[Nix-dev] impureEnvVars, the second

Shea Levy shea at shealevy.com
Thu Apr 17 18:18:06 CEST 2014


On Thu, Apr 17, 2014 at 06:13:35PM +0200, Ben Franksen wrote:
> Eelco Dolstra wrote:
> > On 17/04/14 17:04, Ben Franksen wrote:
> > 
> >> sorry to bother you again regarding impureEnvVars. I still can't get my
> >> fetchdarcs over ssh to work, even though I am now using constant-output
> >> derivations and have
> >> 
> >>   impureEnvVars = [ "SSH_AGENT_PID" "SSH_AUTH_SOCK" ];
> >> 
> >> in my fetchdarcs/default.nix.
> >> 
> >> The environment variables are now defined in the builder. However, they
> >> are empty :(
> >> 
> >> Could this be because I am using the Nix multi-user setup where building
> >> is delegated to a number of nixbld users?
> > 
> > Right, environment variables from the client are not passed to the
> > builder. Even if they were, the builder probably would not have file
> > system access to the socket identified by $SSH_AUTH_SOCK.
> 
> The latter could, I guess, be worked-around (using build-chroot-dirs)

Actually, fixed-output derivations are done outside of the chroot, so
you just need to ensure the socket is accessible to the build users
group. In fact, *not* having it in the chroot is better so that
non-fixed-output builds don't have access.

> but 
> the former seems... hopeless :(
>

Why? Just start the daemon with the right environment settings.

> 
> I wonder what other options I have to achieve my goal. ATM I can see two:
> 
> (1) Make the repositories available via http. That means I'll have to 
> convince the sysadmin to set up a web server on the repo server and let it 
> offer the directory that contains our repos. Or I can set up the web server 
> on another machine that can NFS mount the repo directory; yes, that sounds 
> more practical ;-)
> 
> (2) Use my self-written nix-prefetch-darcs. That works because it does not 
> delegate the downloading to a nixbld user. The problem is that this breaks 
> automatic dependency resolution during nix-build, if the source derivation 
> is not yet in the Nix store. Developers will have to use nix-prefetch-darcs 
> at least once for every new dependency an application acquires. I could 
> modify the source derivations to display a message to users like
> 
>   Builder cannot proceed: please call
>     nix-prefetch-darcs <user>@<host>:<path> <tag>
>   from the command line and try again.
> 
> where the placeholders <user>, <host>, <path> and <tag> are automatically 
> filled in by the builder, so the user can cut and paste this line into their 
> shell.
> 
> The main question with regard to (2) is: how do I prevent the source 
> derivations from being garbage collected (for instance in case the final 
> build did not succeed and no result link gets created) so that users at 
> least have to do this only once for each dependency?
> 
> Cheers
> Ben
> -- 
> "Make it so they have to reboot after every typo." -- Scott Adams

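A check for the condition described in the reply above (the agent socket must be reachable by the build users group), added here as an example that is not code from the thread or from Nix. The function name `agent_socket_problems` is hypothetical, the group name `nixbld` is an assumption, and the build user is assumed to own none of the path components and to belong only to that group; the world-writable warning is an extra check not discussed in the thread.

```python
import os
import stat


def agent_socket_problems(sock_path, build_gid):
    """Return (path, reason) pairs that keep a build user from using sock_path.

    Assumption: the build user is never the owner, so the group bits apply
    when a component's gid is build_gid and the "other" bits apply otherwise.
    """
    problems = []
    sock_path = os.path.realpath(sock_path)

    def allowed(st, group_mask, other_mask):
        mask = group_mask if st.st_gid == build_gid else other_mask
        return st.st_mode & mask == mask

    # Collect every ancestor directory up to the filesystem root.
    ancestors, parent = [], os.path.dirname(sock_path)
    while True:
        ancestors.append(parent)
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)

    # Each ancestor needs search (x) permission for the build user.
    for d in reversed(ancestors):
        if not allowed(os.stat(d), stat.S_IXGRP, stat.S_IXOTH):
            problems.append((d, "directory not searchable by build group"))

    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        problems.append((sock_path, "not a socket"))
    # On Linux, connect() to a Unix socket needs write permission on it.
    elif not allowed(st, stat.S_IWGRP, stat.S_IWOTH):
        problems.append((sock_path, "socket not writable by build group"))
    # Wider than the build group: every local user could talk to the agent.
    if st.st_mode & stat.S_IWOTH:
        problems.append((sock_path, "socket writable by all users"))
    return problems


if __name__ == "__main__":
    import grp
    gid = grp.getgrnam("nixbld").gr_gid  # assumed build users group name
    for path, reason in agent_socket_problems(os.environ["SSH_AUTH_SOCK"], gid):
        print(f"{path}: {reason}")
```

An empty result means only that the mode bits allow access; the daemon still has to be started with `SSH_AUTH_SOCK` set, as the reply says.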