[Nix-dev] impureEnvVars, the second
Ben Franksen
ben.franksen at online.de
Fri Apr 18 01:09:44 CEST 2014
Shea Levy wrote:
> On Thu, Apr 17, 2014 at 06:13:35PM +0200, Ben Franksen wrote:
>> Eelco Dolstra wrote:
>> > On 17/04/14 17:04, Ben Franksen wrote:
>> >
>> >> sorry to bother you again regarding impureEnvVars. I still can't get
>> >> my fetchdarcs over ssh to work, even though I am now using
>> >> constant-output derivations and have
>> >>
>> >> impureEnvVars = [ "SSH_AGENT_PID" "SSH_AUTH_SOCK" ];
>> >>
>> >> in my fetchdarcs/default.nix.
>> >>
>> >> The environment variables are now defined in the builder. However,
>> >> they are empty :(
>> >>
>> >> Could this be because I am using the Nix multi-user setup where
>> >> building is delegated to a number of nixbld users?
>> >
>> > Right, environment variables from the client are not passed to the
>> > builder. Even if they were, the builder probably would not have file
>> > system access to the socket identifier by $SSH_AUTH_SOCK.
>>
>> The latter could, I guess, be worked-around (using build-chroot-dirs)
>
> Actually, fixed-output derivations are done outside of the chroot, so
> you just need to ensure the socket is accessible to the build users
> group. In fact, *not* having it in the chroot is better so that
> non-fixed-output builds don't have access.
>
>> but
>> the former seems... hopeless :(
>
> Why? Just start the daemon with the right environment settings.
Well, those would have to be static, as the daemon is not started separately
by each user. But the environment variables are created dynamically when the
ssh agent is started.
But: what you said here gave me an idea for a much simpler solution: I don't
have to rely on the developer's credentials at all. Instead I'll give the
Nix build users their own ssh identity (key pair) w/o passphrase. Then add
their public key to the <repouser>@<reposerver>'s .ssh/authorized_keys. No
impureEnvVars needed, since the build users don't need to connect to an ssh
agent.
I hope that Nix build users not having a home directory is only a
recommendation, not a requirement for the multi-user setup to work.
Cheers
Ben
--
"Make it so they have to reboot after every typo." -- Scott Adams
More information about the nix-dev
mailing list