h34rma3xqr06km3xcmwlwms98rna2m-system-path.drv'...
created 4582 symlinks in user environment
install-info: warning: no info dir entry in `/nix/store/k5hv9rv1nkvfzhhilpkrqinwqz1ayiby-system-path/share/info/time.info'
building '/nix/store/xw26hnz59a4samhls7pgqra4q5pw74lh-sudoers.drv'...
visudo: you do not exist in the passwd database
builder for '/nix/store/xw26hnz59a4samhls7pgqra4q5pw74lh-sudoers.drv' failed with exit code 1
cannot build derivation '/nix/store/mqiq23k84qfah396lrds6ficwh1dyn7x-etc.drv': 1 dependencies couldn't be built
building '/nix/store/ms2849rz45yiphmxw9ld0qhwmiq5ln1n-users-groups.json.drv'...
cannot build derivation '/nix/store/ph3sw8d28vdm0rbdssrzpgggwkp7swrc-nixos-system-testserver-17.09pre-git.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/gycbxwmlcn47b1ll69j65rd6jhy2fia4-nixops-machines.drv': 1 dependencies couldn't be built
error: build of '/nix/store/gycbxwmlcn47b1ll69j65rd6jhy2fia4-nixops-machines.drv' failed
error: unable to build all machine configurations

Technical details

  • system: "x86_64-linux"
  • host os: Linux 4.9.0-5-amd64, Debian GNU/Linux, noversion
  • multi-user?: no
  • sandbox: no
  • version: nix-env (Nix) 2.0
  • channels(berdario): "nixpkgs-18.03pre129212.098c7f3d945"
  • nixpkgs: /nix/store/lmg9r94g2dq9prd87n8jzcdga6nglmk7-cfc4fcf05293f15d02a1f6358e24ec389d7f9b30.tar.gz
@rbvermaa
Copy link
Member

rbvermaa commented Mar 7, 2018

I do not think this is a nixops issue, but rather an issue with nixpkgs. In your example, setting LD_PRELOAD might work, because nix run will take over the environment, however, in the build of the nixos closure, such environment variable will not show up, as the builds are properly contained. You can verify this, when trying to build the derivation that fails in this example (/nix/store/xw26hnz59a4samhls7pgqra4q5pw74lh-sudoers.drv), it will likely fail regardless of whether you set the nv variable or not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rbvermaa @berdario