How do I access internet inside `nix build`?

I’m trying to build a stack project using haskell.nix and it requires stack-to-nix to be called during build time to generate nix derivations, but calling stack-to-nix requires internet access since it needs to clone github repos. I’m 100% sure that this is pure.

Here are the errors I got:

builder for '/nix/store/8w25s7dxlzknlg4rkar0iwd6jlasj48d-source-stack-to-nix-pkgs.drv' failed with exit code 1; last 6 log lines:
  error: creating directory '/nix/var': Permission denied
  Initialized empty Git repository in /build/git-checkout-tmp-kZWOiIWv/shake-fb3859d/.git/
  fatal: unable to access 'https://github.com/wz1000/shake.git/': Could not resolve host: github.com
  fatal: unable to access 'https://github.com/wz1000/shake.git/': Could not resolve host: github.com
  Unable to checkout fb3859dca2e54d1bbb2c873e68ed225fa179fbef from https://github.com/wz1000/shake.git.
  stack-to-nix: nix-prefetch-hg: createProcess: runInteractiveProcess: exec: does not exist (No such file or directory)
[0 built (1 failed), 0.0 MiB DL]
error: while evaluating anonymous function at /home/poscat/Projects/Nix/hls-nix/hls.nix:1:1

Are there any workarounds for this limitation?

You can disable sandboxing in your /etc/nix/nix.conf/nix.useSandbox.

Though it's better not to do that.

You should write your derivation in a way that it does not require online access at all. Perhaps provide all the stuff that is generated via stack-to-nix via patches or another derivation?

Thanks. The generated nix expressions are really large and I’d rather not generate them beforehand. Would it be possible to temporarily disable the sandbox?

You could try using nix build --option sandbox=false ….


Is the output of stack-to-nix deterministic? If so you can use a fixed-output derivation, which is allowed network access even while sandboxed as long as the output matches the hash (this is how stuff like fetchGitHub works).

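The mechanism described in the answer above, as an added example that is not code from the thread or from haskell.nix: a fixed-output derivation that clones a pinned git revision inside the sandbox and then runs a generator step over the checkout. The `outputHash` value is a placeholder, and the final `cp` stands in for stack-to-nix or any other tool that reads the checkout and writes Nix expressions; the repository URL and revision are the ones from the error log at the top of the thread, reused here only to make the example concrete.

```nix
# Added example (not from the original post or from haskell.nix).
# A fixed-output derivation: because outputHash is set, the Nix sandbox
# allows network access to this build, and Nix accepts the result only
# if the output hashes to outputHash. The generator step is assumed.
{ pkgs ? import <nixpkgs> { } }:

let
  inherit (pkgs) lib stdenv git cacert;

  # Pin the exact commit: a branch can move, a commit cannot, and the
  # output hash below is only meaningful for a reproducible input.
  shakeRepo = "https://github.com/wz1000/shake.git";
  shakeRev = "fb3859dca2e54d1bbb2c873e68ed225fa179fbef";
in
stdenv.mkDerivation {
  name = "generated-from-network";

  # Every tool the build shells out to must be declared here; a missing
  # one surfaces as "exec: does not exist", not as a network error.
  nativeBuildInputs = [ git cacert ];

  # These three attributes are what make this a fixed-output derivation.
  outputHashAlgo = "sha256";
  outputHashMode = "recursive";   # hash the whole output tree, not one file
  # Placeholder (all zeros). Build once, then paste the "got:" hash from
  # the hash-mismatch error here. Update it whenever the generator or its
  # inputs change: with a stale but previously valid hash, Nix silently
  # reuses the old store path instead of rebuilding.
  outputHash = "0000000000000000000000000000000000000000000000000000";

  # The sandbox has no CA bundle by default; without this git's TLS
  # handshake to github.com fails even though the network is reachable.
  GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
  # Let http(s)_proxy and friends through, as the nixpkgs fetchers do.
  impureEnvVars = lib.fetchers.proxyImpureEnvVars;

  dontUnpack = true;
  buildPhase = ''
    export HOME=$TMPDIR            # git wants a writable HOME for its config
    git clone ${shakeRepo} shake
    git -C shake checkout --quiet ${shakeRev}
    rm -rf shake/.git              # .git contents are not reproducible; drop them

    mkdir -p $out
    # Hypothetical generator step: stands in for stack-to-nix or any other
    # tool that reads the checkout and emits Nix expressions into $out.
    cp -r shake $out/shake-src
  '';
  installPhase = "true";           # everything already went into $out
}
```

Two things to keep in mind when using this pattern. The output must be byte-for-byte reproducible, which is why the `.git` directory is removed and the revision is pinned; any timestamp or hostname the generator writes into `$out` will make the hash mismatch on the next machine. And the hash is the only thing standing between the network and your build: once a path with that hash is in the store or a binary cache, Nix will not re-run the build, so a changed generator with an unchanged hash goes unnoticed until the hash is bumped.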
trace: To make this a fixed-output derivation but not materialized, set `stack-sha256` to the output of /nix/store/k5g06sbk1dd3zcxcxsja0xvyjq1r8z0q-calculateSha
trace: To materialize the output entirely, pass a writable path as the `materialized` argument and pass that path to /nix/store/p1h3zhsbcd2mqsvzzn3sa2ldd3sfq23i-generateMaterialized
builder for '/nix/store/8w25s7dxlzknlg4rkar0iwd6jlasj48d-source-stack-to-nix-pkgs.drv' failed with exit code 1; last 10 log lines:
  remote: Total 288 (delta 2), reused 78 (delta 2), pack-reused 0
  Receiving objects: 100% (288/288), 686.64 KiB | 3.43 MiB/s, done.
  Resolving deltas: 100% (2/2), done.
  From https://github.com/wz1000/shake
   * branch            no-scheduler -> FETCH_HEAD
   * [new branch]      no-scheduler -> origin/no-scheduler
  Switched to a new branch 'fetchgit'
  removing `.git'...
  error: cannot open connection to remote store 'daemon': reading from file: Connection reset by peer
  stack-to-nix: nix-prefetch-hg: createProcess: runInteractiveProcess: exec: does not exist (No such file or directory)
[0 built (1 failed)]

I tried to build with the sandbox turned off; git clone succeeded but it still failed, not sure why though…

In general, the haskell.nix stuff should not require sandboxing turned off. My guess is that your nix code is incorrect.

Could you share your derivations using haskell.nix?

I feel like I heard someone complaining at ZuriHac this weekend that the documentation for stack based builds for Haskell.nix needed updating or something.

Looks like nix-prefetch-hg is missing. You might need to add it to your inputs.

It seems that using fixed-output derivations requires setting arguments of mkDerivation; unfortunately haskell.nix does not give such low-level access.

repo: GitHub - poscat0x04/hls-nix at overhaul

I tried to use the cache field as well but it didn’t help either

I’m not sure why this wasn’t working for you.

This appeared to build for me with only minor changes (at your repo’s commit 364659bb54e):

diff --git a/hls.nix b/hls.nix
index 434a9ae..30eead1 100644
--- a/hls.nix
+++ b/hls.nix
@@ -5,11 +5,16 @@ let
   pkgs =
     import haskellNix.sources.nixpkgs-2003 haskellNix.nixpkgsArgs;
 
-  hsPkgs = with pkgs.haskell-nix; stackProject {
-    src = cleanSourceHaskell {
-      src = source.hls-master;
-      name = "hls-source";
-    };
+  inherit (pkgs.haskell-nix) stackProject cleanSourceHaskell;
+
+  hls-src = cleanSourceHaskell {
+    src = source.hls-master;
+    name = "hls-source";
+  };
+
+  hsPkgs = stackProject {
+    src = hls-src;
+
     cache = [
       {
         name = "shake";
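Review bot: the `inherit (pkgs.haskell-nix) stackProject cleanSourceHaskell;` line and the hoisting of the `cleanSourceHaskell` call into a separate `hls-src` binding change no behaviour, and the post itself says the haskell.nix bump is the only real change; keeping this reshuffle out of the fix (or in its own commit) would let the diff show exactly what was needed to make the build go. The `src` passed to `stackProject` and the `cache` entry that follows are otherwise identical to before, so this hunk is safe to take as is.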
@@ -28,4 +33,5 @@ let
     stackYaml = "stack-8.8.3.yaml";
   };
 in
-  hsPkgs
+hsPkgs.haskell-language-server.components.library
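Review bot: changing the file's top-level value from `hsPkgs` to `hsPkgs.haskell-language-server.components.library` narrows what `nix build` produces from the whole package set to one library component, so a successful build here only shows that the library compiles; it does not exercise the executable component, which is what a user of haskell-language-server actually needs. Either build the executable component as well, or leave the expression returning `hsPkgs` and select the attribute on the command line, so the repo's default target does not quietly shrink.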
diff --git a/source/spec/haskell-nix.json b/source/spec/haskell-nix.json
index 180f3a1..b566d70 100644
--- a/source/spec/haskell-nix.json
+++ b/source/spec/haskell-nix.json
@@ -1,7 +1,7 @@
 {
     "owner": "input-output-hk",
     "repo": "haskell.nix",
-    "rev": "7672d524914620ee89c31bc59485c43a1f131f60",
-    "sha256": "1zyiz6hkk17xymx0dsvlbhqqpzjfl5h3y2i0yjzdr5wqwspq3nlb",
+    "rev": "794acb7b013e8b1508b0ab3aa28ac7c57344f4ea",
+    "sha256": "1lnhmjwil5pc9r674ghh3iljcpa63gysj1shlmn23dnx83ish7v9",
     "fetchSubmodules": false
}
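Review bot: `rev` and `sha256` move together, as they must, but nothing in the hunk shows where the new hash came from, and a reviewer cannot tell by inspection that `1lnhmjwil5pc9r674ghh3iljcpa63gysj1shlmn23dnx83ish7v9` is the hash of `794acb7b013e8b1508b0ab3aa28ac7c57344f4ea`. Regenerate the pair with the same tool that writes this spec file rather than editing by hand, and record in the commit message why this particular haskell.nix commit was chosen; pinning the dependency to an otherwise arbitrary newer revision is the whole fix here, so the reason for it belongs in the history.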

The only real thing I did here was change haskell.nix to a different commit.

Oops, I forgot to mention that I fixed it by adding “.git” to the URL; thanks for verifying that it builds. I think that was a (minor) bug of the haskell.nix library.