Skip to content

Operating a Builder

Graham Christensen edited this page Dec 26, 2017 · 16 revisions

Standard Setup

If you get:

Protocol("Unexpected method frame: connection.close, expected: connection.open-ok")

it means your credentials don't have enough permissions.

If you get:

thread 'main' panicked at 'Running "nix-build": Error { repr: Os { code: 2, message: "No such file or directory" } }'

it means nix-build isn't executable, and if you're on a mac you might need this annoying patch:

diff --git a/ofborg/src/nix.rs b/ofborg/src/nix.rs
index dbb21c2..ceb2381 100644
--- a/ofborg/src/nix.rs
+++ b/ofborg/src/nix.rs
@@ -40,7 +40,7 @@ impl Nix {
             attrargs.push(attr);
         }
 
-        return self.safely("nix-build", nixpkgs, attrargs, true);
+        return self.safely("/nix/var/nix/profiles/default/bin/nix-build", nixpkgs, attrargs, true);
     }

Best Practices

  • Only run a builder on a host which is "multi-user", ie: uses the build daemon
  • On Linux, ensure you have sandboxing enabled

Security and Privacy of your builder

Running a builder will inherently expose some information about your system publicly in GitHub comments. Efforts are taken to minimize the risk and exposure, but it cannot be perfect. Please evaluate the risks for yourself when deciding to run a builder.

Builder Identity

The builder's identity is considered public information, and efforts are not taken to hide it.

Home Directory Leakage

For example, one operator was unhappy that the builder exposed their home directory in an error log:

error: while evaluating the attribute ‘args’ of the derivation ‘hello-1.12.0’ at /Users/theiruser/.nix-test-rs/repo/commit-hash/builder/their-builder-identity/pkgs/stdenv/generic/make-derivation.nix:98:11:
couldn't change to directory of ‘/nix/var/nix/daemon-socket/socket’: No such file or directory

If you'd rather your home directory / user account information not exposed, ensure the build root is outside of your home directory.

Clone this wiki locally