d92
March 29, 2026, 3:05pm
1
I have a flake that fails to build with Nix installed through DNF on Fedora, while it works with Nix installed via the standard curl-to-bash installers. Based on my surface-level understanding of Nix, I would expect that the same flake and lock file should be reproducible everywhere within hardware or kernel limits (assuming no adversarial build instructions like “crash on Tuesdays,” etc.); however, I am not sure.
Q: Is the flake non-reproducibility a bug in DNF Nix or elsewhere, or should I not in general expect to be able to run the same flake on different machines?
flake.nix:
{
  description = "minimal repro for r-magick build failure";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs { inherit system; };
    in {
      devShells.${system}.default = pkgs.mkShell {
        packages = [
          pkgs.R
          pkgs.rPackages.magick
        ];
      };
    };
}
flake.lock:
{
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1774386573,
        "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
}
error:
error: Cannot build '/nix/store/iz9ny6qj11sy1nrjya3dvnyaw1hvz1sk-r-magick-2.9.0.drv'.
Reason: builder failed with exit code 1.
Output paths:
/nix/store/barqhfqnhykg5wnqh423byi299rwwff9-r-magick-2.9.0
Last 19 log lines:
> Running phase: unpackPhase
> unpacking source archive /nix/store/lp9qym78kfm86a21f5gs0yxlfqbvfxn2-magick_2.9.0.tar.gz
> source root is magick
> setting SOURCE_DATE_EPOCH to timestamp 1757341802 of file "magick/MD5"
> Running phase: patchPhase
> Running phase: updateAutotoolsGnuConfigScriptsPhase
> Running phase: configurePhase
> patching script interpreter paths in configure
> Running phase: buildPhase
> Running phase: checkPhase
> Running phase: installPhase
> * installing *source* package 'magick' ...
> ** this is package 'magick' version '2.9.0'
> ** package 'magick' successfully unpacked and MD5 sums checked
> ** using staged installation
> sh: ./configure: not found
> Warning in system(cmd) : error in running command
> ERROR: configuration failed for package 'magick'
> * removing '/nix/store/barqhfqnhykg5wnqh423byi299rwwff9-r-magick-2.9.0/library/magick'
For full logs, run:
nix log /nix/store/iz9ny6qj11sy1nrjya3dvnyaw1hvz1sk-r-magick-2.9.0.drv
error: Cannot build '/nix/store/11gpi4sabbwqanvq9chi1aq7qpfshg63-r-fsbrain-0.5.6.drv'.
Reason: 1 dependency failed.
Output paths:
/nix/store/xfc15527pscjx6b3y1dr1sjz71j03ck0-r-fsbrain-0.5.6
error: Cannot build '/nix/store/70w42xzjs5zsqvsz9rjwg00ln4jz6qwa-nix-shell-env.drv'.
Reason: 1 dependency failed.
Output paths:
/nix/store/ay779rbl492dh806cvg1kcmd391ncz7v-nix-shell-env
1 Like
NobbZ
March 29, 2026, 3:10pm
2
What version of nix does fedora install? Are the effective nix configurations the same?
TLATER
March 29, 2026, 3:17pm
4
Alternatively, is your nix store corrupt, and is SELinux and such definitely not causing issues?
d92
March 29, 2026, 3:18pm
5
I am sorry, I accidentally deleted the reply. The version DNF installs is: nix (Nix) 2.31.3
$ nix config show
abort-on-warn = false
accept-flake-config = false
access-tokens =
allow-dirty = true
allow-dirty-locks = false
allow-import-from-derivation = true
allow-new-privileges = false
allow-symlinked-store = false
allow-unsafe-native-code-during-evaluation = false
allowed-impure-host-deps =
allowed-uris =
allowed-users = *
always-allow-substitutes = false
auto-optimise-store = true
bash-prompt =
bash-prompt-prefix = (nix:$name)\040
bash-prompt-suffix =
build-dir =
build-hook = /usr/bin/nix __build-remote
build-poll-interval = 5
build-users-group =
builders = @/etc/nix/machines
builders-use-substitutes = false
commit-lock-file-summary =
compress-build-log = true
connect-timeout = 15
cores = 0
debugger-on-trace = false
debugger-on-warn = false
diff-hook =
download-attempts = 5
download-buffer-size = 67108864
download-speed = 0
eval-cache = true
eval-profile-file = nix.profile
eval-profiler = disabled
eval-profiler-frequency = 99
eval-system =
experimental-features = fetch-tree flakes nix-command
extra-platforms = i686-linux x86_64-v1-linux x86_64-v2-linux x86_64-v3-linux
fallback = false
filter-syscalls = true
flake-registry = https://channels.nixos.org/flake-registry.json
fsync-metadata = true
fsync-store-paths = false
gc-reserved-space = 8388608
hashed-mirrors =
http-connections = 25
http2 = true
id-count = 8388608
ignore-try = false
ignored-acls = security.csm security.selinux system.nfs4_acl
impersonate-linux-26 = false
json-log-path =
keep-build-log = true
keep-derivations = true
keep-env-derivations = false
keep-failed = false
keep-going = false
keep-outputs = false
log-lines = 25
max-build-log-size = 0
max-call-depth = 10000
max-free = 9223372036854775807
max-jobs = 8
max-silent-time = 0
max-substitution-jobs = 16
min-free = 0
min-free-check-interval = 5
nar-buffer-size = 33554432
narinfo-cache-negative-ttl = 3600
narinfo-cache-positive-ttl = 2592000
netrc-file = /etc/nix/netrc
nix-path = nixpkgs=flake:nixpkgs
nix-shell-always-looks-for-shell-nix = true
nix-shell-shebang-arguments-relative-to-script = true
plugin-files =
post-build-hook =
pre-build-hook =
preallocate-contents = false
print-missing = true
pure-eval = true
require-drop-supplementary-groups = false
require-sigs = true
restrict-eval = false
run-diff-hook = false
sandbox = true
sandbox-build-dir = /build
sandbox-dev-shm-size = 50%
sandbox-fallback = true
sandbox-paths = /bin/sh=/usr/bin/busybox
secret-key-files =
show-trace = false
ssl-cert-file = /etc/ssl/certs/ca-certificates.crt
stalled-download-timeout = 300
start-id = 872415232
store = auto
substitute = true
substituters = https://cache.nixos.org/
sync-before-registering = false
system = x86_64-linux
system-features = benchmark big-parallel kvm nixos-test uid-range
tarball-ttl = 3600
timeout = 0
trace-function-calls = false
trace-import-from-derivation = false
trace-verbose = false
trust-tarballs-from-git-forges = true
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
trusted-substituters =
trusted-users = root
upgrade-nix-store-path-url = https://github.com/NixOS/nixpkgs/raw/master/nixos/modules/installer/tools/nix-fallback-paths.nix
use-case-hack = false
use-cgroups = false
use-registries = true
use-sqlite-wal = true
use-xdg-base-directories = false
user-agent-suffix =
warn-dirty = true
warn-large-path-threshold = 0
warn-short-path-literals = false
d92
March 29, 2026, 3:21pm
6
Could be, but it works on the same machine and same Fedora with the curl-to-bash Nix.
Can you run file /usr/bin/busybox and ldd /usr/bin/busybox? I suspect that it uses libraries or a dynamic loader which is not present in the sandbox.
Edit: In case anyone is building nix outside the nix store, use a statically compiled shell for this job. The nix installer installs a shell as part of nix in the nix store and the static build of nix embeds a static version of busybox into nix for this reason.
1 Like
d92
March 29, 2026, 3:31pm
10
Do you mean that it should look like: sandbox-paths = /bin/sh=/nix/store/cbwbz05v2iqhn2d1w118y1rw97cqimjf-busybox-1.36.1/bin/busybox ?
NobbZ
March 29, 2026, 3:35pm
11
Ideally, no additional sandbox paths are configured.
Though we don’t know why the Fedora packaging team did what they did.
On the other hand, the busybox is statically linked, so it’s very likely not the problem Max is suggesting.
Ok, I’ve set up a Fedora install within a VM and I’m able to reproduce the issue on a fresh install of Fedora Workstation 43 where I’ve just installed nix (and started nix-daemon.service).
The configure script doesn’t appear to have a shebang at the top, so it’s using sh. I’m not sure whether it’s relevant; however, I’m going to check (with strace) what the fallback shell paths are.
1 Like
Ok, the build is executing /bin/sh (Fedora’s busybox) which then tries to execute ./configure. There’s no shebang, so it tries to execute it using its builtin shell (/usr/sbin/busybox), which doesn’t exist within the sandbox, causing the error.
Edit: Fedora explicitly sets CONFIG_BUSYBOX_EXEC_PATH="/usr/sbin/busybox" in busybox-static-musl.config. I don’t know if Fedora needs to support an environment without /proc, as the default value for this is /proc/self/exe (which nixpkgs uses).
Edit 2: A quick solution would be adding /usr/sbin/busybox to sandbox-paths i.e. setting it to /bin/sh=/usr/sbin/busybox /usr/sbin/busybox.
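The check behind this diagnosis, as an added example that is not part of the original post or of Nix: it reads the sandbox-paths line from nix config show output and reports a hard-coded BusyBox exec path that the sandbox does not expose. The function names, the sample inputs, and the string heuristic for locating the exec path in the binary are assumptions made for illustration.

```python
import re

# Constructed inputs: the sandbox-paths line quoted in the thread, and a few bytes
# standing in for a BusyBox binary built with a hard-coded exec path.
SAMPLE_CONFIG = "sandbox = true\nsandbox-paths = /bin/sh=/usr/bin/busybox\n"
SAMPLE_BINARY = b"\x7fELF\x00ash\x00/usr/sbin/busybox\x00applet not found\x00"

def parse_sandbox_paths(config_text):
    """Map each path visible inside the sandbox to its source path on the host."""
    mapping = {}
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "sandbox-paths":
            for entry in value.split():
                inside, _, host = entry.rstrip("?").partition("=")  # '?' = optional
                mapping[inside] = host or inside
    return mapping

def embedded_exec_paths(binary):
    """Heuristic (assumption): NUL-delimited strings shaped like a BusyBox exec path."""
    pattern = re.compile(rb"(?<=\x00)(/proc/self/exe|/[\x21-\x7e]*/busybox)\x00")
    return sorted({m.group(1).decode() for m in pattern.finditer(binary)})

def audit(config_text, shell_binary):
    """Return findings for the shell that sandbox-paths maps to /bin/sh."""
    visible = parse_sandbox_paths(config_text)
    if "/bin/sh" not in visible:
        return ["sandbox-paths does not map /bin/sh"]
    findings = []
    for path in embedded_exec_paths(shell_binary):
        if path == "/proc/self/exe":
            continue  # the shell re-executes itself, no extra path needed
        covered = any(path == p or path.startswith(p.rstrip("/") + "/") for p in visible)
        if not covered:
            findings.append(f"{path} is re-executed by the shell but absent from the sandbox")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_BINARY):
        print(finding)
```

On a real host, pass the text printed by nix config show and the bytes of the host file that /bin/sh maps to.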
d92
March 29, 2026, 7:01pm
14
Interesting. Why doesn’t it crash on many more packages?
I suspect that this is because it requires:
1. An executable shell script without a shebang (#!) which causes a fallback to running the script within a shell.
2. The executable shell script to be executed from /bin/sh e.g. through the system() function.
3. The package which would encounter this issue to not already be cached and therefore wouldn’t be built locally.
1 Like
d92
March 31, 2026, 5:24pm
16
@juhp would you mind looking into this? Should I submit a bug report somewhere?