[Nix-dev] Impossible to use Nix + fetchgit on any Linux configured with LDAP authentication /libnss_sss

Adrien Devresse Adev at adev.name
Tue Jun 23 18:37:37 CEST 2015


> Would this work as a non-root user ?
> No, you need to be root to do chroot builds.
>

This is unfortunately a problem: Nix is advertised to work in non-root
environments and is used as such.

You have common situations where root access is just not possible.

A Linux cluster configured with LDAP (libnss_sss) is one of the most
common types of "shared" / "non-root" environment around.
Almost all scientific or academic organizations in this world have one
and all HPC centers are in this situation too.

Solving this issue by enforcing chroot for any Nix build is like
forbidding any usage of Nix in these environments.


Would it not be possible to create a wrapper that maps any "host"
libnss-* plugin into the stdenv build path? That would allow the use of
any kind of exotic nss/pam auth configured on the host transparently.

It is an impure solution but a solution that would fix this kind of
issue definitively.


Adrien




On 23/06/2015 15:38, Eelco Dolstra wrote:
> Hi,
>
> On 23/06/15 14:50, Adrien Devresse wrote:
>
>>> If possible, you could also enable chroot builds. It might be possible to
>>> override /etc/nsswitch.conf in the chroot by setting the Nix option
>>> "build-chroot-dirs = /etc/nsswitch.conf=/path/to/my-nsswitch.conf" (where
>>> my-nsswitch.conf doesn't contain libnss_nss). However, looking at the code, it
>>> may not be possible to override /etc/nsswitch.conf at the moment, but fixing
>>> that wouldn't be hard.
>> Would this work as a non-root user ?
> No, you need to be root to do chroot builds.
>
>> If the current user is an LDAP-referenced user, this will cause a
>> failure too even if sss is not configured through /etc/nsswitch.conf
> The user inside the chroot is always called "nixbld" and has an entry in the
> chroot's /etc/passwd file, so looking up that user would not require LDAP lookups.
>
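
The override proposed in the quoted reply needs a copy of nsswitch.conf with the sss source taken out. One way to generate that copy is sketched below as an added example; it is not part of either message or of Nix. It assumes the plugin is listed as `sss`, and it substitutes `files` (an assumption) when a database would otherwise be left with no source. As the thread notes, using the result still requires root chroot builds and may need a fix in Nix before the override takes effect.

```shell
#!/bin/sh
# Added example: emit a copy of nsswitch.conf with one NSS source removed.

# strip_nss_source SOURCE   (nsswitch.conf on stdin, filtered copy on stdout)
strip_nss_source() {
    awk -v drop="$1" '
    /^[ \t]*(#|$)/ { print; next }            # keep comment and blank lines as-is
    {
        out = $1; dropped = 0; inact = 0
        for (i = 2; i <= NF; i++) {
            t = $i
            if (substr(t, 1, 1) == "#") break  # trailing comment: discard it
            if (inact || substr(t, 1, 1) == "[") {
                # An action such as [NOTFOUND=return] belongs to the source
                # before it, so it is dropped together with that source.
                if (!dropped) out = out " " t
                inact = (substr(t, length(t), 1) != "]")
                continue
            }
            dropped = (t == drop)
            if (!dropped) out = out " " t
        }
        if (out == $1) out = out " files"      # assumption: fall back to local files
        print out
    }'
}

# Constructed sample input, not taken from a real host.
sample_nsswitch() {
    cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:    files sss
group:     files sss [NOTFOUND=return] ldap
netgroup:  files [SUCCESS=return] sss
automount: sss [UNAVAIL=return NOTFOUND=continue] files
sudoers:   sss
hosts:     files dns
EOF
}

sample_nsswitch | strip_nss_source sss
```

Redirect the output to the file named on the right-hand side of the `build-chroot-dirs` entry quoted above (`/path/to/my-nsswitch.conf`).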

