Hi Ash, I join to this mail the script I use to use gitFetchPrivate in a multi-user configuration.
Have a look, you should be able to adapt it to your usage quite easily. The trick is to give to the nix-daemon access to three things : - rw access to your ssh-agent socket - read access to your ssh config file - the option that will request ssh to ignore the user read-only permission on the config file. Cheers, Adrien Le 16/06/2016 00:46, zimbatm a écrit : > I believe you could run nix-prefetch-git to pre-populate the store but > I don't know if it's still possible, the derivation might not match > exactly anymore. Also it's only really useful for developer machines, > on a CI you still want it to have access to the repo isn't it? > > On Wed, 15 Jun 2016 at 13:42 Ashley Gillman <[email protected] > <mailto:[email protected]>> wrote: > > Thanks Zimbatm, > > Actually I don't think the issue is the socket (yet). For example, > I get exactly the same error when just calling `nix-shell -I > ssh-config-file=$HOME/.ssh/config`. The current "wall" I think is > either that config file or the referenced id_rsa file, but the > error indicates its the config file itself. I have tried `chmod > o+rw` on the file, and with group (`chmod g+rw` and `chgrp`ing to > nixbld), but to no avail. > > I should mention also, I do not have my heart set on > gitFetchPrivate. If there is another way to access a remote > (BitBucket) server requiring credentials, that would be great. > Although pulling each manually and using a local file path is not > preferred. > > Cheers, > Ash > > On Wed, Jun 15, 2016 at 10:07 PM, zimbatm <[email protected] > <mailto:[email protected]>> wrote: > > Hi, > > Yes the difference is that the build user is nixbld[1-9]. Also > the SSH agent doesn't allow other users to access to the socket. > > Sorry I don't know the solution. You could maybe build a > bridge on the socket using `socat` to hide the caller's user. > > > On Wed, 15 Jun 2016, 11:57 Ashely Gillman, > <[email protected] <mailto:[email protected]>> wrote: > > Hi all, > I have been attempting to use gitFetchPrivate to fetch > from a private bitbucket repo over SSH, on both Ubuntu > running Nix and on NixOS. I am able to get the setup > working on Ubuntu. > > - Set up SSH-Agent the usual way. > - Ensure that `git clone ssh://[email protected] > <mailto:[email protected]>:<port>/<user>/<repo>.git` > works, > it does > - Use `nix-shell -I ssh-config-file=$HOME/.ssh/config -I > ssh-auth-sock=$SSH_AUTH_SOCK`, with a local shell.nix > specifying requirements > > However, I am unable to repeat the process on a NixOS machine. > > gil@gil-nixos:~/proj/pylx $ git clone > ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git > <This works> > > gil@gil-nixos:~/proj/pylx $ nix-shell -I > ssh-config-file=$HOME/.ssh/config -I > ssh-auth-sock=$SSH_AUTH_SOCK > these derivations will be built: > > /nix/store/48cz61di3gf6fpkydgri74h5i2s8qh3h-vtk-qvtk-5.10.1.drv > > /nix/store/pcj22pnchg10bq63a32jcc53l75cy8z1-boost-1.59.0.drv > > /nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv > > /nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv > building path(s) > ‘/nix/store/603gs7mcgpf7cnyv3k2bkxk1kbj4smbq-boost-1.59.0’, > ‘/nix/store/q26zzdzy5zngyxyah8fhqmnqwbmz4gl4-boost-1.59.0-lib’, > ‘/nix/store/zggqsmrh9l70yrcdagmgqjmv8i6a9rls-boost-1.59.0-dev’ > building path(s) > ‘/nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819’ > building path(s) > ‘/nix/store/j70pal3svpcip7xv21bxf5xy2c4chl84-vtk-qvtk-5.10.1’ > exporting > ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git > (rev 585a8195804) into > /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819 > Initialized empty Git repository in > > /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819/.git/ > Can't open user config file /home/gil/.ssh/config: > Permission denied > fatal: Could not read from remote repository. > > Please make sure you have the correct access rights > and the repository exists. > unpacking sources > unpacking source archive > /nix/store/cdz3wd9r8vlnp193kv091pal401mg9kc-boost_1_59_0.tar.bz2 > Can't open user config file /home/gil/.ssh/config: > Permission denied > fatal: Could not read from remote repository. > > Please make sure you have the correct access rights > and the repository exists. > Unable to checkout 585a8195804 from > ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git. > builder for > > ‘/nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv’ > failed with exit code 1 > cannot build derivation > ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’: > 1 dependencies couldn't be built > error: build of > ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’ failed > /run/current-system/sw/bin/nix-shell: failed to build > all dependencies > > With the relevant line being: > Can't open user config file /home/gil/.ssh/config: > Permission denied > > Probably a nixbld user is trying to access this? I am not > actually sure if my nixpkgs are built by my user or by > nixbld. How can I tell? `cat /etc/passwd` indicates that > the nixbld users exist. > > I have attempted to follow instructions for setting up > gitFetchPrivate for multi-user installations (but again, > not even sure this is what I have - I just installed the > simplest way), but to no avail (although the instructions > are somewhat unclear). > > Thanks for any help, > Ashley Gillman (Ash) > _______________________________________________ > nix-dev mailing list > [email protected] > <mailto:[email protected]> > http://lists.science.uu.nl/mailman/listinfo/nix-dev > > > > _______________________________________________ > nix-dev mailing list > [email protected] > http://lists.science.uu.nl/mailman/listinfo/nix-dev
#!/bin/bash
# globals
NIX_DAEMON_USER="nix-daemon"
NIX_PATH_CONTENT="$NIX_PATH"
TMP_SSH_CONFIG_DIR="$(mktemp -d /tmp/nix-ssh-config-XXXXXXXXX)"
## configure ssh agent location
##
if [[ -e ${SSH_AUTH_SOCK} ]]; then
NIX_PATH_CONTENT="ssh-auth-sock=${SSH_AUTH_SOCK}:${NIX_PATH_CONTENT}"
setfacl -m "u:${NIX_DAEMON_USER}:rwx" ${SSH_AUTH_SOCK}
setfacl -m "u:${NIX_DAEMON_USER}:rwx" "$(dirname ${SSH_AUTH_SOCK})"
else
echo "Error: ssh-agent environment variable SSH_AUTH_SOCK is not
existing" >&2
fi
## configure ssh config path
mkdir -p ${TMP_SSH_CONFIG_DIR}/.ssh
TMP_SSH_CONFIG_FILE="${TMP_SSH_CONFIG_DIR}/.ssh/config"
## use ssh_config user file as initial template
## if it exists
## to forward user alias and parameters
##
if [[ -e ${HOME}/.ssh/config ]]; then
cp ${HOME}/.ssh/config ${TMP_SSH_CONFIG_FILE}
else
touch ${TMP_SSH_CONFIG_FILE}
fi
## Disable strict host key checking
## Needed to have the nix-daemon able to read
## a file not owned by him without throwing
## a SSH error
##
cat >> ${TMP_SSH_CONFIG_FILE} << EOF
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
EOF
setfacl -m "u:${NIX_DAEMON_USER}:rwx" -R ${TMP_SSH_CONFIG_DIR}
NIX_PATH_CONTENT="ssh-config-file=${TMP_SSH_CONFIG_FILE}:${NIX_PATH_CONTENT}"
##
## print the suggested NIX_PATH including SSH config file and agent
##
echo "export NIX_PATH=\"${NIX_PATH_CONTENT}\""
signature.asc
Description: OpenPGP digital signature
_______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
