Cross Compilation failing with Nix and Docker on MacOS

I was able to spend some more time on this topic. I won’t use any paid solution since we’re talking about really small projects I do just for fun. I then looked at GitHub - nix-community/linuxkit-nix: An easy to use Linux builder for macOS [maintainer=@nicknovitski] but it honestly seems like a lot of complexity. Considering my alternative is to ditch Nix and just use the default Haskell Docker image, it seems like adding yet more layers isn’t something I want to do.

Then I looked at GitHub - LnL7/nix-docker: Docker images for the Nix package manager and used it to craft my own remote builder using the official Nix Docker image. To rule out mistakes on my part, I tried to use the LnL7 remote builder too. But in both cases I get “unable to load seccomp BPF program: Invalid argument”:

$ nix build .#packages.x86_64-linux.docker --builders 'ssh://nix-docker x86_64-linux'
error: build of '/nix/store/yaf6fy6wdjfkd2qka9ifgjsasy9zj2q1-build-spago-style.drv' on 'ssh://nix-docker' failed: while setting up the build environment: unable to load seccomp BPF program: Invalid argument
error: builder for '/nix/store/yaf6fy6wdjfkd2qka9ifgjsasy9zj2q1-build-spago-style.drv' failed with exit code 1
error: 1 dependencies of derivation '/nix/store/jcaq8l839jcv1w5vb7mli4rkyy9pkc38-lions-client.drv' failed to build
error: 1 dependencies of derivation '/nix/store/0xw07gaii4r1syn28fkn8ays101z2r45-lions-all-client-assets.drv' failed to build
error: 1 dependencies of derivation '/nix/store/jhf2ka90dpbjfq6ajyv7mkn1l7jmj92y-lions-website.drv' failed to build
error: 1 dependencies of derivation '/nix/store/dpg0qb0valcxppm2l5f5g41kfn66isbk-server-config.json.drv' failed to build
error: 1 dependencies of derivation '/nix/store/niqlffyvy725j844dwxivys13pb84kn0-docker-image-server.tar.gz.drv' failed to build

This seems to be a rather uncommon error:

I thought it might be related to the sandboxing difference between the official Docker image (disabled) and the default install (enabled). So I enabled it in the container and ran it with --privileged but same issue.

So I now resorted to filter-syscalls = false. The documentation is vague and just says:

Whether to prevent certain dangerous system calls, such as creation of setuid/setgid files or adding ACLs or extended attributes. Only disable this if you’re aware of the security implications.

I have no idea what the security implications are. I am inclined to say it’s a local builder that I control. On the other hand I’m building packages I don’t control so they might make syscalls I don’t like. On the other hand the whole thing happens in a container. So I guess… it’s fine? But it feels like I shouldn’t have to do any of these things.

I have to say the divide between “Haskell Cross Compilation is best-in-class on Nix” and the reality of “everything is more or less broken” is pretty extreme.

I got pretty far this time:

       > /nix/store/h6bva8mkj6xfp7za4v3jpp59i58wqs9f-stdenv-linux/setup: line 1359:  1795 Killed                  ./Setup configure $configureFlags 2>&1
       >       1798 Done                    | /nix/store/dj89pwrdlycn8iyn08v8znmynjz1zsi9-coreutils-9.0/bin/tee "$NIX_BUILD_TOP/cabal-configure.log"

I’ll give it more memory.

Nope, same problem.

Luckily there’s a fix for the linked issue about cross compilation; the fix worked on a toy example and I’ll try this with the actual application next.
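As an added example, not part of the original post or of Nix itself: when `filter-syscalls = false` is the only way to get a builder running, the filter's two effects (blocking creation of setuid/setgid files and blocking ACLs, capabilities and other extended attributes) can at least be checked after the fact. The script below walks a build output and reports anything the filter would have prevented. It assumes the output path is passed as a command-line argument; the sample tree it builds when run without one is constructed here for demonstration.

```python
"""Post-build check for what Nix's seccomp filter normally prevents:
setuid/setgid files and extended attributes (ACLs, capabilities).
Added example, not Nix's own code; scans a path given on the command line."""
import os
import stat
import sys
import tempfile

# Extended attributes a build could set deliberately; OS-managed labels
# such as security.selinux are applied automatically and are not reported.
INTERESTING_XATTR_PREFIXES = (
    "user.",
    "system.posix_acl_access",
    "system.posix_acl_default",
    "security.capability",
)


def risky_mode_flags(mode: int) -> list:
    """Return the special-permission bits set in a st_mode value."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return flags


def xattr_names(path: str) -> list:
    """Extended attribute names worth reporting; empty where unsupported."""
    if not hasattr(os, "listxattr"):  # macOS Python has no os.listxattr
        return []
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError:
        return []
    return sorted(n for n in names if n.startswith(INTERESTING_XATTR_PREFIXES))


def scan_output(root: str) -> list:
    """Walk root and return (path, finding) pairs for every hit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless
            for flag in risky_mode_flags(st.st_mode):
                findings.append((path, flag))
            for attr in xattr_names(path):
                findings.append((path, "xattr:" + attr))
    return findings


def make_sample_tree() -> str:
    """Constructed sample output: a plain script and one the build tried to
    mark setuid (the bit is set only if the filesystem allows it)."""
    root = tempfile.mkdtemp(prefix="sample-out-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    plain = os.path.join(bindir, "hello")
    with open(plain, "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    os.chmod(plain, 0o755)
    helper = os.path.join(bindir, "helper")
    with open(helper, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(helper, 0o4755)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    hits = scan_output(target)
    for path, finding in hits:
        print(f"{finding}\t{path}")
    sys.exit(1 if hits else 0)
```

Run it against the builder's output path (a `/nix/store/...` result on the remote builder, or a copied closure); a non-zero exit means the output contains something the filter would normally have refused, which is the moment to look at what the build did rather than trust the container boundary alone.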