[Solved] Can't get vendorHash for buildGoModule

Help
1

I’m trying to use a newer version of gvisor with an overlay, since it is behind and the update to containerd from 24.11 to 25.05 seems to not be compatible.

Everything seems to assume that if I put an empty hash then it will tell me the usual “expected sha-AAA… actual sha-4382X…” but this is not the case. What I actually get is it downloading a bunch of go modules and then dying, with no indication why. I separated it out from configuration.nix to try to build it on its own with nix-build, and get the same error.

error: builder for ‘/nix/store/0a4f82vr9nskq7rswqh4bfqgjxhs9sq2-gvisor-20240401.0-go-modules.drv’ failed with exit code 1;
last 25 log lines:
{downloading go modules}
For full logs, run ‘nix log /nix/store/0a4f82vr9nskq7rswqh4bfqgjxhs9sq2-gvisor-20240401.0-go-modules.drv’.
error: 1 dependencies of derivation ‘/nix/store/74n5fhz38mg114z8zjkqpy95kk9i2rq5-gvisor-20240401.0.drv’ failed to build

Full logs don’t reveal anything more interesting, just the same go modules being downloading before quitting.

Go | nixpkgs All the links here are unhelpful, but I couldn’t find better documentation.

nixpkgs.overlays = [
( final: prev: {
gvisor = prev.gvisor.overrideAttrs (old: {
version = “20250512.0”;
src = prev.fetchFromGitHub {
owner = “google”;
repo = “gvisor”;
rev = “e4c059533a2aa873d566638faf29821006822462”;
hash = “sha256-PsSL/sdpr6XniRktWtz/V+VyeW4am36ZOxbtB6mwGco=”;
};
vendorHash = “”;
});
})
];

2

Is it possible I am getting an error before it even gets to whatever steps verifies the vendorHash? I found the same solution of putting a fake hash here

And do I even need this, if I use vendorHash = lib.fakeHash as suggested?
Nah, you are just fine if you start with fakeHash and then update it with the hash printed in the build failure message.

3

Excuse the sarcastic voice, please bear with it for a moment.…

You know how Google made Go? And how they use it internally a lot?
You also know that Google runs a lot of big infrastructure and has a lot of specific requirements? And how they have the build system bazel for a lot of things?
And how they then proceed to not use Go package management for their own Go projects?

(end of sarcasm)

So the thing here is, nixpkgs (or rather buildGoModule) require the go.mod file which lists all of the dependencies to be accurate and fully resolved (or something, I’m not a Go person, really). Google however does not do that in the gvisor repository because they use Bazel in some way which does things differently.

This is why your build probably fails with these lines:

gvisor-0-unstable-e4c05953-go-modules> go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
gvisor-0-unstable-e4c05953-go-modules> go: downloading github.com/modern-go/reflect2 v1.0.2
gvisor-0-unstable-e4c05953-go-modules> go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
gvisor-0-unstable-e4c05953-go-modules> go: updates to go.mod needed; to update it:
gvisor-0-unstable-e4c05953-go-modules>  go mod tidy

In a nutshell that is nixpkgs complaining about a mismatch of the downloaded dependencies and the go.mod file (please someone come along to correct me if I’m off about something).

The gvisor maintainers have luckily left a hint which points us at the go branch of the gvisor repository where Google does some funny things to turn their bazel project back into a Go project which.… yeah. Google™.

Anyway, if you pick any commit from the go branch you will actually get beyond that step, and it will tell you the correct hash.

example 
nom build --no-link --print-out-paths --print-build-logs -v --show-trace --impure --expr '(builtins.getFlake "github:NixOS/nixpkgs/4faa5f5321320e49a78ae7848582f684d64783e9").legacyPackages.${builtins.currentSystem}.callPackage ({ lib, gvisor, fetchFromGitHub }: gvisor.overrideAttrs (final: { src, ... }: {
  version = "0-unstable-e4c05953";
  src = fetchFromGitHub {
    inherit (src) owner repo;
    rev = "eede7a881b20000bcaa22e7c17c63bc027f6a2b2";
    hash = "sha256-ONpflureM3b74oEDFEH1b/5sbL8BYD3EmZgI+syXs0I=";
  };
  vendorHash = lib.fakeHash;
})) {}'

Will throw this at you:

error: hash mismatch in fixed-output derivation '/nix/store/gfdh25fypypdq02sg6vb58yc11lqc4ln-gvisor-0-unstable-e4c05953-go-modules.drv':
        likely URL: (unknown)
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-3fKFr8viabGEwIHYxg9vjhKMVOxCjji3PDgs8wBBZzY=
        expected path: /nix/store/dxh2wg7dnhjdhzdara9z9jbcaqa7yrlp-gvisor-0-unstable-e4c05953-go-modules
          got path: /nix/store/f8arj7986vh30ax1gr9a3inms92752ri-gvisor-0-unstable-e4c05953-go-modules
error: 1 dependencies of derivation '/nix/store/2njrzrpqixz5nw3r1x3rblr1qk72vrvm-gvisor-0-unstable-e4c05953.drv' failed to build

Does this solve your problem?
I mean, it may create a new one; finding the right commit in the go branch that corresponds to what version you want to build, but it hopefully works if you manage that, and if it doesn’t, any info you can provide will be helpful of course.

Side note: overrideAttrs for buildGoModule only works since 25.05, if anyone on 24.11 reads this; you’ll have to do the buildGoModule/override dance.

4

That was it, thank you for your time and help!

5

Side note, updating gvisor seemed to fix whatever issue it was having with containerd which was my goal

1 Like