Hello.
When I use nix -L --keep-failed build ... as a normal user it leaves artifacts from failed builds under root:root user/group which I have to clean up with sudo. Is there a way to change that?
I could craft some sudoers rule for this but I’d really like a proper fix. Having user-run nix build generate user-undeletable artifacts is a design bug IMHO.
(Since I really enjoy using tmpfs and I’m often working with RPi and VM images whose /build directories are very large, this is a real problem for me and I have to keep using sudo to clean up --keep-failed artifacts when debugging some problem in order not to run out of space.)
It is 100% my deliberate decision to have nix do builds in tmpfs. Path does not matter at all. If it was building somewhere else I would move it to /tmp or mount the “somewhere else” as tmpfs anyway.
But when building and debugging using --keep-failed without using sudo I want to be able to do cleanup without using sudo too.
But the build is started by the current user. I don’t care that it doesn’t run as the current user. I do not put my password anywhere anytime.
Why can’t there be a cleanup function started by the current user in the exactly same way? Currently I do have to put my password in when trying to delete them.
Your user does not start the build, it issues a request to the daemon to build something. Then it just waits for the daemon to finish the build orchestration.
You are playing with words perhaps trying to look wise but in my opinion very directly contradicting yourself and perhaps very deliberately misunderstanding the problem.
My user absolutely does start the build - by connecting to the nix-daemon - because he is in the allowed-users list in nix settings.
But my user can only remove old artifacts because he’s in the wheel group which is something completely orthogonal.
This is a clear demonstration of the design problem. Users in allowed-users list can get nix daemon to produce artifacts into TMPDIR but there seems to be no facility to get it to clean them and a completely different mechanism outside of nix daemon with different settings and commands etc…
No one’s playing with words, we’re not nix devs, neither are 90% of the people on this help forum. You can continue to express your frustration, but the best we can provide is workarounds since as far as I’m aware there is no cleanup command/mechanism for said files built into nix. If you want to follow up with the nix project on a cleaner mechanism for what you believe to be a design flaw, feel free to do so in the linked issue or a new issue. (Or of course, you’re welcome to contribute a fix yourself.)
Being able to get nix to produce an artifact is handled by allowed-users nix setting.
There seems to be no way to get nix to delete an artifact (specifically failed/incomplete build) created by the same user and it probably has to be handled by a completely different mechanism (like sudoers rule or an automatic cleanup service running as root etc etc etc…)
I wasn’t so sure about the second point. It seemed to me 100% natural that there should have been some nix sub-command (which can connect to nix daemon… yada yada) or some similar way and I thought I had just missed that in the manual hence this thread.
What I got was in my opinion irrelevant nerdy lecturing that there is a nix-daemon (of course there is, it’s pre-101 knowledge) perhaps best represented by this meme and it is technically irrelevant because you can have such a problem even without any daemon at all, just replace the daemon with a setuid binary. Which is funny because sudo rm -rf ... is ackchyually solving a daemon-created problem with a daemon-less solution. I digress.
I’ll investigate it further and create a proper issue if there is not one already (I had done some searching even before creating this thread but I’m not good at it. I’ll try harder once more.) and link it to the one @waffle8946 found.