[Nix-dev] gitFetchPrivate on NixOS
Adrien Devresse
Adev at adev.name
Thu Jun 16 15:57:57 CEST 2016
Hi Ash,
I join to this mail the script I use to use gitFetchPrivate in a
multi-user configuration.
Have a look, you should be able to adapt it to your usage quite easily.
The trick is to give to the nix-daemon access to three things :
- rw access to your ssh-agent socket
- read access to your ssh config file
- the option that will request ssh to ignore the user read-only
permission on the config file.
Cheers,
Adrien
Le 16/06/2016 00:46, zimbatm a écrit :
> I believe you could run nix-prefetch-git to pre-populate the store but
> I don't know if it's still possible, the derivation might not match
> exactly anymore. Also it's only really useful for developer machines,
> on a CI you still want it to have access to the repo isn't it?
>
> On Wed, 15 Jun 2016 at 13:42 Ashley Gillman <gillmanash at gmail.com
> <mailto:gillmanash at gmail.com>> wrote:
>
> Thanks Zimbatm,
>
> Actually I don't think the issue is the socket (yet). For example,
> I get exactly the same error when just calling `nix-shell -I
> ssh-config-file=$HOME/.ssh/config`. The current "wall" I think is
> either that config file or the referenced id_rsa file, but the
> error indicates its the config file itself. I have tried `chmod
> o+rw` on the file, and with group (`chmod g+rw` and `chgrp`ing to
> nixbld), but to no avail.
>
> I should mention also, I do not have my heart set on
> gitFetchPrivate. If there is another way to access a remote
> (BitBucket) server requiring credentials, that would be great.
> Although pulling each manually and using a local file path is not
> preferred.
>
> Cheers,
> Ash
>
> On Wed, Jun 15, 2016 at 10:07 PM, zimbatm <zimbatm at zimbatm.com
> <mailto:zimbatm at zimbatm.com>> wrote:
>
> Hi,
>
> Yes the difference is that the build user is nixbld[1-9]. Also
> the SSH agent doesn't allow other users to access to the socket.
>
> Sorry I don't know the solution. You could maybe build a
> bridge on the socket using `socat` to hide the caller's user.
>
>
> On Wed, 15 Jun 2016, 11:57 Ashely Gillman,
> <gillmanash at gmail.com <mailto:gillmanash at gmail.com>> wrote:
>
> Hi all,
> I have been attempting to use gitFetchPrivate to fetch
> from a private bitbucket repo over SSH, on both Ubuntu
> running Nix and on NixOS. I am able to get the setup
> working on Ubuntu.
>
> - Set up SSH-Agent the usual way.
> - Ensure that `git clone ssh://git@bitbucket.domain.com
> <mailto:git at bitbucket.domain.com>:<port>/<user>/<repo>.git` works,
> it does
> - Use `nix-shell -I ssh-config-file=$HOME/.ssh/config -I
> ssh-auth-sock=$SSH_AUTH_SOCK`, with a local shell.nix
> specifying requirements
>
> However, I am unable to repeat the process on a NixOS machine.
>
> gil at gil-nixos:~/proj/pylx $ git clone
> ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git
> <This works>
>
> gil at gil-nixos:~/proj/pylx $ nix-shell -I
> ssh-config-file=$HOME/.ssh/config -I
> ssh-auth-sock=$SSH_AUTH_SOCK
> these derivations will be built:
>
> /nix/store/48cz61di3gf6fpkydgri74h5i2s8qh3h-vtk-qvtk-5.10.1.drv
>
> /nix/store/pcj22pnchg10bq63a32jcc53l75cy8z1-boost-1.59.0.drv
>
> /nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv
>
> /nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv
> building path(s)
> ‘/nix/store/603gs7mcgpf7cnyv3k2bkxk1kbj4smbq-boost-1.59.0’, ‘/nix/store/q26zzdzy5zngyxyah8fhqmnqwbmz4gl4-boost-1.59.0-lib’,
> ‘/nix/store/zggqsmrh9l70yrcdagmgqjmv8i6a9rls-boost-1.59.0-dev’
> building path(s)
> ‘/nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819’
> building path(s)
> ‘/nix/store/j70pal3svpcip7xv21bxf5xy2c4chl84-vtk-qvtk-5.10.1’
> exporting
> ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git
> (rev 585a8195804) into
> /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819
> Initialized empty Git repository in
> /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819/.git/
> Can't open user config file /home/gil/.ssh/config:
> Permission denied
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
> unpacking sources
> unpacking source archive
> /nix/store/cdz3wd9r8vlnp193kv091pal401mg9kc-boost_1_59_0.tar.bz2
> Can't open user config file /home/gil/.ssh/config:
> Permission denied
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
> Unable to checkout 585a8195804 from
> ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git.
