Build failure: nixosTests.cryptpad #370717

Closed
wegank opened this issue Jan 3, 2025 · 3 comments · Fixed by #371085 · May be fixed by #372342
Labels
0.kind: build failure A package fails to build

wegank commented Jan 3, 2025

Steps To Reproduce

Steps to reproduce the behavior:

  1. build nixosTests.cryptpad

Build log

https://hydra.nixos.org/job/nixos/trunk-combined/nixos.tests.cryptpad.x86_64-linux

Additional context

Discovered in ngi-nix/ngipkgs#473.

Metadata

  • system: "x86_64-linux"
  • host os: Linux 6.12.7, NixOS, 25.05 (Warbler), 25.05.20241231.6bb37ce
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.24.11
  • channels(root): "nixos"
  • nixpkgs: /nix/store/vwnibw3pwb0yv7vzjqmfah65ig3vhczz-source

Notify maintainers

@martinetd



wegank added the "0.kind: build failure" (A package fails to build) label Jan 3, 2025

martinetd commented:

So...

working in https://hydra.nixos.org/build/282397430#tabs-buildinputs d70bd19
first broken [that wasn't just cancelled] in https://hydra.nixos.org/build/283182159#tabs-buildinputs bdfccb2

And there doesn't seem to be anything changed there:

$ git diff d70bd19e0a38ad4790d3913bf08fcbfc9eeca507 bdfccb2c88b683979b99eec8f91003a89aba7878 pkgs/by-name/cr/cryptpad/
<empty>

I wanted to compare other inputs, but the build inputs tab fails in error 500... I guess a nodejs update happened or something?
This is going to be fun... I'll try to look at some point.

(hydra is pretty bad with this, considering the first cancelled build as failed... and then showing up changes between the last cancelled build and the first failure if you look at the failure...)

martinetd commented:

Indeed, nodejs 20.x -> 22.x broke the seccomp filters of the service.
"fixed" in #371085; to wait for tests to run.

drupol closed this as completed in cf498c1 Jan 5, 2025

yechielw pushed a commit to yechielw/nixpkgs that referenced this issue Jan 6, 2025:

nixosTests.cryptpad started failing recently.

Investigating the issue shows that seccomp has become problematic during
the init phase, (e.g. this can be reproduced by removing the customize
directory in /var/lib/cryptpad):

machine # [   10.774365] systemd-coredump[864]: Process 756 (node) of user 65513 dumped core.
machine #
machine # Module libgcc_s.so.1 without build-id.
machine # Module libstdc++.so.6 without build-id.
machine # Module libicudata.so.74 without build-id.
machine # Module libicuuc.so.74 without build-id.
machine # Module libicui18n.so.74 without build-id.
machine # Module libz.so.1 without build-id.
machine # Module node without build-id.
machine # Stack trace of thread 756:
machine # #0  0x00007ff951974dcb fchown (libc.so.6 + 0x107dcb)
machine # #1  0x00007ff95490d0c0 uv__fs_copyfile (libuv.so.1 + 0x150c0)
machine # #2  0x00007ff95490d89a uv__fs_work (libuv.so.1 + 0x1589a)
machine # #3  0x00007ff954910c76 uv_fs_copyfile (libuv.so.1 + 0x18c76)
machine # #4  0x0000000000eb8a39 _ZN4node2fsL8CopyFileERKN2v820FunctionCallbackInfoINS1_5ValueEEE (node + 0xab8a39)
machine # #5  0x0000000001cda5e2 Builtins_CallApiCallbackGeneric (node + 0x18da5e2)
[...]
machine # [   10.877468] cryptpad[685]: /nix/store/h4yhhxpfm03c5rgz91q7jrvknh596ly2-cryptpad-2024.12.0/bin/cryptpad: line 3:   756 Bad system call         (core dumped) "/nix/store/fkyp1bm5gll9adnfcj92snyym524mdrj-nodejs-22.11.0/bin/node" "/nix/store/h4yhhxpfm03c5rgz91q7jrvknh596ly2-cryptpad-2024.12.0/lib/node_modules/cryptpad/scripts/build.js"

nodejs 20.18 rightly did not require chown when the source and
destination are the same owner (heck, the script does not run as
root so even if it is not blocked there is no way it'd work with a
different owner...)

For now just allow chown calls again, this is not worth wasting more
time.

Fixes NixOS#370717

martinetd added a commit to martinetd/nixpkgs that referenced this issue Jan 9, 2025:

The previous fix had only been tested locally through a runtime edit of
the service, and the order in which @chown had been re-added was
different so commit cf498c1 ("nixos/cryptpad: fix service with
nodejs 22.11") did not actually fix the issue.

This properly orders @chown after @privileged so the rule is respected,
and also properly denies with EPERM instead of allowing the chown family
of syscalls: this will properly prevent seccomp from killing nodejs
while still disallowing fchown()

Fixes NixOS#370717

martinetd commented:

I double-checked hydra earlier and I hadn't actually fixed the test, which still fails on the same place.

#372342 should do it this time..
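
Added example, not part of the thread or of nixpkgs: a simplified Python model of the ordering rule the second commit message relies on, where entries of an allow-list systemd SystemCallFilter= are applied in sequence and a later group entry overrides an earlier one for the syscalls they share. The group tables and both filter lists are constructed for illustration (they are not the cryptpad module's actual list), and the function names are hypothetical.

```python
# Simplified model of systemd's allow-list SystemCallFilter= resolution.
# GROUPS is a small constructed subset of the real group tables.
GROUPS = {
    "@chown": {"chown", "fchown", "fchownat", "lchown"},
    "@reboot": {"reboot", "kexec_load"},
    "@privileged": {"@chown", "@reboot", "acct", "chroot"},
    "@system-service": {"@chown", "read", "write", "openat"},
}

def expand(name):
    """Flatten a group (or a single syscall name) into syscall names."""
    if not name.startswith("@"):
        return {name}
    return set().union(*(expand(member) for member in GROUPS[name]))

def resolve(entries):
    """Map syscall -> "allow" or an errno name; absent syscalls are killed.

    Entries apply in order, so for a syscall named by several entries
    the last one decides.
    """
    if entries[0].startswith("~"):
        raise ValueError("model covers allow-list mode only")
    table = {}
    for entry in entries:
        negated = entry.startswith("~")
        name, _, errno_name = entry.lstrip("~").partition(":")
        for syscall in expand(name):
            if not negated:
                table[syscall] = errno_name or "allow"
            elif errno_name:
                table[syscall] = errno_name   # denied, returns the errno
            else:
                table.pop(syscall, None)      # default action: kill (SIGSYS)
    return table

def action(entries, syscall):
    """Outcome for one syscall under the given filter list."""
    return resolve(entries).get(syscall, "kill")

# Constructed lists mirroring the two orderings described in the commits.
CHOWN_BEFORE = ["@system-service", "@chown", "~@privileged"]
CHOWN_AFTER = ["@system-service", "~@privileged", "~@chown:EPERM"]

if __name__ == "__main__":
    for label, entries in (("before", CHOWN_BEFORE), ("after", CHOWN_AFTER)):
        print(label, {s: action(entries, s) for s in ("fchown", "read", "reboot")})
```

With @chown listed before ~@privileged the chown family falls back to the default kill action, which matches the "Bad system call" core dump in the log; listed afterwards with :EPERM, fchown() fails with an error the caller can handle.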
