[Nix-dev] nixops: Deploying from macOS

Kirill Elagin kirelagin at gmail.com
Sun May 28 10:23:18 CEST 2017


Nowadays it works without nix-daemon, so my guess is that there was indeed
some kind of ssh keys complication, but now it is no longer there and the
issue should probably be closed.

As I understand it, it is a question of security. nix-daemon can use remote
builders and it will add the results of their work to the local store,
which means that the builders must be trusted by the system. On the other
hand, we want ordinary users to use nixops, and if we allow them to
communicate to nix-daemon whichever builders they want to use, this will
allow them to sneak anything into the local store, which is very bad.
To be more specific, nix-daemon does read configuration from /etc, but when
you run nixops as a user, it won’t have permissions to update this
configuration, and that is a good thing. Even if you were running nixops as
root, you probably do not want it to edit your system remote builders
configuration just for this one deployment; that’s why it uses temporary
files.

On Sun, May 28, 2017 at 10:06 AM Wout Mertens <wout.mertens at gmail.com>
wrote:

> This issue is quite old and I haven't tried in a while :) back then, even
> without nix-daemon it didn't work.
>
> BTW, why not let nix-daemon read the configuration from /etc so that it
> can change at runtime?
>
> On Sun, May 28, 2017, 8:13 AM Kirill Elagin <kirelagin at gmail.com> wrote:
>
>> I still can’t make sense of the troubles you were experiencing.
>>
>> As far as I understand it, if one has configured nix-daemon, then there
>> is basically no way to use `NIX_REMOTE_SYSTEMS` from nixops and one has to
>> configure nix-daemon by setting `NIX_REMOTE_SYSTEMS` in its environment.
>> After reading the description of your issue I was left under an impression
>> that you somehow managed to make it work without reconfiguring nix-daemon.
>> Am I wrong?
>>
>> Without nix-daemon I don’t think there are any problems as of today.
>>
>>
>> On Sat, May 27, 2017 at 9:08 PM Wout Mertens <wout.mertens at gmail.com>
>> wrote:
>>
>>> The problem is probably ssh-ing into the VM it should be using for
>>> building. This probably fails due to not having the correct environment,
>>> and then it silently decides to build on OSX.
>>>
>>> On Fri, May 26, 2017, 12:39 PM Kirill Elagin <kirelagin at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have finally switched my laptop to using nix-daemon and got bitten by
>>>> https://github.com/NixOS/nixops/issues/260 (and/or
>>>> https://github.com/NixOS/nixops/issues/483).
>>>>
>>>> To be honest, I am completely lost. Could someone please explain to me
>>>> what is going on here?
>>>>
>>>> 1. The error that I get is this one:
>>>>
>>>> > error: a ‘x86_64-linux’ is required to build ‘/nix/store/cm2y0hlgv6dpcyzf022ih1b0qwh3x5n7-etc-logind.conf.drv’, but I am a ‘x86_64-darwin’
>>>>
>>>> Why on Earth is Linux needed to build _config files_? Building configs
>>>> is mostly echoing, right? Who exactly tells nix that `environment.etc`
>>>> files require a certain platform to be built? Maybe we could fix that?
>>>>
>>>> 2. How is this all related to nix-daemon? `nixops/deployment.py` checks
>>>> for `os.environ.get('NIX_REMOTE') != 'daemon'`, why does it do this? Is
>>>> that because `NIX_BUILD_HOOK` does not work when using nix-daemon? What’s
>>>> that whole story with `NIX_REMOTE_SYSTEMS` and ssh keys really about? Why
>>>> are there no issues with ssh keys when I do not use nix-daemon? Why
>>>> does copying something manually help?