-
-
Notifications
You must be signed in to change notification settings - Fork 164
Operating a Builder
nix-shell ./shell.nix
$ cd ofborg
$ cargo build
cargo build
or:
nix-build . -A ofborg.rs
then copy example.config.json
to config.json
and edit its vars. Set nix.remote
to an empty string if you're not using the daemon.
If you used cargo build
, run:
./target/debug/builder ./config.json
If you used nix-build
, run:
./result/bin/builder ./config.json
Note if you run multiple builders (which you can) they must each have a separately configured identity
, and probably should also have separate build roots at this time.
This is a service I use:
let
grahamcofborg = builtins.storePath
(builtins.fromJSON
(builtins.readFile
(builtins.fetchurl
"https://hydra.nixos.org/job/ofborg/release/ofborg.rs.x86_64-linux/latest/api/get-info"
)
)
).outPath;
# or if you'd prefer run out of a checkout:
# grahamcofborg = (import ./ofbborg/default.nix).ofborg.rs;
in {
users.users.gc-of-borg = {
description = "GC Of Borg Workers";
home = "/var/lib/gc-of-borg";
createHome = true;
group = "gc-of-borg";
uid = 402;
};
users.groups.gc-of-borg.gid = 402;
systemd.services.grahamcofborg-builder = {
enable = true;
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
nix
git
curl
bash
];
serviceConfig = {
User = "gc-of-borg";
Group = "gc-of-borg";
PrivateTmp = true;
WorkingDirectory = "/var/lib/gc-of-borg";
Restart = "always";
};
preStart = ''
mkdir -p ./nix-test
'';
script = ''
export HOME=/var/lib/gc-of-borg;
export NIX_REMOTE=daemon;
git config --global user.email "[email protected]"
git config --global user.name "GrahamCOfBorg"
export RUST_BACKTRACE=1
${grahamcofborg}/bin/builder ${./myconfig.json}
'';
};
If you get:
Protocol("Unexpected method frame: connection.close, expected: connection.open-ok")
it means your credentials don't have enough permissions.
If you get:
thread 'main' panicked at 'Running "nix-build": Error { repr: Os { code: 2, message: "No such file or directory" } }'
it means nix-build isn't executable, and if you're on a mac you might need this annoying patch:
diff --git a/ofborg/src/nix.rs b/ofborg/src/nix.rs
index dbb21c2..ceb2381 100644
--- a/ofborg/src/nix.rs
+++ b/ofborg/src/nix.rs
@@ -40,7 +40,7 @@ impl Nix {
attrargs.push(attr);
}
- return self.safely("nix-build", nixpkgs, attrargs, true);
+ return self.safely("/nix/var/nix/profiles/default/bin/nix-build", nixpkgs, attrargs, true);
}
- Only run a builder on a host which is "multi-user", ie: uses the build daemon
- Ensure you have sandboxing enabled
- On MacOS, As of 2017-12-25, ONLY run it if you either:
- Are using Nix 1.12 from master with the fancy sandboxing code
- Are aware of the problems of not using the sandbox and have judged that to not be a problem for you if you don't fit these two, Subscribe to https://github.com/grahamc/ofborg/issues/7 and I'll update / close that when I have good documentation on setting up sandboxing.
Ensure you have sandboxing enabled on your Mac's Nix. Do this by using a "recent enough" Nix Unstable as of 2018-01-06, nixUnstable
in Nixpkgs for 17.09 and master are new enough:
ndndx:nixpkgs graham$ nix-build . -A nixUnstable
...
/nix/store/chl6llrafsyfqyf7q199b6smc4fv9abk-nix-unstable-1.12pre5810_5d5b931f
ndndx:nixpkgs graham$ sudo su -
ndndx:~ root# /nix/store/chl6llrafsyfqyf7q199b6smc4fv9abk-nix-unstable-1.12pre5810_5d5b931f/bin/nix-env --uninstall nix
uninstalling 'nix-1.11.16'
building '/nix/store/6ban3wlcl8y9n6y11wl64ssgpxvsz195-user-environment.drv'...
created 1 symlinks in user environment
ndndx:~ root# /nix/store/chl6llrafsyfqyf7q199b6smc4fv9abk-nix-unstable-1.12pre5810_5d5b931f/bin/nix-env --install /nix/store/chl6llrafsyfqyf7q199b6smc4fv9abk-nix-unstable-1.12pre5810_5d5b931f
installing 'nix-unstable-1.12pre5810_5d5b931f'
building '/nix/store/x2cybarskjbcfm3lmivv9bpajm66i1ck-user-environment.drv'...
created 8 symlinks in user environment
ndndx:~ root# nix --version
nix (Nix) 1.12pre5810_5d5b931f
ndndx:~ root# cat /Library/LaunchDaemons/org.nixos.nix-daemon.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.nixos.nix-daemon</string>
<key>RunAtLoad</key>
<true/>
<key>Program</key>
<string>/nix/store/chl6llrafsyfqyf7q199b6smc4fv9abk-nix-unstable-1.12pre5810_5d5b931f/bin/nix-daemon</string>
<key>StandardErrorPath</key>
<string>/var/log/nix-daemon.log</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
</dict>
</plist>
Then make sure your /etc/nix/nix.conf
has:
build-use-sandbox = true
pre-build-hook =
ndndx:~ root# launchctl stop org.nixos.nix-daemon
ndndx:~ root# pgrep nix
ndndx:~ root# launchctl start org.nixos.nix-daemon
ndndx:~ root# pgrep nix
55039
Test your sandboxing works via:
let pkgs = import <nixpkgs> {}; in pkgs.runCommand "test" {} "ls /Users"
ndndx:~ root# nix-build ./test.nix
these derivations will be built:
/nix/store/sqanh64mvgsijgppwkz7rxzbzzy5xbvw-test.drv
building '/nix/store/sqanh64mvgsijgppwkz7rxzbzzy5xbvw-test.drv'...
