[Nix-dev] NixOps reproducible bug with large amount of deployment.keys

4levels 4levels at gmail.com
Thu Apr 20 14:41:09 CEST 2017


Hi Nix-Devs,

I filed the following bug report in the Github issue tracker
https://github.com/NixOS/nixpkgs/issues/25057

Hope someone has the skills to have a look at this..

I'm currently trying to work around this issue by encrypting and packaging
these files myself and manually moving the keys to the /run/keys folder..
not a nice solution but at least it should keep me going until a fix is
created.

Kind regards,

Erik aka 4levels

On Wed, Apr 19, 2017 at 2:27 PM 4levels <4levels at gmail.com> wrote:

> Hi Nix Devs, hi Philip,
>
> in an effort to solve my previous problem (bash argument list too long) I
> tried a new deployment in NixOps, only containing the derivations from the
> examples in the nixops manual.  The aforementioned issue appears again so I
> think this is a bug in NixOps and how the keys derivation is being handled.
>
> Steps to reproduce: create the following files
>
> test.nix:
>
> {
>   network.description = "Web server";
>
>   webserver =
>     { config, pkgs, ... }:
>     { services.httpd.enable = true;
>       services.httpd.adminAddr = "alice at example.org";
>       networking.firewall.allowedTCPPorts = [ 80 ];
>     };
> }
>
> test-servers.nix:
>
> {
>   webserver =
>     { config, pkgs, ... }:
>     {
>       deployment.targetEnv = "virtualbox";
>       deployment.virtualbox.memorySize = 1024; # megabytes
>       deployment.virtualbox.vcpu = 2; # number of CPUs
>     };
> }
>
>
> Add a lot of keys to test-servers.nix, in the form below (example)
>
> deployment.keys."phpmyadmin.password" = {
>   text = fileContents (./keys/phpmyadmin.password);
>   group = "keys";
>   permissions = "0640";
> };
>
> Removing the extra attributes group and permissions doesn't seem to
> change the length of the generated derivation.
>
> Create a new deployment:
> $ nixops create -dtest test.nix test-servers.nix
>
> Output of $ nixops info -dtest
> Network name: test
> Network UUID: 74586894-24e7-11e7-adab-525400d7e1fa
> Network description: Web server
> Nix expressions: test.nix test-server.nix
>
> +-----------+--------------------+------------+-------------+------------+
> | Name      |       Status       | Type       | Resource Id | IP address |
> +-----------+--------------------+------------+-------------+------------+
> | webserver | Missing / Outdated | virtualbox |             |            |
> +-----------+--------------------+------------+-------------+------------+
>
>
> As soon as you add a lot of key files (+1000) the issue appears, resulting
> in the following error:
>
> $ nixops deploy -dtest --build-only:
> building path(s)
> ‘/nix/store/lv40g4brdfa187x3h08jbxgwrs12gmpm-nixos-system-webserver-17.03.890.ce3ab704b2’
> while setting up the build environment: executing
> ‘/nix/store/86blj9iqyxwmdgkn3dyrpib1gkbmz91v-bash-4.4-p5/bin/bash’:
> Argument list too long
> builder for
> ‘/nix/store/apmw3a1pb7imlw7p6vls9hs6glj4n44h-nixos-system-webserver-17.03.890.ce3ab704b2.drv’
> failed with exit code 1
>
>
> The main reason is that the keys derivation contains all key related
> statements on a single line and is passed as a single argument to bash,
> triggering the maxlength error (argument list too long).  I could reduce
> the length of the names of the keyfiles, since this will actually reduce
> the total length of the generated keys derivation, but that's no solution,
> especially since I'm intending to deploy even more keys in the near future..
>
> Since this is reproducible and baked into NixOps, I consider this a bug.
> This is currently really a blocking issue for me, setting me back for
> almost a week now as I lack the skills to solve this myself.
> Has anyone an idea how I or someone else can fix / work around this?
>
>
> Kind regards,
>
> Erik aka 4levels
>
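
The failure mode named in the quoted report (one oversized string handed to bash at exec time), shown as an added example that is not part of the original message and is not NixOps code. The `KEY_n` names and the filler bytes are constructed; the script only probes the local kernel's exec limits.

```shell
#!/bin/sh
# Added illustration, not NixOps code. execve() fails with E2BIG
# ("Argument list too long") when any single argument or environment
# string is too large. On Linux with 4 KiB pages that per-string cap is
# 128 KiB (MAX_ARG_STRLEN), far below the limit on the total.

# try_exec TOTAL [PARTS]: exec a trivial command while passing TOTAL
# bytes of constructed filler split across PARTS strings (default 1).
# Returns 0 if the exec was accepted, non-zero if it was refused.
try_exec() {
    total=$1; parts=${2:-1}
    chunk=$(head -c $((total / parts)) /dev/zero | tr '\0' 'k')
    i=0; set --
    while [ "$i" -lt "$parts" ]; do
        set -- "$@" "KEY_$i=$chunk"; i=$((i + 1))
    done
    env "$@" true >/dev/null 2>&1
}

# max_single_string: largest size (to within 1 KiB) that is accepted
# as one string, found by bisection between 1 KiB and 8 MiB.
max_single_string() {
    lo=1024; hi=8388608
    while [ $((hi - lo)) -gt 1024 ]; do
        mid=$(( (lo + hi) / 2 ))
        if try_exec "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# report TOTAL PARTS: print whether that split was accepted or refused.
report() {
    if try_exec "$1" "$2"; then echo accepted; else echo refused; fi
}

echo "largest single string accepted: about $(max_single_string) bytes"
echo "256 KiB as 1 string:  $(report 262144 1)"
echo "256 KiB as 8 strings: $(report 262144 8)"
```

Comparing the last two lines of output shows whether the local limit is per string or on the total size passed to the new process.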