> builder for
> ‘/nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv’
> failed with exit code 1
> cannot build derivation
> ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’:
> 1 dependencies couldn't be built
> error: build of
> ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’ failed
> /run/current-system/sw/bin/nix-shell: failed to build
> all dependencies
>
> With the relevant line being:
> Can't open user config file /home/gil/.ssh/config:
> Permission denied
>
> Probably a nixbld user is trying to access this? I am not
> actually sure if my nixpkgs are built by my user or by
> nixbld. How can I tell? `cat /etc/passwd` indicates that
> the nixbld users exist.
>
> I have attempted to follow instructions for setting up
> gitFetchPrivate for multi-user installations (but again,
> not even sure this is what I have - I just installed the
> simplest way), but to no avail (although the instructions
> are somewhat unclear).
>
> Thanks for any help,
> Ashley Gillman (Ash)
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> <mailto:nix-dev at lists.science.uu.nl>
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
>
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20160616/2f1a5107/attachment-0001.html>
-------------- next part --------------
#!/bin/bash
# globals
NIX_DAEMON_USER="nix-daemon"
NIX_PATH_CONTENT="$NIX_PATH"
TMP_SSH_CONFIG_DIR="$(mktemp -d /tmp/nix-ssh-config-XXXXXXXXX)"
## configure ssh agent location
##
if [[ -e ${SSH_AUTH_SOCK} ]]; then
NIX_PATH_CONTENT="ssh-auth-sock=${SSH_AUTH_SOCK}:${NIX_PATH_CONTENT}"
setfacl -m "u:${NIX_DAEMON_USER}:rwx" ${SSH_AUTH_SOCK}
setfacl -m "u:${NIX_DAEMON_USER}:rwx" "$(dirname ${SSH_AUTH_SOCK})"
else
echo "Error: ssh-agent environment variable SSH_AUTH_SOCK is not existing" >&2
fi
## configure ssh config path
mkdir -p ${TMP_SSH_CONFIG_DIR}/.ssh
TMP_SSH_CONFIG_FILE="${TMP_SSH_CONFIG_DIR}/.ssh/config"
## use ssh_config user file as initial template
## if it exists
## to forward user alias and parameters
##
if [[ -e ${HOME}/.ssh/config ]]; then
cp ${HOME}/.ssh/config ${TMP_SSH_CONFIG_FILE}
else
touch ${TMP_SSH_CONFIG_FILE}
fi
## Disable strict host key checking
## Needed to have the nix-daemon able to read
## a file not owned by him without throwing
## a SSH error
##
cat >> ${TMP_SSH_CONFIG_FILE} << EOF
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
EOF
setfacl -m "u:${NIX_DAEMON_USER}:rwx" -R ${TMP_SSH_CONFIG_DIR}
NIX_PATH_CONTENT="ssh-config-file=${TMP_SSH_CONFIG_FILE}:${NIX_PATH_CONTENT}"
##
## print the suggested NIX_PATH including SSH config file and agent
##
echo "export NIX_PATH=\"${NIX_PATH_CONTENT}\""
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20160616/2f1a5107/attachment-0001.sig>
More information about the nix-dev
mailing list