ls: cannot access '/Users': Operation not permitted
builder for '/nix/store/sqanh64mvgsijgppwkz7rxzbzzy5xbvw-test.drv' failed with exit code 2
error: build of '/nix/store/sqanh64mvgsijgppwkz7rxzbzzy5xbvw-test.drv' failed
setOutputFlags = false; # it would move $out/modules, etc.
buildInputs = [perl] ++
- optional brotliSupport brotli ++ optional sslSupport openssl ++ optional ldapSupport openldap ++ # there is no --with-ldap flag optional libxml2Support libxml2 ++ @@ -58,6 +61,7 @@ stdenv.mkDerivation rec { --enable-cern-meta --enable-imagemap --enable-cgi
- ${optionalString brotliSupport "--enable-brotli --with-brotli=${brotli}"}
${optionalString proxySupport "--enable-proxy"} $ {optionalString sslSupport "--enable-ssl"} ${optionalString http2Support "--enable-http2 --with-nghttp2"} INFO:ofborg::clone: Locking "/Users/graham/nix-borg/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-zoidberg.lock" Merge made by the 'recursive' strategy. pkgs/servers/http/apache-httpd/2.4.nix | 4 ++++ 1 file changed, 4 insertions(+) Got path: "/Users/graham/nix-borg/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-zoidberg", building ok built (true), building Lines: ["patching script interpreter paths in /nix/store/bhqdhkxcp8xaqsr0k6y3z4idvml65ccw-apache-httpd-2.4.29-dev", "/nix/store/bhqdhkxcp8xaqsr0k6y3z4idvml65ccw-apache-httpd-2.4.29-dev/share/build/mkdir.sh: interpreter directive changed from "/bin/sh" to "/nix/store/hgsbnqhg7zr5vbjazb250ac4wnj3cfhy-bash-4.4-p12/bin/sh"", "/nix/store/bhqdhkxcp8xaqsr0k6y3z4idvml65ccw-apache-httpd-2.4.29-dev/share/build/instdso.sh: interpreter directive changed from "/bin/sh" to "/nix/store/hgsbnqhg7zr5vbjazb250ac4wnj3cfhy-bash-4.4-p12/bin/sh"", "/nix/store/bhqdhkxcp8xaqsr0k6y3z4idvml65ccw-apache-httpd-2.4.29-dev/share/build/config.nice: interpreter directive changed from " /bin/sh" to "/nix/store/hgsbnqhg7zr5vbjazb250ac4wnj3cfhy-bash-4.4-p12/bin/sh"", "gzipping man pages under /nix/store/4nnmfx9dn23dd9crg1hnd40bvr93d07w-apache-httpd-2.4.29-man/share/man/", "strip is /nix/store/bhfkh37smh9lc5bngdha6zx98k6w6cgd-cctools-binutils-darwin/bin/strip", "patching script interpreter paths in /nix/store/4nnmfx9dn23dd9crg1hnd40bvr93d07w-apache-httpd-2.4.29-man", "strip is /nix/store/bhfkh37smh9lc5bngdha6zx98k6w6cgd-cctools-binutils-darwin/bin/strip", "patching script interpreter paths in /nix/store/1i2y31a5fdlfjas2hd48id5vi8rfd9bi-apache-httpd-2.4.29-doc", "/nix/store/p2k95k6cf3mclwgs5vx4apdzzdn73wcr-apache-httpd-2.4.29"] ^C
[nix-shell:~/ofborg/ofborg]$ which nix /nix/var/nix/profiles/default/bin/nix
[nix-shell:~/ofborg/ofborg]$ nix --version nix (Nix) 1.12pre5810_5d5b931f
nix-shell:~/ofborg/ofborg]$ cargo run --bin builder ../config.json
nix-shell:~/ofborg/ofborg]$ cargo run --bin builder ../config.json
Finished dev [unoptimized + debuginfo] target(s) in 0.0 secs
Running target/debug/builder ../config.json
INFO:builder: Defaulting RUST_LOG environment variable to info
Hello, world!
INFO:amqp::session: Session initialized
Connected to rabbitmq
About to open channel #1
Opened channel #1
Got personal queue: "amq.gen-0_eY0gB2MkV87FoJHKpYlg"
Running a builder will inherently expose some information about your system publicly in GitHub comments. Efforts are taken to minimize the risk and exposure, but it cannot be perfect. Please evaluate the risks for yourself when deciding to run a builder.
The builder's identity is considered public information, and efforts are not taken to hide it.
For example, one operator was unhappy that the builder exposed their home directory in an error log:
error: while evaluating the attribute ‘args’ of the derivation ‘hello-1.12.0’ at /Users/theiruser/.nix-test-rs/repo/commit-hash/builder/their-builder-identity/pkgs/stdenv/generic/make-derivation.nix:98:11:
couldn't change to directory of ‘/nix/var/nix/daemon-socket/socket’: No such file or directory
If you'd rather your home directory / user account information not exposed, ensure the build root is outside of your home directory.