`nixos-rebuild switch` fails under flakes and doas with git warning about dubious ownership

flgr · May 27, 2024, 3:56pm

Hey,

I am using NixOS with flakes tracking the unstable branch and I am using doas with disabled sudo (becomes important in the end!). Starting about two or three days ago, nixos-rebuild switch is broken for me. I usually run doas nixos-rebuild switch --flake /path/to/flake#default and it had always been working perfectly previously. Now I receive the following warnings and errors:

fatal: detected dubious ownership in repository at '/home/username/git/flake/.git'
To add an exception for this directory, call:

	git config --global --add safe.directory /home/username/git/flake/.git
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
warning: could not read HEAD ref from repo at '/home/username/git/flake', using 'master'
evaluating derivation 'git+file:///home/username/git/flake#nixosConfigurations."default".config.system.build.nixos-rebuild'fatal: ambiguous argument 'master': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
error:
       … while fetching the input 'git+file:///home/username/git/flake'

       error: program 'git' failed with exit code 128

Following this error message, I tried the following:

change the permissions of the git directory (doas chown -R username:username /path/to/flake); no change. I even cloned the git repo again, just to make sure
delete .git directory; works again like before, but this is hardly an acceptable solution
having a dirty git worktree; works, but again not really an acceptable solution
rename main branch to master. This fixes the error, but the warnings remain (and now they appear twice):

fatal: detected dubious ownership in repository at '/home/username/git/flake/.git'
To add an exception for this directory, call:

	git config --global --add safe.directory /home/username/git/flake/.git
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
warning: could not read HEAD ref from repo at '/home/username/git/flake', using 'master'
building the system configuration...
fatal: detected dubious ownership in repository at '/home/username/git/flake/.git'
To add an exception for this directory, call:

	git config --global --add safe.directory /home/username/git/flake/.git
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
warning: could not read HEAD ref from repo at '/home/username/git/flake', using 'master'

Note that all other git actions (like git add, git commit) work without any warnings.

Out of curiosity, I tried enabling sudo and ran sudo nixos-rebuild switch --flake /path/to/flake#default and suddenly it worked normally.

I checked if anyone else had the same problem and came across this post. However, the solution is not applicable since I already have

security.doas.extraRules = [{
    users = [ "wheel" ];
    keepEnv = true;
}];

in my configuration and my current user is part of the wheel group.

My question now is, if this is a bug or just a configuration problem (i.e. expected behaviour)? If it is a bug, is the nixpkgs Github the correct place to write a bug report; is this an issue with nix, git or some library nixos-rebuild uses internally? I would appreciate your help

firecat53 · May 27, 2024, 4:41pm

I’ve also seen this recently on unstable. Fixed imperatively by:

sudo git config --global --add safe.directory /home/firecat53/nixos/nixos/.git

I saw some bug reports of this in the past but they were all closed as resolved. I’m a little concerned about having this affect my servers that are running stable when the 24.05 update happens soon.

matklad · May 27, 2024, 6:37pm

I’d say in some sense this is a design bug in nixos-rebuild.

In this use case, it does two things:

builds the configuration (creates a path in /nix/store with all the stuff)
activates the configuration (adding boot loader entry, restarting systemd units and whatever else)

only the second action needs privileges, so doasing the entire nixos-rebuild does not exactly feels right.

Consider not using nixos-rebuild, and instead do the above two steps “manually” (by writing a script of your own making)

Here’s mine:

github.com

matklad/config/blob/37a388c754ecf74355dd6b50fecafca5ecbc0e58/xtool/src/nix.rs#L35


      
          }
          if !flags.no_pp {
              cmd!(sh, "git pull --rebase").run()?;
          }
          
          
{
              cmd!(sh, "doas rm -rf /var/lib/sddm/.cache").run()?;
              cmd!(sh, "rm -rf /home/matklad/.config/Code/GPUCache/").run()?;
          }
          
          
let host = cmd!(sh, "hostname").read()?;
          let system = cmd!(
              sh,
              "
              nix build --no-link --print-out-paths
                  path:/home/matklad/config#nixosConfigurations.{host}.config.system.build.toplevel"
          )
          .read()?;
          cmd!(sh, "doas {system}/bin/switch-to-configuration switch").run()?;
          if committed && !flags.no_pp {
              cmd!(sh, "git push").run()?;

