Private Mirrors in Airgapped Environments

How are folks using private mirrors in airgapped environments? For instance, fetchurl is hard coded to use mirrors.nix. Could this file be a configurable option or could it be made to be extensible?

4 Likes

If it can be stored on tarballs.nixos.org, then marsnix might be of interest to you.

At Nixcon 2022 it was installed on a raspberry pi, serving basically everything from that. :slight_smile:

It needs a bit of work to get to a release status … but it’s very close.

The idea is you can build nix, work with nix, patch nix and upgrade nix, on mars.

I don’t think you’ll be pulling 3GB docker containers from dockerhub when living there…

Is this for a work assignment or personal use at home? I’m interested, out of curiosity, in what your requirements for airgapping nix are.

2 Likes

Thanks @nixinator, is there a video for this from Nixcon? I couldn’t find it here.

In a work setting, the machine is behind an air gap, so I can’t reach out directly to URLs like these. Instead, I need to go through something like artifactory. It would be convenient if fetchurl had an easy way to append my own private mirrors or swap out the file without doing an overlay.

We used it at nixcon, good lord, they don’t like us speak. :wink:

I have used artifactory before.

Marsnix might be a solution for you. If you reach out to @matthewcroughan directly he can give you more information on what’s needed to bring that up to release standard and if it fits your needs.

might be useful for you. This populates the nixos tarball server (upload to s3 buckets, download via https).

You copy all the source tarballs onto a server, and point nix at that, and you’re done.

Or hack the /etc/hosts file, but don’t tell anyone I told you to do that, as that’s an ugly hack.

192.168.0.100 tarballs.nixos.org (or some local https server on your network).

You may have to fiddle with ssl certs a bit to stop it complaining.

You may even be able to point at artifactory itself … if it can supply tarballs over https in a way that makes fetchurl happy. Nix needs it to be content addressed, so artifactory might not like that.

like…

wget http://tarballs.nixos.org/sha256/1gsfidg3gim5pjbl82vkh0cw4ya253m4p7nirm8nr6yjrsirkzxg

It’s quite likely artifactory won’t understand that; however, it might be able to be patched to make it understand.

You can probably get artifactory to check these tarballs for known vulnerabilities at the same time.

Your devsecops persons should be able to help you with that.

Some ideas for you.

At the end of the day, nix checks the hash of each fixed-output derivation, so it doesn’t really matter where it comes from… it could come from a server on the moon over an unencrypted satellite link; if that hash matches you’re all good to go.

So I’m trying to understand your threat model, if it’s to stop developers on your internal network writing their own derivations and fetching source code? Maybe you can explain that, or maybe you can’t.

talks about this, with tools ,but it’s focused on binary cache mirroring and caching, which is not what i think you need.

Good luck. and keep nixxing.
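Added example, not written by anyone in this thread and not marsnix or nixpkgs code: it fills a local directory using the `sha256/<hash>` layout seen in the wget URL above and re-checks the hash when a file is read back, which is the property the post relies on. The directory, file and function names are hypothetical, and the assumption is that the 52-character name in that URL is Nix's base32 rendering of the file's sha256.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix base32 alphabet (no e, o, t, u)

def nix_base32(digest: bytes) -> str:
    """Encode a raw digest the way Nix prints base32 hashes (52 chars for sha256)."""
    value = int.from_bytes(digest, "little")
    length = (len(digest) * 8 - 1) // 5 + 1
    return "".join(NIX_B32[(value >> (5 * n)) & 0x1F] for n in reversed(range(length)))

def file_hash(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return nix_base32(h.digest())

def add_to_mirror(root: Path, tarball: Path) -> str:
    """Copy a tarball to <root>/sha256/<hash> (assumed layout); return the URL path."""
    name = file_hash(tarball)
    dest = root / "sha256" / name
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(tarball, dest)
    return f"sha256/{name}"

def fetch_verified(root: Path, expected: str) -> bytes:
    """Read by hash and re-check it, as a fixed-output fetch does; reject a mismatch."""
    path = root / "sha256" / expected
    if file_hash(path) != expected:
        raise ValueError(f"hash mismatch for {path}")
    return path.read_bytes()

def demo() -> str:
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "example-1.0.tar.gz"  # constructed sample input
        src.write_bytes(b"constructed tarball bytes")
        root = Path(tmp) / "mirror"
        rel = add_to_mirror(root, src)
        (root / rel).write_bytes(b"tampered")  # simulate a bad mirror copy
        try:
            fetch_verified(root, rel.split("/")[1])
        except ValueError:
            return "tampered copy rejected"
        return "tampered copy accepted"

if __name__ == "__main__":
    print(demo())
```

Serving the resulting directory over HTTP(S) gives URLs of the same shape as the one in the post; the hash check on the consuming side is what makes the transport and the server untrusted.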

Thanks for sharing the examples and thread @nixinator. I had read a bit about content addressing, but I hadn’t seen the tarballs.nixos.org site before. What gets uploaded there by default, everything?

In my case, I’m setting up mirrors for things like CRAN in artifactory and trying to build R environments. If the R package tarballs are content addressed, I suppose it wouldn’t matter if I overlay my own artifactory mirrors.

Anyways, you’ve given me plenty to think about. Thanks!

1 Like

No worries.

You gave me a lot to think about too.

I’m glad you’re trying out nix in these environments and putting it through its paces.

Tarballs.nixos.org (or hairballs as I like to call it) is just a fallback if the main mirrors don’t work, change or get removed a lot due to internet churn. Things get shifted around all the time; this seems to happen to large vendors, as they refactor their delivery mechanisms and have no regard for link persistence.

Everything that is free and can be stored on tarballs, is. That’s the thing you would take to mars so you could recompile stuff locally from source. ;-). A complete history of humans’ open source endeavours.

Do you think Microsoft’s Patch Tuesday is going to work there? :wink: LOL.

I’ve used Artifactory, Sonatype and a few others whose names escape me.

I know a solution is to get first class nix support from these vendors, but alas…

Again, everything is in place to do this; you’re just a few scripts away from a great solution.

The prospect of great static code analysis tools and dynamic analysis tools (built into the nixos testing framework) being integrated with nix is low-hanging fruit. You’re in a good position as you can build everything from source, because nix likes source code, so static source code analysis tools could really win here. You can recompile things with extra hardening.

Obviously the more you harden a system, the more it will break apart. That is the nature of compatibility vs hardening. In nix, the constant rebuilding here can work in your favour as the defender.

Hydra supplies some of these hardened variants too, which may suit your needs if you trust others building software for you.

Software supply chain security is difficult, but at least nix gives you a fighting chance to get that under control and see how software is actually constructed. Gentoo has these same properties; I miss it, but I don’t miss the compile times!

It doesn’t matter how many security products you have in play, they are no substitute for well written, secure code. Programs that are written defensively are high quality, and will be better, faster and more secure by default. You have to remember that the dynamic security infrastructure is code too and can be exploited sometimes as easily.

Less is more… less is actually more. That’s why you can unix pipe output to less, not more. The clue’s in the CLI.

There was a company that offered a special gcc that could harden binaries, a bit like ASLR, but could completely change the fingerprint of binaries and the way they looked, basically making your binaries after recompilation ‘salty’, or look different to everyone else’s. This was pretty good defence against zero days, especially those written in memory non safe languages, like C. I can’t find them now, but I thought it was cool at the time. It was a bit security by obscurity, or even security by ossification, but even that broke a few programs!!! and introduced bugs!! So it’s a slippery (nop sled) of balance… but it’s fun to do it, but then again, my idea of fun and others’ might be slightly different. I guess a non running program is totally secure; if it can’t run, it can’t be exploited I guess (lol)

The scanners are out there, they just need to be integrated into the pipelines automatically… it’s possible

I know GitHub - nix-community/vulnix: Vulnerability (CVE) scanner for Nix/NixOS.

However, AFAIK that does not check configurations, i.e. that ‘things’ are ‘configured’ in a potentially vulnerable state, but it’s a cool tool nonetheless.

Vulnerability is not only code, but configuration and environment. It would be nice to see the more popular code/system security vendors get on board, especially with regard to end to end testing. A lot of security vendors did special open source tool editions, for free and open source projects; however, this seems to be a lot less common these days as the security ‘industry’ has become more of a massive 500,000% ROI… IMHO… Meaning only those that can afford it can have security. I’m not sure how I feel about how the security circus is panning out long term… I think I feel ashamed to be perfectly honest… Github does its best to offer the world better security. There are better tools, which everyone could benefit from… but you’re not going to see them ‘on your machine’ any time soon.

It reminds me of when I had to pay 100,000 dollars for a commercial C compiler for unix. At least that could actually compile programs that were useful. Many security tools beyond logging don’t actually do stuff, unless they repel an attack. Security is like a kind of hidden tax these days. It’s funny how it’s turned out. Security profits are booming, as always, as the system complexity of our systems increases and bits are rotting all over the place. However, is that a good metric of ‘success’? In 2038… do we still need dedicated security companies/products any more? I’d say that they have achieved their reason for being.

Maybe I’m just tired of the IT security arms race, and to younger people all this makes perfect sense.

How many engineer hours are lost through Windows reboots and data loss over the last 40 years?

How many engineering hours are lost securing stuff that can’t be secured due to its inherent architectural failings?

Should engineers be working on a better rocket engine, or working on building higher and higher fences around the launch site?

With trust you don’t need security, but trust does not scale. :slight_smile:

My old adage is buy skin not tin. However skin is expensive.

The question is can 100 lines of code be secured better than a billion lines of code. Complexity is the bane of security. However, nix doesn’t reduce that for me, it just contains it a little and keeps things running.

You’d think all IT security companies would be funded by government, so basically everyone could have better security tools? I guess not. Security is now firmly an optional extra from a defender’s point of view.
However the number of attack tools is, well, unlimited. Interesting situation.

Nix tries to come with everything ‘in the box’; it would be nice if it had the best tools on the planet right now in the box too!! One can dream I guess.

I think everyone should have seat belts in their car, but what happens when seat belts are patented?

It’s an interesting ethical dilemma, and I don’t have any answers.

Many of the traditional tools can give false positives, as they don’t know exactly what to make of nix ‘linux/unix compatibility’ layers and its hybrid linking scheme.

Usually ‘finding’ stuff is easy, but once you’ve found it, fixing it is the problem… There are a thousand vendors who will show you ‘problems’, but very few vendors that will ‘fix’ those problems.

However, doing your own scanning is still of value if upstream projects don’t do it, for whatever of the 1000s of reasons that is.

At the end of the day, you have the advantage here, because you have the source, and can patch it yourself… nix actually makes that quick… very very quick… so in the field patching is possible without fear of leaving a system unrecoverable. That’s less stress, and that’s probably a very good thing. Combine that with kexec and it can be very cool.

I have not live patched a kernel for a while… but that’s also possible!!!

and all these things that might make nix ‘military grade’ after all. or perhaps not. :wink:

If you wanna talk further, you know where I am, or someone might have even better solutions out there on the Internets.

The NixOS Security channel is full of fine and experienced souls as far as I can see… maybe they can help too?

Well, I went down a bit of a security rabbit hole there, which is easy to do. Sometimes I think security is just one big troll, and Ken Thompson is just sitting there laughing at us, with his backdoored C compiler, or is it someone else for that matter :wink:

This is MHO, I’m sure there are others that would disagree with me, but that’s not the first time that has happened, or the last :slight_smile: .

Nix as it grows needs about every system ‘breaker’ on the planet to put it through its paces and report problems with the core packages and subsystems…, like what happens with the Linux kernel.

There’s scope for a lot of nix native scanners, as we have the entire configuration of EVERYTHING, in a programming language; we can reason about this without even logging into the machine. Making automated policy and configuration checking/audit an absolute breeze.

That’s probably why I like nix and guix, it’s not finished … whereas the other unixes might be completely finished. So there’s very little to do engineering wise on them, apart from the constant grind and drudge of maintenance.

Security is a thankless, endless task, which is mainly drudge work. I salute those that stare at their debuggers, examine the code flow, revealing zero days responsibly… publicly… . If we don’t change the way we think about system security, we will never get to mars or 2038.

The future for F/OSS security is bright, but at least I don’t have to deal with closed source security… at that point I have to put my hands up and run out of the room!

Nix needs to be represented at Defcon and Blackhat this year, as well as other security conferences. I may be wrong about its security properties, but I don’t think I am.

Anyone finding and RESPONSIBLY reporting security problems, will get a free nix wheel!

How’s that for an unofficial bug bounty program?

Keep Nixxing.

1 Like

First, thank you both for this very interesting conversation!
I have the same kind of issues.

@nathanv If you tried your luck or have any useful information,
I would be glad to get any feedback :slight_smile:

Thanks!

1 Like