hydra-eval-jobs says access to path '/nix/store/2ikh2abhjaiidam039zfwypj2cf2anxr-nixpkgs-a888bba' is forbidden in restricted mode


Tomas Hlavaty

Feb 20, 2018, 2:19:57 PM
to nix-devel
Hi,

in our second hydra instance which I use to bring our test environment
to nixos 17.09 I get this error:

hydra-eval-jobs returned exit code 1:
error: access to path '/nix/store/2ikh2abhjaiidam039zfwypj2cf2anxr-nixpkgs-a888bba' is forbidden in restricted mode

It seems that "restricted mode" is referring to
https://nixos.org/nix/manual/#conf-restrict-eval but that is by default
off, I cannot see it set to true anywhere and even if I put
"restrict-eval = false" into /etc/nix/nix.conf I get this error.

Any ideas what could be the problem and how to fix it?

Thanks in advance!

Tomas

Freddy Rietdijk

Feb 20, 2018, 2:24:12 PM
to Tomas Hlavaty, nix-devel



--
You received this message because you are subscribed to the Google Groups "nix-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nix-devel+unsubscribe@googlegroups.com.
To post to this group, send email to nix-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nix-devel/86606rpixx.fsf%40knowledgetools.de.
For more options, visit https://groups.google.com/d/optout.

Tomas Hlavaty

Feb 20, 2018, 2:34:30 PM
to nix-devel
Hi Freddy,

thanks, I missed that.

Why would hydra itself enable restrict-eval and then try to evaluate
nixpkgs?

This hydra instance is "ordinary" hydra module from nixpkgs 17.09
https://nixos.org/channels/nixos-17.09/nixexprs.tar.xz

Is there a way to debug this issue somehow?

Thank you

Tomas

On Tue 20 Feb 2018 at 20:23, Freddy Rietdijk <freddyr...@fridh.nl> wrote:

> Hi,
>
> it is enabled by Hydra itself:
> https://github.com/NixOS/hydra/blob/364e21919a2284db24509bf953126329d6de92bb/src/hydra-eval-jobs/hydra-eval-jobs.cc#L189
>
> Freddy
>
> On Tue, Feb 20, 2018 at 8:19 PM, Tomas Hlavaty <
> tomas....@knowledgetools.de> wrote:
>
>> Hi,
>>
>> in our second hydra instance which I use to bring our test environment
>> to nixos 17.09 I get this error:
>>
>> hydra-eval-jobs returned exit code 1:
>> error: access to path '/nix/store/2ikh2abhjaiidam039zfwypj2cf2anxr-nixpkgs-a888bba'
>> is forbidden in restricted mode
>>
>> It seems that "restricted mode" is referring to
>> https://nixos.org/nix/manual/#conf-restrict-eval but that is by default
>> off, I cannot see it set to true anywhere and even if I put
>> "restrict-eval = false" into /etc/nix/nix.conf I get this error.
>>
>> Any ideas what could be the problem and how to fix it?
>>
>> Thanks in advance!
>>
>> Tomas

Domen Kožar

Feb 21, 2018, 10:39:48 AM
to nix-devel
Hey Tomas,

I believe we are seeing the same problem with pinned nixpkgs and the latest Hydra. Can you share the Nix expression that produces the
/nix/store/2ikh2abhjaiidam039zfwypj2cf2anxr-nixpkgs-a888bba path?

Domen

Domen Kožar

Feb 21, 2018, 12:44:35 PM
to nix-devel

Tomas Hlavaty

Feb 26, 2018, 8:48:16 AM
to nix-devel
I think that /nix/store/2ikh2abhjaiidam039zfwypj2cf2anxr-nixpkgs-a888bba
is produced by our hydra, as one of the inputs is

nixpkgs Git checkout foo.bar.lan:/path/to/nixpkgs.git nixos-17.09

and <nixpkgs> is then used in the nix expression evaluated by hydra.

The error I am seeing is that hydra downloads the inputs, it checks out
the nixpkgs.git repo into the nix store and then it tries to evaluate it
from there.

https://github.com/NixOS/nix/issues/1888#issuecomment-367394617

As a workaround, maybe -I store=/nix/store works.

I tried adding nixPath = ["store=/nix/store"] or nixPath =
["/nix/store"] but it did not make any difference.

This hydra instance is running 17.09.3047.8bce347f02f (Hummingbird).

People commenting on the issue seem to understand how to fix it on their
side by rewriting their hydra expressions, but I don't see what needs to
be done.

Especially if nixpkgs is a build input to hydra and there is no way to
get around evaluating it.

What am I missing?

Tomas

Bas van Dijk

Mar 3, 2018, 9:05:16 AM
to nix-devel, Tomas Hlavaty
I'm having a similar issue on my 17.09 hydra machine:

hydra-eval-jobs returned exit code 1:
error: access to path '/nix/store/jgw8hxx7wzkyhb2dr9hwsd9h2caaasdc-bash-4.4-p12/bin/bash' is forbidden in restricted mode

Note that I'm fetching nixpkgs using an empty NIX_PATH as described in:


Are there any workarounds?

Bas


Tomas Hlavaty

Mar 7, 2018, 5:51:42 AM
to nix-devel
Looks like this is the problem:

{ pkgs ? (import <nixpkgs> {}) }:
let
  # Pinned nixpkgs checkout, fetched into the Nix store
  nixpkgsCcl = pkgs.fetchgit {
    url = "https://github.com/NixOS/nixpkgs.git";
    rev = "a888bbacb1d37c800b183fad1e721da31206864b"; # 15.09
    sha256 = "0yq9frfvnf4mscsm9w751kssclwh6mv0sq4shki0l29gshglbvig";
  };
in {
  # Importing the fetched checkout makes the evaluator read that store path
  ccl = pkgs.stdenv.lib.overrideDerivation (import nixpkgsCcl {}).ccl (oldAttrs: { lisptype = "ccl"; });
}

Is there a different way to pin nixpkgs for a package which would work
with restricted mode?

Shea Levy

Mar 7, 2018, 10:00:48 AM
to Tomas Hlavaty, nix-devel
Hi Tomas,

This should be fixed in Nix 2.0:
https://github.com/NixOS/nix/commit/43f8ef73c6aeb23aee40d485556004d6262d4e3b#diff-aa78d090ed5dd00a22cae91aca1315eb

Thanks,
Shea