Build failure: nixosTests.cryptpad #370717
Comments
So... working in https://hydra.nixos.org/build/282397430#tabs-buildinputs d70bd19 And there doesn't seem to be anything changed there:
I wanted to compare other inputs, but the build inputs tab fails in error 500... I guess a nodejs update happened or something? (hydra is pretty bad with this, considering the first cancelled build as failed... and then showing up changes between the last cancelled build and the first failure if you look at the failure...)
Indeed, nodejs 20.x -> 22.x broke the seccomp filters of the service.
nixosTests.cryptpad started failing recently.

Investigating the issue shows that seccomp has become problematic during the init phase, (e.g. this can be reproduced by removing the customize directory in /var/lib/cryptpad):

```
machine # [ 10.774365] systemd-coredump[864]: Process 756 (node) of user 65513 dumped core.
machine #
machine # Module libgcc_s.so.1 without build-id.
machine # Module libstdc++.so.6 without build-id.
machine # Module libicudata.so.74 without build-id.
machine # Module libicuuc.so.74 without build-id.
machine # Module libicui18n.so.74 without build-id.
machine # Module libz.so.1 without build-id.
machine # Module node without build-id.
machine # Stack trace of thread 756:
machine # #0 0x00007ff951974dcb fchown (libc.so.6 + 0x107dcb)
machine # #1 0x00007ff95490d0c0 uv__fs_copyfile (libuv.so.1 + 0x150c0)
machine # #2 0x00007ff95490d89a uv__fs_work (libuv.so.1 + 0x1589a)
machine # #3 0x00007ff954910c76 uv_fs_copyfile (libuv.so.1 + 0x18c76)
machine # #4 0x0000000000eb8a39 _ZN4node2fsL8CopyFileERKN2v820FunctionCallbackInfoINS1_5ValueEEE (node + 0xab8a39)
machine # #5 0x0000000001cda5e2 Builtins_CallApiCallbackGeneric (node + 0x18da5e2)
[...]
machine # [ 10.877468] cryptpad[685]: /nix/store/h4yhhxpfm03c5rgz91q7jrvknh596ly2-cryptpad-2024.12.0/bin/cryptpad: line 3: 756 Bad system call (core dumped) "/nix/store/fkyp1bm5gll9adnfcj92snyym524mdrj-nodejs-22.11.0/bin/node" "/nix/store/h4yhhxpfm03c5rgz91q7jrvknh596ly2-cryptpad-2024.12.0/lib/node_modules/cryptpad/scripts/build.js"
```

nodejs 20.18 rightly did not require chown when the source and destination are the same owner (heck, the script does not run as root so even if it is not blocked there is no way it'd work with a different owner...)

For now just allow chown calls again, this is not worth wasting more time.

Fixes NixOS#370717
The previous fix had only been tested locally through a runtime edit of the service, and the order in which @chown had been re-added was different so commit cf498c1 ("nixos/cryptpad: fix service with nodejs 22.11") did not actually fix the issue.

This properly orders @chown after @PRIVILEGED so the rule is respected, and also properly denies with EPERM instead of allowing the chown family of syscalls: this will properly prevent seccomp from killing nodejs while still disallowing fchown()

Fixes NixOS#370717
I double-checked hydra earlier and I hadn't actually fixed the test, which still fails in the same place. #372342 should do it this time..
Steps To Reproduce
Steps to reproduce the behavior:
Build log
https://hydra.nixos.org/job/nixos/trunk-combined/nixos.tests.cryptpad.x86_64-linux
Additional context
Discovered in ngi-nix/ngipkgs#473.
Metadata
"x86_64-linux"
Linux 6.12.7, NixOS, 25.05 (Warbler), 25.05.20241231.6bb37ce
yes
yes
nix-env (Nix) 2.24.11
"nixos"
/nix/store/vwnibw3pwb0yv7vzjqmfah65ig3vhczz-source
Notify maintainers
@martinetd