Flake + restricted evaluation: how to download stuff?

I’m trying to write a flake that doesn’t build upon nixpkgs. For the purpose of that question, let’s simplify it to “I just want to download and invoke a statically linked binary”. I want to build it in my hydra, which seems to require restricted evaluation mode. Here’s an illustrative flake.nix:

{
  description = "small broken example";
  outputs = { self }:
    let
      problem = builtins.fetchurl {
        url = "https://busybox.net/downloads/binaries/1.21.1/busybox-x86_64";
        sha256 = "8d7a4ac8629db62457447673fd5e3ae857bdf5c4bda46f6c2abc53b3315f4bf5";
      };
    in
      {
        defaultPackage.x86_64-linux = derivation {
          name = "test";
          builder = problem;
          args = [ "echo" "this is not gonna work for multiple reasons" ];
          system = "x86_64-linux";
        };
      };
}

Invocation: nix build --restrict-eval.

Expected: permission denied, applet not found, but it at least tries to build the derivation.

Observed: error: access to URI 'https://busybox.net/downloads/binaries/1.21.1/busybox-x86_64' is forbidden in restricted mode.

How am I supposed to fetch stuff then? I presume nixpkgs also starts from something, how does it fetch that something?


Can’t reproduce, copying your flake verbatim into a new empty directory gives me this:

❯ n build --restrict-eval -L
test>
test> ErroSysErroroexecuting '/nix/store/grygsvfbd6n4nblyimnn9mg8382lw6wh-busybox-x86_64': Permission denied
error: builder for '/nix/store/lp8c2w309wwadprdbl9wkk9f2xzazm8b-test.drv' failed with exit code 1;
       last 2 log lines:
       >
       > ErroSysErroroexecuting '/nix/store/grygsvfbd6n4nblyimnn9mg8382lw6wh-busybox-x86_64': Permission denied
       For full logs, run 'nix log /nix/store/lp8c2w309wwadprdbl9wkk9f2xzazm8b-test.drv'.

Did it download busybox in the same invocation, i.e., you didn’t build without --restrict-eval first? Just tried again, nix 2.5.1, experimental-features = nix-command flakes ca-derivations, fails as in OP. I’m glad to provide more info, though I don’t know what’s relevant.

I’ve solved or sidestepped with a builtins.fetchurl replacement using derivation = { builder = "builtin:fetchurl"; ...}.

Now hydra-queue-runner just crashes on it, but at least nix build --restrict-eval works, I’m clearly doing unreasonable things all around =)
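The `builder = "builtin:fetchurl"` approach above, written out as a complete flake (an added illustration, not the poster's own code). `fetchBoot` is a name chosen here; the fixed-output attributes follow the pattern nixpkgs uses for its own bootstrap fetcher, and the hash is a placeholder: Nix prints the real hash in its mismatch error on the first build.

```nix
{
  description = "fetch at build time instead of at evaluation time";
  outputs = { self }:
    let
      # Fixed-output derivation: the download runs in the build step, not
      # during evaluation, so --restrict-eval has nothing to forbid. The
      # declared hash is what pins the content, not the URL.
      fetchBoot = { url, sha256, executable ? false }:
        derivation {
          name = baseNameOf url;
          builder = "builtin:fetchurl";   # implemented inside Nix itself
          system = "builtin";
          inherit url executable;
          unpack = false;
          preferLocalBuild = true;
          # "flat" hashes the raw bytes; an executable output must use the
          # NAR ("recursive") hash, which differs from the plain file hash.
          outputHashMode = if executable then "recursive" else "flat";
          outputHashAlgo = "sha256";
          outputHash = sha256;
          # Only these proxy settings leak into the otherwise pure build.
          impureEnvVars = [ "http_proxy" "https_proxy" "no_proxy" ];
        };

      busybox = fetchBoot {
        url = "https://busybox.net/downloads/binaries/1.21.1/busybox-x86_64";
        executable = true;   # so it can serve as a builder directly
        # PLACEHOLDER hash: build once, then paste the "got:" value Nix reports.
        sha256 = "0000000000000000000000000000000000000000000000000000000000000000";
      };
    in
      {
        defaultPackage.x86_64-linux = derivation {
          name = "test";
          builder = busybox;
          # busybox picks the applet from argv[1] when argv[0] is not one.
          args = [ "sh" "-c" "echo hello > $out" ];
          system = "x86_64-linux";
        };
      };
}
```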

I think you may need to set allowed-uris in nix.conf. Related: Allow all locked flake inputs in restricted eval mode · Issue #5039 · NixOS/nix · GitHub


Wouldn’t scale as I have links to lots of places, but thanks for the relevant link.

According to this comment, defining allowed-uris as http:// https:// should allow access to any domain.