Trying to use Nix in CI: java.io.IOException: Unknown host: github.com

typesanitizer · July 30, 2022, 3:16pm

I’ve been learning how to use Nix (with flakes), and was trying to get a CI job which does a build (that works for me locally).

I get an error: (failure logs)

ERROR: no such package '`@io_tweag_rules_nixpkgs//nixpkgs`':
java.io.IOException:
    Error downloading
        https://github.com/tweag/rules_nixpkgs/archive/3425eb1cddee0f824944e04258f43c97a2e78cc3.tar.gz
    to /build/.cache/bazel/_bazel_nixbld/cc61aad5ab2f850e8dc25e1bcc0af429/external/io_tweag_rules_nixpkgs/temp7796387977141492287/3425eb1cddee0f824944e04258f43c97a2e78cc3.tar.gz
    Unknown host: github.com

which doesn’t seem to make a lot of sense (if you copy the URL, your browser should download the tarball). It seems like there is a configuration bug.

I found a couple of related threads:

Discussion in buildBazelPackage which mentions that there might be a workaround using a fetchAttrs.sha256, but I can’t tell if that applies to my use case or not.
Another mention of an issue with enableNixHacks in buildBazelPackage.

If possible, I’d like to allow Bazel and only Bazel to fetch stuff (since those are verified with SHA256 checksums in the Bazel config anyways), while still maintaining other forms of sandboxing. I see there is a --no-sandbox flag but that seems like a blunt hammer…

I took a look at the CI config for Tweag’s rules_nixpkgs, but nothing in the shell.nix or in the CI code stands out to me in terms of why their CI doesn’t run into this issue.

Sandro · July 30, 2022, 5:54pm

the build sandbox forbids access to the internet if no output hash is specified.

I’d like to allow Bazel and only Bazel to fetch stuff

Thats not really possible. You probably need to download all things manually or do a FOD (fixed output derivation).

typesanitizer · July 31, 2022, 1:10am

Thank you, that is helpful information. I was reading up on FODs and they don’t seem like what I’d want since the hash would have to change for ~every commit.

I was digging into the rules_nixpkgs build, which does have a similar http_archive call:

github.com

tweag/rules_nixpkgs/blob/9f08fb2322050991dead17c8d10d453650cf92b7/WORKSPACE#L48-L55


      
          http_archive(
              name = "io_bazel_rules_go",
              sha256 = "7c10271940c6bce577d51a075ae77728964db285dac0a46614a7934dc34303e6",
              urls = [
                  "https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.26.0/rules_go-v0.26.0.tar.gz",
                  "https://github.com/bazelbuild/rules_go/releases/download/v0.26.0/rules_go-v0.26.0.tar.gz",
              ],
          )

One of the builds talks to BuildBuddy and performs the build remotely, but that invocation runs through nix-shell:

github.com

tweag/rules_nixpkgs/blob/9f08fb2322050991dead17c8d10d453650cf92b7/.github/workflows/workflow.yaml#L14-L31


      
          - uses: actions/checkout@v3.0.2
          - uses: cachix/install-nix-action@v17
            with:
              nix_path: nixpkgs=./core/nixpkgs.nix
          - name: Configure
            env:
              BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
            run: |
              cp .bazelrc.ci $HOME/.bazelrc
              cat >>$HOME/.bazelrc <<EOF
              common --config=ci
              build --remote_header=x-buildbuddy-api-key="$BUILDBUDDY_API_KEY"
              # no-op flag to avoid "ERROR: Config value 'ci' is not defined in any .rc file"
              common:ci --announce_rc=false
              EOF
          - name: Build & test
            run: |
              nix-shell --pure --keep GITHUB_REPOSITORY --run 'bash .github/build-and-test'

github.com

tweag/rules_nixpkgs/blob/9f08fb2322050991dead17c8d10d453650cf92b7/.github/build-and-test#L28-L41


      
          declare -ra dirs=(
              .
              core
              toolchains/go
              toolchains/java
              toolchains/cc
              toolchains/python
              toolchains/posix
              toolchains/rust
          )
          for dir in "${dirs[@]}"
          do
              pushd $dir
              if ! bazel test //... ; then

Does this mean that nix-shell --pure doesn’t do sandboxing by default which is done by nix build? I took a look at nix issue 903 - Why is there no way to run nix-shell in a chroot and without the user’s .bashrc? and this comment from 2019 which seems to indicate that’s the case.

Sandro · July 31, 2022, 2:00am

The resulting nix-shell has no sandboxing.

typesanitizer · July 31, 2022, 4:34am

Resolution: I ended up using a nix develop --command <mycommand> invocation, because disabling sandboxing wasn’t sufficient; I needed Bazel to be able to access nix-build when running, but I couldn’t achieve that with nix build --no-sandbox <blah> (I suppose I could’ve included nix-build as a dependency inside the derivation… but this works fine for now…).

flurie · March 8, 2023, 5:36pm

You might be able to do what you want by running a bazel fetch command in fetchPhase.