Incidentally, it uses path: to specify the flake, which I think would also be a separate work-around here?

flgr · May 28, 2024, 4:13pm

Thank you, I’m considering doing it like this for now (just using doas instead of sudo), but it seems suboptimal. Especially since it had been working fine previously.

flgr · May 28, 2024, 4:37pm

Thank you for your explanation. Do you have any idea about why it was working in the first place and why it still works normally with sudo? Also thank you for your code, but I think I would rather want to avoid “reimplementing” nixos-rebuild.

Overall, do you think the whole issue is a “won’t fix”, or actually worth reporting as a bug?

matklad · May 28, 2024, 7:57pm

My guess would be that somehow different versions of git are involved this dubious “dubious ownership” warning is a recent feature. So I would double check which git version are you at with and without warning.

akgrant · June 3, 2024, 4:38am

I also just hit this issue, but using sudo. Going back to 23.11 and running a nixos-rebuild appears to succeed, but didn’t actually produce a new boot generation.

akgrant · June 4, 2024, 6:03am

In case someone else hits this using ‘sudo’, I was able to avoid the ‘dubious ownership’ warning by adding --use-remote-sudo to the nixos-rebuild command, see.

(sorry for somewhat side-tracking the original query about doas, and I’ve lost the original link to the suggestion)

taliyahwebb · June 10, 2024, 8:29pm

I just hit this issue after upgrading unstable -> 24.05

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ad7efee13e0d216bf29992311536fce1d3eefbef' (2024-05-06)
  → 'github:NixOS/nixpkgs/2819fffa7fa42156680f0d282c60d81e8fb185b7' (2024-06-09)

It also still persists if i use the latest nix flake update unstable -> unstable.

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ad7efee13e0d216bf29992311536fce1d3eefbef' (2024-05-06)
  → 'github:NixOS/nixpkgs/3bcedce9f4de37570242faf16e1e143583407eab' (2024-06-09)

I get the same error message as @flgr and can confirm/have reproduced the following behavior:

dirty worktree → doas nixos-rebuild ... runs without issue
renaming main to master produces more warnings but the rebuild seems to run through

I use a compat script that translates sudo invocations to doas invocations for limited use cases.
Thanks to that running nixos-rebuild as directory owner with --use-remote-sudo works as a workaround, however it is quite inconvenient as i have to enter my password 3 times this way.

Additionally on slow systems (e.g. Raspberry Pi3) it is quite unhandy that one has to enter a password “mid”-build.

I also found a closed issue that seem to have a similar error message (https://github.com/NixOS/nix/issues/6443)

taliyahwebb · June 10, 2024, 11:41pm

Another “Workaround”, is to directly rebuild the system from the git remote

doas nixos-rebuild build --flake "git+ssh://git@<host>/<repo>#system"
(sudo should work just as well with this approach)

martijn · June 12, 2024, 11:54am

In the same boat:

using main instead of master
using doas with sudo disabled
alias sudo to doas
set safe.directory to my Nix directory in home-manager git config

Switching to master makes deploys works with warnings. This is not ideal constantly having to rebase. Hopefully someone finds a cleaner workaround/fix

Tmplt · July 22, 2024, 8:38am

Hit this on 24.05.

$ git branch
  feat/ci
  git-annex
  import-prev
* master
  synced/master

i.e., I’m using git-annex. Unsure if related.

  security.sudo.enable = false;
  security.doas = {
    enable = true;
    wheelNeedsPassword = true;
    extraRules = [{
      groups = [ "wheel" ];
      noPass = false;
      keepEnv = true;
      persist = true;
    }];
  };

safe.directory is unset.

Warning is printed twice, but switch passes.

Staging an empty file replaces the error with the usual “git tree dirty” warning.

I presume that you’re presenting your solution as temporary here, but just to make sure: let’s not consider using something other than nixos-rebuild.

martijn · October 5, 2024, 1:15pm

Using this sudo shim: NixOS Search

I can use --use-remote-sude which fixes the warnings. It’s not ideal but it’s something