Trying to use Nix in CI: Unknown host:

I’ve been learning how to use Nix (with flakes), and was trying to get a CI job which does a build (that works for me locally).

I get an error: (failure logs)

ERROR: no such package '@io_tweag_rules_nixpkgs//nixpkgs':
    Error downloading
    to /build/.cache/bazel/_bazel_nixbld/cc61aad5ab2f850e8dc25e1bcc0af429/external/io_tweag_rules_nixpkgs/temp7796387977141492287/3425eb1cddee0f824944e04258f43c97a2e78cc3.tar.gz
    Unknown host:

which doesn’t seem to make a lot of sense (if you copy the URL, your browser should download the tarball). It seems like there is a configuration bug.

I found a couple of related threads:

If possible, I’d like to allow Bazel and only Bazel to fetch stuff (since those are verified with SHA256 checksums in the Bazel config anyways), while still maintaining other forms of sandboxing. I see there is a --no-sandbox flag but that seems like a blunt hammer…

I took a look at the CI config for Tweag’s rules_nixpkgs, but nothing in the shell.nix or in the CI code stands out to me in terms of why their CI doesn’t run into this issue.

the build sandbox forbids access to the internet if no output hash is specified.

I’d like to allow Bazel and only Bazel to fetch stuff

That's not really possible. You probably need to download all things manually or do a FOD (fixed output derivation).
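What the reply above means by a FOD, as an added example that is not from the thread or from rules_nixpkgs: a derivation that declares `outputHash` is fixed-output, so the build sandbox lets that derivation alone reach the network and then checks the result against the declared hash. The host, commit and hash below are placeholders (the thread's log does not show the host), and `pkgs.lib.fakeSha256` is used so that the first build fails with a hash mismatch that reports the real hash to pin.

```nix
# Added example, not code from the thread: two forms of a fixed-output derivation.
# Placeholder URL and hash; nothing here is a real rules_nixpkgs release.
{ pkgs ? import <nixpkgs> { } }:

let
  # Form 1: fetchurl is already a FOD. Only the sha256 makes network access legal.
  rulesNixpkgsSrc = pkgs.fetchurl {
    url = "https://example.invalid/rules_nixpkgs/archive/PLACEHOLDER_COMMIT.tar.gz";
    # Placeholder: build once, copy the "got:" hash from the mismatch error, pin it.
    sha256 = pkgs.lib.fakeSha256;
  };

  # Form 2: the same mechanism written out by hand. Any derivation that sets
  # outputHashAlgo/outputHashMode/outputHash is fixed-output, so the sandbox
  # allows network for it; the downside the poster above objects to is that the
  # hash must be updated whenever the fetched content changes.
  vendoredDeps = pkgs.stdenvNoCC.mkDerivation {
    name = "bazel-external-deps";
    nativeBuildInputs = [ pkgs.curl ];
    # curl needs a CA bundle inside the sandbox; fetchurl arranges this itself.
    SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
    buildCommand = ''
      mkdir -p "$out"
      curl -fsSL -o "$out/rules_nixpkgs.tar.gz" \
        "https://example.invalid/rules_nixpkgs/archive/PLACEHOLDER_COMMIT.tar.gz"
    '';
    outputHashAlgo = "sha256";
    outputHashMode = "recursive"; # hash of the whole $out tree, not a single file
    outputHash = pkgs.lib.fakeSha256; # placeholder, as above
  };
in
{
  inherit rulesNixpkgsSrc vendoredDeps;
}
```

Evaluate with `nix-build example.nix -A rulesNixpkgsSrc`; the first run reports the real hash, and only after it is pinned does the derivation reproduce offline from the store. The non-FOD build that consumes these outputs keeps full sandboxing, which is the trade the reply is pointing at.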


Thank you, that is helpful information. I was reading up on FODs and they don’t seem like what I’d want since the hash would have to change for ~every commit.

I was digging into the rules_nixpkgs build, which does have a similar http_archive call:

One of the builds talks to BuildBuddy and performs the build remotely, but that invocation runs through nix-shell:

Does this mean that nix-shell --pure doesn’t do sandboxing by default which is done by nix build? I took a look at nix issue 903 - Why is there no way to run nix-shell in a chroot and without the user’s .bashrc? and this comment from 2019 which seems to indicate that’s the case.

The resulting nix-shell has no sandboxing.

Resolution: I ended up using a nix develop --command <mycommand> invocation, because disabling sandboxing wasn’t sufficient; I needed Bazel to be able to access nix-build when running, but I couldn’t achieve that with nix build --no-sandbox <blah> (I suppose I could’ve included nix-build as a dependency inside the derivation… but this works fine for now…).
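The resolution above, as an added example that is not the original poster's flake: a `flake.nix` whose dev shell carries both Bazel and Nix, so that `nix develop --command` runs the build in an ordinary process rather than in the build sandbox, where Bazel can fetch its `http_archive` dependencies (verified by the sha256 in the Bazel config) and rules_nixpkgs can call `nix-build`. The `system`, the Bazel attribute and the nixpkgs branch are assumptions to adjust for the CI runner.

```nix
# Added example, not from the thread: a flake providing the CI shell.
{
  description = "CI shell for a Bazel + rules_nixpkgs build";

  # Assumption: any nixpkgs branch works; pinned by flake.lock in practice.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux"; # assumption: match the CI runner
      pkgs = nixpkgs.legacyPackages.${system};
    in {
      devShells.${system}.default = pkgs.mkShell {
        packages = [
          pkgs.bazel_6 # assumption: pick the Bazel major your WORKSPACE expects
          pkgs.nix     # supplies nix-build, which rules_nixpkgs repository rules invoke
          pkgs.cacert  # CA bundle so Bazel's fetches can verify TLS
          pkgs.git
        ];
        # rules_nixpkgs evaluates <nixpkgs> by default; point it at the locked input
        # so the CI build uses the same nixpkgs revision as the flake.
        NIX_PATH = "nixpkgs=${nixpkgs}";
      };
    };
}

# CI job step (shell, not Nix), run from the repository root:
#   nix develop --command bazel build //...
# Nothing here is sandboxed by Nix; integrity of fetched archives rests on the
# sha256 values declared in the Bazel WORKSPACE, so keep those pinned.
```

The shell inherits the runner's network, which is what makes Bazel's own fetching work; what is lost relative to `nix build` is the store-level sandbox, so the checksums in the Bazel config become the only integrity check on downloaded dependencies.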

You might be able to do what you want by running a bazel fetch command in fetchPhase.