[Nix-dev] impureEnvVars, the second

Ben Franksen ben.franksen at online.de
Fri Apr 18 05:43:56 CEST 2014


Ben Franksen wrote:
> Shea Levy wrote:
>> On Thu, Apr 17, 2014 at 06:13:35PM +0200, Ben Franksen wrote:
>>> Eelco Dolstra wrote:
>>> > On 17/04/14 17:04, Ben Franksen wrote:
>>> > 
>>> >> sorry to bother you again regarding impureEnvVars. I still can't get
>>> >> my fetchdarcs over ssh to work, even though I am now using
>>> >> constant-output derivations and have
>>> >> 
>>> >>   impureEnvVars = [ "SSH_AGENT_PID" "SSH_AUTH_SOCK" ];
>>> >> 
>>> >> in my fetchdarcs/default.nix.
>>> >> 
>>> >> The environment variables are now defined in the builder. However,
>>> >> they are empty :(
>>> >> 
>>> >> Could this be because I am using the Nix multi-user setup where
>>> >> building is delegated to a number of nixbld users?
>>> > 
>>> > Right, environment variables from the client are not passed to the
>>> > builder. Even if they were, the builder probably would not have file
>>> > system access to the socket identified by $SSH_AUTH_SOCK.
>>> 
>>> The latter could, I guess, be worked around (using build-chroot-dirs)
>> 
>> Actually, fixed-output derivations are done outside of the chroot, so
>> you just need to ensure the socket is accessible to the build users
>> group. In fact, *not* having it in the chroot is better so that
>> non-fixed-output builds don't have access.
>> 
>>> but
>>> the former seems... hopeless :(
>> 
>> Why? Just start the daemon with the right environment settings.
> 
> Well, those would have to be static, as the daemon is not started
> separately by each user. But the environment variables are created
> dynamically when the ssh agent is started.
> 
> But: what you said here gave me an idea for a much simpler solution: I
> don't have to rely on the developer's credentials at all. Instead I'll
> give the Nix build users their own ssh identity (key pair) w/o passphrase.
> Then add their public key to the <repouser>@<reposerver>'s
> .ssh/authorized_keys. No impureEnvVars needed, since the build users don't
> need to connect to an ssh agent.
> 
> I hope that Nix build users not having a home directory is only a
> recommendation, not a requirement for the multi-user setup to work.

Just wanted to report that this approach finally worked! Yay!

(BTW, this is possible only because fixed-output derivations are built 
outside the chroot, else ssh could not access the identity file in the build 
user's home.)

Cheers & thanks again
Ben
-- 
"Make it so they have to reboot after every typo." -- Scott Adams
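As an added example, not code from the thread or from Nix itself: a POSIX shell script that provisions the dedicated, passphrase-less identity Ben describes for one build user and prints the line to append to the repository user's authorized_keys. The home-directory root /var/lib/nixbld-home, the host repo.example.org, the user repouser and the source address 10.0.0.5 are assumptions. Two things go beyond what the thread says and are the caveats a practitioner would want: the key is restricted on the server side (it has no passphrase and lives on a shared build machine, so it should only ever be able to read the repository), and the server's host key is pinned up front so the non-interactive fetch cannot be silently redirected.

```shell
#!/bin/sh
# Added example, not from the nix-dev thread: provision a dedicated ssh
# identity for one Nix build user (nixbld1, nixbld2, ...) so that a
# fixed-output fetch over ssh works without any developer credentials
# or impureEnvVars.  Assumptions (not stated in the thread):
#   - build users get real home directories under /var/lib/nixbld-home
#     (ssh resolves ~ through the passwd entry, so the directory must be
#     registered there, not merely exist on disk);
#   - the build host's address is passed in so the key can be pinned
#     to it on the server side.
set -eu

NIXBLD_HOME_ROOT=${NIXBLD_HOME_ROOT:-/var/lib/nixbld-home}

# authorized_keys_line SRC_ADDR PUBKEY
# The key has no passphrase and is readable by a build user on a shared
# machine, so restrict it: usable only from the build host, no forwarding,
# no pty.  Add command="..." as well if the server can force a fetch-only
# darcs invocation for the repository.
authorized_keys_line() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# build_user_ssh_config REPO_HOST REPO_USER IDENTITY_FILE KNOWN_HOSTS
# Non-interactive settings: BatchMode so a missing key fails instead of
# prompting inside the build, IdentitiesOnly so ssh never consults an
# agent, and a pinned known_hosts file so the fetch cannot be redirected.
build_user_ssh_config() {
    printf 'Host %s\n' "$1"
    printf '  User %s\n' "$2"
    printf '  IdentityFile %s\n' "$3"
    printf '  IdentitiesOnly yes\n'
    printf '  BatchMode yes\n'
    printf '  StrictHostKeyChecking yes\n'
    printf '  UserKnownHostsFile %s\n' "$4"
}

# setup_build_user_identity BUILD_USER REPO_HOST REPO_USER SRC_ADDR
# Runs as root on the build host; prints the authorized_keys line to
# append on the repository server for REPO_USER.
setup_build_user_identity() {
    user=$1; repo_host=$2; repo_user=$3; src_addr=$4
    sshdir=$NIXBLD_HOME_ROOT/$user/.ssh
    install -d -m 0700 -o "$user" -g nixbld "$sshdir"
    # Passphrase-less key: the build runs unattended and has no agent.
    ssh-keygen -q -t ed25519 -N '' -C "$user@$(hostname)" -f "$sshdir/id_ed25519"
    # Pin the server's host key now, over a connection you trust, instead
    # of letting the first build accept whatever answers.
    ssh-keyscan -t ed25519 "$repo_host" > "$sshdir/known_hosts"
    build_user_ssh_config "$repo_host" "$repo_user" \
        "$sshdir/id_ed25519" "$sshdir/known_hosts" > "$sshdir/config"
    chown -R "$user:nixbld" "$sshdir"
    chmod 0600 "$sshdir"/*
    authorized_keys_line "$src_addr" "$(cat "$sshdir/id_ed25519.pub")"
}

# Example invocation (needs root, ssh-keygen and network; not run here):
#   setup_build_user_identity nixbld1 repo.example.org repouser 10.0.0.5 \
#       >> authorized_keys.to-append
```

Repeat the invocation once per build user and append every printed line to <repouser>@<reposerver>'s .ssh/authorized_keys. The fetchdarcs expression itself stays a fixed-output derivation exactly as in the thread (outputHash, outputHashAlgo, outputHashMode), with no impureEnvVars: because fixed-output builds run outside the chroot, ssh running as nixbldN can read that user's ~/.ssh/config, identity and known_hosts, while ordinary builds never see them.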
