Comments (17)
I get the same issue, both for github.com and cachix.org:
- https://gitlab.com/rycee/nur-expressions/-/jobs/588465247
- https://gitlab.com/rycee/home-manager/-/jobs/588434988
from docker.
@peti The reason is apparently this:
$ ls -l $NIX_SSL_CERT_FILE
ls: /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt: No such file or directory
from docker.
I see that the value of NIX_SSL_CERT_FILE has changed from /root/.nix-profile/etc/ssl/certs/ca-bundle.crt in 2.3.4 to /etc/ssl/certs/ca-certificates.crt in 2.3.6. Could that be the reason?
from docker.
I built this locally and it looks like it's garbage collecting nss-cacert:
finding garbage collector roots...
deleting garbage...
deleting '/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2'
deleting '/nix/store/rdk8344ikky544zib47jr0fqvc3y7jng-nixpkgs-unstable'
deleting '/nix/store/trash'
deleting unused links...
note: currently hard linking saves -0.00 MiB
from docker.
Could someone test with installing cacert after GC?
from docker.
$ docker run nixos/nix nix-shell -p hello --run hello
error: unable to download 'https://cache.nixos.org/hs6rg4zbsclx660s6i5938605zmv6lgh.narinfo': Problem with the SSL CA cert (path? access rights?) (77)
but it does work interactively:
[grahamc@Petunia:~]$ docker run nixos/nix /bin/sh -i -c 'nix-shell -p hello --run hello'
/bin/sh: can't access tty; job control turned off
these paths will be fetched (54.74 MiB download, 243.99 MiB unpacked):
/nix/store/0x8pbk0578knfpxf9gbl0lhmpynh2947-binutils-2.31.1
...
Hello, world!
comparing the environment between the two:
[grahamc@Petunia:~]$ cat interactive.sort
ENV=/etc/profile
GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
HOME=/root
HOSTNAME=b39c25bbdd8a
NIX_PATH=/nix/var/nix/profiles/per-user/root/channels:/root/.nix-defexpr/channels
NIX_PROFILES=/nix/var/nix/profiles/default /root/.nix-profile
NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
PAGER=less
PATH=/root/.nix-profile/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PS1=\h:\w\$
PWD=/
SHLVL=1
TERM=xterm
USER=root
[grahamc@Petunia:~]$ cat noninteractive.sort
ENV=/etc/profile
GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
HOME=/root
HOSTNAME=d68db68c3e42
NIX_PATH=/nix/var/nix/profiles/per-user/root/channels
NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
PATH=/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin
USER=root
from docker.
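A check for the failure mode discussed in this thread, as an added example (not code from the thread or from the image's repository): it tests that each CA-bundle variable shown in the environment dumps above points at a readable file containing a PEM certificate, and reports the first path component that does not resolve. It assumes absolute paths; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: check that CA-bundle variables point at a usable file.
# Assumes absolute paths; function names are hypothetical.

# Print the first path component of $1 that does not resolve.
first_missing() {
    rest=${1#/}; cur=
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        [ -e "$cur" ] || { printf '%s\n' "$cur"; return 0; }
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
    return 1
}

# check_ca_bundle PATH -> 0 usable, 1 missing, 2 not a readable file, 3 no PEM cert
check_ca_bundle() {
    if [ ! -e "$1" ]; then
        miss=$(first_missing "$1") || miss=$1
        kind=missing
        if [ -L "$miss" ]; then kind="dangling symlink"; fi
        echo "FAIL $1: $kind at $miss" >&2
        return 1
    fi
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "FAIL $1: not a readable regular file" >&2
        return 2
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "FAIL $1: no PEM certificate found" >&2
        return 3
    fi
    echo "ok   $1"
}

# Check the two variables shown in the thread; returns the number of failures.
audit_ca_env() {
    bad=0
    for name in NIX_SSL_CERT_FILE GIT_SSL_CAINFO; do
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then echo "skip $name: unset"; continue; fi
        check_ca_bundle "$val" || bad=$((bad + 1))
    done
    return "$bad"
}

audit_ca_env || echo "CA bundle check failed" >&2
```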
[nix-shell:~]$ ls -la 2.3.6/nix/var/nix/profiles/
total 6
drwxr-xr-x 3 root root 5 Jun 8 05:27 .
drwxr-xr-x 7 root root 8 Jun 8 05:27 ..
lrwxrwxrwx 1 root root 14 Jun 8 05:27 default -> default-1-link
lrwxrwxrwx 1 root root 60 Jun 8 05:27 default-1-link -> /nix/store/82hb6jjw8rphw962d3d9x38ngd5iqh8h-user-environment
drwxr-xr-x 3 root root 3 Jun 8 05:27 per-user
[nix-shell:~]$ ls -la 2.3.6/nix/store/82hb6jjw8rphw962d3d9x38ngd5iqh8h-user-environment/
total 21
dr-xr-xr-x 2 root root 9 Dec 31 1969 .
drwxrwxr-t 40 root nixbld 47 Jun 8 05:27 ..
lrwxrwxrwx 2 root root 57 Dec 31 1969 bin -> /nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6/bin
lrwxrwxrwx 2 root root 57 Dec 31 1969 etc -> /nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6/etc
lrwxrwxrwx 2 root root 61 Dec 31 1969 include -> /nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6/include
lrwxrwxrwx 2 root root 57 Dec 31 1969 lib -> /nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6/lib
lrwxrwxrwx 2 root root 61 Dec 31 1969 libexec -> /nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6/libexec
lrwxrwxrwx 2 root root 60 Dec 31 1969 manifest.nix -> /nix/store/vam6zpl5wfz46nm3lp3hk59y8mh7rddv-env-manifest.nix
lrwxrwxrwx 2 root root 59 Dec 31 1969 share -> /nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6/share
Note the etc symlink points directly into the nix store path. Compare in 2.3.4, where etc is a dir linking out to other store paths:
[nix-shell:~]$ ls -la 2.3.4/nix/var/nix/profiles
total 6
drwxr-xr-x 3 root root 5 May 6 10:23 .
drwxr-xr-x 7 root root 8 May 6 10:22 ..
lrwxrwxrwx 1 root root 14 May 6 10:22 default -> default-2-link
lrwxrwxrwx 1 root root 60 May 6 10:22 default-2-link -> /nix/store/zqzvr7xxaia779b5xxzd9sc8345x3lm7-user-environment
drwxr-xr-x 3 root root 3 May 6 10:22 per-user
[nix-shell:~]$ ls -la 2.3.4/nix/store/zqzvr7xxaia779b5xxzd9sc8345x3lm7-user-environment/
total 22
dr-xr-xr-x 3 root root 9 Dec 31 1969 .
drwxrwxr-t 41 root nixbld 48 May 6 10:23 ..
lrwxrwxrwx 2 root root 57 Dec 31 1969 bin -> /nix/store/8928ygfyf9iassfrnj76v55s6zid58ja-nix-2.3.4/bin
dr-xr-xr-x 2 root root 5 Dec 31 1969 etc
lrwxrwxrwx 2 root root 61 Dec 31 1969 include -> /nix/store/8928ygfyf9iassfrnj76v55s6zid58ja-nix-2.3.4/include
lrwxrwxrwx 2 root root 57 Dec 31 1969 lib -> /nix/store/8928ygfyf9iassfrnj76v55s6zid58ja-nix-2.3.4/lib
lrwxrwxrwx 2 root root 61 Dec 31 1969 libexec -> /nix/store/8928ygfyf9iassfrnj76v55s6zid58ja-nix-2.3.4/libexec
lrwxrwxrwx 2 root root 60 Dec 31 1969 manifest.nix -> /nix/store/37095zs8zpx3wlxpmdrfm6mdqpcjf3vd-env-manifest.nix
lrwxrwxrwx 2 root root 59 Dec 31 1969 share -> /nix/store/8928ygfyf9iassfrnj76v55s6zid58ja-nix-2.3.4/share
[nix-shell:~]$ ls -la 2.3.4/nix/store/zqzvr7xxaia779b5xxzd9sc8345x3lm7-user-environment/etc
total 5
dr-xr-xr-x 2 root root 5 Dec 31 1969 .
dr-xr-xr-x 3 root root 9 Dec 31 1969 ..
lrwxrwxrwx 2 root root 62 Dec 31 1969 init -> /nix/store/8928ygfyf9iassfrnj76v55s6zid58ja-nix-2.3.4/etc/init
lrwxrwxrwx 2 root root 67 Dec 31 1969 profile.d -> /nix/store/8928ygfyf9iassfrnj76v55s6zid58ja-nix-2.3.4/etc/profile.d
lrwxrwxrwx 2 root root 69 Dec 31 1969 ssl -> /nix/store/zswq70r66ranf0n1hzwx9a9grx437a59-nss-cacert-3.49.2/etc/ssl
from docker.
Build log difference: https://gist.github.com/domenkozar/fe4a74b88d8e15fd490c2b245e501c0f
from docker.
Regression test in #22
from docker.
I see in the log that the 2.3.6 PR doesn't attempt to install cacerts, and that is why it is deleted in the GC.
from docker.
If I build the docker image locally, it does install nscert. So much for reproducibility.
from docker.
I guess nix-shell sources the profile and setup scripts from bash because it's an interactive shell, which seems to overwrite the (correct) environment variable NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt that docker configures.
from docker.
Yeah, but the problem here is that nsscerts are never installed. Building locally they are - not sure what the hell happened.
from docker.
nsscerts is installed, but it's removed by the garbage collector. That didn't happen in previous Nix versions. Nix 2.3.6 depends on openssl, but not on nsscerts.
from docker.
You can see it's not installed via nix-env:
And it does install for me locally, but not on travis: #22 (same commit)
from docker.
I'm not thrilled by this fix, because I am worried there is a regression in the Nix installation itself. Can this be researched further?
from docker.
Can this be researched further?
Yes, anybody who wants to is free to spend their time getting to the root of this change in behavior.
from docker.